Malware Analysis Report

2025-08-05 09:28

Sample ID 240223-p2341aga6v
Target Slack_mac.dmg
SHA256 361a1afce4df0787df73f1d3dc1beb8917d7f0f943806bff27219db611d56b9f
Tags
discovery evasion execution
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

361a1afce4df0787df73f1d3dc1beb8917d7f0f943806bff27219db611d56b9f

Threat Level: Shows suspicious behavior

The file Slack_mac.dmg was found to show suspicious behavior.

Malicious Activity Summary

discovery evasion execution

Queries the macOS version information.

System Checks

Resource Forking

AppleScript

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-23 12:50

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-23 12:50

Reported

2024-02-23 12:53

Platform

macos-20240214-en

Max time kernel

143s

Max time network

162s

Command Line

[sh -c sudo /bin/zsh -c "open /Volumes/Slack_mac"]

Signatures

Queries the macOS version information.

discovery
Description Indicator Process Target
N/A sh -c sw_vers N/A N/A
N/A sw_vers N/A N/A

System Checks

evasion
Description Indicator Process Target
N/A system_profiler SPHardwareDataType N/A N/A
N/A sh -c "system_profiler SPHardwareDataType" N/A N/A

AppleScript

execution
Description Indicator Process Target
N/A sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'" N/A N/A
N/A sh -c "osascript -e 'tell application \"Terminal\" to set visible of front window to false'" N/A N/A
N/A sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'" N/A N/A
N/A osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer" N/A N/A
N/A sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'" N/A N/A
N/A osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer" N/A N/A
N/A osascript -e "tell application \"Terminal\" to set visible of front window to false" N/A N/A
N/A osascript -e "display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer" N/A N/A
N/A sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'" N/A N/A
N/A osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer" N/A N/A

Resource Forking

evasion
Description Indicator Process Target
N/A /System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper N/A N/A

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "open /Volumes/Slack_mac"]

/bin/bash

[sh -c sudo /bin/zsh -c "open /Volumes/Slack_mac"]

/usr/bin/sudo

[sudo /bin/zsh -c open /Volumes/Slack_mac]

/bin/zsh

[/bin/zsh -c open /Volumes/Slack_mac]

/usr/bin/open

[open /Volumes/Slack_mac]

/usr/libexec/xpcproxy

[xpcproxy com.apple.nehelper]

/usr/libexec/nehelper

[/usr/libexec/nehelper]

/usr/libexec/xpcproxy

[xpcproxy com.apple.spindump]

/usr/sbin/spindump

[/usr/sbin/spindump]

/usr/libexec/xpcproxy

[xpcproxy com.apple.tailspind]

/usr/libexec/xpcproxy

[xpcproxy com.apple.spindump_agent]

/usr/libexec/tailspind

[/usr/libexec/tailspind]

/usr/libexec/spindump_agent

[/usr/libexec/spindump_agent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.TextInputMenuAgent]

/System/Library/CoreServices/TextInputMenuAgent.app/Contents/MacOS/TextInputMenuAgent

[/System/Library/CoreServices/TextInputMenuAgent.app/Contents/MacOS/TextInputMenuAgent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.TextInputSwitcher]

/System/Library/CoreServices/TextInputSwitcher.app/Contents/MacOS/TextInputSwitcher

[/System/Library/CoreServices/TextInputSwitcher.app/Contents/MacOS/TextInputSwitcher]

/usr/libexec/xpcproxy

[xpcproxy com.apple.quicklook.ui.helper]

/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper

[/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper]

/usr/libexec/xpcproxy

[xpcproxy com.apple.metadata.mdwrite]

/usr/bin/login

[login -pf run]

/usr/libexec/xpcproxy

[xpcproxy com.apple.AccountPolicyHelper]

/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper

[/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper]

/bin/zsh

[-zsh]

/usr/libexec/path_helper

[/usr/libexec/path_helper -s]

/usr/bin/locale

[locale LC_CTYPE]

/Volumes/Slack_mac/Slack_mac

[/Volumes/Slack_mac/Slack_mac]

/bin/sh

[sh -c osascript -e 'tell application "Terminal" to set visible of front window to false']

/bin/bash

[sh -c osascript -e 'tell application "Terminal" to set visible of front window to false']

/usr/bin/osascript

[osascript -e tell application "Terminal" to set visible of front window to false]

/bin/sh

[sh -c mkdir /Users/run/182481170]

/bin/bash

[sh -c mkdir /Users/run/182481170]

/bin/mkdir

[mkdir /Users/run/182481170]

/bin/sh

[sh -c system_profiler SPHardwareDataType]

/bin/bash

[sh -c system_profiler SPHardwareDataType]

/usr/sbin/system_profiler

[system_profiler SPHardwareDataType]

/bin/sh

[sh -c system_profiler SPDisplaysDataType]

/bin/bash

[sh -c system_profiler SPDisplaysDataType]

/usr/sbin/system_profiler

[system_profiler SPDisplaysDataType]

/bin/sh

[sh -c sw_vers]

/bin/bash

[sh -c sw_vers]

/usr/bin/sw_vers

[sw_vers]

/bin/sh

[sh -c dscl /Local/Default -authonly run ""]

/bin/bash

[sh -c dscl /Local/Default -authonly run ""]

/usr/bin/dscl

[dscl /Local/Default -authonly run ]

/bin/sh

[sh -c osascript -e 'display dialog "To launch the application, you need to update the system settings \n\nPlease enter your password." with title "System Preferences" with icon caution default answer "" giving up after 30 with hidden answer']

/bin/bash

[sh -c osascript -e 'display dialog "To launch the application, you need to update the system settings \n\nPlease enter your password." with title "System Preferences" with icon caution default answer "" giving up after 30 with hidden answer']

/usr/bin/osascript

[osascript -e display dialog "To launch the application, you need to update the system settings \n\nPlease enter your password." with title "System Preferences" with icon caution default answer "" giving up after 30 with hidden answer]

/usr/libexec/xpcproxy

[xpcproxy com.apple.geod]

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod

[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]

/usr/libexec/xpcproxy

[xpcproxy com.apple.geod]

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod

[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]

/usr/libexec/xpcproxy

[xpcproxy com.apple.secinitd]

/usr/libexec/secinitd

[/usr/libexec/secinitd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.cfprefsd.xpc.agent]

/usr/sbin/cfprefsd

[/usr/sbin/cfprefsd agent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.AddressBook.ContactsAccountsService]

/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService

[/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService]

/usr/libexec/xpcproxy

[xpcproxy com.apple.routined]

/usr/libexec/routined

[/usr/libexec/routined LAUNCHED_BY_LAUNCHD]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Maps.mapspushd]

/System/Library/CoreServices/mapspushd

[/System/Library/CoreServices/mapspushd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A]

/usr/libexec/neagent

[/usr/libexec/neagent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.akd]

/System/Library/PrivateFrameworks/AuthKit.framework/Versions/A/Support/akd

[/System/Library/PrivateFrameworks/AuthKit.framework/Versions/A/Support/akd]

/bin/sh

[sh -c osascript -e 'display dialog "To launch the application, you need to update the system settings You entered an invalid password.\n\nPlease enter your password." with title "System Preferences" with icon caution default answer "" giving up after 30 with hidden answer']

/bin/bash

[sh -c osascript -e 'display dialog "To launch the application, you need to update the system settings You entered an invalid password.\n\nPlease enter your password." with title "System Preferences" with icon caution default answer "" giving up after 30 with hidden answer']

/usr/bin/osascript

[osascript -e display dialog "To launch the application, you need to update the system settings You entered an invalid password.\n\nPlease enter your password." with title "System Preferences" with icon caution default answer "" giving up after 30 with hidden answer]

/usr/libexec/xpcproxy

[xpcproxy com.apple.assistantd]

/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd

[/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd]

/usr/sbin/spctl

[/usr/sbin/spctl --assess --type execute /Applications/OneDrive.app]

/bin/sh

[sh -c osascript -e 'display dialog "To launch the application, you need to update the system settings You entered an invalid password.\n\nPlease enter your password." with title "System Preferences" with icon caution default answer "" giving up after 30 with hidden answer']

/bin/bash

[sh -c osascript -e 'display dialog "To launch the application, you need to update the system settings You entered an invalid password.\n\nPlease enter your password." with title "System Preferences" with icon caution default answer "" giving up after 30 with hidden answer']

/usr/bin/osascript

[osascript -e display dialog "To launch the application, you need to update the system settings You entered an invalid password.\n\nPlease enter your password." with title "System Preferences" with icon caution default answer "" giving up after 30 with hidden answer]

/usr/libexec/xpcproxy

[xpcproxy com.apple.ReportMemoryException]

/usr/libexec/ReportMemoryException

[/usr/libexec/ReportMemoryException]

/usr/libexec/xpcproxy

[xpcproxy com.apple.ReportCrash.Root]

/System/Library/CoreServices/ReportCrash

[/System/Library/CoreServices/ReportCrash daemon]

/bin/sh

[sh -c osascript -e 'display dialog "To launch the application, you need to update the system settings You entered an invalid password.\n\nPlease enter your password." with title "System Preferences" with icon caution default answer "" giving up after 30 with hidden answer']

/bin/bash

[sh -c osascript -e 'display dialog "To launch the application, you need to update the system settings You entered an invalid password.\n\nPlease enter your password." with title "System Preferences" with icon caution default answer "" giving up after 30 with hidden answer']

/usr/bin/osascript

[osascript -e display dialog "To launch the application, you need to update the system settings You entered an invalid password.\n\nPlease enter your password." with title "System Preferences" with icon caution default answer "" giving up after 30 with hidden answer]

/bin/launchctl

[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveUpdaterDaemon]

/bin/launchctl

[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveStandaloneUpdaterDaemon]

/bin/sh

[sh -c /usr/sbin/kextstat]

/bin/bash

[sh -c /usr/sbin/kextstat]

/usr/sbin/kextstat

[/usr/sbin/kextstat]

Network

Country Destination Domain Proto
US 8.8.8.8:53 31.courier-push-apple.com.akadns.net udp
US 8.8.8.8:53 mobile.events.data.trafficmanager.net udp
US 20.42.72.131:443 tcp
US 8.8.8.8:53 b._dns-sd._udp.0.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 db._dns-sd._udp.0.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 b._dns-sd._udp.0.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 db._dns-sd._udp.0.0.127.10.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 apis.apple.map.fastly.net udp
US 8.8.8.8:53 a1366.dscapi6.akamai.net udp
GB 23.200.147.24:443 tcp
US 8.8.8.8:53 e4686.dsce9.akamaiedge.net udp
GB 104.91.71.86:443 a1366.dscapi6.akamai.net tcp
GB 17.253.77.202:80 valid.apple.com tcp
US 8.8.8.8:53 mobile.events.data.trafficmanager.net udp
JP 40.79.189.59:443 mobile.events.data.trafficmanager.net tcp
US 20.189.173.11:443 mobile.events.data.trafficmanager.net tcp
US 8.8.8.8:53 cds.apple.com udp
RO 82.78.25.240:443 cds.apple.com tcp
US 8.8.8.8:53 help.apple.com udp
GB 23.44.233.108:443 help.apple.com tcp
GB 23.44.233.108:443 help.apple.com tcp

Files

/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsObject.db

MD5 d3a1859e6ec593505cc882e6def48fc8
SHA1 f8e6728e3e9de477a75706faa95cead9ce13cb32
SHA256 3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c
SHA512 ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsDirectory.db

MD5 0e4a0d1ceb2af6f0f8d0167ce77be2d3
SHA1 414ba4c1dc5fc8bf53d550e296fd6f5ad669918c
SHA256 cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030
SHA512 1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

/Library/Preferences/com.apple.networkextension.uuidcache.plist

MD5 a6ef4856e99c9d8e1d9bb762c5a8503a
SHA1 25d5405ad91791b716ae5a56b37aa2b393854967
SHA256 232441aa129d4f21999860b8bf31db4b8617df9f7d32ef5f25a383edff82d9fa
SHA512 582fa1ea60766a5a4e99b295a8ed98c94f6bab45e42b7e8db61e9ad645f531891082cd457bfd11d660195af86f02c4ed93589e6e6daded683cff2d8319bbc489

/Users/run/Library/Caches/GeoServices/Resources/altitude-1168.xml

MD5 76ebb0196d42a294b69ef118cbb301d5
SHA1 61e5ab752d351af1661716bc48c0520f66cd1d1b
SHA256 aaa9febe98e3a75220b4933d1f00f2bef276183491e7d171fa54d03259812759
SHA512 8dde09d72944e8925c5bd64dc3799a44d7c30191d5038939a24f8a45ccf4d66b84990e8be3e0f2ee1d42d1dd6e5ed3673c39f803874fb0840a3232cc1e533663

/Users/run/Library/Caches/GeoServices/ActiveTileGroup.pbd

MD5 3787ae55247ef0a97cd8d31d20db2311
SHA1 11a0ec4bc37c1c46160499ed1afa5a42185d0c54
SHA256 50782ea8f6df98e0170125b6112be40ab4cafcc24fab69d1dcddfc0587ddbb43
SHA512 ea9dd363975710b48a43e4c548ee8f9b2c17f83d48a45199d6eaf704708712e2d3ba1a3be94af86bd57a2d51182085462de0ba45652ee957cd3428774f796f39

/Users/run/Library/Saved Application State/com.apple.osascript.savedState/data.data

MD5 bb55e27ee415cb9fa7a2442e0b049c80
SHA1 12b08a0ff728ed9e03ec963a648b2d6314c58151
SHA256 078e1c2fbb659dd049de3d018ffa1739689769d6a2fe198ea77c02b65bd3d9f3
SHA512 da10e77eb98dc478af1ecbe4e429ab77b8d1f7bb60e003a06ff05f783c5910c8b7998add639747f2337808503d7c65cf079200b330b7873d2b0e18101d8e0bd2

/Library/Preferences/com.apple.networkextension.uuidcache.plist

MD5 2f01f7a00c85e424f82b00b2bf794a7c
SHA1 c75cb52aa31012888dd7c65373d5faba6048c425
SHA256 23d6746cb1c1906c9cfb5c69f7377f7cb68965ac0708ed1d600bfd3d3c34ce32
SHA512 75131e0145182653cef2edbb968853c9cb3c26c37c5821f3cd69c3ecdde7979ae37e74ecea8ad333090a473177c6dad43bc34f94a8fd104cd4c9b16c8f7b54f8

/Library/Preferences/com.apple.networkextension.uuidcache.plist

MD5 ce7f5b3d4bfc7b4b0da6a06dccc515f2
SHA1 ce657a52a052a3aaf534ecfbf7cbdde4ee334c10
SHA256 9261ecceda608ef174256e5fdc774c1e6e3dcf533409c1bc393d490d01c713f1
SHA512 db9de6afa0e14c347aa0988a985b8a453ef133a2413c03bae0fab48bda34d4f9a488db104837a386bb65c393e8f11b1ed4856b211c1c186423649c147d6aabfb

/Users/run/Library/Saved Application State/com.apple.osascript.savedState/data.data

MD5 0f931ace03b6cc51a3aae8d476886d1b
SHA1 dc5b13667d0fab85c59588caffb8990d3d474ab1
SHA256 9f2d809b4ebb4c8b777a544dfb8b8e518c4d9fa19befae99b7bf52b138597d30
SHA512 9cb52e42fcf2484afac2fe46a009050555a2d0eefa45ba43ef61f8e864e64cde9e16d4febb5763782ae141d6b62d16395a74eb6728f61bcc4b292bfff5eb327e

/private/var/db/spindump/tailspin-trace.2024-02-23_12-52-01.tailspin

MD5 9f2097b6f1692426535f4676ec855863
SHA1 a18e00a5b8bd0587e22ff3cf096e246d6ad46366
SHA256 9b093d5780117b627342e3b39f738a778e2784fdfb58a5586d31c266ed6340aa
SHA512 99f271f6eff4047784e56184b6a1858d5a7f2f3cf066b3099325c4dc80a3c80b68ce241c66cda0d7373ca2ec656617fbc87acc65d516fa8873541ddd2288b7af

/private/var/db/spindump/tailspin-trace.2024-02-23_12-52-01.tailspin

MD5 90ac42bec4141dfd816c1e6d97478a2c
SHA1 ca87727865a87fc6c640ebd30090baa17937ffee
SHA256 762f13ca175aad1a7e5ccbc4c377e88890b67ea1a025866527cdf01354f8bb19
SHA512 250d9198e49f0fb5403f5e3fed9b52cb9e2ba5e840949359e4febaaabb4ff82bca55e0e40635ee6287cef9e8469cdb3563851246bc92d3c1b6d49f35a0853e0f

/Users/run/Library/Saved Application State/com.apple.osascript.savedState/data.data

MD5 60d8b91ad68dd3d08790e980b85772b1
SHA1 b21a026c47907c00b5aee3768e877c779095ea0d
SHA256 98c18d65bc3d4e49fdcebf39dffec2dd99c04ff6993fdcf15760276e0ad3d581
SHA512 38b074d7542867efba289f362589ac1bb026887027d6f379c5f49462ba39fc2a7014e8a5af28674ef330a752455f990dc0a07e1fbc554b26ee0c6c718282c17a

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-23 12:50

Reported

2024-02-23 12:53

Platform

macos-20240214-en

Max time kernel

136s

Max time network

154s

Command Line

[sh -c sudo /bin/zsh -c "/Users/run/Slack_mac/Slack_mac"]

Signatures

AppleScript

execution
Description Indicator Process Target
N/A sh -c "osascript -e 'tell application \"Terminal\" to set visible of front window to false'" N/A N/A
N/A osascript -e "tell application \"Terminal\" to set visible of front window to false" N/A N/A
N/A sh -c "osascript -e 'display dialog \"Some error occurred while running the application.\" buttons {\"OK\"} default button 1 with icon stop'" N/A N/A
N/A osascript -e "display dialog \"Some error occurred while running the application.\" buttons {\"OK\"} default button 1 with icon stop" N/A N/A

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "/Users/run/Slack_mac/Slack_mac"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Users/run/Slack_mac/Slack_mac"]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/Slack_mac/Slack_mac]

/bin/zsh

[/bin/zsh -c /Users/run/Slack_mac/Slack_mac]

/Users/run/Slack_mac/Slack_mac

[/Users/run/Slack_mac/Slack_mac]

/bin/sh

[sh -c osascript -e 'tell application "Terminal" to set visible of front window to false']

/bin/bash

[sh -c osascript -e 'tell application "Terminal" to set visible of front window to false']

/usr/bin/osascript

[osascript -e tell application "Terminal" to set visible of front window to false]

/usr/libexec/xpcproxy

[xpcproxy com.apple.sysmond]

/usr/libexec/sysmond

[/usr/libexec/sysmond]

/usr/libexec/xpcproxy

[xpcproxy com.apple.geod]

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod

[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]

/usr/libexec/xpcproxy

[xpcproxy com.apple.AddressBook.ContactsAccountsService]

/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService

[/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService]

/usr/libexec/xpcproxy

[xpcproxy com.apple.routined]

/usr/libexec/routined

[/usr/libexec/routined LAUNCHED_BY_LAUNCHD]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Maps.mapspushd]

/System/Library/CoreServices/mapspushd

[/System/Library/CoreServices/mapspushd]

/usr/sbin/spctl

[/usr/sbin/spctl --assess --type execute /Applications/OneDrive.app]

/usr/libexec/xpcproxy

[xpcproxy com.apple.assistantd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.bird]

/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd

[/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.nehelper]

/usr/libexec/nehelper

[/usr/libexec/nehelper]

/System/Library/PrivateFrameworks/CloudDocsDaemon.framework/Versions/A/Support/bird

[/System/Library/PrivateFrameworks/CloudDocsDaemon.framework/Versions/A/Support/bird]

/usr/libexec/xpcproxy

[xpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A]

/usr/libexec/neagent

[/usr/libexec/neagent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.pbs]

/System/Library/CoreServices/pbs

[/System/Library/CoreServices/pbs]

/bin/launchctl

[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveUpdaterDaemon]

/bin/launchctl

[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveStandaloneUpdaterDaemon]

/bin/sh

[sh -c mkdir /Users/root/181775276]

/bin/bash

[sh -c mkdir /Users/root/181775276]

/bin/mkdir

[mkdir /Users/root/181775276]

/bin/sh

[sh -c osascript -e 'display dialog "Some error occurred while running the application." buttons {"OK"} default button 1 with icon stop']

/bin/bash

[sh -c osascript -e 'display dialog "Some error occurred while running the application." buttons {"OK"} default button 1 with icon stop']

/usr/bin/osascript

[osascript -e display dialog "Some error occurred while running the application." buttons {"OK"} default button 1 with icon stop]

/usr/libexec/xpcproxy

[xpcproxy com.apple.ViewBridgeAuxiliary]

/System/Library/PrivateFrameworks/ViewBridge.framework/Versions/A/XPCServices/ViewBridgeAuxiliary.xpc/Contents/MacOS/ViewBridgeAuxiliary

[/System/Library/PrivateFrameworks/ViewBridge.framework/Versions/A/XPCServices/ViewBridgeAuxiliary.xpc/Contents/MacOS/ViewBridgeAuxiliary]

/usr/libexec/xpcproxy

[xpcproxy com.apple.sandboxd]

/usr/libexec/sandboxd

[/usr/libexec/sandboxd]

Network

Country Destination Domain Proto
US 52.182.143.208:443 tcp
US 8.8.8.8:53 bag-cdn-lb.itunes-apple.com.akadns.net udp
US 8.8.8.8:53 a1366.dscapi6.akamai.net udp
GB 104.91.71.86:443 a1366.dscapi6.akamai.net tcp
US 8.8.8.8:53 e4686.dsce9.akamaiedge.net udp
US 17.137.170.10:443 tcp
US 17.137.170.34:443 tcp
US 8.8.8.8:53 mobile.events.data.trafficmanager.net udp
US 52.182.143.208:443 tcp
US 8.8.8.8:53 e4686.dsce9.akamaiedge.net udp
GB 17.253.77.202:80 valid.apple.com tcp
GB 17.253.77.202:80 valid.apple.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 cds.apple.com udp
RO 82.78.25.240:443 cds.apple.com tcp

Files

/Library/Preferences/com.apple.networkextension.uuidcache.plist

MD5 ce7f5b3d4bfc7b4b0da6a06dccc515f2
SHA1 ce657a52a052a3aaf534ecfbf7cbdde4ee334c10
SHA256 9261ecceda608ef174256e5fdc774c1e6e3dcf533409c1bc393d490d01c713f1
SHA512 db9de6afa0e14c347aa0988a985b8a453ef133a2413c03bae0fab48bda34d4f9a488db104837a386bb65c393e8f11b1ed4856b211c1c186423649c147d6aabfb

/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/assistantd//mds/mdsObject.db

MD5 d3a1859e6ec593505cc882e6def48fc8
SHA1 f8e6728e3e9de477a75706faa95cead9ce13cb32
SHA256 3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c
SHA512 ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/assistantd//mds/mdsDirectory.db

MD5 0e4a0d1ceb2af6f0f8d0167ce77be2d3
SHA1 414ba4c1dc5fc8bf53d550e296fd6f5ad669918c
SHA256 cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030
SHA512 1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

/Library/Preferences/com.apple.networkextension.uuidcache.plist

MD5 520bb9b65b89f03050030e5a985b9cd1
SHA1 91defba6d4540d4c8ede177730d104d747e8f57b
SHA256 6bb23965fd46b9ffe67a1cdb2144943543894e063c05db3a4de54e94b84968a0
SHA512 81eebb3eda761a9ecc94aa9564deab4d476522d94025ec19e002e91b12b7fbf2bffda23e7c393c09cb91b6ecd953ec1bf39ef5f787058b70289a5a5d777f0cf6

/Users/run/Library/Caches/GeoServices/Resources/altitude-1168.xml

MD5 76ebb0196d42a294b69ef118cbb301d5
SHA1 61e5ab752d351af1661716bc48c0520f66cd1d1b
SHA256 aaa9febe98e3a75220b4933d1f00f2bef276183491e7d171fa54d03259812759
SHA512 8dde09d72944e8925c5bd64dc3799a44d7c30191d5038939a24f8a45ccf4d66b84990e8be3e0f2ee1d42d1dd6e5ed3673c39f803874fb0840a3232cc1e533663

/Users/run/Library/Caches/GeoServices/ActiveTileGroup.pbd

MD5 84aec7851af30046c1688e469e08aaab
SHA1 254bf5170a4f2eb1ac2f2685df3f713be6e5885e
SHA256 ff8a3621d9358058c05e7b7641784247927d18f75def94a0f402151bdd519447
SHA512 719c1eedabd5d4f3588dedee033fa961c3267c5617feeec4038ef2281db8ce0b9fa990658077b96f2fd1ec5d904304fac6615a2452b4af1126fec048a0ac5888

/Library/Preferences/com.apple.networkextension.uuidcache.plist

MD5 52ef57acdaa153c35594e46bde4fe42c
SHA1 c2a5b1748aa61c311b670ef319d92663e3f92b00
SHA256 58add3e6d1d91409a9ddd9bb9b7cb173f3ec1162905d907839ab007e43cf2d2a
SHA512 defea7dd6200a17dbf0b619e16efb2919dc14199e7f3cb6755b4e5f1fdc8fb2942fa9f7c8c4c19d9026acb0c64a7df0462c7e10685c7482e710e94ed15964209