{"name":"es_process_events","hostIdentifier":"MacBookPro","calendarTime":"Tue Feb 17 16:22:49 2026 UTC","unixTime":1771345369,"epoch":0,"counter":489,"numerics":false,"columns":{"cdhash":"10da91cda876eec88765bc8c9abb6366983c5815","child_pid":"","cmdline":"split -b 1k - /tmp/exfil_chunk_ ","cmdline_count":"5","codesigning_flags":"","cwd":"/Users/snap/Downloads","egid":"0","env":"SHELL=/bin/sh TERM=xterm-256color USER=root SUDO_USER=snap SUDO_UID=501 SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.614sLX07yb/Listeners __CF_USER_TEXT_ENCODING=0x0:0:0 MAIL=/var/mail/root PATH=/Users/snap/.local/bin:/usr/local/bin:/System/Cryptexes/App/usr/bin:/usr/bin:/bin:/usr/sbin:/sbin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/local/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/appleinternal/bin:/opt/homebrew/bin:/Applications/iTerm.app/Contents/Resources/utilities PWD=/Users/snap/Downloads LANG=en_US.UTF-8 SHLVL=1 SUDO_COMMAND=/usr/bin/su HOME=/var/root COLORFGBG=15;0 LC_TERMINAL_VERSION=3.6.6 LOGNAME=root SUDO_GID=20 LC_TERMINAL=iTerm2 COLORTERM=truecolor _=/usr/bin/split OLDPWD=/Users/snap ","env_count":"22","euid":"0","event_type":"exec","exit_code":"","gid":"0","global_seq_num":"3","original_parent":"40024","parent":"40024","parent_pidversion":"105354","path":"/usr/bin/split","pid":"42832","pidversion":"112482","platform_binary":"1","responsible_pid":"29792","responsible_pidversion":"83076","seq_num":"1","session_id":"38273","signing_id":"com.apple.split","team_id":"","time":"1771345363","uid":"0","username":"root","version":"8"},"action":"added"}
{"name":"es_process_events","hostIdentifier":"MacBookPro","calendarTime":"Fri Feb 13 15:11:10 2026 UTC","unixTime":1770995470,"epoch":0,"counter":173,"numerics":false,"columns":{"cdhash":"10da91cda876eec88765bc8c9abb6366983c5815","child_pid":"","cmdline":"split -b 1k - /tmp/exfil_chunk_ ","cmdline_count":"5","codesigning_flags":"","cwd":"/Users/snap","egid":"0","env":"SHELL=/bin/sh TERM=xterm-256color USER=root SUDO_USER=snap SUDO_UID=501 SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.614sLX07yb/Listeners __CF_USER_TEXT_ENCODING=0x0:0:0 MAIL=/var/mail/root PATH=/Users/snap/.local/bin:/usr/local/bin:/System/Cryptexes/App/usr/bin:/usr/bin:/bin:/usr/sbin:/sbin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/local/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/appleinternal/bin:/opt/homebrew/bin:/Applications/iTerm.app/Contents/Resources/utilities PWD=/Users/snap LANG=en_US.UTF-8 SHLVL=1 SUDO_COMMAND=/usr/bin/su HOME=/var/root COLORFGBG=15;0 LC_TERMINAL_VERSION=3.6.6 LOGNAME=root SUDO_GID=20 LC_TERMINAL=iTerm2 COLORTERM=truecolor _=/usr/bin/split ","env_count":"21","euid":"0","event_type":"exec","exit_code":"","gid":"0","global_seq_num":"5045","original_parent":"40024","parent":"40024","parent_pidversion":"105354","path":"/usr/bin/split","pid":"40181","pidversion":"105774","platform_binary":"1","responsible_pid":"29792","responsible_pidversion":"83076","seq_num":"1993","session_id":"38273","signing_id":"com.apple.split","team_id":"","time":"1770995467","uid":"0","username":"root","version":"8"},"action":"added"}
{"name":"es_process_events","hostIdentifier":"MacBookPro","calendarTime":"Fri Feb 13 15:10:41 2026 UTC","unixTime":1770995441,"epoch":0,"counter":170,"numerics":false,"columns":{"cdhash":"10da91cda876eec88765bc8c9abb6366983c5815","child_pid":"","cmdline":"split -b 1k - /tmp/exfil_chunk_ ","cmdline_count":"5","codesigning_flags":"","cwd":"/Users/snap","egid":"0","env":"SHELL=/bin/sh TERM=xterm-256color USER=root SUDO_USER=snap SUDO_UID=501 SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.614sLX07yb/Listeners __CF_USER_TEXT_ENCODING=0x0:0:0 MAIL=/var/mail/root PATH=/Users/snap/.local/bin:/usr/local/bin:/System/Cryptexes/App/usr/bin:/usr/bin:/bin:/usr/sbin:/sbin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/local/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/appleinternal/bin:/opt/homebrew/bin:/Applications/iTerm.app/Contents/Resources/utilities PWD=/Users/snap LANG=en_US.UTF-8 SHLVL=1 SUDO_COMMAND=/usr/bin/su HOME=/var/root COLORFGBG=15;0 LC_TERMINAL_VERSION=3.6.6 LOGNAME=root SUDO_GID=20 LC_TERMINAL=iTerm2 COLORTERM=truecolor _=/usr/bin/split ","env_count":"21","euid":"0","event_type":"exec","exit_code":"","gid":"0","global_seq_num":"5027","original_parent":"40024","parent":"40024","parent_pidversion":"105354","path":"/usr/bin/split","pid":"40176","pidversion":"105761","platform_binary":"1","responsible_pid":"29792","responsible_pidversion":"83076","seq_num":"1986","session_id":"38273","signing_id":"com.apple.split","team_id":"","time":"1770995438","uid":"0","username":"root","version":"8"},"action":"added"}
{"name":"es_process_events","hostIdentifier":"MacBookPro","calendarTime":"Fri Feb 13 15:10:32 2026 UTC","unixTime":1770995432,"epoch":0,"counter":169,"numerics":false,"columns":{"cdhash":"10da91cda876eec88765bc8c9abb6366983c5815","child_pid":"","cmdline":"split -b 1k - /tmp/exfil_chunk_ ","cmdline_count":"5","codesigning_flags":"","cwd":"/Users/snap","egid":"0","env":"SHELL=/bin/sh TERM=xterm-256color USER=root SUDO_USER=snap SUDO_UID=501 SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.614sLX07yb/Listeners __CF_USER_TEXT_ENCODING=0x0:0:0 MAIL=/var/mail/root PATH=/Users/snap/.local/bin:/usr/local/bin:/System/Cryptexes/App/usr/bin:/usr/bin:/bin:/usr/sbin:/sbin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/local/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/appleinternal/bin:/opt/homebrew/bin:/Applications/iTerm.app/Contents/Resources/utilities PWD=/Users/snap LANG=en_US.UTF-8 SHLVL=1 SUDO_COMMAND=/usr/bin/su HOME=/var/root COLORFGBG=15;0 LC_TERMINAL_VERSION=3.6.6 LOGNAME=root SUDO_GID=20 LC_TERMINAL=iTerm2 COLORTERM=truecolor _=/usr/bin/split ","env_count":"21","euid":"0","event_type":"exec","exit_code":"","gid":"0","global_seq_num":"5017","original_parent":"40024","parent":"40024","parent_pidversion":"105354","path":"/usr/bin/split","pid":"40173","pidversion":"105754","platform_binary":"1","responsible_pid":"29792","responsible_pidversion":"83076","seq_num":"1982","session_id":"38273","signing_id":"com.apple.split","team_id":"","time":"1770995430","uid":"0","username":"root","version":"8"},"action":"added"}
{"name":"es_process_events","hostIdentifier":"MacBookPro","calendarTime":"Tue Feb 17 16:22:49 2026 UTC","unixTime":1771345369,"epoch":0,"counter":489,"numerics":false,"columns":{"cdhash":"fffc8c8df228022a78b0fd04f51bbc8454036d58","child_pid":"","cmdline":"dd if=/Users/snap/Desktop/splunkforwarder-10.2.0-d749cb17ea65-darwin-universal2.dmg bs=512 count=100 ","cmdline_count":"4","codesigning_flags":"","cwd":"/Users/snap/Downloads","egid":"0","env":"SHELL=/bin/sh TERM=xterm-256color USER=root SUDO_USER=snap SUDO_UID=501 SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.614sLX07yb/Listeners __CF_USER_TEXT_ENCODING=0x0:0:0 MAIL=/var/mail/root PATH=/Users/snap/.local/bin:/usr/local/bin:/System/Cryptexes/App/usr/bin:/usr/bin:/bin:/usr/sbin:/sbin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/local/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/appleinternal/bin:/opt/homebrew/bin:/Applications/iTerm.app/Contents/Resources/utilities PWD=/Users/snap/Downloads LANG=en_US.UTF-8 SHLVL=1 SUDO_COMMAND=/usr/bin/su HOME=/var/root COLORFGBG=15;0 LC_TERMINAL_VERSION=3.6.6 LOGNAME=root SUDO_GID=20 LC_TERMINAL=iTerm2 COLORTERM=truecolor _=/bin/dd OLDPWD=/Users/snap ","env_count":"22","euid":"0","event_type":"exec","exit_code":"","gid":"0","global_seq_num":"2","original_parent":"40024","parent":"40024","parent_pidversion":"105354","path":"/bin/dd","pid":"42831","pidversion":"112481","platform_binary":"1","responsible_pid":"29792","responsible_pidversion":"83076","seq_num":"0","session_id":"38273","signing_id":"com.apple.dd","team_id":"","time":"1771345363","uid":"0","username":"root","version":"8"},"action":"added"}
{"name":"es_process_events","hostIdentifier":"MacBookPro","calendarTime":"Fri Feb 13 15:11:10 2026 UTC","unixTime":1770995470,"epoch":0,"counter":173,"numerics":false,"columns":{"cdhash":"fffc8c8df228022a78b0fd04f51bbc8454036d58","child_pid":"","cmdline":"dd if=/Users/snap/Desktop/splunkforwarder-10.2.0-d749cb17ea65-darwin-universal2.dmg bs=512 count=100 ","cmdline_count":"4","codesigning_flags":"","cwd":"/Users/snap","egid":"0","env":"SHELL=/bin/sh TERM=xterm-256color USER=root SUDO_USER=snap SUDO_UID=501 SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.614sLX07yb/Listeners __CF_USER_TEXT_ENCODING=0x0:0:0 MAIL=/var/mail/root PATH=/Users/snap/.local/bin:/usr/local/bin:/System/Cryptexes/App/usr/bin:/usr/bin:/bin:/usr/sbin:/sbin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/local/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/appleinternal/bin:/opt/homebrew/bin:/Applications/iTerm.app/Contents/Resources/utilities PWD=/Users/snap LANG=en_US.UTF-8 SHLVL=1 SUDO_COMMAND=/usr/bin/su HOME=/var/root COLORFGBG=15;0 LC_TERMINAL_VERSION=3.6.6 LOGNAME=root SUDO_GID=20 LC_TERMINAL=iTerm2 COLORTERM=truecolor _=/bin/dd ","env_count":"21","euid":"0","event_type":"exec","exit_code":"","gid":"0","global_seq_num":"5046","original_parent":"40024","parent":"40024","parent_pidversion":"105354","path":"/bin/dd","pid":"40180","pidversion":"105773","platform_binary":"1","responsible_pid":"29792","responsible_pidversion":"83076","seq_num":"1994","session_id":"38273","signing_id":"com.apple.dd","team_id":"","time":"1770995467","uid":"0","username":"root","version":"8"},"action":"added"}