
Analysis Report

Overview

General Information

Joe Sandbox Version:19.0.0
Analysis ID:36981
Start time:15:30:39
Joe Sandbox Product:Cloud
Start date:02.05.2017
Overall analysis duration:0h 12m 28s
Report type:full
Sample file name:7819ae7d72fa045baa77e9c8e063a69df439146b27f9c3bb10aef52dcc77c145.app
Cookbook file name:default.jbs
Analysis system description:Mac Mini, El Capitan 10.11.6 (MS Office 15.25, Java 1.8.0_25)
Detection:MAL
Classification:mal100.spyw.expl.evad.macAPP@0/24@2/0


Detection

Strategy:Threshold
Score:100
Range:0 - 100
Reporting:Report FP / FN
Detection:malicious


Classification

Signature Overview



Cryptography:

Imports (root) certificates into the system's keychain, usually to intercept SSL traffic or bypass code integrity protections
Source: /bin/bash (PID: 477) | Certificate import: /usr/bin/security -> security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /tmp/cert.der

Networking:

Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: raw.githubusercontent.com
Reads from file descriptors related to (network) sockets
Source: /usr/bin/curl (PID: 483) | Reads from socket in process:
Uses HTTPS
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49205
Source: unknown | Network traffic detected: HTTP traffic on port 49205 -> 443
Writes to file descriptors related to (network) sockets
Source: /usr/bin/curl (PID: 483) | Writes to socket in process:

System Summary:

Classification label
Source: classification engine | Classification label: mal100.spyw.expl.evad.macAPP@0/24@2/0
Submitted sample is a known malware sample
Source: MD5 e8bdde90574d5bf285d9abb0c8a113a8 | Submitted blacklisted sample: Spyware Dok.A

Persistence and Installation Behavior:

Executes the "awk" command used to scan for patterns (usually in standard output)
Source: /bin/sh (PID: 529) | Awk executable: /usr/bin/awk -> awk -F* /^ +\*/ {print $2}
Executes the "sed" command used to modify input streams (usually from files or pipes)
Source: /bin/sh (PID: 530) | Sed executable: /usr/bin/sed -> sed s/^ *//
Reads data from the local random generator
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 460) | Random device file read: /dev/random
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 460) | Random device file read: /dev/random
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 471) | Random device file read: /dev/random
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 471) | Random device file read: /dev/random
Source: /usr/bin/security (PID: 477) | Random device file read: /dev/random
Source: /usr/bin/curl (PID: 483) | Random device file read: /dev/random
Source: /usr/bin/curl (PID: 483) | Random device file read: /dev/random
Source: /usr/bin/ruby (PID: 485) | Random device file read: /dev/urandom
Source: /usr/libexec/diskmanagementd (PID: 535) | Random device file read: /dev/random
Submitted sample is a bundle that is signed
Source: /Users/vreni/Desktop/unpack/Dokument.app/Contents/MacOS/AppStore (PID: 453) | CodeSignature CodeResources file read: /Users/vreni/Desktop/unpack/Dokument.app/Contents/_CodeSignature/CodeResources
Source: /Users/vreni/Desktop/unpack/Dokument.app/Contents/MacOS/AppStore (PID: 453) | CodeSignature CodeResources file read: /Users/vreni/Desktop/unpack/Dokument.app/Contents/_CodeSignature/CodeResources
Uses AppleKeyboardLayouts bundle containing keyboard layouts
Source: /Users/vreni/Desktop/unpack/Dokument.app/Contents/MacOS/AppStore (PID: 453) | AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 460) | AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 471) | AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Writes property list (.plist) files to disk
Source: /Users/vreni/Desktop/unpack/Dokument.app/Contents/MacOS/AppStore (PID: 453) | XML plist file created: /Users/Shared/AppStore.app/Contents/_CodeSignature/CodeResources
Source: /Users/vreni/Desktop/unpack/Dokument.app/Contents/MacOS/AppStore (PID: 453) | XML plist file created: /Users/Shared/AppStore.app/Contents/Info.plist
Source: /Users/vreni/Desktop/unpack/Dokument.app/Contents/MacOS/AppStore (PID: 453) | Binary plist file created: /Users/Shared/AppStore.app/Contents/Resources/Base.lproj/MainMenu.nib
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 460) | XML plist file created: /private/tmp/.dat.nosync01cc.r9KKsW
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 460) | XML plist file created: /private/tmp/.dat.nosync01cc.kN1IYD
Source: /System/Library/SystemConfiguration/PrinterNotifications.bundle/Contents/MacOS/makequeues (PID: 533) | XML plist file created: /Library/Printers/InstalledPrinters.plist
Changes permissions of written Mach-O files
Source: /Users/vreni/Desktop/unpack/Dokument.app/Contents/MacOS/AppStore (PID: 453) | Permissions modified for written 64-bit Mach-O /Users/Shared/AppStore.app/Contents/MacOS/AppStore: bits: - usr: rx grp: rx all: rwx
Creates hidden files, links and/or directories
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 460) | Hidden file created: /tmp/.dat.nosync01cc.r9KKsW
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 460) | Hidden file created: /tmp/.dat.nosync01cc.kN1IYD
Source: /usr/bin/touch (PID: 525) | Hidden file created: /tmp/.com.apple.dt.CommandLineTools.installondemand.in-progress
Executes Ruby scripts via command line evaluation
Source: /usr/bin/sudo (PID: 485) | Ruby script executed using -e: /usr/bin/ruby -> /usr/bin/ruby -e #!/System/Library/Frameworks/Ruby.framework/Versions/Current/usr/bin/ruby# This script installs to /usr/local only. To install elsewhere you can just# untar https://github.com/Homebrew/brew/tarball/master anywhere you like or# change the value of HOMEBREW_PREFIX.HOMEBREW_PREFIX = '/usr/local'.freezeHOMEBREW_REPOSITORY = '/usr/local/Homebrew'.freezeHOMEBREW_CACHE = '#{ENV['HOME']}/Library/Caches/Homebrew'.freezeHOMEBREW_OLD_CACHE = '/Library/Caches/Homebrew'.freezeBREW_REPO = 'https://github.com/Homebrew/brew'.freezeCORE_TAP_REPO = 'https://github.com/Homebrew/homebrew-core'.freeze# no analytics during installationENV['HOMEBREW_NO_ANALYTICS_THIS_RUN'] = '1'ENV['HOMEBREW_NO_ANALYTICS_MESSAGE_OUTPUT'] = '1'module Tty module_function def blue bold 34 end def red bold 31 end def reset escape 0 end def bold(n = 39) escape '1 #{n}' end def underline escape '4 39' end def escape(n) '\033[#{n}m' if STDOUT.tty? ende
Executes commands using a shell command-line interpreter
Source: /Users/vreni/Desktop/unpack/Dokument.app/Contents/MacOS/AppStore (PID: 453) | Shell command executed: /bin/bash -c chmod +x /Users/Shared/AppStore.app
Source: /Users/vreni/Desktop/unpack/Dokument.app/Contents/MacOS/AppStore (PID: 453) | Shell command executed: /bin/bash -c sleep 5 && rm -fR '/Users/vreni/Downloads/Dokument.app' && '/Users/Shared/AppStore.app/Contents/MacOS/AppStore' Dokument
Source: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid (PID: 471) | Shell command executed: /bin/sh -c /Users/Shared/AppStore.app/Contents/MacOS/AppStore
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 471) | Shell command executed: /bin/bash -c echo 'vreni ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 471) | Shell command executed: /bin/bash -c killall Safari
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 471) | Shell command executed: /bin/bash -c killall firefox
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 471) | Shell command executed: /bin/bash -c killall 'Google Chrome'
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 471) | Shell command executed: /bin/bash -c security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /tmp/cert.der
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 471) | Shell command executed: /bin/bash -c sudo -u vreni /usr/local/bin/brew -v
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 471) | Shell command executed: /bin/bash -c sudo -u vreni echo |sudo -u vreni /usr/bin/ruby -e '$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)'
Source: /usr/bin/ruby (PID: 486) | Shell command executed: sh -c xcode-select --print-path >/dev/null 2>&1 && xcrun --sdk macosx --show-sdk-path 2>/dev/null
Source: /usr/bin/ruby (PID: 488) | Shell command executed: sh -c /usr/bin/sudo -n -v 2>/dev/null
Source: /usr/bin/ruby (PID: 491) | Shell command executed: sh -c dsmemberutil checkmembership -U 'vreni' -G admin
Source: /usr/bin/ruby (PID: 522) | Shell command executed: sh -c /usr/bin/xcode-select -print-path 2>/dev/null
Source: /usr/bin/ruby (PID: 526) | Shell command executed: sh -c softwareupdate -l | grep -B 1 -E 'Command Line (Developer|Tools)' | awk -F'*' '/^ +\*/ {print $2}' | sed 's/^ *//' | tail -n1
Executes the "chgrp" command used to modify group ownership
Source: /usr/bin/sudo (PID: 499) | Chgrp executable: /usr/bin/chgrp -> /usr/bin/chgrp admin /usr/local/bin
Source: /usr/bin/sudo (PID: 509) | Chgrp executable: /usr/bin/chgrp -> /usr/bin/chgrp admin /usr/local/Cellar /usr/local/Homebrew /usr/local/Frameworks /usr/local/etc /usr/local/include /usr/local/lib /usr/local/opt /usr/local/sbin /usr/local/share /usr/local/share/zsh /usr/local/share/zsh/site-functions /usr/local/var
Executes the "chmod" command used to modify permissions
Source: /bin/bash (PID: 455) | Chmod executable: /bin/chmod -> chmod +x /Users/Shared/AppStore.app
Source: /usr/bin/sudo (PID: 493) | Chmod executable: /bin/chmod -> /bin/chmod u+rwx /usr/local/bin
Source: /usr/bin/sudo (PID: 495) | Chmod executable: /bin/chmod -> /bin/chmod g+rwx /usr/local/bin
Source: /usr/bin/sudo (PID: 503) | Chmod executable: /bin/chmod -> /bin/chmod g+rwx /usr/local/Cellar /usr/local/Homebrew /usr/local/Frameworks /usr/local/etc /usr/local/include /usr/local/lib /usr/local/opt /usr/local/sbin /usr/local/share /usr/local/share/zsh /usr/local/share/zsh/site-functions /usr/local/var
Source: /usr/bin/sudo (PID: 505) | Chmod executable: /bin/chmod -> /bin/chmod 755 /usr/local/share/zsh /usr/local/share/zsh/site-functions
Source: /usr/bin/sudo (PID: 513) | Chmod executable: /bin/chmod -> /bin/chmod g+rwx /Users/vreni/Library/Caches/Homebrew
Source: /usr/bin/sudo (PID: 519) | Chmod executable: /bin/chmod -> /bin/chmod g+rwx /Library/Caches/Homebrew
Executes the "curl" command used to transfer data via the network (usually using HTTP/S)
Source: /bin/bash (PID: 483) | Curl executable: /usr/bin/curl -> curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install
Executes the "grep" command used to find patterns in files or piped streams
Source: /bin/sh (PID: 528) | Grep executable: /usr/bin/grep -> grep -B 1 -E Command Line (Developer|Tools)
Executes the "mkdir" command used to create folders
Source: /usr/bin/sudo (PID: 501) | Mkdir executable: /bin/mkdir -> /bin/mkdir -p /usr/local/Cellar /usr/local/Homebrew /usr/local/Frameworks /usr/local/etc /usr/local/include /usr/local/lib /usr/local/opt /usr/local/sbin /usr/local/share /usr/local/share/zsh /usr/local/share/zsh/site-functions /usr/local/var
Source: /usr/bin/sudo (PID: 511) | Mkdir executable: /bin/mkdir -> /bin/mkdir -p /Users/vreni/Library/Caches/Homebrew
Source: /usr/bin/sudo (PID: 517) | Mkdir executable: /bin/mkdir -> /bin/mkdir -p /Library/Caches/Homebrew
Executes the "ruby" command used to interpret Ruby scripts
Source: /usr/bin/sudo (PID: 485) | Ruby executable: /usr/bin/ruby -> /usr/bin/ruby -e #!/System/Library/Frameworks/Ruby.framework/Versions/Current/usr/bin/ruby# This script installs to /usr/local only. To install elsewhere you can just# untar https://github.com/Homebrew/brew/tarball/master anywhere you like or# change the value of HOMEBREW_PREFIX.HOMEBREW_PREFIX = '/usr/local'.freezeHOMEBREW_REPOSITORY = '/usr/local/Homebrew'.freezeHOMEBREW_CACHE = '#{ENV['HOME']}/Library/Caches/Homebrew'.freezeHOMEBREW_OLD_CACHE = '/Library/Caches/Homebrew'.freezeBREW_REPO = 'https://github.com/Homebrew/brew'.freezeCORE_TAP_REPO = 'https://github.com/Homebrew/homebrew-core'.freeze# no analytics during installationENV['HOMEBREW_NO_ANALYTICS_THIS_RUN'] = '1'ENV['HOMEBREW_NO_ANALYTICS_MESSAGE_OUTPUT'] = '1'module Tty module_function def blue bold 34 end def red bold 31 end def reset escape 0 end def bold(n = 39) escape '1 #{n}' end def underline escape '4 39' end def escape(n) '\033[#{n}m' if STDOUT.tty? ende
Executes the "touch" command used to create files or modify time stamps
Source: /usr/bin/sudo (PID: 525) | Touch executable: /usr/bin/touch -> /usr/bin/touch /tmp/.com.apple.dt.CommandLineTools.installondemand.in-progress
Reads launchservices plist files
Source: /Users/vreni/Desktop/unpack/Dokument.app/Contents/MacOS/AppStore (PID: 453) | Launchservices plist file read: /Users/vreni/Library/Preferences/com.apple.LaunchServices.plist
Source: /Users/vreni/Desktop/unpack/Dokument.app/Contents/MacOS/AppStore (PID: 453) | Launchservices plist file read: /Users/vreni/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 460) | Launchservices plist file read: /Users/vreni/Library/Preferences/com.apple.LaunchServices.plist
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 460) | Launchservices plist file read: /Users/vreni/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
Reads user launchservices plist file containing default apps for corresponding filetypes
Source: /Users/vreni/Desktop/unpack/Dokument.app/Contents/MacOS/AppStore (PID: 453) | Preferences launchservices plist file read: /Users/vreni/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 460) | Preferences launchservices plist file read: /Users/vreni/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
Uses AppleScript framework/components containing Apple Script related functionalities
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 460) | AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 460) | AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 471) | AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 471) | AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist
Uses AppleScript scripting additions containing additional functionalities for Apple Scripts
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 460) | AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 460) | AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 471) | AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 471) | AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Writes 64-bit Mach-O files to disk
Source: /Users/vreni/Desktop/unpack/Dokument.app/Contents/MacOS/AppStore (PID: 453) | File written: /Users/Shared/AppStore.app/Contents/MacOS/AppStore
Writes certificate files to disk
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 471) | DER file created: /private/tmp/cert.der
Writes icon files to disk
Source: /Users/vreni/Desktop/unpack/Dokument.app/Contents/MacOS/AppStore (PID: 453) | File written: /Users/Shared/AppStore.app/Contents/Resources/AppIcon.icns
Changes permissions of common UNIX (system) binary directories
Source: /usr/bin/sudo (PID: 493) | Chmod directory: /bin/chmod -> /bin/chmod u+rwx /usr/local/bin
Source: /usr/bin/sudo (PID: 495) | Chmod directory: /bin/chmod -> /bin/chmod g+rwx /usr/local/bin
Source: /usr/bin/sudo (PID: 503) | Chmod directory: /bin/chmod -> /bin/chmod g+rwx /usr/local/Cellar /usr/local/Homebrew /usr/local/Frameworks /usr/local/etc /usr/local/include /usr/local/lib /usr/local/opt /usr/local/sbin /usr/local/share /usr/local/share/zsh /usr/local/share/zsh/site-functions /usr/local/var
Source: /usr/bin/sudo (PID: 505) | Chmod directory: /bin/chmod -> /bin/chmod 755 /usr/local/share/zsh /usr/local/share/zsh/site-functions
Source: /usr/bin/sudo (PID: 513) | Chmod directory: /bin/chmod -> /bin/chmod g+rwx /Users/vreni/Library/Caches/Homebrew
Source: /usr/bin/sudo (PID: 519) | Chmod directory: /bin/chmod -> /bin/chmod g+rwx /Library/Caches/Homebrew
Executes the "dsmemberutil" command used to retrieve user membership information
Source: /bin/sh (PID: 491) | Dsmemberutil executable: /usr/bin/dsmemberutil -> dsmemberutil checkmembership -U vreni -G admin
Executes the "rm" command used to delete files or directories
Source: /bin/bash (PID: 459) | Rm executable: /bin/rm -> rm -fR /Users/vreni/Downloads/Dokument.app
Executes the "softwareupdate" command used to check for new Apple related software and updates
Source: /bin/sh (PID: 527) | Softwareupdate executable: /usr/sbin/softwareupdate -> softwareupdate -l
Source: /usr/bin/sudo (PID: 545) | Softwareupdate executable: /usr/sbin/softwareupdate -> /usr/sbin/softwareupdate -i Command Line Tools (macOS El Capitan version 10.11) for Xcode-8.2
Executes the "sudo" command used to execute a command as another user
Source: /bin/bash (PID: 478) | Sudo executable: /usr/bin/sudo -> sudo -u vreni /usr/local/bin/brew -v
Source: /bin/bash (PID: 480) | Sudo executable: /usr/bin/sudo -> sudo -u vreni echo
Source: /bin/bash (PID: 481) | Sudo executable: /usr/bin/sudo -> sudo -u vreni /usr/bin/ruby -e #!/System/Library/Frameworks/Ruby.framework/Versions/Current/usr/bin/ruby# This script installs to /usr/local only. To install elsewhere you can just# untar https://github.com/Homebrew/brew/tarball/master anywhere you like or# change the value of HOMEBREW_PREFIX.HOMEBREW_PREFIX = '/usr/local'.freezeHOMEBREW_REPOSITORY = '/usr/local/Homebrew'.freezeHOMEBREW_CACHE = '#{ENV['HOME']}/Library/Caches/Homebrew'.freezeHOMEBREW_OLD_CACHE = '/Library/Caches/Homebrew'.freezeBREW_REPO = 'https://github.com/Homebrew/brew'.freezeCORE_TAP_REPO = 'https://github.com/Homebrew/homebrew-core'.freeze# no analytics during installationENV['HOMEBREW_NO_ANALYTICS_THIS_RUN'] = '1'ENV['HOMEBREW_NO_ANALYTICS_MESSAGE_OUTPUT'] = '1'module Tty module_function def blue bold 34 end def red bold 31 end def reset escape 0 end def bold(n = 39) escape '1 #{n}' end def underline escape '4 39' end def escape(n) '\033[#{n}m' if STDOU
Source: /bin/sh (PID: 489) | Sudo executable: /usr/bin/sudo -> /usr/bin/sudo -n -v
Source: /usr/bin/ruby (PID: 492) | Sudo executable: /usr/bin/sudo -> /usr/bin/sudo /bin/chmod u+rwx /usr/local/bin
Source: /usr/bin/ruby (PID: 494) | Sudo executable: /usr/bin/sudo -> /usr/bin/sudo /bin/chmod g+rwx /usr/local/bin
Source: /usr/bin/ruby (PID: 496) | Sudo executable: /usr/bin/sudo -> /usr/bin/sudo /usr/sbin/chown vreni /usr/local/bin
Source: /usr/bin/ruby (PID: 498) | Sudo executable: /usr/bin/sudo -> /usr/bin/sudo /usr/bin/chgrp admin /usr/local/bin
Source: /usr/bin/ruby (PID: 500) | Sudo executable: /usr/bin/sudo -> /usr/bin/sudo /bin/mkdir -p /usr/local/Cellar /usr/local/Homebrew /usr/local/Frameworks /usr/local/etc /usr/local/include /usr/local/lib /usr/local/opt /usr/local/sbin /usr/local/share /usr/local/share/zsh /usr/local/share/zsh/site-functions /usr/local/var
Source: /usr/bin/ruby (PID: 502) | Sudo executable: /usr/bin/sudo -> /usr/bin/sudo /bin/chmod g+rwx /usr/local/Cellar /usr/local/Homebrew /usr/local/Frameworks /usr/local/etc /usr/local/include /usr/local/lib /usr/local/opt /usr/local/sbin /usr/local/share /usr/local/share/zsh /usr/local/share/zsh/site-functions /usr/local/var
Source: /usr/bin/ruby (PID: 504) | Sudo executable: /usr/bin/sudo -> /usr/bin/sudo /bin/chmod 755 /usr/local/share/zsh /usr/local/share/zsh/site-functions
Source: /usr/bin/ruby (PID: 506) | Sudo executable: /usr/bin/sudo -> /usr/bin/sudo /usr/sbin/chown vreni /usr/local/Cellar /usr/local/Homebrew /usr/local/Frameworks /usr/local/etc /usr/local/include /usr/local/lib /usr/local/opt /usr/local/sbin /usr/local/share /usr/local/share/zsh /usr/local/share/zsh/site-functions /usr/local/var
Source: /usr/bin/ruby (PID: 508) | Sudo executable: /usr/bin/sudo -> /usr/bin/sudo /usr/bin/chgrp admin /usr/local/Cellar /usr/local/Homebrew /usr/local/Frameworks /usr/local/etc /usr/local/include /usr/local/lib /usr/local/opt /usr/local/sbin /usr/local/share /usr/local/share/zsh /usr/local/share/zsh/site-functions /usr/local/var
Source: /usr/bin/ruby (PID: 510) | Sudo executable: /usr/bin/sudo -> /usr/bin/sudo /bin/mkdir -p /Users/vreni/Library/Caches/Homebrew
Source: /usr/bin/ruby (PID: 512) | Sudo executable: /usr/bin/sudo -> /usr/bin/sudo /bin/chmod g+rwx /Users/vreni/Library/Caches/Homebrew
Source: /usr/bin/ruby (PID: 514) | Sudo executable: /usr/bin/sudo -> /usr/bin/sudo /usr/sbin/chown vreni /Users/vreni/Library/Caches/Homebrew
Source: /usr/bin/ruby (PID: 516) | Sudo executable: /usr/bin/sudo -> /usr/bin/sudo /bin/mkdir -p /Library/Caches/Homebrew
Source: /usr/bin/ruby (PID: 518) | Sudo executable: /usr/bin/sudo -> /usr/bin/sudo /bin/chmod g+rwx /Library/Caches/Homebrew
Source: /usr/bin/ruby (PID: 520) | Sudo executable: /usr/bin/sudo -> /usr/bin/sudo /usr/sbin/chown vreni /Library/Caches/Homebrew
Source: /usr/bin/ruby (PID: 524) | Sudo executable: /usr/bin/sudo -> /usr/bin/sudo /usr/bin/touch /tmp/.com.apple.dt.CommandLineTools.installondemand.in-progress
Source: /usr/bin/ruby (PID: 544) | Sudo executable: /usr/bin/sudo -> /usr/bin/sudo /usr/sbin/softwareupdate -i Command Line Tools (macOS El Capitan version 10.11) for Xcode-8.2
Executes the "xcode-select" command used to retrieve developer environment information
Source: /bin/sh (PID: 487) | Xcode-select executable: /usr/bin/xcode-select -> xcode-select --print-path
Source: /bin/sh (PID: 523) | Xcode-select executable: /usr/bin/xcode-select -> /usr/bin/xcode-select -print-path
Explicitly checks for user admin membership
Source: /bin/sh (PID: 491) | Dsmemberutil checkmembership of admin: /usr/bin/dsmemberutil -> dsmemberutil checkmembership -U vreni -G admin
Explicitly terminates browser processes
Source: /bin/bash (PID: 474) | Kills 'Safari' browser processes: killall Safari
Source: /bin/bash (PID: 475) | Kills 'Firefox' browser processes: killall firefox
Source: /bin/bash (PID: 476) | Kills 'Chrome' browser processes: killall Google Chrome
Installs Xcode Command Line Tools used for compiling software
Source: /usr/bin/ruby (PID: 544) | Installation of Xcode CLI tools: /usr/bin/sudo -> /usr/bin/sudo /usr/sbin/softwareupdate -i Command Line Tools (macOS El Capitan version 10.11) for Xcode-8.2
Source: /usr/bin/sudo (PID: 545) | Installation of Xcode CLI tools: /usr/sbin/softwareupdate -> /usr/sbin/softwareupdate -i Command Line Tools (macOS El Capitan version 10.11) for Xcode-8.2
Installs new Apple related software and updates
Source: /usr/bin/ruby (PID: 544) | Software installation: /usr/bin/sudo -> /usr/bin/sudo /usr/sbin/softwareupdate -i Command Line Tools (macOS El Capitan version 10.11) for Xcode-8.2
Source: /usr/bin/sudo (PID: 545) | Software installation: /usr/sbin/softwareupdate -> /usr/sbin/softwareupdate -i Command Line Tools (macOS El Capitan version 10.11) for Xcode-8.2
Many shell processes execute programs via the execve syscall (may be indicative of malicious behaviour)
Source: /bin/sh (PID: 471) | Shell process: /Users/Shared/AppStore.app/Contents/MacOS/AppStore
Source: /bin/sh (PID: 487) | Shell process: xcode-select --print-path
Source: /bin/sh (PID: 489) | Shell process: /usr/bin/sudo -n -v
Source: /bin/sh (PID: 491) | Shell process: dsmemberutil checkmembership -U vreni -G admin
Source: /bin/sh (PID: 523) | Shell process: /usr/bin/xcode-select -print-path
Source: /bin/sh (PID: 527) | Shell process: softwareupdate -l
Source: /bin/sh (PID: 528) | Shell process: grep -B 1 -E Command Line (Developer|Tools)
Source: /bin/sh (PID: 529) | Shell process: awk -F* /^ +\*/ {print $2}
Source: /bin/sh (PID: 530) | Shell process: sed s/^ *//
Source: /bin/sh (PID: 531) | Shell process: tail -n1
Terminates several processes with shell command 'killall'
Source: /bin/bash (PID: 474) | Killall command executed: killall Safari
Source: /bin/bash (PID: 475) | Killall command executed: killall firefox
Source: /bin/bash (PID: 476) | Killall command executed: killall Google Chrome

HIPS / PFW / Operating System Protection Evasion:

Reads the sysctl safe boot value (probably to check if the system is in safe boot mode)
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 460) | Sysctl read request: kern.safeboot (1.66)
Bypasses sudo password prompts by disabling it in the sudoers file
Source: /bin/bash (PID: 473) | File written: /private/etc/sudoers -> vreni ALL=(ALL) NOPASSWD: ALL.
Modifies the sudoers file used to configure command execution as another user
Source: /bin/bash (PID: 473) | File written: /private/etc/sudoers -> vreni ALL=(ALL) NOPASSWD: ALL.

Language, Device and Operating System Detection:

Reads the system or server version plist file
Source: /Users/vreni/Desktop/unpack/Dokument.app/Contents/MacOS/AppStore (PID: 453) | System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 460) | System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 471) | System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/sw_vers (PID: 490) | System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Queries OS software version with shell command 'sw_vers'
Source: /usr/bin/ruby (PID: 490) | sw_vers executed: /usr/bin/sw_vers -productVersion
Reads hardware related sysctl values
Source: /Users/vreni/Desktop/unpack/Dokument.app/Contents/MacOS/AppStore (PID: 453) | Sysctl read request: hw.ncpu (6.3)
Source: /Users/vreni/Desktop/unpack/Dokument.app/Contents/MacOS/AppStore (PID: 453) | Sysctl read request: hw.cpu_freq (6.15)
Source: /Users/vreni/Desktop/unpack/Dokument.app/Contents/MacOS/AppStore (PID: 453) | Sysctl read request: hw.availcpu (6.25)
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 460) | Sysctl read request: hw.ncpu (6.3)
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 460) | Sysctl read request: hw.cpu_freq (6.15)
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 460) | Sysctl read request: hw.availcpu (6.25)
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 471) | Sysctl read request: hw.ncpu (6.3)
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 471) | Sysctl read request: hw.cpu_freq (6.15)
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 471) | Sysctl read request: hw.availcpu (6.25)
Reads the kernel OS version value
Source: /Users/vreni/Desktop/unpack/Dokument.app/Contents/MacOS/AppStore (PID: 453) | Sysctl read request: kern.osversion (1.65)
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 460) | Sysctl read request: kern.osversion (1.65)
Source: /Users/Shared/AppStore.app/Contents/MacOS/AppStore (PID: 471) | Sysctl read request: kern.osversion (1.65)
Reads the system's OS release and/or type
Source: /usr/bin/curl (PID: 483) | Sysctl requested: kern.osrelease (1.2)
Source: /System/Library/SystemConfiguration/PrinterNotifications.bundle/Contents/MacOS/makequeues (PID: 533) | Sysctl requested: kern.ostype (1.1)
Source: /System/Library/SystemConfiguration/PrinterNotifications.bundle/Contents/MacOS/makequeues (PID: 533) | Sysctl requested: kern.osrelease (1.2)
Reads the system's hostname
Source: /bin/bash (PID: 455) | Sysctl requested: kern.hostname (1.10)
Source: /bin/bash (PID: 456) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 471) | Sysctl requested: kern.hostname (1.10)
Source: /bin/bash (PID: 473) | Sysctl requested: kern.hostname (1.10)
Source: /bin/bash (PID: 474) | Sysctl requested: kern.hostname (1.10)
Source: /bin/bash (PID: 475) | Sysctl requested: kern.hostname (1.10)
Source: /bin/bash (PID: 476) | Sysctl requested: kern.hostname (1.10)
Source: /bin/bash (PID: 477) | Sysctl requested: kern.hostname (1.10)
Source: /bin/bash (PID: 478) | Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 478) | Sysctl requested: kern.hostname (1.10)
Source: /bin/bash (PID: 479) | Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 480) | Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 481) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 486) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 488) | Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 489) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 491) | Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 492) | Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 494) | Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 496) | Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 498) | Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 500) | Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 502) | Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 504) | Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 506) | Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 508) | Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 510) | Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 512) | Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 514) | Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 516) | Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 518) | Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 520) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 522) | Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 524) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 526) | Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/sudo (PID: 544) | Sysctl requested: kern.hostname (1.10)
Source: /System/Library/SystemConfiguration/PrinterNotifications.bundle/Contents/MacOS/makequeues (PID: 533) | Sysctl requested: kern.hostname (1.10)

Stealing of Sensitive Information:

Executes the "security" command used to access the keychain
Source: /bin/bash (PID: 477) | Security executable: /usr/bin/security -> security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /tmp/cert.der
Imports (root) certificates into the system keychain, usually to intercept SSL traffic or bypass code integrity protections
Source: /bin/bash (PID: 477) | Certificate import: /usr/bin/security -> security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /tmp/cert.der
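Both signature hits above are the same command. `security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /tmp/cert.der` imports the certificate in /tmp/cert.der into the System keychain and, because of `-d`, records an admin-domain trust setting that makes it a trusted root for every user on the machine. Writing the admin domain needs root, which is why the command is issued from the AppStore process (PID 471) after it relaunched itself through security_authtrampoline, the setuid helper behind AuthorizationExecuteWithPrivileges. A root trusted this way lets a proxy holding the matching private key terminate HTTPS without certificate warnings in any client that consults the system trust store. Because a DER-encoded certificate's SHA-1 fingerprint is simply the SHA-1 of the DER bytes, the hash the sandbox recorded for /private/tmp/cert.der (ACE6C3FC42ACE412C3DCEE1C527D4CC12FE70D41) is directly comparable with the fingerprints that `security find-certificate -Z` prints. The script below is an added example of that hunt, not part of the Joe Sandbox report; it assumes the `SHA-1 hash:` line format of the macOS `security find-certificate -a -Z` output, and its test feeds a constructed keychain dump rather than a live machine.

```shell
#!/bin/sh
# Added example (not from the Joe Sandbox report): hunt for the root certificate
# that the sample trusts via
#   security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /tmp/cert.der
#
# A DER certificate file's SHA-1 is the certificate's SHA-1 fingerprint, so the
# sandbox's hash for /private/tmp/cert.der can be matched against the
# "SHA-1 hash: <40 hex>" lines printed by `security find-certificate -Z`.
# More fingerprints can be appended, comma-separated.
DOK_CERT_SHA1="ACE6C3FC42ACE412C3DCEE1C527D4CC12FE70D41"

# Read `security find-certificate -a -Z <keychain>` output on stdin and print every
# fingerprint that appears in the comma-separated deny list passed as $1.
# Matching is case-insensitive; the tool itself prints upper-case hex.
match_bad_fingerprints() {
    awk -v bad="$1" '
        BEGIN {
            n = split(bad, list, ",")
            for (i = 1; i <= n; i++) want[toupper(list[i])] = 1
        }
        # one "SHA-1 hash: <fingerprint>" line is emitted per certificate
        $1 == "SHA-1" && $2 == "hash:" {
            fp = toupper($3)
            if (fp in want) print fp
        }
    '
}

# Live check of the System keychain (needs macOS security(1), run as root).
# Returns 0 when no known-bad fingerprint is present, 1 when one is,
# 2 when the tool is unavailable (e.g. on a Linux analysis box).
audit_system_keychain() {
    if ! command -v security >/dev/null 2>&1; then
        echo "security(1) not found; not a macOS host" >&2
        return 2
    fi
    hits=$(security find-certificate -a -Z /Library/Keychains/System.keychain \
           | match_bad_fingerprints "$DOK_CERT_SHA1")
    if [ -n "$hits" ]; then
        echo "known-bad root present in System keychain:"
        echo "$hits"
        # -d added the trust setting to the admin domain; list it for removal.
        echo "--- admin-domain trust settings (review every unexpected root) ---"
        security dump-trust-settings -d
        return 1
    fi
    echo "no known-bad fingerprint in System keychain"
    return 0
}

# Usage on a suspect Mac:  sudo sh this_script.sh && audit_system_keychain
```

A hit is cleaned up in two steps: clear the trust setting (`security remove-trusted-cert -d <cert-file>`, exporting the certificate first with `security find-certificate -Z <fingerprint> -p`), then delete the certificate itself with `security delete-certificate -Z <fingerprint> /Library/Keychains/System.keychain`. Run the same fingerprint match against each user's login keychain as well; the identical command without `-d` plants the root per user, which this report's System-keychain check would miss.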


Runtime Messages

Command: open
Exit code: 0
Killed: False
Standard Output:
Standard Error:

Yara Overview

No Yara matches

Startup

  • system is mac1
  • xpcproxy (PID: 453 PPID: 1 MD5: d68b4c6f2056c73e1d3bd228bcd6d4ff)
  • AppStore (PID: 453 PPID: 1 Overlayed Process Image: xpcproxy MD5: 14c1cd9c5f263d5ba988838e0c3e3cf6)
    • bash (PID: 455 PPID: 453 MD5: 5d7583d80e5314ac844eedc6d68c6cd7)
    • chmod (PID: 455 PPID: 453 Overlayed Process Image: bash MD5: ecb64579c6dd0ebee31bf8e4d4cdcc6e)
    • bash (PID: 456 PPID: 453 MD5: 5d7583d80e5314ac844eedc6d68c6cd7)
      • bash (PID: 457 PPID: 456 MD5: 5d7583d80e5314ac844eedc6d68c6cd7)
      • sleep (PID: 457 PPID: 456 Overlayed Process Image: bash MD5: a5566195e03cbb7d5df309767a4231ae)
      • bash (PID: 459 PPID: 456 MD5: 5d7583d80e5314ac844eedc6d68c6cd7)
      • rm (PID: 459 PPID: 456 Overlayed Process Image: bash MD5: e8926d2347850b76f57a1d5f0226de8b)
      • bash (PID: 460 PPID: 456 MD5: 5d7583d80e5314ac844eedc6d68c6cd7)
      • AppStore (PID: 460 PPID: 456 Overlayed Process Image: bash MD5: 14c1cd9c5f263d5ba988838e0c3e3cf6)
        • AppStore (PID: 471 PPID: 460 MD5: 14c1cd9c5f263d5ba988838e0c3e3cf6)
        • security_authtrampoline (PID: 471 PPID: 460 Overlayed Process Image: AppStore MD5: 34db24049f929d8372cbdf52d770b98d)
        • uid (PID: 471 PPID: 460 Overlayed Process Image: security_authtrampoline MD5: 1276a2f702f871b34410af3858bd9cb0)
        • uid (PID: 471 PPID: 460 Overlayed Process Image: uid MD5: 1276a2f702f871b34410af3858bd9cb0)
        • sh (PID: 471 PPID: 460 Overlayed Process Image: uid MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • AppStore (PID: 471 PPID: 460 Overlayed Process Image: sh MD5: 14c1cd9c5f263d5ba988838e0c3e3cf6)
          • bash (PID: 473 PPID: 471 MD5: 5d7583d80e5314ac844eedc6d68c6cd7)
          • bash (PID: 474 PPID: 471 MD5: 5d7583d80e5314ac844eedc6d68c6cd7)
          • killall (PID: 474 PPID: 471 Overlayed Process Image: bash MD5: e27cce82be3cba31a2486d00964d1c5e)
          • bash (PID: 475 PPID: 471 MD5: 5d7583d80e5314ac844eedc6d68c6cd7)
          • killall (PID: 475 PPID: 471 Overlayed Process Image: bash MD5: e27cce82be3cba31a2486d00964d1c5e)
          • bash (PID: 476 PPID: 471 MD5: 5d7583d80e5314ac844eedc6d68c6cd7)
          • killall (PID: 476 PPID: 471 Overlayed Process Image: bash MD5: e27cce82be3cba31a2486d00964d1c5e)
          • bash (PID: 477 PPID: 471 MD5: 5d7583d80e5314ac844eedc6d68c6cd7)
          • security (PID: 477 PPID: 471 Overlayed Process Image: bash MD5: 6323b6bd0865d2300eb65a512f8c560c)
          • bash (PID: 478 PPID: 471 MD5: 5d7583d80e5314ac844eedc6d68c6cd7)
          • sudo (PID: 478 PPID: 471 Overlayed Process Image: bash MD5: 7d986f7707c0f11264989cd7105ea80d)
          • bash (PID: 479 PPID: 471 MD5: 5d7583d80e5314ac844eedc6d68c6cd7)
            • bash (PID: 480 PPID: 479 MD5: 5d7583d80e5314ac844eedc6d68c6cd7)
            • sudo (PID: 480 PPID: 479 Overlayed Process Image: bash MD5: 7d986f7707c0f11264989cd7105ea80d)
            • bash (PID: 481 PPID: 479 MD5: 5d7583d80e5314ac844eedc6d68c6cd7)
            • sudo (PID: 481 PPID: 479 Overlayed Process Image: bash MD5: 7d986f7707c0f11264989cd7105ea80d)
              • bash (PID: 482 PPID: 481 MD5: 5d7583d80e5314ac844eedc6d68c6cd7)
                • bash (PID: 483 PPID: 482 MD5: 5d7583d80e5314ac844eedc6d68c6cd7)
                • curl (PID: 483 PPID: 482 Overlayed Process Image: bash MD5: 313ae871e04221163541c8af134351dc)
              • sudo (PID: 485 PPID: 481 MD5: 7d986f7707c0f11264989cd7105ea80d)
              • ruby (PID: 485 PPID: 481 Overlayed Process Image: sudo MD5: 025474bbddd98fccd7ac0bb0ca2cedfb)
                • ruby (PID: 486 PPID: 485 MD5: 025474bbddd98fccd7ac0bb0ca2cedfb)
                • sh (PID: 486 PPID: 485 Overlayed Process Image: ruby MD5: 2cc3c26641112c1bd0173f396b7d7662)
                  • sh (PID: 487 PPID: 486 MD5: 2cc3c26641112c1bd0173f396b7d7662)
                  • xcode-select (PID: 487 PPID: 486 Overlayed Process Image: sh MD5: 76ba5af4fe69e97c43f99fed107a28c7)
                • ruby (PID: 488 PPID: 485 MD5: 025474bbddd98fccd7ac0bb0ca2cedfb)
                • sh (PID: 488 PPID: 485 Overlayed Process Image: ruby MD5: 2cc3c26641112c1bd0173f396b7d7662)
                  • sh (PID: 489 PPID: 488 MD5: 2cc3c26641112c1bd0173f396b7d7662)
                  • sudo (PID: 489 PPID: 488 Overlayed Process Image: sh MD5: 7d986f7707c0f11264989cd7105ea80d)
                • ruby (PID: 490 PPID: 485 MD5: 025474bbddd98fccd7ac0bb0ca2cedfb)
                • sw_vers (PID: 490 PPID: 485 Overlayed Process Image: ruby MD5: b1668c2003c554a75688384652e92e2b)
                • ruby (PID: 491 PPID: 485 MD5: 025474bbddd98fccd7ac0bb0ca2cedfb)
                • sh (PID: 491 PPID: 485 Overlayed Process Image: ruby MD5: 2cc3c26641112c1bd0173f396b7d7662)
                • dsmemberutil (PID: 491 PPID: 485 Overlayed Process Image: sh MD5: ee7f8596baee8869a0330e10d1d4682e)
                • ruby (PID: 492 PPID: 485 MD5: 025474bbddd98fccd7ac0bb0ca2cedfb)
                • sudo (PID: 492 PPID: 485 Overlayed Process Image: ruby MD5: 7d986f7707c0f11264989cd7105ea80d)
                  • sudo (PID: 493 PPID: 492 MD5: 7d986f7707c0f11264989cd7105ea80d)
                  • chmod (PID: 493 PPID: 492 Overlayed Process Image: sudo MD5: ecb64579c6dd0ebee31bf8e4d4cdcc6e)
                • ruby (PID: 494 PPID: 485 MD5: 025474bbddd98fccd7ac0bb0ca2cedfb)
                • sudo (PID: 494 PPID: 485 Overlayed Process Image: ruby MD5: 7d986f7707c0f11264989cd7105ea80d)
                  • sudo (PID: 495 PPID: 494 MD5: 7d986f7707c0f11264989cd7105ea80d)
                  • chmod (PID: 495 PPID: 494 Overlayed Process Image: sudo MD5: ecb64579c6dd0ebee31bf8e4d4cdcc6e)
                • ruby (PID: 496 PPID: 485 MD5: 025474bbddd98fccd7ac0bb0ca2cedfb)
                • sudo (PID: 496 PPID: 485 Overlayed Process Image: ruby MD5: 7d986f7707c0f11264989cd7105ea80d)
                  • sudo (PID: 497 PPID: 496 MD5: 7d986f7707c0f11264989cd7105ea80d)
                  • chown (PID: 497 PPID: 496 Overlayed Process Image: sudo MD5: 47316ddabc9edbd8cc56ebc2efd31ecd)
                • ruby (PID: 498 PPID: 485 MD5: 025474bbddd98fccd7ac0bb0ca2cedfb)
                • sudo (PID: 498 PPID: 485 Overlayed Process Image: ruby MD5: 7d986f7707c0f11264989cd7105ea80d)
                  • sudo (PID: 499 PPID: 498 MD5: 7d986f7707c0f11264989cd7105ea80d)
                  • chgrp (PID: 499 PPID: 498 Overlayed Process Image: sudo MD5: ab6f212adbfd7640558e0d9e42464cf1)
                • ruby (PID: 500 PPID: 485 MD5: 025474bbddd98fccd7ac0bb0ca2cedfb)
                • sudo (PID: 500 PPID: 485 Overlayed Process Image: ruby MD5: 7d986f7707c0f11264989cd7105ea80d)
                  • sudo (PID: 501 PPID: 500 MD5: 7d986f7707c0f11264989cd7105ea80d)
                  • mkdir (PID: 501 PPID: 500 Overlayed Process Image: sudo MD5: 00efa095a9110a312bf9115afb361764)
                • ruby (PID: 502 PPID: 485 MD5: 025474bbddd98fccd7ac0bb0ca2cedfb)
                • sudo (PID: 502 PPID: 485 Overlayed Process Image: ruby MD5: 7d986f7707c0f11264989cd7105ea80d)
                  • sudo (PID: 503 PPID: 502 MD5: 7d986f7707c0f11264989cd7105ea80d)
                  • chmod (PID: 503 PPID: 502 Overlayed Process Image: sudo MD5: ecb64579c6dd0ebee31bf8e4d4cdcc6e)
                • ruby (PID: 504 PPID: 485 MD5: 025474bbddd98fccd7ac0bb0ca2cedfb)
                • sudo (PID: 504 PPID: 485 Overlayed Process Image: ruby MD5: 7d986f7707c0f11264989cd7105ea80d)
                  • sudo (PID: 505 PPID: 504 MD5: 7d986f7707c0f11264989cd7105ea80d)
                  • chmod (PID: 505 PPID: 504 Overlayed Process Image: sudo MD5: ecb64579c6dd0ebee31bf8e4d4cdcc6e)
                • ruby (PID: 506 PPID: 485 MD5: 025474bbddd98fccd7ac0bb0ca2cedfb)
                • sudo (PID: 506 PPID: 485 Overlayed Process Image: ruby MD5: 7d986f7707c0f11264989cd7105ea80d)
                  • sudo (PID: 507 PPID: 506 MD5: 7d986f7707c0f11264989cd7105ea80d)
                  • chown (PID: 507 PPID: 506 Overlayed Process Image: sudo MD5: 47316ddabc9edbd8cc56ebc2efd31ecd)
                • ruby (PID: 508 PPID: 485 MD5: 025474bbddd98fccd7ac0bb0ca2cedfb)
                • sudo (PID: 508 PPID: 485 Overlayed Process Image: ruby MD5: 7d986f7707c0f11264989cd7105ea80d)
                  • sudo (PID: 509 PPID: 508 MD5: 7d986f7707c0f11264989cd7105ea80d)
                  • chgrp (PID: 509 PPID: 508 Overlayed Process Image: sudo MD5: ab6f212adbfd7640558e0d9e42464cf1)
                • ruby (PID: 510 PPID: 485 MD5: 025474bbddd98fccd7ac0bb0ca2cedfb)
                • sudo (PID: 510 PPID: 485 Overlayed Process Image: ruby MD5: 7d986f7707c0f11264989cd7105ea80d)
                  • sudo (PID: 511 PPID: 510 MD5: 7d986f7707c0f11264989cd7105ea80d)
                  • mkdir (PID: 511 PPID: 510 Overlayed Process Image: sudo MD5: 00efa095a9110a312bf9115afb361764)
                • ruby (PID: 512 PPID: 485 MD5: 025474bbddd98fccd7ac0bb0ca2cedfb)
                • sudo (PID: 512 PPID: 485 Overlayed Process Image: ruby MD5: 7d986f7707c0f11264989cd7105ea80d)
                  • sudo (PID: 513 PPID: 512 MD5: 7d986f7707c0f11264989cd7105ea80d)
                  • chmod (PID: 513 PPID: 512 Overlayed Process Image: sudo MD5: ecb64579c6dd0ebee31bf8e4d4cdcc6e)
                • ruby (PID: 514 PPID: 485 MD5: 025474bbddd98fccd7ac0bb0ca2cedfb)
                • sudo (PID: 514 PPID: 485 Overlayed Process Image: ruby MD5: 7d986f7707c0f11264989cd7105ea80d)
                  • sudo (PID: 515 PPID: 514 MD5: 7d986f7707c0f11264989cd7105ea80d)
                  • chown (PID: 515 PPID: 514 Overlayed Process Image: sudo MD5: 47316ddabc9edbd8cc56ebc2efd31ecd)
                • ruby (PID: 516 PPID: 485 MD5: 025474bbddd98fccd7ac0bb0ca2cedfb)
                • sudo (PID: 516 PPID: 485 Overlayed Process Image: ruby MD5: 7d986f7707c0f11264989cd7105ea80d)
                  • sudo (PID: 517 PPID: 516 MD5: 7d986f7707c0f11264989cd7105ea80d)
                  • mkdir (PID: 517 PPID: 516 Overlayed Process Image: sudo MD5: 00efa095a9110a312bf9115afb361764)
                • ruby (PID: 518 PPID: 485 MD5: 025474bbddd98fccd7ac0bb0ca2cedfb)
                • sudo (PID: 518 PPID: 485 Overlayed Process Image: ruby MD5: 7d986f7707c0f11264989cd7105ea80d)
                  • sudo (PID: 519 PPID: 518 MD5: 7d986f7707c0f11264989cd7105ea80d)
                  • chmod (PID: 519 PPID: 518 Overlayed Process Image: sudo MD5: ecb64579c6dd0ebee31bf8e4d4cdcc6e)
                • ruby (PID: 520 PPID: 485 MD5: 025474bbddd98fccd7ac0bb0ca2cedfb)
                • sudo (PID: 520 PPID: 485 Overlayed Process Image: ruby MD5: 7d986f7707c0f11264989cd7105ea80d)
                  • sudo (PID: 521 PPID: 520 MD5: 7d986f7707c0f11264989cd7105ea80d)
                  • chown (PID: 521 PPID: 520 Overlayed Process Image: sudo MD5: 47316ddabc9edbd8cc56ebc2efd31ecd)
                • ruby (PID: 522 PPID: 485 MD5: 025474bbddd98fccd7ac0bb0ca2cedfb)
                • sh (PID: 522 PPID: 485 Overlayed Process Image: ruby MD5: 2cc3c26641112c1bd0173f396b7d7662)
                  • sh (PID: 523 PPID: 522 MD5: 2cc3c26641112c1bd0173f396b7d7662)
                  • xcode-select (PID: 523 PPID: 522 Overlayed Process Image: sh MD5: 76ba5af4fe69e97c43f99fed107a28c7)
                • ruby (PID: 524 PPID: 485 MD5: 025474bbddd98fccd7ac0bb0ca2cedfb)
                • sudo (PID: 524 PPID: 485 Overlayed Process Image: ruby MD5: 7d986f7707c0f11264989cd7105ea80d)
                  • sudo (PID: 525 PPID: 524 MD5: 7d986f7707c0f11264989cd7105ea80d)
                  • touch (PID: 525 PPID: 524 Overlayed Process Image: sudo MD5: 6e95af6ebd7fd2dd9a0e26654024db31)
                • ruby (PID: 526 PPID: 485 MD5: 025474bbddd98fccd7ac0bb0ca2cedfb)
                • sh (PID: 526 PPID: 485 Overlayed Process Image: ruby MD5: 2cc3c26641112c1bd0173f396b7d7662)
                  • sh (PID: 527 PPID: 526 MD5: 2cc3c26641112c1bd0173f396b7d7662)
                  • softwareupdate (PID: 527 PPID: 526 Overlayed Process Image: sh MD5: 147d9c83c6ae3255f29df22ef991e4b0)
                  • sh (PID: 528 PPID: 526 MD5: 2cc3c26641112c1bd0173f396b7d7662)
                  • grep (PID: 528 PPID: 526 Overlayed Process Image: sh MD5: f7fe9c4af9294f2949377a12244b3d60)
                  • sh (PID: 529 PPID: 526 MD5: 2cc3c26641112c1bd0173f396b7d7662)
                  • awk (PID: 529 PPID: 526 Overlayed Process Image: sh MD5: f3018baf92b308f79410d303b5186198)
                  • sh (PID: 530 PPID: 526 MD5: 2cc3c26641112c1bd0173f396b7d7662)
                  • sed (PID: 530 PPID: 526 Overlayed Process Image: sh MD5: 824cf059686109372fe70bf8d9c320dd)
                  • sh (PID: 531 PPID: 526 MD5: 2cc3c26641112c1bd0173f396b7d7662)
                  • tail (PID: 531 PPID: 526 Overlayed Process Image: sh MD5: 7881a115760ba2573406cb73d2368971)
                • ruby (PID: 544 PPID: 485 MD5: 025474bbddd98fccd7ac0bb0ca2cedfb)
                • sudo (PID: 544 PPID: 485 Overlayed Process Image: ruby MD5: 7d986f7707c0f11264989cd7105ea80d)
                  • sudo (PID: 545 PPID: 544 MD5: 7d986f7707c0f11264989cd7105ea80d)
                  • softwareupdate (PID: 545 PPID: 544 Overlayed Process Image: sudo MD5: 147d9c83c6ae3255f29df22ef991e4b0)
  • sfltool (PID: 462 PPID: 221 Overlayed Process Image: sharedfilelistd MD5: 0ced48308860d34b0e0b304d9033b6b7)
  • sfltool (PID: 463 PPID: 221 Overlayed Process Image: sharedfilelistd MD5: 0ced48308860d34b0e0b304d9033b6b7)
  • sfltool (PID: 464 PPID: 221 Overlayed Process Image: sharedfilelistd MD5: 0ced48308860d34b0e0b304d9033b6b7)
  • sudo (PID: 484 PPID: 480 MD5: 7d986f7707c0f11264989cd7105ea80d)
  • echo (PID: 484 PPID: 480 Overlayed Process Image: sudo MD5: 28aaba1826ce568b1eec9cf71ad0655c)
  • xpcproxy (PID: 532 PPID: 1 MD5: d68b4c6f2056c73e1d3bd228bcd6d4ff)
  • nsurlstoraged (PID: 532 PPID: 1 Overlayed Process Image: xpcproxy MD5: 6eeb0dc54f68a7a875397231838f2722)
  • makequeues (PID: 533 PPID: 333 MD5: 52700eaa5f13fa131c164b6b13cedad1)
  • xpcproxy (PID: 535 PPID: 1 MD5: d68b4c6f2056c73e1d3bd228bcd6d4ff)
  • diskmanagementd (PID: 535 PPID: 1 Overlayed Process Image: xpcproxy MD5: f6e81fe9e88497039d345998358093f9)
  • automount (PID: 543 PPID: 83 MD5: e352828696a852f80b71a44c7e9aa012)
  • cleanup

Created / dropped Files

File Path | Type and Hashes (MD5, SHA-1, SHA-256, SHA-512) | Malicious
/Library/Keychains/System.keychain.sb-d1708791-co9eCV
  • Type: data
  • MD5: 2268BABF41C33DE24C5D0CC953171349
  • SHA: D1E029318CF355BA66CE71E9166F49110E59C4E7
  • SHA-256: B4A81F206E228AB335485D611AEE18A64FF7EAC43837392D3F48F13355106494
  • SHA-512: ADEBBD9BB9DC7D4A23008D84A21D5EADB7FA26BB21C58DE15FBC083047EB0B79CF3C89A2E0C5A1F4BEA3839A41B027072EEBA5D02D4D0E608039EC21695C2A30
  • Malicious: false
/Library/Printers/InstalledPrinters.plist
  • Type: XML document text
  • MD5: 8F5A47E2E1F0077C8D5EA44FDE776C31
  • SHA: 1FC7A20B52163FCAD2507955BA01FA16DDB1E3A4
  • SHA-256: 228557615228AF28A0A60641E70F2621752905ECF77EC416B13654676C745816
  • SHA-512: FDFA88F2343D026DD1FFD95C53CF10F324E3B35C0F383B948BDB5A36E09054F383EC896628473F84E49250785ABAAEB8865512C0945EF32C57A9DFB4AD5E9833
  • Malicious: false
/Users/Shared/AppStore.app/Contents/Info.plist
  • Type: XML document text
  • MD5: 254128B15F6E55B6DC35F8645BA7D8DA
  • SHA: CCA7C130E5C3D77B97874DB404F4B07E9AB7C070
  • SHA-256: 9C5F9EE4235A15389A71D1021F5DF8D329B11D4427BA8D7E8960492FCD16F9AC
  • SHA-512: 44C8302EBC76EA8B8652B6FE0BA1B59B5C37FDD00B7ECDE578524856C8D0028FF0A2C383DE366E64BA43F4E87741D1289B0E48A143A78942FE96A1C595CB96D2
  • Malicious: false
/Users/Shared/AppStore.app/Contents/MacOS/AppStore
  • Type: Mach-O 64-bit executable
  • MD5: 14C1CD9C5F263D5BA988838E0C3E3CF6
  • SHA: D9685BEA995E57AE89D10122CB76022554179FF7
  • SHA-256: 4131D4737FE8DFE66D407BFD0A0DF18A4A77B89347471CC012DA8EFC93C661A5
  • SHA-512: C27EEE021D7F6EECF8C4D1E3193C10C888ACC010800484B57A00356347640838FAC58EB272041D2CAEE953F371B06BAE1AD8994719CD2960C1861178DA8D0634
  • Malicious: true
/Users/Shared/AppStore.app/Contents/PkgInfo
  • Type: ASCII text, with no line terminators
  • MD5: 23B7D7D024ABB0F558420E098800BF27
  • SHA: 9F9EEA0CFE2D65F2C3D6B092E375B40782D08F31
  • SHA-256: 82502191C9484B04D685374F9879A0066069C49B8ACAE7A04B01D38D07E8ECA0
  • SHA-512: F77D501528DD0CED155C80406CFBEE38D5D3649B64D2A9324F3D6CEE39491EB8F54CDEBAE49C6E21A20D2309D8FAE1B01C41631224811E73483DB25A2695738C
  • Malicious: false
/Users/Shared/AppStore.app/Contents/Resources/AppIcon.icns
  • Type: data
  • MD5: 0EB3D0406A86558D0B827BF7689764B5
  • SHA: A917E697A84B275D19B21AC1E17DB1019F03424C
  • SHA-256: 6FAD33BDB2A180EFF845EAA24557E625E16E23C16025BE441EAC2B082C304B30
  • SHA-512: 8BA6509C29E336063F4265407637FAE4AB12D219733F28F5FB99D12A3F93DF6E16E5532763CCBE0746002D77877759A724B2F2A7FBAFDEAB4D40CBC02DFC401F
  • Malicious: false
/Users/Shared/AppStore.app/Contents/Resources/Base.lproj/MainMenu.nib
  • Type: Apple binary property list
  • MD5: 7634CC9E79E4E1244EF1512FF6863C29
  • SHA: 5B613F6B7AD54B6657E54DB77FE9B0D8E689D14E
  • SHA-256: 30684F37131F65BF6858FAF8B6E252D8A8E77D624BF34BDC0E95EEE6C2582212
  • SHA-512: B106A67F6EB4BE9D0F80182981AB5B526EA2672B67619C7906C8FD6D26E00A559EA8F24C51FF6C5C1FBE9D24AD91814DCADA7C68C3AAE4C770AD21993F2374DE
  • Malicious: false
/Users/Shared/AppStore.app/Contents/Resources/appstore.tiff
  • Type: TIFF image data, big-endian
  • MD5: 9ED868C085D1AFA7F988241C19460341
  • SHA: 4F5D1AF1DBBD7BB395D169BA4E340C3D69CA49B3
  • SHA-256: B7444529369704258A6225177CD457D510635F93E0195ABE5DC8DA43F6B50DC8
  • SHA-512: 881B70CCD3A5ECA2176FD8566C109377F87FDF5AB77488D3A2B907AB3BFAC04454229EB21CC361C54E092D478C34D7AA096356646BD3716AA8A7A3D60EF92483
  • Malicious: false
/Users/Shared/AppStore.app/Contents/Resources/de.lproj/MainMenu.strings
  • Type: UTF-8 Unicode C program text, with very long lines
  • MD5: A1FBC97F1F1D8D46722D1116CD3A815C
  • SHA: FEA245DD7810297D5014E950A49355F1FB847C09
  • SHA-256: 57989A8D4B181E5AEDDE75BE00744F98127D685F12DE231279EEC787B9B51173
  • SHA-512: 9F48DC79D69A03578A943F07DD72B8FB46853EAC66BA47E33AA4AF66CEF4B0CC6DD193605B6F2B4EFC1369CF4C8F78F01A894C207F08F08E05DE667DADA5A6AA
  • Malicious: false
/Users/Shared/AppStore.app/Contents/Resources/en.lproj/MainMenu.strings
  • Type: UTF-8 Unicode C program text, with very long lines
  • MD5: 5E530CB36C0FC065D532FAFA3E09DF04
  • SHA: A60C850182D418E1DE8C79E033B0F28194F55FE7
  • SHA-256: 5A72E0ED092622234A7957093D93A7F4C1ED8076C2D8636FE04400CACA73755C
  • SHA-512: F731E94BCA73615B30847CF7DDD3225B005127952C0E22AF6BE77FBE49339C8D00D3064B649C01259CEA996E74D4A5FAB940F4BEB3F239F8FD6D273F0412A2DF
  • Malicious: false
/Users/Shared/AppStore.app/Contents/_CodeSignature/CodeResources
  • Type: XML document text
  • MD5: 8E7DD58A654D74089AC10C738AFFDFE7
  • SHA: 5F1A505764CDB19B50A5663C2A42D7D2683B0995
  • SHA-256: BFB3ECE332CE00FED431EB7C94C35A25EFA1470182C8D47586D6D6E141564B01
  • SHA-512: ADDA56919A65BBE021590A2E93248D44DCF637AB0C27D0153A9E4E831501A079E694A4A78FF3EAF94E7E186E2C75C4C13215D44387594889091E074822CCFBB1
  • Malicious: false
/dev/null
  • Type: ASCII English text
  • MD5: CA351A6C592866CC63F8F30541DA8B43
  • SHA: 223C23B54B298B3639DDE6E537AA8181E0F32872
  • SHA-256: 7EAF1567030667B9596FE67ED12D75D8FEF5DFA948C1299ED70C63AF86208176
  • SHA-512: 8EB3CCDC6663C95FEDA1DC3B6F126ABD5BA82C96F2B18D2BD7835F120F6456CB20B6837AC1CB8AAE8B59C1EA69871DBC876589DF1B7C28B281BDE01F0265C4F6
  • Malicious: true
/private/etc/sudoers
  • Type: ASCII text
  • MD5: FED93EC06340BDEECA51A8F2A9B8E641
  • SHA: B84C03F1AD143F2829BE996C024E0FC2F5F76AEB
  • SHA-256: 6F76A95EDDB81615FA71294FDFE84F89C9ABFA8AE6BA51D882FFCD779F081CB7
  • SHA-512: D40B7822B45B7235763F9F03942873E91855396FE839F12266263B31A7BE67D8DF769BF257C4AAB030EBCA0A43F41F658B1CEB9B19F250949CBFDD815EE0C359
  • Malicious: true
/private/tmp/.dat.nosync01cc.kN1IYD
  • Type: XML document text
  • MD5: 109FA4BF29ED7E8E59C4CE186173001A
  • SHA: 9C1FB37D5D819A224B5DF571EF3FB7339B742CB9
  • SHA-256: FB012527935D3614C80AC26B897680208F6EFF01A967D01DB6BC0D9A9BDC0AAE
  • SHA-512: 94007157D41BE3D634900AA2C19E68874E13F9C281615AE02BDB0A8075D99250E36E801470C8FF49BA878C232383616E2A27A1CAAF738704071D15480BDA3C98
  • Malicious: false
/private/tmp/.dat.nosync01cc.r9KKsW
  • Type: XML document text
  • MD5: 86930A0DA1A68478767B2B3B939B31FF
  • SHA: 06DFABDF04FB7D9697D70E3D99F78D143F48CFB1
  • SHA-256: 1F4AD138BA7D461A18989F0622305BCE044CBE0FFE20A5A24E9E3EDCCAB699AE
  • SHA-512: 31A5106D8BD952986C4978E8DDBE2DEA67725D856E518C65A94B7DA96C410FF42779FF2BCA146D326F70B261B77F3B375ACD8C9943CFE680A01A274B36A35810
  • Malicious: false
/private/tmp/cert.der
  • Type: data
  • MD5: C6C84C35129187DBD80203554632F585
  • SHA: ACE6C3FC42ACE412C3DCEE1C527D4CC12FE70D41
  • SHA-256: 7513EDAD60F826B588B6C8E202C30E114B1586BBAD30125191109A3F56443296
  • SHA-512: 09C7B836EA45669B36C476A37D5D06F8320255B823EF5A88D84534A7C5C2F96E28F41767FE4C69842D687FCAAFD9DB1AC7EA57076CA1FC0C9C93DE0FB5AABFA5
  • Malicious: false
/private/var/folders/rz/z4lzdb9n2yg9fdd643nf823w0000gn/T/tmp.Jm8JGU
  • Type: data
  • MD5: D876C29448080FD81B7B5BFB0C371156
  • SHA: F8184C414C6E8C7A81757FA1699CFB50EC579208
  • SHA-256: C21DA9A08BFCB56121959ECFAB4AB0EA0348E7B8A0C6989F1FC50807C60BC7E8
  • SHA-512: 473CA222FFD7E932AF71A02F98BF3C1450E3B3C3B95D20C2CC7B94463A97C3C375305B86170C93B6E85CE56C32EF54A2094D495DB4B2AE7BE4E92807AEBFF3AA
  • Malicious: false
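Among the dropped files, /private/etc/sudoers is flagged as modified and malicious: the sample rewrote the sudo policy, but the report records only the hashes of the new file, not what was appended. The question an incident responder has to answer from the file itself is whether a password-less or blanket grant was added. The function below is an added example for that triage, not part of the Joe Sandbox report; it assumes the stock El Capitan policy grants `ALL=(ALL) ALL` only to `root` and `%admin` and reports everything beyond that, NOPASSWD rules, Defaults lines that disable authentication, and include directives that pull rules from other files. Its test runs over a constructed sudoers sample.

```shell
#!/bin/sh
# Added example (not from the Joe Sandbox report): triage a sudoers file that a sandbox
# run or an endpoint agent has flagged as modified, printing one "TAG: rule" line per
# finding. The allow-list (root and %admin may hold ALL=(ALL) ALL) is the stock
# El Capitan policy; adjust it for fleets that legitimately grant more.

flag_sudoers_grants() {
    awk '
        # include directives are checked on the raw line, before the comment
        # stripper below would swallow "#include" / "#includedir"
        /^[ \t]*[#@]include(dir)?[ \t]/ { print "INCLUDE: " $0; next }
        {
            rule = $0
            sub(/#.*/, "", rule)                       # drop trailing comments
            sub(/^[ \t]+/, "", rule); sub(/[ \t]+$/, "", rule)
        }
        rule == "" { next }
        # Defaults that remove the password prompt entirely or make it never expire
        rule ~ /^Defaults/ && rule ~ /!authenticate|timestamp_timeout[ \t]*=[ \t]*-1/ {
            print "DEFAULTS: " rule; next
        }
        rule ~ /^(Defaults|User_Alias|Runas_Alias|Host_Alias|Cmnd_Alias)/ { next }
        rule ~ /NOPASSWD/ { print "NOPASSWD: " rule; next }
        # "<who> ALL=(ALL) ALL" or "<who> ALL=(ALL:ALL) ALL" for anyone outside the stock set
        rule ~ /[ \t]ALL[ \t]*=[ \t]*\(ALL(:ALL)?\)[ \t]+ALL$/ {
            split(rule, f, /[ \t]+/)
            if (f[1] != "root" && f[1] != "%admin") print "FULL-ALL: " rule
        }
    '
}

# Live check: audit_sudoers [path]   (reading /etc/sudoers requires root)
# Returns 1 when there are findings, 0 when the policy matches the stock shape.
audit_sudoers() {
    file="${1:-/etc/sudoers}"
    findings=$(flag_sudoers_grants < "$file")
    if [ -n "$findings" ]; then
        echo "$findings"
        return 1
    fi
    echo "no unexpected grants in $file"
    return 0
}
```

`visudo -c -f /etc/sudoers` only checks syntax, so a syntactically valid NOPASSWD grant passes it; this check is about policy. Follow any INCLUDE finding into the referenced directory, since an implant can hide its rule there instead of in the main file, and confirm the effective result with `sudo -l -U <user>`.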

Contacted Domains/Contacted IPs

Contacted Domains

Name | IP | Active | Malicious
raw.githubusercontent.com | 151.101.0.133 | true | false

Contacted IPs

IP | Country | ASN | ASN Name | Malicious
17.253.34.125 | United States | 6185 | Apple Inc | false
151.101.0.133 | United States | 137 | GARR Italian academic and research network | false
8.8.4.4 | United States | 15169 | Google Inc | false
17.188.166.11 | United States | 714 | Apple Inc | false
8.8.8.8 | United States | 15169 | Google Inc | false
17.252.60.24 | United States | 714 | Apple Inc | false
224.0.0.251 | Reserved | 2541 | Jump Management SRL | false

Static File Info

General

File type: Zip archive data, at least v2.0 to extract
TrID:
  • Mac OS X Application Bundle (25504/1) 86.41%
  • ZIP compressed archive (4004/1) 13.57%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.02%
File name: 7819ae7d72fa045baa77e9c8e063a69df439146b27f9c3bb10aef52dcc77c145.app
File size: 129000 bytes
MD5: e8bdde90574d5bf285d9abb0c8a113a8
SHA1: f5d3425482dc4f4f738277ff3ba315b496894899
SHA256: 7819ae7d72fa045baa77e9c8e063a69df439146b27f9c3bb10aef52dcc77c145
SHA512: 11cbb93092b2136ac0305a9e73b037d5495ff1c1d81244e3b7d8aa7921dba54bcbcc9efbd9964f7e8d8510d1364948421f33dffc03a873ae13ec8c2f11dae7f8
File Content Preview:PK.........`.J................Dokument.app/PK.........`.J................Dokument.app/Contents/PK.........`.J............%...Dokument.app/Contents/_CodeSignature/PK.........`.J<.......N...2...Dokument.app/Contents/_CodeSignature/CodeResources.V.N.@.}...6>

Static App Info

General Information

Package Info: APPL????
Property List File:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>BuildMachineOSBuild</key><string>13F1911</string>
  <key>CFBundleDevelopmentRegion</key><string>en</string>
  <key>CFBundleExecutable</key><string>AppStore</string>
  <key>CFBundleIconFile</key><string>AppIcon</string>
  <key>CFBundleIdentifier</key><string>Trusteer.AppStore</string>
  <key>CFBundleInfoDictionaryVersion</key><string>6.0</string>
  <key>CFBundleName</key><string>AppStore</string>
  <key>CFBundlePackageType</key><string>APPL</string>
  <key>CFBundleShortVersionString</key><string>1.0</string>
  <key>CFBundleSignature</key><string>????</string>
  <key>CFBundleVersion</key><string>1</string>
  <key>DTCompiler</key><string>com.apple.compilers.llvm.clang.1_0</string>
  <key>DTPlatformBuild</key><string>6A2008a</string>
  <key>DTPlatformVersion</key><string>GM</string>
  <key>DTSDKBuild</key><string>14A382</string>
  <key>DTSDKName</key><string>macosx10.10</string>
  <key>DTXcode</key><string>0611</string>
  <key>DTXcodeBuild</key><string>6A2008a</string>
  <key>LSMinimumSystemVersion</key><string>10.9</string>
  <key>LSUIElement</key><true/>
  <key>NSHumanReadableCopyright</key><string>Copyright 2017 Trusteer. All rights reserved.</string>
  <key>NSMainNibFile</key><string>MainMenu</string>
  <key>NSPrincipalClass</key><string>NSApplication</string>
  <key>NSUserNotificationAlertStyle</key><string>alert</string>
</dict>
</plist>

Resources

Name | Type
Info.plist | XML document text
PkgInfo | ASCII text, with no line terminators
AppStore | Mach-O 64-bit executable
AppIcon.icns | data
appstore.tiff | TIFF image data, big-endian
MainMenu.nib | Apple binary property list
MainMenu.strings (de.lproj) | UTF-8 Unicode C program text, with very long lines
MainMenu.strings (en.lproj) | UTF-8 Unicode C program text, with very long lines
CodeResources | XML document text

Static Mach Info

General Information for header0

Endian: < (little-endian)
Size: 64-bit
Architecture: x86_64
Filetype: execute
Number of load commands: 23

segment_command_64 __PAGEZERO: vmaddr 0, vmsize 4294967296, fileoff 0, filesize 0, maxprot 0, initprot 0, nsects 0, flags 0

segment_command_64 __TEXT: vmaddr 4294967296, vmsize 24576, fileoff 0, filesize 24576, maxprot 7, initprot 5, nsects 12, flags 0
Sections (reloff 0, nreloc 0 and reserved1/2/3 0 unless noted):
  • __text: addr 4294971801, size 9247, offset 4505, align 0, flags 2147484672
  • __stubs: addr 4294981048, size 120, offset 13752, align 1, flags 2147484680, reserved2 6
  • __stub_helper: addr 4294981168, size 216, offset 13872, align 2, flags 2147484672
  • __objc_methname: addr 4294981384, size 4856, offset 14088, align 0, flags 2
  • __cstring: addr 4294986240, size 1778, offset 18944, align 0, flags 2
  • __objc_classname: addr 4294988018, size 122, offset 20722, align 0, flags 2
  • __objc_methtype: addr 4294988140, size 2257, offset 20844, align 0, flags 2
  • __const: addr 4294990400, size 8, offset 23104, align 3, flags 0
  • __gcc_except_tab: addr 4294990408, size 924, offset 23112, align 2, flags 0
  • __ustring: addr 4294991332, size 212, offset 24036, align 1, flags 0
  • __unwind_info: addr 4294991544, size 200, offset 24248, align 2, flags 0
  • __eh_frame: addr 4294991744, size 128, offset 24448, align 3, flags 0

segment_command_64 __DATA: vmaddr 4294991872, vmsize 12288, fileoff 24576, filesize 12288, maxprot 7, initprot 3, nsects 16, flags 0
Sections (reloff 0, nreloc 0 and reserved1/2/3 0 unless noted):
  • __nl_symbol_ptr: addr 4294991872, size 16, offset 24576, align 3, flags 6, reserved1 20
  • __got: addr 4294991888, size 48, offset 24592, align 3, flags 6, reserved1 22
  • __la_symbol_ptr: addr 4294991936, size 160, offset 24640, align 3, flags 7, reserved1 28
  • __cfstring: addr 4294992096, size 2144, offset 24800, align 3, flags 0
  • __objc_classlist: addr 4294994240, size 16, offset 26944, align 3, flags 268435456
  • __objc_catlist: addr 4294994256, size 8, offset 26960, align 3, flags 268435456
  • __objc_protolist: addr 4294994264, size 32, offset 26968, align 3, flags 0
  • __objc_imageinfo: addr 4294994296, size 8, offset 27000, align 2, flags 0
  • __objc_const: addr 4294994304, size 5352, offset 27008, align 3, flags 0
  • __objc_selrefs: addr 4294999656, size 648, offset 32360, align 3, flags 268435461
  • __objc_classrefs: addr 4295000304, size 136, offset 33008, align 3, flags 268435456
  • __objc_superrefs: addr 4295000440, size 8, offset 33144, align 3, flags 268435456
  • __objc_ivar: addr 4295000448, size 88, offset 33152, align 3, flags 0
  • __objc_data: addr 4295000536, size 160, offset 33240, align 3, flags 0
  • __data: addr 4295000704, size 3168, offset 33408, align 4, flags 0
  • __bss: addr 4295003872, size 8, offset 0, align 3, flags 1

segment_command_64 __LINKEDIT: vmaddr 4295004160, vmsize 16384, fileoff 36864, filesize 13808, maxprot 7, initprot 1, nsects 0, flags 0

dyld_info_command: rebase_off 36864, rebase_size 344; bind_off 37208, bind_size 888; weak_bind_off 0, weak_bind_size 0; lazy_bind_off 38096, lazy_bind_size 528; export_off 38624, export_size 32

symtab_command: symoff 38784, nsyms 49, stroff 39760, strsize 1064

dysymtab_command: ilocalsym 0, nlocalsym 1; iextdefsym 1, nextdefsym 1; iundefsym 2, nundefsym 47; tocoff 0, ntoc 0; modtaboff 0, nmodtab 0; extrefsymoff 0, nextrefsyms 0; indirectsymoff 39568, nindirectsyms 48; extreloff 0, nextrel 0; locreloff 0, nlocrel 0

dylinker_command: name offset 12, data /usr/lib/dyld

uuid_command: uuid e872d32c087c300583856f4809a01584 (E872D32C-087C-3005-8385-6F4809A01584)

version_min_command: version 657664 (0xA0900, i.e. 10.9.0, matching LSMinimumSystemVersion), sdk 657920 (0xA0A00, i.e. 10.10.0, matching DTSDKName macosx10.10)

source_version_command: version 0

entry_point_command: entryoff 5961, stacksize 0

dylib_command (six entries; each with timestamp Thu Jan 01 01:00:02 1970 and name offset 24; version fields as decoded by the sandbox):
  • /System/Library/Frameworks/Foundation.framework/Versions/C/Foundation: current_version 4096.127.4, compatibility_version 0.44.1
  • /usr/lib/libobjc.A.dylib: current_version 0.228.0, compatibility_version 0.1.0
  • /usr/lib/libSystem.B.dylib: current_version 0.189.4, compatibility_version 0.1.0
  • /System/Library/Frameworks/AppKit.framework/Versions/C/AppKit: current_version 3584.63.5, compatibility_version 0.45.0
  • /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation: current_version 4096.127.4, compatibility_version 0.150.0
  • /System/Library/Frameworks/CoreGraphics.framework/Versions/A/CoreGraphics: current_version 0.88.2, compatibility_version 0.64.0

rpath_command: path offset 12, data @executable_path/../Frameworks

linkedit_data_command (four entries):
  • dataoff 38656, datasize 48
  • dataoff 38704, datasize 0
  • dataoff 38704, datasize 80
  • dataoff 40832, datasize 9840

Network Behavior

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mai 2, 2017 15:31:11.692693949 MESZ | 57735 | 53 | 192.168.0.50 | 8.8.8.8
Mai 2, 2017 15:31:12.629211903 MESZ | 53 | 57735 | 8.8.8.8 | 192.168.0.50
Mai 2, 2017 15:31:19.193578005 MESZ | 53219 | 53 | 192.168.0.50 | 8.8.8.8
Mai 2, 2017 15:31:19.193696022 MESZ | 53 | 53219 | 8.8.8.8 | 192.168.0.50
Mai 2, 2017 15:31:19.193934917 MESZ | 53219 | 53 | 192.168.0.50 | 8.8.4.4
Mai 2, 2017 15:31:19.194017887 MESZ | 53 | 53219 | 8.8.4.4 | 192.168.0.50
Mai 2, 2017 15:31:19.330516100 MESZ | 5353 | 5353 | 192.168.0.50 | 224.0.0.251
Mai 2, 2017 15:31:19.500202894 MESZ | 5353 | 5353 | 192.168.0.50 | 224.0.0.251
Mai 2, 2017 15:31:19.506320953 MESZ | 60406 | 53 | 192.168.0.50 | 8.8.8.8
Mai 2, 2017 15:31:19.506542921 MESZ | 65096 | 53 | 192.168.0.50 | 8.8.8.8
Mai 2, 2017 15:31:20.574440002 MESZ | 60406 | 53 | 192.168.0.50 | 8.8.8.8
Mai 2, 2017 15:31:20.574462891 MESZ | 65096 | 53 | 192.168.0.50 | 8.8.8.8
Mai 2, 2017 15:31:20.635322094 MESZ | 53 | 65096 | 8.8.8.8 | 192.168.0.50
Mai 2, 2017 15:31:20.635354996 MESZ | 53 | 60406 | 8.8.8.8 | 192.168.0.50
Mai 2, 2017 15:31:21.627639055 MESZ | 53 | 60406 | 8.8.8.8 | 192.168.0.50
Mai 2, 2017 15:31:21.627671957 MESZ | 53 | 65096 | 8.8.8.8 | 192.168.0.50
Mai 2, 2017 15:31:21.799474955 MESZ | 63562 | 53 | 192.168.0.50 | 8.8.8.8
Mai 2, 2017 15:31:21.799540043 MESZ | 61902 | 53 | 192.168.0.50 | 8.8.8.8
Mai 2, 2017 15:31:22.635335922 MESZ | 53 | 61902 | 8.8.8.8 | 192.168.0.50
Mai 2, 2017 15:31:22.635360956 MESZ | 53 | 63562 | 8.8.8.8 | 192.168.0.50
Mai 2, 2017 15:31:40.520466089 MESZ | 49155 | 5223 | 192.168.0.50 | 17.188.166.11
Mai 2, 2017 15:31:40.520488977 MESZ | 5223 | 49155 | 17.188.166.11 | 192.168.0.50
Mai 2, 2017 15:31:40.720473051 MESZ | 5223 | 49155 | 17.188.166.11 | 192.168.0.50
Mai 2, 2017 15:31:40.720737934 MESZ | 49155 | 5223 | 192.168.0.50 | 17.188.166.11
Mai 2, 2017 15:31:48.852389097 MESZ | 49173 | 5223 | 192.168.0.50 | 17.252.60.24
Mai 2, 2017 15:31:48.852420092 MESZ | 5223 | 49173 | 17.252.60.24 | 192.168.0.50
Mai 2, 2017 15:31:49.211980104 MESZ | 5223 | 49173 | 17.252.60.24 | 192.168.0.50
Mai 2, 2017 15:31:49.212301016 MESZ | 49173 | 5223 | 192.168.0.50 | 17.252.60.24
Mai 2, 2017 15:33:25.870512962 MESZ | 64200 | 53 | 192.168.0.50 | 8.8.8.8
Mai 2, 2017 15:33:25.870553017 MESZ | 52198 | 53 | 192.168.0.50 | 8.8.8.8
Mai 2, 2017 15:33:26.623991966 MESZ | 53 | 52198 | 8.8.8.8 | 192.168.0.50
Mai 2, 2017 15:33:26.624028921 MESZ | 53 | 64200 | 8.8.8.8 | 192.168.0.50
Mai 2, 2017 15:33:27.406713963 MESZ | 49205 | 443 | 192.168.0.50 | 151.101.0.133
Mai 2, 2017 15:33:27.406766891 MESZ | 443 | 49205 | 151.101.0.133 | 192.168.0.50
Mai 2, 2017 15:33:27.407027960 MESZ | 49205 | 443 | 192.168.0.50 | 151.101.0.133
Mai 2, 2017 15:33:27.414486885 MESZ | 49205 | 443 | 192.168.0.50 | 151.101.0.133
Mai 2, 2017 15:33:27.414513111 MESZ | 443 | 49205 | 151.101.0.133 | 192.168.0.50
Mai 2, 2017 15:33:27.594789982 MESZ | 443 | 49205 | 151.101.0.133 | 192.168.0.50
Mai 2, 2017 15:33:27.594810963 MESZ | 443 | 49205 | 151.101.0.133 | 192.168.0.50
Mai 2, 2017 15:33:27.595396996 MESZ | 49205 | 443 | 192.168.0.50 | 151.101.0.133
Mai 2, 2017 15:33:27.595417023 MESZ | 49205 | 443 | 192.168.0.50 | 151.101.0.133
Mai 2, 2017 15:33:27.644638062 MESZ | 443 | 49205 | 151.101.0.133 | 192.168.0.50
Mai 2, 2017 15:33:27.645080090 MESZ | 49205 | 443 | 192.168.0.50 | 151.101.0.133
Mai 2, 2017 15:33:27.668196917 MESZ | 49205 | 443 | 192.168.0.50 | 151.101.0.133
Mai 2, 2017 15:33:27.668219090 MESZ | 443 | 49205 | 151.101.0.133 | 192.168.0.50
Mai 2, 2017 15:33:27.669955969 MESZ | 49205 | 443 | 192.168.0.50 | 151.101.0.133
Mai 2, 2017 15:33:27.669967890 MESZ | 443 | 49205 | 151.101.0.133 | 192.168.0.50
Mai 2, 2017 15:33:27.791852951 MESZ | 443 | 49205 | 151.101.0.133 | 192.168.0.50
Mai 2, 2017 15:33:27.793092012 MESZ | 49205 | 443 | 192.168.0.50 | 151.101.0.133
Mai 2, 2017 15:33:27.793864965 MESZ | 49205 | 443 | 192.168.0.50 | 151.101.0.133
Mai 2, 2017 15:33:27.793889046 MESZ | 443 | 49205 | 151.101.0.133 | 192.168.0.50
Mai 2, 2017 15:33:28.075337887 MESZ | 443 | 49205 | 151.101.0.133 | 192.168.0.50
Mai 2, 2017 15:33:28.075356007 MESZ | 443 | 49205 | 151.101.0.133 | 192.168.0.50
Mai 2, 2017 15:33:28.075903893 MESZ | 49205 | 443 | 192.168.0.50 | 151.101.0.133
Mai 2, 2017 15:33:28.075923920 MESZ | 49205 | 443 | 192.168.0.50 | 151.101.0.133
Mai 2, 2017 15:33:28.076303005 MESZ | 49205 | 443 | 192.168.0.50 | 151.101.0.133
Mai 2, 2017 15:33:28.090754032 MESZ | 443 | 49205 | 151.101.0.133 | 192.168.0.50
Mai 2, 2017 15:33:28.090766907 MESZ | 443 | 49205 | 151.101.0.133 | 192.168.0.50
Mai 2, 2017 15:33:28.092307091 MESZ | 49205 | 443 | 192.168.0.50 | 151.101.0.133
Mai 2, 2017 15:33:28.092320919 MESZ | 49205 | 443 | 192.168.0.50 | 151.101.0.133
Mai 2, 2017 15:33:28.092703104 MESZ | 49205 | 443 | 192.168.0.50 | 151.101.0.133
Mai 2, 2017 15:33:28.094799995 MESZ | 443 | 49205 | 151.101.0.133 | 192.168.0.50
Mai 2, 2017 15:33:28.095911026 MESZ | 443 | 49205 | 151.101.0.133 | 192.168.0.50
Mai 2, 2017 15:33:28.095928907 MESZ | 49205 | 443 | 192.168.0.50 | 151.101.0.133
Mai 2, 2017 15:33:28.095952034 MESZ | 443 | 49205 | 151.101.0.133 | 192.168.0.50
Mai 2, 2017 15:33:28.096343040 MESZ | 49205 | 443 | 192.168.0.50 | 151.101.0.133
Mai 2, 2017 15:33:28.096350908 MESZ | 49205 | 443 | 192.168.0.50 | 151.101.0.133
Mai 2, 2017 15:33:28.096612930 MESZ | 49205 | 443 | 192.168.0.50 | 151.101.0.133
Mai 2, 2017 15:33:28.098069906 MESZ | 443 | 49205 | 151.101.0.133 | 192.168.0.50
Mai 2, 2017 15:33:28.098476887 MESZ | 49205 | 443 | 192.168.0.50 | 151.101.0.133
Mai 2, 2017 15:33:28.111012936 MESZ | 443 | 49205 | 151.101.0.133 | 192.168.0.50
Mai 2, 2017 15:33:28.111026049 MESZ | 443 | 49205 | 151.101.0.133 | 192.168.0.50
Mai 2, 2017 15:33:28.111598969 MESZ | 49205 | 443 | 192.168.0.50 | 151.101.0.133
Mai 2, 2017 15:33:28.112237930 MESZ | 49205 | 443 | 192.168.0.50 | 151.101.0.133
Mai 2, 2017 15:33:28.112258911 MESZ | 443 | 49205 | 151.101.0.133 | 192.168.0.50
Mai 2, 2017 15:33:28.112891912 MESZ | 49205 | 443 | 192.168.0.50 | 151.101.0.133
Mai 2, 2017 15:33:28.112966061 MESZ | 443 | 49205 | 151.101.0.133 | 192.168.0.50
Mai 2, 2017 15:33:28.113193989 MESZ | 49205 | 443 | 192.168.0.50 | 151.101.0.133
Mai 2, 2017 15:33:29.236218929 MESZ | 56757 | 53 | 192.168.0.50 | 8.8.8.8
Mai 2, 2017 15:33:29.639600992 MESZ | 53 | 56757 | 8.8.8.8 | 192.168.0.50
Mai 2, 2017 15:33:30.471669912 MESZ | 123 | 123 | 192.168.0.50 | 17.253.34.125
Mai 2, 2017 15:33:30.812159061 MESZ | 57274 | 53 | 192.168.0.50 | 8.8.8.8
Mai 2, 2017 15:33:31.647546053 MESZ | 53 | 57274 | 8.8.8.8 | 192.168.0.50
Mai 2, 2017 15:33:34.932761908 MESZ | 54015 | 53 | 192.168.0.50 | 8.8.8.8
Mai 2, 2017 15:33:35.687437057 MESZ | 53 | 54015 | 8.8.8.8 | 192.168.0.50
Mai 2, 2017 15:34:00.519781113 MESZ | 64419 | 53 | 192.168.0.50 | 8.8.8.8
Mai 2, 2017 15:34:01.655128956 MESZ | 64419 | 53 | 192.168.0.50 | 8.8.8.8
Mai 2, 2017 15:34:01.854368925 MESZ | 53 | 64419 | 8.8.8.8 | 192.168.0.50
Mai 2, 2017 15:34:02.570903063 MESZ | 53 | 64419 | 8.8.8.8 | 192.168.0.50
Mai 2, 2017 15:34:04.084278107 MESZ | 55352 | 53 | 192.168.0.50 | 8.8.8.8
Mai 2, 2017 15:34:04.631232977 MESZ | 53 | 55352 | 8.8.8.8 | 192.168.0.50
Mai 2, 2017 15:35:33.304289103 MESZ | 59048 | 53 | 192.168.0.50 | 8.8.8.8
Mai 2, 2017 15:35:33.571640968 MESZ | 53 | 59048 | 8.8.8.8 | 192.168.0.50
Mai 2, 2017 15:36:09.353941917 MESZ | 55040 | 53 | 192.168.0.50 | 8.8.8.8
Mai 2, 2017 15:36:09.354016066 MESZ | 53 | 55040 | 8.8.8.8 | 192.168.0.50
Mai 2, 2017 15:36:09.354286909 MESZ | 55040 | 53 | 192.168.0.50 | 8.8.4.4
Mai 2, 2017 15:36:09.354353905 MESZ | 53 | 55040 | 8.8.4.4 | 192.168.0.50
Mai 2, 2017 15:36:09.599256992 MESZ | 5353 | 5353 | 192.168.0.50 | 224.0.0.251
Mai 2, 2017 15:36:09.831655025 MESZ | 5353 | 5353 | 192.168.0.50 | 224.0.0.251
Mai 2, 2017 15:36:09.865065098 MESZ | 55732 | 53 | 192.168.0.50 | 8.8.8.8
Mai 2, 2017 15:36:09.865142107 MESZ | 53 | 55732 | 8.8.8.8 | 192.168.0.50
Mai 2, 2017 15:36:09.869658947 MESZ | 63898 | 53 | 192.168.0.50 | 8.8.8.8
Mai 2, 2017 15:36:09.869697094 MESZ | 51056 | 53 | 192.168.0.50 | 8.8.8.8
Mai 2, 2017 15:36:10.639071941 MESZ | 53 | 51056 | 8.8.8.8 | 192.168.0.50
Mai 2, 2017 15:36:10.639091969 MESZ | 53 | 63898 | 8.8.8.8 | 192.168.0.50
Mai 2, 2017 15:36:10.663163900 MESZ | 54382 | 53 | 192.168.0.50 | 8.8.8.8
Mai 2, 2017 15:36:10.663192034 MESZ | 50350 | 53 | 192.168.0.50 | 8.8.8.8
Mai 2, 2017 15:36:11.630785942 MESZ | 53 | 50350 | 8.8.8.8 | 192.168.0.50
Mai 2, 2017 15:36:11.630805969 MESZ | 53 | 54382 | 8.8.8.8 | 192.168.0.50
Mai 2, 2017 15:36:50.153630972 MESZ | 61650 | 53 | 192.168.0.50 | 8.8.8.8
Mai 2, 2017 15:36:50.153717041 MESZ | 53 | 61650 | 8.8.8.8 | 192.168.0.50
Mai 2, 2017 15:36:50.183474064 MESZ | 56860 | 53 | 192.168.0.50 | 8.8.8.8
Mai 2, 2017 15:36:50.183537006 MESZ | 53 | 56860 | 8.8.8.8 | 192.168.0.50

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mai 2, 2017 15:31:11.692693949 MESZ | 57735 | 53 | 192.168.0.50 | 8.8.8.8
Mai 2, 2017 15:31:12.629211903 MESZ | 53 | 57735 | 8.8.8.8 | 192.168.0.50
Mai 2, 2017 15:31:19.193578005 MESZ | 53219 | 53 | 192.168.0.50 | 8.8.8.8
Mai 2, 2017 15:31:19.193696022 MESZ | 53 | 53219 | 8.8.8.8 | 192.168.0.50
Mai 2, 2017 15:31:19.193934917 MESZ | 53219 | 53 | 192.168.0.50 | 8.8.4.4
Mai 2, 2017 15:31:19.194017887 MESZ | 53 | 53219 | 8.8.4.4 | 192.168.0.50
Mai 2, 2017 15:31:19.330516100 MESZ | 5353 | 5353 | 192.168.0.50 | 224.0.0.251
Mai 2, 2017 15:31:19.500202894 MESZ | 5353 | 5353 | 192.168.0.50 | 224.0.0.251
Mai 2, 2017 15:31:19.506320953 MESZ | 60406 | 53 | 192.168.0.50 | 8.8.8.8
Mai 2, 2017 15:31:19.506542921 MESZ | 65096 | 53 | 192.168.0.50 | 8.8.8.8
Mai 2, 2017 15:31:20.574440002 MESZ | 60406 | 53 | 192.168.0.50 | 8.8.8.8
Mai 2, 2017 15:31:20.574462891 MESZ | 65096 | 53 | 192.168.0.50 | 8.8.8.8
Mai 2, 2017 15:31:20.635322094 MESZ | 53 | 65096 | 8.8.8.8 | 192.168.0.50
Mai 2, 2017 15:31:20.635354996 MESZ | 53 | 60406 | 8.8.8.8 | 192.168.0.50
Mai 2, 2017 15:31:21.627639055 MESZ | 53 | 60406 | 8.8.8.8 | 192.168.0.50
Mai 2, 2017 15:31:21.627671957 MESZ | 53 | 65096 | 8.8.8.8 | 192.168.0.50
Mai 2, 2017 15:31:21.799474955 MESZ | 63562 | 53 | 192.168.0.50 | 8.8.8.8
Mai 2, 2017 15:31:21.799540043 MESZ | 61902 | 53 | 192.168.0.50 | 8.8.8.8
Mai 2, 2017 15:31:22.635335922 MESZ | 53 | 61902 | 8.8.8.8 | 192.168.0.50
Mai 2, 2017 15:31:22.635360956 MESZ | 53 | 63562 | 8.8.8.8 | 192.168.0.50
Mai 2, 2017 15:33:25.870512962 MESZ | 64200 | 53 | 192.168.0.50 | 8.8.8.8
Mai 2, 2017 15:33:25.870553017 MESZ | 52198 | 53 | 192.168.0.50 | 8.8.8.8
Mai 2, 2017 15:33:26.623991966 MESZ | 53 | 52198 | 8.8.8.8 | 192.168.0.50
Mai 2, 2017 15:33:26.624028921 MESZ | 53 | 64200 | 8.8.8.8 | 192.168.0.50
Mai 2, 2017 15:33:29.236218929 MESZ | 56757 | 53 | 192.168.0.50 | 8.8.8.8
Mai 2, 2017 15:33:29.639600992 MESZ | 53 | 56757 | 8.8.8.8 | 192.168.0.50
Mai 2, 2017 15:33:30.471669912 MESZ | 123 | 123 | 192.168.0.50 | 17.253.34.125
Mai 2, 2017 15:33:30.812159061 MESZ | 57274 | 53 | 192.168.0.50 | 8.8.8.8
Mai 2, 2017 15:33:31.647546053 MESZ | 53 | 57274 | 8.8.8.8 | 192.168.0.50
Mai 2, 2017 15:33:34.932761908 MESZ | 54015 | 53 | 192.168.0.50 | 8.8.8.8
Mai 2, 2017 15:33:35.687437057 MESZ | 53 | 54015 | 8.8.8.8 | 192.168.0.50
Mai 2, 2017 15:34:00.519781113 MESZ | 64419 | 53 | 192.168.0.50 | 8.8.8.8
Mai 2, 2017 15:34:01.655128956 MESZ | 64419 | 53 | 192.168.0.50 | 8.8.8.8
Mai 2, 2017 15:34:01.854368925 MESZ | 53 | 64419 | 8.8.8.8 | 192.168.0.50
Mai 2, 2017 15:34:02.570903063 MESZ | 53 | 64419 | 8.8.8.8 | 192.168.0.50
Mai 2, 2017 15:34:04.084278107 MESZ | 55352 | 53 | 192.168.0.50 | 8.8.8.8
Mai 2, 2017 15:34:04.631232977 MESZ | 53 | 55352 | 8.8.8.8 | 192.168.0.50
Mai 2, 2017 15:35:33.304289103 MESZ | 59048 | 53 | 192.168.0.50 | 8.8.8.8
Mai 2, 2017 15:35:33.571640968 MESZ | 53 | 59048 | 8.8.8.8 | 192.168.0.50
Mai 2, 2017 15:36:09.353941917 MESZ | 55040 | 53 | 192.168.0.50 | 8.8.8.8
Mai 2, 2017 15:36:09.354016066 MESZ | 53 | 55040 | 8.8.8.8 | 192.168.0.50
Mai 2, 2017 15:36:09.354286909 MESZ | 55040 | 53 | 192.168.0.50 | 8.8.4.4
Mai 2, 2017 15:36:09.354353905 MESZ | 53 | 55040 | 8.8.4.4 | 192.168.0.50
Mai 2, 2017 15:36:09.599256992 MESZ | 5353 | 5353 | 192.168.0.50 | 224.0.0.251
Mai 2, 2017 15:36:09.831655025 MESZ | 5353 | 5353 | 192.168.0.50 | 224.0.0.251
Mai 2, 2017 15:36:09.865065098 MESZ | 55732 | 53 | 192.168.0.50 | 8.8.8.8
Mai 2, 2017 15:36:09.865142107 MESZ | 53 | 55732 | 8.8.8.8 | 192.168.0.50
Mai 2, 2017 15:36:09.869658947 MESZ | 63898 | 53 | 192.168.0.50 | 8.8.8.8
Mai 2, 2017 15:36:09.869697094 MESZ | 51056 | 53 | 192.168.0.50 | 8.8.8.8
Mai 2, 2017 15:36:10.639071941 MESZ | 53 | 51056 | 8.8.8.8 | 192.168.0.50
Mai 2, 2017 15:36:10.639091969 MESZ | 53 | 63898 | 8.8.8.8 | 192.168.0.50
Mai 2, 2017 15:36:10.663163900 MESZ | 54382 | 53 | 192.168.0.50 | 8.8.8.8
Mai 2, 2017 15:36:10.663192034 MESZ | 50350 | 53 | 192.168.0.50 | 8.8.8.8
Mai 2, 2017 15:36:11.630785942 MESZ | 53 | 50350 | 8.8.8.8 | 192.168.0.50
Mai 2, 2017 15:36:11.630805969 MESZ | 53 | 54382 | 8.8.8.8 | 192.168.0.50
Mai 2, 2017 15:36:50.153630972 MESZ | 61650 | 53 | 192.168.0.50 | 8.8.8.8
Mai 2, 2017 15:36:50.153717041 MESZ | 53 | 61650 | 8.8.8.8 | 192.168.0.50
Mai 2, 2017 15:36:50.183474064 MESZ | 56860 | 53 | 192.168.0.50 | 8.8.8.8
Mai 2, 2017 15:36:50.183537006 MESZ | 53 | 56860 | 8.8.8.8 | 192.168.0.50

ICMP Packets

Timestamp | Source IP | Dest IP | Checksum | Code | Type
Mai 2, 2017 15:31:21.628987074 MESZ | 192.168.0.50 | 8.8.8.8 | 10b5 | (Port unreachable) | Destination Unreachable
Mai 2, 2017 15:31:21.629014015 MESZ | 192.168.0.50 | 8.8.8.8 | fe62 | (Port unreachable) | Destination Unreachable
Mai 2, 2017 15:34:02.572354078 MESZ | 192.168.0.50 | 8.8.8.8 | e4 | (Port unreachable) | Destination Unreachable
Mai 2, 2017 15:36:09.865355968 MESZ | 192.168.0.50 | 8.8.8.8 | 22f4 | (Port unreachable) | Destination Unreachable
Mai 2, 2017 15:36:50.153925896 MESZ | 192.168.0.50 | 8.8.8.8 | bd6 | (Port unreachable) | Destination Unreachable
Mai 2, 2017 15:36:50.183757067 MESZ | 192.168.0.50 | 8.8.8.8 | 1e8c | (Port unreachable) | Destination Unreachable

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Mai 2, 2017 15:33:25.870512962 MESZ | 192.168.0.50 | 8.8.8.8 | 0xf8ff | Standard query (0) | raw.githubusercontent.com | A (IP address) | IN (0x0001)
Mai 2, 2017 15:33:25.870553017 MESZ | 192.168.0.50 | 8.8.8.8 | 0xda32 | Standard query (0) | raw.githubusercontent.com | 28 | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Mai 2, 2017 15:33:26.623991966 MESZ | 8.8.8.8 | 192.168.0.50 | 0xda32 | Name error (3) | raw.githubusercontent.com | none | none | 28 | IN (0x0001)
Mai 2, 2017 15:33:26.624028921 MESZ | 8.8.8.8 | 192.168.0.50 | 0xf8ff | No error (0) | raw.githubusercontent.com | | 151.101.0.133 | A (IP address) | IN (0x0001)

HTTPS Packets

Timestamp: Mai 2, 2017 15:33:27.594810963 MESZ
Source Port: 443
Dest Port: 49205
Source IP: 151.101.0.133
Dest IP: 192.168.0.50
Subject: CN=www.github.com, O="GitHub, Inc.", L=San Francisco, ST=California, C=US
Issuer: CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Not Before: Thu Mar 23 01:00:00 CET 2017
Not After: Wed May 13 14:00:00 CEST 2020
Raw:
[
[
  Version: V3
  Subject: CN=www.github.com, O="GitHub, Inc.", L=San Francisco, ST=California, C=US
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
  Key: Sun RSA public key, 2048 bits
  modulus: 25099697626048321606202818344071502550576411888331701071141161223694675869786745800889617243213642455258158495927201678345350021623733344893724275172963412722339878198389644829083964717190878070492781167669895599575788154081255061130305535549411705316507008410948527417224113219034434540514365587659572158721996877966754415715730209401768225239036749296683522925986561048065207836614684495060962115342387644979615572735292237094507662116283631106341692208293437519645282962451912142974140521707187040079470650176250023234488760804440782477843096472385145915778215630371344833626811599300515164458563730525132815920871
  public exponent: 65537
  Validity: [From: Thu Mar 23 01:00:00 CET 2017, To: Wed May 13 14:00:00 CEST 2020]
  Issuer: CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US
  SerialNumber: [ 083a8459 2f77f2e7 951bf887 cedec966]

Certificate Extensions: 10
[1]: ObjectId: 1.3.6.1.4.1.11129.2.4.2 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 82 01 E5 04 82 01 E1 01 DF 00 76 00 A4 B9 09 ...........v....
0010: 90 B4 18 58 14 87 BB 13 A2 CC 67 70 0A 3C 35 98 ...X......gp.<5.
0020: 04 F9 1B DF B8 E3 77 CD 0E C8 0D DC 10 00 00 01 ......w.........
0030: 5A FD 40 6A 04 00 00 04 03 00 47 30 45 02 20 45 Z.@j......G0E. E
0040: 5E C5 9A 0B 56 EE A7 C4 34 26 0A D8 F4 48 08 C6 ^...V...4&...H..
0050: 3A A2 D6 FD 9F 03 A6 60 E3 88 91 5D 24 32 CB 02 :......`...]$2..
0060: 21 00 8C E1 CD 4D 73 96 C7 89 87 9F B2 5D CE 54 !....Ms......].T
0070: D4 8F A9 82 A4 66 5D BD 57 70 F2 2C 18 BF 28 39 .....f].Wp.,..(9
0080: DC 23 00 75 00 56 14 06 9A 2F D7 C2 EC D3 F5 E1 .#.u.V.../......
0090: BD 44 B2 3E C7 46 76 B9 BC 99 11 5C C0 EF 94 98 .D.>.Fv....\....
00A0: 55 D6 89 D0 DD 00 00 01 5A FD 40 6A 65 00 00 04 U.......Z.@je...
00B0: 03 00 46 30 44 02 20 4A 40 CB 32 4A 68 FA F6 82 ..F0D. J@.2Jh...
00C0: 99 31 E0 BE 30 3A 24 2E BA D5 37 6B 4A F8 E3 25 .1..0:$...7kJ..%
00D0: CD FD 53 E6 A8 07 B6 02 20 44 92 CD 1A F7 D6 0E ..S..... D......
00E0: 63 29 08 AF E2 58 F4 A6 32 C6 0A DB 26 32 4E 5F c)...X..2...&2N_
00F0: 4A 6E D1 C1 B4 FE 56 A6 47 00 76 00 EE 4B BD B7 Jn....V.G.v..K..
0100: 75 CE 60 BA E1 42 69 1F AB E1 9E 66 A3 0F 7E 5F u.`..Bi....f..._
0110: B0 72 D8 83 00 C4 7B 89 7A A8 FD CB 00 00 01 5A .r......z......Z
0120: FD 40 6A 1F 00 00 04 03 00 47 30 45 02 20 0D A7 .@j......G0E. ..
0130: D1 36 DE 01 AE 4A 6E E3 A9 9D 7A 49 6E 73 9B C1 .6...Jn...zIns..
0140: C9 29 3A C1 EC 68 DF B6 AC 0E D9 03 5E 98 02 21 .):..h......^..!
0150: 00 97 B2 53 9D 53 DD 98 57 1A BB 3C 0B 8E 03 44 ...S.S..W..<...D
0160: 48 C4 45 B6 7E 01 AF 39 BD 5C 94 CF 25 B6 96 3D H.E....9.\..%..=
0170: A7 00 76 00 BB D9 DF BC 1F 8A 71 B5 93 94 23 97 ..v.......q...#.
0180: AA 92 7B 47 38 57 95 0A AB 52 E8 1A 90 96 64 36 ...G8W...R....d6
0190: 8E 1E D1 85 00 00 01 5A FD 40 6A 11 00 00 04 03 .......Z.@j.....
01A0: 00 47 30 45 02 21 00 AA AE DB AA EF 52 7A 4C CE .G0E.!......RzL.
01B0: F0 28 C5 9E 48 04 4E 75 36 BC 7F 7E 46 A0 B3 08 .(..H.Nu6...F...
01C0: 98 95 CE 35 23 47 7D 02 20 38 DB D2 BB F5 47 E6 ...5#G.. 8....G.
01D0: 39 59 D7 E3 C3 F9 BE 93 84 51 75 FA 95 7B C2 9E 9Y.......Qu.....
01E0: F0 AB EF FC C6 21 D4 32 5B .....!.2[

[2]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [ accessMethod: ocsp
    accessLocation: URIName: http://ocsp.digicert.com ]
  [ accessMethod: caIssuers
    accessLocation: URIName: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt ]
]

[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 51 68 FF 90 AF 02 07 75 3C CC D9 65 64 62 A2 12 Qh.....u<..edb..
0010: B8 59 72 3B .Yr;
]
]

[4]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]

[5]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint: [URIName: http://crl3.digicert.com/sha2-ha-server-g5.crl]]
  [DistributionPoint: [URIName: http://crl4.digicert.com/sha2-ha-server-g5.crl]]
]

[6]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.16.840.1.114412.1.1]
   [PolicyQualifierInfo: [
     qualifierID: 1.3.6.1.5.5.7.2.1
     qualifier:
0000: 16 1C 68 74 74 70 73 3A 2F 2F 77 77 77 2E 64 69 ..https://www.di
0010: 67 69 63 65 72 74 2E 63 6F 6D 2F 43 50 53 gicert.com/CPS
   ]]
  ]
  [CertificatePolicyId: [2.23.140.1.2.2]
   []
  ]
]

[7]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

[8]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

[9]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: www.github.com
  DNSName: *.github.com
  DNSName: github.com
  DNSName: *.github.io
  DNSName: github.io
  DNSName: *.githubusercontent.com
  DNSName: githubusercontent.com
]

[10]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 30 82 29 D8 6D 4C E0 D4 A2 C6 10 48 05 80 87 A8 0.).mL.....H....
0010: BC AA E9 12 ....
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: 99 7E D6 2F CE 1B A6 15 F5 15 B3 EF F1 30 C1 1F .../.........0..
0010: 54 10 92 A4 8C 43 C0 BC BD A5 0D 00 53 E2 42 C1 T....C......S.B.
0020: 85 6F E5 A7 A9 41 99 4B 46 11 5A DD FD E8 27 69 .o...A.KF.Z...'i
0030: 97 B6 3C A6 0E 2A 30 DB 33 53 BE 83 B0 AA 08 89 ..<..*0.3S......
0040: 04 7E 66 35 E5 5C B3 2C 28 7F A7 B1 E5 27 79 6D ..f5.\.,(....'ym
0050: 81 26 89 EA A0 55 51 70 10 CB EB 43 59 6B AA 52 .&...UQp...CYk.R
0060: B4 46 FD D2 FF 89 16 8A 45 DA 0E BF 87 0D 53 EF .F......E.....S.
0070: 83 24 C5 17 AD 12 63 40 74 80 4D BD A4 C9 DD 74 .$....c@t.M....t
0080: D9 DF 1C 61 02 0A 71 B0 93 24 2F 2D A9 20 7A 43 ...a..q..$/-. zC
0090: 86 44 11 58 8A 45 9B D7 5C E2 66 EB A6 C6 F1 7C .D.X.E..\.f.....
00A0: A7 DC DD AF 27 89 39 F7 C1 9A 99 C8 7F 34 7A D9 ....'.9......4z.
00B0: 39 73 83 CB 73 75 BC 16 B0 4E A1 49 2D 09 12 8D 9s..su...N.I-...
00C0: 4E 3E 63 FF F0 88 71 DF 50 46 2B A5 38 3D DB 38 N>c...q.PF+.8=.8
00D0: 08 97 29 64 DE CB C7 EB 88 70 59 DD 62 DC 16 76 ..)d.....pY.b..v
00E0: 2D 30 6A E3 A3 2F 40 A5 36 0F CC 05 76 D5 E0 6E -0j../@.6...v..n
00F0: 04 40 3D 6A 21 5F BF 4E A3 A8 6C D0 98 21 B9 BD .@=j!_.N..l..!..
]

Timestamp: Mai 2, 2017 15:33:27.594810963 MESZ
Source Port: 443
Dest Port: 49205
Source IP: 151.101.0.133
Dest IP: 192.168.0.50
Subject: CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Issuer: CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Not Before: Tue Oct 22 14:00:00 CEST 2013
Not After: Sun Oct 22 14:00:00 CEST 2028
Raw:
[
[
  Version: V3
  Subject: CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
  Key: Sun RSA public key, 2048 bits
  modulus: 23085922014910748503624791917480115148492919026914207610707020942093828159221184419960399297678177590153378092714640886296044490661625022319263060388275515964365478738040978664516396912933675650257207760237777280773935047177225664304566903694731631728916260237117586511459590661362255543750987738241463266555577715629664656907640120826399947323444556799362651693283202076722872218490347588587929811327918605576169523712767591239193274840826201053308722900104999956283622772648025895714833602740679819670062830777938157004975732087864164660384513848296643542134747514357423990884765641067184766081973460304136714018531
  public exponent: 65537
  Validity: [From: Tue Oct 22 14:00:00 CEST 2013, To: Sun Oct 22 14:00:00 CEST 2028]
  Issuer: CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
  SerialNumber: [ 04e1e7a4 dc5cf2f3 6dc02b42 b85d159f]

Certificate Extensions: 8
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [ accessMethod: ocsp
    accessLocation: URIName: http://ocsp.digicert.com ]
]

[2]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: B1 3E C3 69 03 F8 BF 47 01 D4 98 26 1A 08 02 EF .>.i...G...&....
0010: 63 64 2B C3 cd+.
]
]

[3]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:0
]

[4]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint: [URIName: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl]]
]

[5]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.5.29.32.0]
   [PolicyQualifierInfo: [
     qualifierID: 1.3.6.1.5.5.7.2.1
     qualifier:
0000: 16 1C 68 74 74 70 73 3A 2F 2F 77 77 77 2E 64 69 ..https://www.di
0010: 67 69 63 65 72 74 2E 63 6F 6D 2F 43 50 53 gicert.com/CPS
   ]]
  ]
]

[6]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

[7]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_CertSign
  Crl_Sign
]

[8]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 51 68 FF 90 AF 02 07 75 3C CC D9 65 64 62 A2 12 Qh.....u<..edb..
0010: B8 59 72 3B .Yr;
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: 18 8A 95 89 03 E6 6D DF 5C FC 1D 68 EA 4A 8F 83 ......m.\..h.J..
0010: D6 51 2F 8D 6B 44 16 9E AC 63 F5 D2 6E 6C 84 99 .Q/.kD...c..nl..
0020: 8B AA 81 71 84 5B ED 34 4E B0 B7 79 92 29 CC 2D ...q.[.4N..y.).-
0030: 80 6A F0 8E 20 E1 79 A4 FE 03 47 13 EA F5 86 CA .j.. .y...G.....
0040: 59 71 7D F4 04 96 6B D3 59 58 3D FE D3 31 25 5C Yq....k.YX=..1%\
0050: 18 38 84 A3 E6 9F 82 FD 8C 5B 98 31 4E CD 78 9E .8.......[.1N.x.
0060: 1A FD 85 CB 49 AA F2 27 8B 99 72 FC 3E AA D5 41 ....I..'..r.>..A
0070: 0B DA D5 36 A1 BF 1C 6E 47 49 7F 5E D9 48 7C 03 ...6...nGI.^.H..
0080: D9 FD 8B 49 A0 98 26 42 40 EB D6 92 11 A4 64 0A ...I..&B@.....d.
0090: 57 54 C4 F5 1D D6 02 5E 6B AC EE C4 80 9A 12 72 WT.....^k......r
00A0: FA 56 93 D7 FF BF 30 85 06 30 BF 0B 7F 4E FF 57 .V....0..0...N.W
00B0: 05 9D 24 ED 85 C3 2B FB A6 75 A8 AC 2D 16 EF 7D ..$...+..u..-...
00C0: 79 27 B2 EB C2 9D 0B 07 EA AA 85 D3 01 A3 20 28 y'............ (
00D0: 41 59 43 28 D2 81 E3 AA F6 EC 7B 3B 77 B6 40 62 AYC(.......;w.@b
00E0: 80 05 41 45 01 EF 17 06 3E DE C0 33 9B 67 D3 61 ..AE....>..3.g.a
00F0: 2E 72 87 E4 69 FC 12 00 57 40 1E 70 F5 1E C9 B4 .r..i...W@.p....
]

System Behavior

General

Start time:15:31:13
Start date:02/05/2017
Path:/usr/libexec/xpcproxy
File size:42656 bytes
MD5 hash:d68b4c6f2056c73e1d3bd228bcd6d4ff

General

Start time:15:31:13
Start date:02/05/2017
Path:/Users/vreni/Desktop/unpack/Dokument.app/Contents/MacOS/AppStore
File size:50672 bytes
MD5 hash:14c1cd9c5f263d5ba988838e0c3e3cf6

General

Start time:15:31:13
Start date:02/05/2017
Path:/bin/bash
File size:628496 bytes
MD5 hash:5d7583d80e5314ac844eedc6d68c6cd7

General

Start time:15:31:13
Start date:02/05/2017
Path:/bin/chmod
File size:33904 bytes
MD5 hash:ecb64579c6dd0ebee31bf8e4d4cdcc6e

General

Start time:15:31:13
Start date:02/05/2017
Path:/bin/bash
File size:628496 bytes
MD5 hash:5d7583d80e5314ac844eedc6d68c6cd7

General

Start time:15:31:13
Start date:02/05/2017
Path:/bin/bash
File size:628496 bytes
MD5 hash:5d7583d80e5314ac844eedc6d68c6cd7

General

Start time:15:31:13
Start date:02/05/2017
Path:/bin/sleep
File size:17984 bytes
MD5 hash:a5566195e03cbb7d5df309767a4231ae

General

Start time:15:31:18
Start date:02/05/2017
Path:/bin/bash
File size:628496 bytes
MD5 hash:5d7583d80e5314ac844eedc6d68c6cd7

General

Start time:15:31:18
Start date:02/05/2017
Path:/bin/rm
File size:23744 bytes
MD5 hash:e8926d2347850b76f57a1d5f0226de8b

General

Start time:15:31:18
Start date:02/05/2017
Path:/bin/bash
File size:628496 bytes
MD5 hash:5d7583d80e5314ac844eedc6d68c6cd7

General

Start time:15:31:18
Start date:02/05/2017
Path:/Users/Shared/AppStore.app/Contents/MacOS/AppStore
File size:50672 bytes
MD5 hash:14c1cd9c5f263d5ba988838e0c3e3cf6

General

Start time:15:33:24
Start date:02/05/2017
Path:/Users/Shared/AppStore.app/Contents/MacOS/AppStore
File size:50672 bytes
MD5 hash:14c1cd9c5f263d5ba988838e0c3e3cf6

General

Start time:15:33:24
Start date:02/05/2017
Path:/usr/libexec/security_authtrampoline
File size:18848 bytes
MD5 hash:34db24049f929d8372cbdf52d770b98d

General

Start time:15:33:24
Start date:02/05/2017
Path:/System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid
File size:17808 bytes
MD5 hash:1276a2f702f871b34410af3858bd9cb0

General

Start time:15:33:24
Start date:02/05/2017
Path:/System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid
File size:17808 bytes
MD5 hash:1276a2f702f871b34410af3858bd9cb0

General

Start time:15:33:24
Start date:02/05/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

General

Start time:15:33:24
Start date:02/05/2017
Path:/Users/Shared/AppStore.app/Contents/MacOS/AppStore
File size:50672 bytes
MD5 hash:14c1cd9c5f263d5ba988838e0c3e3cf6

General

Start time:15:33:24
Start date:02/05/2017
Path:/bin/bash
File size:628496 bytes
MD5 hash:5d7583d80e5314ac844eedc6d68c6cd7

General

Start time:15:33:25
Start date:02/05/2017
Path:/bin/bash
File size:628496 bytes
MD5 hash:5d7583d80e5314ac844eedc6d68c6cd7

General

Start time:15:33:25
Start date:02/05/2017
Path:/usr/bin/killall
File size:23872 bytes
MD5 hash:e27cce82be3cba31a2486d00964d1c5e

General

Start time:15:33:25
Start date:02/05/2017
Path:/bin/bash
File size:628496 bytes
MD5 hash:5d7583d80e5314ac844eedc6d68c6cd7

General

Start time:15:33:25
Start date:02/05/2017
Path:/usr/bin/killall
File size:23872 bytes
MD5 hash:e27cce82be3cba31a2486d00964d1c5e

General

Start time:15:33:25
Start date:02/05/2017
Path:/bin/bash
File size:628496 bytes
MD5 hash:5d7583d80e5314ac844eedc6d68c6cd7

General

Start time:15:33:25
Start date:02/05/2017
Path:/usr/bin/killall
File size:23872 bytes
MD5 hash:e27cce82be3cba31a2486d00964d1c5e

General

Start time:15:33:25
Start date:02/05/2017
Path:/bin/bash
File size:628496 bytes
MD5 hash:5d7583d80e5314ac844eedc6d68c6cd7

General

Start time:15:33:25
Start date:02/05/2017
Path:/usr/bin/security
File size:234560 bytes
MD5 hash:6323b6bd0865d2300eb65a512f8c560c

General

Start time:15:33:25
Start date:02/05/2017
Path:/bin/bash
File size:628496 bytes
MD5 hash:5d7583d80e5314ac844eedc6d68c6cd7

General

Start time:15:33:25
Start date:02/05/2017
Path:/usr/bin/sudo
File size:168448 bytes
MD5 hash:7d986f7707c0f11264989cd7105ea80d

General

Start time:15:33:25
Start date:02/05/2017
Path:/bin/bash
File size:628496 bytes
MD5 hash:5d7583d80e5314ac844eedc6d68c6cd7

General

Start time:15:33:25
Start date:02/05/2017
Path:/bin/bash
File size:628496 bytes
MD5 hash:5d7583d80e5314ac844eedc6d68c6cd7

General

Start time:15:33:25
Start date:02/05/2017
Path:/usr/bin/sudo
File size:168448 bytes
MD5 hash:7d986f7707c0f11264989cd7105ea80d

General

Start time:15:33:25
Start date:02/05/2017
Path:/bin/bash
File size:628496 bytes
MD5 hash:5d7583d80e5314ac844eedc6d68c6cd7

General

Start time:15:33:27
Start date:02/05/2017
Path:/usr/bin/sudo
File size:168448 bytes
MD5 hash:7d986f7707c0f11264989cd7105ea80d

General

Start time:15:33:25
Start date:02/05/2017
Path:/bin/bash
File size:628496 bytes
MD5 hash:5d7583d80e5314ac844eedc6d68c6cd7

General

Start time:15:33:25
Start date:02/05/2017
Path:/bin/bash
File size:628496 bytes
MD5 hash:5d7583d80e5314ac844eedc6d68c6cd7

General

Start time:15:33:25
Start date:02/05/2017
Path:/usr/bin/curl
File size:172016 bytes
MD5 hash:313ae871e04221163541c8af134351dc

General

Start time:15:33:27
Start date:02/05/2017
Path:/usr/bin/sudo
File size:168448 bytes
MD5 hash:7d986f7707c0f11264989cd7105ea80d

General

Start time:15:33:27
Start date:02/05/2017
Path:/usr/bin/ruby
File size:42864 bytes
MD5 hash:025474bbddd98fccd7ac0bb0ca2cedfb

General

Start time:15:33:27
Start date:02/05/2017
Path:/usr/bin/ruby
File size:42864 bytes
MD5 hash:025474bbddd98fccd7ac0bb0ca2cedfb

General

Start time:15:33:27
Start date:02/05/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

General

Start time:15:33:27
Start date:02/05/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

General

Start time:15:33:27
Start date:02/05/2017
Path:/usr/bin/xcode-select
File size:23856 bytes
MD5 hash:76ba5af4fe69e97c43f99fed107a28c7

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/bin/ruby
File size:42864 bytes
MD5 hash:025474bbddd98fccd7ac0bb0ca2cedfb

General

Start time:15:33:28
Start date:02/05/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

General

Start time:15:33:28
Start date:02/05/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/bin/sudo
File size:168448 bytes
MD5 hash:7d986f7707c0f11264989cd7105ea80d

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/bin/ruby
File size:42864 bytes
MD5 hash:025474bbddd98fccd7ac0bb0ca2cedfb

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/bin/sw_vers
File size:18736 bytes
MD5 hash:b1668c2003c554a75688384652e92e2b

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/bin/ruby
File size:42864 bytes
MD5 hash:025474bbddd98fccd7ac0bb0ca2cedfb

General

Start time:15:33:28
Start date:02/05/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/bin/dsmemberutil
File size:27648 bytes
MD5 hash:ee7f8596baee8869a0330e10d1d4682e

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/bin/ruby
File size:42864 bytes
MD5 hash:025474bbddd98fccd7ac0bb0ca2cedfb

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/bin/sudo
File size:168448 bytes
MD5 hash:7d986f7707c0f11264989cd7105ea80d

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/bin/sudo
File size:168448 bytes
MD5 hash:7d986f7707c0f11264989cd7105ea80d

General

Start time:15:33:28
Start date:02/05/2017
Path:/bin/chmod
File size:33904 bytes
MD5 hash:ecb64579c6dd0ebee31bf8e4d4cdcc6e

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/bin/ruby
File size:42864 bytes
MD5 hash:025474bbddd98fccd7ac0bb0ca2cedfb

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/bin/sudo
File size:168448 bytes
MD5 hash:7d986f7707c0f11264989cd7105ea80d

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/bin/sudo
File size:168448 bytes
MD5 hash:7d986f7707c0f11264989cd7105ea80d

General

Start time:15:33:28
Start date:02/05/2017
Path:/bin/chmod
File size:33904 bytes
MD5 hash:ecb64579c6dd0ebee31bf8e4d4cdcc6e

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/bin/ruby
File size:42864 bytes
MD5 hash:025474bbddd98fccd7ac0bb0ca2cedfb

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/bin/sudo
File size:168448 bytes
MD5 hash:7d986f7707c0f11264989cd7105ea80d

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/bin/sudo
File size:168448 bytes
MD5 hash:7d986f7707c0f11264989cd7105ea80d

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/sbin/chown
File size:23184 bytes
MD5 hash:47316ddabc9edbd8cc56ebc2efd31ecd

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/bin/ruby
File size:42864 bytes
MD5 hash:025474bbddd98fccd7ac0bb0ca2cedfb

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/bin/sudo
File size:168448 bytes
MD5 hash:7d986f7707c0f11264989cd7105ea80d

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/bin/sudo
File size:168448 bytes
MD5 hash:7d986f7707c0f11264989cd7105ea80d

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/bin/chgrp
File size:23184 bytes
MD5 hash:ab6f212adbfd7640558e0d9e42464cf1

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/bin/ruby
File size:42864 bytes
MD5 hash:025474bbddd98fccd7ac0bb0ca2cedfb

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/bin/sudo
File size:168448 bytes
MD5 hash:7d986f7707c0f11264989cd7105ea80d

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/bin/sudo
File size:168448 bytes
MD5 hash:7d986f7707c0f11264989cd7105ea80d

General

Start time:15:33:28
Start date:02/05/2017
Path:/bin/mkdir
File size:18496 bytes
MD5 hash:00efa095a9110a312bf9115afb361764

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/bin/ruby
File size:42864 bytes
MD5 hash:025474bbddd98fccd7ac0bb0ca2cedfb

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/bin/sudo
File size:168448 bytes
MD5 hash:7d986f7707c0f11264989cd7105ea80d

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/bin/sudo
File size:168448 bytes
MD5 hash:7d986f7707c0f11264989cd7105ea80d

General

Start time:15:33:28
Start date:02/05/2017
Path:/bin/chmod
File size:33904 bytes
MD5 hash:ecb64579c6dd0ebee31bf8e4d4cdcc6e

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/bin/ruby
File size:42864 bytes
MD5 hash:025474bbddd98fccd7ac0bb0ca2cedfb

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/bin/sudo
File size:168448 bytes
MD5 hash:7d986f7707c0f11264989cd7105ea80d

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/bin/sudo
File size:168448 bytes
MD5 hash:7d986f7707c0f11264989cd7105ea80d

General

Start time:15:33:28
Start date:02/05/2017
Path:/bin/chmod
File size:33904 bytes
MD5 hash:ecb64579c6dd0ebee31bf8e4d4cdcc6e

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/bin/ruby
File size:42864 bytes
MD5 hash:025474bbddd98fccd7ac0bb0ca2cedfb

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/bin/sudo
File size:168448 bytes
MD5 hash:7d986f7707c0f11264989cd7105ea80d

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/bin/sudo
File size:168448 bytes
MD5 hash:7d986f7707c0f11264989cd7105ea80d

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/sbin/chown
File size:23184 bytes
MD5 hash:47316ddabc9edbd8cc56ebc2efd31ecd

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/bin/ruby
File size:42864 bytes
MD5 hash:025474bbddd98fccd7ac0bb0ca2cedfb

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/bin/sudo
File size:168448 bytes
MD5 hash:7d986f7707c0f11264989cd7105ea80d

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/bin/sudo
File size:168448 bytes
MD5 hash:7d986f7707c0f11264989cd7105ea80d

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/bin/chgrp
File size:23184 bytes
MD5 hash:ab6f212adbfd7640558e0d9e42464cf1

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/bin/ruby
File size:42864 bytes
MD5 hash:025474bbddd98fccd7ac0bb0ca2cedfb

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/bin/sudo
File size:168448 bytes
MD5 hash:7d986f7707c0f11264989cd7105ea80d

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/bin/sudo
File size:168448 bytes
MD5 hash:7d986f7707c0f11264989cd7105ea80d

General

Start time:15:33:28
Start date:02/05/2017
Path:/bin/mkdir
File size:18496 bytes
MD5 hash:00efa095a9110a312bf9115afb361764

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/bin/ruby
File size:42864 bytes
MD5 hash:025474bbddd98fccd7ac0bb0ca2cedfb

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/bin/sudo
File size:168448 bytes
MD5 hash:7d986f7707c0f11264989cd7105ea80d

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/bin/sudo
File size:168448 bytes
MD5 hash:7d986f7707c0f11264989cd7105ea80d

General

Start time:15:33:28
Start date:02/05/2017
Path:/bin/chmod
File size:33904 bytes
MD5 hash:ecb64579c6dd0ebee31bf8e4d4cdcc6e

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/bin/ruby
File size:42864 bytes
MD5 hash:025474bbddd98fccd7ac0bb0ca2cedfb

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/bin/sudo
File size:168448 bytes
MD5 hash:7d986f7707c0f11264989cd7105ea80d

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/bin/sudo
File size:168448 bytes
MD5 hash:7d986f7707c0f11264989cd7105ea80d

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/sbin/chown
File size:23184 bytes
MD5 hash:47316ddabc9edbd8cc56ebc2efd31ecd

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/bin/ruby
File size:42864 bytes
MD5 hash:025474bbddd98fccd7ac0bb0ca2cedfb

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/bin/sudo
File size:168448 bytes
MD5 hash:7d986f7707c0f11264989cd7105ea80d

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/bin/sudo
File size:168448 bytes
MD5 hash:7d986f7707c0f11264989cd7105ea80d

General

Start time:15:33:28
Start date:02/05/2017
Path:/bin/mkdir
File size:18496 bytes
MD5 hash:00efa095a9110a312bf9115afb361764

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/bin/ruby
File size:42864 bytes
MD5 hash:025474bbddd98fccd7ac0bb0ca2cedfb

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/bin/sudo
File size:168448 bytes
MD5 hash:7d986f7707c0f11264989cd7105ea80d

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/bin/sudo
File size:168448 bytes
MD5 hash:7d986f7707c0f11264989cd7105ea80d

General

Start time:15:33:28
Start date:02/05/2017
Path:/bin/chmod
File size:33904 bytes
MD5 hash:ecb64579c6dd0ebee31bf8e4d4cdcc6e

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/bin/ruby
File size:42864 bytes
MD5 hash:025474bbddd98fccd7ac0bb0ca2cedfb

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/bin/sudo
File size:168448 bytes
MD5 hash:7d986f7707c0f11264989cd7105ea80d

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/bin/sudo
File size:168448 bytes
MD5 hash:7d986f7707c0f11264989cd7105ea80d

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/sbin/chown
File size:23184 bytes
MD5 hash:47316ddabc9edbd8cc56ebc2efd31ecd

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/bin/ruby
File size:42864 bytes
MD5 hash:025474bbddd98fccd7ac0bb0ca2cedfb

General

Start time:15:33:28
Start date:02/05/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

General

Start time:15:33:28
Start date:02/05/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/bin/xcode-select
File size:23856 bytes
MD5 hash:76ba5af4fe69e97c43f99fed107a28c7

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/bin/ruby
File size:42864 bytes
MD5 hash:025474bbddd98fccd7ac0bb0ca2cedfb

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/bin/sudo
File size:168448 bytes
MD5 hash:7d986f7707c0f11264989cd7105ea80d

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/bin/sudo
File size:168448 bytes
MD5 hash:7d986f7707c0f11264989cd7105ea80d

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/bin/touch
File size:23248 bytes
MD5 hash:6e95af6ebd7fd2dd9a0e26654024db31

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/bin/ruby
File size:42864 bytes
MD5 hash:025474bbddd98fccd7ac0bb0ca2cedfb

General

Start time:15:33:28
Start date:02/05/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

General

Start time:15:33:28
Start date:02/05/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/sbin/softwareupdate
File size:91584 bytes
MD5 hash:147d9c83c6ae3255f29df22ef991e4b0

General

Start time:15:33:28
Start date:02/05/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/bin/grep
File size:33712 bytes
MD5 hash:f7fe9c4af9294f2949377a12244b3d60

General

Start time:15:33:28
Start date:02/05/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/bin/awk
File size:116176 bytes
MD5 hash:f3018baf92b308f79410d303b5186198

General

Start time:15:33:28
Start date:02/05/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/bin/sed
File size:41984 bytes
MD5 hash:824cf059686109372fe70bf8d9c320dd

General

Start time:15:33:28
Start date:02/05/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/bin/tail
File size:28416 bytes
MD5 hash:7881a115760ba2573406cb73d2368971

General

Start time:15:33:59
Start date:02/05/2017
Path:/usr/bin/ruby
File size:42864 bytes
MD5 hash:025474bbddd98fccd7ac0bb0ca2cedfb

General

Start time:15:33:59
Start date:02/05/2017
Path:/usr/bin/sudo
File size:168448 bytes
MD5 hash:7d986f7707c0f11264989cd7105ea80d

General

Start time:15:33:59
Start date:02/05/2017
Path:/usr/bin/sudo
File size:168448 bytes
MD5 hash:7d986f7707c0f11264989cd7105ea80d

General

Start time:15:33:59
Start date:02/05/2017
Path:/usr/sbin/softwareupdate
File size:91584 bytes
MD5 hash:147d9c83c6ae3255f29df22ef991e4b0

General

Start time:15:31:18
Start date:02/05/2017
Path:/System/Library/CoreServices/sharedfilelistd
File size:123616 bytes
MD5 hash:f27d37ceb90584465739b7527f7c7b2d

General

Start time:15:31:18
Start date:02/05/2017
Path:/usr/bin/sfltool
File size:79456 bytes
MD5 hash:0ced48308860d34b0e0b304d9033b6b7

General

Start time:15:31:21
Start date:02/05/2017
Path:/System/Library/CoreServices/sharedfilelistd
File size:123616 bytes
MD5 hash:f27d37ceb90584465739b7527f7c7b2d

General

Start time:15:31:21
Start date:02/05/2017
Path:/usr/bin/sfltool
File size:79456 bytes
MD5 hash:0ced48308860d34b0e0b304d9033b6b7

General

Start time:15:31:28
Start date:02/05/2017
Path:/System/Library/CoreServices/sharedfilelistd
File size:123616 bytes
MD5 hash:f27d37ceb90584465739b7527f7c7b2d

General

Start time:15:31:28
Start date:02/05/2017
Path:/usr/bin/sfltool
File size:79456 bytes
MD5 hash:0ced48308860d34b0e0b304d9033b6b7

General

Start time:15:33:25
Start date:02/05/2017
Path:/usr/bin/sudo
File size:168448 bytes
MD5 hash:7d986f7707c0f11264989cd7105ea80d

General

Start time:15:33:25
Start date:02/05/2017
Path:/bin/echo
File size:18032 bytes
MD5 hash:28aaba1826ce568b1eec9cf71ad0655c

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/libexec/xpcproxy
File size:42656 bytes
MD5 hash:d68b4c6f2056c73e1d3bd228bcd6d4ff

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/libexec/nsurlstoraged
File size:221296 bytes
MD5 hash:6eeb0dc54f68a7a875397231838f2722

General

Start time:15:33:34
Start date:02/05/2017
Path:/System/Library/SystemConfiguration/PrinterNotifications.bundle/Contents/MacOS/makequeues
File size:132464 bytes
MD5 hash:52700eaa5f13fa131c164b6b13cedad1

General

Start time:15:33:42
Start date:02/05/2017
Path:/usr/libexec/xpcproxy
File size:42656 bytes
MD5 hash:d68b4c6f2056c73e1d3bd228bcd6d4ff

General

Start time:15:33:42
Start date:02/05/2017
Path:/usr/libexec/diskmanagementd
File size:856208 bytes
MD5 hash:f6e81fe9e88497039d345998358093f9

General

Start time:15:33:43
Start date:02/05/2017
Path:/usr/sbin/automount
File size:62960 bytes
MD5 hash:e352828696a852f80b71a44c7e9aa012
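The process listing above is the raw material of a triage question an analyst will ask on every macOS sandbox run: which system binaries did the sample drive, how often, and does every launch of a given path carry the same MD5 (a path that hashes two different ways during one run points at a swapped or tampered binary). The script below is an added example, not Joe Sandbox output or tooling; it parses this plain-text "General" record layout, tallies launches per path, flags hash conflicts, and optionally compares against a path-to-MD5 baseline. The SAMPLE is a constructed subset copied from the entries on this page, and the baseline dictionary is an assumed input the analyst would collect from a known-clean install of the same OS build, not something the report provides.

```python
"""Parse Joe Sandbox 'General' process records and triage the launched binaries."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed subset of the page's listing, same field layout as the report.
SAMPLE = """\
General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/bin/sudo
File size:168448 bytes
MD5 hash:7d986f7707c0f11264989cd7105ea80d

General

Start time:15:33:28
Start date:02/05/2017
Path:/bin/chmod
File size:33904 bytes
MD5 hash:ecb64579c6dd0ebee31bf8e4d4cdcc6e

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/bin/ruby
File size:42864 bytes
MD5 hash:025474bbddd98fccd7ac0bb0ca2cedfb

General

Start time:15:33:28
Start date:02/05/2017
Path:/usr/bin/sudo
File size:168448 bytes
MD5 hash:7d986f7707c0f11264989cd7105ea80d

General

Start time:15:33:59
Start date:02/05/2017
Path:/usr/sbin/softwareupdate
File size:91584 bytes
MD5 hash:147d9c83c6ae3255f29df22ef991e4b0
"""


@dataclass(frozen=True)
class ProcessRecord:
    start_time: str
    start_date: str
    path: str
    size: int
    md5: str


# Report field label -> attribute name.
_KEYS = {"Start time": "start_time", "Start date": "start_date",
         "Path": "path", "File size": "size", "MD5 hash": "md5"}


def _build(fields):
    size = int(re.match(r"(\d+)", fields["size"]).group(1))  # "168448 bytes"
    return ProcessRecord(fields["start_time"], fields["start_date"],
                         fields["path"], size, fields["md5"].lower())


def parse_records(text):
    """One ProcessRecord per 'General' block. Values are split on the
    first ':' only, because the time field itself contains colons."""
    records, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if line == "General":
            if current:
                records.append(_build(current))
            current = {}
            continue
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        if key in _KEYS:
            current[_KEYS[key]] = value.strip()
    if current:
        records.append(_build(current))
    return records


def launch_counts(records):
    """How many times each executable path was started."""
    return Counter(r.path for r in records)


def hash_conflicts(records):
    """Paths launched with more than one distinct (MD5, size) pair.
    On an untampered host every launch of a path hashes identically."""
    seen = defaultdict(set)
    for r in records:
        seen[r.path].add((r.md5, r.size))
    return {p: s for p, s in seen.items() if len(s) > 1}


def baseline_deviations(records, baseline):
    """Observed hashes that differ from an analyst-supplied path->MD5
    baseline (assumed input from a clean reference install)."""
    return [(r.path, r.md5, baseline[r.path].lower())
            for r in records
            if r.path in baseline and baseline[r.path].lower() != r.md5]


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for path, n in launch_counts(recs).most_common():
        print(f"{n:3d}  {path}")
    print("hash conflicts:", hash_conflicts(recs))
```

Run it against the full listing by pasting the page's records into SAMPLE (or reading them from a file); the launch counts alone make the pattern of repeated sudo, chmod, chown, chgrp and mkdir invocations around ruby, xcode-select and softwareupdate visible at a glance.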