Edit tour

macOS Analysis Report
AteraAgent_xzZFJv3k-005lqqFBKy66Ehl79dMF+xnAE9HV0nREpQ=_Production_2_.pkg

Overview

General Information

Sample name:	AteraAgent_xzZFJv3k-005lqqFBKy66Ehl79dMF+xnAE9HV0nREpQ=_Production_2_.pkg
Analysis ID:	1638554
MD5:	0c4913bc52df24b80409570358c81e96
SHA1:	8a2ebc29232d3f3d1b679eca0b44e4d1d57c68cd
SHA256:	97eeac45e7e201c6e0e60b43d46666673eecb23423879a8779a376cda1f9cf03
Infos:

Detection

Score:	48
Range:	0 - 100

Signatures

Creates a notice file (html or txt) to demand a ransom

Writes Mach-O files to hidden directories

Changes permissions of written Mach-O files

Creates hidden files, links and/or directories

Creates system-wide 'launchd' managed services aka launch daemons

Executes the "curl" command used to transfer data via the network (typically using HTTP/S)

Executes the "grep" command used to find patterns in files or piped streams

Executes the "mkdir" command used to create folders

Executes the "mktemp" command used to create a temporary unique file name

Executes the "rm" command used to delete files or directories

Executes the "sudo" command used to execute a command as another user

Executes the "touch" command used to create files or modify time stamps

Executes the "uname" command used to read OS and architecture name

Explicitly unloads, stops, and/or removes launch services

Reads hardware related sysctl values

Reads the systems OS release and/or type

Reads the systems hostname

Uses CFNetwork bundle containing interfaces for network communication (HTTP, sockets, and Bonjour)

Uses Security framework containing interfaces for system-level user authentication and authorization

Writes 64-bit Mach-O files to disk

Writes HTML files containing JavaScript to disk

Writes Mach-O files to the tmp directory

Writes a file containing only its PID

Classification

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1638554
Start date and time:	2025-03-14 14:28:53 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultmacfilecookbook.jbs
Analysis system description:	Virtual Machine, Mojave (Office 16 16.27, Java 11.0.2+9, Adobe Reader 2019.010.20099)
macOS major version:	10.14
CPU architecture:	x86_64
Analysis Mode:	default
Sample name:	AteraAgent_xzZFJv3k-005lqqFBKy66Ehl79dMF+xnAE9HV0nREpQ=_Production_2_.pkg
Detection:	MAL
Classification:	mal48.rans.evad.macPKG@0/449@4/0

Warnings

Excluded IPs from analysis (whitelisted): 104.18.38.233, 23.207.53.102, 172.64.149.23, 17.253.7.140, 17.253.7.135, 17.253.7.138, 17.36.200.79, 17.253.7.143, 17.253.7.133, 184.31.52.29, 96.7.224.10, 96.7.224.34
Excluded domains from analysis (whitelisted): e11408.d.akamaiedge.net, updates.cdn-apple.com.akadns.net, builds.dotnet.microsoft.com.edgesuite.net, crl.apple.com, ocsp.comodoca.com, itunes.apple.com.edgekey.net, a441.dscd.akamai.net, help.apple.com, init.itunes.apple.com, lcdn-locator-usuqo.apple.com.akadns.net, dotnetcli.trafficmanager.net, ocsp.comodoca.com.cdn.cloudflare.net, ocsp.usertrust.com, e673.dsce9.akamaiedge.net, help-ar.apple.com.edgekey.net, lb._dns-sd._udp.0.11.168.192.in-addr.arpa, builds.dotnet.microsoft.com, lcdn-locator.apple.com.akadns.net, help.origin-apple.com.akadns.net, lcdn-locator.apple.com, mesu.g.aaplimg.com, updates.g.aaplimg.com, mesu.apple.com, updates.cdn-apple.com, init-cdn.itunes-apple.com.akadns.net
Report creation exceeded maximum number of non-whitelisted processes and may have missing process information.
VT rate limit hit for: http://www.mono-project.com/docs/about-mono/
VT rate limit hit for: http://www.novell.com)
VT rate limit hit for: http://www.ookii.org/software/dialogs/
VT rate limit hit for: http://www.ryanjuckett.com/
VT rate limit hit for: http://www.xamarin.com)
VT rate limit hit for: https://www.newtonsoft.com/json
VT rate limit hit for: https://zlib.net/zlib_license.html

Runtime Messages

Command:	open "/Users/bernard/Desktop/AteraAgent_xzZFJv3k-005lqqFBKy66Ehl79dMF+xnAE9HV0nREpQ=_Production_2_.pkg"
PID:	622
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:
Standard Error:

Process Tree

System is macvm-mojave

mono-sgen32 New Fork (PID: 622, Parent: 537)

open (MD5: 34bd93241fa5d2aee225941b1ca14fa4) Arguments: /usr/bin/open /Users/bernard/Desktop/AteraAgent_xzZFJv3k-005lqqFBKy66Ehl79dMF+xnAE9HV0nREpQ=_Production_2_.pkg

xpcproxy New Fork (PID: 623, Parent: 1)

Installer (MD5: 50c84168359b295c12427b3461315322) Arguments: /System/Library/CoreServices/Installer.app/Contents/MacOS/Installer

xpcproxy New Fork (PID: 628, Parent: 1)

installd (MD5: 4a55e40799072bad8663cf8f5d2d845a) Arguments: /System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd

install_monitor New Fork (PID: 661, Parent: 628)

preinstall New Fork (PID: 662, Parent: 628)

bash New Fork (PID: 663, Parent: 662)

bash New Fork (PID: 664, Parent: 663)

date (MD5: 7b68e7f0831d96715d519e8138529cfd) Arguments: date +%Y-%m-%d %H:%M:%S

bash New Fork (PID: 665, Parent: 662)

bash New Fork (PID: 666, Parent: 665)

date (MD5: 7b68e7f0831d96715d519e8138529cfd) Arguments: date +%Y-%m-%d %H:%M:%S

bash New Fork (PID: 667, Parent: 662)

basename (MD5: a04543e587bc0beaee437aaaa90ea4f8) Arguments: basename /Users/bernard/Desktop/AteraAgent_xzZFJv3k-005lqqFBKy66Ehl79dMF+xnAE9HV0nREpQ=_Production_2_.pkg .pkg

bash New Fork (PID: 668, Parent: 662)

bash New Fork (PID: 669, Parent: 668)

bash New Fork (PID: 670, Parent: 668)

tr (MD5: 724974697a9bccefdb750e3667f33cf7) Arguments: tr _ \n

bash New Fork (PID: 671, Parent: 662)

bash New Fork (PID: 672, Parent: 671)

bash New Fork (PID: 673, Parent: 671)

tr (MD5: 724974697a9bccefdb750e3667f33cf7) Arguments: tr - /

bash New Fork (PID: 674, Parent: 662)

bash New Fork (PID: 675, Parent: 674)

date (MD5: 7b68e7f0831d96715d519e8138529cfd) Arguments: date +%Y-%m-%d %H:%M:%S

bash New Fork (PID: 676, Parent: 662)

bash New Fork (PID: 677, Parent: 676)

date (MD5: 7b68e7f0831d96715d519e8138529cfd) Arguments: date +%Y-%m-%d %H:%M:%S

bash New Fork (PID: 678, Parent: 662)

sudo (MD5: ce7f467d6b8b6fda34a09a23288e5eef) Arguments: sudo launchctl unload /Library/LaunchDaemons/com.atera.agent.plist

sudo New Fork (PID: 679, Parent: 678)

launchctl (MD5: 319fb0be5351f6db28b612cb36df9704) Arguments: launchctl unload /Library/LaunchDaemons/com.atera.agent.plist

bash New Fork (PID: 680, Parent: 662)

sudo (MD5: ce7f467d6b8b6fda34a09a23288e5eef) Arguments: sudo launchctl stop com.atera.agent

sudo New Fork (PID: 681, Parent: 680)

launchctl (MD5: 319fb0be5351f6db28b612cb36df9704) Arguments: launchctl stop com.atera.agent

bash New Fork (PID: 682, Parent: 662)

bash New Fork (PID: 683, Parent: 682)

date (MD5: 7b68e7f0831d96715d519e8138529cfd) Arguments: date +%Y-%m-%d %H:%M:%S

shove New Fork (PID: 684, Parent: 628)

postinstall New Fork (PID: 685, Parent: 628)

bash New Fork (PID: 686, Parent: 685)

bash New Fork (PID: 687, Parent: 686)

date (MD5: 7b68e7f0831d96715d519e8138529cfd) Arguments: date +%Y-%m-%d %H:%M:%S

bash New Fork (PID: 688, Parent: 685)

bash New Fork (PID: 689, Parent: 688)

date (MD5: 7b68e7f0831d96715d519e8138529cfd) Arguments: date +%Y-%m-%d %H:%M:%S

bash New Fork (PID: 690, Parent: 685)

bash New Fork (PID: 691, Parent: 690)

date (MD5: 7b68e7f0831d96715d519e8138529cfd) Arguments: date +%Y-%m-%d %H:%M:%S

bash New Fork (PID: 692, Parent: 685)

sudo (MD5: ce7f467d6b8b6fda34a09a23288e5eef) Arguments: sudo curl -sSL https://dot.net/v1/dotnet-install.sh

sudo New Fork (PID: 695, Parent: 692)

curl (MD5: 2418204e23e2952e7995f1819a1f78f5) Arguments: curl -sSL https://dot.net/v1/dotnet-install.sh

bash New Fork (PID: 693, Parent: 685)

sudo (MD5: ce7f467d6b8b6fda34a09a23288e5eef) Arguments: sudo bash -s -- -Runtime dotnet -Channel 8.0 -InstallDir /Library/Application Support/com.atera.ateraagent/Agent/.dotnet

sudo New Fork (PID: 694, Parent: 693)

bash (MD5: b513c6e7c86e43eb93f4fd56e28bd540) Arguments: bash -s -- -Runtime dotnet -Channel 8.0 -InstallDir /Library/Application Support/com.atera.ateraagent/Agent/.dotnet

bash New Fork (PID: 697, Parent: 694)

basename (MD5: a04543e587bc0beaee437aaaa90ea4f8) Arguments: basename bash

bash New Fork (PID: 698, Parent: 694)

bash New Fork (PID: 699, Parent: 698)

bash New Fork (PID: 700, Parent: 699)

bash New Fork (PID: 701, Parent: 699)

tr (MD5: 724974697a9bccefdb750e3667f33cf7) Arguments: tr [:upper:] [:lower:]

bash New Fork (PID: 702, Parent: 698)

bash New Fork (PID: 703, Parent: 702)

bash New Fork (PID: 704, Parent: 703)

uname (MD5: cb4c9f54edc8f93c8abf482e3a020915) Arguments: uname -m

bash New Fork (PID: 705, Parent: 694)

bash New Fork (PID: 706, Parent: 705)

bash New Fork (PID: 707, Parent: 706)

bash New Fork (PID: 708, Parent: 706)

tr (MD5: 724974697a9bccefdb750e3667f33cf7) Arguments: tr [:upper:] [:lower:]

bash New Fork (PID: 709, Parent: 705)

bash New Fork (PID: 710, Parent: 709)

bash New Fork (PID: 711, Parent: 710)

uname (MD5: cb4c9f54edc8f93c8abf482e3a020915) Arguments: uname

bash New Fork (PID: 712, Parent: 694)

bash New Fork (PID: 713, Parent: 712)

bash New Fork (PID: 714, Parent: 713)

bash New Fork (PID: 715, Parent: 713)

tr (MD5: 724974697a9bccefdb750e3667f33cf7) Arguments: tr [:upper:] [:lower:]

bash New Fork (PID: 716, Parent: 694)

bash New Fork (PID: 717, Parent: 716)

bash New Fork (PID: 718, Parent: 717)

bash New Fork (PID: 719, Parent: 717)

tr (MD5: 724974697a9bccefdb750e3667f33cf7) Arguments: tr [:upper:] [:lower:]

bash New Fork (PID: 720, Parent: 694)

bash New Fork (PID: 721, Parent: 720)

bash New Fork (PID: 722, Parent: 721)

bash New Fork (PID: 723, Parent: 721)

tr (MD5: 724974697a9bccefdb750e3667f33cf7) Arguments: tr [:upper:] [:lower:]

bash New Fork (PID: 724, Parent: 694)

bash New Fork (PID: 725, Parent: 694)

bash New Fork (PID: 726, Parent: 725)

bash New Fork (PID: 727, Parent: 725)

bash New Fork (PID: 728, Parent: 725)

bash New Fork (PID: 729, Parent: 728)

bash New Fork (PID: 730, Parent: 729)

uname (MD5: cb4c9f54edc8f93c8abf482e3a020915) Arguments: uname

bash New Fork (PID: 731, Parent: 694)

bash New Fork (PID: 732, Parent: 731)

bash New Fork (PID: 733, Parent: 731)

tr (MD5: 724974697a9bccefdb750e3667f33cf7) Arguments: tr [:upper:] [:lower:]

bash New Fork (PID: 734, Parent: 694)

bash New Fork (PID: 735, Parent: 734)

curl (MD5: 2418204e23e2952e7995f1819a1f78f5) Arguments: curl -I -sSL --retry 5 --retry-delay 2 --connect-timeout 15 https://aka.ms/dotnet/8.0/dotnet-runtime-osx-x64.tar.gz

bash New Fork (PID: 737, Parent: 694)

bash New Fork (PID: 738, Parent: 737)

bash New Fork (PID: 739, Parent: 737)

awk (MD5: c2a01c11db999f97496e09e12f468956) Arguments: awk $1 ~ /^HTTP/ {print $2}

bash New Fork (PID: 740, Parent: 694)

bash New Fork (PID: 741, Parent: 740)

bash New Fork (PID: 742, Parent: 740)

sed (MD5: 1fee8e981be8ca03f8775ada9b315085) Arguments: sed $d

bash New Fork (PID: 743, Parent: 740)

grep (MD5: 6ff93214c22e9c46b9ac021cfe18c9aa) Arguments: grep -v 301

bash New Fork (PID: 744, Parent: 694)

bash New Fork (PID: 745, Parent: 744)

bash New Fork (PID: 746, Parent: 744)

tail (MD5: 5b752d30895886eae5e001800b8604bd) Arguments: tail -n 1

bash New Fork (PID: 747, Parent: 694)

bash New Fork (PID: 748, Parent: 747)

bash New Fork (PID: 749, Parent: 747)

awk (MD5: c2a01c11db999f97496e09e12f468956) Arguments: awk $1 ~ /^Location/{print $2}

bash New Fork (PID: 750, Parent: 747)

tail (MD5: 5b752d30895886eae5e001800b8604bd) Arguments: tail -1

bash New Fork (PID: 751, Parent: 747)

tr (MD5: 724974697a9bccefdb750e3667f33cf7) Arguments: tr -d \r

bash New Fork (PID: 752, Parent: 694)

bash New Fork (PID: 753, Parent: 752)

bash New Fork (PID: 754, Parent: 753)

bash New Fork (PID: 755, Parent: 754)

bash New Fork (PID: 756, Parent: 754)

grep (MD5: 6ff93214c22e9c46b9ac021cfe18c9aa) Arguments: grep ://

bash New Fork (PID: 757, Parent: 754)

sed (MD5: 1fee8e981be8ca03f8775ada9b315085) Arguments: sed -es,^$.*://$.*,\1,g

bash New Fork (PID: 758, Parent: 753)

bash New Fork (PID: 759, Parent: 758)

bash New Fork (PID: 760, Parent: 758)

grep (MD5: 6ff93214c22e9c46b9ac021cfe18c9aa) Arguments: grep /

bash New Fork (PID: 761, Parent: 758)

cut (MD5: a74f5002e91fff202cb650f65fadabdd) Arguments: cut -d/ -f2-

bash New Fork (PID: 762, Parent: 753)

bash New Fork (PID: 763, Parent: 762)

bash New Fork (PID: 764, Parent: 762)

cut (MD5: a74f5002e91fff202cb650f65fadabdd) Arguments: cut -d/ -f2-

bash New Fork (PID: 765, Parent: 752)

bash New Fork (PID: 766, Parent: 765)

curl (MD5: 2418204e23e2952e7995f1819a1f78f5) Arguments: curl --head -o /dev/null -w %{http_code} -s --fail https://builds.dotnet.microsoft.com/dotnet/Runtime/8.0.14/dotnet-runtime-8.0.14-osx-x64.tar.gz

bash New Fork (PID: 767, Parent: 694)

bash New Fork (PID: 768, Parent: 767)

bash New Fork (PID: 769, Parent: 767)

bash New Fork (PID: 770, Parent: 767)

bash New Fork (PID: 771, Parent: 770)

curl (MD5: 2418204e23e2952e7995f1819a1f78f5) Arguments: curl -s --fail https://builds.dotnet.microsoft.com/dotnet/Runtime/8.0.14/runtime-productVersion.txt

bash New Fork (PID: 772, Parent: 694)

bash New Fork (PID: 773, Parent: 772)

bash New Fork (PID: 774, Parent: 773)

bash New Fork (PID: 775, Parent: 773)

bash New Fork (PID: 776, Parent: 772)

bash New Fork (PID: 777, Parent: 772)

bash New Fork (PID: 778, Parent: 694)

mkdir (MD5: bbbaafd2a4d7dcb9ddd178d814fea708) Arguments: mkdir -p /Library/Application Support/com.atera.ateraagent/Agent/.dotnet

bash New Fork (PID: 779, Parent: 694)

mktemp (MD5: ab78cb00857fefb979f3e8e4ba05b0be) Arguments: mktemp /tmp/dotnet.XXXXXXXXX

bash New Fork (PID: 780, Parent: 694)

curl (MD5: 2418204e23e2952e7995f1819a1f78f5) Arguments: curl --retry 20 --retry-delay 2 --connect-timeout 15 -sSL -f --create-dirs -o /tmp/dotnet.apAJI0d8n https://builds.dotnet.microsoft.com/dotnet/Runtime/8.0.14/dotnet-runtime-8.0.14-osx-x64.tar.gz

bash New Fork (PID: 781, Parent: 694)

bash New Fork (PID: 782, Parent: 781)

bash New Fork (PID: 783, Parent: 782)

curl (MD5: 2418204e23e2952e7995f1819a1f78f5) Arguments: curl -sI https://builds.dotnet.microsoft.com/dotnet/Runtime/8.0.14/dotnet-runtime-8.0.14-osx-x64.tar.gz

bash New Fork (PID: 784, Parent: 782)

grep (MD5: 6ff93214c22e9c46b9ac021cfe18c9aa) Arguments: grep -i content-length

bash New Fork (PID: 785, Parent: 782)

awk (MD5: c2a01c11db999f97496e09e12f468956) Arguments: awk { num = $2 + 0 print num }

bash New Fork (PID: 786, Parent: 694)

mktemp (MD5: ab78cb00857fefb979f3e8e4ba05b0be) Arguments: mktemp -d /tmp/dotnet.XXXXXXXXX

bash New Fork (PID: 787, Parent: 694)

tar (MD5: 822f00f28da9b6b443e79b6e27b859f6) Arguments: tar -xzf /tmp/dotnet.apAJI0d8n -C /tmp/dotnet.DUZHkmnca

bash New Fork (PID: 788, Parent: 694)

find (MD5: 1fe4dde0bbb34131dcd3598dac59751d) Arguments: find /tmp/dotnet.DUZHkmnca -type f

bash New Fork (PID: 789, Parent: 694)

grep (MD5: 6ff93214c22e9c46b9ac021cfe18c9aa) Arguments: grep -Eo ^.*/[0-9]+\.[0-9]+[^/]+/

bash New Fork (PID: 790, Parent: 694)

sort (MD5: eb767b75f4b5035fc9bbeaff838daf4b) Arguments: sort

bash New Fork (PID: 791, Parent: 694)

bash New Fork (PID: 792, Parent: 791)

bash New Fork (PID: 793, Parent: 791)

bash New Fork (PID: 794, Parent: 791)

bash New Fork (PID: 795, Parent: 794)

bash New Fork (PID: 796, Parent: 795)

mktemp (MD5: ab78cb00857fefb979f3e8e4ba05b0be) Arguments: mktemp -d

bash New Fork (PID: 797, Parent: 794)

touch (MD5: 4740c7336a3cb2914b528fbce2d5edc7) Arguments: touch /var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T/tmp.nMeqc27u/testfile

bash New Fork (PID: 798, Parent: 794)

cp (MD5: c6c784e59743c03a85e53ac39bf4b1c1) Arguments: cp -u /var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T/tmp.nMeqc27u/testfile /var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T/tmp.nMeqc27u/testfile2

bash New Fork (PID: 799, Parent: 794)

rm (MD5: 99891a42b47f8a1016bf065e62dfe5b0) Arguments: rm -f /var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T/tmp.nMeqc27u/testfile /var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T/tmp.nMeqc27u/testfile2

bash New Fork (PID: 800, Parent: 794)

rm (MD5: 99891a42b47f8a1016bf065e62dfe5b0) Arguments: rm -rf /var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T/tmp.nMeqc27u

bash New Fork (PID: 801, Parent: 791)

cat (MD5: d4db1aa640ed6d80a0bd350e72d6fa8e) Arguments: cat

bash New Fork (PID: 802, Parent: 791)

uniq (MD5: cc0b12df22d202dc57b5efc4b5d9f6f4) Arguments: uniq

bash New Fork (PID: 803, Parent: 791)

bash New Fork (PID: 804, Parent: 803)

bash New Fork (PID: 805, Parent: 803)

bash New Fork (PID: 806, Parent: 805)

bash New Fork (PID: 807, Parent: 803)

dirname (MD5: 1d082aa299fbbdc31625e0729e1e5271) Arguments: dirname host/fxr/8.0.14/

bash New Fork (PID: 808, Parent: 803)

mkdir (MD5: bbbaafd2a4d7dcb9ddd178d814fea708) Arguments: mkdir -p /Library/Application Support/com.atera.ateraagent/Agent/.dotnet/host/fxr

bash New Fork (PID: 809, Parent: 803)

cp (MD5: c6c784e59743c03a85e53ac39bf4b1c1) Arguments: cp -R /tmp/dotnet.DUZHkmnca/host/fxr/8.0.14/ /Library/Application Support/com.atera.ateraagent/Agent/.dotnet/host/fxr/8.0.14/

bash New Fork (PID: 810, Parent: 803)

bash New Fork (PID: 811, Parent: 803)

bash New Fork (PID: 812, Parent: 811)

bash New Fork (PID: 813, Parent: 803)

dirname (MD5: 1d082aa299fbbdc31625e0729e1e5271) Arguments: dirname shared/Microsoft.NETCore.App/8.0.14/

bash New Fork (PID: 814, Parent: 803)

mkdir (MD5: bbbaafd2a4d7dcb9ddd178d814fea708) Arguments: mkdir -p /Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App

bash New Fork (PID: 815, Parent: 803)

cp (MD5: c6c784e59743c03a85e53ac39bf4b1c1) Arguments: cp -R /tmp/dotnet.DUZHkmnca/shared/Microsoft.NETCore.App/8.0.14/ /Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/

bash New Fork (PID: 816, Parent: 694)

find (MD5: 1fe4dde0bbb34131dcd3598dac59751d) Arguments: find /tmp/dotnet.DUZHkmnca -type f

bash New Fork (PID: 817, Parent: 694)

grep (MD5: 6ff93214c22e9c46b9ac021cfe18c9aa) Arguments: grep -Ev ^.*/[0-9]+\.[0-9]+[^/]+/

bash New Fork (PID: 818, Parent: 694)

bash New Fork (PID: 819, Parent: 818)

bash New Fork (PID: 820, Parent: 818)

bash New Fork (PID: 821, Parent: 818)

bash New Fork (PID: 822, Parent: 818)

cat (MD5: d4db1aa640ed6d80a0bd350e72d6fa8e) Arguments: cat

bash New Fork (PID: 823, Parent: 818)

uniq (MD5: cc0b12df22d202dc57b5efc4b5d9f6f4) Arguments: uniq

bash New Fork (PID: 824, Parent: 818)

bash New Fork (PID: 825, Parent: 824)

bash New Fork (PID: 826, Parent: 824)

dirname (MD5: 1d082aa299fbbdc31625e0729e1e5271) Arguments: dirname ThirdPartyNotices.txt

bash New Fork (PID: 827, Parent: 824)

mkdir (MD5: bbbaafd2a4d7dcb9ddd178d814fea708) Arguments: mkdir -p /Library/Application Support/com.atera.ateraagent/Agent/.dotnet/.

bash New Fork (PID: 828, Parent: 824)

cp (MD5: c6c784e59743c03a85e53ac39bf4b1c1) Arguments: cp -R /tmp/dotnet.DUZHkmnca/ThirdPartyNotices.txt /Library/Application Support/com.atera.ateraagent/Agent/.dotnet/ThirdPartyNotices.txt

bash New Fork (PID: 829, Parent: 824)

bash New Fork (PID: 830, Parent: 824)

dirname (MD5: 1d082aa299fbbdc31625e0729e1e5271) Arguments: dirname dotnet

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: unknown	HTTPS traffic detected: 151.101.67.6:443 -> 192.168.11.12:49351 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.67.6:443 -> 192.168.11.12:49355 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49386 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49387 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49388 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49389 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49391 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49392 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.76.201.171:443 -> 192.168.11.12:49390 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.67.6:443 -> 192.168.11.12:49396 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.25.166.183:443 -> 192.168.11.12:49398 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49418 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49419 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49420 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49421 version: TLS 1.2

Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.200.68
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.200.68
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.200.68
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.200.68
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.200.68
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.200.68
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.200.68
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.200.68
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.200.68
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.200.68
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.200.68
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.200.68
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.200.68
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.200.68
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.200.68
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.200.68
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.200.68
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.200.68
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.200.68
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.200.68
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.200.68
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.200.68
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.200.68
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.200.68
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.200.68
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.200.68
Source: unknown	TCP traffic detected without corresponding DNS query: 17.248.200.68
Source: unknown	TCP traffic detected without corresponding DNS query: 184.31.53.25
Source: unknown	TCP traffic detected without corresponding DNS query: 184.31.53.25
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /v1/dotnet-install.sh HTTP/1.1Host: dot.netUser-Agent: curl/7.54.0Accept: */*

Source: global traffic	DNS traffic detected: DNS query: h3.apis.apple.map.fastly.net
Source: global traffic	DNS traffic detected: DNS query: dot.net
Source: global traffic	DNS traffic detected: DNS query: aka.ms

Source: /usr/bin/curl (PID: 695)	Reads from socket in process: data	Jump to behavior
Source: /usr/bin/curl (PID: 735)	Reads from socket in process: data	Jump to behavior
Source: /usr/bin/curl (PID: 766)	Reads from socket in process: data	Jump to behavior
Source: /usr/bin/curl (PID: 771)	Reads from socket in process: data	Jump to behavior
Source: /usr/bin/curl (PID: 780)	Reads from socket in process: data	Jump to behavior
Source: /usr/bin/curl (PID: 783)	Reads from socket in process: data	Jump to behavior

Source: ThirdPartyNotices.txt.578.dr	String found in binary or memory: http://7-zip.org/sdk.html
Source: ThirdPartyNotices.txt.578.dr	String found in binary or memory: http://angular.io/license
Source: .BC.T_KBmNT2.271.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: .BC.T_Nvks1x.271.dr, .BC.T_KBmNT2.271.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
Source: .BC.T_KBmNT2.271.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: .BC.T_KBmNT2.271.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: .BC.T_Nvks1x.271.dr, .BC.T_KBmNT2.271.dr	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
Source: ThirdPartyNotices.txt.578.dr	String found in binary or memory: http://creativecommons.org/publicdomain/zero/1.0/
Source: AteraAgent_xzZFJv3k-005lqqFBKy66Ehl79dMF+xnAE9HV0nREpQ=_Production_2_.pkg	String found in binary or memory: http://crl.apple.com/applerootcag3.crl0
Source: preinstall, 00000662.00000334.1.0000000119f0e000.0000000119f37000.r--.sdmp, preinstall, 00000662.00000334.1.000000010d457000.000000010d461000.r--.sdmp, postinstall, 00000685.00000370.1.000000010610f000.0000000106119000.r--.sdmp, postinstall, 00000685.00000370.1.0000000113258000.0000000113281000.r--.sdmp	String found in binary or memory: http://crl.apple.com/codesigning.crl0
Source: AteraAgent_xzZFJv3k-005lqqFBKy66Ehl79dMF+xnAE9HV0nREpQ=_Production_2_.pkg, libhostfxr.dylib.549.dr, libclrjit.dylib.514.dr, libcoreclr.dylib.558.dr, dotnet.514.dr, libSystem.Net.Security.Native.dylib.558.dr, libSystem.Security.Cryptography.Native.Apple.dylib.558.dr, createdump.514.dr, libSystem.Security.Cryptography.Native.OpenSsl.dylib.514.dr, libSystem.Native.dylib.558.dr, libmscordaccore.dylib.558.dr, libclrjit.dylib.558.dr, libSystem.Native.dylib.514.dr	String found in binary or memory: http://crl.apple.com/root.crl0
Source: AteraAgent_xzZFJv3k-005lqqFBKy66Ehl79dMF+xnAE9HV0nREpQ=_Production_2_.pkg, libhostfxr.dylib.549.dr, libclrjit.dylib.514.dr, libcoreclr.dylib.558.dr, dotnet.514.dr, libSystem.Net.Security.Native.dylib.558.dr, libSystem.Security.Cryptography.Native.Apple.dylib.558.dr, createdump.514.dr, libSystem.Security.Cryptography.Native.OpenSsl.dylib.514.dr, libSystem.Native.dylib.558.dr, libmscordaccore.dylib.558.dr, libclrjit.dylib.558.dr, libSystem.Native.dylib.514.dr	String found in binary or memory: http://crl.apple.com/timestamp.crl0
Source: .BC.T_KBmNT2.271.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: .BC.T_Nvks1x.271.dr, .BC.T_KBmNT2.271.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
Source: .BC.T_KBmNT2.271.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: .BC.T_KBmNT2.271.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: .BC.T_Nvks1x.271.dr, .BC.T_KBmNT2.271.dr	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
Source: .BC.T_Nvks1x.271.dr	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0
Source: .BC.T_KBmNT2.271.dr	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
Source: System.Private.Xml.dll.558.dr, System.Private.Xml.dll.514.dr	String found in binary or memory: http://exslt.org/common
Source: .BC.T_KBmNT2.271.dr	String found in binary or memory: http://james.newtonking.com/projects/json
Source: ThirdPartyNotices.txt.578.dr	String found in binary or memory: http://llvm.org
Source: AteraAgent_xzZFJv3k-005lqqFBKy66Ehl79dMF+xnAE9HV0nREpQ=_Production_2_.pkg	String found in binary or memory: http://ocsp.apple.com/ocsp03-applerootcag307
Source: AteraAgent_xzZFJv3k-005lqqFBKy66Ehl79dMF+xnAE9HV0nREpQ=_Production_2_.pkg	String found in binary or memory: http://ocsp.apple.com/ocsp03-asica4020
Source: AteraAgent_xzZFJv3k-005lqqFBKy66Ehl79dMF+xnAE9HV0nREpQ=_Production_2_.pkg	String found in binary or memory: http://ocsp.apple.com/ocsp03-devid070
Source: libhostfxr.dylib.549.dr, libclrjit.dylib.514.dr, libcoreclr.dylib.558.dr, dotnet.514.dr, libSystem.Net.Security.Native.dylib.558.dr, libSystem.Security.Cryptography.Native.Apple.dylib.558.dr, createdump.514.dr, libSystem.Security.Cryptography.Native.OpenSsl.dylib.514.dr, libSystem.Native.dylib.558.dr, libmscordaccore.dylib.558.dr, libclrjit.dylib.558.dr, libSystem.Native.dylib.514.dr	String found in binary or memory: http://ocsp.apple.com/ocsp03-devid080
Source: .BC.T_KBmNT2.271.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: .BC.T_Nvks1x.271.dr, .BC.T_KBmNT2.271.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: .BC.T_Nvks1x.271.dr, .BC.T_KBmNT2.271.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: .BC.T_KBmNT2.271.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: ThirdPartyNotices.txt.578.dr	String found in binary or memory: http://opensource.org/licenses/MIT
Source: System.Private.Xml.dll.558.dr, System.Private.Xml.dll.514.dr	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: ThirdPartyNotices.txt.578.dr	String found in binary or memory: http://sourceforge.net/projects/slicing-by-8/
Source: ThirdPartyNotices.txt.578.dr	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: preinstall, 00000662.00000334.1.0000000119f0e000.0000000119f37000.r--.sdmp, preinstall, 00000662.00000334.1.000000010d457000.000000010d461000.r--.sdmp, postinstall, 00000685.00000370.1.000000010610f000.0000000106119000.r--.sdmp, postinstall, 00000685.00000370.1.0000000113258000.0000000113281000.r--.sdmp, libhostfxr.dylib.549.dr, libclrjit.dylib.514.dr, libcoreclr.dylib.558.dr, dotnet.514.dr, libSystem.Net.Security.Native.dylib.558.dr, libSystem.Security.Cryptography.Native.Apple.dylib.558.dr, createdump.514.dr, libSystem.Security.Cryptography.Native.OpenSsl.dylib.514.dr, libSystem.Native.dylib.558.dr, libmscordaccore.dylib.558.dr, libclrjit.dylib.558.dr, libSystem.Native.dylib.514.dr	String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: preinstall, 00000662.00000334.1.0000000119f0e000.0000000119f37000.r--.sdmp, preinstall, 00000662.00000334.1.000000010d457000.000000010d461000.r--.sdmp, postinstall, 00000685.00000370.1.000000010610f000.0000000106119000.r--.sdmp, postinstall, 00000685.00000370.1.0000000113258000.0000000113281000.r--.sdmp	String found in binary or memory: http://www.apple.com/appleca/root.crl0
Source: AteraAgent_xzZFJv3k-005lqqFBKy66Ehl79dMF+xnAE9HV0nREpQ=_Production_2_.pkg, libhostfxr.dylib.549.dr, libclrjit.dylib.514.dr, libcoreclr.dylib.558.dr, dotnet.514.dr, libSystem.Net.Security.Native.dylib.558.dr, libSystem.Security.Cryptography.Native.Apple.dylib.558.dr, createdump.514.dr, libSystem.Security.Cryptography.Native.OpenSsl.dylib.514.dr, libSystem.Native.dylib.558.dr, libmscordaccore.dylib.558.dr, libclrjit.dylib.558.dr, libSystem.Native.dylib.514.dr	String found in binary or memory: http://www.apple.com/appleca0
Source: AteraAgent_xzZFJv3k-005lqqFBKy66Ehl79dMF+xnAE9HV0nREpQ=_Production_2_.pkg	String found in binary or memory: http://www.apple.com/certificateauthority/0
Source: preinstall, 00000662.00000334.1.0000000119f0e000.0000000119f37000.r--.sdmp, preinstall, 00000662.00000334.1.000000010d457000.000000010d461000.r--.sdmp, postinstall, 00000685.00000370.1.000000010610f000.0000000106119000.r--.sdmp, postinstall, 00000685.00000370.1.0000000113258000.0000000113281000.r--.sdmp, libhostfxr.dylib.549.dr, libclrjit.dylib.514.dr, libcoreclr.dylib.558.dr, dotnet.514.dr, libSystem.Net.Security.Native.dylib.558.dr, libSystem.Security.Cryptography.Native.Apple.dylib.558.dr, createdump.514.dr, libSystem.Security.Cryptography.Native.OpenSsl.dylib.514.dr, libSystem.Native.dylib.558.dr, libmscordaccore.dylib.558.dr, libclrjit.dylib.558.dr, libSystem.Native.dylib.514.dr	String found in binary or memory: http://www.apple.com/certificateauthority0
Source: .BC.T_Nvks1x.271.dr, .BC.T_KBmNT2.271.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: ThirdPartyNotices.txt.578.dr	String found in binary or memory: http://www.mono-project.com/docs/about-mono/
Source: ThirdPartyNotices.txt.578.dr	String found in binary or memory: http://www.novell.com)
Source: ThirdPartyNotices.txt.578.dr	String found in binary or memory: http://www.ookii.org/software/dialogs/
Source: ThirdPartyNotices.txt.578.dr	String found in binary or memory: http://www.opensource.org/licenses/bsd-license.html.
Source: ThirdPartyNotices.txt.578.dr	String found in binary or memory: http://www.ryanjuckett.com/
Source: ThirdPartyNotices.txt.578.dr	String found in binary or memory: http://www.xamarin.com)
Source: System.Runtime.Serialization.Formatters.dll.558.dr, .BC.T_f7W9g9.271.dr	String found in binary or memory: https://aka.ms/binaryformatter
Source: libhostfxr.dylib.549.dr, dotnet.514.dr	String found in binary or memory: https://aka.ms/dotnet-core-applaunch?
Source: libhostfxr.dylib.549.dr	String found in binary or memory: https://aka.ms/dotnet-core-applaunch?framework=&framework_version=missing_runtime=true&arch=&rid=&os
Source: .BC.T_f7W9g9.271.dr, System.Transactions.Local.dll.558.dr, System.IO.IsolatedStorage.dll.558.dr, System.ComponentModel.Annotations.dll.514.dr, System.Net.Http.dll.514.dr, Microsoft.VisualBasic.Core.dll.558.dr, System.Security.AccessControl.dll.514.dr, System.ComponentModel.Annotations.dll.558.dr, System.IO.FileSystem.DriveInfo.dll.558.dr, System.Private.Xml.dll.514.dr, System.Net.HttpListener.dll.514.dr, System.ComponentModel.Primitives.dll.514.dr, System.Net.WebSockets.dll.514.dr, System.IO.FileSystem.Watcher.dll.558.dr	String found in binary or memory: https://aka.ms/dotnet-warnings/
Source: libhostfxr.dylib.549.dr, dotnet.514.dr	String found in binary or memory: https://aka.ms/dotnet/app-launch-failed
Source: libhostfxr.dylib.549.dr	String found in binary or memory: https://aka.ms/dotnet/download
Source: libhostfxr.dylib.549.dr	String found in binary or memory: https://aka.ms/dotnet/downloadUsage:
Source: libhostfxr.dylib.549.dr	String found in binary or memory: https://aka.ms/dotnet/info
Source: libhostfxr.dylib.549.dr	String found in binary or memory: https://aka.ms/dotnet/sdk-not-found
Source: libhostfxr.dylib.549.dr	String found in binary or memory: https://aka.ms/dotnet/sdk-not-foundFailed
Source: System.Data.Common.dll.514.dr, .BC.T_f7W9g9.271.dr	String found in binary or memory: https://aka.ms/serializationformat-binary-obsolete
Source: ThirdPartyNotices.txt.578.dr	String found in binary or memory: https://arxiv.org/pdf/2102.06959.pdf
Source: .BC.T_ysxAdH.271.dr, postinstall	String found in binary or memory: https://dot.net/v1/dotnet-install.sh
Source: ThirdPartyNotices.txt.578.dr	String found in binary or memory: https://github.com/BurntSushi/aho-corasick
Source: .BC.T_KBmNT2.271.dr	String found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json
Source: ThirdPartyNotices.txt.578.dr	String found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json/blob/master/LICENSE.md
Source: ThirdPartyNotices.txt.578.dr	String found in binary or memory: https://github.com/Microsoft/MSBuildLocator
Source: ThirdPartyNotices.txt.578.dr	String found in binary or memory: https://github.com/Microsoft/RoslynClrHeapAllocationAnalyzer
Source: ThirdPartyNotices.txt.578.dr	String found in binary or memory: https://github.com/NuGet/NuGet.Client/blob/dev/LICENSE.txt
Source: ThirdPartyNotices.txt.578.dr	String found in binary or memory: https://github.com/SixLabors/ImageSharp/blob/f4f689ce67ecbcc35cebddba5aacb603e6d1068a/LICENSE
Source: ThirdPartyNotices.txt.578.dr	String found in binary or memory: https://github.com/SixLabors/ImageSharp/blob/f4f689ce67ecbcc35cebddba5aacb603e6d1068a/src/ImageSharp
Source: ThirdPartyNotices.txt.578.dr	String found in binary or memory: https://github.com/WojciechMula/sse4-strstr)
Source: ThirdPartyNotices.txt.578.dr	String found in binary or memory: https://github.com/aappleby/smhasher/blob/master/src/MurmurHash3.cpp
Source: .BC.T_Nvks1x.271.dr	String found in binary or memory: https://github.com/dotnet/MQTTnet
Source: .BC.T_Nvks1x.271.dr	String found in binary or memory: https://github.com/dotnet/MQTTnet.git
Source: ThirdPartyNotices.txt.578.dr	String found in binary or memory: https://github.com/dotnet/aspnetcore/blob/main/LICENSE.txt
Source: System.Net.Requests.dll.558.dr, System.Net.WebClient.dll.558.dr, System.Net.Ping.dll.558.dr, System.Reflection.Emit.Lightweight.dll.514.dr, System.Runtime.CompilerServices.VisualC.dll.514.dr, System.Reflection.Emit.dll.558.dr, System.Resources.Reader.dll.558.dr, System.Net.WebProxy.dll.558.dr, System.IO.FileSystem.Primitives.dll.514.dr, System.Linq.Queryable.dll.558.dr, System.Data.Common.dll.514.dr, System.AppContext.dll.514.dr, System.Web.dll.514.dr, .BC.T_mY9F9q.271.dr, System.Private.Xml.dll.558.dr, System.Runtime.Numerics.dll.514.dr, System.Security.Principal.dll.514.dr, System.Threading.Tasks.Dataflow.dll.558.dr, System.ObjectModel.dll.514.dr, System.Data.DataSetExtensions.dll.558.dr, System.AppContext.dll.558.dr	String found in binary or memory: https://github.com/dotnet/runtime
Source: System.Resources.Reader.dll.558.dr, System.Data.DataSetExtensions.dll.558.dr, System.Data.DataSetExtensions.dll.514.dr	String found in binary or memory: https://github.com/dotnet/runtime#
Source: System.Xml.XmlDocument.dll.558.dr	String found in binary or memory: https://github.com/dotnet/runtime#I
Source: System.Net.dll.558.dr, System.Net.dll.514.dr	String found in binary or memory: https://github.com/dotnet/runtime&-
Source: System.Private.Xml.dll.558.dr, System.Private.Xml.dll.514.dr	String found in binary or memory: https://github.com/dotnet/runtime/issues/50820
Source: System.Resources.ResourceManager.dll.558.dr	String found in binary or memory: https://github.com/dotnet/runtime9
Source: System.Xml.Linq.dll.558.dr, System.Xml.Linq.dll.514.dr	String found in binary or memory: https://github.com/dotnet/runtimeE
Source: Microsoft.VisualBasic.Core.dll.514.dr, Microsoft.VisualBasic.Core.dll.558.dr	String found in binary or memory: https://github.com/dotnet/runtimeR
Source: System.Security.Cryptography.Encoding.dll.558.dr, System.Security.Cryptography.Encoding.dll.514.dr	String found in binary or memory: https://github.com/dotnet/runtimeW
Source: System.Security.dll.514.dr	String found in binary or memory: https://github.com/dotnet/runtimeZ
Source: Microsoft.VisualBasic.dll.558.dr, System.Web.dll.514.dr, System.Web.dll.558.dr	String found in binary or memory: https://github.com/dotnet/runtimea
Source: System.Security.AccessControl.dll.514.dr	String found in binary or memory: https://github.com/dotnet/runtimed
Source: .BC.T_mY9F9q.271.dr	String found in binary or memory: https://github.com/dotnet/runtimel
Source: System.Threading.Tasks.Extensions.dll.514.dr	String found in binary or memory: https://github.com/dotnet/runtimelJ
Source: netstandard.dll.558.dr	String found in binary or memory: https://github.com/dotnet/runtimep
Source: System.Diagnostics.Tools.dll.514.dr	String found in binary or memory: https://github.com/dotnet/runtimes_
Source: ThirdPartyNotices.txt.578.dr	String found in binary or memory: https://github.com/dotnet/templating/blob/main/build/nuget.exe
Source: .BC.T_IJBzQD.271.dr	String found in binary or memory: https://github.com/icsharpcode/SharpZipLib
Source: ThirdPartyNotices.txt.578.dr	String found in binary or memory: https://github.com/intel/isa-l/blob/33a2d9484595c2d6516c920ce39a694c144ddf69/crc/crc32_ieee_by4.asm
Source: ThirdPartyNotices.txt.578.dr	String found in binary or memory: https://github.com/intel/isa-l/blob/33a2d9484595c2d6516c920ce39a694c144ddf69/crc/crc64_ecma_norm_by8
Source: ThirdPartyNotices.txt.578.dr	String found in binary or memory: https://github.com/lemire/fastmod)
Source: ThirdPartyNotices.txt.578.dr	String found in binary or memory: https://github.com/lemire/fastrange)
Source: ThirdPartyNotices.txt.578.dr	String found in binary or memory: https://github.com/madler/zlib
Source: ThirdPartyNotices.txt.578.dr	String found in binary or memory: https://github.com/microsoft/DirectXMath/blob/master/LICENSE
Source: ThirdPartyNotices.txt.578.dr	String found in binary or memory: https://github.com/microsoft/msquic/blob/main/LICENSE
Source: System.Data.Common.dll.514.dr	String found in binary or memory: https://github.com/mono/linker/issues/1187
Source: .BC.T_9WjK8k.271.dr, Microsoft.CSharp.dll.514.dr	String found in binary or memory: https://github.com/mono/linker/issues/1416.
Source: System.Reflection.DispatchProxy.dll.514.dr, Microsoft.VisualBasic.Core.dll.514.dr, Microsoft.VisualBasic.Core.dll.558.dr	String found in binary or memory: https://github.com/mono/linker/issues/1731
Source: Microsoft.CSharp.dll.514.dr	String found in binary or memory: https://github.com/mono/linker/issues/1906.
Source: System.Data.Common.dll.514.dr	String found in binary or memory: https://github.com/mono/linker/issues/1981
Source: ThirdPartyNotices.txt.578.dr	String found in binary or memory: https://github.com/nigeltao/parse-number-fxx-test-data)
Source: .BC.T_IZ39Jr.271.dr	String found in binary or memory: https://github.com/serilog/serilog-extensions-hosting
Source: .BC.T_IZ39Jr.271.dr	String found in binary or memory: https://github.com/serilog/serilog-extensions-hostingd
Source: .BC.T_RbFfSO.271.dr	String found in binary or memory: https://github.com/serilog/serilog.git
Source: ThirdPartyNotices.txt.578.dr	String found in binary or memory: https://github.com/ucb-bar/berkeley-softfloat-3
Source: ThirdPartyNotices.txt.578.dr	String found in binary or memory: https://github.com/ucb-bar/berkeley-softfloat-3/blob/master/COPYING.txt
Source: ThirdPartyNotices.txt.578.dr	String found in binary or memory: https://llvm.org/LICENSE.txt
Source: ThirdPartyNotices.txt.578.dr	String found in binary or memory: https://opensource.org/licenses/MIT
Source: ThirdPartyNotices.txt.578.dr	String found in binary or memory: https://sindresorhus.com)
Source: preinstall, 00000662.00000334.1.0000000119f0e000.0000000119f37000.r--.sdmp, preinstall, 00000662.00000334.1.000000010d457000.000000010d461000.r--.sdmp, postinstall, 00000685.00000370.1.000000010610f000.0000000106119000.r--.sdmp, postinstall, 00000685.00000370.1.0000000113258000.0000000113281000.r--.sdmp, AteraAgent_xzZFJv3k-005lqqFBKy66Ehl79dMF+xnAE9HV0nREpQ=_Production_2_.pkg, libhostfxr.dylib.549.dr, libclrjit.dylib.514.dr, libcoreclr.dylib.558.dr, dotnet.514.dr, libSystem.Net.Security.Native.dylib.558.dr, libSystem.Security.Cryptography.Native.Apple.dylib.558.dr, createdump.514.dr, libSystem.Security.Cryptography.Native.OpenSsl.dylib.514.dr, libSystem.Native.dylib.558.dr, libmscordaccore.dylib.558.dr, libclrjit.dylib.558.dr, libSystem.Native.dylib.514.dr	String found in binary or memory: https://www.apple.com/appleca/0
Source: .BC.T_KBmNT2.271.dr	String found in binary or memory: https://www.newtonsoft.com/json
Source: .BC.T_KBmNT2.271.dr	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: .BC.T_KBmNT2.271.dr	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
Source: ThirdPartyNotices.txt.578.dr	String found in binary or memory: https://www.unicode.org/copyright.html.
Source: ThirdPartyNotices.txt.578.dr	String found in binary or memory: https://www.unicode.org/license.html
Source: ThirdPartyNotices.txt.578.dr	String found in binary or memory: https://zlib.net/zlib_license.html

Source: unknown	Network traffic detected: HTTP traffic on port 49351 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49347
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49389
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49388
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49421
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49387
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49420
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49386
Source: unknown	Network traffic detected: HTTP traffic on port 49391 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49355 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49386 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49388 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49419 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49420 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49419
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49418
Source: unknown	Network traffic detected: HTTP traffic on port 49350 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49398 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49355
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49398
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49396
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49351
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49350
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49392
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49391
Source: unknown	Network traffic detected: HTTP traffic on port 49396 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49390
Source: unknown	Network traffic detected: HTTP traffic on port 49392 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49390 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49387 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49389 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49418 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49421 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49347 -> 443

Source: /usr/bin/curl (PID: 695)	Writes from socket in process: data	Jump to behavior
Source: /usr/bin/curl (PID: 735)	Writes from socket in process: data	Jump to behavior
Source: /usr/bin/curl (PID: 766)	Writes from socket in process: data	Jump to behavior
Source: /usr/bin/curl (PID: 771)	Writes from socket in process: data	Jump to behavior
Source: /usr/bin/curl (PID: 780)	Writes from socket in process: data	Jump to behavior
Source: /usr/bin/curl (PID: 783)	Writes from socket in process: data	Jump to behavior

Source: unknown	HTTPS traffic detected: 151.101.67.6:443 -> 192.168.11.12:49351 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.67.6:443 -> 192.168.11.12:49355 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49386 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49387 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49388 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49389 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49391 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.3.6:443 -> 192.168.11.12:49392 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.76.201.171:443 -> 192.168.11.12:49390 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.67.6:443 -> 192.168.11.12:49396 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.25.166.183:443 -> 192.168.11.12:49398 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49418 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49419 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49420 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49421 version: TLS 1.2

Spam, unwanted Advertisements and Ransom Demands

Creates a notice file (html or txt) to demand a ransom

Source: /usr/bin/tar	File dropped: /private/tmp/dotnet.DUZHkmnca/ThirdPartyNotices.txt -> instructions. the unsigned division incorporates the"round down" optimization per ridiculous_fish.this is free and unencumbered software. any copyright is dedicated to the public domain.license notice for mimalloc---------------------------mit licensecopyright (c) 2019 microsoft corporation, daan leijenpermission is hereby granted, free of charge, to any person obtaining a copyof this software and associated documentation files (the "software"), to dealin the software without restriction, including without limitation the rightsto use, copy, modify, merge, publish, distribute, sublicense, and/or sellcopies of the software, and to permit persons to whom the software isfurnished to do so, subject to the following conditions:the above copyright notice and this permission notice shall be included in allcopies or substantial portions of the software.the software is provided "as is", without warranty of any kind, express orimplied, including but not limited to the warranties of merchantability			Jump to dropped file
Source: /bin/cp	File dropped: /Library/Application Support/com.atera.ateraagent/Agent/.dotnet/ThirdPartyNotices.txt -> instructions. the unsigned division incorporates the"round down" optimization per ridiculous_fish.this is free and unencumbered software. any copyright is dedicated to the public domain.license notice for mimalloc---------------------------mit licensecopyright (c) 2019 microsoft corporation, daan leijenpermission is hereby granted, free of charge, to any person obtaining a copyof this software and associated documentation files (the "software"), to dealin the software without restriction, including without limitation the rightsto use, copy, modify, merge, publish, distribute, sublicense, and/or sellcopies of the software, and to permit persons to whom the software isfurnished to do so, subject to the following conditions:the above copyright notice and this permission notice shall be included in allcopies or substantial portions of the software.the software is provided "as is", without warranty of any kind, express orimplied, including but not limited to the warranties of merchantability			Jump to dropped file

Source: /usr/bin/tar (PID: 787)	HTML file containing JavaScript created: /private/tmp/dotnet.DUZHkmnca/shared/Microsoft.NETCore.App/8.0.14/libSystem.IO.Compression.Native.dylib			Jump to dropped file
Source: /bin/cp (PID: 815)	HTML file containing JavaScript created: /Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/libSystem.IO.Compression.Native.dylib			Jump to dropped file

Source: classification engine

Classification label: mal48.rans.evad.macPKG@0/449@4/0

Persistence and Installation Behavior

Writes Mach-O files to hidden directories

Source: /bin/cp (PID: 809)	64-bit Mach-O written to hidden directory: /Library/Application Support/com.atera.ateraagent/Agent/.dotnet/host/fxr/8.0.14/libhostfxr.dylib	Jump to dropped file
Source: /bin/cp (PID: 815)	64-bit Mach-O written to hidden directory: /Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/createdump	Jump to dropped file
Source: /bin/cp (PID: 815)	64-bit Mach-O written to hidden directory: /Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/libcoreclr.dylib	Jump to dropped file
Source: /bin/cp (PID: 815)	64-bit Mach-O written to hidden directory: /Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/libSystem.Native.dylib	Jump to dropped file
Source: /bin/cp (PID: 815)	64-bit Mach-O written to hidden directory: /Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/libSystem.IO.Compression.Native.dylib	Jump to dropped file
Source: /bin/cp (PID: 815)	64-bit Mach-O written to hidden directory: /Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/libSystem.Globalization.Native.dylib	Jump to dropped file
Source: /bin/cp (PID: 815)	64-bit Mach-O written to hidden directory: /Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/libSystem.Security.Cryptography.Native.Apple.dylib	Jump to dropped file
Source: /bin/cp (PID: 815)	64-bit Mach-O written to hidden directory: /Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/libmscordaccore.dylib	Jump to dropped file
Source: /bin/cp (PID: 815)	64-bit Mach-O written to hidden directory: /Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/libSystem.Net.Security.Native.dylib	Jump to dropped file
Source: /bin/cp (PID: 815)	64-bit Mach-O written to hidden directory: /Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/libmscordbi.dylib	Jump to dropped file
Source: /bin/cp (PID: 815)	64-bit Mach-O written to hidden directory: /Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/libhostpolicy.dylib	Jump to dropped file
Source: /bin/cp (PID: 815)	64-bit Mach-O written to hidden directory: /Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/libSystem.Security.Cryptography.Native.OpenSsl.dylib	Jump to dropped file
Source: /bin/cp (PID: 815)	64-bit Mach-O written to hidden directory: /Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/libclrjit.dylib	Jump to dropped file
Source: /bin/cp (PID: 815)	64-bit Mach-O written to hidden directory: /Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/libclrgc.dylib	Jump to dropped file

Source: /bin/cp (PID: 809)	Permissions modified for written 64-bit Mach-O /Library/Application Support/com.atera.ateraagent/Agent/.dotnet/host/fxr/8.0.14/libhostfxr.dylib: bits: - usr: rx grp: rx all: rwx	Jump to dropped file
Source: /bin/cp (PID: 815)	Permissions modified for written 64-bit Mach-O /Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/createdump: bits: - usr: rx grp: rx all: rwx	Jump to dropped file
Source: /bin/cp (PID: 815)	Permissions modified for written 64-bit Mach-O /Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/libcoreclr.dylib: bits: - usr: rx grp: rx all: rwx	Jump to dropped file
Source: /bin/cp (PID: 815)	Permissions modified for written 64-bit Mach-O /Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/libSystem.Native.dylib: bits: - usr: rx grp: rx all: rwx	Jump to dropped file
Source: /bin/cp (PID: 815)	Permissions modified for written 64-bit Mach-O /Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/libSystem.IO.Compression.Native.dylib: bits: - usr: rx grp: rx all: rwx	Jump to dropped file
Source: /bin/cp (PID: 815)	Permissions modified for written 64-bit Mach-O /Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/libSystem.Globalization.Native.dylib: bits: - usr: rx grp: rx all: rwx	Jump to dropped file
Source: /bin/cp (PID: 815)	Permissions modified for written 64-bit Mach-O /Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/libSystem.Security.Cryptography.Native.Apple.dylib: bits: - usr: rx grp: rx all: rwx	Jump to dropped file
Source: /bin/cp (PID: 815)	Permissions modified for written 64-bit Mach-O /Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/libmscordaccore.dylib: bits: - usr: rx grp: rx all: rwx	Jump to dropped file
Source: /bin/cp (PID: 815)	Permissions modified for written 64-bit Mach-O /Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/libSystem.Net.Security.Native.dylib: bits: - usr: rx grp: rx all: rwx	Jump to dropped file
Source: /bin/cp (PID: 815)	Permissions modified for written 64-bit Mach-O /Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/libmscordbi.dylib: bits: - usr: rx grp: rx all: rwx	Jump to dropped file
Source: /bin/cp (PID: 815)	Permissions modified for written 64-bit Mach-O /Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/libhostpolicy.dylib: bits: - usr: rx grp: rx all: rwx	Jump to dropped file
Source: /bin/cp (PID: 815)	Permissions modified for written 64-bit Mach-O /Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/libSystem.Security.Cryptography.Native.OpenSsl.dylib: bits: - usr: rx grp: rx all: rwx	Jump to dropped file
Source: /bin/cp (PID: 815)	Permissions modified for written 64-bit Mach-O /Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/libclrjit.dylib: bits: - usr: rx grp: rx all: rwx	Jump to dropped file
Source: /bin/cp (PID: 815)	Permissions modified for written 64-bit Mach-O /Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/libclrgc.dylib: bits: - usr: rx grp: rx all: rwx	Jump to dropped file

Source: /System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd (PID: 628)	Hidden File moved: /var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/C/PKInstallSandboxManager/95B7A872-D4B1-4D95-9C99-9E8876D5ADB6.sandbox/.dat.nosync0274.LHA6rM -> /var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/C/PKInstallSandboxManager/95B7A872-D4B1-4D95-9C99-9E8876D5ADB6.sandbox/.SessionUUID	Jump to behavior
Source: /System/Library/PrivateFrameworks/PackageKit.framework/Resources/install_monitor (PID: 661)	Hidden File created: /var/db/.dat.nosync0295.Ai2DQE	Jump to behavior
Source: /System/Library/PrivateFrameworks/PackageKit.framework/Resources/install_monitor (PID: 661)	Hidden File moved: /var/db/.dat.nosync0295.Ai2DQE -> /var/db/.InstallerTMExcludes.plist	Jump to behavior
Source: /usr/bin/tar (PID: 787)	Hidden File created: shared/Microsoft.NETCore.App/8.0.14/.version	Jump to behavior
Source: /bin/cp (PID: 815)	Hidden File created: /Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/.version	Jump to behavior

Source: /usr/bin/sudo (PID: 695)	Curl executable: /usr/bin/curl -> curl -sSL https://dot.net/v1/dotnet-install.sh	Jump to behavior
Source: /bin/bash (PID: 735)	Curl executable: /usr/bin/curl -> curl -I -sSL --retry 5 --retry-delay 2 --connect-timeout 15 https://aka.ms/dotnet/8.0/dotnet-runtime-osx-x64.tar.gz	Jump to behavior
Source: /bin/bash (PID: 766)	Curl executable: /usr/bin/curl -> curl --head -o /dev/null -w %{http_code} -s --fail https://builds.dotnet.microsoft.com/dotnet/Runtime/8.0.14/dotnet-runtime-8.0.14-osx-x64.tar.gz	Jump to behavior
Source: /bin/bash (PID: 771)	Curl executable: /usr/bin/curl -> curl -s --fail https://builds.dotnet.microsoft.com/dotnet/Runtime/8.0.14/runtime-productVersion.txt	Jump to behavior
Source: /bin/bash (PID: 780)	Curl executable: /usr/bin/curl -> curl --retry 20 --retry-delay 2 --connect-timeout 15 -sSL -f --create-dirs -o /tmp/dotnet.apAJI0d8n https://builds.dotnet.microsoft.com/dotnet/Runtime/8.0.14/dotnet-runtime-8.0.14-osx-x64.tar.gz	Jump to behavior
Source: /bin/bash (PID: 783)	Curl executable: /usr/bin/curl -> curl -sI https://builds.dotnet.microsoft.com/dotnet/Runtime/8.0.14/dotnet-runtime-8.0.14-osx-x64.tar.gz	Jump to behavior

Source: /bin/bash (PID: 743)	Grep executable: /usr/bin/grep -> grep -v 301	Jump to behavior
Source: /bin/bash (PID: 756)	Grep executable: /usr/bin/grep -> grep ://	Jump to behavior
Source: /bin/bash (PID: 760)	Grep executable: /usr/bin/grep -> grep /	Jump to behavior
Source: /bin/bash (PID: 784)	Grep executable: /usr/bin/grep -> grep -i content-length	Jump to behavior
Source: /bin/bash (PID: 789)	Grep executable: /usr/bin/grep -> grep -Eo ^.*/[0-9]+\.[0-9]+[^/]+/	Jump to behavior
Source: /bin/bash (PID: 817)	Grep executable: /usr/bin/grep -> grep -Ev ^.*/[0-9]+\.[0-9]+[^/]+/	Jump to behavior

Source: /bin/bash (PID: 778)	Mkdir executable: /bin/mkdir -> mkdir -p /Library/Application Support/com.atera.ateraagent/Agent/.dotnet	Jump to behavior
Source: /bin/bash (PID: 808)	Mkdir executable: /bin/mkdir -> mkdir -p /Library/Application Support/com.atera.ateraagent/Agent/.dotnet/host/fxr	Jump to behavior
Source: /bin/bash (PID: 814)	Mkdir executable: /bin/mkdir -> mkdir -p /Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App	Jump to behavior
Source: /bin/bash (PID: 827)	Mkdir executable: /bin/mkdir -> mkdir -p /Library/Application Support/com.atera.ateraagent/Agent/.dotnet/.	Jump to behavior

Source: /bin/bash (PID: 779)	Mktemp executable: /usr/bin/mktemp -> mktemp /tmp/dotnet.XXXXXXXXX	Jump to behavior
Source: /bin/bash (PID: 786)	Mktemp executable: /usr/bin/mktemp -> mktemp -d /tmp/dotnet.XXXXXXXXX	Jump to behavior
Source: /bin/bash (PID: 796)	Mktemp executable: /usr/bin/mktemp -> mktemp -d	Jump to behavior

Source: /bin/bash (PID: 799)	Rm executable: /bin/rm -> rm -f /var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T/tmp.nMeqc27u/testfile /var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T/tmp.nMeqc27u/testfile2			Jump to behavior
Source: /bin/bash (PID: 800)	Rm executable: /bin/rm -> rm -rf /var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T/tmp.nMeqc27u			Jump to behavior

Source: /bin/bash (PID: 678)	Sudo executable: /usr/bin/sudo -> sudo launchctl unload /Library/LaunchDaemons/com.atera.agent.plist	Jump to behavior
Source: /bin/bash (PID: 680)	Sudo executable: /usr/bin/sudo -> sudo launchctl stop com.atera.agent	Jump to behavior
Source: /bin/bash (PID: 692)	Sudo executable: /usr/bin/sudo -> sudo curl -sSL https://dot.net/v1/dotnet-install.sh	Jump to behavior
Source: /bin/bash (PID: 693)	Sudo executable: /usr/bin/sudo -> sudo bash -s -- -Runtime dotnet -Channel 8.0 -InstallDir /Library/Application Support/com.atera.ateraagent/Agent/.dotnet	Jump to behavior

Source: /bin/bash (PID: 797)

Touch executable: /usr/bin/touch -> touch /var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T/tmp.nMeqc27u/testfile

Jump to behavior

Source: /usr/bin/sudo (PID: 679)	Launch agent/daemon unloaded: launchctl unload /Library/LaunchDaemons/com.atera.agent.plist			Jump to behavior
Source: /usr/bin/sudo (PID: 681)	Launch agent/daemon stopped: launchctl stop com.atera.agent			Jump to behavior

Source: /System/Library/CoreServices/Installer.app/Contents/MacOS/Installer (PID: 623)

CFNetwork info plist opened: /System/Library/Frameworks/CFNetwork.framework/Resources/Info.plist

Jump to behavior

Source: /System/Library/CoreServices/Installer.app/Contents/MacOS/Installer (PID: 623)	Security framework info plist opened: /System/Library/Frameworks/Security.framework/Resources/Info.plist			Jump to behavior
Source: /System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd (PID: 628)	Security framework info plist opened: /System/Library/Frameworks/Security.framework/Resources/Info.plist			Jump to behavior

Source: /usr/bin/tar (PID: 787)	File written: /private/tmp/dotnet.DUZHkmnca/dotnet	Jump to dropped file
Source: /usr/bin/tar (PID: 787)	File written: /private/tmp/dotnet.DUZHkmnca/host/fxr/8.0.14/libhostfxr.dylib	Jump to dropped file
Source: /usr/bin/tar (PID: 787)	File written: /private/tmp/dotnet.DUZHkmnca/shared/Microsoft.NETCore.App/8.0.14/createdump	Jump to dropped file
Source: /usr/bin/tar (PID: 787)	File written: /private/tmp/dotnet.DUZHkmnca/shared/Microsoft.NETCore.App/8.0.14/libSystem.Globalization.Native.dylib	Jump to dropped file
Source: /usr/bin/tar (PID: 787)	File written: /private/tmp/dotnet.DUZHkmnca/shared/Microsoft.NETCore.App/8.0.14/libSystem.IO.Compression.Native.dylib	Jump to dropped file
Source: /usr/bin/tar (PID: 787)	File written: /private/tmp/dotnet.DUZHkmnca/shared/Microsoft.NETCore.App/8.0.14/libSystem.Native.dylib	Jump to dropped file
Source: /usr/bin/tar (PID: 787)	File written: /private/tmp/dotnet.DUZHkmnca/shared/Microsoft.NETCore.App/8.0.14/libSystem.Net.Security.Native.dylib	Jump to dropped file
Source: /usr/bin/tar (PID: 787)	File written: /private/tmp/dotnet.DUZHkmnca/shared/Microsoft.NETCore.App/8.0.14/libSystem.Security.Cryptography.Native.Apple.dylib	Jump to dropped file
Source: /usr/bin/tar (PID: 787)	File written: /private/tmp/dotnet.DUZHkmnca/shared/Microsoft.NETCore.App/8.0.14/libSystem.Security.Cryptography.Native.OpenSsl.dylib	Jump to dropped file
Source: /usr/bin/tar (PID: 787)	File written: /private/tmp/dotnet.DUZHkmnca/shared/Microsoft.NETCore.App/8.0.14/libclrgc.dylib	Jump to dropped file
Source: /usr/bin/tar (PID: 787)	File written: /private/tmp/dotnet.DUZHkmnca/shared/Microsoft.NETCore.App/8.0.14/libclrjit.dylib	Jump to dropped file
Source: /usr/bin/tar (PID: 787)	File written: /private/tmp/dotnet.DUZHkmnca/shared/Microsoft.NETCore.App/8.0.14/libcoreclr.dylib	Jump to dropped file
Source: /usr/bin/tar (PID: 787)	File written: /private/tmp/dotnet.DUZHkmnca/shared/Microsoft.NETCore.App/8.0.14/libhostpolicy.dylib	Jump to dropped file
Source: /usr/bin/tar (PID: 787)	File written: /private/tmp/dotnet.DUZHkmnca/shared/Microsoft.NETCore.App/8.0.14/libmscordaccore.dylib	Jump to dropped file
Source: /usr/bin/tar (PID: 787)	File written: /private/tmp/dotnet.DUZHkmnca/shared/Microsoft.NETCore.App/8.0.14/libmscordbi.dylib	Jump to dropped file
Source: /bin/cp (PID: 809)	File written: /Library/Application Support/com.atera.ateraagent/Agent/.dotnet/host/fxr/8.0.14/libhostfxr.dylib	Jump to dropped file
Source: /bin/cp (PID: 815)	File written: /Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/createdump	Jump to dropped file
Source: /bin/cp (PID: 815)	File written: /Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/libcoreclr.dylib	Jump to dropped file
Source: /bin/cp (PID: 815)	File written: /Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/libSystem.Native.dylib	Jump to dropped file
Source: /bin/cp (PID: 815)	File written: /Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/libSystem.IO.Compression.Native.dylib	Jump to dropped file
Source: /bin/cp (PID: 815)	File written: /Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/libSystem.Globalization.Native.dylib	Jump to dropped file
Source: /bin/cp (PID: 815)	File written: /Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/libSystem.Security.Cryptography.Native.Apple.dylib	Jump to dropped file
Source: /bin/cp (PID: 815)	File written: /Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/libmscordaccore.dylib	Jump to dropped file
Source: /bin/cp (PID: 815)	File written: /Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/libSystem.Net.Security.Native.dylib	Jump to dropped file
Source: /bin/cp (PID: 815)	File written: /Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/libmscordbi.dylib	Jump to dropped file
Source: /bin/cp (PID: 815)	File written: /Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/libhostpolicy.dylib	Jump to dropped file
Source: /bin/cp (PID: 815)	File written: /Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/libSystem.Security.Cryptography.Native.OpenSsl.dylib	Jump to dropped file
Source: /bin/cp (PID: 815)	File written: /Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/libclrjit.dylib	Jump to dropped file
Source: /bin/cp (PID: 815)	File written: /Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/libclrgc.dylib	Jump to dropped file

Source: /usr/bin/tar (PID: 787)	64-bit Mach-O written to tmp path: /private/tmp/dotnet.DUZHkmnca/dotnet	Jump to dropped file
Source: /usr/bin/tar (PID: 787)	64-bit Mach-O written to tmp path: /private/tmp/dotnet.DUZHkmnca/host/fxr/8.0.14/libhostfxr.dylib	Jump to dropped file
Source: /usr/bin/tar (PID: 787)	64-bit Mach-O written to tmp path: /private/tmp/dotnet.DUZHkmnca/shared/Microsoft.NETCore.App/8.0.14/createdump	Jump to dropped file
Source: /usr/bin/tar (PID: 787)	64-bit Mach-O written to tmp path: /private/tmp/dotnet.DUZHkmnca/shared/Microsoft.NETCore.App/8.0.14/libSystem.Globalization.Native.dylib	Jump to dropped file
Source: /usr/bin/tar (PID: 787)	64-bit Mach-O written to tmp path: /private/tmp/dotnet.DUZHkmnca/shared/Microsoft.NETCore.App/8.0.14/libSystem.IO.Compression.Native.dylib	Jump to dropped file
Source: /usr/bin/tar (PID: 787)	64-bit Mach-O written to tmp path: /private/tmp/dotnet.DUZHkmnca/shared/Microsoft.NETCore.App/8.0.14/libSystem.Native.dylib	Jump to dropped file
Source: /usr/bin/tar (PID: 787)	64-bit Mach-O written to tmp path: /private/tmp/dotnet.DUZHkmnca/shared/Microsoft.NETCore.App/8.0.14/libSystem.Net.Security.Native.dylib	Jump to dropped file
Source: /usr/bin/tar (PID: 787)	64-bit Mach-O written to tmp path: /private/tmp/dotnet.DUZHkmnca/shared/Microsoft.NETCore.App/8.0.14/libSystem.Security.Cryptography.Native.Apple.dylib	Jump to dropped file
Source: /usr/bin/tar (PID: 787)	64-bit Mach-O written to tmp path: /private/tmp/dotnet.DUZHkmnca/shared/Microsoft.NETCore.App/8.0.14/libSystem.Security.Cryptography.Native.OpenSsl.dylib	Jump to dropped file
Source: /usr/bin/tar (PID: 787)	64-bit Mach-O written to tmp path: /private/tmp/dotnet.DUZHkmnca/shared/Microsoft.NETCore.App/8.0.14/libclrgc.dylib	Jump to dropped file
Source: /usr/bin/tar (PID: 787)	64-bit Mach-O written to tmp path: /private/tmp/dotnet.DUZHkmnca/shared/Microsoft.NETCore.App/8.0.14/libclrjit.dylib	Jump to dropped file
Source: /usr/bin/tar (PID: 787)	64-bit Mach-O written to tmp path: /private/tmp/dotnet.DUZHkmnca/shared/Microsoft.NETCore.App/8.0.14/libcoreclr.dylib	Jump to dropped file
Source: /usr/bin/tar (PID: 787)	64-bit Mach-O written to tmp path: /private/tmp/dotnet.DUZHkmnca/shared/Microsoft.NETCore.App/8.0.14/libhostpolicy.dylib	Jump to dropped file
Source: /usr/bin/tar (PID: 787)	64-bit Mach-O written to tmp path: /private/tmp/dotnet.DUZHkmnca/shared/Microsoft.NETCore.App/8.0.14/libmscordaccore.dylib	Jump to dropped file
Source: /usr/bin/tar (PID: 787)	64-bit Mach-O written to tmp path: /private/tmp/dotnet.DUZHkmnca/shared/Microsoft.NETCore.App/8.0.14/libmscordbi.dylib	Jump to dropped file

Source: /System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd (PID: 628)

File written: /private/var/run/.dat.nosync0274.qgOXVG -> contains PID 628

Jump to dropped file

Source: /bin/bash (PID: 739)	Awk executable: /usr/bin/awk -> awk $1 ~ /^HTTP/ {print $2}	Jump to behavior
Source: /bin/bash (PID: 749)	Awk executable: /usr/bin/awk -> awk $1 ~ /^Location/{print $2}	Jump to behavior
Source: /bin/bash (PID: 785)	Awk executable: /usr/bin/awk -> awk { num = $2 + 0 print num }	Jump to behavior

Source: /bin/bash (PID: 742)	Sed executable: /usr/bin/sed -> sed $d			Jump to behavior
Source: /bin/bash (PID: 757)	Sed executable: /usr/bin/sed -> sed -es,^$.://$.,\1,g			Jump to behavior

Source: /System/Library/CoreServices/Installer.app/Contents/MacOS/Installer (PID: 623)

AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist

Jump to behavior

Source: /System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd (PID: 628)	Binary plist file created: /private/var/db/receipts/com.atera.agent.plist	Jump to dropped file
Source: /System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd (PID: 628)	XML plist file created: /Library/Receipts/InstallHistory.plist	Jump to dropped file
Source: /System/Library/PrivateFrameworks/PackageKit.framework/Resources/install_monitor (PID: 661)	XML plist file created: /private/var/db/.dat.nosync0295.Ai2DQE	Jump to dropped file

Source: /System/Library/PrivateFrameworks/PackageKit.framework/Resources/shove (PID: 684)

Launch daemon created File moved: /var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/C/PKInstallSandboxManager/95B7A872-D4B1-4D95-9C99-9E8876D5ADB6.activeSandbox/Root/Library/LaunchDaemons/com.atera.agent.plist -> /Library/LaunchDaemons/com.atera.agent.plist

Jump to behavior

Source: libSystem.Native.dylib.514.dr	Binary or memory string: vmhgfs
Source: libSystem.Native.dylib.514.dr	Binary or memory string: Unknown socket error%sadfsaffsanoninodeapfsaufsautofsbefsbdevfsbpf_fsbinfmt_miscbootfsbtrfscephcgroupfscgroup2fscifscodacoherentconfigfscpusetcramfsctfsdevfsdevptsecryptfsexofsext2_oldext2ext3ext4f2fsfdfhgfsfusegfs2gpfshpfshugetlbfsinotifyfsisofsjffsjffs2kafslofslogfslustreminix_oldminixminix2minix2v2minix3mntfsmqueuemsdosnfsdnilfsnovellntfsobjfsocfs2openpromomfsoverlayfspanfspipefsprocpstorefsqnx4qnx6ramfsreiserfsromfsrootfsrpc_pipefssambasdcardfssecurityfssffssmb2sockfssquashfssysfssysv2sysv4tmpfsubifsufscigamufs2usbdevicev9fsvboxfsvmhgfsvxfsvzfsxenfsxenixudevnet.inet.tcp.statsnet.inet.tcp.pcbcountnet.inet.ip.statsnet.inet.ip.ttlnet.inet.ip.forwardingnet.inet.udp.statsnet.inet.udp.pcbcountnet.inet.icmp.statsnet.inet6.icmp6.statsnet.inet.tcp.pcblistnet.inet.udp.pcblist%s %s %saarch64arm64armv6armx86_64amd64sysctl.proc_translateds390xppc64leloongarch64riscv64libc/usr/lib/libc.dylib.NET SigHandler=B
Source: libSystem.Native.dylib.558.dr, System.IO.FileSystem.DriveInfo.dll.558.dr, libSystem.Native.dylib.514.dr	Binary or memory string: fhgfs

Source: /System/Library/CoreServices/Installer.app/Contents/MacOS/Installer (PID: 623)	Sysctl read request: hw.cpu_freq (6.15)	Jump to behavior
Source: /System/Library/CoreServices/Installer.app/Contents/MacOS/Installer (PID: 623)	Sysctl read request: hw.ncpu (6.3)	Jump to behavior
Source: /System/Library/CoreServices/Installer.app/Contents/MacOS/Installer (PID: 623)	Sysctl read request: hw.memsize (6.24)	Jump to behavior
Source: /System/Library/CoreServices/Installer.app/Contents/MacOS/Installer (PID: 623)	Sysctl read request: hw.availcpu (6.25)	Jump to behavior

Source: /System/Library/CoreServices/Installer.app/Contents/MacOS/Installer (PID: 623)	Sysctl requested: kern.ostype (1.1)	Jump to behavior
Source: /System/Library/CoreServices/Installer.app/Contents/MacOS/Installer (PID: 623)	Sysctl requested: kern.osrelease (1.2)	Jump to behavior
Source: /usr/bin/uname (PID: 704)	Sysctl requested: kern.ostype (1.1)	Jump to behavior
Source: /usr/bin/uname (PID: 704)	Sysctl requested: kern.osrelease (1.2)	Jump to behavior
Source: /usr/bin/uname (PID: 711)	Sysctl requested: kern.ostype (1.1)	Jump to behavior
Source: /usr/bin/uname (PID: 711)	Sysctl requested: kern.osrelease (1.2)	Jump to behavior
Source: /usr/bin/uname (PID: 730)	Sysctl requested: kern.ostype (1.1)	Jump to behavior
Source: /usr/bin/uname (PID: 730)	Sysctl requested: kern.osrelease (1.2)	Jump to behavior

Source: /System/Library/CoreServices/Installer.app/Contents/MacOS/Installer (PID: 623)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /tmp/PKInstallSandbox.rGQEHd/Scripts/com.atera.agent.ul7Ws7/preinstall (PID: 662)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /tmp/PKInstallSandbox.rGQEHd/Scripts/com.atera.agent.ul7Ws7/postinstall (PID: 685)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/bash (PID: 694)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /usr/bin/uname (PID: 704)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /usr/bin/uname (PID: 711)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /usr/bin/uname (PID: 730)	Sysctl requested: kern.hostname (1.10)	Jump to behavior

Source: /usr/bin/open (PID: 622)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist			Jump to behavior
Source: /System/Library/CoreServices/Installer.app/Contents/MacOS/Installer (PID: 623)	System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist			Jump to behavior

Source: /bin/bash (PID: 704)	Uname executable: /usr/bin/uname -> uname -m	Jump to behavior
Source: /bin/bash (PID: 711)	Uname executable: /usr/bin/uname -> uname	Jump to behavior
Source: /bin/bash (PID: 730)	Uname executable: /usr/bin/uname -> uname	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 LC_LOAD_DYLIB Addition	1 LC_LOAD_DYLIB Addition	1 Hide Artifacts	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	1 Exfiltration Over Alternative Protocol	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Launchctl	1 Launch Daemon	1 Launch Daemon	11 Hidden Files and Directories	LSASS Memory	41 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Sudo and Sudo Caching	1 Indicator Removal	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Sudo and Sudo Caching	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 File Deletion	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Shell
Is malicious
Internet

Source	Detection	Scanner
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/Microsoft.CSharp.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/Microsoft.VisualBasic.Core.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/Microsoft.VisualBasic.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/Microsoft.Win32.Primitives.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/Microsoft.Win32.Registry.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.AppContext.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Buffers.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Collections.Concurrent.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Collections.Immutable.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Collections.NonGeneric.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Collections.Specialized.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Collections.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.ComponentModel.Annotations.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.ComponentModel.DataAnnotations.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.ComponentModel.EventBasedAsync.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.ComponentModel.Primitives.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.ComponentModel.TypeConverter.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.ComponentModel.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Configuration.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Console.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Core.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Data.Common.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Data.DataSetExtensions.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Data.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Diagnostics.Contracts.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Diagnostics.Debug.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Diagnostics.DiagnosticSource.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Diagnostics.FileVersionInfo.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Diagnostics.Process.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Diagnostics.StackTrace.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Diagnostics.TextWriterTraceListener.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Diagnostics.Tools.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Diagnostics.TraceSource.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Diagnostics.Tracing.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Drawing.Primitives.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Drawing.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Dynamic.Runtime.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Formats.Asn1.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Formats.Tar.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Globalization.Calendars.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Globalization.Extensions.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Globalization.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.IO.Compression.Brotli.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.IO.Compression.FileSystem.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.IO.Compression.ZipFile.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.IO.Compression.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.IO.FileSystem.AccessControl.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.IO.FileSystem.DriveInfo.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.IO.FileSystem.Primitives.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.IO.FileSystem.Watcher.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.IO.FileSystem.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.IO.IsolatedStorage.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.IO.MemoryMappedFiles.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.IO.Pipes.AccessControl.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.IO.Pipes.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.IO.UnmanagedMemoryStream.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.IO.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Linq.Expressions.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Linq.Parallel.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Linq.Queryable.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Linq.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Memory.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Net.Http.Json.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Net.Http.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Net.HttpListener.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Net.Mail.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Net.NameResolution.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Net.NetworkInformation.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Net.Ping.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Net.Primitives.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Net.Quic.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Net.Requests.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Net.Security.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Net.ServicePoint.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Net.Sockets.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Net.WebClient.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Net.WebHeaderCollection.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Net.WebProxy.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Net.WebSockets.Client.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Net.WebSockets.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Net.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Numerics.Vectors.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Numerics.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.ObjectModel.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Private.CoreLib.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Private.DataContractSerialization.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Private.Uri.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Private.Xml.Linq.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Private.Xml.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Reflection.DispatchProxy.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Reflection.Emit.ILGeneration.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Reflection.Emit.Lightweight.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Reflection.Emit.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Reflection.Extensions.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Reflection.Metadata.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Reflection.Primitives.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Reflection.TypeExtensions.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Reflection.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Resources.Reader.dll	0%	ReversingLabs
/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Resources.ResourceManager.dll	0%	ReversingLabs

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.novell.com)	0%	Avira URL Cloud	safe
http://www.xamarin.com)	0%	Avira URL Cloud	safe
https://www.newtonsoft.com/json	0%	Avira URL Cloud	safe
http://www.ookii.org/software/dialogs/	0%	Avira URL Cloud	safe
https://zlib.net/zlib_license.html	0%	Avira URL Cloud	safe
http://www.opensource.org/licenses/bsd-license.html.	0%	Avira URL Cloud	safe
http://www.mono-project.com/docs/about-mono/	0%	Avira URL Cloud	safe
https://sindresorhus.com)	0%	Avira URL Cloud	safe
http://exslt.org/common	0%	Avira URL Cloud	safe
http://www.ryanjuckett.com/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
dot.net	20.76.201.171	true	false	high
aka.ms	184.25.166.183	true	false	high
h3.apis.apple.map.fastly.net	151.101.3.6	true	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://dot.net/v1/dotnet-install.sh	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://github.com/mono/linker/issues/1731	System.Reflection.DispatchProxy.dll.514.dr, Microsoft.VisualBasic.Core.dll.514.dr, Microsoft.VisualBasic.Core.dll.558.dr	false		high
https://github.com/dotnet/templating/blob/main/build/nuget.exe	ThirdPartyNotices.txt.578.dr	false		high
https://github.com/dotnet/runtime9	System.Resources.ResourceManager.dll.558.dr	false		high
https://aka.ms/dotnet/info	libhostfxr.dylib.549.dr	false		high
https://github.com/lemire/fastrange)	ThirdPartyNotices.txt.578.dr	false		high
http://www.novell.com)	ThirdPartyNotices.txt.578.dr	false	Avira URL Cloud: safe	unknown
https://github.com/dotnet/runtime&-	System.Net.dll.558.dr, System.Net.dll.514.dr	false		high
https://github.com/dotnet/runtimeE	System.Xml.Linq.dll.558.dr, System.Xml.Linq.dll.514.dr	false		high
https://llvm.org/LICENSE.txt	ThirdPartyNotices.txt.578.dr	false		high
https://opensource.org/licenses/MIT	ThirdPartyNotices.txt.578.dr	false		high
https://github.com/aappleby/smhasher/blob/master/src/MurmurHash3.cpp	ThirdPartyNotices.txt.578.dr	false		high
https://www.newtonsoft.com/json	.BC.T_KBmNT2.271.dr	false	Avira URL Cloud: safe	unknown
https://aka.ms/dotnet/app-launch-failed	libhostfxr.dylib.549.dr, dotnet.514.dr	false		high
https://github.com/dotnet/runtimes_	System.Diagnostics.Tools.dll.514.dr	false		high
http://llvm.org	ThirdPartyNotices.txt.578.dr	false		high
http://creativecommons.org/publicdomain/zero/1.0/	ThirdPartyNotices.txt.578.dr	false		high
http://www.mono-project.com/docs/about-mono/	ThirdPartyNotices.txt.578.dr	false	Avira URL Cloud: safe	unknown
http://www.xamarin.com)	ThirdPartyNotices.txt.578.dr	false	Avira URL Cloud: safe	unknown
https://aka.ms/dotnet/sdk-not-foundFailed	libhostfxr.dylib.549.dr	false		high
https://aka.ms/dotnet-core-applaunch?	libhostfxr.dylib.549.dr, dotnet.514.dr	false		high
https://github.com/dotnet/runtime	System.Net.Requests.dll.558.dr, System.Net.WebClient.dll.558.dr, System.Net.Ping.dll.558.dr, System.Reflection.Emit.Lightweight.dll.514.dr, System.Runtime.CompilerServices.VisualC.dll.514.dr, System.Reflection.Emit.dll.558.dr, System.Resources.Reader.dll.558.dr, System.Net.WebProxy.dll.558.dr, System.IO.FileSystem.Primitives.dll.514.dr, System.Linq.Queryable.dll.558.dr, System.Data.Common.dll.514.dr, System.AppContext.dll.514.dr, System.Web.dll.514.dr, .BC.T_mY9F9q.271.dr, System.Private.Xml.dll.558.dr, System.Runtime.Numerics.dll.514.dr, System.Security.Principal.dll.514.dr, System.Threading.Tasks.Dataflow.dll.558.dr, System.ObjectModel.dll.514.dr, System.Data.DataSetExtensions.dll.558.dr, System.AppContext.dll.558.dr	false		high
http://7-zip.org/sdk.html	ThirdPartyNotices.txt.578.dr	false		high
http://www.ryanjuckett.com/	ThirdPartyNotices.txt.578.dr	false	Avira URL Cloud: safe	unknown
https://github.com/dotnet/runtimelJ	System.Threading.Tasks.Extensions.dll.514.dr	false		high
https://aka.ms/dotnet-core-applaunch?framework=&framework_version=missing_runtime=true&arch=&rid=&os	libhostfxr.dylib.549.dr	false		high
https://github.com/dotnet/runtimeW	System.Security.Cryptography.Encoding.dll.558.dr, System.Security.Cryptography.Encoding.dll.514.dr	false		high
https://aka.ms/dotnet-warnings/	.BC.T_f7W9g9.271.dr, System.Transactions.Local.dll.558.dr, System.IO.IsolatedStorage.dll.558.dr, System.ComponentModel.Annotations.dll.514.dr, System.Net.Http.dll.514.dr, Microsoft.VisualBasic.Core.dll.558.dr, System.Security.AccessControl.dll.514.dr, System.ComponentModel.Annotations.dll.558.dr, System.IO.FileSystem.DriveInfo.dll.558.dr, System.Private.Xml.dll.514.dr, System.Net.HttpListener.dll.514.dr, System.ComponentModel.Primitives.dll.514.dr, System.Net.WebSockets.dll.514.dr, System.IO.FileSystem.Watcher.dll.558.dr	false		high
https://github.com/SixLabors/ImageSharp/blob/f4f689ce67ecbcc35cebddba5aacb603e6d1068a/LICENSE	ThirdPartyNotices.txt.578.dr	false		high
https://github.com/dotnet/runtimeZ	System.Security.dll.514.dr	false		high
https://github.com/BurntSushi/aho-corasick	ThirdPartyNotices.txt.578.dr	false		high
https://github.com/JamesNK/Newtonsoft.Json/blob/master/LICENSE.md	ThirdPartyNotices.txt.578.dr	false		high
https://github.com/dotnet/runtimed	System.Security.AccessControl.dll.514.dr	false		high
https://aka.ms/serializationformat-binary-obsolete	System.Data.Common.dll.514.dr, .BC.T_f7W9g9.271.dr	false		high
https://github.com/dotnet/runtimea	Microsoft.VisualBasic.dll.558.dr, System.Web.dll.514.dr, System.Web.dll.558.dr	false		high
http://www.ookii.org/software/dialogs/	ThirdPartyNotices.txt.578.dr	false	Avira URL Cloud: safe	unknown
https://aka.ms/dotnet/sdk-not-found	libhostfxr.dylib.549.dr	false		high
https://aka.ms/binaryformatter	System.Runtime.Serialization.Formatters.dll.558.dr, .BC.T_f7W9g9.271.dr	false		high
https://github.com/Microsoft/MSBuildLocator	ThirdPartyNotices.txt.578.dr	false		high
https://github.com/dotnet/aspnetcore/blob/main/LICENSE.txt	ThirdPartyNotices.txt.578.dr	false		high
https://zlib.net/zlib_license.html	ThirdPartyNotices.txt.578.dr	false	Avira URL Cloud: safe	unknown
https://github.com/microsoft/msquic/blob/main/LICENSE	ThirdPartyNotices.txt.578.dr	false		high
https://github.com/JamesNK/Newtonsoft.Json	.BC.T_KBmNT2.271.dr	false		high
https://github.com/dotnet/runtimeR	Microsoft.VisualBasic.Core.dll.514.dr, Microsoft.VisualBasic.Core.dll.558.dr	false		high
https://github.com/dotnet/MQTTnet.git	.BC.T_Nvks1x.271.dr	false		high
https://github.com/madler/zlib	ThirdPartyNotices.txt.578.dr	false		high
http://www.apache.org/licenses/LICENSE-2.0	ThirdPartyNotices.txt.578.dr	false		high
http://www.opensource.org/licenses/bsd-license.html.	ThirdPartyNotices.txt.578.dr	false	Avira URL Cloud: safe	unknown
https://github.com/WojciechMula/sse4-strstr)	ThirdPartyNotices.txt.578.dr	false		high
https://github.com/ucb-bar/berkeley-softfloat-3	ThirdPartyNotices.txt.578.dr	false		high
https://www.unicode.org/license.html	ThirdPartyNotices.txt.578.dr	false		high
https://github.com/serilog/serilog.git	.BC.T_RbFfSO.271.dr	false		high
https://github.com/dotnet/runtime#I	System.Xml.XmlDocument.dll.558.dr	false		high
https://sindresorhus.com)	ThirdPartyNotices.txt.578.dr	false	Avira URL Cloud: safe	unknown
https://github.com/icsharpcode/SharpZipLib	.BC.T_IJBzQD.271.dr	false		high
http://exslt.org/common	System.Private.Xml.dll.558.dr, System.Private.Xml.dll.514.dr	false	Avira URL Cloud: safe	unknown
https://github.com/mono/linker/issues/1416.	.BC.T_9WjK8k.271.dr, Microsoft.CSharp.dll.514.dr	false		high
https://github.com/dotnet/MQTTnet	.BC.T_Nvks1x.271.dr	false		high
https://github.com/serilog/serilog-extensions-hostingd	.BC.T_IZ39Jr.271.dr	false		high
https://github.com/dotnet/runtimel	.BC.T_mY9F9q.271.dr	false		high
http://opensource.org/licenses/MIT	ThirdPartyNotices.txt.578.dr	false		high
https://github.com/NuGet/NuGet.Client/blob/dev/LICENSE.txt	ThirdPartyNotices.txt.578.dr	false		high
http://angular.io/license	ThirdPartyNotices.txt.578.dr	false		high
https://github.com/intel/isa-l/blob/33a2d9484595c2d6516c920ce39a694c144ddf69/crc/crc32_ieee_by4.asm	ThirdPartyNotices.txt.578.dr	false		high
https://github.com/nigeltao/parse-number-fxx-test-data)	ThirdPartyNotices.txt.578.dr	false		high
https://github.com/ucb-bar/berkeley-softfloat-3/blob/master/COPYING.txt	ThirdPartyNotices.txt.578.dr	false		high
http://james.newtonking.com/projects/json	.BC.T_KBmNT2.271.dr	false		high
https://github.com/microsoft/DirectXMath/blob/master/LICENSE	ThirdPartyNotices.txt.578.dr	false		high
https://github.com/dotnet/runtimep	netstandard.dll.558.dr	false		high
https://aka.ms/dotnet/downloadUsage:	libhostfxr.dylib.549.dr	false		high
https://github.com/Microsoft/RoslynClrHeapAllocationAnalyzer	ThirdPartyNotices.txt.578.dr	false		high
https://github.com/SixLabors/ImageSharp/blob/f4f689ce67ecbcc35cebddba5aacb603e6d1068a/src/ImageSharp	ThirdPartyNotices.txt.578.dr	false		high
https://github.com/mono/linker/issues/1981	System.Data.Common.dll.514.dr	false		high
https://arxiv.org/pdf/2102.06959.pdf	ThirdPartyNotices.txt.578.dr	false		high
https://github.com/lemire/fastmod)	ThirdPartyNotices.txt.578.dr	false		high
https://github.com/dotnet/runtime#	System.Resources.Reader.dll.558.dr, System.Data.DataSetExtensions.dll.558.dr, System.Data.DataSetExtensions.dll.514.dr	false		high
https://github.com/mono/linker/issues/1906.	Microsoft.CSharp.dll.514.dr	false		high
http://schemas.xmlsoap.org/wsdl/	System.Private.Xml.dll.558.dr, System.Private.Xml.dll.514.dr	false		high
https://www.newtonsoft.com/jsonschema	.BC.T_KBmNT2.271.dr	false		high
https://github.com/dotnet/runtime/issues/50820	System.Private.Xml.dll.558.dr, System.Private.Xml.dll.514.dr	false		high
http://sourceforge.net/projects/slicing-by-8/	ThirdPartyNotices.txt.578.dr	false		high
https://github.com/serilog/serilog-extensions-hosting	.BC.T_IZ39Jr.271.dr	false		high
https://www.nuget.org/packages/Newtonsoft.Json.Bson	.BC.T_KBmNT2.271.dr	false		high
https://github.com/intel/isa-l/blob/33a2d9484595c2d6516c920ce39a694c144ddf69/crc/crc64_ecma_norm_by8	ThirdPartyNotices.txt.578.dr	false		high
https://www.unicode.org/copyright.html.	ThirdPartyNotices.txt.578.dr	false		high
https://aka.ms/dotnet/download	libhostfxr.dylib.549.dr	false		high
https://github.com/mono/linker/issues/1187	System.Data.Common.dll.514.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
20.76.201.171	dot.net	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
184.31.53.25	unknown	United States	16625	AKAMAI-ASUS	false
184.25.166.183	aka.ms	United States	9498	BBIL-APBHARTIAirtelLtdIN	false
151.101.3.6	h3.apis.apple.map.fastly.net	United States	54113	FASTLYUS	false
151.101.195.6	unknown	United States	54113	FASTLYUS	false
151.101.67.6	unknown	United States	54113	FASTLYUS	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
20.76.201.171	1AIemYSAZy.exe	Get hash	malicious	Glupteba, LummaC Stealer, SmokeLoader, Stealc	Browse	outlook2.com/administrator/
151.101.3.6	Chrome	Get hash	malicious	AMOS Stealer	Browse
	http://www.citibank2.com/citibank/citi/index	Get hash	malicious	Unknown	Browse
	AvayaWorkplaceMacOS-3.38.0.147.18.dmg	Get hash	malicious	Unknown	Browse
	https://jok.darfeistud.ru/n0raBLCJ/	Get hash	malicious	Unknown	Browse
	https://vdot.virginia-ticketrb.xin/us/	Get hash	malicious	Unknown	Browse
	TotalAV.dmg	Get hash	malicious	Unknown	Browse
	Factura.pdf	Get hash	malicious	Unknown	Browse
	Chrome_7.13.dmg-Malware.dmg	Get hash	malicious	AMOS Stealer	Browse
	https://u1.tightlyreporter.shop/sosalkino.mov	Get hash	malicious	Unknown	Browse
	https://email.m.teachable.com/c/eJwsjjmO7CAYBk8DoQUfZgsIXuJrtH4WP9DYsgVMn3_kVsdVKlUO0RTyvARplYO2UjleTmrHq5dU2j1fLQcGSOu8kMY5zwBeg4_KRMRd7xnaU8YaNZHNWpTVi2R4CxDQQiohrYR0SwasszBxjzkqZdgqzmUWSpXiUZZ0nfwIdc57MPWPYWPYcm-jzkb5PR_OsNHvrPwsY9D_8j1TqzBeq2erh5N6esLUf65-f6Ij1es6vjIUrBUf-R3wFwAA__9VN0p8#a2FzcGFyYXNrckB1bml0eTNkLmNvbQ==	Get hash	malicious	Unknown	Browse
184.31.53.25	Chrome	Get hash	malicious	AMOS Stealer	Browse
151.101.195.6	http://www.citibank2.com/citibank/citi/index	Get hash	malicious	Unknown	Browse
	https://jok.darfeistud.ru/n0raBLCJ/	Get hash	malicious	Unknown	Browse
	https://vdot.virginia-ticketrb.xin/us	Get hash	malicious	Unknown	Browse
	TotalAV.dmg	Get hash	malicious	Unknown	Browse
	https://DvRg.atbuovpkz.com/TYjSz/	Get hash	malicious	Unknown	Browse
	Factura.pdf	Get hash	malicious	Unknown	Browse
	https://streetfurniture.com/r-u-ok/	Get hash	malicious	Unknown	Browse
	Chrome_7.13.dmg-Malware.dmg	Get hash	malicious	AMOS Stealer	Browse
	Chrome	Get hash	malicious	AMOS Stealer	Browse
	https://share-na2.hsforms.com/1PjEWHU0rTgy9Ph9sIQQEsg403mgg	Get hash	malicious	Unknown	Browse
184.25.166.183	Nezur.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
h3.apis.apple.map.fastly.net	http://www.citibank2.com/citibank/citi/index	Get hash	malicious	Unknown	Browse	151.101.195.6
	AvayaWorkplaceMacOS-3.38.0.147.18.dmg	Get hash	malicious	Unknown	Browse	151.101.131.6
	https://jok.darfeistud.ru/n0raBLCJ/	Get hash	malicious	Unknown	Browse	151.101.195.6
	https://vdot.virginia-ticketrb.xin/us	Get hash	malicious	Unknown	Browse	151.101.195.6
	https://vdot.virginia-ticketrb.xin/us/	Get hash	malicious	Unknown	Browse	151.101.67.6
	TotalAV.dmg	Get hash	malicious	Unknown	Browse	151.101.195.6
	https://DvRg.atbuovpkz.com/TYjSz/	Get hash	malicious	Unknown	Browse	151.101.131.6
	Factura.pdf	Get hash	malicious	Unknown	Browse	151.101.195.6
	https://streetfurniture.com/r-u-ok/	Get hash	malicious	Unknown	Browse	151.101.195.6
	Chrome_7.13.dmg-Malware.dmg	Get hash	malicious	AMOS Stealer	Browse	151.101.131.6
aka.ms	https://aka.ms/getTSS	Get hash	malicious	Unknown	Browse	173.223.118.95
	ID_60232912649455456988.eml	Get hash	malicious	HTMLPhisher	Browse	72.246.170.70
	(No subject) (1).eml	Get hash	malicious	Unknown	Browse	92.122.18.57
	(No subject) (1).eml	Get hash	malicious	Unknown	Browse	2.20.158.181
	SecuriteInfo.com.Win64.Trojan.Agent.3CB6HA.7357.22454.exe	Get hash	malicious	Unknown	Browse	104.123.42.57
	GlxMassive.exe	Get hash	malicious	Unknown	Browse	104.119.110.121
	(No subject).eml	Get hash	malicious	Unknown	Browse	92.123.22.10
	UFMp7JcgA2.exe	Get hash	malicious	GhostRat	Browse	23.32.221.157
	14_49 PM.eml	Get hash	malicious	Unknown	Browse	92.122.18.57
	14_30 PM.eml	Get hash	malicious	Unknown	Browse	92.123.45.160

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASUS	http://allstareventsmiami.com	Get hash	malicious	Unknown	Browse	92.123.12.13
	Spacey Sun 11.12.411.exe	Get hash	malicious	Vidar	Browse	23.57.90.79
	https://www.google.co.zm/url?q=https%3A%2F%2Fembalagenspontual.com%2F.dnd%2F&sa=D&sntz=1&usg=AOvVaw2fQzlrSA6WjuVq4o5C-GZh#?470265860475745Family=X2NlYzY3QG5hc2hpbnRsLmNvbQ==	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	92.123.12.186
	Chrome	Get hash	malicious	AMOS Stealer	Browse	184.31.53.25
	http://188.114.96.0	Get hash	malicious	Unknown	Browse	2.23.65.88
	Quotation.xls	Get hash	malicious	Unknown	Browse	23.60.203.209
	http://188.114.97.3	Get hash	malicious	Unknown	Browse	104.73.230.208
	http://188.114.96.3	Get hash	malicious	Unknown	Browse	104.73.230.208
	Quotation.xls	Get hash	malicious	Unknown	Browse	23.199.214.10
	RV Please verify your email preferences.msg	Get hash	malicious	Unknown	Browse	23.60.203.209
BBIL-APBHARTIAirtelLtdIN	mips.elf	Get hash	malicious	Mirai, Moobot	Browse	182.73.94.192
	nabx86.elf	Get hash	malicious	Unknown	Browse	125.20.166.169
	mpsl.elf	Get hash	malicious	Mirai	Browse	23.211.224.113
	nabx86.elf	Get hash	malicious	Unknown	Browse	184.26.54.85
	jklm68k.elf	Get hash	malicious	Unknown	Browse	23.211.211.83
	morte.ppc.elf	Get hash	malicious	Unknown	Browse	203.101.2.158
	morte.arm.elf	Get hash	malicious	Unknown	Browse	203.101.87.145
	morte.sh4.elf	Get hash	malicious	Unknown	Browse	203.101.16.31
	morte.mpsl.elf	Get hash	malicious	Unknown	Browse	203.101.39.207
	morte.sh4.elf	Get hash	malicious	Unknown	Browse	203.101.39.208
MICROSOFT-CORP-MSN-AS-BLOCKUS	Spacey Sun 11.12.411.exe	Get hash	malicious	Vidar	Browse	204.79.197.203
	http://188.114.96.0	Get hash	malicious	Unknown	Browse	13.107.42.14
	VM Orger Acknowledged.zip	Get hash	malicious	Unknown	Browse	52.109.76.144
	Quotation.xls	Get hash	malicious	Unknown	Browse	13.89.179.8
	http://188.114.97.3	Get hash	malicious	Unknown	Browse	13.107.42.14
	Quotation.xls	Get hash	malicious	Unknown	Browse	13.107.253.72
	http://188.114.96.3	Get hash	malicious	Unknown	Browse	13.107.42.14
	Quotation.xls	Get hash	malicious	Unknown	Browse	13.107.246.60
	http://boaoni-001-site1.ktempurl.com/	Get hash	malicious	Unknown	Browse	52.247.36.244
	RV Please verify your email preferences.msg	Get hash	malicious	Unknown	Browse	52.109.32.39
FASTLYUS	https://www.google.co.zm/url?q=https%3A%2F%2Fembalagenspontual.com%2F.dnd%2F&sa=D&sntz=1&usg=AOvVaw2fQzlrSA6WjuVq4o5C-GZh#?470265860475745Family=X2NlYzY3QG5hc2hpbnRsLmNvbQ==	Get hash	malicious	HTMLPhisher, Invisible JS, Tycoon2FA	Browse	151.101.2.137
	https://fortuneurl.com/qdQgK	Get hash	malicious	Unknown	Browse	151.101.194.137
	Chrome	Get hash	malicious	AMOS Stealer	Browse	151.101.67.6
	http://188.114.96.0	Get hash	malicious	Unknown	Browse	151.101.65.229
	https://encryption-marinha.jkndfuzv.ru/PtM2i/$nadia.sofia.rijo@marinha.pt	Get hash	malicious	Unknown	Browse	185.199.108.133
	VM Orger Acknowledged.zip	Get hash	malicious	Unknown	Browse	151.101.66.137
	http://188.114.97.3	Get hash	malicious	Unknown	Browse	151.101.65.140
	http://188.114.96.3	Get hash	malicious	Unknown	Browse	151.101.1.140
	https://unifranckm.weebly.com	Get hash	malicious	Unknown	Browse	151.101.1.46
	https://mietamasklogiene.webflow.io/	Get hash	malicious	HTMLPhisher	Browse	151.101.1.140

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
5c118da645babe52f060d0754256a73c	Chrome	Get hash	malicious	AMOS Stealer	Browse	151.101.3.6 151.101.195.6 151.101.67.6
	AvayaWorkplaceMacOS-3.38.0.147.18.dmg	Get hash	malicious	Unknown	Browse	151.101.3.6 151.101.195.6 151.101.67.6
	https://jok.darfeistud.ru/n0raBLCJ/	Get hash	malicious	Unknown	Browse	151.101.3.6 151.101.195.6 151.101.67.6
	https://vdot.virginia-ticketrb.xin/us	Get hash	malicious	Unknown	Browse	151.101.3.6 151.101.195.6 151.101.67.6
	https://vdot.virginia-ticketrb.xin/us/	Get hash	malicious	Unknown	Browse	151.101.3.6 151.101.195.6 151.101.67.6
	TotalAV.dmg	Get hash	malicious	Unknown	Browse	151.101.3.6 151.101.195.6 151.101.67.6
	https://DvRg.atbuovpkz.com/TYjSz/	Get hash	malicious	Unknown	Browse	151.101.3.6 151.101.195.6 151.101.67.6
	Factura.pdf	Get hash	malicious	Unknown	Browse	151.101.3.6 151.101.195.6 151.101.67.6
	https://streetfurniture.com/r-u-ok/	Get hash	malicious	Unknown	Browse	151.101.3.6 151.101.195.6 151.101.67.6
	Chrome_7.13.dmg-Malware.dmg	Get hash	malicious	AMOS Stealer	Browse	151.101.3.6 151.101.195.6 151.101.67.6
a7a5e32c2ca29907256b5de4fbdf61ed	https://clickme.thryv.com/ls/click?upn=u001.Als7cfHaJU2yMdsJgpsIFkILOsO1UnLItklUwD68rhtr94fRPJI4HAEjYZ7vdlgHTiHU_OEO3HRIZ3eedLymwLhvJt9sqs3j4T3CqpVCO9A0ZKplqH1W1Ad1lCPdQBrRfbSauZPLLCLTYBsXDRt8yGG5FOZ7NK342oFTufTBA9n-2F9XZPRzSyzWe4FlQQyqQA-2BOTqGjWjoN-2BuPm4tzM5LM6f6tO2PXKa74YSjAhzL6onG-2BuKO989bZZj9vupVvXtBWU0qXeI6VZny9p-2FgjssbU9Je1I2RDoZPOLgxX8gxf2-2BzsuoGYoVqnaS5CYR1Z5WEWAcZP0wmQbm4ikqer-2BGrlVppyDdPw-2BxPiObQZTbU2ZeclEy9V5nUC-2BnwlvdDmQwsjghHkHuJFiwInVWpyiCgGFo0uYjlPs3G8hdAgJBJu-2F-2B0K864-3D#ZmluYW5jZUBjbGVhcnZpZXcuYWk=	Get hash	malicious	Unknown	Browse	184.25.166.183 20.76.201.171
	extracted-pkg.ziphttps://fluencydirect-distro.s3.amazonaws.com/releases.macOS/FluencyDirect-11.0.10.40.pkg	Get hash	malicious	Unknown	Browse	184.25.166.183 20.76.201.171
	Aunteficator-installer-1it5dZOj.pkg	Get hash	malicious	Unknown	Browse	184.25.166.183 20.76.201.171
	MacKeeper.6.7.1.pkg	Get hash	malicious	Unknown	Browse	184.25.166.183 20.76.201.171

Process:	/bin/cp
File Type:	Unicode text, UTF-8 text, with very long lines (755)
Category:	dropped
Size (bytes):	94355
Entropy (8bit):	5.215380552271277
Encrypted:	false
SSDEEP:	1536:oV1VXrAatwbImlxJBD2XbUntFRavzWCHr9N4rlKS7SIuVZ1d6iA1QGdVbU9erlNc:oV1Jr/8l7BqAFQvaqrIr8ZVArerlCpSh
MD5:	94D8370133696C4CA9F8B09E82CE7B65
SHA1:	BFD81CE77A8F92D80077180658A8DEEBC007F887
SHA-256:	FB47C97D2919D9584F25564058F973DE424DA8B500D51B46E406391C6E9ADCA6
SHA-512:	42267A7F2A361B94D7205E7D8D125928F58C8BF80DF876345FF1A5B8D247B6852E01A373A1E28F0BD146A75136B190089CF46A690A3D89E55BACED3A9CFBE558
Malicious:	true
Reputation:	low
Preview:	.NET Runtime uses third-party libraries or other resources that may be.distributed under licenses different than the .NET Runtime software...In the event that we accidentally failed to list a required notice, please.bring it to our attention. Post an issue or email us:.. dotnet@microsoft.com..The attached notices are provided for information only...License notice for ASP.NET.-------------------------------..Copyright (c) .NET Foundation. All rights reserved..Licensed under the Apache License, Version 2.0...Available at.https://github.com/dotnet/aspnetcore/blob/main/LICENSE.txt..License notice for Slicing-by-8.-------------------------------..http://sourceforge.net/projects/slicing-by-8/..Copyright (c) 2004-2006 Intel Corporation - All Rights Reserved...This software program is licensed subject to the BSD License, available at.http://www.opensource.org/licenses/bsd-license.html...License notice for Unicode data.-------------------------------..https://www.unicode.org/license.

Process:	/System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	6554
Entropy (8bit):	4.942035555950273
Encrypted:	false
SSDEEP:	96:CyCz9Aj19AdTfMNTMMNTrvMNTRMT6P/oulO7u6luE7O7O+QfWfNfvvfufRMfsGO/:XYypy9/W6D/oykVlVyJr69
MD5:	12FBFCEB319D87C1D9495C16ED23FE05
SHA1:	8D25EAE2AF078B61E32DC835ABB71C3834625515
SHA-256:	B7B52A6FE66804C60851760D124090AA0A111084E48633E42963C13266C210CB
SHA-512:	92C38638DAA3EA5B7CE741FB1C5FAC5DB6457F4F89A71FE1DFF20E1CE3BDCD9CA12CA6FC9713BF36424DF276957ACAAC33B427D94455F4CF2D1F624FDBF92CCF
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8"?>.<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">.<plist version="1.0">.<array>..<dict>...<key>date</key>...<date>2019-07-01T11:46:14Z</date>...<key>displayName</key>...<string>SU_TITLE</string>...<key>displayVersion</key>...<string></string>...<key>packageIdentifiers</key>...<array>....<string>com.apple.pkg.Core</string>....<string>com.apple.pkg.EmbeddedOSFirmware</string>....<string>com.apple.pkg.SecureBoot</string>...</array>...<key>processName</key>...<string>macOS Installer</string>..</dict>..<dict>...<key>date</key>...<date>2019-07-01T13:09:51Z</date>...<key>displayName</key>...<string>SU_TITLE</string>...<key>displayVersion</key>...<string></string>...<key>packageIdentifiers</key>...<array>....<string>com.apple.pkg.Core</string>....<string>com.apple.pkg.EmbeddedOSFirmware</string>....<string>com.apple.pkg.SecureBoot</string>...</array>...<key>processName</key>...<string>macOS Installer</s

Process:	/usr/bin/tar
File Type:	ASCII text
Category:	dropped
Size (bytes):	1116
Entropy (8bit):	5.081922599985454
Encrypted:	false
SSDEEP:	24:b9rmJHHH0yN3gtsHw1hC09QHOsUv4eOk4/+/m3oqLFh:b9aJHlxE3dQHOs5exm3ogFh
MD5:	9FC642FF452B28D62AB19B7EEA50DFB9
SHA1:	28D4EA6C2F895F6CE371AEE5A98B6C9C40105B3A
SHA-256:	CFC21F5E8BD655AE997EEC916138B707B1D290B83272C02A95C9F821B8C87310
SHA-512:	27F511FEFEA2390347BB7EA63F7795A26780AD43ECA80D717C92C70A434D28FDF136C4B902750B52813ED9CF0D3C51AF206062323A0496459461D985A34AC5C7
Malicious:	false
Preview:	The MIT License (MIT)..Copyright (c) .NET Foundation and Contributors..All rights reserved...Permission is hereby granted, free of charge, to any person obtaining a copy.of this software and associated documentation files (the "Software"), to deal.in the Software without restriction, including without limitation the rights.to use, copy, modify, merge, publish, distribute, sublicense, and/or sell.copies of the Software, and to permit persons to whom the Software is.furnished to do so, subject to the following conditions:..The above copyright notice and this permission notice shall be included in all.copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR.IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,.FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE.AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER.LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT

Process:	/usr/bin/curl
File Type:	gzip compressed data, was "dotnet-runtime-8.0.14-osx-x64.tar", last modified: Fri Feb 14 06:59:32 2025, max compression, original size modulo 2^32 72171520
Category:	dropped
Size (bytes):	30721387
Entropy (8bit):	7.996705576569949
Encrypted:	true
SSDEEP:	786432:jVOR4Mc4NEVadXBpPMjjCAPl7afu4S6cIL5PHDEm1x+:0CMc4NIuEe24uItPHY3
MD5:	01E2C1AF269617B53E52B74C9DD2F5D4
SHA1:	A0E956F5BE52895A41864C900725DCD7D43AEDE9
SHA-256:	A57719F0999C94E0EF62A043B1EEF495F2E263F2A2502EF25294B4C94FB42E6F
SHA-512:	110DDC273596770B1E638A7B2464B49C6ABE9BBCC1241E4447C949BA1D9AFE01E9564D9DE7485281B5DE2C6C22746D6156D2193332B8D212BFFA42DBBA54E831
Malicious:	false
Preview:	......g..dotnet-runtime-8.0.14-osx-x64.tar...\|.W.(..i.....[J.P.Me...n.6.,[J.Gm..+.cid......48..zo..K...R...[....i...4m..BS....t.R..[..%......H._.....K3s.<...}..vUo.v.e),+...a..kjj......]g.w....j.......Z1.E............W.`+}.!.W..o.....k.w......Y...uk.jj..kq.....k......\...E"..._..%.o...uk...;....^_{....N#.o......Z.7...{.<w..k..5o.......~Yl...hHN..X.....M..+.~M..U..v_....aI.&......dBS....TTA..b".WEEVeeP....SV.QU.W.../+r..H.M.;.".b2"..%.Ov.Z....dE......MD.}.$..7......5..$E.^H...E%.O.'Cz\Nh...hLV..............RL.&D\|f<...Z.R..0.......PL.c...h<.[.....TWa..O..O.....iX.zo,..;.pTe....$.;q..IET.XL....o.k.wT..>...8.T.3...$...]I@.2..N...[.w.x$..%.ph.d"....W.......i,...I.....0..U.H.`.{e.0h..+Y..`..ZT...I....&`L..'vw..l.t..@....qm...,..t.....-.....#B..O{..bG..i.^..hov...:.\|..bG..h...\|p/...nm........@..`9T..!b......+k.uy.p.....z.w.-..v....K.....wk..%vn.....A..Pm{....Z...{\...}..........................l...M>.gS...Ay..@.Sl..yZ}.V...%`1.;q....=

Process:	/System/Library/CoreServices/Installer.app/Contents/MacOS/Installer
File Type:	Mac OS X Keychain File
Category:	dropped
Size (bytes):	48908
Entropy (8bit):	3.533814637805397
Encrypted:	false
SSDEEP:	384:xSMdGleGkIG7FF3theSMVXBD0tgcNrGB5pBfbouR6/chQOnGqwc2U+v+h/:8MdGleOhpBouRwchQOnGqwc2U+v+h/
MD5:	0E4A0D1CEB2AF6F0F8D0167CE77BE2D3
SHA1:	414BA4C1DC5FC8BF53D550E296FD6F5AD669918C
SHA-256:	CCA093BCFC65E25DD77C849866E110DF72526DFFBE29D76E11E29C7D888A4030
SHA-512:	1DC5282D27C49A4B6F921BA5DFC88B8C1D32289DF00DD866F9AC6669A5A8D99AFEDA614BFFC7CF61A44375AE73E09CD52606B443B63636977C9CD2EF4FA68A20
Malicious:	false
Preview:	kych...........................`...X...p..S0..SX..Th..T...T...[...^h...........L...X...............T...........d...................t...............t...........<...............P...........0...........$...p...........l...........X.......@.......................!...%........CSSM_DL_DB_SCHEMA_INFO.....D.......................!...%........CSSM_DL_DB_SCHEMA_ATTRIBUTES...D.......................!...%........CSSM_DL_DB_SCHEMA_INDEXES......H.......................!...%....... CSSM_DL_DB_SCHEMA_PARSING_MODULE...D.......................!...%@.......MDS_CDSADIR_CSSM_RECORDTYPE....D.......................!...%@.......MDS_CDSADIR_KRMM_RECORDTYPE....D.......................!...%@.......MDS_CDSADIR_EMM_RECORDTYPE.....L.......................!...%@......"MDS_CDSADIR_EMM_PRIMARY_RECORDTYPE.....H.......................!...%@.......MDS_CDSADIR_COMMON_RECORDTYPE......L.......................!...%@......"MDS_CDSADIR_CSP_PRIMARY_RECORDTYPE.....P.......................!...%@......%MDS_CDSADIR_CSP_CAPABILITY_R

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

macOS Analysis Report AteraAgent_xzZFJv3k-005lqqFBKy66Ehl79dMF+xnAE9HV0nREpQ=_Production_2_.pkg

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

Compliance

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Persistence and Installation Behavior

Boot Survival

Malware Analysis System Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/ThirdPartyNotices.txt

/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/host/fxr/8.0.14/libhostfxr.dylib

/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/.version

/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/Microsoft.CSharp.dll

/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/Microsoft.NETCore.App.deps.json

/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/Microsoft.NETCore.App.runtimeconfig.json

/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/Microsoft.VisualBasic.Core.dll

/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/Microsoft.VisualBasic.dll

/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/Microsoft.Win32.Primitives.dll

/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/Microsoft.Win32.Registry.dll

/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.AppContext.dll

/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Buffers.dll

/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Collections.Concurrent.dll

/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Collections.Immutable.dll

/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Collections.NonGeneric.dll

/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Collections.Specialized.dll

/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Collections.dll

/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.ComponentModel.Annotations.dll

/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.ComponentModel.DataAnnotations.dll

/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.ComponentModel.EventBasedAsync.dll

/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.ComponentModel.Primitives.dll

/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.ComponentModel.TypeConverter.dll

/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.ComponentModel.dll

/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Configuration.dll

/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Console.dll

/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Core.dll

/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Data.Common.dll

/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Data.DataSetExtensions.dll

/Library/Application Support/com.atera.ateraagent/Agent/.dotnet/shared/Microsoft.NETCore.App/8.0.14/System.Data.dll

macOS Analysis Report
AteraAgent_xzZFJv3k-005lqqFBKy66Ehl79dMF+xnAE9HV0nREpQ=_Production_2_.pkg