Edit tour

macOS Analysis Report
http://seed.grubhubforrestaurants.com

Overview

General Information

Sample URL:	http://seed.grubhubforrestaurants.com
Analysis ID:	1670327
Infos:

Detection

Score:	0
Range:	0 - 100

Signatures

No high impact signatures.

Classification

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1670327
Start date and time:	2025-04-21 15:44:36 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	http://seed.grubhubforrestaurants.com
Analysis system description:	Virtual Machine, Mojave (Office 16 16.27, Java 11.0.2+9, Adobe Reader 2019.010.20099)
macOS major version:	10.14
CPU architecture:	x86_64
Analysis Mode:	default
Detection:	CLEAN
Classification:	clean0.mac@0/14@36/0

Warnings

Excluded IPs from analysis (whitelisted): 17.137.170.34, 17.253.24.197, 17.253.13.139, 17.253.83.204, 17.253.120.201, 17.253.125.201, 17.253.61.202, 17.253.67.139, 17.253.3.146, 172.64.149.23, 23.222.200.29, 3.130.116.206, 23.222.201.219, 52.15.215.21, 142.250.176.202, 17.253.3.136, 17.36.200.79, 17.253.3.140, 17.253.3.138
Excluded domains from analysis (whitelisted): e11408.d.akamaiedge.net, smoot-searchv2.v.aaplimg.com, updates.cdn-apple.com.akadns.net, crl.apple.com, ocsp.comodoca.com, radarsubmissions.apple.com, itunes.apple.com.edgekey.net, safebrowsing.googleapis.com, help.apple.com, init.itunes.apple.com, mesu-cdn.apple.com.akadns.net, lcdn-locator-usuqo.apple.com.akadns.net, e673.dsce9.akamaiedge.net, help-ar.apple.com.edgekey.net, api.smoot.apple.com, bag-smoot.v.aaplimg.com, mesu-cdn.origin-apple.com.akadns.net, configuration.apple.com, lcdn-locator.apple.com.akadns.net, help.origin-apple.com.akadns.net, radarsubmissions.apple.com.akadns.net, lcdn-locator.apple.com, mesu.g.aaplimg.com, updates.g.aaplimg.com, configuration.apple.com.akadns.net, configuration.apple.com.edgekey.net, mesu.apple.com, updates.cdn-apple.com, init-cdn.itunes-apple.com.akadns.net, api2.smoot.apple.com
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: http://seed.grubhubforrestaurants.com

Process Tree

System is macvm-mojave

xpcproxy New Fork (PID: 609, Parent: 1)

nsurlstoraged (MD5: 321b0a40e24b45f0af49ba42742b3f64) Arguments: /usr/libexec/nsurlstoraged --privileged

mono-sgen32 New Fork (PID: 613, Parent: 537)

open (MD5: 34bd93241fa5d2aee225941b1ca14fa4) Arguments: /usr/bin/open -a Safari http://seed.grubhubforrestaurants.com

xpcproxy New Fork (PID: 614, Parent: 1)

Safari (MD5: 2dde28c2f8a38ed2701ba17a0893cbc1) Arguments: /Applications/Safari.app/Contents/MacOS/Safari

xpcproxy New Fork (PID: 628, Parent: 1)

silhouette (MD5: 485ec1bd3cd09293e26d05f6fe464bfd) Arguments: /usr/libexec/silhouette

xpcproxy New Fork (PID: 644, Parent: 1)

eficheck (MD5: 328beb81a2263449258057506bb4987f) Arguments: /usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check-daemon

cleanup

Yara Signatures

⊘No yara matches

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• Compliance
• Networking
• System Summary
• Persistence and Installation Behavior
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: unknown	HTTPS traffic detected: 151.101.47.6:443 -> 192.168.11.12:49348 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.47.6:443 -> 192.168.11.12:49351 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.47.6:443 -> 192.168.11.12:49353 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 3.130.8.225:443 -> 192.168.11.12:49381 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 3.130.8.225:443 -> 192.168.11.12:49384 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.47.6:443 -> 192.168.11.12:49392 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.47.6:443 -> 192.168.11.12:49393 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.47.6:443 -> 192.168.11.12:49395 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.47.6:443 -> 192.168.11.12:49398 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.47.6:443 -> 192.168.11.12:49418 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.47.6:443 -> 192.168.11.12:49420 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.47.6:443 -> 192.168.11.12:49423 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.47.6:443 -> 192.168.11.12:49424 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.47.6:443 -> 192.168.11.12:49425 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.47.6:443 -> 192.168.11.12:49426 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.47.6:443 -> 192.168.11.12:49427 version: TLS 1.2

Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.47.6
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.47.6
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.47.6
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.47.6
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.199.70
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.199.70
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.199.70
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.199.70
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.199.70
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.47.6
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.47.6
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.199.70
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.199.70
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.199.70
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.199.70
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.47.6
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.199.70
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.199.70
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.199.70
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.199.70
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.199.70
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.199.70
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.199.70
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.199.70
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.47.6
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.47.6
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.199.70
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.199.70
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.199.70
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.199.70
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.199.70
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.199.70
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.199.70
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.199.70
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.199.70
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.199.70
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.199.70
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.199.70
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.199.70
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.199.70
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.47.6
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.47.6
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.47.6
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.47.6
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.47.6
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.47.6
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.47.6
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.47.6
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.47.6
Source: unknown	TCP traffic detected without corresponding DNS query: 151.101.47.6

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKdate: Mon, 21 Apr 2025 13:45:44 GMTserver: Apachevary: Accept-Encodingcontent-encoding: gzipcontent-length: 1211content-type: text/html; charset=UTF-8connection: closeData Raw: 1f 8b 08 00 00 00 00 00 00 03 ed 57 5d 73 9b 38 14 7d 4e 66 f2 1f 34 ee cc da 99 6e 6d 30 71 b7 49 ec ec ac 63 c0 75 0a 8e b1 11 31 2f 3b 20 09 03 16 82 08 f9 b3 93 ff be c2 76 da ed ee c3 ee 73 27 bc 18 a4 73 75 cf bd f2 39 82 6e 2c 32 7a 77 71 de 8d 49 80 ab 5f 91 08 4a ee 16 7c 15 c6 ab 30 ca 39 27 a5 08 56 3c 60 a2 6c a2 3c eb b6 8e 00 89 2c 11 4f 0a 01 c4 ae 20 bd 9a 20 5b d1 4a 83 75 70 1c ad 81 92 a3 5e ad 95 96 ad 28 61 0b c2 0b 9e 30 d1 4a 92 88 34 b3 84 35 d3 b2 76 d7 6d 1d b1 ff b9 96 04 ac 03 0e 38 c1 09 27 48 fc 49 13 b6 04 3d 50 8f 85 28 6e 5a 2d bc 2b 92 c5 aa 22 d7 8a 9a 45 5c fc 4e 7a 61 3b 4b b2 64 cd 9f ee f3 28 d7 76 0c 29 fa e3 66 78 75 1d 2d e7 1b c7 80 6a 68 e2 47 3f f3 a1 db b6 3f fb 1e 34 b0 31 ca 91 67 3c 4f 69 df 85 4a dc 87 ba e1 ce d9 44 41 6d 67 4c 96 13 8e 06 90 fa 99 9a ce 3c c3 f4 9f 8a 8d d3 c6 5b db dc 28 ae 12 0f a6 ed eb 36 f6 9c 99 ad 74 32 64 da 7d 5b 2f 55 d7 c5 62 32 eb af a6 43 7f 64 eb d7 6b 57 a5 1d 92 5d a7 fe d3 52 9b 0d a1 e9 33 c8 02 6f 6b ca 35 47 d8 f3 07 78 69 69 f8 a9 cf b0 d2 c9 6d c9 6d 22 b3 d9 6a 1c 87 cc 77 fd c1 72 ef 66 ce 92 d0 be e9 30 e8 b9 ea 1f ed 30 33 1e bd 59 7c 3f 87 0b d5 77 6d db d1 3f c9 9c 86 47 06 d6 1a 99 6a 1c ea 9b 35 72 55 0f b5 b7 9e 3f 73 0c 6b 4f 2d 62 5e 6b 7e ba 68 a3 d4 19 3b d0 f8 82 4d 61 38 5e 5c ce b5 be 85 28 5d 5b 6e 87 8e 21 f6 3c a3 b8 0f 07 46 e9 64 f6 de df c7 62 9a 7d d2 c6 03 c7 1d 43 fa 10 2e 71 e0 a5 68 ed e9 a3 79 e0 4e ae 42 93 e6 ee 7e f4 f1 41 2b 66 d6 70 c2 e7 8a 2a 02 98 6f 7d 25 f6 1c 83 9a c1 f4 da f3 97 46 39 6f 2f 94 09 f3 fb 16 8b 95 80 15 26 f6 a0 37 db fb 63 4b 51 b7 13 97 8e 83 36 bd f2 97 9d 61 a8 20 8e cd ed b3 27 fb 6d 1b 54 fd a2 b8 1d e4 41 6b 42 e1 03 f2 ca ce 58 57 67 d3 14 3e db fa 42 c1 6d b8 79 d0 e0 47 6b e0 0c ac 14 8e 7c 6f a4 79 a6 ce d1 d2 e8 38 9e b0 b1 be 5d 23 6f b3 7e 50 61 8e da 45 80 cd 72 8f 32 3c 80 86 cf c6 06 bc 0a 15 7d 87 15 11 04 c3 91 1d aa c5 c3 7c 3f b2 ed 14 9a ee f4 7a e2 ea 6a 36 35 70 02 07 8e 56 ed c0 f8 09 33 dc a6 3b 6b d0 d7 91 56 ac 5c 9d 3e c2 a1 9f 4e a0 be b7 52 a3 b0 5c 7b 8b 86 fa 15 d6 fa 3b 9f 4d 36 63 e8 f3 59 86 2d 68 aa c3 a9 36 9a 8f 5d 5f 77 52 df 9f a6 b8 0c f6 68 87 34 fb 11 6a 78 ef 40 f8 34 f5 b6 43 a4 42 e6 6b 92 9b f9 69 3f 5b 96 f2 7f a7 f3 5f ea b7 17 e7 17 e7 ad 16 98 12 01 02 20 92 8c e4 2b 01 f2 08 68 8a 02 b2 84 d2 a4 24 28 67 b8 04 22 07 64 4b d0 4a 10 09 7c d5 09 48 22 20 62 02 fe 26 40 50 f0 3c 93 51 20 0a 12 5a 02 29 6f 50 e6 19 91 21 41 Data Ascii: W]s8}Nf4nm0qIcu1/; vs'su9n,2zwqI_J\|09'V<`l<,O [Jup^(a0J45vm8'HI=P(nZ-+"E\Nza;Kd(v)fxu-jhG??41g<OiJDAmgL<[(6t2d}[/Ub2CdkW]
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKdate: Mon, 21 Apr 2025 13:45:45 GMTserver: Apachelast-modified: Tue, 22 Oct 2024 03:26:38 GMTetag: "85c0-62508564b3780-gzip"accept-ranges: bytesvary: Accept-Encodingcontent-encoding: gzipcontent-length: 14345content-type: application/javascriptconnection: closeData Raw: 1f 8b 08 00 00 00 00 00 00 03 cd 7d 5b 57 e3 c8 96 e6 7b af d5 ff c1 28 ab b3 a4 44 36 92 2f 24 98 54 b1 80 e4 96 05 24 09 24 90 76 f9 70 64 29 b0 95 e8 e2 d2 c5 60 12 cf 5f 98 df d0 f3 3a 0f 33 8f fd 34 0f a7 57 ff af f9 76 84 6e 36 86 aa 3a 6b 1e e6 9c 2c 2c 45 ec 88 d8 11 b1 63 df 22 62 6b e5 dd bb 7f fd 97 ca bb ca 9e e3 0f 58 38 0a 1d 3f fe 74 5e 19 37 6a cd 9a 56 a9 56 76 82 d1 24 74 06 c3 b8 22 5b ca 2c 90 5a 39 f4 2d b5 52 d7 ea 8d 8a 3c 8c e3 51 d4 5e 59 b9 2d 20 6a 56 e0 29 bc ee 23 c7 62 7e c4 ec 4a e2 db 2c ac c4 43 56 39 3e bc 10 85 50 e6 fe fe be 16 8c 00 11 24 a1 c5 6a 41 38 58 71 45 89 68 c5 73 e2 6a fa 52 1b 0d 47 4a 25 7b a1 8a 79 e5 17 43 27 aa 44 c1 6d 7c 6f 86 ac 62 05 7e 6c 3a 7e 84 07 9b 55 6e c3 c0 ab 50 d5 55 51 77 65 14 06 df 99 15 47 6d 5e f4 38 09 bd 24 3c 30 a3 61 a3 d2 9f 54 7e 35 43 d3 af 1c 4d 02 14 cf 3b 34 70 e2 61 d2 a7 be ac dc 51 be 4b d9 2b 5e 51 b2 f6 3d e2 bd 5c f9 d7 7f 19 9b e1 ec 10 19 b7 89 6f c5 4e e0 cb 4c f9 21 25 11 ab 44 71 e8 58 b1 b4 41 a0 7e 91 ad fc 08 59 9c 84 3e d2 3e f7 09 c3 9a 19 45 ce c0 7f 7a 2a d7 70 1b 84 32 2f a8 c6 86 ae 86 86 19 0e 12 8f f9 71 54 73 99 3f 88 87 1b f1 87 70 23 5e 5e 56 32 c0 a0 e2 50 95 39 5c 37 ee 29 69 fd 18 89 38 88 27 23 56 1b 9a d1 e7 7b ff 34 c4 38 85 f1 a4 66 99 ae 2b fb 6a a0 bc 7d 2b b3 6e d0 33 7c fc 51 36 52 fc d8 54 f5 6b e6 68 e4 4e e4 18 03 af e6 55 2b d3 8d 0c d5 4a 2c 33 15 38 aa 61 d1 2d 76 2f c7 4f 4f 72 6c a0 1d cf 89 98 a2 c8 72 de b5 40 35 d1 b9 ac b4 43 5d 8d c3 c9 8f 44 0e 6b 3e 7b 40 6d 8a 32 b5 cc d8 1a ca be f2 c3 c4 9f e9 34 87 b6 ca d0 f1 30 0c ee 5f 05 4f 08 9c 8f e1 06 ab d9 81 cf 36 03 99 d5 c6 a6 9b 30 a5 2d fb 46 fa ac 02 0d 3f 8a 4d df 62 c1 6d 25 de f4 db e8 01 fa 25 97 a7 83 51 d5 8a a2 a0 59 e6 cb 8e 6a 29 d3 44 96 43 23 4c 07 08 b5 3c 3d 75 7b 00 e0 bd 50 08 b8 c0 24 a4 7c 81 0b 46 4a c5 18 a8 8e f1 c3 35 fb cc 6d 6b 6a 84 31 6d 97 c8 c3 b9 95 f5 b7 41 57 eb 29 bc 8f 95 a0 ab f7 b2 39 a1 e7 a9 8a 31 88 da dd 9e 1a 8c e8 67 9a 65 9a c6 0f 6a bd 6d c9 9a a2 f2 b2 78 d4 15 55 64 e3 b9 ae 4c 55 29 6b 49 32 0c a2 09 f4 f9 7c e2 f5 03 17 34 60 76 c5 63 cd 89 59 68 c6 41 d8 5b 40 b6 44 0b 53 45 35 37 4a f3 62 Data Ascii: }[W{(D6/$T$$vpd)`_:34Wvn6:k,,Ec"bkX8?t^7jVVv$t"[,Z9-R<Q^Y- jV)#b~J,CV9>P$jA8XqEhsjRGJ%{yC'Dm\|ob~l:~UnPUQweGm^8$<0aT~5CM;4paQK+^Q=\oNL!%DqXA~Y>>Ez*p2/qTs?p#^^V2P9\7)i8'#V{48f+j}+n3\|Q6RTkhNU+J,38a-v/OOrlr@5C]Dk>{@m24
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKdate: Mon, 21 Apr 2025 13:45:46 GMTserver: Apachevary: Accept-Encodingcontent-encoding: gzipcontent-length: 977content-type: text/html; charset=UTF-8connection: closeData Raw: 1f 8b 08 00 00 00 00 00 00 03 95 95 5d 6f a3 46 14 86 ef 57 ca 7f 40 a9 d4 24 b5 6a f3 61 5b f5 6e 9c aa 4e c0 04 1b 88 07 66 30 73 53 01 83 33 98 01 26 80 3f 77 fb df 6b 87 ac 94 c4 be 68 e7 06 f1 72 9e 33 ef 61 3e ce 2d ad 33 76 77 f1 e5 96 c6 01 39 3e eb a4 66 f1 dd 73 b9 0a e9 2a 5c 14 65 19 57 75 b0 2a 83 bc ae da 51 91 dd 76 9a 80 43 64 15 95 09 af 85 7a c7 e3 e1 65 1d 6f eb ce 32 58 07 8d 7a 79 08 58 07 a5 50 c6 24 29 e3 a8 fe 9b 25 79 2a 0c 85 2b 5a d7 fc 6b a7 43 76 3c 79 5e 1d 13 76 16 72 9b 53 fe 67 3c 64 ce 6c 1b cc f2 17 3f ec cb 7e be 59 f5 b3 3f a6 bb 79 77 b0 48 6b d7 cf 7a de 4c 24 4f 64 6c 40 0b 51 0d cf 41 80 f7 e6 2e ca 0c 09 e4 51 d7 54 80 e5 aa c6 2c 12 a9 1b a6 a0 17 cf c9 2a f6 34 86 5c 34 85 ac e8 79 cc 98 c0 87 91 13 e5 40 b7 18 9f a0 9c 1b 33 8f 99 13 e5 af 2d 74 cd 8d 3d a7 20 76 b5 47 28 f2 75 e4 46 b2 a3 60 df 87 c6 3d d1 b0 ee 48 50 c2 4b c4 22 91 60 00 07 dc 63 0c d8 e3 5a 22 19 d7 02 8d ea 53 79 60 4c 15 80 8f f1 8e 48 14 9c f1 6e f4 00 6a a8 f1 03 53 f7 63 d7 48 fd 3d 75 e2 25 5a 62 4d 5b 02 31 da 02 6f 30 b3 75 be 0f c6 dc f4 c6 2c 8b c6 74 63 8d b7 a2 97 d6 25 92 fd 1e 94 e8 12 78 3d 11 79 86 19 6a 7c 87 25 8b 5a c8 98 22 48 5c 8c b0 1c a7 58 47 9a 35 b2 3d 5a 44 8c ca ce 1c e8 ee 7d 25 fa ec 79 e7 78 92 e3 e6 e4 d1 dd 0d ec 98 91 2e 54 98 19 8d 81 ea a8 e0 e5 e0 a1 22 d9 b3 e4 8b 86 1a 78 db ae 3d 1e f4 9c 31 4f 5c 44 5f cc 8c 1b d8 e3 92 99 51 c3 51 46 34 9e 9b 8a cb 46 13 3f a7 72 a4 73 18 a7 b3 8d 9f 3e 2a 44 46 14 c9 92 4e 64 3e c1 2a 5e 23 85 2a b3 25 81 21 42 fd 48 b7 32 4f 45 4f 60 c9 fa 87 da 47 d6 1e 4c a0 da 9b 06 1e 11 c1 de f0 ec 87 91 16 43 cb c7 5a ba 0b 55 b0 35 73 a3 e7 22 6c 5b 4b b6 0d c4 81 45 20 ed bb 1a 71 b0 3e da 3b 19 4a 43 e9 50 f3 de e8 43 55 9a ba 90 43 22 5b 45 b8 1b 14 40 33 1c fc 40 f3 99 87 26 1e 52 37 36 04 15 cc 61 19 66 c0 b7 55 ee 9b 12 b1 7c 11 a4 40 37 2a 90 6e 7d a8 8c a6 87 3d e1 3b 4b fc e2 3c 80 27 4b 03 a6 a7 76 bb ae 64 e5 01 b4 ba c1 dc 7a 32 11 7b 01 73 e4 83 39 d0 66 39 54 4c 05 d7 61 32 c0 56 46 b4 48 06 23 53 03 d4 dc d5 1b 4f 03 f7 41 66 71 7b ce 1e 61 06 26 91 18 6d 6c 04 cb 19 23 7b 3f 45 72 a4 f0 1e d4 46 65 98 63 d3 4f 8b 4d 88 28 05 b2 bf c7 7b 71 70 f5 ad 39 17 eb ea 78 18 7e 5d 57 c3 ab d6 26 c9 49 b1 69 27 79 1e 97 5e 42 6a 2a b4 84 ab af 1f 75 3d 4e 9e 69 fd 06 93 06 26 ef e0 c3 a9 8b e3 bc bd 39 c5 df be d0 f7 09 2a f6 9a a0 62 9f 13 cc cf b1 fe 1b 55 34 d3 16 d5 70 71 2c e3 e2 4b b2 b8 fe 44 df 0d 85 33 86 6e 84 ef ef e0 Data Ascii: ]oFW@$ja[nNf0sS3&?wkhr3a>-3vw9>fs\eWuQvCdzeo2XzyXP$)%y+ZkCv<y^vrSg<dl?~Y?ywHkzL$Odl@QA.QT,4\4y@3-t= vG(uF`=HPK"`cZ"Sy`L

Source: global traffic	HTTP traffic detected: GET /click.php?key=z4vx0cwffbwphlk1ydyk&cpv=0.005&subid=1432787208&sid=20250421234543edb753f5095fb676f9 HTTP/1.1Host: phisocoly.comConnection: keep-aliveUpgrade-Insecure-Requests: 1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.2 Safari/605.1.15Referer: http://dypigu.com/f.php?e=b2mimivrXCofo3ync0EPwH49fkYwRFV1bGdPZmZVU2NIZWVFdFJocWFqSlBUV0hBVEFUYnQ0c2ROekQrcDVlZm1jTWFGZXpwR2dxNGw0U0hDS292dWRTN05mcGNBNEs1UUdtQTBuSHZJNE9vU1l5em9jZXk3THVGZnVnaWxGZm1JdWZDdkM3dXBnd05oNGdPQlZmN1hhbnZUZDkzUmRkelBGRnVWU1A2bmFPWThCYVg1ZUNNRE81UUFWeDMvcG1hbEwvcU1Wc2xWZTRFMzlMeG93Zjg2cjRORVFLdGtFRWhsY3BMcllvMU5lOVdWWFpCbDFsRmNzZzhtSm83ODRUOVlKbkdaWjcvWEJYaUQ4bGloUzJ6K3pTMHQrY01taVoxZ0hWRFlGaS9WZkFsY2g0QnZBMnh0anpGdWVWTzZOM01xQUlOa2l4Zk5Hb0crdGxqWDVlNFl1L0U5cWVMQlVKcWs5OE1TSjVqNEg0d2VwK3V6MDRDMjVJZWJ3WGErckF5RWtNdExvcWwvK1Voc2padGszcmdDVFZnOFV4b0Eyd0taaHJNb1pKYzJNNjVGUS9QUE1mSFdiVDR3ZUZDOXdnd2lyMDBEc3puUElPVHZjQVEzMjFpMUNxcHE4d3ByZnQwOVZrTmdMVG1HS3JYOUZERjZZSjdsazcyc3NPV3dzRVVXSWxHc1VnZ3dDVG8zTks0c2Er&fp=-7Accept-Language: en-gbAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: phisocoly.comAccept: /Connection: keep-aliveCookie: uclick=pmlp9lqqqd; uclickhash=pmlp9lqqqd-pmlp9lqqqd-ydlp-52a3dz-nt8w0-ktu3dz-ktu3bl-cc97ccUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.2 Safari/605.1.15Accept-Language: en-gbReferer: https://phisocoly.com/click.php?key=z4vx0cwffbwphlk1ydyk&cpv=0.005&subid=1432787208&sid=20250421234543edb753f5095fb676f9Accept-Encoding: br, gzip, deflate
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: seed.grubhubforrestaurants.comUpgrade-Insecure-Requests: 1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.2 Safari/605.1.15Accept-Language: en-gbAccept-Encoding: gzip, deflateConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /f.php?e=b2mimivrXCofo3ync0EPwH49fkYwRFV1bGdPZmZVU2NIZWVFdFJocWFqSlBUV0hBVEFUYnQ0c2ROekQrcDVlZm1jTWFGZXpwR2dxNGw0U0hDS292dWRTN05mcGNBNEs1UUdtQTBuSHZJNE9vU1l5em9jZXk3THVGZnVnaWxGZm1JdWZDdkM3dXBnd05oNGdPQlZmN1hhbnZUZDkzUmRkelBGRnVWU1A2bmFPWThCYVg1ZUNNRE81UUFWeDMvcG1hbEwvcU1Wc2xWZTRFMzlMeG93Zjg2cjRORVFLdGtFRWhsY3BMcllvMU5lOVdWWFpCbDFsRmNzZzhtSm83ODRUOVlKbkdaWjcvWEJYaUQ4bGloUzJ6K3pTMHQrY01taVoxZ0hWRFlGaS9WZkFsY2g0QnZBMnh0anpGdWVWTzZOM01xQUlOa2l4Zk5Hb0crdGxqWDVlNFl1L0U5cWVMQlVKcWs5OE1TSjVqNEg0d2VwK3V6MDRDMjVJZWJ3WGErckF5RWtNdExvcWwvK1Voc2padGszcmdDVFZnOFV4b0Eyd0taaHJNb1pKYzJNNjVGUS9QUE1mSFdiVDR3ZUZDOXdnd2lyMDBEc3puUElPVHZjQVEzMjFpMUNxcHE4d3ByZnQwOVZrTmdMVG1HS3JYOUZERjZZSjdsazcyc3NPV3dzRVVXSWxHc1VnZ3dDVG8zTks0c2Er HTTP/1.1Host: dypigu.comUpgrade-Insecure-Requests: 1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.2 Safari/605.1.15Accept-Language: en-gbAccept-Encoding: gzip, deflateConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /js/fingerprint/iife.min.js HTTP/1.1Host: dypigu.comConnection: keep-aliveAccept: /User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.2 Safari/605.1.15Accept-Language: en-gbReferer: http://dypigu.com/f.php?e=b2mimivrXCofo3ync0EPwH49fkYwRFV1bGdPZmZVU2NIZWVFdFJocWFqSlBUV0hBVEFUYnQ0c2ROekQrcDVlZm1jTWFGZXpwR2dxNGw0U0hDS292dWRTN05mcGNBNEs1UUdtQTBuSHZJNE9vU1l5em9jZXk3THVGZnVnaWxGZm1JdWZDdkM3dXBnd05oNGdPQlZmN1hhbnZUZDkzUmRkelBGRnVWU1A2bmFPWThCYVg1ZUNNRE81UUFWeDMvcG1hbEwvcU1Wc2xWZTRFMzlMeG93Zjg2cjRORVFLdGtFRWhsY3BMcllvMU5lOVdWWFpCbDFsRmNzZzhtSm83ODRUOVlKbkdaWjcvWEJYaUQ4bGloUzJ6K3pTMHQrY01taVoxZ0hWRFlGaS9WZkFsY2g0QnZBMnh0anpGdWVWTzZOM01xQUlOa2l4Zk5Hb0crdGxqWDVlNFl1L0U5cWVMQlVKcWs5OE1TSjVqNEg0d2VwK3V6MDRDMjVJZWJ3WGErckF5RWtNdExvcWwvK1Voc2padGszcmdDVFZnOFV4b0Eyd0taaHJNb1pKYzJNNjVGUS9QUE1mSFdiVDR3ZUZDOXdnd2lyMDBEc3puUElPVHZjQVEzMjFpMUNxcHE4d3ByZnQwOVZrTmdMVG1HS3JYOUZERjZZSjdsazcyc3NPV3dzRVVXSWxHc1VnZ3dDVG8zTks0c2ErAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: dypigu.comConnection: keep-aliveAccept: /User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.2 Safari/605.1.15Accept-Language: en-gbReferer: http://dypigu.com/f.php?e=b2mimivrXCofo3ync0EPwH49fkYwRFV1bGdPZmZVU2NIZWVFdFJocWFqSlBUV0hBVEFUYnQ0c2ROekQrcDVlZm1jTWFGZXpwR2dxNGw0U0hDS292dWRTN05mcGNBNEs1UUdtQTBuSHZJNE9vU1l5em9jZXk3THVGZnVnaWxGZm1JdWZDdkM3dXBnd05oNGdPQlZmN1hhbnZUZDkzUmRkelBGRnVWU1A2bmFPWThCYVg1ZUNNRE81UUFWeDMvcG1hbEwvcU1Wc2xWZTRFMzlMeG93Zjg2cjRORVFLdGtFRWhsY3BMcllvMU5lOVdWWFpCbDFsRmNzZzhtSm83ODRUOVlKbkdaWjcvWEJYaUQ4bGloUzJ6K3pTMHQrY01taVoxZ0hWRFlGaS9WZkFsY2g0QnZBMnh0anpGdWVWTzZOM01xQUlOa2l4Zk5Hb0crdGxqWDVlNFl1L0U5cWVMQlVKcWs5OE1TSjVqNEg0d2VwK3V6MDRDMjVJZWJ3WGErckF5RWtNdExvcWwvK1Voc2padGszcmdDVFZnOFV4b0Eyd0taaHJNb1pKYzJNNjVGUS9QUE1mSFdiVDR3ZUZDOXdnd2lyMDBEc3puUElPVHZjQVEzMjFpMUNxcHE4d3ByZnQwOVZrTmdMVG1HS3JYOUZERjZZSjdsazcyc3NPV3dzRVVXSWxHc1VnZ3dDVG8zTks0c2ErAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: GET /f.php?e=b2mimivrXCofo3ync0EPwH49fkYwRFV1bGdPZmZVU2NIZWVFdFJocWFqSlBUV0hBVEFUYnQ0c2ROekQrcDVlZm1jTWFGZXpwR2dxNGw0U0hDS292dWRTN05mcGNBNEs1UUdtQTBuSHZJNE9vU1l5em9jZXk3THVGZnVnaWxGZm1JdWZDdkM3dXBnd05oNGdPQlZmN1hhbnZUZDkzUmRkelBGRnVWU1A2bmFPWThCYVg1ZUNNRE81UUFWeDMvcG1hbEwvcU1Wc2xWZTRFMzlMeG93Zjg2cjRORVFLdGtFRWhsY3BMcllvMU5lOVdWWFpCbDFsRmNzZzhtSm83ODRUOVlKbkdaWjcvWEJYaUQ4bGloUzJ6K3pTMHQrY01taVoxZ0hWRFlGaS9WZkFsY2g0QnZBMnh0anpGdWVWTzZOM01xQUlOa2l4Zk5Hb0crdGxqWDVlNFl1L0U5cWVMQlVKcWs5OE1TSjVqNEg0d2VwK3V6MDRDMjVJZWJ3WGErckF5RWtNdExvcWwvK1Voc2padGszcmdDVFZnOFV4b0Eyd0taaHJNb1pKYzJNNjVGUS9QUE1mSFdiVDR3ZUZDOXdnd2lyMDBEc3puUElPVHZjQVEzMjFpMUNxcHE4d3ByZnQwOVZrTmdMVG1HS3JYOUZERjZZSjdsazcyc3NPV3dzRVVXSWxHc1VnZ3dDVG8zTks0c2Er&fp=-7 HTTP/1.1Host: dypigu.comConnection: keep-aliveUpgrade-Insecure-Requests: 1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.2 Safari/605.1.15Referer: http://dypigu.com/f.php?e=b2mimivrXCofo3ync0EPwH49fkYwRFV1bGdPZmZVU2NIZWVFdFJocWFqSlBUV0hBVEFUYnQ0c2ROekQrcDVlZm1jTWFGZXpwR2dxNGw0U0hDS292dWRTN05mcGNBNEs1UUdtQTBuSHZJNE9vU1l5em9jZXk3THVGZnVnaWxGZm1JdWZDdkM3dXBnd05oNGdPQlZmN1hhbnZUZDkzUmRkelBGRnVWU1A2bmFPWThCYVg1ZUNNRE81UUFWeDMvcG1hbEwvcU1Wc2xWZTRFMzlMeG93Zjg2cjRORVFLdGtFRWhsY3BMcllvMU5lOVdWWFpCbDFsRmNzZzhtSm83ODRUOVlKbkdaWjcvWEJYaUQ4bGloUzJ6K3pTMHQrY01taVoxZ0hWRFlGaS9WZkFsY2g0QnZBMnh0anpGdWVWTzZOM01xQUlOa2l4Zk5Hb0crdGxqWDVlNFl1L0U5cWVMQlVKcWs5OE1TSjVqNEg0d2VwK3V6MDRDMjVJZWJ3WGErckF5RWtNdExvcWwvK1Voc2padGszcmdDVFZnOFV4b0Eyd0taaHJNb1pKYzJNNjVGUS9QUE1mSFdiVDR3ZUZDOXdnd2lyMDBEc3puUElPVHZjQVEzMjFpMUNxcHE4d3ByZnQwOVZrTmdMVG1HS3JYOUZERjZZSjdsazcyc3NPV3dzRVVXSWxHc1VnZ3dDVG8zTks0c2ErAccept-Language: en-gbAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: GET /f2.php?e=lSQxaQnqYb62Ynwu6m8LyX49fktTYm5WQ0dPdGJUNVhFZXRaZzMycmJ1Rnc4M3RNTEJQc0hTbkR5eXdueWFlVTVLUlo5WlJKUDBScnRHNlpKVnpJQWlMK3AxUTMwOXhReTFIU0pvcTc2S3ZYYUJCdFZHS1U1ZjVlc0dZRU9pWllROGt1dmpFaFhHL29JL3RZYUJCS0d3Zmp4cDRtUFplc0t6eTJkYzhSejVjZFFjR0cxRW9QOHpzaGpMWGlmcGhwNGx0WktrV2Y5U1hjRW50VWJMbFpyZ1NhNVJLVUdTZVZ2ekZHVFNBOWhoclh2SXRHTCs0YlgySW1STndITy9Oeld4U3lMcGRESERqejVsdmg1Y0JEaWx4OG95SGpiTVhqMmpJZWp1MmhJS3BheXM3TlBKYnh2cHpUekQwYkI3d2VhV21Hd2pKZEZvV3h3QjdUbVV6cHNmWEVPRjl6c0tBNzRKUE5LaWd0RzJWODBFeUNYZFkybERxMnJ5TVZONjlxa09NdUh6TFdSZHBzSmVkb1JLVzJ6UE1LTUpUd2Noby9oRFJSZDhnQWVKWVEwOURsUnUrbmRYOEpYM1dNY0RkRHJsRkxYU3BLeXdYSjZqSDRPNFRMWE44T1NnaUN4aXNPMVlqRXVYRXRFQnU3M3Ztbi9ZNmdFc2RBMFRhMytwWFRCamNpOXlIUmRKc0cwOVUrQldzYkV2c3p5UFBrbnZMYkowbVhhR2YzZz09&vs=1024:658&ds=1024:768&sl=0:23&os=f&nos=f HTTP/1.1Host: dypigu.comConnection: keep-aliveUpgrade-Insecure-Requests: 1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.2 Safari/605.1.15Referer: http://dypigu.com/f.php?e=b2mimivrXCofo3ync0EPwH49fkYwRFV1bGdPZmZVU2NIZWVFdFJocWFqSlBUV0hBVEFUYnQ0c2ROekQrcDVlZm1jTWFGZXpwR2dxNGw0U0hDS292dWRTN05mcGNBNEs1UUdtQTBuSHZJNE9vU1l5em9jZXk3THVGZnVnaWxGZm1JdWZDdkM3dXBnd05oNGdPQlZmN1hhbnZUZDkzUmRkelBGRnVWU1A2bmFPWThCYVg1ZUNNRE81UUFWeDMvcG1hbEwvcU1Wc2xWZTRFMzlMeG93Zjg2cjRORVFLdGtFRWhsY3BMcllvMU5lOVdWWFpCbDFsRmNzZzhtSm83ODRUOVlKbkdaWjcvWEJYaUQ4bGloUzJ6K3pTMHQrY01taVoxZ0hWRFlGaS9WZkFsY2g0QnZBMnh0anpGdWVWTzZOM01xQUlOa2l4Zk5Hb0crdGxqWDVlNFl1L0U5cWVMQlVKcWs5OE1TSjVqNEg0d2VwK3V6MDRDMjVJZWJ3WGErckF5RWtNdExvcWwvK1Voc2padGszcmdDVFZnOFV4b0Eyd0taaHJNb1pKYzJNNjVGUS9QUE1mSFdiVDR3ZUZDOXdnd2lyMDBEc3puUElPVHZjQVEzMjFpMUNxcHE4d3ByZnQwOVZrTmdMVG1HS3JYOUZERjZZSjdsazcyc3NPV3dzRVVXSWxHc1VnZ3dDVG8zTks0c2Er&fp=-7Accept-Language: en-gbAccept-Encoding: gzip, deflate

Source: AutoFillQuirks.plist.251.dr	String found in binary or memory: .https://www.facebook.com/settings?tab=security_ equals www.facebook.com (Facebook)
Source: AutoFillQuirks.plist.251.dr	String found in binary or memory: 2https://www.linkedin.com/psettings/change-password_ equals www.linkedin.com (Linkedin)
Source: TopSites.plist.251.dr	String found in binary or memory: https://www.facebook.com/XFacebook equals www.facebook.com (Facebook)
Source: TopSites.plist.251.dr	String found in binary or memory: https://www.linkedin.com/XLinkedIn equals www.linkedin.com (Linkedin)
Source: TopSites.plist.251.dr	String found in binary or memory: https://www.yahoo.com/UYahoo equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: seed.grubhubforrestaurants.com
Source: global traffic	DNS traffic detected: DNS query: dypigu.com
Source: global traffic	DNS traffic detected: DNS query: app.readpeak.com
Source: global traffic	DNS traffic detected: DNS query: www.eis.de
Source: global traffic	DNS traffic detected: DNS query: www.tipico.com
Source: global traffic	DNS traffic detected: DNS query: ad2.trafficgate.net
Source: global traffic	DNS traffic detected: DNS query: www.rotlichtkartei.com
Source: global traffic	DNS traffic detected: DNS query: afftrk.altex.ro
Source: global traffic	DNS traffic detected: DNS query: febrare.ru
Source: global traffic	DNS traffic detected: DNS query: pay4results24.eu
Source: global traffic	DNS traffic detected: DNS query: telegram.me
Source: global traffic	DNS traffic detected: DNS query: www.salidzini.lv
Source: global traffic	DNS traffic detected: DNS query: ad.letmeads.com
Source: global traffic	DNS traffic detected: DNS query: advmanager.techfun.pl
Source: global traffic	DNS traffic detected: DNS query: phisocoly.com
Source: global traffic	DNS traffic detected: DNS query: adserver.html.it
Source: global traffic	DNS traffic detected: DNS query: promo.vador.com
Source: global traffic	DNS traffic detected: DNS query: blackfridaysales.ro
Source: global traffic	DNS traffic detected: DNS query: adserv.ontek.com.tr
Source: global traffic	DNS traffic detected: DNS query: www.trizer.pl
Source: global traffic	DNS traffic detected: DNS query: click.hotlog.ru
Source: global traffic	DNS traffic detected: DNS query: event.2performant.com
Source: global traffic	DNS traffic detected: DNS query: adv.imadrep.co.kr
Source: global traffic	DNS traffic detected: DNS query: www.installads.net
Source: global traffic	DNS traffic detected: DNS query: l.profitshare.ro
Source: global traffic	DNS traffic detected: DNS query: xltube.nl
Source: global traffic	DNS traffic detected: DNS query: izlenzi.com
Source: global traffic	DNS traffic detected: DNS query: affiliazioniads.snai.it
Source: global traffic	DNS traffic detected: DNS query: utimg.ru
Source: global traffic	DNS traffic detected: DNS query: ad.planbplus.co.kr
Source: global traffic	DNS traffic detected: DNS query: landing.parkplatzkartei.com
Source: global traffic	DNS traffic detected: DNS query: interactive.forthnet.gr
Source: global traffic	DNS traffic detected: DNS query: axiabanners.exodus.gr
Source: global traffic	DNS traffic detected: DNS query: www.stumbleupon.com
Source: global traffic	DNS traffic detected: DNS query: hitcounter.ru
Source: global traffic	DNS traffic detected: DNS query: top.mail.ru

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.24.0Date: Mon, 21 Apr 2025 13:45:49 GMTContent-Type: text/htmlContent-Length: 153Connection: close

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49348
Source: unknown	Network traffic detected: HTTP traffic on port 49351 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49425
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49347
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49424
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49423
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49420
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49384
Source: unknown	Network traffic detected: HTTP traffic on port 49393 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49427 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49395 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49381
Source: unknown	Network traffic detected: HTTP traffic on port 49353 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49420 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49426 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49424 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49384 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49418
Source: unknown	Network traffic detected: HTTP traffic on port 49348 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49398 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49398
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49353
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49351
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49395
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49393
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49392
Source: unknown	Network traffic detected: HTTP traffic on port 49392 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49418 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49425 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49423 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49347 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49427
Source: unknown	Network traffic detected: HTTP traffic on port 49381 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49426

Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 614)	Random device file read: /dev/urandom			Jump to behavior
Source: /usr/libexec/firmwarecheckers/eficheck/eficheck (PID: 644)	Random device file read: /dev/random			Jump to behavior

Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 614)	Binary plist file created: /private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari)/KnownExtensions.plist	Jump to dropped file
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 614)	XML plist file created: /private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari)/CloudHistoryRemoteConfiguration.plist	Jump to dropped file
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 614)	Binary plist file created: /private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari 2)/AutoFillQuirks.plist	Jump to dropped file
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 614)	Binary plist file created: /private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari)/Preferences.plist	Jump to dropped file
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 614)	Binary plist file created: /private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari 2)/LastSession.plist	Jump to dropped file
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 614)	Binary plist file created: /private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari)/CacheSettings.plist	Jump to dropped file
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 614)	Binary plist file created: /private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari)/LastSession.plist	Jump to dropped file
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 614)	Binary plist file created: /private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari)/PerSiteZoomPreferences.plist	Jump to dropped file
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 614)	Binary plist file created: /private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari 2)/CacheSettings.plist	Jump to dropped file
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 614)	Binary plist file created: /private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari)/TopSites.plist	Jump to dropped file

Source: /usr/bin/open (PID: 613)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist			Jump to behavior
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 614)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist			Jump to behavior

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Direct Volume Access	OS Credential Dumping	1 System Information Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	4 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	5 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	4 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Name	IP	Active	Malicious	Reputation
advmanager.techfun.pl	178.33.55.187	true	false	high
e9520.ksd.akamaiedge.net	23.66.219.75	true	false	high
ip1.parkplatzkartei.com	185.52.189.101	true	false	unknown
ad.planbplus.co.kr	183.110.217.110	true	false	high
dypigu.com	103.224.182.206	true	false	unknown
adv.imadrep.co.kr	117.52.74.245	true	false	high
hitcounter.ru	46.148.230.18	true	false	high
ad.letmeads.com	185.69.153.89	true	false	high
dualstack.readpeakloadbalancer-production-126343442.eu-central-1.elb.amazonaws.com	18.193.137.14	true	false	high
catch-all.hotlog.ru	89.208.236.251	true	false	high
promo.vador.com	51.91.18.51	true	false	high
xltube.nl	217.22.19.83	true	false	high
ad2-trafficgate-net.gslb.rdcnw.net	133.237.128.69	true	false	high
pay4results24.eu	15.197.225.128	true	false	high
febrare.ru	185.137.235.9	true	false	high
s-part-0012.t-0009.t-msedge.net	13.107.246.40	true	false	high
www.rotlichtkartei.com	185.52.189.101	true	false	high
event.2performant.com	104.26.5.196	true	false	high
telegram.me	149.154.167.99	true	false	high
afftrk.altex.ro	81.196.185.8	true	false	high
www.salidzini.lv	104.21.56.43	true	false	high
trizer.pl	188.165.18.216	true	false	high
top.mail.ru	95.163.61.39	true	false	high
www.installads.net	104.21.20.197	true	false	high
e296.g.akamaiedge.net	23.204.242.177	true	false	high
phisocoly.com	3.130.8.225	true	false	unknown
seed.grubhubforrestaurants.com	207.244.76.131	true	false	unknown
blackfridaysales.ro	193.189.99.231	true	false	high
interactive.forthnet.gr	127.0.0.1	true	false	high
l.profitshare.ro	91.247.179.203	true	false	high
prd.ha.stumbleupon.com	3.214.100.128	true	false	high
www.stumbleupon.com	unknown	unknown	false	high
www.trizer.pl	unknown	unknown	false	high
ad2.trafficgate.net	unknown	unknown	false	high
affiliazioniads.snai.it	unknown	unknown	false	high
landing.parkplatzkartei.com	unknown	unknown	false	high
axiabanners.exodus.gr	unknown	unknown	false	high
app.readpeak.com	unknown	unknown	false	high
www.eis.de	unknown	unknown	false	high
click.hotlog.ru	unknown	unknown	false	high
adserver.html.it	unknown	unknown	false	high
utimg.ru	unknown	unknown	false	high
izlenzi.com	unknown	unknown	false	high
adserv.ontek.com.tr	unknown	unknown	false	high
www.tipico.com	unknown	unknown	false	high

Name	Source	Malicious	Reputation
https://www.sephora.com/profile/MyAccount_	AutoFillQuirks.plist.251.dr	false	high
https://myaccount.uscis.gov/users/registration/password_	AutoFillQuirks.plist.251.dr	false	high
https://www.dotloop.com/my/account/#/settings_	AutoFillQuirks.plist.251.dr	false	high
https://xhamster.com/password-recovery_	AutoFillQuirks.plist.251.dr	false	high
https://hotels.com/profile/settings.html_	AutoFillQuirks.plist.251.dr	false	high
https://myspace.com/settings/profile/email_	AutoFillQuirks.plist.251.dr	false	high
https://www.usaa.com/inet/ent_auth_password/pages/ChangePasswordPage_	AutoFillQuirks.plist.251.dr	false	high
https://allegro.pl/moje-allegro/moje-konto/logowanie-i-haslo_	AutoFillQuirks.plist.251.dr	false	high
https://customer.xfinity.com/users/me/update-password_	AutoFillQuirks.plist.251.dr	false	high
https://moncompte.lemonde.fr/gcustomer/account/password_	AutoFillQuirks.plist.251.dr	false	high
https://shein.com/user/security_	AutoFillQuirks.plist.251.dr	false	high
https://www.discogs.com/settings/user_	AutoFillQuirks.plist.251.dr	false	high
https://support.opentable.com/s/login/ForgotPassword?language=en_US_	AutoFillQuirks.plist.251.dr	false	high
https://fps.fidelity.com/ftgw/Fps/Fidelity/RtlCust/ChangePIN/Init_	AutoFillQuirks.plist.251.dr	false	high
https://www.amazon.com/ax/account/manage_	AutoFillQuirks.plist.251.dr	false	high
https://www.newsweek.com/contact_	AutoFillQuirks.plist.251.dr	false	high
https://www.birkenstock.com/profile_	AutoFillQuirks.plist.251.dr	false	high
https://id.sonyentertainmentnetwork.com/id/management/#/p/security_	AutoFillQuirks.plist.251.dr	false	high
https://www.nba.com/account/nbaprofile_	AutoFillQuirks.plist.251.dr	false	high
https://cloud.linode.com/profile/auth_	AutoFillQuirks.plist.251.dr	false	high
https://b2c.voegol.com.br/minhas-viagens/meu-perfil_	AutoFillQuirks.plist.251.dr	false	high
https://codepen.io/settings/account_	AutoFillQuirks.plist.251.dr	false	high
https://www.serasa.com.br/meus-dados/alterar-senha_	AutoFillQuirks.plist.251.dr	false	high
https://reg.usps.com/entreg/secure/ChangePasswordAction_input?returnActionName_	AutoFillQuirks.plist.251.dr	false	high
https://www.allrecipes.com/account/profile#/change-password_	AutoFillQuirks.plist.251.dr	false	high
https://pro.housecallpro.com/service_pro/account/reset_password_	AutoFillQuirks.plist.251.dr	false	high
https://user.manganelo.com/user_changes_pass_	AutoFillQuirks.plist.251.dr	false	high
https://www.dailymail.co.uk/registration/profile/change-password.html_	AutoFillQuirks.plist.251.dr	false	high
https://www.11st.co.kr/register/popupModifyPWD.tmall_	AutoFillQuirks.plist.251.dr	false	high
https://www.zulily.com/account/edit?rel=top_flyout_	AutoFillQuirks.plist.251.dr	false	high
https://cam.ana.co.jp/psz/us/amc_us.jsp?index=105_	AutoFillQuirks.plist.251.dr	false	high
https://www.creditkarma.com/myprofile/security_	AutoFillQuirks.plist.251.dr	false	high
https://secure07ea.chase.com/web/auth/dashboard#/dashboard/myProfileSignInSecurity/resetPassword/res	AutoFillQuirks.plist.251.dr	false	high
https://account.magento.com/customer/account/changepassword_	AutoFillQuirks.plist.251.dr	false	high
https://profile.theguardian.com/reset_	AutoFillQuirks.plist.251.dr	false	high
https://reelgood.com/account_	AutoFillQuirks.plist.251.dr	false	high
https://dash.e.jimdo.com/profile_	AutoFillQuirks.plist.251.dr	false	high
https://go.com/profile/account-settings/edit_	AutoFillQuirks.plist.251.dr	false	high
https://genius.com/password_resets/new_	AutoFillQuirks.plist.251.dr	false	high
https://www.macys.com/account/profile?cm_sp=macys_account-_-my_account-_-my_profile&linklocation=lef	AutoFillQuirks.plist.251.dr	false	high
https://logowanie.pl.canalplus.com/zmien-haslo_	AutoFillQuirks.plist.251.dr	false	high
https://www.alternate.de/html/myAccount/account/basicData.html_	AutoFillQuirks.plist.251.dr	false	high
https://blend.io/settings_	AutoFillQuirks.plist.251.dr	false	high
https://www.aesop.com/my-account_	AutoFillQuirks.plist.251.dr	false	high
https://member.daum.net/change/password.daum_	AutoFillQuirks.plist.251.dr	false	high
https://myaccount.virginmobile.ca/MyProfile/Details/EditProfile?editField=PASSWORD_	AutoFillQuirks.plist.251.dr	false	high
https://mastercard.syf.com/login/reset_	AutoFillQuirks.plist.251.dr	false	high
https://www.jcpenney.com/account/dashboard/personal/info_	AutoFillQuirks.plist.251.dr	false	high
https://www.yahoo.com/UYahoo	TopSites.plist.251.dr	false	high
https://worldstarhiphop.com/videos/reset.php_	AutoFillQuirks.plist.251.dr	false	high
https://www.shoop.de/einstellungen/benutzerdaten_	AutoFillQuirks.plist.251.dr	false	high
https://accounts.shopify.com/accounts/186490458/security_	AutoFillQuirks.plist.251.dr	false	high
https://app.carta.com/profiles/update/_	AutoFillQuirks.plist.251.dr	false	high
https://legacy.memoriams.com/Network/Account/ChangePassword_	AutoFillQuirks.plist.251.dr	false	high
https://profile.callofduty.com/cod/info_	AutoFillQuirks.plist.251.dr	false	high
https://blackwells.co.uk/bookshop/account/personal-details_	AutoFillQuirks.plist.251.dr	false	high
https://secure.hulu.com/account_	AutoFillQuirks.plist.251.dr	false	high
https://www.splunk.com/my-account/#/profile-details_	AutoFillQuirks.plist.251.dr	false	high
https://www.yelp.com/TYelp	TopSites.plist.251.dr	false	high
https://news.ycombinator.com/changepw_	AutoFillQuirks.plist.251.dr	false	high
https://classroom.udacity.com/settings/password_	AutoFillQuirks.plist.251.dr	false	high
https://pwrecovery.ruc.dk_	AutoFillQuirks.plist.251.dr	false	high
https://secure.ssa.gov/RIM/UpwdView.action_	AutoFillQuirks.plist.251.dr	false	high
https://www.ancestry.com/account/security/password_	AutoFillQuirks.plist.251.dr	false	high
https://key.harvard.edu/manage-account/change-password_	AutoFillQuirks.plist.251.dr	false	high
https://www.amazon.ca/ax/account/manage_	AutoFillQuirks.plist.251.dr	false	high
https://account.id.me/signin/password_	AutoFillQuirks.plist.251.dr	false	high
https://www.carnival.com/profilemanagement/profiles/changepassword_	AutoFillQuirks.plist.251.dr	false	high
https://thejigsawpuzzles.com/profile/?changepassword_	AutoFillQuirks.plist.251.dr	false	high
https://www.patreon.com/settings/account_	AutoFillQuirks.plist.251.dr	false	high
https://account.deere.com/actmgmt/change-password_	AutoFillQuirks.plist.251.dr	false	high
https://www.ikea.com/in/en/profile/dashboard/_	AutoFillQuirks.plist.251.dr	false	high
https://apps.anatel.gov.br/AnatelConsumidor/ConsumidorEditar.aspx_	AutoFillQuirks.plist.251.dr	false	high
https://www.safeway.com/customer-account/account-settings_	AutoFillQuirks.plist.251.dr	false	high
https://www.amazon.de/ax/account/manage_	AutoFillQuirks.plist.251.dr	false	high
https://www.cars.com/reset_password_	AutoFillQuirks.plist.251.dr	false	high
https://www.amazon.es/ax/account/manage_	AutoFillQuirks.plist.251.dr	false	high
https://www.zocdoc.com/patient/editprofile?section=Password_	AutoFillQuirks.plist.251.dr	false	high
https://www.apartments.com/my-account/#_	AutoFillQuirks.plist.251.dr	false	high
https://logonservices.iam.target.com/change-password/?target=#	AutoFillQuirks.plist.251.dr	false	high
https://www.aerlingus.com/html/user-profile.html_	AutoFillQuirks.plist.251.dr	false	high
https://www.dickssportinggoods.com/MyAccount/AccountSettings_	AutoFillQuirks.plist.251.dr	false	high
https://login.tmon.co.kr/user/info_	AutoFillQuirks.plist.251.dr	false	high
https://my.nextdns.io/account_	AutoFillQuirks.plist.251.dr	false	high
https://secure.indeed.com/account/changepassword_	AutoFillQuirks.plist.251.dr	false	high
https://www.temu.com/bgp_account_security.html_	AutoFillQuirks.plist.251.dr	false	high
https://imgur.com/account/settings/password_	AutoFillQuirks.plist.251.dr	false	high
https://my.norton.com/extspa/account/personalinfo_	AutoFillQuirks.plist.251.dr	false	high
https://account.proton.me/u/0/vpn/account-password_	AutoFillQuirks.plist.251.dr	false	high
https://www.espn.com/_	AutoFillQuirks.plist.251.dr	false	high
https://www.consumidor.gov.br/pages/usuario/editar_	AutoFillQuirks.plist.251.dr	false	high
https://www.nike.com/member/settings_	AutoFillQuirks.plist.251.dr	false	high
https://www.bathandbodyworks.com/my-account/edit-profile_	AutoFillQuirks.plist.251.dr	false	high
https://myvpostpay.verizon.com/ui/bill/secure/_	AutoFillQuirks.plist.251.dr	false	high
https://www.glassdoor.com/member/profile/settings.htm_	AutoFillQuirks.plist.251.dr	false	high
https://employeewe.bamboohr.com/dashboard/password.php_	AutoFillQuirks.plist.251.dr	false	high
https://login.yahoo.com/account/change-password_	AutoFillQuirks.plist.251.dr	false	high
https://www.pornhub.com/user/security_	AutoFillQuirks.plist.251.dr	false	high
https://www.cargurus.com/Cars/myAccount#/accountSettings_	AutoFillQuirks.plist.251.dr	false	high
https://www.prowlapp.com/settings.php_	AutoFillQuirks.plist.251.dr	false	high

IP	Domain	Country	ASN	ASN Name	Malicious
3.130.8.225	phisocoly.com	United States	16509	AMAZON-02US	false
103.224.182.206	dypigu.com	Australia	133618	TRELLIAN-AS-APTrellianPtyLimitedAU	false
207.244.76.131	seed.grubhubforrestaurants.com	United States	30633	LEASEWEB-USA-WDCUS	false
151.101.47.6	unknown	United States	54113	FASTLYUS	false
23.210.0.217	unknown	United States	16625	AKAMAI-ASUS	false

Process:	/Applications/Safari.app/Contents/MacOS/Safari
File Type:	ASCII text
Category:	dropped
Size (bytes):	61
Entropy (8bit):	4.877218280079437
Encrypted:	false
SSDEEP:	3:tQIVuW2yM/rBKcRWOv:io6x/rBdkA
MD5:	CF8156575A72C51BA6C0ED480F8315A0
SHA1:	8D1B47EEC788ED693566C021AC2F26C775AF5B90
SHA-256:	99229C910A4513C6F0625C8B49220263260972E7B37D46B0C739A512282C1A4E
SHA-512:	50D716D8E863908F9362892FA78848157AA54A6634915CCF93E986A1921AF52CE230971017CB1BDCA539916A49A5BEDA54B9182EEF04FF5EBD6D1D8B208B9A6B
Malicious:	false
Reputation:	low
Preview:	2025-04-21 08:45:39.087 Safari[614:4777] ApplePersistence=NO.

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 21, 2025 15:45:43.314225912 CEST	55401	53	192.168.11.12	1.1.1.1
Apr 21, 2025 15:45:43.425120115 CEST	53	55401	1.1.1.1	192.168.11.12
Apr 21, 2025 15:45:44.126867056 CEST	55007	53	192.168.11.12	1.1.1.1
Apr 21, 2025 15:45:44.331820965 CEST	53	55007	1.1.1.1	192.168.11.12
Apr 21, 2025 15:45:46.200310946 CEST	57726	53	192.168.11.12	1.1.1.1
Apr 21, 2025 15:45:46.202104092 CEST	62419	53	192.168.11.12	1.1.1.1
Apr 21, 2025 15:45:46.222210884 CEST	56300	53	192.168.11.12	1.1.1.1
Apr 21, 2025 15:45:46.227384090 CEST	56452	53	192.168.11.12	1.1.1.1
Apr 21, 2025 15:45:46.410784960 CEST	53	57726	1.1.1.1	192.168.11.12
Apr 21, 2025 15:45:46.415435076 CEST	53	56300	1.1.1.1	192.168.11.12
Apr 21, 2025 15:45:46.497031927 CEST	53	62419	1.1.1.1	192.168.11.12
Apr 21, 2025 15:45:46.743180990 CEST	53	56452	1.1.1.1	192.168.11.12
Apr 21, 2025 15:45:47.280733109 CEST	57690	53	192.168.11.12	1.1.1.1
Apr 21, 2025 15:45:47.288530111 CEST	59080	53	192.168.11.12	1.1.1.1
Apr 21, 2025 15:45:47.288754940 CEST	59351	53	192.168.11.12	1.1.1.1
Apr 21, 2025 15:45:47.288992882 CEST	49988	53	192.168.11.12	1.1.1.1
Apr 21, 2025 15:45:47.292794943 CEST	50919	53	192.168.11.12	1.1.1.1
Apr 21, 2025 15:45:47.293059111 CEST	55546	53	192.168.11.12	1.1.1.1
Apr 21, 2025 15:45:47.293318987 CEST	59498	53	192.168.11.12	1.1.1.1
Apr 21, 2025 15:45:47.293545961 CEST	56537	53	192.168.11.12	1.1.1.1
Apr 21, 2025 15:45:47.309092999 CEST	49375	53	192.168.11.12	1.1.1.1
Apr 21, 2025 15:45:47.455107927 CEST	53	49375	1.1.1.1	192.168.11.12
Apr 21, 2025 15:45:47.467986107 CEST	53	50919	1.1.1.1	192.168.11.12
Apr 21, 2025 15:45:47.473798990 CEST	53	57690	1.1.1.1	192.168.11.12
Apr 21, 2025 15:45:47.484611988 CEST	56256	53	192.168.11.12	1.1.1.1
Apr 21, 2025 15:45:47.491408110 CEST	53	59080	1.1.1.1	192.168.11.12
Apr 21, 2025 15:45:47.505800962 CEST	53	55546	1.1.1.1	192.168.11.12
Apr 21, 2025 15:45:47.510816097 CEST	53	59498	1.1.1.1	192.168.11.12
Apr 21, 2025 15:45:47.561007977 CEST	53	56537	1.1.1.1	192.168.11.12
Apr 21, 2025 15:45:47.593871117 CEST	53531	53	192.168.11.12	1.1.1.1
Apr 21, 2025 15:45:47.598057985 CEST	61065	53	192.168.11.12	1.1.1.1
Apr 21, 2025 15:45:47.598226070 CEST	61085	53	192.168.11.12	1.1.1.1
Apr 21, 2025 15:45:47.598474026 CEST	57077	53	192.168.11.12	1.1.1.1
Apr 21, 2025 15:45:47.685108900 CEST	53	56256	1.1.1.1	192.168.11.12
Apr 21, 2025 15:45:47.686268091 CEST	53	49988	1.1.1.1	192.168.11.12
Apr 21, 2025 15:45:47.704066038 CEST	53	53531	1.1.1.1	192.168.11.12
Apr 21, 2025 15:45:47.746212006 CEST	53	57077	1.1.1.1	192.168.11.12
Apr 21, 2025 15:45:47.770880938 CEST	53	59351	1.1.1.1	192.168.11.12
Apr 21, 2025 15:45:47.795595884 CEST	53931	53	192.168.11.12	1.1.1.1
Apr 21, 2025 15:45:47.802078009 CEST	62957	53	192.168.11.12	1.1.1.1
Apr 21, 2025 15:45:47.802242041 CEST	51166	53	192.168.11.12	1.1.1.1
Apr 21, 2025 15:45:47.804544926 CEST	64641	53	192.168.11.12	1.1.1.1
Apr 21, 2025 15:45:47.806524992 CEST	57353	53	192.168.11.12	1.1.1.1
Apr 21, 2025 15:45:47.895366907 CEST	54578	53	192.168.11.12	1.1.1.1
Apr 21, 2025 15:45:47.907187939 CEST	53	62957	1.1.1.1	192.168.11.12
Apr 21, 2025 15:45:47.907418013 CEST	53	61065	1.1.1.1	192.168.11.12
Apr 21, 2025 15:45:47.915605068 CEST	53	64641	1.1.1.1	192.168.11.12
Apr 21, 2025 15:45:47.947734118 CEST	53	61085	1.1.1.1	192.168.11.12
Apr 21, 2025 15:45:48.002487898 CEST	63520	53	192.168.11.12	1.1.1.1
Apr 21, 2025 15:45:48.004424095 CEST	55854	53	192.168.11.12	1.1.1.1
Apr 21, 2025 15:45:48.005482912 CEST	54635	53	192.168.11.12	1.1.1.1
Apr 21, 2025 15:45:48.009824038 CEST	54668	53	192.168.11.12	1.1.1.1
Apr 21, 2025 15:45:48.083136082 CEST	53	51166	1.1.1.1	192.168.11.12
Apr 21, 2025 15:45:48.084448099 CEST	53	54578	1.1.1.1	192.168.11.12
Apr 21, 2025 15:45:48.102243900 CEST	61383	53	192.168.11.12	1.1.1.1
Apr 21, 2025 15:45:48.103071928 CEST	60723	53	192.168.11.12	1.1.1.1
Apr 21, 2025 15:45:48.129339933 CEST	53	57353	1.1.1.1	192.168.11.12
Apr 21, 2025 15:45:48.133229017 CEST	53	63520	1.1.1.1	192.168.11.12
Apr 21, 2025 15:45:48.148200989 CEST	53	55854	1.1.1.1	192.168.11.12
Apr 21, 2025 15:45:48.203685045 CEST	54366	53	192.168.11.12	1.1.1.1
Apr 21, 2025 15:45:48.204452038 CEST	54791	53	192.168.11.12	1.1.1.1
Apr 21, 2025 15:45:48.206557989 CEST	62931	53	192.168.11.12	1.1.1.1
Apr 21, 2025 15:45:48.222954988 CEST	53	53931	1.1.1.1	192.168.11.12
Apr 21, 2025 15:45:48.305680990 CEST	49468	53	192.168.11.12	1.1.1.1
Apr 21, 2025 15:45:48.319797993 CEST	53	54635	1.1.1.1	192.168.11.12
Apr 21, 2025 15:45:48.342201948 CEST	53	54791	1.1.1.1	192.168.11.12
Apr 21, 2025 15:45:48.439485073 CEST	53	60723	1.1.1.1	192.168.11.12
Apr 21, 2025 15:45:48.474284887 CEST	53	54366	1.1.1.1	192.168.11.12
Apr 21, 2025 15:45:48.510958910 CEST	53	54668	1.1.1.1	192.168.11.12
Apr 21, 2025 15:45:48.512712002 CEST	53	49468	1.1.1.1	192.168.11.12
Apr 21, 2025 15:45:48.551608086 CEST	53	61383	1.1.1.1	192.168.11.12
Apr 21, 2025 15:45:48.614933014 CEST	53	62931	1.1.1.1	192.168.11.12

Process:	/Applications/Safari.app/Contents/MacOS/Safari
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1012
Entropy (8bit):	5.286991847916908
Encrypted:	false
SSDEEP:	24:2dfyiwHuG5Ku3hu65juqVrTrmuGoTxR1F1xW:cfyP5Z/5PrUon1F1xW
MD5:	0C29425555C7FF0CA114B1FD0DC39C50
SHA1:	D7D808E8BE92462F4C3CEBA66734F0E9BB26ACDD
SHA-256:	52826AFEEC974BB7BACB85BDC01DC4F23BF917D65E04773D7CAD393F7866F3FD
SHA-512:	D9C8364A85F4B4A96CAAC1409F32F9D6B2F8AE19201E0ABD2D449A3EEDADD471E99E44BC92DEB5D8FB60287DA64A88E61B45F759E7B9A383A9BBE5F5FD242F95
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8"?>.<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">.<plist version="1.0">.<dict>..<key>SingleDeviceSaveChangesThrottlingPolicy</key>..<string>1:1440</string>..<key>MultipleDeviceSaveChangesThrottlingPolicy</key>..<string>50:1 \| 10:2 \| 10:5 \| 10:30 \| 9:40 \| 1:510</string>..<key>SingleDeviceFetchChangesThrottlingPolicy</key>..<string>11:15 \| 1:1275</string>..<key>MultipleDeviceFetchChangesThrottlingPolicy</key>..<string>50:1 \| 50:3 \| 20:4 \| 20:5 \| 20:15 \| 20:18 \| 20:20</string>..<key>SyncCircleSizeRetrievalThrottlingPolicy</key>..<string>1:1440</string>..<key>MaximumRequestLimitCharacterCount</key>..<integer>100000</integer>..<key>SyncWindow</key>..<real>1209600</real>..<key>HistoryModificationIdleDelayBeforeSyncAttemptKey</key>..<integer>90</integer>..<key>HistoryRemovalIdleDelayBeforeSyncAttempt</key>..<integer>6</integer>..<key>SaveChangesBeforeTerminationTimeout</key>..<integer>1</integer>.</dic

Timestamp	Bytes transferred	Direction	Data
Apr 21, 2025 15:45:43.538934946 CEST	372	OUT	GET / HTTP/1.1 Host: seed.grubhubforrestaurants.com Upgrade-Insecure-Requests: 1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.2 Safari/605.1.15 Accept-Language: en-gb Accept-Encoding: gzip, deflate Connection: keep-alive
Apr 21, 2025 15:45:44.085952044 CEST	1031	IN	HTTP/1.1 302 Found cache-control: max-age=0, private, must-revalidate connection: close content-length: 11 date: Mon, 21 Apr 2025 13:45:43 GMT location: http://dypigu.com/f.php?e=b2mimivrXCofo3ync0EPwH49fkYwRFV1bGdPZmZVU2NIZWVFdFJocWFqSlBUV0hBVEFUYnQ0c2ROekQrcDVlZm1jTWFGZXpwR2dxNGw0U0hDS292dWRTN05mcGNBNEs1UUdtQTBuSHZJNE9vU1l5em9jZXk3THVGZnVnaWxGZm1JdWZDdkM3dXBnd05oNGdPQlZmN1hhbnZUZDkzUmRkelBGRnVWU1A2bmFPWThCYVg1ZUNNRE81UUFWeDMvcG1hbEwvcU1Wc2xWZTRFMzlMeG93Zjg2cjRORVFLdGtFRWhsY3BMcllvMU5lOVdWWFpCbDFsRmNzZzhtSm83ODRUOVlKbkdaWjcvWEJYaUQ4bGloUzJ6K3pTMHQrY01taVoxZ0hWRFlGaS9WZkFsY2g0QnZBMnh0anpGdWVWTzZOM01xQUlOa2l4Zk5Hb0crdGxqWDVlNFl1L0U5cWVMQlVKcWs5OE1TSjVqNEg0d2VwK3V6MDRDMjVJZWJ3WGErckF5RWtNdExvcWwvK1Voc2padGszcmdDVFZnOFV4b0Eyd0taaHJNb1pKYzJNNjVGUS9QUE1mSFdiVDR3ZUZDOXdnd2lyMDBEc3puUElPVHZjQVEzMjFpMUNxcHE4d3ByZnQwOVZrTmdMVG1HS3JYOUZERjZZSjdsazcyc3NPV3dzRVVXSWxHc1VnZ3dDVG8zTks0c2Er server: nginx set-cookie: sid=ebb7fe39-1eb6-11f0-8c39-3861696c1fb0; path=/; domain=.grubhubforrestaurants.com; expires=Sat, 09 May 2093 Data Raw: Data Ascii:
Apr 21, 2025 15:45:44.085999966 CEST	57	IN	Data Raw: 31 36 3a 35 39 3a 35 31 20 47 4d 54 3b 20 6d 61 78 2d 61 67 65 3d 32 31 34 37 34 38 33 36 34 37 3b 20 48 74 74 70 4f 6e 6c 79 0d 0a 0d 0a 52 65 64 69 72 65 63 74 69 6e 67 Data Ascii: 16:59:51 GMT; max-age=2147483647; HttpOnlyRedirecting

Timestamp	Bytes transferred	Direction	Data
Apr 21, 2025 15:45:44.510390043 CEST	1080	OUT	GET /f.php?e=b2mimivrXCofo3ync0EPwH49fkYwRFV1bGdPZmZVU2NIZWVFdFJocWFqSlBUV0hBVEFUYnQ0c2ROekQrcDVlZm1jTWFGZXpwR2dxNGw0U0hDS292dWRTN05mcGNBNEs1UUdtQTBuSHZJNE9vU1l5em9jZXk3THVGZnVnaWxGZm1JdWZDdkM3dXBnd05oNGdPQlZmN1hhbnZUZDkzUmRkelBGRnVWU1A2bmFPWThCYVg1ZUNNRE81UUFWeDMvcG1hbEwvcU1Wc2xWZTRFMzlMeG93Zjg2cjRORVFLdGtFRWhsY3BMcllvMU5lOVdWWFpCbDFsRmNzZzhtSm83ODRUOVlKbkdaWjcvWEJYaUQ4bGloUzJ6K3pTMHQrY01taVoxZ0hWRFlGaS9WZkFsY2g0QnZBMnh0anpGdWVWTzZOM01xQUlOa2l4Zk5Hb0crdGxqWDVlNFl1L0U5cWVMQlVKcWs5OE1TSjVqNEg0d2VwK3V6MDRDMjVJZWJ3WGErckF5RWtNdExvcWwvK1Voc2padGszcmdDVFZnOFV4b0Eyd0taaHJNb1pKYzJNNjVGUS9QUE1mSFdiVDR3ZUZDOXdnd2lyMDBEc3puUElPVHZjQVEzMjFpMUNxcHE4d3ByZnQwOVZrTmdMVG1HS3JYOUZERjZZSjdsazcyc3NPV3dzRVVXSWxHc1VnZ3dDVG8zTks0c2Er HTTP/1.1 Host: dypigu.com Upgrade-Insecure-Requests: 1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.2 Safari/605.1.15 Accept-Language: en-gb Accept-Encoding: gzip, deflate Connection: keep-alive
Apr 21, 2025 15:45:44.682332993 CEST	1031	IN	HTTP/1.1 200 OK date: Mon, 21 Apr 2025 13:45:44 GMT server: Apache vary: Accept-Encoding content-encoding: gzip content-length: 1211 content-type: text/html; charset=UTF-8 connection: close Data Raw: 1f 8b 08 00 00 00 00 00 00 03 ed 57 5d 73 9b 38 14 7d 4e 66 f2 1f 34 ee cc da 99 6e 6d 30 71 b7 49 ec ec ac 63 c0 75 0a 8e b1 11 31 2f 3b 20 09 03 16 82 08 f9 b3 93 ff be c2 76 da ed ee c3 ee 73 27 bc 18 a4 73 75 cf bd f2 39 82 6e 2c 32 7a 77 71 de 8d 49 80 ab 5f 91 08 4a ee 16 7c 15 c6 ab 30 ca 39 27 a5 08 56 3c 60 a2 6c a2 3c eb b6 8e 00 89 2c 11 4f 0a 01 c4 ae 20 bd 9a 20 5b d1 4a 83 75 70 1c ad 81 92 a3 5e ad 95 96 ad 28 61 0b c2 0b 9e 30 d1 4a 92 88 34 b3 84 35 d3 b2 76 d7 6d 1d b1 ff b9 96 04 ac 03 0e 38 c1 09 27 48 fc 49 13 b6 04 3d 50 8f 85 28 6e 5a 2d bc 2b 92 c5 aa 22 d7 8a 9a 45 5c fc 4e 7a 61 3b 4b b2 64 cd 9f ee f3 28 d7 76 0c 29 fa e3 66 78 75 1d 2d e7 1b c7 80 6a 68 e2 47 3f f3 a1 db b6 3f fb 1e 34 b0 31 ca 91 67 3c 4f 69 df 85 4a dc 87 ba e1 ce d9 44 41 6d 67 4c 96 13 8e 06 90 fa 99 9a ce 3c c3 f4 9f 8a 8d d3 c6 5b db dc 28 ae 12 0f a6 ed eb 36 f6 9c 99 ad 74 32 64 da 7d 5b 2f 55 d7 c5 62 32 eb af a6 43 7f 64 eb d7 6b 57 a5 1d 92 5d a7 fe d3 52 9b 0d a1 e9 33 c8 02 6f 6b ca 35 47 d8 [TRUNCATED] Data Ascii: W]s8}Nf4nm0qIcu1/; vs'su9n,2zwqI_J\|09'V<`l<,O [Jup^(a0J45vm8'HI=P(nZ-+"E\Nza;Kd(v)fxu-jhG??41g<OiJDAmgL<[(6t2d}[/Ub2CdkW]R3ok5Gxiimm"jwrf003Y\|?wm?Gj5rU?skO-b^k~h;Ma8^\(][n!<Fdb}C.qhyNB~A+fp*o}%F9o/&7cKQ6a 'mTAkBXWg>BmyGk\|oy8]#o~PaEr2<}\|?zj65pV3;kV\>NR\{;M6cY-h6]_wRh4jx@4CBki?[_ +h$(g"dKJ\|H" b&@P<Q Z)oP!A
Apr 21, 2025 15:45:44.682375908 CEST	404	IN	Data Raw: 99 b3 8b f3 68 c5 90 48 72 26 e7 29 0d 03 b4 74 4e 6b 35 2e c1 d7 8b f3 b3 4d c2 70 be 69 d2 1c 05 15 ac c9 49 41 03 44 1a 3f 48 f3 7d 3d 2a 7a 1f 7e ab 5f 4a fe 2f 55 09 82 ef 0e d1 92 6b 29 00 c7 7c 76 2a a5 07 4a 22 4e 0f 8d 7f a6 fc b5 2a b3 Data Ascii: hHr&)tNk5.MpiIAD?H}=z~_J/Uk)\|vJ"NZT<TpkDrhqS/![?knFT\ +8mUX\'e3=%keE^_D (n}ymnvAcxP<_1\|NUT}/@*p

Timestamp	Bytes transferred	Direction	Data
Apr 21, 2025 15:45:44.957514048 CEST	1045	OUT	GET /js/fingerprint/iife.min.js HTTP/1.1 Host: dypigu.com Connection: keep-alive Accept: / User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.2 Safari/605.1.15 Accept-Language: en-gb Referer: http://dypigu.com/f.php?e=b2mimivrXCofo3ync0EPwH49fkYwRFV1bGdPZmZVU2NIZWVFdFJocWFqSlBUV0hBVEFUYnQ0c2ROekQrcDVlZm1jTWFGZXpwR2dxNGw0U0hDS292dWRTN05mcGNBNEs1UUdtQTBuSHZJNE9vU1l5em9jZXk3THVGZnVnaWxGZm1JdWZDdkM3dXBnd05oNGdPQlZmN1hhbnZUZDkzUmRkelBGRnVWU1A2bmFPWThCYVg1ZUNNRE81UUFWeDMvcG1hbEwvcU1Wc2xWZTRFMzlMeG93Zjg2cjRORVFLdGtFRWhsY3BMcllvMU5lOVdWWFpCbDFsRmNzZzhtSm83ODRUOVlKbkdaWjcvWEJYaUQ4bGloUzJ6K3pTMHQrY01taVoxZ0hWRFlGaS9WZkFsY2g0QnZBMnh0anpGdWVWTzZOM01xQUlOa2l4Zk5Hb0crdGxqWDVlNFl1L0U5cWVMQlVKcWs5OE1TSjVqNEg0d2VwK3V6MDRDMjVJZWJ3WGErckF5RWtNdExvcWwvK1Voc2padGszcmdDVFZnOFV4b0Eyd0taaHJNb1pKYzJNNjVGUS9QUE1mSFdiVDR3ZUZDOXdnd2lyMDBEc3puUElPVHZjQVEzMjFpMUNxcHE4d3ByZnQwOVZrTmdMVG1HS3JYOUZERjZZSjdsazcyc3NPV3dzRVVXSWxHc1VnZ3dDVG8zTks0c2Er Accept-Encoding: gzip, deflate
Apr 21, 2025 15:45:45.126179934 CEST	1031	IN	HTTP/1.1 200 OK date: Mon, 21 Apr 2025 13:45:45 GMT server: Apache last-modified: Tue, 22 Oct 2024 03:26:38 GMT etag: "85c0-62508564b3780-gzip" accept-ranges: bytes vary: Accept-Encoding content-encoding: gzip content-length: 14345 content-type: application/javascript connection: close Data Raw: 1f 8b 08 00 00 00 00 00 00 03 cd 7d 5b 57 e3 c8 96 e6 7b af d5 ff c1 28 ab b3 a4 44 36 92 2f 24 98 54 b1 80 e4 96 05 24 09 24 90 76 f9 70 64 29 b0 95 e8 e2 d2 c5 60 12 cf 5f 98 df d0 f3 3a 0f 33 8f fd 34 0f a7 57 ff af f9 76 84 6e 36 86 aa 3a 6b 1e e6 9c 2c 2c 45 ec 88 d8 11 b1 63 df 22 62 6b e5 dd bb 7f fd 97 ca bb ca 9e e3 0f 58 38 0a 1d 3f fe 74 5e 19 37 6a cd 9a 56 a9 56 76 82 d1 24 74 06 c3 b8 22 5b ca 2c 90 5a 39 f4 2d b5 52 d7 ea 8d 8a 3c 8c e3 51 d4 5e 59 b9 2d 20 6a 56 e0 29 bc ee 23 c7 62 7e c4 ec 4a e2 db 2c ac c4 43 56 39 3e bc 10 85 50 e6 fe fe be 16 8c 00 11 24 a1 c5 6a 41 38 58 71 45 89 68 c5 73 e2 6a fa 52 1b 0d 47 4a 25 7b a1 8a 79 e5 17 43 27 aa 44 c1 6d 7c 6f 86 ac 62 05 7e 6c 3a 7e 84 07 9b 55 6e c3 c0 ab 50 d5 55 51 77 65 14 06 df 99 15 47 6d 5e f4 38 09 bd 24 3c 30 a3 61 a3 d2 9f 54 7e 35 43 d3 af 1c 4d 02 14 cf 3b 34 70 e2 61 d2 a7 be ac dc 51 be 4b d9 2b 5e 51 b2 f6 3d e2 bd 5c f9 d7 7f 19 9b e1 ec 10 19 b7 89 6f c5 4e e0 cb 4c f9 21 25 11 ab 44 71 e8 58 b1 b4 41 a0 7e 91 ad [TRUNCATED] Data Ascii: }[W{(D6/$T$$vpd)`_:34Wvn6:k,,Ec"bkX8?t^7jVVv$t"[,Z9-R<Q^Y- jV)#b~J,CV9>P$jA8XqEhsjRGJ%{yC'Dm\|ob~l:~UnPUQweGm^8$<0aT~5CM;4paQK+^Q=\oNL!%DqXA~Y>>Ez*p2/qTs?p#^^V2P9\7)i8'#V{48f+j}+n3\|Q6RTkhNU+J,38a-v/OOrlr@5C]Dk>{@m240_O60-F?Mbm%%QYj)DC#L<=u{P$\|FJ5mkj1mAW)91gejmxUdLU)kI2\|4`vcYhA[@DSE57Jb
Apr 21, 2025 15:45:45.126211882 CEST	1031	IN	Data Raw: e5 b9 39 7c f2 3c c9 e2 7d 8b d3 6e d1 28 5f 00 81 dd 30 04 09 4b fb cc 17 6d 56 b0 c6 4d 37 64 a6 3d a9 b0 07 66 25 31 96 59 4d 52 36 88 d2 37 4c 42 d3 d0 54 0b e3 83 47 c7 d0 14 45 75 36 14 22 0b aa 9c 16 0b d2 03 a3 fe 96 40 36 c3 5a d6 7b f1 Data Ascii: 9\|<}n(_0KmVM7d=f%1YMR67LBTGEu6"@6Z{u"b))mAH]Pu^#%!PV-+UA[=#L0v`X}n'4iNoS5^.BYA&-j`$cjD4q#G@`3hnV
Apr 21, 2025 15:45:45.126238108 CEST	1031	IN	Data Raw: 5a bd b1 ba aa 36 9b cd f5 b5 66 53 6b cc c3 17 98 f4 05 d6 be 01 51 ad 6d a4 16 83 81 ba d8 d3 93 24 29 29 87 fe 37 10 4d 60 64 fc ba 1a 42 e8 a3 3e 1f 1c 3b fd b5 f8 02 eb a9 49 fa eb 42 33 ad bf 7f ff be d1 6a e8 0d b5 be b6 de 6a ad b7 b4 f5 Data Ascii: Z6fSkQm$))7M`dB>;IB3jj7z}]Wutm=^C?3INvYC3T-Eama*e.zS}f4YTk/77_iOomZSz7 mR]Em4>{D=e
Apr 21, 2025 15:45:45.126295090 CEST	1031	IN	Data Raw: 6b 7e 2d a9 b6 31 87 93 ff 22 26 71 8e 49 3c 87 49 be 73 b5 a4 91 03 68 c1 c2 a4 59 b4 30 c7 b4 e8 69 ae 45 5b 81 41 cf b2 32 3f d8 25 16 4c 0c c2 a7 f9 72 e5 80 bc e6 a0 99 60 ca 5c 34 8b d6 74 64 f4 e6 fc 55 71 e6 62 f2 37 bb 75 55 e2 6e 5d 09 Data Ascii: k~-1"&qI<IshY0iE[A2?%Lr`\4tdUqb7uUn] tDAg.&[T[.i`_^ZIJ-p-n5tMje2$I]w2r2{omdy/wsyrBlk.O<myp$4pX)d]=fB
Apr 21, 2025 15:45:45.126323938 CEST	1031	IN	Data Raw: 6a 88 32 c1 12 77 86 e0 60 b2 2b cc 09 6b 5e 1f 04 b9 6d 04 4f 4f b2 64 05 1e 18 3a f0 e2 9e f8 94 89 95 d9 99 4b db c0 24 34 af f8 1a 7b 81 8b 65 64 53 ce f6 b3 6c bf c6 0f 78 9c 63 d1 c1 6e 37 65 a5 5d da f9 b5 54 f2 70 4e 61 70 28 85 de d7 7a Data Ascii: j2w`+k^mOOd:K$4{edSlxcn7e]TpNap(zeZ9k:2B\,c}E\|odWG9O5;3'AF`J~\|m`L`iV{w3fhtg#fDRv"Xo;kVw\{NIyP
Apr 21, 2025 15:45:45.126373053 CEST	1031	IN	Data Raw: 78 07 8c 66 fa dc 33 31 fc 7b 01 b9 0e f0 16 9b 16 64 43 50 af d7 c5 a8 5e 9c 6d 7d da 3a 49 31 07 d9 8d a1 2d 57 76 76 2b ad 56 85 2c 90 c4 43 f2 65 08 e9 48 95 76 ae b6 ec a0 cf f6 a4 5e 71 d2 f4 60 c6 a7 1f 07 1f 41 87 b0 a9 a1 27 d0 aa 39 51 Data Ascii: xf31{dCP^m}:I1-Wvv+V,CeHv^q`A'9QOX U7S\|g4acBl%)mDT^&d#\|Q9s_RDr2D)6,MrIc0`}<U6%cm\bhkt?S8j>g#Pi0,
Apr 21, 2025 15:45:45.126399040 CEST	1031	IN	Data Raw: 01 ea 66 28 d2 ee 43 9a 5e 58 19 a0 9e 6f 97 b1 66 5e 9f 45 9d 0b cd 39 a9 b7 86 9d fa ee c0 da 5f 0f 3b d7 87 ce e1 be 6b 63 1d fd dc 8d 9d d8 c5 4a dd 3a 3a dc 3d d9 fe 7c b4 25 55 9c de cf 60 69 fd d1 d8 27 14 7e 4f d0 b2 65 06 5e 9f d7 79 e4 Data Ascii: f(C^Xof^E9_;kcJ::=\|%U`i'~Oe^ycKD]cAOC_U{15wZzrt$ 'u[bM9`A_o=F!%KsT?GAtXe44xh>
Apr 21, 2025 15:45:45.126424074 CEST	1031	IN	Data Raw: 0e c7 06 d7 00 4e f5 94 af 11 6e 00 ed ec bb f5 ab ba 7b 47 0d 7c b9 3a db ef 37 86 b7 58 03 49 df bb 9c 5c e7 bc 9e 63 dc 38 79 b0 af f6 26 9d 2f 33 4b fc 3c 20 5f e0 33 64 33 e2 b0 1a 67 7a 1f eb a8 73 7d 09 d1 d3 14 d2 a0 71 a2 7f f3 f4 91 fd Data Ascii: Nn{G\|:7XI\c8y&/3K< _3d3gzs}qq]5`)<`v4[q\|GJZJ8T{s{F(;:e2HRbM,q!Mu7OJ=aAhLf<;2!=*G"4;)$k#"`2s-//!
Apr 21, 2025 15:45:45.126447916 CEST	1031	IN	Data Raw: 90 59 10 5a 21 e8 ef 11 82 c5 a4 25 f0 32 77 25 0d 0b fd df 5b 35 af d6 13 53 28 17 8f 7d 6f 0f f8 b8 da 2b 7c 32 53 4b 0e 4e 5c cb ef c0 40 6a 61 04 f5 e8 4f 96 22 7d 6d df 1d 32 d8 cf d0 db 88 8d 24 16 6c 72 8c fd a8 cc 65 b3 fe 1f 51 00 24 08 Data Ascii: YZ!%2w%[5S(}o+\|2SKN\@jaO"}m2$lreQ$pZ_nazK;ZyW9_CYGyk/PA;zE%*2t+wm83132Ny<+k>D&esSzsM}>T
Apr 21, 2025 15:45:45.126471996 CEST	1031	IN	Data Raw: c9 04 85 0c e9 a4 d2 c3 94 83 dc fc 1e 0c 80 13 e9 10 23 db fb fa fe b9 35 f4 ff 18 db e6 67 81 59 d0 b9 72 7d f3 e0 cb ea e1 c7 e3 07 8c d8 fb c3 fd f5 3a 96 8e 07 65 b0 f1 d9 d9 0e a0 c4 43 8e 36 51 76 7b 6c d5 5d 8d 34 0b a4 43 3f 7a 18 02 f3 Data Ascii: #5gYr}:eC6Qv{l]4C?zz"*F <7;a%flBihl;G'p@Agh5e#JV%VS\|Z?SfakV6VFd\G-9P9f'
Apr 21, 2025 15:45:45.292695045 CEST	1031	IN	Data Raw: a9 00 ea 39 6c 38 59 ca 2b 89 55 49 f4 89 ce 57 30 35 50 54 d9 34 e2 e7 87 19 f2 73 30 34 c0 c5 cd b6 f9 89 28 ce 3c 04 e2 88 82 f2 4b 6d f5 5d 76 63 9c 47 b1 8d 82 30 bd 66 6c 8a 43 96 56 76 80 81 cc b1 d3 30 3b 91 bc e8 6c ce dc c1 9c d9 c0 18 Data Ascii: 9l8Y+UIW05PT4s04(<Km]vcG0flCVv0;lMo,qQ)V8Yc=bUi@+}}Iw$nzVZ#cT-SgtOiyHH%q#Q*fC$R>\|:;7UyV-&:gh%?X

Timestamp	Bytes transferred	Direction	Data
Apr 21, 2025 15:45:46.372302055 CEST	1030	OUT	GET /favicon.ico HTTP/1.1 Host: dypigu.com Connection: keep-alive Accept: / User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.2 Safari/605.1.15 Accept-Language: en-gb Referer: http://dypigu.com/f.php?e=b2mimivrXCofo3ync0EPwH49fkYwRFV1bGdPZmZVU2NIZWVFdFJocWFqSlBUV0hBVEFUYnQ0c2ROekQrcDVlZm1jTWFGZXpwR2dxNGw0U0hDS292dWRTN05mcGNBNEs1UUdtQTBuSHZJNE9vU1l5em9jZXk3THVGZnVnaWxGZm1JdWZDdkM3dXBnd05oNGdPQlZmN1hhbnZUZDkzUmRkelBGRnVWU1A2bmFPWThCYVg1ZUNNRE81UUFWeDMvcG1hbEwvcU1Wc2xWZTRFMzlMeG93Zjg2cjRORVFLdGtFRWhsY3BMcllvMU5lOVdWWFpCbDFsRmNzZzhtSm83ODRUOVlKbkdaWjcvWEJYaUQ4bGloUzJ6K3pTMHQrY01taVoxZ0hWRFlGaS9WZkFsY2g0QnZBMnh0anpGdWVWTzZOM01xQUlOa2l4Zk5Hb0crdGxqWDVlNFl1L0U5cWVMQlVKcWs5OE1TSjVqNEg0d2VwK3V6MDRDMjVJZWJ3WGErckF5RWtNdExvcWwvK1Voc2padGszcmdDVFZnOFV4b0Eyd0taaHJNb1pKYzJNNjVGUS9QUE1mSFdiVDR3ZUZDOXdnd2lyMDBEc3puUElPVHZjQVEzMjFpMUNxcHE4d3ByZnQwOVZrTmdMVG1HS3JYOUZERjZZSjdsazcyc3NPV3dzRVVXSWxHc1VnZ3dDVG8zTks0c2Er Accept-Encoding: gzip, deflate
Apr 21, 2025 15:45:46.537470102 CEST	182	IN	HTTP/1.0 403 Forbidden cache-control: no-cache content-type: text/html Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 52 65 71 75 65 73 74 20 66 6f 72 62 69 64 64 65 6e 20 62 79 20 61 64 6d 69 6e 69 73 74 72 61 74 69 76 65 20 72 75 6c 65 73 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0a Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>

Timestamp	Bytes transferred	Direction	Data
Apr 21, 2025 15:45:46.658905983 CEST	1831	OUT	GET /f.php?e=b2mimivrXCofo3ync0EPwH49fkYwRFV1bGdPZmZVU2NIZWVFdFJocWFqSlBUV0hBVEFUYnQ0c2ROekQrcDVlZm1jTWFGZXpwR2dxNGw0U0hDS292dWRTN05mcGNBNEs1UUdtQTBuSHZJNE9vU1l5em9jZXk3THVGZnVnaWxGZm1JdWZDdkM3dXBnd05oNGdPQlZmN1hhbnZUZDkzUmRkelBGRnVWU1A2bmFPWThCYVg1ZUNNRE81UUFWeDMvcG1hbEwvcU1Wc2xWZTRFMzlMeG93Zjg2cjRORVFLdGtFRWhsY3BMcllvMU5lOVdWWFpCbDFsRmNzZzhtSm83ODRUOVlKbkdaWjcvWEJYaUQ4bGloUzJ6K3pTMHQrY01taVoxZ0hWRFlGaS9WZkFsY2g0QnZBMnh0anpGdWVWTzZOM01xQUlOa2l4Zk5Hb0crdGxqWDVlNFl1L0U5cWVMQlVKcWs5OE1TSjVqNEg0d2VwK3V6MDRDMjVJZWJ3WGErckF5RWtNdExvcWwvK1Voc2padGszcmdDVFZnOFV4b0Eyd0taaHJNb1pKYzJNNjVGUS9QUE1mSFdiVDR3ZUZDOXdnd2lyMDBEc3puUElPVHZjQVEzMjFpMUNxcHE4d3ByZnQwOVZrTmdMVG1HS3JYOUZERjZZSjdsazcyc3NPV3dzRVVXSWxHc1VnZ3dDVG8zTks0c2Er&fp=-7 HTTP/1.1 Host: dypigu.com Connection: keep-alive Upgrade-Insecure-Requests: 1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.2 Safari/605.1.15 Referer: http://dypigu.com/f.php?e=b2mimivrXCofo3ync0EPwH49fkYwRFV1bGdPZmZVU2NIZWVFdFJocWFqSlBUV0hBVEFUYnQ0c2ROekQrcDVlZm1jTWFGZXpwR2dxNGw0U0hDS292dWRTN05mcGNBNEs1UUdtQTBuSHZJNE9vU1l5em9jZXk3THVGZnVnaWxGZm1JdWZDdkM3dXBnd05oNGdPQlZmN1hhbnZUZDkzUmRkelBGRnVWU1A2bmFPWThCYVg1ZUNNRE81UUFWeDMvcG1hbEwvcU1Wc2xWZTRFMzlMeG93Zjg2cjRORVFLdGtFRWhsY3BMcllvMU5lOVdWWFpCbDFsRmNzZzhtSm83ODRUOVlKbkdaWjcvWEJYaUQ4bGloUzJ6K3pTMHQrY01taVoxZ0hWRFlGaS9WZkFsY2g0QnZBMnh0anpGdWVWTzZOM01xQUlOa2l4Zk5Hb0crdGxqWDVlNFl1L0U5cWVMQlVKcWs5OE1TSjVqNEg0d2VwK3V6MDRDMjVJZWJ3WGErckF5RWtNdExvcWwvK1Voc2padGszcmdDVFZnOFV4b0Eyd0taaHJNb1pKYzJNNjVGUS9QUE1mSFdiVDR3ZUZDOXdnd2lyMDBEc3puUElPVHZjQVEzMjFpMUNxcHE4d3ByZnQwOVZrTmdMVG1HS3JYOUZERjZZSjdsazcyc3NPV3dzRVVXSWxHc1VnZ3dDVG8zTks0c2Er Accept-Language: en-gb Accept-Encoding: gzip, deflate
Apr 21, 2025 15:45:46.832031012 CEST	1031	IN	HTTP/1.1 200 OK date: Mon, 21 Apr 2025 13:45:46 GMT server: Apache vary: Accept-Encoding content-encoding: gzip content-length: 977 content-type: text/html; charset=UTF-8 connection: close Data Raw: 1f 8b 08 00 00 00 00 00 00 03 95 95 5d 6f a3 46 14 86 ef 57 ca 7f 40 a9 d4 24 b5 6a f3 61 5b f5 6e 9c aa 4e c0 04 1b 88 07 66 30 73 53 01 83 33 98 01 26 80 3f 77 fb df 6b 87 ac 94 c4 be 68 e7 06 f1 72 9e 33 ef 61 3e ce 2d ad 33 76 77 f1 e5 96 c6 01 39 3e eb a4 66 f1 dd 73 b9 0a e9 2a 5c 14 65 19 57 75 b0 2a 83 bc ae da 51 91 dd 76 9a 80 43 64 15 95 09 af 85 7a c7 e3 e1 65 1d 6f eb ce 32 58 07 8d 7a 79 08 58 07 a5 50 c6 24 29 e3 a8 fe 9b 25 79 2a 0c 85 2b 5a d7 fc 6b a7 43 76 3c 79 5e 1d 13 76 16 72 9b 53 fe 67 3c 64 ce 6c 1b cc f2 17 3f ec cb 7e be 59 f5 b3 3f a6 bb 79 77 b0 48 6b d7 cf 7a de 4c 24 4f 64 6c 40 0b 51 0d cf 41 80 f7 e6 2e ca 0c 09 e4 51 d7 54 80 e5 aa c6 2c 12 a9 1b a6 a0 17 cf c9 2a f6 34 86 5c 34 85 ac e8 79 cc 98 c0 87 91 13 e5 40 b7 18 9f a0 9c 1b 33 8f 99 13 e5 af 2d 74 cd 8d 3d a7 20 76 b5 47 28 f2 75 e4 46 b2 a3 60 df 87 c6 3d d1 b0 ee 48 50 c2 4b c4 22 91 60 00 07 dc 63 0c d8 e3 5a 22 19 d7 02 8d ea 53 79 60 4c 15 80 8f f1 8e 48 14 9c f1 6e f4 00 6a a8 f1 03 53 f7 63 d7 48 fd [TRUNCATED] Data Ascii: ]oFW@$ja[nNf0sS3&?wkhr3a>-3vw9>fs\eWuQvCdzeo2XzyXP$)%y+ZkCv<y^vrSg<dl?~Y?ywHkzL$Odl@QA.QT,4\4y@3-t= vG(uF`=HPK"`cZ"Sy`LHnjScH=u%ZbM[1o0u,tc%x=yj\|%Z"H\XG5=ZD}%yx.T"x=1O\D_QQF4F?rs>DFNd>^#%!BH2OEO`GLCZU5s"l[KE q>;JCPCUC"[E@3@&R76afU\|@7n}=;K<'Kvdz2{s9f9TLa2VFH#SOAfq{a&ml#{?ErFecOM({qp9x~]W&Ii'y^Bju=Ni&9bU4pq,KD3n
Apr 21, 2025 15:45:46.832043886 CEST	169	IN	Data Raw: fa ea 9b f0 cf 29 ec 9f c2 8d e7 b3 f4 d1 4f fe a6 e6 3f 1d fd 57 3f bf 5f 9f 11 7f 13 db d2 8d f0 e3 87 70 f2 43 4e d7 e7 f6 44 6a e8 ef 1f 3c fd df 42 3f db 6a d4 f3 be fc 4f be 9a fd f1 d1 98 fe 8e 3f eb ec e2 cb 5b 38 2b a2 a0 4e 8a bc 5d c6 Data Ascii: )O?W?_pCNDj<B?jO?[8+N]Q\|nZkU.mysT^x9^qJ#?s

Timestamp	Bytes transferred	Direction	Data
Apr 21, 2025 15:45:47.107076883 CEST	1907	OUT	GET /f2.php?e=lSQxaQnqYb62Ynwu6m8LyX49fktTYm5WQ0dPdGJUNVhFZXRaZzMycmJ1Rnc4M3RNTEJQc0hTbkR5eXdueWFlVTVLUlo5WlJKUDBScnRHNlpKVnpJQWlMK3AxUTMwOXhReTFIU0pvcTc2S3ZYYUJCdFZHS1U1ZjVlc0dZRU9pWllROGt1dmpFaFhHL29JL3RZYUJCS0d3Zmp4cDRtUFplc0t6eTJkYzhSejVjZFFjR0cxRW9QOHpzaGpMWGlmcGhwNGx0WktrV2Y5U1hjRW50VWJMbFpyZ1NhNVJLVUdTZVZ2ekZHVFNBOWhoclh2SXRHTCs0YlgySW1STndITy9Oeld4U3lMcGRESERqejVsdmg1Y0JEaWx4OG95SGpiTVhqMmpJZWp1MmhJS3BheXM3TlBKYnh2cHpUekQwYkI3d2VhV21Hd2pKZEZvV3h3QjdUbVV6cHNmWEVPRjl6c0tBNzRKUE5LaWd0RzJWODBFeUNYZFkybERxMnJ5TVZONjlxa09NdUh6TFdSZHBzSmVkb1JLVzJ6UE1LTUpUd2Noby9oRFJSZDhnQWVKWVEwOURsUnUrbmRYOEpYM1dNY0RkRHJsRkxYU3BLeXdYSjZqSDRPNFRMWE44T1NnaUN4aXNPMVlqRXVYRXRFQnU3M3Ztbi9ZNmdFc2RBMFRhMytwWFRCamNpOXlIUmRKc0cwOVUrQldzYkV2c3p5UFBrbnZMYkowbVhhR2YzZz09&vs=1024:658&ds=1024:768&sl=0:23&os=f&nos=f HTTP/1.1 Host: dypigu.com Connection: keep-alive Upgrade-Insecure-Requests: 1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.2 Safari/605.1.15 Referer: http://dypigu.com/f.php?e=b2mimivrXCofo3ync0EPwH49fkYwRFV1bGdPZmZVU2NIZWVFdFJocWFqSlBUV0hBVEFUYnQ0c2ROekQrcDVlZm1jTWFGZXpwR2dxNGw0U0hDS292dWRTN05mcGNBNEs1UUdtQTBuSHZJNE9vU1l5em9jZXk3THVGZnVnaWxGZm1JdWZDdkM3dXBnd05oNGdPQlZmN1hhbnZUZDkzUmRkelBGRnVWU1A2bmFPWThCYVg1ZUNNRE81UUFWeDMvcG1hbEwvcU1Wc2xWZTRFMzlMeG93Zjg2cjRORVFLdGtFRWhsY3BMcllvMU5lOVdWWFpCbDFsRmNzZzhtSm83ODRUOVlKbkdaWjcvWEJYaUQ4bGloUzJ6K3pTMHQrY01taVoxZ0hWRFlGaS9WZkFsY2g0QnZBMnh0anpGdWVWTzZOM01xQUlOa2l4Zk5Hb0crdGxqWDVlNFl1L0U5cWVMQlVKcWs5OE1TSjVqNEg0d2VwK3V6MDRDMjVJZWJ3WGErckF5RWtNdExvcWwvK1Voc2padGszcmdDVFZnOFV4b0Eyd0taaHJNb1pKYzJNNjVGUS9QUE1mSFdiVDR3ZUZDOXdnd2lyMDBEc3puUElPVHZjQVEzMjFpMUNxcHE4d3ByZnQwOVZrTmdMVG1HS3JYOUZERjZZSjdsazcyc3NPV3dzRVVXSWxHc1VnZ3dDVG8zTks0c2Er&fp=-7 Accept-Language: en-gb Accept-Encoding: gzip, deflate
Apr 21, 2025 15:45:47.290826082 CEST	297	IN	HTTP/1.1 302 Found date: Mon, 21 Apr 2025 13:45:47 GMT server: Apache location: https://phisocoly.com/click.php?key=z4vx0cwffbwphlk1ydyk&cpv=0.005&subid=1432787208&sid=20250421234543edb753f5095fb676f9 content-length: 0 content-type: text/html; charset=UTF-8 connection: close

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Apr 21, 2025 15:45:36.592699051 CEST	151.101.47.6	443	192.168.11.12	49348	CN=bag.itunes.apple.com, O=Apple Inc., L=Cupertino, ST=California, C=US, SERIALNUMBER=C0806592, OID.1.3.6.1.4.1.311.60.2.1.2=California, OID.1.3.6.1.4.1.311.60.2.1.3=US, OID.2.5.4.15=Private Organization CN=Apple Public EV Server RSA CA 2 - G1, O=Apple Inc., C=US	CN=Apple Public EV Server RSA CA 2 - G1, O=Apple Inc., C=US CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Tue Feb 04 19:54:22 CET 2025 Wed Apr 29 14:54:50 CEST 2020	Tue Nov 18 20:40:14 CET 2025 Thu Apr 11 01:59:59 CEST 2030
Apr 21, 2025 15:45:36.592699051 CEST	151.101.47.6	443	192.168.11.12	49348	CN=Apple Public EV Server RSA CA 2 - G1, O=Apple Inc., C=US	CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Apr 29 14:54:50 CEST 2020	Thu Apr 11 01:59:59 CEST 2030
Apr 21, 2025 15:45:36.867152929 CEST	151.101.47.6	443	192.168.11.12	49351	CN=bag.itunes.apple.com, O=Apple Inc., L=Cupertino, ST=California, C=US, SERIALNUMBER=C0806592, OID.1.3.6.1.4.1.311.60.2.1.2=California, OID.1.3.6.1.4.1.311.60.2.1.3=US, OID.2.5.4.15=Private Organization CN=Apple Public EV Server RSA CA 2 - G1, O=Apple Inc., C=US	CN=Apple Public EV Server RSA CA 2 - G1, O=Apple Inc., C=US CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Tue Feb 04 19:54:22 CET 2025 Wed Apr 29 14:54:50 CEST 2020	Tue Nov 18 20:40:14 CET 2025 Thu Apr 11 01:59:59 CEST 2030	771,49196-49195-49188-49187-49162-49161-52393-49200-49199-49192-49191-49172-49171-52392-157-156-61-60-53-47-49160-49170-10,65281-0-23-13-5-13172-18-16-11-10,29-23-24-25,0	5c118da645babe52f060d0754256a73c
Apr 21, 2025 15:45:36.867152929 CEST	151.101.47.6	443	192.168.11.12	49351	CN=Apple Public EV Server RSA CA 2 - G1, O=Apple Inc., C=US	CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Apr 29 14:54:50 CEST 2020	Thu Apr 11 01:59:59 CEST 2030		5c118da645babe52f060d0754256a73c
Apr 21, 2025 15:45:37.105123043 CEST	151.101.47.6	443	192.168.11.12	49353	CN=bag.itunes.apple.com, O=Apple Inc., L=Cupertino, ST=California, C=US, SERIALNUMBER=C0806592, OID.1.3.6.1.4.1.311.60.2.1.2=California, OID.1.3.6.1.4.1.311.60.2.1.3=US, OID.2.5.4.15=Private Organization CN=Apple Public EV Server RSA CA 2 - G1, O=Apple Inc., C=US	CN=Apple Public EV Server RSA CA 2 - G1, O=Apple Inc., C=US CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Tue Feb 04 19:54:22 CET 2025 Wed Apr 29 14:54:50 CEST 2020	Tue Nov 18 20:40:14 CET 2025 Thu Apr 11 01:59:59 CEST 2030	771,49196-49195-49188-49187-49162-49161-52393-49200-49199-49192-49191-49172-49171-52392-157-156-61-60-53-47-49160-49170-10,65281-0-23-13-5-13172-18-16-11-10,29-23-24-25,0	5c118da645babe52f060d0754256a73c
Apr 21, 2025 15:45:37.105123043 CEST	151.101.47.6	443	192.168.11.12	49353	CN=Apple Public EV Server RSA CA 2 - G1, O=Apple Inc., C=US	CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Apr 29 14:54:50 CEST 2020	Thu Apr 11 01:59:59 CEST 2030		5c118da645babe52f060d0754256a73c

Timestamp	Bytes transferred	Direction	Data
2025-04-21 13:45:47 UTC	1204	OUT	GET /click.php?key=z4vx0cwffbwphlk1ydyk&cpv=0.005&subid=1432787208&sid=20250421234543edb753f5095fb676f9 HTTP/1.1 Host: phisocoly.com Connection: keep-alive Upgrade-Insecure-Requests: 1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.2 Safari/605.1.15 Referer: http://dypigu.com/f.php?e=b2mimivrXCofo3ync0EPwH49fkYwRFV1bGdPZmZVU2NIZWVFdFJocWFqSlBUV0hBVEFUYnQ0c2ROekQrcDVlZm1jTWFGZXpwR2dxNGw0U0hDS292dWRTN05mcGNBNEs1UUdtQTBuSHZJNE9vU1l5em9jZXk3THVGZnVnaWxGZm1JdWZDdkM3dXBnd05oNGdPQlZmN1hhbnZUZDkzUmRkelBGRnVWU1A2bmFPWThCYVg1ZUNNRE81UUFWeDMvcG1hbEwvcU1Wc2xWZTRFMzlMeG93Zjg2cjRORVFLdGtFRWhsY3BMcllvMU5lOVdWWFpCbDFsRmNzZzhtSm83ODRUOVlKbkdaWjcvWEJYaUQ4bGloUzJ6K3pTMHQrY01taVoxZ0hWRFlGaS9WZkFsY2g0QnZBMnh0anpGdWVWTzZOM01xQUlOa2l4Zk5Hb0crdGxqWDVlNFl1L0U5cWVMQlVKcWs5OE1TSjVqNEg0d2VwK3V6MDRDMjVJZWJ3WGErckF5RWtNdExvcWwvK1Voc2padGszcmdDVFZnOFV4b0Eyd0taaHJNb1pKYzJNNjVGUS9QUE1mSFdiVDR3ZUZDOXdnd2lyMDBEc3puUElPVHZjQVEzMjFpMUNxcHE4d3ByZnQwOVZrTmdMVG1HS3JYOUZERjZZSjdsazcyc3NPV3dzRVVXSWxHc1VnZ3dDVG8zTks0c2Er&fp=-7 Accept-Language: en-gb Accept-Encoding: gzip, deflate
2025-04-21 13:45:48 UTC	451	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 Date: Mon, 21 Apr 2025 13:45:48 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Set-Cookie: uclick=pmlp9lqqqd; expires=Tue, 22-Apr-2025 13:45:48 GMT; Max-Age=86400; path=/; secure; SameSite=none Set-Cookie: uclickhash=pmlp9lqqqd-pmlp9lqqqd-ydlp-52a3dz-nt8w0-ktu3dz-ktu3bl-cc97cc; expires=Tue, 22-Apr-2025 13:45:48 GMT; Max-Age=86400; path=/; secure; SameSite=none
2025-04-21 13:45:48 UTC	15634	IN	Data Raw: 31 65 62 30 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 3c 68 65 61 64 3e 3c 62 61 73 65 20 68 72 65 66 3d 22 6c 61 6e 64 65 72 73 2f 39 61 30 35 36 33 62 66 61 64 2f 69 6e 64 65 78 2e 68 74 6d 6c 22 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0d 0a 0d 0a 3c 74 69 74 6c 65 3e 46 61 73 74 20 61 6e 64 20 53 65 63 75 72 65 20 56 50 4e 20 66 6f 72 20 53 61 66 61 72 69 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 3e 0d 0a 62 6f 64 79 20 7b 0d 0a 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 31 31 31 Data Ascii: 1eb0<html xmlns="http://www.w3.org/1999/xhtml"><head><base href="landers/9a0563bfad/index.html"><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><title>Fast and Secure VPN for Safari</title><style>body {background-color:#111

Timestamp	Bytes transferred	Direction	Data
2025-04-21 13:45:49 UTC	511	OUT	GET /favicon.ico HTTP/1.1 Host: phisocoly.com Accept: / Connection: keep-alive Cookie: uclick=pmlp9lqqqd; uclickhash=pmlp9lqqqd-pmlp9lqqqd-ydlp-52a3dz-nt8w0-ktu3dz-ktu3bl-cc97cc User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.2 Safari/605.1.15 Accept-Language: en-gb Referer: https://phisocoly.com/click.php?key=z4vx0cwffbwphlk1ydyk&cpv=0.005&subid=1432787208&sid=20250421234543edb753f5095fb676f9 Accept-Encoding: br, gzip, deflate
2025-04-21 13:45:49 UTC	150	IN	HTTP/1.1 404 Not Found Server: nginx/1.24.0 Date: Mon, 21 Apr 2025 13:45:49 GMT Content-Type: text/html Content-Length: 153 Connection: close
2025-04-21 13:45:49 UTC	153	IN	Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 34 2e 30 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.24.0</center></body></html>

Start time (UTC):	13:45:36
Start date (UTC):	21/04/2025
Path:	/usr/libexec/xpcproxy
Arguments:	-
File size:	44048 bytes
MD5 hash:	4764d9eafe6b7dac23253a9f8b7f73d6

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

macOS Analysis Report http://seed.grubhubforrestaurants.com

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

Compliance

Networking

System Summary

Persistence and Installation Behavior

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/dev/null

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/C/com.apple.Safari/com.apple.scriptmanager2.le.cache

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/C/com.apple.Safari/mds/mdsDirectory.db_

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/C/com.apple.Safari/mds/mdsObject.db_

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari 2)/AutoFillQuirks.plist

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari 2)/CacheSettings.plist

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari 2)/LastSession.plist

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari)/CacheSettings.plist

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari)/CloudHistoryRemoteConfiguration.plist

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari)/KnownExtensions.plist

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari)/LastSession.plist

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari)/PerSiteZoomPreferences.plist

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari)/Preferences.plist

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari)/TopSites.plist

Static File Info

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

HTTPS Connections

HTTPS Proxied Packets

System Behavior

Analysis Process: xpcproxy PID: 609, Parent PID: 1

General

File Activities

File Opened

File Read

Process Activities

Process Spawned

System Activities

Sysctl Requested

macOS Analysis Report
http://seed.grubhubforrestaurants.com

Start time (UTC):	13:45:37
Start date (UTC):	21/04/2025
Path:	/Library/Frameworks/Mono.framework/Versions/4.4.2/bin/mono-sgen32
Arguments:	-
File size:	3722408 bytes
MD5 hash:	8910349f44a940d8d79318367855b236

Start time (UTC):	13:45:54
Start date (UTC):	21/04/2025
Path:	/usr/libexec/xpcproxy
Arguments:	-
File size:	44048 bytes
MD5 hash:	4764d9eafe6b7dac23253a9f8b7f73d6

Start time (UTC):	13:46:31
Start date (UTC):	21/04/2025
Path:	/usr/libexec/xpcproxy
Arguments:	-
File size:	44048 bytes
MD5 hash:	4764d9eafe6b7dac23253a9f8b7f73d6

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre