Edit tour

macOS Analysis Report
https://desktop.docker.com/mac/main/amd64/Docker.dmg?utm_source=docker&utm_medium=webreferral&utm_campaign=dd-smartbutton&utm_location=module&_gl=116li0my_gcl_auMTczNzMwOTg2NC4xNzQyODIzNDgz_gaNjY4NzEwMzU4LjE3NDI4MjM0ODM._ga_XJWPQMJYHQ*MTc0NDA0MDI4OC4yLjEuMTc0NDA0MDMwMy40NS4wLjA.

Overview

General Information

Sample URL:	https://desktop.docker.com/mac/main/amd64/Docker.dmg?utm_source=docker&utm_medium=webreferral&utm_campaign=dd-smartbutton&utm_location=module&_gl=116li0my_gcl_auMTczNzMwOTg2NC4xNzQyODIzNDgz_ga*NjY
Analysis ID:	1658511
Infos:

Detection

Score:	0
Range:	0 - 100

Signatures

No high impact signatures.

Classification

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1658511
Start date and time:	2025-04-07 17:39:57 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	https://desktop.docker.com/mac/main/amd64/Docker.dmg?utm_source=docker&utm_medium=webreferral&utm_campaign=dd-smartbutton&utm_location=module&_gl=116li0my_gcl_auMTczNzMwOTg2NC4xNzQyODIzNDgz_gaNjY4NzEwMzU4LjE3NDI4MjM0ODM._ga_XJWPQMJYHQ*MTc0NDA0MDI4OC4yLjEuMTc0NDA0MDMwMy40NS4wLjA.
Analysis system description:	Virtual Machine, Mojave (Office 16 16.27, Java 11.0.2+9, Adobe Reader 2019.010.20099)
macOS major version:	10.14
CPU architecture:	x86_64
Analysis Mode:	default
Detection:	CLEAN
Classification:	clean0.mac@0/16@0/0

Warnings

Skipping network analysis since amount of network traffic is too extensive
VT rate limit hit for: https://desktop.docker.com/mac/main/amd64/Docker.dmg?utm_source=docker&utm_medium=webreferral&utm_campaign=dd-smartbutton&utm_location=module&_gl=1*16li0my*_gcl_au*MTczNzMwOTg2NC4xNzQyODIzNDgz*_ga*NjY4NzEwMzU4LjE3NDI4MjM0ODM.*_ga_XJWPQMJYHQ*MTc0NDA0MDI4OC4yLjEuMTc0NDA0MDMwMy40NS4wLjA.

Process Tree

System is macvm-mojave

xpcproxy New Fork (PID: 610, Parent: 1)

nsurlstoraged (MD5: 321b0a40e24b45f0af49ba42742b3f64) Arguments: /usr/libexec/nsurlstoraged --privileged

mono-sgen32 New Fork (PID: 615, Parent: 537)

open (MD5: 34bd93241fa5d2aee225941b1ca14fa4) Arguments: /usr/bin/open -a Safari https://desktop.docker.com/mac/main/amd64/Docker.dmg?utm_source=docker&utm_medium=webreferral&utm_campaign=dd-smartbutton&utm_location=module&_gl=1*16li0my*_gcl_au*MTczNzMwOTg2NC4xNzQyODIzNDgz*_ga*NjY4NzEwMzU4LjE3NDI4MjM0ODM.*_ga_XJWPQMJYHQ*MTc0NDA0MDI4OC4yLjEuMTc0NDA0MDMwMy40NS4wLjA.

xpcproxy New Fork (PID: 616, Parent: 1)

Safari (MD5: 2dde28c2f8a38ed2701ba17a0893cbc1) Arguments: /Applications/Safari.app/Contents/MacOS/Safari

xpcproxy New Fork (PID: 630, Parent: 1)

com.apple.Safari.SandboxBroker (MD5: dbc4069451b58fff752f6b018b3f2c4e) Arguments: /Applications/Safari.app/Contents/XPCServices/com.apple.Safari.SandboxBroker.xpc/Contents/MacOS/com.apple.Safari.SandboxBroker

xpcproxy New Fork (PID: 645, Parent: 1)

eficheck (MD5: 328beb81a2263449258057506bb4987f) Arguments: /usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check-daemon

xpcproxy New Fork (PID: 646, Parent: 1)

silhouette (MD5: 485ec1bd3cd09293e26d05f6fe464bfd) Arguments: /usr/libexec/silhouette

cleanup

Yara Signatures

⊘No yara matches

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• Networking
• System Summary
• Persistence and Installation Behavior
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: .https://www.facebook.com/settings?tab=security_ equals www.facebook.com (Facebook)
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: 2https://www.linkedin.com/psettings/change-password_ equals www.linkedin.com (Linkedin)
Source: TopSites.plist.252.dr	String found in binary or memory: https://www.facebook.com/XFacebook equals www.facebook.com (Facebook)
Source: TopSites.plist.252.dr	String found in binary or memory: https://www.linkedin.com/XLinkedIn equals www.linkedin.com (Linkedin)
Source: TopSites.plist.252.dr	String found in binary or memory: https://www.yahoo.com/UYahoo equals www.yahoo.com (Yahoo)

Source: CloudHistoryRemoteConfiguration.plist.252.dr	String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: TopSites.plist.252.dr	String found in binary or memory: http://www.apple.com/uk/startpage/
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://247sports.com/my/settings/password/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://account.booking.com/account-recovery_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://account.churchofjesuschrist.org/changePassword_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://account.deere.com/actmgmt/change-password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://account.docusign.com/me/changepassword_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://account.forbes.com/profile_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://account.gmx.net/ciss/security/edit/passwordChange_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://account.id.hp.com/security_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://account.id.me/signin/password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://account.idm.telekom.com/account-manager/password/index.xhtml_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://account.live.com/password/Change_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://account.magento.com/customer/account/changepassword_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://account.proton.me/u/0/vpn/account-password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://account.samsung.com/membership/contents/security/password/change-password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://account.shodan.io/change_password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://accounts.adafruit.com/settings/password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://accounts.autodesk.com/Profile/Security_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://accounts.craigslist.org/pass_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://accounts.crowdin.com/password/change_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://accounts.dmm.co.jp/settings/change/password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://accounts.ebay.com/acctsec/security-center/chngpwd_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://accounts.intuit.com/app/account-manager/security/password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://accounts.nintendo.com/password/edit_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://accounts.panic.com/password_set_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://accounts.pch.com/forgotpass_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://accounts.secondlife.com/change_password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://accounts.shopify.com/accounts/186490458/security_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://acesso.gov.br/area-cidadao/#/alterarSenha_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://adultfriendfinder.com/p/update.cgi?p=my_account_update_account_password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://allegro.pl/moje-allegro/moje-konto/logowanie-i-haslo_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://app.acorns.com/settings/change-password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://app.carta.com/profiles/update/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://app.constantcontact.com/pages/myaccount/settings/account_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://app.getflywheel.com/profile/security/change_password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://app.parkmobile.io/account/settings_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://app.plex.tv/desktop#
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://app.prolific.co/account/general_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://app.sipgatebasic.de/settings_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://app.stonly.com/app/general/userSettings/Account_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://app.zeplin.io/profile/password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://appleid.apple.com/account/manage_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://apps.anatel.gov.br/AnatelConsumidor/ConsumidorEditar.aspx_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://apps.jw.org/E_PASSCHG1_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://archive.org/account/index.php?settings=1_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://arxiv.org/user/change_own_password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://auth.astonmartinf1.com/Dashboard/ChangePassword_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://auth.danawa.com/modifyMember_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://auth.fandom.com/auth/settings_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://auth.opera.com/account/edit-profile_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://auth.readymag.com/password/forgot_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://auth.redgifs.com/lo/reset?ticket=_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://auth.usnews.com/changePassword_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://b2c.voegol.com.br/minhas-viagens/meu-perfil_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://bandcamp.com/settings#password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://benefitslogin.discoverybenefits.com/Profile/UpdatePassword.aspx_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://blackwells.co.uk/bookshop/account/personal-details_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://blend.io/settings_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://bugzilla.kernel.org/userprefs.cgi?tab=account_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://cam.ana.co.jp/psz/us/amc_us.jsp?index=105_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://campus.tum.de_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://card.discover.com/cardmembersvcs/personalprofile/pp/UpdateDetails?ICMPGN=MYPROFILE_USERID_PA
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://censys.io/account_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://cfspart.impots.gouv.fr/monprofil-webapp/GererMonProfil_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://chaturbate.com/auth/password_change/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://classroom.udacity.com/settings/password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://cloud.digitalocean.com/settings/security_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://cloud.linode.com/profile/auth_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://codepen.io/settings/account_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://consumercenter.mysynchrony.com/consumercenter/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://customer.safeco.com/accountmanager/profile/changepassword_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://customer.xfinity.com/users/me/update-password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://customercenter.marketwatch.com/account#password?mod=ql_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://customercenter.wsj.com/account#password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://dan.com/users/settings/account_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://dash.cloudflare.com/profile/authentication_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://dash.e.jimdo.com/profile_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://dashboard.branch.io/account-settings/user_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://dashboard.dittomusic.com/account/password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://dashboard.heroku.com/account_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://dashboard.messagebird.com/account/security_
Source: Downloads.plist.252.dr, Downloads.plist0.252.dr, Info.plist.252.dr	String found in binary or memory: https://desktop.docker.com/mac/main/amd64/Docker.dmg?utm_source=docker&utm_medium=webreferral&utm_ca
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://discord.com/settings/account_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://duolingo.com/settings/profile_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://elpais.com/subscriptions/#/profile_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://employeewe.bamboohr.com/dashboard/password.php_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://experience.gm.com/myaccount/security/passwordChange_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://fetlife.com/settings/account/password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://flightaware.com/account/manage_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://forum.wii-homebrew.com/index.php/AccountManagement/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://foursquare.com/change_password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://fps.fidelity.com/ftgw/Fps/Fidelity/RtlCust/ChangePIN/Init_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://genius.com/password_resets/new_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://github.com/settings/security_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://go.com/profile/account-settings/edit_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://help.steampowered.com/en/wizard/HelpChangePassword?redir=store/account/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://help.steampowered.com/en/wizard/HelpWithLoginInfoReset/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://hibrain.net/mybrain/users/password/edit_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://home.thesun.co.uk/edit/password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://honeywell.csod.com/resetPasswrd.aspx?_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://hotels.com/profile/settings.html_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://hq1.appsflyer.com/account/change-password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://id.atlassian.com/manage-profile/security_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://id.nfl.com/account/change-password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://id.sonyentertainmentnetwork.com/id/management/#/p/security_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://identity.surveymonkey.com/us/manage?locale=en_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://identity.xero.com/account/?AccountUrl=/
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://imgur.com/account/settings/password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://key.harvard.edu/manage-account/change-password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://kundenportal.edeka-smart.de/edeka-csc/forgot-password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://l.doctoralia.com.br/change-password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://leetcode.com/accounts/password/set/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://legacy.memoriams.com/Network/Account/ChangePassword_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://letterboxd.com/settings/auth/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://linktr.ee/admin/account_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://login.aliexpress.com/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://login.aol.com/account/change-password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://login.blockchain.com/en/#/security-center/advanced_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://login.coupang.com/login/userModify.pang_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://login.teamviewer.com/nav/profile/change-password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://login.thesun.co.uk/user/changePassword_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://login.ti.com/ext/pwdchange/Identify_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://login.tmon.co.kr/user/info_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://login.usatoday.com/USAT-GUP/password-forgot/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://login.yahoo.com/account/change-password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://login.yahoo.com/myaccount/security/change-password/?src=finance_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://login.yahoo.com/myaccount/security/change-password/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://logonservices.iam.target.com/change-password/?target=#
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://logowanie.pl.canalplus.com/zmien-haslo_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://mastercard.syf.com/login/reset_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://mathworks.com/mwaccount/profiles/password/change_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://member.daum.net/change/password.daum_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://member.webmd.com/password-reset_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://membership.latimes.com/settings_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://memberssl.auction.co.kr/membership/MyInfo/MyInfo.aspx_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://meuvivo.vivo.com.br/meuvivo/appmanager/portal/fixo_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://minhanet.net.com.br/webcenter/portal/MinhaNet/pages_alterarsenha_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://moncompte.lemonde.fr/gcustomer/account/password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://my.foxbusiness.com/?p=account_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://my.foxnews.com/?pieces=reset_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://my.goabode.com/#/app/account_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://my.nextdns.io/account_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://my.norton.com/extspa/account/personalinfo_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://my.okta.com/signin/password-reset_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://my.state.nj.us/edituser/EditUserProfile_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://myaccount.ea.com/cp-ui/security/index_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://myaccount.google.com/signinoptions/password?continue=https://myaccount.google.com/security_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://myaccount.google.com/signinoptions/password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://myaccount.uscis.gov/users/registration/password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://myaccount.virginmobile.ca/MyProfile/Details/EditProfile?editField=PASSWORD_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://myaccounts.capitalone.com/Security/changePassword_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://mychart.clevelandclinic.org/inside.asp?mode=passwd_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://mypassword.uml.edu/#Change_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://mypay.dfas.mil/#/settings/password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://myspace.com/settings/profile/email_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://myvpostpay.verizon.com/ui/bill/secure/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://na224.lightning.force.com/lightning/settings/personal/ChangePassword/home_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://nbcuniversal.nbc.com/request-password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://news.ycombinator.com/changepw_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://nhentai.net/reset/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://nid.naver.com/user2/help/myInfo.nhn?m=viewChangePasswd_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://njal.la/settings_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://nypost.com/account/settings_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://online.citi.com/US/ag/profile-update/change-password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://onlyfans.com/my/settings/account/password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://orcid.org/account_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://password.umsystem.edu/reset/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://play.hbomax.com/setting/account/edit/password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://portal.edd.ca.gov/WebApp/Profile/UpdatePassword_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://portal.pilotflyingj.com/myrewards/forgot-password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://portalpersonas.bancochile.cl/mibancochile-web/front/persona/index.html#/mi-perfil/datos-segu
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://portlandgeneral.com/secure/profile/change-password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://poshmark.com/user/account-info_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://pro.housecallpro.com/service_pro/account/reset_password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://profile.callofduty.com/cod/info_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://profile.nvgs.nvidia.com/security/change-password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://profile.theguardian.com/reset_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://pwrecovery.ruc.dk_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://quizlet.com/settings_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://redirect.pizza/profile_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://reelgood.com/account_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://reg.usps.com/entreg/secure/ChangePasswordAction_input?returnActionName_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://rule34.xxx/index.php?page=account&s=change_password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://rumble.com/account/profile_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://saude.sulamericaseguros.com.br/segurado/gerenciar-cadastro/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://secure-www.gap.com/my-account/change-password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://secure.aarp.org/account/editaccount?request_locale=en&nu=t_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://secure.bankofamerica.com/auth/security-center/main/?activity=changePasscode_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://secure.cecredentialtrust.com/account/editpassword/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://secure.fnac.com/account/update-password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://secure.hulu.com/account_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://secure.indeed.com/account/changepassword_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://secure.login.gov/manage/password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://secure.maxpreps.com/utility/member/forgotpassword.aspx_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://secure.npr.org/oauth2/login_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://secure.orclinic.com/portal/editprofile.aspx_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://secure.ssa.gov/RIM/UpwdView.action_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://secure.tagged.com/account_info.html?dataSource=Settings&ll=nav_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://secure07ea.chase.com/web/auth/dashboard#/dashboard/myProfileSignInSecurity/resetPassword/res
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://selvbetjening.rejsekort.dk/CWS/CustomerManagement/ChangePassword_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://shein.com/user/security_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://shop.tmz.com/user?show=account-tab_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://slickdeals.net/forums/login.php?do=lostpw_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://soap2day.to/home/user/changepassword_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://solitaired.com/user/reset-password?_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://soundcloud.com/settings_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://spankbang.com/users/account_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://sslmember2.gmarket.co.kr/MYInfo/MemberInfo_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://stackoverflow.com/users/account-recovery_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://stacksocial.com/user?show=account-tab_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://store.cpanel.net/my/password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://stripchat.com/settings_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://subscribe.washingtonpost.com/profile/#
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://support.opentable.com/s/login/ForgotPassword?language=en_US_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://thejigsawpuzzles.com/profile/?changepassword_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://thenounproject.com/accounts/password/change/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://time.com/manage-account/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://tinyurl.com/app/settings/security_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://todoist.com/prefs/account_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://trakt.tv/settings#password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://tripit.com/account/edit/section/change_password_
Source: TopSites.plist.252.dr	String found in binary or memory: https://twitter.com/WTwitter
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://twitter.com/settings/password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://udapps.nss.udel.edu/myUDsettings/password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://ui.attentivemobile.com/forgot-password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://usa.experian.com/member/ngx-profile/account-info_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://user.manganelo.com/user_changes_pass_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://web.500px.com/settings/account/security_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://wordpress.com/me/security/password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://worldstarhiphop.com/videos/reset.php_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.11st.co.kr/register/popupModifyPWD.tmall_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.1800contacts.com/account/settings_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.aa.com/loyalty/profile/information_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.account.publishing.service.gov.uk/account/edit/password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.acehardware.com/myaccount#settings_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.ae.com/myaccount_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.aeon.co.jp/app/settings/profile/password/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.aerlingus.com/html/user-profile.html_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.aesop.com/my-account_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.airnewzealand.com/membership/profile/security/password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.alaskaair.com/www2/ssl/myalaskaair/myalaskaair.aspx?view=myinformation&tab=email_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.alliantcreditunion.com/OnlineBanking/Settings/AccessAndSecurity/ChangePassword.aspx_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.allianz.com.br/alteracao-de-password-ecliente_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.allrecipes.com/account/profile#/change-password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.alternate.de/html/myAccount/account/basicData.html_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.amazon.ae/ax/account/manage_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.amazon.ca/ax/account/manage_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.amazon.co.uk/ax/account/manage_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.amazon.com.au/ax/account/manage_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.amazon.com.br/ax/account/manage_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.amazon.com.mx/ax/account/manage
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.amazon.com.tr/ax/account/manage_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.amazon.com/ax/account/manage_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.amazon.de/ax/account/manage_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.amazon.es/ax/account/manage_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.amazon.fr/ax/account/manage_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.amazon.in/ax/account/manage_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.amazon.it/ax/account/manage_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.amazon.nl/ax/account/manage_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.amazon.pl/ax/account/manage_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.amazon.sa/ax/account/manage_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.amazon.se/ax/account/manage_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.amazon.sg/ax/account/manage_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.amctheatres.com/amcstubs/account_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.americanexpress.com/en-us/account/password/reset_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.ancestry.com/account/security/password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.apartments.com/my-account/#_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.apply.vccs.edu/Profile/_default.aspx_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.arlt.com/mein-passwort/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.att.com/acctmgmt/profile/overview_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.auctionzip.com/cgi-bin/userpanel.cgi?mode=3_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.bathandbodyworks.com/my-account/edit-profile_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.bbq-grill-world.de/customer/account/edit/changepass/1/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.bedbathandbeyond.com/store/account/personalinfo_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.belk.com/account-edit-profile/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.berlet.de/mein-konto.htm#my-account--edit-pass_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.bestbuy.com/identity/accountSettings/page/password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.biblegateway.com/user/account/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.birkenstock.com/profile_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.bloomberg.com/portal/account_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.blutdruck-shop.de/mein-passwort/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.boredpanda.com/settings/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.browserstack.com/accounts/profile_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.businessinsider.com/#_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.buzzfeed.com/settings/password/change_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.cakeresume.com/settings/account?ref=navs_settings_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.canva.com/login?redirect=%2Fsettings%2Flogin-and-security_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.cargurus.com/Cars/myAccount#/accountSettings_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.carnival.com/profilemanagement/profiles/changepassword_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.cars.com/reset_password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.cbsnews.com/user/change-password/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.cbssports.com/settings/account_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.change.org/account_settings/change_password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.chegg.com/my/account-next_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.chess.com/settings/password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.chewy.com/app/resetpassword_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.cinemark.com.br/minha-conta_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.clien.net/service/mypage/myInfoComfrim_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.cnbc.com/account/#profile_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.cnn.com/account/settings_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.columbia.com/profile_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.consumidor.gov.br/pages/usuario/editar_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.costco.com/AccountInformationView?identifier=manage-membership_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.coursehero.com/my-account/#/settings_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.crackle.com/profile_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.creditkarma.com/myprofile/security_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.credly.com/earner/settings/privacy_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.crunchyroll.com/resetpw_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.cvs.com/my-account/profile/sign-in-and-security/edit-password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.dailymail.co.uk/registration/profile/change-password.html_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.darty.com/espace_client/donnees-personnelles/mot-de-passe/edition_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.dell.com/identity/global/editaccount?_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.delta.com/myprofile/security-settings_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.deviantart.com/settings/general_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.dickssportinggoods.com/MyAccount/AccountSettings_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.discogs.com/settings/user_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.disneyplus.com/account_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.dominos.com/en/pages/customer/#
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.doordash.com/accounts/password/reset/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.dotloop.com/my/account/#/settings_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.dropbox.com/account/security_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.dsw.com/en/us/profile_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.dwr.com/profile_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.epicgames.com/account/password?lang=en&productName=epicgames_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.eporner.com/profile/mturk_eporn/my/edit-pass/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.espn.com/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.eventbrite.com/account-settings/password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.evite.com/reset_password/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.expedia.com/user/forgotpassword_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.familysearch.org/identity/settings/account_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.fanfiction.net/account/password.php_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.fedex.com/en-us/create-account/how-to-reset-forgot-password.html_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.findagrave.com/user/account/password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.fitbit.com/settings/profile_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.foodnetwork.com/user-profile-page_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.foxsports.com/#_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.frutifica.com.br/conta/alterar_senha_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.gamespot.com/change-details/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.geocaching.com/account/settings/changepassword_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.glassdoor.com/member/profile/settings.htm_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.gocomics.com/profiles/create-password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.gog.com/account/settings/security_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.goodreads.com/ap/cnep_
Source: TopSites.plist.252.dr	String found in binary or memory: https://www.google.com/?client=safari&channel=mac_bmVGoogle
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.grainger.com/myaccount/loginoptions_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.grubhub.com/account/profile_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.happycow.net/members/profile/update/password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.hilton.com/en/hilton-honors/guest/profile/password/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.homedepot.com/myaccount/security_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.hsn.com/myaccount/update_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.huffpost.com/member/edit-profile_
Source: TopSites.plist.252.dr	String found in binary or memory: https://www.icloud.com/ViCloud
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.ign.com/account/security_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.ihg.com/rewardsclub/gb/en/account-mgmt/personalInformation_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.ikea.com/in/en/profile/dashboard/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.independent.co.uk/profile_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.insider.com/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.instacart.com/store/account_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.instagram.com/accounts/password/change/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.istockphoto.com/change-password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.jcpenney.com/account/dashboard/personal/info_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.kohls.com/myaccount/accountsettings.jsp_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.kroger.com/account/update_
Source: TopSites.plist.252.dr	String found in binary or memory: https://www.linkedin.com/XLinkedIn
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.linkedin.com/psettings/change-password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.livejasmin.com/en/girls/#
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.lowes.com/mylowes/profile_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.macys.com/account/profile?cm_sp=macys_account-_-my_account-_-my_profile&linklocation=lef
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.marktplaats.nl/account/password-reset/confirm.html_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.marriott.com/loyalty/myAccount/changePassword.mi_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.mediafire.com/myaccount/accountbilling.php#change-pwd-block_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.meliuz.com.br/minha-conta/meus-dados/senha_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.menards.com/main/accountoverview.html_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.mercari.com/mypage/email_password/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.michaels.com/on/demandware.store/Sites-MichaelsUS-Site/default/Account-EditProfile_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.mlb.com/account/general_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.mountainwarehouse.com/account/details-link/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.myfreecams.com/php/account.php?request=status&vcc=1674246522#change_password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.mylo.id/account_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.nba.com/account/nbaprofile_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.netflix.com/password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.netvibes.com/account/password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.newsweek.com/contact_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.nike.com/member/settings_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.nordstrom.com/my-account/sign-in-info_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.nordstromrack.com/my-account/sign-in-info_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.nytimes.com/account/change-password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.officedepot.com/account/editLoginDisplay.do_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.overleaf.com/user/settings_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.overstock.com/myaccount/account/email-password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.paramountplus.com/account/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.patreon.com/settings/account_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.paypal.com/myaccount/security/password/change_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.peacocktv.com/forgot_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.pinterest.com/settings/account-settings_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.politico.com/settings_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.pornhub.com/user/security_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.ppomppu.co.kr/myinfo/profile.php_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.prowlapp.com/settings.php_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.quora.com/settings_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.rakuten.com/account-settings.htm_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.realtor.com/myaccount/profile/settings_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.reddit.com/prefs/update/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.redfin.com/change-password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.redtube.com/settings_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.rei.com/YourAccountCredentials_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.reuters.com/account/forgot-password/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.roblox.com/my/account#
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.rottentomatoes.com/user/account_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.safeway.com/customer-account/account-settings_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.samsclub.com/account/personal-info?xid=hdr_account_change-password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.santahelenasaude.com.br/beneficiario/#/alterar-senha_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.saturn.de/webapp/wcs/stores/servlet/MultiChannelMAChangePassword_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.scribd.com/account-settings#change-password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.sephora.com/profile/MyAccount_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.serasa.com.br/meus-dados/alterar-senha_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.shoop.de/einstellungen/benutzerdaten_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.shopback.co.kr/account/change-password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.shutterfly.com/account-settings/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.sonos.com/myaccount/user/profile/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.southwest.com/loyalty/myaccount/profile-security.html_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.spectrum.net/user-preferences/your-info/manage/security_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.speedway.com/my-account/security/passcode_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.splunk.com/my-account/#/profile-details_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.spotify.com/in-en/account/change-password/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.swagbucks.com/account/settings_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.swinglifestyle.com/profile/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.tasteofhome.com/login/updatepassword_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.teacherspayteachers.com/My-Account/Basics/edit_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.temu.com/bgp_account_security.html_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.thesimsresource.com/account#/account_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.thetrainline.com/my-account/change-password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.thetvdb.com/dashboard/account/changepass_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.tiktok.com/login/email/forget-password_
Source: TopSites.plist.252.dr	String found in binary or memory: https://www.tripadvisor.com/
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.tripadvisor.com/Settings-cp_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.trulia.com/account/user_profile_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.tumblr.com/settings/account_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.turkishairlines.com/tr-int/miles-and-smiles/forgot-password/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.twilio.com/console/user/settings_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.twitch.tv/settings/security_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.uline.com/MyAccount/ContactPref_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.ulta.com/myaccount/index.jsp_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.united.com/ual/en/US/account/security/setpassword_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.ups.com/lasso/updatePass?loc=en_US_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.usaa.com/inet/ent_auth_password/pages/ChangePasswordPage_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.ventrachicago.com/account/manage-account/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.victoriassecret.com/us/account/profile#changePassword_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.vrbo.com/traveler/profile/edit_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.walgreens.com/account/user_and_password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.walmart.com/account/profile_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.wayfair.com/v/account/personal_info/edit_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.wikihow.com/Special:ChangeCredentials/MediaWiki%5CAuth%5CPasswordAuthenticationRequest_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.wired.com/account/reset-password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.worldwinner.com/cgi/finance/account.pl_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.wunderground.com/member/settings_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.xvideos.com/account/security_
Source: TopSites.plist.252.dr	String found in binary or memory: https://www.yahoo.com/UYahoo
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.yellowpages.com/settings/password_
Source: TopSites.plist.252.dr	String found in binary or memory: https://www.yelp.com/TYelp
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.youporn.com/settings/change/password/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.zhihu.com/settings/account_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.zillow.com/myzillow/profile/_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.ziprecruiter.com/login/forgot-password?realm=candidates_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.zocdoc.com/patient/editprofile?section=Password_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://www.zulily.com/account/edit?rel=top_flyout_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://xhamster.com/password-recovery_
Source: AutoFillQuirks.plist.252.dr	String found in binary or memory: https://yelp.com/profile_password_

Source: classification engine

Classification label: clean0.mac@0/16@0/0

Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 616)	Random device file read: /dev/urandom			Jump to behavior
Source: /usr/libexec/firmwarecheckers/eficheck/eficheck (PID: 645)	Random device file read: /dev/random			Jump to behavior

Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 616)	AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist			Jump to behavior
Source: /Applications/Safari.app/Contents/XPCServices/com.apple.Safari.SandboxBroker.xpc/Contents/MacOS/com.apple.Safari.SandboxBroker (PID: 630)	AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist			Jump to behavior

Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 616)	Binary plist file created: /private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari)/KnownExtensions.plist	Jump to dropped file
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 616)	Binary plist file created: /private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari)/AutoFillQuirks.plist	Jump to dropped file
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 616)	XML plist file created: /private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari 2)/CloudHistoryRemoteConfiguration.plist	Jump to dropped file
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 616)	Binary plist file created: /private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari)/Info.plist	Jump to dropped file
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 616)	Binary plist file created: /private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari)/Preferences.plist	Jump to dropped file
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 616)	Binary plist file created: /private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari)/LastSession.plist	Jump to dropped file
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 616)	Binary plist file created: /private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari 2)/Downloads.plist	Jump to dropped file
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 616)	Binary plist file created: /private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari)/Downloads.plist	Jump to dropped file
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 616)	Binary plist file created: /private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari)/PerSiteZoomPreferences.plist	Jump to dropped file
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 616)	Binary plist file created: /private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari 2)/CacheSettings.plist	Jump to dropped file
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 616)	Binary plist file created: /private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari)/TopSites.plist	Jump to dropped file

Source: /usr/bin/open (PID: 615)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist	Jump to behavior
Source: /Applications/Safari.app/Contents/MacOS/Safari (PID: 616)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist	Jump to behavior
Source: /Applications/Safari.app/Contents/XPCServices/com.apple.Safari.SandboxBroker.xpc/Contents/MacOS/com.apple.Safari.SandboxBroker (PID: 630)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	Direct Volume Access	OS Credential Dumping	1 System Information Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Shell
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
https://desktop.docker.com/mac/main/amd64/Docker.dmg?utm_source=docker&utm_medium=webreferral&utm_campaign=dd-smartbutton&utm_location=module&_gl=116li0my_gcl_auMTczNzMwOTg2NC4xNzQyODIzNDgz_gaNjY4NzEwMzU4LjE3NDI4MjM0ODM._ga_XJWPQMJYHQ*MTc0NDA0MDI4OC4yLjEuMTc0NDA0MDMwMy40NS4wLjA.	0%	Avira URL Cloud	safe

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://www.sephora.com/profile/MyAccount_	AutoFillQuirks.plist.252.dr	false	high
https://myaccount.uscis.gov/users/registration/password_	AutoFillQuirks.plist.252.dr	false	high
https://www.dotloop.com/my/account/#/settings_	AutoFillQuirks.plist.252.dr	false	high
https://xhamster.com/password-recovery_	AutoFillQuirks.plist.252.dr	false	high
https://hotels.com/profile/settings.html_	AutoFillQuirks.plist.252.dr	false	high
https://myspace.com/settings/profile/email_	AutoFillQuirks.plist.252.dr	false	high
https://www.usaa.com/inet/ent_auth_password/pages/ChangePasswordPage_	AutoFillQuirks.plist.252.dr	false	high
https://allegro.pl/moje-allegro/moje-konto/logowanie-i-haslo_	AutoFillQuirks.plist.252.dr	false	high
https://customer.xfinity.com/users/me/update-password_	AutoFillQuirks.plist.252.dr	false	high
https://moncompte.lemonde.fr/gcustomer/account/password_	AutoFillQuirks.plist.252.dr	false	high
https://shein.com/user/security_	AutoFillQuirks.plist.252.dr	false	high
https://www.discogs.com/settings/user_	AutoFillQuirks.plist.252.dr	false	high
https://support.opentable.com/s/login/ForgotPassword?language=en_US_	AutoFillQuirks.plist.252.dr	false	high
https://fps.fidelity.com/ftgw/Fps/Fidelity/RtlCust/ChangePIN/Init_	AutoFillQuirks.plist.252.dr	false	high
https://www.amazon.com/ax/account/manage_	AutoFillQuirks.plist.252.dr	false	high
https://www.newsweek.com/contact_	AutoFillQuirks.plist.252.dr	false	high
https://www.birkenstock.com/profile_	AutoFillQuirks.plist.252.dr	false	high
https://id.sonyentertainmentnetwork.com/id/management/#/p/security_	AutoFillQuirks.plist.252.dr	false	high
https://www.nba.com/account/nbaprofile_	AutoFillQuirks.plist.252.dr	false	high
https://cloud.linode.com/profile/auth_	AutoFillQuirks.plist.252.dr	false	high
https://b2c.voegol.com.br/minhas-viagens/meu-perfil_	AutoFillQuirks.plist.252.dr	false	high
https://codepen.io/settings/account_	AutoFillQuirks.plist.252.dr	false	high
https://www.serasa.com.br/meus-dados/alterar-senha_	AutoFillQuirks.plist.252.dr	false	high
https://reg.usps.com/entreg/secure/ChangePasswordAction_input?returnActionName_	AutoFillQuirks.plist.252.dr	false	high
https://www.allrecipes.com/account/profile#/change-password_	AutoFillQuirks.plist.252.dr	false	high
https://pro.housecallpro.com/service_pro/account/reset_password_	AutoFillQuirks.plist.252.dr	false	high
https://user.manganelo.com/user_changes_pass_	AutoFillQuirks.plist.252.dr	false	high
https://www.dailymail.co.uk/registration/profile/change-password.html_	AutoFillQuirks.plist.252.dr	false	high
https://www.11st.co.kr/register/popupModifyPWD.tmall_	AutoFillQuirks.plist.252.dr	false	high
https://www.zulily.com/account/edit?rel=top_flyout_	AutoFillQuirks.plist.252.dr	false	high
https://cam.ana.co.jp/psz/us/amc_us.jsp?index=105_	AutoFillQuirks.plist.252.dr	false	high
https://www.creditkarma.com/myprofile/security_	AutoFillQuirks.plist.252.dr	false	high
https://secure07ea.chase.com/web/auth/dashboard#/dashboard/myProfileSignInSecurity/resetPassword/res	AutoFillQuirks.plist.252.dr	false	high
https://account.magento.com/customer/account/changepassword_	AutoFillQuirks.plist.252.dr	false	high
https://profile.theguardian.com/reset_	AutoFillQuirks.plist.252.dr	false	high
https://reelgood.com/account_	AutoFillQuirks.plist.252.dr	false	high
https://dash.e.jimdo.com/profile_	AutoFillQuirks.plist.252.dr	false	high
https://go.com/profile/account-settings/edit_	AutoFillQuirks.plist.252.dr	false	high
https://genius.com/password_resets/new_	AutoFillQuirks.plist.252.dr	false	high
https://www.macys.com/account/profile?cm_sp=macys_account-_-my_account-_-my_profile&linklocation=lef	AutoFillQuirks.plist.252.dr	false	high
https://logowanie.pl.canalplus.com/zmien-haslo_	AutoFillQuirks.plist.252.dr	false	high
https://www.alternate.de/html/myAccount/account/basicData.html_	AutoFillQuirks.plist.252.dr	false	high
https://blend.io/settings_	AutoFillQuirks.plist.252.dr	false	high
https://www.aesop.com/my-account_	AutoFillQuirks.plist.252.dr	false	high
https://member.daum.net/change/password.daum_	AutoFillQuirks.plist.252.dr	false	high
https://myaccount.virginmobile.ca/MyProfile/Details/EditProfile?editField=PASSWORD_	AutoFillQuirks.plist.252.dr	false	high
https://mastercard.syf.com/login/reset_	AutoFillQuirks.plist.252.dr	false	high
https://www.jcpenney.com/account/dashboard/personal/info_	AutoFillQuirks.plist.252.dr	false	high
https://www.yahoo.com/UYahoo	TopSites.plist.252.dr	false	high
https://worldstarhiphop.com/videos/reset.php_	AutoFillQuirks.plist.252.dr	false	high
https://www.shoop.de/einstellungen/benutzerdaten_	AutoFillQuirks.plist.252.dr	false	high
https://accounts.shopify.com/accounts/186490458/security_	AutoFillQuirks.plist.252.dr	false	high
https://app.carta.com/profiles/update/_	AutoFillQuirks.plist.252.dr	false	high
https://legacy.memoriams.com/Network/Account/ChangePassword_	AutoFillQuirks.plist.252.dr	false	high
https://profile.callofduty.com/cod/info_	AutoFillQuirks.plist.252.dr	false	high
https://blackwells.co.uk/bookshop/account/personal-details_	AutoFillQuirks.plist.252.dr	false	high
https://secure.hulu.com/account_	AutoFillQuirks.plist.252.dr	false	high
https://www.splunk.com/my-account/#/profile-details_	AutoFillQuirks.plist.252.dr	false	high
https://www.yelp.com/TYelp	TopSites.plist.252.dr	false	high
https://news.ycombinator.com/changepw_	AutoFillQuirks.plist.252.dr	false	high
https://classroom.udacity.com/settings/password_	AutoFillQuirks.plist.252.dr	false	high
https://pwrecovery.ruc.dk_	AutoFillQuirks.plist.252.dr	false	high
https://secure.ssa.gov/RIM/UpwdView.action_	AutoFillQuirks.plist.252.dr	false	high
https://www.ancestry.com/account/security/password_	AutoFillQuirks.plist.252.dr	false	high
https://key.harvard.edu/manage-account/change-password_	AutoFillQuirks.plist.252.dr	false	high
https://www.amazon.ca/ax/account/manage_	AutoFillQuirks.plist.252.dr	false	high
https://account.id.me/signin/password_	AutoFillQuirks.plist.252.dr	false	high
https://www.carnival.com/profilemanagement/profiles/changepassword_	AutoFillQuirks.plist.252.dr	false	high
https://thejigsawpuzzles.com/profile/?changepassword_	AutoFillQuirks.plist.252.dr	false	high
https://www.patreon.com/settings/account_	AutoFillQuirks.plist.252.dr	false	high
https://account.deere.com/actmgmt/change-password_	AutoFillQuirks.plist.252.dr	false	high
https://www.ikea.com/in/en/profile/dashboard/_	AutoFillQuirks.plist.252.dr	false	high
https://apps.anatel.gov.br/AnatelConsumidor/ConsumidorEditar.aspx_	AutoFillQuirks.plist.252.dr	false	high
https://www.safeway.com/customer-account/account-settings_	AutoFillQuirks.plist.252.dr	false	high
https://www.amazon.de/ax/account/manage_	AutoFillQuirks.plist.252.dr	false	high
https://www.cars.com/reset_password_	AutoFillQuirks.plist.252.dr	false	high
https://www.amazon.es/ax/account/manage_	AutoFillQuirks.plist.252.dr	false	high
https://www.zocdoc.com/patient/editprofile?section=Password_	AutoFillQuirks.plist.252.dr	false	high
https://www.apartments.com/my-account/#_	AutoFillQuirks.plist.252.dr	false	high
https://logonservices.iam.target.com/change-password/?target=#	AutoFillQuirks.plist.252.dr	false	high
https://www.aerlingus.com/html/user-profile.html_	AutoFillQuirks.plist.252.dr	false	high
https://www.dickssportinggoods.com/MyAccount/AccountSettings_	AutoFillQuirks.plist.252.dr	false	high
https://login.tmon.co.kr/user/info_	AutoFillQuirks.plist.252.dr	false	high
https://my.nextdns.io/account_	AutoFillQuirks.plist.252.dr	false	high
https://secure.indeed.com/account/changepassword_	AutoFillQuirks.plist.252.dr	false	high
https://www.temu.com/bgp_account_security.html_	AutoFillQuirks.plist.252.dr	false	high
https://imgur.com/account/settings/password_	AutoFillQuirks.plist.252.dr	false	high
https://my.norton.com/extspa/account/personalinfo_	AutoFillQuirks.plist.252.dr	false	high
https://account.proton.me/u/0/vpn/account-password_	AutoFillQuirks.plist.252.dr	false	high
https://www.espn.com/_	AutoFillQuirks.plist.252.dr	false	high
https://www.consumidor.gov.br/pages/usuario/editar_	AutoFillQuirks.plist.252.dr	false	high
https://www.nike.com/member/settings_	AutoFillQuirks.plist.252.dr	false	high
https://www.bathandbodyworks.com/my-account/edit-profile_	AutoFillQuirks.plist.252.dr	false	high
https://myvpostpay.verizon.com/ui/bill/secure/_	AutoFillQuirks.plist.252.dr	false	high
https://www.glassdoor.com/member/profile/settings.htm_	AutoFillQuirks.plist.252.dr	false	high
https://employeewe.bamboohr.com/dashboard/password.php_	AutoFillQuirks.plist.252.dr	false	high
https://login.yahoo.com/account/change-password_	AutoFillQuirks.plist.252.dr	false	high
https://www.pornhub.com/user/security_	AutoFillQuirks.plist.252.dr	false	high
https://www.cargurus.com/Cars/myAccount#/accountSettings_	AutoFillQuirks.plist.252.dr	false	high
https://www.prowlapp.com/settings.php_	AutoFillQuirks.plist.252.dr	false	high

World Map of Contacted IPs

⊘No contacted IP infos

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

/dev/null

Download File

Process:	/Applications/Safari.app/Contents/XPCServices/com.apple.Safari.SandboxBroker.xpc/Contents/MacOS/com.apple.Safari.SandboxBroker
File Type:	ASCII text, with very long lines (341)
Category:	dropped
Size (bytes):	765
Entropy (8bit):	5.1236351528415085
Encrypted:	false
SSDEEP:	12:yQFOr3J4f9QFMF9omEVg2+LgV5e9LgVvvos4QFOr+f9QFityomEVg2+LgV5e9Lgv:yvr3J4FQFMx8EDxGAvr+FQFZ8EDxGd9l
MD5:	9C051EE2515DBCE9A8A2448385F4D837
SHA1:	07CEBB4E07A9476251A2DC8364E02B15538EC509
SHA-256:	8EBB89244795E582B4CB17C7D283AEB25F6A4963097E6C268129FBB2BEA84B4B
SHA-512:	35B2589B96C9E73791C726624DC1FFE06E88C72B6F209966754678BC121461D4D2C53E7A5F0D9E1B24B1FDFE5D4AFF88477B1782D319E312EF4B97CFAAFA228D
Malicious:	false
Reputation:	low
Preview:	objc[630]: Class PurpleButtonCell is implemented in both /System/Library/PrivateFrameworks/Safari.framework/Versions/A/Safari (0x7fffaf1c03b0) and /Applications/Safari.app/Contents/XPCServices/com.apple.Safari.SandboxBroker.xpc/Contents/MacOS/com.apple.Safari.SandboxBroker (0x103281ec8). One of the two will be used. Which one is undefined..objc[630]: Class PurpleButton is implemented in both /System/Library/PrivateFrameworks/Safari.framework/Versions/A/Safari (0x7fffaf1c0400) and /Applications/Safari.app/Contents/XPCServices/com.apple.Safari.SandboxBroker.xpc/Contents/MacOS/com.apple.Safari.SandboxBroker (0x103281f18). One of the two will be used. Which one is undefined..2025-04-07 10:41:26.358 com.apple.Safari.SandboxBroker[630:5047] ApplePersistence=NO.

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/C/com.apple.Safari/com.apple.scriptmanager2.le.cache

Download File

Process:	/Applications/Safari.app/Contents/MacOS/Safari
File Type:	data
Category:	dropped
Size (bytes):	19328
Entropy (8bit):	2.9753497322131066
Encrypted:	false
SSDEEP:	192:XVlGq37NZFFFF/QQQQgdFSGXFFFFnQQQQ:uq37HFFFF/QQQQg3SGXFFFFnQQQQ
MD5:	1D8E1388683DC96ED97907EFCCE83FDA
SHA1:	561FDF03A98032BAAEB7BC214FD6FC2712BA42B0
SHA-256:	A6BE2B32F120066646A50B537477F2D359D7013851F123146CB9B6A7A1371E8C
SHA-512:	70A1E99DAD32B200EB26AD78E6433B3E9E052355ADA3A3AD1CB6C644C1A0513E593CCD89EF8B9B305013B37F3F850F049D787677878F412D23FB517147C18C98
Malicious:	false
Reputation:	low
Preview:	.............J..dJ......clti....0.......mlti........0...blti....2.......blti....2...H...blti....2...\|...blti....2.......blti....2.......blti....2.......blti....2...L...blti~...2.......5lti.@..,.......5lti.B..,....$..5lti.p..,.......5lti.D..,...87..................(....................................... .....................~...f... ...!............... ...4...3.......>.......U.......F...E...G...C...J...K...I...H...L...M...N.......O...?...9...P.......!............. .......t............."...........................................................#...............................^.......X...Y...Z...[...\...].......Q...........S.......R...............$.......(...%.......................&...'........... ...*...+...,...-.......5......./...0...1...6...7...8...:...4...3...........2...<...........T...;...=...>.......)...U...V...W.......@...A...B...F...E...G...C...D...J...K...I...H...L...M...N.......O...?.......9...P.......!...............j...X.....R...........%...7...........\.........".........

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/C/com.apple.Safari/mds/mdsDirectory.db_

Download File

Process:	/Applications/Safari.app/Contents/MacOS/Safari
File Type:	Mac OS X Keychain File
Category:	dropped
Size (bytes):	48908
Entropy (8bit):	3.533814637805397
Encrypted:	false
SSDEEP:	384:xSMdGleGkIG7FF3theSMVXBD0tgcNrGB5pBfbouR6/chQOnGqwc2U+v+h/:8MdGleOhpBouRwchQOnGqwc2U+v+h/
MD5:	0E4A0D1CEB2AF6F0F8D0167CE77BE2D3
SHA1:	414BA4C1DC5FC8BF53D550E296FD6F5AD669918C
SHA-256:	CCA093BCFC65E25DD77C849866E110DF72526DFFBE29D76E11E29C7D888A4030
SHA-512:	1DC5282D27C49A4B6F921BA5DFC88B8C1D32289DF00DD866F9AC6669A5A8D99AFEDA614BFFC7CF61A44375AE73E09CD52606B443B63636977C9CD2EF4FA68A20
Malicious:	false
Reputation:	low
Preview:	kych...........................`...X...p..S0..SX..Th..T...T...[...^h...........L...X...............T...........d...................t...............t...........<...............P...........0...........$...p...........l...........X.......@.......................!...%........CSSM_DL_DB_SCHEMA_INFO.....D.......................!...%........CSSM_DL_DB_SCHEMA_ATTRIBUTES...D.......................!...%........CSSM_DL_DB_SCHEMA_INDEXES......H.......................!...%....... CSSM_DL_DB_SCHEMA_PARSING_MODULE...D.......................!...%@.......MDS_CDSADIR_CSSM_RECORDTYPE....D.......................!...%@.......MDS_CDSADIR_KRMM_RECORDTYPE....D.......................!...%@.......MDS_CDSADIR_EMM_RECORDTYPE.....L.......................!...%@......"MDS_CDSADIR_EMM_PRIMARY_RECORDTYPE.....H.......................!...%@.......MDS_CDSADIR_COMMON_RECORDTYPE......L.......................!...%@......"MDS_CDSADIR_CSP_PRIMARY_RECORDTYPE.....P.......................!...%@......%MDS_CDSADIR_CSP_CAPABILITY_R

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/C/com.apple.Safari/mds/mdsObject.db_

Download File

Process:	/Applications/Safari.app/Contents/MacOS/Safari
File Type:	Mac OS X Keychain File
Category:	dropped
Size (bytes):	4404
Entropy (8bit):	3.5110922853353324
Encrypted:	false
SSDEEP:	24:mFkXs98w/mBr53CEb9ujBbCYoVeA7uBEUMy733Ka2VCneWHrUZRJkWnJI4FNMOQS:m6Xsh+CLjL3Pe3T5FFEfEn8xiYuuSsS
MD5:	D3A1859E6EC593505CC882E6DEF48FC8
SHA1:	F8E6728E3E9DE477A75706FAA95CEAD9CE13CB32
SHA-256:	3EBAFA97782204A4A1D75CFEC22E15FCDEAB45B65BAB3B3E65508707E034A16C
SHA-512:	EA2A749B105759EA33408186B417359DEFFB4A3A5ED0533CB26B459C16BB3524D67EDE5C9CF0D5098921C0C0A9313FB9C2672F1E5BA48810EDA548FA3209E818
Malicious:	false
Reputation:	low
Preview:	kych.......................................d...................0...............0...p...........@...@.......................!...%........CSSM_DL_DB_SCHEMA_INFO.....D.......................!...%........CSSM_DL_DB_SCHEMA_ATTRIBUTES...D.......................!...%........CSSM_DL_DB_SCHEMA_INDEXES......H.......................!...%....... CSSM_DL_DB_SCHEMA_PARSING_MODULE...@.......................!...%@.......MDS_OBJECT_RECORDTYPE..............h........... ...`........... ...@.......................-...1...5...9...=@..............................X...............P................... ...p...........l...........d...........P...........H...........,...............h...........P.......................1...5...9...=.......M................RelationID.........P.......................1...5...9...=.......M................RelationName.......P.......................1...5...9...=.......M................RelationID.........P.......................1...5...9...=.......M................AttributeID........X....

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari 2)/CacheSettings.plist

Download File

Process:	/Applications/Safari.app/Contents/MacOS/Safari
File Type:	Apple binary property list
Category:	dropped
Size (bytes):	75
Entropy (8bit):	3.970674352898862
Encrypted:	false
SSDEEP:	3:N1n6NJNsGRbgBD//NtG:N1ncJ+xFNtG
MD5:	BE1622B61C025FD5124B52F166D2BDA0
SHA1:	09B1695369600FC87FA46B8F1894ADA7B1671CD2
SHA-256:	E0E5F38A3D586BC7208B107A169CAC8FF0AA511132FF8C0D143EE3AB5B098EB1
SHA-512:	1AA42AD9A2465A6D7856D529DF0F6EC616A8C7131E51E2F7001A5C01BEC47B880B762E9938FC84230887F552EC94B1408B0E1FADF9D887B6266451F733F46928
Malicious:	false
Reputation:	low
Preview:	bplist00..._..TemplateIconCacheVersion....&...............................(

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari 2)/CloudHistoryRemoteConfiguration.plist

Download File

Process:	/Applications/Safari.app/Contents/MacOS/Safari
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1012
Entropy (8bit):	5.286991847916908
Encrypted:	false
SSDEEP:	24:2dfyiwHuG5Ku3hu65juqVrTrmuGoTxR1F1xW:cfyP5Z/5PrUon1F1xW
MD5:	0C29425555C7FF0CA114B1FD0DC39C50
SHA1:	D7D808E8BE92462F4C3CEBA66734F0E9BB26ACDD
SHA-256:	52826AFEEC974BB7BACB85BDC01DC4F23BF917D65E04773D7CAD393F7866F3FD
SHA-512:	D9C8364A85F4B4A96CAAC1409F32F9D6B2F8AE19201E0ABD2D449A3EEDADD471E99E44BC92DEB5D8FB60287DA64A88E61B45F759E7B9A383A9BBE5F5FD242F95
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8"?>.<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">.<plist version="1.0">.<dict>..<key>SingleDeviceSaveChangesThrottlingPolicy</key>..<string>1:1440</string>..<key>MultipleDeviceSaveChangesThrottlingPolicy</key>..<string>50:1 \| 10:2 \| 10:5 \| 10:30 \| 9:40 \| 1:510</string>..<key>SingleDeviceFetchChangesThrottlingPolicy</key>..<string>11:15 \| 1:1275</string>..<key>MultipleDeviceFetchChangesThrottlingPolicy</key>..<string>50:1 \| 50:3 \| 20:4 \| 20:5 \| 20:15 \| 20:18 \| 20:20</string>..<key>SyncCircleSizeRetrievalThrottlingPolicy</key>..<string>1:1440</string>..<key>MaximumRequestLimitCharacterCount</key>..<integer>100000</integer>..<key>SyncWindow</key>..<real>1209600</real>..<key>HistoryModificationIdleDelayBeforeSyncAttemptKey</key>..<integer>90</integer>..<key>HistoryRemovalIdleDelayBeforeSyncAttempt</key>..<integer>6</integer>..<key>SaveChangesBeforeTerminationTimeout</key>..<integer>1</integer>.</dic

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari 2)/Downloads.plist

Download File

Process:	/Applications/Safari.app/Contents/MacOS/Safari
File Type:	Apple binary property list
Category:	dropped
Size (bytes):	1703
Entropy (8bit):	5.445078492195745
Encrypted:	false
SSDEEP:	24:tq+1lfu5YEfLwYY8Siv0gpKElQrASz/Jtx/GwNhWwbgphEH+axEZl3Zuyo2:tq7SEfLwYYsvTpK1hvPNhVEDraxuZBP
MD5:	564384C50D19DBDE62607A61ABAB1BE8
SHA1:	7EEC230EFA244D3EECCAA45947EF9124A17B4B65
SHA-256:	2C4B183E1E6C18ADE43A8295D80960AC55A2349F66677BADF2541E75DB73511E
SHA-512:	206294D0860460ADF1BE8FD34FBD50CD86C8FD2406FF7CBBF1D940D25DEE2ED0F6403BD43EEB96724AA0C3E42B5C197694C41EB56FD5D503F18A7DF6A93B4FA3
Malicious:	false
Reputation:	low
Preview:	bplist00..._..DownloadHistory....................._..DownloadEntryProgressBytesSoFar_. DownloadEntryProgressTotalToLoad_..DownloadEntryBookmarkBlob_..DownloadEntryDateAddedKey_..DownloadEntryIdentifier_..DownloadEntryURL_..DownloadEntryRemoveWhenDoneKey_..DownloadEntryPath_.9DownloadEntryShouldUseRequestURLAsOriginURLIfNecessaryKey..X...!.V.O...book........0...............................................Users...........bernard.........Downloads...........Docker.dmg.download.........Docker.dmg..................$...8...T...........................H...............H..........................................................................A....+.`........................................file:///........Macintosh HD.........`..............A.e.....$.......6A4B4847-E471-32FD-8A8F-3B8497029445......................................../...................e22c72d343c59426ab22b1baf59784c699551acb;00;00000000;00000000;00000000;0000000000000020;com.apple.app-sandbox.read-write;01;01000006;00000003001a

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari)/AutoFillQuirks.plist

Download File

Process:	/Applications/Safari.app/Contents/MacOS/Safari
File Type:	Apple binary property list
Category:	dropped
Size (bytes):	78076
Entropy (8bit):	6.254213413000523
Encrypted:	false
SSDEEP:	1536:QdfFOG6WhAakZtdmhvtMyDhWNQPOhFtGq5oH38O9P:MfzAakzdmltPgNbcq6M0P
MD5:	2F5AEC56286756508A2C5F4DA687D321
SHA1:	93980BD4C2C84E648C341302CFD7F4625EE426B3
SHA-256:	A061D61C0F58F30F4A78E777BEC8E8ADD4F22853DFECC04DC790CE14264505F6
SHA-512:	5B6EBEBCBD7DFE87C3A3611C1798B86424993F54FF4E84F594FAE5A6E621C7BCC2AC3148D5D336BBE76AC703FD8EE6AA82E7402DB333C3224A554E7FE08F4941
Malicious:	false
Reputation:	low
Preview:	bplist00............................r.....Q.............._..PasswordGenerationRequirements_..AppIDsToDomainsAssociations_.;DomainsKnownToDoSameDocumentNavigationInTextEditingCallback_..ChangePasswordURLs_. DomainsWithAssociatedCredentials_..DomainsForPasskeyFallbackUI_.$DomainsIneligibleForStreamlinedLogin]SharedDomains_."DomainsIneligibleForAutomaticLogin_.BDomainsThatWhenEmbeddedAsThirdPartyAskForPasswordsForOtherServices_..DomainsIneligibleForPasskeys_..DomainsToConsiderIdentical...>..................................... .!.".#.$.%.&.'.(.).*.+.,.-.../.0.1.2.3.4.5.6.7.8.9.:.;.<.=.>.?.@.A.B.C.D.E.F.G.H.I.J.K.L.M.N.O.P.Q.R.S.T.U.V.W.X.Y.Z.[.\.].^._.`.a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.{.\|.}.~...........................................................................................................................................................................................................................................................................................

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari)/Downloads.plist

Download File

Process:	/Applications/Safari.app/Contents/MacOS/Safari
File Type:	Apple binary property list
Category:	dropped
Size (bytes):	1663
Entropy (8bit):	5.466540438441899
Encrypted:	false
SSDEEP:	24:AlUmu5YEfLwYY8St7pKG/AxvLJtx/GZRNhW24u6tH+axEZl3ZWVz5:TSEfLwYY/7pKUyPaRNhYLgaxuZS
MD5:	3F62CCCB79D0F3A5BCC8931C3B3BEC7E
SHA1:	5FCCADA039664CC9E20D006378C276ADA73EE529
SHA-256:	32728A4F6435F9D3957D43449C0C1461C7B36E94EB596553016799BFCA26E318
SHA-512:	34A3C37D93870ED80C929842BC9F125101A4ED75EC9529441D2C562E089BAEBB8E126C2EFDD1F500224444EF5BD8977EA8510E4B4EF7DB23A8F929B924341B3A
Malicious:	false
Reputation:	low
Preview:	bplist00..._..DownloadHistory......................._..DownloadEntryProgressBytesSoFar_. DownloadEntryProgressTotalToLoad_..DownloadEntryBookmarkBlob_..DownloadEntryDateAddedKey_..DownloadEntryDateFinishedKey_..DownloadEntryIdentifier_..DownloadEntryURL_..DownloadEntryRemoveWhenDoneKey_..DownloadEntryPath_.9DownloadEntryShouldUseRequestURLAsOriginURLIfNecessaryKey.!.V.O..8book8.......0...................................X...........Users...........bernard.........Downloads...........Docker.dmg..................$...8...........................H...............H..............................d...t...................A....+.`........................................file:///........Macintosh HD.........`..............A.e.....$.......6A4B4847-E471-32FD-8A8F-3B8497029445......................................../...................fa8acf4afaeffdd85c6b1d9b4f3149daf859d487;00;00000000;00000000;00000000;0000000000000020;com.apple.app-sandbox.read-write;01;01000006;00000003001aafa5;01;/users/bernard/d

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari)/Info.plist

Download File

Process:	/Applications/Safari.app/Contents/MacOS/Safari
File Type:	Apple binary property list
Category:	dropped
Size (bytes):	1671
Entropy (8bit):	5.405264172422663
Encrypted:	false
SSDEEP:	24:y+AWlfu5YEfLwYY8Sl0gpKElQrASz/Jtx/GwNhWwbgphEH+axEZl3Zu5Ol:yxSEfLwYYnTpK1hvPNhVEDraxuZd
MD5:	8A43FF5FD5314A7734B10846B7ADCE05
SHA1:	53E62B23132048A917CD43A939399E8800A8CF71
SHA-256:	A3576A383D90804AB1BBB64CF2BE5600D6EBD1969BA05B416FC8BB622C63A4C5
SHA-512:	5B1EAA71858A52B5DA7E0FE307963D6CBE0C239EEC44D2447487C89EE2C361A5C353585F21130DE2CEF81F9168D1864B608DACB319E882894BF1515589B0D040
Malicious:	false
Reputation:	low
Preview:	bplist00..................._..DownloadEntryProgressBytesSoFar_. DownloadEntryProgressTotalToLoad_..DownloadEntryBookmarkBlob_..DownloadEntryDateAddedKey_..DownloadEntryIdentifier_..DownloadEntryURL_..DownloadEntryRemoveWhenDoneKey_..DownloadEntryPath_.9DownloadEntryShouldUseRequestURLAsOriginURLIfNecessaryKey...!.V.O...book........0...............................................Users...........bernard.........Downloads...........Docker.dmg.download.........Docker.dmg..................$...8...T...........................H...............H..........................................................................A....+.`........................................file:///........Macintosh HD.........`..............A.e.....$.......6A4B4847-E471-32FD-8A8F-3B8497029445......................................../...................e22c72d343c59426ab22b1baf59784c699551acb;00;00000000;00000000;00000000;0000000000000020;com.apple.app-sandbox.read-write;01;01000006;00000003001aafa5;01;/users/bernard/dow

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari)/KnownExtensions.plist

Download File

Process:	/Applications/Safari.app/Contents/MacOS/Safari
File Type:	Apple binary property list
Category:	dropped
Size (bytes):	2890
Entropy (8bit):	6.383267531551876
Encrypted:	false
SSDEEP:	48:FMO+0F/o0CCPb/bCCoumzC6kiaR/wN4Gfhb0NegHI5mP0waijwg+tiEe:FMO+EoOfjovzCuv5I12msjtHe
MD5:	99707B6E8B1DAA434DE2A176A458F85C
SHA1:	96324F62483DD7AC8683D1850D694BB900EB3419
SHA-256:	F282D8A52BFDCD208792A47C074E59A1E16D627D53094E11FC73E595AEC7DDAD
SHA-512:	E8018018F91A5CE5C418F5C6445DC11A44B40AA6F619958D496B18507B3FE309415BF9AB293E9C7C0B3E4BA109213D0216D39C0304A7BC3CCE301DB0A729430C
Malicious:	false
Reputation:	low
Preview:	bplist00..=..........!$'*-0369<?BEHKNPRTWZ]`cfilnqtwz}......................._..Bundle Identifier_..Developer Identifier_..com.ci.LetyShopsZ8SY8U2YJ38....._..com.stopallads.stopalladssafariZW5672G9B78....._..com.ci.MyPointsScoreZPV79DKGW8E....._..com.shopicks.safariZ52637H29AM....._..com.mallforafrica.mfaZW67LVM7587....._..com.ci.FatWalletExpressZMUA2CU723E....._..com.ci.CashrewardsZWPDLU326V5....._..com.ci.ObybSecurityZ284W368NRK.....^com.ci.AmikashZP77C556755.... _..com.ci.ShopBackCashbackButtonZ63768R85VC..."#_..com.skaggivara.UniblockZ9ZWDNJ5X28...%&_..com.pcvark.adblockerZRQA86TX865...()_..com.ci.PrescritZDPQ487PKR3...+,^com.ci.CashBagZWPHQAS3C45..../_..com.betteradvertising.ghosteryZHPY23A294X...12_..com.ci.RotaryGumdropZ24MGUH34FU...45_..com.ci.DeippiesnlSpaarhulpZH8MVFTTJJ3...78_..com.ci.Rewards4RacingZL6C8C726SQ...:;_..com.findx.privacycontrolZ5QE6FTCMP9...=>_..com.ci.ShopandGivereminderZ5KWKJVWBTS...@A_..com.el1t.uBlockZ3NU33NW2M3...CD_..com.ci.DealDoktorZN64U5Y52L6...FG_.(co

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari)/LastSession.plist

Download File

Process:	/Applications/Safari.app/Contents/MacOS/Safari
File Type:	Apple binary property list
Category:	dropped
Size (bytes):	1938
Entropy (8bit):	6.683477999969033
Encrypted:	false
SSDEEP:	24:/MVp+LGmEH3oFqBMSeASSgDhJF5ezhXn6hfrMVp+LGmEH3oFqBMSeASSgFuQPxzh:E3xmrqeQgCzhXZ3xmrqeQgzOzhXw
MD5:	73F7E34A470E32DDC2758754834661E1
SHA1:	092A575DC2BBED51C0A54296265F2BCDE1E8F8E1
SHA-256:	AB3CFE01F0848068361B2A4C7D59C12EEB43B65D11734C5298F10339CCB5B180
SHA-512:	36C34BF8A7A354DE3CFCD516F1DC545B6CF2DE2BA32457B3F9805C1B5D1C97EE78B827C87979360AC0E225C69A47070FF5E76A9B9EEB2E559391B323BCBA1907
Malicious:	false
Reputation:	low
Preview:	bplist00.....^SessionVersion^SessionWindowsS1.0............................5_..SelectedTabIndex\TabBarHiddenZDateClosed_..FavoritesBarHidden]IsPopupWindow_. PrefersReadingListSidebarVisible\Miniaturized_..WindowStateVersionZWindowUUID_..WindowContentRectYTabStates_..IsPrivateWindow_..SelectedPinnedTabIndex...3A....>......S2.0_.$D0A89824-D821-41DE-98DF-9B80BA137FA3_..{{0, 49}, {1024, 696}}.... !."#.$%&'(.+,....0123\IsDisposable\SessionState_..AncestorTabIdentifers_..SessionStateIsEncryptedXTabIndexWIsMutedWTabUUID]TabIdentifierXTabTitle_..ProcessIdentifier.O...".`..7.. ...\|..?c...^.r.D+..:xi.....W.U..L..n~..O.-.........j.....)....{..v.hQ.#........ig.n,...Ok.......S.!@...B\|......g..-._sP...{..Cn....'6..3A....>..._.$D0A89824-D821-41DE-98DF-9B80BA137FA3._.$14234449-AAD6-4C72-A4B1-654A6596B45F..XUntitled..l.................+./.1.L._.l.w...................3.5.6.?.@.A.B.C.G.n.........................2.3.............%.'.0.3.4...............6...............=bplist00.....^SessionVersion^Se

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari)/PerSiteZoomPreferences.plist

Download File

Process:	/Applications/Safari.app/Contents/MacOS/Safari
File Type:	Apple binary property list
Category:	dropped
Size (bytes):	111
Entropy (8bit):	4.497473103500974
Encrypted:	false
SSDEEP:	3:NsmoyyODAXuGAW665DAXuGAHfyXl/NtoltV:Nxoo7Gj57G86XtNt4f
MD5:	A52EA796C85C81502845C14BBF6A934C
SHA1:	2188E8AA5C6F49DF71545AE776286FB50398F2EC
SHA-256:	F2904D42E87C5B100913976C76E123252C8889996A561B5BFF32AAF49E3B4B1D
SHA-512:	EDD17BA654E59D5EEAB2534BC93C9A065FBB177ECC490C3554A9C2A2341DC7C9F275CD3567E6E46E10F53CAFF86FCFE8E9240F431B19E91F9083FD7621EE595D
Malicious:	false
Reputation:	low
Preview:	bplist00....._..MapOfHostnamesToZoomPreferences_..ZoomPreferenceVersion.Q1../GH...............................J

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari)/Preferences.plist

Download File

Process:	/Applications/Safari.app/Contents/MacOS/Safari
File Type:	Apple binary property list
Category:	dropped
Size (bytes):	76
Entropy (8bit):	3.9370658315190226
Encrypted:	false
SSDEEP:	3:N1n6qMvRGNMTAnd/t1tH:N1nleRaMTAltH
MD5:	CDC65B5F112547EAFAE0F16F9C149426
SHA1:	AEAF9908A5B6FF3E2F7B738ABF5FE9E79108BA01
SHA-256:	1C6D085D871A855CE4A3902BAB4B9B92631B8EE8F0B7F6536768A2AAF427B45C
SHA-512:	E8B0E4CE6A760A718A19976D3CFE9063F04FB4BF179947AECA84E94C83F21459FB9DC0FFABEA8F633BD2D0BA94FE1E15D8C97E9604FDE8BD0DEA961EB83BDDB7
Malicious:	false
Reputation:	low
Preview:	bplist00..._..ExtensionArchivesExtracted...(...............................)

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari)/TopSites.plist

Download File

Process:	/Applications/Safari.app/Contents/MacOS/Safari
File Type:	Apple binary property list
Category:	dropped
Size (bytes):	860
Entropy (8bit):	5.912811086548238
Encrypted:	false
SSDEEP:	12:ieuslRs6o7xIdVPVVfRX7f/jQ7OPJdVDbN8fRUJBTGFY80rHxYipSlQ7nmZ1FyX2:l9RsHyVXxzjQ7OlDD8b0jRpSlsyUyp
MD5:	4B526202A5C6AB2E75836C0F4AF269A6
SHA1:	B406BB0BEA93297127E2D0D59B5045F72200F7CD
SHA-256:	DE2241D85EFB64B3742E719486FDC31CAB3A2E77ED0664CAD87CFF52F053A8E3
SHA-512:	66836CE8A75CB8DA74DE9E541B8F1FE7235526D3B4765275F86AA6C904B24E68BDBD259A2868FB25BAE385665EE3C75A88B415767A4C22CC51D25656F2838F54
Malicious:	false
Reputation:	low
Preview:	bplist00......89:XTopSites_..DisplayedSitesLastModifiedYDemoSites_..BannedURLStrings....... $(,04....._..TopSiteIsBuiltIn_..TopSiteURLString._."http://www.apple.com/uk/startpage/.......\TopSiteTitle._..https://www.icloud.com/ViCloud........_..https://www.yahoo.com/UYahoo........_..https://www.bing.com/TBing........_.4https://www.google.com/?client=safari&channel=mac_bmVGoogle........_..https://www.wikipedia.org/YWikipedia....."#._..https://www.facebook.com/XFacebook.....&'._..https://twitter.com/WTwitter.....+._..https://www.linkedin.com/XLinkedIn....../._..https://www.weather.com/_..The Weather Channel.....23._..https://www.yelp.com/TYelp.....67._..https://www.tripadvisor.com/[TripAdvisor3A.....d.........7.A.T.a.f.y............................./.4.;.<.s.z.............................!..1.2.M.c.j.k...............................;................

Static File Info

⊘No static file info

Network Behavior

⊘Skipped network analysis since the amount of network traffic is too extensive. Please download the PCAP and check manually.

System Behavior

Analysis Process: xpcproxy PID: 610, Parent PID: 1

General

Start time (UTC):	15:40:57
Start date (UTC):	07/04/2025
Path:	/usr/libexec/xpcproxy
Arguments:	-
File size:	44048 bytes
MD5 hash:	4764d9eafe6b7dac23253a9f8b7f73d6

File Activities

File Opened

File Read

Process Activities

Process Spawned

System Activities

Sysctl Requested

Chronological Activities

Analysis Process: nsurlstoraged PID: 610, Parent PID: 1

General

Start time (UTC):	15:40:57
Start date (UTC):	07/04/2025
Path:	/usr/libexec/nsurlstoraged
Arguments:	/usr/libexec/nsurlstoraged --privileged
File size:	246624 bytes
MD5 hash:	321b0a40e24b45f0af49ba42742b3f64

File Activities

File Opened

File Read

Directory Enumerated

System Activities

Sysctl Requested

Chronological Activities

Analysis Process: mono-sgen32 PID: 615, Parent PID: 537

General

Start time (UTC):	15:40:58
Start date (UTC):	07/04/2025
Path:	/Library/Frameworks/Mono.framework/Versions/4.4.2/bin/mono-sgen32
Arguments:	-
File size:	3722408 bytes
MD5 hash:	8910349f44a940d8d79318367855b236

File Activities

File Read (Anonymous Pipes)

Process Activities

Process Overlayed (Exec)

Chronological Activities

Analysis Process: open PID: 615, Parent PID: 537

General

Start time (UTC):	15:40:58
Start date (UTC):	07/04/2025
Path:	/usr/bin/open
Arguments:	/usr/bin/open -a Safari https://desktop.docker.com/mac/main/amd64/Docker.dmg?utm_source=docker&utm_medium=webreferral&utm_campaign=dd-smartbutton&utm_location=module&_gl=116li0my_gcl_auMTczNzMwOTg2NC4xNzQyODIzNDgz_gaNjY4NzEwMzU4LjE3NDI4MjM0ODM._ga_XJWPQMJYHQ*MTc0NDA0MDI4OC4yLjEuMTc0NDA0MDMwMy40NS4wLjA.
File size:	105952 bytes
MD5 hash:	34bd93241fa5d2aee225941b1ca14fa4

File Activities

File Opened

File Read

File Seeked

Directory Enumerated

Process Activities

Process Exited

Process Killed

System Activities

Sysctl Requested

Chronological Activities

Analysis Process: xpcproxy PID: 616, Parent PID: 1

General

Start time (UTC):	15:40:58
Start date (UTC):	07/04/2025
Path:	/usr/libexec/xpcproxy
Arguments:	-
File size:	44048 bytes
MD5 hash:	4764d9eafe6b7dac23253a9f8b7f73d6

File Activities

File Opened

Directory Created

Process Activities

Process Spawned

System Activities

Sysctl Requested

Chronological Activities

Analysis Process: Safari PID: 616, Parent PID: 1

General

Start time (UTC):	15:40:58
Start date (UTC):	07/04/2025
Path:	/Applications/Safari.app/Contents/MacOS/Safari
Arguments:	/Applications/Safari.app/Contents/MacOS/Safari
File size:	27120 bytes
MD5 hash:	2dde28c2f8a38ed2701ba17a0893cbc1

File Activities

File Opened

File Created

File Deleted

File Truncated

File Read

File Read (Anonymous Pipes)

File Written

File Seeked

File Moved

Directory Enumerated

Directory Attributes Enumerated Bulk

Directory Created

Directory Deleted

Permission Modified

Extended Attributes Set

System Activities

Sysctl Requested

Chronological Activities

Analysis Process: xpcproxy PID: 630, Parent PID: 1

General

Start time (UTC):	15:41:25
Start date (UTC):	07/04/2025
Path:	/usr/libexec/xpcproxy
Arguments:	-
File size:	44048 bytes
MD5 hash:	4764d9eafe6b7dac23253a9f8b7f73d6

File Activities

File Opened

Directory Created

Process Activities

Process Spawned

System Activities

Sysctl Requested

Chronological Activities

Analysis Process: com.apple.Safari.SandboxBroker PID: 630, Parent PID: 1

General

Start time (UTC):	15:41:26
Start date (UTC):	07/04/2025
Path:	/Applications/Safari.app/Contents/XPCServices/com.apple.Safari.SandboxBroker.xpc/Contents/MacOS/com.apple.Safari.SandboxBroker
Arguments:	/Applications/Safari.app/Contents/XPCServices/com.apple.Safari.SandboxBroker.xpc/Contents/MacOS/com.apple.Safari.SandboxBroker
File size:	64864 bytes
MD5 hash:	dbc4069451b58fff752f6b018b3f2c4e

File Activities

File Opened

File Read

File Written

File Seeked

Directory Enumerated

Directory Created

System Activities

Sysctl Requested

Chronological Activities

Analysis Process: xpcproxy PID: 645, Parent PID: 1

General

Start time (UTC):	15:42:02
Start date (UTC):	07/04/2025
Path:	/usr/libexec/xpcproxy
Arguments:	-
File size:	44048 bytes
MD5 hash:	4764d9eafe6b7dac23253a9f8b7f73d6

File Activities

File Opened

Process Activities

Process Spawned

System Activities

Sysctl Requested

Chronological Activities

Analysis Process: eficheck PID: 645, Parent PID: 1

General

Start time (UTC):	15:42:02
Start date (UTC):	07/04/2025
Path:	/usr/libexec/firmwarecheckers/eficheck/eficheck
Arguments:	/usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check-daemon
File size:	74048 bytes
MD5 hash:	328beb81a2263449258057506bb4987f

File Activities

File Opened

File Read

File Seeked

Process Activities

Process Exited

System Activities

Sysctl Requested

Chronological Activities

Analysis Process: xpcproxy PID: 646, Parent PID: 1

General

Start time (UTC):	15:42:02
Start date (UTC):	07/04/2025
Path:	/usr/libexec/xpcproxy
Arguments:	-
File size:	44048 bytes
MD5 hash:	4764d9eafe6b7dac23253a9f8b7f73d6

File Activities

File Opened

Directory Created

Process Activities

Process Spawned

System Activities

Sysctl Requested

Chronological Activities

Analysis Process: silhouette PID: 646, Parent PID: 1

General

Start time (UTC):	15:42:02
Start date (UTC):	07/04/2025
Path:	/usr/libexec/silhouette
Arguments:	/usr/libexec/silhouette
File size:	65920 bytes
MD5 hash:	485ec1bd3cd09293e26d05f6fe464bfd

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

Networking

System Summary

Persistence and Installation Behavior

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/dev/null

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/C/com.apple.Safari/com.apple.scriptmanager2.le.cache

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/C/com.apple.Safari/mds/mdsDirectory.db_

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/C/com.apple.Safari/mds/mdsObject.db_

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari 2)/CacheSettings.plist

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari 2)/CloudHistoryRemoteConfiguration.plist

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari 2)/Downloads.plist

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari)/AutoFillQuirks.plist

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari)/Downloads.plist

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari)/Info.plist

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari)/KnownExtensions.plist

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari)/LastSession.plist

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari)/PerSiteZoomPreferences.plist

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari)/Preferences.plist

/private/var/folders/t9/r5v5jljx0rb04g1yc95c7hw40000gp/T/com.apple.Safari/TemporaryItems/(A Document Being Saved By Safari)/TopSites.plist

Static File Info

Network Behavior

System Behavior

Analysis Process: xpcproxy PID: 610, Parent PID: 1

General

File Activities

File Opened

File Read

Process Activities

Process Spawned

System Activities

Sysctl Requested

Chronological Activities

Analysis Process: nsurlstoraged PID: 610, Parent PID: 1

General

File Activities

File Opened

File Read

Directory Enumerated

System Activities

Sysctl Requested

Chronological Activities

Analysis Process: mono-sgen32 PID: 615, Parent PID: 537