Edit tour

macOS Analysis Report
http://sync.kueezrtb.com

Overview

General Information

Sample URL:	http://sync.kueezrtb.com
Analysis ID:	1508557
Infos:

Detection

Score:	0
Range:	0 - 100
Whitelisted:	false

Signatures

No high impact signatures.

Classification

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1508557
Start date and time:	2024-09-10 11:51:26 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	http://sync.kueezrtb.com
Analysis system description:	Virtual Machine, Mojave (Office 16 16.27, Java 11.0.2+9, Adobe Reader 2019.010.20099)
macOS major version:	10.14
CPU architecture:	x86_64
Analysis Mode:	default
Detection:	CLEAN
Classification:	clean0.mac@0/10@2/0

Warnings

Excluded IPs from analysis (whitelisted): 17.253.5.205, 17.253.5.206, 23.44.73.229, 23.45.136.27, 44.228.151.38, 172.217.12.106, 17.253.5.203, 17.253.5.204, 17.57.21.63, 17.253.5.201, 104.107.104.29
Excluded domains from analysis (whitelisted): e11408.d.akamaiedge.net, smoot-searchv2.v.aaplimg.com, updates.cdn-apple.com.akadns.net, crl.apple.com, itunes.apple.com.edgekey.net, safebrowsing.googleapis.com, help.apple.com, init.itunes.apple.com, mesu-cdn.apple.com.akadns.net, e673.dsce9.akamaiedge.net, lcdn-locator-usms11.apple.com.akadns.net, help-ar.apple.com.edgekey.net, api.smoot.apple.com, bag-smoot.v.aaplimg.com, lb._dns-sd._udp.0.11.168.192.in-addr.arpa, mesu-cdn.origin-apple.com.akadns.net, configuration.apple.com, lcdn-locator.apple.com.akadns.net, help.origin-apple.com.akadns.net, lcdn-locator.apple.com, mesu.g.aaplimg.com, updates.g.aaplimg.com, configuration.apple.com.akadns.net, configuration.apple.com.edgekey.net, mesu.apple.com, updates.cdn-apple.com, init-cdn.itunes-apple.com.akadns.net, api2.smoot.apple.com

Process Tree

System is macvm-mojave

mono-sgen32 New Fork (PID: 617, Parent: 537)

open (MD5: 34bd93241fa5d2aee225941b1ca14fa4) Arguments: /usr/bin/open -a Safari http://sync.kueezrtb.com

xpcproxy New Fork (PID: 618, Parent: 1)

Safari (MD5: 2dde28c2f8a38ed2701ba17a0893cbc1) Arguments: /Applications/Safari.app/Contents/MacOS/Safari

xpcproxy New Fork (PID: 628, Parent: 1)

silhouette (MD5: 485ec1bd3cd09293e26d05f6fe464bfd) Arguments: /usr/libexec/silhouette

xpcproxy New Fork (PID: 645, Parent: 1)

eficheck (MD5: 328beb81a2263449258057506bb4987f) Arguments: /usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check-daemon

cleanup

Yara Signatures

⊘No yara matches

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• Compliance
• Networking
• System Summary
• Persistence and Installation Behavior
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: unknown	HTTPS traffic detected: 151.101.67.6:443 -> 192.168.11.12:49351 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49388 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49389 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49391 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49394 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49409 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49414 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49419 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49420 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49421 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49422 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49423 version: TLS 1.2

Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.192.4
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.192.4
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.192.4
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.192.4
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.192.4
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.192.4
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.192.4
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.192.4
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.192.4
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.192.4
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.192.4
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.192.4
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.192.4
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.192.4
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.192.4
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.192.4
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.192.4
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.192.4
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.192.4
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.121.22
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.121.22
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: sync.kueezrtb.comUpgrade-Insecure-Requests: 1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.2 Safari/605.1.15Accept-Language: en-gbAccept-Encoding: gzip, deflateConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: sync.kueezrtb.comConnection: keep-aliveAccept: /User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.2 Safari/605.1.15Accept-Language: en-gbReferer: http://sync.kueezrtb.com/Accept-Encoding: gzip, deflate

Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: .https://www.facebook.com/settings?tab=security_ equals www.facebook.com (Facebook)
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: 2https://www.linkedin.com/psettings/change-password_ equals www.linkedin.com (Linkedin)

Source: global traffic	DNS traffic detected: DNS query: sync.kueezrtb.com
Source: global traffic	DNS traffic detected: DNS query: h3.apis.apple.map.fastly.net

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundaccess-control-allow-origin: *access-control-allow-headers: Origin, X-Requested-With, Content-Type, Accept, Authorizationaccess-control-allow-credentials: truep3p: CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV ADMa"access-control-allow-methods: GET, HEAD, OPTIONS, POSTcontent-type: application/json; charset=utf-8content-length: 43date: Tue, 10 Sep 2024 09:52:36 GMTkeep-alive: timeout=5Data Raw: 7b 22 73 74 61 74 75 73 43 6f 64 65 22 3a 34 30 34 2c 22 6d 65 73 73 61 67 65 22 3a 22 43 61 6e 6e 6f 74 20 47 45 54 20 2f 22 7d Data Ascii: {"statusCode":404,"message":"Cannot GET /"}
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundaccess-control-allow-origin: *access-control-allow-headers: Origin, X-Requested-With, Content-Type, Accept, Authorizationaccess-control-allow-credentials: truep3p: CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV ADMa"access-control-allow-methods: GET, HEAD, OPTIONS, POSTcontent-type: application/json; charset=utf-8content-length: 54date: Tue, 10 Sep 2024 09:52:37 GMTkeep-alive: timeout=5Data Raw: 7b 22 73 74 61 74 75 73 43 6f 64 65 22 3a 34 30 34 2c 22 6d 65 73 73 61 67 65 22 3a 22 43 61 6e 6e 6f 74 20 47 45 54 20 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 7d Data Ascii: {"statusCode":404,"message":"Cannot GET /favicon.ico"}

Source: LastSession.plist.253.dr	String found in binary or memory: http://sync.kueezrtb.com/
Source: CloudHistoryRemoteConfiguration.plist.253.dr	String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://247sports.com/my/settings/password/_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://account.bbc.com/account/settings/edit/password_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://account.booking.com/account-recovery_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://account.docusign.com/me/changepassword_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://account.forbes.com/profile_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://account.gmx.net/ciss/security/edit/passwordChange_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://account.idm.telekom.com/account-manager/password/index.xhtml_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://account.live.com/password/Change_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://account.magento.com/customer/account/changepassword_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://account.samsung.com/membership/contents/security/password/change-password_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://account.shodan.io/change_password_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://accounts.autodesk.com/Profile/Security_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://accounts.craigslist.org/pass_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://accounts.ebay.com/acctsec/security-center/chngpwd_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://accounts.intuit.com/app/account-manager/security/password_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://accounts.nintendo.com/password/edit_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://accounts.pch.com/forgotpass_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://accounts.shopify.com/accounts/186490458/security_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://acesso.gov.br/area-cidadao/#/alterarSenha_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://adultfriendfinder.com/p/update.cgi?p=my_account_update_account_password_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://app.acorns.com/settings/change-password_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://app.carta.com/profiles/update/_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://app.getflywheel.com/profile/security/change_password_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://app.parkmobile.io/account/settings_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://app.plex.tv/desktop#
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://app.prolific.co/account/general_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://app.sipgatebasic.de/settings_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://app.stonly.com/app/general/userSettings/Account_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://app.zeplin.io/profile/password_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://appleid.apple.com/account/manage_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://apps.anatel.gov.br/AnatelConsumidor/ConsumidorEditar.aspx_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://apps.jw.org/E_PASSCHG1_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://archive.org/account/index.php?settings=1_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://arxiv.org/user/change_own_password_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://auth.astonmartinf1.com/Dashboard/ChangePassword_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://auth.danawa.com/modifyMember_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://auth.fandom.com/auth/settings_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://auth.readymag.com/password/forgot_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://auth.redgifs.com/lo/reset?ticket=_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://auth.usnews.com/changePassword_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://bandcamp.com/settings#password_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://benefitslogin.discoverybenefits.com/Profile/UpdatePassword.aspx_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://blend.io/settings_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://bugzilla.kernel.org/userprefs.cgi?tab=account_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://cam.ana.co.jp/psz/us/amc_us.jsp?index=105_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://campus.tum.de_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://card.discover.com/cardmembersvcs/personalprofile/pp/UpdateDetails?ICMPGN=MYPROFILE_USERID_PA
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://censys.io/account_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://cfspart.impots.gouv.fr/monprofil-webapp/GererMonProfil_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://chaturbate.com/auth/password_change/_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://classroom.udacity.com/settings/password_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://cloud.digitalocean.com/settings/security_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://cloud.linode.com/profile/auth_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://codepen.io/settings/account_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://consumercenter.mysynchrony.com/consumercenter/_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://customer.xfinity.com/users/me/update-password_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://customercenter.marketwatch.com/account#password?mod=ql_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://customercenter.wsj.com/account#password_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://dash.cloudflare.com/profile/authentication_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://dashboard.branch.io/account-settings/user_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://dashboard.dittomusic.com/account/password_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://dashboard.heroku.com/account_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://dashboard.messagebird.com/account/security_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://discord.com/settings/account_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://fetlife.com/settings/account/password_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://forum.wii-homebrew.com/index.php/AccountManagement/_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://foursquare.com/change_password_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://fps.fidelity.com/ftgw/Fps/Fidelity/RtlCust/ChangePIN/Init_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://genius.com/password_resets/new_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://github.com/settings/security_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://go.com/profile/account-settings/edit_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://help.steampowered.com/en/wizard/HelpChangePassword?redir=store/account/_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://hibrain.net/mybrain/users/password/edit_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://home.thesun.co.uk/edit/password_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://hotels.com/profile/settings.html_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://hq1.appsflyer.com/account/change-password_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://id.atlassian.com/manage-profile/security_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://id.nfl.com/account/change-password_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://id.sonyentertainmentnetwork.com/id/management/#/p/security_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://imgur.com/account/settings/password_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://key.harvard.edu/manage-account/change-password_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://kundenportal.edeka-smart.de/edeka-csc/forgot-password_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://leetcode.com/accounts/password/set/_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://legacy.memoriams.com/Network/Account/ChangePassword_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://linktr.ee/admin/account_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://login.aliexpress.com/_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://login.aol.com/account/change-password_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://login.blockchain.com/en/#/security-center/advanced_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://login.coupang.com/login/userModify.pang_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://login.teamviewer.com/nav/profile/change-password_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://login.tmon.co.kr/user/info_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://login.usatoday.com/USAT-GUP/password-forgot/_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://login.yahoo.com/account/change-password_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://login.yahoo.com/myaccount/security/change-password/?src=finance_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://login.yahoo.com/myaccount/security/change-password/_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://logonservices.iam.target.com/change-password/?target=#
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://mail.protonmail.com/account_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://mastercard.syf.com/login/reset_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://mathworks.com/mwaccount/profiles/password/change_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://member.daum.net/change/password.daum_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://member.webmd.com/password-reset_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://membership.latimes.com/settings_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://memberssl.auction.co.kr/membership/MyInfo/MyInfo.aspx_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://meuvivo.vivo.com.br/meuvivo/appmanager/portal/fixo_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://minhanet.net.com.br/webcenter/portal/MinhaNet/pages_alterarsenha_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://moncompte.lemonde.fr/gcustomer/account/password_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://my.foxbusiness.com/?p=account_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://my.foxnews.com/?pieces=reset_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://my.ticketmaster.com/settings_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://myaccount.ea.com/cp-ui/security/index_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://myaccount.google.com/signinoptions/password?continue=https://myaccount.google.com/security_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://myaccount.google.com/signinoptions/password_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://myaccount.virginmobile.ca/MyProfile/Details/EditProfile?editField=PASSWORD_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://myaccounts.capitalone.com/Security/changePassword_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://mychart.clevelandclinic.org/inside.asp?mode=passwd_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://mypassword.uml.edu/#Change_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://myvpostpay.verizon.com/ui/bill/secure/_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://na224.lightning.force.com/lightning/settings/personal/ChangePassword/home_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://nbcuniversal.nbc.com/request-password_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://news.ycombinator.com/changepw_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://nhentai.net/reset/_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://nid.naver.com/user2/help/myInfo.nhn?m=viewChangePasswd_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://nypost.com/account/settings_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://online.citi.com/US/ag/profile-update/change-password_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://onlyfans.com/my/settings/account/password_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://orcid.org/account_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://password.umsystem.edu/reset/_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://play.hbomax.com/setting/account/edit/password_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://portal.edd.ca.gov/WebApp/Profile/UpdatePassword_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://portal.pilotflyingj.com/myrewards/forgot-password_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://portalpersonas.bancochile.cl/mibancochile-web/front/persona/index.html#/mi-perfil/datos-segu
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://portlandgeneral.com/secure/profile/change-password_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://poshmark.com/user/account-info_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://profile.callofduty.com/cod/info_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://profile.theguardian.com/reset_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://pwrecovery.ruc.dk_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://quizlet.com/settings_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://redirect.pizza/profile_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://reelgood.com/account_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://reg.usps.com/entreg/secure/ChangePasswordAction_input?returnActionName_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://rule34.xxx/index.php?page=account&s=change_password_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://rumble.com/account/profile_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://saude.sulamericaseguros.com.br/segurado/gerenciar-cadastro/_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://secure-www.gap.com/my-account/change-password_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://secure.aarp.org/account/editaccount?request_locale=en&nu=t_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://secure.bankofamerica.com/auth/security-center/main/?activity=changePasscode_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://secure.cecredentialtrust.com/account/editpassword/_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://secure.fnac.com/account/update-password_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://secure.hulu.com/account_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://secure.indeed.com/account/changepassword_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://secure.maxpreps.com/utility/member/forgotpassword.aspx_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://secure.npr.org/oauth2/login_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://secure.orclinic.com/portal/editprofile.aspx_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://secure.ssa.gov/RIM/UpwdView.action_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://secure07ea.chase.com/web/auth/dashboard#/dashboard/myProfileSignInSecurity/resetPassword/res
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://selvbetjening.rejsekort.dk/CWS/CustomerManagement/ChangePassword_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://shein.com/user/security_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://shop.tmz.com/user?show=account-tab_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://slickdeals.net/forums/login.php?do=lostpw_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://soap2day.to/home/user/changepassword_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://soundcloud.com/settings_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://spankbang.com/users/account_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://sslmember2.gmarket.co.kr/MYInfo/MemberInfo_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://stackoverflow.com/users/account-recovery_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://stacksocial.com/user?show=account-tab_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://stripchat.com/settings_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://subscribe.washingtonpost.com/profile/#
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://support.opentable.com/s/login/ForgotPassword?language=en_US_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://thenounproject.com/accounts/password/change/_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://todoist.com/prefs/account_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://trakt.tv/settings#password_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://tripit.com/account/edit/section/change_password_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://twitter.com/settings/password_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://udapps.nss.udel.edu/myUDsettings/password_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://ui.attentivemobile.com/forgot-password_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://usa.experian.com/member/ngx-profile/account-info_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://user.manganelo.com/user_changes_pass_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://web.500px.com/settings/account/security_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://wordpress.com/me/security/password_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://worldstarhiphop.com/videos/reset.php_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.11st.co.kr/register/popupModifyPWD.tmall_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.1800contacts.com/account/settings_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.aa.com/loyalty/profile/information_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.account.publishing.service.gov.uk/account/edit/password_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.ae.com/myaccount_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.aerlingus.com/html/user-profile.html_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.aesop.com/my-account_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.airnewzealand.com/membership/profile/security/password_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.alaskaair.com/www2/ssl/myalaskaair/myalaskaair.aspx?view=myinformation&tab=email_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.alliantcreditunion.com/OnlineBanking/Settings/AccessAndSecurity/ChangePassword.aspx_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.allianz.com.br/alteracao-de-password-ecliente_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.allrecipes.com/account/profile#/change-password_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.alternate.de/html/myAccount/account/basicData.html_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.amctheatres.com/amcstubs/account_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.americanexpress.com/en-us/account/password/reset_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.ancestry.com/account/security/password_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.apartments.com/my-account/#_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.arlt.com/mein-passwort/_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.att.com/acctmgmt/profile/overview_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.bathandbodyworks.com/my-account/edit-profile_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.bbq-grill-world.de/customer/account/edit/changepass/1/_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.bedbathandbeyond.com/store/account/personalinfo_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.berlet.de/mein-konto.htm#my-account--edit-pass_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.bestbuy.com/identity/accountSettings/page/password_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.biblegateway.com/user/account/_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.birkenstock.com/profile_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.bloomberg.com/portal/account_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.blutdruck-shop.de/mein-passwort/_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.boredpanda.com/settings/_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.browserstack.com/accounts/profile_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.businessinsider.com/#_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.buzzfeed.com/settings/password/change_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.cakeresume.com/settings/account?ref=navs_settings_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.canva.com/login?redirect=%2Fsettings%2Flogin-and-security_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.cargurus.com/Cars/myAccount#/accountSettings_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.cbsnews.com/user/change-password/_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.cbssports.com/settings/account_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.chegg.com/my/account-next_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.chess.com/settings/password_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.chewy.com/app/resetpassword_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.clien.net/service/mypage/myInfoComfrim_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.cnbc.com/account/#profile_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.cnn.com/account/settings_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.columbia.com/profile_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.consumidor.gov.br/pages/usuario/editar_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.costco.com/AccountInformationView?identifier=manage-membership_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.crackle.com/profile_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.creditkarma.com/myprofile/security_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.crunchyroll.com/resetpw_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.cvs.com/my-account/profile/sign-in-and-security/edit-password_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.dailymail.co.uk/registration/profile/change-password.html_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.darty.com/espace_client/donnees-personnelles/mot-de-passe/edition_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.delta.com/myprofile/security-settings_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.deviantart.com/settings/general_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.dickssportinggoods.com/MyAccount/AccountSettings_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.disneyplus.com/account_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.dominos.com/en/pages/customer/#
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.doordash.com/accounts/password/reset/_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.dropbox.com/account/security_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.dsw.com/en/us/profile_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.dwr.com/profile_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.eporner.com/profile/mturk_eporn/my/edit-pass/_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.espn.com/_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.etsy.com/your/account?ref=hdr_user_menu-settings_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.eventbrite.com/account-settings/password_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.evite.com/reset_password/_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.expedia.com/user/forgotpassword_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.fanfiction.net/account/password.php_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.fedex.com/en-us/create-account/how-to-reset-forgot-password.html_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.fitbit.com/settings/profile_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.foodnetwork.com/user-profile-page_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.foxsports.com/#_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.gamespot.com/change-details/_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.geocaching.com/account/settings/changepassword_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.glassdoor.com/member/profile/settings.htm_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.gog.com/account/settings/security_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.grubhub.com/account/profile_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.happycow.net/members/profile/update/password_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.homedepot.com/myaccount/security_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.huffpost.com/member/edit-profile_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.ign.com/account/security_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.insider.com/_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.instacart.com/store/account_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.instagram.com/accounts/password/change/_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.jcpenney.com/account/dashboard/personal/info_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.kohls.com/myaccount/accountsettings.jsp_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.kroger.com/account/update_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.linkedin.com/psettings/change-password_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.livejasmin.com/en/girls/#
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.lowes.com/mylowes/profile_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.macys.com/account/profile?cm_sp=macys_account-_-my_account-_-my_profile&linklocation=lef
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.marktplaats.nl/account/password-reset/confirm.html_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.marriott.com/loyalty/myAccount/changePassword.mi_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.meliuz.com.br/minha-conta/meus-dados/senha_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.mercari.com/mypage/email_password/_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.michaels.com/on/demandware.store/Sites-MichaelsUS-Site/default/Account-EditProfile_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.mlb.com/account/general_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.myfreecams.com/php/account.php?request=status&vcc=1674246522#change_password_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.mylo.id/account_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.nba.com/account/nbaprofile_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.netflix.com/password_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.newsweek.com/contact_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.nike.com/member/settings_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.nordstrom.com/my-account/sign-in-info_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.nordstromrack.com/my-account/sign-in-info_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.nytimes.com/account/change-password_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.overleaf.com/user/settings_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.paramountplus.com/account/_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.patreon.com/settings/account_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.paypal.com/myaccount/security/password/change_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.peacocktv.com/forgot_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.pearson.com/store/en-us/my-account/update-password_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.pinterest.com/settings/account-settings_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.politico.com/settings_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.pornhub.com/user/security_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.ppomppu.co.kr/myinfo/profile.php_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.prowlapp.com/settings.php_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.quora.com/settings_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.rakuten.com/account-settings.htm_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.realtor.com/myaccount/profile/settings_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.reddit.com/prefs/update/_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.redfin.com/change-password_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.redtube.com/settings_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.rei.com/YourAccountCredentials_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.reuters.com/account/forgot-password/_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.roblox.com/my/account#
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.rottentomatoes.com/user/account_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.samsclub.com/account/personal-info?xid=hdr_account_change-password_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.santahelenasaude.com.br/beneficiario/#/alterar-senha_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.saturn.de/webapp/wcs/stores/servlet/MultiChannelMAChangePassword_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.sephora.com/profile/MyAccount_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.serasa.com.br/meus-dados/alterar-senha_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.shoop.de/einstellungen/benutzerdaten_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.shopback.co.kr/account/change-password_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.shutterfly.com/account-settings/_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.sonos.com/myaccount/user/profile/_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.southwest.com/loyalty/myaccount/profile-security.html_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.spectrum.net/user-preferences/your-info/manage/security_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.speedway.com/my-account/security/passcode_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.splunk.com/my-account/#/profile-details
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.spotify.com/in-en/account/change-password/_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.tasteofhome.com/login/updatepassword_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.temu.com/bgp_account_security.html_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.thetrainline.com/my-account/change-password_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.thetvdb.com/dashboard/account/changepass_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.tiktok.com/login/email/forget-password_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.tripadvisor.com/Settings-cp_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.trulia.com/account/user_profile_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.tumblr.com/settings/account_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.twilio.com/console/user/settings_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.twitch.tv/settings/security_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.ulta.com/myaccount/index.jsp_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.united.com/ual/en/US/account/security/setpassword_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.ups.com/lasso/updatePass?loc=en_US_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.usaa.com/inet/ent_auth_password/pages/ChangePasswordPage_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.ventrachicago.com/account/manage-account/_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.victoriassecret.com/us/account/profile#changePassword_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.walgreens.com/account/user_and_password_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.walmart.com/account/profile_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.wayfair.com/v/account/personal_info/edit_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.wikihow.com/Special:ChangeCredentials/MediaWiki%5CAuth%5CPasswordAuthenticationRequest_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.wunderground.com/member/settings_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.xvideos.com/account/security_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.youporn.com/settings/change/password/_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.zhihu.com/settings/account_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.zillow.com/myzillow/profile/_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.ziprecruiter.com/login/forgot-password?realm=candidates_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://www.zocdoc.com/patient/editprofile?section=Password_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://xhamster.com/password-recovery_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://yelp.com/profile_password_
Source: AutoFillQuirks.plist.253.dr	String found in binary or memory: https://zoom.us/profile#pwd-form_

Source: unknown	Network traffic detected: HTTP traffic on port 49351 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49347
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49423
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49389
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49422
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49388
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49421
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49420
Source: unknown	Network traffic detected: HTTP traffic on port 49414 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49391 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49422 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49388 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49419 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49420 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49419
Source: unknown	Network traffic detected: HTTP traffic on port 49409 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49414
Source: unknown	Network traffic detected: HTTP traffic on port 49350 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49351
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49350
Source: unknown	Network traffic detected: HTTP traffic on port 49394 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49394
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49391
Source: unknown	Network traffic detected: HTTP traffic on port 49389 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49421 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49423 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49409
Source: unknown	Network traffic detected: HTTP traffic on port 49347 -> 443

Source: unknown	HTTPS traffic detected: 151.101.67.6:443 -> 192.168.11.12:49351 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49388 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49389 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49391 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49394 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49409 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49414 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49419 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49420 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49421 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49422 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49423 version: TLS 1.2

Source: classification engine

Classification label: clean0.mac@0/10@2/0

Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 618)	Random device file read: /dev/urandom			Jump to behavior
Source: /usr/libexec/firmwarecheckers/eficheck/eficheck (PID: 645)	Random device file read: /dev/random			Jump to behavior

Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 618)

AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist

Jump to behavior

Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 618)	Binary plist file created: /private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari)/KnownExtensions.plist	Jump to dropped file
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 618)	XML plist file created: /private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari)/CloudHistoryRemoteConfiguration.plist	Jump to dropped file
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 618)	Binary plist file created: /private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari 2)/AutoFillQuirks.plist	Jump to dropped file
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 618)	Binary plist file created: /private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari)/Preferences.plist	Jump to dropped file
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 618)	Binary plist file created: /private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari)/CacheSettings.plist	Jump to dropped file
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 618)	Binary plist file created: /private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari)/LastSession.plist	Jump to dropped file

Source: /usr/bin/open (PID: 617)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist			Jump to behavior
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 618)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist			Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Direct Volume Access	OS Credential Dumping	1 System Information Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	3 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	4 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	3 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Shell
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
http://sync.kueezrtb.com	0%	Avira URL Cloud	safe
http://sync.kueezrtb.com	0%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Reputation
hj5ozcalb.puzztake.com	206.189.188.237	true	false	unknown
h3.apis.apple.map.fastly.net	151.101.67.6	true	false	unknown
sync.kueezrtb.com	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://sync.kueezrtb.com/favicon.ico	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://www.sephora.com/profile/MyAccount_	AutoFillQuirks.plist.253.dr	false	unknown
https://accounts.ebay.com/acctsec/security-center/chngpwd_	AutoFillQuirks.plist.253.dr	false	unknown
https://www.southwest.com/loyalty/myaccount/profile-security.html_	AutoFillQuirks.plist.253.dr	false	unknown
https://xhamster.com/password-recovery_	AutoFillQuirks.plist.253.dr	false	unknown
https://acesso.gov.br/area-cidadao/#/alterarSenha_	AutoFillQuirks.plist.253.dr	false	unknown
https://hotels.com/profile/settings.html_	AutoFillQuirks.plist.253.dr	false	unknown
https://www.usaa.com/inet/ent_auth_password/pages/ChangePasswordPage_	AutoFillQuirks.plist.253.dr	false	unknown
https://www.amctheatres.com/amcstubs/account_	AutoFillQuirks.plist.253.dr	false	unknown
https://customer.xfinity.com/users/me/update-password_	AutoFillQuirks.plist.253.dr	false	unknown
https://www.walmart.com/account/profile_	AutoFillQuirks.plist.253.dr	false	unknown
https://moncompte.lemonde.fr/gcustomer/account/password_	AutoFillQuirks.plist.253.dr	false	unknown
https://shein.com/user/security_	AutoFillQuirks.plist.253.dr	false	unknown
https://zoom.us/profile#pwd-form_	AutoFillQuirks.plist.253.dr	false	unknown
https://support.opentable.com/s/login/ForgotPassword?language=en_US_	AutoFillQuirks.plist.253.dr	false	unknown
https://forum.wii-homebrew.com/index.php/AccountManagement/_	AutoFillQuirks.plist.253.dr	false	unknown
https://www.twitch.tv/settings/security_	AutoFillQuirks.plist.253.dr	false	unknown
https://fps.fidelity.com/ftgw/Fps/Fidelity/RtlCust/ChangePIN/Init_	AutoFillQuirks.plist.253.dr	false	unknown
https://www.instacart.com/store/account_	AutoFillQuirks.plist.253.dr	false	unknown
https://www.newsweek.com/contact_	AutoFillQuirks.plist.253.dr	false	unknown
https://www.victoriassecret.com/us/account/profile#changePassword_	AutoFillQuirks.plist.253.dr	false	unknown
https://dashboard.dittomusic.com/account/password_	AutoFillQuirks.plist.253.dr	false	unknown
https://www.birkenstock.com/profile_	AutoFillQuirks.plist.253.dr	false	unknown
https://www.delta.com/myprofile/security-settings_	AutoFillQuirks.plist.253.dr	false	unknown
https://www.fanfiction.net/account/password.php_	AutoFillQuirks.plist.253.dr	false	unknown
https://id.sonyentertainmentnetwork.com/id/management/#/p/security_	AutoFillQuirks.plist.253.dr	false	unknown
https://www.nba.com/account/nbaprofile_	AutoFillQuirks.plist.253.dr	false	unknown
https://cloud.linode.com/profile/auth_	AutoFillQuirks.plist.253.dr	false	unknown
https://meuvivo.vivo.com.br/meuvivo/appmanager/portal/fixo_	AutoFillQuirks.plist.253.dr	false	unknown
https://www.livejasmin.com/en/girls/#	AutoFillQuirks.plist.253.dr	false	unknown
https://slickdeals.net/forums/login.php?do=lostpw_	AutoFillQuirks.plist.253.dr	false	unknown
https://www.alaskaair.com/www2/ssl/myalaskaair/myalaskaair.aspx?view=myinformation&tab=email_	AutoFillQuirks.plist.253.dr	false	unknown
https://www.linkedin.com/psettings/change-password_	AutoFillQuirks.plist.253.dr	false	unknown
https://bugzilla.kernel.org/userprefs.cgi?tab=account_	AutoFillQuirks.plist.253.dr	false	unknown
https://codepen.io/settings/account_	AutoFillQuirks.plist.253.dr	false	unknown
https://www.roblox.com/my/account#	AutoFillQuirks.plist.253.dr	false	unknown
https://www.serasa.com.br/meus-dados/alterar-senha_	AutoFillQuirks.plist.253.dr	false	unknown
https://reg.usps.com/entreg/secure/ChangePasswordAction_input?returnActionName_	AutoFillQuirks.plist.253.dr	false	unknown
https://www.allrecipes.com/account/profile#/change-password_	AutoFillQuirks.plist.253.dr	false	unknown
https://user.manganelo.com/user_changes_pass_	AutoFillQuirks.plist.253.dr	false	unknown
https://www.dailymail.co.uk/registration/profile/change-password.html_	AutoFillQuirks.plist.253.dr	false	unknown
https://www.11st.co.kr/register/popupModifyPWD.tmall_	AutoFillQuirks.plist.253.dr	false	unknown
https://app.plex.tv/desktop#	AutoFillQuirks.plist.253.dr	false	unknown
https://cam.ana.co.jp/psz/us/amc_us.jsp?index=105_	AutoFillQuirks.plist.253.dr	false	unknown
https://account.samsung.com/membership/contents/security/password/change-password_	AutoFillQuirks.plist.253.dr	false	unknown
https://www.creditkarma.com/myprofile/security_	AutoFillQuirks.plist.253.dr	false	unknown
https://auth.readymag.com/password/forgot_	AutoFillQuirks.plist.253.dr	false	unknown
https://archive.org/account/index.php?settings=1_	AutoFillQuirks.plist.253.dr	false	unknown
https://secure07ea.chase.com/web/auth/dashboard#/dashboard/myProfileSignInSecurity/resetPassword/res	AutoFillQuirks.plist.253.dr	false	unknown
https://account.magento.com/customer/account/changepassword_	AutoFillQuirks.plist.253.dr	false	unknown
https://accounts.nintendo.com/password/edit_	AutoFillQuirks.plist.253.dr	false	unknown
https://www.nordstrom.com/my-account/sign-in-info_	AutoFillQuirks.plist.253.dr	false	unknown
https://www.dominos.com/en/pages/customer/#	AutoFillQuirks.plist.253.dr	false	unknown
https://profile.theguardian.com/reset_	AutoFillQuirks.plist.253.dr	false	unknown
https://reelgood.com/account_	AutoFillQuirks.plist.253.dr	false	unknown
https://www.dropbox.com/account/security_	AutoFillQuirks.plist.253.dr	false	unknown
https://customercenter.wsj.com/account#password_	AutoFillQuirks.plist.253.dr	false	unknown
https://go.com/profile/account-settings/edit_	AutoFillQuirks.plist.253.dr	false	unknown
https://chaturbate.com/auth/password_change/_	AutoFillQuirks.plist.253.dr	false	unknown
https://genius.com/password_resets/new_	AutoFillQuirks.plist.253.dr	false	unknown
https://www.macys.com/account/profile?cm_sp=macys_account-_-my_account-_-my_profile&linklocation=lef	AutoFillQuirks.plist.253.dr	false	unknown
https://www.alternate.de/html/myAccount/account/basicData.html_	AutoFillQuirks.plist.253.dr	false	unknown
https://blend.io/settings_	AutoFillQuirks.plist.253.dr	false	unknown
https://www.cnn.com/account/settings_	AutoFillQuirks.plist.253.dr	false	unknown
https://www.instagram.com/accounts/password/change/_	AutoFillQuirks.plist.253.dr	false	unknown
https://www.redtube.com/settings_	AutoFillQuirks.plist.253.dr	false	unknown
https://www.aesop.com/my-account_	AutoFillQuirks.plist.253.dr	false	unknown
https://member.daum.net/change/password.daum_	AutoFillQuirks.plist.253.dr	false	unknown
https://myaccount.virginmobile.ca/MyProfile/Details/EditProfile?editField=PASSWORD_	AutoFillQuirks.plist.253.dr	false	unknown
https://mastercard.syf.com/login/reset_	AutoFillQuirks.plist.253.dr	false	unknown
https://www.jcpenney.com/account/dashboard/personal/info_	AutoFillQuirks.plist.253.dr	false	unknown
https://www.pearson.com/store/en-us/my-account/update-password_	AutoFillQuirks.plist.253.dr	false	unknown
https://worldstarhiphop.com/videos/reset.php_	AutoFillQuirks.plist.253.dr	false	unknown
https://www.boredpanda.com/settings/_	AutoFillQuirks.plist.253.dr	false	unknown
https://www.shoop.de/einstellungen/benutzerdaten_	AutoFillQuirks.plist.253.dr	false	unknown
https://mypassword.uml.edu/#Change_	AutoFillQuirks.plist.253.dr	false	unknown
https://stripchat.com/settings_	AutoFillQuirks.plist.253.dr	false	unknown
https://accounts.shopify.com/accounts/186490458/security_	AutoFillQuirks.plist.253.dr	false	unknown
https://www.redfin.com/change-password_	AutoFillQuirks.plist.253.dr	false	unknown
https://hibrain.net/mybrain/users/password/edit_	AutoFillQuirks.plist.253.dr	false	unknown
https://app.carta.com/profiles/update/_	AutoFillQuirks.plist.253.dr	false	unknown
https://legacy.memoriams.com/Network/Account/ChangePassword_	AutoFillQuirks.plist.253.dr	false	unknown
https://www.ups.com/lasso/updatePass?loc=en_US_	AutoFillQuirks.plist.253.dr	false	unknown
https://www.pinterest.com/settings/account-settings_	AutoFillQuirks.plist.253.dr	false	unknown
https://profile.callofduty.com/cod/info_	AutoFillQuirks.plist.253.dr	false	unknown
https://bandcamp.com/settings#password_	AutoFillQuirks.plist.253.dr	false	unknown
https://www.crackle.com/profile_	AutoFillQuirks.plist.253.dr	false	unknown
https://secure.hulu.com/account_	AutoFillQuirks.plist.253.dr	false	unknown
https://app.acorns.com/settings/change-password_	AutoFillQuirks.plist.253.dr	false	unknown
https://news.ycombinator.com/changepw_	AutoFillQuirks.plist.253.dr	false	unknown
https://classroom.udacity.com/settings/password_	AutoFillQuirks.plist.253.dr	false	unknown
https://pwrecovery.ruc.dk_	AutoFillQuirks.plist.253.dr	false	unknown
https://rumble.com/account/profile_	AutoFillQuirks.plist.253.dr	false	unknown
https://www.michaels.com/on/demandware.store/Sites-MichaelsUS-Site/default/Account-EditProfile_	AutoFillQuirks.plist.253.dr	false	unknown
https://www.splunk.com/my-account/#/profile-details	AutoFillQuirks.plist.253.dr	false	unknown
https://secure.ssa.gov/RIM/UpwdView.action_	AutoFillQuirks.plist.253.dr	false	unknown
https://www.realtor.com/myaccount/profile/settings_	AutoFillQuirks.plist.253.dr	false	unknown
https://www.ancestry.com/account/security/password_	AutoFillQuirks.plist.253.dr	false	unknown
https://www.zillow.com/myzillow/profile/_	AutoFillQuirks.plist.253.dr	false	unknown
https://key.harvard.edu/manage-account/change-password_	AutoFillQuirks.plist.253.dr	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
184.28.121.22	unknown	United States	20940	AKAMAI-ASN1EU	false
206.189.188.237	hj5ozcalb.puzztake.com	United States	14061	DIGITALOCEAN-ASNUS	false
151.101.131.6	unknown	United States	54113	FASTLYUS	false
151.101.195.6	unknown	United States	54113	FASTLYUS	false
151.101.67.6	h3.apis.apple.map.fastly.net	United States	54113	FASTLYUS	false
147.182.129.240	unknown	United States	27555	BV-PUBLIC-ASNUS	false

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

/dev/null

Download File

Process:	/Applications/Safari.app/Contents/MacOS/Safari
File Type:	ASCII text
Category:	dropped
Size (bytes):	61
Entropy (8bit):	4.858867206657081
Encrypted:	false
SSDEEP:	3:tRnCrzFIAcRWOv:LC/iAvA
MD5:	4A5DAA0F69E4E48D6703819C8DE3B31B
SHA1:	C5A224AC05067EA015103F2064C4C9F96483A048
SHA-256:	85133AE5FEC9A8EAB3FADB79F89E8F0038B350A2F1C4268744C67573F544260E
SHA-512:	C69493045CA46EF357DEFDF03C6B9BD31FE4A3A80AEB70E99CF1723CD55A13D2208940968D7F09DB2E17F5EA6C90ECB58FDCACB91DD7A75C528673499F2C806E
Malicious:	false
Reputation:	low
Preview:	2024-09-10 04:52:31.257 Safari[618:4805] ApplePersistence=NO.

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/C/com.apple.Safari/com.apple.scriptmanager2.le.cache

Download File

Process:	/Applications/Safari.app/Contents/MacOS/Safari
File Type:	data
Category:	dropped
Size (bytes):	19328
Entropy (8bit):	2.9753497322131066
Encrypted:	false
SSDEEP:	192:XVlGq37NZFFFF/QQQQgdFSGXFFFFnQQQQ:uq37HFFFF/QQQQg3SGXFFFFnQQQQ
MD5:	1D8E1388683DC96ED97907EFCCE83FDA
SHA1:	561FDF03A98032BAAEB7BC214FD6FC2712BA42B0
SHA-256:	A6BE2B32F120066646A50B537477F2D359D7013851F123146CB9B6A7A1371E8C
SHA-512:	70A1E99DAD32B200EB26AD78E6433B3E9E052355ADA3A3AD1CB6C644C1A0513E593CCD89EF8B9B305013B37F3F850F049D787677878F412D23FB517147C18C98
Malicious:	false
Reputation:	low
Preview:	.............J..dJ......clti....0.......mlti........0...blti....2.......blti....2...H...blti....2...\|...blti....2.......blti....2.......blti....2.......blti....2...L...blti~...2.......5lti.@..,.......5lti.B..,....$..5lti.p..,.......5lti.D..,...87..................(....................................... .....................~...f... ...!............... ...4...3.......>.......U.......F...E...G...C...J...K...I...H...L...M...N.......O...?...9...P.......!............. .......t............."...........................................................#...............................^.......X...Y...Z...[...\...].......Q...........S.......R...............$.......(...%.......................&...'........... ...*...+...,...-.......5......./...0...1...6...7...8...:...4...3...........2...<...........T...;...=...>.......)...U...V...W.......@...A...B...F...E...G...C...D...J...K...I...H...L...M...N.......O...?.......9...P.......!...............j...X.....R...........%...7...........\.........".........

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/C/com.apple.Safari/mds/mdsDirectory.db_

Download File

Process:	/Applications/Safari.app/Contents/MacOS/Safari
File Type:	Mac OS X Keychain File
Category:	dropped
Size (bytes):	48908
Entropy (8bit):	3.533814637805397
Encrypted:	false
SSDEEP:	384:xSMdGleGkIG7FF3theSMVXBD0tgcNrGB5pBfbouR6/chQOnGqwc2U+v+h/:8MdGleOhpBouRwchQOnGqwc2U+v+h/
MD5:	0E4A0D1CEB2AF6F0F8D0167CE77BE2D3
SHA1:	414BA4C1DC5FC8BF53D550E296FD6F5AD669918C
SHA-256:	CCA093BCFC65E25DD77C849866E110DF72526DFFBE29D76E11E29C7D888A4030
SHA-512:	1DC5282D27C49A4B6F921BA5DFC88B8C1D32289DF00DD866F9AC6669A5A8D99AFEDA614BFFC7CF61A44375AE73E09CD52606B443B63636977C9CD2EF4FA68A20
Malicious:	false
Reputation:	low
Preview:	kych...........................`...X...p..S0..SX..Th..T...T...[...^h...........L...X...............T...........d...................t...............t...........<...............P...........0...........$...p...........l...........X.......@.......................!...%........CSSM_DL_DB_SCHEMA_INFO.....D.......................!...%........CSSM_DL_DB_SCHEMA_ATTRIBUTES...D.......................!...%........CSSM_DL_DB_SCHEMA_INDEXES......H.......................!...%....... CSSM_DL_DB_SCHEMA_PARSING_MODULE...D.......................!...%@.......MDS_CDSADIR_CSSM_RECORDTYPE....D.......................!...%@.......MDS_CDSADIR_KRMM_RECORDTYPE....D.......................!...%@.......MDS_CDSADIR_EMM_RECORDTYPE.....L.......................!...%@......"MDS_CDSADIR_EMM_PRIMARY_RECORDTYPE.....H.......................!...%@.......MDS_CDSADIR_COMMON_RECORDTYPE......L.......................!...%@......"MDS_CDSADIR_CSP_PRIMARY_RECORDTYPE.....P.......................!...%@......%MDS_CDSADIR_CSP_CAPABILITY_R

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/C/com.apple.Safari/mds/mdsObject.db_

Download File

Process:	/Applications/Safari.app/Contents/MacOS/Safari
File Type:	Mac OS X Keychain File
Category:	dropped
Size (bytes):	4404
Entropy (8bit):	3.5110922853353324
Encrypted:	false
SSDEEP:	24:mFkXs98w/mBr53CEb9ujBbCYoVeA7uBEUMy733Ka2VCneWHrUZRJkWnJI4FNMOQS:m6Xsh+CLjL3Pe3T5FFEfEn8xiYuuSsS
MD5:	D3A1859E6EC593505CC882E6DEF48FC8
SHA1:	F8E6728E3E9DE477A75706FAA95CEAD9CE13CB32
SHA-256:	3EBAFA97782204A4A1D75CFEC22E15FCDEAB45B65BAB3B3E65508707E034A16C
SHA-512:	EA2A749B105759EA33408186B417359DEFFB4A3A5ED0533CB26B459C16BB3524D67EDE5C9CF0D5098921C0C0A9313FB9C2672F1E5BA48810EDA548FA3209E818
Malicious:	false
Reputation:	low
Preview:	kych.......................................d...................0...............0...p...........@...@.......................!...%........CSSM_DL_DB_SCHEMA_INFO.....D.......................!...%........CSSM_DL_DB_SCHEMA_ATTRIBUTES...D.......................!...%........CSSM_DL_DB_SCHEMA_INDEXES......H.......................!...%....... CSSM_DL_DB_SCHEMA_PARSING_MODULE...@.......................!...%@.......MDS_OBJECT_RECORDTYPE..............h........... ...`........... ...@.......................-...1...5...9...=@..............................X...............P................... ...p...........l...........d...........P...........H...........,...............h...........P.......................1...5...9...=.......M................RelationID.........P.......................1...5...9...=.......M................RelationName.......P.......................1...5...9...=.......M................RelationID.........P.......................1...5...9...=.......M................AttributeID........X....

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari 2)/AutoFillQuirks.plist

Download File

Process:	/Applications/Safari.app/Contents/MacOS/Safari
File Type:	Apple binary property list
Category:	dropped
Size (bytes):	60017
Entropy (8bit):	6.44756590873966
Encrypted:	false
SSDEEP:	1536:Q+GC/PAgVltOQ7u0H8MbhNs39bQflSkq2:QxC/PNVlb7u0cSNs9jb2
MD5:	C5E8C26C5B5C64BBB1ADF49F38ACAA06
SHA1:	02AD97BC49A1C903CCC13F95754AA364CF864964
SHA-256:	7AA177CE2337F6AC63E9CB14E31B6BCA51E5D705B2D805232BCC32028A947362
SHA-512:	222A9C5C477E2941A1B6C119854142AC1DA88EB96E80E8C086C35E3B785B41C5AF5FFCF90FAB063C8B68B2D31708D82300C3FF4A12A501821601C370E3D9BBA3
Malicious:	false
Reputation:	low
Preview:	bplist00................................7.<.x.y.\|_.$DomainsIneligibleForStreamlinedLogin_. DomainsWithAssociatedCredentials_..PasswordGenerationRequirements_..DomainsForPasskeyFallbackUI_..ChangePasswordURLs_."DomainsIneligibleForAutomaticLogin_..AppIDsToDomainsAssociations_..DomainsIneligibleForPasskeys_..DomainsToConsiderIdentical]SharedDomains...^old.reddit.com.......... .V.Z.f.i.l.............................................................................".%.<.?.B.E.H.K.N.Q.T.X.\._.d.h.k.n.q.t.w.z.~.............................................................................).-.0.3.6.9.<.?.B.E.K.N.R.U.X.[.^.a.h.k.n.t.w.z.~............................................[3docean.net_..audiojungle.net^codecanyon.netZenvato.com_..graphicriver.net]photodune.net[placeit.net_..themeforest.net\tutsplus.com]videohive.net.......Vaa.com_..americanairlines.com_..americanairlines.jp.....Yaetna.com_..banneraetna.myplanportal.com..5.!.".#.$.%.&.'.(.).*.+.,.-.../.0.1.2.3.4.5.6.7.8.9.:.;.<.=.>.?.@.A

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari)/CacheSettings.plist

Download File

Process:	/Applications/Safari.app/Contents/MacOS/Safari
File Type:	Apple binary property list
Category:	dropped
Size (bytes):	94
Entropy (8bit):	4.37469842251369
Encrypted:	false
SSDEEP:	3:Nsm4nJNsGRbDJNsGM1aN7btoltm:NxeJ+gINaN3t4s
MD5:	7EBC7BAF0AB51EAF60EC8BC288C6B2FD
SHA1:	73E13AC19207D31E7B408C116B282EDACF66B2AD
SHA-256:	A2948EEBBF7982A18CF824CE6929D8003E93C52EBDF7EF6AEAF18E0F6B7F8CFF
SHA-512:	95F712B1A8B131EF083E8B479702A40130643E4784EB3F842732E4F40417B199D414675E607EE1B3D14D3B88E6A4BA4E0D5A130F0C78A6C2089D5F4179B10084
Malicious:	false
Reputation:	low
Preview:	bplist00....._..TemplateIconCacheVersion]TemplateIcons.....(68...............................9

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari)/CloudHistoryRemoteConfiguration.plist

Download File

Process:	/Applications/Safari.app/Contents/MacOS/Safari
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1012
Entropy (8bit):	5.286991847916908
Encrypted:	false
SSDEEP:	24:2dfyiwHuG5Ku3hu65juqVrTrmuGoTxR1F1xW:cfyP5Z/5PrUon1F1xW
MD5:	0C29425555C7FF0CA114B1FD0DC39C50
SHA1:	D7D808E8BE92462F4C3CEBA66734F0E9BB26ACDD
SHA-256:	52826AFEEC974BB7BACB85BDC01DC4F23BF917D65E04773D7CAD393F7866F3FD
SHA-512:	D9C8364A85F4B4A96CAAC1409F32F9D6B2F8AE19201E0ABD2D449A3EEDADD471E99E44BC92DEB5D8FB60287DA64A88E61B45F759E7B9A383A9BBE5F5FD242F95
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8"?>.<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">.<plist version="1.0">.<dict>..<key>SingleDeviceSaveChangesThrottlingPolicy</key>..<string>1:1440</string>..<key>MultipleDeviceSaveChangesThrottlingPolicy</key>..<string>50:1 \| 10:2 \| 10:5 \| 10:30 \| 9:40 \| 1:510</string>..<key>SingleDeviceFetchChangesThrottlingPolicy</key>..<string>11:15 \| 1:1275</string>..<key>MultipleDeviceFetchChangesThrottlingPolicy</key>..<string>50:1 \| 50:3 \| 20:4 \| 20:5 \| 20:15 \| 20:18 \| 20:20</string>..<key>SyncCircleSizeRetrievalThrottlingPolicy</key>..<string>1:1440</string>..<key>MaximumRequestLimitCharacterCount</key>..<integer>100000</integer>..<key>SyncWindow</key>..<real>1209600</real>..<key>HistoryModificationIdleDelayBeforeSyncAttemptKey</key>..<integer>90</integer>..<key>HistoryRemovalIdleDelayBeforeSyncAttempt</key>..<integer>6</integer>..<key>SaveChangesBeforeTerminationTimeout</key>..<integer>1</integer>.</dic

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari)/KnownExtensions.plist

Download File

Process:	/Applications/Safari.app/Contents/MacOS/Safari
File Type:	Apple binary property list
Category:	dropped
Size (bytes):	2890
Entropy (8bit):	6.383267531551876
Encrypted:	false
SSDEEP:	48:FMO+0F/o0CCPb/bCCoumzC6kiaR/wN4Gfhb0NegHI5mP0waijwg+tiEe:FMO+EoOfjovzCuv5I12msjtHe
MD5:	99707B6E8B1DAA434DE2A176A458F85C
SHA1:	96324F62483DD7AC8683D1850D694BB900EB3419
SHA-256:	F282D8A52BFDCD208792A47C074E59A1E16D627D53094E11FC73E595AEC7DDAD
SHA-512:	E8018018F91A5CE5C418F5C6445DC11A44B40AA6F619958D496B18507B3FE309415BF9AB293E9C7C0B3E4BA109213D0216D39C0304A7BC3CCE301DB0A729430C
Malicious:	false
Reputation:	low
Preview:	bplist00..=..........!$'*-0369<?BEHKNPRTWZ]`cfilnqtwz}......................._..Bundle Identifier_..Developer Identifier_..com.ci.LetyShopsZ8SY8U2YJ38....._..com.stopallads.stopalladssafariZW5672G9B78....._..com.ci.MyPointsScoreZPV79DKGW8E....._..com.shopicks.safariZ52637H29AM....._..com.mallforafrica.mfaZW67LVM7587....._..com.ci.FatWalletExpressZMUA2CU723E....._..com.ci.CashrewardsZWPDLU326V5....._..com.ci.ObybSecurityZ284W368NRK.....^com.ci.AmikashZP77C556755.... _..com.ci.ShopBackCashbackButtonZ63768R85VC..."#_..com.skaggivara.UniblockZ9ZWDNJ5X28...%&_..com.pcvark.adblockerZRQA86TX865...()_..com.ci.PrescritZDPQ487PKR3...+,^com.ci.CashBagZWPHQAS3C45..../_..com.betteradvertising.ghosteryZHPY23A294X...12_..com.ci.RotaryGumdropZ24MGUH34FU...45_..com.ci.DeippiesnlSpaarhulpZH8MVFTTJJ3...78_..com.ci.Rewards4RacingZL6C8C726SQ...:;_..com.findx.privacycontrolZ5QE6FTCMP9...=>_..com.ci.ShopandGivereminderZ5KWKJVWBTS...@A_..com.el1t.uBlockZ3NU33NW2M3...CD_..com.ci.DealDoktorZN64U5Y52L6...FG_.(co

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari)/LastSession.plist

Download File

Process:	/Applications/Safari.app/Contents/MacOS/Safari
File Type:	Apple binary property list
Category:	dropped
Size (bytes):	1485
Entropy (8bit):	7.233816091748867
Encrypted:	false
SSDEEP:	24:/MVp+dVGmEH3oFqBlw8VUSeZTAqg9e/jQmjTbNhLkdzT1W6Nry0/toeIg8VUSGbt:E3NmrFEUbZTlg9eLRjLk9vNGHSEUdNy+
MD5:	5E19B2FA5A16BD746A0804DA1436B452
SHA1:	9D3CF77EE58A62CEA256C9DA011F23FECB2D3E74
SHA-256:	F4D57F184A92281CD2C542FB0C7A01536C6DB99B6E464F35F03FBED46DC37F04
SHA-512:	8C5DDBC1698BD3A6A62E1CC4232BFC5C4EE1F5C0A3AC3CF53DBDFD74AF5CB5EA1EF05B9D7F5EB846176696BE4E14ABB26C317483EFA39322654B4C155D64C035
Malicious:	false
Reputation:	low
Preview:	bplist00.....^SessionVersion^SessionWindowsS1.0............................9_..SelectedTabIndex\TabBarHiddenZDateClosed_..FavoritesBarHidden]IsPopupWindow_. PrefersReadingListSidebarVisible\Miniaturized_..WindowStateVersionZWindowUUID_..WindowContentRectYTabStates_..IsPrivateWindow_..SelectedPinnedTabIndex...3A.H'7.......S2.0_.$95F4D813-245C-49E1-8D1E-8105F3AA4017_..{{0, 49}, {1024, 696}}.... !."#.$%&'().,-...0123456.\IsDisposable\SessionState_..AncestorTabIdentifers_..SessionStateIsEncryptedXTabIndex]LastVisitTimeWTabUUIDVTabURL]TabIdentifierXTabTitle_..ProcessIdentifierWIsMuted.O..4hv'n3.r9.........X1i...~.#".........3 ... }..'g&2.X.1..#!9.L.ljr.....Q.......`.<=.N......_K}_.3Q.ZT:E.R.N.t..A:y\|....p. ...j.ZL.%.lk.Q....(..sK:Z\|..z...}..&.t9.&.w.jCt...F...........\.=...?..T.>...%....e....4...{...B.~#2..?uV..j>....O(4....[..n._m&w.....1...C..:...^T_3...`(..6't......K{.tV.[.....sI...T.....r..T.......S@93uK..w.P.v..".M...@.7....;..?........;....V..+A..m..R5.*M..Q.

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari)/Preferences.plist

Download File

Process:	/Applications/Safari.app/Contents/MacOS/Safari
File Type:	Apple binary property list
Category:	dropped
Size (bytes):	76
Entropy (8bit):	3.9370658315190226
Encrypted:	false
SSDEEP:	3:N1n6qMvRGNMTAnd/t1tH:N1nleRaMTAltH
MD5:	CDC65B5F112547EAFAE0F16F9C149426
SHA1:	AEAF9908A5B6FF3E2F7B738ABF5FE9E79108BA01
SHA-256:	1C6D085D871A855CE4A3902BAB4B9B92631B8EE8F0B7F6536768A2AAF427B45C
SHA-512:	E8B0E4CE6A760A718A19976D3CFE9063F04FB4BF179947AECA84E94C83F21459FB9DC0FFABEA8F633BD2D0BA94FE1E15D8C97E9604FDE8BD0DEA961EB83BDDB7
Malicious:	false
Reputation:	low
Preview:	bplist00..._..ExtensionArchivesExtracted...(...............................)

Static File Info

⊘No static file info

Network Behavior

Download Network PCAP: filtered – full

Network Port Distribution

Total Packets: 114
• 443 (HTTPS)
• 80 (HTTP)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 10, 2024 11:52:28.562864065 CEST	443	49347	17.248.192.4	192.168.11.12
Sep 10, 2024 11:52:28.562912941 CEST	443	49347	17.248.192.4	192.168.11.12
Sep 10, 2024 11:52:28.563633919 CEST	49347	443	192.168.11.12	17.248.192.4
Sep 10, 2024 11:52:28.563982010 CEST	49347	443	192.168.11.12	17.248.192.4
Sep 10, 2024 11:52:28.574592113 CEST	443	49347	17.248.192.4	192.168.11.12
Sep 10, 2024 11:52:28.574671030 CEST	443	49347	17.248.192.4	192.168.11.12
Sep 10, 2024 11:52:28.575666904 CEST	49347	443	192.168.11.12	17.248.192.4
Sep 10, 2024 11:52:28.576798916 CEST	49347	443	192.168.11.12	17.248.192.4
Sep 10, 2024 11:52:28.586122036 CEST	443	49347	17.248.192.4	192.168.11.12
Sep 10, 2024 11:52:28.586201906 CEST	443	49347	17.248.192.4	192.168.11.12
Sep 10, 2024 11:52:28.587102890 CEST	49347	443	192.168.11.12	17.248.192.4
Sep 10, 2024 11:52:28.587328911 CEST	49347	443	192.168.11.12	17.248.192.4
Sep 10, 2024 11:52:28.597790003 CEST	443	49347	17.248.192.4	192.168.11.12
Sep 10, 2024 11:52:28.597868919 CEST	443	49347	17.248.192.4	192.168.11.12
Sep 10, 2024 11:52:28.599026918 CEST	49347	443	192.168.11.12	17.248.192.4
Sep 10, 2024 11:52:28.599899054 CEST	49347	443	192.168.11.12	17.248.192.4
Sep 10, 2024 11:52:28.609427929 CEST	443	49347	17.248.192.4	192.168.11.12
Sep 10, 2024 11:52:28.609529018 CEST	443	49347	17.248.192.4	192.168.11.12
Sep 10, 2024 11:52:28.610728979 CEST	49347	443	192.168.11.12	17.248.192.4
Sep 10, 2024 11:52:28.611064911 CEST	49347	443	192.168.11.12	17.248.192.4
Sep 10, 2024 11:52:28.621153116 CEST	443	49347	17.248.192.4	192.168.11.12
Sep 10, 2024 11:52:28.621234894 CEST	443	49347	17.248.192.4	192.168.11.12
Sep 10, 2024 11:52:28.622754097 CEST	49347	443	192.168.11.12	17.248.192.4
Sep 10, 2024 11:52:28.632703066 CEST	443	49347	17.248.192.4	192.168.11.12
Sep 10, 2024 11:52:28.632782936 CEST	443	49347	17.248.192.4	192.168.11.12
Sep 10, 2024 11:52:28.633527040 CEST	49347	443	192.168.11.12	17.248.192.4
Sep 10, 2024 11:52:28.687483072 CEST	443	49350	151.101.67.6	192.168.11.12
Sep 10, 2024 11:52:28.687551975 CEST	443	49350	151.101.67.6	192.168.11.12
Sep 10, 2024 11:52:28.689393044 CEST	49350	443	192.168.11.12	151.101.67.6
Sep 10, 2024 11:52:28.702471972 CEST	443	49351	151.101.67.6	192.168.11.12
Sep 10, 2024 11:52:28.704169989 CEST	49351	443	192.168.11.12	151.101.67.6
Sep 10, 2024 11:52:28.705838919 CEST	49351	443	192.168.11.12	151.101.67.6
Sep 10, 2024 11:52:28.717875004 CEST	443	49347	17.248.192.4	192.168.11.12
Sep 10, 2024 11:52:28.717956066 CEST	443	49347	17.248.192.4	192.168.11.12
Sep 10, 2024 11:52:28.719732046 CEST	49347	443	192.168.11.12	17.248.192.4
Sep 10, 2024 11:52:28.723598957 CEST	443	49347	17.248.192.4	192.168.11.12
Sep 10, 2024 11:52:28.723675966 CEST	443	49347	17.248.192.4	192.168.11.12
Sep 10, 2024 11:52:28.725263119 CEST	49347	443	192.168.11.12	17.248.192.4
Sep 10, 2024 11:52:28.735363960 CEST	443	49347	17.248.192.4	192.168.11.12
Sep 10, 2024 11:52:28.737361908 CEST	49347	443	192.168.11.12	17.248.192.4
Sep 10, 2024 11:52:28.869004011 CEST	443	49351	151.101.67.6	192.168.11.12
Sep 10, 2024 11:52:28.870687008 CEST	443	49351	151.101.67.6	192.168.11.12
Sep 10, 2024 11:52:28.870743036 CEST	443	49351	151.101.67.6	192.168.11.12
Sep 10, 2024 11:52:28.870769978 CEST	443	49351	151.101.67.6	192.168.11.12
Sep 10, 2024 11:52:28.870810032 CEST	443	49351	151.101.67.6	192.168.11.12
Sep 10, 2024 11:52:28.870830059 CEST	443	49351	151.101.67.6	192.168.11.12
Sep 10, 2024 11:52:28.872594118 CEST	49351	443	192.168.11.12	151.101.67.6
Sep 10, 2024 11:52:28.872594118 CEST	49351	443	192.168.11.12	151.101.67.6
Sep 10, 2024 11:52:28.872700930 CEST	49351	443	192.168.11.12	151.101.67.6
Sep 10, 2024 11:52:28.875691891 CEST	49351	443	192.168.11.12	151.101.67.6
Sep 10, 2024 11:52:28.891606092 CEST	49351	443	192.168.11.12	151.101.67.6
Sep 10, 2024 11:52:29.055378914 CEST	443	49351	151.101.67.6	192.168.11.12
Sep 10, 2024 11:52:29.055454016 CEST	443	49351	151.101.67.6	192.168.11.12
Sep 10, 2024 11:52:29.056314945 CEST	49351	443	192.168.11.12	151.101.67.6
Sep 10, 2024 11:52:29.611824036 CEST	49347	443	192.168.11.12	17.248.192.4
Sep 10, 2024 11:52:29.776881933 CEST	443	49347	17.248.192.4	192.168.11.12
Sep 10, 2024 11:52:32.051961899 CEST	49347	443	192.168.11.12	17.248.192.4
Sep 10, 2024 11:52:32.217744112 CEST	443	49347	17.248.192.4	192.168.11.12
Sep 10, 2024 11:52:32.218835115 CEST	49347	443	192.168.11.12	17.248.192.4
Sep 10, 2024 11:52:32.325787067 CEST	49347	443	192.168.11.12	17.248.192.4
Sep 10, 2024 11:52:32.491287947 CEST	443	49347	17.248.192.4	192.168.11.12
Sep 10, 2024 11:52:36.285299063 CEST	49372	80	192.168.11.12	206.189.188.237
Sep 10, 2024 11:52:36.394876957 CEST	49373	80	192.168.11.12	147.182.129.240
Sep 10, 2024 11:52:36.510134935 CEST	80	49372	206.189.188.237	192.168.11.12
Sep 10, 2024 11:52:36.510786057 CEST	49372	80	192.168.11.12	206.189.188.237
Sep 10, 2024 11:52:36.512270927 CEST	49372	80	192.168.11.12	206.189.188.237
Sep 10, 2024 11:52:36.620383978 CEST	80	49373	147.182.129.240	192.168.11.12
Sep 10, 2024 11:52:36.621028900 CEST	49373	80	192.168.11.12	147.182.129.240
Sep 10, 2024 11:52:36.740366936 CEST	80	49372	206.189.188.237	192.168.11.12
Sep 10, 2024 11:52:36.741250992 CEST	49372	80	192.168.11.12	206.189.188.237
Sep 10, 2024 11:52:37.107068062 CEST	49376	80	192.168.11.12	206.189.188.237
Sep 10, 2024 11:52:37.335299969 CEST	80	49376	206.189.188.237	192.168.11.12
Sep 10, 2024 11:52:37.336378098 CEST	49376	80	192.168.11.12	206.189.188.237
Sep 10, 2024 11:52:37.338479996 CEST	49376	80	192.168.11.12	206.189.188.237
Sep 10, 2024 11:52:37.572243929 CEST	80	49376	206.189.188.237	192.168.11.12
Sep 10, 2024 11:52:37.575148106 CEST	49376	80	192.168.11.12	206.189.188.237
Sep 10, 2024 11:52:59.532577991 CEST	49388	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:52:59.532680988 CEST	443	49388	151.101.131.6	192.168.11.12
Sep 10, 2024 11:52:59.533684969 CEST	49388	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:52:59.534524918 CEST	49388	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:52:59.534631968 CEST	443	49388	151.101.131.6	192.168.11.12
Sep 10, 2024 11:52:59.880362034 CEST	443	49388	151.101.131.6	192.168.11.12
Sep 10, 2024 11:52:59.881139040 CEST	49388	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:52:59.881139040 CEST	49388	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:52:59.905349970 CEST	49388	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:52:59.905585051 CEST	443	49388	151.101.131.6	192.168.11.12
Sep 10, 2024 11:52:59.906225920 CEST	443	49388	151.101.131.6	192.168.11.12
Sep 10, 2024 11:52:59.906286001 CEST	49388	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:52:59.906845093 CEST	49388	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:52:59.931639910 CEST	49389	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:52:59.931766987 CEST	443	49389	151.101.131.6	192.168.11.12
Sep 10, 2024 11:52:59.932390928 CEST	49389	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:52:59.933551073 CEST	49389	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:52:59.933625937 CEST	443	49389	151.101.131.6	192.168.11.12
Sep 10, 2024 11:53:00.278115034 CEST	443	49389	151.101.131.6	192.168.11.12
Sep 10, 2024 11:53:00.278983116 CEST	49389	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:53:00.278983116 CEST	49389	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:53:00.284519911 CEST	49389	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:53:00.284723997 CEST	443	49389	151.101.131.6	192.168.11.12
Sep 10, 2024 11:53:00.285315990 CEST	443	49389	151.101.131.6	192.168.11.12
Sep 10, 2024 11:53:00.285407066 CEST	49389	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:53:00.285962105 CEST	49389	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:53:00.315654039 CEST	49391	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:53:00.315782070 CEST	443	49391	151.101.131.6	192.168.11.12
Sep 10, 2024 11:53:00.316616058 CEST	49391	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:53:00.317344904 CEST	49391	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:53:00.317405939 CEST	443	49391	151.101.131.6	192.168.11.12
Sep 10, 2024 11:53:00.657444954 CEST	443	49391	151.101.131.6	192.168.11.12
Sep 10, 2024 11:53:00.659303904 CEST	49391	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:53:00.659321070 CEST	49391	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:53:00.665530920 CEST	49391	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:53:00.665610075 CEST	443	49391	151.101.131.6	192.168.11.12
Sep 10, 2024 11:53:00.665764093 CEST	443	49391	151.101.131.6	192.168.11.12
Sep 10, 2024 11:53:00.666315079 CEST	49391	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:53:00.666542053 CEST	49391	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:53:00.678927898 CEST	49394	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:53:00.678994894 CEST	443	49394	151.101.131.6	192.168.11.12
Sep 10, 2024 11:53:00.679616928 CEST	49394	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:53:00.680275917 CEST	49394	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:53:00.680315018 CEST	443	49394	151.101.131.6	192.168.11.12
Sep 10, 2024 11:53:01.021945000 CEST	443	49394	151.101.131.6	192.168.11.12
Sep 10, 2024 11:53:01.023744106 CEST	49394	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:53:01.023744106 CEST	49394	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:53:01.030169964 CEST	49394	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:53:01.030466080 CEST	443	49394	151.101.131.6	192.168.11.12
Sep 10, 2024 11:53:01.031214952 CEST	443	49394	151.101.131.6	192.168.11.12
Sep 10, 2024 11:53:01.031346083 CEST	49394	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:53:01.031877995 CEST	49394	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:53:06.137672901 CEST	49409	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:53:06.137774944 CEST	443	49409	151.101.131.6	192.168.11.12
Sep 10, 2024 11:53:06.138513088 CEST	49409	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:53:06.139569998 CEST	49409	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:53:06.139636040 CEST	443	49409	151.101.131.6	192.168.11.12
Sep 10, 2024 11:53:06.479393959 CEST	443	49409	151.101.131.6	192.168.11.12
Sep 10, 2024 11:53:06.480225086 CEST	49409	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:53:06.480420113 CEST	49409	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:53:06.524424076 CEST	49409	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:53:06.524701118 CEST	443	49409	151.101.131.6	192.168.11.12
Sep 10, 2024 11:53:06.525346994 CEST	443	49409	151.101.131.6	192.168.11.12
Sep 10, 2024 11:53:06.525860071 CEST	49409	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:53:06.526221037 CEST	49409	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:53:06.633404016 CEST	49414	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:53:06.633532047 CEST	443	49414	151.101.131.6	192.168.11.12
Sep 10, 2024 11:53:06.634458065 CEST	49414	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:53:06.635400057 CEST	49414	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:53:06.635472059 CEST	443	49414	151.101.131.6	192.168.11.12
Sep 10, 2024 11:53:06.739041090 CEST	80	49372	206.189.188.237	192.168.11.12
Sep 10, 2024 11:53:06.740032911 CEST	49372	80	192.168.11.12	206.189.188.237
Sep 10, 2024 11:53:06.743488073 CEST	49372	80	192.168.11.12	206.189.188.237
Sep 10, 2024 11:53:06.967852116 CEST	80	49372	206.189.188.237	192.168.11.12
Sep 10, 2024 11:53:06.979330063 CEST	443	49414	151.101.131.6	192.168.11.12
Sep 10, 2024 11:53:06.980073929 CEST	49414	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:53:06.980186939 CEST	49414	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:53:06.987467051 CEST	49414	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:53:06.987673998 CEST	443	49414	151.101.131.6	192.168.11.12
Sep 10, 2024 11:53:06.988229990 CEST	443	49414	151.101.131.6	192.168.11.12
Sep 10, 2024 11:53:06.988262892 CEST	49414	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:53:06.988830090 CEST	49414	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:53:07.571449995 CEST	80	49376	206.189.188.237	192.168.11.12
Sep 10, 2024 11:53:07.573088884 CEST	49376	80	192.168.11.12	206.189.188.237
Sep 10, 2024 11:53:07.574606895 CEST	49376	80	192.168.11.12	206.189.188.237
Sep 10, 2024 11:53:07.802450895 CEST	80	49376	206.189.188.237	192.168.11.12
Sep 10, 2024 11:53:08.349214077 CEST	49419	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:53:08.349339008 CEST	443	49419	151.101.131.6	192.168.11.12
Sep 10, 2024 11:53:08.350276947 CEST	49419	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:53:08.354597092 CEST	49419	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:53:08.354692936 CEST	443	49419	151.101.131.6	192.168.11.12
Sep 10, 2024 11:53:08.697801113 CEST	443	49419	151.101.131.6	192.168.11.12
Sep 10, 2024 11:53:08.698796034 CEST	49419	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:53:08.698956013 CEST	49419	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:53:08.708822966 CEST	49419	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:53:08.709019899 CEST	443	49419	151.101.131.6	192.168.11.12
Sep 10, 2024 11:53:08.709619045 CEST	443	49419	151.101.131.6	192.168.11.12
Sep 10, 2024 11:53:08.709645987 CEST	49419	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:53:08.710787058 CEST	49419	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:53:26.625977039 CEST	49344	80	192.168.11.12	184.28.121.22
Sep 10, 2024 11:53:26.790009022 CEST	80	49344	184.28.121.22	192.168.11.12
Sep 10, 2024 11:53:26.791650057 CEST	49344	80	192.168.11.12	184.28.121.22
Sep 10, 2024 11:53:39.988105059 CEST	49420	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:53:39.988233089 CEST	443	49420	151.101.131.6	192.168.11.12
Sep 10, 2024 11:53:39.989337921 CEST	49420	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:53:39.990212917 CEST	49420	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:53:39.990281105 CEST	443	49420	151.101.131.6	192.168.11.12
Sep 10, 2024 11:53:40.333029032 CEST	443	49420	151.101.131.6	192.168.11.12
Sep 10, 2024 11:53:40.334726095 CEST	49420	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:53:40.334774971 CEST	49420	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:53:40.341243982 CEST	49420	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:53:40.341519117 CEST	443	49420	151.101.131.6	192.168.11.12
Sep 10, 2024 11:53:40.342201948 CEST	49420	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:53:40.342251062 CEST	443	49420	151.101.131.6	192.168.11.12
Sep 10, 2024 11:53:40.343045950 CEST	49420	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:53:40.355078936 CEST	49421	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:53:40.355204105 CEST	443	49421	151.101.131.6	192.168.11.12
Sep 10, 2024 11:53:40.355886936 CEST	49421	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:53:40.356540918 CEST	49421	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:53:40.356607914 CEST	443	49421	151.101.131.6	192.168.11.12
Sep 10, 2024 11:53:40.695271015 CEST	443	49421	151.101.131.6	192.168.11.12
Sep 10, 2024 11:53:40.696137905 CEST	49421	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:53:40.696137905 CEST	49421	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:53:40.707432985 CEST	49421	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:53:40.707576036 CEST	443	49421	151.101.131.6	192.168.11.12
Sep 10, 2024 11:53:40.707860947 CEST	443	49421	151.101.131.6	192.168.11.12
Sep 10, 2024 11:53:40.708389997 CEST	49421	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:53:40.708700895 CEST	49421	443	192.168.11.12	151.101.131.6
Sep 10, 2024 11:53:40.911297083 CEST	49422	443	192.168.11.12	151.101.195.6
Sep 10, 2024 11:53:40.911431074 CEST	443	49422	151.101.195.6	192.168.11.12
Sep 10, 2024 11:53:40.912168980 CEST	49422	443	192.168.11.12	151.101.195.6
Sep 10, 2024 11:53:40.913369894 CEST	49422	443	192.168.11.12	151.101.195.6
Sep 10, 2024 11:53:40.913438082 CEST	443	49422	151.101.195.6	192.168.11.12
Sep 10, 2024 11:53:41.251070976 CEST	443	49422	151.101.195.6	192.168.11.12
Sep 10, 2024 11:53:41.251816034 CEST	49422	443	192.168.11.12	151.101.195.6
Sep 10, 2024 11:53:41.252055883 CEST	49422	443	192.168.11.12	151.101.195.6
Sep 10, 2024 11:53:41.293138981 CEST	49422	443	192.168.11.12	151.101.195.6
Sep 10, 2024 11:53:41.293345928 CEST	443	49422	151.101.195.6	192.168.11.12
Sep 10, 2024 11:53:41.293951988 CEST	443	49422	151.101.195.6	192.168.11.12
Sep 10, 2024 11:53:41.293994904 CEST	49422	443	192.168.11.12	151.101.195.6
Sep 10, 2024 11:53:41.294518948 CEST	49422	443	192.168.11.12	151.101.195.6
Sep 10, 2024 11:53:41.323203087 CEST	49423	443	192.168.11.12	151.101.195.6
Sep 10, 2024 11:53:41.323329926 CEST	443	49423	151.101.195.6	192.168.11.12
Sep 10, 2024 11:53:41.324398041 CEST	49423	443	192.168.11.12	151.101.195.6
Sep 10, 2024 11:53:41.327847958 CEST	49423	443	192.168.11.12	151.101.195.6
Sep 10, 2024 11:53:41.327951908 CEST	443	49423	151.101.195.6	192.168.11.12
Sep 10, 2024 11:53:41.670130014 CEST	443	49423	151.101.195.6	192.168.11.12
Sep 10, 2024 11:53:41.672296047 CEST	49423	443	192.168.11.12	151.101.195.6
Sep 10, 2024 11:53:41.672297001 CEST	49423	443	192.168.11.12	151.101.195.6
Sep 10, 2024 11:53:41.680150032 CEST	49423	443	192.168.11.12	151.101.195.6
Sep 10, 2024 11:53:41.680437088 CEST	443	49423	151.101.195.6	192.168.11.12
Sep 10, 2024 11:53:41.680989981 CEST	49423	443	192.168.11.12	151.101.195.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 10, 2024 11:52:36.117168903 CEST	49290	53	192.168.11.12	1.1.1.1
Sep 10, 2024 11:52:36.282212973 CEST	53	49290	1.1.1.1	192.168.11.12
Sep 10, 2024 11:52:51.372994900 CEST	53	55636	1.1.1.1	192.168.11.12
Sep 10, 2024 11:53:40.739701033 CEST	60935	53	192.168.11.12	1.1.1.1
Sep 10, 2024 11:53:40.904437065 CEST	53	60935	1.1.1.1	192.168.11.12

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 10, 2024 11:52:36.117168903 CEST	192.168.11.12	1.1.1.1	0xb47c	Standard query (0)	sync.kueezrtb.com	A (IP address)	IN (0x0001)	false
Sep 10, 2024 11:53:40.739701033 CEST	192.168.11.12	1.1.1.1	0xc7b7	Standard query (0)	h3.apis.apple.map.fastly.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 10, 2024 11:52:36.282212973 CEST	1.1.1.1	192.168.11.12	0xb47c	No error (0)	sync.kueezrtb.com	synckueez.cootlogix.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 10, 2024 11:52:36.282212973 CEST	1.1.1.1	192.168.11.12	0xb47c	No error (0)	synckueez.cootlogix.com	sync.cootlogix.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 10, 2024 11:52:36.282212973 CEST	1.1.1.1	192.168.11.12	0xb47c	No error (0)	sync.cootlogix.com	ao9ui4chmm.puzztake.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 10, 2024 11:52:36.282212973 CEST	1.1.1.1	192.168.11.12	0xb47c	No error (0)	ao9ui4chmm.puzztake.com	hj5ozcalb.puzztake.com		CNAME (Canonical name)	IN (0x0001)	false
Sep 10, 2024 11:52:36.282212973 CEST	1.1.1.1	192.168.11.12	0xb47c	No error (0)	hj5ozcalb.puzztake.com		206.189.188.237	A (IP address)	IN (0x0001)	false
Sep 10, 2024 11:52:36.282212973 CEST	1.1.1.1	192.168.11.12	0xb47c	No error (0)	hj5ozcalb.puzztake.com		147.182.129.240	A (IP address)	IN (0x0001)	false
Sep 10, 2024 11:53:40.904437065 CEST	1.1.1.1	192.168.11.12	0xc7b7	No error (0)	h3.apis.apple.map.fastly.net		151.101.67.6	A (IP address)	IN (0x0001)	false
Sep 10, 2024 11:53:40.904437065 CEST	1.1.1.1	192.168.11.12	0xc7b7	No error (0)	h3.apis.apple.map.fastly.net		151.101.195.6	A (IP address)	IN (0x0001)	false
Sep 10, 2024 11:53:40.904437065 CEST	1.1.1.1	192.168.11.12	0xc7b7	No error (0)	h3.apis.apple.map.fastly.net		151.101.3.6	A (IP address)	IN (0x0001)	false
Sep 10, 2024 11:53:40.904437065 CEST	1.1.1.1	192.168.11.12	0xc7b7	No error (0)	h3.apis.apple.map.fastly.net		151.101.131.6	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

sync.kueezrtb.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.11.12	49372	206.189.188.237	80

Timestamp	Bytes transferred	Direction	Data
Sep 10, 2024 11:52:36.512270927 CEST	371	OUT	GET / HTTP/1.1 Host: sync.kueezrtb.com Upgrade-Insecure-Requests: 1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.2 Safari/605.1.15 Accept-Language: en-gb Accept-Encoding: gzip, deflate Connection: keep-alive
Sep 10, 2024 11:52:36.740366936 CEST	487	IN	HTTP/1.1 404 Not Found access-control-allow-origin: * access-control-allow-headers: Origin, X-Requested-With, Content-Type, Accept, Authorization access-control-allow-credentials: true p3p: CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV ADMa" access-control-allow-methods: GET, HEAD, OPTIONS, POST content-type: application/json; charset=utf-8 content-length: 43 date: Tue, 10 Sep 2024 09:52:36 GMT keep-alive: timeout=5 Data Raw: 7b 22 73 74 61 74 75 73 43 6f 64 65 22 3a 34 30 34 2c 22 6d 65 73 73 61 67 65 22 3a 22 43 61 6e 6e 6f 74 20 47 45 54 20 2f 22 7d Data Ascii: {"statusCode":404,"message":"Cannot GET /"}

Session ID	Source IP	Source Port	Destination IP	Destination Port
1	192.168.11.12	49376	206.189.188.237	80

Timestamp	Bytes transferred	Direction	Data
Sep 10, 2024 11:52:37.338479996 CEST	328	OUT	GET /favicon.ico HTTP/1.1 Host: sync.kueezrtb.com Connection: keep-alive Accept: / User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.2 Safari/605.1.15 Accept-Language: en-gb Referer: http://sync.kueezrtb.com/ Accept-Encoding: gzip, deflate
Sep 10, 2024 11:52:37.572243929 CEST	498	IN	HTTP/1.1 404 Not Found access-control-allow-origin: * access-control-allow-headers: Origin, X-Requested-With, Content-Type, Accept, Authorization access-control-allow-credentials: true p3p: CP="NOI DSP COR PSAo PSDo OUR IND UNI COM NAV ADMa" access-control-allow-methods: GET, HEAD, OPTIONS, POST content-type: application/json; charset=utf-8 content-length: 54 date: Tue, 10 Sep 2024 09:52:37 GMT keep-alive: timeout=5 Data Raw: 7b 22 73 74 61 74 75 73 43 6f 64 65 22 3a 34 30 34 2c 22 6d 65 73 73 61 67 65 22 3a 22 43 61 6e 6e 6f 74 20 47 45 54 20 2f 66 61 76 69 63 6f 6e 2e 69 63 6f 22 7d Data Ascii: {"statusCode":404,"message":"Cannot GET /favicon.ico"}

HTTPS Connections

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Sep 10, 2024 11:52:28.870769978 CEST	151.101.67.6	443	192.168.11.12	49351	CN=bag.itunes.apple.com, O=Apple Inc., L=Cupertino, ST=California, C=US, SERIALNUMBER=C0806592, OID.1.3.6.1.4.1.311.60.2.1.2=California, OID.1.3.6.1.4.1.311.60.2.1.3=US, OID.2.5.4.15=Private Organization CN=Apple Public EV Server RSA CA 2 - G1, O=Apple Inc., C=US	CN=Apple Public EV Server RSA CA 2 - G1, O=Apple Inc., C=US CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Fri Apr 26 02:39:11 CEST 2024 Wed Apr 29 14:54:50 CEST 2020	Wed Oct 23 02:49:11 CEST 2024 Thu Apr 11 01:59:59 CEST 2030	771,49196-49195-49188-49187-49162-49161-52393-49200-49199-49192-49191-49172-49171-52392-157-156-61-60-53-47-49160-49170-10,65281-0-23-13-5-13172-18-16-11-10,29-23-24-25,0	5c118da645babe52f060d0754256a73c
Sep 10, 2024 11:52:28.870769978 CEST	151.101.67.6	443	192.168.11.12	49351	CN=Apple Public EV Server RSA CA 2 - G1, O=Apple Inc., C=US	CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Apr 29 14:54:50 CEST 2020	Thu Apr 11 01:59:59 CEST 2030		5c118da645babe52f060d0754256a73c

System Behavior

Analysis Process: mono-sgen32 PID: 617, Parent PID: 537

General

Start time (UTC):	09:52:30
Start date (UTC):	10/09/2024
Path:	/Library/Frameworks/Mono.framework/Versions/4.4.2/bin/mono-sgen32
Arguments:	-
File size:	3722408 bytes
MD5 hash:	8910349f44a940d8d79318367855b236

File Activities

File Read (Anonymous Pipes)

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: open PID: 617, Parent PID: 537

General

Start time (UTC):	09:52:30
Start date (UTC):	10/09/2024
Path:	/usr/bin/open
Arguments:	/usr/bin/open -a Safari http://sync.kueezrtb.com
File size:	105952 bytes
MD5 hash:	34bd93241fa5d2aee225941b1ca14fa4

File Activities

File Opened

File Read

File Seeked

Directory Enumerated

Process Activities

Process Exited

Process Killed

System Activities

Sysctl Requested

Chronological Activities

Analysis Process: xpcproxy PID: 618, Parent PID: 1

General

Start time (UTC):	09:52:30
Start date (UTC):	10/09/2024
Path:	/usr/libexec/xpcproxy
Arguments:	-
File size:	44048 bytes
MD5 hash:	4764d9eafe6b7dac23253a9f8b7f73d6

File Activities

File Opened

Directory Created

Process Activities

Process Spawned

System Activities

Sysctl Requested

Chronological Activities

Analysis Process: Safari PID: 618, Parent PID: 1

General

Start time (UTC):	09:52:30
Start date (UTC):	10/09/2024
Path:	/Applications/Safari.app/Contents/MacOS/Safari
Arguments:	/Applications/Safari.app/Contents/MacOS/Safari
File size:	27120 bytes
MD5 hash:	2dde28c2f8a38ed2701ba17a0893cbc1

File Activities

File Opened

File Created

File Deleted

File Truncated

File Read

File Read (Anonymous Pipes)

File Written

File Seeked

File Moved

Directory Enumerated

Directory Attributes Enumerated Bulk

Directory Created

Directory Deleted

Permission Modified

Extended Attributes Set

System Activities

Sysctl Requested

Chronological Activities

Analysis Process: xpcproxy PID: 628, Parent PID: 1

General

Start time (UTC):	09:52:41
Start date (UTC):	10/09/2024
Path:	/usr/libexec/xpcproxy
Arguments:	-
File size:	44048 bytes
MD5 hash:	4764d9eafe6b7dac23253a9f8b7f73d6

File Activities

File Opened

Directory Created

Process Activities

Process Spawned

System Activities

Sysctl Requested

Chronological Activities

Analysis Process: silhouette PID: 628, Parent PID: 1

General

Start time (UTC):	09:52:42
Start date (UTC):	10/09/2024
Path:	/usr/libexec/silhouette
Arguments:	/usr/libexec/silhouette
File size:	65920 bytes
MD5 hash:	485ec1bd3cd09293e26d05f6fe464bfd

File Activities

File Opened

File Read

File Seeked

Directory Enumerated

Directory Created

System Activities

Sysctl Requested

Chronological Activities

Analysis Process: xpcproxy PID: 645, Parent PID: 1

General

Start time (UTC):	09:53:12
Start date (UTC):	10/09/2024
Path:	/usr/libexec/xpcproxy
Arguments:	-
File size:	44048 bytes
MD5 hash:	4764d9eafe6b7dac23253a9f8b7f73d6

File Activities

File Opened

Process Activities

Process Spawned

System Activities

Sysctl Requested

Chronological Activities

Analysis Process: eficheck PID: 645, Parent PID: 1

General

Start time (UTC):	09:53:12
Start date (UTC):	10/09/2024
Path:	/usr/libexec/firmwarecheckers/eficheck/eficheck
Arguments:	/usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check-daemon
File size:	74048 bytes
MD5 hash:	328beb81a2263449258057506bb4987f

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

macOS Analysis Report http://sync.kueezrtb.com

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Persistence and Installation Behavior

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/dev/null

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/C/com.apple.Safari/com.apple.scriptmanager2.le.cache

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/C/com.apple.Safari/mds/mdsDirectory.db_

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/C/com.apple.Safari/mds/mdsObject.db_

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari 2)/AutoFillQuirks.plist

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari)/CacheSettings.plist

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari)/CloudHistoryRemoteConfiguration.plist

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari)/KnownExtensions.plist

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari)/LastSession.plist

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari)/Preferences.plist

Static File Info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

HTTPS Connections

System Behavior

Analysis Process: mono-sgen32 PID: 617, Parent PID: 537

General

File Activities

File Read (Anonymous Pipes)

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: open PID: 617, Parent PID: 537

General

File Activities

File Opened

File Read

File Seeked

macOS Analysis Report
http://sync.kueezrtb.com