d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

Analysis

max time kernel
201s
max time network
202s
platform
macos-10.15_amd64
resource
macos-20241101-en
resource tags

arch:amd64arch:i386image:macos-20241101-enkernel:19b77alocale:en-usos:macos-10.15-amd64system
submitted
02-12-2024 11:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

070E0202839D9D67350CD2613E78E416
Size

1KB
MD5

55540a230bdab55187a841cfe1aa1545
SHA1

363e4734f757bdeb89868efe94907774a327695e
SHA256

d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb
SHA512

c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Score

6^/10

evasion

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
50	drive.google.com
52	drive.google.com
62	drive.google.com
72	discord.com
73	discord.com

Resource Forking 1 TTPs 22 IoCs

Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.

evasion

Resource Forking

T1564.009

ioc	Process
/System/Library/PreferencePanes/Wallet.prefPane/Contents/Resources/walletAvailabilityCheckTool	Process not Found
/System/Library/PrivateFrameworks/DiskImages.framework/Resources/diskimages-helper -uuid 6A6C6A9B-8824-49FA-AB5F-FFDB8DADB42C -post-exec 4	Process not Found
/System/Library/Filesystems/hfs.fs/Contents/Resources/./hfs.util -k disk3s1	Process not Found
/System/Library/Filesystems/hfs.fs/Contents/Resources/./fsck_hfs -q /dev/rdisk3s1	Process not Found
/System/Library/Filesystems/hfs.fs/Contents/Resources/./hfs.util -k disk3s1	Process not Found
/System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer	Process not Found
/System/Library/PreferencePanes/Sidecar.prefPane/Contents/Resources/sidecarPrefCheck	Process not Found
/System/Library/PreferencePanes/TouchID.prefPane/Contents/Resources/AllowPasswordPref	Process not Found
"/System/Library/PrivateFrameworks/DiskImages.framework/Versions/A/Resources/DiskImages UI Agent.app/Contents/MacOS/DiskImages UI Agent" 6A6C6A9B-8824-49FA-AB5F-FFDB8DADB42C	Process not Found
/System/Library/Filesystems/hfs.fs/Contents/Resources/./fsck_hfs -q /dev/rdisk3s1	Process not Found
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/system_installd	Process not Found
/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storedownloadd	Process not Found
"/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater" -bgcheck	Process not Found
/System/Library/PreferencePanes/ClassroomSettings.prefPane/Contents/Resources/ClassroomSettingsVisibilityCheckTool	Process not Found
/System/Library/PrivateFrameworks/DiskImages.framework/Resources/diskimages-helper -uuid 6A6C6A9B-8824-49FA-AB5F-FFDB8DADB42C	Process not Found
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd	Process not Found
/System/Library/PreferencePanes/Profiles.prefPane/Contents/Resources/CPPrefPaneEnabledTool	Process not Found
/System/Library/Filesystems/hfs.fs/Contents/Resources/./hfs.util -p disk3s1 removable readonly	Process not Found
/System/Library/PrivateFrameworks/DiskImages.framework/Resources/hdiejectd	Process not Found
/System/Library/PrivateFrameworks/DiskImages.framework/Resources/hdiejectd	Process not Found
/System/Library/Filesystems/hfs.fs/Contents/Resources/./hfs.util -p disk3s1 removable readonly	Process not Found
/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper	Process not Found

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/070E0202839D9D67350CD2613E78E416\""
1⤵
PID:457

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/070E0202839D9D67350CD2613E78E416\""
1⤵
PID:457

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/070E0202839D9D67350CD2613E78E416
1⤵
PID:457
- /bin/zsh
  /bin/zsh -c /Users/run/070E0202839D9D67350CD2613E78E416
  2⤵
  PID:460
- /Users/run/070E0202839D9D67350CD2613E78E416
  /Users/run/070E0202839D9D67350CD2613E78E416
  2⤵
  PID:460

/usr/libexec/pkreporter
/usr/libexec/pkreporter
1⤵
PID:448

/System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer
/System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer
1⤵
PID:451

/System/Library/CoreServices/Applications/Feedback Assistant.app/Contents/Library/LaunchServices/seedusaged
"/System/Library/CoreServices/Applications/Feedback Assistant.app/Contents/Library/LaunchServices/seedusaged"
1⤵
PID:442

/System/Library/PrivateFrameworks/SpeechObjects.framework/Versions/A/SpeechDataInstallerd.app/Contents/MacOS/SpeechDataInstallerd
/System/Library/PrivateFrameworks/SpeechObjects.framework/Versions/A/SpeechDataInstallerd.app/Contents/MacOS/SpeechDataInstallerd
1⤵
PID:444

/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater
"/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater" -bgcheck
1⤵
PID:453

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.2028
1⤵
PID:482

/Applications/Safari.app/Contents/MacOS/Safari
/Applications/Safari.app/Contents/MacOS/Safari
1⤵
PID:482

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.History
1⤵
PID:483

/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History
/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History
1⤵
PID:483

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.B321BB91-C13E-4826-84F4-06B9FD3BA4D3 482
1⤵
PID:484

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:484

/usr/libexec/xpcproxy
xpcproxy com.apple.SafariLaunchAgent
1⤵
PID:489

/Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariLaunchAgent
/Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariLaunchAgent
1⤵
PID:489

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.AFE9484F-36C7-4A66-9C0F-AEE38EC877F1 482
1⤵
PID:490

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:490

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.SafeBrowsing.Service
1⤵
PID:497

/System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari.SafeBrowsing.Service
/System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari.SafeBrowsing.Service
1⤵
PID:497

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.6A49B724-BC20-499F-81A1-DFDDC62C5C71 482
1⤵
PID:498

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:498

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.SearchHelper 482
1⤵
PID:500

/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.SearchHelper.xpc/Contents/MacOS/com.apple.Safari.SearchHelper
/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.SearchHelper.xpc/Contents/MacOS/com.apple.Safari.SearchHelper
1⤵
PID:500

/usr/libexec/xpcproxy
xpcproxy com.apple.nsurlstoraged
1⤵
PID:501

/usr/libexec/nsurlstoraged
/usr/libexec/nsurlstoraged --privileged
1⤵
PID:501

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.388F5C3C-11EF-44EF-9F8F-3141DC50BF79 482
1⤵
PID:502

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:502

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.88ED1D65-3EA1-4FFD-AFB8-725465F22FF1 482
1⤵
PID:507

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:507

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.9266F49B-12CF-4FC6-B43F-2C7A0A2D06EB 482
1⤵
PID:510

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:510

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.291ED6A5-9FA9-4025-AE00-5CFE50B054FF 482
1⤵
PID:513

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:513

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.E30871BE-D936-4C84-BE84-6ED5D7ED95B7 482
1⤵
PID:514

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:514

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.345D44D2-78E4-4B5D-AACA-2C9D0882D96E 482
1⤵
PID:515

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:515

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.93B4E1C2-C9E6-4A23-9E36-37FA6D1C5AB6 482
1⤵
PID:516

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:516

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.2BA68A55-E768-4316-BCF2-1A1F25411C0A 482
1⤵
PID:517

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:517

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.8E4772F7-946C-4386-8A88-7CB2A822E825 482
1⤵
PID:518

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:518

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.39CFC6FE-84BF-4236-ABCF-CFE7646FAF85 482
1⤵
PID:519

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:519

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.D22FC1A1-F502-46E3-A685-884DA3DB8B5D 482
1⤵
PID:520

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:520

/usr/libexec/xpcproxy
xpcproxy com.apple.WebKit.WebContent.7877DEDB-F600-4830-986F-B57922575D34 482
1⤵
PID:521

/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
1⤵
PID:521

/usr/libexec/xpcproxy
xpcproxy com.apple.systempreferences.2140
1⤵
PID:524

/System/Applications/System Preferences.app/Contents/MacOS/System Preferences
"/System/Applications/System Preferences.app/Contents/MacOS/System Preferences"
1⤵
PID:524

/usr/libexec/xpcproxy
xpcproxy com.apple.AccountProfileRemoteViewService 524
1⤵
PID:525

/System/Library/PrivateFrameworks/AOSUI.framework/Versions/A/XPCServices/AccountProfileRemoteViewService.xpc/Contents/MacOS/AccountProfileRemoteViewService
/System/Library/PrivateFrameworks/AOSUI.framework/Versions/A/XPCServices/AccountProfileRemoteViewService.xpc/Contents/MacOS/AccountProfileRemoteViewService
1⤵
PID:525

/System/Library/PreferencePanes/ClassroomSettings.prefPane/Contents/Resources/ClassroomSettingsVisibilityCheckTool
/System/Library/PreferencePanes/ClassroomSettings.prefPane/Contents/Resources/ClassroomSettingsVisibilityCheckTool
1⤵
PID:526

/System/Library/PreferencePanes/Profiles.prefPane/Contents/Resources/CPPrefPaneEnabledTool
/System/Library/PreferencePanes/Profiles.prefPane/Contents/Resources/CPPrefPaneEnabledTool
1⤵
PID:527

/System/Library/PreferencePanes/Sidecar.prefPane/Contents/Resources/sidecarPrefCheck
/System/Library/PreferencePanes/Sidecar.prefPane/Contents/Resources/sidecarPrefCheck
1⤵
PID:528

/System/Library/PreferencePanes/TouchID.prefPane/Contents/Resources/AllowPasswordPref
/System/Library/PreferencePanes/TouchID.prefPane/Contents/Resources/AllowPasswordPref
1⤵
PID:529

/System/Library/PreferencePanes/Wallet.prefPane/Contents/Resources/walletAvailabilityCheckTool
/System/Library/PreferencePanes/Wallet.prefPane/Contents/Resources/walletAvailabilityCheckTool
1⤵
PID:530

/usr/libexec/xpcproxy
xpcproxy com.apple.studentd
1⤵
PID:531

/usr/libexec/studentd
/usr/libexec/studentd
1⤵
PID:531

/usr/libexec/xpcproxy
xpcproxy com.apple.nfcd
1⤵
PID:532

/usr/libexec/nfcd
/usr/libexec/nfcd
1⤵
PID:532

/usr/libexec/xpcproxy
xpcproxy com.apple.spindump
1⤵
PID:533

/usr/sbin/spindump
/usr/sbin/spindump
1⤵
PID:533

/usr/libexec/xpcproxy
xpcproxy com.apple.spindump_agent
1⤵
PID:534

/usr/libexec/spindump_agent
/usr/libexec/spindump_agent
1⤵
PID:534

/usr/libexec/xpcproxy
xpcproxy com.apple.metadata.mdwrite
1⤵
PID:535

/usr/libexec/xpcproxy
xpcproxy com.apple.ReportMemoryException
1⤵
PID:536

/usr/libexec/ReportMemoryException
/usr/libexec/ReportMemoryException
1⤵
PID:536

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.SandboxBroker 482
1⤵
PID:537

/Applications/Safari.app/Contents/XPCServices/com.apple.Safari.SandboxBroker.xpc/Contents/MacOS/com.apple.Safari.SandboxBroker
/Applications/Safari.app/Contents/XPCServices/com.apple.Safari.SandboxBroker.xpc/Contents/MacOS/com.apple.Safari.SandboxBroker
1⤵
PID:537

/usr/libexec/xpcproxy
xpcproxy com.apple.xpc.launchd.oneshot.0x10000001.DiskImageMounter
1⤵
PID:538

/System/Library/CoreServices/DiskImageMounter.app/Contents/MacOS/DiskImageMounter
/System/Library/CoreServices/DiskImageMounter.app/Contents/MacOS/DiskImageMounter -psn_0_237626
1⤵
PID:538

/usr/libexec/xpcproxy
xpcproxy com.apple.XprotectFramework.AnalysisService 402
1⤵
PID:539

/System/Library/PrivateFrameworks/XprotectFramework.framework/Versions/A/XPCServices/XprotectService.xpc/Contents/MacOS/XprotectService
/System/Library/PrivateFrameworks/XprotectFramework.framework/Versions/A/XPCServices/XprotectService.xpc/Contents/MacOS/XprotectService
1⤵
PID:539

/usr/libexec/xpcproxy
xpcproxy com.apple.hdiejectd
1⤵
PID:540

/System/Library/PrivateFrameworks/DiskImages.framework/Resources/hdiejectd
/System/Library/PrivateFrameworks/DiskImages.framework/Resources/hdiejectd
1⤵
PID:540

/System/Library/PrivateFrameworks/DiskImages.framework/Resources/diskimages-helper
/System/Library/PrivateFrameworks/DiskImages.framework/Resources/diskimages-helper -uuid 6A6C6A9B-8824-49FA-AB5F-FFDB8DADB42C
1⤵
PID:541

/System/Library/PrivateFrameworks/DiskImages.framework/Resources/diskimages-helper
/System/Library/PrivateFrameworks/DiskImages.framework/Resources/diskimages-helper -uuid 6A6C6A9B-8824-49FA-AB5F-FFDB8DADB42C -post-exec 4
1⤵
PID:542

/System/Library/PrivateFrameworks/DiskImages.framework/Versions/A/Resources/DiskImages UI Agent.app/Contents/MacOS/DiskImages UI Agent
"/System/Library/PrivateFrameworks/DiskImages.framework/Versions/A/Resources/DiskImages UI Agent.app/Contents/MacOS/DiskImages UI Agent" 6A6C6A9B-8824-49FA-AB5F-FFDB8DADB42C
1⤵
PID:543

/usr/libexec/xpcproxy
xpcproxy com.apple.PerformanceAnalysis.animationperfd
1⤵
PID:544

/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd
/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd
1⤵
PID:544

/System/Library/Filesystems/hfs.fs/Contents/Resources/./hfs.util
/System/Library/Filesystems/hfs.fs/Contents/Resources/./hfs.util -p disk3s1 removable readonly
1⤵
PID:545

/System/Library/Filesystems/hfs.fs/Contents/Resources/./hfs.util
/System/Library/Filesystems/hfs.fs/Contents/Resources/./hfs.util -k disk3s1
1⤵
PID:546

/System/Library/Filesystems/hfs.fs/Contents/Resources/./fsck_hfs
/System/Library/Filesystems/hfs.fs/Contents/Resources/./fsck_hfs -q /dev/rdisk3s1
1⤵
PID:547

/sbin/fsck_hfs
/sbin/fsck_hfs -f -n /dev/disk3s1
1⤵
PID:548

/System/Library/Filesystems/hfs.fs/Contents/Resources/./hfs.util
/System/Library/Filesystems/hfs.fs/Contents/Resources/./hfs.util -p disk3s1 removable readonly
1⤵
PID:549

/System/Library/Filesystems/hfs.fs/Contents/Resources/./hfs.util
/System/Library/Filesystems/hfs.fs/Contents/Resources/./hfs.util -k disk3s1
1⤵
PID:550

/System/Library/Filesystems/hfs.fs/Contents/Resources/./fsck_hfs
/System/Library/Filesystems/hfs.fs/Contents/Resources/./fsck_hfs -q /dev/rdisk3s1
1⤵
PID:551

/sbin/mount
/sbin/mount -t hfs -o "-u=502,-g=20,-m=755,nodev,noowners,nosuid,rdonly,quarantine" /dev/disk3s1 /Volumes/Discord
1⤵
PID:552
- /sbin/mount_hfs
  /sbin/mount_hfs -u 502 -g 20 -m 755 -o nodev -o noowners -o nosuid -o rdonly -o quarantine /dev/disk3s1 /Volumes/Discord
  2⤵
  PID:553

/usr/libexec/xpcproxy
xpcproxy com.apple.hdiejectd
1⤵
PID:555

/System/Library/PrivateFrameworks/DiskImages.framework/Resources/hdiejectd
/System/Library/PrivateFrameworks/DiskImages.framework/Resources/hdiejectd
1⤵
PID:555

/usr/libexec/xpcproxy
xpcproxy com.apple.appleseed.seedusaged
1⤵
PID:556

/System/Library/CoreServices/Applications/Feedback Assistant.app/Contents/Library/LaunchServices/seedusaged
"/System/Library/CoreServices/Applications/Feedback Assistant.app/Contents/Library/LaunchServices/seedusaged"
1⤵
PID:556

/usr/libexec/xpcproxy
xpcproxy com.apple.DesktopServicesHelper.41058E7A-8A96-4435-BC50-43642C704B4F
1⤵
PID:557

/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper
/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Resources/DesktopServicesHelper
1⤵
PID:557

/usr/libexec/xpcproxy
xpcproxy com.apple.replayd
1⤵
PID:561

/usr/libexec/xpcproxy
xpcproxy com.apple.system_installd
1⤵
PID:564

/usr/libexec/xpcproxy
xpcproxy com.apple.storedownloadd
1⤵
PID:566

/usr/libexec/xpcproxy
xpcproxy com.apple.installd
1⤵
PID:567

/usr/libexec/replayd
/usr/libexec/replayd
1⤵
PID:561

/System/Library/PrivateFrameworks/PackageKit.framework/Resources/system_installd
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/system_installd
1⤵
PID:564

/System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd
1⤵
PID:567

/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storedownloadd
/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storedownloadd
1⤵
PID:566

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.CacheDeleteExtension 559
1⤵
PID:569

/Applications/Safari.app/Contents/PlugIns/CacheDeleteExtension.appex/Contents/MacOS/CacheDeleteExtension
/Applications/Safari.app/Contents/PlugIns/CacheDeleteExtension.appex/Contents/MacOS/CacheDeleteExtension
1⤵
PID:569

/usr/libexec/xpcproxy
xpcproxy com.apple.xpc.launchd.oneshot.0x10000002.Discord
1⤵
PID:571

/Applications/Discord.app/Contents/MacOS/Discord
/Applications/Discord.app/Contents/MacOS/Discord -psn_0_249917
1⤵
PID:571

/System/Library/Frameworks/FileProvider.framework/XPCServices/ArchiveService.xpc/Contents/MacOS/ArchiveService
/System/Library/Frameworks/FileProvider.framework/XPCServices/ArchiveService.xpc/Contents/MacOS/ArchiveService
1⤵
PID:579

/usr/libexec/xpcproxy
xpcproxy com.apple.calculator.2132
1⤵
PID:581

/System/Applications/Calculator.app/Contents/MacOS/Calculator
/System/Applications/Calculator.app/Contents/MacOS/Calculator
1⤵
PID:581

/usr/libexec/xpcproxy
xpcproxy com.apple.Chess.1724
1⤵
PID:582

/System/Applications/Chess.app/Contents/MacOS/Chess
/System/Applications/Chess.app/Contents/MacOS/Chess
1⤵
PID:582

/usr/libexec/xpcproxy
xpcproxy com.apple.iBooksX.1732
1⤵
PID:583

/System/Applications/Books.app/Contents/MacOS/Books
/System/Applications/Books.app/Contents/MacOS/Books
1⤵
PID:583

/usr/libexec/xpcproxy
xpcproxy com.apple.launchpad.launcher.2144
1⤵
PID:584

/System/Applications/Launchpad.app/Contents/MacOS/Launchpad
/System/Applications/Launchpad.app/Contents/MacOS/Launchpad
1⤵
PID:584

/usr/libexec/xpcproxy
xpcproxy com.apple.Automator.2596
1⤵
PID:585

/System/Applications/Automator.app/Contents/MacOS/Automator
/System/Applications/Automator.app/Contents/MacOS/Automator
1⤵
PID:585

/usr/libexec/xpcproxy
xpcproxy com.apple.Dictionary.1776
1⤵
PID:586

/System/Applications/Dictionary.app/Contents/MacOS/Dictionary
/System/Applications/Dictionary.app/Contents/MacOS/Dictionary
1⤵
PID:586

/usr/libexec/xpcproxy
xpcproxy org.mozilla.firefoxdeveloperedition.3088
1⤵
PID:587

/Applications/Firefox Developer Edition.app/Contents/MacOS/firefox
"/Applications/Firefox Developer Edition.app/Contents/MacOS/firefox"
1⤵
PID:587

/usr/libexec/xpcproxy
xpcproxy com.apple.FaceTime.1860
1⤵
PID:589

/System/Applications/FaceTime.app/Contents/MacOS/FaceTime
/System/Applications/FaceTime.app/Contents/MacOS/FaceTime
1⤵
PID:589

/usr/libexec/xpcproxy
xpcproxy com.apple.Notes.1736
1⤵
PID:590

/System/Applications/Notes.app/Contents/MacOS/Notes
/System/Applications/Notes.app/Contents/MacOS/Notes
1⤵
PID:590

/usr/libexec/xpcproxy
xpcproxy com.apple.Image_Capture.1740
1⤵
PID:591

/System/Applications/Image Capture.app/Contents/MacOS/Image Capture
"/System/Applications/Image Capture.app/Contents/MacOS/Image Capture"
1⤵
PID:591

/System/Applications/Music.app/Contents/MacOS/Music
/System/Applications/Music.app/Contents/MacOS/Music
1⤵
PID:592

/usr/libexec/xpcproxy
xpcproxy com.apple.iCal.1908
1⤵
PID:593

/System/Applications/Calendar.app/Contents/MacOS/Calendar
/System/Applications/Calendar.app/Contents/MacOS/Calendar
1⤵
PID:593

/usr/libexec/xpcproxy
xpcproxy com.microsoft.Excel.2032
1⤵
PID:594

/Applications/Microsoft Excel.app/Contents/MacOS/Microsoft Excel
"/Applications/Microsoft Excel.app/Contents/MacOS/Microsoft Excel"
1⤵
PID:594

/usr/libexec/xpcproxy
xpcproxy com.apple.Home.1744
1⤵
PID:595

/System/Applications/Home.app/Contents/MacOS/Home
/System/Applications/Home.app/Contents/MacOS/Home
1⤵
PID:595

/usr/libexec/xpcproxy
xpcproxy com.google.Chrome.3056
1⤵
PID:596

/Applications/Google Chrome.app/Contents/MacOS/Google Chrome
"/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"
1⤵
PID:596

/usr/libexec/xpcproxy
xpcproxy com.apple.exposelauncher.1868
1⤵
PID:597

/System/Applications/Mission Control.app/Contents/MacOS/Mission Control
"/System/Applications/Mission Control.app/Contents/MacOS/Mission Control"
1⤵
PID:597

/usr/libexec/xpcproxy
xpcproxy com.microsoft.Outlook.2036
1⤵
PID:598

/usr/libexec/xpcproxy
xpcproxy com.apple.audio.AudioComponentRegistrar
1⤵
PID:599

/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar
/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar
1⤵
PID:599

/usr/libexec/xpcproxy
xpcproxy com.apple.GameController.gamecontrollerd
1⤵
PID:600

/usr/libexec/gamecontrollerd
/usr/libexec/gamecontrollerd
1⤵
PID:600

/Applications/Microsoft Outlook.app/Contents/MacOS/Microsoft Outlook
"/Applications/Microsoft Outlook.app/Contents/MacOS/Microsoft Outlook"
1⤵
PID:598

/usr/libexec/xpcproxy
xpcproxy com.microsoft.onenote.mac.2040
1⤵
PID:601

/Applications/Microsoft OneNote.app/Contents/MacOS/Microsoft OneNote
"/Applications/Microsoft OneNote.app/Contents/MacOS/Microsoft OneNote"
1⤵
PID:601

/usr/libexec/xpcproxy
xpcproxy com.apple.mail.2576
1⤵
PID:605

/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/101.0.4951.54/Helpers/chrome_crashpad_handler
"/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/101.0.4951.54/Helpers/chrome_crashpad_handler" "--monitor-self-annotation=ptype=crashpad-handler" "--database=/Users/run/Library/Application Support/Google/Chrome/Crashpad" "--url=https://clients2.google.com/cr/report" "--annotation=channel=" "--annotation=plat=OS X" "--annotation=prod=Chrome_Mac" "--annotation=ver=101.0.4951.54" "--handshake-fd=5"
1⤵
PID:603

/System/Applications/Mail.app/Contents/MacOS/Mail
/System/Applications/Mail.app/Contents/MacOS/Mail
1⤵
PID:605

/usr/libexec/xpcproxy
xpcproxy com.apple.findmy.1716
1⤵
PID:606

/System/Applications/FindMy.app/Contents/MacOS/FindMy
/System/Applications/FindMy.app/Contents/MacOS/FindMy
1⤵
PID:606

/usr/libexec/xpcproxy
xpcproxy com.apple.iChat.1880
1⤵
PID:607

/System/Applications/Messages.app/Contents/MacOS/Messages
/System/Applications/Messages.app/Contents/MacOS/Messages
1⤵
PID:607

/usr/libexec/xpcproxy
xpcproxy com.microsoft.Powerpoint.2044
1⤵
PID:608

/usr/libexec/xpcproxy
xpcproxy com.apple.uikitsystemapp
1⤵
PID:609

/System/Library/CoreServices/UIKitSystem.app/Contents/MacOS/UIKitSystem
/System/Library/CoreServices/UIKitSystem.app/Contents/MacOS/UIKitSystem system_app_start
1⤵
PID:609

/Applications/Microsoft PowerPoint.app/Contents/MacOS/Microsoft PowerPoint
"/Applications/Microsoft PowerPoint.app/Contents/MacOS/Microsoft PowerPoint"
1⤵
PID:608

/usr/libexec/xpcproxy
xpcproxy com.apple.PhotoBooth.2580
1⤵
PID:610

/System/Applications/Photo Booth.app/Contents/MacOS/Photo Booth
"/System/Applications/Photo Booth.app/Contents/MacOS/Photo Booth"
1⤵
PID:610

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Resource Forking

T1564.009

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/Users/run/Downloads/Discord.dmg

Filesize
170.4MB

MD5
355bd5ef63b96904d575df0e384f4e71

SHA1
47696c03ddbc03146cba3795e683ec719f5d7761

SHA256
e57ce326fd8879b54c56697f7be55354aae56c74c28feb74958b2ad42c2f2e2d

SHA512
2e00448503cd3aef6c676ab899f417704c30d192128690e75df340ceadf7908b3ac6e870baf9e7912d0882cf8f932030138b749c7aea76d90811558ae804b8e6

Download Submit
/Users/run/Downloads/Discord.dmg

Filesize
166.5MB

MD5
c3b04cb5e9b706bd8d5fe7e23c6baddb

SHA1
dda6a78537cc41bcea9b007357ded1951bc5cf1d

SHA256
33006fc21474dabaed118c08bcb6470e74a1628e48b469b747820c741c275323

SHA512
ddcf8af4b46b8a58aa599ec5b8111e4b80c92907a6521fa23989504143485f452e3334872fde8630b53bc95664b1d49b43cf363a9309c1b399119a23022a5ea0

Download Submit
/Users/run/Downloads/Discord.dmg

Filesize
165.5MB

MD5
77324c205f404c1d638aea7bf84ef77d

SHA1
32f72a8a96595047aaaaf10ec441b708da99abbe

SHA256
fd00cd01b1ca36c139cb688a8d4228d528c32a7b28ecc7cd5853f702a66cb331

SHA512
2af6a38ea75ce7b40ec454e50b697e068390c1fdf23dad5072a6730f47684e7eedfe55bffd0785cd793789218dda748d50f1c5d83012eddf60550b10bd530224

Download Submit
/Users/run/Downloads/Discord.dmg

Filesize
166.5MB

MD5
c03352edf28c6d35253405d1124052fd

SHA1
39fc01cdfbd97d40e0f22e17211c648f806cab01

SHA256
a1343f5b92d841d9d0bdbfaba5e5dd78a77af4fe73aa117fa5d0fabea624652b

SHA512
30b412292f70903278971f3d034d16e5f1bc4eaa730a0f9d9f2fc006687c78717bca61e46c9731972e5af1fa9a16d1d5b7cc452b1e1cb6d269029db07265666f

Download Submit
/Users/run/Library/Safari/Favicon Cache/favicons/0200DBD7BBBA3404A628B9C5310E5956

Filesize
5KB

MD5
cbd5ac2866821ada4d848c152fca243e

SHA1
fb04c3d031f887aa3cbee23b3166b26accc11595

SHA256
f29cd989ccf2095f5e5e0ebcbb07dfaa6d7c69fc04d99e08323e0d946909e4da

SHA512
ea6840696e3f0ce8933e2670cd6e0e97419c65578443f89c11beddfcf63d7645760ed9574b0e5dc18f927a3fd458434a9e2075cc2beeffabca3c128db0226bc5

Download Submit
/Users/run/Library/Safari/Favicon Cache/favicons/25CF8FEA9367B2D2FC2C3111C182148B

Filesize
21KB

MD5
38cfdb248210ffd12a6e774119609de8

SHA1
d10a44e5d06c8a95e4c61ae770cc8f0c8d372253

SHA256
5493c61cf725cf3a1d63cd9d07de75b0d6faa5564e772f7d0a6074f341442938

SHA512
7d0ae6125e5c10d52847ac10e5200f2aaa84932ea5d10af54440c0abc27af19285cb760f0e8dad0bac4371e4b384ffaddcf235f9f1ba29e6dc41ef29deac4fba

Download Submit
/var/db/nsurlstoraged/dafsaData.bin

Filesize
54KB

MD5
64f469698e53d0c828b7f90acd306082

SHA1
bcc041b3849e1b0b4104ffeb46002207eeac54f3

SHA256
d74d0e429343f5e1b3e0b9437e048917c4343a30cff068739ea898bad8e37ffd

SHA512
a8334d1304f2fbd32cfd0ca35c289a45c450746cf3be57170cbbe87b723b1910c2e950a73c1fb82de9dc5ed623166d339a05fec3d78b861a9254dc2cb51fab5f

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/malware,osx,url_expression

Filesize
355KB

MD5
334fb9f885acf2101d0ad99ef47ed33a

SHA1
58b99ae21e574a600fceb60acabf972360465f5a

SHA256
8c654ab5e1192bee20ed4ea25613a5a76cdde1c642b35e9175773ddc2896b35e

SHA512
aa47e3904f3c356c9c9ec6b6c7dab60da4f123b3e144c5684e40134f2210de870c2cbd6b348f5f281d43ec44eb7c7c650f802ee9907394285f51709b01a86f04

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/social_engineering,osx,url_expression

Filesize
17.2MB

MD5
4e7e3037a5c9c6c8559591d0ad9ce888

SHA1
356e7ff2fa0c93d03678eb875c3b2a6556b1667d

SHA256
c24111164b130e787a50fd792f166a666bb52e12f3a7640c61f6a6a025508574

SHA512
1003f190dacb4f901166d5360e2e68e74523027bfb209c942f50cd6dde60fa580547a1acac4fb9f0ebff0431b1d714be1db00ea8c53d03399d9f556ec6f05ead

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/unwanted_software,osx,url_expression

Filesize
119KB

MD5
bb605906076bc46abf21d3bde85351f9

SHA1
0cbcb83e619c9aac5bdf3b7a03454c62ed15fd26

SHA256
201ff111695a07e427166e02cf78093319859de41b3e567b876be15d907ba31b

SHA512
ff81dd9c05d65d833800f4a8ced59dcd67db7b889428c5133fbec17205114ca1afdead18c993bab7ec4ddee1f18b29f447f620088a6367f97473424253b63a13

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari//mds/mdsDirectory.db

Filesize
47KB

MD5
0e4a0d1ceb2af6f0f8d0167ce77be2d3

SHA1
414ba4c1dc5fc8bf53d550e296fd6f5ad669918c

SHA256
cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030

SHA512
1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari//mds/mdsObject.db

Filesize
4KB

MD5
d3a1859e6ec593505cc882e6def48fc8

SHA1
f8e6728e3e9de477a75706faa95cead9ce13cb32

SHA256
3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c

SHA512
ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

Download Submit
/var/log/fsck_hfs.log

Filesize
15KB

MD5
89c9597d6725f9ada4e154caa4fe50bc

SHA1
0c60a11634449f73f0bf31e6fd221efdb507e868

SHA256
63cba6c2ad4b83cfa28a20fa886d362e87a63b27d66d39fe69028580a7d3221d

SHA512
26671f15efc1be296a6e720c962beeb40536ffcd5e3e9483247b31f841893a67773ce39ce4b812a0b1501f8a16539788488641eadbfbbb7e9bd7c20c932eb00f

Download Submit