Analysis Overview
SHA256
361a1afce4df0787df73f1d3dc1beb8917d7f0f943806bff27219db611d56b9f
Threat Level: Shows suspicious behavior
The file Slack_mac.dmg was classified as: Shows suspicious behavior.
Malicious Activity Summary
Queries the macOS version information.
System Checks
Resource Forking
AppleScript
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-23 12:50
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-23 12:50
Reported
2024-02-23 12:53
Platform
macos-20240214-en
Max time kernel
143s
Max time network
162s
Command Line
Signatures
Queries the macOS version information.
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | sh -c sw_vers | N/A | N/A |
| N/A | sw_vers | N/A | N/A |
System Checks
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | system_profiler SPHardwareDataType | N/A | N/A |
| N/A | sh -c "system_profiler SPHardwareDataType" | N/A | N/A |
AppleScript
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'" | N/A | N/A |
| N/A | sh -c "osascript -e 'tell application \"Terminal\" to set visible of front window to false'" | N/A | N/A |
| N/A | sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'" | N/A | N/A |
| N/A | osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer" | N/A | N/A |
| N/A | sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'" | N/A | N/A |
| N/A | osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer" | N/A | N/A |
| N/A | osascript -e "tell application \"Terminal\" to set visible of front window to false" | N/A | N/A |
| N/A | osascript -e "display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer" | N/A | N/A |
| N/A | sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'" | N/A | N/A |
| N/A | osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer" | N/A | N/A |
Resource Forking
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper | N/A | N/A |
Processes
/bin/sh
[sh -c sudo /bin/zsh -c "open /Volumes/Slack_mac"]
/bin/bash
[sh -c sudo /bin/zsh -c "open /Volumes/Slack_mac"]
/usr/bin/sudo
[sudo /bin/zsh -c open /Volumes/Slack_mac]
/bin/zsh
[/bin/zsh -c open /Volumes/Slack_mac]
/usr/bin/open
[open /Volumes/Slack_mac]
/usr/libexec/xpcproxy
[xpcproxy com.apple.nehelper]
/usr/libexec/nehelper
[/usr/libexec/nehelper]
/usr/libexec/xpcproxy
[xpcproxy com.apple.spindump]
/usr/sbin/spindump
[/usr/sbin/spindump]
/usr/libexec/xpcproxy
[xpcproxy com.apple.tailspind]
/usr/libexec/xpcproxy
[xpcproxy com.apple.spindump_agent]
/usr/libexec/tailspind
[/usr/libexec/tailspind]
/usr/libexec/spindump_agent
[/usr/libexec/spindump_agent]
/usr/libexec/xpcproxy
[xpcproxy com.apple.TextInputMenuAgent]
/System/Library/CoreServices/TextInputMenuAgent.app/Contents/MacOS/TextInputMenuAgent
[/System/Library/CoreServices/TextInputMenuAgent.app/Contents/MacOS/TextInputMenuAgent]
/usr/libexec/xpcproxy
[xpcproxy com.apple.TextInputSwitcher]
/System/Library/CoreServices/TextInputSwitcher.app/Contents/MacOS/TextInputSwitcher
[/System/Library/CoreServices/TextInputSwitcher.app/Contents/MacOS/TextInputSwitcher]
/usr/libexec/xpcproxy
[xpcproxy com.apple.quicklook.ui.helper]
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
[/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper]
/usr/libexec/xpcproxy
[xpcproxy com.apple.metadata.mdwrite]
/usr/bin/login
[login -pf run]
/usr/libexec/xpcproxy
[xpcproxy com.apple.AccountPolicyHelper]
/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper
[/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper]
/bin/zsh
[-zsh]
/usr/libexec/path_helper
[/usr/libexec/path_helper -s]
/usr/bin/locale
[locale LC_CTYPE]
/Volumes/Slack_mac/Slack_mac
[/Volumes/Slack_mac/Slack_mac]
/bin/sh
[sh -c osascript -e 'tell application "Terminal" to set visible of front window to false']
/bin/bash
[sh -c osascript -e 'tell application "Terminal" to set visible of front window to false']
/usr/bin/osascript
[osascript -e tell application "Terminal" to set visible of front window to false]
/bin/sh
[sh -c mkdir /Users/run/182481170]
/bin/bash
[sh -c mkdir /Users/run/182481170]
/bin/mkdir
[mkdir /Users/run/182481170]
/bin/sh
[sh -c system_profiler SPHardwareDataType]
/bin/bash
[sh -c system_profiler SPHardwareDataType]
/usr/sbin/system_profiler
[system_profiler SPHardwareDataType]
/bin/sh
[sh -c system_profiler SPDisplaysDataType]
/bin/bash
[sh -c system_profiler SPDisplaysDataType]
/usr/sbin/system_profiler
[system_profiler SPDisplaysDataType]
/bin/sh
[sh -c sw_vers]
/bin/bash
[sh -c sw_vers]
/usr/bin/sw_vers
[sw_vers]
/bin/sh
[sh -c dscl /Local/Default -authonly run ""]
/bin/bash
[sh -c dscl /Local/Default -authonly run ""]
/usr/bin/dscl
[dscl /Local/Default -authonly run ]
/bin/sh
[sh -c osascript -e 'display dialog "To launch the application, you need to update the system settings \n\nPlease enter your password." with title "System Preferences" with icon caution default answer "" giving up after 30 with hidden answer']
/bin/bash
[sh -c osascript -e 'display dialog "To launch the application, you need to update the system settings \n\nPlease enter your password." with title "System Preferences" with icon caution default answer "" giving up after 30 with hidden answer']
/usr/bin/osascript
[osascript -e display dialog "To launch the application, you need to update the system settings \n\nPlease enter your password." with title "System Preferences" with icon caution default answer "" giving up after 30 with hidden answer]
/usr/libexec/xpcproxy
[xpcproxy com.apple.geod]
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]
/usr/libexec/xpcproxy
[xpcproxy com.apple.geod]
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]
/usr/libexec/xpcproxy
[xpcproxy com.apple.secinitd]
/usr/libexec/secinitd
[/usr/libexec/secinitd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.cfprefsd.xpc.agent]
/usr/sbin/cfprefsd
[/usr/sbin/cfprefsd agent]
/usr/libexec/xpcproxy
[xpcproxy com.apple.AddressBook.ContactsAccountsService]
/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService
[/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService]
/usr/libexec/xpcproxy
[xpcproxy com.apple.routined]
/usr/libexec/routined
[/usr/libexec/routined LAUNCHED_BY_LAUNCHD]
/usr/libexec/xpcproxy
[xpcproxy com.apple.Maps.mapspushd]
/System/Library/CoreServices/mapspushd
[/System/Library/CoreServices/mapspushd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A]
/usr/libexec/neagent
[/usr/libexec/neagent]
/usr/libexec/xpcproxy
[xpcproxy com.apple.akd]
/System/Library/PrivateFrameworks/AuthKit.framework/Versions/A/Support/akd
[/System/Library/PrivateFrameworks/AuthKit.framework/Versions/A/Support/akd]
/bin/sh
[sh -c osascript -e 'display dialog "To launch the application, you need to update the system settings You entered an invalid password.\n\nPlease enter your password." with title "System Preferences" with icon caution default answer "" giving up after 30 with hidden answer']
/bin/bash
[sh -c osascript -e 'display dialog "To launch the application, you need to update the system settings You entered an invalid password.\n\nPlease enter your password." with title "System Preferences" with icon caution default answer "" giving up after 30 with hidden answer']
/usr/bin/osascript
[osascript -e display dialog "To launch the application, you need to update the system settings You entered an invalid password.\n\nPlease enter your password." with title "System Preferences" with icon caution default answer "" giving up after 30 with hidden answer]
/usr/libexec/xpcproxy
[xpcproxy com.apple.assistantd]
/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd
[/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd]
/usr/sbin/spctl
[/usr/sbin/spctl --assess --type execute /Applications/OneDrive.app]
/bin/sh
[sh -c osascript -e 'display dialog "To launch the application, you need to update the system settings You entered an invalid password.\n\nPlease enter your password." with title "System Preferences" with icon caution default answer "" giving up after 30 with hidden answer']
/bin/bash
[sh -c osascript -e 'display dialog "To launch the application, you need to update the system settings You entered an invalid password.\n\nPlease enter your password." with title "System Preferences" with icon caution default answer "" giving up after 30 with hidden answer']
/usr/bin/osascript
[osascript -e display dialog "To launch the application, you need to update the system settings You entered an invalid password.\n\nPlease enter your password." with title "System Preferences" with icon caution default answer "" giving up after 30 with hidden answer]
/usr/libexec/xpcproxy
[xpcproxy com.apple.ReportMemoryException]
/usr/libexec/ReportMemoryException
[/usr/libexec/ReportMemoryException]
/usr/libexec/xpcproxy
[xpcproxy com.apple.ReportCrash.Root]
/System/Library/CoreServices/ReportCrash
[/System/Library/CoreServices/ReportCrash daemon]
/bin/sh
[sh -c osascript -e 'display dialog "To launch the application, you need to update the system settings You entered an invalid password.\n\nPlease enter your password." with title "System Preferences" with icon caution default answer "" giving up after 30 with hidden answer']
/bin/bash
[sh -c osascript -e 'display dialog "To launch the application, you need to update the system settings You entered an invalid password.\n\nPlease enter your password." with title "System Preferences" with icon caution default answer "" giving up after 30 with hidden answer']
/usr/bin/osascript
[osascript -e display dialog "To launch the application, you need to update the system settings You entered an invalid password.\n\nPlease enter your password." with title "System Preferences" with icon caution default answer "" giving up after 30 with hidden answer]
/bin/launchctl
[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveUpdaterDaemon]
/bin/launchctl
[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveStandaloneUpdaterDaemon]
/bin/sh
[sh -c /usr/sbin/kextstat]
/bin/bash
[sh -c /usr/sbin/kextstat]
/usr/sbin/kextstat
[/usr/sbin/kextstat]
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 31.courier-push-apple.com.akadns.net | udp |
| US | 8.8.8.8:53 | mobile.events.data.trafficmanager.net | udp |
| US | 20.42.72.131:443 | | tcp |
| US | 8.8.8.8:53 | b._dns-sd._udp.0.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | db._dns-sd._udp.0.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | b._dns-sd._udp.0.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | db._dns-sd._udp.0.0.127.10.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | apis.apple.map.fastly.net | udp |
| US | 8.8.8.8:53 | a1366.dscapi6.akamai.net | udp |
| GB | 23.200.147.24:443 | | tcp |
| US | 8.8.8.8:53 | e4686.dsce9.akamaiedge.net | udp |
| GB | 104.91.71.86:443 | a1366.dscapi6.akamai.net | tcp |
| GB | 17.253.77.202:80 | valid.apple.com | tcp |
| US | 8.8.8.8:53 | mobile.events.data.trafficmanager.net | udp |
| JP | 40.79.189.59:443 | mobile.events.data.trafficmanager.net | tcp |
| US | 20.189.173.11:443 | mobile.events.data.trafficmanager.net | tcp |
| US | 8.8.8.8:53 | cds.apple.com | udp |
| RO | 82.78.25.240:443 | cds.apple.com | tcp |
| US | 8.8.8.8:53 | help.apple.com | udp |
| GB | 23.44.233.108:443 | help.apple.com | tcp |
| GB | 23.44.233.108:443 | help.apple.com | tcp |
Files
/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsObject.db
/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsDirectory.db
/Library/Preferences/com.apple.networkextension.uuidcache.plist
/Users/run/Library/Caches/GeoServices/Resources/altitude-1168.xml
/Users/run/Library/Caches/GeoServices/ActiveTileGroup.pbd
/Users/run/Library/Saved Application State/com.apple.osascript.savedState/data.data
/Library/Preferences/com.apple.networkextension.uuidcache.plist
/Library/Preferences/com.apple.networkextension.uuidcache.plist
/Users/run/Library/Saved Application State/com.apple.osascript.savedState/data.data
/private/var/db/spindump/tailspin-trace.2024-02-23_12-52-01.tailspin
/private/var/db/spindump/tailspin-trace.2024-02-23_12-52-01.tailspin
/Users/run/Library/Saved Application State/com.apple.osascript.savedState/data.data
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-23 12:50
Reported
2024-02-23 12:53
Platform
macos-20240214-en
Max time kernel
136s
Max time network
154s
Command Line
Signatures
AppleScript
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | sh -c "osascript -e 'tell application \"Terminal\" to set visible of front window to false'" | N/A | N/A |
| N/A | osascript -e "tell application \"Terminal\" to set visible of front window to false" | N/A | N/A |
| N/A | sh -c "osascript -e 'display dialog \"Some error occurred while running the application.\" buttons {\"OK\"} default button 1 with icon stop'" | N/A | N/A |
| N/A | osascript -e "display dialog \"Some error occurred while running the application.\" buttons {\"OK\"} default button 1 with icon stop" | N/A | N/A |
Processes
/bin/sh
[sh -c sudo /bin/zsh -c "/Users/run/Slack_mac/Slack_mac"]
/bin/bash
[sh -c sudo /bin/zsh -c "/Users/run/Slack_mac/Slack_mac"]
/usr/bin/sudo
[sudo /bin/zsh -c /Users/run/Slack_mac/Slack_mac]
/bin/zsh
[/bin/zsh -c /Users/run/Slack_mac/Slack_mac]
/Users/run/Slack_mac/Slack_mac
[/Users/run/Slack_mac/Slack_mac]
/bin/sh
[sh -c osascript -e 'tell application "Terminal" to set visible of front window to false']
/bin/bash
[sh -c osascript -e 'tell application "Terminal" to set visible of front window to false']
/usr/bin/osascript
[osascript -e tell application "Terminal" to set visible of front window to false]
/usr/libexec/xpcproxy
[xpcproxy com.apple.sysmond]
/usr/libexec/sysmond
[/usr/libexec/sysmond]
/usr/libexec/xpcproxy
[xpcproxy com.apple.geod]
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]
/usr/libexec/xpcproxy
[xpcproxy com.apple.AddressBook.ContactsAccountsService]
/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService
[/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService]
/usr/libexec/xpcproxy
[xpcproxy com.apple.routined]
/usr/libexec/routined
[/usr/libexec/routined LAUNCHED_BY_LAUNCHD]
/usr/libexec/xpcproxy
[xpcproxy com.apple.Maps.mapspushd]
/System/Library/CoreServices/mapspushd
[/System/Library/CoreServices/mapspushd]
/usr/sbin/spctl
[/usr/sbin/spctl --assess --type execute /Applications/OneDrive.app]
/usr/libexec/xpcproxy
[xpcproxy com.apple.assistantd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.bird]
/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd
[/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.nehelper]
/usr/libexec/nehelper
[/usr/libexec/nehelper]
/System/Library/PrivateFrameworks/CloudDocsDaemon.framework/Versions/A/Support/bird
[/System/Library/PrivateFrameworks/CloudDocsDaemon.framework/Versions/A/Support/bird]
/usr/libexec/xpcproxy
[xpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A]
/usr/libexec/neagent
[/usr/libexec/neagent]
/usr/libexec/xpcproxy
[xpcproxy com.apple.pbs]
/System/Library/CoreServices/pbs
[/System/Library/CoreServices/pbs]
/bin/launchctl
[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveUpdaterDaemon]
/bin/launchctl
[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveStandaloneUpdaterDaemon]
/bin/sh
[sh -c mkdir /Users/root/181775276]
/bin/bash
[sh -c mkdir /Users/root/181775276]
/bin/mkdir
[mkdir /Users/root/181775276]
/bin/sh
[sh -c osascript -e 'display dialog "Some error occurred while running the application." buttons {"OK"} default button 1 with icon stop']
/bin/bash
[sh -c osascript -e 'display dialog "Some error occurred while running the application." buttons {"OK"} default button 1 with icon stop']
/usr/bin/osascript
[osascript -e display dialog "Some error occurred while running the application." buttons {"OK"} default button 1 with icon stop]
/usr/libexec/xpcproxy
[xpcproxy com.apple.ViewBridgeAuxiliary]
/System/Library/PrivateFrameworks/ViewBridge.framework/Versions/A/XPCServices/ViewBridgeAuxiliary.xpc/Contents/MacOS/ViewBridgeAuxiliary
[/System/Library/PrivateFrameworks/ViewBridge.framework/Versions/A/XPCServices/ViewBridgeAuxiliary.xpc/Contents/MacOS/ViewBridgeAuxiliary]
/usr/libexec/xpcproxy
[xpcproxy com.apple.sandboxd]
/usr/libexec/sandboxd
[/usr/libexec/sandboxd]
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 52.182.143.208:443 | | tcp |
| US | 8.8.8.8:53 | bag-cdn-lb.itunes-apple.com.akadns.net | udp |
| US | 8.8.8.8:53 | a1366.dscapi6.akamai.net | udp |
| GB | 104.91.71.86:443 | a1366.dscapi6.akamai.net | tcp |
| US | 8.8.8.8:53 | e4686.dsce9.akamaiedge.net | udp |
| US | 17.137.170.10:443 | | tcp |
| US | 17.137.170.34:443 | | tcp |
| US | 8.8.8.8:53 | mobile.events.data.trafficmanager.net | udp |
| US | 52.182.143.208:443 | | tcp |
| US | 8.8.8.8:53 | e4686.dsce9.akamaiedge.net | udp |
| GB | 17.253.77.202:80 | valid.apple.com | tcp |
| GB | 17.253.77.202:80 | valid.apple.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | cds.apple.com | udp |
| RO | 82.78.25.240:443 | cds.apple.com | tcp |
Files
/Library/Preferences/com.apple.networkextension.uuidcache.plist
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/assistantd//mds/mdsObject.db
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/assistantd//mds/mdsDirectory.db
/Library/Preferences/com.apple.networkextension.uuidcache.plist
/Users/run/Library/Caches/GeoServices/Resources/altitude-1168.xml
/Users/run/Library/Caches/GeoServices/ActiveTileGroup.pbd
/Library/Preferences/com.apple.networkextension.uuidcache.plist