Edit tour

macOS Analysis Report
CorelDRAW

Overview

General Information

Sample Name:	CorelDRAW
Analysis ID:	1797574
MD5:	23699799f496b8e872d05f19d2b397f8
SHA1:	fe3a3e65b86d2b07654f9a6104c8cb392c88b7e8
SHA256:	2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f
Infos:

Detection

GIMMICK

Score:	64
Range:	0 - 100
Whitelisted:	false

Signatures

Yara detected GIMMICK

Writes Mach-O files to untypical directories

Process deletes its process image on disk

Moves itself during installation or deletes itself after installation

Creates system-wide 'launchd' managed services aka launch daemons based on hidden files

Contains symbols with suspicious names likely related to encryption

Reads the sysctl hardware model value (might be used for detecting VM presence)

Sample is code signed by an ad-hoc signature

Contains symbols with suspicious names likely related to networking

Explicitly unloads, stops, and/or removes launch services

Reads the systems hostname

Creates system-wide 'launchd' managed services aka launch daemons

Executes the "grep" command used to find patterns in files or piped streams

Executes the "ps" command used to list the status of processes

Mach-O sample file contains an ARM64 binary that executes on Apple Silicon

Contains symbols with suspicious names likely related to well-known browsers

Sample is a FAT Mach-O sample containing binaries for multiple architectures

Creates memory-persistent launch services

Explicitly loads/starts launch services

Creates launch services that start periodically

Uses CFNetwork bundle containing interfaces for network communication (HTTP, sockets, and Bonjour)

Changes permissions of written Mach-O files

Executes commands using a shell command-line interpreter

Writes FAT Mach-O files to disk

Classification

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	1797574
Start date and time:	2022-03-28 12:12:09 +02:00
Joe Sandbox Product:	Cloud
Overall analysis duration:	0h 3m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	CorelDRAW
Cookbook file name:	defaultmacfilecookbook.jbs
Analysis system description:	Mac Mini, Big Sur (Office 2019 16.55, Java 1.8.0_311)
Run name:	Potential for more IOCs and behavior
Analysis Mode:	default
Detection:	MAL
Classification:	mal64.troj.evad.mac@0/14@2/0

Warnings

Excluded IPs from analysis (whitelisted): 172.217.168.74, 172.217.168.67
Excluded domains from analysis (whitelisted): oauth2.googleapis.com, ocsp.pki.goog

Runtime Messages

Command:	/Users/drew/Desktop/CorelDRAW
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:
Standard Error:	/Library/LaunchDaemons/com.CorelDRAW.va.plist: Could not find specified service Unload failed: 113: Could not find specified service

Process Tree

System is mac-bigsur

mono-sgen64 New Fork (PID: 1612, Parent: 1569)

CorelDRAW (MD5: 23699799f496b8e872d05f19d2b397f8) Arguments: /Users/drew/Desktop/CorelDRAW

sh New Fork (PID: 1613, Parent: 1612)

bash (MD5: c1edb59ec6a40884fc3c4e201d31b1d5) Arguments: sh -c ps -ef |grep CorelDRAW |grep -v /Users/drew/Desktop/CorelDRAW |grep -v 'CorelDRAW\s*Graphics\s*Suite' |awk '{print $2}' |xargs kill -9

bash New Fork (PID: 1614, Parent: 1613)

ps (MD5: 5441fc94a247a54e76339a9e5b8c2b45) Arguments: ps -ef

bash New Fork (PID: 1615, Parent: 1613)

grep (MD5: 501a6e2ee4b55292be9321ece0fa2a93) Arguments: grep CorelDRAW

bash New Fork (PID: 1616, Parent: 1613)

grep (MD5: 501a6e2ee4b55292be9321ece0fa2a93) Arguments: grep -v /Users/drew/Desktop/CorelDRAW

bash New Fork (PID: 1617, Parent: 1613)

grep (MD5: 501a6e2ee4b55292be9321ece0fa2a93) Arguments: grep -v CorelDRAW\s*Graphics\s*Suite

bash New Fork (PID: 1618, Parent: 1613)

awk (MD5: 1780ae04585c36f7b86aaec7523fceb6) Arguments: awk {print $2}

bash New Fork (PID: 1619, Parent: 1613)

xargs (MD5: e5109f0c83efadc46f840033d8c89901) Arguments: xargs kill -9

sh New Fork (PID: 1620, Parent: 1612)

bash (MD5: c1edb59ec6a40884fc3c4e201d31b1d5) Arguments: sh -c ps -ef |grep CorelDRAW |grep -v /Users/drew/Desktop/CorelDRAW |grep -v 'CorelDRAW\s*Graphics\s*Suite' |awk '{print $2}' |xargs kill -9

bash New Fork (PID: 1621, Parent: 1620)

ps (MD5: 5441fc94a247a54e76339a9e5b8c2b45) Arguments: ps -ef

bash New Fork (PID: 1622, Parent: 1620)

grep (MD5: 501a6e2ee4b55292be9321ece0fa2a93) Arguments: grep CorelDRAW

bash New Fork (PID: 1623, Parent: 1620)

grep (MD5: 501a6e2ee4b55292be9321ece0fa2a93) Arguments: grep -v /Users/drew/Desktop/CorelDRAW

bash New Fork (PID: 1624, Parent: 1620)

grep (MD5: 501a6e2ee4b55292be9321ece0fa2a93) Arguments: grep -v CorelDRAW\s*Graphics\s*Suite

bash New Fork (PID: 1625, Parent: 1620)

awk (MD5: 1780ae04585c36f7b86aaec7523fceb6) Arguments: awk {print $2}

bash New Fork (PID: 1626, Parent: 1620)

xargs (MD5: e5109f0c83efadc46f840033d8c89901) Arguments: xargs kill -9

sh New Fork (PID: 1627, Parent: 1612)

bash (MD5: c1edb59ec6a40884fc3c4e201d31b1d5) Arguments: sh -c cp /Users/drew/Desktop/CorelDRAW /var/root/Library/Preferences/CorelDRAW/CorelDRAW

cp (MD5: 9007c6e0352122c17fbcea99739b716e) Arguments: cp /Users/drew/Desktop/CorelDRAW /var/root/Library/Preferences/CorelDRAW/CorelDRAW

sh New Fork (PID: 1628, Parent: 1612)

bash (MD5: c1edb59ec6a40884fc3c4e201d31b1d5) Arguments: sh -c launchctl unload -w /Library/LaunchDaemons/com.CorelDRAW.va.plist

launchctl (MD5: a9ce661111e6db7d90923d46f790e5c7) Arguments: launchctl unload -w /Library/LaunchDaemons/com.CorelDRAW.va.plist

sh New Fork (PID: 1629, Parent: 1612)

bash (MD5: c1edb59ec6a40884fc3c4e201d31b1d5) Arguments: sh -c launchctl load -w /Library/LaunchDaemons/com.CorelDRAW.va.plist

launchctl (MD5: a9ce661111e6db7d90923d46f790e5c7) Arguments: launchctl load -w /Library/LaunchDaemons/com.CorelDRAW.va.plist

xpcproxy New Fork (PID: 1630, Parent: 1)

CorelDRAW (MD5: 23699799f496b8e872d05f19d2b397f8) Arguments: /var/root/Library/Preferences/CorelDRAW/CorelDRAW

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
CorelDRAW	JoeSecurity_GIMMICK	Yara detected GIMMICK	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
/private/var/root/Library/Preferences/CorelDRAW/CorelDRAW	JoeSecurity_GIMMICK	Yara detected GIMMICK	Joe Security

Memory Dumps

Source	Rule	Description	Author
00001612.00000367.1.00000001023ae000.00000001023ea000.r-x.sdmp	JoeSecurity_GIMMICK	Yara detected GIMMICK	Joe Security
00001612.00000367.9.00000001023ae000.00000001023ea000.r-x.sdmp	JoeSecurity_GIMMICK	Yara detected GIMMICK	Joe Security
Process Memory Space: CorelDRAW PID: 1612	JoeSecurity_GIMMICK	Yara detected GIMMICK	Joe Security

Source: submission

Source: /bin/bash (PID: 1629)

Launch agent/daemon loaded: launchctl load -w /Library/LaunchDaemons/com.CorelDRAW.va.plist

Jump to behavior

Source: /Users/drew/Desktop/CorelDRAW (PID: 1612)

Launch agent/daemon created with StartInterval and/or StartCalendarInterval, file moved: /Library/LaunchDaemons/.dat.nosync064c.oZUVM0 -> /Library/LaunchDaemons/com.CorelDRAW.va.plist

Jump to behavior

Source: /Users/drew/Desktop/CorelDRAW (PID: 1612)	CFNetwork info plist opened: /System/Library/Frameworks/CFNetwork.framework/Resources/Info.plist			Jump to behavior
Source: /var/root/Library/Preferences/CorelDRAW/CorelDRAW (PID: 1630)	CFNetwork info plist opened: /System/Library/Frameworks/CFNetwork.framework/Resources/Info.plist			Jump to behavior

Source: /bin/cp (PID: 1627)

Permissions modified for written FAT Mach-O /private/var/root/Library/Preferences/CorelDRAW/CorelDRAW: bits: - usr: rx grp: rx all: rwx

Jump to dropped file

Source: /Users/drew/Desktop/CorelDRAW (PID: 1612)	Shell command executed: sh -c ps -ef \|grep CorelDRAW \|grep -v /Users/drew/Desktop/CorelDRAW \|grep -v 'CorelDRAW\sGraphics\sSuite' \|awk '{print $2}' \|xargs kill -9	Jump to behavior
Source: /Users/drew/Desktop/CorelDRAW (PID: 1612)	Shell command executed: sh -c cp /Users/drew/Desktop/CorelDRAW /var/root/Library/Preferences/CorelDRAW/CorelDRAW	Jump to behavior
Source: /Users/drew/Desktop/CorelDRAW (PID: 1612)	Shell command executed: sh -c launchctl unload -w /Library/LaunchDaemons/com.CorelDRAW.va.plist	Jump to behavior
Source: /Users/drew/Desktop/CorelDRAW (PID: 1612)	Shell command executed: sh -c launchctl load -w /Library/LaunchDaemons/com.CorelDRAW.va.plist	Jump to behavior
Source: /bin/sh (PID: 1613)	Shell command executed: sh -c ps -ef \|grep CorelDRAW \|grep -v /Users/drew/Desktop/CorelDRAW \|grep -v 'CorelDRAW\sGraphics\sSuite' \|awk '{print $2}' \|xargs kill -9	Jump to behavior
Source: /bin/sh (PID: 1620)	Shell command executed: sh -c ps -ef \|grep CorelDRAW \|grep -v /Users/drew/Desktop/CorelDRAW \|grep -v 'CorelDRAW\sGraphics\sSuite' \|awk '{print $2}' \|xargs kill -9	Jump to behavior
Source: /bin/sh (PID: 1627)	Shell command executed: sh -c cp /Users/drew/Desktop/CorelDRAW /var/root/Library/Preferences/CorelDRAW/CorelDRAW	Jump to behavior
Source: /bin/sh (PID: 1628)	Shell command executed: sh -c launchctl unload -w /Library/LaunchDaemons/com.CorelDRAW.va.plist	Jump to behavior
Source: /bin/sh (PID: 1629)	Shell command executed: sh -c launchctl load -w /Library/LaunchDaemons/com.CorelDRAW.va.plist	Jump to behavior

Source: /bin/cp (PID: 1627)

File written: /private/var/root/Library/Preferences/CorelDRAW/CorelDRAW

Jump to dropped file

Source: submission	Mach-O header: dylib_command -> /System/Library/Frameworks/Security.framework/Versions/A/Security
Source: submission	Mach-O header: dylib_command -> /System/Library/Frameworks/Security.framework/Versions/A/Security
Source: submission	Mach-O header: dylib_command -> /System/Library/Frameworks/Security.framework/Versions/A/Security
Source: submission	Mach-O header: dylib_command -> /System/Library/Frameworks/Security.framework/Versions/A/Security

Source: submission: CorelDRAW	Mach-O header: dylib_command -> /System/Library/Frameworks/AppKit.framework/Versions/C/AppKit
Source: submission: CorelDRAW	Mach-O header: dylib_command -> /System/Library/Frameworks/AppKit.framework/Versions/C/AppKit
Source: dropped file: CorelDRAW	Mach-O header: dylib_command -> /System/Library/Frameworks/AppKit.framework/Versions/C/AppKit
Source: dropped file: CorelDRAW	Mach-O header: dylib_command -> /System/Library/Frameworks/AppKit.framework/Versions/C/AppKit

Source: /bin/bash (PID: 1618)	Awk executable: /usr/bin/awk -> awk {print $2}			Jump to behavior
Source: /bin/bash (PID: 1625)	Awk executable: /usr/bin/awk -> awk {print $2}			Jump to behavior

Source: /Users/drew/Desktop/CorelDRAW (PID: 1612)

XML plist file created: /Library/LaunchDaemons/.dat.nosync064c.oZUVM0

Jump to dropped file

Source: initial sample	Mach-O header: dylib_command -> /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit
Source: initial sample	Mach-O header: dylib_command -> /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit
Source: initial sample	Mach-O header: dylib_command -> /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit
Source: initial sample	Mach-O header: dylib_command -> /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit

Source: submission: CorelDRAW	Mach-O header: dylib_command -> /System/Library/Frameworks/SystemConfiguration.framework/Versions/A/SystemConfiguration
Source: submission: CorelDRAW	Mach-O header: dylib_command -> /System/Library/Frameworks/SystemConfiguration.framework/Versions/A/SystemConfiguration
Source: dropped file: CorelDRAW	Mach-O header: dylib_command -> /System/Library/Frameworks/SystemConfiguration.framework/Versions/A/SystemConfiguration
Source: dropped file: CorelDRAW	Mach-O header: dylib_command -> /System/Library/Frameworks/SystemConfiguration.framework/Versions/A/SystemConfiguration

Source: /var/root/Library/Preferences/CorelDRAW/CorelDRAW (PID: 1630)

Random device file read: /dev/urandom

Jump to behavior

Source: submitted sample

Stderr: /Library/LaunchDaemons/com.CorelDRAW.va.plist: Could not find specified serviceUnload failed: 113: Could not find specified service: exit code = 0

Source: submission

CodeSign Info: Executable=/Users/drew/Desktop/CorelDRAW

Boot Survival

Creates system-wide 'launchd' managed services aka launch daemons based on hidden files

Source: /Users/drew/Desktop/CorelDRAW (PID: 1612)

Launch daemon created from hidden file: /Library/LaunchDaemons/.dat.nosync064c.oZUVM0 -> /Library/LaunchDaemons/com.CorelDRAW.va.plist

Jump to behavior

Source: /Users/drew/Desktop/CorelDRAW (PID: 1612)

Launch daemon created File moved: /Library/LaunchDaemons/.dat.nosync064c.oZUVM0 -> /Library/LaunchDaemons/com.CorelDRAW.va.plist

Jump to behavior

Source: /Users/drew/Desktop/CorelDRAW (PID: 1612)

Launch agent/daemon created with KeepAlive and/or RunAtLoad, file moved: /Library/LaunchDaemons/.dat.nosync064c.oZUVM0 -> /Library/LaunchDaemons/com.CorelDRAW.va.plist

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Moves itself during installation or deletes itself after installation

Source: /Users/drew/Desktop/CorelDRAW (PID: 1612)

File deleted: /Users/drew/Desktop/CorelDRAW

Jump to behavior

Source: /var/root/Library/Preferences/CorelDRAW/CorelDRAW (PID: 1630)

Sysctl read request: hw.model (6.2)

Jump to behavior

Source: CorelDRAW, 00001612.00000367.9.000000010245e000.0000000102467000.r--.sdmp	Binary or memory string: framework.vmnet
Source: CorelDRAW, 00001612.00000367.9.000000010245e000.0000000102467000.r--.sdmp	Binary or memory string: framework.vmnet$

Source: /bin/bash (PID: 1613)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/bash (PID: 1620)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/bash (PID: 1627)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/bash (PID: 1628)	Sysctl requested: kern.hostname (1.10)	Jump to behavior
Source: /bin/bash (PID: 1629)	Sysctl requested: kern.hostname (1.10)	Jump to behavior

Source: /var/root/Library/Preferences/CorelDRAW/CorelDRAW (PID: 1630)

System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist

Jump to behavior

Stealing of Sensitive Information

Yara detected GIMMICK

Source: Yara match	File source: CorelDRAW, type: SAMPLE
Source: Yara match	File source: 00001612.00000367.1.00000001023ae000.00000001023ea000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 00001612.00000367.9.00000001023ae000.00000001023ea000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CorelDRAW PID: 1612, type: MEMORYSTR
Source: Yara match	File source: /private/var/root/Library/Preferences/CorelDRAW/CorelDRAW, type: DROPPED

Remote Access Functionality

Yara detected GIMMICK

Source: Yara match	File source: CorelDRAW, type: SAMPLE
Source: Yara match	File source: 00001612.00000367.1.00000001023ae000.00000001023ea000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 00001612.00000367.9.00000001023ae000.00000001023ea000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CorelDRAW PID: 1612, type: MEMORYSTR
Source: Yara match	File source: /private/var/root/Library/Preferences/CorelDRAW/CorelDRAW, type: DROPPED

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Command and Scripting Interpreter	1 LC_LOAD_DYLIB Addition	1 LC_LOAD_DYLIB Addition	1 Masquerading	1 GUI Input Capture	11 Security Software Discovery	Remote Services	1 GUI Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Scripting	3 Launch Agent	3 Launch Agent	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	1 Launchctl	14 Launch Daemon	14 Launch Daemon	1 Scripting	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	1 Plist Modification	1 Plist Modification	1 Hidden Files and Directories	NTDS	1 System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	11 Invalid Code Signature	LSA Secrets	21 System Information Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	11 Code Signing	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	2 File Deletion	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Shell
Is malicious
Internet

Name	IP	Active	Malicious	Antivirus Detection	Reputation
pki-goog.l.google.com	172.217.168.67	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://cgi1.apnic.net/cgi-bin/my-ip.php	CorelDRAW.398.dr	false		high

Samplename	Analysis ID	SHA256	Similarity

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
pki-goog.l.google.com	WalkmeAllInOneInstaller_mac_firefox_safari.pkg	Get hash	malicious	Browse	172.217.168.67
	https://l.wl.co/l?u=https://abre.ai/eeN1?userid=GKywgnP7	Get hash	malicious	Browse	172.217.168.67
	WalkmeAllInOneInstaller_mac_firefox_safari.pkg	Get hash	malicious	Browse	142.250.186.163
	218.exe	Get hash	malicious	Browse	172.217.168.35
	103.dll	Get hash	malicious	Browse	172.217.168.35
	7zx.dmg	Get hash	malicious	Browse	142.250.185.67
	ntfsformac.dmg	Get hash	malicious	Browse	142.250.185.99

Process:	/Users/drew/Desktop/CorelDRAW
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	582
Entropy (8bit):	5.131006203834412
Encrypted:	false
SSDEEP:	6:TMVBd/4o+tJCc4EyfdUdBRECcgVvMVX/C1iXnvT+M6AGJav9svEq7EgJ1AYj6RA7:TMHdgo+tJVEdQiCXFM560vPV6EuC/kn
MD5:	93B1FBA1725A0553AE1C33B7E9F507D3
SHA1:	4EAEF620D7C09BAAFA96D6EE7D40CC5C8925FE23
SHA-256:	3FFF484073E2DCB8E724BB6527BCEA19AFEB9408BC179B358B299E369B7B0937
SHA-512:	5D3A52B8B513354409FC1793D89B3CC51863CDCE732A06F3A01C66944DB4832ACB4C9E6DFFC30FF05CB6FB5CA438326BDFF5149ECCC10BE8A8ADB57A728AFF24
Malicious:	true
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8"?>.<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">.<plist version="1.0">.<dict>..<key>Label</key>..<string>com.CorelDRAW.va.plist</string>..<key>ProgramArguments</key>..<array>...<string>/var/root/Library/Preferences/CorelDRAW/CorelDRAW</string>..</array>..<key>RunAtLoad</key>..<true/>..<key>StartInterval</key>..<integer>30</integer>..<key>ThrottleInterval</key>..<integer>2</integer>..<key>WorkingDirectory</key>..<string>/var/root/Library/Preferences/CorelDRAW</string>.</dict>.</plist>.

/private/var/root/Library/Preferences/CorelDRAW/CorelDRAW

Download File

Process:	/bin/cp
File Type:	Mach-O universal binary with 2 architectures: [x86_64:Mach-O 64-bit x86_64 executable, flags:<NOUNDEFS\|DYLDLINK\|TWOLEVEL\|BINDS_TO_WEAK\|PIE>] [arm64:Mach-O 64-bit arm64 executable, flags:<NOUNDEFS\|DYLDLINK\|TWOLEVEL\|BINDS_TO_WEAK\|PIE>]
Category:	dropped
Size (bytes):	730896
Entropy (8bit):	5.80386227119502
Encrypted:	false
SSDEEP:	6144:0RDkTCDC628O+i5Npv56/SfQ7WXIRPeTqiKjBAaIeuLkN04b1Z2O/a0csN2oGA8s:q5o657MOPhKCuo64b//nPpA/OGg2Y5
MD5:	23699799F496B8E872D05F19D2B397F8
SHA1:	FE3A3E65B86D2B07654F9A6104C8CB392C88B7E8
SHA-256:	2A9296AC999E78F6C0BEE8ACA8BFA4D4638AA30D9C8CCC65124B1CBFC9CAAB5F
SHA-512:	F347C47AFE06ED7EF2A71B7E40AC0103F4F33E26250661173775B349BBA7452EA458E5D4137A57B34801556959BCA14093A9F693D59C147061F63F2B78614288
Malicious:	true
Yara Hits:	Rule: JoeSecurity_GIMMICK, Description: Yara detected GIMMICK, Source: /private/var/root/Library/Preferences/CorelDRAW/CorelDRAW, Author: Joe Security
Reputation:	low
Preview:	..................@...h...................g.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

/private/var/root/Library/Preferences/CorelDRAW/MGD/tmp/.dat.nosync065e.22ra9E

Download File

Process:	/var/root/Library/Preferences/CorelDRAW/CorelDRAW
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	37
Entropy (8bit):	3.719739433770471
Encrypted:	false
SSDEEP:	3:K9S7IkZnAUX:K9SM8AUX
MD5:	8CA9A1D07D3ADD7CB574C0FFE89AE580
SHA1:	2E8232F8238564D4A803603EF768BE7771FCC504
SHA-256:	CBD9437B6DCDDB06AE0E9193DAC3934235EDC0054E645603609EFCA0AE6C205E
SHA-512:	1F222FAB485F89E833A4E263881768170F1987D1256A82F59CF5F9F831ABF1C8540526A9447CD5885AF674A937E96BC0929C8C5EAF593B9DAE7FD88AC3AA7F7D
Malicious:	false
Reputation:	low
Preview:	/4A29D748-478D-5918-9B3E-821BD949E362

/private/var/root/Library/Preferences/CorelDRAW/MGD/tmp/.dat.nosync065e.8I2nhj

Download File

Process:	/var/root/Library/Preferences/CorelDRAW/CorelDRAW
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	37
Entropy (8bit):	3.719739433770471
Encrypted:	false
SSDEEP:	3:K9S7IkZnAUX:K9SM8AUX
MD5:	8CA9A1D07D3ADD7CB574C0FFE89AE580
SHA1:	2E8232F8238564D4A803603EF768BE7771FCC504
SHA-256:	CBD9437B6DCDDB06AE0E9193DAC3934235EDC0054E645603609EFCA0AE6C205E
SHA-512:	1F222FAB485F89E833A4E263881768170F1987D1256A82F59CF5F9F831ABF1C8540526A9447CD5885AF674A937E96BC0929C8C5EAF593B9DAE7FD88AC3AA7F7D
Malicious:	false
Reputation:	low
Preview:	/4A29D748-478D-5918-9B3E-821BD949E362

/private/var/root/Library/Preferences/CorelDRAW/MGD/tmp/.dat.nosync065e.ByPN6V

Download File

Process:	/var/root/Library/Preferences/CorelDRAW/CorelDRAW
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	37
Entropy (8bit):	3.719739433770471
Encrypted:	false
SSDEEP:	3:K9S7IkZnAUX:K9SM8AUX
MD5:	8CA9A1D07D3ADD7CB574C0FFE89AE580
SHA1:	2E8232F8238564D4A803603EF768BE7771FCC504
SHA-256:	CBD9437B6DCDDB06AE0E9193DAC3934235EDC0054E645603609EFCA0AE6C205E
SHA-512:	1F222FAB485F89E833A4E263881768170F1987D1256A82F59CF5F9F831ABF1C8540526A9447CD5885AF674A937E96BC0929C8C5EAF593B9DAE7FD88AC3AA7F7D
Malicious:	false
Reputation:	low
Preview:	/4A29D748-478D-5918-9B3E-821BD949E362

/private/var/root/Library/Preferences/CorelDRAW/MGD/tmp/.dat.nosync065e.DKSotK

Download File

Process:	/var/root/Library/Preferences/CorelDRAW/CorelDRAW
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	37
Entropy (8bit):	3.719739433770471
Encrypted:	false
SSDEEP:	3:K9S7IkZnAUX:K9SM8AUX
MD5:	8CA9A1D07D3ADD7CB574C0FFE89AE580
SHA1:	2E8232F8238564D4A803603EF768BE7771FCC504
SHA-256:	CBD9437B6DCDDB06AE0E9193DAC3934235EDC0054E645603609EFCA0AE6C205E
SHA-512:	1F222FAB485F89E833A4E263881768170F1987D1256A82F59CF5F9F831ABF1C8540526A9447CD5885AF674A937E96BC0929C8C5EAF593B9DAE7FD88AC3AA7F7D
Malicious:	false
Reputation:	low
Preview:	/4A29D748-478D-5918-9B3E-821BD949E362

/private/var/root/Library/Preferences/CorelDRAW/MGD/tmp/.dat.nosync065e.FOUaKL

Download File

Process:	/var/root/Library/Preferences/CorelDRAW/CorelDRAW
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	37
Entropy (8bit):	3.719739433770471
Encrypted:	false
SSDEEP:	3:K9S7IkZnAUX:K9SM8AUX
MD5:	8CA9A1D07D3ADD7CB574C0FFE89AE580
SHA1:	2E8232F8238564D4A803603EF768BE7771FCC504
SHA-256:	CBD9437B6DCDDB06AE0E9193DAC3934235EDC0054E645603609EFCA0AE6C205E
SHA-512:	1F222FAB485F89E833A4E263881768170F1987D1256A82F59CF5F9F831ABF1C8540526A9447CD5885AF674A937E96BC0929C8C5EAF593B9DAE7FD88AC3AA7F7D
Malicious:	false
Reputation:	low
Preview:	/4A29D748-478D-5918-9B3E-821BD949E362

/private/var/root/Library/Preferences/CorelDRAW/MGD/tmp/.dat.nosync065e.G7960P

Download File

Process:	/var/root/Library/Preferences/CorelDRAW/CorelDRAW
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	37
Entropy (8bit):	3.719739433770471
Encrypted:	false
SSDEEP:	3:K9S7IkZnAUX:K9SM8AUX
MD5:	8CA9A1D07D3ADD7CB574C0FFE89AE580
SHA1:	2E8232F8238564D4A803603EF768BE7771FCC504
SHA-256:	CBD9437B6DCDDB06AE0E9193DAC3934235EDC0054E645603609EFCA0AE6C205E
SHA-512:	1F222FAB485F89E833A4E263881768170F1987D1256A82F59CF5F9F831ABF1C8540526A9447CD5885AF674A937E96BC0929C8C5EAF593B9DAE7FD88AC3AA7F7D
Malicious:	false
Reputation:	low
Preview:	/4A29D748-478D-5918-9B3E-821BD949E362

/private/var/root/Library/Preferences/CorelDRAW/MGD/tmp/.dat.nosync065e.Rg1nyJ

Download File

Process:	/var/root/Library/Preferences/CorelDRAW/CorelDRAW
File Type:	data
Category:	dropped
Size (bytes):	576
Entropy (8bit):	7.663922691714716
Encrypted:	false
SSDEEP:	12:M54V1Uirejq+im9KO11fYPOl+0+vbf9fDqtvpAgWfabNFN+Bk6soqDZaJYJsD:71bK2+RKa1fYP4+0+zf9fDWvpWIzNZ6r
MD5:	20134EBEA260D8147E0973D909C5EC76
SHA1:	F5F3AF403C8490A928917B96D027D00BF531A2D1
SHA-256:	227DC0ED1D597D9346FA0F2879D3107A85DC56B6F1E072F2D7D6848B7061E169
SHA-512:	B9041FA31FC5FE6E96A48FCED220C6EB124ECCAAF31D51947BC9B62E341BDBE3B8DB83EC34EB2D4B2328740A27F3DE7D38A154569293D4D5D32E151BD11B8D91
Malicious:	false
Reputation:	low
Preview:	g.j..........O../.xQ.t .46#6S!.]..t@.L...ZZ.`.......F.."../.. ..m..K.[.!.N.k...?..q..0~.\|..p... u.i#....S..(.z...t........r...g...q\..jl...K.s.JL.u..?w..F_E.v87R..)G..05.;.'+..d.j#.(.:..V..#...j......V?...%...._pe.d...b.}.......C....I.O3....$6.zm0w.4..NC........hI.TW....2..=.i%..$......e..,/\|.Y]C\......n..,o..E..M..s"v..Y.w.....g..rB.Td...xZy..A.....o.Z....}.s.+...-.8.kq.[...;......-h\...1.O.@.2..RpRW.....+..<.............9.EE&..:.A._..Y.6`!.P.....L..GO..)~E.E[J..yF.Vq+ ....(.oLy.$....#J..bTT.F.q.!..y..u\.=...A^..c..f.vR....lH...55....G.b.qa.{.

/private/var/root/Library/Preferences/CorelDRAW/MGD/tmp/.dat.nosync065e.ZJYZoW

Download File

Process:	/var/root/Library/Preferences/CorelDRAW/CorelDRAW
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	37
Entropy (8bit):	3.719739433770471
Encrypted:	false
SSDEEP:	3:K9S7IkZnAUX:K9SM8AUX
MD5:	8CA9A1D07D3ADD7CB574C0FFE89AE580
SHA1:	2E8232F8238564D4A803603EF768BE7771FCC504
SHA-256:	CBD9437B6DCDDB06AE0E9193DAC3934235EDC0054E645603609EFCA0AE6C205E
SHA-512:	1F222FAB485F89E833A4E263881768170F1987D1256A82F59CF5F9F831ABF1C8540526A9447CD5885AF674A937E96BC0929C8C5EAF593B9DAE7FD88AC3AA7F7D
Malicious:	false
Reputation:	low
Preview:	/4A29D748-478D-5918-9B3E-821BD949E362

/private/var/root/Library/Preferences/CorelDRAW/MGD/tmp/.dat.nosync065e.gITfgJ

Download File

Process:	/var/root/Library/Preferences/CorelDRAW/CorelDRAW
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	37
Entropy (8bit):	3.719739433770471
Encrypted:	false
SSDEEP:	3:K9S7IkZnAUX:K9SM8AUX
MD5:	8CA9A1D07D3ADD7CB574C0FFE89AE580
SHA1:	2E8232F8238564D4A803603EF768BE7771FCC504
SHA-256:	CBD9437B6DCDDB06AE0E9193DAC3934235EDC0054E645603609EFCA0AE6C205E
SHA-512:	1F222FAB485F89E833A4E263881768170F1987D1256A82F59CF5F9F831ABF1C8540526A9447CD5885AF674A937E96BC0929C8C5EAF593B9DAE7FD88AC3AA7F7D
Malicious:	false
Reputation:	low
Preview:	/4A29D748-478D-5918-9B3E-821BD949E362

/private/var/root/Library/Preferences/CorelDRAW/MGD/tmp/.dat.nosync065e.m0dNMH

Download File

Process:	/var/root/Library/Preferences/CorelDRAW/CorelDRAW
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	37
Entropy (8bit):	3.719739433770471
Encrypted:	false
SSDEEP:	3:K9S7IkZnAUX:K9SM8AUX
MD5:	8CA9A1D07D3ADD7CB574C0FFE89AE580
SHA1:	2E8232F8238564D4A803603EF768BE7771FCC504
SHA-256:	CBD9437B6DCDDB06AE0E9193DAC3934235EDC0054E645603609EFCA0AE6C205E
SHA-512:	1F222FAB485F89E833A4E263881768170F1987D1256A82F59CF5F9F831ABF1C8540526A9447CD5885AF674A937E96BC0929C8C5EAF593B9DAE7FD88AC3AA7F7D
Malicious:	false
Reputation:	low
Preview:	/4A29D748-478D-5918-9B3E-821BD949E362

/private/var/root/Library/Preferences/CorelDRAW/MGD/tmp/.dat.nosync065e.r2Rwit

Download File

Process:	/var/root/Library/Preferences/CorelDRAW/CorelDRAW
File Type:	data
Category:	dropped
Size (bytes):	160
Entropy (8bit):	6.837492001110321
Encrypted:	false
SSDEEP:	3:OZQN+uyps0LmtuzJEg10e0C/zIcqidOE7lcaMjYrr6D/rFz6Q/3iqra7n:2QI9p3Laub1x0C/zI+dOE7bMjyr6D/RC
MD5:	21C624CBE49EE68BD5D57F7A70D24829
SHA1:	3ED80F487583C7607E72B5A71072C8E6A56C1FEF
SHA-256:	390390FFBE3E23E80B2922A11725DF064CE25AD39F7079166DEE564331CA8C0B
SHA-512:	83828EE8490A88859635C08BFC5795E81B8282F8113E62CA9D091CE84C37F384B61D3495653591E0A0912AB099175AF86DF0D8455307589960B4C5E4C8212A98
Malicious:	false
Reputation:	low
Preview:	..Id\|s>G..nh-....z......l..~...L..f..F(0....I@.)..33..Q{.6...gY.{rDa.g.=..^O.....B!T..e..F.\.]9.<........O..:...Nx..G...f.. L'....m..$....K.. q)Q&`.

/private/var/root/Library/Preferences/CorelDRAW/MGD/tmp/.dat.nosync065e.vpsM6J

Download File

Process:	/var/root/Library/Preferences/CorelDRAW/CorelDRAW
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	37
Entropy (8bit):	3.719739433770471
Encrypted:	false
SSDEEP:	3:K9S7IkZnAUX:K9SM8AUX
MD5:	8CA9A1D07D3ADD7CB574C0FFE89AE580
SHA1:	2E8232F8238564D4A803603EF768BE7771FCC504
SHA-256:	CBD9437B6DCDDB06AE0E9193DAC3934235EDC0054E645603609EFCA0AE6C205E
SHA-512:	1F222FAB485F89E833A4E263881768170F1987D1256A82F59CF5F9F831ABF1C8540526A9447CD5885AF674A937E96BC0929C8C5EAF593B9DAE7FD88AC3AA7F7D
Malicious:	false
Reputation:	low
Preview:	/4A29D748-478D-5918-9B3E-821BD949E362

Static File Info

General

File type:	Mach-O universal binary with 2 architectures: [x86_64:Mach-O 64-bit x86_64 executable, flags:<NOUNDEFS\|DYLDLINK\|TWOLEVEL\|BINDS_TO_WEAK\|PIE>] [arm64:Mach-O 64-bit arm64 executable, flags:<NOUNDEFS\|DYLDLINK\|TWOLEVEL\|BINDS_TO_WEAK\|PIE>]
Entropy (8bit):	5.80386227119502
TrID:	Java Bytecode (6004/1) 53.25% Mac OS X Universal Binary executable (4004/1) 35.51% HSC music composer song (1267/141) 11.24%
File name:	CorelDRAW
File size:	730896
MD5:	23699799f496b8e872d05f19d2b397f8
SHA1:	fe3a3e65b86d2b07654f9a6104c8cb392c88b7e8
SHA256:	2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f
SHA512:	f347c47afe06ed7ef2a71b7e40ac0103f4f33e26250661173775b349bba7452ea458e5d4137a57b34801556959bca14093a9f693d59c147061f63f2b78614288
SSDEEP:	6144:0RDkTCDC628O+i5Npv56/SfQ7WXIRPeTqiKjBAaIeuLkN04b1Z2O/a0csN2oGA8s:q5o657MOPhKCuo64b//nPpA/OGg2Y5
File Content Preview:	..................@...h...................g....................................................................................................................................................................................................................

CodeSign Information

["Executable=/Users/drew/Desktop/CorelDRAW","Identifier=mac_g-555549445cd8df8d99113f7e80441e2f666a6787","Format=Mach-O universal (x86_64 arm64)","CodeDirectory v=20400 size=2983 flags=0x2(adhoc) hashes=82+7 location=embedded","VersionPlatform=1","VersionMin=658688","VersionSDK=721152","Hash type=sha256 size=32","CandidateCDHash sha256=6302e519278381c37ef32582033b6314dcf3a0bd","CandidateCDHashFull sha256=6302e519278381c37ef32582033b6314dcf3a0bdc0ee46eb524347ce4dd19465","Hash choices=sha256","CMSDigest=6302e519278381c37ef32582033b6314dcf3a0bdc0ee46eb524347ce4dd19465","CMSDigestType=2","Executable Segment base=0","Executable Segment limit=245760","Executable Segment flags=0x1","Page size=4096","CDHash=6302e519278381c37ef32582033b6314dcf3a0bd","Signature=adhoc","Info.plist=not bound","TeamIdentifier=not set","Sealed Resources=none","Internal requirements count=0 size=12"]

Static Mach Info

General Information for header 1
Endian:	<
Size:	64-bit
Architecture:	x86_64
Filetype:	execute
Nbr. of load commands:	26
Entry point:	0x2110

segment_command_64 aggregated: 4

Name	Value
segname	__PAGEZERO
vmaddr	0x0
vmsize	0x100000000
fileoff	0x0
filesize	0x0
maxprot	0x0
initprot	0x0
nsects	0
flags	0x0

Name

Value

segname

__TEXT

vmaddr

0x100000000

vmsize

0x3C000

fileoff

0x0

filesize

0x3C000

maxprot

0x5

initprot

0x5

nsects

flags

0x0

Datas

sectname	segname	addr	size	offset	entropy	align	reloff	nreloc	flags
__text	__TEXT	0x100002110	0x2DAEA	0x2110	6.0068	0x4	0x0	0	0x80000400
__stubs	__TEXT	0x10002FBFA	0x3F0	0x2FBFA	3.5534	0x1	0x0	0	0x80000408
__stub_helper	__TEXT	0x10002FFEC	0x682	0x2FFEC	4.6998	0x2	0x0	0	0x80000400
__gcc_except_tab	__TEXT	0x100030670	0x136C	0x30670	5.7052	0x2	0x0	0	0x0
__cstring	__TEXT	0x1000319DC	0x34F0	0x319DC	5.4365	0x0	0x0	0	0x2
__objc_methname	__TEXT	0x100034ECC	0x5383	0x34ECC	4.8658	0x0	0x0	0	0x2
__const	__TEXT	0x10003A250	0xA0	0x3A250	2.2345	0x4	0x0	0	0x0
__objc_classname	__TEXT	0x10003A2F0	0x39F	0x3A2F0	4.9640	0x0	0x0	0	0x2
__objc_methtype	__TEXT	0x10003A68F	0xF8B	0x3A68F	5.1624	0x0	0x0	0	0x2
__ustring	__TEXT	0x10003B61A	0x52	0x3B61A	4.8240	0x1	0x0	0	0x0
__unwind_info	__TEXT	0x10003B66C	0x994	0x3B66C	5.9544	0x2	0x0	0	0x0

Name

Value

segname

__DATA

vmaddr

0x10003C000

vmsize

0x10000

fileoff

0x3C000

filesize

0x10000

maxprot

0x3

initprot

0x3

nsects

flags

0x0

Datas

sectname	segname	addr	size	offset	entropy	align	reloff	nreloc	flags
__nl_symbol_ptr	__DATA	0x10003C000	0x8	0x3C000	-0.0000	0x3	0x0	0	0x6
__got	__DATA	0x10003C008	0x150	0x3C008	0.1170	0x3	0x0	0	0x6
__la_symbol_ptr	__DATA	0x10003C158	0x540	0x3C158	2.8703	0x3	0x0	0	0x7
__const	__DATA	0x10003C698	0xD48	0x3C698	2.2345	0x3	0x0	0	0x0
__cfstring	__DATA	0x10003D3E0	0x20C0	0x3D3E0	1.8397	0x3	0x0	0	0x0
__objc_classlist	__DATA	0x10003F4A0	0xE8	0x3F4A0	2.9007	0x3	0x0	0	0x10000000
__objc_nlclslist	__DATA	0x10003F588	0x8	0x3F588	2.0000	0x3	0x0	0	0x10000000
__objc_catlist	__DATA	0x10003F590	0x10	0x3F590	1.9669	0x3	0x0	0	0x10000000
__objc_protolist	__DATA	0x10003F5A0	0x60	0x3F5A0	2.6039	0x3	0x0	0	0x0
__objc_imageinfo	__DATA	0x10003F600	0x8	0x3F600	0.5436	0x2	0x0	0	0x0
__objc_const	__DATA	0x10003F608	0x83A0	0x3F608	3.2948	0x3	0x0	0	0x0
__objc_selrefs	__DATA	0x1000479A8	0x15D0	0x479A8	3.5980	0x3	0x0	0	0x10000005
__objc_protorefs	__DATA	0x100048F78	0x10	0x48F78	1.8419	0x3	0x0	0	0x0
__objc_classrefs	__DATA	0x100048F88	0x220	0x48F88	1.1873	0x3	0x0	0	0x10000000
__objc_superrefs	__DATA	0x1000491A8	0xC8	0x491A8	2.8335	0x3	0x0	0	0x10000000
__objc_ivar	__DATA	0x100049270	0x4A8	0x49270	1.0868	0x3	0x0	0	0x0
__objc_data	__DATA	0x100049718	0x910	0x49718	1.4902	0x3	0x0	0	0x0
__data	__DATA	0x10004A028	0xA60	0x4A028	5.8737	0x3	0x0	0	0x0
__common	__DATA	0x10004AA90	0x30	0x0	-0.0000	0x4	0x0	0	0x1
__bss	__DATA	0x10004AAC0	0x90	0x0	-0.0000	0x3	0x0	0	0x1

Name	Value
segname	__LINKEDIT
vmaddr	0x10004C000
vmsize	0xC000
fileoff	0x4C000
filesize	0xA810
maxprot	0x1
initprot	0x1
nsects	0
flags	0x0

dyld_info_command aggregated: 1

Name	Value
rebase_off	311296
rebase_size	1432
bind_off	312728
bind_size	3304
weak_bind_off	316032
weak_bind_size	72
lazy_bind_off	316104
lazy_bind_size	4280
export_off	320384
export_size	32

symtab_command aggregated: 1

Name	Value
symoff	321696
nsyms	264
stroff	327440
strsize	5608

dysymtab_command aggregated: 1

Name	Value
ilocalsym	0
nlocalsym	1
iextdefsym	1
nextdefsym	1
iundefsym	2
nundefsym	262
tocoff	0
ntoc	0
modtaboff	0
nmodtab	0
extrefsymoff	0
nextrefsyms	0
indirectsymoff	325920
nindirectsyms	379
extreloff	0
nextrel	0
locreloff	0
nlocrel	0

dylinker_command aggregated: 1

Name

Value

name

Datas

/usr/lib/dyld

uuid_command aggregated: 1

Name	Value
uuid	b'\\\xd8\xdf\x8d\x99\x11?~\x80D\x1e/fjg\x87'

version_min_command aggregated: 1

Name	Value
version	658688
sdk	721152

source_version_command aggregated: 1

Name	Value
version	0

entry_point_command aggregated: 1

Name	Value
entryoff	8464
stacksize	0

dylib_command aggregated: 11

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

1770.255.0

compatibility_version

300.0.0

Datas

/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

228.0.0

compatibility_version

1.0.0

Datas

/usr/lib/libobjc.A.dylib

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

904.4.0

compatibility_version

1.0.0

Datas

/usr/lib/libc++.1.dylib

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

1292.60.1

compatibility_version

1.0.0

Datas

/usr/lib/libSystem.B.dylib

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

2022.20.117

compatibility_version

45.0.0

Datas

/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

1209.1.0

compatibility_version

1.0.0

Datas

/System/Library/Frameworks/CFNetwork.framework/Versions/A/CFNetwork

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

1770.255.0

compatibility_version

150.0.0

Datas

/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

1122.11.0

compatibility_version

1.0.0

Datas

/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

275.0.0

compatibility_version

1.0.0

Datas

/System/Library/Frameworks/IOKit.framework/Versions/A/IOKit

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

59754.60.13

compatibility_version

1.0.0

Datas

/System/Library/Frameworks/Security.framework/Versions/A/Security

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

1109.60.2

compatibility_version

1.0.0

Datas

/System/Library/Frameworks/SystemConfiguration.framework/Versions/A/SystemConfiguration

linkedit_data_command aggregated: 3

Name	Value
dataoff	320416
datasize	1272

Name	Value
dataoff	321688
datasize	8

Name	Value
dataoff	333056
datasize	21264

Internal Symbols

_CCCrypt

_CFArrayCreate

_CFRelease

_CFRetain

_CFRunLoopGetMain

_CFStringTransform

_CFUUIDCreate

_CFUUIDCreateString

_IOObjectRelease

_IORegistryEntryCreateCFProperty

_IOServiceGetMatchingService

_IOServiceMatching

_NSCalendarIdentifierGregorian

_NSClassFromString

_NSDefaultRunLoopMode

_NSFileCreationDate

_NSFileSize

_NSFoundationVersionNumber

_NSGenericException

_NSKeyValueChangeNewKey

_NSLocalizedDescriptionKey

_NSLocalizedFailureReasonErrorKey

_NSLog

_NSRunLoopCommonModes

_NSSearchPathForDirectoriesInDomains

_NSSelectorFromString

_NSStringFromClass

_NSStringFromSelector

_NSURLAuthenticationMethodServerTrust

_NSURLErrorFailingURLErrorKey

_NSURLNameKey

_NSURLSessionTransferSizeUnknown

_NSUnderlyingErrorKey

_NSUserName

_OBJC_CLASS_$_NSArray

_OBJC_CLASS_$_NSBitmapImageRep

_OBJC_CLASS_$_NSBundle

_OBJC_CLASS_$_NSCalendar

_OBJC_CLASS_$_NSCharacterSet

_OBJC_CLASS_$_NSData

_OBJC_CLASS_$_NSDate

_OBJC_CLASS_$_NSDateFormatter

_OBJC_CLASS_$_NSDecimalNumber

_OBJC_CLASS_$_NSDictionary

_OBJC_CLASS_$_NSError

_OBJC_CLASS_$_NSException

_OBJC_CLASS_$_NSFileManager

_OBJC_CLASS_$_NSHTTPURLResponse

_OBJC_CLASS_$_NSImage

_OBJC_CLASS_$_NSIndexSet

_OBJC_CLASS_$_NSInputStream

_OBJC_CLASS_$_NSJSONSerialization

_OBJC_CLASS_$_NSLocale

_OBJC_CLASS_$_NSLock

_OBJC_CLASS_$_NSMutableArray

_OBJC_CLASS_$_NSMutableData

_OBJC_CLASS_$_NSMutableDictionary

_OBJC_CLASS_$_NSMutableSet

_OBJC_CLASS_$_NSMutableString

_OBJC_CLASS_$_NSMutableURLRequest

_OBJC_CLASS_$_NSNotificationCenter

_OBJC_CLASS_$_NSNull

_OBJC_CLASS_$_NSNumber

_OBJC_CLASS_$_NSNumberFormatter

_OBJC_CLASS_$_NSObject

_OBJC_CLASS_$_NSOperationQueue

_OBJC_CLASS_$_NSOutputStream

_OBJC_CLASS_$_NSProcessInfo

_OBJC_CLASS_$_NSProgress

_OBJC_CLASS_$_NSPropertyListSerialization

_OBJC_CLASS_$_NSRecursiveLock

_OBJC_CLASS_$_NSRunLoop

_OBJC_CLASS_$_NSSet

_OBJC_CLASS_$_NSSortDescriptor

_OBJC_CLASS_$_NSString

_OBJC_CLASS_$_NSThread

_OBJC_CLASS_$_NSURL

_OBJC_CLASS_$_NSURLCredential

_OBJC_CLASS_$_NSURLSession

_OBJC_CLASS_$_NSURLSessionConfiguration

_OBJC_CLASS_$_NSXMLDocument

_OBJC_CLASS_$_NSXMLParser

_OBJC_METACLASS_$_NSInputStream

_OBJC_METACLASS_$_NSMutableArray

_OBJC_METACLASS_$_NSObject

_SCNetworkReachabilityCreateWithAddress

_SCNetworkReachabilityCreateWithName

_SCNetworkReachabilityGetFlags

_SCNetworkReachabilityScheduleWithRunLoop

_SCNetworkReachabilitySetCallback

_SCNetworkReachabilityUnscheduleFromRunLoop

_SecCertificateCopyData

_SecCertificateCreateWithData

_SecItemExport

_SecPolicyCreateBasicX509

_SecPolicyCreateSSL

_SecTrustCopyPublicKey

_SecTrustCreateWithCertificates

_SecTrustEvaluate

_SecTrustGetCertificateAtIndex

_SecTrustGetCertificateCount

_SecTrustSetAnchorCertificates

_SecTrustSetPolicies

_UTTypeCopyPreferredTagWithClass

_UTTypeCreatePreferredIdentifierForTag

__Block_copy

__Block_object_assign

__Block_object_dispose

__Block_release

__NSConcreteGlobalBlock

__NSConcreteStackBlock

__Unwind_Resume

__ZNKSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE7compareEmmPKcm

__ZNKSt3__121__basic_string_commonILb1EE20__throw_length_errorEv

__ZNSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE6appendEPKc

__ZNSt3__1plIcNS_11char_traitsIcEENS_9allocatorIcEEEENS_12basic_stringIT_T0_T1_EEPKS6_RKS9_

__ZSt9terminatev

__ZdlPv

__Znam

__Znwm

___CFConstantStringClassReference

___bzero

___cxa_begin_catch

___darwin_check_fd_set_overflow

___gxx_personality_v0

___memcpy_chk

___objc_personality_v0

___sprintf_chk

___stack_chk_fail

___stack_chk_guard

___stderrp

___stdoutp

___strncpy_chk

__dispatch_main_q

__dispatch_queue_attr_concurrent

__dispatch_source_type_timer

__mh_execute_header

__objc_empty_cache

_access

_arc4random

_atoi

_class_addMethod

_class_getInstanceMethod

_close

_closedir

_dispatch_async

_dispatch_barrier_async

_dispatch_get_global_queue

_dispatch_group_async

_dispatch_group_create

_dispatch_once

_dispatch_queue_create

_dispatch_resume

_dispatch_semaphore_create

_dispatch_semaphore_signal

_dispatch_semaphore_wait

_dispatch_source_cancel

_dispatch_source_create

_dispatch_source_set_event_handler

_dispatch_source_set_timer

_dispatch_sync

_dispatch_time

_dispatch_walltime

_dup2

_execvp

_exit

_fclose

_feof

_fgets

_fopen

_fork

_fread

_free

_freeifaddrs

_freopen

_fseek

_ftell

_getcwd

_getifaddrs

_getuid

_grantpt

_host_page_size

_host_statistics64

_if_nametoindex

_inet_addr

_inet_ntoa

_ioctl

_kCFAllocatorDefault

_kCFBundleExecutableKey

_kCFBundleIdentifierKey

_kCFBundleVersionKey

_kCFRunLoopCommonModes

_kCFStreamPropertyHTTPProxyHost

_kCFStreamPropertyHTTPProxyPort

_kCFStreamPropertyHTTPSProxyHost

_kCFStreamPropertyHTTPSProxyPort

_kIOMasterPortDefault

_kUTTagClassFilenameExtension

_kUTTagClassMIMEType

_kill

_mach_host_self

_malloc

_memcpy

_method_exchangeImplementations

_method_getImplementation

_method_getTypeEncoding

_objc_alloc

_objc_autorelease

_objc_autoreleaseReturnValue

_objc_copyWeak

_objc_destroyWeak

_objc_enumerationMutation

_objc_exception_throw

_objc_getProperty

_objc_initWeak

_objc_loadWeakRetained

_objc_msgSend

_objc_msgSendSuper2

_objc_msgSend_stret

_objc_release

_objc_retain

_objc_retainAutorelease

_objc_retainAutoreleaseReturnValue

_objc_retainAutoreleasedReturnValue

_objc_retainBlock

_objc_setProperty_atomic_copy

_objc_setProperty_nonatomic_copy

_objc_storeStrong

_objc_storeWeak

_objc_unsafeClaimAutoreleasedReturnValue

_open

_opendir$INODE64

_pclose

_popen

_printf

_pthread_create

_pthread_join

_puts

_read

_readdir$INODE64

_rename

_rindex

_select$1050

_signal

_sleep

_snprintf

_sprintf

_stat$INODE64

_statfs$INODE64

_strchr

_strcmp

_strcpy

_strlen

_strstr

_strtol

_sysctl

_sysctlbyname

_system

_unlink

_unlockpt

_waitpid

_write

dyld_stub_binder

radr://5614542

External symbols

_CCCrypt

_CFArrayCreate

_CFRelease

_CFRetain

_CFRunLoopGetMain

_CFStringTransform

_CFUUIDCreate

_CFUUIDCreateString

_IOObjectRelease

_IORegistryEntryCreateCFProperty

_IOServiceGetMatchingService

_IOServiceMatching

_NSClassFromString

_NSLog

_NSSearchPathForDirectoriesInDomains

_NSSelectorFromString

_NSStringFromClass

_NSStringFromSelector

_NSUserName

_SCNetworkReachabilityCreateWithAddress

_SCNetworkReachabilityCreateWithName

_SCNetworkReachabilityGetFlags

_SCNetworkReachabilityScheduleWithRunLoop

_SCNetworkReachabilitySetCallback

_SCNetworkReachabilityUnscheduleFromRunLoop

_SecCertificateCopyData

_SecCertificateCreateWithData

_SecItemExport

_SecPolicyCreateBasicX509

_SecPolicyCreateSSL

_SecTrustCopyPublicKey

_SecTrustCreateWithCertificates

_SecTrustEvaluate

_SecTrustGetCertificateAtIndex

_SecTrustGetCertificateCount

_SecTrustSetAnchorCertificates

_SecTrustSetPolicies

_UTTypeCopyPreferredTagWithClass

_UTTypeCreatePreferredIdentifierForTag

__Block_copy

__Block_object_assign

__Block_object_dispose

__Block_release

__Unwind_Resume

__ZNKSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE7compareEmmPKcm

__ZNKSt3__121__basic_string_commonILb1EE20__throw_length_errorEv

__ZNSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE6appendEPKc

__ZNSt3__1plIcNS_11char_traitsIcEENS_9allocatorIcEEEENS_12basic_stringIT_T0_T1_EEPKS6_RKS9_

__ZSt9terminatev

___bzero

___cxa_begin_catch

___darwin_check_fd_set_overflow

___memcpy_chk

___sprintf_chk

___stack_chk_fail

___strncpy_chk

_access

_arc4random

_atoi

_class_addMethod

_class_getInstanceMethod

_close

_closedir

_dispatch_async

_dispatch_barrier_async

_dispatch_get_global_queue

_dispatch_group_async

_dispatch_group_create

_dispatch_once

_dispatch_queue_create

_dispatch_resume

_dispatch_semaphore_create

_dispatch_semaphore_signal

_dispatch_semaphore_wait

_dispatch_source_cancel

_dispatch_source_create

_dispatch_source_set_event_handler

_dispatch_source_set_timer

_dispatch_sync

_dispatch_time

_dispatch_walltime

_dup2

_execvp

_exit

_fclose

_feof

_fgets

_fopen

_fork

_fread

_free

_freeifaddrs

_freopen

_fseek

_ftell

_getcwd

_getifaddrs

_getuid

_grantpt

_host_page_size

_host_statistics64

_if_nametoindex

_inet_addr

_inet_ntoa

_ioctl

_kill

_mach_host_self

_malloc

_memcpy

_method_exchangeImplementations

_method_getImplementation

_method_getTypeEncoding

_objc_alloc

_objc_autorelease

_objc_autoreleaseReturnValue

_objc_copyWeak

_objc_destroyWeak

_objc_enumerationMutation

_objc_exception_throw

_objc_getProperty

_objc_initWeak

_objc_loadWeakRetained

_objc_msgSendSuper2

_objc_msgSend_stret

_objc_retainAutorelease

_objc_retainAutoreleaseReturnValue

_objc_retainAutoreleasedReturnValue

_objc_retainBlock

_objc_setProperty_atomic_copy

_objc_setProperty_nonatomic_copy

_objc_storeStrong

_objc_storeWeak

_objc_unsafeClaimAutoreleasedReturnValue

_open

_opendir$INODE64

_pclose

_popen

_printf

_pthread_create

_pthread_join

_puts

_read

_readdir$INODE64

_rename

_rindex

_select$1050

_signal

_sleep

_snprintf

_sprintf

_stat$INODE64

_statfs$INODE64

_strchr

_strcmp

_strcpy

_strlen

_strstr

_strtol

_sysctl

_sysctlbyname

_system

_unlink

_unlockpt

_waitpid

_write

General Information for header 2
Endian:	<
Size:	32-bit
Architecture:	ARM64
Filetype:	execute
Nbr. of load commands:	27
Entry point:

segment_command_64 aggregated: 5

Name	Value
segname	__PAGEZERO
vmaddr	0x0
vmsize	0x100000000
fileoff	0x0
filesize	0x0
maxprot	0x0
initprot	0x0
nsects	0
flags	0x0

Name

Value

segname

__TEXT

vmaddr

0x100000000

vmsize

0x40000

fileoff

0x0

filesize

0x40000

maxprot

0x5

initprot

0x5

nsects

flags

0x0

Datas

sectname	segname	addr	size	offset	entropy	align	reloff	nreloc	flags
__text	__TEXT	0x100004B3C	0x2C898	0x4B3C	6.1009	0x2	0x0	0	0x80000400
__stubs	__TEXT	0x1000313D4	0x7F8	0x313D4	4.0031	0x2	0x0	0	0x80000408
__stub_helper	__TEXT	0x100031BCC	0x7EC	0x31BCC	4.2608	0x2	0x0	0	0x80000400
__objc_methlist	__TEXT	0x1000323B8	0x2188	0x323B8	5.4735	0x3	0x0	0	0x0
__gcc_except_tab	__TEXT	0x100034540	0x1378	0x34540	5.0141	0x2	0x0	0	0x0
__cstring	__TEXT	0x1000358B8	0x34F0	0x358B8	5.4413	0x0	0x0	0	0x2
__objc_methname	__TEXT	0x100038DA8	0x5383	0x38DA8	4.8658	0x0	0x0	0	0x2
__const	__TEXT	0x10003E130	0x80	0x3E130	2.2117	0x4	0x0	0	0x0
__objc_classname	__TEXT	0x10003E1B0	0x39F	0x3E1B0	4.9640	0x0	0x0	0	0x2
__objc_methtype	__TEXT	0x10003E54F	0xFA4	0x3E54F	5.1671	0x0	0x0	0	0x2
__ustring	__TEXT	0x10003F4F4	0x52	0x3F4F4	4.8240	0x1	0x0	0	0x0
__unwind_info	__TEXT	0x10003F548	0xA64	0x3F548	5.8119	0x2	0x0	0	0x0
__eh_frame	__TEXT	0x10003FFB0	0x50	0x3FFB0	3.3843	0x3	0x0	0	0x0

Name

Value

segname

__DATA_CONST

vmaddr

0x100040000

vmsize

0x4000

fileoff

0x40000

filesize

0x4000

maxprot

0x3

initprot

0x3

nsects

flags

0x10

Datas

sectname	segname	addr	size	offset	entropy	align	reloff	nreloc	flags
__got	__DATA_CONST	0x100040000	0x138	0x40000	-0.0000	0x3	0x0	0	0x6
__const	__DATA_CONST	0x100040138	0xD48	0x40138	2.2117	0x3	0x0	0	0x0
__cfstring	__DATA_CONST	0x100040E80	0x20C0	0x40E80	1.8528	0x3	0x0	0	0x0
__objc_classlist	__DATA_CONST	0x100042F40	0xE8	0x42F40	2.8607	0x3	0x0	0	0x10000000
__objc_nlclslist	__DATA_CONST	0x100043028	0x8	0x43028	2.0000	0x3	0x0	0	0x10000000
__objc_catlist	__DATA_CONST	0x100043030	0x10	0x43030	2.1250	0x3	0x0	0	0x10000000
__objc_protolist	__DATA_CONST	0x100043040	0x60	0x43040	2.7060	0x3	0x0	0	0x0
__objc_imageinfo	__DATA_CONST	0x1000430A0	0x8	0x430A0	0.5436	0x2	0x0	0	0x0

Name

Value

segname

__DATA

vmaddr

0x100044000

vmsize

0x8000

fileoff

0x44000

filesize

0x8000

maxprot

0x3

initprot

0x3

nsects

flags

0x0

Datas

sectname	segname	addr	size	offset	entropy	align	reloff	nreloc	flags
__la_symbol_ptr	__DATA	0x100044000	0x550	0x44000	3.0587	0x3	0x0	0	0x7
__objc_const	__DATA	0x100044550	0x42C0	0x44550	2.9095	0x3	0x0	0	0x0
__objc_selrefs	__DATA	0x100048810	0x19D8	0x48810	3.6122	0x3	0x0	0	0x10000005
__objc_protorefs	__DATA	0x10004A1E8	0x10	0x4A1E8	2.1250	0x3	0x0	0	0x0
__objc_classrefs	__DATA	0x10004A1F8	0x220	0x4A1F8	1.1749	0x3	0x0	0	0x10000000
__objc_superrefs	__DATA	0x10004A418	0xC8	0x4A418	2.8354	0x3	0x0	0	0x10000000
__objc_ivar	__DATA	0x10004A4E0	0x254	0x4A4E0	1.8978	0x2	0x0	0	0x0
__objc_data	__DATA	0x10004A738	0x910	0x4A738	1.4594	0x3	0x0	0	0x0
__data	__DATA	0x10004B048	0xA68	0x4B048	0.7841	0x3	0x0	0	0x0
__common	__DATA	0x10004BAB0	0x28	0x0	-0.0000	0x3	0x0	0	0x1
__bss	__DATA	0x10004BAD8	0x90	0x0	-0.0000	0x3	0x0	0	0x1

Name	Value
segname	__LINKEDIT
vmaddr	0x10004C000
vmsize	0xC000
fileoff	0x4C000
filesize	0xA710
maxprot	0x1
initprot	0x1
nsects	0
flags	0x0

dyld_info_command aggregated: 1

Name	Value
rebase_off	311296
rebase_size	1296
bind_off	312592
bind_size	3240
weak_bind_off	315832
weak_bind_size	72
lazy_bind_off	315904
lazy_bind_size	4264
export_off	320168
export_size	32

symtab_command aggregated: 1

Name	Value
symoff	321480
nsyms	264
stroff	327224
strsize	5568

dysymtab_command aggregated: 1

Name	Value
ilocalsym	0
nlocalsym	1
iextdefsym	1
nextdefsym	1
iundefsym	2
nundefsym	262
tocoff	0
ntoc	0
modtaboff	0
nmodtab	0
extrefsymoff	0
nextrefsyms	0
indirectsymoff	325704
nindirectsyms	379
extreloff	0
nextrel	0
locreloff	0
nlocrel	0

dylinker_command aggregated: 1

Name

Value

name

Datas

/usr/lib/dyld

uuid_command aggregated: 1

Name	Value
uuid	b'\xf9\xd2\xf6\xdbz\xc2:\xae\xa9<\xadO=p~\xc4'

build_version_command aggregated: 1

Name

Value

platform

minos

720896

sdk

721152

ntools

Datas

source_version_command aggregated: 1

Name	Value
version	0

entry_point_command aggregated: 1

Name	Value
entryoff	19260
stacksize	0

dylib_command aggregated: 11

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

1770.255.0

compatibility_version

300.0.0

Datas

/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

228.0.0

compatibility_version

1.0.0

Datas

/usr/lib/libobjc.A.dylib

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

904.4.0

compatibility_version

1.0.0

Datas

/usr/lib/libc++.1.dylib

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

1292.60.1

compatibility_version

1.0.0

Datas

/usr/lib/libSystem.B.dylib

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

2022.20.117

compatibility_version

45.0.0

Datas

/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

1209.1.0

compatibility_version

1.0.0

Datas

/System/Library/Frameworks/CFNetwork.framework/Versions/A/CFNetwork

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

1770.255.0

compatibility_version

150.0.0

Datas

/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

1122.11.0

compatibility_version

1.0.0

Datas

/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

275.0.0

compatibility_version

1.0.0

Datas

/System/Library/Frameworks/IOKit.framework/Versions/A/IOKit

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

59754.60.13

compatibility_version

1.0.0

Datas

/System/Library/Frameworks/Security.framework/Versions/A/Security

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

1109.60.2

compatibility_version

1.0.0

Datas

/System/Library/Frameworks/SystemConfiguration.framework/Versions/A/SystemConfiguration

linkedit_data_command aggregated: 3

Name	Value
dataoff	320200
datasize	1280

Name	Value
dataoff	321480
datasize	0

Name	Value
dataoff	332800
datasize	21264

Internal Symbols

_CCCrypt

_CFArrayCreate

_CFRelease

_CFRetain

_CFRunLoopGetMain

_CFStringTransform

_CFUUIDCreate

_CFUUIDCreateString

_IOObjectRelease

_IORegistryEntryCreateCFProperty

_IOServiceGetMatchingService

_IOServiceMatching

_NSCalendarIdentifierGregorian

_NSClassFromString

_NSDefaultRunLoopMode

_NSFileCreationDate

_NSFileSize

_NSFoundationVersionNumber

_NSGenericException

_NSKeyValueChangeNewKey

_NSLocalizedDescriptionKey

_NSLocalizedFailureReasonErrorKey

_NSLog

_NSRunLoopCommonModes

_NSSearchPathForDirectoriesInDomains

_NSSelectorFromString

_NSStringFromClass

_NSStringFromSelector

_NSURLAuthenticationMethodServerTrust

_NSURLErrorFailingURLErrorKey

_NSURLNameKey

_NSURLSessionTransferSizeUnknown

_NSUnderlyingErrorKey

_NSUserName

_OBJC_CLASS_$_NSArray

_OBJC_CLASS_$_NSBitmapImageRep

_OBJC_CLASS_$_NSBundle

_OBJC_CLASS_$_NSCalendar

_OBJC_CLASS_$_NSCharacterSet

_OBJC_CLASS_$_NSData

_OBJC_CLASS_$_NSDate

_OBJC_CLASS_$_NSDateFormatter

_OBJC_CLASS_$_NSDecimalNumber

_OBJC_CLASS_$_NSDictionary

_OBJC_CLASS_$_NSError

_OBJC_CLASS_$_NSException

_OBJC_CLASS_$_NSFileManager

_OBJC_CLASS_$_NSHTTPURLResponse

_OBJC_CLASS_$_NSImage

_OBJC_CLASS_$_NSIndexSet

_OBJC_CLASS_$_NSInputStream

_OBJC_CLASS_$_NSJSONSerialization

_OBJC_CLASS_$_NSLocale

_OBJC_CLASS_$_NSLock

_OBJC_CLASS_$_NSMutableArray

_OBJC_CLASS_$_NSMutableData

_OBJC_CLASS_$_NSMutableDictionary

_OBJC_CLASS_$_NSMutableSet

_OBJC_CLASS_$_NSMutableString

_OBJC_CLASS_$_NSMutableURLRequest

_OBJC_CLASS_$_NSNotificationCenter

_OBJC_CLASS_$_NSNull

_OBJC_CLASS_$_NSNumber

_OBJC_CLASS_$_NSNumberFormatter

_OBJC_CLASS_$_NSObject

_OBJC_CLASS_$_NSOperationQueue

_OBJC_CLASS_$_NSOutputStream

_OBJC_CLASS_$_NSProcessInfo

_OBJC_CLASS_$_NSProgress

_OBJC_CLASS_$_NSPropertyListSerialization

_OBJC_CLASS_$_NSRecursiveLock

_OBJC_CLASS_$_NSRunLoop

_OBJC_CLASS_$_NSSet

_OBJC_CLASS_$_NSSortDescriptor

_OBJC_CLASS_$_NSString

_OBJC_CLASS_$_NSThread

_OBJC_CLASS_$_NSURL

_OBJC_CLASS_$_NSURLCredential

_OBJC_CLASS_$_NSURLSession

_OBJC_CLASS_$_NSURLSessionConfiguration

_OBJC_CLASS_$_NSXMLDocument

_OBJC_CLASS_$_NSXMLParser

_OBJC_METACLASS_$_NSInputStream

_OBJC_METACLASS_$_NSMutableArray

_OBJC_METACLASS_$_NSObject

_SCNetworkReachabilityCreateWithAddress

_SCNetworkReachabilityCreateWithName

_SCNetworkReachabilityGetFlags

_SCNetworkReachabilityScheduleWithRunLoop

_SCNetworkReachabilitySetCallback

_SCNetworkReachabilityUnscheduleFromRunLoop

_SecCertificateCopyData

_SecCertificateCreateWithData

_SecItemExport

_SecPolicyCreateBasicX509

_SecPolicyCreateSSL

_SecTrustCopyPublicKey

_SecTrustCreateWithCertificates

_SecTrustEvaluate

_SecTrustGetCertificateAtIndex

_SecTrustGetCertificateCount

_SecTrustSetAnchorCertificates

_SecTrustSetPolicies

_UTTypeCopyPreferredTagWithClass

_UTTypeCreatePreferredIdentifierForTag

__Block_copy

__Block_object_assign

__Block_object_dispose

__Block_release

__NSConcreteGlobalBlock

__NSConcreteStackBlock

__Unwind_Resume

__ZNKSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE7compareEmmPKcm

__ZNKSt3__121__basic_string_commonILb1EE20__throw_length_errorEv

__ZNSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE6appendEPKc

__ZNSt3__1plIcNS_11char_traitsIcEENS_9allocatorIcEEEENS_12basic_stringIT_T0_T1_EEPKS6_RKS9_

__ZSt9terminatev

__ZdlPv

__Znam

__Znwm

___CFConstantStringClassReference

___chkstk_darwin

___cxa_begin_catch

___darwin_check_fd_set_overflow

___gxx_personality_v0

___memcpy_chk

___objc_personality_v0

___sprintf_chk

___stack_chk_fail

___stack_chk_guard

___stderrp

___stdoutp

___strncpy_chk

__dispatch_main_q

__dispatch_queue_attr_concurrent

__dispatch_source_type_timer

__mh_execute_header

__objc_empty_cache

_access

_arc4random

_atoi

_bzero

_class_addMethod

_class_getInstanceMethod

_close

_closedir

_dispatch_async

_dispatch_barrier_async

_dispatch_get_global_queue

_dispatch_group_async

_dispatch_group_create

_dispatch_once

_dispatch_queue_create

_dispatch_resume

_dispatch_semaphore_create

_dispatch_semaphore_signal

_dispatch_semaphore_wait

_dispatch_source_cancel

_dispatch_source_create

_dispatch_source_set_event_handler

_dispatch_source_set_timer

_dispatch_sync

_dispatch_time

_dispatch_walltime

_dup2

_execvp

_exit

_fclose

_feof

_fgets

_fopen

_fork

_fread

_free

_freeifaddrs

_freopen

_fseek

_ftell

_getcwd

_getifaddrs

_getuid

_grantpt

_host_page_size

_host_statistics64

_if_nametoindex

_inet_addr

_inet_ntoa

_ioctl

_kCFAllocatorDefault

_kCFBundleExecutableKey

_kCFBundleIdentifierKey

_kCFBundleVersionKey

_kCFRunLoopCommonModes

_kCFStreamPropertyHTTPProxyHost

_kCFStreamPropertyHTTPProxyPort

_kCFStreamPropertyHTTPSProxyHost

_kCFStreamPropertyHTTPSProxyPort

_kIOMasterPortDefault

_kUTTagClassFilenameExtension

_kUTTagClassMIMEType

_kill

_mach_host_self

_malloc

_memcpy

_method_exchangeImplementations

_method_getImplementation

_method_getTypeEncoding

_objc_alloc

_objc_autorelease

_objc_autoreleaseReturnValue

_objc_copyWeak

_objc_destroyWeak

_objc_enumerationMutation

_objc_exception_throw

_objc_getProperty

_objc_initWeak

_objc_loadWeakRetained

_objc_msgSend

_objc_msgSendSuper2

_objc_release

_objc_retain

_objc_retainAutorelease

_objc_retainAutoreleaseReturnValue

_objc_retainAutoreleasedReturnValue

_objc_retainBlock

_objc_setProperty_atomic_copy

_objc_setProperty_nonatomic_copy

_objc_storeStrong

_objc_storeWeak

_objc_unsafeClaimAutoreleasedReturnValue

_open

_opendir

_pclose

_popen

_printf

_pthread_create

_pthread_join

_puts

_read

_readdir

_rename

_rindex

_select

_signal

_sleep

_snprintf

_sprintf

_stat

_statfs

_strchr

_strcmp

_strcpy

_strlen

_strstr

_strtol

_sysctl

_sysctlbyname

_system

_unlink

_unlockpt

_waitpid

_write

dyld_stub_binder

radr://5614542

External symbols

_CCCrypt

_CFArrayCreate

_CFRelease

_CFRetain

_CFRunLoopGetMain

_CFStringTransform

_CFUUIDCreate

_CFUUIDCreateString

_IOObjectRelease

_IORegistryEntryCreateCFProperty

_IOServiceGetMatchingService

_IOServiceMatching

_NSClassFromString

_NSLog

_NSSearchPathForDirectoriesInDomains

_NSSelectorFromString

_NSStringFromClass

_NSStringFromSelector

_NSUserName

_SCNetworkReachabilityCreateWithAddress

_SCNetworkReachabilityCreateWithName

_SCNetworkReachabilityGetFlags

_SCNetworkReachabilityScheduleWithRunLoop

_SCNetworkReachabilitySetCallback

_SCNetworkReachabilityUnscheduleFromRunLoop

_SecCertificateCopyData

_SecCertificateCreateWithData

_SecItemExport

_SecPolicyCreateBasicX509

_SecPolicyCreateSSL

_SecTrustCopyPublicKey

_SecTrustCreateWithCertificates

_SecTrustEvaluate

_SecTrustGetCertificateAtIndex

_SecTrustGetCertificateCount

_SecTrustSetAnchorCertificates

_SecTrustSetPolicies

_UTTypeCopyPreferredTagWithClass

_UTTypeCreatePreferredIdentifierForTag

__Block_copy

__Block_object_assign

__Block_object_dispose

__Block_release

__Unwind_Resume

__ZNKSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE7compareEmmPKcm

__ZNKSt3__121__basic_string_commonILb1EE20__throw_length_errorEv

__ZNSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE6appendEPKc

__ZNSt3__1plIcNS_11char_traitsIcEENS_9allocatorIcEEEENS_12basic_stringIT_T0_T1_EEPKS6_RKS9_

__ZSt9terminatev

___cxa_begin_catch

___darwin_check_fd_set_overflow

___memcpy_chk

___sprintf_chk

___stack_chk_fail

___strncpy_chk

_access

_arc4random

_atoi

_bzero

_class_addMethod

_class_getInstanceMethod

_close

_closedir

_dispatch_async

_dispatch_barrier_async

_dispatch_get_global_queue

_dispatch_group_async

_dispatch_group_create

_dispatch_once

_dispatch_queue_create

_dispatch_resume

_dispatch_semaphore_create

_dispatch_semaphore_signal

_dispatch_semaphore_wait

_dispatch_source_cancel

_dispatch_source_create

_dispatch_source_set_event_handler

_dispatch_source_set_timer

_dispatch_sync

_dispatch_time

_dispatch_walltime

_dup2

_execvp

_exit

_fclose

_feof

_fgets

_fopen

_fork

_fread

_free

_freeifaddrs

_freopen

_fseek

_ftell

_getcwd

_getifaddrs

_getuid

_grantpt

_host_page_size

_host_statistics64

_if_nametoindex

_inet_addr

_inet_ntoa

_ioctl

_kill

_mach_host_self

_malloc

_memcpy

_method_exchangeImplementations

_method_getImplementation

_method_getTypeEncoding

_objc_alloc

_objc_autorelease

_objc_autoreleaseReturnValue

_objc_copyWeak

_objc_destroyWeak

_objc_enumerationMutation

_objc_exception_throw

_objc_getProperty

_objc_initWeak

_objc_loadWeakRetained

_objc_msgSend

_objc_msgSendSuper2

_objc_release

_objc_retain

_objc_retainAutorelease

_objc_retainAutoreleaseReturnValue

_objc_retainAutoreleasedReturnValue

_objc_retainBlock

_objc_setProperty_atomic_copy

_objc_setProperty_nonatomic_copy

_objc_storeStrong

_objc_storeWeak

_objc_unsafeClaimAutoreleasedReturnValue

_open

_opendir

_pclose

_popen

_printf

_pthread_create

_pthread_join

_puts

_read

_readdir

_rename

_rindex

_select

_signal

_sleep

_snprintf

_sprintf

_stat

_statfs

_strchr

_strcmp

_strcpy

_strlen

_strstr

_strtol

_sysctl

_sysctlbyname

_system

_unlink

_unlockpt

_waitpid

_write

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 28, 2022 14:12:48.311383963 CEST	49302	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:48.670630932 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:48.670660973 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:48.670681000 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:48.670686007 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:48.670691013 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:48.670840979 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:48.670845985 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:48.670850039 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:48.670854092 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:48.670857906 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:48.670953035 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:48.670958042 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:48.670962095 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:48.670967102 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:48.671062946 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:48.671067953 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:48.671072006 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:48.671076059 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:48.671081066 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:48.671156883 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:48.671164036 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:48.671170950 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:48.671175957 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:48.671180964 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:48.671185017 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:48.671190023 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:48.671194077 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:48.671339035 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:48.671343088 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:48.671417952 CEST	138	138	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:48.671422958 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:48.671427965 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:48.671432018 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:48.671436071 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:48.671439886 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:48.671516895 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:48.671521902 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:48.671525955 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:48.671530008 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:48.671534061 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:48.671539068 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:48.671542883 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:48.671621084 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:48.671626091 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:48.671629906 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:48.671633959 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:48.671638012 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:48.671643019 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:48.671736002 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:48.671741009 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:48.671745062 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:48.671749115 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:48.671753883 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:48.671757936 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:48.671889067 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:48.671894073 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:48.671897888 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:48.671901941 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:49.061182976 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:49.061280966 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:49.061376095 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:49.061381102 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:49.061549902 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:49.061553955 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:49.061558008 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:49.061685085 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:49.061693907 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:49.061698914 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:49.061903954 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:49.061909914 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:49.061913967 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:49.061918020 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:49.062041998 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:49.062046051 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:49.062050104 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:49.062134981 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:49.062139034 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:49.062144041 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:49.062292099 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:49.062295914 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:49.062299967 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:49.062457085 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:49.062551022 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:49.062555075 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:49.062558889 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:49.062721968 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:49.813153028 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:49.813345909 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:49.813352108 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:49.813357115 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:49.813360929 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:49.813493013 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:49.813498020 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:49.813626051 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:49.813637972 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:49.813760042 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:49.813766956 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:49.813771009 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:49.813960075 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:49.813963890 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:49.813968897 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:49.814049006 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:49.814201117 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:49.814204931 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:49.814208984 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:49.814352989 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:49.814357996 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:49.814362049 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:49.814366102 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:49.814443111 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:49.814446926 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:49.814450979 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:49.814590931 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:49.814598083 CEST	137	137	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:49.814604044 CEST	138	138	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:52.819813967 CEST	138	138	192.168.0.52	192.168.0.255
Mar 28, 2022 14:12:54.330102921 CEST	53	56495	8.8.8.8	192.168.0.52
Mar 28, 2022 14:12:54.691968918 CEST	61483	53	192.168.0.52	8.8.8.8
Mar 28, 2022 14:12:54.692070007 CEST	57359	53	192.168.0.52	8.8.8.8
Mar 28, 2022 14:12:54.710969925 CEST	53	57359	8.8.8.8	192.168.0.52
Mar 28, 2022 14:12:54.711069107 CEST	53	61483	8.8.8.8	192.168.0.52
Mar 28, 2022 14:14:14.195482969 CEST	53	50470	8.8.8.8	192.168.0.52

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Mar 28, 2022 14:12:54.691968918 CEST	192.168.0.52	8.8.8.8	0x9fc3	Standard query (0)	pki-goog.l.google.com	65	IN (0x0001)
Mar 28, 2022 14:12:54.692070007 CEST	192.168.0.52	8.8.8.8	0xf745	Standard query (0)	pki-goog.l.google.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Mar 28, 2022 14:12:54.702195883 CEST	8.8.8.8	192.168.0.52	0xe3e	No error (0)	pki-goog.l.google.com		172.217.168.67	A (IP address)	IN (0x0001)
Mar 28, 2022 14:12:54.710969925 CEST	8.8.8.8	192.168.0.52	0xf745	No error (0)	pki-goog.l.google.com		172.217.168.67	A (IP address)	IN (0x0001)

System Behavior

Analysis Process: mono-sgen64 PID: 1612, Parent PID: 1569

General

Start time:	14:12:32
Start date:	28/03/2022
Path:	/Library/Frameworks/Mono.framework/Versions/6.12.0/bin/mono-sgen64
Arguments:	n/a
File size:	4699168 bytes
MD5 hash:	98f65da8c6a62423d3f4cda359f06a87

Start time:	14:12:32
Start date:	28/03/2022
Path:	/Users/drew/Desktop/CorelDRAW
Arguments:	/Users/drew/Desktop/CorelDRAW
File size:	730896 bytes
MD5 hash:	23699799f496b8e872d05f19d2b397f8

Start time:	14:12:32
Start date:	28/03/2022
Path:	/bin/sh
Arguments:	n/a
File size:	120912 bytes
MD5 hash:	8356936fbf1eeb3548896b9206a685a0

Start time:	14:12:33
Start date:	28/03/2022
Path:	/bin/bash
Arguments:	sh -c ps -ef \|grep CorelDRAW \|grep -v /Users/drew/Desktop/CorelDRAW \|grep -v 'CorelDRAW\sGraphics\sSuite' \|awk '{print $2}' \|xargs kill -9
File size:	1296704 bytes
MD5 hash:	c1edb59ec6a40884fc3c4e201d31b1d5

Start time:	14:12:33
Start date:	28/03/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1296704 bytes
MD5 hash:	c1edb59ec6a40884fc3c4e201d31b1d5

Start time:	14:12:33
Start date:	28/03/2022
Path:	/bin/ps
Arguments:	ps -ef
File size:	173728 bytes
MD5 hash:	5441fc94a247a54e76339a9e5b8c2b45

Start time:	14:12:33
Start date:	28/03/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1296704 bytes
MD5 hash:	c1edb59ec6a40884fc3c4e201d31b1d5

Start time:	14:12:33
Start date:	28/03/2022
Path:	/usr/bin/grep
Arguments:	grep CorelDRAW
File size:	140304 bytes
MD5 hash:	501a6e2ee4b55292be9321ece0fa2a93

Start time:	14:12:33
Start date:	28/03/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1296704 bytes
MD5 hash:	c1edb59ec6a40884fc3c4e201d31b1d5

Start time:	14:12:33
Start date:	28/03/2022
Path:	/usr/bin/grep
Arguments:	grep -v /Users/drew/Desktop/CorelDRAW
File size:	140304 bytes
MD5 hash:	501a6e2ee4b55292be9321ece0fa2a93

Start time:	14:12:33
Start date:	28/03/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1296704 bytes
MD5 hash:	c1edb59ec6a40884fc3c4e201d31b1d5

Start time:	14:12:33
Start date:	28/03/2022
Path:	/usr/bin/grep
Arguments:	grep -v CorelDRAW\sGraphics\sSuite
File size:	140304 bytes
MD5 hash:	501a6e2ee4b55292be9321ece0fa2a93

Start time:	14:12:33
Start date:	28/03/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1296704 bytes
MD5 hash:	c1edb59ec6a40884fc3c4e201d31b1d5

Start time:	14:12:33
Start date:	28/03/2022
Path:	/usr/bin/awk
Arguments:	awk {print $2}
File size:	305504 bytes
MD5 hash:	1780ae04585c36f7b86aaec7523fceb6

Start time:	14:12:33
Start date:	28/03/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1296704 bytes
MD5 hash:	c1edb59ec6a40884fc3c4e201d31b1d5

Start time:	14:12:33
Start date:	28/03/2022
Path:	/usr/bin/xargs
Arguments:	xargs kill -9
File size:	139200 bytes
MD5 hash:	e5109f0c83efadc46f840033d8c89901

Start time:	14:12:33
Start date:	28/03/2022
Path:	/bin/sh
Arguments:	n/a
File size:	120912 bytes
MD5 hash:	8356936fbf1eeb3548896b9206a685a0

Start time:	14:12:33
Start date:	28/03/2022
Path:	/bin/bash
Arguments:	sh -c ps -ef \|grep CorelDRAW \|grep -v /Users/drew/Desktop/CorelDRAW \|grep -v 'CorelDRAW\sGraphics\sSuite' \|awk '{print $2}' \|xargs kill -9
File size:	1296704 bytes
MD5 hash:	c1edb59ec6a40884fc3c4e201d31b1d5

Start time:	14:12:33
Start date:	28/03/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1296704 bytes
MD5 hash:	c1edb59ec6a40884fc3c4e201d31b1d5

Start time:	14:12:33
Start date:	28/03/2022
Path:	/bin/ps
Arguments:	ps -ef
File size:	173728 bytes
MD5 hash:	5441fc94a247a54e76339a9e5b8c2b45

Start time:	14:12:33
Start date:	28/03/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1296704 bytes
MD5 hash:	c1edb59ec6a40884fc3c4e201d31b1d5

Start time:	14:12:33
Start date:	28/03/2022
Path:	/usr/bin/grep
Arguments:	grep CorelDRAW
File size:	140304 bytes
MD5 hash:	501a6e2ee4b55292be9321ece0fa2a93

Start time:	14:12:33
Start date:	28/03/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1296704 bytes
MD5 hash:	c1edb59ec6a40884fc3c4e201d31b1d5

Start time:	14:12:33
Start date:	28/03/2022
Path:	/usr/bin/grep
Arguments:	grep -v /Users/drew/Desktop/CorelDRAW
File size:	140304 bytes
MD5 hash:	501a6e2ee4b55292be9321ece0fa2a93

Start time:	14:12:33
Start date:	28/03/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1296704 bytes
MD5 hash:	c1edb59ec6a40884fc3c4e201d31b1d5

Start time:	14:12:33
Start date:	28/03/2022
Path:	/usr/bin/grep
Arguments:	grep -v CorelDRAW\sGraphics\sSuite
File size:	140304 bytes
MD5 hash:	501a6e2ee4b55292be9321ece0fa2a93

Start time:	14:12:33
Start date:	28/03/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1296704 bytes
MD5 hash:	c1edb59ec6a40884fc3c4e201d31b1d5

Start time:	14:12:33
Start date:	28/03/2022
Path:	/usr/bin/awk
Arguments:	awk {print $2}
File size:	305504 bytes
MD5 hash:	1780ae04585c36f7b86aaec7523fceb6

Start time:	14:12:33
Start date:	28/03/2022
Path:	/bin/bash
Arguments:	n/a
File size:	1296704 bytes
MD5 hash:	c1edb59ec6a40884fc3c4e201d31b1d5

Start time:	14:12:33
Start date:	28/03/2022
Path:	/usr/bin/xargs
Arguments:	xargs kill -9
File size:	139200 bytes
MD5 hash:	e5109f0c83efadc46f840033d8c89901

Start time:	14:12:33
Start date:	28/03/2022
Path:	/bin/sh
Arguments:	n/a
File size:	120912 bytes
MD5 hash:	8356936fbf1eeb3548896b9206a685a0

Start time:	14:12:33
Start date:	28/03/2022
Path:	/bin/bash
Arguments:	sh -c cp /Users/drew/Desktop/CorelDRAW /var/root/Library/Preferences/CorelDRAW/CorelDRAW
File size:	1296704 bytes
MD5 hash:	c1edb59ec6a40884fc3c4e201d31b1d5

Start time:	14:12:33
Start date:	28/03/2022
Path:	/bin/cp
Arguments:	cp /Users/drew/Desktop/CorelDRAW /var/root/Library/Preferences/CorelDRAW/CorelDRAW
File size:	123264 bytes
MD5 hash:	9007c6e0352122c17fbcea99739b716e

Start time:	14:12:33
Start date:	28/03/2022
Path:	/bin/sh
Arguments:	n/a
File size:	120912 bytes
MD5 hash:	8356936fbf1eeb3548896b9206a685a0

Start time:	14:12:33
Start date:	28/03/2022
Path:	/bin/bash
Arguments:	sh -c launchctl unload -w /Library/LaunchDaemons/com.CorelDRAW.va.plist
File size:	1296704 bytes
MD5 hash:	c1edb59ec6a40884fc3c4e201d31b1d5

Start time:	14:12:33
Start date:	28/03/2022
Path:	/bin/launchctl
Arguments:	launchctl unload -w /Library/LaunchDaemons/com.CorelDRAW.va.plist
File size:	329344 bytes
MD5 hash:	a9ce661111e6db7d90923d46f790e5c7

Start time:	14:12:33
Start date:	28/03/2022
Path:	/bin/sh
Arguments:	n/a
File size:	120912 bytes
MD5 hash:	8356936fbf1eeb3548896b9206a685a0

Start time:	14:12:33
Start date:	28/03/2022
Path:	/bin/bash
Arguments:	sh -c launchctl load -w /Library/LaunchDaemons/com.CorelDRAW.va.plist
File size:	1296704 bytes
MD5 hash:	c1edb59ec6a40884fc3c4e201d31b1d5

Start time:	14:12:33
Start date:	28/03/2022
Path:	/bin/launchctl
Arguments:	launchctl load -w /Library/LaunchDaemons/com.CorelDRAW.va.plist
File size:	329344 bytes
MD5 hash:	a9ce661111e6db7d90923d46f790e5c7

Start time:	14:12:33
Start date:	28/03/2022
Path:	/usr/libexec/xpcproxy
Arguments:	n/a
File size:	196720 bytes
MD5 hash:	395c4370ee6c31ff7061018e365ee7b9

Start time:	14:12:33
Start date:	28/03/2022
Path:	/var/root/Library/Preferences/CorelDRAW/CorelDRAW
Arguments:	/var/root/Library/Preferences/CorelDRAW/CorelDRAW
File size:	730896 bytes
MD5 hash:	23699799f496b8e872d05f19d2b397f8

Source: submission: CorelDRAW	Mach-O symbol: _CCCrypt
Source: submission: CorelDRAW	Mach-O symbol: _CCCrypt
Source: dropped file: CorelDRAW.398.dr	Mach-O symbol: _CCCrypt
Source: dropped file: CorelDRAW.398.dr	Mach-O symbol: _CCCrypt

Source: CorelDRAW.398.dr	String found in binary or memory: http://cgi1.apnic.net/cgi-bin/my-ip.php
Source: CorelDRAW, 00001612.00000367.1.00000001028f3000.000000010292b000.r--.sdmp	String found in binary or memory: http://crl.apple.com/codesigning.crl0
Source: CorelDRAW, .dat.nosync064c.oZUVM0.367.dr, CorelDRAW.398.dr	String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: CorelDRAW, 00001612.00000367.1.00000001028f3000.000000010292b000.r--.sdmp	String found in binary or memory: http://www.apple.com/appleca/root.crl0
Source: CorelDRAW, 00001612.00000367.1.00000001028f3000.000000010292b000.r--.sdmp	String found in binary or memory: https://www.apple.com/appleca/0
Source: CorelDRAW, CorelDRAW.398.dr	String found in binary or memory: https://www.googleapis.com/drive/v2/files/trash
Source: CorelDRAW.398.dr	String found in binary or memory: https://www.googleapis.com/drive/v2/files/trash%
Source: CorelDRAW.398.dr	String found in binary or memory: https://www.googleapis.com/drive/v3/files/%
Source: CorelDRAW.398.dr	String found in binary or memory: https://www.googleapis.com/drive/v3/files?fields=id%2C
Source: CorelDRAW.398.dr	String found in binary or memory: https://www.googleapis.com/drive/v3/files?q=%%27%
Source: CorelDRAW, CorelDRAW.398.dr	String found in binary or memory: https://www.googleapis.com/upload/drive/v3/files?alt=json&uploadType=resumable
Source: CorelDRAW.398.dr	String found in binary or memory: https://www.googleapis.com/upload/drive/v3/files?alt=json&uploadType=resumable%ldX-Upload-Content-Le
Source: CorelDRAW, CorelDRAW.398.dr	String found in binary or memory: https://www.googleapis.com/upload/drive/v3/files?uploadType=multipart
Source: CorelDRAW.398.dr	String found in binary or memory: https://www.googleapis.com/upload/drive/v3/files?uploadType=multipartdatametadataapplication/json;

Source: submission: CorelDRAW	Mach-O symbol: _objc_msgSend
Source: submission: CorelDRAW	Mach-O symbol: _objc_msgSendSuper2
Source: submission: CorelDRAW	Mach-O symbol: _objc_msgSend_stret
Source: submission: CorelDRAW	Mach-O symbol: _SecItemExport
Source: submission: CorelDRAW	Mach-O symbol: _OBJC_CLASS_$_NSHTTPURLResponse
Source: submission: CorelDRAW	Mach-O symbol: _NSURLAuthenticationMethodServerTrust
Source: submission: CorelDRAW	Mach-O symbol: _NSSearchPathForDirectoriesInDomains
Source: submission: CorelDRAW	Mach-O symbol: _inet_addr
Source: submission: CorelDRAW	Mach-O symbol: _inet_ntoa
Source: submission: CorelDRAW	Mach-O symbol: _kCFStreamPropertyHTTPProxyHost
Source: submission: CorelDRAW	Mach-O symbol: _kCFStreamPropertyHTTPProxyPort
Source: submission: CorelDRAW	Mach-O symbol: _kCFStreamPropertyHTTPSProxyHost
Source: submission: CorelDRAW	Mach-O symbol: _kCFStreamPropertyHTTPSProxyPort
Source: submission: CorelDRAW	Mach-O symbol: _kIOMasterPortDefault
Source: submission: CorelDRAW	Mach-O symbol: _objc_msgSend
Source: submission: CorelDRAW	Mach-O symbol: _objc_msgSendSuper2
Source: submission: CorelDRAW	Mach-O symbol: _SecItemExport
Source: submission: CorelDRAW	Mach-O symbol: _OBJC_CLASS_$_NSHTTPURLResponse
Source: submission: CorelDRAW	Mach-O symbol: _NSURLAuthenticationMethodServerTrust
Source: submission: CorelDRAW	Mach-O symbol: _NSSearchPathForDirectoriesInDomains
Source: submission: CorelDRAW	Mach-O symbol: _inet_ntoa
Source: submission: CorelDRAW	Mach-O symbol: _inet_addr
Source: submission: CorelDRAW	Mach-O symbol: _kIOMasterPortDefault
Source: submission: CorelDRAW	Mach-O symbol: _kCFStreamPropertyHTTPProxyHost
Source: submission: CorelDRAW	Mach-O symbol: _kCFStreamPropertyHTTPProxyPort
Source: submission: CorelDRAW	Mach-O symbol: _kCFStreamPropertyHTTPSProxyHost
Source: submission: CorelDRAW	Mach-O symbol: _kCFStreamPropertyHTTPSProxyPort
Source: dropped file: CorelDRAW.398.dr	Mach-O symbol: _objc_msgSend
Source: dropped file: CorelDRAW.398.dr	Mach-O symbol: _objc_msgSendSuper2
Source: dropped file: CorelDRAW.398.dr	Mach-O symbol: _objc_msgSend_stret
Source: dropped file: CorelDRAW.398.dr	Mach-O symbol: _SecItemExport
Source: dropped file: CorelDRAW.398.dr	Mach-O symbol: _OBJC_CLASS_$_NSHTTPURLResponse
Source: dropped file: CorelDRAW.398.dr	Mach-O symbol: _NSURLAuthenticationMethodServerTrust
Source: dropped file: CorelDRAW.398.dr	Mach-O symbol: _NSSearchPathForDirectoriesInDomains
Source: dropped file: CorelDRAW.398.dr	Mach-O symbol: _inet_addr
Source: dropped file: CorelDRAW.398.dr	Mach-O symbol: _inet_ntoa
Source: dropped file: CorelDRAW.398.dr	Mach-O symbol: _kCFStreamPropertyHTTPProxyHost
Source: dropped file: CorelDRAW.398.dr	Mach-O symbol: _kCFStreamPropertyHTTPProxyPort
Source: dropped file: CorelDRAW.398.dr	Mach-O symbol: _kCFStreamPropertyHTTPSProxyHost
Source: dropped file: CorelDRAW.398.dr	Mach-O symbol: _kCFStreamPropertyHTTPSProxyPort
Source: dropped file: CorelDRAW.398.dr	Mach-O symbol: _kIOMasterPortDefault
Source: dropped file: CorelDRAW.398.dr	Mach-O symbol: _objc_msgSend
Source: dropped file: CorelDRAW.398.dr	Mach-O symbol: _objc_msgSendSuper2
Source: dropped file: CorelDRAW.398.dr	Mach-O symbol: _SecItemExport
Source: dropped file: CorelDRAW.398.dr	Mach-O symbol: _OBJC_CLASS_$_NSHTTPURLResponse
Source: dropped file: CorelDRAW.398.dr	Mach-O symbol: _NSURLAuthenticationMethodServerTrust
Source: dropped file: CorelDRAW.398.dr	Mach-O symbol: _NSSearchPathForDirectoriesInDomains
Source: dropped file: CorelDRAW.398.dr	Mach-O symbol: _inet_ntoa
Source: dropped file: CorelDRAW.398.dr	Mach-O symbol: _inet_addr
Source: dropped file: CorelDRAW.398.dr	Mach-O symbol: _kIOMasterPortDefault
Source: dropped file: CorelDRAW.398.dr	Mach-O symbol: _kCFStreamPropertyHTTPProxyHost
Source: dropped file: CorelDRAW.398.dr	Mach-O symbol: _kCFStreamPropertyHTTPProxyPort
Source: dropped file: CorelDRAW.398.dr	Mach-O symbol: _kCFStreamPropertyHTTPSProxyHost
Source: dropped file: CorelDRAW.398.dr	Mach-O symbol: _kCFStreamPropertyHTTPSProxyPort

Source: submission: CorelDRAW	Mach-O symbol: _OBJC_CLASS_$_NSOperationQueue
Source: submission: CorelDRAW	Mach-O symbol: _OBJC_CLASS_$_NSOperationQueue
Source: dropped file: CorelDRAW.398.dr	Mach-O symbol: _OBJC_CLASS_$_NSOperationQueue
Source: dropped file: CorelDRAW.398.dr	Mach-O symbol: _OBJC_CLASS_$_NSOperationQueue

Source: /bin/bash (PID: 1615)	Grep executable: /usr/bin/grep -> grep CorelDRAW	Jump to behavior
Source: /bin/bash (PID: 1616)	Grep executable: /usr/bin/grep -> grep -v /Users/drew/Desktop/CorelDRAW	Jump to behavior
Source: /bin/bash (PID: 1617)	Grep executable: /usr/bin/grep -> grep -v CorelDRAW\sGraphics\sSuite	Jump to behavior
Source: /bin/bash (PID: 1622)	Grep executable: /usr/bin/grep -> grep CorelDRAW	Jump to behavior
Source: /bin/bash (PID: 1623)	Grep executable: /usr/bin/grep -> grep -v /Users/drew/Desktop/CorelDRAW	Jump to behavior
Source: /bin/bash (PID: 1624)	Grep executable: /usr/bin/grep -> grep -v CorelDRAW\sGraphics\sSuite	Jump to behavior

Source: /bin/bash (PID: 1614)	Ps executable: /bin/ps -> ps -ef			Jump to behavior
Source: /bin/bash (PID: 1621)	Ps executable: /bin/ps -> ps -ef			Jump to behavior

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse launchctl to execute commands or programs. Launchctl controls the macOS launchd process, which handles things like Launch Agent s and Launch Daemon s, but can execute other commands or programs itself. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.
Tactics:	Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies. There are tools available to perform these changes.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. Per Apple’s developer documentation, when a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (plist) files found in `/System/Library/LaunchAgents` , `/Library/LaunchAgents` , and `$HOME/Library/LaunchAgents` . These launch agents have property list files which point to the executables that will be launched . Adversaries may install a new launch agent that can be configured to execute at login by using launchd or launchctl to load a plist into the appropriate directories . The agent name may be disguised by using a name from a related operating system or benign software. Launch Agents are created with user level privileges and are executed with the privileges of the user when they log in . They can be set up to execute when a specific user logs in (in the specific user’s directory structure) or when any user logs in (which requires administrator privileges).
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Process monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may modify plist files to run a program during system boot or user login. Property list (plist) files contain all of the information that macOS and OS X uses to configure applications and services. These files are UTF-8 encoded and formatted like XML documents via a series of keys surrounded by < >. They detail when programs should execute, file paths to the executables, program arguments, required OS permissions, and many others. plists are located in certain locations depending on their purpose such as `/Library/Preferences` (which execute with elevated privileges) and `~/Library/Preferences` (which execute with a user's privileges).
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. Adversaries can copy the metadata and signature information from a signed program, then use it as a template for an unsigned program. Files with invalid code signatures will fail digital signature validation checks, but they may appear more legitimate to users and security tools may improperly handle these files.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. The certificates used during an operation may be created, acquired, or stolen by the adversary. Unlike Invalid Code Signature , this activity will result in a valid signature.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: Bypass User Access Control ).
Tactics:	Collection, Credential Access
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, User interface
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

macOS Analysis Report CorelDRAW

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Joe Sandbox Signatures

Cryptography

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Signature Similarity

Similar Samples

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/Library/LaunchDaemons/.dat.nosync064c.oZUVM0

/private/var/root/Library/Preferences/CorelDRAW/CorelDRAW

/private/var/root/Library/Preferences/CorelDRAW/MGD/tmp/.dat.nosync065e.22ra9E

/private/var/root/Library/Preferences/CorelDRAW/MGD/tmp/.dat.nosync065e.8I2nhj

/private/var/root/Library/Preferences/CorelDRAW/MGD/tmp/.dat.nosync065e.ByPN6V

/private/var/root/Library/Preferences/CorelDRAW/MGD/tmp/.dat.nosync065e.DKSotK

/private/var/root/Library/Preferences/CorelDRAW/MGD/tmp/.dat.nosync065e.FOUaKL

/private/var/root/Library/Preferences/CorelDRAW/MGD/tmp/.dat.nosync065e.G7960P

/private/var/root/Library/Preferences/CorelDRAW/MGD/tmp/.dat.nosync065e.Rg1nyJ

/private/var/root/Library/Preferences/CorelDRAW/MGD/tmp/.dat.nosync065e.ZJYZoW

/private/var/root/Library/Preferences/CorelDRAW/MGD/tmp/.dat.nosync065e.gITfgJ

/private/var/root/Library/Preferences/CorelDRAW/MGD/tmp/.dat.nosync065e.m0dNMH

/private/var/root/Library/Preferences/CorelDRAW/MGD/tmp/.dat.nosync065e.r2Rwit

/private/var/root/Library/Preferences/CorelDRAW/MGD/tmp/.dat.nosync065e.vpsM6J

Static File Info

General

CodeSign Information

Static Mach Info

General Information for header 1

Internal Symbols

External symbols

General Information for header 2

Internal Symbols

External symbols

Network Behavior

macOS Analysis Report
CorelDRAW

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre