Malware Analysis Report

2024-09-09 19:11

Sample ID 240518-bmxf1sda96
Target virus.zip
SHA256 38ac33f0f69975fa05bdf1708a496b8a044527cc0b455476a60ce4011ce20d22
Tags
evasion execution persistence privilege_escalation
Score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
7/10

SHA256

38ac33f0f69975fa05bdf1708a496b8a044527cc0b455476a60ce4011ce20d22

Threat Level: Shows suspicious behavior

The file virus.zip was found to show suspicious behavior.

Malicious Activity Summary

evasion execution persistence privilege_escalation

Login Items

JavaScript

Resource Forking

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-18 01:16

Signatures

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-18 01:16

Reported

2024-05-18 01:19

Platform

macos-20240410-en

Max time kernel

124s

Max time network

133s

Command Line

[sh -c sudo /bin/zsh -c "/Users/run/virus/virus.app/Contents/Resources/description.rtfd/TXT.rtf"]

Signatures

Resource Forking

evasion
Description Indicator Process Target
N/A /Users/run/virus/virus.app/Contents/Resources/description.rtfd/TXT.rtf N/A N/A
N/A sh /Users/run/virus/virus.app/Contents/Resources/description.rtfd/TXT.rtf N/A N/A
N/A /System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy N/A N/A
N/A sh -c "sudo /bin/zsh -c \"/Users/run/virus/virus.app/Contents/Resources/description.rtfd/TXT.rtf\"" N/A N/A
N/A sudo /bin/zsh -c /Users/run/virus/virus.app/Contents/Resources/description.rtfd/TXT.rtf N/A N/A
N/A /bin/zsh -c /Users/run/virus/virus.app/Contents/Resources/description.rtfd/TXT.rtf N/A N/A

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "/Users/run/virus/virus.app/Contents/Resources/description.rtfd/TXT.rtf"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Users/run/virus/virus.app/Contents/Resources/description.rtfd/TXT.rtf"]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/virus/virus.app/Contents/Resources/description.rtfd/TXT.rtf]

/bin/zsh

[/bin/zsh -c /Users/run/virus/virus.app/Contents/Resources/description.rtfd/TXT.rtf]

/Users/run/virus/virus.app/Contents/Resources/description.rtfd/TXT.rtf

[/Users/run/virus/virus.app/Contents/Resources/description.rtfd/TXT.rtf]

/bin/sh

[sh /Users/run/virus/virus.app/Contents/Resources/description.rtfd/TXT.rtf]

/bin/bash

[sh /Users/run/virus/virus.app/Contents/Resources/description.rtfd/TXT.rtf]

/usr/libexec/dmd

[/usr/libexec/dmd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.sysmond]

/usr/libexec/sysmond

[/usr/libexec/sysmond]

/usr/libexec/xpcproxy

[xpcproxy com.apple.security.cloudkeychainproxy3]

/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy

[/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy]

/usr/libexec/xpcproxy

[xpcproxy com.apple.geod]

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod

[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]

/usr/libexec/xpcproxy

[xpcproxy com.apple.geod]

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod

[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]

/usr/libexec/xpcproxy

[xpcproxy com.apple.secinitd]

/usr/libexec/secinitd

[/usr/libexec/secinitd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.pbs]

/System/Library/CoreServices/pbs

[/System/Library/CoreServices/pbs]

/usr/libexec/xpcproxy

[xpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A]

/usr/libexec/neagent

[/usr/libexec/neagent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.AddressBook.ContactsAccountsService]

/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService

[/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService]

/usr/sbin/spctl

[/usr/sbin/spctl --assess --type execute /Applications/OneDrive.app]

/usr/libexec/xpcproxy

[xpcproxy com.apple.assistantd]

/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd

[/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.suggestd]

/System/Library/PrivateFrameworks/CoreSuggestions.framework/Versions/A/Support/suggestd

[/System/Library/PrivateFrameworks/CoreSuggestions.framework/Versions/A/Support/suggestd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.knowledge-agent]

/usr/libexec/knowledge-agent

[/usr/libexec/knowledge-agent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.routined]

/usr/libexec/routined

[/usr/libexec/routined LAUNCHED_BY_LAUNCHD]

/usr/libexec/xpcproxy

[xpcproxy com.apple.siri.context.service]

/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService

[/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Maps.mapspushd]

/System/Library/CoreServices/mapspushd

[/System/Library/CoreServices/mapspushd]

/bin/launchctl

[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveUpdaterDaemon]

/bin/launchctl

[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveStandaloneUpdaterDaemon]

Network

Country Destination Domain Proto
US 20.189.173.2:443 tcp
US 8.8.8.8:53 bag-cdn-lb.itunes-apple.com.akadns.net udp
US 8.8.8.8:53 gspe1-ssl.ls.apple.com.edgesuite.net udp
NL 23.209.125.28:443 gspe1-ssl.ls.apple.com.edgesuite.net tcp
US 8.8.8.8:53 e4686.dsce9.akamaiedge.net udp
NL 72.246.172.153:443 tcp
US 8.8.8.8:53 a479.dscg4.akamai.net udp
NL 23.209.125.6:443 gspe1-ssl.ls.apple.com.edgesuite.net tcp
US 8.8.8.8:53 a479.dscg4.akamai.net udp
US 8.8.8.8:53 e10499.dsce9.akamaiedge.net udp
US 8.8.8.8:53 e4686.dsce9.akamaiedge.net udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 mobile.events.data.trafficmanager.net udp
US 20.42.73.25:443 tcp

Files

/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsObject.db

MD5 d3a1859e6ec593505cc882e6def48fc8
SHA1 f8e6728e3e9de477a75706faa95cead9ce13cb32
SHA256 3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c
SHA512 ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsDirectory.db

MD5 0e4a0d1ceb2af6f0f8d0167ce77be2d3
SHA1 414ba4c1dc5fc8bf53d550e296fd6f5ad669918c
SHA256 cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030
SHA512 1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

/var/db/locationd/Library/Caches/GeoServices/Resources/altitude-1281.xml

MD5 4b83b8564ef37e681421517132a79483
SHA1 c53490db81ccdf4012fc0a184cb6bed56d2fde3c
SHA256 49ee8902d335eaa69e7a62b890f8f49d776187965315cc8a628b2530e50418ff
SHA512 107ec81b0d99c3c02836bce271a16fe3cb86da2fc191090da10de548b9ec0b6731eb4c4d293a62810acd5f9e9ffc4511278d187aff26cc2c21ae338aefb5ca67

/Users/run/Library/Caches/GeoServices/ActiveTileGroup.pbd

MD5 d18f1d9d870f395f6724a4c0f1902083
SHA1 c6862ac370d9805784e96d38dded44a1f9dd6a80
SHA256 307f4b24659726735bf3cab92372c3686bf3e0eb7d24ef4932a49cb529d54d28
SHA512 020fb6ffc8045c3d207fd9570da9ee9f5d3884acaf5c1f7182bae765a3ed73d41a207c49fe2c8fc0317a07c62b177fbe749a9dd6ffc8fdf12211600b5eb2aff9

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-18 01:16

Reported

2024-05-18 01:19

Platform

macos-20240410-en

Max time kernel

144s

Max time network

142s

Command Line

[sh -c sudo /bin/zsh -c "/Users/run/virus/virus_test.py"]

Signatures

N/A

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "/Users/run/virus/virus_test.py"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Users/run/virus/virus_test.py"]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/virus/virus_test.py]

/bin/zsh

[/bin/zsh -c /Users/run/virus/virus_test.py]

/Users/run/virus/virus_test.py

[/Users/run/virus/virus_test.py]

/bin/sh

[sh /Users/run/virus/virus_test.py]

/bin/bash

[sh /Users/run/virus/virus_test.py]

/usr/libexec/xpcproxy

[xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E]

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService

[/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService]

Network

Country Destination Domain Proto
DE 20.52.64.201:443 tcp
DE 51.116.246.105:443 tcp
US 8.8.8.8:53 bag-cdn-lb.itunes-apple.com.akadns.net udp
GB 17.250.81.67:443 tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 cds.apple.com udp
BE 104.68.86.71:443 cds.apple.com tcp
US 8.8.8.8:53 help.apple.com udp
SE 23.34.233.79:443 help.apple.com tcp
SE 23.34.233.79:443 help.apple.com tcp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-18 01:16

Reported

2024-05-18 01:19

Platform

macos-20240410-en

Max time kernel

137s

Max time network

146s

Command Line

[sh -c sudo /bin/zsh -c "/Users/run/virus/virus.app/Contents/MacOS/applet"]

Signatures

Login Items

persistence privilege_escalation
Description Indicator Process Target
N/A "/System/Library/CoreServices/System Events.app/Contents/MacOS/System Events" N/A N/A

JavaScript

execution
Description Indicator Process Target
N/A "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java" -jar /Users/run/tmp/hello.jar N/A N/A

Resource Forking

evasion
Description Indicator Process Target
N/A /System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper N/A N/A
N/A /System/Library/Frameworks/ApplicationServices.framework/Frameworks/SpeechSynthesis.framework/Resources/com.apple.speech.speechsynthesisd N/A N/A

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "/Users/run/virus/virus.app/Contents/MacOS/applet"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Users/run/virus/virus.app/Contents/MacOS/applet"]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/virus/virus.app/Contents/MacOS/applet]

/bin/zsh

[/bin/zsh -c /Users/run/virus/virus.app/Contents/MacOS/applet]

/Users/run/virus/virus.app/Contents/MacOS/applet

[/Users/run/virus/virus.app/Contents/MacOS/applet]

/usr/libexec/xpcproxy

[xpcproxy com.apple.ViewBridgeAuxiliary]

/System/Library/PrivateFrameworks/ViewBridge.framework/Versions/A/XPCServices/ViewBridgeAuxiliary.xpc/Contents/MacOS/ViewBridgeAuxiliary

[/System/Library/PrivateFrameworks/ViewBridge.framework/Versions/A/XPCServices/ViewBridgeAuxiliary.xpc/Contents/MacOS/ViewBridgeAuxiliary]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Safari.2036]

/Applications/Safari.app/Contents/MacOS/Safari

[/Applications/Safari.app/Contents/MacOS/Safari]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Safari.History]

/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History

[/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History]

/usr/libexec/xpcproxy

[xpcproxy com.apple.WebKit.WebContent.BABCECE1-601C-433F-999F-9BEA5BAC045F 494]

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent

[/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent]

/usr/bin/pluginkit

[/usr/bin/pluginkit -e ignore -i com.microsoft.OneDrive.FinderSync]

/usr/libexec/xpcproxy

[xpcproxy com.apple.SafariLaunchAgent]

/Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariLaunchAgent

[/Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariLaunchAgent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.WebKit.WebContent.1B1E085A-ACC0-4016-948C-33409FE3A820 494]

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent

[/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent]

/usr/sbin/spctl

[/usr/sbin/spctl --assess --type execute /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/OneDriveUpdaterB516C108/OneDrive.app]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Safari.SafeBrowsing.Service]

/System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari.SafeBrowsing.Service

[/System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari.SafeBrowsing.Service]

/usr/libexec/xpcproxy

[xpcproxy com.apple.WebKit.WebContent.03DA995E-AA4B-447B-8EE1-CCC0449C570B 494]

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent

[/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.pbs]

/System/Library/CoreServices/pbs

[/System/Library/CoreServices/pbs]

/usr/libexec/xpcproxy

[xpcproxy com.apple.audio.AudioComponentRegistrar]

/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar

[/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar]

/usr/libexec/xpcproxy

[xpcproxy com.apple.audio.SandboxHelper 504]

/System/Library/Frameworks/AudioToolbox.framework/XPCServices/com.apple.audio.SandboxHelper.xpc/Contents/MacOS/com.apple.audio.SandboxHelper

[/System/Library/Frameworks/AudioToolbox.framework/XPCServices/com.apple.audio.SandboxHelper.xpc/Contents/MacOS/com.apple.audio.SandboxHelper]

/usr/libexec/xpcproxy

[xpcproxy com.apple.ScriptEditor2.1836]

/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor

[/System/Applications/Utilities/Script Editor.app/Contents/MacOS/Script Editor]

/usr/libexec/xpcproxy

[xpcproxy com.apple.spindump]

/usr/sbin/spindump

[/usr/sbin/spindump]

/usr/libexec/xpcproxy

[xpcproxy com.apple.tailspind]

/usr/libexec/tailspind

[/usr/libexec/tailspind]

/usr/libexec/xpcproxy

[xpcproxy com.apple.accessibility.mediaaccessibilityd]

/System/Library/Frameworks/MediaAccessibility.framework/Versions/A/XPCServices/com.apple.accessibility.mediaaccessibilityd.xpc/Contents/MacOS/com.apple.accessibility.mediaaccessibilityd

[/System/Library/Frameworks/MediaAccessibility.framework/Versions/A/XPCServices/com.apple.accessibility.mediaaccessibilityd.xpc/Contents/MacOS/com.apple.accessibility.mediaaccessibilityd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Safari.SearchHelper 494]

/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.SearchHelper.xpc/Contents/MacOS/com.apple.Safari.SearchHelper

[/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.SearchHelper.xpc/Contents/MacOS/com.apple.Safari.SearchHelper]

/usr/libexec/xpcproxy

[xpcproxy com.apple.coremedia.videodecoder 504]

/System/Library/Frameworks/VideoToolbox.framework/Versions/A/XPCServices/VTDecoderXPCService.xpc/Contents/MacOS/VTDecoderXPCService

[/System/Library/Frameworks/VideoToolbox.framework/Versions/A/XPCServices/VTDecoderXPCService.xpc/Contents/MacOS/VTDecoderXPCService]

/usr/libexec/xpcproxy

[xpcproxy com.apple.WebKit.WebContent.27464032-F963-4E3E-ADA2-54656F7CD744 494]

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent

[/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.systemevents.2156]

/System/Library/CoreServices/System Events.app/Contents/MacOS/System Events

[/System/Library/CoreServices/System Events.app/Contents/MacOS/System Events]

/usr/libexec/xpcproxy

[xpcproxy com.apple.FolderActionsDispatcher]

/System/Library/CoreServices/FolderActionsDispatcher.app/Contents/MacOS/FolderActionsDispatcher

[/System/Library/CoreServices/FolderActionsDispatcher.app/Contents/MacOS/FolderActionsDispatcher launchd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.speech.speechsynthesisd]

/System/Library/Frameworks/ApplicationServices.framework/Frameworks/SpeechSynthesis.framework/Resources/com.apple.speech.speechsynthesisd

[/System/Library/Frameworks/ApplicationServices.framework/Frameworks/SpeechSynthesis.framework/Resources/com.apple.speech.speechsynthesisd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.audio.AudioComponentRegistrar]

/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar

[/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar -daemon]

/usr/libexec/xpcproxy

[xpcproxy com.apple.audio.SandboxHelper 548]

/System/Library/Frameworks/AudioToolbox.framework/XPCServices/com.apple.audio.SandboxHelper.xpc/Contents/MacOS/com.apple.audio.SandboxHelper

[/System/Library/Frameworks/AudioToolbox.framework/XPCServices/com.apple.audio.SandboxHelper.xpc/Contents/MacOS/com.apple.audio.SandboxHelper]

/usr/libexec/xpcproxy

[xpcproxy com.apple.PerformanceAnalysis.animationperfd]

/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd

[/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.audio.SandboxHelper 508]

/System/Library/Frameworks/AudioToolbox.framework/XPCServices/com.apple.audio.SandboxHelper.xpc/Contents/MacOS/com.apple.audio.SandboxHelper

[/System/Library/Frameworks/AudioToolbox.framework/XPCServices/com.apple.audio.SandboxHelper.xpc/Contents/MacOS/com.apple.audio.SandboxHelper]

/usr/libexec/xpcproxy

[xpcproxy com.apple.ReportMemoryException]

/usr/libexec/xpcproxy

[xpcproxy com.apple.sysmond]

/usr/libexec/sysmond

[/usr/libexec/sysmond]

/usr/libexec/ReportMemoryException

[/usr/libexec/ReportMemoryException]

/usr/libexec/xpcproxy

[xpcproxy com.apple.coremedia.videodecoder 508]

/System/Library/Frameworks/VideoToolbox.framework/Versions/A/XPCServices/VTDecoderXPCService.xpc/Contents/MacOS/VTDecoderXPCService

[/System/Library/Frameworks/VideoToolbox.framework/Versions/A/XPCServices/VTDecoderXPCService.xpc/Contents/MacOS/VTDecoderXPCService]

/usr/libexec/xpcproxy

[xpcproxy com.apple.WebKit.WebContent.B6B411C5-373C-472B-B84B-F0A0797AF930 494]

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent

[/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.quicklook.ui.helper]

/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper

[/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper]

/usr/libexec/xpcproxy

[xpcproxy com.apple.JarLauncher.2128]

/System/Library/CoreServices/Jar Launcher.app/Contents/MacOS/Jar Launcher

[/System/Library/CoreServices/Jar Launcher.app/Contents/MacOS/Jar Launcher]

/usr/libexec/xpcproxy

[xpcproxy com.apple.metadata.mdwrite]

/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java

[/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/bin/java -jar /Users/run/tmp/hello.jar]

/usr/libexec/xpcproxy

[xpcproxy com.apple.spindump_agent]

/usr/libexec/spindump_agent

[/usr/libexec/spindump_agent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E]

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService

[/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService]

Network

Country Destination Domain Proto
US 8.8.8.8:53 itunes.apple.com udp
US 8.8.8.8:53 mobile.events.data.trafficmanager.net udp
US 20.189.173.23:443 tcp
US 8.8.8.8:53 www.youtube.com udp
GB 142.250.178.14:443 www.youtube.com tcp
US 8.8.8.8:53 safebrowsing.googleapis.com udp
US 8.8.8.8:53 i.ytimg.com udp
GB 216.58.213.22:443 i.ytimg.com tcp
US 8.8.8.8:53 rr5---sn-aigl6nz7.googlevideo.com udp
GB 74.125.168.106:443 rr5---sn-aigl6nz7.googlevideo.com tcp
GB 74.125.168.106:443 rr5---sn-aigl6nz7.googlevideo.com tcp
US 8.8.8.8:53 rr2---sn-aigl6nl7.googlevideo.com udp
GB 173.194.183.199:443 rr2---sn-aigl6nl7.googlevideo.com tcp
US 8.8.8.8:53 jnn-pa.googleapis.com udp
GB 142.250.187.202:443 jnn-pa.googleapis.com tcp
US 8.8.8.8:53 accounts.google.com udp
IE 209.85.203.84:443 accounts.google.com tcp
GB 142.250.178.14:443 www.youtube.com tcp
US 8.8.8.8:53 rr5---sn-5hnednsz.googlevideo.com udp
NL 74.125.8.234:443 rr5---sn-5hnednsz.googlevideo.com tcp
US 8.8.8.8:53 play.google.com udp
GB 142.250.179.238:443 play.google.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
GB 142.250.179.238:443 play.google.com tcp
NL 74.125.8.234:443 rr5---sn-5hnednsz.googlevideo.com tcp
GB 142.250.178.14:443 www.youtube.com tcp
US 8.8.8.8:53 api-glb-aeuw3b.smoot.apple.com udp
US 8.8.8.8:53 e6858.dscx.akamaiedge.net udp
US 8.8.8.8:53 e673.dsce9.akamaiedge.net udp
US 8.8.8.8:53 gateway.fe2.apple-dns.net udp
GB 74.125.168.106:443 rr5---sn-aigl6nz7.googlevideo.com tcp
GB 74.125.168.106:443 rr5---sn-aigl6nz7.googlevideo.com tcp
US 8.8.8.8:53 apis.apple.map.fastly.net udp
US 8.8.8.8:53 b._dns-sd._udp.0.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 db._dns-sd._udp.0.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 b._dns-sd._udp.0.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 db._dns-sd._udp.0.0.127.10.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 cds.apple.com udp
BE 104.68.86.71:443 cds.apple.com tcp
US 8.8.8.8:53 help.apple.com udp
SE 23.34.233.79:443 help.apple.com tcp
SE 23.34.233.79:443 help.apple.com tcp

Files

/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari//mds/mdsObject.db

MD5 d3a1859e6ec593505cc882e6def48fc8
SHA1 f8e6728e3e9de477a75706faa95cead9ce13cb32
SHA256 3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c
SHA512 ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari//mds/mdsDirectory.db

MD5 0e4a0d1ceb2af6f0f8d0167ce77be2d3
SHA1 414ba4c1dc5fc8bf53d550e296fd6f5ad669918c
SHA256 cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030
SHA512 1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

/Users/run/Library/Safari/Favicon Cache/favicons/3997C07B42738127C845BEB29CE06F3D

MD5 80f7367cb52983d2b58c2570460a9e9b
SHA1 8b1020b84f2c57bc43c0b0e504529fbd176fc694
SHA256 d7dd223f488a3dc314edecff758abc774093909d8cdaabb5c6b3f5a84a6f4be7
SHA512 ec16f486883b31551597eaa82406989c159a5e186ec33fcc8fbc85093d1ac758bfab065a9a8f91ef3087456cc2a0b2b097dbb074f567280f5ccf8f3838eaceb3

/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/malware,osx,url_expression

MD5 be13ab9ee2eedc98807c8be70bc99ed5
SHA1 cd46d37f1cabadebb7bb3109496a002fff3c65a6
SHA256 70d66e8777411496ec4ba22dbe698d458893cd75b060fcf83eaaf5f267035e31
SHA512 095ec61092f7a21a61fb8b8a2af7c17400d4f1dbbf1bc7312c3e6f435e38c79c02bca88a0e231ee23f65ff79baa2fdc0593771d5d8def1f9ce2c2e4261073fae

/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/social_engineering,osx,url_expression

MD5 1c340d4679654ca4e9908502c4a689a5
SHA1 f14a54a1b44d0d6ab445ff7f39dd01a9d0342978
SHA256 7870b294328070933cfa7f4dcc77ca50e730f38d03654bb6f6695b7dd6017eb4
SHA512 37532652e6785d93c09a12396433abdff05c525a6a86f8b31f17f4e446302fbf449c9b54240b2f501f900828f26e4c48c4dc3146cdacf3f1dd763cda09cedb21

/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/unwanted_software,osx,url_expression

MD5 21bf4966c41ddd6e5d414583b1c6ff0c
SHA1 ac171a6dedf0e74fddcfc963265d0595c9f1386b
SHA256 7ef26c376498df1635297bcccc9a0ce58942e193e411b17b4fc83373e839ebd4
SHA512 a457ba0b5a02cea44f982f6f5b3853790f05e215a6ade56961978e26023e9a9c7921a81ea9639eaf9d5b41c57be2424b8dacc8add6a179ea6f1b1665162a6f65

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-18 01:16

Reported

2024-05-18 01:19

Platform

macos-20240410-en

Max time kernel

150s

Max time network

154s

Command Line

[sh -c sudo /bin/zsh -c "osascript /Users/run/virus/virus.app/Contents/Resources/Scripts/main.scpt"]

Signatures

Resource Forking

evasion
Description Indicator Process Target
N/A sh -c "sudo /bin/zsh -c \"osascript /Users/run/virus/virus.app/Contents/Resources/Scripts/main.scpt\"" N/A N/A
N/A sudo /bin/zsh -c "osascript /Users/run/virus/virus.app/Contents/Resources/Scripts/main.scpt" N/A N/A
N/A /bin/zsh -c "osascript /Users/run/virus/virus.app/Contents/Resources/Scripts/main.scpt" N/A N/A
N/A osascript /Users/run/virus/virus.app/Contents/Resources/Scripts/main.scpt N/A N/A
N/A /System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy N/A N/A

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "osascript /Users/run/virus/virus.app/Contents/Resources/Scripts/main.scpt"]

/bin/bash

[sh -c sudo /bin/zsh -c "osascript /Users/run/virus/virus.app/Contents/Resources/Scripts/main.scpt"]

/usr/bin/sudo

[sudo /bin/zsh -c osascript /Users/run/virus/virus.app/Contents/Resources/Scripts/main.scpt]

/bin/zsh

[/bin/zsh -c osascript /Users/run/virus/virus.app/Contents/Resources/Scripts/main.scpt]

/usr/bin/osascript

[osascript /Users/run/virus/virus.app/Contents/Resources/Scripts/main.scpt]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Safari.2036]

/Applications/Safari.app/Contents/MacOS/Safari

[/Applications/Safari.app/Contents/MacOS/Safari]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Safari.History]

/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History

[/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History]

/usr/libexec/dmd

[/usr/libexec/dmd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.WebKit.WebContent.3EB713D4-3810-4AF8-AB43-FB23F12F88CE 525]

/usr/libexec/xpcproxy

[xpcproxy com.apple.siri.context.service]

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent

[/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent]

/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService

[/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService]

/usr/libexec/xpcproxy

[xpcproxy com.apple.geod]

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod

[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]

/usr/libexec/xpcproxy

[xpcproxy com.apple.geod]

/usr/libexec/xpcproxy

[xpcproxy com.apple.SafariLaunchAgent]

/Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariLaunchAgent

[/Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariLaunchAgent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.WebKit.WebContent.9423F688-400B-489A-8744-DB8BD3E782DD 525]

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent

[/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.akd]

/System/Library/PrivateFrameworks/AuthKit.framework/Versions/A/Support/akd

[/System/Library/PrivateFrameworks/AuthKit.framework/Versions/A/Support/akd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.CoreAuthentication.agent]

/System/Library/Frameworks/LocalAuthentication.framework/Support/coreauthd

[/System/Library/Frameworks/LocalAuthentication.framework/Support/coreauthd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.WebKit.WebContent.E0AFD0C0-33C5-4E99-AF44-EC70C2679373 525]

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent

[/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Safari.SafeBrowsing.Service]

/System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari.SafeBrowsing.Service

[/System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari.SafeBrowsing.Service]


Network


Files
