Analysis Report 1sPrekVaLY.dmg

Overview

General Information

Joe Sandbox Version: 25.0.0
Analysis ID: 63632
Start date: 07.11.2018
Start time: 18:08:04
Joe Sandbox Product: Cloud
Overall analysis duration: 0h 13m 59s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 1sPrekVaLY.dmg
Cookbook file name: defaultmacfilecookbook.jbs
Analysis system description: Mac Mini, High Sierra 10.13.2 (MS Office 16.9, Java 1.8.0_25)
Detection: MAL
Classification: mal72.adwa.spyw.evad.macDMG@0/804@4/0
Warnings:
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Too many dropped files, some of them have not been restored

Detection

Strategy | Score | Range | Reporting | Detection
Threshold | 72 | 0 - 100 | Report FP / FN | malicious

Classification

Signature Overview



Cryptography:

Imports (root) certificates into the systems keychain typically to intercept SSL traffic or bypass code integrity protections
Source: /usr/bin/env (PID: 719) Certificate import: /usr/bin/security -> security add-trusted-cert -k /Users/henry/Library/Keychains/login.keychain-db /Users/henry/.mitmproxy/mitmproxy-ca-cert.cer
Writes python scripts with MiTM functionality
Source: /Applications/spi.app/Contents/MacOS/spi (PID: 711) File written: /Users/henry/.mitmproxy/inject.py

Networking:

Writes shell scripts with functionality to modify network settings
Source: /Applications/spi.app/Contents/MacOS/spi (PID: 711) File written: /Users/henry/Library/SPI/uninstallerwatcher.sh
Connects to IPs without corresponding DNS lookups
Source: unknown TCP traffic detected without corresponding DNS query: 17.253.55.204
Source: unknown TCP traffic detected without corresponding DNS query: 17.253.55.204
Downloads files from webservers via HTTP
Source: global trafficHTTP traffic detected: GET /MFgwVqADAgEAME8wTTBLMAkGBSsOAwIaBQAEFH7maudymrP8%2BKIgZGwWoS1gcQhdBBSoSmpjBH3duubRObemRWXv86jsoQISA1HObdaLwvM6OUP9hewA0bss HTTP/1.1Host: ocsp.int-x3.letsencrypt.orgConnection: closeUser-Agent: trustd (unknown version) CFNetwork/893.13.1 Darwin/17.3.0 (x86_64)
Source: global trafficHTTP traffic detected: GET /MFgwVqADAgEAME8wTTBLMAkGBSsOAwIaBQAEFH7maudymrP8%2BKIgZGwWoS1gcQhdBBSoSmpjBH3duubRObemRWXv86jsoQISA37ntHMtm4wR8i%2FcpEtazM6u HTTP/1.1Host: ocsp.int-x3.letsencrypt.orgConnection: closeUser-Agent: trustd (unknown version) CFNetwork/893.13.1 Darwin/17.3.0 (x86_64)
Source: global trafficHTTP traffic detected: GET /MFgwVqADAgEAME8wTTBLMAkGBSsOAwIaBQAEFH7maudymrP8%2BKIgZGwWoS1gcQhdBBSoSmpjBH3duubRObemRWXv86jsoQISAwgtM%2F6DRSP4U%2BKQKVdWGAyc HTTP/1.1Host: ocsp.int-x3.letsencrypt.orgConnection: closeUser-Agent: trustd (unknown version) CFNetwork/893.13.1 Darwin/17.3.0 (x86_64)
Performs DNS lookups
Source: unknown DNS traffic detected: queries for: www.searchawesome.net
Uses HTTPS
Source: unknown Network traffic detected: HTTP traffic on port 49244 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49244
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49242
Source: unknown Network traffic detected: HTTP traffic on port 49242 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49239 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49239

Spam, unwanted Advertisements and Ransom Demands:

Detected OSX AwesomeSearch spyware
Source: /Applications/spi.app/Contents/MacOS/spi (PID: 711) IOC file written: /Users/henry/Library/SPI/uninstallerwatcher.sh

System Summary:

Classification label
Source: classification engine Classification label: mal72.adwa.spyw.evad.macDMG@0/804@4/0

Persistence and Installation Behavior:

Terminates several processes with shell command 'killall'
Source: /usr/bin/env (PID: 714) Killall command executed: killall -z -m mitmdump
Changes permissions of written Mach-O files
Creates hidden files, links and/or directories
Source: /Applications/spi.app/Contents/MacOS/spi (PID: 711) Hidden Directory created: /Users/henry/.mitmproxy -> /Users/henry/.mitmproxy
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 715) Hidden file created: /var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/_MEINgaile/.Python
Executes commands using a shell command-line interpreter
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 717) Shell command executed: /bin/sh -c uname -p 2> /dev/null
Source: /usr/bin/sh (PID: 713) Shell command executed: sh -c '$HOME/Library/SPI/uninstallerwatcher.sh'
Explicitly loads/starts launch services
Source: /usr/bin/env (PID: 712) Launch agent/daemon loaded: launchctl load /Users/henry/Library/LaunchAgents/spid-uninstall.plist
Opens applications that may be created ones
Source: /Volumes/SearchpageInstaller/spinstall.app/Contents/MacOS/spiinstall (PID: 708) Application opened: /usr/bin/open /Applications/spi.app
Reads launchservices plist files
Source: /Volumes/SearchpageInstaller/spinstall.app/Contents/MacOS/spiinstall (PID: 708) Launchservices plist file read: /Users/henry/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
Source: /Volumes/SearchpageInstaller/spinstall.app/Contents/MacOS/spiinstall (PID: 708) Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist
Source: /usr/bin/open (PID: 710) Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist
Source: /Applications/spi.app/Contents/MacOS/spi (PID: 711) Launchservices plist file read: /Users/henry/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
Source: /Applications/spi.app/Contents/MacOS/spi (PID: 711) Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist
Reads user launchservices plist file containing default apps for corresponding file types
Source: /Volumes/SearchpageInstaller/spinstall.app/Contents/MacOS/spiinstall (PID: 708) Preferences launchservices plist file read: /Users/henry/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
Source: /Applications/spi.app/Contents/MacOS/spi (PID: 711) Preferences launchservices plist file read: /Users/henry/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
Uses CFNetwork bundle containing interfaces for network communication (HTTP, sockets, and Bonjour)
Source: /Volumes/SearchpageInstaller/spinstall.app/Contents/MacOS/spiinstall (PID: 708) CFNetwork info plist opened: /System/Library/Frameworks/CFNetwork.framework/Resources/Info.plist
Source: /Applications/spi.app/Contents/MacOS/spi (PID: 711) CFNetwork info plist opened: /System/Library/Frameworks/CFNetwork.framework/Resources/Info.plist
Uses Security framework containing interfaces for system-level user authentication and authorization
Source: /usr/bin/security (PID: 719) Security framework info plist opened: /System/Library/Frameworks/Security.framework/Resources/Info.plist
Writes 64-bit Mach-O files to disk
Source: /Volumes/SearchpageInstaller/spinstall.app/Contents/MacOS/spiinstall (PID: 708)File written: /Applications/spi.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/MacOS/fileopJump to dropped file
Source: /Volumes/SearchpageInstaller/spinstall.app/Contents/MacOS/spiinstall (PID: 708)File written: /Applications/spi.app/Contents/Frameworks/Sparkle.framework/Versions/A/SparkleJump to dropped file
Source: /Volumes/SearchpageInstaller/spinstall.app/Contents/MacOS/spiinstall (PID: 708)File written: /Applications/spi.app/Contents/Frameworks/Sparkle.framework/Versions/Current/Resources/Autoupdate.app/Contents/MacOS/AutoupdateJump to dropped file
Source: /Volumes/SearchpageInstaller/spinstall.app/Contents/MacOS/spiinstall (PID: 708)File written: /Applications/spi.app/Contents/Frameworks/Sparkle.framework/Versions/Current/Resources/Autoupdate.app/Contents/MacOS/fileopJump to dropped file
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 715)File written: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/_MEINgaile/.PythonJump to dropped file
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 715)File written: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/_MEINgaile/_asyncio.soJump to dropped file
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 715)File written: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/_MEINgaile/_bisect.soJump to dropped file
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 715)File written: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/_MEINgaile/_blake2.soJump to dropped file
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 715)File written: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/_MEINgaile/_bz2.soJump to dropped file
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 715)File written: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/_MEINgaile/_codecs_cn.soJump to dropped file
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 715)File written: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/_MEINgaile/_codecs_hk.soJump to dropped file
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 715)File written: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/_MEINgaile/_codecs_iso2022.soJump to dropped file
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 715)File written: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/_MEINgaile/_codecs_jp.soJump to dropped file
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 715)File written: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/_MEINgaile/_codecs_kr.soJump to dropped file
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 715)File written: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/_MEINgaile/_codecs_tw.soJump to dropped file
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 715)File written: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/_MEINgaile/_crypt.soJump to dropped file
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 715)File written: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/_MEINgaile/_csv.soJump to dropped file
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 715)File written: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/_MEINgaile/_ctypes.soJump to dropped file
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 715)File written: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/_MEINgaile/_curses.soJump to dropped file
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 715)File written: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/_MEINgaile/_datetime.soJump to dropped file
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 715)File written: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/_MEINgaile/_dbm.soJump to dropped file
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 715)File written: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/_MEINgaile/_decimal.soJump to dropped file
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 715)File written: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/_MEINgaile/_gdbm.soJump to dropped file
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 715)File written: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/_MEINgaile/_hashlib.soJump to dropped file
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 715)File written: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/_MEINgaile/_heapq.soJump to dropped file
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 715)File written: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/_MEINgaile/_json.soJump to dropped file
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 715)File written: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/_MEINgaile/_md5.soJump to dropped file
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 715)File written: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/_MEINgaile/_multibytecodec.soJump to dropped file
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 715)File written: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/_MEINgaile/_multiprocessing.soJump to dropped file
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 715)File written: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/_MEINgaile/_opcode.soJump to dropped file
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 715)File written: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/_MEINgaile/_pickle.soJump to dropped file
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 715)File written: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/_MEINgaile/_posixsubprocess.soJump to dropped file
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 715)File written: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/_MEINgaile/_random.soJump to dropped file
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 715)File written: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/_MEINgaile/_ruamel_yaml.soJump to dropped file
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 715)File written: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/_MEINgaile/_scproxy.soJump to dropped file
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 715)File written: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/_MEINgaile/_sha1.soJump to dropped file
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 715)File written: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/_MEINgaile/_sha256.soJump to dropped file
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 715)File written: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/_MEINgaile/_sha3.soJump to dropped file
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 715)File written: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/_MEINgaile/_sha512.soJump to dropped file
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 715)File written: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/_MEINgaile/_socket.soJump to dropped file
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 715)File written: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/_MEINgaile/_ssl.soJump to dropped file
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 715)File written: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/_MEINgaile/_struct.soJump to dropped file
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 715)File written: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/_MEINgaile/_testcapi.soJump to dropped file
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 715)File written: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/_MEINgaile/_tkinter.soJump to dropped file
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 715)File written: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/_MEINgaile/array.soJump to dropped file
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 715)File written: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/_MEINgaile/binascii.soJump to dropped file
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 715)File written: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/_MEINgaile/fcntl.soJump to dropped file
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 715)File written: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/_MEINgaile/grp.soJump to dropped file
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 715)File written: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/_MEINgaile/libcrypto.1.0.0.dylibJump to dropped file
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 715)File written: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/_MEINgaile/libgdbm.4.dylibJump to dropped file
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 715)File written: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/_MEINgaile/libreadline.7.dylibJump to dropped file
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 715)File written: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/_MEINgaile/libssl.1.0.0.dylibJump to dropped file
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 715)File written: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/_MEINgaile/math.soJump to dropped file
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 715)File written: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/_MEINgaile/mmap.soJump to dropped file
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 715)File written: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/_MEINgaile/pyexpat.soJump to dropped file
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 715)File written: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/_MEINgaile/readline.soJump to dropped file
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 715)File written: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/_MEINgaile/resource.soJump to dropped file
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 715)File written: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/_MEINgaile/select.soJump to dropped file
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 715)File written: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/_MEINgaile/termios.soJump to dropped file
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 715)File written: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/_MEINgaile/tornado.speedups.soJump to dropped file
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 715)File written: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/_MEINgaile/unicodedata.soJump to dropped file
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 715)File written: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/_MEINgaile/zlib.soJump to dropped file
Writes FAT Mach-O files to disk
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 715) File written: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/_MEINgaile/_cffi_backend.so
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 715) File written: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/_MEINgaile/brotli._brotli.so
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 715) File written: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/_MEINgaile/cryptography.hazmat.bindings._constant_time.so
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 715) File written: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/_MEINgaile/cryptography.hazmat.bindings._openssl.so
Writes Python files to disk
Source: /Applications/spi.app/Contents/MacOS/spi (PID: 711) Python file created: /Users/henry/.mitmproxy/inject.py
Writes ZIP files to disk
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 715) ZIP file created: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/_MEINgaile/base_library.zip
Writes certificate files to disk
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 716) CER file created: /Users/henry/.mitmproxy/mitmproxy-ca-cert.cer
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 716) P12 file created: /Users/henry/.mitmproxy/mitmproxy-ca-cert.p12
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 716) P12 file created: /Users/henry/.mitmproxy/mitmproxy-ca.p12
Writes icon files to disk
Source: /Volumes/SearchpageInstaller/spinstall.app/Contents/MacOS/spiinstall (PID: 708) File written: /Applications/spi.app/Contents/Frameworks/Sparkle.framework/Resources/Autoupdate.app/Contents/Resources/AppIcon.icns
Source: /Volumes/SearchpageInstaller/spinstall.app/Contents/MacOS/spiinstall (PID: 708) File written: /Applications/spi.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/Resources/AppIcon.icns
Source: /Volumes/SearchpageInstaller/spinstall.app/Contents/MacOS/spiinstall (PID: 708) File written: /Applications/spi.app/Contents/Frameworks/Sparkle.framework/Versions/Current/Resources/Autoupdate.app/Contents/Resources/AppIcon.icns
Writes shell script files to disk
Source: /Applications/spi.app/Contents/MacOS/spi (PID: 711) Shell script file created: /Users/henry/Library/SPI/uninstallerwatcher.sh
Reads data from the local random generator
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 716) Random device file read: /dev/urandom
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 716) Random device file read: /dev/urandom
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 716) Random device file read: /dev/urandom
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 716) Random device file read: /dev/urandom
Uses AppleKeyboardLayouts bundle containing keyboard layouts
Source: /Volumes/SearchpageInstaller/spinstall.app/Contents/MacOS/spiinstall (PID: 708) AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: /Applications/spi.app/Contents/MacOS/spi (PID: 711) AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Uses SSL libraries
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 716) Lib SSL library: /var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/_MEINgaile/libssl.1.0.0.dylib
Writes property list (.plist) files to disk
Source: /Volumes/SearchpageInstaller/spinstall.app/Contents/MacOS/spiinstall (PID: 708)XML plist file created: /Applications/spi.app/Contents/_CodeSignature/CodeResourcesJump to dropped file
Source: /Volumes/SearchpageInstaller/spinstall.app/Contents/MacOS/spiinstall (PID: 708)XML plist file created: /Applications/spi.app/Contents/Frameworks/Alamofire.framework/Resources/Info.plistJump to dropped file
Source: /Volumes/SearchpageInstaller/spinstall.app/Contents/MacOS/spiinstall (PID: 708)XML plist file created: /Applications/spi.app/Contents/Frameworks/Alamofire.framework/Versions/A/_CodeSignature/CodeResourcesJump to dropped file
Source: /Volumes/SearchpageInstaller/spinstall.app/Contents/MacOS/spiinstall (PID: 708)XML plist file created: /Applications/spi.app/Contents/Frameworks/Alamofire.framework/Versions/A/Resources/Info.plistJump to dropped file
Source: /Volumes/SearchpageInstaller/spinstall.app/Contents/MacOS/spiinstall (PID: 708)XML plist file created: /Applications/spi.app/Contents/Frameworks/Alamofire.framework/Versions/Current/_CodeSignature/CodeResourcesJump to dropped file
Source: /Volumes/SearchpageInstaller/spinstall.app/Contents/MacOS/spiinstall (PID: 708)XML plist file created: /Applications/spi.app/Contents/Frameworks/Alamofire.framework/Versions/Current/Resources/Info.plistJump to dropped file
Source: /Volumes/SearchpageInstaller/spinstall.app/Contents/MacOS/spiinstall (PID: 708)Binary plist file created: /Applications/spi.app/Contents/Frameworks/Sparkle.framework/Resources/ar.lproj/SUAutomaticUpdateAlert.nibJump to dropped file
Source: /Volumes/SearchpageInstaller/spinstall.app/Contents/MacOS/spiinstall (PID: 708)Binary plist file created: /Applications/spi.app/Contents/Frameworks/Sparkle.framework/Resources/ar.lproj/SUUpdateAlert.nibJump to dropped file
Source: /Volumes/SearchpageInstaller/spinstall.app/Contents/MacOS/spiinstall (PID: 708)Binary plist file created: /Applications/spi.app/Contents/Frameworks/Sparkle.framework/Resources/ar.lproj/SUUpdatePermissionPrompt.nibJump to dropped file
Source: /Volumes/SearchpageInstaller/spinstall.app/Contents/MacOS/spiinstall (PID: 708)XML plist file created: /Applications/spi.app/Contents/Frameworks/Sparkle.framework/Resources/Autoupdate.app/Contents/_CodeSignature/CodeResourcesJump to dropped file
Source: /Volumes/SearchpageInstaller/spinstall.app/Contents/MacOS/spiinstall (PID: 708)XML plist file created: /Applications/spi.app/Contents/Frameworks/Sparkle.framework/Resources/Autoupdate.app/Contents/Info.plistJump to dropped file
Source: /Volumes/SearchpageInstaller/spinstall.app/Contents/MacOS/spiinstall (PID: 708)Binary plist file created: /Applications/spi.app/Contents/Frameworks/Sparkle.framework/Resources/Autoupdate.app/Contents/Resources/SUStatus.nibJump to dropped file
Source: /Volumes/SearchpageInstaller/spinstall.app/Contents/MacOS/spiinstall (PID: 708)Binary plist file created: /Applications/spi.app/Contents/Frameworks/Sparkle.framework/Resources/cs.lproj/SUAutomaticUpdateAlert.nibJump to dropped file
Source: /Volumes/SearchpageInstaller/spinstall.app/Contents/MacOS/spiinstall (PID: 708)Binary plist file created: /Applications/spi.app/Contents/Frameworks/Sparkle.framework/Resources/cs.lproj/SUUpdateAlert.nibJump to dropped file
Source: /Volumes/SearchpageInstaller/spinstall.app/Contents/MacOS/spiinstall (PID: 708)Binary plist file created: /Applications/spi.app/Contents/Frameworks/Sparkle.framework/Resources/cs.lproj/SUUpdatePermissionPrompt.nibJump to dropped file
Source: /Volumes/SearchpageInstaller/spinstall.app/Contents/MacOS/spiinstall (PID: 708)Binary plist file created: /Applications/spi.app/Contents/Frameworks/Sparkle.framework/Resources/da.lproj/SUAutomaticUpdateAlert.nibJump to dropped file
Source: /Volumes/SearchpageInstaller/spinstall.app/Contents/MacOS/spiinstall (PID: 708)Binary plist file created: /Applications/spi.app/Contents/Frameworks/Sparkle.framework/Resources/da.lproj/SUUpdateAlert.nibJump to dropped file
Source: /Volumes/SearchpageInstaller/spinstall.app/Contents/MacOS/spiinstall (PID: 708)Binary plist file created: /Applications/spi.app/Contents/Frameworks/Sparkle.framework/Resources/da.lproj/SUUpdatePermissionPrompt.nibJump to dropped file
Source: /Volumes/SearchpageInstaller/spinstall.app/Contents/MacOS/spiinstall (PID: 708)Binary plist file created: /Applications/spi.app/Contents/Frameworks/Sparkle.framework/Resources/de.lproj/SUAutomaticUpdateAlert.nibJump to dropped file
Source: /Volumes/SearchpageInstaller/spinstall.app/Contents/MacOS/spiinstall (PID: 708)Binary plist file created: /Applications/spi.app/Contents/Frameworks/Sparkle.framework/Resources/de.lproj/SUUpdateAlert.nibJump to dropped file
Source: /Volumes/SearchpageInstaller/spinstall.app/Contents/MacOS/spiinstall (PID: 708)Binary plist file created: /Applications/spi.app/Contents/Frameworks/Sparkle.framework/Resources/de.lproj/SUUpdatePermissionPrompt.nibJump to dropped file
Source: /Volumes/SearchpageInstaller/spinstall.app/Contents/MacOS/spiinstall (PID: 708)Binary plist file created: /Applications/spi.app/Contents/Frameworks/Sparkle.framework/Resources/el.lproj/SUAutomaticUpdateAlert.nibJump to dropped file
Source: /Volumes/SearchpageInstaller/spinstall.app/Contents/MacOS/spiinstall (PID: 708)Binary plist file created: /Applications/spi.app/Contents/Frameworks/Sparkle.framework/Resources/el.lproj/SUUpdateAlert.nibJump to dropped file
Source: /Volumes/SearchpageInstaller/spinstall.app/Contents/MacOS/spiinstall (PID: 708)Binary plist file created: /Applications/spi.app/Contents/Frameworks/Sparkle.framework/Resources/el.lproj/SUUpdatePermissionPrompt.nibJump to dropped file
Source: /Volumes/SearchpageInstaller/spinstall.app/Contents/MacOS/spiinstall (PID: 708)Binary plist file created: /Applications/spi.app/Contents/Frameworks/Sparkle.framework/Resources/en.lproj/SUAutomaticUpdateAlert.nibJump to dropped file
Source: /Volumes/SearchpageInstaller/spinstall.app/Contents/MacOS/spiinstall (PID: 708)Binary plist file created: /Applications/spi.app/Contents/Frameworks/Sparkle.framework/Resources/en.lproj/SUUpdateAlert.nibJump to dropped file
Source: /Volumes/SearchpageInstaller/spinstall.app/Contents/MacOS/spiinstall (PID: 708)Binary plist file created: /Applications/spi.app/Contents/Frameworks/Sparkle.framework/Resources/en.lproj/SUUpdatePermissionPrompt.nibJump to dropped file
Source: /Volumes/SearchpageInstaller/spinstall.app/Contents/MacOS/spiinstall (PID: 708)Binary plist file created: /Applications/spi.app/Contents/Frameworks/Sparkle.framework/Resources/es.lproj/SUAutomaticUpdateAlert.nibJump to dropped file
Source: /Volumes/SearchpageInstaller/spinstall.app/Contents/MacOS/spiinstall (PID: 708)Binary plist file created: /Applications/spi.app/Contents/Frameworks/Sparkle.framework/Resources/es.lproj/SUUpdateAlert.nibJump to dropped file
Source: /Volumes/SearchpageInstaller/spinstall.app/Contents/MacOS/spiinstall (PID: 708)Binary plist file created: /Applications/spi.app/Contents/Frameworks/Sparkle.framework/Resources/es.lproj/SUUpdatePermissionPrompt.nibJump to dropped file
Source: /Volumes/SearchpageInstaller/spinstall.app/Contents/MacOS/spiinstall (PID: 708)Binary plist file created: /Applications/spi.app/Contents/Frameworks/Sparkle.framework/Resources/fr.lproj/SUAutomaticUpdateAlert.nibJump to dropped file
Source: /Volumes/SearchpageInstaller/spinstall.app/Contents/MacOS/spiinstall (PID: 708)Binary plist file created: /Applications/spi.app/Contents/Frameworks/Sparkle.framework/Resources/fr.lproj/SUUpdateAlert.nibJump to dropped file
Source: /Volumes/SearchpageInstaller/spinstall.app/Contents/MacOS/spiinstall (PID: 708)Binary plist file created: /Applications/spi.app/Contents/Frameworks/Sparkle.framework/Resources/fr.lproj/SUUpdatePermissionPrompt.nibJump to dropped file
Source: /Volumes/SearchpageInstaller/spinstall.app/Contents/MacOS/spiinstall (PID: 708)Binary plist file created: /Applications/spi.app/Contents/Frameworks/Sparkle.framework/Resources/fr_CA.lproj/SUAutomaticUpdateAlert.nibJump to dropped file
Source: /Volumes/SearchpageInstaller/spinstall.app/Contents/MacOS/spiinstall (PID: 708)Binary plist file created: /Applications/spi.app/Contents/Frameworks/Sparkle.framework/Resources/fr_CA.lproj/SUUpdateAlert.nibJump to dropped file
Source: /Volumes/SearchpageInstaller/spinstall.app/Contents/MacOS/spiinstall (PID: 708)Binary plist file created: /Applications/spi.app/Contents/Frameworks/Sparkle.framework/Resources/fr_CA.lproj/SUUpdatePermissionPrompt.nibJump to dropped file
Source: /Volumes/SearchpageInstaller/spinstall.app/Contents/MacOS/spiinstall (PID: 708)XML plist file created: /Applications/spi.app/Contents/Frameworks/Sparkle.framework/Resources/Info.plistJump to dropped file
Source: /Volumes/SearchpageInstaller/spinstall.app/Contents/MacOS/spiinstall (PID: 708)Binary plist file created: /Applications/spi.app/Contents/Frameworks/Sparkle.framework/Resources/is.lproj/SUAutomaticUpdateAlert.nibJump to dropped file
Source: /Volumes/SearchpageInstaller/spinstall.app/Contents/MacOS/spiinstall (PID: 708)Binary plist file created: /Applications/spi.app/Contents/Frameworks/Sparkle.framework/Resources/is.lproj/SUUpdateAlert.nibJump to dropped file
Source: /Volumes/SearchpageInstaller/spinstall.app/Contents/MacOS/spiinstall (PID: 708)Binary plist file created: /Applications/spi.app/Contents/Frameworks/Sparkle.framework/Resources/is.lproj/SUUpdatePermissionPrompt.nibJump to dropped file
Source: /Volumes/SearchpageInstaller/spinstall.app/Contents/MacOS/spiinstall (PID: 708)Binary plist file created: /Applications/spi.app/Contents/Frameworks/Sparkle.framework/Resources/it.lproj/SUAutomaticUpdateAlert.nibJump to dropped file
Source: /Volumes/SearchpageInstaller/spinstall.app/Contents/MacOS/spiinstall (PID: 708)Binary plist file created: /Applications/spi.app/Contents/Frameworks/Sparkle.framework/Resources/it.lproj/SUUpdateAlert.nibJump to dropped file
Source: /Volumes/SearchpageInstaller/spinstall.app/Contents/MacOS/spiinstall (PID: 708)Binary plist file created: /Applications/spi.app/Contents/Frameworks/Sparkle.framework/Resources/it.lproj/SUUpdatePermissionPrompt.nibJump to dropped file
Source: /Volumes/SearchpageInstaller/spinstall.app/Contents/MacOS/spiinstall (PID: 708)Binary plist file created: /Applications/spi.app/Contents/Frameworks/Sparkle.framework/Resources/ja.lproj/SUAutomaticUpdateAlert.nibJump to dropped file
Source: /Volumes/SearchpageInstaller/spinstall.app/Contents/MacOS/spiinstall (PID: 708)Binary plist file created: /Applications/spi.app/Contents/Frameworks/Sparkle.framework/Resources/ja.lproj/SUUpdateAlert.nibJump to dropped file
Source: /Volumes/SearchpageInstaller/spinstall.app/Contents/MacOS/spiinstall (PID: 708)Binary plist file created: /Applications/spi.app/Contents/Frameworks/Sparkle.framework/Resources/ja.lproj/SUUpdatePermissionPrompt.nibJump to dropped file
Source: /Volumes/SearchpageInstaller/spinstall.app/Contents/MacOS/spiinstall (PID: 708)Binary plist file created: /Applications/spi.app/Contents/Frameworks/Sparkle.framework/Resources/ko.lproj/SUAutomaticUpdateAlert.nibJump to dropped file
Source: /Volumes/SearchpageInstaller/spinstall.app/Contents/MacOS/spiinstall (PID: 708)Binary plist file created: /Applications/spi.app/Contents/Frameworks/Sparkle.framework/Resources/ko.lproj/SUUpdateAlert.nibJump to dropped file
Source: /Volumes/SearchpageInstaller/spinstall.app/Contents/MacOS/spiinstall (PID: 708)Binary plist file created: /Applications/spi.app/Contents/Frameworks/Sparkle.framework/Resources/ko.lproj/SUUpdatePermissionPrompt.nibJump to dropped file
Source: /Volumes/SearchpageInstaller/spinstall.app/Contents/MacOS/spiinstall (PID: 708)Binary plist file created: /Applications/spi.app/Contents/Frameworks/Sparkle.framework/Resources/nb.lproj/SUAutomaticUpdateAlert.nibJump to dropped file
Source: /Volumes/SearchpageInstaller/spinstall.app/Contents/MacOS/spiinstall (PID: 708)Binary plist file created: /Applications/spi.app/Contents/Frameworks/Sparkle.framework/Resources/nb.lproj/SUUpdateAlert.nibJump to dropped file
Source: /Volumes/SearchpageInstaller/spinstall.app/Contents/MacOS/spiinstall (PID: 708)Binary plist file created: /Applications/spi.app/Contents/Frameworks/Sparkle.framework/Resources/nb.lproj/SUUpdatePermissionPrompt.nibJump to dropped file
Source: /Applications/spi.app/Contents/MacOS/spi (PID: 711)XML plist file created: /Users/henry/Library/LaunchAgents/spid-uninstall.plistJump to dropped file

Hooking and other Techniques for Hiding and Protection:

Creates hidden Mach-O files
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 715) Hidden Mach-O file written: Mach-O 64 bit: /private/var/folders/4x/3w8zrtrd7m1f065ysgs32sn40000gn/T/_MEINgaile/.Python

Language, Device and Operating System Detection:

Reads the systems OS release and/or type
Source: /Volumes/SearchpageInstaller/spinstall.app/Contents/MacOS/spiinstall (PID: 708) Sysctl requested: kern.ostype (1.1)
Source: /Volumes/SearchpageInstaller/spinstall.app/Contents/MacOS/spiinstall (PID: 708) Sysctl requested: kern.osrelease (1.2)
Source: /Applications/spi.app/Contents/MacOS/spi (PID: 711) Sysctl requested: kern.ostype (1.1)
Source: /Applications/spi.app/Contents/MacOS/spi (PID: 711) Sysctl requested: kern.osrelease (1.2)
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 716) Sysctl requested: kern.ostype (1.1)
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 716) Sysctl requested: kern.osrelease (1.2)
Source: /usr/bin/uname (PID: 718) Sysctl requested: kern.ostype (1.1)
Source: /usr/bin/uname (PID: 718) Sysctl requested: kern.osrelease (1.2)
Reads the systems hostname
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 716) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 717) Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/uname (PID: 718) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 713) Sysctl requested: kern.hostname (1.10)
Source: /Users/henry/Library/SPI/uninstallerwatcher.sh (PID: 713) Sysctl requested: kern.hostname (1.10)
Reads the system or server version plist file
Source: /Volumes/SearchpageInstaller/spinstall.app/Contents/MacOS/spiinstall (PID: 708) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/open (PID: 710) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /Applications/spi.app/Contents/MacOS/spi (PID: 711) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 716) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 716) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 716) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /Applications/spi.app/Contents/Resources/mitmdump (PID: 716) System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist

Stealing of Sensitive Information:

Detected OSX AwesomeSearch spyware
Source: /Applications/spi.app/Contents/MacOS/spi (PID: 711) IOC file written: /Users/henry/Library/SPI/uninstallerwatcher.sh
Executes the "security" command used to access the keychain
Source: /usr/bin/env (PID: 719) Security executable: /usr/bin/security -> security add-trusted-cert -k /Users/henry/Library/Keychains/login.keychain-db /Users/henry/.mitmproxy/mitmproxy-ca-cert.cer
Imports (root) certificates into the systems keychain typically to intercept SSL traffic or bypass code integrity protections
Source: /usr/bin/env (PID: 719) Certificate import: /usr/bin/security -> security add-trusted-cert -k /Users/henry/Library/Keychains/login.keychain-db /Users/henry/.mitmproxy/mitmproxy-ca-cert.cer
Writes python scripts with MiTM functionality
Source: /Applications/spi.app/Contents/MacOS/spi (PID: 711) File written: /Users/henry/.mitmproxy/inject.py
Executes the "uname" command used to read OS and architecture name
Source: /bin/sh (PID: 718) Uname executable: /usr/bin/uname -> uname -p


Runtime Messages

Command: open
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:
Standard Error:

Behavior Graph

[Behavior graph: ID 63632, Sample: 1sPrekVaLY.dmg, Startdate: 07/11/2018, Architecture: MAC, Score: 72]

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Screenshots