Edit tour

macOS Analysis Report
https://secure.na2.documents.adobe.com/public/esign?tsid=CBFCIBAACBSCTBABDUAAABACAABAAskvx_bq2cquZ4iq5BLjtEbawFZPxMTV6mRN_3v_virXQazei6QWK2KQGkwGCN9pO8Sn1Zu0F3YP6y43ljMzViV-Jk1qAjzp1hzXH72fTmZKTDP9OlrjmAtiGxIKJVXAP&

Overview

General Information

Sample URL:	https://secure.na2.documents.adobe.com/public/esign?tsid=CBFCIBAACBSCTBABDUAAABACAABAAskvx_bq2cquZ4iq5BLjtEbawFZPxMTV6mRN_3v_virXQazei6QWK2KQGkwGCN9pO8Sn1Zu0F3YP6y43ljMzViV-Jk1qAjzp1hzXH72fTmZKTDP9Olr
Analysis ID:	1520713
Infos:

Detection

Score:	0
Range:	0 - 100
Whitelisted:	false

Signatures

No high impact signatures.

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1520713
Start date and time:	2024-09-27 19:00:35 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	https://secure.na2.documents.adobe.com/public/esign?tsid=CBFCIBAACBSCTBABDUAAABACAABAAskvx_bq2cquZ4iq5BLjtEbawFZPxMTV6mRN_3v_virXQazei6QWK2KQGkwGCN9pO8Sn1Zu0F3YP6y43ljMzViV-Jk1qAjzp1hzXH72fTmZKTDP9OlrjmAtiGxIKJVXAP&
Analysis system description:	Virtual Machine, Mojave (Office 16 16.27, Java 11.0.2+9, Adobe Reader 2019.010.20099)
macOS major version:	10.14
CPU architecture:	x86_64
Analysis Mode:	default
Detection:	CLEAN
Classification:	clean0.mac@0/9@0/0

Warnings

Excluded IPs from analysis (whitelisted): 17.253.119.202, 17.253.119.201, 23.222.201.219, 23.45.148.31, 35.170.158.185, 44.234.124.145, 44.234.124.143, 44.234.124.144, 142.250.31.95, 23.199.55.48, 23.199.55.34, 23.199.55.63, 23.199.55.21, 23.199.55.5, 23.205.106.189, 23.205.106.159, 23.205.106.169, 192.168.11.12, 17.253.21.201, 17.253.21.202, 17.36.200.79, 23.205.106.166, 23.215.0.137, 23.215.0.139
VT rate limit hit for: https://secure.na2.documents.adobe.com/public/esign?tsid=CBFCIBAACBSCTBABDUAAABACAABAAskvx_bq2cquZ4iq5BLjtEbawFZPxMTV6mRN_3v_virXQazei6QWK2KQGkwGCN9pO8Sn1Zu0F3YP6y43ljMzViV-Jk1qAjzp1hzXH72fTmZKTDP9OlrjmAtiGxIKJVXAP&

Process Tree

System is macvm-mojave

xpcproxy New Fork (PID: 611, Parent: 1)

nsurlstoraged (MD5: 321b0a40e24b45f0af49ba42742b3f64) Arguments: /usr/libexec/nsurlstoraged --privileged

mono-sgen32 New Fork (PID: 617, Parent: 537)

open (MD5: 34bd93241fa5d2aee225941b1ca14fa4) Arguments: /usr/bin/open -a Safari https://secure.na2.documents.adobe.com/public/esign?tsid=CBFCIBAACBSCTBABDUAAABACAABAAskvx_bq2cquZ4iq5BLjtEbawFZPxMTV6mRN_3v_virXQazei6QWK2KQGkwGCN9pO8Sn1Zu0F3YP6y43ljMzViV-Jk1qAjzp1hzXH72fTmZKTDP9OlrjmAtiGxIKJVXAP&

xpcproxy New Fork (PID: 618, Parent: 1)

Safari (MD5: 2dde28c2f8a38ed2701ba17a0893cbc1) Arguments: /Applications/Safari.app/Contents/MacOS/Safari

xpcproxy New Fork (PID: 645, Parent: 1)

eficheck (MD5: 328beb81a2263449258057506bb4987f) Arguments: /usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check-daemon

xpcproxy New Fork (PID: 648, Parent: 1)

silhouette (MD5: 485ec1bd3cd09293e26d05f6fe464bfd) Arguments: /usr/libexec/silhouette

cleanup

Yara Signatures

⊘No yara matches

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: .https://www.facebook.com/settings?tab=security_ equals www.facebook.com (Facebook)
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: 2https://www.linkedin.com/psettings/change-password_ equals www.linkedin.com (Linkedin)

Source: CloudHistoryRemoteConfiguration.plist.252.dr	String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://247sports.com/my/settings/password/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://account.bbc.com/account/settings/edit/password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://account.booking.com/account-recovery_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://account.docusign.com/me/changepassword_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://account.forbes.com/profile_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://account.gmx.net/ciss/security/edit/passwordChange_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://account.idm.telekom.com/account-manager/password/index.xhtml_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://account.live.com/password/Change_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://account.magento.com/customer/account/changepassword_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://account.samsung.com/membership/contents/security/password/change-password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://account.shodan.io/change_password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://accounts.autodesk.com/Profile/Security_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://accounts.craigslist.org/pass_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://accounts.ebay.com/acctsec/security-center/chngpwd_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://accounts.intuit.com/app/account-manager/security/password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://accounts.nintendo.com/password/edit_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://accounts.pch.com/forgotpass_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://accounts.shopify.com/accounts/186490458/security_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://acesso.gov.br/area-cidadao/#/alterarSenha_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://adultfriendfinder.com/p/update.cgi?p=my_account_update_account_password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://app.acorns.com/settings/change-password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://app.carta.com/profiles/update/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://app.getflywheel.com/profile/security/change_password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://app.parkmobile.io/account/settings_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://app.plex.tv/desktop#
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://app.prolific.co/account/general_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://app.sipgatebasic.de/settings_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://app.stonly.com/app/general/userSettings/Account_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://app.zeplin.io/profile/password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://appleid.apple.com/account/manage_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://apps.anatel.gov.br/AnatelConsumidor/ConsumidorEditar.aspx_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://apps.jw.org/E_PASSCHG1_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://archive.org/account/index.php?settings=1_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://arxiv.org/user/change_own_password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://auth.astonmartinf1.com/Dashboard/ChangePassword_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://auth.danawa.com/modifyMember_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://auth.fandom.com/auth/settings_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://auth.readymag.com/password/forgot_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://auth.redgifs.com/lo/reset?ticket=_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://auth.usnews.com/changePassword_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://bandcamp.com/settings#password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://benefitslogin.discoverybenefits.com/Profile/UpdatePassword.aspx_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://blend.io/settings_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://bugzilla.kernel.org/userprefs.cgi?tab=account_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://cam.ana.co.jp/psz/us/amc_us.jsp?index=105_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://campus.tum.de_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://card.discover.com/cardmembersvcs/personalprofile/pp/UpdateDetails?ICMPGN=MYPROFILE_USERID_PA
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://censys.io/account_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://cfspart.impots.gouv.fr/monprofil-webapp/GererMonProfil_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://chaturbate.com/auth/password_change/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://classroom.udacity.com/settings/password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://cloud.digitalocean.com/settings/security_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://cloud.linode.com/profile/auth_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://codepen.io/settings/account_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://consumercenter.mysynchrony.com/consumercenter/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://customer.xfinity.com/users/me/update-password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://customercenter.marketwatch.com/account#password?mod=ql_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://customercenter.wsj.com/account#password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://dash.cloudflare.com/profile/authentication_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://dashboard.branch.io/account-settings/user_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://dashboard.dittomusic.com/account/password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://dashboard.heroku.com/account_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://dashboard.messagebird.com/account/security_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://discord.com/settings/account_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://fetlife.com/settings/account/password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://forum.wii-homebrew.com/index.php/AccountManagement/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://foursquare.com/change_password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://fps.fidelity.com/ftgw/Fps/Fidelity/RtlCust/ChangePIN/Init_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://genius.com/password_resets/new_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://github.com/settings/security_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://go.com/profile/account-settings/edit_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://help.steampowered.com/en/wizard/HelpChangePassword?redir=store/account/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://hibrain.net/mybrain/users/password/edit_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://home.thesun.co.uk/edit/password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://hotels.com/profile/settings.html_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://hq1.appsflyer.com/account/change-password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://id.atlassian.com/manage-profile/security_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://id.nfl.com/account/change-password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://id.sonyentertainmentnetwork.com/id/management/#/p/security_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://imgur.com/account/settings/password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://key.harvard.edu/manage-account/change-password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://kundenportal.edeka-smart.de/edeka-csc/forgot-password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://leetcode.com/accounts/password/set/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://legacy.memoriams.com/Network/Account/ChangePassword_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://linktr.ee/admin/account_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://login.aliexpress.com/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://login.aol.com/account/change-password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://login.blockchain.com/en/#/security-center/advanced_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://login.coupang.com/login/userModify.pang_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://login.teamviewer.com/nav/profile/change-password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://login.tmon.co.kr/user/info_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://login.usatoday.com/USAT-GUP/password-forgot/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://login.yahoo.com/account/change-password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://login.yahoo.com/myaccount/security/change-password/?src=finance_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://login.yahoo.com/myaccount/security/change-password/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://logonservices.iam.target.com/change-password/?target=#
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://mail.protonmail.com/account_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://mastercard.syf.com/login/reset_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://mathworks.com/mwaccount/profiles/password/change_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://member.daum.net/change/password.daum_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://member.webmd.com/password-reset_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://membership.latimes.com/settings_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://memberssl.auction.co.kr/membership/MyInfo/MyInfo.aspx_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://meuvivo.vivo.com.br/meuvivo/appmanager/portal/fixo_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://minhanet.net.com.br/webcenter/portal/MinhaNet/pages_alterarsenha_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://moncompte.lemonde.fr/gcustomer/account/password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://my.foxbusiness.com/?p=account_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://my.foxnews.com/?pieces=reset_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://my.ticketmaster.com/settings_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://myaccount.ea.com/cp-ui/security/index_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://myaccount.google.com/signinoptions/password?continue=https://myaccount.google.com/security_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://myaccount.google.com/signinoptions/password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://myaccount.virginmobile.ca/MyProfile/Details/EditProfile?editField=PASSWORD_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://myaccounts.capitalone.com/Security/changePassword_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://mychart.clevelandclinic.org/inside.asp?mode=passwd_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://mypassword.uml.edu/#Change_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://myvpostpay.verizon.com/ui/bill/secure/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://na224.lightning.force.com/lightning/settings/personal/ChangePassword/home_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://nbcuniversal.nbc.com/request-password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://news.ycombinator.com/changepw_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://nhentai.net/reset/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://nid.naver.com/user2/help/myInfo.nhn?m=viewChangePasswd_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://nypost.com/account/settings_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://online.citi.com/US/ag/profile-update/change-password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://onlyfans.com/my/settings/account/password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://orcid.org/account_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://password.umsystem.edu/reset/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://play.hbomax.com/setting/account/edit/password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://portal.edd.ca.gov/WebApp/Profile/UpdatePassword_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://portal.pilotflyingj.com/myrewards/forgot-password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://portalpersonas.bancochile.cl/mibancochile-web/front/persona/index.html#/mi-perfil/datos-segu
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://portlandgeneral.com/secure/profile/change-password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://poshmark.com/user/account-info_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://profile.callofduty.com/cod/info_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://profile.theguardian.com/reset_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://pwrecovery.ruc.dk_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://quizlet.com/settings_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://redirect.pizza/profile_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://reelgood.com/account_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://reg.usps.com/entreg/secure/ChangePasswordAction_input?returnActionName_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://rule34.xxx/index.php?page=account&s=change_password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://rumble.com/account/profile_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://saude.sulamericaseguros.com.br/segurado/gerenciar-cadastro/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://secure-www.gap.com/my-account/change-password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://secure.aarp.org/account/editaccount?request_locale=en&nu=t_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://secure.bankofamerica.com/auth/security-center/main/?activity=changePasscode_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://secure.cecredentialtrust.com/account/editpassword/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://secure.fnac.com/account/update-password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://secure.hulu.com/account_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://secure.indeed.com/account/changepassword_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://secure.maxpreps.com/utility/member/forgotpassword.aspx_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://secure.npr.org/oauth2/login_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://secure.orclinic.com/portal/editprofile.aspx_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://secure.ssa.gov/RIM/UpwdView.action_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://secure07ea.chase.com/web/auth/dashboard#/dashboard/myProfileSignInSecurity/resetPassword/res
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://selvbetjening.rejsekort.dk/CWS/CustomerManagement/ChangePassword_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://shein.com/user/security_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://shop.tmz.com/user?show=account-tab_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://slickdeals.net/forums/login.php?do=lostpw_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://soap2day.to/home/user/changepassword_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://soundcloud.com/settings_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://spankbang.com/users/account_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://sslmember2.gmarket.co.kr/MYInfo/MemberInfo_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://stackoverflow.com/users/account-recovery_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://stacksocial.com/user?show=account-tab_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://stripchat.com/settings_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://subscribe.washingtonpost.com/profile/#
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://support.opentable.com/s/login/ForgotPassword?language=en_US_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://thenounproject.com/accounts/password/change/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://todoist.com/prefs/account_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://trakt.tv/settings#password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://tripit.com/account/edit/section/change_password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://twitter.com/settings/password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://udapps.nss.udel.edu/myUDsettings/password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://ui.attentivemobile.com/forgot-password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://usa.experian.com/member/ngx-profile/account-info_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://user.manganelo.com/user_changes_pass_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://web.500px.com/settings/account/security_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://wordpress.com/me/security/password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://worldstarhiphop.com/videos/reset.php_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.11st.co.kr/register/popupModifyPWD.tmall_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.1800contacts.com/account/settings_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.aa.com/loyalty/profile/information_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.account.publishing.service.gov.uk/account/edit/password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.ae.com/myaccount_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.aerlingus.com/html/user-profile.html_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.aesop.com/my-account_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.airnewzealand.com/membership/profile/security/password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.alaskaair.com/www2/ssl/myalaskaair/myalaskaair.aspx?view=myinformation&tab=email_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.alliantcreditunion.com/OnlineBanking/Settings/AccessAndSecurity/ChangePassword.aspx_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.allianz.com.br/alteracao-de-password-ecliente_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.allrecipes.com/account/profile#/change-password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.alternate.de/html/myAccount/account/basicData.html_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.amctheatres.com/amcstubs/account_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.americanexpress.com/en-us/account/password/reset_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.ancestry.com/account/security/password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.apartments.com/my-account/#_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.arlt.com/mein-passwort/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.att.com/acctmgmt/profile/overview_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.bathandbodyworks.com/my-account/edit-profile_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.bbq-grill-world.de/customer/account/edit/changepass/1/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.bedbathandbeyond.com/store/account/personalinfo_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.berlet.de/mein-konto.htm#my-account--edit-pass_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.bestbuy.com/identity/accountSettings/page/password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.biblegateway.com/user/account/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.birkenstock.com/profile_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.bloomberg.com/portal/account_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.blutdruck-shop.de/mein-passwort/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.boredpanda.com/settings/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.browserstack.com/accounts/profile_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.businessinsider.com/#_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.buzzfeed.com/settings/password/change_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.cakeresume.com/settings/account?ref=navs_settings_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.canva.com/login?redirect=%2Fsettings%2Flogin-and-security_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.cargurus.com/Cars/myAccount#/accountSettings_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.cbsnews.com/user/change-password/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.cbssports.com/settings/account_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.chegg.com/my/account-next_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.chess.com/settings/password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.chewy.com/app/resetpassword_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.clien.net/service/mypage/myInfoComfrim_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.cnbc.com/account/#profile_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.cnn.com/account/settings_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.columbia.com/profile_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.consumidor.gov.br/pages/usuario/editar_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.costco.com/AccountInformationView?identifier=manage-membership_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.crackle.com/profile_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.creditkarma.com/myprofile/security_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.crunchyroll.com/resetpw_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.cvs.com/my-account/profile/sign-in-and-security/edit-password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.dailymail.co.uk/registration/profile/change-password.html_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.darty.com/espace_client/donnees-personnelles/mot-de-passe/edition_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.delta.com/myprofile/security-settings_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.deviantart.com/settings/general_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.dickssportinggoods.com/MyAccount/AccountSettings_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.disneyplus.com/account_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.dominos.com/en/pages/customer/#
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.doordash.com/accounts/password/reset/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.dropbox.com/account/security_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.dsw.com/en/us/profile_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.dwr.com/profile_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.eporner.com/profile/mturk_eporn/my/edit-pass/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.espn.com/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.etsy.com/your/account?ref=hdr_user_menu-settings_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.eventbrite.com/account-settings/password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.evite.com/reset_password/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.expedia.com/user/forgotpassword_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.fanfiction.net/account/password.php_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.fedex.com/en-us/create-account/how-to-reset-forgot-password.html_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.fitbit.com/settings/profile_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.foodnetwork.com/user-profile-page_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.foxsports.com/#_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.gamespot.com/change-details/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.geocaching.com/account/settings/changepassword_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.glassdoor.com/member/profile/settings.htm_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.gog.com/account/settings/security_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.grubhub.com/account/profile_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.happycow.net/members/profile/update/password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.homedepot.com/myaccount/security_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.huffpost.com/member/edit-profile_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.ign.com/account/security_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.insider.com/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.instacart.com/store/account_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.instagram.com/accounts/password/change/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.jcpenney.com/account/dashboard/personal/info_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.kohls.com/myaccount/accountsettings.jsp_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.kroger.com/account/update_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.linkedin.com/psettings/change-password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.livejasmin.com/en/girls/#
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.lowes.com/mylowes/profile_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.macys.com/account/profile?cm_sp=macys_account-_-my_account-_-my_profile&linklocation=lef
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.marktplaats.nl/account/password-reset/confirm.html_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.marriott.com/loyalty/myAccount/changePassword.mi_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.meliuz.com.br/minha-conta/meus-dados/senha_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.mercari.com/mypage/email_password/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.michaels.com/on/demandware.store/Sites-MichaelsUS-Site/default/Account-EditProfile_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.mlb.com/account/general_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.myfreecams.com/php/account.php?request=status&vcc=1674246522#change_password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.mylo.id/account_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.nba.com/account/nbaprofile_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.netflix.com/password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.newsweek.com/contact_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.nike.com/member/settings_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.nordstrom.com/my-account/sign-in-info_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.nordstromrack.com/my-account/sign-in-info_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.nytimes.com/account/change-password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.overleaf.com/user/settings_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.paramountplus.com/account/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.patreon.com/settings/account_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.paypal.com/myaccount/security/password/change_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.peacocktv.com/forgot_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.pearson.com/store/en-us/my-account/update-password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.pinterest.com/settings/account-settings_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.politico.com/settings_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.pornhub.com/user/security_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.ppomppu.co.kr/myinfo/profile.php_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.prowlapp.com/settings.php_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.quora.com/settings_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.rakuten.com/account-settings.htm_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.realtor.com/myaccount/profile/settings_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.reddit.com/prefs/update/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.redfin.com/change-password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.redtube.com/settings_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.rei.com/YourAccountCredentials_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.reuters.com/account/forgot-password/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.roblox.com/my/account#
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.rottentomatoes.com/user/account_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.samsclub.com/account/personal-info?xid=hdr_account_change-password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.santahelenasaude.com.br/beneficiario/#/alterar-senha_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.saturn.de/webapp/wcs/stores/servlet/MultiChannelMAChangePassword_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.sephora.com/profile/MyAccount_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.serasa.com.br/meus-dados/alterar-senha_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.shoop.de/einstellungen/benutzerdaten_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.shopback.co.kr/account/change-password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.shutterfly.com/account-settings/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.sonos.com/myaccount/user/profile/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.southwest.com/loyalty/myaccount/profile-security.html_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.spectrum.net/user-preferences/your-info/manage/security_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.speedway.com/my-account/security/passcode_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.splunk.com/my-account/#/profile-details
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.spotify.com/in-en/account/change-password/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.tasteofhome.com/login/updatepassword_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.temu.com/bgp_account_security.html_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.thetrainline.com/my-account/change-password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.thetvdb.com/dashboard/account/changepass_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.tiktok.com/login/email/forget-password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.tripadvisor.com/Settings-cp_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.trulia.com/account/user_profile_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.tumblr.com/settings/account_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.twilio.com/console/user/settings_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.twitch.tv/settings/security_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.ulta.com/myaccount/index.jsp_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.united.com/ual/en/US/account/security/setpassword_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.ups.com/lasso/updatePass?loc=en_US_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.usaa.com/inet/ent_auth_password/pages/ChangePasswordPage_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.ventrachicago.com/account/manage-account/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.victoriassecret.com/us/account/profile#changePassword_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.walgreens.com/account/user_and_password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.walmart.com/account/profile_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.wayfair.com/v/account/personal_info/edit_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.wikihow.com/Special:ChangeCredentials/MediaWiki%5CAuth%5CPasswordAuthenticationRequest_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.wunderground.com/member/settings_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.xvideos.com/account/security_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.youporn.com/settings/change/password/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.zhihu.com/settings/account_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.zillow.com/myzillow/profile/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.ziprecruiter.com/login/forgot-password?realm=candidates_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.zocdoc.com/patient/editprofile?section=Password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://xhamster.com/password-recovery_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://yelp.com/profile_password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://zoom.us/profile#pwd-form_

Source: classification engine

Classification label: clean0.mac@0/9@0/0

Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 618)	Random device file read: /dev/urandom			Jump to behavior
Source: /usr/libexec/firmwarecheckers/eficheck/eficheck (PID: 645)	Random device file read: /dev/random			Jump to behavior

Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 618)

AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist

Jump to behavior

Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 618)	Binary plist file created: /private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari)/KnownExtensions.plist	Jump to dropped file
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 618)	XML plist file created: /private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari)/CloudHistoryRemoteConfiguration.plist	Jump to dropped file
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 618)	Binary plist file created: /private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari 2)/AutoFillQuirks.plist	Jump to dropped file
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 618)	Binary plist file created: /private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari)/Preferences.plist	Jump to dropped file
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 618)	Binary plist file created: /private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari)/LastSession.plist	Jump to dropped file

Source: /usr/bin/open (PID: 617)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist			Jump to behavior
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 618)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist			Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Direct Volume Access	OS Credential Dumping	1 System Information Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Shell
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://www.sephora.com/profile/MyAccount_	AutoFillQuirks.plist.252.dr	false	unknown
https://accounts.ebay.com/acctsec/security-center/chngpwd_	AutoFillQuirks.plist.252.dr	false	unknown
https://www.southwest.com/loyalty/myaccount/profile-security.html_	AutoFillQuirks.plist.252.dr	false	unknown
https://xhamster.com/password-recovery_	AutoFillQuirks.plist.252.dr	false	unknown
https://acesso.gov.br/area-cidadao/#/alterarSenha_	AutoFillQuirks.plist.252.dr	false	unknown
https://hotels.com/profile/settings.html_	AutoFillQuirks.plist.252.dr	false	unknown
https://www.usaa.com/inet/ent_auth_password/pages/ChangePasswordPage_	AutoFillQuirks.plist.252.dr	false	unknown
https://www.amctheatres.com/amcstubs/account_	AutoFillQuirks.plist.252.dr	false	unknown
https://customer.xfinity.com/users/me/update-password_	AutoFillQuirks.plist.252.dr	false	unknown
https://www.walmart.com/account/profile_	AutoFillQuirks.plist.252.dr	false	unknown
https://moncompte.lemonde.fr/gcustomer/account/password_	AutoFillQuirks.plist.252.dr	false	unknown
https://shein.com/user/security_	AutoFillQuirks.plist.252.dr	false	unknown
https://zoom.us/profile#pwd-form_	AutoFillQuirks.plist.252.dr	false	unknown
https://support.opentable.com/s/login/ForgotPassword?language=en_US_	AutoFillQuirks.plist.252.dr	false	unknown
https://forum.wii-homebrew.com/index.php/AccountManagement/_	AutoFillQuirks.plist.252.dr	false	unknown
https://www.twitch.tv/settings/security_	AutoFillQuirks.plist.252.dr	false	unknown
https://fps.fidelity.com/ftgw/Fps/Fidelity/RtlCust/ChangePIN/Init_	AutoFillQuirks.plist.252.dr	false	unknown
https://www.instacart.com/store/account_	AutoFillQuirks.plist.252.dr	false	unknown
https://www.newsweek.com/contact_	AutoFillQuirks.plist.252.dr	false	unknown
https://www.victoriassecret.com/us/account/profile#changePassword_	AutoFillQuirks.plist.252.dr	false	unknown
https://dashboard.dittomusic.com/account/password_	AutoFillQuirks.plist.252.dr	false	unknown
https://www.birkenstock.com/profile_	AutoFillQuirks.plist.252.dr	false	unknown
https://www.delta.com/myprofile/security-settings_	AutoFillQuirks.plist.252.dr	false	unknown
https://www.fanfiction.net/account/password.php_	AutoFillQuirks.plist.252.dr	false	unknown
https://id.sonyentertainmentnetwork.com/id/management/#/p/security_	AutoFillQuirks.plist.252.dr	false	unknown
https://www.nba.com/account/nbaprofile_	AutoFillQuirks.plist.252.dr	false	unknown
https://cloud.linode.com/profile/auth_	AutoFillQuirks.plist.252.dr	false	unknown
https://meuvivo.vivo.com.br/meuvivo/appmanager/portal/fixo_	AutoFillQuirks.plist.252.dr	false	unknown
https://www.livejasmin.com/en/girls/#	AutoFillQuirks.plist.252.dr	false	unknown
https://slickdeals.net/forums/login.php?do=lostpw_	AutoFillQuirks.plist.252.dr	false	unknown
https://www.alaskaair.com/www2/ssl/myalaskaair/myalaskaair.aspx?view=myinformation&tab=email_	AutoFillQuirks.plist.252.dr	false	unknown
https://www.linkedin.com/psettings/change-password_	AutoFillQuirks.plist.252.dr	false	unknown
https://bugzilla.kernel.org/userprefs.cgi?tab=account_	AutoFillQuirks.plist.252.dr	false	unknown
https://codepen.io/settings/account_	AutoFillQuirks.plist.252.dr	false	unknown
https://www.roblox.com/my/account#	AutoFillQuirks.plist.252.dr	false	unknown
https://www.serasa.com.br/meus-dados/alterar-senha_	AutoFillQuirks.plist.252.dr	false	unknown
https://reg.usps.com/entreg/secure/ChangePasswordAction_input?returnActionName_	AutoFillQuirks.plist.252.dr	false	unknown
https://www.allrecipes.com/account/profile#/change-password_	AutoFillQuirks.plist.252.dr	false	unknown
https://user.manganelo.com/user_changes_pass_	AutoFillQuirks.plist.252.dr	false	unknown
https://www.dailymail.co.uk/registration/profile/change-password.html_	AutoFillQuirks.plist.252.dr	false	unknown
https://www.11st.co.kr/register/popupModifyPWD.tmall_	AutoFillQuirks.plist.252.dr	false	unknown
https://app.plex.tv/desktop#	AutoFillQuirks.plist.252.dr	false	unknown
https://cam.ana.co.jp/psz/us/amc_us.jsp?index=105_	AutoFillQuirks.plist.252.dr	false	unknown
https://account.samsung.com/membership/contents/security/password/change-password_	AutoFillQuirks.plist.252.dr	false	unknown
https://www.creditkarma.com/myprofile/security_	AutoFillQuirks.plist.252.dr	false	unknown
https://auth.readymag.com/password/forgot_	AutoFillQuirks.plist.252.dr	false	unknown
https://archive.org/account/index.php?settings=1_	AutoFillQuirks.plist.252.dr	false	unknown
https://secure07ea.chase.com/web/auth/dashboard#/dashboard/myProfileSignInSecurity/resetPassword/res	AutoFillQuirks.plist.252.dr	false	unknown
https://account.magento.com/customer/account/changepassword_	AutoFillQuirks.plist.252.dr	false	unknown
https://accounts.nintendo.com/password/edit_	AutoFillQuirks.plist.252.dr	false	unknown
https://www.nordstrom.com/my-account/sign-in-info_	AutoFillQuirks.plist.252.dr	false	unknown
https://www.dominos.com/en/pages/customer/#	AutoFillQuirks.plist.252.dr	false	unknown
https://profile.theguardian.com/reset_	AutoFillQuirks.plist.252.dr	false	unknown
https://reelgood.com/account_	AutoFillQuirks.plist.252.dr	false	unknown
https://www.dropbox.com/account/security_	AutoFillQuirks.plist.252.dr	false	unknown
https://customercenter.wsj.com/account#password_	AutoFillQuirks.plist.252.dr	false	unknown
https://go.com/profile/account-settings/edit_	AutoFillQuirks.plist.252.dr	false	unknown
https://chaturbate.com/auth/password_change/_	AutoFillQuirks.plist.252.dr	false	unknown
https://genius.com/password_resets/new_	AutoFillQuirks.plist.252.dr	false	unknown
https://www.macys.com/account/profile?cm_sp=macys_account-_-my_account-_-my_profile&linklocation=lef	AutoFillQuirks.plist.252.dr	false	unknown
https://www.alternate.de/html/myAccount/account/basicData.html_	AutoFillQuirks.plist.252.dr	false	unknown
https://blend.io/settings_	AutoFillQuirks.plist.252.dr	false	unknown
https://www.cnn.com/account/settings_	AutoFillQuirks.plist.252.dr	false	unknown
https://www.instagram.com/accounts/password/change/_	AutoFillQuirks.plist.252.dr	false	unknown
https://www.redtube.com/settings_	AutoFillQuirks.plist.252.dr	false	unknown
https://www.aesop.com/my-account_	AutoFillQuirks.plist.252.dr	false	unknown
https://member.daum.net/change/password.daum_	AutoFillQuirks.plist.252.dr	false	unknown
https://myaccount.virginmobile.ca/MyProfile/Details/EditProfile?editField=PASSWORD_	AutoFillQuirks.plist.252.dr	false	unknown
https://mastercard.syf.com/login/reset_	AutoFillQuirks.plist.252.dr	false	unknown
https://www.jcpenney.com/account/dashboard/personal/info_	AutoFillQuirks.plist.252.dr	false	unknown
https://www.pearson.com/store/en-us/my-account/update-password_	AutoFillQuirks.plist.252.dr	false	unknown
https://worldstarhiphop.com/videos/reset.php_	AutoFillQuirks.plist.252.dr	false	unknown
https://www.boredpanda.com/settings/_	AutoFillQuirks.plist.252.dr	false	unknown
https://www.shoop.de/einstellungen/benutzerdaten_	AutoFillQuirks.plist.252.dr	false	unknown
https://mypassword.uml.edu/#Change_	AutoFillQuirks.plist.252.dr	false	unknown
https://stripchat.com/settings_	AutoFillQuirks.plist.252.dr	false	unknown
https://accounts.shopify.com/accounts/186490458/security_	AutoFillQuirks.plist.252.dr	false	unknown
https://www.redfin.com/change-password_	AutoFillQuirks.plist.252.dr	false	unknown
https://hibrain.net/mybrain/users/password/edit_	AutoFillQuirks.plist.252.dr	false	unknown
https://app.carta.com/profiles/update/_	AutoFillQuirks.plist.252.dr	false	unknown
https://legacy.memoriams.com/Network/Account/ChangePassword_	AutoFillQuirks.plist.252.dr	false	unknown
https://www.ups.com/lasso/updatePass?loc=en_US_	AutoFillQuirks.plist.252.dr	false	unknown
https://www.pinterest.com/settings/account-settings_	AutoFillQuirks.plist.252.dr	false	unknown
https://profile.callofduty.com/cod/info_	AutoFillQuirks.plist.252.dr	false	unknown
https://bandcamp.com/settings#password_	AutoFillQuirks.plist.252.dr	false	unknown
https://www.crackle.com/profile_	AutoFillQuirks.plist.252.dr	false	unknown
https://secure.hulu.com/account_	AutoFillQuirks.plist.252.dr	false	unknown
https://app.acorns.com/settings/change-password_	AutoFillQuirks.plist.252.dr	false	unknown
https://news.ycombinator.com/changepw_	AutoFillQuirks.plist.252.dr	false	unknown
https://classroom.udacity.com/settings/password_	AutoFillQuirks.plist.252.dr	false	unknown
https://pwrecovery.ruc.dk_	AutoFillQuirks.plist.252.dr	false	unknown
https://rumble.com/account/profile_	AutoFillQuirks.plist.252.dr	false	unknown
https://www.michaels.com/on/demandware.store/Sites-MichaelsUS-Site/default/Account-EditProfile_	AutoFillQuirks.plist.252.dr	false	unknown
https://www.splunk.com/my-account/#/profile-details	AutoFillQuirks.plist.252.dr	false	unknown
https://secure.ssa.gov/RIM/UpwdView.action_	AutoFillQuirks.plist.252.dr	false	unknown
https://www.realtor.com/myaccount/profile/settings_	AutoFillQuirks.plist.252.dr	false	unknown
https://www.ancestry.com/account/security/password_	AutoFillQuirks.plist.252.dr	false	unknown
https://www.zillow.com/myzillow/profile/_	AutoFillQuirks.plist.252.dr	false	unknown
https://key.harvard.edu/manage-account/change-password_	AutoFillQuirks.plist.252.dr	false	unknown
https://www.nytimes.com/account/change-password_	AutoFillQuirks.plist.252.dr	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
184.24.159.165	unknown	United States	16625	AKAMAI-ASUS	false
151.101.195.6	unknown	United States	54113	FASTLYUS	false
151.101.67.6	unknown	United States	54113	FASTLYUS	false

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

/dev/null

Download File

Process:	/Applications/Safari.app/Contents/MacOS/Safari
File Type:	ASCII text
Category:	dropped
Size (bytes):	61
Entropy (8bit):	4.860504345511341
Encrypted:	false
SSDEEP:	3:tRul2EDEXbmRWOv:GjsmkA
MD5:	F6DC0BA48DE14FEBC0E619779B78F7E7
SHA1:	6B5EE875719B8A6D72CCDE5501561187F28DA652
SHA-256:	C95B1773641CBEDDF61D169B1B2EB0979A6F999F0291CC42F3DF9292171D1065
SHA-512:	BE865B55588FD9F7021F5471BD21A1C4F2549D84C97BD02154C16D9189985182AACED259CDE3A92FB99441183599E65936D81E3B00E36122B23F923A59E2190C
Malicious:	false
Reputation:	low
Preview:	2024-09-27 12:01:38.796 Safari[618:4879] ApplePersistence=NO.

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/C/com.apple.Safari/com.apple.scriptmanager2.le.cache

Download File

Process:	/Applications/Safari.app/Contents/MacOS/Safari
File Type:	data
Category:	dropped
Size (bytes):	19328
Entropy (8bit):	2.9753497322131066
Encrypted:	false
SSDEEP:	192:XVlGq37NZFFFF/QQQQgdFSGXFFFFnQQQQ:uq37HFFFF/QQQQg3SGXFFFFnQQQQ
MD5:	1D8E1388683DC96ED97907EFCCE83FDA
SHA1:	561FDF03A98032BAAEB7BC214FD6FC2712BA42B0
SHA-256:	A6BE2B32F120066646A50B537477F2D359D7013851F123146CB9B6A7A1371E8C
SHA-512:	70A1E99DAD32B200EB26AD78E6433B3E9E052355ADA3A3AD1CB6C644C1A0513E593CCD89EF8B9B305013B37F3F850F049D787677878F412D23FB517147C18C98
Malicious:	false
Reputation:	low
Preview:	.............J..dJ......clti....0.......mlti........0...blti....2.......blti....2...H...blti....2...\|...blti....2.......blti....2.......blti....2.......blti....2...L...blti~...2.......5lti.@..,.......5lti.B..,....$..5lti.p..,.......5lti.D..,...87..................(....................................... .....................~...f... ...!............... ...4...3.......>.......U.......F...E...G...C...J...K...I...H...L...M...N.......O...?...9...P.......!............. .......t............."...........................................................#...............................^.......X...Y...Z...[...\...].......Q...........S.......R...............$.......(...%.......................&...'........... ...*...+...,...-.......5......./...0...1...6...7...8...:...4...3...........2...<...........T...;...=...>.......)...U...V...W.......@...A...B...F...E...G...C...D...J...K...I...H...L...M...N.......O...?.......9...P.......!...............j...X.....R...........%...7...........\.........".........

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/C/com.apple.Safari/mds/mdsDirectory.db_

Download File

Process:	/Applications/Safari.app/Contents/MacOS/Safari
File Type:	Mac OS X Keychain File
Category:	dropped
Size (bytes):	48908
Entropy (8bit):	3.533814637805397
Encrypted:	false
SSDEEP:	384:xSMdGleGkIG7FF3theSMVXBD0tgcNrGB5pBfbouR6/chQOnGqwc2U+v+h/:8MdGleOhpBouRwchQOnGqwc2U+v+h/
MD5:	0E4A0D1CEB2AF6F0F8D0167CE77BE2D3
SHA1:	414BA4C1DC5FC8BF53D550E296FD6F5AD669918C
SHA-256:	CCA093BCFC65E25DD77C849866E110DF72526DFFBE29D76E11E29C7D888A4030
SHA-512:	1DC5282D27C49A4B6F921BA5DFC88B8C1D32289DF00DD866F9AC6669A5A8D99AFEDA614BFFC7CF61A44375AE73E09CD52606B443B63636977C9CD2EF4FA68A20
Malicious:	false
Reputation:	low
Preview:	kych...........................`...X...p..S0..SX..Th..T...T...[...^h...........L...X...............T...........d...................t...............t...........<...............P...........0...........$...p...........l...........X.......@.......................!...%........CSSM_DL_DB_SCHEMA_INFO.....D.......................!...%........CSSM_DL_DB_SCHEMA_ATTRIBUTES...D.......................!...%........CSSM_DL_DB_SCHEMA_INDEXES......H.......................!...%....... CSSM_DL_DB_SCHEMA_PARSING_MODULE...D.......................!...%@.......MDS_CDSADIR_CSSM_RECORDTYPE....D.......................!...%@.......MDS_CDSADIR_KRMM_RECORDTYPE....D.......................!...%@.......MDS_CDSADIR_EMM_RECORDTYPE.....L.......................!...%@......"MDS_CDSADIR_EMM_PRIMARY_RECORDTYPE.....H.......................!...%@.......MDS_CDSADIR_COMMON_RECORDTYPE......L.......................!...%@......"MDS_CDSADIR_CSP_PRIMARY_RECORDTYPE.....P.......................!...%@......%MDS_CDSADIR_CSP_CAPABILITY_R

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/C/com.apple.Safari/mds/mdsObject.db_

Download File

Process:	/Applications/Safari.app/Contents/MacOS/Safari
File Type:	Mac OS X Keychain File
Category:	dropped
Size (bytes):	4404
Entropy (8bit):	3.5110922853353324
Encrypted:	false
SSDEEP:	24:mFkXs98w/mBr53CEb9ujBbCYoVeA7uBEUMy733Ka2VCneWHrUZRJkWnJI4FNMOQS:m6Xsh+CLjL3Pe3T5FFEfEn8xiYuuSsS
MD5:	D3A1859E6EC593505CC882E6DEF48FC8
SHA1:	F8E6728E3E9DE477A75706FAA95CEAD9CE13CB32
SHA-256:	3EBAFA97782204A4A1D75CFEC22E15FCDEAB45B65BAB3B3E65508707E034A16C
SHA-512:	EA2A749B105759EA33408186B417359DEFFB4A3A5ED0533CB26B459C16BB3524D67EDE5C9CF0D5098921C0C0A9313FB9C2672F1E5BA48810EDA548FA3209E818
Malicious:	false
Reputation:	low
Preview:	kych.......................................d...................0...............0...p...........@...@.......................!...%........CSSM_DL_DB_SCHEMA_INFO.....D.......................!...%........CSSM_DL_DB_SCHEMA_ATTRIBUTES...D.......................!...%........CSSM_DL_DB_SCHEMA_INDEXES......H.......................!...%....... CSSM_DL_DB_SCHEMA_PARSING_MODULE...@.......................!...%@.......MDS_OBJECT_RECORDTYPE..............h........... ...`........... ...@.......................-...1...5...9...=@..............................X...............P................... ...p...........l...........d...........P...........H...........,...............h...........P.......................1...5...9...=.......M................RelationID.........P.......................1...5...9...=.......M................RelationName.......P.......................1...5...9...=.......M................RelationID.........P.......................1...5...9...=.......M................AttributeID........X....

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari 2)/AutoFillQuirks.plist

Download File

Process:	/Applications/Safari.app/Contents/MacOS/Safari
File Type:	Apple binary property list
Category:	dropped
Size (bytes):	60017
Entropy (8bit):	6.44756590873966
Encrypted:	false
SSDEEP:	1536:Q+GC/PAgVltOQ7u0H8MbhNs39bQflSkq2:QxC/PNVlb7u0cSNs9jb2
MD5:	C5E8C26C5B5C64BBB1ADF49F38ACAA06
SHA1:	02AD97BC49A1C903CCC13F95754AA364CF864964
SHA-256:	7AA177CE2337F6AC63E9CB14E31B6BCA51E5D705B2D805232BCC32028A947362
SHA-512:	222A9C5C477E2941A1B6C119854142AC1DA88EB96E80E8C086C35E3B785B41C5AF5FFCF90FAB063C8B68B2D31708D82300C3FF4A12A501821601C370E3D9BBA3
Malicious:	false
Reputation:	low
Preview:	bplist00................................7.<.x.y.\|_.$DomainsIneligibleForStreamlinedLogin_. DomainsWithAssociatedCredentials_..PasswordGenerationRequirements_..DomainsForPasskeyFallbackUI_..ChangePasswordURLs_."DomainsIneligibleForAutomaticLogin_..AppIDsToDomainsAssociations_..DomainsIneligibleForPasskeys_..DomainsToConsiderIdentical]SharedDomains...^old.reddit.com.......... .V.Z.f.i.l.............................................................................".%.<.?.B.E.H.K.N.Q.T.X.\._.d.h.k.n.q.t.w.z.~.............................................................................).-.0.3.6.9.<.?.B.E.K.N.R.U.X.[.^.a.h.k.n.t.w.z.~............................................[3docean.net_..audiojungle.net^codecanyon.netZenvato.com_..graphicriver.net]photodune.net[placeit.net_..themeforest.net\tutsplus.com]videohive.net.......Vaa.com_..americanairlines.com_..americanairlines.jp.....Yaetna.com_..banneraetna.myplanportal.com..5.!.".#.$.%.&.'.(.).*.+.,.-.../.0.1.2.3.4.5.6.7.8.9.:.;.<.=.>.?.@.A

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari)/CloudHistoryRemoteConfiguration.plist

Download File

Process:	/Applications/Safari.app/Contents/MacOS/Safari
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1012
Entropy (8bit):	5.286991847916908
Encrypted:	false
SSDEEP:	24:2dfyiwHuG5Ku3hu65juqVrTrmuGoTxR1F1xW:cfyP5Z/5PrUon1F1xW
MD5:	0C29425555C7FF0CA114B1FD0DC39C50
SHA1:	D7D808E8BE92462F4C3CEBA66734F0E9BB26ACDD
SHA-256:	52826AFEEC974BB7BACB85BDC01DC4F23BF917D65E04773D7CAD393F7866F3FD
SHA-512:	D9C8364A85F4B4A96CAAC1409F32F9D6B2F8AE19201E0ABD2D449A3EEDADD471E99E44BC92DEB5D8FB60287DA64A88E61B45F759E7B9A383A9BBE5F5FD242F95
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8"?>.<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">.<plist version="1.0">.<dict>..<key>SingleDeviceSaveChangesThrottlingPolicy</key>..<string>1:1440</string>..<key>MultipleDeviceSaveChangesThrottlingPolicy</key>..<string>50:1 \| 10:2 \| 10:5 \| 10:30 \| 9:40 \| 1:510</string>..<key>SingleDeviceFetchChangesThrottlingPolicy</key>..<string>11:15 \| 1:1275</string>..<key>MultipleDeviceFetchChangesThrottlingPolicy</key>..<string>50:1 \| 50:3 \| 20:4 \| 20:5 \| 20:15 \| 20:18 \| 20:20</string>..<key>SyncCircleSizeRetrievalThrottlingPolicy</key>..<string>1:1440</string>..<key>MaximumRequestLimitCharacterCount</key>..<integer>100000</integer>..<key>SyncWindow</key>..<real>1209600</real>..<key>HistoryModificationIdleDelayBeforeSyncAttemptKey</key>..<integer>90</integer>..<key>HistoryRemovalIdleDelayBeforeSyncAttempt</key>..<integer>6</integer>..<key>SaveChangesBeforeTerminationTimeout</key>..<integer>1</integer>.</dic

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari)/KnownExtensions.plist

Download File

Process:	/Applications/Safari.app/Contents/MacOS/Safari
File Type:	Apple binary property list
Category:	dropped
Size (bytes):	2890
Entropy (8bit):	6.383267531551876
Encrypted:	false
SSDEEP:	48:FMO+0F/o0CCPb/bCCoumzC6kiaR/wN4Gfhb0NegHI5mP0waijwg+tiEe:FMO+EoOfjovzCuv5I12msjtHe
MD5:	99707B6E8B1DAA434DE2A176A458F85C
SHA1:	96324F62483DD7AC8683D1850D694BB900EB3419
SHA-256:	F282D8A52BFDCD208792A47C074E59A1E16D627D53094E11FC73E595AEC7DDAD
SHA-512:	E8018018F91A5CE5C418F5C6445DC11A44B40AA6F619958D496B18507B3FE309415BF9AB293E9C7C0B3E4BA109213D0216D39C0304A7BC3CCE301DB0A729430C
Malicious:	false
Reputation:	low
Preview:	bplist00..=..........!$'*-0369<?BEHKNPRTWZ]`cfilnqtwz}......................._..Bundle Identifier_..Developer Identifier_..com.ci.LetyShopsZ8SY8U2YJ38....._..com.stopallads.stopalladssafariZW5672G9B78....._..com.ci.MyPointsScoreZPV79DKGW8E....._..com.shopicks.safariZ52637H29AM....._..com.mallforafrica.mfaZW67LVM7587....._..com.ci.FatWalletExpressZMUA2CU723E....._..com.ci.CashrewardsZWPDLU326V5....._..com.ci.ObybSecurityZ284W368NRK.....^com.ci.AmikashZP77C556755.... _..com.ci.ShopBackCashbackButtonZ63768R85VC..."#_..com.skaggivara.UniblockZ9ZWDNJ5X28...%&_..com.pcvark.adblockerZRQA86TX865...()_..com.ci.PrescritZDPQ487PKR3...+,^com.ci.CashBagZWPHQAS3C45..../_..com.betteradvertising.ghosteryZHPY23A294X...12_..com.ci.RotaryGumdropZ24MGUH34FU...45_..com.ci.DeippiesnlSpaarhulpZH8MVFTTJJ3...78_..com.ci.Rewards4RacingZL6C8C726SQ...:;_..com.findx.privacycontrolZ5QE6FTCMP9...=>_..com.ci.ShopandGivereminderZ5KWKJVWBTS...@A_..com.el1t.uBlockZ3NU33NW2M3...CD_..com.ci.DealDoktorZN64U5Y52L6...FG_.(co

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari)/LastSession.plist

Download File

Process:	/Applications/Safari.app/Contents/MacOS/Safari
File Type:	Apple binary property list
Category:	dropped
Size (bytes):	2051
Entropy (8bit):	7.439944430762961
Encrypted:	false
SSDEEP:	48:E3NmrAKvZTlg9O1EKao855ebaI4fpg08PworoBKvZFuaGW:zAKBASrax5TI4hBO1roBKvjuaGW
MD5:	7B488E10072DAEF95A0E432FE230CEC1
SHA1:	C23689AAF88B6D330389CD7EE0376F089BE3E1FA
SHA-256:	426571756E6CB8B62035121837C7CFFBD8918C7FC3B907EBD89AC901F0293255
SHA-512:	1287291CE2F86EE16DE44A94E5C671D0D22867C6ABAC5ACA26D4C80A1339C7AF034F362F986CFEBD645737E837D60878561EEE016E36E5213F9128BE03AF2AEF
Malicious:	false
Reputation:	low
Preview:	bplist00.....^SessionVersion^SessionWindowsS1.0............................9_..SelectedTabIndex\TabBarHiddenZDateClosed_..FavoritesBarHidden]IsPopupWindow_. PrefersReadingListSidebarVisible\Miniaturized_..WindowStateVersionZWindowUUID_..WindowContentRectYTabStates_..IsPrivateWindow_..SelectedPinnedTabIndex...3A.S.B..m....S2.0_.$55070710-B6FC-47C8-ABFC-7C99B5F83EA0_..{{0, 49}, {1024, 696}}.... !."#.$%&'().,-...0123456.\IsDisposable\SessionState_..AncestorTabIdentifers_..SessionStateIsEncryptedXTabIndex]LastVisitTimeWTabUUIDVTabURL]TabIdentifierXTabTitle_..ProcessIdentifierWIsMuted.O.....x.k.=Ch.y..G...-...4.....U.. ...!d.4'..2..!XS.o.5.\.......k...:.Y..1.Y...m....B..3..x..._.v.oRw5..>......W_[. .. \.B.......}....y..PN..n[.[_...Y...g....j.v..gP..A.\|.}.M..jY..wd@{5.>..&.X%.m...~. .1vP.a1R4(e.../..........$N....D\|8....r.\+....\|/...?S._[.V.)u.n5..Ln...z1.f&Q...y.....k.M.4...9.He....1.o..O.2..D........V..P?.V.MbAt...[.....w.{.KXa.YY.rJaD...*u....V..0..r.E.8.3.^h...

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari)/Preferences.plist

Download File

Process:	/Applications/Safari.app/Contents/MacOS/Safari
File Type:	Apple binary property list
Category:	dropped
Size (bytes):	76
Entropy (8bit):	3.9370658315190226
Encrypted:	false
SSDEEP:	3:N1n6qMvRGNMTAnd/t1tH:N1nleRaMTAltH
MD5:	CDC65B5F112547EAFAE0F16F9C149426
SHA1:	AEAF9908A5B6FF3E2F7B738ABF5FE9E79108BA01
SHA-256:	1C6D085D871A855CE4A3902BAB4B9B92631B8EE8F0B7F6536768A2AAF427B45C
SHA-512:	E8B0E4CE6A760A718A19976D3CFE9063F04FB4BF179947AECA84E94C83F21459FB9DC0FFABEA8F633BD2D0BA94FE1E15D8C97E9604FDE8BD0DEA961EB83BDDB7
Malicious:	false
Reputation:	low
Preview:	bplist00..._..ExtensionArchivesExtracted...(...............................)

Static File Info

⊘No static file info

Network Behavior

⊘No network behavior found

System Behavior

Analysis Process: xpcproxy PID: 611, Parent PID: 1

General

Start time (UTC):	17:01:34
Start date (UTC):	27/09/2024
Path:	/usr/libexec/xpcproxy
Arguments:	-
File size:	44048 bytes
MD5 hash:	4764d9eafe6b7dac23253a9f8b7f73d6

Chronological Activities

Analysis Process: nsurlstoraged PID: 611, Parent PID: 1

General

Start time (UTC):	17:01:34
Start date (UTC):	27/09/2024
Path:	/usr/libexec/nsurlstoraged
Arguments:	/usr/libexec/nsurlstoraged --privileged
File size:	246624 bytes
MD5 hash:	321b0a40e24b45f0af49ba42742b3f64

Chronological Activities

Analysis Process: mono-sgen32 PID: 617, Parent PID: 537

General

Start time (UTC):	17:01:37
Start date (UTC):	27/09/2024
Path:	/Library/Frameworks/Mono.framework/Versions/4.4.2/bin/mono-sgen32
Arguments:	-
File size:	3722408 bytes
MD5 hash:	8910349f44a940d8d79318367855b236

Chronological Activities

Analysis Process: open PID: 617, Parent PID: 537

General

Start time (UTC):	17:01:37
Start date (UTC):	27/09/2024
Path:	/usr/bin/open
Arguments:	/usr/bin/open -a Safari https://secure.na2.documents.adobe.com/public/esign?tsid=CBFCIBAACBSCTBABDUAAABACAABAAskvx_bq2cquZ4iq5BLjtEbawFZPxMTV6mRN_3v_virXQazei6QWK2KQGkwGCN9pO8Sn1Zu0F3YP6y43ljMzViV-Jk1qAjzp1hzXH72fTmZKTDP9OlrjmAtiGxIKJVXAP&
File size:	105952 bytes
MD5 hash:	34bd93241fa5d2aee225941b1ca14fa4

Chronological Activities

Analysis Process: xpcproxy PID: 618, Parent PID: 1

General

Start time (UTC):	17:01:37
Start date (UTC):	27/09/2024
Path:	/usr/libexec/xpcproxy
Arguments:	-
File size:	44048 bytes
MD5 hash:	4764d9eafe6b7dac23253a9f8b7f73d6

Chronological Activities

Analysis Process: Safari PID: 618, Parent PID: 1

General

Start time (UTC):	17:01:37
Start date (UTC):	27/09/2024
Path:	/Applications/Safari.app/Contents/MacOS/Safari
Arguments:	/Applications/Safari.app/Contents/MacOS/Safari
File size:	27120 bytes
MD5 hash:	2dde28c2f8a38ed2701ba17a0893cbc1

Chronological Activities

Analysis Process: xpcproxy PID: 645, Parent PID: 1

General

Start time (UTC):	17:02:30
Start date (UTC):	27/09/2024
Path:	/usr/libexec/xpcproxy
Arguments:	-
File size:	44048 bytes
MD5 hash:	4764d9eafe6b7dac23253a9f8b7f73d6

Chronological Activities

Analysis Process: eficheck PID: 645, Parent PID: 1

General

Start time (UTC):	17:02:30
Start date (UTC):	27/09/2024
Path:	/usr/libexec/firmwarecheckers/eficheck/eficheck
Arguments:	/usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check-daemon
File size:	74048 bytes
MD5 hash:	328beb81a2263449258057506bb4987f

Chronological Activities

Analysis Process: xpcproxy PID: 648, Parent PID: 1

General

Start time (UTC):	17:03:40
Start date (UTC):	27/09/2024
Path:	/usr/libexec/xpcproxy
Arguments:	-
File size:	44048 bytes
MD5 hash:	4764d9eafe6b7dac23253a9f8b7f73d6

Chronological Activities

Analysis Process: silhouette PID: 648, Parent PID: 1

General

Start time (UTC):	17:03:40
Start date (UTC):	27/09/2024
Path:	/usr/libexec/silhouette
Arguments:	/usr/libexec/silhouette
File size:	65920 bytes
MD5 hash:	485ec1bd3cd09293e26d05f6fe464bfd

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

macOS Analysis Report https://secure.na2.documents.adobe.com/public/esign?tsid=CBFCIBAACBSCTBABDUAAABACAABAAskvx_bq2cquZ4iq5BLjtEbawFZPxMTV6mRN_3v_virXQazei6QWK2KQGkwGCN9pO8Sn1Zu0F3YP6y43ljMzViV-Jk1qAjzp1hzXH72fTmZKTDP9OlrjmAtiGxIKJVXAP&

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

Networking

System Summary

Persistence and Installation Behavior

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/dev/null

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/C/com.apple.Safari/com.apple.scriptmanager2.le.cache

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/C/com.apple.Safari/mds/mdsDirectory.db_

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/C/com.apple.Safari/mds/mdsObject.db_

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari 2)/AutoFillQuirks.plist

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari)/CloudHistoryRemoteConfiguration.plist

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari)/KnownExtensions.plist

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari)/LastSession.plist

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari)/Preferences.plist

Static File Info

Network Behavior

System Behavior

Analysis Process: xpcproxy PID: 611, Parent PID: 1

General

Chronological Activities

Analysis Process: nsurlstoraged PID: 611, Parent PID: 1

General

Chronological Activities

Analysis Process: mono-sgen32 PID: 617, Parent PID: 537

General

Chronological Activities

Analysis Process: open PID: 617, Parent PID: 537

General

Chronological Activities

Analysis Process: xpcproxy PID: 618, Parent PID: 1

General

Chronological Activities

Analysis Process: Safari PID: 618, Parent PID: 1

General

Chronological Activities

Analysis Process: xpcproxy PID: 645, Parent PID: 1

General

Chronological Activities

Analysis Process: eficheck PID: 645, Parent PID: 1

General

Chronological Activities

macOS Analysis Report
https://secure.na2.documents.adobe.com/public/esign?tsid=CBFCIBAACBSCTBABDUAAABACAABAAskvx_bq2cquZ4iq5BLjtEbawFZPxMTV6mRN_3v_virXQazei6QWK2KQGkwGCN9pO8Sn1Zu0F3YP6y43ljMzViV-Jk1qAjzp1hzXH72fTmZKTDP9OlrjmAtiGxIKJVXAP&