Analysis Overview
SHA256
e766bc3bd8513eadc0d54e511049f1d35bc5c503aeef6cd38aa500d39d66da11
Threat Level: Known bad
The file Nursultan NextGen Crack.exe was found to be: Known bad.
Malicious Activity Summary
StormKitty payload
Xworm
StormKitty
Detect Xworm Payload
Command and Scripting Interpreter: PowerShell
Reads user/profile data of web browsers
Executes dropped EXE
Adds Run key to start application
Resource Forking
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-25 12:54
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-25 12:54
Reported
2024-06-25 12:57
Platform
win11-20240611-en
Max time kernel
147s
Max time network
152s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Nursultan NextGen Crack.exe | N/A |
| N/A | N/A | C:\Users\Admin\wininit | N/A |
| N/A | N/A | C:\Users\Admin\wininit | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "C:\\Users\\Admin\\wininit" | C:\Users\Admin\AppData\Roaming\Nursultan NextGen Crack.exe | N/A |
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Nursultan NextGen Crack.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Nursultan NextGen Crack.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\wininit | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\wininit | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Nursultan NextGen Crack.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Nursultan NextGen Crack.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan NextGen Crack.exe"
C:\Users\Admin\AppData\Roaming\Nursultan NextGen Crack.exe
"C:\Users\Admin\AppData\Roaming\Nursultan NextGen Crack.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\и.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\choice.exe
choice /c 12 /n /m "Enter your choice:"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Nursultan NextGen Crack.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Nursultan NextGen Crack.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\wininit'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'wininit'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "wininit" /tr "C:\Users\Admin\wininit"
C:\Users\Admin\wininit
C:\Users\Admin\wininit
C:\Users\Admin\wininit
C:\Users\Admin\wininit
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | seems-poet.gl.at.ply.gg | udp |
| US | 147.185.221.20:30996 | seems-poet.gl.at.ply.gg | tcp |
| US | 147.185.221.20:30996 | seems-poet.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 147.185.221.20:30996 | seems-poet.gl.at.ply.gg | tcp |
Files
memory/2780-0-0x00007FF880483000-0x00007FF880485000-memory.dmp
memory/2780-1-0x0000000000030000-0x000000000006A000-memory.dmp
C:\Users\Admin\AppData\Roaming\Nursultan NextGen Crack.exe
| MD5 | a9aee64b701db5f8cfc3c963872403b4 |
| SHA1 | 48079f6822d84ea354f301cdb97d2ecb59552e06 |
| SHA256 | f46d7ae8973b42a0cb892c6aa8d6a559b4cc1d0c67b1d5df3072c4f7f77b53fb |
| SHA512 | 696e745d488841c3b1a55a350d754b69a1d6b0d83fd9eac247229239951b12bfd98d8cbbcbfffd567966495a10950040edd77398702763071f6eeb50f13a3a1e |
memory/5116-17-0x0000000000080000-0x00000000000A6000-memory.dmp
C:\Users\Admin\AppData\Roaming\и.bat
| MD5 | 9885bc1f632421f329efe28818361344 |
| SHA1 | 9d0838fa885728361703a6e2b36e2aa3603b05ce |
| SHA256 | 6a218880f23edb2a809ee20919f355f80ef4a0b545c3d79ffa8c848441eced7a |
| SHA512 | ddb5252457e9e02a91073f58662cd2eb72d670827f5173e8705c9e41d55a4ba4efdab80f24371ff61573d250f7b8463ce05f9cec7c48085dcacd38cd21e65203 |
memory/5116-19-0x00007FF880480000-0x00007FF880F42000-memory.dmp
memory/2184-25-0x00000131D8D60000-0x00000131D8D82000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lv2jskwd.401.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 627073ee3ca9676911bee35548eff2b8 |
| SHA1 | 4c4b68c65e2cab9864b51167d710aa29ebdcff2e |
| SHA256 | 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c |
| SHA512 | 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | aa4f31835d07347297d35862c9045f4a |
| SHA1 | 83e728008935d30f98e5480fba4fbccf10cefb05 |
| SHA256 | 99c83bc5c531e49d4240700142f3425aba74e18ebcc23556be32238ffde9cce0 |
| SHA512 | ec3a4bee8335007b8753ae8ac42287f2b3bcbb258f7fc3fb15c9f8d3e611cb9bf6ae2d3034953286a34f753e9ec33f7495e064bab0e8c7fcedd75d6e5eb66629 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | bba038a5b7f0d834cccd3c07218dfd84 |
| SHA1 | d0e54860c01f4783d5973c4fceeaa04a8b15b59b |
| SHA256 | 3d27ee1f7890592931e39e357cd8ac14f522fa4bd7dfa8043435fd4d72db6d2d |
| SHA512 | 2bed9ad6a2aecd69e1431c3b929be9d91b485383d8d818ff173acb6f59ad5d04bf8cd9f678ca35c9208c87eef8ba3192ee0bb245c3937f474f6bfbf44d0b7d52 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6f0e62045515b66d0a0105abc22dbf19 |
| SHA1 | 894d685122f3f3c9a3457df2f0b12b0e851b394c |
| SHA256 | 529811e4d3496c559f3bd92cd877b93b719c3ac4834202aa76ab9e16e25f9319 |
| SHA512 | f78426df6032ee77f8c463446ab1c6bb4669ef7a2463dead831ec4ff83a07d7dc702d79372d8bcaf4594bf0fb6e11e9f027f3e0325de9b19be5f51b7b80ed54a |
memory/5116-63-0x00007FF880480000-0x00007FF880F42000-memory.dmp
memory/5116-64-0x00007FF880480000-0x00007FF880F42000-memory.dmp
memory/5116-65-0x000000001B8B0000-0x000000001B8BC000-memory.dmp
memory/5116-66-0x00007FF880480000-0x00007FF880F42000-memory.dmp
memory/5116-69-0x000000001C5D0000-0x000000001C6F0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\wininit.log
| MD5 | 2cbbb74b7da1f720b48ed31085cbd5b8 |
| SHA1 | 79caa9a3ea8abe1b9c4326c3633da64a5f724964 |
| SHA256 | e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3 |
| SHA512 | ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-25 12:54
Reported
2024-06-25 12:57
Platform
macos-20240611-en
Max time kernel
137s
Max time network
140s
Command Line
Signatures
Resource Forking
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | /System/Library/PrivateFrameworks/SystemMigration.framework/Resources/systemmigrationd | N/A | N/A |
| N/A | /System/Library/PrivateFrameworks/StorageKit.framework/Resources/storagekitd | N/A | N/A |
| N/A | /System/Library/PrivateFrameworks/PackageKit.framework/Resources/shove -f -s /Library/Apple/System/Library/InstallerSandboxes/.PKInstallSandboxManager-SystemSoftware/BDBEB0EA-9CEA-41B6-A54A-399E3D39BA99.activeSandbox/Root / | N/A | N/A |
| N/A | /System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy | N/A | N/A |
| N/A | /System/Library/PrivateFrameworks/PackageKit.framework/Resources/system_installd | N/A | N/A |
| N/A | "/System/Library/CoreServices/Software Update.app/Contents/Resources/softwareupdated" | N/A | N/A |
| N/A | "/System/Library/CoreServices/Software Update.app/Contents/Resources/suhelperd" | N/A | N/A |
| N/A | /System/Library/PrivateFrameworks/PackageKit.framework/Resources/install_monitor -t /private/var/run/installd.commit.pid | N/A | N/A |
| N/A | /System/Library/PrivateFrameworks/PackageKit.framework/Resources/efw_cache_update -c | N/A | N/A |
| N/A | /System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd | N/A | N/A |
| N/A | /System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storedownloadd | N/A | N/A |
Processes
/bin/sh
[sh -c sudo /bin/zsh -c "/Users/run/Nursultan NextGen Crack.exe"]
/bin/bash
[sh -c sudo /bin/zsh -c "/Users/run/Nursultan NextGen Crack.exe"]
/usr/bin/sudo
[sudo /bin/zsh -c /Users/run/Nursultan NextGen Crack.exe]
/bin/zsh
[/bin/zsh -c /Users/run/Nursultan NextGen Crack.exe]
/Users/run/Nursultan
[/Users/run/Nursultan NextGen Crack.exe]
Network
Files