Edit tour

macOS Analysis Report
rrr

Overview

General Information

Sample name:	rrr
Analysis ID:	1583358
MD5:	bfcb8d38e8224b0f45930c7ff4f24608
SHA1:	2676d802e32f0479d69b973915fa34b5004c31e5
SHA256:	dd4f1291a2108e59b0687592f02067ae8863f1b5fba3067fe039d44dd4bd62cd
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false

Signatures

Multi AV Scanner detection for submitted file

Contains symbols with suspicious names likely related to networking

Mach-O contains sections with high entropy indicating compressed/encrypted content

Moves itself during installation or deletes itself after installation

Process deletes its process image on disk

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583358
Start date and time:	2025-01-02 14:35:48 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultmacfilecookbook.jbs
Analysis system description:	Virtual Machine, Mojave (Office 16 16.27, Java 11.0.2+9, Adobe Reader 2019.010.20099)
macOS major version:	10.14
CPU architecture:	x86_64
Analysis Mode:	default
Sample name:	rrr
Detection:	MAL
Classification:	mal48.mac@0/0@1/0

Warnings

Excluded IPs from analysis (whitelisted): 204.79.197.237, 13.107.21.237, 17.253.13.139, 17.253.13.145, 17.253.13.136, 17.253.13.140, 17.253.13.132, 23.37.124.6, 17.36.200.79, 17.253.13.141
Excluded domains from analysis (whitelisted): mesu-cdn.apple.com.akadns.net, lcdn-locator-usuqo.apple.com.akadns.net, updates.cdn-apple.com.akadns.net, e673.dsce9.akamaiedge.net, star-bing-com.dual-a-0034.a-msedge.net, crl.apple.com, lb._dns-sd._udp.0.11.168.192.in-addr.arpa, mesu-cdn.origin-apple.com.akadns.net, lcdn-locator.apple.com.akadns.net, wwww.bing.com, lcdn-locator.apple.com, mesu.g.aaplimg.com, updates.g.aaplimg.com, itunes.apple.com.edgekey.net, dual-a-0034.a-msedge.net, mesu.apple.com, init.itunes.apple.com, init-cdn.itunes-apple.com.akadns.net, updates.cdn-apple.com

Runtime Messages

Command:	/Users/bernard/Desktop/rrr
PID:	619
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:
Standard Error:

Process Tree

System is macvm-mojave

mono-sgen32 New Fork (PID: 619, Parent: 537)

rrr (MD5: bfcb8d38e8224b0f45930c7ff4f24608) Arguments: /Users/bernard/Desktop/rrr

rrr New Fork (PID: 620, Parent: 619)

xpcproxy New Fork (PID: 624, Parent: 1)

nsurlstoraged (MD5: 321b0a40e24b45f0af49ba42742b3f64) Arguments: /usr/libexec/nsurlstoraged --privileged

xpcproxy New Fork (PID: 641, Parent: 1)

eficheck (MD5: 328beb81a2263449258057506bb4987f) Arguments: /usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check-daemon

cleanup

Yara Signatures

⊘No yara matches

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: rrr

ReversingLabs: Detection: 37%

Source: unknown	HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49369 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49373 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49383 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49386 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49388 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49390 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49392 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49398 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49399 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49400 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49401 version: TLS 1.2

Source: submission: rrr	Mach-O symbol: _send
Source: submission: rrr	Mach-O symbol: _setsockopt
Source: submission: rrr	Mach-O symbol: _socket
Source: submission: rrr	Mach-O symbol: _socketpair
Source: submission: rrr	Mach-O symbol: _getsockopt
Source: submission: rrr	Mach-O symbol: _getsockname
Source: submission: rrr	Mach-O symbol: _connect

Source: unknown	TCP traffic detected without corresponding DNS query: 23.37.124.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.37.124.29
Source: unknown	TCP traffic detected without corresponding DNS query: 23.43.45.85
Source: unknown	TCP traffic detected without corresponding DNS query: 23.43.45.85
Source: unknown	TCP traffic detected without corresponding DNS query: 23.43.45.85
Source: unknown	TCP traffic detected without corresponding DNS query: 23.43.45.85
Source: unknown	TCP traffic detected without corresponding DNS query: 23.43.45.85
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: h3.apis.apple.map.fastly.net

Source: rrr, 00000619.00000247.9.000000011a26d000.000000011a296000.r--.sdmp, rrr, 00000620.00000248.9.000000011a26d000.000000011a296000.r--.sdmp	String found in binary or memory: http://crl.apple.com/codesigning.crl0
Source: rrr, 00000619.00000247.9.000000011a26d000.000000011a296000.r--.sdmp, rrr, 00000620.00000248.9.000000011a26d000.000000011a296000.r--.sdmp	String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: rrr, 00000619.00000247.9.000000011a26d000.000000011a296000.r--.sdmp, rrr, 00000620.00000248.9.000000011a26d000.000000011a296000.r--.sdmp	String found in binary or memory: http://www.apple.com/appleca/root.crl0
Source: rrr, 00000619.00000247.9.000000011a26d000.000000011a296000.r--.sdmp, rrr, 00000620.00000248.9.000000011a26d000.000000011a296000.r--.sdmp	String found in binary or memory: http://www.apple.com/certificateauthority0
Source: rrr	String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support/rust/deps/gimli-0.28.1/src/read/abbrev.rsHash
Source: rrr	String found in binary or memory: https://docs.rs/rustls/latest/rustls/manual/_03_howto/index.html#unexpected-eofreceived
Source: rrr, 00000619.00000247.9.000000011a26d000.000000011a296000.r--.sdmp, rrr, 00000620.00000248.9.000000011a26d000.000000011a296000.r--.sdmp	String found in binary or memory: https://www.apple.com/appleca/0

Source: unknown	Network traffic detected: HTTP traffic on port 49399 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49369
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49401
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49400
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49388
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49386
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49383
Source: unknown	Network traffic detected: HTTP traffic on port 49353 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49386 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49388 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49401 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49369 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49398 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49399
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49398
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49353
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49373
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49392
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49390
Source: unknown	Network traffic detected: HTTP traffic on port 49392 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49373 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49390 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49400 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49383 -> 443

Source: /Users/bernard/Desktop/rrr (PID: 620)

Writes from socket in process: data

Jump to behavior

Source: unknown	HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49369 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49373 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49383 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49386 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49388 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49390 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.131.6:443 -> 192.168.11.12:49392 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49398 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49399 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49400 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 151.101.195.6:443 -> 192.168.11.12:49401 version: TLS 1.2

Source: classification engine

Classification label: mal48.mac@0/0@1/0

Source: /Users/bernard/Desktop/rrr (PID: 620)

Process image deleted: /Users/bernard/Desktop/rrr

Jump to behavior

Source: submission: rrr

Mach-O header: load_dylib -> /System/Library/Frameworks/SystemConfiguration.framework/Versions/A/SystemConfiguration

Source: /usr/libexec/firmwarecheckers/eficheck/eficheck (PID: 641)

Random device file read: /dev/random

Jump to behavior

Source: rrr	Submission file: section __const with 7.04944391 entropy (max. 8.0)
Source: rrr	Submission file: section __data with 7.91177262 entropy (max. 8.0)

Source: /Users/bernard/Desktop/rrr (PID: 620)

File deleted: /Users/bernard/Desktop/rrr

Jump to behavior

Source: rrr, 00000620.00000248.9.000000010c04e000.000000010c054000.r--.sdmp	Binary or memory string: framework.vmnet
Source: rrr, 00000620.00000248.9.000000010c04e000.000000010c054000.r--.sdmp	Binary or memory string: framework.vmnet$

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 Obfuscated Files or Information	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	2 File Deletion	LSASS Memory	1 System Network Configuration Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Shell
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
rrr	38%	ReversingLabs	MacOS.Trojan.Multiverze

Dropped Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
h3.apis.apple.map.fastly.net	151.101.195.6	true	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://docs.rs/getrandom#nodejs-es-module-support/rust/deps/gimli-0.28.1/src/read/abbrev.rsHash	rrr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
23.37.124.29	unknown	United States	20940	AKAMAI-ASN1EU	false
151.101.131.6	unknown	United States	54113	FASTLYUS	false
151.101.195.6	h3.apis.apple.map.fastly.net	United States	54113	FASTLYUS	false
23.43.45.85	unknown	United States	18734	OperbesSAdeCVMX	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
23.37.124.29	ab_j	Get hash	malicious	Rust Stealer	Browse
151.101.131.6	CGESrv	Get hash	malicious	CobaltStrike	Browse
	https://ivsmn.kidsavancados.com/	Get hash	malicious	Unknown	Browse
	https://fastbposolutions.com/language/overrides/message.alibaba.com/login.alibaba-com/saexy7ktc4fw1k7zk9xpnx19.php	Get hash	malicious	Unknown	Browse
	http://eocf.jyjwohl.ru/KIOJOJMAIEJFLVSF280212193270471103367JIGUHOIIAX4RQ0SVD?beunjabnkfaakr796013636449016227029WA5LIQI5PMNQO0EETOR	Get hash	malicious	Unknown	Browse
	https://commandes.maisonetstyles.com/Short/?Verification=aalborz_02@yahoo.com	Get hash	malicious	Unknown	Browse
	aJU0obOiEe	Get hash	malicious	Unknown	Browse
	V6QED2Q1WBYVOPE	Get hash	malicious	Unknown	Browse
	https://henrybodmerabeggco.wordpress.com/abegg-co-ag-proposal/	Get hash	malicious	Unknown	Browse
	V6QED2Q1WBYVOPE	Get hash	malicious	Unknown	Browse
	CalendlyApp	Get hash	malicious	Unknown	Browse
151.101.195.6	ab_j	Get hash	malicious	Rust Stealer	Browse
	http://eocf.jyjwohl.ru/KIOJOJMAIEJFLVSF280212193270471103367JIGUHOIIAX4RQ0SVD?beunjabnkfaakr796013636449016227029WA5LIQI5PMNQO0EETOR	Get hash	malicious	Unknown	Browse
	https://commandes.maisonetstyles.com/Short/?Verification=aalborz_02@yahoo.com	Get hash	malicious	Unknown	Browse
	https://henrybodmerabeggco.wordpress.com/abegg-co-ag-proposal/	Get hash	malicious	Unknown	Browse
	CalendlyApp	Get hash	malicious	Unknown	Browse
	CalendlyApp	Get hash	malicious	Unknown	Browse
	https://burlingtonenqlish.com/vm%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20/	Get hash	malicious	Unknown	Browse
	Constate	Get hash	malicious	Unknown	Browse
	iB8UZgdjgk	Get hash	malicious	CTHULHU STEALER	Browse
	V6QED2Q1WBYVOPE	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
h3.apis.apple.map.fastly.net	ab_j	Get hash	malicious	Rust Stealer	Browse	151.101.3.6
	CGESrv	Get hash	malicious	CobaltStrike	Browse	151.101.3.6
	18037.doc	Get hash	malicious	Unknown	Browse	151.101.3.6
	Telegram	Get hash	malicious	Unknown	Browse	151.101.3.6
	http://eocf.jyjwohl.ru/KIOJOJMAIEJFLVSF280212193270471103367JIGUHOIIAX4RQ0SVD?beunjabnkfaakr796013636449016227029WA5LIQI5PMNQO0EETOR	Get hash	malicious	Unknown	Browse	151.101.131.6
	https://commandes.maisonetstyles.com/Short/?Verification=aalborz_02@yahoo.com	Get hash	malicious	Unknown	Browse	151.101.3.6
	V6QED2Q1WBYVOPE	Get hash	malicious	Unknown	Browse	151.101.131.6
	https://henrybodmerabeggco.wordpress.com/abegg-co-ag-proposal/	Get hash	malicious	Unknown	Browse	151.101.195.6
	https://my.toruftuiov.com/a43a39c3-796e-468c-aae4-b83c862e0918	Get hash	malicious	Unknown	Browse	151.101.3.6
	V6QED2Q1WBYVOPE	Get hash	malicious	Unknown	Browse	151.101.131.6

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FASTLYUS	https://www.ecorfan.org/	Get hash	malicious	Unknown	Browse	151.101.194.137
	ab_j	Get hash	malicious	Rust Stealer	Browse	151.101.67.6
	http://www.johnlewis-partnerships.com	Get hash	malicious	Unknown	Browse	151.101.194.208
	https://tr171139818.amoliani.com/c/mm14r39/e-v_xxa-/imz77nt3nps	Get hash	malicious	Unknown	Browse	151.101.129.44
	random.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	dGhlYXB0Z3JvdXA=-free.exe	Get hash	malicious	Unknown	Browse	185.199.109.133
	random.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	dGhlYXB0Z3JvdXA=-free.exe	Get hash	malicious	Unknown	Browse	185.199.110.133
	https://bitl.to/3Y0B	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	151.101.66.137
	01012025.html	Get hash	malicious	HTMLPhisher	Browse	151.101.66.137
OperbesSAdeCVMX	nklm68k.elf	Get hash	malicious	Unknown	Browse	189.221.175.85
	i686.elf	Get hash	malicious	Unknown	Browse	200.23.7.148
	byte.arm.elf	Get hash	malicious	Mirai, Okiru	Browse	189.216.212.151
	la.bot.arm.elf	Get hash	malicious	Unknown	Browse	189.204.243.34
	nabsh4.elf	Get hash	malicious	Unknown	Browse	200.33.13.222
	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse	189.221.175.99
	V6QED2Q1WBYVOPE	Get hash	malicious	Unknown	Browse	23.43.44.201
	79VAlgfTk8.elf	Get hash	malicious	Mirai	Browse	189.204.209.201
	na.elf	Get hash	malicious	Mirai	Browse	189.204.169.105
	QH1v8Gya9C.elf	Get hash	malicious	Unknown	Browse	189.221.175.99
AKAMAI-ASN1EU	DEMONS.x86.elf	Get hash	malicious	Unknown	Browse	104.97.147.124
	ab_j	Get hash	malicious	Rust Stealer	Browse	23.37.124.29
	loligang.arm7.elf	Get hash	malicious	Mirai	Browse	104.70.105.111
	FW_ Carr & Jeanne Biggerstaff has sent you an ecard.msg	Get hash	malicious	Unknown	Browse	2.16.168.119
	over.ps1	Get hash	malicious	Vidar	Browse	23.44.203.175
	MJhe4xWsnR.msi	Get hash	malicious	Unknown	Browse	23.44.201.14
	6684V5n83w.exe	Get hash	malicious	Vidar	Browse	23.209.72.8
	Bp4LoSXw83.lnk	Get hash	malicious	Unknown	Browse	23.44.201.25
	http://ghostbin.cafe24.com/	Get hash	malicious	Unknown	Browse	95.101.148.20
	kwari.arm.elf	Get hash	malicious	Unknown	Browse	172.237.42.205
FASTLYUS	https://www.ecorfan.org/	Get hash	malicious	Unknown	Browse	151.101.194.137
	ab_j	Get hash	malicious	Rust Stealer	Browse	151.101.67.6
	http://www.johnlewis-partnerships.com	Get hash	malicious	Unknown	Browse	151.101.194.208
	https://tr171139818.amoliani.com/c/mm14r39/e-v_xxa-/imz77nt3nps	Get hash	malicious	Unknown	Browse	151.101.129.44
	random.exe	Get hash	malicious	Credential Flusher	Browse	151.101.193.91
	dGhlYXB0Z3JvdXA=-free.exe	Get hash	malicious	Unknown	Browse	185.199.109.133
	random.exe	Get hash	malicious	Credential Flusher	Browse	151.101.129.91
	dGhlYXB0Z3JvdXA=-free.exe	Get hash	malicious	Unknown	Browse	185.199.110.133
	https://bitl.to/3Y0B	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	151.101.66.137
	01012025.html	Get hash	malicious	HTMLPhisher	Browse	151.101.66.137

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
5c118da645babe52f060d0754256a73c	ab_j	Get hash	malicious	Rust Stealer	Browse	151.101.131.6 151.101.195.6
	CGESrv	Get hash	malicious	CobaltStrike	Browse	151.101.131.6 151.101.195.6
	https://ivsmn.kidsavancados.com/	Get hash	malicious	Unknown	Browse	151.101.131.6 151.101.195.6
	18037.doc	Get hash	malicious	Unknown	Browse	151.101.131.6 151.101.195.6
	https://docs.google.com/presentation/d/e/2PACX-1vTBMx4bSFDj_B_GCJTdTqUpVgpLXyQPR3uFGYP9j81KKHswOSbzMWDM5ZByYtVAwpACe-iOzHmzehje/pub?start=false&loop=false&delayms=3000	Get hash	malicious	Unknown	Browse	151.101.131.6 151.101.195.6
	Telegram	Get hash	malicious	Unknown	Browse	151.101.131.6 151.101.195.6
	https://fastbposolutions.com/language/overrides/message.alibaba.com/login.alibaba-com/saexy7ktc4fw1k7zk9xpnx19.php	Get hash	malicious	Unknown	Browse	151.101.131.6 151.101.195.6
	http://eocf.jyjwohl.ru/KIOJOJMAIEJFLVSF280212193270471103367JIGUHOIIAX4RQ0SVD?beunjabnkfaakr796013636449016227029WA5LIQI5PMNQO0EETOR	Get hash	malicious	Unknown	Browse	151.101.131.6 151.101.195.6
	https://commandes.maisonetstyles.com/Short/?Verification=aalborz_02@yahoo.com	Get hash	malicious	Unknown	Browse	151.101.131.6 151.101.195.6
	aJU0obOiEe	Get hash	malicious	Unknown	Browse	151.101.131.6 151.101.195.6

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	Mach-O 64-bit x86_64 executable, flags:<NOUNDEFS\|DYLDLINK\|TWOLEVEL\|PIE\|HAS_TLV_DESCRIPTORS>
Entropy (8bit):	6.872200112856146
TrID:	Mac OS X Mach-O 64-bit Intel executable (4008/2) 50.02% Mac OS X Mach-O 64-bit executable (little-endian) (4004/1) 49.98%
File name:	rrr
File size:	5'112'336 bytes
MD5:	bfcb8d38e8224b0f45930c7ff4f24608
SHA1:	2676d802e32f0479d69b973915fa34b5004c31e5
SHA256:	dd4f1291a2108e59b0687592f02067ae8863f1b5fba3067fe039d44dd4bd62cd
SHA512:	6b5b132e84df8d3d3cfd6a3b8986e48d0d699476074a7bfdccb1634633cac24a7875a71a72743477940c3afbae119e467f5052f74299422e55bbdbf1b5639aba
SSDEEP:	98304:m5povXdlnkkNREuvVbmuC0+paH/WgkE4KjnSl:m5penRz/H/WgkE
TLSH:	49366CBF95905DC8D44B50F402C397E2CA253CB90210639D76D26A3A6D3F9B7BA1E34B
File Content Preview:	....................................H...__PAGEZERO..........................................................x...__TEXT...................0D..............0D.....................__text..........__TEXT....................:....................................

Static Mach Info

General Information for header 1
Endian:	little-endian
Size:	64-bit
Architecture:	x86_64
Filetype:	execute
Nbr. of load commands:	18
Entry point:	0x100047C40

segment_64 load command - aggregated: 4

Name	Value
segname	__PAGEZERO
vmaddr	0x0
vmsize	0x100000000
fileoff	0x0
filesize	0x0
maxprot	0x0
initprot	0x0
nsects	0
flags	0x0

Name

Value

segname

__TEXT

vmaddr

0x100000000

vmsize

0x443000

fileoff

0x0

filesize

0x443000

maxprot

0x5

initprot

0x5

nsects

flags

0x0

Datas

sectname	segname	addr	size	offset	entropy	align	reloff	nreloc	flags
__text	__TEXT	0x1000011C0	0x3AF4C7	0x11C0	6.49333731	6	0x0	0	0x80000400
__stubs	__TEXT	0x1003B0688	0x384	0x3B0688	3.88033818	1	0x0	0	0x80000400
__stub_helper	__TEXT	0x1003B0A0C	0x5EC	0x3B0A0C	4.63951807	2	0x0	0	0x80000400
__const	__TEXT	0x1003B1000	0x8B020	0x3B1000	7.04944391	12	0x0	0	0x0
__gcc_except_tab	__TEXT	0x10043C020	0x1850	0x43C020	5.97874083	2	0x0	0	0x0
__unwind_info	__TEXT	0x10043D870	0x35CC	0x43D870	5.54856482	2	0x0	0	0x0
__eh_frame	__TEXT	0x100440E40	0x1C38	0x440E40	4.55395831	3	0x0	0	0x0

Name

Value

segname

__DATA

vmaddr

0x100443000

vmsize

0x98000

fileoff

0x443000

filesize

0x98000

maxprot

0x3

initprot

0x3

nsects

flags

0x0

Datas

sectname	segname	addr	size	offset	entropy	align	reloff	nreloc	flags
__nl_symbol_ptr	__DATA	0x100443000	0x8	0x443000	-0.00000000	3	0x0	0	0x0
__got	__DATA	0x100443008	0x18	0x443008	0.98335575	3	0x0	0	0x0
__la_symbol_ptr	__DATA	0x100443020	0x4B0	0x443020	3.16573203	3	0x0	0	0x0
__const	__DATA	0x100443500	0x110E5	0x443500	3.39415596	6	0x0	0	0x0
__data	__DATA	0x1004545F0	0x85D90	0x4545F0	7.91177262	4	0x0	0	0x0
__thread_vars	__DATA	0x1004DA380	0x150	0x4DA380	0.57090320	3	0x0	0	0x0
__thread_data	__DATA	0x1004DA4D0	0x20	0x4DA4D0	0.20062232	3	0x0	0	0x0
__thread_bss	__DATA	0x1004DA4F0	0x1F8	0x0	0.00000000	3	0x0	0	0x0
__bss	__DATA	0x1004DA6E8	0x1DA	0x0	0.00000000	3	0x0	0	0x0
__common	__DATA	0x1004DA8D0	0x10	0x0	0.00000000	4	0x0	0	0x0

Name	Value
segname	__LINKEDIT
vmaddr	0x1004DB000
vmsize	0x5210
fileoff	0x4DB000
filesize	0x5210
maxprot	0x1
initprot	0x1
nsects	0
flags	0x0

dyld_info_only load command - aggregated: 1

Name	Value
rebase_off	5091328
rebase_size	2776
bind_off	5094104
bind_size	80
weak_bind_off	0
weak_bind_size	0
lazy_bind_off	5094184
lazy_bind_size	3240
export_off	5097424
export_size	72

symtab load command - aggregated: 1

Name	Value
symoff	5106344
nsyms	155
stroff	5110040
strsize	2296

dysymtab load command - aggregated: 1

Name	Value
ilocalsym	0
nlocalsym	1
iextdefsym	1
nextdefsym	1
iundefsym	2
nundefsym	153
tocoff	0
ntoc	0
modtaboff	0
nmodtab	0
extrefsymoff	0
nextrefsyms	0
indirectsymoff	5108824
nindirectsyms	304
extreloff	0
nextrel	0
locreloff	0
nlocrel	0

load_dylinker load command - aggregated: 1

Name	Value

uuid load command - aggregated: 1

Name	Value
uuid	854ba6b4-7698-351b-9962-cc9f1136458b

version_min_macosx load command - aggregated: 1

Name	Value
version	10.13.0
sdk	11.1.0

source_version load command - aggregated: 1

Name	Value
path	0.0.0.0.0

main load command - aggregated: 1

Name	Value

load_dylib load command - aggregated: 4

Name

Value

compatibility_version

150.0.0

current_version

1770.255.0

timestamp

1970-01-01

Datas

/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation

Name

Value

compatibility_version

1.0.0

current_version

1109.60.2

timestamp

1970-01-01

Datas

/System/Library/Frameworks/SystemConfiguration.framework/Versions/A/SystemConfiguration

Name

Value

compatibility_version

1.0.0

current_version

1292.60.1

timestamp

1970-01-01

Datas

/usr/lib/libSystem.B.dylib

Name

Value

compatibility_version

7.0.0

current_version

7.0.0

timestamp

1970-01-01

Datas

/usr/lib/libiconv.2.dylib

function_starts load command - aggregated: 1

Name	Value
dataoff	5097496
datasize	6912

data_in_code load command - aggregated: 1

Name	Value
dataoff	5104408
datasize	1936

Symbols

Name	Category	Origin	Segment Name	Bind Address	Library Name
__mh_execute_header	EXTERNAL	LC_SYMTAB
radr://5614542	LOCAL	LC_SYMTAB
_main	NONE	DYLD_EXPORT
_rust_eh_personality	NONE	DYLD_EXPORT
__NSGetArgc	UNDEFINED	LC_SYMTAB	__DATA	0x100443020	/usr/lib/libSystem.B.dylib
__NSGetArgv	UNDEFINED	LC_SYMTAB	__DATA	0x100443028	/usr/lib/libSystem.B.dylib
__NSGetEnviron	UNDEFINED	LC_SYMTAB	__DATA	0x100443030	/usr/lib/libSystem.B.dylib
__Unwind_Backtrace	UNDEFINED	LC_SYMTAB	__DATA	0x100443038	/usr/lib/libSystem.B.dylib
__Unwind_GetCFA	UNDEFINED	LC_SYMTAB	__DATA	0x100443040	/usr/lib/libSystem.B.dylib
__Unwind_GetDataRelBase	UNDEFINED	LC_SYMTAB	__DATA	0x100443048	/usr/lib/libSystem.B.dylib
__Unwind_GetIP	UNDEFINED	LC_SYMTAB	__DATA	0x100443050	/usr/lib/libSystem.B.dylib
__Unwind_GetIPInfo	UNDEFINED	LC_SYMTAB	__DATA	0x100443058	/usr/lib/libSystem.B.dylib
__Unwind_GetLanguageSpecificData	UNDEFINED	LC_SYMTAB	__DATA	0x100443060	/usr/lib/libSystem.B.dylib
__Unwind_GetRegionStart	UNDEFINED	LC_SYMTAB	__DATA	0x100443068	/usr/lib/libSystem.B.dylib
__Unwind_GetTextRelBase	UNDEFINED	LC_SYMTAB	__DATA	0x100443070	/usr/lib/libSystem.B.dylib
__Unwind_Resume	UNDEFINED	LC_SYMTAB	__DATA	0x100443078	/usr/lib/libSystem.B.dylib
__Unwind_SetGR	UNDEFINED	LC_SYMTAB	__DATA	0x100443080	/usr/lib/libSystem.B.dylib
__Unwind_SetIP	UNDEFINED	LC_SYMTAB	__DATA	0x100443088	/usr/lib/libSystem.B.dylib
___bzero	UNDEFINED	LC_SYMTAB	__DATA	0x100443090	/usr/lib/libSystem.B.dylib
___error	UNDEFINED	LC_SYMTAB	__DATA	0x100443098	/usr/lib/libSystem.B.dylib
___stack_chk_fail	UNDEFINED	LC_SYMTAB	__DATA	0x1004430A0	/usr/lib/libSystem.B.dylib
___stack_chk_guard	UNDEFINED	LC_SYMTAB	__DATA	0x100443008	/usr/lib/libSystem.B.dylib
__dyld_get_image_header	UNDEFINED	LC_SYMTAB	__DATA	0x1004430A8	/usr/lib/libSystem.B.dylib
__dyld_get_image_name	UNDEFINED	LC_SYMTAB	__DATA	0x1004430B0	/usr/lib/libSystem.B.dylib
__dyld_get_image_vmaddr_slide	UNDEFINED	LC_SYMTAB	__DATA	0x1004430B8	/usr/lib/libSystem.B.dylib
__dyld_image_count	UNDEFINED	LC_SYMTAB	__DATA	0x1004430C0	/usr/lib/libSystem.B.dylib
__exit	UNDEFINED	LC_SYMTAB	__DATA	0x1004430C8	/usr/lib/libSystem.B.dylib
__tlv_atexit	UNDEFINED	LC_SYMTAB	__DATA	0x1004430D0	/usr/lib/libSystem.B.dylib
__tlv_bootstrap	UNDEFINED	LC_SYMTAB	__DATA	0x1004DA4B8	/usr/lib/libSystem.B.dylib
_abort	UNDEFINED	LC_SYMTAB	__DATA	0x1004430D8	/usr/lib/libSystem.B.dylib
_access	UNDEFINED	LC_SYMTAB	__DATA	0x1004430E0	/usr/lib/libSystem.B.dylib
_calloc	UNDEFINED	LC_SYMTAB	__DATA	0x1004430E8	/usr/lib/libSystem.B.dylib
_chdir	UNDEFINED	LC_SYMTAB	__DATA	0x1004430F0	/usr/lib/libSystem.B.dylib
_clock_gettime	UNDEFINED	LC_SYMTAB	__DATA	0x1004430F8	/usr/lib/libSystem.B.dylib
_close$NOCANCEL	UNDEFINED	LC_SYMTAB	__DATA	0x100443100	/usr/lib/libSystem.B.dylib
_closedir	UNDEFINED	LC_SYMTAB	__DATA	0x100443108	/usr/lib/libSystem.B.dylib
_connect	UNDEFINED	LC_SYMTAB	__DATA	0x100443110	/usr/lib/libSystem.B.dylib
_copyfile_state_alloc	UNDEFINED	LC_SYMTAB	__DATA	0x100443118	/usr/lib/libSystem.B.dylib
_copyfile_state_free	UNDEFINED	LC_SYMTAB	__DATA	0x100443120	/usr/lib/libSystem.B.dylib
_copyfile_state_get	UNDEFINED	LC_SYMTAB	__DATA	0x100443128	/usr/lib/libSystem.B.dylib
_dispatch_release	UNDEFINED	LC_SYMTAB	__DATA	0x100443130	/usr/lib/libSystem.B.dylib
_dispatch_semaphore_create	UNDEFINED	LC_SYMTAB	__DATA	0x100443138	/usr/lib/libSystem.B.dylib
_dispatch_semaphore_signal	UNDEFINED	LC_SYMTAB	__DATA	0x100443140	/usr/lib/libSystem.B.dylib
_dispatch_semaphore_wait	UNDEFINED	LC_SYMTAB	__DATA	0x100443148	/usr/lib/libSystem.B.dylib
_dispatch_time	UNDEFINED	LC_SYMTAB	__DATA	0x100443150	/usr/lib/libSystem.B.dylib
_dlsym	UNDEFINED	LC_SYMTAB	__DATA	0x100443158	/usr/lib/libSystem.B.dylib
_dup2	UNDEFINED	LC_SYMTAB	__DATA	0x100443160	/usr/lib/libSystem.B.dylib
_execvp	UNDEFINED	LC_SYMTAB	__DATA	0x100443168	/usr/lib/libSystem.B.dylib
_exit	UNDEFINED	LC_SYMTAB	__DATA	0x100443170	/usr/lib/libSystem.B.dylib
_fchmod	UNDEFINED	LC_SYMTAB	__DATA	0x100443178	/usr/lib/libSystem.B.dylib
_fcntl	UNDEFINED	LC_SYMTAB	__DATA	0x100443180	/usr/lib/libSystem.B.dylib
_fcopyfile	UNDEFINED	LC_SYMTAB	__DATA	0x100443188	/usr/lib/libSystem.B.dylib
_fork	UNDEFINED	LC_SYMTAB	__DATA	0x100443190	/usr/lib/libSystem.B.dylib
_free	UNDEFINED	LC_SYMTAB	__DATA	0x100443198	/usr/lib/libSystem.B.dylib
_freeaddrinfo	UNDEFINED	LC_SYMTAB	__DATA	0x1004431A0	/usr/lib/libSystem.B.dylib
_freeifaddrs	UNDEFINED	LC_SYMTAB	__DATA	0x1004431A8	/usr/lib/libSystem.B.dylib
_fstat$INODE64	UNDEFINED	LC_SYMTAB	__DATA	0x1004431B0	/usr/lib/libSystem.B.dylib
_gai_strerror	UNDEFINED	LC_SYMTAB	__DATA	0x1004431B8	/usr/lib/libSystem.B.dylib
_getaddrinfo	UNDEFINED	LC_SYMTAB	__DATA	0x1004431C0	/usr/lib/libSystem.B.dylib
_getcwd	UNDEFINED	LC_SYMTAB	__DATA	0x1004431C8	/usr/lib/libSystem.B.dylib
_getentropy	UNDEFINED	LC_SYMTAB	__DATA	0x1004431D0	/usr/lib/libSystem.B.dylib
_getenv	UNDEFINED	LC_SYMTAB	__DATA	0x1004431D8	/usr/lib/libSystem.B.dylib
_geteuid	UNDEFINED	LC_SYMTAB	__DATA	0x1004431E0	/usr/lib/libSystem.B.dylib
_gethostname	UNDEFINED	LC_SYMTAB	__DATA	0x1004431E8	/usr/lib/libSystem.B.dylib
_getifaddrs	UNDEFINED	LC_SYMTAB	__DATA	0x1004431F0	/usr/lib/libSystem.B.dylib
_getmntinfo$INODE64	UNDEFINED	LC_SYMTAB	__DATA	0x1004431F8	/usr/lib/libSystem.B.dylib
_getpagesize	UNDEFINED	LC_SYMTAB	__DATA	0x100443200	/usr/lib/libSystem.B.dylib
_getpeername	UNDEFINED	LC_SYMTAB	__DATA	0x100443208	/usr/lib/libSystem.B.dylib
_getpid	UNDEFINED	LC_SYMTAB	__DATA	0x100443210	/usr/lib/libSystem.B.dylib
_getpwuid_r	UNDEFINED	LC_SYMTAB	__DATA	0x100443218	/usr/lib/libSystem.B.dylib
_getsockname	UNDEFINED	LC_SYMTAB	__DATA	0x100443220	/usr/lib/libSystem.B.dylib
_getsockopt	UNDEFINED	LC_SYMTAB	__DATA	0x100443228	/usr/lib/libSystem.B.dylib
_getuid	UNDEFINED	LC_SYMTAB	__DATA	0x100443230	/usr/lib/libSystem.B.dylib
_host_statistics64	UNDEFINED	LC_SYMTAB	__DATA	0x100443238	/usr/lib/libSystem.B.dylib
_ioctl	UNDEFINED	LC_SYMTAB	__DATA	0x100443240	/usr/lib/libSystem.B.dylib
_lstat$INODE64	UNDEFINED	LC_SYMTAB	__DATA	0x100443248	/usr/lib/libSystem.B.dylib
_mach_host_self	UNDEFINED	LC_SYMTAB	__DATA	0x100443250	/usr/lib/libSystem.B.dylib
_malloc	UNDEFINED	LC_SYMTAB	__DATA	0x100443258	/usr/lib/libSystem.B.dylib
_memcmp	UNDEFINED	LC_SYMTAB	__DATA	0x100443260	/usr/lib/libSystem.B.dylib
_memcpy	UNDEFINED	LC_SYMTAB	__DATA	0x100443268	/usr/lib/libSystem.B.dylib
_memmove	UNDEFINED	LC_SYMTAB	__DATA	0x100443270	/usr/lib/libSystem.B.dylib
_memset	UNDEFINED	LC_SYMTAB	__DATA	0x100443278	/usr/lib/libSystem.B.dylib
_mkdir	UNDEFINED	LC_SYMTAB	__DATA	0x100443280	/usr/lib/libSystem.B.dylib
_mmap	UNDEFINED	LC_SYMTAB	__DATA	0x100443288	/usr/lib/libSystem.B.dylib
_mprotect	UNDEFINED	LC_SYMTAB	__DATA	0x100443290	/usr/lib/libSystem.B.dylib
_munmap	UNDEFINED	LC_SYMTAB	__DATA	0x100443298	/usr/lib/libSystem.B.dylib
_nanosleep	UNDEFINED	LC_SYMTAB	__DATA	0x1004432A0	/usr/lib/libSystem.B.dylib
_open	UNDEFINED	LC_SYMTAB	__DATA	0x1004432A8	/usr/lib/libSystem.B.dylib
_opendir$INODE64	UNDEFINED	LC_SYMTAB	__DATA	0x1004432B0	/usr/lib/libSystem.B.dylib
_pipe	UNDEFINED	LC_SYMTAB	__DATA	0x1004432B8	/usr/lib/libSystem.B.dylib
_poll	UNDEFINED	LC_SYMTAB	__DATA	0x1004432C0	/usr/lib/libSystem.B.dylib
_posix_memalign	UNDEFINED	LC_SYMTAB	__DATA	0x1004432C8	/usr/lib/libSystem.B.dylib
_posix_spawn_file_actions_adddup2	UNDEFINED	LC_SYMTAB	__DATA	0x1004432D0	/usr/lib/libSystem.B.dylib
_posix_spawn_file_actions_destroy	UNDEFINED	LC_SYMTAB	__DATA	0x1004432D8	/usr/lib/libSystem.B.dylib
_posix_spawn_file_actions_init	UNDEFINED	LC_SYMTAB	__DATA	0x1004432E0	/usr/lib/libSystem.B.dylib
_posix_spawnattr_destroy	UNDEFINED	LC_SYMTAB	__DATA	0x1004432E8	/usr/lib/libSystem.B.dylib
_posix_spawnattr_init	UNDEFINED	LC_SYMTAB	__DATA	0x1004432F0	/usr/lib/libSystem.B.dylib
_posix_spawnattr_setflags	UNDEFINED	LC_SYMTAB	__DATA	0x1004432F8	/usr/lib/libSystem.B.dylib
_posix_spawnattr_setpgroup	UNDEFINED	LC_SYMTAB	__DATA	0x100443300	/usr/lib/libSystem.B.dylib
_posix_spawnattr_setsigdefault	UNDEFINED	LC_SYMTAB	__DATA	0x100443308	/usr/lib/libSystem.B.dylib
_posix_spawnp	UNDEFINED	LC_SYMTAB	__DATA	0x100443310	/usr/lib/libSystem.B.dylib
_pthread_atfork	UNDEFINED	LC_SYMTAB	__DATA	0x100443318	/usr/lib/libSystem.B.dylib
_pthread_attr_destroy	UNDEFINED	LC_SYMTAB	__DATA	0x100443320	/usr/lib/libSystem.B.dylib
_pthread_attr_init	UNDEFINED	LC_SYMTAB	__DATA	0x100443328	/usr/lib/libSystem.B.dylib
_pthread_attr_setstacksize	UNDEFINED	LC_SYMTAB	__DATA	0x100443330	/usr/lib/libSystem.B.dylib
_pthread_cond_destroy	UNDEFINED	LC_SYMTAB	__DATA	0x100443338	/usr/lib/libSystem.B.dylib
_pthread_cond_signal	UNDEFINED	LC_SYMTAB	__DATA	0x100443340	/usr/lib/libSystem.B.dylib
_pthread_cond_timedwait	UNDEFINED	LC_SYMTAB	__DATA	0x100443348	/usr/lib/libSystem.B.dylib
_pthread_cond_wait	UNDEFINED	LC_SYMTAB	__DATA	0x100443350	/usr/lib/libSystem.B.dylib
_pthread_create	UNDEFINED	LC_SYMTAB	__DATA	0x100443358	/usr/lib/libSystem.B.dylib
_pthread_detach	UNDEFINED	LC_SYMTAB	__DATA	0x100443360	/usr/lib/libSystem.B.dylib
_pthread_get_stackaddr_np	UNDEFINED	LC_SYMTAB	__DATA	0x100443368	/usr/lib/libSystem.B.dylib
_pthread_get_stacksize_np	UNDEFINED	LC_SYMTAB	__DATA	0x100443370	/usr/lib/libSystem.B.dylib
_pthread_getname_np	UNDEFINED	LC_SYMTAB	__DATA	0x100443378	/usr/lib/libSystem.B.dylib
_pthread_join	UNDEFINED	LC_SYMTAB	__DATA	0x100443380	/usr/lib/libSystem.B.dylib
_pthread_mutex_destroy	UNDEFINED	LC_SYMTAB	__DATA	0x100443388	/usr/lib/libSystem.B.dylib
_pthread_mutex_init	UNDEFINED	LC_SYMTAB	__DATA	0x100443390	/usr/lib/libSystem.B.dylib
_pthread_mutex_lock	UNDEFINED	LC_SYMTAB	__DATA	0x100443398	/usr/lib/libSystem.B.dylib
_pthread_mutex_trylock	UNDEFINED	LC_SYMTAB	__DATA	0x1004433A0	/usr/lib/libSystem.B.dylib
_pthread_mutex_unlock	UNDEFINED	LC_SYMTAB	__DATA	0x1004433A8	/usr/lib/libSystem.B.dylib
_pthread_mutexattr_destroy	UNDEFINED	LC_SYMTAB	__DATA	0x1004433B0	/usr/lib/libSystem.B.dylib
_pthread_mutexattr_init	UNDEFINED	LC_SYMTAB	__DATA	0x1004433B8	/usr/lib/libSystem.B.dylib
_pthread_mutexattr_settype	UNDEFINED	LC_SYMTAB	__DATA	0x1004433C0	/usr/lib/libSystem.B.dylib
_pthread_self	UNDEFINED	LC_SYMTAB	__DATA	0x1004433C8	/usr/lib/libSystem.B.dylib
_pthread_setname_np	UNDEFINED	LC_SYMTAB	__DATA	0x1004433D0	/usr/lib/libSystem.B.dylib
_read	UNDEFINED	LC_SYMTAB	__DATA	0x1004433D8	/usr/lib/libSystem.B.dylib
_readdir_r$INODE64	UNDEFINED	LC_SYMTAB	__DATA	0x1004433E0	/usr/lib/libSystem.B.dylib
_readv	UNDEFINED	LC_SYMTAB	__DATA	0x1004433E8	/usr/lib/libSystem.B.dylib
_realloc	UNDEFINED	LC_SYMTAB	__DATA	0x1004433F0	/usr/lib/libSystem.B.dylib
_recv	UNDEFINED	LC_SYMTAB	__DATA	0x1004433F8	/usr/lib/libSystem.B.dylib
_rename	UNDEFINED	LC_SYMTAB	__DATA	0x100443400	/usr/lib/libSystem.B.dylib
_rmdir	UNDEFINED	LC_SYMTAB	__DATA	0x100443408	/usr/lib/libSystem.B.dylib
_sched_yield	UNDEFINED	LC_SYMTAB	__DATA	0x100443410	/usr/lib/libSystem.B.dylib
_send	UNDEFINED	LC_SYMTAB	__DATA	0x100443418	/usr/lib/libSystem.B.dylib
_setgid	UNDEFINED	LC_SYMTAB	__DATA	0x100443420	/usr/lib/libSystem.B.dylib
_setgroups	UNDEFINED	LC_SYMTAB	__DATA	0x100443428	/usr/lib/libSystem.B.dylib
_setpgid	UNDEFINED	LC_SYMTAB	__DATA	0x100443430	/usr/lib/libSystem.B.dylib
_setsid	UNDEFINED	LC_SYMTAB	__DATA	0x100443438	/usr/lib/libSystem.B.dylib
_setsockopt	UNDEFINED	LC_SYMTAB	__DATA	0x100443440	/usr/lib/libSystem.B.dylib
_setuid	UNDEFINED	LC_SYMTAB	__DATA	0x100443448	/usr/lib/libSystem.B.dylib
_sigaction	UNDEFINED	LC_SYMTAB	__DATA	0x100443450	/usr/lib/libSystem.B.dylib
_sigaddset	UNDEFINED	LC_SYMTAB	__DATA	0x100443458	/usr/lib/libSystem.B.dylib
_sigaltstack	UNDEFINED	LC_SYMTAB	__DATA	0x100443460	/usr/lib/libSystem.B.dylib
_sigemptyset	UNDEFINED	LC_SYMTAB	__DATA	0x100443468	/usr/lib/libSystem.B.dylib
_signal	UNDEFINED	LC_SYMTAB	__DATA	0x100443470	/usr/lib/libSystem.B.dylib
_socket	UNDEFINED	LC_SYMTAB	__DATA	0x100443478	/usr/lib/libSystem.B.dylib
_socketpair	UNDEFINED	LC_SYMTAB	__DATA	0x100443480	/usr/lib/libSystem.B.dylib
_stat$INODE64	UNDEFINED	LC_SYMTAB	__DATA	0x100443488	/usr/lib/libSystem.B.dylib
_strerror_r	UNDEFINED	LC_SYMTAB	__DATA	0x100443490	/usr/lib/libSystem.B.dylib
_strlen	UNDEFINED	LC_SYMTAB	__DATA	0x100443498	/usr/lib/libSystem.B.dylib
_sysconf	UNDEFINED	LC_SYMTAB	__DATA	0x1004434A0	/usr/lib/libSystem.B.dylib
_umask	UNDEFINED	LC_SYMTAB	__DATA	0x1004434A8	/usr/lib/libSystem.B.dylib
_unlink	UNDEFINED	LC_SYMTAB	__DATA	0x1004434B0	/usr/lib/libSystem.B.dylib
_waitpid	UNDEFINED	LC_SYMTAB	__DATA	0x1004434B8	/usr/lib/libSystem.B.dylib
_write	UNDEFINED	LC_SYMTAB	__DATA	0x1004434C0	/usr/lib/libSystem.B.dylib
_writev	UNDEFINED	LC_SYMTAB	__DATA	0x1004434C8	/usr/lib/libSystem.B.dylib
dyld_stub_binder	UNDEFINED	LC_SYMTAB	__DATA	0x100443018	/usr/lib/libSystem.B.dylib

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 2, 2025 14:37:26.237162113 CET	49369	443	192.168.11.12	151.101.131.6
Jan 2, 2025 14:37:26.237224102 CET	443	49369	151.101.131.6	192.168.11.12
Jan 2, 2025 14:37:26.237701893 CET	49369	443	192.168.11.12	151.101.131.6
Jan 2, 2025 14:37:26.238763094 CET	49369	443	192.168.11.12	151.101.131.6
Jan 2, 2025 14:37:26.238812923 CET	443	49369	151.101.131.6	192.168.11.12
Jan 2, 2025 14:37:26.548612118 CET	443	49369	151.101.131.6	192.168.11.12
Jan 2, 2025 14:37:26.550661087 CET	49369	443	192.168.11.12	151.101.131.6
Jan 2, 2025 14:37:26.550734997 CET	49369	443	192.168.11.12	151.101.131.6
Jan 2, 2025 14:37:26.608021021 CET	49369	443	192.168.11.12	151.101.131.6
Jan 2, 2025 14:37:26.608093977 CET	443	49369	151.101.131.6	192.168.11.12
Jan 2, 2025 14:37:26.608212948 CET	443	49369	151.101.131.6	192.168.11.12
Jan 2, 2025 14:37:26.608710051 CET	49369	443	192.168.11.12	151.101.131.6
Jan 2, 2025 14:37:26.608738899 CET	49369	443	192.168.11.12	151.101.131.6
Jan 2, 2025 14:37:26.660943985 CET	49373	443	192.168.11.12	151.101.131.6
Jan 2, 2025 14:37:26.660978079 CET	443	49373	151.101.131.6	192.168.11.12
Jan 2, 2025 14:37:26.661689997 CET	49373	443	192.168.11.12	151.101.131.6
Jan 2, 2025 14:37:26.663027048 CET	49373	443	192.168.11.12	151.101.131.6
Jan 2, 2025 14:37:26.663047075 CET	443	49373	151.101.131.6	192.168.11.12
Jan 2, 2025 14:37:26.971700907 CET	443	49373	151.101.131.6	192.168.11.12
Jan 2, 2025 14:37:26.972749949 CET	49373	443	192.168.11.12	151.101.131.6
Jan 2, 2025 14:37:26.972794056 CET	49373	443	192.168.11.12	151.101.131.6
Jan 2, 2025 14:37:26.988070011 CET	49373	443	192.168.11.12	151.101.131.6
Jan 2, 2025 14:37:26.988221884 CET	443	49373	151.101.131.6	192.168.11.12
Jan 2, 2025 14:37:26.988579035 CET	443	49373	151.101.131.6	192.168.11.12
Jan 2, 2025 14:37:26.988722086 CET	49373	443	192.168.11.12	151.101.131.6
Jan 2, 2025 14:37:26.988976002 CET	49373	443	192.168.11.12	151.101.131.6
Jan 2, 2025 14:37:28.085347891 CET	49383	443	192.168.11.12	151.101.131.6
Jan 2, 2025 14:37:28.085423946 CET	443	49383	151.101.131.6	192.168.11.12
Jan 2, 2025 14:37:28.085978031 CET	49383	443	192.168.11.12	151.101.131.6
Jan 2, 2025 14:37:28.086674929 CET	49383	443	192.168.11.12	151.101.131.6
Jan 2, 2025 14:37:28.086725950 CET	443	49383	151.101.131.6	192.168.11.12
Jan 2, 2025 14:37:28.377065897 CET	443	49383	151.101.131.6	192.168.11.12
Jan 2, 2025 14:37:28.377794981 CET	49383	443	192.168.11.12	151.101.131.6
Jan 2, 2025 14:37:28.377890110 CET	49383	443	192.168.11.12	151.101.131.6
Jan 2, 2025 14:37:28.478976011 CET	49383	443	192.168.11.12	151.101.131.6
Jan 2, 2025 14:37:28.479151011 CET	443	49383	151.101.131.6	192.168.11.12
Jan 2, 2025 14:37:28.479547024 CET	443	49383	151.101.131.6	192.168.11.12
Jan 2, 2025 14:37:28.479743958 CET	49383	443	192.168.11.12	151.101.131.6
Jan 2, 2025 14:37:28.480051041 CET	49383	443	192.168.11.12	151.101.131.6
Jan 2, 2025 14:37:28.600482941 CET	49386	443	192.168.11.12	151.101.131.6
Jan 2, 2025 14:37:28.600557089 CET	443	49386	151.101.131.6	192.168.11.12
Jan 2, 2025 14:37:28.601077080 CET	49386	443	192.168.11.12	151.101.131.6
Jan 2, 2025 14:37:28.601783037 CET	49386	443	192.168.11.12	151.101.131.6
Jan 2, 2025 14:37:28.601835966 CET	443	49386	151.101.131.6	192.168.11.12
Jan 2, 2025 14:37:28.898148060 CET	443	49386	151.101.131.6	192.168.11.12
Jan 2, 2025 14:37:28.898937941 CET	49386	443	192.168.11.12	151.101.131.6
Jan 2, 2025 14:37:28.899096012 CET	49386	443	192.168.11.12	151.101.131.6
Jan 2, 2025 14:37:28.911946058 CET	49386	443	192.168.11.12	151.101.131.6
Jan 2, 2025 14:37:28.912111044 CET	443	49386	151.101.131.6	192.168.11.12
Jan 2, 2025 14:37:28.912532091 CET	443	49386	151.101.131.6	192.168.11.12
Jan 2, 2025 14:37:28.912928104 CET	49386	443	192.168.11.12	151.101.131.6
Jan 2, 2025 14:37:28.913140059 CET	49386	443	192.168.11.12	151.101.131.6
Jan 2, 2025 14:37:28.952938080 CET	49388	443	192.168.11.12	151.101.131.6
Jan 2, 2025 14:37:28.953028917 CET	443	49388	151.101.131.6	192.168.11.12
Jan 2, 2025 14:37:28.954118967 CET	49388	443	192.168.11.12	151.101.131.6
Jan 2, 2025 14:37:28.956835985 CET	49388	443	192.168.11.12	151.101.131.6
Jan 2, 2025 14:37:28.956892967 CET	443	49388	151.101.131.6	192.168.11.12
Jan 2, 2025 14:37:29.234185934 CET	443	49388	151.101.131.6	192.168.11.12
Jan 2, 2025 14:37:29.234860897 CET	49388	443	192.168.11.12	151.101.131.6
Jan 2, 2025 14:37:29.234963894 CET	49388	443	192.168.11.12	151.101.131.6
Jan 2, 2025 14:37:29.253650904 CET	49388	443	192.168.11.12	151.101.131.6
Jan 2, 2025 14:37:29.253710032 CET	443	49388	151.101.131.6	192.168.11.12
Jan 2, 2025 14:37:29.253793001 CET	443	49388	151.101.131.6	192.168.11.12
Jan 2, 2025 14:37:29.254350901 CET	49388	443	192.168.11.12	151.101.131.6
Jan 2, 2025 14:37:29.254369020 CET	49388	443	192.168.11.12	151.101.131.6
Jan 2, 2025 14:37:29.295986891 CET	49390	443	192.168.11.12	151.101.131.6
Jan 2, 2025 14:37:29.296003103 CET	443	49390	151.101.131.6	192.168.11.12
Jan 2, 2025 14:37:29.296581030 CET	49390	443	192.168.11.12	151.101.131.6
Jan 2, 2025 14:37:29.297920942 CET	49390	443	192.168.11.12	151.101.131.6
Jan 2, 2025 14:37:29.297930002 CET	443	49390	151.101.131.6	192.168.11.12
Jan 2, 2025 14:37:29.585364103 CET	443	49390	151.101.131.6	192.168.11.12
Jan 2, 2025 14:37:29.586076021 CET	49390	443	192.168.11.12	151.101.131.6
Jan 2, 2025 14:37:29.586205006 CET	49390	443	192.168.11.12	151.101.131.6
Jan 2, 2025 14:37:29.592854977 CET	49390	443	192.168.11.12	151.101.131.6
Jan 2, 2025 14:37:29.592914104 CET	443	49390	151.101.131.6	192.168.11.12
Jan 2, 2025 14:37:29.592995882 CET	443	49390	151.101.131.6	192.168.11.12
Jan 2, 2025 14:37:29.593657017 CET	49390	443	192.168.11.12	151.101.131.6
Jan 2, 2025 14:37:29.593698025 CET	49390	443	192.168.11.12	151.101.131.6
Jan 2, 2025 14:37:29.608062983 CET	49392	443	192.168.11.12	151.101.131.6
Jan 2, 2025 14:37:29.608081102 CET	443	49392	151.101.131.6	192.168.11.12
Jan 2, 2025 14:37:29.608649015 CET	49392	443	192.168.11.12	151.101.131.6
Jan 2, 2025 14:37:29.609961987 CET	49392	443	192.168.11.12	151.101.131.6
Jan 2, 2025 14:37:29.609973907 CET	443	49392	151.101.131.6	192.168.11.12
Jan 2, 2025 14:37:29.885023117 CET	443	49392	151.101.131.6	192.168.11.12
Jan 2, 2025 14:37:29.885742903 CET	49392	443	192.168.11.12	151.101.131.6
Jan 2, 2025 14:37:29.885742903 CET	49392	443	192.168.11.12	151.101.131.6
Jan 2, 2025 14:37:29.892303944 CET	49392	443	192.168.11.12	151.101.131.6
Jan 2, 2025 14:37:29.892400980 CET	443	49392	151.101.131.6	192.168.11.12
Jan 2, 2025 14:37:29.892481089 CET	443	49392	151.101.131.6	192.168.11.12
Jan 2, 2025 14:37:29.892909050 CET	49392	443	192.168.11.12	151.101.131.6
Jan 2, 2025 14:37:29.893002987 CET	49392	443	192.168.11.12	151.101.131.6
Jan 2, 2025 14:37:50.207818985 CET	49344	80	192.168.11.12	23.37.124.29
Jan 2, 2025 14:37:50.336524010 CET	80	49344	23.37.124.29	192.168.11.12
Jan 2, 2025 14:37:50.337150097 CET	49344	80	192.168.11.12	23.37.124.29
Jan 2, 2025 14:37:56.416790009 CET	49353	443	192.168.11.12	23.43.45.85
Jan 2, 2025 14:37:56.427478075 CET	49353	443	192.168.11.12	23.43.45.85
Jan 2, 2025 14:37:56.546015978 CET	443	49353	23.43.45.85	192.168.11.12
Jan 2, 2025 14:37:56.546214104 CET	443	49353	23.43.45.85	192.168.11.12
Jan 2, 2025 14:37:56.546819925 CET	49353	443	192.168.11.12	23.43.45.85
Jan 2, 2025 14:37:56.546912909 CET	49353	443	192.168.11.12	23.43.45.85
Jan 2, 2025 14:37:56.556694031 CET	443	49353	23.43.45.85	192.168.11.12
Jan 2, 2025 14:37:56.557209015 CET	49353	443	192.168.11.12	23.43.45.85
Jan 2, 2025 14:39:00.124053001 CET	49398	443	192.168.11.12	151.101.195.6
Jan 2, 2025 14:39:00.124154091 CET	443	49398	151.101.195.6	192.168.11.12
Jan 2, 2025 14:39:00.124841928 CET	49398	443	192.168.11.12	151.101.195.6
Jan 2, 2025 14:39:00.125690937 CET	49398	443	192.168.11.12	151.101.195.6
Jan 2, 2025 14:39:00.125745058 CET	443	49398	151.101.195.6	192.168.11.12
Jan 2, 2025 14:39:00.402101994 CET	443	49398	151.101.195.6	192.168.11.12
Jan 2, 2025 14:39:00.402837038 CET	49398	443	192.168.11.12	151.101.195.6
Jan 2, 2025 14:39:00.402932882 CET	49398	443	192.168.11.12	151.101.195.6
Jan 2, 2025 14:39:00.410737038 CET	49398	443	192.168.11.12	151.101.195.6
Jan 2, 2025 14:39:00.410782099 CET	443	49398	151.101.195.6	192.168.11.12
Jan 2, 2025 14:39:00.410908937 CET	443	49398	151.101.195.6	192.168.11.12
Jan 2, 2025 14:39:00.411494017 CET	49398	443	192.168.11.12	151.101.195.6
Jan 2, 2025 14:39:00.411689997 CET	49398	443	192.168.11.12	151.101.195.6
Jan 2, 2025 14:39:00.426492929 CET	49399	443	192.168.11.12	151.101.195.6
Jan 2, 2025 14:39:00.426522017 CET	443	49399	151.101.195.6	192.168.11.12
Jan 2, 2025 14:39:00.427328110 CET	49399	443	192.168.11.12	151.101.195.6
Jan 2, 2025 14:39:00.428222895 CET	49399	443	192.168.11.12	151.101.195.6
Jan 2, 2025 14:39:00.428240061 CET	443	49399	151.101.195.6	192.168.11.12
Jan 2, 2025 14:39:00.722714901 CET	443	49399	151.101.195.6	192.168.11.12
Jan 2, 2025 14:39:00.723563910 CET	49399	443	192.168.11.12	151.101.195.6
Jan 2, 2025 14:39:00.723615885 CET	49399	443	192.168.11.12	151.101.195.6
Jan 2, 2025 14:39:00.729310989 CET	49399	443	192.168.11.12	151.101.195.6
Jan 2, 2025 14:39:00.729500055 CET	443	49399	151.101.195.6	192.168.11.12
Jan 2, 2025 14:39:00.729871988 CET	443	49399	151.101.195.6	192.168.11.12
Jan 2, 2025 14:39:00.730274916 CET	49399	443	192.168.11.12	151.101.195.6
Jan 2, 2025 14:39:00.730346918 CET	49399	443	192.168.11.12	151.101.195.6
Jan 2, 2025 14:39:00.747478962 CET	49400	443	192.168.11.12	151.101.195.6
Jan 2, 2025 14:39:00.747551918 CET	443	49400	151.101.195.6	192.168.11.12
Jan 2, 2025 14:39:00.748508930 CET	49400	443	192.168.11.12	151.101.195.6
Jan 2, 2025 14:39:00.749409914 CET	49400	443	192.168.11.12	151.101.195.6
Jan 2, 2025 14:39:00.749484062 CET	443	49400	151.101.195.6	192.168.11.12
Jan 2, 2025 14:39:01.035191059 CET	443	49400	151.101.195.6	192.168.11.12
Jan 2, 2025 14:39:01.037105083 CET	49400	443	192.168.11.12	151.101.195.6
Jan 2, 2025 14:39:01.037192106 CET	49400	443	192.168.11.12	151.101.195.6
Jan 2, 2025 14:39:01.043715954 CET	49400	443	192.168.11.12	151.101.195.6
Jan 2, 2025 14:39:01.043889046 CET	443	49400	151.101.195.6	192.168.11.12
Jan 2, 2025 14:39:01.044271946 CET	443	49400	151.101.195.6	192.168.11.12
Jan 2, 2025 14:39:01.044527054 CET	49400	443	192.168.11.12	151.101.195.6
Jan 2, 2025 14:39:01.044873953 CET	49400	443	192.168.11.12	151.101.195.6
Jan 2, 2025 14:39:01.055033922 CET	49401	443	192.168.11.12	151.101.195.6
Jan 2, 2025 14:39:01.055108070 CET	443	49401	151.101.195.6	192.168.11.12
Jan 2, 2025 14:39:01.055679083 CET	49401	443	192.168.11.12	151.101.195.6
Jan 2, 2025 14:39:01.056370974 CET	49401	443	192.168.11.12	151.101.195.6
Jan 2, 2025 14:39:01.056422949 CET	443	49401	151.101.195.6	192.168.11.12
Jan 2, 2025 14:39:01.347342968 CET	443	49401	151.101.195.6	192.168.11.12
Jan 2, 2025 14:39:01.348099947 CET	49401	443	192.168.11.12	151.101.195.6
Jan 2, 2025 14:39:01.348191023 CET	49401	443	192.168.11.12	151.101.195.6
Jan 2, 2025 14:39:01.354789019 CET	49401	443	192.168.11.12	151.101.195.6
Jan 2, 2025 14:39:01.354847908 CET	443	49401	151.101.195.6	192.168.11.12
Jan 2, 2025 14:39:01.354928017 CET	443	49401	151.101.195.6	192.168.11.12
Jan 2, 2025 14:39:01.355457067 CET	49401	443	192.168.11.12	151.101.195.6
Jan 2, 2025 14:39:01.355607033 CET	49401	443	192.168.11.12	151.101.195.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 2, 2025 14:37:13.647663116 CET	53	52458	1.1.1.1	192.168.11.12
Jan 2, 2025 14:37:53.804563999 CET	137	137	192.168.11.12	192.168.11.255
Jan 2, 2025 14:37:53.804625034 CET	137	137	192.168.11.12	192.168.11.255
Jan 2, 2025 14:38:59.990865946 CET	61024	53	192.168.11.12	1.1.1.1
Jan 2, 2025 14:39:00.120961905 CET	53	61024	1.1.1.1	192.168.11.12

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Jan 2, 2025 14:37:25.624974012 CET	192.168.11.12	1.1.1.1	3c29	(Port unreachable)	Destination Unreachable
Jan 2, 2025 14:37:25.626669884 CET	192.168.11.12	1.1.1.1	3c29	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 2, 2025 14:38:59.990865946 CET	192.168.11.12	1.1.1.1	0x5d2	Standard query (0)	h3.apis.apple.map.fastly.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 2, 2025 14:39:00.120961905 CET	1.1.1.1	192.168.11.12	0x5d2	No error (0)	h3.apis.apple.map.fastly.net	151.101.195.6	A (IP address)	IN (0x0001)	false
Jan 2, 2025 14:39:00.120961905 CET	1.1.1.1	192.168.11.12	0x5d2	No error (0)	h3.apis.apple.map.fastly.net	151.101.131.6	A (IP address)	IN (0x0001)	false
Jan 2, 2025 14:39:00.120961905 CET	1.1.1.1	192.168.11.12	0x5d2	No error (0)	h3.apis.apple.map.fastly.net	151.101.67.6	A (IP address)	IN (0x0001)	false
Jan 2, 2025 14:39:00.120961905 CET	1.1.1.1	192.168.11.12	0x5d2	No error (0)	h3.apis.apple.map.fastly.net	151.101.3.6	A (IP address)	IN (0x0001)	false

System Behavior

Analysis Process: mono-sgen32 PID: 619, Parent PID: 537

General

Start time (UTC):	13:37:01
Start date (UTC):	02/01/2025
Path:	/Library/Frameworks/Mono.framework/Versions/4.4.2/bin/mono-sgen32
Arguments:	-
File size:	3722408 bytes
MD5 hash:	8910349f44a940d8d79318367855b236

Chronological Activities

Analysis Process: rrr PID: 619, Parent PID: 537

General

Start time (UTC):	13:37:01
Start date (UTC):	02/01/2025
Path:	/Users/bernard/Desktop/rrr
Arguments:	/Users/bernard/Desktop/rrr
File size:	5112336 bytes
MD5 hash:	bfcb8d38e8224b0f45930c7ff4f24608

Chronological Activities

Analysis Process: rrr PID: 620, Parent PID: 619

General

Start time (UTC):	13:37:01
Start date (UTC):	02/01/2025
Path:	/Users/bernard/Desktop/rrr
Arguments:	-
File size:	5112336 bytes
MD5 hash:	bfcb8d38e8224b0f45930c7ff4f24608

Chronological Activities

Analysis Process: xpcproxy PID: 624, Parent PID: 1

General

Start time (UTC):	13:37:07
Start date (UTC):	02/01/2025
Path:	/usr/libexec/xpcproxy
Arguments:	-
File size:	44048 bytes
MD5 hash:	4764d9eafe6b7dac23253a9f8b7f73d6

Chronological Activities

Analysis Process: nsurlstoraged PID: 624, Parent PID: 1

General

Start time (UTC):	13:37:07
Start date (UTC):	02/01/2025
Path:	/usr/libexec/nsurlstoraged
Arguments:	/usr/libexec/nsurlstoraged --privileged
File size:	246624 bytes
MD5 hash:	321b0a40e24b45f0af49ba42742b3f64

Chronological Activities

Analysis Process: xpcproxy PID: 641, Parent PID: 1

General

Start time (UTC):	13:37:46
Start date (UTC):	02/01/2025
Path:	/usr/libexec/xpcproxy
Arguments:	-
File size:	44048 bytes
MD5 hash:	4764d9eafe6b7dac23253a9f8b7f73d6

Chronological Activities

Analysis Process: eficheck PID: 641, Parent PID: 1

General

Start time (UTC):	13:37:46
Start date (UTC):	02/01/2025
Path:	/usr/libexec/firmwarecheckers/eficheck/eficheck
Arguments:	/usr/libexec/firmwarecheckers/eficheck/eficheck --integrity-check-daemon
File size:	74048 bytes
MD5 hash:	328beb81a2263449258057506bb4987f

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

macOS Analysis Report rrr

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Static Mach Info

General Information for header 1

Symbols

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

DNS Queries

DNS Answers

System Behavior

Analysis Process: mono-sgen32 PID: 619, Parent PID: 537

General

Chronological Activities

Analysis Process: rrr PID: 619, Parent PID: 537

General

Chronological Activities

Analysis Process: rrr PID: 620, Parent PID: 619

General

Chronological Activities

Analysis Process: xpcproxy PID: 624, Parent PID: 1

General

Chronological Activities

Analysis Process: nsurlstoraged PID: 624, Parent PID: 1

General

Chronological Activities

Analysis Process: xpcproxy PID: 641, Parent PID: 1

General

Chronological Activities

Analysis Process: eficheck PID: 641, Parent PID: 1

macOS Analysis Report
rrr