Edit tour

macOS Analysis Report
R2n8x3VrH8.dmg

Overview

General Information

Sample name:	R2n8x3VrH8.dmg (renamed file extension from none to dmg)
Original sample name:	R2n8x3VrH8
Analysis ID:	1431950
MD5:	50ea75b971ec961867377b45b29bf356
SHA1:	d68faef1b80f376cdf1524e14f8baa49f0074b9d
SHA256:	558c66e7283fed4e16cfbd7889f3d5500e89f637cc48968bed0450852083dbf1
Infos:

Detection

Score:	29
Range:	0 - 100
Whitelisted:	false

Signatures

Executes the "dscl" command with authonly argument (probably to verify the login password)

Changes permissions of common UNIX (system) binary directories

Contains symbols with suspicious names likely related to anti-analysis

Contains symbols with suspicious names likely related to encryption

Contains symbols with suspicious names likely related to networking

Executes Apple scripts and/or other OSA language scripts with shell command 'osascript'

Executes commands using a shell command-line interpreter

Executes the "chmod" command used to modify permissions

Executes the "rm" command used to delete files or directories

Executes the "touch" command used to create files or modify time stamps

Reads file resource fork extended attributes

Reads hardware related sysctl values

Reads the sysctl safe boot value (probably to check if the system is in safe boot mode)

Reads the systems OS release and/or type

Reads the systems hostname

Uses AppleScript framework/components containing Apple Script related functionalities

Uses AppleScript scripting additions containing additional functionalities for Apple Scripts

Writes FAT Mach-O files to disk

Writes Mach-O files to the tmp directory

Classification

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1431950
Start date and time:	2024-04-26 03:59:32 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultmacfilecookbook.jbs
Analysis system description:	Virtual Machine, Mojave (Office 16 16.27, Java 11.0.2+9, Adobe Reader 2019.010.20099)
macOS major version:	10.14
CPU architecture:	x86_64
Analysis Mode:	default
Sample name:	R2n8x3VrH8.dmg (renamed file extension from none to dmg)
Original Sample Name:	R2n8x3VrH8
Detection:	SUS
Classification:	sus29.spyw.macDMG@0/11@2/0

Warnings

Excluded IPs from analysis (whitelisted): 23.209.57.222, 17.253.21.205, 17.253.119.201, 23.222.200.29, 17.36.200.79, 17.253.3.195, 17.253.3.201
Excluded domains from analysis (whitelisted): e11408.d.akamaiedge.net, mesu-cdn.apple.com.akadns.net, lcdn-locator-usuqo.apple.com.akadns.net, updates.cdn-apple.com.akadns.net, e673.dsce9.akamaiedge.net, db._dns-sd._udp.0.11.168.192.in-addr.arpa, help-ar.apple.com.edgekey.net, lb._dns-sd._udp.0.11.168.192.in-addr.arpa, mesu-cdn.origin-apple.com.akadns.net, b._dns-sd._udp.0.11.168.192.in-addr.arpa, lcdn-locator.apple.com.akadns.net, help.origin-apple.com.akadns.net, lcdn-locator.apple.com, mesu.g.aaplimg.com, updates.g.aaplimg.com, itunes.apple.com.edgekey.net, help.apple.com, mesu.apple.com, init.itunes.apple.com, init-cdn.itunes-apple.com.akadns.net

Runtime Messages

Command:	open "/Volumes/Notion/Notion"
PID:	632
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:
Standard Error:

Process Tree

System is macvm-mojave

mono-sgen32 New Fork (PID: 632, Parent: 537)

open (MD5: 34bd93241fa5d2aee225941b1ca14fa4) Arguments: /usr/bin/open /Volumes/Notion/Notion

Terminal New Fork (PID: 634, Parent: 253)

bash (MD5: b513c6e7c86e43eb93f4fd56e28bd540) Arguments: -bash

bash New Fork (PID: 636, Parent: 635)

bash New Fork (PID: 637, Parent: 636)

path_helper (MD5: 4e20b24d35f3257bd2b4b4454224ef2d) Arguments: /usr/libexec/path_helper -s

bash New Fork (PID: 638, Parent: 635)

mkdir (MD5: bbbaafd2a4d7dcb9ddd178d814fea708) Arguments: mkdir -m 700 -p /Users/bernard/.bash_sessions

bash New Fork (PID: 639, Parent: 635)

bash New Fork (PID: 640, Parent: 639)

touch (MD5: 4740c7336a3cb2914b528fbce2d5edc7) Arguments: /usr/bin/touch /Users/bernard/.bash_sessions/06F2F4B9-607D-4378-A15E-4D86AF0A91F0.historynew

bash New Fork (PID: 641, Parent: 635)

Notion (MD5: 7f8c7e490f909f853949822f53645514) Arguments: /Volumes/Notion/Notion

Notion New Fork (PID: 642, Parent: 641)

sh New Fork (PID: 643, Parent: 642)

sh New Fork (PID: 646, Parent: 643)

osascript (MD5: f13b7c85f3c1c08fae3b709a536281a1) Arguments: osascript -e tell application 'Terminal' to close first window

sh New Fork (PID: 664, Parent: 642)

chmod (MD5: 917cfbf6084318922f8091f050a0bbed) Arguments: chmod +x /tmp/binary

sh New Fork (PID: 665, Parent: 642)

binary (MD5: 334ea98682699ce32fa14b293e67f502) Arguments: /tmp/binary

binary New Fork (PID: 666, Parent: 665)

dscl (MD5: 9a2337f2a5a6271e0187153296de3c9f) Arguments: dscl . authonly bernard

binary New Fork (PID: 667, Parent: 665)

osascript (MD5: f13b7c85f3c1c08fae3b709a536281a1) Arguments: osascript -e display dialog 'Required Application Helper. Please enter password:' default answer '' with icon caution buttons {'Continue'} default button 'Continue' giving up after 150 with title 'Application wants to install helper' with hidden answer

bash New Fork (PID: 644, Parent: 635)

bash New Fork (PID: 645, Parent: 644)

bash New Fork (PID: 647, Parent: 645)

date (MD5: 7b68e7f0831d96715d519e8138529cfd) Arguments: /bin/date +%s

bash New Fork (PID: 648, Parent: 635)

bash New Fork (PID: 649, Parent: 648)

touch (MD5: 4740c7336a3cb2914b528fbce2d5edc7) Arguments: /usr/bin/touch /Users/bernard/.bash_sessions/06F2F4B9-607D-4378-A15E-4D86AF0A91F0.historynew

bash New Fork (PID: 650, Parent: 635)

bash New Fork (PID: 651, Parent: 650)

cp (MD5: c6c784e59743c03a85e53ac39bf4b1c1) Arguments: /bin/cp /Users/bernard/.bash_history /Users/bernard/.bash_sessions/06F2F4B9-607D-4378-A15E-4D86AF0A91F0.history

bash New Fork (PID: 652, Parent: 635)

bash New Fork (PID: 653, Parent: 652)

bash New Fork (PID: 654, Parent: 635)

bash New Fork (PID: 655, Parent: 654)

cat (MD5: d4db1aa640ed6d80a0bd350e72d6fa8e) Arguments: /bin/cat /Users/bernard/.bash_sessions/06F2F4B9-607D-4378-A15E-4D86AF0A91F0.historynew

bash New Fork (PID: 656, Parent: 635)

bash New Fork (PID: 657, Parent: 635)

shlock (MD5: 09db517b7ada5f7825b1ac0e590e7149) Arguments: /usr/bin/shlock -f /Users/bernard/.bash_sessions/_expiration_lockfile -p 635

bash New Fork (PID: 658, Parent: 635)

bash New Fork (PID: 659, Parent: 658)

find (MD5: 1fe4dde0bbb34131dcd3598dac59751d) Arguments: /usr/bin/find /Users/bernard/.bash_sessions -type f -mtime +2w -print -delete

bash New Fork (PID: 660, Parent: 658)

wc (MD5: b4a2b4a093f04a17608cac3ccc4dc69b) Arguments: /usr/bin/wc -l

bash New Fork (PID: 661, Parent: 635)

bash New Fork (PID: 662, Parent: 661)

touch (MD5: 4740c7336a3cb2914b528fbce2d5edc7) Arguments: /usr/bin/touch /Users/bernard/.bash_sessions/_expiration_check_timestamp

bash New Fork (PID: 663, Parent: 635)

rm (MD5: 99891a42b47f8a1016bf065e62dfe5b0) Arguments: /bin/rm /Users/bernard/.bash_sessions/_expiration_lockfile

xpcproxy New Fork (PID: 676, Parent: 1)

nsurlstoraged (MD5: 321b0a40e24b45f0af49ba42742b3f64) Arguments: /usr/libexec/nsurlstoraged --privileged

xpcproxy New Fork (PID: 688, Parent: 1)

eficheck (MD5: 328beb81a2263449258057506bb4987f) Arguments: /usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check-daemon

cleanup

Yara Signatures

⊘No yara matches

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: dropped file: binary.297.dr	Mach-O symbol: _main.EncryptDecrypt
Source: dropped file: binary.297.dr	Mach-O symbol: _context.cancelCtxKey
Source: dropped file: binary.297.dr	Mach-O symbol: _main.EncryptDecrypt
Source: dropped file: binary.297.dr	Mach-O symbol: _context.cancelCtxKey

Source: unknown	HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49350 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49368 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49371 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49381 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49395 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49396 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49397 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49398 version: TLS 1.2

Source: dropped file: binary.297.dr	Mach-O symbol: _runtime.(*mspan).reportZombies
Source: dropped file: binary.297.dr	Mach-O symbol: _net.(*IPAddr).sockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _net.(*Resolver).LookupPort
Source: dropped file: binary.297.dr	Mach-O symbol: _net.(*Resolver).lookupPort
Source: dropped file: binary.297.dr	Mach-O symbol: _net.(*TCPAddr).sockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _net.(*UDPAddr).sockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _main.send_data_via_http
Source: dropped file: binary.297.dr	Mach-O symbol: _net.(*UnixAddr).sockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _net.(*dnsConfig).serverOffset
Source: dropped file: binary.297.dr	Mach-O symbol: _runtime.sigsend
Source: dropped file: binary.297.dr	Mach-O symbol: _net.(*netFD).connect.func3
Source: dropped file: binary.297.dr	Mach-O symbol: _net.(*netFD).connect
Source: dropped file: binary.297.dr	Mach-O symbol: _net.(*netFD).connect.func1
Source: dropped file: binary.297.dr	Mach-O symbol: _net.(*netFD).connect.func2
Source: dropped file: binary.297.dr	Mach-O symbol: _internal/poll.(*FD).SetsockoptInt
Source: dropped file: binary.297.dr	Mach-O symbol: _internal/poll.(*FD).SetsockoptInt.func1
Source: dropped file: binary.297.dr	Mach-O symbol: _internal/poll.SendFile
Source: dropped file: binary.297.dr	Mach-O symbol: _internal/poll.SendFile.func1
Source: dropped file: binary.297.dr	Mach-O symbol: _internal/poll.runtime_pollServerInit
Source: dropped file: binary.297.dr	Mach-O symbol: _internal/poll.serverInit
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.socket
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.setsockopt
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.sendfile
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.minRoutingSockaddrLen
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.libc_socket_trampoline.abi0
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.libc_setsockopt_trampoline.abi0
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.libc_sendfile_trampoline.abi0
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.libc_getsockopt_trampoline.abi0
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.libc_getsockname_trampoline.abi0
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.libc_connect_trampoline.abi0
Source: dropped file: binary.297.dr	Mach-O symbol: _runtime.chansendpc
Source: dropped file: binary.297.dr	Mach-O symbol: _runtime.chansend.func1
Source: dropped file: binary.297.dr	Mach-O symbol: _runtime.chansend1
Source: dropped file: binary.297.dr	Mach-O symbol: _runtime.chansend
Source: dropped file: binary.297.dr	Mach-O symbol: _internal/abi.Name.IsExported
Source: dropped file: binary.297.dr	Mach-O symbol: _go:itab.*syscall.SockaddrDatalink,syscall.Sockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _go:itab.*syscall.SockaddrInet4,syscall.Sockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _go:itab.*syscall.SockaddrInet6,syscall.Sockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _go:itab.*syscall.SockaddrUnix,syscall.Sockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _getsockopt
Source: dropped file: binary.297.dr	Mach-O symbol: _getsockname
Source: dropped file: binary.297.dr	Mach-O symbol: _connect
Source: dropped file: binary.297.dr	Mach-O symbol: _net.unixSocket
Source: dropped file: binary.297.dr	Mach-O symbol: _net.sysSocket
Source: dropped file: binary.297.dr	Mach-O symbol: _net.socketFunc
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.getsockopt
Source: dropped file: binary.297.dr	Mach-O symbol: _net.sockaddrToUnixpacket
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.getsockname
Source: dropped file: binary.297.dr	Mach-O symbol: _net.socket
Source: dropped file: binary.297.dr	Mach-O symbol: _net.sockaddrToUnix
Source: dropped file: binary.297.dr	Mach-O symbol: _net.sockaddrToUnixgram
Source: dropped file: binary.297.dr	Mach-O symbol: _net.sockaddrToUDP
Source: dropped file: binary.297.dr	Mach-O symbol: _net.sockaddrToIP
Source: dropped file: binary.297.dr	Mach-O symbol: _net.sockaddrToTCP
Source: dropped file: binary.297.dr	Mach-O symbol: _net.setDefaultMulticastSockopts
Source: dropped file: binary.297.dr	Mach-O symbol: _net.setDefaultSockopts
Source: dropped file: binary.297.dr	Mach-O symbol: _net.setDefaultListenerSockopts
Source: dropped file: binary.297.dr	Mach-O symbol: _net.sendFile.func1
Source: dropped file: binary.297.dr	Mach-O symbol: _net.selfConnect
Source: dropped file: binary.297.dr	Mach-O symbol: _net.sendFile
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.connect
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.anyToSockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _net.parsePort
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.SocketDisableIPv6
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.Socket
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.SetsockoptInt
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.Sendfile
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.GetsockoptInt
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.Getsockname
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.Connect
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.(*SockaddrUnix).sockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.(*SockaddrInet6).sockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.(*SockaddrInet4).sockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.(*SockaddrDatalink).sockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _sync/atomic.(*Pointer[go.shape.struct { net.servers []string; net.search []string; net.ndots int; net.timeout time.Duration; net.attempts int; net.rotate bool; net.unknownOpt bool; net.lookup []string; net.err error; net.mtime time.Time; net.soffset uint32; net.singleRequest bool; net.useTCP bool; net.trustAD bool; net.noReload bool }]).Store
Source: dropped file: binary.297.dr	Mach-O symbol: _sync/atomic.(*Pointer[go.shape.struct { net.servers []string; net.search []string; net.ndots int; net.timeout time.Duration; net.attempts int; net.rotate bool; net.unknownOpt bool; net.lookup []string; net.err error; net.mtime time.Time; net.soffset uint32; net.singleRequest bool; net.useTCP bool; net.trustAD bool; net.noReload bool }]).Load
Source: dropped file: binary.297.dr	Mach-O symbol: _net.errServerTemporarilyMisbehaving
Source: dropped file: binary.297.dr	Mach-O symbol: _net.errNoAnswerFromDNSServer
Source: dropped file: binary.297.dr	Mach-O symbol: _net.errServerMisbehaving
Source: dropped file: binary.297.dr	Mach-O symbol: _type:.eq.syscall.SockaddrUnix
Source: dropped file: binary.297.dr	Mach-O symbol: _type:.eq.syscall.SockaddrInet4
Source: dropped file: binary.297.dr	Mach-O symbol: _net.getsockoptIntFunc
Source: dropped file: binary.297.dr	Mach-O symbol: _runtime.sendDirect
Source: dropped file: binary.297.dr	Mach-O symbol: _runtime.send
Source: dropped file: binary.297.dr	Mach-O symbol: _runtime.selectnbsend
Source: dropped file: binary.297.dr	Mach-O symbol: _net.ErrWriteToConnected
Source: dropped file: binary.297.dr	Mach-O symbol: _net.JoinHostPort
Source: dropped file: binary.297.dr	Mach-O symbol: _net.SplitHostPort
Source: dropped file: binary.297.dr	Mach-O symbol: _net.SplitHostPort.func1
Source: dropped file: binary.297.dr	Mach-O symbol: _net.absDomainName
Source: dropped file: binary.297.dr	Mach-O symbol: _net._C_ai_socktype
Source: dropped file: binary.297.dr	Mach-O symbol: _net.cgoLookupPort
Source: dropped file: binary.297.dr	Mach-O symbol: _net.cgoLookupPort.func1
Source: dropped file: binary.297.dr	Mach-O symbol: _net.cgoLookupServicePort
Source: dropped file: binary.297.dr	Mach-O symbol: _net.cgoLookupServicePort.func1
Source: dropped file: binary.297.dr	Mach-O symbol: _net.connectFunc
Source: dropped file: binary.297.dr	Mach-O symbol: _time.sendTime
Source: dropped file: binary.297.dr	Mach-O symbol: _go:itab.*net.IPAddr,net.sockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _go:itab.*net.UnixAddr,net.sockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _go:itab.*net.TCPAddr,net.sockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _go:itab.*net.UDPAddr,net.sockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _net.goLookupPort
Source: dropped file: binary.297.dr	Mach-O symbol: _net.internetSocket
Source: dropped file: binary.297.dr	Mach-O symbol: _net.ipToSockaddrInet4
Source: dropped file: binary.297.dr	Mach-O symbol: _net.ipToSockaddrInet6
Source: dropped file: binary.297.dr	Mach-O symbol: _net.isDomainName
Source: dropped file: binary.297.dr	Mach-O symbol: _net.ipToSockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _socket
Source: dropped file: binary.297.dr	Mach-O symbol: _net.lookupPortMap
Source: dropped file: binary.297.dr	Mach-O symbol: _setsockopt
Source: dropped file: binary.297.dr	Mach-O symbol: _sendfile
Source: dropped file: binary.297.dr	Mach-O symbol: _runtime.isExportedRuntime
Source: dropped file: binary.297.dr	Mach-O symbol: _runtime.(*mspan).reportZombies
Source: dropped file: binary.297.dr	Mach-O symbol: _net.(*IPAddr).sockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _net.(*Resolver).LookupPort
Source: dropped file: binary.297.dr	Mach-O symbol: _net.(*Resolver).lookupPort
Source: dropped file: binary.297.dr	Mach-O symbol: _net.(*TCPAddr).sockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _main.send_data_via_http
Source: dropped file: binary.297.dr	Mach-O symbol: _net.(*netFD).connect
Source: dropped file: binary.297.dr	Mach-O symbol: _net.(*netFD).connect.func1
Source: dropped file: binary.297.dr	Mach-O symbol: _net.(*netFD).connect.func2
Source: dropped file: binary.297.dr	Mach-O symbol: _net.(*netFD).connect.func3
Source: dropped file: binary.297.dr	Mach-O symbol: _runtime.sigsend
Source: dropped file: binary.297.dr	Mach-O symbol: _net.(*UDPAddr).sockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _net.(*UnixAddr).sockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _runtime.send
Source: dropped file: binary.297.dr	Mach-O symbol: _runtime.sendDirect
Source: dropped file: binary.297.dr	Mach-O symbol: _net.(*dnsConfig).serverOffset
Source: dropped file: binary.297.dr	Mach-O symbol: _internal/poll.(*FD).SetsockoptInt
Source: dropped file: binary.297.dr	Mach-O symbol: _internal/poll.(*FD).SetsockoptInt.func1
Source: dropped file: binary.297.dr	Mach-O symbol: _internal/poll.SendFile
Source: dropped file: binary.297.dr	Mach-O symbol: _internal/poll.SendFile.func1
Source: dropped file: binary.297.dr	Mach-O symbol: _internal/poll.serverInit
Source: dropped file: binary.297.dr	Mach-O symbol: _internal/poll.runtime_pollServerInit
Source: dropped file: binary.297.dr	Mach-O symbol: _runtime.chansendpc
Source: dropped file: binary.297.dr	Mach-O symbol: _runtime.chansend.func1
Source: dropped file: binary.297.dr	Mach-O symbol: _runtime.chansend1
Source: dropped file: binary.297.dr	Mach-O symbol: _runtime.chansend
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.libc_sendfile_trampoline.abi0
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.libc_getsockopt_trampoline.abi0
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.libc_getsockname_trampoline.abi0
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.libc_connect_trampoline.abi0
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.getsockopt
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.getsockname
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.connect
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.anyToSockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.SocketDisableIPv6
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.Socket
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.SetsockoptInt
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.Sendfile
Source: dropped file: binary.297.dr	Mach-O symbol: _internal/abi.Name.IsExported
Source: dropped file: binary.297.dr	Mach-O symbol: _go:itab.*net.UnixAddr,net.sockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _go:itab.*syscall.SockaddrDatalink,syscall.Sockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _go:itab.*syscall.SockaddrInet4,syscall.Sockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _go:itab.*syscall.SockaddrInet6,syscall.Sockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _go:itab.*syscall.SockaddrUnix,syscall.Sockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _net.unixSocket
Source: dropped file: binary.297.dr	Mach-O symbol: _net.sysSocket
Source: dropped file: binary.297.dr	Mach-O symbol: _net.socket
Source: dropped file: binary.297.dr	Mach-O symbol: _net.socketFunc
Source: dropped file: binary.297.dr	Mach-O symbol: _net.sockaddrToUnixgram
Source: dropped file: binary.297.dr	Mach-O symbol: _net.sockaddrToUnixpacket
Source: dropped file: binary.297.dr	Mach-O symbol: _net.sockaddrToUDP
Source: dropped file: binary.297.dr	Mach-O symbol: _net.sockaddrToUnix
Source: dropped file: binary.297.dr	Mach-O symbol: _net.sockaddrToTCP
Source: dropped file: binary.297.dr	Mach-O symbol: _net.sockaddrToIP
Source: dropped file: binary.297.dr	Mach-O symbol: _net.setDefaultSockopts
Source: dropped file: binary.297.dr	Mach-O symbol: _net.setDefaultListenerSockopts
Source: dropped file: binary.297.dr	Mach-O symbol: _net.setDefaultMulticastSockopts
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.GetsockoptInt
Source: dropped file: binary.297.dr	Mach-O symbol: _net.sendFile
Source: dropped file: binary.297.dr	Mach-O symbol: _net.sendFile.func1
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.Getsockname
Source: dropped file: binary.297.dr	Mach-O symbol: _net.selfConnect
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.Connect
Source: dropped file: binary.297.dr	Mach-O symbol: _net.parsePort
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.(*SockaddrUnix).sockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.(*SockaddrInet6).sockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.(*SockaddrInet4).sockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.(*SockaddrDatalink).sockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _sync/atomic.(*Pointer[go.shape.struct { net.servers []string; net.search []string; net.ndots int; net.timeout time.Duration; net.attempts int; net.rotate bool; net.unknownOpt bool; net.lookup []string; net.err error; net.mtime time.Time; net.soffset uint32; net.singleRequest bool; net.useTCP bool; net.trustAD bool; net.noReload bool }]).Store
Source: dropped file: binary.297.dr	Mach-O symbol: _sync/atomic.(*Pointer[go.shape.struct { net.servers []string; net.search []string; net.ndots int; net.timeout time.Duration; net.attempts int; net.rotate bool; net.unknownOpt bool; net.lookup []string; net.err error; net.mtime time.Time; net.soffset uint32; net.singleRequest bool; net.useTCP bool; net.trustAD bool; net.noReload bool }]).Load
Source: dropped file: binary.297.dr	Mach-O symbol: _type:.eq.syscall.SockaddrUnix
Source: dropped file: binary.297.dr	Mach-O symbol: _type:.eq.syscall.SockaddrInet4
Source: dropped file: binary.297.dr	Mach-O symbol: _net.errNoAnswerFromDNSServer
Source: dropped file: binary.297.dr	Mach-O symbol: _net.errServerMisbehaving
Source: dropped file: binary.297.dr	Mach-O symbol: _net.errServerTemporarilyMisbehaving
Source: dropped file: binary.297.dr	Mach-O symbol: _time.sendTime
Source: dropped file: binary.297.dr	Mach-O symbol: _net.connectFunc
Source: dropped file: binary.297.dr	Mach-O symbol: _runtime.selectnbsend
Source: dropped file: binary.297.dr	Mach-O symbol: _net.ErrWriteToConnected
Source: dropped file: binary.297.dr	Mach-O symbol: _net.JoinHostPort
Source: dropped file: binary.297.dr	Mach-O symbol: _net.SplitHostPort
Source: dropped file: binary.297.dr	Mach-O symbol: _net.SplitHostPort.func1
Source: dropped file: binary.297.dr	Mach-O symbol: _net.absDomainName
Source: dropped file: binary.297.dr	Mach-O symbol: _net._C_ai_socktype
Source: dropped file: binary.297.dr	Mach-O symbol: _socket
Source: dropped file: binary.297.dr	Mach-O symbol: _setsockopt
Source: dropped file: binary.297.dr	Mach-O symbol: _net.cgoLookupPort
Source: dropped file: binary.297.dr	Mach-O symbol: _net.cgoLookupPort.func1
Source: dropped file: binary.297.dr	Mach-O symbol: _net.cgoLookupServicePort
Source: dropped file: binary.297.dr	Mach-O symbol: _net.cgoLookupServicePort.func1
Source: dropped file: binary.297.dr	Mach-O symbol: _sendfile
Source: dropped file: binary.297.dr	Mach-O symbol: _runtime.isExportedRuntime
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.socket
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.setsockopt
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.sendfile
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.minRoutingSockaddrLen
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.libc_socket_trampoline.abi0
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.libc_setsockopt_trampoline.abi0
Source: dropped file: binary.297.dr	Mach-O symbol: _go:itab.*net.IPAddr,net.sockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _go:itab.*net.UDPAddr,net.sockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _go:itab.*net.TCPAddr,net.sockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _net.getsockoptIntFunc
Source: dropped file: binary.297.dr	Mach-O symbol: _net.goLookupPort
Source: dropped file: binary.297.dr	Mach-O symbol: _getsockopt
Source: dropped file: binary.297.dr	Mach-O symbol: _getsockname
Source: dropped file: binary.297.dr	Mach-O symbol: _net.internetSocket
Source: dropped file: binary.297.dr	Mach-O symbol: _net.ipToSockaddrInet6
Source: dropped file: binary.297.dr	Mach-O symbol: _net.isDomainName
Source: dropped file: binary.297.dr	Mach-O symbol: _net.ipToSockaddr
Source: dropped file: binary.297.dr	Mach-O symbol: _connect
Source: dropped file: binary.297.dr	Mach-O symbol: _net.ipToSockaddrInet4
Source: dropped file: binary.297.dr	Mach-O symbol: _net.lookupPortMap

Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.228.69
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.228.69
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.228.69
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.228.69
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.228.67
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.228.67
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.228.67
Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.21.203
Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.21.203
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: h3.apis.apple.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: updates.cdn-apple.com

Source: Notion, 00000641.00000296.1.000000010792b000.0000000107954000.r--.sdmp, Notion, 00000642.00000297.1.000000010792b000.0000000107954000.r--.sdmp, binary, 00000665.00000332.1.000000000a339000.000000000a362000.r--.sdmp	String found in binary or memory: http://crl.apple.com/codesigning.crl0
Source: Notion, 00000641.00000296.1.000000010792b000.0000000107954000.r--.sdmp, Notion, 00000642.00000297.1.000000010792b000.0000000107954000.r--.sdmp, binary, 00000665.00000332.1.000000000a339000.000000000a362000.r--.sdmp, R2n8x3VrH8.dmg	String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: Notion, 00000641.00000296.1.000000010792b000.0000000107954000.r--.sdmp, Notion, 00000642.00000297.1.000000010792b000.0000000107954000.r--.sdmp, binary, 00000665.00000332.1.000000000a339000.000000000a362000.r--.sdmp	String found in binary or memory: http://www.apple.com/appleca/root.crl0
Source: Notion, 00000641.00000296.1.000000010792b000.0000000107954000.r--.sdmp, Notion, 00000642.00000297.1.000000010792b000.0000000107954000.r--.sdmp, binary, 00000665.00000332.1.000000000a339000.000000000a362000.r--.sdmp	String found in binary or memory: http://www.apple.com/certificateauthority0
Source: Notion, 00000641.00000296.1.000000010792b000.0000000107954000.r--.sdmp, Notion, 00000642.00000297.1.000000010792b000.0000000107954000.r--.sdmp, binary, 00000665.00000332.1.000000000a339000.000000000a362000.r--.sdmp	String found in binary or memory: https://www.apple.com/appleca/0

Source: unknown	Network traffic detected: HTTP traffic on port 49327 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49350 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49346
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49368
Source: unknown	Network traffic detected: HTTP traffic on port 49398 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49397 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49398
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49397
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49396
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49395
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49350
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49371
Source: unknown	Network traffic detected: HTTP traffic on port 49395 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49381
Source: unknown	Network traffic detected: HTTP traffic on port 49396 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49371 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49368 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49346 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49327
Source: unknown	Network traffic detected: HTTP traffic on port 49381 -> 443

Source: unknown	HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49350 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49368 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49371 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49381 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49395 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49396 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49397 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49398 version: TLS 1.2

Source: classification engine

Classification label: sus29.spyw.macDMG@0/11@2/0

Source: /bin/sh (PID: 664)

Chmod directory: /bin/chmod -> chmod +x /tmp/binary

Jump to behavior

Source: /bin/sh (PID: 646)	Osascript command executed: osascript -e tell application 'Terminal' to close first window			Jump to behavior
Source: /private/tmp/binary (PID: 667)	Osascript command executed: osascript -e display dialog 'Required Application Helper. Please enter password:' default answer '' with icon caution buttons {'Continue'} default button 'Continue' giving up after 150 with title 'Application wants to install helper' with hidden answer			Jump to behavior

Source: /Volumes/Notion/Notion (PID: 642)	Shell command executed: sh -c osascript -e 'tell application 'Terminal' to close first window' & exit	Jump to behavior
Source: /Volumes/Notion/Notion (PID: 642)	Shell command executed: sh -c chmod +x /tmp/binary	Jump to behavior
Source: /Volumes/Notion/Notion (PID: 642)	Shell command executed: sh -c /tmp/binary	Jump to behavior

Source: /bin/sh (PID: 664)

Chmod executable: /bin/chmod -> chmod +x /tmp/binary

Jump to behavior

Source: /bin/bash (PID: 663)

Rm executable: /bin/rm -> /bin/rm /Users/bernard/.bash_sessions/_expiration_lockfile

Jump to behavior

Source: /bin/bash (PID: 662)

Touch executable: /usr/bin/touch -> /usr/bin/touch /Users/bernard/.bash_sessions/_expiration_check_timestamp

Jump to behavior

Source: /usr/bin/osascript (PID: 646)	AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist	Jump to behavior
Source: /usr/bin/osascript (PID: 646)	AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist	Jump to behavior
Source: /usr/bin/osascript (PID: 667)	AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist	Jump to behavior
Source: /usr/bin/osascript (PID: 667)	AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist	Jump to behavior

Source: /usr/bin/osascript (PID: 646)	AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist	Jump to behavior
Source: /usr/bin/osascript (PID: 646)	AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist	Jump to behavior
Source: /usr/bin/osascript (PID: 667)	AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist	Jump to behavior
Source: /usr/bin/osascript (PID: 667)	AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist	Jump to behavior

Source: /Volumes/Notion/Notion (PID: 642)

File written: /private/tmp/binary

Jump to dropped file

Source: /Volumes/Notion/Notion (PID: 642)

FAT Mach-O written to tmp path: /private/tmp/binary

Jump to dropped file

Source: /usr/bin/osascript (PID: 646)	Random device file read: /dev/random	Jump to behavior
Source: /tmp/binary (PID: 665)	Random device file read: /dev/urandom	Jump to behavior
Source: /tmp/binary (PID: 665)	Random device file read: /dev/urandom	Jump to behavior
Source: /usr/bin/osascript (PID: 667)	Random device file read: /dev/random	Jump to behavior
Source: /usr/libexec/firmwarecheckers/eficheck/eficheck (PID: 688)	Random device file read: /dev/random	Jump to behavior

Source: /usr/bin/osascript (PID: 646)	AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist			Jump to behavior
Source: /usr/bin/osascript (PID: 667)	AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist			Jump to behavior

Source: /usr/bin/osascript (PID: 646)	Reads from a resource fork: /usr/bin/osascript/..namedfork/rsrc			Jump to behavior
Source: /usr/bin/osascript (PID: 667)	Reads from a resource fork: /usr/bin/osascript/..namedfork/rsrc			Jump to behavior

Source: dropped file: binary.297.dr	Mach-O symbol: _runtime.fpTracebackPCs
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.ptrace1
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.ptrace
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.libc_ptrace_trampoline.abi0
Source: dropped file: binary.297.dr	Mach-O symbol: _ptrace
Source: dropped file: binary.297.dr	Mach-O symbol: _type:.eq.runtime.pTraceState
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.libc_ptrace_trampoline.abi0
Source: dropped file: binary.297.dr	Mach-O symbol: _type:.eq.runtime.pTraceState
Source: dropped file: binary.297.dr	Mach-O symbol: _runtime.fpTracebackPCs
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.ptrace1
Source: dropped file: binary.297.dr	Mach-O symbol: _syscall.ptrace
Source: dropped file: binary.297.dr	Mach-O symbol: _ptrace

Source: /usr/bin/osascript (PID: 667)

Sysctl read request: kern.safeboot (1.66)

Jump to behavior

Source: /tmp/binary (PID: 665)	Sysctl read request: hw.ncpu (6.3)			Jump to behavior
Source: /usr/bin/osascript (PID: 667)	Sysctl read request: hw.availcpu (6.25)			Jump to behavior

Source: /usr/bin/osascript (PID: 667)	Sysctl requested: kern.ostype (1.1)			Jump to behavior
Source: /usr/bin/osascript (PID: 667)	Sysctl requested: kern.osrelease (1.2)			Jump to behavior

Source: /bin/bash (PID: 635)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/sh (PID: 643)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/sh (PID: 664)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/sh (PID: 665)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /usr/bin/osascript (PID: 667)	Sysctl requested: kern.hostname (1.10)	Jump to behavior

Source: /usr/bin/open (PID: 632)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist	Jump to behavior
Source: /usr/bin/osascript (PID: 646)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist	Jump to behavior
Source: /usr/bin/osascript (PID: 667)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist	Jump to behavior

Stealing of Sensitive Information

Executes the "dscl" command with authonly argument (probably to verify the login password)

Source: /private/tmp/binary (PID: 666)

Security executable: /usr/bin/dscl dscl . authonly bernard

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	3 AppleScript	1 Scripting	Path Interception	1 File and Directory Permissions Modification	OS Credential Dumping	1 Virtualization/Sandbox Evasion	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Hidden Files and Directories	Security Account Manager	41 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Indicator Removal	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 File Deletion	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Shell
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

Source	Detection	Scanner	Label	Link
/private/tmp/binary	17%	ReversingLabs	MacOS.Trojan.Amos
/private/tmp/binary	2%	Virustotal		Browse

Domains

Source	Detection	Scanner	Label	Link
h3.apis.apple.map.fastly.net	0%	Virustotal		Browse

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
h3.apis.apple.map.fastly.net	151.101.195.6	true	false	0%, Virustotal, Browse	unknown
updates.cdn-apple.com	unknown	unknown	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
151.101.131.6	unknown	United States		54113	FASTLYUS	false
151.101.195.6	h3.apis.apple.map.fastly.net	United States		54113	FASTLYUS	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
151.101.131.6	Calendly.dmg	Get hash	malicious	Unknown	Browse
	malw_sampl	Get hash	malicious	Unknown	Browse
	Arc12645415	Get hash	malicious	Unknown	Browse
	https://www.flazio.com/server.html	Get hash	malicious	Unknown	Browse
	https://pub.marq.com/Downloadiiii-Fileee/	Get hash	malicious	Unknown	Browse
	todoist-setup.dmg	Get hash	malicious	Unknown	Browse
	Diogenes	Get hash	malicious	Unknown	Browse
	https://acrobat.adobe.com/id/urn:aaid:sc:VA6C2:c139e8bc-e6cf-46e4-b94b-c8b5dea21199	Get hash	malicious	Unknown	Browse
	Phoenix5b.ipa	Get hash	malicious	Unknown	Browse
	B8rrKspvSE.sample	Get hash	malicious	DDosia	Browse
151.101.195.6	ot-test-app	Get hash	malicious	Unknown	Browse
	Calendly.dmg	Get hash	malicious	Unknown	Browse
	malw_sampl	Get hash	malicious	Unknown	Browse
	89.kk	Get hash	malicious	Unknown	Browse
	Arc12645415	Get hash	malicious	Unknown	Browse
	SME.dmg	Get hash	malicious	Unknown	Browse
	3MVd1q7ygy.macho	Get hash	malicious	Unknown	Browse
	https://www.flazio.com/server.html	Get hash	malicious	Unknown	Browse
	todoist-setup.dmg	Get hash	malicious	Unknown	Browse
	Diogenes	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FASTLYUS	https://marinatitle.com	Get hash	malicious	Unknown	Browse	151.101.2.137
	https://m7qfa5ng4lp7.blob.core.windows.net/m7qfa5ng4lp7/1.html?4rKpnF7821CfLO43wsacrvmomp962ETPJQJTKIDNZNNV65316UFUY14332V14#14/43-7821/962-65316-14332	Get hash	malicious	Phisher	Browse	151.101.129.44
	https://pub-9af459faa3e54a63ae5d1f2be8790ad0.r2.dev/get-authenticated.html	Get hash	malicious	Unknown	Browse	185.199.108.154
	https://autode.sk/4bb5BeV	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	151.101.2.217
	https://lide.alosalca.fun/highbox#joeblow@xyz.com	Get hash	malicious	HTMLPhisher	Browse	151.101.2.137
	https://url.us.m.mimecastprotect.com/s/qkT5Cv2pWyUOjZODty9fnF?domain=google.com	Get hash	malicious	Unknown	Browse	151.101.1.44
	http://neoparts.com.br./driz/oybe/am9sZW5lLmJ1cm5zQHNlY3VydXN0ZWNobm9sb2dpZXMuY29t$?utp=consumer&	Get hash	malicious	HTMLPhisher	Browse	151.101.66.137
	https://colunroad.info/?utm_campaign=y0rsMyowMImIDv9DTSX69oig88PrjKrJ9agQ3DpV-9I1&t=back	Get hash	malicious	GRQ Scam	Browse	151.101.65.229
	http://www.mh3solaroh.com/	Get hash	malicious	HTMLPhisher	Browse	151.101.2.217
	https://web.lehighvalleychamber.org/cwt/external/wcpages/referral.aspx?ReferralType=W&ProfileID=5337&ListingID=4065&CategoryID=74&SubCategoryID=0&url=//sanemedia.ca/owaow/yjyo8q/bWFyaWEud29qY2llY2hvd3NraUBjby5tb25tb3V0aC5uai51cw==	Get hash	malicious	HTMLPhisher	Browse	151.101.130.137
FASTLYUS	https://marinatitle.com	Get hash	malicious	Unknown	Browse	151.101.2.137
	https://m7qfa5ng4lp7.blob.core.windows.net/m7qfa5ng4lp7/1.html?4rKpnF7821CfLO43wsacrvmomp962ETPJQJTKIDNZNNV65316UFUY14332V14#14/43-7821/962-65316-14332	Get hash	malicious	Phisher	Browse	151.101.129.44
	https://pub-9af459faa3e54a63ae5d1f2be8790ad0.r2.dev/get-authenticated.html	Get hash	malicious	Unknown	Browse	185.199.108.154
	https://autode.sk/4bb5BeV	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	151.101.2.217
	https://lide.alosalca.fun/highbox#joeblow@xyz.com	Get hash	malicious	HTMLPhisher	Browse	151.101.2.137
	https://url.us.m.mimecastprotect.com/s/qkT5Cv2pWyUOjZODty9fnF?domain=google.com	Get hash	malicious	Unknown	Browse	151.101.1.44
	http://neoparts.com.br./driz/oybe/am9sZW5lLmJ1cm5zQHNlY3VydXN0ZWNobm9sb2dpZXMuY29t$?utp=consumer&	Get hash	malicious	HTMLPhisher	Browse	151.101.66.137
	https://colunroad.info/?utm_campaign=y0rsMyowMImIDv9DTSX69oig88PrjKrJ9agQ3DpV-9I1&t=back	Get hash	malicious	GRQ Scam	Browse	151.101.65.229
	http://www.mh3solaroh.com/	Get hash	malicious	HTMLPhisher	Browse	151.101.2.217
	https://web.lehighvalleychamber.org/cwt/external/wcpages/referral.aspx?ReferralType=W&ProfileID=5337&ListingID=4065&CategoryID=74&SubCategoryID=0&url=//sanemedia.ca/owaow/yjyo8q/bWFyaWEud29qY2llY2hvd3NraUBjby5tb25tb3V0aC5uai51cw==	Get hash	malicious	HTMLPhisher	Browse	151.101.130.137

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
5c118da645babe52f060d0754256a73c	ot-test-app	Get hash	malicious	Unknown	Browse	151.101.195.6
	https://cloudflare-ipfs.com/ipfs/bafybeiagiq7tdzbkrrgr6pdgcm3qpbokwry3qqk2gedyazwwolhwfy4suy/nodex.html#	Get hash	malicious	Unknown	Browse	151.101.195.6
	Calendly.dmg	Get hash	malicious	Unknown	Browse	151.101.195.6
	malw_sampl	Get hash	malicious	Unknown	Browse	151.101.195.6
	89.kk	Get hash	malicious	Unknown	Browse	151.101.195.6
	Arc12645415	Get hash	malicious	Unknown	Browse	151.101.195.6
	SME.dmg	Get hash	malicious	Unknown	Browse	151.101.195.6
	3MVd1q7ygy.macho	Get hash	malicious	Unknown	Browse	151.101.195.6
	https://www.flazio.com/server.html	Get hash	malicious	Unknown	Browse	151.101.195.6
	https://pub.marq.com/Downloadiiii-Fileee/	Get hash	malicious	Unknown	Browse	151.101.195.6

Dropped Files

⊘No context

Created / dropped Files

/Users/bernard/.bash_sessions/06F2F4B9-607D-4378-A15E-4D86AF0A91F0.history

Download File

Process:	/bin/cat
File Type:	ASCII text
Category:	dropped
Size (bytes):	31
Entropy (8bit):	3.7969607303569646
Encrypted:	false
SSDEEP:	3:XQWyKUKMKdORwn:XvMXRwn
MD5:	3CF1D83B4D3FB88C6FBFF03AF9B073E5
SHA1:	537E5D6281B9F46447D0144B993508C17718B4A5
SHA-256:	E8CA75DCF6851C873A9AFE480B80459702AD6B5D0C5226D307C358E913C0E0B7
SHA-512:	F127A9316289AB343A481D094D4E27457A91ADA0CE2A5A297373BEB716632FD30F0D4EBE4FE10A42D13D41CDABA8BCF4F206203CE5CD6379029F86A85BD88AFA
Malicious:	false
Reputation:	low
Preview:	/Volumes/Notion/Notion ; exit;.

/Users/bernard/.bash_sessions/06F2F4B9-607D-4378-A15E-4D86AF0A91F0.historynew

Download File

Process:	/bin/bash
File Type:	ASCII text
Category:	dropped
Size (bytes):	31
Entropy (8bit):	3.7969607303569646
Encrypted:	false
SSDEEP:	3:XQWyKUKMKdORwn:XvMXRwn
MD5:	3CF1D83B4D3FB88C6FBFF03AF9B073E5
SHA1:	537E5D6281B9F46447D0144B993508C17718B4A5
SHA-256:	E8CA75DCF6851C873A9AFE480B80459702AD6B5D0C5226D307C358E913C0E0B7
SHA-512:	F127A9316289AB343A481D094D4E27457A91ADA0CE2A5A297373BEB716632FD30F0D4EBE4FE10A42D13D41CDABA8BCF4F206203CE5CD6379029F86A85BD88AFA
Malicious:	false
Reputation:	low
Preview:	/Volumes/Notion/Notion ; exit;.

/Users/bernard/.bash_sessions/06F2F4B9-607D-4378-A15E-4D86AF0A91F0.session

Download File

Process:	/bin/bash
File Type:	ASCII text
Category:	dropped
Size (bytes):	52
Entropy (8bit):	4.624013401774993
Encrypted:	false
SSDEEP:	3:jpQ6z/KPbiiTSGvn:xz/EbiuSGvn
MD5:	9438A480B4F54968EEA9381026C61C51
SHA1:	6744568DB0F3C288A3D5D2DCC4AC702F696723D5
SHA-256:	C6AC7551B00AEBE975775A371E401A2289F7270D88674CCA1EA1AF2E68645A89
SHA-512:	84789C797ECDA85F8619CD31E75A520EAE7813B27E70497E916743ACD47E6CAE09443EBA1852B6F1EBA38E196E1D189AF61B98F6816D6667F98AD17890CB3689
Malicious:	false
Reputation:	low
Preview:	echo Restored session: "$(/bin/date -r 1714096847)".

/Users/bernard/.bash_sessions/shlock657

Download File

Process:	/usr/bin/shlock
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	2.0
Encrypted:	false
SSDEEP:	3:bv:L
MD5:	10E705DB6A746B814E49B5ED13EB0CDD
SHA1:	E5A54B4C8E808F104E56A3D8E02269CB497F4CCC
SHA-256:	368EDA846164B56222286D7FA32728CC65AC749D44113F354480E033BE6CA9FF
SHA-512:	62BFB48D83081BF72D538C78C17585DCF3D1473176A3160774793D03D3AB7F5CFA9EB8CA279205574A83A5DE607E35EFDB6609E2107D7D8C2D8F3BDDAEF63DC9
Malicious:	false
Reputation:	low
Preview:	635.

/dev/ttys000

Download File

Process:	/bin/bash
File Type:	ASCII text
Category:	dropped
Size (bytes):	55
Entropy (8bit):	4.178541933189731
Encrypted:	false
SSDEEP:	3:6EWaw3WKHpcmLIX2L3v:6EW7m2OCv
MD5:	3E0868EAFD1323B0CE1CD226BA287923
SHA1:	EDC321C4056F0A0E3BD73C0E6A4677FED187E2FC
SHA-256:	34B887C405F07ED4B27F9F9348B490C75B81C854BF67915CC4DFC2D998CB1972
SHA-512:	AE06849CB89796C9170A5C39F0B6E898690667F09654F4A75294236880F0F402E3E5085FF39A034079176D605ACC06700EC0B6EFA98622D683F4FFF9683FEC6D
Malicious:	false
Reputation:	low
Preview:	-bash: /Users/bernard/.bash_history: Permission denied.

/private/tmp/binary

Download File

Process:	/Volumes/Notion/Notion
File Type:	Mach-O universal binary with 2 architectures: [x86_64:Mach-O 64-bit x86_64 executable] [arm64]
Category:	dropped
Size (bytes):	4045890
Entropy (8bit):	6.049275262814168
Encrypted:	false
SSDEEP:	49152:AkeP5hdwQpraS8V1HHL9DGg4Gfa9tluadMOhhv5nd18lIpG2mf/xS:uSr9igfa9/uadMOh91XGNf/xS
MD5:	334EA98682699CE32FA14B293E67F502
SHA1:	0821046B23C25C0CFDC2368D49018AEC57300716
SHA-256:	FDAAA25CC6BE47BC893F773FCD7C0D8AD6C3618BF931F4B728EB5A1D920527F5
SHA-512:	6EAA4603902D3BEC4388B0FC77045EF0FB578EFCE1994293D4CBD429EF6E0B8731C7DCC6E4908A2C25454650EC17643EEDCE8FD51420ED9283F9650E5EA47F21
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17% Antivirus: Virustotal, Detection: 2%, Browse
Reputation:	low
Preview:	..................@........................@............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

/private/tmp/xuyna/username

Download File

Process:	/tmp/binary
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	7
Entropy (8bit):	2.5216406363433186
Encrypted:	false
SSDEEP:	3:ZB:ZB
MD5:	78D6810E1299959F3A8DB157045AA926
SHA1:	0B8E0B1F37895567811A9D382317C26804F86E3A
SHA-256:	DC814A25C3AE905AD4BA942072B101599F8E7C3617C79E3B10E9C20CA8952339
SHA-512:	1D378A2C44276CC07158D94768D94FF22B0EF66EC3627E99FF0C4D5747CE11C5B26879C2C030BD29B5542A7FC51091B2EB31AC0382941D6578E849C0A82EF69A
Malicious:	false
Reputation:	low
Preview:	bernard

/private/var/run/utmpx

Download File

Process:	/usr/bin/login
File Type:	data
Category:	dropped
Size (bytes):	1256
Entropy (8bit):	0.444619173570201
Encrypted:	false
SSDEEP:	3:ZpXcV2illfolxvXplZpXcV2illfV/Dpl:Z+EillQT5lZ+Eillzl
MD5:	2A03D50FBDC5C2B757B6EA9287369DBE
SHA1:	4527363E7D46DF6EAE7E8435CAA54806C2453CB0
SHA-256:	6A1726D42F1B6DCB5BF5B1D19C632891760363EC8AD9F28281BA0AC4EF0CF547
SHA-512:	54B4B9987EE6994D52E9EF31C6D5574312FB91B39D3EE8394BF1440BD3D907AD319AF3B87F0F2E183D949677E0CF682D26E76B5A2B597D62F2E2F2595EE25748
Malicious:	false
Reputation:	low
Preview:	bernard.........................................................................................................................................................................................................................................................s000ttys000.........................z.........+flo..................................................................................................................................................................................................................................................................................................................................bernard.........................................................................................................................................................................................................................................................s000ttys000.........................z.........+flo..................................................................

Static File Info

General

File type:	zlib compressed data
Entropy (8bit):	7.927279492640909
TrID:	Disk Image (Macintosh), GPT (HFS) (47000/0) 49.21% Disk Image (Macintosh), GPT (APFS) (35500/0) 37.17% Disk Image (Macintosh), zlib, GPT (10001/1) 10.47% Disk Image (Macintosh), bzlib (best compression) (2002/1) 2.10% ZLIB compressed file (1001/1) 1.05%
File name:	R2n8x3VrH8.dmg
File size:	4'412'863 bytes
MD5:	50ea75b971ec961867377b45b29bf356
SHA1:	d68faef1b80f376cdf1524e14f8baa49f0074b9d
SHA256:	558c66e7283fed4e16cfbd7889f3d5500e89f637cc48968bed0450852083dbf1
SHA512:	647831bf84212d71e6829d7531e55ef94239150152e35068ab416108bd68c641b0088ca242c0d275a26c5e0f362f7f1bb02268a731be3a91f53e831fefb44528
SSDEEP:	98304:U/SA+ELoHf3EpQioKSHejUSOuairOrLBzvKkYc0nhBaMEcRaBDywa:U/SA+EkHfyn3ISOupO3pvG/nhBaMxRiD
TLSH:	421633BEBE5637C6EDF049F9090EA9A87CC718DF3A949419C466AC0A404C33D55C4FAB
File Content Preview:	x.c`..C.......3..~..$k.].....Nx.su.T.p..a``d.a``X_.....<.......\|](......\|.K............2..N0..A...c..x...!..........dIP.`.....LF.!"......@.*&.x........Z,..l.....ZL....Q_...Y.O.\|..E~m..9..>....M.................t....x...OlTE...o.....R.zPi.BB....Z..Z.!6$$

Archive DMG

Archived Files

File Path	File Attributes	File Size
Notion		11'032'224 bytes

Extracted Files

Notion

File path:	Notion
File size:	11'032'224 bytes
File type:	Mach-O universal binary with 2 architectures: [x86_64:Mach-O 64-bit x86_64 executable, flags:<NOUNDEFS\|DYLDLINK\|TWOLEVEL\|WEAK_DEFINES\|BINDS_TO_WEAK\|PIE>] [arm64]

Static Mach Info

General Information for header 1
Endian:	little-endian
Size:	64-bit
Architecture:	x86_64
Filetype:	execute
Nbr. of load commands:	17
Entry point:	0x100001220

segment_64 load command - aggregated: 4

Name	Value
segname	__PAGEZERO
vmaddr	0x0
vmsize	0x100000000
fileoff	0x0
filesize	0x0
maxprot	0x0
initprot	0x0
nsects	0
flags	0x0

Name

Value

segname

__TEXT

vmaddr

0x100000000

vmsize

0x528000

fileoff

0x0

filesize

0x528000

maxprot

0x5

initprot

0x5

nsects

flags

0x0

Datas

sectname	segname	addr	size	offset	entropy	align	reloff	nreloc	flags
__text	__TEXT	0x1000008D0	0x1E5D	0x8D0	6.19390035	4	0x0	0	0x80000400
__stubs	__TEXT	0x10000272E	0x14A	0x272E	3.52659187	1	0x0	0	0x80000400
__stub_helper	__TEXT	0x100002878	0x20E	0x2878	4.20546873	2	0x0	0	0x80000400
__gcc_except_tab	__TEXT	0x100002A88	0x25C	0x2A88	5.18224906	2	0x0	0	0x0
__const	__TEXT	0x100002CF0	0x7F	0x2CF0	4.08457011	4	0x0	0	0x0
__cstring	__TEXT	0x100002D6F	0x525145	0x2D6F	5.01809110	0	0x0	0	0x0
__unwind_info	__TEXT	0x100527EB4	0x140	0x527EB4	4.06096909	2	0x0	0	0x0

Name

Value

segname

__DATA

vmaddr

0x100528000

vmsize

0x4000

fileoff

0x528000

filesize

0x4000

maxprot

0x3

initprot

0x3

nsects

flags

0x0

Datas

sectname	segname	addr	size	offset	entropy	align	reloff	nreloc	flags
__nl_symbol_ptr	__DATA	0x100528000	0x8	0x528000	-0.00000000	3	0x0	0	0x0
__got	__DATA	0x100528008	0x60	0x528008	1.01951732	3	0x0	0	0x0
__la_symbol_ptr	__DATA	0x100528068	0x1B8	0x528068	2.27987117	3	0x0	0	0x0
__mod_init_func	__DATA	0x100528220	0x8	0x528220	1.54879494	3	0x0	0	0x0
__const	__DATA	0x100528228	0x170	0x528228	2.11767428	3	0x0	0	0x0
__data	__DATA	0x100528398	0x8	0x528398	1.54879494	3	0x0	0	0x0
__common	__DATA	0x1005283A0	0x18	0x0	0.00000000	4	0x0	0	0x0

Name	Value
segname	__LINKEDIT
vmaddr	0x10052C000
vmsize	0x14000
fileoff	0x52C000
filesize	0x11840
maxprot	0x1
initprot	0x1
nsects	0
flags	0x0

dyld_info_only load command - aggregated: 1

Name	Value
rebase_off	5423104
rebase_size	32
bind_off	5423136
bind_size	1104
weak_bind_off	5424240
weak_bind_size	344
lazy_bind_off	5424584
lazy_bind_size	1856
export_off	5426440
export_size	504

symtab load command - aggregated: 1

Name	Value
symoff	5426992
nsyms	124
stroff	5429472
strsize	4648

dysymtab load command - aggregated: 1

Name	Value
ilocalsym	0
nlocalsym	39
iextdefsym	39
nextdefsym	11
iundefsym	50
nundefsym	74
tocoff	0
ntoc	0
modtaboff	0
nmodtab	0
extrefsymoff	0
nextrefsyms	0
indirectsymoff	5428976
nindirectsyms	123
extreloff	0
nextrel	0
locreloff	0
nlocrel	0

load_dylinker load command - aggregated: 1

Name	Value

uuid load command - aggregated: 1

Name	Value
uuid	b603af7f-a99f-33b4-a0a2-235dd147e871

version_min_macosx load command - aggregated: 1

Name	Value
version	10.13.0
sdk	13.1.0

source_version load command - aggregated: 1

Name	Value
path	0.0.0.0.0

main load command - aggregated: 1

Name	Value

load_dylib load command - aggregated: 2

Name

Value

compatibility_version

1.0.0

current_version

1300.36.0

timestamp

1970-01-01

Datas

/usr/lib/libc++.1.dylib

Name

Value

compatibility_version

1.0.0

current_version

1319.0.0

timestamp

1970-01-01

Datas

/usr/lib/libSystem.B.dylib

function_starts load command - aggregated: 1

Name	Value
dataoff	5426944
datasize	48

data_in_code load command - aggregated: 1

Name	Value
dataoff	5426992
datasize	0

code_signature load command - aggregated: 1

Name	Value
dataoff	5434128
datasize	60720

Symbols

Name	Category	Origin	Segment Name	Bind Address	Library Name
__Z13base64_decodeRKNSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEE	EXTERNAL	LC_SYMTAB
__Z5dehexRKNSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEE	EXTERNAL	LC_SYMTAB
__Z5xuynaPv	EXTERNAL	LC_SYMTAB
__ZTINSt3__113basic_filebufIcNS_11char_traitsIcEEEE	EXTERNAL	LC_SYMTAB	__DATA	0x100528308
__ZTINSt3__114basic_ofstreamIcNS_11char_traitsIcEEEE	EXTERNAL	LC_SYMTAB	__DATA	0x100528260
__ZTSNSt3__113basic_filebufIcNS_11char_traitsIcEEEE	EXTERNAL	LC_SYMTAB	__DATA	0x100528388
__ZTSNSt3__114basic_ofstreamIcNS_11char_traitsIcEEEE	EXTERNAL	LC_SYMTAB	__DATA	0x1005282F0
__mh_execute_header	EXTERNAL	LC_SYMTAB
_base64_chars	EXTERNAL	LC_SYMTAB
_hexed	EXTERNAL	LC_SYMTAB
_main	EXTERNAL	LC_SYMTAB
GCC_except_table0	LOCAL	LC_SYMTAB
GCC_except_table10	LOCAL	LC_SYMTAB
GCC_except_table11	LOCAL	LC_SYMTAB
GCC_except_table2	LOCAL	LC_SYMTAB
GCC_except_table22	LOCAL	LC_SYMTAB
GCC_except_table23	LOCAL	LC_SYMTAB
GCC_except_table24	LOCAL	LC_SYMTAB
GCC_except_table3	LOCAL	LC_SYMTAB
GCC_except_table4	LOCAL	LC_SYMTAB
GCC_except_table5	LOCAL	LC_SYMTAB
GCC_except_table6	LOCAL	LC_SYMTAB
GCC_except_table7	LOCAL	LC_SYMTAB
GCC_except_table8	LOCAL	LC_SYMTAB
__GLOBAL__sub_I_main.cpp	LOCAL	LC_SYMTAB
__ZNKSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE20__throw_length_errorEv	LOCAL	LC_SYMTAB
__ZNSt3__113basic_filebufIcNS_11char_traitsIcEEE4syncEv	LOCAL	LC_SYMTAB
__ZNSt3__113basic_filebufIcNS_11char_traitsIcEEE5imbueERKNS_6localeE	LOCAL	LC_SYMTAB
__ZNSt3__113basic_filebufIcNS_11char_traitsIcEEE6setbufEPcl	LOCAL	LC_SYMTAB
__ZNSt3__113basic_filebufIcNS_11char_traitsIcEEE7seekoffExNS_8ios_base7seekdirEj	LOCAL	LC_SYMTAB
__ZNSt3__113basic_filebufIcNS_11char_traitsIcEEE7seekposENS_4fposI11__mbstate_tEEj	LOCAL	LC_SYMTAB
__ZNSt3__113basic_filebufIcNS_11char_traitsIcEEE8overflowEi	LOCAL	LC_SYMTAB
__ZNSt3__113basic_filebufIcNS_11char_traitsIcEEE9pbackfailEi	LOCAL	LC_SYMTAB
__ZNSt3__113basic_filebufIcNS_11char_traitsIcEEE9underflowEv	LOCAL	LC_SYMTAB
__ZNSt3__113basic_filebufIcNS_11char_traitsIcEEEC2Ev	LOCAL	LC_SYMTAB
__ZNSt3__113basic_filebufIcNS_11char_traitsIcEEED0Ev	LOCAL	LC_SYMTAB
__ZNSt3__113basic_filebufIcNS_11char_traitsIcEEED1Ev	LOCAL	LC_SYMTAB
__ZNSt3__113basic_filebufIcNS_11char_traitsIcEEED2Ev	LOCAL	LC_SYMTAB
__ZNSt3__114basic_ofstreamIcNS_11char_traitsIcEEED0Ev	LOCAL	LC_SYMTAB
__ZNSt3__114basic_ofstreamIcNS_11char_traitsIcEEED1Ev	LOCAL	LC_SYMTAB
__ZNSt3__116__pad_and_outputIcNS_11char_traitsIcEEEENS_19ostreambuf_iteratorIT_T0_EES6_PKS4_S8_S8_RNS_8ios_baseES4_	LOCAL	LC_SYMTAB
__ZNSt3__124__put_character_sequenceIcNS_11char_traitsIcEEEERNS_13basic_ostreamIT_T0_EES7_PKS4_m	LOCAL	LC_SYMTAB
__ZNSt3__1L16__throw_bad_castEv	LOCAL	LC_SYMTAB
__ZTCNSt3__114basic_ofstreamIcNS_11char_traitsIcEEEE0_NS_13basic_ostreamIcS2_EE	LOCAL	LC_SYMTAB
__ZTTNSt3__114basic_ofstreamIcNS_11char_traitsIcEEEE	LOCAL	LC_SYMTAB
__ZTVNSt3__113basic_filebufIcNS_11char_traitsIcEEEE	LOCAL	LC_SYMTAB
__ZTVNSt3__114basic_ofstreamIcNS_11char_traitsIcEEEE	LOCAL	LC_SYMTAB
__ZTv0_n24_NSt3__114basic_ofstreamIcNS_11char_traitsIcEEED0Ev	LOCAL	LC_SYMTAB
__ZTv0_n24_NSt3__114basic_ofstreamIcNS_11char_traitsIcEEED1Ev	LOCAL	LC_SYMTAB
___clang_call_terminate	LOCAL	LC_SYMTAB
__Unwind_Resume	UNDEFINED	LC_SYMTAB	__DATA	0x100528068	/usr/lib/libSystem.B.dylib
__ZNKSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE4findEcm	UNDEFINED	LC_SYMTAB	__DATA	0x100528070	/usr/lib/libc++.1.dylib
__ZNKSt3__121__basic_string_commonILb1EE20__throw_length_errorEv	UNDEFINED	LC_SYMTAB	__DATA	0x100528078	/usr/lib/libc++.1.dylib
__ZNKSt3__16locale9has_facetERNS0_2idE	UNDEFINED	LC_SYMTAB	__DATA	0x100528080	/usr/lib/libc++.1.dylib
__ZNKSt3__16locale9use_facetERNS0_2idE	UNDEFINED	LC_SYMTAB	__DATA	0x100528088	/usr/lib/libc++.1.dylib
__ZNKSt3__18ios_base6getlocEv	UNDEFINED	LC_SYMTAB	__DATA	0x100528090	/usr/lib/libc++.1.dylib
__ZNSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE9push_backEc	UNDEFINED	LC_SYMTAB	__DATA	0x100528098	/usr/lib/libc++.1.dylib
__ZNSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEC1ERKS5_	UNDEFINED	LC_SYMTAB	__DATA	0x1005280A0	/usr/lib/libc++.1.dylib
__ZNSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEC1ERKS5_mmRKS4_	UNDEFINED	LC_SYMTAB	__DATA	0x1005280A8	/usr/lib/libc++.1.dylib
__ZNSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEED1Ev	UNDEFINED	LC_SYMTAB	__DATA	0x100528008	/usr/lib/libc++.1.dylib
__ZNSt3__113basic_ostreamIcNS_11char_traitsIcEEE6sentryC1ERS3_	UNDEFINED	LC_SYMTAB	__DATA	0x1005280B0	/usr/lib/libc++.1.dylib
__ZNSt3__113basic_ostreamIcNS_11char_traitsIcEEE6sentryD1Ev	UNDEFINED	LC_SYMTAB	__DATA	0x1005280B8	/usr/lib/libc++.1.dylib
__ZNSt3__113basic_ostreamIcNS_11char_traitsIcEEED0Ev	UNDEFINED	LC_SYMTAB	__DATA	0x1005282B8	/usr/lib/libc++.1.dylib
__ZNSt3__113basic_ostreamIcNS_11char_traitsIcEEED1Ev	UNDEFINED	LC_SYMTAB	__DATA	0x1005282B0	/usr/lib/libc++.1.dylib
__ZNSt3__113basic_ostreamIcNS_11char_traitsIcEEED2Ev	UNDEFINED	LC_SYMTAB	__DATA	0x1005280C0	/usr/lib/libc++.1.dylib
__ZNSt3__115basic_streambufIcNS_11char_traitsIcEEE5uflowEv	UNDEFINED	LC_SYMTAB	__DATA	0x100528360	/usr/lib/libc++.1.dylib
__ZNSt3__115basic_streambufIcNS_11char_traitsIcEEE6xsgetnEPcl	UNDEFINED	LC_SYMTAB	__DATA	0x100528350	/usr/lib/libc++.1.dylib
__ZNSt3__115basic_streambufIcNS_11char_traitsIcEEE6xsputnEPKcl	UNDEFINED	LC_SYMTAB	__DATA	0x100528370	/usr/lib/libc++.1.dylib
__ZNSt3__115basic_streambufIcNS_11char_traitsIcEEE9showmanycEv	UNDEFINED	LC_SYMTAB	__DATA	0x100528348	/usr/lib/libc++.1.dylib
__ZNSt3__115basic_streambufIcNS_11char_traitsIcEEEC2Ev	UNDEFINED	LC_SYMTAB	__DATA	0x1005280C8	/usr/lib/libc++.1.dylib
__ZNSt3__115basic_streambufIcNS_11char_traitsIcEEED2Ev	UNDEFINED	LC_SYMTAB	__DATA	0x1005280D0	/usr/lib/libc++.1.dylib
__ZNSt3__15ctypeIcE2idE	UNDEFINED	LC_SYMTAB	__DATA	0x100528010	/usr/lib/libc++.1.dylib
__ZNSt3__15stollERKNS_12basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEEPmi	UNDEFINED	LC_SYMTAB	__DATA	0x1005280D8	/usr/lib/libc++.1.dylib
__ZNSt3__16localeC1ERKS0_	UNDEFINED	LC_SYMTAB	__DATA	0x1005280E0	/usr/lib/libc++.1.dylib
__ZNSt3__16localeD1Ev	UNDEFINED	LC_SYMTAB	__DATA	0x1005280E8	/usr/lib/libc++.1.dylib
__ZNSt3__17codecvtIcc11__mbstate_tE2idE	UNDEFINED	LC_SYMTAB	__DATA	0x100528018	/usr/lib/libc++.1.dylib
__ZNSt3__18ios_base33__set_badbit_and_consider_rethrowEv	UNDEFINED	LC_SYMTAB	__DATA	0x1005280F0	/usr/lib/libc++.1.dylib
__ZNSt3__18ios_base4initEPv	UNDEFINED	LC_SYMTAB	__DATA	0x1005280F8	/usr/lib/libc++.1.dylib
__ZNSt3__18ios_base5clearEj	UNDEFINED	LC_SYMTAB	__DATA	0x100528100	/usr/lib/libc++.1.dylib
__ZNSt3__19basic_iosIcNS_11char_traitsIcEEED2Ev	UNDEFINED	LC_SYMTAB	__DATA	0x100528108	/usr/lib/libc++.1.dylib
__ZNSt3__1plIcNS_11char_traitsIcEENS_9allocatorIcEEEENS_12basic_stringIT_T0_T1_EEPKS6_RKS9_	UNDEFINED	LC_SYMTAB	__DATA	0x100528110	/usr/lib/libc++.1.dylib
__ZNSt8bad_castC1Ev	UNDEFINED	LC_SYMTAB	__DATA	0x100528118	/usr/lib/libc++.1.dylib
__ZNSt8bad_castD1Ev	UNDEFINED	LC_SYMTAB	__DATA	0x100528020	/usr/lib/libc++.1.dylib
__ZSt9terminatev	UNDEFINED	LC_SYMTAB	__DATA	0x100528120	/usr/lib/libc++.1.dylib
__ZTINSt3__113basic_ostreamIcNS_11char_traitsIcEEEE	UNDEFINED	LC_SYMTAB	__DATA	0x1005282F8	/usr/lib/libc++.1.dylib
__ZTINSt3__115basic_streambufIcNS_11char_traitsIcEEEE	UNDEFINED	LC_SYMTAB	__DATA	0x100528390	/usr/lib/libc++.1.dylib
__ZTISt8bad_cast	UNDEFINED	LC_SYMTAB	__DATA	0x100528030	/usr/lib/libc++.1.dylib
__ZTVN10__cxxabiv120__si_class_type_infoE	UNDEFINED	LC_SYMTAB	__DATA	0x100528380	/usr/lib/libc++.1.dylib
__ZTv0_n24_NSt3__113basic_ostreamIcNS_11char_traitsIcEEED0Ev	UNDEFINED	LC_SYMTAB	__DATA	0x1005282E0	/usr/lib/libc++.1.dylib
__ZTv0_n24_NSt3__113basic_ostreamIcNS_11char_traitsIcEEED1Ev	UNDEFINED	LC_SYMTAB	__DATA	0x1005282D8	/usr/lib/libc++.1.dylib
__ZdaPv	UNDEFINED	LC_SYMTAB	__DATA	0x100528128
__ZdlPv	UNDEFINED	LC_SYMTAB	__DATA	0x100528130
__Znam	UNDEFINED	LC_SYMTAB	__DATA	0x100528138
__Znwm	UNDEFINED	LC_SYMTAB	__DATA	0x100528140
___bzero	UNDEFINED	LC_SYMTAB	__DATA	0x100528148	/usr/lib/libSystem.B.dylib
___cxa_allocate_exception	UNDEFINED	LC_SYMTAB	__DATA	0x100528150	/usr/lib/libc++.1.dylib
___cxa_atexit	UNDEFINED	LC_SYMTAB	__DATA	0x100528158	/usr/lib/libSystem.B.dylib
___cxa_begin_catch	UNDEFINED	LC_SYMTAB	__DATA	0x100528160	/usr/lib/libc++.1.dylib
___cxa_call_unexpected	UNDEFINED	LC_SYMTAB	__DATA	0x100528168	/usr/lib/libc++.1.dylib
___cxa_end_catch	UNDEFINED	LC_SYMTAB	__DATA	0x100528170	/usr/lib/libc++.1.dylib
___cxa_throw	UNDEFINED	LC_SYMTAB	__DATA	0x100528178	/usr/lib/libc++.1.dylib
___gxx_personality_v0	UNDEFINED	LC_SYMTAB	__DATA	0x100528050	/usr/lib/libc++.1.dylib
___stack_chk_fail	UNDEFINED	LC_SYMTAB	__DATA	0x100528180	/usr/lib/libSystem.B.dylib
___stack_chk_guard	UNDEFINED	LC_SYMTAB	__DATA	0x100528058	/usr/lib/libSystem.B.dylib
_exit	UNDEFINED	LC_SYMTAB	__DATA	0x100528188	/usr/lib/libSystem.B.dylib
_fclose	UNDEFINED	LC_SYMTAB	__DATA	0x100528190	/usr/lib/libSystem.B.dylib
_fflush	UNDEFINED	LC_SYMTAB	__DATA	0x100528198	/usr/lib/libSystem.B.dylib
_fopen	UNDEFINED	LC_SYMTAB	__DATA	0x1005281A0	/usr/lib/libSystem.B.dylib
_fork	UNDEFINED	LC_SYMTAB	__DATA	0x1005281A8	/usr/lib/libSystem.B.dylib
_fread	UNDEFINED	LC_SYMTAB	__DATA	0x1005281B0	/usr/lib/libSystem.B.dylib
_fseeko	UNDEFINED	LC_SYMTAB	__DATA	0x1005281B8	/usr/lib/libSystem.B.dylib
_ftello	UNDEFINED	LC_SYMTAB	__DATA	0x1005281C0	/usr/lib/libSystem.B.dylib
_fwrite	UNDEFINED	LC_SYMTAB	__DATA	0x1005281C8	/usr/lib/libSystem.B.dylib
_memcpy	UNDEFINED	LC_SYMTAB	__DATA	0x1005281D0	/usr/lib/libSystem.B.dylib
_memmove	UNDEFINED	LC_SYMTAB	__DATA	0x1005281D8	/usr/lib/libSystem.B.dylib
_memset	UNDEFINED	LC_SYMTAB	__DATA	0x1005281E0	/usr/lib/libSystem.B.dylib
_pthread_create	UNDEFINED	LC_SYMTAB	__DATA	0x1005281E8	/usr/lib/libSystem.B.dylib
_pthread_join	UNDEFINED	LC_SYMTAB	__DATA	0x1005281F0	/usr/lib/libSystem.B.dylib
_setsid	UNDEFINED	LC_SYMTAB	__DATA	0x1005281F8	/usr/lib/libSystem.B.dylib
_signal	UNDEFINED	LC_SYMTAB	__DATA	0x100528200	/usr/lib/libSystem.B.dylib
_sleep	UNDEFINED	LC_SYMTAB	__DATA	0x100528208	/usr/lib/libSystem.B.dylib
_strlen	UNDEFINED	LC_SYMTAB	__DATA	0x100528210	/usr/lib/libSystem.B.dylib
_system	UNDEFINED	LC_SYMTAB	__DATA	0x100528218	/usr/lib/libSystem.B.dylib
dyld_stub_binder	UNDEFINED	LC_SYMTAB	__DATA	0x100528060	/usr/lib/libSystem.B.dylib

General Information for header 2
Endian:	little-endian
Size:	64-bit
Architecture:	arm64
Filetype:	execute
Nbr. of load commands:	18
Entry point:	0x1000011C0

segment_64 load command - aggregated: 5

Name	Value
segname	__PAGEZERO
vmaddr	0x0
vmsize	0x100000000
fileoff	0x0
filesize	0x0
maxprot	0x0
initprot	0x0
nsects	0
flags	0x0

Name

Value

segname

__TEXT

vmaddr

0x100000000

vmsize

0x528000

fileoff

0x0

filesize

0x528000

maxprot

0x5

initprot

0x5

nsects

flags

0x0

Datas

sectname	segname	addr	size	offset	entropy	align	reloff	nreloc	flags
__text	__TEXT	0x100000944	0x1C60	0x944	6.24974284	2	0x0	0	0x80000400
__stubs	__TEXT	0x1000025A4	0x288	0x25A4	3.87561405	2	0x0	0	0x80000400
__stub_helper	__TEXT	0x10000282C	0x270	0x282C	3.97135960	2	0x0	0	0x80000400
__gcc_except_tab	__TEXT	0x100002A9C	0x264	0x2A9C	4.73789222	2	0x0	0	0x0
__const	__TEXT	0x100002D00	0x7F	0x2D00	4.16804082	4	0x0	0	0x0
__cstring	__TEXT	0x100002D7F	0x525145	0x2D7F	5.01809110	0	0x0	0	0x0
__unwind_info	__TEXT	0x100527EC4	0x130	0x527EC4	3.86044824	2	0x0	0	0x0

Name

Value

segname

__DATA_CONST

vmaddr

0x100528000

vmsize

0x4000

fileoff

0x528000

filesize

0x4000

maxprot

0x3

initprot

0x3

nsects

flags

0x10

Datas

sectname	segname	addr	size	offset	entropy	align	reloff	nreloc	flags
__got	__DATA_CONST	0x100528000	0x60	0x528000	1.10049234	3	0x0	0	0x0
__mod_init_func	__DATA_CONST	0x100528060	0x8	0x528060	1.54879494	3	0x0	0	0x0
__const	__DATA_CONST	0x100528068	0x170	0x528068	2.21794266	3	0x0	0	0x0

Name

Value

segname

__DATA

vmaddr

0x10052C000

vmsize

0x4000

fileoff

0x52C000

filesize

0x4000

maxprot

0x3

initprot

0x3

nsects

flags

0x0

Datas

sectname	segname	addr	size	offset	entropy	align	reloff	nreloc	flags
__la_symbol_ptr	__DATA	0x10052C000	0x1B0	0x52C000	2.28043763	3	0x0	0	0x0
__data	__DATA	0x10052C1B0	0x10	0x52C1B0	0.99339273	3	0x0	0	0x0
__common	__DATA	0x10052C1C0	0x18	0x0	0.00000000	3	0x0	0	0x0

Name	Value
segname	__LINKEDIT
vmaddr	0x100530000
vmsize	0x14000
fileoff	0x530000
filesize	0x116A0
maxprot	0x1
initprot	0x1
nsects	0
flags	0x0

dyld_info_only load command - aggregated: 1

Name	Value
rebase_off	5439488
rebase_size	32
bind_off	5439520
bind_size	1088
weak_bind_off	5440608
weak_bind_size	88
lazy_bind_off	5440696
lazy_bind_size	1824
export_off	5442520
export_size	280

symtab load command - aggregated: 1

Name	Value
symoff	5442848
nsyms	124
stroff	5445312
strsize	4648

dysymtab load command - aggregated: 1

Name	Value
ilocalsym	0
nlocalsym	44
iextdefsym	44
nextdefsym	7
iundefsym	51
nundefsym	73
tocoff	0
ntoc	0
modtaboff	0
nmodtab	0
extrefsymoff	0
nextrefsyms	0
indirectsymoff	5444832
nindirectsyms	120
extreloff	0
nextrel	0
locreloff	0
nlocrel	0

load_dylinker load command - aggregated: 1

Name	Value

uuid load command - aggregated: 1

Name	Value
uuid	4fdf244a-2dbd-3789-a535-57f342b41fe4

build_version load command - aggregated: 1

Name	Value

source_version load command - aggregated: 1

Name	Value
path	0.0.0.0.0

main load command - aggregated: 1

Name	Value

load_dylib load command - aggregated: 2

Name

Value

compatibility_version

1.0.0

current_version

1300.36.0

timestamp

1970-01-01

Datas

/usr/lib/libc++.1.dylib

Name

Value

compatibility_version

1.0.0

current_version

1319.0.0

timestamp

1970-01-01

Datas

/usr/lib/libSystem.B.dylib

function_starts load command - aggregated: 1

Name	Value
dataoff	5442800
datasize	48

data_in_code load command - aggregated: 1

Name	Value
dataoff	5442848
datasize	0

code_signature load command - aggregated: 1

Name	Value
dataoff	5449968
datasize	60848

Symbols

Name	Category	Origin	Segment Name	Bind Address	Library Name
__Z13base64_decodeRKNSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEE	EXTERNAL	LC_SYMTAB
__Z5dehexRKNSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEE	EXTERNAL	LC_SYMTAB
__Z5xuynaPv	EXTERNAL	LC_SYMTAB
__mh_execute_header	EXTERNAL	LC_SYMTAB
_base64_chars	EXTERNAL	LC_SYMTAB
_hexed	EXTERNAL	LC_SYMTAB
_main	EXTERNAL	LC_SYMTAB
GCC_except_table0	LOCAL	LC_SYMTAB
GCC_except_table10	LOCAL	LC_SYMTAB
GCC_except_table11	LOCAL	LC_SYMTAB
GCC_except_table2	LOCAL	LC_SYMTAB
GCC_except_table22	LOCAL	LC_SYMTAB
GCC_except_table23	LOCAL	LC_SYMTAB
GCC_except_table24	LOCAL	LC_SYMTAB
GCC_except_table3	LOCAL	LC_SYMTAB
GCC_except_table4	LOCAL	LC_SYMTAB
GCC_except_table5	LOCAL	LC_SYMTAB
GCC_except_table6	LOCAL	LC_SYMTAB
GCC_except_table7	LOCAL	LC_SYMTAB
GCC_except_table8	LOCAL	LC_SYMTAB
__GLOBAL__sub_I_main.cpp	LOCAL	LC_SYMTAB
__ZNKSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE20__throw_length_errorEv	LOCAL	LC_SYMTAB
__ZNSt3__113basic_filebufIcNS_11char_traitsIcEEE4syncEv	LOCAL	LC_SYMTAB
__ZNSt3__113basic_filebufIcNS_11char_traitsIcEEE5imbueERKNS_6localeE	LOCAL	LC_SYMTAB
__ZNSt3__113basic_filebufIcNS_11char_traitsIcEEE6setbufEPcl	LOCAL	LC_SYMTAB
__ZNSt3__113basic_filebufIcNS_11char_traitsIcEEE7seekoffExNS_8ios_base7seekdirEj	LOCAL	LC_SYMTAB
__ZNSt3__113basic_filebufIcNS_11char_traitsIcEEE7seekposENS_4fposI11__mbstate_tEEj	LOCAL	LC_SYMTAB
__ZNSt3__113basic_filebufIcNS_11char_traitsIcEEE8overflowEi	LOCAL	LC_SYMTAB
__ZNSt3__113basic_filebufIcNS_11char_traitsIcEEE9pbackfailEi	LOCAL	LC_SYMTAB
__ZNSt3__113basic_filebufIcNS_11char_traitsIcEEE9underflowEv	LOCAL	LC_SYMTAB
__ZNSt3__113basic_filebufIcNS_11char_traitsIcEEEC2Ev	LOCAL	LC_SYMTAB
__ZNSt3__113basic_filebufIcNS_11char_traitsIcEEED0Ev	LOCAL	LC_SYMTAB
__ZNSt3__113basic_filebufIcNS_11char_traitsIcEEED1Ev	LOCAL	LC_SYMTAB
__ZNSt3__113basic_filebufIcNS_11char_traitsIcEEED2Ev	LOCAL	LC_SYMTAB
__ZNSt3__114basic_ofstreamIcNS_11char_traitsIcEEED0Ev	LOCAL	LC_SYMTAB
__ZNSt3__114basic_ofstreamIcNS_11char_traitsIcEEED1Ev	LOCAL	LC_SYMTAB
__ZNSt3__116__pad_and_outputIcNS_11char_traitsIcEEEENS_19ostreambuf_iteratorIT_T0_EES6_PKS4_S8_S8_RNS_8ios_baseES4_	LOCAL	LC_SYMTAB
__ZNSt3__124__put_character_sequenceIcNS_11char_traitsIcEEEERNS_13basic_ostreamIT_T0_EES7_PKS4_m	LOCAL	LC_SYMTAB
__ZNSt3__1L16__throw_bad_castEv	LOCAL	LC_SYMTAB
__ZTCNSt3__114basic_ofstreamIcNS_11char_traitsIcEEEE0_NS_13basic_ostreamIcS2_EE	LOCAL	LC_SYMTAB
__ZTINSt3__113basic_filebufIcNS_11char_traitsIcEEEE	LOCAL	LC_SYMTAB
__ZTINSt3__114basic_ofstreamIcNS_11char_traitsIcEEEE	LOCAL	LC_SYMTAB
__ZTSNSt3__113basic_filebufIcNS_11char_traitsIcEEEE	LOCAL	LC_SYMTAB
__ZTSNSt3__114basic_ofstreamIcNS_11char_traitsIcEEEE	LOCAL	LC_SYMTAB
__ZTTNSt3__114basic_ofstreamIcNS_11char_traitsIcEEEE	LOCAL	LC_SYMTAB
__ZTVNSt3__113basic_filebufIcNS_11char_traitsIcEEEE	LOCAL	LC_SYMTAB
__ZTVNSt3__114basic_ofstreamIcNS_11char_traitsIcEEEE	LOCAL	LC_SYMTAB
__ZTv0_n24_NSt3__114basic_ofstreamIcNS_11char_traitsIcEEED0Ev	LOCAL	LC_SYMTAB
__ZTv0_n24_NSt3__114basic_ofstreamIcNS_11char_traitsIcEEED1Ev	LOCAL	LC_SYMTAB
___clang_call_terminate	LOCAL	LC_SYMTAB
__dyld_private	LOCAL	LC_SYMTAB
__Unwind_Resume	UNDEFINED	LC_SYMTAB	__DATA	0x10052C000	/usr/lib/libSystem.B.dylib
__ZNKSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE4findEcm	UNDEFINED	LC_SYMTAB	__DATA	0x10052C008	/usr/lib/libc++.1.dylib
__ZNKSt3__121__basic_string_commonILb1EE20__throw_length_errorEv	UNDEFINED	LC_SYMTAB	__DATA	0x10052C010	/usr/lib/libc++.1.dylib
__ZNKSt3__16locale9has_facetERNS0_2idE	UNDEFINED	LC_SYMTAB	__DATA	0x10052C018	/usr/lib/libc++.1.dylib
__ZNKSt3__16locale9use_facetERNS0_2idE	UNDEFINED	LC_SYMTAB	__DATA	0x10052C020	/usr/lib/libc++.1.dylib
__ZNKSt3__18ios_base6getlocEv	UNDEFINED	LC_SYMTAB	__DATA	0x10052C028	/usr/lib/libc++.1.dylib
__ZNSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE9push_backEc	UNDEFINED	LC_SYMTAB	__DATA	0x10052C030	/usr/lib/libc++.1.dylib
__ZNSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEC1ERKS5_	UNDEFINED	LC_SYMTAB	__DATA	0x10052C038	/usr/lib/libc++.1.dylib
__ZNSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEC1ERKS5_mmRKS4_	UNDEFINED	LC_SYMTAB	__DATA	0x10052C040	/usr/lib/libc++.1.dylib
__ZNSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEED1Ev	UNDEFINED	LC_SYMTAB	__DATA_CONST	0x100528000	/usr/lib/libc++.1.dylib
__ZNSt3__113basic_ostreamIcNS_11char_traitsIcEEE6sentryC1ERS3_	UNDEFINED	LC_SYMTAB	__DATA	0x10052C048	/usr/lib/libc++.1.dylib
__ZNSt3__113basic_ostreamIcNS_11char_traitsIcEEE6sentryD1Ev	UNDEFINED	LC_SYMTAB	__DATA	0x10052C050	/usr/lib/libc++.1.dylib
__ZNSt3__113basic_ostreamIcNS_11char_traitsIcEEED0Ev	UNDEFINED	LC_SYMTAB	__DATA_CONST	0x1005280F8	/usr/lib/libc++.1.dylib
__ZNSt3__113basic_ostreamIcNS_11char_traitsIcEEED1Ev	UNDEFINED	LC_SYMTAB	__DATA_CONST	0x1005280F0	/usr/lib/libc++.1.dylib
__ZNSt3__113basic_ostreamIcNS_11char_traitsIcEEED2Ev	UNDEFINED	LC_SYMTAB	__DATA	0x10052C058	/usr/lib/libc++.1.dylib
__ZNSt3__115basic_streambufIcNS_11char_traitsIcEEE5uflowEv	UNDEFINED	LC_SYMTAB	__DATA_CONST	0x1005281A0	/usr/lib/libc++.1.dylib
__ZNSt3__115basic_streambufIcNS_11char_traitsIcEEE6xsgetnEPcl	UNDEFINED	LC_SYMTAB	__DATA_CONST	0x100528190	/usr/lib/libc++.1.dylib
__ZNSt3__115basic_streambufIcNS_11char_traitsIcEEE6xsputnEPKcl	UNDEFINED	LC_SYMTAB	__DATA_CONST	0x1005281B0	/usr/lib/libc++.1.dylib
__ZNSt3__115basic_streambufIcNS_11char_traitsIcEEE9showmanycEv	UNDEFINED	LC_SYMTAB	__DATA_CONST	0x100528188	/usr/lib/libc++.1.dylib
__ZNSt3__115basic_streambufIcNS_11char_traitsIcEEEC2Ev	UNDEFINED	LC_SYMTAB	__DATA	0x10052C060	/usr/lib/libc++.1.dylib
__ZNSt3__115basic_streambufIcNS_11char_traitsIcEEED2Ev	UNDEFINED	LC_SYMTAB	__DATA	0x10052C068	/usr/lib/libc++.1.dylib
__ZNSt3__15ctypeIcE2idE	UNDEFINED	LC_SYMTAB	__DATA_CONST	0x100528008	/usr/lib/libc++.1.dylib
__ZNSt3__15stollERKNS_12basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEEEPmi	UNDEFINED	LC_SYMTAB	__DATA	0x10052C070	/usr/lib/libc++.1.dylib
__ZNSt3__16localeC1ERKS0_	UNDEFINED	LC_SYMTAB	__DATA	0x10052C078	/usr/lib/libc++.1.dylib
__ZNSt3__16localeD1Ev	UNDEFINED	LC_SYMTAB	__DATA	0x10052C080	/usr/lib/libc++.1.dylib
__ZNSt3__17codecvtIcc11__mbstate_tE2idE	UNDEFINED	LC_SYMTAB	__DATA_CONST	0x100528010	/usr/lib/libc++.1.dylib
__ZNSt3__18ios_base33__set_badbit_and_consider_rethrowEv	UNDEFINED	LC_SYMTAB	__DATA	0x10052C088	/usr/lib/libc++.1.dylib
__ZNSt3__18ios_base4initEPv	UNDEFINED	LC_SYMTAB	__DATA	0x10052C090	/usr/lib/libc++.1.dylib
__ZNSt3__18ios_base5clearEj	UNDEFINED	LC_SYMTAB	__DATA	0x10052C098	/usr/lib/libc++.1.dylib
__ZNSt3__19basic_iosIcNS_11char_traitsIcEEED2Ev	UNDEFINED	LC_SYMTAB	__DATA	0x10052C0A0	/usr/lib/libc++.1.dylib
__ZNSt3__1plIcNS_11char_traitsIcEENS_9allocatorIcEEEENS_12basic_stringIT_T0_T1_EEPKS6_RKS9_	UNDEFINED	LC_SYMTAB	__DATA	0x10052C0A8	/usr/lib/libc++.1.dylib
__ZNSt8bad_castC1Ev	UNDEFINED	LC_SYMTAB	__DATA	0x10052C0B0	/usr/lib/libc++.1.dylib
__ZNSt8bad_castD1Ev	UNDEFINED	LC_SYMTAB	__DATA_CONST	0x100528018	/usr/lib/libc++.1.dylib
__ZSt9terminatev	UNDEFINED	LC_SYMTAB	__DATA	0x10052C0B8	/usr/lib/libc++.1.dylib
__ZTINSt3__113basic_ostreamIcNS_11char_traitsIcEEEE	UNDEFINED	LC_SYMTAB	__DATA_CONST	0x100528138	/usr/lib/libc++.1.dylib
__ZTINSt3__115basic_streambufIcNS_11char_traitsIcEEEE	UNDEFINED	LC_SYMTAB	__DATA_CONST	0x1005281D0	/usr/lib/libc++.1.dylib
__ZTISt8bad_cast	UNDEFINED	LC_SYMTAB	__DATA_CONST	0x100528028	/usr/lib/libc++.1.dylib
__ZTVN10__cxxabiv120__si_class_type_infoE	UNDEFINED	LC_SYMTAB	__DATA_CONST	0x1005281C0	/usr/lib/libc++.1.dylib
__ZTv0_n24_NSt3__113basic_ostreamIcNS_11char_traitsIcEEED0Ev	UNDEFINED	LC_SYMTAB	__DATA_CONST	0x100528120	/usr/lib/libc++.1.dylib
__ZTv0_n24_NSt3__113basic_ostreamIcNS_11char_traitsIcEEED1Ev	UNDEFINED	LC_SYMTAB	__DATA_CONST	0x100528118	/usr/lib/libc++.1.dylib
__ZdaPv	UNDEFINED	LC_SYMTAB	__DATA	0x10052C0C0
__ZdlPv	UNDEFINED	LC_SYMTAB	__DATA	0x10052C0C8
__Znam	UNDEFINED	LC_SYMTAB	__DATA	0x10052C0D0
__Znwm	UNDEFINED	LC_SYMTAB	__DATA	0x10052C0D8
___cxa_allocate_exception	UNDEFINED	LC_SYMTAB	__DATA	0x10052C0E0	/usr/lib/libc++.1.dylib
___cxa_atexit	UNDEFINED	LC_SYMTAB	__DATA	0x10052C0E8	/usr/lib/libSystem.B.dylib
___cxa_begin_catch	UNDEFINED	LC_SYMTAB	__DATA	0x10052C0F0	/usr/lib/libc++.1.dylib
___cxa_call_unexpected	UNDEFINED	LC_SYMTAB	__DATA	0x10052C0F8	/usr/lib/libc++.1.dylib
___cxa_end_catch	UNDEFINED	LC_SYMTAB	__DATA	0x10052C100	/usr/lib/libc++.1.dylib
___cxa_throw	UNDEFINED	LC_SYMTAB	__DATA	0x10052C108	/usr/lib/libc++.1.dylib
___gxx_personality_v0	UNDEFINED	LC_SYMTAB	__DATA_CONST	0x100528048	/usr/lib/libc++.1.dylib
___stack_chk_fail	UNDEFINED	LC_SYMTAB	__DATA	0x10052C110	/usr/lib/libSystem.B.dylib
___stack_chk_guard	UNDEFINED	LC_SYMTAB	__DATA_CONST	0x100528050	/usr/lib/libSystem.B.dylib
_exit	UNDEFINED	LC_SYMTAB	__DATA	0x10052C118	/usr/lib/libSystem.B.dylib
_fclose	UNDEFINED	LC_SYMTAB	__DATA	0x10052C120	/usr/lib/libSystem.B.dylib
_fflush	UNDEFINED	LC_SYMTAB	__DATA	0x10052C128	/usr/lib/libSystem.B.dylib
_fopen	UNDEFINED	LC_SYMTAB	__DATA	0x10052C130	/usr/lib/libSystem.B.dylib
_fork	UNDEFINED	LC_SYMTAB	__DATA	0x10052C138	/usr/lib/libSystem.B.dylib
_fread	UNDEFINED	LC_SYMTAB	__DATA	0x10052C140	/usr/lib/libSystem.B.dylib
_fseeko	UNDEFINED	LC_SYMTAB	__DATA	0x10052C148	/usr/lib/libSystem.B.dylib
_ftello	UNDEFINED	LC_SYMTAB	__DATA	0x10052C150	/usr/lib/libSystem.B.dylib
_fwrite	UNDEFINED	LC_SYMTAB	__DATA	0x10052C158	/usr/lib/libSystem.B.dylib
_memcpy	UNDEFINED	LC_SYMTAB	__DATA	0x10052C160	/usr/lib/libSystem.B.dylib
_memmove	UNDEFINED	LC_SYMTAB	__DATA	0x10052C168	/usr/lib/libSystem.B.dylib
_memset	UNDEFINED	LC_SYMTAB	__DATA	0x10052C170	/usr/lib/libSystem.B.dylib
_pthread_create	UNDEFINED	LC_SYMTAB	__DATA	0x10052C178	/usr/lib/libSystem.B.dylib
_pthread_join	UNDEFINED	LC_SYMTAB	__DATA	0x10052C180	/usr/lib/libSystem.B.dylib
_setsid	UNDEFINED	LC_SYMTAB	__DATA	0x10052C188	/usr/lib/libSystem.B.dylib
_signal	UNDEFINED	LC_SYMTAB	__DATA	0x10052C190	/usr/lib/libSystem.B.dylib
_sleep	UNDEFINED	LC_SYMTAB	__DATA	0x10052C198	/usr/lib/libSystem.B.dylib
_strlen	UNDEFINED	LC_SYMTAB	__DATA	0x10052C1A0	/usr/lib/libSystem.B.dylib
_system	UNDEFINED	LC_SYMTAB	__DATA	0x10052C1A8	/usr/lib/libSystem.B.dylib
dyld_stub_binder	UNDEFINED	LC_SYMTAB	__DATA_CONST	0x100528058	/usr/lib/libSystem.B.dylib

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 26, 2024 04:00:34.265036106 CEST	443	49350	151.101.131.6	192.168.11.12
Apr 26, 2024 04:00:34.267462969 CEST	443	49350	151.101.131.6	192.168.11.12
Apr 26, 2024 04:00:34.267540932 CEST	443	49350	151.101.131.6	192.168.11.12
Apr 26, 2024 04:00:34.267599106 CEST	443	49350	151.101.131.6	192.168.11.12
Apr 26, 2024 04:00:34.267653942 CEST	443	49350	151.101.131.6	192.168.11.12
Apr 26, 2024 04:00:34.267699957 CEST	443	49350	151.101.131.6	192.168.11.12
Apr 26, 2024 04:00:34.269084930 CEST	49350	443	192.168.11.12	151.101.131.6
Apr 26, 2024 04:00:34.269373894 CEST	49350	443	192.168.11.12	151.101.131.6
Apr 26, 2024 04:00:34.269428968 CEST	49350	443	192.168.11.12	151.101.131.6
Apr 26, 2024 04:00:34.269597054 CEST	49350	443	192.168.11.12	151.101.131.6
Apr 26, 2024 04:00:34.274720907 CEST	49350	443	192.168.11.12	151.101.131.6
Apr 26, 2024 04:00:34.378768921 CEST	443	49350	151.101.131.6	192.168.11.12
Apr 26, 2024 04:00:34.378834963 CEST	443	49350	151.101.131.6	192.168.11.12
Apr 26, 2024 04:00:34.380311012 CEST	49350	443	192.168.11.12	151.101.131.6
Apr 26, 2024 04:00:34.508780003 CEST	49346	443	192.168.11.12	17.248.228.69
Apr 26, 2024 04:00:34.608928919 CEST	443	49346	17.248.228.69	192.168.11.12
Apr 26, 2024 04:00:36.737927914 CEST	49346	443	192.168.11.12	17.248.228.69
Apr 26, 2024 04:00:36.739615917 CEST	49346	443	192.168.11.12	17.248.228.69
Apr 26, 2024 04:00:36.838340044 CEST	443	49346	17.248.228.69	192.168.11.12
Apr 26, 2024 04:00:36.839663029 CEST	443	49346	17.248.228.69	192.168.11.12
Apr 26, 2024 04:00:36.840166092 CEST	49346	443	192.168.11.12	17.248.228.69
Apr 26, 2024 04:00:37.672981024 CEST	49327	443	192.168.11.12	17.248.228.67
Apr 26, 2024 04:00:37.673646927 CEST	49327	443	192.168.11.12	17.248.228.67
Apr 26, 2024 04:00:37.773444891 CEST	443	49327	17.248.228.67	192.168.11.12
Apr 26, 2024 04:00:37.773507118 CEST	443	49327	17.248.228.67	192.168.11.12
Apr 26, 2024 04:00:37.773835897 CEST	443	49327	17.248.228.67	192.168.11.12
Apr 26, 2024 04:00:37.774539948 CEST	49327	443	192.168.11.12	17.248.228.67
Apr 26, 2024 04:01:11.654330969 CEST	49368	443	192.168.11.12	151.101.195.6
Apr 26, 2024 04:01:11.654434919 CEST	443	49368	151.101.195.6	192.168.11.12
Apr 26, 2024 04:01:11.655147076 CEST	49368	443	192.168.11.12	151.101.195.6
Apr 26, 2024 04:01:11.656683922 CEST	49368	443	192.168.11.12	151.101.195.6
Apr 26, 2024 04:01:11.656744957 CEST	443	49368	151.101.195.6	192.168.11.12
Apr 26, 2024 04:01:11.899857044 CEST	443	49368	151.101.195.6	192.168.11.12
Apr 26, 2024 04:01:11.900707960 CEST	49368	443	192.168.11.12	151.101.195.6
Apr 26, 2024 04:01:11.900866032 CEST	49368	443	192.168.11.12	151.101.195.6
Apr 26, 2024 04:01:11.974817038 CEST	49368	443	192.168.11.12	151.101.195.6
Apr 26, 2024 04:01:11.975016117 CEST	443	49368	151.101.195.6	192.168.11.12
Apr 26, 2024 04:01:11.975682020 CEST	443	49368	151.101.195.6	192.168.11.12
Apr 26, 2024 04:01:11.975758076 CEST	49368	443	192.168.11.12	151.101.195.6
Apr 26, 2024 04:01:11.976258039 CEST	49368	443	192.168.11.12	151.101.195.6
Apr 26, 2024 04:01:12.031941891 CEST	49371	443	192.168.11.12	151.101.195.6
Apr 26, 2024 04:01:12.032058001 CEST	443	49371	151.101.195.6	192.168.11.12
Apr 26, 2024 04:01:12.032574892 CEST	49371	443	192.168.11.12	151.101.195.6
Apr 26, 2024 04:01:12.033399105 CEST	49371	443	192.168.11.12	151.101.195.6
Apr 26, 2024 04:01:12.033463001 CEST	443	49371	151.101.195.6	192.168.11.12
Apr 26, 2024 04:01:12.253946066 CEST	443	49371	151.101.195.6	192.168.11.12
Apr 26, 2024 04:01:12.254573107 CEST	49371	443	192.168.11.12	151.101.195.6
Apr 26, 2024 04:01:12.254659891 CEST	49371	443	192.168.11.12	151.101.195.6
Apr 26, 2024 04:01:12.292665005 CEST	49371	443	192.168.11.12	151.101.195.6
Apr 26, 2024 04:01:12.292757034 CEST	443	49371	151.101.195.6	192.168.11.12
Apr 26, 2024 04:01:12.292932987 CEST	443	49371	151.101.195.6	192.168.11.12
Apr 26, 2024 04:01:12.293409109 CEST	49371	443	192.168.11.12	151.101.195.6
Apr 26, 2024 04:01:12.293746948 CEST	49371	443	192.168.11.12	151.101.195.6
Apr 26, 2024 04:01:13.341506958 CEST	49381	443	192.168.11.12	151.101.195.6
Apr 26, 2024 04:01:13.341525078 CEST	443	49381	151.101.195.6	192.168.11.12
Apr 26, 2024 04:01:13.342086077 CEST	49381	443	192.168.11.12	151.101.195.6
Apr 26, 2024 04:01:13.345196962 CEST	49381	443	192.168.11.12	151.101.195.6
Apr 26, 2024 04:01:13.345208883 CEST	443	49381	151.101.195.6	192.168.11.12
Apr 26, 2024 04:01:13.567389965 CEST	443	49381	151.101.195.6	192.168.11.12
Apr 26, 2024 04:01:13.568195105 CEST	49381	443	192.168.11.12	151.101.195.6
Apr 26, 2024 04:01:13.568264961 CEST	49381	443	192.168.11.12	151.101.195.6
Apr 26, 2024 04:01:13.586435080 CEST	49381	443	192.168.11.12	151.101.195.6
Apr 26, 2024 04:01:13.586725950 CEST	443	49381	151.101.195.6	192.168.11.12
Apr 26, 2024 04:01:13.587361097 CEST	443	49381	151.101.195.6	192.168.11.12
Apr 26, 2024 04:01:13.587410927 CEST	49381	443	192.168.11.12	151.101.195.6
Apr 26, 2024 04:01:13.588419914 CEST	49381	443	192.168.11.12	151.101.195.6
Apr 26, 2024 04:01:30.723474979 CEST	49395	443	192.168.11.12	151.101.195.6
Apr 26, 2024 04:01:30.723609924 CEST	443	49395	151.101.195.6	192.168.11.12
Apr 26, 2024 04:01:30.724313021 CEST	49395	443	192.168.11.12	151.101.195.6
Apr 26, 2024 04:01:30.725807905 CEST	49395	443	192.168.11.12	151.101.195.6
Apr 26, 2024 04:01:30.725915909 CEST	443	49395	151.101.195.6	192.168.11.12
Apr 26, 2024 04:01:30.947118044 CEST	443	49395	151.101.195.6	192.168.11.12
Apr 26, 2024 04:01:30.949120998 CEST	49395	443	192.168.11.12	151.101.195.6
Apr 26, 2024 04:01:30.949203014 CEST	49395	443	192.168.11.12	151.101.195.6
Apr 26, 2024 04:01:30.956020117 CEST	49395	443	192.168.11.12	151.101.195.6
Apr 26, 2024 04:01:30.956074953 CEST	443	49395	151.101.195.6	192.168.11.12
Apr 26, 2024 04:01:30.956265926 CEST	443	49395	151.101.195.6	192.168.11.12
Apr 26, 2024 04:01:30.957048893 CEST	49395	443	192.168.11.12	151.101.195.6
Apr 26, 2024 04:01:30.957140923 CEST	49395	443	192.168.11.12	151.101.195.6
Apr 26, 2024 04:01:31.003882885 CEST	49396	443	192.168.11.12	151.101.195.6
Apr 26, 2024 04:01:31.004004955 CEST	443	49396	151.101.195.6	192.168.11.12
Apr 26, 2024 04:01:31.004885912 CEST	49396	443	192.168.11.12	151.101.195.6
Apr 26, 2024 04:01:31.006051064 CEST	49396	443	192.168.11.12	151.101.195.6
Apr 26, 2024 04:01:31.006158113 CEST	443	49396	151.101.195.6	192.168.11.12
Apr 26, 2024 04:01:31.231595993 CEST	443	49396	151.101.195.6	192.168.11.12
Apr 26, 2024 04:01:31.232538939 CEST	49396	443	192.168.11.12	151.101.195.6
Apr 26, 2024 04:01:31.232539892 CEST	49396	443	192.168.11.12	151.101.195.6
Apr 26, 2024 04:01:31.246289015 CEST	49396	443	192.168.11.12	151.101.195.6
Apr 26, 2024 04:01:31.246524096 CEST	443	49396	151.101.195.6	192.168.11.12
Apr 26, 2024 04:01:31.247180939 CEST	49396	443	192.168.11.12	151.101.195.6
Apr 26, 2024 04:01:31.274632931 CEST	49397	443	192.168.11.12	151.101.195.6
Apr 26, 2024 04:01:31.274730921 CEST	443	49397	151.101.195.6	192.168.11.12
Apr 26, 2024 04:01:31.275413990 CEST	49397	443	192.168.11.12	151.101.195.6
Apr 26, 2024 04:01:31.276313066 CEST	49397	443	192.168.11.12	151.101.195.6
Apr 26, 2024 04:01:31.276381969 CEST	443	49397	151.101.195.6	192.168.11.12
Apr 26, 2024 04:01:31.498132944 CEST	443	49397	151.101.195.6	192.168.11.12
Apr 26, 2024 04:01:31.499439955 CEST	49397	443	192.168.11.12	151.101.195.6
Apr 26, 2024 04:01:31.499439955 CEST	49397	443	192.168.11.12	151.101.195.6
Apr 26, 2024 04:01:31.506057024 CEST	49397	443	192.168.11.12	151.101.195.6
Apr 26, 2024 04:01:31.506156921 CEST	443	49397	151.101.195.6	192.168.11.12
Apr 26, 2024 04:01:31.506448030 CEST	443	49397	151.101.195.6	192.168.11.12
Apr 26, 2024 04:01:31.507252932 CEST	49397	443	192.168.11.12	151.101.195.6
Apr 26, 2024 04:01:31.507349968 CEST	49397	443	192.168.11.12	151.101.195.6
Apr 26, 2024 04:01:31.524523020 CEST	49398	443	192.168.11.12	151.101.195.6
Apr 26, 2024 04:01:31.524642944 CEST	443	49398	151.101.195.6	192.168.11.12
Apr 26, 2024 04:01:31.525485992 CEST	49398	443	192.168.11.12	151.101.195.6
Apr 26, 2024 04:01:31.526381969 CEST	49398	443	192.168.11.12	151.101.195.6
Apr 26, 2024 04:01:31.526453018 CEST	443	49398	151.101.195.6	192.168.11.12
Apr 26, 2024 04:01:31.752610922 CEST	443	49398	151.101.195.6	192.168.11.12
Apr 26, 2024 04:01:31.753441095 CEST	49398	443	192.168.11.12	151.101.195.6
Apr 26, 2024 04:01:31.753494978 CEST	49398	443	192.168.11.12	151.101.195.6
Apr 26, 2024 04:01:31.759232044 CEST	49398	443	192.168.11.12	151.101.195.6
Apr 26, 2024 04:01:31.759383917 CEST	443	49398	151.101.195.6	192.168.11.12
Apr 26, 2024 04:01:31.759898901 CEST	443	49398	151.101.195.6	192.168.11.12
Apr 26, 2024 04:01:31.760521889 CEST	49398	443	192.168.11.12	151.101.195.6
Apr 26, 2024 04:01:31.760575056 CEST	49398	443	192.168.11.12	151.101.195.6
Apr 26, 2024 04:01:32.800576925 CEST	49343	80	192.168.11.12	17.253.21.203
Apr 26, 2024 04:01:32.900316000 CEST	80	49343	17.253.21.203	192.168.11.12
Apr 26, 2024 04:01:32.901159048 CEST	49343	80	192.168.11.12	17.253.21.203

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 26, 2024 04:00:41.697119951 CEST	53	62393	1.1.1.1	192.168.11.12
Apr 26, 2024 04:00:41.701829910 CEST	53	53123	1.1.1.1	192.168.11.12
Apr 26, 2024 04:00:41.711078882 CEST	53	61227	1.1.1.1	192.168.11.12
Apr 26, 2024 04:00:41.711141109 CEST	53	58636	1.1.1.1	192.168.11.12
Apr 26, 2024 04:00:54.828146935 CEST	53	52458	1.1.1.1	192.168.11.12
Apr 26, 2024 04:01:11.547271013 CEST	60180	53	192.168.11.12	1.1.1.1
Apr 26, 2024 04:01:11.647203922 CEST	53	60180	1.1.1.1	192.168.11.12
Apr 26, 2024 04:01:15.761977911 CEST	59154	53	192.168.11.12	1.1.1.1
Apr 26, 2024 04:01:18.777220011 CEST	137	137	192.168.11.12	192.168.11.255
Apr 26, 2024 04:01:18.777220964 CEST	137	137	192.168.11.12	192.168.11.255
Apr 26, 2024 04:01:45.468962908 CEST	53	61227	1.1.1.1	192.168.11.12
Apr 26, 2024 04:01:45.469047070 CEST	53	58636	1.1.1.1	192.168.11.12

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Apr 26, 2024 04:00:41.697829008 CEST	192.168.11.12	1.1.1.1	8cc	(Port unreachable)	Destination Unreachable
Apr 26, 2024 04:00:41.702570915 CEST	192.168.11.12	1.1.1.1	2d01	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 26, 2024 04:01:11.547271013 CEST	192.168.11.12	1.1.1.1	0x5bfb	Standard query (0)	h3.apis.apple.map.fastly.net	A (IP address)	IN (0x0001)	false
Apr 26, 2024 04:01:15.761977911 CEST	192.168.11.12	1.1.1.1	0x9a5a	Standard query (0)	updates.cdn-apple.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 26, 2024 04:01:11.647203922 CEST	1.1.1.1	192.168.11.12	0x5bfb	No error (0)	h3.apis.apple.map.fastly.net		151.101.195.6	A (IP address)	IN (0x0001)	false
Apr 26, 2024 04:01:11.647203922 CEST	1.1.1.1	192.168.11.12	0x5bfb	No error (0)	h3.apis.apple.map.fastly.net		151.101.67.6	A (IP address)	IN (0x0001)	false
Apr 26, 2024 04:01:11.647203922 CEST	1.1.1.1	192.168.11.12	0x5bfb	No error (0)	h3.apis.apple.map.fastly.net		151.101.131.6	A (IP address)	IN (0x0001)	false
Apr 26, 2024 04:01:11.647203922 CEST	1.1.1.1	192.168.11.12	0x5bfb	No error (0)	h3.apis.apple.map.fastly.net		151.101.3.6	A (IP address)	IN (0x0001)	false
Apr 26, 2024 04:01:15.863272905 CEST	1.1.1.1	192.168.11.12	0x9a5a	No error (0)	updates.cdn-apple.com	updates.cdn-apple.com.akadns.net		CNAME (Canonical name)	IN (0x0001)	false

HTTPS Connections

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Apr 26, 2024 04:00:34.267599106 CEST	151.101.131.6	443	192.168.11.12	49350	CN=bag.itunes.apple.com, O=Apple Inc., L=Cupertino, ST=California, C=US, SERIALNUMBER=C0806592, OID.1.3.6.1.4.1.311.60.2.1.2=California, OID.1.3.6.1.4.1.311.60.2.1.3=US, OID.2.5.4.15=Private Organization CN=Apple Public EV Server RSA CA 2 - G1, O=Apple Inc., C=US	CN=Apple Public EV Server RSA CA 2 - G1, O=Apple Inc., C=US CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Fri Apr 26 02:39:11 CEST 2024 Wed Apr 29 14:54:50 CEST 2020	Wed Oct 23 02:49:11 CEST 2024 Thu Apr 11 01:59:59 CEST 2030
Apr 26, 2024 04:00:34.267599106 CEST	151.101.131.6	443	192.168.11.12	49350	CN=Apple Public EV Server RSA CA 2 - G1, O=Apple Inc., C=US	CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Wed Apr 29 14:54:50 CEST 2020	Thu Apr 11 01:59:59 CEST 2030

System Behavior

Analysis Process: mono-sgen32 PID: 632, Parent PID: 537

General

Start time (UTC):	02:00:46
Start date (UTC):	26/04/2024
Path:	/Library/Frameworks/Mono.framework/Versions/4.4.2/bin/mono-sgen32
Arguments:	-
File size:	3722408 bytes
MD5 hash:	8910349f44a940d8d79318367855b236

Chronological Activities

Analysis Process: open PID: 632, Parent PID: 537

General

Start time (UTC):	02:00:46
Start date (UTC):	26/04/2024
Path:	/usr/bin/open
Arguments:	/usr/bin/open /Volumes/Notion/Notion
File size:	105952 bytes
MD5 hash:	34bd93241fa5d2aee225941b1ca14fa4

Chronological Activities

Analysis Process: Terminal PID: 634, Parent PID: 253

General

Start time (UTC):	02:00:46
Start date (UTC):	26/04/2024
Path:	/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
Arguments:	-
File size:	1160896 bytes
MD5 hash:	5467df0048051ac8c0a4ed2b0158557f

Chronological Activities

Analysis Process: login PID: 634, Parent PID: 253

General

Start time (UTC):	02:00:46
Start date (UTC):	26/04/2024
Path:	/usr/bin/login
Arguments:	login -pf bernard
File size:	76288 bytes
MD5 hash:	d60183cc9225ae9b73af45e09e77277c

Chronological Activities

Analysis Process: login PID: 635, Parent PID: 634

General

Start time (UTC):	02:00:46
Start date (UTC):	26/04/2024
Path:	/usr/bin/login
Arguments:	-
File size:	76288 bytes
MD5 hash:	d60183cc9225ae9b73af45e09e77277c

Chronological Activities

Analysis Process: bash PID: 635, Parent PID: 634

General

Start time (UTC):	02:00:46
Start date (UTC):	26/04/2024
Path:	/bin/bash
Arguments:	-bash
File size:	618416 bytes
MD5 hash:	b513c6e7c86e43eb93f4fd56e28bd540

Chronological Activities

Analysis Process: bash PID: 636, Parent PID: 635

General

Start time (UTC):	02:00:46
Start date (UTC):	26/04/2024
Path:	/bin/bash
Arguments:	-
File size:	618416 bytes
MD5 hash:	b513c6e7c86e43eb93f4fd56e28bd540

Chronological Activities

Analysis Process: bash PID: 637, Parent PID: 636

General

Start time (UTC):	02:00:46
Start date (UTC):	26/04/2024
Path:	/bin/bash
Arguments:	-
File size:	618416 bytes
MD5 hash:	b513c6e7c86e43eb93f4fd56e28bd540

Chronological Activities

Analysis Process: path_helper PID: 637, Parent PID: 636

General

Start time (UTC):	02:00:46
Start date (UTC):	26/04/2024
Path:	/usr/libexec/path_helper
Arguments:	/usr/libexec/path_helper -s
File size:	18992 bytes
MD5 hash:	4e20b24d35f3257bd2b4b4454224ef2d

Chronological Activities

Analysis Process: bash PID: 638, Parent PID: 635

General

Start time (UTC):	02:00:46
Start date (UTC):	26/04/2024
Path:	/bin/bash
Arguments:	-
File size:	618416 bytes
MD5 hash:	b513c6e7c86e43eb93f4fd56e28bd540

Chronological Activities

Analysis Process: mkdir PID: 638, Parent PID: 635

General

Start time (UTC):	02:00:46
Start date (UTC):	26/04/2024
Path:	/bin/mkdir
Arguments:	mkdir -m 700 -p /Users/bernard/.bash_sessions
File size:	18592 bytes
MD5 hash:	bbbaafd2a4d7dcb9ddd178d814fea708

Chronological Activities

Analysis Process: bash PID: 639, Parent PID: 635

General

Start time (UTC):	02:00:46
Start date (UTC):	26/04/2024
Path:	/bin/bash
Arguments:	-
File size:	618416 bytes
MD5 hash:	b513c6e7c86e43eb93f4fd56e28bd540

Chronological Activities

Analysis Process: bash PID: 640, Parent PID: 639

General

Start time (UTC):	02:00:46
Start date (UTC):	26/04/2024
Path:	/bin/bash
Arguments:	-
File size:	618416 bytes
MD5 hash:	b513c6e7c86e43eb93f4fd56e28bd540

Chronological Activities

Analysis Process: touch PID: 640, Parent PID: 639

General

Start time (UTC):	02:00:46
Start date (UTC):	26/04/2024
Path:	/usr/bin/touch
Arguments:	/usr/bin/touch /Users/bernard/.bash_sessions/06F2F4B9-607D-4378-A15E-4D86AF0A91F0.historynew
File size:	23392 bytes
MD5 hash:	4740c7336a3cb2914b528fbce2d5edc7

Chronological Activities

Analysis Process: bash PID: 641, Parent PID: 635

General

Start time (UTC):	02:00:47
Start date (UTC):	26/04/2024
Path:	/bin/bash
Arguments:	-
File size:	618416 bytes
MD5 hash:	b513c6e7c86e43eb93f4fd56e28bd540

Chronological Activities

Analysis Process: Notion PID: 641, Parent PID: 635

General

Start time (UTC):	02:00:47
Start date (UTC):	26/04/2024
Path:	/Volumes/Notion/Notion
Arguments:	/Volumes/Notion/Notion
File size:	11245416 bytes
MD5 hash:	7f8c7e490f909f853949822f53645514

Chronological Activities

Analysis Process: Notion PID: 642, Parent PID: 641

General

Start time (UTC):	02:00:47
Start date (UTC):	26/04/2024
Path:	/Volumes/Notion/Notion
Arguments:	-
File size:	11245416 bytes
MD5 hash:	7f8c7e490f909f853949822f53645514

Chronological Activities

Analysis Process: sh PID: 643, Parent PID: 642

General

Start time (UTC):	02:00:47
Start date (UTC):	26/04/2024
Path:	/bin/sh
Arguments:	-
File size:	618480 bytes
MD5 hash:	be55e8952a262d0e524239dbf82191ed

Chronological Activities

Analysis Process: sh PID: 646, Parent PID: 643

General

Start time (UTC):	02:00:47
Start date (UTC):	26/04/2024
Path:	/bin/sh
Arguments:	-
File size:	618480 bytes
MD5 hash:	be55e8952a262d0e524239dbf82191ed

Chronological Activities

Analysis Process: osascript PID: 646, Parent PID: 643

General

Start time (UTC):	02:00:47
Start date (UTC):	26/04/2024
Path:	/usr/bin/osascript
Arguments:	osascript -e tell application 'Terminal' to close first window
File size:	43232 bytes
MD5 hash:	f13b7c85f3c1c08fae3b709a536281a1

Chronological Activities

Analysis Process: sh PID: 664, Parent PID: 642

General

Start time (UTC):	02:00:48
Start date (UTC):	26/04/2024
Path:	/bin/sh
Arguments:	-
File size:	618480 bytes
MD5 hash:	be55e8952a262d0e524239dbf82191ed

Chronological Activities

Analysis Process: chmod PID: 664, Parent PID: 642

General

Start time (UTC):	02:00:48
Start date (UTC):	26/04/2024
Path:	/bin/chmod
Arguments:	chmod +x /tmp/binary
File size:	34144 bytes
MD5 hash:	917cfbf6084318922f8091f050a0bbed

Chronological Activities

Analysis Process: sh PID: 665, Parent PID: 642

General

Start time (UTC):	02:00:48
Start date (UTC):	26/04/2024
Path:	/bin/sh
Arguments:	-
File size:	618480 bytes
MD5 hash:	be55e8952a262d0e524239dbf82191ed

Chronological Activities

Analysis Process: binary PID: 665, Parent PID: 642

General

Start time (UTC):	02:00:48
Start date (UTC):	26/04/2024
Path:	/tmp/binary
Arguments:	/tmp/binary
File size:	4045890 bytes
MD5 hash:	334ea98682699ce32fa14b293e67f502

Chronological Activities

Analysis Process: binary PID: 666, Parent PID: 665

General

Start time (UTC):	02:00:48
Start date (UTC):	26/04/2024
Path:	/private/tmp/binary
Arguments:	-
File size:	4045890 bytes
MD5 hash:	334ea98682699ce32fa14b293e67f502

Chronological Activities

Analysis Process: dscl PID: 666, Parent PID: 665

General

Start time (UTC):	02:00:49
Start date (UTC):	26/04/2024
Path:	/usr/bin/dscl
Arguments:	dscl . authonly bernard
File size:	202560 bytes
MD5 hash:	9a2337f2a5a6271e0187153296de3c9f

Chronological Activities

Analysis Process: binary PID: 667, Parent PID: 665

General

Start time (UTC):	02:00:49
Start date (UTC):	26/04/2024
Path:	/private/tmp/binary
Arguments:	-
File size:	4045890 bytes
MD5 hash:	334ea98682699ce32fa14b293e67f502

Chronological Activities

Analysis Process: osascript PID: 667, Parent PID: 665

General

Start time (UTC):	02:00:49
Start date (UTC):	26/04/2024
Path:	/usr/bin/osascript
Arguments:	osascript -e display dialog 'Required Application Helper. Please enter password:' default answer '' with icon caution buttons {'Continue'} default button 'Continue' giving up after 150 with title 'Application wants to install helper' with hidden answer
File size:	43232 bytes
MD5 hash:	f13b7c85f3c1c08fae3b709a536281a1

Chronological Activities

Analysis Process: bash PID: 644, Parent PID: 635

General

Start time (UTC):	02:00:47
Start date (UTC):	26/04/2024
Path:	/bin/bash
Arguments:	-
File size:	618416 bytes
MD5 hash:	b513c6e7c86e43eb93f4fd56e28bd540

Chronological Activities

Analysis Process: bash PID: 645, Parent PID: 644

General

Start time (UTC):	02:00:47
Start date (UTC):	26/04/2024
Path:	/bin/bash
Arguments:	-
File size:	618416 bytes
MD5 hash:	b513c6e7c86e43eb93f4fd56e28bd540

Chronological Activities

Analysis Process: bash PID: 647, Parent PID: 645

General

Start time (UTC):	02:00:47
Start date (UTC):	26/04/2024
Path:	/bin/bash
Arguments:	-
File size:	618416 bytes
MD5 hash:	b513c6e7c86e43eb93f4fd56e28bd540

Chronological Activities

Analysis Process: date PID: 647, Parent PID: 645

General

Start time (UTC):	02:00:47
Start date (UTC):	26/04/2024
Path:	/bin/date
Arguments:	/bin/date +%s
File size:	28608 bytes
MD5 hash:	7b68e7f0831d96715d519e8138529cfd

Chronological Activities

Analysis Process: bash PID: 648, Parent PID: 635

General

Start time (UTC):	02:00:47
Start date (UTC):	26/04/2024
Path:	/bin/bash
Arguments:	-
File size:	618416 bytes
MD5 hash:	b513c6e7c86e43eb93f4fd56e28bd540

Chronological Activities

Analysis Process: bash PID: 649, Parent PID: 648

General

Start time (UTC):	02:00:47
Start date (UTC):	26/04/2024
Path:	/bin/bash
Arguments:	-
File size:	618416 bytes
MD5 hash:	b513c6e7c86e43eb93f4fd56e28bd540

Chronological Activities

Analysis Process: touch PID: 649, Parent PID: 648

General

Start time (UTC):	02:00:47
Start date (UTC):	26/04/2024
Path:	/usr/bin/touch
Arguments:	/usr/bin/touch /Users/bernard/.bash_sessions/06F2F4B9-607D-4378-A15E-4D86AF0A91F0.historynew
File size:	23392 bytes
MD5 hash:	4740c7336a3cb2914b528fbce2d5edc7

Chronological Activities

Analysis Process: bash PID: 650, Parent PID: 635

General

Start time (UTC):	02:00:47
Start date (UTC):	26/04/2024
Path:	/bin/bash
Arguments:	-
File size:	618416 bytes
MD5 hash:	b513c6e7c86e43eb93f4fd56e28bd540

Chronological Activities

Analysis Process: bash PID: 651, Parent PID: 650

General

Start time (UTC):	02:00:47
Start date (UTC):	26/04/2024
Path:	/bin/bash
Arguments:	-
File size:	618416 bytes
MD5 hash:	b513c6e7c86e43eb93f4fd56e28bd540

Chronological Activities

Analysis Process: cp PID: 651, Parent PID: 650

General

Start time (UTC):	02:00:47
Start date (UTC):	26/04/2024
Path:	/bin/cp
Arguments:	/bin/cp /Users/bernard/.bash_history /Users/bernard/.bash_sessions/06F2F4B9-607D-4378-A15E-4D86AF0A91F0.history
File size:	29024 bytes
MD5 hash:	c6c784e59743c03a85e53ac39bf4b1c1

Chronological Activities

Analysis Process: bash PID: 652, Parent PID: 635

General

Start time (UTC):	02:00:47
Start date (UTC):	26/04/2024
Path:	/bin/bash
Arguments:	-
File size:	618416 bytes
MD5 hash:	b513c6e7c86e43eb93f4fd56e28bd540

Chronological Activities

Analysis Process: bash PID: 653, Parent PID: 652

General

Start time (UTC):	02:00:48
Start date (UTC):	26/04/2024
Path:	/bin/bash
Arguments:	-
File size:	618416 bytes
MD5 hash:	b513c6e7c86e43eb93f4fd56e28bd540

Chronological Activities

Analysis Process: bash PID: 654, Parent PID: 635

General

Start time (UTC):	02:00:48
Start date (UTC):	26/04/2024
Path:	/bin/bash
Arguments:	-
File size:	618416 bytes
MD5 hash:	b513c6e7c86e43eb93f4fd56e28bd540

Chronological Activities

Analysis Process: bash PID: 655, Parent PID: 654

General

Start time (UTC):	02:00:48
Start date (UTC):	26/04/2024
Path:	/bin/bash
Arguments:	-
File size:	618416 bytes
MD5 hash:	b513c6e7c86e43eb93f4fd56e28bd540

Chronological Activities

Analysis Process: cat PID: 655, Parent PID: 654

General

Start time (UTC):	02:00:48
Start date (UTC):	26/04/2024
Path:	/bin/cat
Arguments:	/bin/cat /Users/bernard/.bash_sessions/06F2F4B9-607D-4378-A15E-4D86AF0A91F0.historynew
File size:	23648 bytes
MD5 hash:	d4db1aa640ed6d80a0bd350e72d6fa8e

Chronological Activities

Analysis Process: bash PID: 656, Parent PID: 635

General

Start time (UTC):	02:00:48
Start date (UTC):	26/04/2024
Path:	/bin/bash
Arguments:	-
File size:	618416 bytes
MD5 hash:	b513c6e7c86e43eb93f4fd56e28bd540

Chronological Activities

Analysis Process: bash PID: 657, Parent PID: 635

General

Start time (UTC):	02:00:48
Start date (UTC):	26/04/2024
Path:	/bin/bash
Arguments:	-
File size:	618416 bytes
MD5 hash:	b513c6e7c86e43eb93f4fd56e28bd540

Chronological Activities

Analysis Process: shlock PID: 657, Parent PID: 635

General

Start time (UTC):	02:00:48
Start date (UTC):	26/04/2024
Path:	/usr/bin/shlock
Arguments:	/usr/bin/shlock -f /Users/bernard/.bash_sessions/_expiration_lockfile -p 635
File size:	23024 bytes
MD5 hash:	09db517b7ada5f7825b1ac0e590e7149

Chronological Activities

Analysis Process: bash PID: 658, Parent PID: 635

General

Start time (UTC):	02:00:48
Start date (UTC):	26/04/2024
Path:	/bin/bash
Arguments:	-
File size:	618416 bytes
MD5 hash:	b513c6e7c86e43eb93f4fd56e28bd540

Chronological Activities

Analysis Process: bash PID: 659, Parent PID: 658

General

Start time (UTC):	02:00:48
Start date (UTC):	26/04/2024
Path:	/bin/bash
Arguments:	-
File size:	618416 bytes
MD5 hash:	b513c6e7c86e43eb93f4fd56e28bd540

Chronological Activities

Analysis Process: find PID: 659, Parent PID: 658

General

Start time (UTC):	02:00:48
Start date (UTC):	26/04/2024
Path:	/usr/bin/find
Arguments:	/usr/bin/find /Users/bernard/.bash_sessions -type f -mtime +2w -print -delete
File size:	51808 bytes
MD5 hash:	1fe4dde0bbb34131dcd3598dac59751d

Chronological Activities

Analysis Process: bash PID: 660, Parent PID: 658

General

Start time (UTC):	02:00:48
Start date (UTC):	26/04/2024
Path:	/bin/bash
Arguments:	-
File size:	618416 bytes
MD5 hash:	b513c6e7c86e43eb93f4fd56e28bd540

Chronological Activities

Analysis Process: wc PID: 660, Parent PID: 658

General

Start time (UTC):	02:00:48
Start date (UTC):	26/04/2024
Path:	/usr/bin/wc
Arguments:	/usr/bin/wc -l
File size:	23072 bytes
MD5 hash:	b4a2b4a093f04a17608cac3ccc4dc69b

Chronological Activities

Analysis Process: bash PID: 661, Parent PID: 635

General

Start time (UTC):	02:00:48
Start date (UTC):	26/04/2024
Path:	/bin/bash
Arguments:	-
File size:	618416 bytes
MD5 hash:	b513c6e7c86e43eb93f4fd56e28bd540

Chronological Activities

Analysis Process: bash PID: 662, Parent PID: 661

General

Start time (UTC):	02:00:48
Start date (UTC):	26/04/2024
Path:	/bin/bash
Arguments:	-
File size:	618416 bytes
MD5 hash:	b513c6e7c86e43eb93f4fd56e28bd540

Chronological Activities

Analysis Process: touch PID: 662, Parent PID: 661

General

Start time (UTC):	02:00:48
Start date (UTC):	26/04/2024
Path:	/usr/bin/touch
Arguments:	/usr/bin/touch /Users/bernard/.bash_sessions/_expiration_check_timestamp
File size:	23392 bytes
MD5 hash:	4740c7336a3cb2914b528fbce2d5edc7

Chronological Activities

Analysis Process: bash PID: 663, Parent PID: 635

General

Start time (UTC):	02:00:48
Start date (UTC):	26/04/2024
Path:	/bin/bash
Arguments:	-
File size:	618416 bytes
MD5 hash:	b513c6e7c86e43eb93f4fd56e28bd540

Chronological Activities

Analysis Process: rm PID: 663, Parent PID: 635

General

Start time (UTC):	02:00:48
Start date (UTC):	26/04/2024
Path:	/bin/rm
Arguments:	/bin/rm /Users/bernard/.bash_sessions/_expiration_lockfile
File size:	23968 bytes
MD5 hash:	99891a42b47f8a1016bf065e62dfe5b0

Chronological Activities

Analysis Process: xpcproxy PID: 676, Parent PID: 1

General

Start time (UTC):	02:01:09
Start date (UTC):	26/04/2024
Path:	/usr/libexec/xpcproxy
Arguments:	-
File size:	44048 bytes
MD5 hash:	4764d9eafe6b7dac23253a9f8b7f73d6

Chronological Activities

Analysis Process: nsurlstoraged PID: 676, Parent PID: 1

General

Start time (UTC):	02:01:09
Start date (UTC):	26/04/2024
Path:	/usr/libexec/nsurlstoraged
Arguments:	/usr/libexec/nsurlstoraged --privileged
File size:	246624 bytes
MD5 hash:	321b0a40e24b45f0af49ba42742b3f64

Chronological Activities

Analysis Process: xpcproxy PID: 688, Parent PID: 1

General

Start time (UTC):	02:01:29
Start date (UTC):	26/04/2024
Path:	/usr/libexec/xpcproxy
Arguments:	-
File size:	44048 bytes
MD5 hash:	4764d9eafe6b7dac23253a9f8b7f73d6

Chronological Activities

Analysis Process: eficheck PID: 688, Parent PID: 1

General

Start time (UTC):	02:01:29
Start date (UTC):	26/04/2024
Path:	/usr/libexec/firmwarecheckers/eficheck/eficheck
Arguments:	/usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check-daemon
File size:	74048 bytes
MD5 hash:	328beb81a2263449258057506bb4987f

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.These AppleEvent messages can be sent independently or easily scripted with AppleScript. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.
Tactics:	Execution
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
Tactics:	Defense Evasion
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Deletion, File: File Metadata, File: File Modification, Firewall: Firewall Rule Modification, Network Traffic: Network Traffic Content, Process: OS API Execution, Process: Process Creation, Scheduled Job: Scheduled Job Modification, User Account: User Account Authentication, User Account: User Account Deletion, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, Google Workspace, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

macOS Analysis Report R2n8x3VrH8.dmg

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Snort Signatures

Joe Sandbox Signatures

Cryptography

Compliance

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/Users/bernard/.bash_sessions/06F2F4B9-607D-4378-A15E-4D86AF0A91F0.history

/Users/bernard/.bash_sessions/06F2F4B9-607D-4378-A15E-4D86AF0A91F0.historynew

/Users/bernard/.bash_sessions/06F2F4B9-607D-4378-A15E-4D86AF0A91F0.session

/Users/bernard/.bash_sessions/shlock657

/dev/ttys000

/private/tmp/binary

/private/tmp/xuyna/username

/private/var/run/utmpx

Static File Info

General

Archive DMG

Archived Files

Extracted Files

Notion

Static Mach Info

General Information for header 1

Symbols

General Information for header 2

Symbols

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

DNS Queries

DNS Answers

HTTPS Connections

System Behavior

Analysis Process: mono-sgen32 PID: 632, Parent PID: 537

General

macOS Analysis Report
R2n8x3VrH8.dmg