Malware Analysis Report

2024-09-23 03:23

Sample ID 240625-p5krtstfrk
Target Nursultan NextGen Crack.exe
SHA256 e766bc3bd8513eadc0d54e511049f1d35bc5c503aeef6cd38aa500d39d66da11
Tags: stormkitty xworm execution persistence rat spyware stealer trojan evasion
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10

SHA256

e766bc3bd8513eadc0d54e511049f1d35bc5c503aeef6cd38aa500d39d66da11

Threat Level: Known bad

The file Nursultan NextGen Crack.exe was found to be: Known bad.

Malicious Activity Summary

stormkitty xworm execution persistence rat spyware stealer trojan evasion

StormKitty payload

Xworm

StormKitty

Detect Xworm Payload

Command and Scripting Interpreter: PowerShell

Reads user/profile data of web browsers

Executes dropped EXE

Adds Run key to start application

Resource Forking

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-25 12:54

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-06-25 12:54

Reported

2024-06-25 12:57

Platform

win11-20240611-en

Max time kernel

147s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Nursultan NextGen Crack.exe"

Signatures

Detect Xworm Payload


StormKitty

stealer stormkitty

StormKitty payload


Xworm

trojan rat xworm

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Nursultan NextGen Crack.exe N/A
N/A N/A C:\Users\Admin\wininit N/A
N/A N/A C:\Users\Admin\wininit N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "C:\\Users\\Admin\\wininit" C:\Users\Admin\AppData\Roaming\Nursultan NextGen Crack.exe N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Nursultan NextGen Crack.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Nursultan NextGen Crack.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\wininit N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\wininit N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Nursultan NextGen Crack.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2780 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan NextGen Crack.exe C:\Users\Admin\AppData\Roaming\Nursultan NextGen Crack.exe
PID 2780 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan NextGen Crack.exe C:\Users\Admin\AppData\Roaming\Nursultan NextGen Crack.exe
PID 2780 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan NextGen Crack.exe C:\Windows\system32\cmd.exe
PID 2780 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan NextGen Crack.exe C:\Windows\system32\cmd.exe
PID 404 wrote to memory of 4792 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 404 wrote to memory of 4792 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 404 wrote to memory of 3236 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\choice.exe
PID 404 wrote to memory of 3236 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\choice.exe
PID 5116 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Roaming\Nursultan NextGen Crack.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5116 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Roaming\Nursultan NextGen Crack.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5116 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Roaming\Nursultan NextGen Crack.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5116 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Roaming\Nursultan NextGen Crack.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5116 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Roaming\Nursultan NextGen Crack.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5116 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Roaming\Nursultan NextGen Crack.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5116 wrote to memory of 944 N/A C:\Users\Admin\AppData\Roaming\Nursultan NextGen Crack.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5116 wrote to memory of 944 N/A C:\Users\Admin\AppData\Roaming\Nursultan NextGen Crack.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5116 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Roaming\Nursultan NextGen Crack.exe C:\Windows\System32\schtasks.exe
PID 5116 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Roaming\Nursultan NextGen Crack.exe C:\Windows\System32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Nursultan NextGen Crack.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan NextGen Crack.exe"

C:\Users\Admin\AppData\Roaming\Nursultan NextGen Crack.exe

"C:\Users\Admin\AppData\Roaming\Nursultan NextGen Crack.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\и.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\choice.exe

choice /c 12 /n /m "Enter your choice:"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Nursultan NextGen Crack.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Nursultan NextGen Crack.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\wininit'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'wininit'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "wininit" /tr "C:\Users\Admin\wininit"

C:\Users\Admin\wininit

C:\Users\Admin\wininit

C:\Users\Admin\wininit

C:\Users\Admin\wininit
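The command lines above are the whole persistence and defence-evasion chain of this sample: the dropped copy in AppData\Roaming launches four PowerShell instances that add Defender exclusions (by path and by process name) for itself and for C:\Users\Admin\wininit, registers a scheduled task that relaunches wininit every minute with the highest run level, and writes a Run key pointing at the same file. The genuine wininit.exe lives in C:\Windows\System32, so a file called "wininit" in a user profile is name masquerading. The following is an added example of detection logic run over those events; it is not part of the sandbox report and not the sample's code. The Sysmon-like event shape, the resolver-free rule thresholds and the pairing of the four PowerShell PIDs with the four Add-MpPreference lines (the report lists both but does not match them) are assumptions; the paths, command lines, PIDs and the Run-key value are transcribed from this report.

```python
"""Detection logic for the persistence and defence-evasion chain in behavioral1.

Added example: not part of the sandbox report and not the sample's code.
The Sysmon-like event shape is an assumption; paths, command lines, PIDs and
the Run-key value are transcribed from the report.  Which of the four
PowerShell PIDs ran which Add-MpPreference line is not stated there, so the
order below is assumed.
"""
import re
from collections import defaultdict

POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\System32\schtasks.exe"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\Nursultan NextGen Crack.exe"
COPY = r"C:\Users\Admin\AppData\Roaming\Nursultan NextGen Crack.exe"
WININIT = r"C:\Users\Admin\wininit"
RUN_KEY = r"\REGISTRY\USER\S-1-5-21-952492217-3293592999-1071733403-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit"

# Names of genuine Windows system binaries; the real ones live in C:\Windows\System32.
SYSTEM_BINARY_NAMES = {"wininit", "winlogon", "csrss", "lsass", "smss", "services", "svchost"}
PERSISTENCE_RULES = {"schtasks_persistence", "run_key_persistence"}
EXCLUSION_RE = re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+'?([^']+)'?", re.I)


def ps_exclusion(kind, value):
    """Rebuild an Add-MpPreference command line as it appears in the Processes list."""
    return f'"{POWERSHELL}" -ExecutionPolicy Bypass Add-MpPreference -Exclusion{kind} ' + f"'{value}'"


# Constructed event log transcribed from the report (the wininit launches carry no PID there).
EVENTS = [
    {"type": "process", "pid": 2780, "image": DROPPER, "cmdline": f'"{DROPPER}"'},
    {"type": "process", "pid": 5116, "image": COPY, "cmdline": f'"{COPY}"'},
    {"type": "process", "pid": 404, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\и.bat" "'},
    {"type": "process", "pid": 2184, "image": POWERSHELL, "cmdline": ps_exclusion("Path", COPY)},
    {"type": "process", "pid": 4908, "image": POWERSHELL,
     "cmdline": ps_exclusion("Process", "Nursultan NextGen Crack.exe")},
    {"type": "process", "pid": 1184, "image": POWERSHELL, "cmdline": ps_exclusion("Path", WININIT)},
    {"type": "process", "pid": 944, "image": POWERSHELL, "cmdline": ps_exclusion("Process", "wininit")},
    {"type": "process", "pid": 2920, "image": SCHTASKS,
     "cmdline": f'"{SCHTASKS}" /create /f /RL HIGHEST /sc minute /mo 1 /tn "wininit" /tr "{WININIT}"'},
    {"type": "registry", "pid": 5116, "image": COPY, "target": RUN_KEY, "details": WININIT},
    {"type": "process", "pid": None, "image": WININIT, "cmdline": WININIT},
]


def norm(path):
    return path.strip("\"'").lower()


def in_user_profile(path):
    return norm(path).startswith("c:\\users\\")


def masquerades_system_binary(path):
    """A system-binary name (with or without .exe) anywhere outside System32."""
    p = norm(path)
    stem = p.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return stem in SYSTEM_BINARY_NAMES and not p.startswith("c:\\windows\\system32\\")


def check_process(ev):
    hits, cmd, image = [], ev["cmdline"], norm(ev["image"])
    m = EXCLUSION_RE.search(cmd)
    if m and image.endswith("powershell.exe"):
        hits.append(("defender_exclusion", m.group(2)))
    if image.endswith("schtasks.exe") and re.search(r"/create\b", cmd, re.I):
        tr = re.search(r'/tr\s+"?([^"]+)"?', cmd, re.I)
        sc = re.search(r"/sc\s+(\w+)", cmd, re.I)
        mo = re.search(r"/mo\s+(\d+)", cmd, re.I)
        target = tr.group(1) if tr else ""
        # Flag tasks that run user-profile or look-alike binaries, or that fire every few minutes.
        rapid = sc is not None and sc.group(1).lower() == "minute" and (mo is None or int(mo.group(1)) <= 5)
        if in_user_profile(target) or masquerades_system_binary(target) or rapid:
            hits.append(("schtasks_persistence", target))
    if image.endswith("cmd.exe") and re.search(r'\\appdata\\(roaming|local)\\[^"]*\.bat\b', cmd, re.I):
        hits.append(("batch_from_appdata", cmd))
    if masquerades_system_binary(ev["image"]):
        hits.append(("system_binary_masquerade", ev["image"]))
    return hits


def check_registry(ev):
    if "\\currentversion\\run\\" in ev["target"].lower() and (
        in_user_profile(ev["details"]) or masquerades_system_binary(ev["details"])
    ):
        return [("run_key_persistence", ev["details"])]
    return []


def run(events):
    findings = []
    for ev in events:
        for rule, path in (check_registry(ev) if ev["type"] == "registry" else check_process(ev)):
            findings.append({"rule": rule, "pid": ev["pid"], "path": path})
    return findings


def correlate(findings):
    """Paths both excluded from Defender and registered for persistence: the chain itself."""
    rules_by_path = defaultdict(set)
    for f in findings:
        rules_by_path[norm(f["path"])].add(f["rule"])
    return {p for p, r in rules_by_path.items() if "defender_exclusion" in r and r & PERSISTENCE_RULES}


if __name__ == "__main__":
    found = run(EVENTS)
    for f in found:
        print(f"{f['rule']:<26} pid={f['pid']!s:<5} {f['path']}")
    print("excluded and persisted:", sorted(correlate(found)))
```

Each rule on its own is noisy: administrators do add Defender exclusions, and Run keys into the user profile are common for legitimate software. correlate() is the part worth keeping in a production rule: the same user-profile path appearing in an exclusion and in a persistence mechanism within one process tree is what makes this tree unambiguous.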

Network

Country Destination Domain Proto
US 8.8.8.8:53 seems-poet.gl.at.ply.gg udp
US 147.185.221.20:30996 seems-poet.gl.at.ply.gg tcp
US 147.185.221.20:30996 seems-poet.gl.at.ply.gg tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 147.185.221.20:30996 seems-poet.gl.at.ply.gg tcp
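The rows above mix two kinds of event. Rows to 8.8.8.8:53 are DNS queries sent to the sandbox's resolver, with the queried name in the third column; only the 147.185.221.20:30996 rows are connections to the resolved host. The 172.214.232.199.in-addr.arpa row is a reverse (PTR) lookup for 199.232.214.172, not a connection. The following is an added example, not part of the report, of splitting such a table into connection IOCs, forward lookups and reverse lookups. The rows are copied from the table; the resolver list and the reading of the columns as country, ip:port, name, protocol are the editor's assumptions about the sandbox output.

```python
"""Split the behavioral1 Network table into actionable IOCs.

Added example, not part of the report.  The rows are copied from the table
above; the resolver list and the column reading (country, ip:port, name,
protocol) are assumptions about the sandbox output.
"""
import ipaddress
import re

NETWORK_ROWS = """\
US 8.8.8.8:53 seems-poet.gl.at.ply.gg udp
US 147.185.221.20:30996 seems-poet.gl.at.ply.gg tcp
US 147.185.221.20:30996 seems-poet.gl.at.ply.gg tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 147.185.221.20:30996 seems-poet.gl.at.ply.gg tcp
"""

# Public resolvers the sandbox may use; a row to one of these on port 53 is a
# DNS query for the name in the third column, not a connection to that name.
RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "9.9.9.9"}
PTR_RE = re.compile(r"((?:\d{1,3}\.){4})in-addr\.arpa\.?", re.I)


def ptr_to_ip(name):
    """'d.c.b.a.in-addr.arpa' -> 'a.b.c.d'; None if the name is not a PTR query."""
    m = PTR_RE.fullmatch(name)
    if not m:
        return None
    ip = ".".join(reversed(m.group(1).rstrip(".").split(".")))
    ipaddress.IPv4Address(ip)  # raises ValueError on an out-of-range octet
    return ip


def parse_rows(text):
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, name, proto = parts
        elif len(parts) == 3:  # rows without a name column (e.g. bare multicast)
            (country, dest, proto), name = parts, ""
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port), "name": name, "proto": proto})
    return rows


def extract_iocs(rows):
    iocs = {"connections": set(), "domains": set(), "lookups": set(), "reverse_lookups": set()}
    for r in rows:
        if r["port"] == 53 and r["ip"] in RESOLVERS:
            ip = ptr_to_ip(r["name"])
            if ip:
                iocs["reverse_lookups"].add(ip)
            elif r["name"]:
                iocs["lookups"].add(r["name"].lower())
        else:
            iocs["connections"].add((r["ip"], r["port"], r["proto"]))
            if r["name"]:
                iocs["domains"].add(r["name"].lower())
    return iocs


if __name__ == "__main__":
    for kind, values in extract_iocs(parse_rows(NETWORK_ROWS)).items():
        print(kind, sorted(values))
```

Block the connection tuple and the domain; the resolver address itself is not an indicator, and the reverse-looked-up address is worth recording but is not shown here as a destination the sample connected to.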

Files

memory/2780-0-0x00007FF880483000-0x00007FF880485000-memory.dmp

memory/2780-1-0x0000000000030000-0x000000000006A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Nursultan NextGen Crack.exe

MD5 a9aee64b701db5f8cfc3c963872403b4
SHA1 48079f6822d84ea354f301cdb97d2ecb59552e06
SHA256 f46d7ae8973b42a0cb892c6aa8d6a559b4cc1d0c67b1d5df3072c4f7f77b53fb
SHA512 696e745d488841c3b1a55a350d754b69a1d6b0d83fd9eac247229239951b12bfd98d8cbbcbfffd567966495a10950040edd77398702763071f6eeb50f13a3a1e

memory/5116-17-0x0000000000080000-0x00000000000A6000-memory.dmp

C:\Users\Admin\AppData\Roaming\и.bat

MD5 9885bc1f632421f329efe28818361344
SHA1 9d0838fa885728361703a6e2b36e2aa3603b05ce
SHA256 6a218880f23edb2a809ee20919f355f80ef4a0b545c3d79ffa8c848441eced7a
SHA512 ddb5252457e9e02a91073f58662cd2eb72d670827f5173e8705c9e41d55a4ba4efdab80f24371ff61573d250f7b8463ce05f9cec7c48085dcacd38cd21e65203

memory/5116-19-0x00007FF880480000-0x00007FF880F42000-memory.dmp

memory/2184-25-0x00000131D8D60000-0x00000131D8D82000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lv2jskwd.401.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 627073ee3ca9676911bee35548eff2b8
SHA1 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA256 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA512 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 aa4f31835d07347297d35862c9045f4a
SHA1 83e728008935d30f98e5480fba4fbccf10cefb05
SHA256 99c83bc5c531e49d4240700142f3425aba74e18ebcc23556be32238ffde9cce0
SHA512 ec3a4bee8335007b8753ae8ac42287f2b3bcbb258f7fc3fb15c9f8d3e611cb9bf6ae2d3034953286a34f753e9ec33f7495e064bab0e8c7fcedd75d6e5eb66629

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bba038a5b7f0d834cccd3c07218dfd84
SHA1 d0e54860c01f4783d5973c4fceeaa04a8b15b59b
SHA256 3d27ee1f7890592931e39e357cd8ac14f522fa4bd7dfa8043435fd4d72db6d2d
SHA512 2bed9ad6a2aecd69e1431c3b929be9d91b485383d8d818ff173acb6f59ad5d04bf8cd9f678ca35c9208c87eef8ba3192ee0bb245c3937f474f6bfbf44d0b7d52

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6f0e62045515b66d0a0105abc22dbf19
SHA1 894d685122f3f3c9a3457df2f0b12b0e851b394c
SHA256 529811e4d3496c559f3bd92cd877b93b719c3ac4834202aa76ab9e16e25f9319
SHA512 f78426df6032ee77f8c463446ab1c6bb4669ef7a2463dead831ec4ff83a07d7dc702d79372d8bcaf4594bf0fb6e11e9f027f3e0325de9b19be5f51b7b80ed54a

memory/5116-63-0x00007FF880480000-0x00007FF880F42000-memory.dmp

memory/5116-64-0x00007FF880480000-0x00007FF880F42000-memory.dmp

memory/5116-65-0x000000001B8B0000-0x000000001B8BC000-memory.dmp

memory/5116-66-0x00007FF880480000-0x00007FF880F42000-memory.dmp

memory/5116-69-0x000000001C5D0000-0x000000001C6F0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\wininit.log

MD5 2cbbb74b7da1f720b48ed31085cbd5b8
SHA1 79caa9a3ea8abe1b9c4326c3633da64a5f724964
SHA256 e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
SHA512 ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-25 12:54

Reported

2024-06-25 12:57

Platform

macos-20240611-en

Max time kernel

137s

Max time network

140s

Command Line

[sh -c sudo /bin/zsh -c "/Users/run/Nursultan NextGen Crack.exe"]

Signatures

Resource Forking

evasion

Note: every indicator in this table is an Apple system daemon (installd, softwareupdated, CloudKeychainProxy and similar) started during the detonation, not the sample. The target is a Windows PE; apart from the launch of /Users/run/Nursultan itself, the macOS process list, network destinations and files below are background system activity, and the verdict and score rest on behavioral1.
Description Indicator Process Target
N/A /System/Library/PrivateFrameworks/SystemMigration.framework/Resources/systemmigrationd N/A N/A
N/A /System/Library/PrivateFrameworks/StorageKit.framework/Resources/storagekitd N/A N/A
N/A /System/Library/PrivateFrameworks/PackageKit.framework/Resources/shove -f -s /Library/Apple/System/Library/InstallerSandboxes/.PKInstallSandboxManager-SystemSoftware/BDBEB0EA-9CEA-41B6-A54A-399E3D39BA99.activeSandbox/Root / N/A N/A
N/A /System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy N/A N/A
N/A /System/Library/PrivateFrameworks/PackageKit.framework/Resources/system_installd N/A N/A
N/A "/System/Library/CoreServices/Software Update.app/Contents/Resources/softwareupdated" N/A N/A
N/A "/System/Library/CoreServices/Software Update.app/Contents/Resources/suhelperd" N/A N/A
N/A /System/Library/PrivateFrameworks/PackageKit.framework/Resources/install_monitor -t /private/var/run/installd.commit.pid N/A N/A
N/A /System/Library/PrivateFrameworks/PackageKit.framework/Resources/efw_cache_update -c N/A N/A
N/A /System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd N/A N/A
N/A /System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storedownloadd N/A N/A

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "/Users/run/Nursultan NextGen Crack.exe"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Users/run/Nursultan NextGen Crack.exe"]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/Nursultan NextGen Crack.exe]

/bin/zsh

[/bin/zsh -c /Users/run/Nursultan NextGen Crack.exe]

/Users/run/Nursultan

[/Users/run/Nursultan NextGen Crack.exe]

/usr/libexec/xpcproxy

[xpcproxy com.apple.pluginkit.pkd]

/usr/libexec/pkd

[/usr/libexec/pkd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.sysmond]

/usr/libexec/sysmond

[/usr/libexec/sysmond]

/usr/bin/pluginkit

[/usr/bin/pluginkit -e ignore -i com.microsoft.OneDrive.FinderSync]

/usr/sbin/spctl

[/usr/sbin/spctl --assess --type execute /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/OneDriveUpdater2E18A62F/OneDrive.app]

/usr/libexec/xpcproxy

[xpcproxy com.apple.PerformanceAnalysis.animationperfd]

/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd

[/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.geod]

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod

[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]

/usr/libexec/xpcproxy

[xpcproxy com.apple.security.cloudkeychainproxy3]

/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy

[/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy]

/usr/libexec/xpcproxy

[xpcproxy com.apple.TextInputMenuAgent]

/System/Library/CoreServices/TextInputMenuAgent.app/Contents/MacOS/TextInputMenuAgent

[/System/Library/CoreServices/TextInputMenuAgent.app/Contents/MacOS/TextInputMenuAgent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.TextInputSwitcher]

/System/Library/CoreServices/TextInputSwitcher.app/Contents/MacOS/TextInputSwitcher

[/System/Library/CoreServices/TextInputSwitcher.app/Contents/MacOS/TextInputSwitcher]

/usr/libexec/xpcproxy

[xpcproxy com.apple.AddressBook.ContactsAccountsService]

/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService

[/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService]

/usr/libexec/xpcproxy

[xpcproxy com.apple.suggestd]

/System/Library/PrivateFrameworks/CoreSuggestions.framework/Versions/A/Support/suggestd

[/System/Library/PrivateFrameworks/CoreSuggestions.framework/Versions/A/Support/suggestd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.knowledge-agent]

/usr/libexec/knowledge-agent

[/usr/libexec/knowledge-agent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.routined]

/usr/libexec/routined

[/usr/libexec/routined LAUNCHED_BY_LAUNCHD]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Maps.mapspushd]

/System/Library/CoreServices/mapspushd

[/System/Library/CoreServices/mapspushd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A]

/usr/libexec/neagent

[/usr/libexec/neagent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.siri.context.service]

/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService

[/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService]

/usr/libexec/xpcproxy

[xpcproxy com.apple.assistantd]

/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd

[/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.systemprofiler]

/System/Applications/Utilities/System Information.app/Contents/MacOS/System Information

[/System/Applications/Utilities/System Information.app/Contents/MacOS/System Information]

/usr/libexec/xpcproxy

[xpcproxy com.apple.ReportMemoryException]

/usr/libexec/ReportMemoryException

[/usr/libexec/ReportMemoryException]

/usr/libexec/xpcproxy

[xpcproxy com.apple.storedownloadd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.installd]

/System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd

[/System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd]

/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storedownloadd

[/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storedownloadd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.system_installd]

/System/Library/PrivateFrameworks/PackageKit.framework/Resources/system_installd

[/System/Library/PrivateFrameworks/PackageKit.framework/Resources/system_installd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.replayd]

/usr/libexec/replayd

[/usr/libexec/replayd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.bird]

/System/Library/PrivateFrameworks/CloudDocsDaemon.framework/Versions/A/Support/bird

[/System/Library/PrivateFrameworks/CloudDocsDaemon.framework/Versions/A/Support/bird]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Safari.CacheDeleteExtension 613]

/Applications/Safari.app/Contents/PlugIns/CacheDeleteExtension.appex/Contents/MacOS/CacheDeleteExtension

[/Applications/Safari.app/Contents/PlugIns/CacheDeleteExtension.appex/Contents/MacOS/CacheDeleteExtension]

/usr/libexec/xpcproxy

[xpcproxy com.apple.STMExtension.Trash 612]

/System/Library/PrivateFrameworks/StorageManagement.framework/PlugIns/TrashStorageExtension.appex/Contents/MacOS/TrashStorageExtension

[/System/Library/PrivateFrameworks/StorageManagement.framework/PlugIns/TrashStorageExtension.appex/Contents/MacOS/TrashStorageExtension]

/usr/libexec/xpcproxy

[xpcproxy com.apple.messages.StorageManagementExtension 612]

/System/Applications/Messages.app/Contents/PlugIns/Messages Storage Management Extension.appex/Contents/MacOS/Messages Storage Management Extension

[/System/Applications/Messages.app/Contents/PlugIns/Messages Storage Management Extension.appex/Contents/MacOS/Messages Storage Management Extension]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Photos.StorageManagementExtension 612]

/System/Applications/Photos.app/Contents/PlugIns/PhotosStorageExtension.appex/Contents/MacOS/PhotosStorageExtension

[/System/Applications/Photos.app/Contents/PlugIns/PhotosStorageExtension.appex/Contents/MacOS/PhotosStorageExtension]

/usr/libexec/xpcproxy

[xpcproxy com.apple.STMExtension.iOSFiles 612]

/System/Library/PrivateFrameworks/StorageManagement.framework/PlugIns/iOSFilesStorageExtension.appex/Contents/MacOS/iOSFilesStorageExtension

[/System/Library/PrivateFrameworks/StorageManagement.framework/PlugIns/iOSFilesStorageExtension.appex/Contents/MacOS/iOSFilesStorageExtension]

/usr/libexec/xpcproxy

[xpcproxy com.apple.STMExtension.AppleInternal 612]

/System/Library/PrivateFrameworks/StorageManagement.framework/PlugIns/AppleInternalStorageExtension.appex/Contents/MacOS/AppleInternalStorageExtension

[/System/Library/PrivateFrameworks/StorageManagement.framework/PlugIns/AppleInternalStorageExtension.appex/Contents/MacOS/AppleInternalStorageExtension]

/usr/libexec/xpcproxy

[xpcproxy com.apple.CloudDocsDaemon.StorageManagement 612]

/System/Applications/Music.app/Contents/PlugIns/MusicStorageExtension.appex/Contents/MacOS/MusicStorageExtension

[/System/Applications/Music.app/Contents/PlugIns/MusicStorageExtension.appex/Contents/MacOS/MusicStorageExtension]

/System/Library/PrivateFrameworks/CloudDocsDaemon.framework/PlugIns/CloudDocsStorageManagement.appex/Contents/MacOS/CloudDocsStorageManagement

[/System/Library/PrivateFrameworks/CloudDocsDaemon.framework/PlugIns/CloudDocsStorageManagement.appex/Contents/MacOS/CloudDocsStorageManagement]

/System/Applications/Podcasts.app/Contents/PlugIns/MacPodcastsStorageExtension.appex/Contents/MacOS/MacPodcastsStorageExtension

[/System/Applications/Podcasts.app/Contents/PlugIns/MacPodcastsStorageExtension.appex/Contents/MacOS/MacPodcastsStorageExtension]

/usr/libexec/xpcproxy

[xpcproxy com.apple.STMExtension.CloudFiles 612]

/System/Library/PrivateFrameworks/StorageManagement.framework/PlugIns/CloudFilesStorageExtension.appex/Contents/MacOS/CloudFilesStorageExtension

[/System/Library/PrivateFrameworks/StorageManagement.framework/PlugIns/CloudFilesStorageExtension.appex/Contents/MacOS/CloudFilesStorageExtension]

/usr/libexec/xpcproxy

[xpcproxy com.apple.STMExtension.OtherUsers 612]

/System/Library/PrivateFrameworks/StorageManagement.framework/PlugIns/OtherUsersStorageExtension.appex/Contents/MacOS/OtherUsersStorageExtension

[/System/Library/PrivateFrameworks/StorageManagement.framework/PlugIns/OtherUsersStorageExtension.appex/Contents/MacOS/OtherUsersStorageExtension]

/usr/libexec/xpcproxy

[xpcproxy com.apple.STMExtension.Mail 612]

/usr/libexec/xpcproxy

[xpcproxy com.apple.STMExtension.Applications 612]

/System/Applications/Mail.app/Contents/PlugIns/MailStorageManagement.appex/Contents/MacOS/MailStorageManagement

[/System/Applications/Mail.app/Contents/PlugIns/MailStorageManagement.appex/Contents/MacOS/MailStorageManagement]

/System/Library/PrivateFrameworks/StorageManagement.framework/PlugIns/ApplicationsStorageExtension.appex/Contents/MacOS/ApplicationsStorageExtension

[/System/Library/PrivateFrameworks/StorageManagement.framework/PlugIns/ApplicationsStorageExtension.appex/Contents/MacOS/ApplicationsStorageExtension]

/usr/libexec/xpcproxy

[xpcproxy com.apple.STMExtension.GarageBand 612]

/System/Library/PrivateFrameworks/StorageManagement.framework/PlugIns/GarageBandStorageExtension.appex/Contents/MacOS/GarageBandStorageExtension

[/System/Library/PrivateFrameworks/StorageManagement.framework/PlugIns/GarageBandStorageExtension.appex/Contents/MacOS/GarageBandStorageExtension]

/System/Applications/TV.app/Contents/PlugIns/TVStorageExtension.appex/Contents/MacOS/TVStorageExtension

[/System/Applications/TV.app/Contents/PlugIns/TVStorageExtension.appex/Contents/MacOS/TVStorageExtension]

/usr/libexec/xpcproxy

[xpcproxy com.apple.iBooksX.DiskSpaceEfficiency]

/System/Applications/Books.app/Contents/PlugIns/DiskSpaceEfficiency.appex/Contents/MacOS/DiskSpaceEfficiency

[/System/Applications/Books.app/Contents/PlugIns/DiskSpaceEfficiency.appex/Contents/MacOS/DiskSpaceEfficiency]

/usr/libexec/xpcproxy

[xpcproxy com.apple.CloudPhotosConfiguration]

/System/Library/PrivateFrameworks/CloudPhotoServices.framework/Versions/A/XPCServices/com.apple.CloudPhotosConfiguration.xpc/Contents/MacOS/com.apple.CloudPhotosConfiguration

[/System/Library/PrivateFrameworks/CloudPhotoServices.framework/Versions/A/XPCServices/com.apple.CloudPhotosConfiguration.xpc/Contents/MacOS/com.apple.CloudPhotosConfiguration]

/usr/libexec/xpcproxy

[xpcproxy com.apple.akd]

/System/Library/PrivateFrameworks/AuthKit.framework/Versions/A/Support/akd

[/System/Library/PrivateFrameworks/AuthKit.framework/Versions/A/Support/akd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.automountd]

/usr/libexec/automountd

[automountd]

/usr/libexec/od_user_homes

[/usr/libexec/od_user_homes .localized]

/usr/libexec/xpcproxy

[xpcproxy com.apple.installandsetup.systemmigrationd]

/System/Library/PrivateFrameworks/SystemMigration.framework/Resources/systemmigrationd

[/System/Library/PrivateFrameworks/SystemMigration.framework/Resources/systemmigrationd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.storagekitd]

/System/Library/PrivateFrameworks/StorageKit.framework/Resources/storagekitd

[/System/Library/PrivateFrameworks/StorageKit.framework/Resources/storagekitd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.ReportCrash]

/usr/libexec/xpcproxy

[xpcproxy com.apple.iconservices.iconservicesagent]

/System/Library/CoreServices/iconservicesagent

[/System/Library/CoreServices/iconservicesagent runAsRoot]

/usr/libexec/od_user_homes

[/usr/libexec/od_user_homes .localized]

/usr/libexec/xpcproxy

[xpcproxy com.apple.icloud.findmydeviced]

/usr/libexec/findmydeviced

[/usr/libexec/findmydeviced]

/usr/bin/csrutil

[/usr/bin/csrutil status]

/usr/libexec/xpcproxy

[xpcproxy com.apple.spindump]

/usr/sbin/spindump

[/usr/sbin/spindump]

/usr/libexec/xpcproxy

[xpcproxy com.apple.tailspind]

/usr/libexec/tailspind

[/usr/libexec/tailspind]

/usr/libexec/xpcproxy

[xpcproxy com.apple.spindump_agent]

/usr/libexec/spindump_agent

[/usr/libexec/spindump_agent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.pbs]

/System/Library/CoreServices/pbs

[/System/Library/CoreServices/pbs]

/usr/libexec/xpcproxy

[xpcproxy com.apple.softwareupdated]

/usr/libexec/xpcproxy

[xpcproxy com.apple.mobile.keybagd]

/usr/libexec/keybagd

[/usr/libexec/keybagd -t 15]

/System/Library/CoreServices/Software Update.app/Contents/Resources/softwareupdated

[/System/Library/CoreServices/Software Update.app/Contents/Resources/softwareupdated]

/usr/libexec/xpcproxy

[xpcproxy com.apple.suhelperd]

/System/Library/CoreServices/Software Update.app/Contents/Resources/suhelperd

[/System/Library/CoreServices/Software Update.app/Contents/Resources/suhelperd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.TextEdit.2092]

/System/Applications/TextEdit.app/Contents/MacOS/TextEdit

[/System/Applications/TextEdit.app/Contents/MacOS/TextEdit]

/usr/libexec/xpcproxy

[xpcproxy com.apple.quicklook.satellite.BA89B14E-7E09-4B70-8547-6D5FD67592AF 560]

/System/Library/Frameworks/QuickLook.framework/Versions/A/XPCServices/QuickLookSatellite.xpc/Contents/MacOS/QuickLookSatellite

[/System/Library/Frameworks/QuickLook.framework/Versions/A/XPCServices/QuickLookSatellite.xpc/Contents/MacOS/QuickLookSatellite]

/System/Library/PrivateFrameworks/PackageKit.framework/Resources/install_monitor

[/System/Library/PrivateFrameworks/PackageKit.framework/Resources/install_monitor -t /private/var/run/installd.commit.pid]

/System/Library/PrivateFrameworks/PackageKit.framework/Resources/shove

[/System/Library/PrivateFrameworks/PackageKit.framework/Resources/shove -f -s /Library/Apple/System/Library/InstallerSandboxes/.PKInstallSandboxManager-SystemSoftware/BDBEB0EA-9CEA-41B6-A54A-399E3D39BA99.activeSandbox/Root /]

/System/Library/PrivateFrameworks/PackageKit.framework/Resources/efw_cache_update

[/System/Library/PrivateFrameworks/PackageKit.framework/Resources/efw_cache_update -c]

/System/Library/CoreServices/ReportCrash

[/System/Library/CoreServices/ReportCrash agent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.adid]

/System/Library/PrivateFrameworks/CoreADI.framework/adid

[/System/Library/PrivateFrameworks/CoreADI.framework/adid]

/usr/libexec/xpcproxy

[xpcproxy com.apple.ReportMemoryException]

/usr/libexec/xpcproxy

[xpcproxy com.apple.ReportCrash.Root]

/System/Library/CoreServices/ReportCrash

[/System/Library/CoreServices/ReportCrash daemon]

/usr/libexec/ReportMemoryException

[/usr/libexec/ReportMemoryException]

/usr/libexec/xpcproxy

[xpcproxy com.apple.coreduetd]

/usr/libexec/coreduetd

[/usr/libexec/coreduetd]

/usr/libexec/od_user_homes

[/usr/libexec/od_user_homes .localized]

/usr/libexec/xpcproxy

[xpcproxy com.apple.AddressBook.ContactsAccountsService]

/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService

[/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService]

/usr/libexec/xpcproxy

[xpcproxy com.apple.contacts.donation-agent]

/System/Library/PrivateFrameworks/ContactsDonation.framework/Versions/A/Support/contactsdonationagent

[/System/Library/PrivateFrameworks/ContactsDonation.framework/Versions/A/Support/contactsdonationagent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.mobile.keybagd]

/usr/libexec/keybagd

[/usr/libexec/keybagd -t 15]

/usr/libexec/xpcproxy

[xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E]

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService

[/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService]

Network

Country Destination Domain Proto
US 8.8.8.8:53 b._dns-sd._udp.0.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 db._dns-sd._udp.0.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 b._dns-sd._udp.0.0.127.10.in-addr.arpa udp
US 8.8.8.8:53 db._dns-sd._udp.0.0.127.10.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 mobile.events.data.trafficmanager.net udp
US 20.189.173.6:443 tcp
US 8.8.8.8:53 api.apple-cloudkit.fe2.apple-dns.net udp
US 8.8.8.8:53 gspe1-ssl.ls.apple.com.edgesuite.net udp
US 8.8.8.8:53 e4686.dsce9.akamaiedge.net udp
GB 104.77.118.129:443 tcp
US 8.8.8.8:53 bag-cdn.itunes-apple.com.akadns.net udp
US 8.8.8.8:53 gsp-ssl.ls.apple.com udp
GB 17.253.77.203:443 gsp-ssl.ls.apple.com tcp
US 8.8.8.8:53 gsp64-ssl.ls-apple.com.akadns.net udp
GB 17.57.146.13:5223 tcp
US 8.8.8.8:53 50-courier.push.apple.com udp
US 8.8.8.8:53 swcdn.apple.com udp
US 151.101.3.8:80 swcdn.apple.com tcp
US 8.8.8.8:53 e673.dsce9.akamaiedge.net udp
US 8.8.8.8:53 cds.apple.com udp
US 23.219.244.63:443 cds.apple.com tcp
US 8.8.8.8:53 help.apple.com udp
GB 2.21.189.171:443 help.apple.com tcp
GB 2.21.189.171:443 help.apple.com tcp

Files

/Users/run/Library/Caches/GeoServices/ActiveTileGroup.pbd

MD5 3c6a5bdddbb2396e0e73a6690143a846
SHA1 5576206e58a6833df45d2fd5bafc2ced944d90a5
SHA256 7eaacc3cc2d691d501f45c374478f7a0f032fa2230b3ee3f40dd62e04926b715
SHA512 721c195652f16e0227ac1a4b952f4e548ac29befa0dbe84d8395db14d83e2d91999bbf0d0df6f6c2b7cb1af009cc7b0701d4933d05b08b31bfde049914a6362f

/Users/run/Library/Caches/GeoServices/Experiments.pbd

MD5 3f91fb8618cf8705b18c10dc24c36519
SHA1 84bb6878edca2b32925f7be76c1700e3bbcaf27b
SHA256 651d1b426e76b6b1cfba5979cffac9be31ac4071d81515e31c3cb0f6bd2e45bf
SHA512 dbe693b3ec9e34033cc7aaa977a189586d4c30d72ea4474a755108d2c87fdbb842f518c7f2f4216fd9ddda9fc4891e3e8a8dca918680278b83724cdd20ddb2de

/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/assistantd//mds/mdsObject.db

MD5 d3a1859e6ec593505cc882e6def48fc8
SHA1 f8e6728e3e9de477a75706faa95cead9ce13cb32
SHA256 3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c
SHA512 ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/assistantd//mds/mdsDirectory.db

MD5 0e4a0d1ceb2af6f0f8d0167ce77be2d3
SHA1 414ba4c1dc5fc8bf53d550e296fd6f5ad669918c
SHA256 cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030
SHA512 1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

/var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T/SMIncompatibleAppUpdate/CFNetworkDownload_gfj27S.tmp

MD5 8ac8e766276bb799857b359b3a4f2347
SHA1 075fe1052e1e6de0a38aaa7711a54e8a77bb65f8
SHA256 a0ee16e403dd8609ce56b56a111b2926b591d368b6e99a41c836beb280dcf687
SHA512 60f88aacc4d89e7a52aa30a469b430f781006fac52b320c2acd05d8f3ace9638a042fa0b0000885293cf6ee391915e7d68ffc656f4056fcb6de3b638d52a6439

/Library/Apple/System/Library/InstallerSandboxes/.PKInstallSandboxManager-SystemSoftware/BDBEB0EA-9CEA-41B6-A54A-399E3D39BA99.activeSandbox/Boms/com.apple.pkg.IncompatibleAppList.10_15.16U1923.bom

MD5 2f0f49de9ad6128f83b55002ddc0c733
SHA1 348b668dd78199b508fa73253568f3024a03410f
SHA256 4bde0dc120c8239b758f62e655e23be5f09b41f32f666bffa05e0104e8109d46
SHA512 6ed163e207886dd7661e67944197ef84c663eb129ca8c988d2fade90fa7e626b581627165521b3e9a8be77c04c12936ac40e1311750c2ad0aae4f6707910a4aa

/private/var/run/installd.commit.pid

MD5 85fc37b18c57097425b52fc7afbb6969
SHA1 dc51d239fbced2ce3562b4cf820eac1e2b2344c7
SHA256 90b0ce469fbd8e30a2862bb24d562dc641c534a9b43c7c33c25cfaefe25e5e47
SHA512 5f48cf37c08a7ffeb3ae8b3ec66162c97e915e80245844e8ea2142ee7885ae9660a08d552d27a558f8e331108e54d467c2a57168576e8a54bcd48afac8cb9401

/var/db/fpsd/adi/adi.pb

MD5 e2384aeda4d3ba4e615cf1bc4ccd2a7f
SHA1 c02ac1df5d31e043d7ac85095e7922c1cc80d5ab
SHA256 8fe049bc9e3f9c2f9ccc08d993014c99cf7dc274e16f268574eb2d92816757cd
SHA512 656b3dafb0de2997fa01f1e27afac3cad82204657a5df249e3dfe720f6391ddb1d2faf16c3860397e535a788b33d0a92c7f0ebc67200ccac54724dd5faa02b36

/private/var/db//keybags/persona.kb

MD5 45470925605843090b70a58026b0aa31
SHA1 dd267ff58a8c0401e701735fea784657ec5c49cd
SHA256 773f492fbd23cb2e16a6f336ca9a931b86bb50fcb510b58eec0147eb3fa8daef
SHA512 e52e9a24da527a5c0e8529f9511525b2908f196b9422cd5a76604208635ed513eeaf0b6be672691713d32f37138f0e0774a8572e863c3e3cc3f7eedd7a79b03e