
macOS Analysis Report
CorelDRAW

Overview

General Information

Sample Name:CorelDRAW
Analysis ID:1797574
MD5:23699799f496b8e872d05f19d2b397f8
SHA1:fe3a3e65b86d2b07654f9a6104c8cb392c88b7e8
SHA256:2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f
Detection

GIMMICK
Score:64
Range:0 - 100
Whitelisted:false

Signatures

Yara detected GIMMICK
Writes Mach-O files to untypical directories
Process deletes its process image on disk
Moves itself during installation or deletes itself after installation
Creates system-wide 'launchd' managed services aka launch daemons based on hidden files
Contains symbols with suspicious names likely related to encryption
Reads the sysctl hardware model value (might be used for detecting VM presence)
Sample is code signed by an ad-hoc signature
Contains symbols with suspicious names likely related to networking
Explicitly unloads, stops, and/or removes launch services
Reads the systems hostname
Creates system-wide 'launchd' managed services aka launch daemons
Executes the "grep" command used to find patterns in files or piped streams
Executes the "ps" command used to list the status of processes
Mach-O sample file contains an ARM64 binary that executes on Apple Silicon
Contains symbols with suspicious names likely related to well-known browsers
Sample is a FAT Mach-O sample containing binaries for multiple architectures
Creates memory-persistent launch services
Explicitly loads/starts launch services
Creates launch services that start periodically
Uses CFNetwork bundle containing interfaces for network communication (HTTP, sockets, and Bonjour)
Changes permissions of written Mach-O files
Executes commands using a shell command-line interpreter
Writes FAT Mach-O files to disk

Joe Sandbox Version:34.0.0 Boulder Opal
Analysis ID:1797574
Start date and time:2022-03-28 12:12:09 +02:00
Joe Sandbox Product:Cloud
Overall analysis duration:0h 3m 52s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:CorelDRAW
Cookbook file name:defaultmacfilecookbook.jbs
Analysis system description:Mac Mini, Big Sur (Office 2019 16.55, Java 1.8.0_311)
Run name:Potential for more IOCs and behavior
Analysis Mode:default
Detection:MAL
Classification:mal64.troj.evad.mac@0/14@2/0
  • Excluded IPs from analysis (whitelisted): 172.217.168.74, 172.217.168.67
  • Excluded domains from analysis (whitelisted): oauth2.googleapis.com, ocsp.pki.goog
Command:/Users/drew/Desktop/CorelDRAW
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:

Standard Error:/Library/LaunchDaemons/com.CorelDRAW.va.plist: Could not find specified service
Unload failed: 113: Could not find specified service
  • System is mac-bigsur
  • CorelDRAW (MD5: 23699799f496b8e872d05f19d2b397f8) Arguments: /Users/drew/Desktop/CorelDRAW
    • sh New Fork (PID: 1613, Parent: 1612)
    • bash (MD5: c1edb59ec6a40884fc3c4e201d31b1d5) Arguments: sh -c ps -ef |grep CorelDRAW |grep -v /Users/drew/Desktop/CorelDRAW |grep -v 'CorelDRAW\s*Graphics\s*Suite' |awk '{print $2}' |xargs kill -9
      • bash New Fork (PID: 1614, Parent: 1613)
      • ps (MD5: 5441fc94a247a54e76339a9e5b8c2b45) Arguments: ps -ef
      • bash New Fork (PID: 1615, Parent: 1613)
      • grep (MD5: 501a6e2ee4b55292be9321ece0fa2a93) Arguments: grep CorelDRAW
      • bash New Fork (PID: 1616, Parent: 1613)
      • grep (MD5: 501a6e2ee4b55292be9321ece0fa2a93) Arguments: grep -v /Users/drew/Desktop/CorelDRAW
      • bash New Fork (PID: 1617, Parent: 1613)
      • grep (MD5: 501a6e2ee4b55292be9321ece0fa2a93) Arguments: grep -v CorelDRAW\s*Graphics\s*Suite
      • bash New Fork (PID: 1618, Parent: 1613)
      • awk (MD5: 1780ae04585c36f7b86aaec7523fceb6) Arguments: awk {print $2}
      • bash New Fork (PID: 1619, Parent: 1613)
      • xargs (MD5: e5109f0c83efadc46f840033d8c89901) Arguments: xargs kill -9
    • sh New Fork (PID: 1620, Parent: 1612)
    • bash (MD5: c1edb59ec6a40884fc3c4e201d31b1d5) Arguments: sh -c ps -ef |grep CorelDRAW |grep -v /Users/drew/Desktop/CorelDRAW |grep -v 'CorelDRAW\s*Graphics\s*Suite' |awk '{print $2}' |xargs kill -9
      • bash New Fork (PID: 1621, Parent: 1620)
      • ps (MD5: 5441fc94a247a54e76339a9e5b8c2b45) Arguments: ps -ef
      • bash New Fork (PID: 1622, Parent: 1620)
      • grep (MD5: 501a6e2ee4b55292be9321ece0fa2a93) Arguments: grep CorelDRAW
      • bash New Fork (PID: 1623, Parent: 1620)
      • grep (MD5: 501a6e2ee4b55292be9321ece0fa2a93) Arguments: grep -v /Users/drew/Desktop/CorelDRAW
      • bash New Fork (PID: 1624, Parent: 1620)
      • grep (MD5: 501a6e2ee4b55292be9321ece0fa2a93) Arguments: grep -v CorelDRAW\s*Graphics\s*Suite
      • bash New Fork (PID: 1625, Parent: 1620)
      • awk (MD5: 1780ae04585c36f7b86aaec7523fceb6) Arguments: awk {print $2}
      • bash New Fork (PID: 1626, Parent: 1620)
      • xargs (MD5: e5109f0c83efadc46f840033d8c89901) Arguments: xargs kill -9
    • sh New Fork (PID: 1627, Parent: 1612)
    • bash (MD5: c1edb59ec6a40884fc3c4e201d31b1d5) Arguments: sh -c cp /Users/drew/Desktop/CorelDRAW /var/root/Library/Preferences/CorelDRAW/CorelDRAW
    • cp (MD5: 9007c6e0352122c17fbcea99739b716e) Arguments: cp /Users/drew/Desktop/CorelDRAW /var/root/Library/Preferences/CorelDRAW/CorelDRAW
    • sh New Fork (PID: 1628, Parent: 1612)
    • bash (MD5: c1edb59ec6a40884fc3c4e201d31b1d5) Arguments: sh -c launchctl unload -w /Library/LaunchDaemons/com.CorelDRAW.va.plist
    • launchctl (MD5: a9ce661111e6db7d90923d46f790e5c7) Arguments: launchctl unload -w /Library/LaunchDaemons/com.CorelDRAW.va.plist
    • sh New Fork (PID: 1629, Parent: 1612)
    • bash (MD5: c1edb59ec6a40884fc3c4e201d31b1d5) Arguments: sh -c launchctl load -w /Library/LaunchDaemons/com.CorelDRAW.va.plist
    • launchctl (MD5: a9ce661111e6db7d90923d46f790e5c7) Arguments: launchctl load -w /Library/LaunchDaemons/com.CorelDRAW.va.plist
  • xpcproxy New Fork (PID: 1630, Parent: 1)
  • CorelDRAW (MD5: 23699799f496b8e872d05f19d2b397f8) Arguments: /var/root/Library/Preferences/CorelDRAW/CorelDRAW
  • cleanup
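The process tree above shows the sample's installer logic as four distinct `sh -c` command lines: a ps/grep/awk/xargs pipeline that `kill -9`s every other process whose command line contains CorelDRAW (sparing its own path and the genuine "CorelDRAW Graphics Suite"), a `cp` of itself into root's Preferences directory, and a `launchctl unload`/`load -w` of a new LaunchDaemon. The Python below is an added detection sketch, not part of the Joe Sandbox report: it applies three rules to those command lines (copied from the tree) and only raises a verdict when the kill, the copy and the load appear together under one parent. The rule names, the /private path normalisation, the verdict strings and the choice of threshold are my own assumptions.

```python
import re
from dataclasses import dataclass

# The four distinct "sh -c" command lines from the report's process tree above.
OBSERVED_COMMANDS = [
    "ps -ef |grep CorelDRAW |grep -v /Users/drew/Desktop/CorelDRAW "
    "|grep -v 'CorelDRAW\\s*Graphics\\s*Suite' |awk '{print $2}' |xargs kill -9",
    "cp /Users/drew/Desktop/CorelDRAW /var/root/Library/Preferences/CorelDRAW/CorelDRAW",
    "launchctl unload -w /Library/LaunchDaemons/com.CorelDRAW.va.plist",
    "launchctl load -w /Library/LaunchDaemons/com.CorelDRAW.va.plist",
]


@dataclass(frozen=True)
class Finding:
    rule: str
    command: str


def normalize_path(path: str) -> str:
    """macOS symlinks /var, /tmp and /etc into /private: file-event telemetry
    reports the resolved path while command lines carry the symlink form."""
    for short in ("/var/", "/tmp/", "/etc/"):
        if path.startswith(short):
            return "/private" + path
    return path


def triage_command(cmd: str) -> list[Finding]:
    """Apply three rules (my own, tuned to this sample) to one shell command line."""
    findings = []
    stages = [s.strip() for s in cmd.split("|")]
    # Rule 1: a process listing piped, via grep/awk, into a forced kill. This is how
    # the sample terminates any other running copy of itself before installing.
    if (len(stages) >= 3 and re.match(r"ps\b", stages[0])
            and re.search(r"\bkill\s+-9\b", stages[-1])):
        findings.append(Finding("ps->kill-9 pipeline", cmd))
    # Rule 2: a file from a user's home copied into root's home directory.
    m = re.fullmatch(r"cp\s+(\S+)\s+(\S+)", cmd)
    if m and m.group(1).startswith("/Users/") \
            and normalize_path(m.group(2)).startswith("/private/var/root/"):
        findings.append(Finding("copy into root home", cmd))
    # Rule 3: a system-wide LaunchDaemon loaded with -w (clears the Disabled
    # override, so the job survives reboots) from a shell, not a package installer.
    if re.match(r"launchctl\s+load\s+(?:-w\s+)?/Library/LaunchDaemons/\S+", cmd):
        findings.append(Finding("LaunchDaemon load", cmd))
    return findings


INSTALL_PATTERN = {"ps->kill-9 pipeline", "copy into root home", "LaunchDaemon load"}


def triage_process_tree(commands: list[str]) -> tuple[str, list[Finding]]:
    """Judge one parent's children together: any single rule is noisy (admins kill
    processes and load daemons too); the three together are the self-installing
    daemon pattern in the tree above. The verdict strings are my own labels."""
    findings = [f for cmd in commands for f in triage_command(cmd)]
    hit = {f.rule for f in findings}
    verdict = "self-installing daemon pattern" if INSTALL_PATTERN <= hit else "review individually"
    return verdict, findings


if __name__ == "__main__":
    verdict, findings = triage_process_tree(OBSERVED_COMMANDS)
    print(verdict)
    for f in findings:
        print(f"  [{f.rule}] {f.command}")
```

Run on the four observed commands the verdict is "self-installing daemon pattern" with one hit per rule; the `launchctl unload` line trips nothing on its own, which matches the stderr above showing it failed because the service was not yet loaded.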
Source | Rule | Description | Author
CorelDRAW | JoeSecurity_GIMMICK | Yara detected GIMMICK | Joe Security
/private/var/root/Library/Preferences/CorelDRAW/CorelDRAW | JoeSecurity_GIMMICK | Yara detected GIMMICK | Joe Security
00001612.00000367.1.00000001023ae000.00000001023ea000.r-x.sdmp | JoeSecurity_GIMMICK | Yara detected GIMMICK | Joe Security
00001612.00000367.9.00000001023ae000.00000001023ea000.r-x.sdmp | JoeSecurity_GIMMICK | Yara detected GIMMICK | Joe Security
Process Memory Space: CorelDRAW PID: 1612 | JoeSecurity_GIMMICK | Yara detected GIMMICK | Joe Security

            Source: submission: CorelDRAW | Mach-O symbol: _CCCrypt
            Source: dropped file: CorelDRAW.398.dr | Mach-O symbol: _CCCrypt
            Source: CorelDRAW.398.dr | String found in binary or memory: http://cgi1.apnic.net/cgi-bin/my-ip.php
            Source: CorelDRAW, 00001612.00000367.1.00000001028f3000.000000010292b000.r--.sdmp | String found in binary or memory: http://crl.apple.com/codesigning.crl0
            Source: CorelDRAW, .dat.nosync064c.oZUVM0.367.dr, CorelDRAW.398.dr | String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
            Source: CorelDRAW, 00001612.00000367.1.00000001028f3000.000000010292b000.r--.sdmp | String found in binary or memory: http://www.apple.com/appleca/root.crl0
            Source: CorelDRAW, 00001612.00000367.1.00000001028f3000.000000010292b000.r--.sdmp | String found in binary or memory: https://www.apple.com/appleca/0
            Source: CorelDRAW, CorelDRAW.398.dr | String found in binary or memory: https://www.googleapis.com/drive/v2/files/trash
            Source: CorelDRAW.398.dr | String found in binary or memory: https://www.googleapis.com/drive/v2/files/trash%
            Source: CorelDRAW.398.dr | String found in binary or memory: https://www.googleapis.com/drive/v3/files/%
            Source: CorelDRAW.398.dr | String found in binary or memory: https://www.googleapis.com/drive/v3/files?fields=id%2C
            Source: CorelDRAW.398.dr | String found in binary or memory: https://www.googleapis.com/drive/v3/files?q=%%27%
            Source: CorelDRAW, CorelDRAW.398.dr | String found in binary or memory: https://www.googleapis.com/upload/drive/v3/files?alt=json&uploadType=resumable
            Source: CorelDRAW.398.dr | String found in binary or memory: https://www.googleapis.com/upload/drive/v3/files?alt=json&uploadType=resumable%ldX-Upload-Content-Le
            Source: CorelDRAW, CorelDRAW.398.dr | String found in binary or memory: https://www.googleapis.com/upload/drive/v3/files?uploadType=multipart
            Source: CorelDRAW.398.dr | String found in binary or memory: https://www.googleapis.com/upload/drive/v3/files?uploadType=multipartdatametadataapplication/json;
            Source: unknown | DNS traffic detected: queries for: pki-goog.l.google.com
            Source: classification engine | Classification label: mal64.troj.evad.mac@0/14@2/0
            Source: submission: CorelDRAW | Mach-O symbol: _objc_msgSend
            Source: submission: CorelDRAW | Mach-O symbol: _objc_msgSendSuper2
            Source: submission: CorelDRAW | Mach-O symbol: _objc_msgSend_stret
            Source: submission: CorelDRAW | Mach-O symbol: _SecItemExport
            Source: submission: CorelDRAW | Mach-O symbol: _OBJC_CLASS_$_NSHTTPURLResponse
            Source: submission: CorelDRAW | Mach-O symbol: _NSURLAuthenticationMethodServerTrust
            Source: submission: CorelDRAW | Mach-O symbol: _NSSearchPathForDirectoriesInDomains
            Source: submission: CorelDRAW | Mach-O symbol: _inet_addr
            Source: submission: CorelDRAW | Mach-O symbol: _inet_ntoa
            Source: submission: CorelDRAW | Mach-O symbol: _kCFStreamPropertyHTTPProxyHost
            Source: submission: CorelDRAW | Mach-O symbol: _kCFStreamPropertyHTTPProxyPort
            Source: submission: CorelDRAW | Mach-O symbol: _kCFStreamPropertyHTTPSProxyHost
            Source: submission: CorelDRAW | Mach-O symbol: _kCFStreamPropertyHTTPSProxyPort
            Source: submission: CorelDRAW | Mach-O symbol: _kIOMasterPortDefault
            Source: dropped file: CorelDRAW.398.dr | Mach-O symbol: _objc_msgSend
            Source: dropped file: CorelDRAW.398.dr | Mach-O symbol: _objc_msgSendSuper2
            Source: dropped file: CorelDRAW.398.dr | Mach-O symbol: _objc_msgSend_stret
            Source: dropped file: CorelDRAW.398.dr | Mach-O symbol: _SecItemExport
            Source: dropped file: CorelDRAW.398.dr | Mach-O symbol: _OBJC_CLASS_$_NSHTTPURLResponse
            Source: dropped file: CorelDRAW.398.dr | Mach-O symbol: _NSURLAuthenticationMethodServerTrust
            Source: dropped file: CorelDRAW.398.dr | Mach-O symbol: _NSSearchPathForDirectoriesInDomains
            Source: dropped file: CorelDRAW.398.dr | Mach-O symbol: _inet_addr
            Source: dropped file: CorelDRAW.398.dr | Mach-O symbol: _inet_ntoa
            Source: dropped file: CorelDRAW.398.dr | Mach-O symbol: _kCFStreamPropertyHTTPProxyHost
            Source: dropped file: CorelDRAW.398.dr | Mach-O symbol: _kCFStreamPropertyHTTPProxyPort
            Source: dropped file: CorelDRAW.398.dr | Mach-O symbol: _kCFStreamPropertyHTTPSProxyHost
            Source: dropped file: CorelDRAW.398.dr | Mach-O symbol: _kCFStreamPropertyHTTPSProxyPort
            Source: dropped file: CorelDRAW.398.dr | Mach-O symbol: _kIOMasterPortDefault
            Source: submission: CorelDRAW | Mach-O symbol: _OBJC_CLASS_$_NSOperationQueue
            Source: dropped file: CorelDRAW.398.dr | Mach-O symbol: _OBJC_CLASS_$_NSOperationQueue

            Persistence and Installation Behavior

            Source: /bin/cp (PID: 1627) | FAT Mach-O written to unusual path: /private/var/root/Library/Preferences/CorelDRAW/CorelDRAW
            Source: /Users/drew/Desktop/CorelDRAW (PID: 1612) | Process image deleted: /Users/drew/Desktop/CorelDRAW
            Source: submission | Code Signing Info: Signature=adhoc
            Source: /bin/bash (PID: 1628) | Launch agent/daemon unloaded: launchctl unload -w /Library/LaunchDaemons/com.CorelDRAW.va.plist
            Source: /bin/bash (PID: 1615) | Grep executable: /usr/bin/grep -> grep CorelDRAW
            Source: /bin/bash (PID: 1616) | Grep executable: /usr/bin/grep -> grep -v /Users/drew/Desktop/CorelDRAW
            Source: /bin/bash (PID: 1617) | Grep executable: /usr/bin/grep -> grep -v CorelDRAW\s*Graphics\s*Suite
            Source: /bin/bash (PID: 1622) | Grep executable: /usr/bin/grep -> grep CorelDRAW
            Source: /bin/bash (PID: 1623) | Grep executable: /usr/bin/grep -> grep -v /Users/drew/Desktop/CorelDRAW
            Source: /bin/bash (PID: 1624) | Grep executable: /usr/bin/grep -> grep -v CorelDRAW\s*Graphics\s*Suite
            Source: /bin/bash (PID: 1614) | Ps executable: /bin/ps -> ps -ef
            Source: /bin/bash (PID: 1621) | Ps executable: /bin/ps -> ps -ef
            Source: submission | Mach-O header: Mach-O universal binary with 2 architectures: [x86_64:Mach-O 64-bit x86_64 executable, flags:<NOUNDEFS|DYLDLINK|TWOLEVEL|BINDS_TO_WEAK|PIE>] [arm64:Mach-O 64-bit arm64 executable, flags:<NOUNDEFS|DYLDLINK|TWOLEVEL|BINDS_TO_WEAK|PIE>]
            Source: submission | File header: Mach-O universal binary with 2 architectures: [x86_64:Mach-O 64-bit x86_64 executable, flags:<NOUNDEFS|DYLDLINK|TWOLEVEL|BINDS_TO_WEAK|PIE>] [arm64:Mach-O 64-bit arm64 executable, flags:<NOUNDEFS|DYLDLINK|TWOLEVEL|BINDS_TO_WEAK|PIE>]
            Source: /bin/bash (PID: 1629) | Launch agent/daemon loaded: launchctl load -w /Library/LaunchDaemons/com.CorelDRAW.va.plist
            Source: /Users/drew/Desktop/CorelDRAW (PID: 1612) | Launch agent/daemon created with StartInterval and/or StartCalendarInterval, file moved: /Library/LaunchDaemons/.dat.nosync064c.oZUVM0 -> /Library/LaunchDaemons/com.CorelDRAW.va.plist
            Source: /Users/drew/Desktop/CorelDRAW (PID: 1612) | CFNetwork info plist opened: /System/Library/Frameworks/CFNetwork.framework/Resources/Info.plist
            Source: /var/root/Library/Preferences/CorelDRAW/CorelDRAW (PID: 1630) | CFNetwork info plist opened: /System/Library/Frameworks/CFNetwork.framework/Resources/Info.plist
            Source: /bin/cp (PID: 1627) | Permissions modified for written FAT Mach-O /private/var/root/Library/Preferences/CorelDRAW/CorelDRAW: bits: - usr: rx grp: rx all: rwx
            Source: /Users/drew/Desktop/CorelDRAW (PID: 1612) | Shell command executed: sh -c ps -ef |grep CorelDRAW |grep -v /Users/drew/Desktop/CorelDRAW |grep -v 'CorelDRAW\s*Graphics\s*Suite' |awk '{print $2}' |xargs kill -9
            Source: /Users/drew/Desktop/CorelDRAW (PID: 1612) | Shell command executed: sh -c cp /Users/drew/Desktop/CorelDRAW /var/root/Library/Preferences/CorelDRAW/CorelDRAW
            Source: /Users/drew/Desktop/CorelDRAW (PID: 1612) | Shell command executed: sh -c launchctl unload -w /Library/LaunchDaemons/com.CorelDRAW.va.plist
            Source: /Users/drew/Desktop/CorelDRAW (PID: 1612) | Shell command executed: sh -c launchctl load -w /Library/LaunchDaemons/com.CorelDRAW.va.plist
            Source: /bin/sh (PID: 1613) | Shell command executed: sh -c ps -ef |grep CorelDRAW |grep -v /Users/drew/Desktop/CorelDRAW |grep -v 'CorelDRAW\s*Graphics\s*Suite' |awk '{print $2}' |xargs kill -9
            Source: /bin/sh (PID: 1620) | Shell command executed: sh -c ps -ef |grep CorelDRAW |grep -v /Users/drew/Desktop/CorelDRAW |grep -v 'CorelDRAW\s*Graphics\s*Suite' |awk '{print $2}' |xargs kill -9
            Source: /bin/sh (PID: 1627) | Shell command executed: sh -c cp /Users/drew/Desktop/CorelDRAW /var/root/Library/Preferences/CorelDRAW/CorelDRAW
            Source: /bin/sh (PID: 1628) | Shell command executed: sh -c launchctl unload -w /Library/LaunchDaemons/com.CorelDRAW.va.plist
            Source: /bin/sh (PID: 1629) | Shell command executed: sh -c launchctl load -w /Library/LaunchDaemons/com.CorelDRAW.va.plist
            Source: /bin/cp (PID: 1627) | File written: /private/var/root/Library/Preferences/CorelDRAW/CorelDRAW
            Source: submission | Mach-O header: dylib_command -> /System/Library/Frameworks/Security.framework/Versions/A/Security
            Source: submission: CorelDRAW | Mach-O header: dylib_command -> /System/Library/Frameworks/AppKit.framework/Versions/C/AppKit
            Source: dropped file: CorelDRAW | Mach-O header: dylib_command -> /System/Library/Frameworks/AppKit.framework/Versions/C/AppKit
            Source: /bin/bash (PID: 1618) | Awk executable: /usr/bin/awk -> awk {print $2}
            Source: /bin/bash (PID: 1625) | Awk executable: /usr/bin/awk -> awk {print $2}
            Source: /Users/drew/Desktop/CorelDRAW (PID: 1612) | XML plist file created: /Library/LaunchDaemons/.dat.nosync064c.oZUVM0
            Source: initial sample | Mach-O header: dylib_command -> /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit
            Source: submission: CorelDRAW | Mach-O header: dylib_command -> /System/Library/Frameworks/SystemConfiguration.framework/Versions/A/SystemConfiguration
            Source: dropped file: CorelDRAW | Mach-O header: dylib_command -> /System/Library/Frameworks/SystemConfiguration.framework/Versions/A/SystemConfiguration
            Source: /var/root/Library/Preferences/CorelDRAW/CorelDRAW (PID: 1630) | Random device file read: /dev/urandom
            Source: submitted sample | Stderr: /Library/LaunchDaemons/com.CorelDRAW.va.plist: Could not find specified service; Unload failed: 113: Could not find specified service; exit code = 0
            Source: submission | CodeSign Info: Executable=/Users/drew/Desktop/CorelDRAW
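The Mach-O header lines above and the dropped-file record at the end of the report both describe the sample as a universal binary: an x86_64 and an arm64 slice, each an executable with NOUNDEFS|DYLDLINK|TWOLEVEL|BINDS_TO_WEAK|PIE. The parser below is an added example, not code from the report: it reads the big-endian fat header, walks each fat_arch entry to its little-endian mach_header_64, decodes those flags, cross-checks the cputype recorded in the fat header against the one in the slice, and rejects a Java class file, which shares the 0xCAFEBABE magic. The two-slice sample it parses is constructed to match the report's description and is not the real file.

```python
import struct

FAT_MAGIC = 0xCAFEBABE      # fat header fields are big-endian on disk
MH_MAGIC_64 = 0xFEEDFACF    # 64-bit slices on x86_64/arm64 are little-endian
MH_EXECUTE = 0x2
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}
# The mach_header flags the report lists, with their values from <mach-o/loader.h>.
MH_FLAGS = {0x1: "NOUNDEFS", 0x4: "DYLDLINK", 0x80: "TWOLEVEL",
            0x10000: "BINDS_TO_WEAK", 0x200000: "PIE"}


def parse_mach_header_64(data: bytes, offset: int) -> dict:
    """Decode the 32-byte mach_header_64 that starts one slice."""
    (magic, cputype, _cpusubtype, filetype,
     ncmds, _sizeofcmds, flags, _reserved) = struct.unpack_from("<8I", data, offset)
    if magic != MH_MAGIC_64:
        raise ValueError(f"no 64-bit little-endian Mach-O header at {offset:#x}")
    return {
        "cputype": cputype,
        "arch": CPU_NAMES.get(cputype, f"cputype {cputype:#x}"),
        "executable": filetype == MH_EXECUTE,
        "ncmds": ncmds,
        "flags": [name for bit, name in sorted(MH_FLAGS.items()) if flags & bit],
        "pie": bool(flags & 0x200000),
    }


def parse_fat(data: bytes) -> list[dict]:
    """Return one dict per slice of a FAT (universal) Mach-O."""
    magic, nfat_arch = struct.unpack_from(">II", data, 0)
    if magic != FAT_MAGIC:
        raise ValueError("not a FAT Mach-O")
    # 0xCAFEBABE is also the Java class-file magic; a genuine fat header carries a
    # small slice count, the same disambiguation heuristic file(1) relies on.
    if not 0 < nfat_arch < 0x30:
        raise ValueError("implausible slice count; probably a Java class file")
    slices = []
    for i in range(nfat_arch):
        cputype, _subtype, off, size, _align = struct.unpack_from(">5I", data, 8 + 20 * i)
        if off + size > len(data):
            raise ValueError(f"slice {i} extends past end of file")
        hdr = parse_mach_header_64(data, off)
        if hdr["cputype"] != cputype:
            raise ValueError(f"slice {i}: fat_arch cputype disagrees with its mach_header")
        hdr.update(offset=off, size=size)
        slices.append(hdr)
    return slices


def build_sample() -> bytes:
    """Constructed two-slice universal binary (empty load-command tables) that mirrors
    what the report says about the sample; this is not the real file."""
    flags = 0x1 | 0x4 | 0x80 | 0x10000 | 0x200000
    layout = {CPU_TYPE_X86_64: (0x1000, 0x3), CPU_TYPE_ARM64: (0x2000, 0x0)}
    data = bytearray(0x2000 + 32)
    fat = struct.pack(">II", FAT_MAGIC, len(layout))
    for cputype, (off, subtype) in layout.items():
        fat += struct.pack(">5I", cputype, subtype, off, 32, 12)
        data[off:off + 32] = struct.pack("<8I", MH_MAGIC_64, cputype, subtype,
                                         MH_EXECUTE, 0, 0, flags, 0)
    data[:len(fat)] = fat
    return bytes(data)


if __name__ == "__main__":
    for s in parse_fat(build_sample()):
        print(f"{s['arch']:7} @ {s['offset']:#x} executable={s['executable']} "
              f"flags={'|'.join(s['flags'])}")
```

On a real file, replace `build_sample()` with the file's bytes; a thin (single-architecture) Mach-O begins directly with 0xFEEDFACF and is rejected by `parse_fat`, so check the first four bytes before choosing which parser to call.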

            Boot Survival

            Source: /Users/drew/Desktop/CorelDRAW (PID: 1612) | Launch daemon created from hidden file: /Library/LaunchDaemons/.dat.nosync064c.oZUVM0 -> /Library/LaunchDaemons/com.CorelDRAW.va.plist
            Source: /Users/drew/Desktop/CorelDRAW (PID: 1612) | Launch daemon created, file moved: /Library/LaunchDaemons/.dat.nosync064c.oZUVM0 -> /Library/LaunchDaemons/com.CorelDRAW.va.plist
            Source: /Users/drew/Desktop/CorelDRAW (PID: 1612) | Launch agent/daemon created with KeepAlive and/or RunAtLoad, file moved: /Library/LaunchDaemons/.dat.nosync064c.oZUVM0 -> /Library/LaunchDaemons/com.CorelDRAW.va.plist

            Hooking and other Techniques for Hiding and Protection

            Source: /Users/drew/Desktop/CorelDRAW (PID: 1612) | File deleted: /Users/drew/Desktop/CorelDRAW
            Source: /var/root/Library/Preferences/CorelDRAW/CorelDRAW (PID: 1630) | Sysctl read request: hw.model (6.2)
            Source: CorelDRAW, 00001612.00000367.9.000000010245e000.0000000102467000.r--.sdmp | Binary or memory string: framework.vmnet
            Source: CorelDRAW, 00001612.00000367.9.000000010245e000.0000000102467000.r--.sdmp | Binary or memory string: framework.vmnet$
            Source: /bin/bash (PID: 1613) | Sysctl requested: kern.hostname (1.10)
            Source: /bin/bash (PID: 1620) | Sysctl requested: kern.hostname (1.10)
            Source: /bin/bash (PID: 1627) | Sysctl requested: kern.hostname (1.10)
            Source: /bin/bash (PID: 1628) | Sysctl requested: kern.hostname (1.10)
            Source: /bin/bash (PID: 1629) | Sysctl requested: kern.hostname (1.10)
            Source: /var/root/Library/Preferences/CorelDRAW/CorelDRAW (PID: 1630) | System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist

            Stealing of Sensitive Information

            Source: Yara match | File source: CorelDRAW, type: SAMPLE
            Source: Yara match | File source: 00001612.00000367.1.00000001023ae000.00000001023ea000.r-x.sdmp, type: MEMORY
            Source: Yara match | File source: 00001612.00000367.9.00000001023ae000.00000001023ea000.r-x.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: CorelDRAW PID: 1612, type: MEMORYSTR
            Source: Yara match | File source: /private/var/root/Library/Preferences/CorelDRAW/CorelDRAW, type: DROPPED

            Remote Access Functionality

            Source: Yara match | File source: CorelDRAW, type: SAMPLE
            Source: Yara match | File source: 00001612.00000367.1.00000001023ae000.00000001023ea000.r-x.sdmp, type: MEMORY
            Source: Yara match | File source: 00001612.00000367.9.00000001023ae000.00000001023ea000.r-x.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: CorelDRAW PID: 1612, type: MEMORYSTR
            Source: Yara match | File source: /private/var/root/Library/Preferences/CorelDRAW/CorelDRAW, type: DROPPED
            MITRE ATT&CK Matrix (techniques the signatures above map to; number of matching signatures in parentheses)
            Initial Access: none
            Execution: Command and Scripting Interpreter (1), Scripting (1), Launchctl (1)
            Persistence: LC_LOAD_DYLIB Addition (1), Launch Agent (3), Launch Daemon (14), Plist Modification (1)
            Privilege Escalation: LC_LOAD_DYLIB Addition (1), Launch Agent (3), Launch Daemon (14), Plist Modification (1)
            Defense Evasion: Masquerading (1), Virtualization/Sandbox Evasion (1), Scripting (1), Hidden Files and Directories (1), Invalid Code Signature (11), Code Signing (11), File Deletion (2)
            Credential Access: GUI Input Capture (1)
            Discovery: Security Software Discovery (11), Virtualization/Sandbox Evasion (1), Process Discovery (1), System Network Configuration Discovery (1), System Information Discovery (21)
            Lateral Movement: none
            Collection: GUI Input Capture (1)
            Exfiltration: none
            Command and Control: Encrypted Channel (1), Non-Application Layer Protocol (1), Application Layer Protocol (1)
            Network Effects: none
            Remote Service Effects: none
            Impact: none
            Behavior Graph (ID: 1797574, Sample: CorelDRAW, Startdate: 28/03/2022, Architecture: MAC, Score: 64)
              • DNS: pki-goog.l.google.com
              • Signature: Yara detected GIMMICK
              • Process: CorelDRAW (started); dropped file: /Library/LaunchDae...t.nosync064c.oZUVM0 (XML); signatures: Creates system-wide 'launchd' managed services aka launch daemons based on hidden files; Process deletes its process image on disk; Moves itself during installation or deletes itself after installation
                • sh -> bash -> cp (started); dropped file: /private/var/root/...CorelDRAW/CorelDRAW (Mach-O); signature: Writes Mach-O files to untypical directories
                • sh -> bash (started) -> bash ps, bash grep, bash grep, 3 other processes
                • sh -> bash (started) -> bash ps, bash grep, bash grep, 3 other processes
                • 2 other processes
              • Process: xpcproxy CorelDRAW (started)

            No Antivirus matches
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            pki-goog.l.google.com | 172.217.168.67 | true | false | | high
              Name | Source | Malicious | Antivirus Detection | Reputation
              http://cgi1.apnic.net/cgi-bin/my-ip.php | CorelDRAW.398.dr | false | | high
                No contacted IP infos
                Samplename | Analysis ID | SHA256 | Similarity
                No context
                Match | Associated Sample Name / URL | Detection | Context (IP)
                pki-goog.l.google.com | WalkmeAllInOneInstaller_mac_firefox_safari.pkg | malicious | 172.217.168.67
                pki-goog.l.google.com | https://l.wl.co/l?u=https://abre.ai/eeN1?userid=GKywgnP7 | malicious | 172.217.168.67
                pki-goog.l.google.com | WalkmeAllInOneInstaller_mac_firefox_safari.pkg | malicious | 142.250.186.163
                pki-goog.l.google.com | 218.exe | malicious | 172.217.168.35
                pki-goog.l.google.com | 103.dll | malicious | 172.217.168.35
                pki-goog.l.google.com | 7zx.dmg | malicious | 142.250.185.67
                pki-goog.l.google.com | ntfsformac.dmg | malicious | 142.250.185.99
                Process:/Users/drew/Desktop/CorelDRAW
                File Type:XML 1.0 document, ASCII text
                Category:dropped
                Size (bytes):582
                Entropy (8bit):5.131006203834412
                Encrypted:false
                SSDEEP:6:TMVBd/4o+tJCc4EyfdUdBRECcgVvMVX/C1iXnvT+M6AGJav9svEq7EgJ1AYj6RA7:TMHdgo+tJVEdQiCXFM560vPV6EuC/kn
                MD5:93B1FBA1725A0553AE1C33B7E9F507D3
                SHA1:4EAEF620D7C09BAAFA96D6EE7D40CC5C8925FE23
                SHA-256:3FFF484073E2DCB8E724BB6527BCEA19AFEB9408BC179B358B299E369B7B0937
                SHA-512:5D3A52B8B513354409FC1793D89B3CC51863CDCE732A06F3A01C66944DB4832ACB4C9E6DFFC30FF05CB6FB5CA438326BDFF5149ECCC10BE8A8ADB57A728AFF24
                Malicious:true
                Reputation:low
Preview:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.CorelDRAW.va.plist</string>
    <key>ProgramArguments</key>
    <array>
        <string>/var/root/Library/Preferences/CorelDRAW/CorelDRAW</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>StartInterval</key>
    <integer>30</integer>
    <key>ThrottleInterval</key>
    <integer>2</integer>
    <key>WorkingDirectory</key>
    <string>/var/root/Library/Preferences/CorelDRAW</string>
</dict>
</plist>
                Process:/bin/cp
                File Type:Mach-O universal binary with 2 architectures: [x86_64:Mach-O 64-bit x86_64 executable, flags:<NOUNDEFS|DYLDLINK|TWOLEVEL|BINDS_TO_WEAK|PIE>] [arm64:Mach-O 64-bit arm64 executable, flags:<NOUNDEFS|DYLDLINK|TWOLEVEL|BINDS_TO_WEAK|PIE>]
                Category:dropped
                Size (bytes):730896
                Entropy (8bit):5.80386227119502
                Encrypted:false
                SSDEEP:6144:0RDkTCDC628O+i5Npv56/SfQ7WXIRPeTqiKjBAaIeuLkN04b1Z2O/a0csN2oGA8s:q5o657MOPhKCuo64b//nPpA/OGg2Y5
                MD5:23699799F496B8E872D05F19D2B397F8
                SHA1:FE3A3E65B86D2B07654F9A6104C8CB392C88B7E8
                SHA-256:2A9296AC999E78F6C0BEE8ACA8BFA4D4638AA30D9C8CCC65124B1CBFC9CAAB5F
                SHA-512:F347C47AFE06ED7EF2A71B7E40AC0103F4F33E26250661173775B349BBA7452EA458E5D4137A57B34801556959BCA14093A9F693D59C147061F63F2B78614288
                Malicious:true
                Yara Hits:
                • Rule: JoeSecurity_GIMMICK, Description: Yara detected GIMMICK, Source: /private/var/root/Library/Preferences/CorelDRAW/CorelDRAW, Author: Joe Security
                Reputation:low
                Preview:..................@...h...................g.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                Process:/var/root/Library/Preferences/CorelDRAW/CorelDRAW
                File Type:ASCII text, with no line terminators
                Category:dropped
                Size (bytes):37
                Entropy (8bit):3.719739433770471
                Encrypted:false
                SSDEEP:3:K9S7IkZnAUX:K9SM8AUX
                MD5:8CA9A1D07D3ADD7CB574C0FFE89AE580
                SHA1:2E8232F8238564D4A803603EF768BE7771FCC504
                SHA-256:CBD9437B6DCDDB06AE0E9193DAC3934235EDC0054E645603609EFCA0AE6C205E
                SHA-512:1F222FAB485F89E833A4E263881768170F1987D1256A82F59CF5F9F831ABF1C8540526A9447CD5885AF674A937E96BC0929C8C5EAF593B9DAE7FD88AC3AA7F7D
                Malicious:false
                Reputation:low
                Preview:/4A29D748-478D-5918-9B3E-821BD949E362
                Process:/var/root/Library/Preferences/CorelDRAW/CorelDRAW
                File Type:data
                Category:dropped
                Size (bytes):576
                Entropy (8bit):7.663922691714716
                Encrypted:false
                SSDEEP:12:M54V1Uirejq+im9KO11fYPOl+0+vbf9fDqtvpAgWfabNFN+Bk6soqDZaJYJsD:71bK2+RKa1fYP4+0+zf9fDWvpWIzNZ6r
                MD5:20134EBEA260D8147E0973D909C5EC76
                SHA1:F5F3AF403C8490A928917B96D027D00BF531A2D1
                SHA-256:227DC0ED1D597D9346FA0F2879D3107A85DC56B6F1E072F2D7D6848B7061E169
                SHA-512:B9041FA31FC5FE6E96A48FCED220C6EB124ECCAAF31D51947BC9B62E341BDBE3B8DB83EC34EB2D4B2328740A27F3DE7D38A154569293D4D5D32E151BD11B8D91
                Malicious:false
                Reputation:low
                Preview:g.*j..........O../.xQ*.t .46#6S!.]..t@.L...ZZ.`.......F.."../.. ..m..K.[.!.N.k...?..q..0~.|..p... u.i#....S..(.z...t........r...g...q\..jl...K.s.JL.u..?w..F_E.v87R..)G..05.;.'+..d.j#.(.:..V..#...j......V?...%...._pe.d...b.}.......C....I.O3....$6.zm0w.4..NC........hI.TW....2..=.i%..$......e..,/|.Y]C\......n..,o..E..M..s"v..Y.w.....g..rB.Td...xZy..A.....o.Z....}.s.+...-.8.kq.[...;......-h\...1.O.@.2..RpRW.....+..<.............9.EE&..:.A._..Y.6`!.P.....L..GO..)~E.E[J..yF.Vq+ ....(.oLy.$....#J..bTT.F.q.!..y..u\.=...A^..c..f.vR....lH...55....G.b.qa.{.
                Process:/var/root/Library/Preferences/CorelDRAW/CorelDRAW
                File Type:data
                Category:dropped
                Size (bytes):160
                Entropy (8bit):6.837492001110321
                Encrypted:false
                SSDEEP:3:OZQN+uyps0LmtuzJEg10e0C/zIcqidOE7lcaMjYrr6D/rFz6Q/3iqra7n:2QI9p3Laub1x0C/zI+dOE7bMjyr6D/RC
                MD5:21C624CBE49EE68BD5D57F7A70D24829
                SHA1:3ED80F487583C7607E72B5A71072C8E6A56C1FEF
                SHA-256:390390FFBE3E23E80B2922A11725DF064CE25AD39F7079166DEE564331CA8C0B
                SHA-512:83828EE8490A88859635C08BFC5795E81B8282F8113E62CA9D091CE84C37F384B61D3495653591E0A0912AB099175AF86DF0D8455307589960B4C5E4C8212A98
                Malicious:false
                Reputation:low
                Preview:..Id|s>G..nh-....z......l..~...L..f..F(0....I@.)..33..Q{.6...gY.{rDa.g.=..^O.....B!T..e..F.\.]9.<........O..:...Nx..G...f.. L'....m..$....K.. q)Q&`.
                File type:Mach-O universal binary with 2 architectures: [x86_64:Mach-O 64-bit x86_64 executable, flags:<NOUNDEFS|DYLDLINK|TWOLEVEL|BINDS_TO_WEAK|PIE>] [arm64:Mach-O 64-bit arm64 executable, flags:<NOUNDEFS|DYLDLINK|TWOLEVEL|BINDS_TO_WEAK|PIE>]
                Entropy (8bit):5.80386227119502
                TrID:
                • Java Bytecode (6004/1) 53.25%
                • Mac OS X Universal Binary executable (4004/1) 35.51%
                • HSC music composer song (1267/141) 11.24%
                File name:CorelDRAW
                File size:730896
                MD5:23699799f496b8e872d05f19d2b397f8
                SHA1:fe3a3e65b86d2b07654f9a6104c8cb392c88b7e8
                SHA256:2a9296ac999e78f6c0bee8aca8bfa4d4638aa30d9c8ccc65124b1cbfc9caab5f
                SHA512:f347c47afe06ed7ef2a71b7e40ac0103f4f33e26250661173775b349bba7452ea458e5d4137a57b34801556959bca14093a9f693d59c147061f63f2b78614288
                SSDEEP:6144:0RDkTCDC628O+i5Npv56/SfQ7WXIRPeTqiKjBAaIeuLkN04b1Z2O/a0csN2oGA8s:q5o657MOPhKCuo64b//nPpA/OGg2Y5
                File Content Preview:..................@...h...................g....................................................................................................................................................................................................................
                ["Executable=/Users/drew/Desktop/CorelDRAW","Identifier=mac_g-555549445cd8df8d99113f7e80441e2f666a6787","Format=Mach-O universal (x86_64 arm64)","CodeDirectory v=20400 size=2983 flags=0x2(adhoc) hashes=82+7 location=embedded","VersionPlatform=1","VersionMin=658688","VersionSDK=721152","Hash type=sha256 size=32","CandidateCDHash sha256=6302e519278381c37ef32582033b6314dcf3a0bd","CandidateCDHashFull sha256=6302e519278381c37ef32582033b6314dcf3a0bdc0ee46eb524347ce4dd19465","Hash choices=sha256","CMSDigest=6302e519278381c37ef32582033b6314dcf3a0bdc0ee46eb524347ce4dd19465","CMSDigestType=2","Executable Segment base=0","Executable Segment limit=245760","Executable Segment flags=0x1","Page size=4096","CDHash=6302e519278381c37ef32582033b6314dcf3a0bd","Signature=adhoc","Info.plist=not bound","TeamIdentifier=not set","Sealed Resources=none","Internal requirements count=0 size=12"]
                General Information for header 1
                Endian:<
                Size:64-bit
                Architecture:x86_64
                Filetype:execute
                Nbr. of load commands:26
                Entry point:0x2110
Name      Value
segname   __PAGEZERO
vmaddr    0x0
vmsize    0x100000000
fileoff   0x0
filesize  0x0
maxprot   0x0
initprot  0x0
nsects    0
flags     0x0

Name      Value
segname   __TEXT
vmaddr    0x100000000
vmsize    0x3C000
fileoff   0x0
filesize  0x3C000
maxprot   0x5
initprot  0x5
nsects    11
flags     0x0
Datas
sectname          segname  addr         size     offset   entropy  align  reloff  nreloc  flags
__text            __TEXT   0x100002110  0x2DAEA  0x2110   6.0068   0x4    0x0     0       0x80000400
__stubs           __TEXT   0x10002FBFA  0x3F0    0x2FBFA  3.5534   0x1    0x0     0       0x80000408
__stub_helper     __TEXT   0x10002FFEC  0x682    0x2FFEC  4.6998   0x2    0x0     0       0x80000400
__gcc_except_tab  __TEXT   0x100030670  0x136C   0x30670  5.7052   0x2    0x0     0       0x0
__cstring         __TEXT   0x1000319DC  0x34F0   0x319DC  5.4365   0x0    0x0     0       0x2
__objc_methname   __TEXT   0x100034ECC  0x5383   0x34ECC  4.8658   0x0    0x0     0       0x2
__const           __TEXT   0x10003A250  0xA0     0x3A250  2.2345   0x4    0x0     0       0x0
__objc_classname  __TEXT   0x10003A2F0  0x39F    0x3A2F0  4.9640   0x0    0x0     0       0x2
__objc_methtype   __TEXT   0x10003A68F  0xF8B    0x3A68F  5.1624   0x0    0x0     0       0x2
__ustring         __TEXT   0x10003B61A  0x52     0x3B61A  4.8240   0x1    0x0     0       0x0
__unwind_info     __TEXT   0x10003B66C  0x994    0x3B66C  5.9544   0x2    0x0     0       0x0
Name      Value
segname   __DATA
vmaddr    0x10003C000
vmsize    0x10000
fileoff   0x3C000
filesize  0x10000
maxprot   0x3
initprot  0x3
nsects    20
flags     0x0
Datas
sectname          segname  addr         size    offset   entropy  align  reloff  nreloc  flags
__nl_symbol_ptr   __DATA   0x10003C000  0x8     0x3C000  -0.0000  0x3    0x0     0       0x6
__got             __DATA   0x10003C008  0x150   0x3C008  0.1170   0x3    0x0     0       0x6
__la_symbol_ptr   __DATA   0x10003C158  0x540   0x3C158  2.8703   0x3    0x0     0       0x7
__const           __DATA   0x10003C698  0xD48   0x3C698  2.2345   0x3    0x0     0       0x0
__cfstring        __DATA   0x10003D3E0  0x20C0  0x3D3E0  1.8397   0x3    0x0     0       0x0
__objc_classlist  __DATA   0x10003F4A0  0xE8    0x3F4A0  2.9007   0x3    0x0     0       0x10000000
__objc_nlclslist  __DATA   0x10003F588  0x8     0x3F588  2.0000   0x3    0x0     0       0x10000000
__objc_catlist    __DATA   0x10003F590  0x10    0x3F590  1.9669   0x3    0x0     0       0x10000000
__objc_protolist  __DATA   0x10003F5A0  0x60    0x3F5A0  2.6039   0x3    0x0     0       0x0
__objc_imageinfo  __DATA   0x10003F600  0x8     0x3F600  0.5436   0x2    0x0     0       0x0
__objc_const      __DATA   0x10003F608  0x83A0  0x3F608  3.2948   0x3    0x0     0       0x0
__objc_selrefs    __DATA   0x1000479A8  0x15D0  0x479A8  3.5980   0x3    0x0     0       0x10000005
__objc_protorefs  __DATA   0x100048F78  0x10    0x48F78  1.8419   0x3    0x0     0       0x0
__objc_classrefs  __DATA   0x100048F88  0x220   0x48F88  1.1873   0x3    0x0     0       0x10000000
__objc_superrefs  __DATA   0x1000491A8  0xC8    0x491A8  2.8335   0x3    0x0     0       0x10000000
__objc_ivar       __DATA   0x100049270  0x4A8   0x49270  1.0868   0x3    0x0     0       0x0
__objc_data       __DATA   0x100049718  0x910   0x49718  1.4902   0x3    0x0     0       0x0
__data            __DATA   0x10004A028  0xA60   0x4A028  5.8737   0x3    0x0     0       0x0
__common          __DATA   0x10004AA90  0x30    0x0      -0.0000  0x4    0x0     0       0x1
__bss             __DATA   0x10004AAC0  0x90    0x0      -0.0000  0x3    0x0     0       0x1
Name      Value
segname   __LINKEDIT
vmaddr    0x10004C000
vmsize    0xC000
fileoff   0x4C000
filesize  0xA810
maxprot   0x1
initprot  0x1
nsects    0
flags     0x0
Name            Value
rebase_off      311296
rebase_size     1432
bind_off        312728
bind_size       3304
weak_bind_off   316032
weak_bind_size  72
lazy_bind_off   316104
lazy_bind_size  4280
export_off      320384
export_size     32

Name     Value
symoff   321696
nsyms    264
stroff   327440
strsize  5608

Name            Value
ilocalsym       0
nlocalsym       1
iextdefsym      1
nextdefsym      1
iundefsym       2
nundefsym       262
tocoff          0
ntoc            0
modtaboff       0
nmodtab         0
extrefsymoff    0
nextrefsyms     0
indirectsymoff  325920
nindirectsyms   379
extreloff       0
nextrel         0
locreloff       0
nlocrel         0

Name   Value
name   12
Datas  /usr/lib/dyld

Name   Value
uuid   5CD8DF8D-9911-3F7E-8044-1E2F666A6787 (raw bytes b'\\\xd8\xdf\x8d\x99\x11?~\x80D\x1e/fjg\x87')

Name     Value
version  658688
sdk      721152

Name     Value
version  0

Name       Value
entryoff   8464
stacksize  0
Name                   Value
name                   24
timestamp              Thu Jan 1 01:00:02 1970
current_version        1770.255.0
compatibility_version  300.0.0
Datas                  /System/Library/Frameworks/Foundation.framework/Versions/C/Foundation

Name                   Value
name                   24
timestamp              Thu Jan 1 01:00:02 1970
current_version        228.0.0
compatibility_version  1.0.0
Datas                  /usr/lib/libobjc.A.dylib

Name                   Value
name                   24
timestamp              Thu Jan 1 01:00:02 1970
current_version        904.4.0
compatibility_version  1.0.0
Datas                  /usr/lib/libc++.1.dylib

Name                   Value
name                   24
timestamp              Thu Jan 1 01:00:02 1970
current_version        1292.60.1
compatibility_version  1.0.0
Datas                  /usr/lib/libSystem.B.dylib

Name                   Value
name                   24
timestamp              Thu Jan 1 01:00:02 1970
current_version        2022.20.117
compatibility_version  45.0.0
Datas                  /System/Library/Frameworks/AppKit.framework/Versions/C/AppKit

Name                   Value
name                   24
timestamp              Thu Jan 1 01:00:02 1970
current_version        1209.1.0
compatibility_version  1.0.0
Datas                  /System/Library/Frameworks/CFNetwork.framework/Versions/A/CFNetwork

Name                   Value
name                   24
timestamp              Thu Jan 1 01:00:02 1970
current_version        1770.255.0
compatibility_version  150.0.0
Datas                  /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation

Name                   Value
name                   24
timestamp              Thu Jan 1 01:00:02 1970
current_version        1122.11.0
compatibility_version  1.0.0
Datas                  /System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices

Name                   Value
name                   24
timestamp              Thu Jan 1 01:00:02 1970
current_version        275.0.0
compatibility_version  1.0.0
Datas                  /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit

Name                   Value
name                   24
timestamp              Thu Jan 1 01:00:02 1970
current_version        59754.60.13
compatibility_version  1.0.0
Datas                  /System/Library/Frameworks/Security.framework/Versions/A/Security

Name                   Value
name                   24
timestamp              Thu Jan 1 01:00:02 1970
current_version        1109.60.2
compatibility_version  1.0.0
Datas                  /System/Library/Frameworks/SystemConfiguration.framework/Versions/A/SystemConfiguration
Name      Value
dataoff   320416
datasize  1272

Name      Value
dataoff   321688
datasize  8

Name      Value
dataoff   333056
datasize  21264
                _CCCrypt
                _CFArrayCreate
                _CFRelease
                _CFRetain
                _CFRunLoopGetMain
                _CFStringTransform
                _CFUUIDCreate
                _CFUUIDCreateString
                _IOObjectRelease
                _IORegistryEntryCreateCFProperty
                _IOServiceGetMatchingService
                _IOServiceMatching
                _NSCalendarIdentifierGregorian
                _NSClassFromString
                _NSDefaultRunLoopMode
                _NSFileCreationDate
                _NSFileSize
                _NSFoundationVersionNumber
                _NSGenericException
                _NSKeyValueChangeNewKey
                _NSLocalizedDescriptionKey
                _NSLocalizedFailureReasonErrorKey
                _NSLog
                _NSRunLoopCommonModes
                _NSSearchPathForDirectoriesInDomains
                _NSSelectorFromString
                _NSStringFromClass
                _NSStringFromSelector
                _NSURLAuthenticationMethodServerTrust
                _NSURLErrorFailingURLErrorKey
                _NSURLNameKey
                _NSURLSessionTransferSizeUnknown
                _NSUnderlyingErrorKey
                _NSUserName
                _OBJC_CLASS_$_NSArray
                _OBJC_CLASS_$_NSBitmapImageRep
                _OBJC_CLASS_$_NSBundle
                _OBJC_CLASS_$_NSCalendar
                _OBJC_CLASS_$_NSCharacterSet
                _OBJC_CLASS_$_NSData
                _OBJC_CLASS_$_NSDate
                _OBJC_CLASS_$_NSDateFormatter
                _OBJC_CLASS_$_NSDecimalNumber
                _OBJC_CLASS_$_NSDictionary
                _OBJC_CLASS_$_NSError
                _OBJC_CLASS_$_NSException
                _OBJC_CLASS_$_NSFileManager
                _OBJC_CLASS_$_NSHTTPURLResponse
                _OBJC_CLASS_$_NSImage
                _OBJC_CLASS_$_NSIndexSet
                _OBJC_CLASS_$_NSInputStream
                _OBJC_CLASS_$_NSJSONSerialization
                _OBJC_CLASS_$_NSLocale
                _OBJC_CLASS_$_NSLock
                _OBJC_CLASS_$_NSMutableArray
                _OBJC_CLASS_$_NSMutableData
                _OBJC_CLASS_$_NSMutableDictionary
                _OBJC_CLASS_$_NSMutableSet
                _OBJC_CLASS_$_NSMutableString
                _OBJC_CLASS_$_NSMutableURLRequest
                _OBJC_CLASS_$_NSNotificationCenter
                _OBJC_CLASS_$_NSNull
                _OBJC_CLASS_$_NSNumber
                _OBJC_CLASS_$_NSNumberFormatter
                _OBJC_CLASS_$_NSObject
                _OBJC_CLASS_$_NSOperationQueue
                _OBJC_CLASS_$_NSOutputStream
                _OBJC_CLASS_$_NSProcessInfo
                _OBJC_CLASS_$_NSProgress
                _OBJC_CLASS_$_NSPropertyListSerialization
                _OBJC_CLASS_$_NSRecursiveLock
                _OBJC_CLASS_$_NSRunLoop
                _OBJC_CLASS_$_NSSet
                _OBJC_CLASS_$_NSSortDescriptor
                _OBJC_CLASS_$_NSString
                _OBJC_CLASS_$_NSThread
                _OBJC_CLASS_$_NSURL
                _OBJC_CLASS_$_NSURLCredential
                _OBJC_CLASS_$_NSURLSession
                _OBJC_CLASS_$_NSURLSessionConfiguration
                _OBJC_CLASS_$_NSXMLDocument
                _OBJC_CLASS_$_NSXMLParser
                _OBJC_METACLASS_$_NSInputStream
                _OBJC_METACLASS_$_NSMutableArray
                _OBJC_METACLASS_$_NSObject
                _SCNetworkReachabilityCreateWithAddress
                _SCNetworkReachabilityCreateWithName
                _SCNetworkReachabilityGetFlags
                _SCNetworkReachabilityScheduleWithRunLoop
                _SCNetworkReachabilitySetCallback
                _SCNetworkReachabilityUnscheduleFromRunLoop
                _SecCertificateCopyData
                _SecCertificateCreateWithData
                _SecItemExport
                _SecPolicyCreateBasicX509
                _SecPolicyCreateSSL
                _SecTrustCopyPublicKey
                _SecTrustCreateWithCertificates
                _SecTrustEvaluate
                _SecTrustGetCertificateAtIndex
                _SecTrustGetCertificateCount
                _SecTrustSetAnchorCertificates
                _SecTrustSetPolicies
                _UTTypeCopyPreferredTagWithClass
                _UTTypeCreatePreferredIdentifierForTag
                __Block_copy
                __Block_object_assign
                __Block_object_dispose
                __Block_release
                __NSConcreteGlobalBlock
                __NSConcreteStackBlock
                __Unwind_Resume
                __ZNKSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE7compareEmmPKcm
                __ZNKSt3__121__basic_string_commonILb1EE20__throw_length_errorEv
                __ZNSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE6appendEPKc
                __ZNSt3__1plIcNS_11char_traitsIcEENS_9allocatorIcEEEENS_12basic_stringIT_T0_T1_EEPKS6_RKS9_
                __ZSt9terminatev
                __ZdlPv
                __Znam
                __Znwm
                ___CFConstantStringClassReference
                ___bzero
                ___cxa_begin_catch
                ___darwin_check_fd_set_overflow
                ___gxx_personality_v0
                ___memcpy_chk
                ___objc_personality_v0
                ___sprintf_chk
                ___stack_chk_fail
                ___stack_chk_guard
                ___stderrp
                ___stdoutp
                ___strncpy_chk
                __dispatch_main_q
                __dispatch_queue_attr_concurrent
                __dispatch_source_type_timer
                __mh_execute_header
                __objc_empty_cache
                _access
                _arc4random
                _atoi
                _class_addMethod
                _class_getInstanceMethod
                _close
                _closedir
                _dispatch_async
                _dispatch_barrier_async
                _dispatch_get_global_queue
                _dispatch_group_async
                _dispatch_group_create
                _dispatch_once
                _dispatch_queue_create
                _dispatch_resume
                _dispatch_semaphore_create
                _dispatch_semaphore_signal
                _dispatch_semaphore_wait
                _dispatch_source_cancel
                _dispatch_source_create
                _dispatch_source_set_event_handler
                _dispatch_source_set_timer
                _dispatch_sync
                _dispatch_time
                _dispatch_walltime
                _dup2
                _execvp
                _exit
                _fclose
                _feof
                _fgets
                _fopen
                _fork
                _fread
                _free
                _freeifaddrs
                _freopen
                _fseek
                _ftell
                _getcwd
                _getifaddrs
                _getuid
                _grantpt
                _host_page_size
                _host_statistics64
                _if_nametoindex
                _inet_addr
                _inet_ntoa
                _ioctl
                _kCFAllocatorDefault
                _kCFBundleExecutableKey
                _kCFBundleIdentifierKey
                _kCFBundleVersionKey
                _kCFRunLoopCommonModes
                _kCFStreamPropertyHTTPProxyHost
                _kCFStreamPropertyHTTPProxyPort
                _kCFStreamPropertyHTTPSProxyHost
                _kCFStreamPropertyHTTPSProxyPort
                _kIOMasterPortDefault
                _kUTTagClassFilenameExtension
                _kUTTagClassMIMEType
                _kill
                _mach_host_self
                _malloc
                _memcpy
                _method_exchangeImplementations
                _method_getImplementation
                _method_getTypeEncoding
                _objc_alloc
                _objc_autorelease
                _objc_autoreleaseReturnValue
                _objc_copyWeak
                _objc_destroyWeak
                _objc_enumerationMutation
                _objc_exception_throw
                _objc_getProperty
                _objc_initWeak
                _objc_loadWeakRetained
                _objc_msgSend
                _objc_msgSendSuper2
                _objc_msgSend_stret
                _objc_release
                _objc_retain
                _objc_retainAutorelease
                _objc_retainAutoreleaseReturnValue
                _objc_retainAutoreleasedReturnValue
                _objc_retainBlock
                _objc_setProperty_atomic_copy
                _objc_setProperty_nonatomic_copy
                _objc_storeStrong
                _objc_storeWeak
                _objc_unsafeClaimAutoreleasedReturnValue
                _open
                _opendir$INODE64
                _pclose
                _popen
                _printf
                _pthread_create
                _pthread_join
                _puts
                _read
                _readdir$INODE64
                _rename
                _rindex
                _select$1050
                _signal
                _sleep
                _snprintf
                _sprintf
                _stat$INODE64
                _statfs$INODE64
                _strchr
                _strcmp
                _strcpy
                _strlen
                _strstr
                _strtol
                _sysctl
                _sysctlbyname
                _system
                _unlink
                _unlockpt
                _waitpid
                _write
                dyld_stub_binder
                radr://5614542
                _CCCrypt
                _CFArrayCreate
                _CFRelease
                _CFRetain
                _CFRunLoopGetMain
                _CFStringTransform
                _CFUUIDCreate
                _CFUUIDCreateString
                _IOObjectRelease
                _IORegistryEntryCreateCFProperty
                _IOServiceGetMatchingService
                _IOServiceMatching
                _NSClassFromString
                _NSLog
                _NSSearchPathForDirectoriesInDomains
                _NSSelectorFromString
                _NSStringFromClass
                _NSStringFromSelector
                _NSUserName
                _SCNetworkReachabilityCreateWithAddress
                _SCNetworkReachabilityCreateWithName
                _SCNetworkReachabilityGetFlags
                _SCNetworkReachabilityScheduleWithRunLoop
                _SCNetworkReachabilitySetCallback
                _SCNetworkReachabilityUnscheduleFromRunLoop
                _SecCertificateCopyData
                _SecCertificateCreateWithData
                _SecItemExport
                _SecPolicyCreateBasicX509
                _SecPolicyCreateSSL
                _SecTrustCopyPublicKey
                _SecTrustCreateWithCertificates
                _SecTrustEvaluate
                _SecTrustGetCertificateAtIndex
                _SecTrustGetCertificateCount
                _SecTrustSetAnchorCertificates
                _SecTrustSetPolicies
                _UTTypeCopyPreferredTagWithClass
                _UTTypeCreatePreferredIdentifierForTag
                __Block_copy
                __Block_object_assign
                __Block_object_dispose
                __Block_release
                __Unwind_Resume
                __ZNKSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE7compareEmmPKcm
                __ZNKSt3__121__basic_string_commonILb1EE20__throw_length_errorEv
                __ZNSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE6appendEPKc
                __ZNSt3__1plIcNS_11char_traitsIcEENS_9allocatorIcEEEENS_12basic_stringIT_T0_T1_EEPKS6_RKS9_
                __ZSt9terminatev
                ___bzero
                ___cxa_begin_catch
                ___darwin_check_fd_set_overflow
                ___memcpy_chk
                ___sprintf_chk
                ___stack_chk_fail
                ___strncpy_chk
                _access
                _arc4random
                _atoi
                _class_addMethod
                _class_getInstanceMethod
                _close
                _closedir
                _dispatch_async
                _dispatch_barrier_async
                _dispatch_get_global_queue
                _dispatch_group_async
                _dispatch_group_create
                _dispatch_once
                _dispatch_queue_create
                _dispatch_resume
                _dispatch_semaphore_create
                _dispatch_semaphore_signal
                _dispatch_semaphore_wait
                _dispatch_source_cancel
                _dispatch_source_create
                _dispatch_source_set_event_handler
                _dispatch_source_set_timer
                _dispatch_sync
                _dispatch_time
                _dispatch_walltime
                _dup2
                _execvp
                _exit
                _fclose
                _feof
                _fgets
                _fopen
                _fork
                _fread
                _free
                _freeifaddrs
                _freopen
                _fseek
                _ftell
                _getcwd
                _getifaddrs
                _getuid
                _grantpt
                _host_page_size
                _host_statistics64
                _if_nametoindex
                _inet_addr
                _inet_ntoa
                _ioctl
                _kill
                _mach_host_self
                _malloc
                _memcpy
                _method_exchangeImplementations
                _method_getImplementation
                _method_getTypeEncoding
                _objc_alloc
                _objc_autorelease
                _objc_autoreleaseReturnValue
                _objc_copyWeak
                _objc_destroyWeak
                _objc_enumerationMutation
                _objc_exception_throw
                _objc_getProperty
                _objc_initWeak
                _objc_loadWeakRetained
                _objc_msgSendSuper2
                _objc_msgSend_stret
                _objc_retainAutorelease
                _objc_retainAutoreleaseReturnValue
                _objc_retainAutoreleasedReturnValue
                _objc_retainBlock
                _objc_setProperty_atomic_copy
                _objc_setProperty_nonatomic_copy
                _objc_storeStrong
                _objc_storeWeak
                _objc_unsafeClaimAutoreleasedReturnValue
                _open
                _opendir$INODE64
                _pclose
                _popen
                _printf
                _pthread_create
                _pthread_join
                _puts
                _read
                _readdir$INODE64
                _rename
                _rindex
                _select$1050
                _signal
                _sleep
                _snprintf
                _sprintf
                _stat$INODE64
                _statfs$INODE64
                _strchr
                _strcmp
                _strcpy
                _strlen
                _strstr
                _strtol
                _sysctl
                _sysctlbyname
                _system
                _unlink
                _unlockpt
                _waitpid
                _write

                General Information for header 2
                Endian: < (little-endian)
                Size: 32-bit
                Architecture: ARM64
                Filetype: execute
                Nbr. of load commands: 27
                Entry point:

                Name     | Value
                segname  | __PAGEZERO
                vmaddr   | 0x0
                vmsize   | 0x100000000
                fileoff  | 0x0
                filesize | 0x0
                maxprot  | 0x0
                initprot | 0x0
                nsects   | 0
                flags    | 0x0

                Name     | Value
                segname  | __TEXT
                vmaddr   | 0x100000000
                vmsize   | 0x40000
                fileoff  | 0x0
                filesize | 0x40000
                maxprot  | 0x5
                initprot | 0x5
                nsects   | 13
                flags    | 0x0
                Datas
                sectname         | segname | addr        | size    | offset  | entropy | align | reloff | nreloc | flags
                __text           | __TEXT  | 0x100004B3C | 0x2C898 | 0x4B3C  | 6.1009  | 0x2   | 0x0    | 0      | 0x80000400
                __stubs          | __TEXT  | 0x1000313D4 | 0x7F8   | 0x313D4 | 4.0031  | 0x2   | 0x0    | 0      | 0x80000408
                __stub_helper    | __TEXT  | 0x100031BCC | 0x7EC   | 0x31BCC | 4.2608  | 0x2   | 0x0    | 0      | 0x80000400
                __objc_methlist  | __TEXT  | 0x1000323B8 | 0x2188  | 0x323B8 | 5.4735  | 0x3   | 0x0    | 0      | 0x0
                __gcc_except_tab | __TEXT  | 0x100034540 | 0x1378  | 0x34540 | 5.0141  | 0x2   | 0x0    | 0      | 0x0
                __cstring        | __TEXT  | 0x1000358B8 | 0x34F0  | 0x358B8 | 5.4413  | 0x0   | 0x0    | 0      | 0x2
                __objc_methname  | __TEXT  | 0x100038DA8 | 0x5383  | 0x38DA8 | 4.8658  | 0x0   | 0x0    | 0      | 0x2
                __const          | __TEXT  | 0x10003E130 | 0x80    | 0x3E130 | 2.2117  | 0x4   | 0x0    | 0      | 0x0
                __objc_classname | __TEXT  | 0x10003E1B0 | 0x39F   | 0x3E1B0 | 4.9640  | 0x0   | 0x0    | 0      | 0x2
                __objc_methtype  | __TEXT  | 0x10003E54F | 0xFA4   | 0x3E54F | 5.1671  | 0x0   | 0x0    | 0      | 0x2
                __ustring        | __TEXT  | 0x10003F4F4 | 0x52    | 0x3F4F4 | 4.8240  | 0x1   | 0x0    | 0      | 0x0
                __unwind_info    | __TEXT  | 0x10003F548 | 0xA64   | 0x3F548 | 5.8119  | 0x2   | 0x0    | 0      | 0x0
                __eh_frame       | __TEXT  | 0x10003FFB0 | 0x50    | 0x3FFB0 | 3.3843  | 0x3   | 0x0    | 0      | 0x0

                Name     | Value
                segname  | __DATA_CONST
                vmaddr   | 0x100040000
                vmsize   | 0x4000
                fileoff  | 0x40000
                filesize | 0x4000
                maxprot  | 0x3
                initprot | 0x3
                nsects   | 8
                flags    | 0x10
                Datas
                sectname         | segname      | addr        | size   | offset  | entropy | align | reloff | nreloc | flags
                __got            | __DATA_CONST | 0x100040000 | 0x138  | 0x40000 | -0.0000 | 0x3   | 0x0    | 0      | 0x6
                __const          | __DATA_CONST | 0x100040138 | 0xD48  | 0x40138 | 2.2117  | 0x3   | 0x0    | 0      | 0x0
                __cfstring       | __DATA_CONST | 0x100040E80 | 0x20C0 | 0x40E80 | 1.8528  | 0x3   | 0x0    | 0      | 0x0
                __objc_classlist | __DATA_CONST | 0x100042F40 | 0xE8   | 0x42F40 | 2.8607  | 0x3   | 0x0    | 0      | 0x10000000
                __objc_nlclslist | __DATA_CONST | 0x100043028 | 0x8    | 0x43028 | 2.0000  | 0x3   | 0x0    | 0      | 0x10000000
                __objc_catlist   | __DATA_CONST | 0x100043030 | 0x10   | 0x43030 | 2.1250  | 0x3   | 0x0    | 0      | 0x10000000
                __objc_protolist | __DATA_CONST | 0x100043040 | 0x60   | 0x43040 | 2.7060  | 0x3   | 0x0    | 0      | 0x0
                __objc_imageinfo | __DATA_CONST | 0x1000430A0 | 0x8    | 0x430A0 | 0.5436  | 0x2   | 0x0    | 0      | 0x0

                Name     | Value
                segname  | __DATA
                vmaddr   | 0x100044000
                vmsize   | 0x8000
                fileoff  | 0x44000
                filesize | 0x8000
                maxprot  | 0x3
                initprot | 0x3
                nsects   | 11
                flags    | 0x0
                Datas
                sectname         | segname | addr        | size   | offset  | entropy | align | reloff | nreloc | flags
                __la_symbol_ptr  | __DATA  | 0x100044000 | 0x550  | 0x44000 | 3.0587  | 0x3   | 0x0    | 0      | 0x7
                __objc_const     | __DATA  | 0x100044550 | 0x42C0 | 0x44550 | 2.9095  | 0x3   | 0x0    | 0      | 0x0
                __objc_selrefs   | __DATA  | 0x100048810 | 0x19D8 | 0x48810 | 3.6122  | 0x3   | 0x0    | 0      | 0x10000005
                __objc_protorefs | __DATA  | 0x10004A1E8 | 0x10   | 0x4A1E8 | 2.1250  | 0x3   | 0x0    | 0      | 0x0
                __objc_classrefs | __DATA  | 0x10004A1F8 | 0x220  | 0x4A1F8 | 1.1749  | 0x3   | 0x0    | 0      | 0x10000000
                __objc_superrefs | __DATA  | 0x10004A418 | 0xC8   | 0x4A418 | 2.8354  | 0x3   | 0x0    | 0      | 0x10000000
                __objc_ivar      | __DATA  | 0x10004A4E0 | 0x254  | 0x4A4E0 | 1.8978  | 0x2   | 0x0    | 0      | 0x0
                __objc_data      | __DATA  | 0x10004A738 | 0x910  | 0x4A738 | 1.4594  | 0x3   | 0x0    | 0      | 0x0
                __data           | __DATA  | 0x10004B048 | 0xA68  | 0x4B048 | 0.7841  | 0x3   | 0x0    | 0      | 0x0
                __common         | __DATA  | 0x10004BAB0 | 0x28   | 0x0     | -0.0000 | 0x3   | 0x0    | 0      | 0x1
                __bss            | __DATA  | 0x10004BAD8 | 0x90   | 0x0     | -0.0000 | 0x3   | 0x0    | 0      | 0x1

                Name     | Value
                segname  | __LINKEDIT
                vmaddr   | 0x10004C000
                vmsize   | 0xC000
                fileoff  | 0x4C000
                filesize | 0xA710
                maxprot  | 0x1
                initprot | 0x1
                nsects   | 0
                flags    | 0x0

                Name           | Value
                rebase_off     | 311296
                rebase_size    | 1296
                bind_off       | 312592
                bind_size      | 3240
                weak_bind_off  | 315832
                weak_bind_size | 72
                lazy_bind_off  | 315904
                lazy_bind_size | 4264
                export_off     | 320168
                export_size    | 32

                Name    | Value
                symoff  | 321480
                nsyms   | 264
                stroff  | 327224
                strsize | 5568

                Name           | Value
                ilocalsym      | 0
                nlocalsym      | 1
                iextdefsym     | 1
                nextdefsym     | 1
                iundefsym      | 2
                nundefsym      | 262
                tocoff         | 0
                ntoc           | 0
                modtaboff      | 0
                nmodtab        | 0
                extrefsymoff   | 0
                nextrefsyms    | 0
                indirectsymoff | 325704
                nindirectsyms  | 379
                extreloff      | 0
                nextrel        | 0
                locreloff      | 0
                nlocrel        | 0

                Name  | Value
                name  | 12
                Datas | /usr/lib/dyld

                Name | Value
                uuid | b'\xf9\xd2\xf6\xdbz\xc2:\xae\xa9<\xadO=p~\xc4'

                Name     | Value
                platform | 1
                minos    | 720896
                sdk      | 721152
                ntools   | 1
                Datas    | .

                Name    | Value
                version | 0

                Name      | Value
                entryoff  | 19260
                stacksize | 0

                Name                  | Value
                name                  | 24
                timestamp             | Thu Jan 1 01:00:02 1970
                current_version       | 1770.255.0
                compatibility_version | 300.0.0
                Datas                 | /System/Library/Frameworks/Foundation.framework/Versions/C/Foundation

                Name                  | Value
                name                  | 24
                timestamp             | Thu Jan 1 01:00:02 1970
                current_version       | 228.0.0
                compatibility_version | 1.0.0
                Datas                 | /usr/lib/libobjc.A.dylib

                Name                  | Value
                name                  | 24
                timestamp             | Thu Jan 1 01:00:02 1970
                current_version       | 904.4.0
                compatibility_version | 1.0.0
                Datas                 | /usr/lib/libc++.1.dylib

                Name                  | Value
                name                  | 24
                timestamp             | Thu Jan 1 01:00:02 1970
                current_version       | 1292.60.1
                compatibility_version | 1.0.0
                Datas                 | /usr/lib/libSystem.B.dylib

                Name                  | Value
                name                  | 24
                timestamp             | Thu Jan 1 01:00:02 1970
                current_version       | 2022.20.117
                compatibility_version | 45.0.0
                Datas                 | /System/Library/Frameworks/AppKit.framework/Versions/C/AppKit

                Name                  | Value
                name                  | 24
                timestamp             | Thu Jan 1 01:00:02 1970
                current_version       | 1209.1.0
                compatibility_version | 1.0.0
                Datas                 | /System/Library/Frameworks/CFNetwork.framework/Versions/A/CFNetwork

                Name                  | Value
                name                  | 24
                timestamp             | Thu Jan 1 01:00:02 1970
                current_version       | 1770.255.0
                compatibility_version | 150.0.0
                Datas                 | /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation

                Name                  | Value
                name                  | 24
                timestamp             | Thu Jan 1 01:00:02 1970
                current_version       | 1122.11.0
                compatibility_version | 1.0.0
                Datas                 | /System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices

                Name                  | Value
                name                  | 24
                timestamp             | Thu Jan 1 01:00:02 1970
                current_version       | 275.0.0
                compatibility_version | 1.0.0
                Datas                 | /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit

                Name                  | Value
                name                  | 24
                timestamp             | Thu Jan 1 01:00:02 1970
                current_version       | 59754.60.13
                compatibility_version | 1.0.0
                Datas                 | /System/Library/Frameworks/Security.framework/Versions/A/Security

                Name                  | Value
                name                  | 24
                timestamp             | Thu Jan 1 01:00:02 1970
                current_version       | 1109.60.2
                compatibility_version | 1.0.0
                Datas                 | /System/Library/Frameworks/SystemConfiguration.framework/Versions/A/SystemConfiguration

                Name     | Value
                dataoff  | 320200
                datasize | 1280

                Name     | Value
                dataoff  | 321480
                datasize | 0

                Name     | Value
                dataoff  | 332800
                datasize | 21264
                _CCCrypt
                _CFArrayCreate
                _CFRelease
                _CFRetain
                _CFRunLoopGetMain
                _CFStringTransform
                _CFUUIDCreate
                _CFUUIDCreateString
                _IOObjectRelease
                _IORegistryEntryCreateCFProperty
                _IOServiceGetMatchingService
                _IOServiceMatching
                _NSCalendarIdentifierGregorian
                _NSClassFromString
                _NSDefaultRunLoopMode
                _NSFileCreationDate
                _NSFileSize
                _NSFoundationVersionNumber
                _NSGenericException
                _NSKeyValueChangeNewKey
                _NSLocalizedDescriptionKey
                _NSLocalizedFailureReasonErrorKey
                _NSLog
                _NSRunLoopCommonModes
                _NSSearchPathForDirectoriesInDomains
                _NSSelectorFromString
                _NSStringFromClass
                _NSStringFromSelector
                _NSURLAuthenticationMethodServerTrust
                _NSURLErrorFailingURLErrorKey
                _NSURLNameKey
                _NSURLSessionTransferSizeUnknown
                _NSUnderlyingErrorKey
                _NSUserName
                _OBJC_CLASS_$_NSArray
                _OBJC_CLASS_$_NSBitmapImageRep
                _OBJC_CLASS_$_NSBundle
                _OBJC_CLASS_$_NSCalendar
                _OBJC_CLASS_$_NSCharacterSet
                _OBJC_CLASS_$_NSData
                _OBJC_CLASS_$_NSDate
                _OBJC_CLASS_$_NSDateFormatter
                _OBJC_CLASS_$_NSDecimalNumber
                _OBJC_CLASS_$_NSDictionary
                _OBJC_CLASS_$_NSError
                _OBJC_CLASS_$_NSException
                _OBJC_CLASS_$_NSFileManager
                _OBJC_CLASS_$_NSHTTPURLResponse
                _OBJC_CLASS_$_NSImage
                _OBJC_CLASS_$_NSIndexSet
                _OBJC_CLASS_$_NSInputStream
                _OBJC_CLASS_$_NSJSONSerialization
                _OBJC_CLASS_$_NSLocale
                _OBJC_CLASS_$_NSLock
                _OBJC_CLASS_$_NSMutableArray
                _OBJC_CLASS_$_NSMutableData
                _OBJC_CLASS_$_NSMutableDictionary
                _OBJC_CLASS_$_NSMutableSet
                _OBJC_CLASS_$_NSMutableString
                _OBJC_CLASS_$_NSMutableURLRequest
                _OBJC_CLASS_$_NSNotificationCenter
                _OBJC_CLASS_$_NSNull
                _OBJC_CLASS_$_NSNumber
                _OBJC_CLASS_$_NSNumberFormatter
                _OBJC_CLASS_$_NSObject
                _OBJC_CLASS_$_NSOperationQueue
                _OBJC_CLASS_$_NSOutputStream
                _OBJC_CLASS_$_NSProcessInfo
                _OBJC_CLASS_$_NSProgress
                _OBJC_CLASS_$_NSPropertyListSerialization
                _OBJC_CLASS_$_NSRecursiveLock
                _OBJC_CLASS_$_NSRunLoop
                _OBJC_CLASS_$_NSSet
                _OBJC_CLASS_$_NSSortDescriptor
                _OBJC_CLASS_$_NSString
                _OBJC_CLASS_$_NSThread
                _OBJC_CLASS_$_NSURL
                _OBJC_CLASS_$_NSURLCredential
                _OBJC_CLASS_$_NSURLSession
                _OBJC_CLASS_$_NSURLSessionConfiguration
                _OBJC_CLASS_$_NSXMLDocument
                _OBJC_CLASS_$_NSXMLParser
                _OBJC_METACLASS_$_NSInputStream
                _OBJC_METACLASS_$_NSMutableArray
                _OBJC_METACLASS_$_NSObject
                _SCNetworkReachabilityCreateWithAddress
                _SCNetworkReachabilityCreateWithName
                _SCNetworkReachabilityGetFlags
                _SCNetworkReachabilityScheduleWithRunLoop
                _SCNetworkReachabilitySetCallback
                _SCNetworkReachabilityUnscheduleFromRunLoop
                _SecCertificateCopyData
                _SecCertificateCreateWithData
                _SecItemExport
                _SecPolicyCreateBasicX509
                _SecPolicyCreateSSL
                _SecTrustCopyPublicKey
                _SecTrustCreateWithCertificates
                _SecTrustEvaluate
                _SecTrustGetCertificateAtIndex
                _SecTrustGetCertificateCount
                _SecTrustSetAnchorCertificates
                _SecTrustSetPolicies
                _UTTypeCopyPreferredTagWithClass
                _UTTypeCreatePreferredIdentifierForTag
                __Block_copy
                __Block_object_assign
                __Block_object_dispose
                __Block_release
                __NSConcreteGlobalBlock
                __NSConcreteStackBlock
                __Unwind_Resume
                __ZNKSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE7compareEmmPKcm
                __ZNKSt3__121__basic_string_commonILb1EE20__throw_length_errorEv
                __ZNSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE6appendEPKc
                __ZNSt3__1plIcNS_11char_traitsIcEENS_9allocatorIcEEEENS_12basic_stringIT_T0_T1_EEPKS6_RKS9_
                __ZSt9terminatev
                __ZdlPv
                __Znam
                __Znwm
                ___CFConstantStringClassReference
                ___chkstk_darwin
                ___cxa_begin_catch
                ___darwin_check_fd_set_overflow
                ___gxx_personality_v0
                ___memcpy_chk
                ___objc_personality_v0
                ___sprintf_chk
                ___stack_chk_fail
                ___stack_chk_guard
                ___stderrp
                ___stdoutp
                ___strncpy_chk
                __dispatch_main_q
                __dispatch_queue_attr_concurrent
                __dispatch_source_type_timer
                __mh_execute_header
                __objc_empty_cache
                _access
                _arc4random
                _atoi
                _bzero
                _class_addMethod
                _class_getInstanceMethod
                _close
                _closedir
                _dispatch_async
                _dispatch_barrier_async
                _dispatch_get_global_queue
                _dispatch_group_async
                _dispatch_group_create
                _dispatch_once
                _dispatch_queue_create
                _dispatch_resume
                _dispatch_semaphore_create
                _dispatch_semaphore_signal
                _dispatch_semaphore_wait
                _dispatch_source_cancel
                _dispatch_source_create
                _dispatch_source_set_event_handler
                _dispatch_source_set_timer
                _dispatch_sync
                _dispatch_time
                _dispatch_walltime
                _dup2
                _execvp
                _exit
                _fclose
                _feof
                _fgets
                _fopen
                _fork
                _fread
                _free
                _freeifaddrs
                _freopen
                _fseek
                _ftell
                _getcwd
                _getifaddrs
                _getuid
                _grantpt
                _host_page_size
                _host_statistics64
                _if_nametoindex
                _inet_addr
                _inet_ntoa
                _ioctl
                _kCFAllocatorDefault
                _kCFBundleExecutableKey
                _kCFBundleIdentifierKey
                _kCFBundleVersionKey
                _kCFRunLoopCommonModes
                _kCFStreamPropertyHTTPProxyHost
                _kCFStreamPropertyHTTPProxyPort
                _kCFStreamPropertyHTTPSProxyHost
                _kCFStreamPropertyHTTPSProxyPort
                _kIOMasterPortDefault
                _kUTTagClassFilenameExtension
                _kUTTagClassMIMEType
                _kill
                _mach_host_self
                _malloc
                _memcpy
                _method_exchangeImplementations
                _method_getImplementation
                _method_getTypeEncoding
                _objc_alloc
                _objc_autorelease
                _objc_autoreleaseReturnValue
                _objc_copyWeak
                _objc_destroyWeak
                _objc_enumerationMutation
                _objc_exception_throw
                _objc_getProperty
                _objc_initWeak
                _objc_loadWeakRetained
                _objc_msgSend
                _objc_msgSendSuper2
                _objc_release
                _objc_retain
                _objc_retainAutorelease
                _objc_retainAutoreleaseReturnValue
                _objc_retainAutoreleasedReturnValue
                _objc_retainBlock
                _objc_setProperty_atomic_copy
                _objc_setProperty_nonatomic_copy
                _objc_storeStrong
                _objc_storeWeak
                _objc_unsafeClaimAutoreleasedReturnValue
                _open
                _opendir
                _pclose
                _popen
                _printf
                _pthread_create
                _pthread_join
                _puts
                _read
                _readdir
                _rename
                _rindex
                _select
                _signal
                _sleep
                _snprintf
                _sprintf
                _stat
                _statfs
                _strchr
                _strcmp
                _strcpy
                _strlen
                _strstr
                _strtol
                _sysctl
                _sysctlbyname
                _system
                _unlink
                _unlockpt
                _waitpid
                _write
                dyld_stub_binder
                radr://5614542
                _CCCrypt
                _CFArrayCreate
                _CFRelease
                _CFRetain
                _CFRunLoopGetMain
                _CFStringTransform
                _CFUUIDCreate
                _CFUUIDCreateString
                _IOObjectRelease
                _IORegistryEntryCreateCFProperty
                _IOServiceGetMatchingService
                _IOServiceMatching
                _NSClassFromString
                _NSLog
                _NSSearchPathForDirectoriesInDomains
                _NSSelectorFromString
                _NSStringFromClass
                _NSStringFromSelector
                _NSUserName
                _SCNetworkReachabilityCreateWithAddress
                _SCNetworkReachabilityCreateWithName
                _SCNetworkReachabilityGetFlags
                _SCNetworkReachabilityScheduleWithRunLoop
                _SCNetworkReachabilitySetCallback
                _SCNetworkReachabilityUnscheduleFromRunLoop
                _SecCertificateCopyData
                _SecCertificateCreateWithData
                _SecItemExport
                _SecPolicyCreateBasicX509
                _SecPolicyCreateSSL
                _SecTrustCopyPublicKey
                _SecTrustCreateWithCertificates
                _SecTrustEvaluate
                _SecTrustGetCertificateAtIndex
                _SecTrustGetCertificateCount
                _SecTrustSetAnchorCertificates
                _SecTrustSetPolicies
                _UTTypeCopyPreferredTagWithClass
                _UTTypeCreatePreferredIdentifierForTag
                __Block_copy
                __Block_object_assign
                __Block_object_dispose
                __Block_release
                __Unwind_Resume
                __ZNKSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE7compareEmmPKcm
                __ZNKSt3__121__basic_string_commonILb1EE20__throw_length_errorEv
                __ZNSt3__112basic_stringIcNS_11char_traitsIcEENS_9allocatorIcEEE6appendEPKc
                __ZNSt3__1plIcNS_11char_traitsIcEENS_9allocatorIcEEEENS_12basic_stringIT_T0_T1_EEPKS6_RKS9_
                __ZSt9terminatev
                ___cxa_begin_catch
                ___darwin_check_fd_set_overflow
                ___memcpy_chk
                ___sprintf_chk
                ___stack_chk_fail
                ___strncpy_chk
                _access
                _arc4random
                _atoi
                _bzero
                _class_addMethod
                _class_getInstanceMethod
                _close
                _closedir
                _dispatch_async
                _dispatch_barrier_async
                _dispatch_get_global_queue
                _dispatch_group_async
                _dispatch_group_create
                _dispatch_once
                _dispatch_queue_create
                _dispatch_resume
                _dispatch_semaphore_create
                _dispatch_semaphore_signal
                _dispatch_semaphore_wait
                _dispatch_source_cancel
                _dispatch_source_create
                _dispatch_source_set_event_handler
                _dispatch_source_set_timer
                _dispatch_sync
                _dispatch_time
                _dispatch_walltime
                _dup2
                _execvp
                _exit
                _fclose
                _feof
                _fgets
                _fopen
                _fork
                _fread
                _free
                _freeifaddrs
                _freopen
                _fseek
                _ftell
                _getcwd
                _getifaddrs
                _getuid
                _grantpt
                _host_page_size
                _host_statistics64
                _if_nametoindex
                _inet_addr
                _inet_ntoa
                _ioctl
                _kill
                _mach_host_self
                _malloc
                _memcpy
                _method_exchangeImplementations
                _method_getImplementation
                _method_getTypeEncoding
                _objc_alloc
                _objc_autorelease
                _objc_autoreleaseReturnValue
                _objc_copyWeak
                _objc_destroyWeak
                _objc_enumerationMutation
                _objc_exception_throw
                _objc_getProperty
                _objc_initWeak
                _objc_loadWeakRetained
                _objc_msgSend
                _objc_msgSendSuper2
                _objc_release
                _objc_retain
                _objc_retainAutorelease
                _objc_retainAutoreleaseReturnValue
                _objc_retainAutoreleasedReturnValue
                _objc_retainBlock
                _objc_setProperty_atomic_copy
                _objc_setProperty_nonatomic_copy
                _objc_storeStrong
                _objc_storeWeak
                _objc_unsafeClaimAutoreleasedReturnValue
                _open
                _opendir
                _pclose
                _popen
                _printf
                _pthread_create
                _pthread_join
                _puts
                _read
                _readdir
                _rename
                _rindex
                _select
                _signal
                _sleep
                _snprintf
                _sprintf
                _stat
                _statfs
                _strchr
                _strcmp
                _strcpy
                _strlen
                _strstr
                _strtol
                _sysctl
                _sysctlbyname
                _system
                _unlink
                _unlockpt
                _waitpid
                _write
                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Mar 28, 2022 14:12:48.311383963 CEST | 49302 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:48.670630932 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:48.670660973 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:48.670681000 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:48.670686007 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:48.670691013 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:48.670840979 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:48.670845985 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:48.670850039 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:48.670854092 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:48.670857906 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:48.670953035 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:48.670958042 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:48.670962095 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:48.670967102 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:48.671062946 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:48.671067953 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:48.671072006 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:48.671076059 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:48.671081066 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:48.671156883 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:48.671164036 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:48.671170950 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:48.671175957 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:48.671180964 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:48.671185017 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:48.671190023 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:48.671194077 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:48.671339035 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:48.671343088 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:48.671417952 CEST | 138 | 138 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:48.671422958 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:48.671427965 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:48.671432018 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:48.671436071 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:48.671439886 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:48.671516895 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:48.671521902 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:48.671525955 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:48.671530008 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:48.671534061 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:48.671539068 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:48.671542883 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:48.671621084 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:48.671626091 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:48.671629906 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:48.671633959 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:48.671638012 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:48.671643019 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:48.671736002 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:48.671741009 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:48.671745062 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:48.671749115 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:48.671753883 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:48.671757936 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:48.671889067 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:48.671894073 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:48.671897888 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:48.671901941 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:49.061182976 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:49.061280966 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:49.061376095 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:49.061381102 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:49.061549902 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:49.061553955 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:49.061558008 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:49.061685085 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:49.061693907 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:49.061698914 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:49.061903954 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:49.061909914 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:49.061913967 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:49.061918020 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:49.062041998 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:49.062046051 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:49.062050104 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:49.062134981 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:49.062139034 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:49.062144041 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:49.062292099 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:49.062295914 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:49.062299967 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:49.062457085 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:49.062551022 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:49.062555075 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:49.062558889 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:49.062721968 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:49.813153028 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:49.813345909 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:49.813352108 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:49.813357115 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:49.813360929 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:49.813493013 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:49.813498020 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:49.813626051 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:49.813637972 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:49.813760042 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:49.813766956 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:49.813771009 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:49.813960075 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:49.813963890 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:49.813968897 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:49.814049006 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:49.814201117 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:49.814204931 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:49.814208984 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:49.814352989 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:49.814357996 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:49.814362049 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:49.814366102 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:49.814443111 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:49.814446926 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:49.814450979 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:49.814590931 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:49.814598083 CEST | 137 | 137 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:49.814604044 CEST | 138 | 138 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:52.819813967 CEST | 138 | 138 | 192.168.0.52 | 192.168.0.255
                Mar 28, 2022 14:12:54.330102921 CEST | 53 | 56495 | 8.8.8.8 | 192.168.0.52
                Mar 28, 2022 14:12:54.691968918 CEST | 61483 | 53 | 192.168.0.52 | 8.8.8.8
                Mar 28, 2022 14:12:54.692070007 CEST | 57359 | 53 | 192.168.0.52 | 8.8.8.8
                Mar 28, 2022 14:12:54.710969925 CEST | 53 | 57359 | 8.8.8.8 | 192.168.0.52
                Mar 28, 2022 14:12:54.711069107 CEST | 53 | 61483 | 8.8.8.8 | 192.168.0.52
                Mar 28, 2022 14:14:14.195482969 CEST | 53 | 50470 | 8.8.8.8 | 192.168.0.52
                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                Mar 28, 2022 14:12:54.691968918 CEST | 192.168.0.52 | 8.8.8.8 | 0x9fc3 | Standard query (0) | pki-goog.l.google.com | 65 | IN (0x0001)
                Mar 28, 2022 14:12:54.692070007 CEST | 192.168.0.52 | 8.8.8.8 | 0xf745 | Standard query (0) | pki-goog.l.google.com | A (IP address) | IN (0x0001)
                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                Mar 28, 2022 14:12:54.702195883 CEST | 8.8.8.8 | 192.168.0.52 | 0xe3e | No error (0) | pki-goog.l.google.com | | 172.217.168.67 | A (IP address) | IN (0x0001)
                Mar 28, 2022 14:12:54.710969925 CEST | 8.8.8.8 | 192.168.0.52 | 0xf745 | No error (0) | pki-goog.l.google.com | | 172.217.168.67 | A (IP address) | IN (0x0001)

                System Behavior

                Start time: 14:12:32
                Start date: 28/03/2022
                Path: /Library/Frameworks/Mono.framework/Versions/6.12.0/bin/mono-sgen64
                Arguments: n/a
                File size: 4699168 bytes
                MD5 hash: 98f65da8c6a62423d3f4cda359f06a87

                Start time: 14:12:32
                Start date: 28/03/2022
                Path: /Users/drew/Desktop/CorelDRAW
                Arguments: /Users/drew/Desktop/CorelDRAW
                File size: 730896 bytes
                MD5 hash: 23699799f496b8e872d05f19d2b397f8

                Start time: 14:12:32
                Start date: 28/03/2022
                Path: /bin/sh
                Arguments: n/a
                File size: 120912 bytes
                MD5 hash: 8356936fbf1eeb3548896b9206a685a0

                Start time: 14:12:33
                Start date: 28/03/2022
                Path: /bin/bash
                Arguments: sh -c ps -ef |grep CorelDRAW |grep -v /Users/drew/Desktop/CorelDRAW |grep -v 'CorelDRAW\s*Graphics\s*Suite' |awk '{print $2}' |xargs kill -9
                File size: 1296704 bytes
                MD5 hash: c1edb59ec6a40884fc3c4e201d31b1d5

                Start time: 14:12:33
                Start date: 28/03/2022
                Path: /bin/bash
                Arguments: n/a
                File size: 1296704 bytes
                MD5 hash: c1edb59ec6a40884fc3c4e201d31b1d5

                Start time: 14:12:33
                Start date: 28/03/2022
                Path: /bin/ps
                Arguments: ps -ef
                File size: 173728 bytes
                MD5 hash: 5441fc94a247a54e76339a9e5b8c2b45

                Start time: 14:12:33
                Start date: 28/03/2022
                Path: /bin/bash
                Arguments: n/a
                File size: 1296704 bytes
                MD5 hash: c1edb59ec6a40884fc3c4e201d31b1d5

                Start time: 14:12:33
                Start date: 28/03/2022
                Path: /usr/bin/grep
                Arguments: grep CorelDRAW
                File size: 140304 bytes
                MD5 hash: 501a6e2ee4b55292be9321ece0fa2a93

                Start time: 14:12:33
                Start date: 28/03/2022
                Path: /bin/bash
                Arguments: n/a
                File size: 1296704 bytes
                MD5 hash: c1edb59ec6a40884fc3c4e201d31b1d5

                Start time: 14:12:33
                Start date: 28/03/2022
                Path: /usr/bin/grep
                Arguments: grep -v /Users/drew/Desktop/CorelDRAW
                File size: 140304 bytes
                MD5 hash: 501a6e2ee4b55292be9321ece0fa2a93

                Start time: 14:12:33
                Start date: 28/03/2022
                Path: /bin/bash
                Arguments: n/a
                File size: 1296704 bytes
                MD5 hash: c1edb59ec6a40884fc3c4e201d31b1d5

                Start time: 14:12:33
                Start date: 28/03/2022
                Path: /usr/bin/grep
                Arguments: grep -v CorelDRAW\s*Graphics\s*Suite
                File size: 140304 bytes
                MD5 hash: 501a6e2ee4b55292be9321ece0fa2a93

                Start time: 14:12:33
                Start date: 28/03/2022
                Path: /bin/bash
                Arguments: n/a
                File size: 1296704 bytes
                MD5 hash: c1edb59ec6a40884fc3c4e201d31b1d5

                Start time: 14:12:33
                Start date: 28/03/2022
                Path: /usr/bin/awk
                Arguments: awk {print $2}
                File size: 305504 bytes
                MD5 hash: 1780ae04585c36f7b86aaec7523fceb6

                Start time: 14:12:33
                Start date: 28/03/2022
                Path: /bin/bash
                Arguments: n/a
                File size: 1296704 bytes
                MD5 hash: c1edb59ec6a40884fc3c4e201d31b1d5

                Start time: 14:12:33
                Start date: 28/03/2022
                Path: /usr/bin/xargs
                Arguments: xargs kill -9
                File size: 139200 bytes
                MD5 hash: e5109f0c83efadc46f840033d8c89901

                Start time: 14:12:33
                Start date: 28/03/2022
                Path: /bin/sh
                Arguments: n/a
                File size: 120912 bytes
                MD5 hash: 8356936fbf1eeb3548896b9206a685a0

                Start time: 14:12:33
                Start date: 28/03/2022
                Path: /bin/bash
                Arguments: sh -c ps -ef |grep CorelDRAW |grep -v /Users/drew/Desktop/CorelDRAW |grep -v 'CorelDRAW\s*Graphics\s*Suite' |awk '{print $2}' |xargs kill -9
                File size: 1296704 bytes
                MD5 hash: c1edb59ec6a40884fc3c4e201d31b1d5

                Start time: 14:12:33
                Start date: 28/03/2022
                Path: /bin/bash
                Arguments: n/a
                File size: 1296704 bytes
                MD5 hash: c1edb59ec6a40884fc3c4e201d31b1d5

                Start time: 14:12:33
                Start date: 28/03/2022
                Path: /bin/ps
                Arguments: ps -ef
                File size: 173728 bytes
                MD5 hash: 5441fc94a247a54e76339a9e5b8c2b45

                Start time: 14:12:33
                Start date: 28/03/2022
                Path: /bin/bash
                Arguments: n/a
                File size: 1296704 bytes
                MD5 hash: c1edb59ec6a40884fc3c4e201d31b1d5

                Start time: 14:12:33
                Start date: 28/03/2022
                Path: /usr/bin/grep
                Arguments: grep CorelDRAW
                File size: 140304 bytes
                MD5 hash: 501a6e2ee4b55292be9321ece0fa2a93

                Start time: 14:12:33
                Start date: 28/03/2022
                Path: /bin/bash
                Arguments: n/a
                File size: 1296704 bytes
                MD5 hash: c1edb59ec6a40884fc3c4e201d31b1d5

                Start time: 14:12:33
                Start date: 28/03/2022
                Path: /usr/bin/grep
                Arguments: grep -v /Users/drew/Desktop/CorelDRAW
                File size: 140304 bytes
                MD5 hash: 501a6e2ee4b55292be9321ece0fa2a93

                Start time: 14:12:33
                Start date: 28/03/2022
                Path: /bin/bash
                Arguments: n/a
                File size: 1296704 bytes
                MD5 hash: c1edb59ec6a40884fc3c4e201d31b1d5

                Start time: 14:12:33
                Start date: 28/03/2022
                Path: /usr/bin/grep
                Arguments: grep -v CorelDRAW\s*Graphics\s*Suite
                File size: 140304 bytes
                MD5 hash: 501a6e2ee4b55292be9321ece0fa2a93

                Start time: 14:12:33
                Start date: 28/03/2022
                Path: /bin/bash
                Arguments: n/a
                File size: 1296704 bytes
                MD5 hash: c1edb59ec6a40884fc3c4e201d31b1d5

                Start time: 14:12:33
                Start date: 28/03/2022
                Path: /usr/bin/awk
                Arguments: awk {print $2}
                File size: 305504 bytes
                MD5 hash: 1780ae04585c36f7b86aaec7523fceb6

                Start time: 14:12:33
                Start date: 28/03/2022
                Path: /bin/bash
                Arguments: n/a
                File size: 1296704 bytes
                MD5 hash: c1edb59ec6a40884fc3c4e201d31b1d5

                Start time: 14:12:33
                Start date: 28/03/2022
                Path: /usr/bin/xargs
                Arguments: xargs kill -9
                File size: 139200 bytes
                MD5 hash: e5109f0c83efadc46f840033d8c89901

                Start time: 14:12:33
                Start date: 28/03/2022
                Path: /bin/sh
                Arguments: n/a
                File size: 120912 bytes
                MD5 hash: 8356936fbf1eeb3548896b9206a685a0

                Start time: 14:12:33
                Start date: 28/03/2022
                Path: /bin/bash
                Arguments: sh -c cp /Users/drew/Desktop/CorelDRAW /var/root/Library/Preferences/CorelDRAW/CorelDRAW
                File size: 1296704 bytes
                MD5 hash: c1edb59ec6a40884fc3c4e201d31b1d5

                Start time: 14:12:33
                Start date: 28/03/2022
                Path: /bin/cp
                Arguments: cp /Users/drew/Desktop/CorelDRAW /var/root/Library/Preferences/CorelDRAW/CorelDRAW
                File size: 123264 bytes
                MD5 hash: 9007c6e0352122c17fbcea99739b716e

                Start time: 14:12:33
                Start date: 28/03/2022
                Path: /bin/sh
                Arguments: n/a
                File size: 120912 bytes
                MD5 hash: 8356936fbf1eeb3548896b9206a685a0

                Start time: 14:12:33
                Start date: 28/03/2022
                Path: /bin/bash
                Arguments: sh -c launchctl unload -w /Library/LaunchDaemons/com.CorelDRAW.va.plist
                File size: 1296704 bytes
                MD5 hash: c1edb59ec6a40884fc3c4e201d31b1d5

                Start time: 14:12:33
                Start date: 28/03/2022
                Path: /bin/launchctl
                Arguments: launchctl unload -w /Library/LaunchDaemons/com.CorelDRAW.va.plist
                File size: 329344 bytes
                MD5 hash: a9ce661111e6db7d90923d46f790e5c7

                Start time: 14:12:33
                Start date: 28/03/2022
                Path: /bin/sh
                Arguments: n/a
                File size: 120912 bytes
                MD5 hash: 8356936fbf1eeb3548896b9206a685a0

                Start time: 14:12:33
                Start date: 28/03/2022
                Path: /bin/bash
                Arguments: sh -c launchctl load -w /Library/LaunchDaemons/com.CorelDRAW.va.plist
                File size: 1296704 bytes
                MD5 hash: c1edb59ec6a40884fc3c4e201d31b1d5

                Start time: 14:12:33
                Start date: 28/03/2022
                Path: /bin/launchctl
                Arguments: launchctl load -w /Library/LaunchDaemons/com.CorelDRAW.va.plist
                File size: 329344 bytes
                MD5 hash: a9ce661111e6db7d90923d46f790e5c7

                Start time: 14:12:33
                Start date: 28/03/2022
                Path: /usr/libexec/xpcproxy
                Arguments: n/a
                File size: 196720 bytes
                MD5 hash: 395c4370ee6c31ff7061018e365ee7b9

                Start time: 14:12:33
                Start date: 28/03/2022
                Path: /var/root/Library/Preferences/CorelDRAW/CorelDRAW
                Arguments: /var/root/Library/Preferences/CorelDRAW/CorelDRAW
                File size: 730896 bytes
                MD5 hash: 23699799f496b8e872d05f19d2b397f8