Edit tour

macOS Analysis Report
Pipidae.app

Overview

General Information

Sample Name:	Pipidae.app
Analysis ID:	1294523
MD5:	8881338c77f4285d197fb52229575d64
SHA1:	23eea6ab534cf7aa5e9356660cfa974c3e610bbd
SHA256:	7a1f844ec0aa595b09d4044e99690cf3d3095a3faae5656a7f5b78cc593563f5
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false

Signatures

Multi AV Scanner detection for submitted file

Denies being traced/debugged (via ptrace PT_DENY_ATTACH)

Process executable has a file extension which is uncommon (probably to disguise the executable)

Contains symbols with suspicious names likely related to encryption

Contains symbols with suspicious names likely related to networking

Uses CFNetwork bundle containing interfaces for network communication (HTTP, sockets, and Bonjour)

Reads the systems OS release and/or type

Classification

General Information

Joe Sandbox Version:	38.0.0 Beryl
Analysis ID:	1294523
Start date and time:	2023-08-21 15:42:38 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultmacfilecookbook.jbs
Analysis system description:	Virtual Machine, High Sierra (Office 2016 16.16, Java 11.0.2+9, Adobe Reader 2019.010.20099)
macOS major version:	10.13
CPU architecture:	x86_64
Analysis Mode:	default
Sample file name:	Pipidae.app
Detection:	MAL
Classification:	mal56.evad.macAPP@0/0@1/0

Runtime Messages

Command:	/Users/berri/Desktop/Pipidae.app
PID:	895
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:
Standard Error:

Process Tree

System is macvm-highsierra

mono-sgen32 New Fork (PID: 895, Parent: 826)

Pipidae.app (MD5: 8881338c77f4285d197fb52229575d64) Arguments: /Users/berri/Desktop/Pipidae.app

cleanup

HTTP traffic detected: POST /se/cu HTTP/1.1Host: www.ipahufm.icuContent-Type: application/jsonConnection: keep-aliveAccept: */*User-Agent: Pipidae.app (unknown version) CFNetwork/893.13.1 Darwin/17.3.0 (x86_64)Content-Length: 42Accept-Language: en-usAccept-Encoding: br, gzip, deflate

Source: unknown

HTTPS traffic detected: 54.70.175.13:443 -> 192.168.11.11:49304 version: TLS 1.2

Source: classification engine

Classification label: mal56.evad.macAPP@0/0@1/0

Source: /Users/berri/Desktop/Pipidae.app (PID: 895)

CFNetwork info plist opened: /System/Library/Frameworks/CFNetwork.framework/Resources/Info.plist

Jump to behavior

Source: submission: Pipidae.app

Mach-O header: dylib_command -> /System/Library/Frameworks/AppKit.framework/Versions/C/AppKit

Source: submission: Pipidae.app

Mach-O header: dylib_command -> /System/Library/Frameworks/SystemConfiguration.framework/Versions/A/SystemConfiguration

Source: submission: Pipidae.app

Mach-O header: dylib_command -> /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit

Hooking and other Techniques for Hiding and Protection

Denies being traced/debugged (via ptrace PT_DENY_ATTACH)

Source: /Users/berri/Desktop/Pipidae.app (PID: 895)

PTRACE system call (PT_DENY_ATTACH): PID 895 denies future traces

Jump to behavior

Process executable has a file extension which is uncommon (probably to disguise the executable)

Source: /Library/Frameworks/Mono.framework/Versions/4.4.2/bin/mono-sgen32 (PID: 895)

Process executable with extension: /Users/berri/Desktop/Pipidae.app

Jump to behavior

Source: Pipidae.app, 00000895.00000282.9.000000010ae47000.000000010ae5b000.rw-.sdmp

Binary or memory string: VMware

Source: /Users/berri/Desktop/Pipidae.app (PID: 895)	Sysctl requested: kern.ostype (1.1)			Jump to behavior
Source: /Users/berri/Desktop/Pipidae.app (PID: 895)	Sysctl requested: kern.osrelease (1.2)			Jump to behavior

Source: /Users/berri/Desktop/Pipidae.app (PID: 895)

System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 Masquerading	1 GUI Input Capture	1 Security Software Discovery	Remote Services	1 GUI Input Capture	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	11 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	2 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	1 System Network Configuration Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	3 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Shell
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Pipidae.app	13%	ReversingLabs	MacOS.Adware.Generic
Pipidae.app	38%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
www.ipahufm.icu	0%	Virustotal		Browse

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
searchlb-3b453017ec33bbb9.elb.us-west-2.amazonaws.com	54.70.175.13	true	false		high
www.ipahufm.icu	unknown	unknown	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://www.ipahufm.icu/se/cu	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
54.70.175.13	searchlb-3b453017ec33bbb9.elb.us-west-2.amazonaws.com	United States		16509	AMAZON-02US	false
2.23.196.201	unknown	European Union		1273	CWVodafoneGroupPLCEU	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
54.70.175.13	Ravenwise	Get hash	malicious	Unknown	Browse
	Ravenwise	Get hash	malicious	Unknown	Browse
	bfe	Get hash	malicious	Unknown	Browse
	ctapp_230720_b1nt12.zip	Get hash	malicious	Unknown	Browse
	Kx1A2vl0kc	Get hash	malicious	Unknown	Browse
	ctapp_230720_b1nt12.zip	Get hash	malicious	Unknown	Browse
2.23.196.201	https://pub-1658c2dd66434dd7b5f48ce167884c7e.r2.dev/index.html#support@ashleymadison.com	Get hash	malicious	Unknown	Browse
	http://daubinvestments.com	Get hash	malicious	Unknown	Browse
	https://clothingmemorialadorable.com/xfk47a7yg?key=02661d03f8c3bed95f6dd5fe5d58f347	Get hash	malicious	Unknown	Browse
	Setup	Get hash	malicious	Unknown	Browse
	https://trk.klclick3.com/ls/click?upn=ODUWvrrWUUEee10FYhP2wZyPL1bLpxmK7tCWb4Xj1Noy-2F-2Bu0ZUvzWzy588C54QNl6EPf-2FtlYqzO-2FJkqf-2FjkkjhJXLWf5Q-2Bh3bAFwhgyoBKZRylURgGbO-2Fl-2FhbyBLIcM6kcBGS3VJC0dCH8iqTpiv-2BA-3D-3DC_TS_BdoE-2BqcBt692Zq6TFVs-2BIYMNWNao2bfciBVD4n-2F5m-2FzBQafN-2F7-2Bb30sW9-2BzFZMaW-2FLJeG6XW598f6wa-2Fo11l-2BHQQC5ig3nbpcHiAiLC4qo8M7BJH-2F03cOZNeyWMYx0sU6lI0DVg-2B-2BNK9mEASj1W3RH6HbZ9xgEE-2FV3ByC-2FjRioxk8-2FwBZ-2F867xPaQnbyASSD67hoK3iQXHJ3Jh-2F7VIbGFcx6Zr-2BEDbt1-2FQNWkxAShvSmZiu3FbvM8NrUGz63EdoSph70Bw3S915mU18T7xAa8FAnmS7G1NDJnJLYcw9Hiuc6zL4gJ6nwznB2cBoMoKt9fNH-2BGzhiVYtPk3qcCu-2BP8scoYS0uRT5d-2Flgt-2BUGYNIKc9NeNdHghkoytvotQ8p35TvSzKDt0nLjjlQUYFcKRWB6OB5D-2FMLRGYA9ZoGxrLTg-3D#cl/488482_md/10/419673/6491/60323/1797583	Get hash	malicious	Unknown	Browse
	https://1drv.ms/b/s!AuDWrgYDuxytbac78BbaB6ykfT8	Get hash	malicious	Unknown	Browse
	https://o3g46bxs.page.link/dmCn	Get hash	malicious	Unknown	Browse
	https://clothingmemorialadorable.com/xfk47a7yg?key=02661d03f8c3bed95f6dd5fe5d58f347	Get hash	malicious	Unknown	Browse
	https://clothingmemorialadorable.com/xfk47a7yg?	Get hash	malicious	Unknown	Browse
	main	Get hash	malicious	Unknown	Browse
	http://t.co/C3j7hxRH1i?go1	Get hash	malicious	Unknown	Browse
	https://tax.taxmatch.pw/index.php?fname=Sonia&Iname=Zamora&address=Dexter%20ct%20woodbridge&city=Harrisburg&state=PA&zip=17101&email=no@email.com&phone=7175747162	Get hash	malicious	Unknown	Browse
	9FajbP2iUg	Get hash	malicious	CloudMensis	Browse
	qSyn3wYEjY	Get hash	malicious	Calisto	Browse
	12mu8VHN8k	Get hash	malicious	Unknown	Browse
	https://rum.edgio.net	Get hash	malicious	Unknown	Browse
	https://workdrive.zohoexternal.com/file/cy5wr6f6bb22f7def4ca5a9c1783a9c058602	Get hash	malicious	Unknown	Browse
	Payment_receipt #june_ 4139.htm	Get hash	malicious	HTMLPhisher	Browse
	il9Qwo3sVf	Get hash	malicious	Unknown	Browse
	https://pub-094517efd3704d3cb6704b960e13b773.r2.dev/indexxe.html#credit-control@itv.com	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
searchlb-3b453017ec33bbb9.elb.us-west-2.amazonaws.com	Ravenwise	Get hash	malicious	Unknown	Browse	54.70.175.13
	Ravenwise	Get hash	malicious	Unknown	Browse	54.70.175.13
	bfe	Get hash	malicious	Unknown	Browse	54.70.175.13
	ctapp_230720_b1nt12.zip	Get hash	malicious	Unknown	Browse	54.70.175.13
	Kx1A2vl0kc	Get hash	malicious	Unknown	Browse	54.70.175.13
	ctapp_230720_b1nt12.zip	Get hash	malicious	Unknown	Browse	54.70.175.13

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	https://skilltrackers.com/product/chatgpt-for-accountants-understand-fiduciary-accounting-principles/?utm_source=EQ2&utm_medium=180823&utm_campaign=HR&utm_id=email&c=E,1,UCYU-yIXtYLMpHGZXEkkKAg_BAlLBjF_g0yJxCpN032LNtX1J7DTpr3TON8zIWLbNLgWzgAwj7cF9IJtU2bZ7BKtzYQnLge0asG_jk6HQSHs-w,,&typo=1	Get hash	malicious	Unknown	Browse	54.186.23.98
	http://documen.site/download/bosch-kts-200-keygen-213l_pdf	Get hash	malicious	Unknown	Browse	35.181.29.184
	https://red0zv3n.page.link/nYJz	Get hash	malicious	Unknown	Browse	3.75.62.37
	RFQ20230821_Commercial_list.exe	Get hash	malicious	FormBook, GuLoader	Browse	3.19.30.28
	http://ecv.microsoft.com/yes23p1SdD	Get hash	malicious	Captcha Phish	Browse	13.32.110.126
	KCyJ0EWBsw.elf	Get hash	malicious	Mirai	Browse	184.78.140.227
	https://qvrcu28l.page.link/jdF1	Get hash	malicious	Unknown	Browse	3.75.62.37
	ungziped_file.exe	Get hash	malicious	FormBook, GuLoader	Browse	54.179.30.8
	RFQ-Material_List0816023.exe	Get hash	malicious	FormBook	Browse	44.227.76.166
	https://runningonrice.com/auth3/cap/turnstile?userid=tbarris@estrellagaliciausa.com	Get hash	malicious	Unknown	Browse	108.138.34.115
	https://www.surveymonkey.com/r/xrm2tsx	Get hash	malicious	Unknown	Browse	108.138.36.106
	8 Hhtm.html	Get hash	malicious	HTMLPhisher	Browse	52.218.118.41
	Vm4U4HAc98.elf	Get hash	malicious	Mirai	Browse	18.238.106.150
	uuCAncltoX.elf	Get hash	malicious	Mirai	Browse	54.104.26.113
	427YPKJWie.elf	Get hash	malicious	Mirai	Browse	65.3.242.62
	pDtHFbnrHT.elf	Get hash	malicious	Mirai	Browse	34.211.14.94
	https://www.svatma.in/	Get hash	malicious	Unknown	Browse	35.158.84.222
	http://tink69.com/	Get hash	malicious	Unknown	Browse	13.232.151.197
	cutie.arm7.elf	Get hash	malicious	Mirai	Browse	54.255.24.89
	MHm4xSPZnZ.elf	Get hash	malicious	Mirai	Browse	108.152.25.13

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3e4e87dda5a3162306609b7e330441d2	https://finvestcapital.ca/	Get hash	malicious	Unknown	Browse	54.70.175.13
	https://pub-1658c2dd66434dd7b5f48ce167884c7e.r2.dev/index.html#support@ashleymadison.com	Get hash	malicious	Unknown	Browse	54.70.175.13
	https://sharedfiles132456-665542.s3.us-east-005.backblazeb2.com/grace.html	Get hash	malicious	Unknown	Browse	54.70.175.13
	https://ncv.microsoft.com/LB68CYHnI7	Get hash	malicious	Unknown	Browse	54.70.175.13
	http://daubinvestments.com	Get hash	malicious	Unknown	Browse	54.70.175.13
	https://mtbsign-onlineshelp6232.duckdns.org/	Get hash	malicious	Unknown	Browse	54.70.175.13
	https://clothingmemorialadorable.com/xfk47a7yg?key=02661d03f8c3bed95f6dd5fe5d58f347	Get hash	malicious	Unknown	Browse	54.70.175.13
	https://trk.klclick3.com/ls/click?upn=ODUWvrrWUUEee10FYhP2wZyPL1bLpxmK7tCWb4Xj1Noy-2F-2Bu0ZUvzWzy588C54QNl6EPf-2FtlYqzO-2FJkqf-2FjkkjhJXLWf5Q-2Bh3bAFwhgyoBKZRylURgGbO-2Fl-2FhbyBLIcM6kcBGS3VJC0dCH8iqTpiv-2BA-3D-3DC_TS_BdoE-2BqcBt692Zq6TFVs-2BIYMNWNao2bfciBVD4n-2F5m-2FzBQafN-2F7-2Bb30sW9-2BzFZMaW-2FLJeG6XW598f6wa-2Fo11l-2BHQQC5ig3nbpcHiAiLC4qo8M7BJH-2F03cOZNeyWMYx0sU6lI0DVg-2B-2BNK9mEASj1W3RH6HbZ9xgEE-2FV3ByC-2FjRioxk8-2FwBZ-2F867xPaQnbyASSD67hoK3iQXHJ3Jh-2F7VIbGFcx6Zr-2BEDbt1-2FQNWkxAShvSmZiu3FbvM8NrUGz63EdoSph70Bw3S915mU18T7xAa8FAnmS7G1NDJnJLYcw9Hiuc6zL4gJ6nwznB2cBoMoKt9fNH-2BGzhiVYtPk3qcCu-2BP8scoYS0uRT5d-2Flgt-2BUGYNIKc9NeNdHghkoytvotQ8p35TvSzKDt0nLjjlQUYFcKRWB6OB5D-2FMLRGYA9ZoGxrLTg-3D#cl/488482_md/10/419673/6491/60323/1797583	Get hash	malicious	Unknown	Browse	54.70.175.13
	https://1drv.ms/b/s!AuDWrgYDuxytbac78BbaB6ykfT8	Get hash	malicious	Unknown	Browse	54.70.175.13
	https://59zt7n39kiyr6n1exiq2.bxn6.ru/p6R3a9/	Get hash	malicious	Unknown	Browse	54.70.175.13
	https://clothingmemorialadorable.com/xfk47a7yg?key=02661d03f8c3bed95f6dd5fe5d58f347	Get hash	malicious	Unknown	Browse	54.70.175.13
	https://clothingmemorialadorable.com/xfk47a7yg?	Get hash	malicious	Unknown	Browse	54.70.175.13
	http://t.co/C3j7hxRH1i?go1	Get hash	malicious	Unknown	Browse	54.70.175.13
	https://tax.taxmatch.pw/index.php?fname=Sonia&Iname=Zamora&address=Dexter%20ct%20woodbridge&city=Harrisburg&state=PA&zip=17101&email=no@email.com&phone=7175747162	Get hash	malicious	Unknown	Browse	54.70.175.13
	9FajbP2iUg	Get hash	malicious	CloudMensis	Browse	54.70.175.13
	https://rum.edgio.net	Get hash	malicious	Unknown	Browse	54.70.175.13
	https://workdrive.zohoexternal.com/file/cy5wr6f6bb22f7def4ca5a9c1783a9c058602	Get hash	malicious	Unknown	Browse	54.70.175.13
	Payment_receipt #june_ 4139.htm	Get hash	malicious	HTMLPhisher	Browse	54.70.175.13
	https://pub-094517efd3704d3cb6704b960e13b773.r2.dev/indexxe.html#credit-control@itv.com	Get hash	malicious	Unknown	Browse	54.70.175.13
	https://autoingress.com.au/lq/?0463582	Get hash	malicious	Unknown	Browse	54.70.175.13

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	Mach-O 64-bit x86_64 executable, flags:<NOUNDEFS\|DYLDLINK\|TWOLEVEL\|PIE>
Entropy (8bit):	6.185759414823282
TrID:	Mac OS X Mach-O 64-bit Intel executable (4008/2) 50.02% Mac OS X Mach-O 64-bit executable (little-endian) (4004/1) 49.98%
File name:	Pipidae.app
File size:	436'592 bytes
MD5:	8881338c77f4285d197fb52229575d64
SHA1:	23eea6ab534cf7aa5e9356660cfa974c3e610bbd
SHA256:	7a1f844ec0aa595b09d4044e99690cf3d3095a3faae5656a7f5b78cc593563f5
SHA512:	93f16cf160b864bb6e98fe029043a0e404901986b22c91afc2a23557071d8807fcbb2be15941f2e9b136fc9dea8a2a81ea0dbcc426c1e5e7e033ba203d3e4115
SSDEEP:	6144:n7V6t+FfwK6yOWq81k3ekY3U2qV4jcxHu72XTqJpqj7+Bdcm:nwcKJtrs64jcxvTOpaNm
TLSH:	F294E7075367D4C1D430DAF80BF94BA10B60DA495597BE8A3091B1347C4BE2BAFF1B6A
File Content Preview:	.......................... .........H...__PAGEZERO..............................................................__TEXT...................@...............@......................__text..........__TEXT..........H...............H..............................

Static Mach Info

General Information for header 1
Endian:	little-endian
Size:	64-bit
Architecture:	x86_64
Filetype:	execute
Nbr. of load commands:	22
Entry point:	0x7F7E

segment_command_64 aggregated: 4

Name	Value
segname	__PAGEZERO
vmaddr	0x0
vmsize	0x100000000
fileoff	0x0
filesize	0x0
maxprot	0x0
initprot	0x0
nsects	0
flags	0x0

Name

Value

segname

__TEXT

vmaddr

0x100000000

vmsize

0x54000

fileoff

0x0

filesize

0x54000

maxprot

0x5

initprot

0x5

nsects

flags

0x0

Datas

sectname	segname	addr	size	offset	entropy	align	reloff	nreloc	flags
__text	__TEXT	0x100001848	0x500F5	0x1848	6.4237	0x2	0x0	0	0x80000400
__stubs	__TEXT	0x10005193E	0x22E	0x5193E	3.4591	0x1	0x0	0	0x80000408
__stub_helper	__TEXT	0x100051B6C	0x3B2	0x51B6C	4.4583	0x2	0x0	0	0x80000400
__const	__TEXT	0x100051F20	0x1068	0x51F20	1.8208	0x4	0x0	0	0x0
__objc_methname	__TEXT	0x100052F88	0xA7C	0x52F88	4.8249	0x0	0x0	0	0x2
__cstring	__TEXT	0x100053A04	0x3D8	0x53A04	5.0409	0x0	0x0	0	0x2
__objc_classname	__TEXT	0x100053DDC	0x49	0x53DDC	4.1835	0x0	0x0	0	0x2
__objc_methtype	__TEXT	0x100053E25	0x36	0x53E25	3.4301	0x0	0x0	0	0x2
__unwind_info	__TEXT	0x100053E5C	0x19C	0x53E5C	5.0744	0x2	0x0	0	0x0

Name

Value

segname

__DATA

vmaddr

0x100054000

vmsize

0x14000

fileoff

0x54000

filesize

0x14000

maxprot

0x3

initprot

0x3

nsects

flags

0x0

Datas

sectname	segname	addr	size	offset	entropy	align	reloff	nreloc	flags
__nl_symbol_ptr	__DATA	0x100054000	0x8	0x54000	-0.0000	0x3	0x0	0	0x6
__got	__DATA	0x100054008	0xB8	0x54008	-0.0000	0x3	0x0	0	0x6
__la_symbol_ptr	__DATA	0x1000540C0	0x2E8	0x540C0	3.0588	0x3	0x0	0	0x7
__const	__DATA	0x1000543A8	0x200	0x543A8	1.8208	0x3	0x0	0	0x0
__objc_nlclslist	__DATA	0x1000545A8	0x8	0x545A8	2.0000	0x3	0x0	0	0x10000000
__objc_protolist	__DATA	0x1000545B0	0x10	0x545B0	2.1250	0x3	0x0	0	0x0
__objc_imageinfo	__DATA	0x1000545C0	0x8	0x545C0	0.5436	0x2	0x0	0	0x0
__objc_const	__DATA	0x1000545C8	0x140	0x545C8	1.8119	0x3	0x0	0	0x0
__objc_selrefs	__DATA	0x100054708	0x478	0x54708	3.2317	0x3	0x0	0	0x10000005
__objc_protorefs	__DATA	0x100054B80	0x10	0x54B80	2.1250	0x3	0x0	0	0x0
__objc_classrefs	__DATA	0x100054B90	0xD0	0x54B90	-0.0000	0x3	0x0	0	0x10000000
__objc_data	__DATA	0x100054C60	0x50	0x54C60	1.5171	0x3	0x0	0	0x0
__data	__DATA	0x100054CB0	0x10768	0x54CB0	5.0850	0x4	0x0	0	0x0
__bss	__DATA	0x100065420	0x360	0x0	0.0000	0x4	0x0	0	0x1

Name	Value
segname	__LINKEDIT
vmaddr	0x100068000
vmsize	0x2970
fileoff	0x68000
filesize	0x2970
maxprot	0x1
initprot	0x1
nsects	0
flags	0x0

dyld_info_command aggregated: 1

Name	Value
rebase_off	425984
rebase_size	256
bind_off	426240
bind_size	1672
weak_bind_off	0
weak_bind_size	0
lazy_bind_off	427912
lazy_bind_size	2400
export_off	430312
export_size	32

symtab_command aggregated: 1

Name	Value
symoff	430576
nsyms	142
stroff	433688
strsize	2904

dysymtab_command aggregated: 1

Name	Value
ilocalsym	0
nlocalsym	1
iextdefsym	1
nextdefsym	1
iundefsym	2
nundefsym	140
tocoff	0
ntoc	0
modtaboff	0
nmodtab	0
extrefsymoff	0
nextrefsyms	0
indirectsymoff	432848
nindirectsyms	210
extreloff	0
nextrel	0
locreloff	0
nlocrel	0

dylinker_command aggregated: 1

Name

Value

name

Datas

/usr/lib/dyld

uuid_command aggregated: 1

Name	Value
uuid	b'k\xa4>\xe4\xc3\x19=z\xacC{b\xf6\x83Mw'

version_min_command aggregated: 1

Name	Value
version	657920
sdk	852224

source_version_command aggregated: 1

Name	Value
version	0

entry_point_command aggregated: 1

Name	Value
entryoff	32638
stacksize	0

dylib_command aggregated: 7

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

1953.255.0

compatibility_version

300.0.0

Datas

/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

228.0.0

compatibility_version

1.0.0

Datas

/usr/lib/libobjc.A.dylib

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

1319.0.0

compatibility_version

1.0.0

Datas

/usr/lib/libSystem.B.dylib

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

2299.30.112

compatibility_version

45.0.0

Datas

/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

1953.255.0

compatibility_version

150.0.0

Datas

/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

275.0.0

compatibility_version

1.0.0

Datas

/System/Library/Frameworks/IOKit.framework/Versions/A/IOKit

Name

Value

name

timestamp

Thu Jan 1 01:00:02 1970

current_version

1241.60.3

compatibility_version

1.0.0

Datas

/System/Library/Frameworks/SystemConfiguration.framework/Versions/A/SystemConfiguration

rpath_command aggregated: 1

Name

Value

path

Datas

@executable_path/../Frameworks

linkedit_data_command aggregated: 2

Name	Value
dataoff	430344
datasize	224

Name	Value
dataoff	430568
datasize	8

Internal Symbols

_CCCryptorCreate

_CCCryptorFinal

_CCCryptorGetOutputLength

_CCCryptorRelease

_CCCryptorUpdate

_CCHmacFinal

_CCHmacInit

_CCHmacUpdate

_CCKeyDerivationPBKDF

_CC_MD5

_CFDataGetTypeID

_CFDictionaryGetCount

_CFDictionaryGetKeysAndValues

_CFGetTypeID

_CFRelease

_CFStringGetCStringPtr

_CFStringGetTypeID

_IOIteratorNext

_IOObjectRelease

_IORegistryEntryCreateCFProperties

_IORegistryEntryCreateCFProperty

_IORegistryEntryGetChildIterator

_IORegistryGetRootEntry

_IOServiceGetMatchingService

_IOServiceMatching

_NSSetUncaughtExceptionHandler

_NSTemporaryDirectory

_OBJC_CLASS_$_NSArray

_OBJC_CLASS_$_NSBundle

_OBJC_CLASS_$_NSCharacterSet

_OBJC_CLASS_$_NSData

_OBJC_CLASS_$_NSDictionary

_OBJC_CLASS_$_NSFileHandle

_OBJC_CLASS_$_NSFileManager

_OBJC_CLASS_$_NSJSONSerialization

_OBJC_CLASS_$_NSMutableArray

_OBJC_CLASS_$_NSMutableData

_OBJC_CLASS_$_NSMutableString

_OBJC_CLASS_$_NSMutableURLRequest

_OBJC_CLASS_$_NSNumber

_OBJC_CLASS_$_NSPipe

_OBJC_CLASS_$_NSPredicate

_OBJC_CLASS_$_NSProcessInfo

_OBJC_CLASS_$_NSRunLoop

_OBJC_CLASS_$_NSString

_OBJC_CLASS_$_NSTask

_OBJC_CLASS_$_NSThread

_OBJC_CLASS_$_NSURL

_OBJC_CLASS_$_NSURLComponents

_OBJC_CLASS_$_NSURLQueryItem

_OBJC_CLASS_$_NSURLSession

_OBJC_CLASS_$_NSUUID

_OBJC_CLASS_$_NSWorkspace

__Block_copy

__Block_object_assign

__DefaultRuneLocale

__NSConcreteGlobalBlock

__NSConcreteStackBlock

___CFConstantStringClassReference

___bzero

___stack_chk_fail

___stack_chk_guard

__dyld_register_func_for_add_image

__mh_execute_header

__objc_empty_cache

__objc_empty_vtable

_abort

_asprintf

_bzero

_calloc

_class_addMethod

_class_addProperty

_class_addProtocol

_class_getInstanceMethod

_class_getInstanceSize

_class_getInstanceVariable

_class_getIvarLayout

_class_getName

_class_getSuperclass

_class_isMetaClass

_class_replaceMethod

_class_respondsToSelector

_dispatch_async

_dispatch_get_global_queue

_dlopen

_dlsym

_exit

_free

_hash_create

_hash_search

_ivar_getName

_ivar_getOffset

_kCFAllocatorDefault

_kCFCoreFoundationVersionNumber

_kIOMasterPortDefault

_malloc

_memcpy

_method_setImplementation

_objc_alloc

_objc_allocateClassPair

_objc_autorelease

_objc_autoreleasePoolPop

_objc_autoreleasePoolPush

_objc_autoreleaseReturnValue

_objc_constructInstance

_objc_copyClassNamesForImage

_objc_enumerationMutation

_objc_getClass

_objc_getMetaClass

_objc_getProtocol

_objc_getRequiredClass

_objc_initializeClassPair

_objc_loadClassref

_objc_lookUpClass

_objc_msgSend

_objc_msgSend_stret

_objc_readClassPair

_objc_registerClassPair

_objc_release

_objc_retain

_objc_retainAutorelease

_objc_retainAutoreleaseReturnValue

_objc_retainAutoreleasedReturnValue

_objc_retainBlock

_object_getClass

_object_getIndexedIvars

_object_getIvar

_object_setIvar

_property_copyAttributeList

_protocol_getMethodDescription

_protocol_getName

_pthread_mutex_lock

_pthread_mutex_unlock

_sel_getUid

_signal

_strcmp

_strlen

_strncmp

_sysctl

_sysctlbyname

dyld_stub_binder

radr://5614542

External Symbols

_CCCryptorCreate

_CCCryptorFinal

_CCCryptorGetOutputLength

_CCCryptorRelease

_CCCryptorUpdate

_CCHmacFinal

_CCHmacInit

_CCHmacUpdate

_CCKeyDerivationPBKDF

_CC_MD5

_CFDataGetTypeID

_CFDictionaryGetCount

_CFDictionaryGetKeysAndValues

_CFGetTypeID

_CFRelease

_CFStringGetCStringPtr

_CFStringGetTypeID

_IOIteratorNext

_IOObjectRelease

_IORegistryEntryCreateCFProperties

_IORegistryEntryCreateCFProperty

_IORegistryEntryGetChildIterator

_IORegistryGetRootEntry

_IOServiceGetMatchingService

_IOServiceMatching

_NSSetUncaughtExceptionHandler

_NSTemporaryDirectory

__Block_copy

__Block_object_assign

___bzero

___stack_chk_fail

__dyld_register_func_for_add_image

_abort

_asprintf

_bzero

_calloc

_class_addMethod

_class_addProperty

_class_addProtocol

_class_getInstanceMethod

_class_getInstanceSize

_class_getInstanceVariable

_class_getIvarLayout

_class_getSuperclass

_class_isMetaClass

_class_replaceMethod

_class_respondsToSelector

_dispatch_async

_dispatch_get_global_queue

_dlopen

_dlsym

_exit

_free

_hash_create

_hash_search

_ivar_getName

_ivar_getOffset

_malloc

_memcpy

_method_setImplementation

_objc_alloc

_objc_autorelease

_objc_autoreleasePoolPop

_objc_autoreleasePoolPush

_objc_autoreleaseReturnValue

_objc_constructInstance

_objc_enumerationMutation

_objc_getClass

_objc_getMetaClass

_objc_getProtocol

_objc_getRequiredClass

_objc_initializeClassPair

_objc_lookUpClass

_objc_msgSend_stret

_objc_registerClassPair

_objc_retainAutorelease

_objc_retainAutoreleaseReturnValue

_objc_retainAutoreleasedReturnValue

_objc_retainBlock

_object_getClass

_object_getIvar

_object_setIvar

_property_copyAttributeList

_protocol_getMethodDescription

_pthread_mutex_lock

_pthread_mutex_unlock

_sel_getUid

_signal

_strcmp

_strlen

_strncmp

_sysctl

_sysctlbyname

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 21, 2023 15:43:51.275496960 CEST	49304	443	192.168.11.11	54.70.175.13
Aug 21, 2023 15:43:51.275573015 CEST	443	49304	54.70.175.13	192.168.11.11
Aug 21, 2023 15:43:51.276235104 CEST	49304	443	192.168.11.11	54.70.175.13
Aug 21, 2023 15:43:51.276993036 CEST	49304	443	192.168.11.11	54.70.175.13
Aug 21, 2023 15:43:51.277030945 CEST	443	49304	54.70.175.13	192.168.11.11
Aug 21, 2023 15:43:51.868381023 CEST	443	49304	54.70.175.13	192.168.11.11
Aug 21, 2023 15:43:51.869110107 CEST	49304	443	192.168.11.11	54.70.175.13
Aug 21, 2023 15:43:51.869235992 CEST	49304	443	192.168.11.11	54.70.175.13
Aug 21, 2023 15:43:51.911729097 CEST	49304	443	192.168.11.11	54.70.175.13
Aug 21, 2023 15:43:51.911818981 CEST	443	49304	54.70.175.13	192.168.11.11
Aug 21, 2023 15:43:51.913033009 CEST	443	49304	54.70.175.13	192.168.11.11
Aug 21, 2023 15:43:51.913559914 CEST	49304	443	192.168.11.11	54.70.175.13
Aug 21, 2023 15:43:51.917047977 CEST	49304	443	192.168.11.11	54.70.175.13
Aug 21, 2023 15:43:51.920885086 CEST	49304	443	192.168.11.11	54.70.175.13
Aug 21, 2023 15:43:51.921049118 CEST	443	49304	54.70.175.13	192.168.11.11
Aug 21, 2023 15:43:52.321096897 CEST	443	49304	54.70.175.13	192.168.11.11
Aug 21, 2023 15:43:52.321501970 CEST	443	49304	54.70.175.13	192.168.11.11
Aug 21, 2023 15:43:52.322710037 CEST	49304	443	192.168.11.11	54.70.175.13
Aug 21, 2023 15:43:52.322990894 CEST	49304	443	192.168.11.11	54.70.175.13
Aug 21, 2023 15:43:52.324465036 CEST	49304	443	192.168.11.11	54.70.175.13
Aug 21, 2023 15:43:52.324526072 CEST	443	49304	54.70.175.13	192.168.11.11
Aug 21, 2023 15:44:12.088114977 CEST	49295	80	192.168.11.11	17.253.15.208
Aug 21, 2023 15:44:12.088501930 CEST	49296	80	192.168.11.11	2.23.196.201
Aug 21, 2023 15:44:12.096960068 CEST	80	49295	17.253.15.208	192.168.11.11
Aug 21, 2023 15:44:12.097316027 CEST	80	49296	2.23.196.201	192.168.11.11
Aug 21, 2023 15:44:12.098865032 CEST	49295	80	192.168.11.11	17.253.15.208
Aug 21, 2023 15:44:12.099056959 CEST	49296	80	192.168.11.11	2.23.196.201

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 21, 2023 15:43:51.231131077 CEST	55804	53	192.168.11.11	1.1.1.1
Aug 21, 2023 15:43:51.270880938 CEST	53	55804	1.1.1.1	192.168.11.11
Aug 21, 2023 15:44:02.316143990 CEST	137	137	192.168.11.11	192.168.11.255

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 21, 2023 15:43:51.231131077 CEST	192.168.11.11	1.1.1.1	0x8724	Standard query (0)	www.ipahufm.icu	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 21, 2023 15:43:51.270880938 CEST	1.1.1.1	192.168.11.11	0x8724	No error (0)	www.ipahufm.icu	searchlb-3b453017ec33bbb9.elb.us-west-2.amazonaws.com		CNAME (Canonical name)	IN (0x0001)	false
Aug 21, 2023 15:43:51.270880938 CEST	1.1.1.1	192.168.11.11	0x8724	No error (0)	searchlb-3b453017ec33bbb9.elb.us-west-2.amazonaws.com		54.70.175.13	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.ipahufm.icu

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.11.11	49304	54.70.175.13	443

Timestamp	Direction	Data
2023-08-21 13:43:51 UTC	OUT	POST /se/cu HTTP/1.1 Host: www.ipahufm.icu Content-Type: application/json Connection: keep-alive Accept: / User-Agent: Pipidae.app (unknown version) CFNetwork/893.13.1 Darwin/17.3.0 (x86_64) Content-Length: 42 Accept-Language: en-us Accept-Encoding: br, gzip, deflate
2023-08-21 13:43:51 UTC	OUT	Data Raw: 7b 22 6d 69 64 22 3a 22 31 36 64 33 30 36 39 63 62 36 37 64 36 64 38 32 31 64 30 30 32 64 64 66 62 66 30 36 36 39 32 32 22 7d Data Ascii: {"mid":"16d3069cb67d6d821d002ddfbf066922"}
2023-08-21 13:43:52 UTC	IN	HTTP/1.1 200 OK Server: nginx/1.10.3 (Ubuntu) Date: Mon, 21 Aug 2023 13:43:52 GMT Content-Type: text/html; charset=utf-8 Content-Length: 1 Connection: close
2023-08-21 13:43:52 UTC	IN	Data Raw: 30 Data Ascii: 0

System Behavior

Analysis Process: mono-sgen32 PID: 895, Parent PID: 826

General

Start time:	15:43:50
Start date:	21/08/2023
Path:	/Library/Frameworks/Mono.framework/Versions/4.4.2/bin/mono-sgen32
Arguments:	-
File size:	3722408 bytes
MD5 hash:	8910349f44a940d8d79318367855b236

Chronological Activities

Analysis Process: Pipidae.app PID: 895, Parent PID: 826

General

Start time:	15:43:50
Start date:	21/08/2023
Path:	/Users/berri/Desktop/Pipidae.app
Arguments:	/Users/berri/Desktop/Pipidae.app
File size:	436592 bytes
MD5 hash:	8881338c77f4285d197fb52229575d64

Source: Pipidae.app	ReversingLabs: Detection: 13%
Source: Pipidae.app	Virustotal: Detection: 38%			Perma Link

Source: Pipidae.app, 00000895.00000282.9.000000011188f000.00000001118aa000.r--.sdmp	String found in binary or memory: http://crl.apple.com/codesigning.crl0
Source: Pipidae.app, 00000895.00000282.9.000000011188f000.00000001118aa000.r--.sdmp	String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: Pipidae.app, 00000895.00000282.9.000000011188f000.00000001118aa000.r--.sdmp	String found in binary or memory: http://www.apple.com/appleca/root.crl0
Source: Pipidae.app, 00000895.00000282.9.000000011188f000.00000001118aa000.r--.sdmp	String found in binary or memory: http://www.apple.com/certificateauthority0
Source: Pipidae.app, 00000895.00000282.9.000000011188f000.00000001118aa000.r--.sdmp	String found in binary or memory: https://www.apple.com/appleca/0

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: Bypass User Access Control ).
Tactics:	Collection, Credential Access
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, User interface
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Source: submission: Pipidae.app	Mach-O symbol: _CCCryptorRelease
Source: submission: Pipidae.app	Mach-O symbol: _CCCryptorUpdate
Source: submission: Pipidae.app	Mach-O symbol: _CCCryptorFinal
Source: submission: Pipidae.app	Mach-O symbol: _CCCryptorGetOutputLength
Source: submission: Pipidae.app	Mach-O symbol: _CCCryptorCreate

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49304
Source: unknown	Network traffic detected: HTTP traffic on port 49304 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.15.208
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.196.201
Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.15.208
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.196.201
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

macOS Analysis Report Pipidae.app

Overview

General Information

Detection

Signatures

Classification

General Information

Runtime Messages

Process Tree

Yara Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static Mach Info

General Information for header 1

Internal Symbols

External Symbols

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

System Behavior

Analysis Process: mono-sgen32 PID: 895, Parent PID: 826

General

Chronological Activities

Analysis Process: Pipidae.app PID: 895, Parent PID: 826

General

Chronological Activities

macOS Analysis Report
Pipidae.app