{"name":"es_process_events","hostIdentifier":"MacBookPro","calendarTime":"Tue Feb 17 16:26:37 2026 UTC","unixTime":1771345597,"epoch":0,"counter":512,"numerics":false,"columns":{"cdhash":"dad984a18d5726701331e872295a73e4395701e0","child_pid":"","cmdline":"audit -s ","cmdline_count":"2","codesigning_flags":"","cwd":"/Users/snap/Downloads","egid":"0","env":"TERM=xterm-256color SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.614sLX07yb/Listeners __CF_USER_TEXT_ENCODING=0x0:0:0 MAIL=/var/mail/root PATH=/Users/snap/.local/bin:/usr/local/bin:/System/Cryptexes/App/usr/bin:/usr/bin:/bin:/usr/sbin:/sbin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/local/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/appleinternal/bin:/opt/homebrew/bin:/Applications/iTerm.app/Contents/Resources/utilities LANG=en_US.UTF-8 HOME=/var/root COLORFGBG=15;0 LC_TERMINAL_VERSION=3.6.6 LC_TERMINAL=iTerm2 COLORTERM=truecolor LOGNAME=root USER=root SHELL=/bin/sh \"SUDO_COMMAND=/usr/sbin/audit -s\" SUDO_USER=root SUDO_UID=0 SUDO_GID=0 ","env_count":"18","euid":"0","event_type":"exec","exit_code":"","gid":"0","global_seq_num":"212","original_parent":"42892","parent":"42892","parent_pidversion":"112626","path":"/usr/sbin/audit","pid":"42893","pidversion":"112628","platform_binary":"1","responsible_pid":"29792","responsible_pidversion":"83076","seq_num":"86","session_id":"38273","signing_id":"com.apple.audit","team_id":"","time":"1771345592","uid":"0","username":"root","version":"8"},"action":"added"}
{"name":"es_process_events","hostIdentifier":"MacBookPro","calendarTime":"Tue Feb 17 16:26:37 2026 UTC","unixTime":1771345597,"epoch":0,"counter":512,"numerics":false,"columns":{"cdhash":"a1b9c4ceb3bf3dbe1c56c26146dc4ac8d930d1c9","child_pid":"","cmdline":"sudo audit -s ","cmdline_count":"3","codesigning_flags":"","cwd":"/Users/snap/Downloads","egid":"0","env":"SHELL=/bin/sh TERM=xterm-256color USER=root SUDO_USER=snap SUDO_UID=501 SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.614sLX07yb/Listeners __CF_USER_TEXT_ENCODING=0x0:0:0 MAIL=/var/mail/root PATH=/Users/snap/.local/bin:/usr/local/bin:/System/Cryptexes/App/usr/bin:/usr/bin:/bin:/usr/sbin:/sbin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/local/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/appleinternal/bin:/opt/homebrew/bin:/Applications/iTerm.app/Contents/Resources/utilities PWD=/Users/snap/Downloads LANG=en_US.UTF-8 SHLVL=1 SUDO_COMMAND=/usr/bin/su HOME=/var/root COLORFGBG=15;0 LC_TERMINAL_VERSION=3.6.6 LOGNAME=root SUDO_GID=20 LC_TERMINAL=iTerm2 COLORTERM=truecolor _=/usr/bin/sudo OLDPWD=/Users/snap ","env_count":"22","euid":"0","event_type":"exec","exit_code":"","gid":"0","global_seq_num":"210","original_parent":"40024","parent":"40024","parent_pidversion":"105354","path":"/usr/bin/sudo","pid":"42892","pidversion":"112626","platform_binary":"1","responsible_pid":"29792","responsible_pidversion":"83076","seq_num":"85","session_id":"38273","signing_id":"com.apple.sudo","team_id":"","time":"1771345592","uid":"0","username":"root","version":"8"},"action":"added"}
{"name":"es_process_events","hostIdentifier":"MacBookPro","calendarTime":"Tue Feb 17 16:26:37 2026 UTC","unixTime":1771345597,"epoch":0,"counter":512,"numerics":false,"columns":{"cdhash":"dad984a18d5726701331e872295a73e4395701e0","child_pid":"","cmdline":"audit -s ","cmdline_count":"2","codesigning_flags":"","cwd":"/Users/snap/Downloads","egid":"0","env":"TERM=xterm-256color SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.614sLX07yb/Listeners __CF_USER_TEXT_ENCODING=0x0:0:0 MAIL=/var/mail/root PATH=/Users/snap/.local/bin:/usr/local/bin:/System/Cryptexes/App/usr/bin:/usr/bin:/bin:/usr/sbin:/sbin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/local/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/appleinternal/bin:/opt/homebrew/bin:/Applications/iTerm.app/Contents/Resources/utilities LANG=en_US.UTF-8 HOME=/var/root COLORFGBG=15;0 LC_TERMINAL_VERSION=3.6.6 LC_TERMINAL=iTerm2 COLORTERM=truecolor LOGNAME=root USER=root SHELL=/bin/sh \"SUDO_COMMAND=/usr/sbin/audit -s\" SUDO_USER=root SUDO_UID=0 SUDO_GID=0 ","env_count":"18","euid":"0","event_type":"exec","exit_code":"","gid":"0","global_seq_num":"200","original_parent":"42888","parent":"42888","parent_pidversion":"112618","path":"/usr/sbin/audit","pid":"42889","pidversion":"112620","platform_binary":"1","responsible_pid":"29792","responsible_pidversion":"83076","seq_num":"82","session_id":"38273","signing_id":"com.apple.audit","team_id":"","time":"1771345589","uid":"0","username":"root","version":"8"},"action":"added"}
{"name":"es_process_events","hostIdentifier":"MacBookPro","calendarTime":"Tue Feb 17 16:26:37 2026 UTC","unixTime":1771345597,"epoch":0,"counter":512,"numerics":false,"columns":{"cdhash":"a1b9c4ceb3bf3dbe1c56c26146dc4ac8d930d1c9","child_pid":"","cmdline":"sudo audit -s ","cmdline_count":"3","codesigning_flags":"","cwd":"/Users/snap/Downloads","egid":"0","env":"SHELL=/bin/sh TERM=xterm-256color USER=root SUDO_USER=snap SUDO_UID=501 SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.614sLX07yb/Listeners __CF_USER_TEXT_ENCODING=0x0:0:0 MAIL=/var/mail/root PATH=/Users/snap/.local/bin:/usr/local/bin:/System/Cryptexes/App/usr/bin:/usr/bin:/bin:/usr/sbin:/sbin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/local/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/appleinternal/bin:/opt/homebrew/bin:/Applications/iTerm.app/Contents/Resources/utilities PWD=/Users/snap/Downloads LANG=en_US.UTF-8 SHLVL=1 SUDO_COMMAND=/usr/bin/su HOME=/var/root COLORFGBG=15;0 LC_TERMINAL_VERSION=3.6.6 LOGNAME=root SUDO_GID=20 LC_TERMINAL=iTerm2 COLORTERM=truecolor _=/usr/bin/sudo OLDPWD=/Users/snap ","env_count":"22","euid":"0","event_type":"exec","exit_code":"","gid":"0","global_seq_num":"198","original_parent":"40024","parent":"40024","parent_pidversion":"105354","path":"/usr/bin/sudo","pid":"42888","pidversion":"112618","platform_binary":"1","responsible_pid":"29792","responsible_pidversion":"83076","seq_num":"81","session_id":"38273","signing_id":"com.apple.sudo","team_id":"","time":"1771345589","uid":"0","username":"root","version":"8"},"action":"added"}
{"name":"es_process_events","hostIdentifier":"MacBookPro","calendarTime":"Tue Feb 17 16:26:37 2026 UTC","unixTime":1771345597,"epoch":0,"counter":512,"numerics":false,"columns":{"cdhash":"dad984a18d5726701331e872295a73e4395701e0","child_pid":"","cmdline":"audit -s ","cmdline_count":"2","codesigning_flags":"","cwd":"/Users/snap/Downloads","egid":"0","env":"TERM=xterm-256color SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.614sLX07yb/Listeners __CF_USER_TEXT_ENCODING=0x0:0:0 MAIL=/var/mail/root PATH=/Users/snap/.local/bin:/usr/local/bin:/System/Cryptexes/App/usr/bin:/usr/bin:/bin:/usr/sbin:/sbin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/local/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/appleinternal/bin:/opt/homebrew/bin:/Applications/iTerm.app/Contents/Resources/utilities LANG=en_US.UTF-8 HOME=/var/root COLORFGBG=15;0 LC_TERMINAL_VERSION=3.6.6 LC_TERMINAL=iTerm2 COLORTERM=truecolor LOGNAME=root USER=root SHELL=/bin/sh \"SUDO_COMMAND=/usr/sbin/audit -s\" SUDO_USER=root SUDO_UID=0 SUDO_GID=0 ","env_count":"18","euid":"0","event_type":"exec","exit_code":"","gid":"0","global_seq_num":"194","original_parent":"42886","parent":"42886","parent_pidversion":"112613","path":"/usr/sbin/audit","pid":"42887","pidversion":"112616","platform_binary":"1","responsible_pid":"29792","responsible_pidversion":"83076","seq_num":"80","session_id":"38273","signing_id":"com.apple.audit","team_id":"","time":"1771345587","uid":"0","username":"root","version":"8"},"action":"added"}
{"name":"es_process_events","hostIdentifier":"MacBookPro","calendarTime":"Tue Feb 17 16:26:37 2026 UTC","unixTime":1771345597,"epoch":0,"counter":512,"numerics":false,"columns":{"cdhash":"a1b9c4ceb3bf3dbe1c56c26146dc4ac8d930d1c9","child_pid":"","cmdline":"sudo audit -s ","cmdline_count":"3","codesigning_flags":"","cwd":"/Users/snap/Downloads","egid":"0","env":"SHELL=/bin/sh TERM=xterm-256color USER=root SUDO_USER=snap SUDO_UID=501 SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.614sLX07yb/Listeners __CF_USER_TEXT_ENCODING=0x0:0:0 MAIL=/var/mail/root PATH=/Users/snap/.local/bin:/usr/local/bin:/System/Cryptexes/App/usr/bin:/usr/bin:/bin:/usr/sbin:/sbin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/local/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/appleinternal/bin:/opt/homebrew/bin:/Applications/iTerm.app/Contents/Resources/utilities PWD=/Users/snap/Downloads LANG=en_US.UTF-8 SHLVL=1 SUDO_COMMAND=/usr/bin/su HOME=/var/root COLORFGBG=15;0 LC_TERMINAL_VERSION=3.6.6 LOGNAME=root SUDO_GID=20 LC_TERMINAL=iTerm2 COLORTERM=truecolor _=/usr/bin/sudo OLDPWD=/Users/snap ","env_count":"22","euid":"0","event_type":"exec","exit_code":"","gid":"0","global_seq_num":"191","original_parent":"40024","parent":"40024","parent_pidversion":"105354","path":"/usr/bin/sudo","pid":"42886","pidversion":"112613","platform_binary":"1","responsible_pid":"29792","responsible_pidversion":"83076","seq_num":"78","session_id":"38273","signing_id":"com.apple.sudo","team_id":"","time":"1771345587","uid":"0","username":"root","version":"8"},"action":"added"}
{"name":"es_process_events","hostIdentifier":"MacBookPro","calendarTime":"Tue Feb 17 16:26:18 2026 UTC","unixTime":1771345578,"epoch":0,"counter":510,"numerics":false,"columns":{"cdhash":"dad984a18d5726701331e872295a73e4395701e0","child_pid":"","cmdline":"audit -s ","cmdline_count":"2","codesigning_flags":"","cwd":"/Users/snap/Downloads","egid":"0","env":"TERM=xterm-256color SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.614sLX07yb/Listeners __CF_USER_TEXT_ENCODING=0x0:0:0 MAIL=/var/mail/root PATH=/Users/snap/.local/bin:/usr/local/bin:/System/Cryptexes/App/usr/bin:/usr/bin:/bin:/usr/sbin:/sbin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/local/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/appleinternal/bin:/opt/homebrew/bin:/Applications/iTerm.app/Contents/Resources/utilities LANG=en_US.UTF-8 HOME=/var/root COLORFGBG=15;0 LC_TERMINAL_VERSION=3.6.6 LC_TERMINAL=iTerm2 COLORTERM=truecolor LOGNAME=root USER=root SHELL=/bin/sh \"SUDO_COMMAND=/usr/sbin/audit -s\" SUDO_USER=root SUDO_UID=0 SUDO_GID=0 ","env_count":"18","euid":"0","event_type":"exec","exit_code":"","gid":"0","global_seq_num":"168","original_parent":"42878","parent":"42878","parent_pidversion":"112595","path":"/usr/sbin/audit","pid":"42879","pidversion":"112597","platform_binary":"1","responsible_pid":"29792","responsible_pidversion":"83076","seq_num":"69","session_id":"38273","signing_id":"com.apple.audit","team_id":"","time":"1771345570","uid":"0","username":"root","version":"8"},"action":"added"}
{"name":"es_process_events","hostIdentifier":"MacBookPro","calendarTime":"Tue Feb 17 16:26:18 2026 UTC","unixTime":1771345578,"epoch":0,"counter":510,"numerics":false,"columns":{"cdhash":"a1b9c4ceb3bf3dbe1c56c26146dc4ac8d930d1c9","child_pid":"","cmdline":"sudo audit -s ","cmdline_count":"3","codesigning_flags":"","cwd":"/Users/snap/Downloads","egid":"0","env":"SHELL=/bin/sh TERM=xterm-256color USER=root SUDO_USER=snap SUDO_UID=501 SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.614sLX07yb/Listeners __CF_USER_TEXT_ENCODING=0x0:0:0 MAIL=/var/mail/root PATH=/Users/snap/.local/bin:/usr/local/bin:/System/Cryptexes/App/usr/bin:/usr/bin:/bin:/usr/sbin:/sbin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/local/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/appleinternal/bin:/opt/homebrew/bin:/Applications/iTerm.app/Contents/Resources/utilities PWD=/Users/snap/Downloads LANG=en_US.UTF-8 SHLVL=1 SUDO_COMMAND=/usr/bin/su HOME=/var/root COLORFGBG=15;0 LC_TERMINAL_VERSION=3.6.6 LOGNAME=root SUDO_GID=20 LC_TERMINAL=iTerm2 COLORTERM=truecolor _=/usr/bin/sudo OLDPWD=/Users/snap ","env_count":"22","euid":"0","event_type":"exec","exit_code":"","gid":"0","global_seq_num":"166","original_parent":"40024","parent":"40024","parent_pidversion":"105354","path":"/usr/bin/sudo","pid":"42878","pidversion":"112595","platform_binary":"1","responsible_pid":"29792","responsible_pidversion":"83076","seq_num":"68","session_id":"38273","signing_id":"com.apple.sudo","team_id":"","time":"1771345570","uid":"0","username":"root","version":"8"},"action":"added"}
{"name":"es_process_events","hostIdentifier":"MacBookPro","calendarTime":"Tue Feb 17 16:26:08 2026 UTC","unixTime":1771345568,"epoch":0,"counter":509,"numerics":false,"columns":{"cdhash":"dad984a18d5726701331e872295a73e4395701e0","child_pid":"","cmdline":"audit -s ","cmdline_count":"2","codesigning_flags":"","cwd":"/Users/snap/Downloads","egid":"0","env":"SHELL=/bin/sh TERM=xterm-256color USER=root SUDO_USER=snap SUDO_UID=501 SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.614sLX07yb/Listeners __CF_USER_TEXT_ENCODING=0x0:0:0 MAIL=/var/mail/root PATH=/Users/snap/.local/bin:/usr/local/bin:/System/Cryptexes/App/usr/bin:/usr/bin:/bin:/usr/sbin:/sbin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/local/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/appleinternal/bin:/opt/homebrew/bin:/Applications/iTerm.app/Contents/Resources/utilities PWD=/Users/snap/Downloads LANG=en_US.UTF-8 SHLVL=1 SUDO_COMMAND=/usr/bin/su HOME=/var/root COLORFGBG=15;0 LC_TERMINAL_VERSION=3.6.6 LOGNAME=root SUDO_GID=20 LC_TERMINAL=iTerm2 COLORTERM=truecolor _=/usr/sbin/audit OLDPWD=/Users/snap ","env_count":"22","euid":"0","event_type":"exec","exit_code":"","gid":"0","global_seq_num":"159","original_parent":"40024","parent":"40024","parent_pidversion":"105354","path":"/usr/sbin/audit","pid":"42876","pidversion":"112590","platform_binary":"1","responsible_pid":"29792","responsible_pidversion":"83076","seq_num":"65","session_id":"38273","signing_id":"com.apple.audit","team_id":"","time":"1771345566","uid":"0","username":"root","version":"8"},"action":"added"}
{"name":"es_process_events","hostIdentifier":"MacBookPro","calendarTime":"Tue Feb 17 16:25:40 2026 UTC","unixTime":1771345540,"epoch":0,"counter":506,"numerics":false,"columns":{"cdhash":"dad984a18d5726701331e872295a73e4395701e0","child_pid":"","cmdline":"audit -s /var/log/system.log ","cmdline_count":"3","codesigning_flags":"","cwd":"/Users/snap/Downloads","egid":"0","env":"SHELL=/bin/sh TERM=xterm-256color USER=root SUDO_USER=root SUDO_UID=0 SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.614sLX07yb/Listeners __CF_USER_TEXT_ENCODING=0x0:0:0 PATH=/Users/snap/.local/bin:/usr/local/bin:/System/Cryptexes/App/usr/bin:/usr/bin:/bin:/usr/sbin:/sbin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/local/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/appleinternal/bin:/opt/homebrew/bin:/Applications/iTerm.app/Contents/Resources/utilities MAIL=/var/mail/root PWD=/Users/snap/Downloads LANG=en_US.UTF-8 SHLVL=1 \"SUDO_COMMAND=/bin/bash -c audit -s /var/log/system.log && rm -rf /var/log/system.log\" COLORFGBG=15;0 HOME=/var/root LC_TERMINAL_VERSION=3.6.6 LOGNAME=root SUDO_GID=0 LC_TERMINAL=iTerm2 COLORTERM=truecolor _=/usr/sbin/audit ","env_count":"21","euid":"0","event_type":"exec","exit_code":"","gid":"0","global_seq_num":"139","original_parent":"42870","parent":"42870","parent_pidversion":"112575","path":"/usr/sbin/audit","pid":"42871","pidversion":"112577","platform_binary":"1","responsible_pid":"29792","responsible_pidversion":"83076","seq_num":"57","session_id":"38273","signing_id":"com.apple.audit","team_id":"","time":"1771345533","uid":"0","username":"root","version":"8"},"action":"added"}
{"name":"es_process_events","hostIdentifier":"MacBookPro","calendarTime":"Tue Feb 17 16:25:40 2026 UTC","unixTime":1771345540,"epoch":0,"counter":506,"numerics":false,"columns":{"cdhash":"323169bddf474bedd39064f691c234e0cb0655ee","child_pid":"","cmdline":"bash -c \"audit -s /var/log/system.log && rm -rf /var/log/system.log\" ","cmdline_count":"3","codesigning_flags":"","cwd":"/Users/snap/Downloads","egid":"0","env":"TERM=xterm-256color SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.614sLX07yb/Listeners __CF_USER_TEXT_ENCODING=0x0:0:0 MAIL=/var/mail/root PATH=/Users/snap/.local/bin:/usr/local/bin:/System/Cryptexes/App/usr/bin:/usr/bin:/bin:/usr/sbin:/sbin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/local/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/appleinternal/bin:/opt/homebrew/bin:/Applications/iTerm.app/Contents/Resources/utilities LANG=en_US.UTF-8 HOME=/var/root COLORFGBG=15;0 LC_TERMINAL_VERSION=3.6.6 LC_TERMINAL=iTerm2 COLORTERM=truecolor LOGNAME=root USER=root SHELL=/bin/sh \"SUDO_COMMAND=/bin/bash -c audit -s /var/log/system.log && rm -rf /var/log/system.log\" SUDO_USER=root SUDO_UID=0 SUDO_GID=0 ","env_count":"18","euid":"0","event_type":"exec","exit_code":"","gid":"0","global_seq_num":"137","original_parent":"42869","parent":"42869","parent_pidversion":"112573","path":"/bin/bash","pid":"42870","pidversion":"112575","platform_binary":"1","responsible_pid":"29792","responsible_pidversion":"83076","seq_num":"56","session_id":"38273","signing_id":"com.apple.bash","team_id":"","time":"1771345533","uid":"0","username":"root","version":"8"},"action":"added"}
{"name":"es_process_events","hostIdentifier":"MacBookPro","calendarTime":"Tue Feb 17 16:25:40 2026 UTC","unixTime":1771345540,"epoch":0,"counter":506,"numerics":false,"columns":{"cdhash":"a1b9c4ceb3bf3dbe1c56c26146dc4ac8d930d1c9","child_pid":"","cmdline":"sudo bash -c \"audit -s /var/log/system.log && rm -rf /var/log/system.log\" ","cmdline_count":"4","codesigning_flags":"","cwd":"/Users/snap/Downloads","egid":"0","env":"SHELL=/bin/sh TERM=xterm-256color USER=root SUDO_USER=snap SUDO_UID=501 SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.614sLX07yb/Listeners __CF_USER_TEXT_ENCODING=0x0:0:0 MAIL=/var/mail/root PATH=/Users/snap/.local/bin:/usr/local/bin:/System/Cryptexes/App/usr/bin:/usr/bin:/bin:/usr/sbin:/sbin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/local/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/appleinternal/bin:/opt/homebrew/bin:/Applications/iTerm.app/Contents/Resources/utilities PWD=/Users/snap/Downloads LANG=en_US.UTF-8 SHLVL=1 SUDO_COMMAND=/usr/bin/su HOME=/var/root COLORFGBG=15;0 LC_TERMINAL_VERSION=3.6.6 LOGNAME=root SUDO_GID=20 LC_TERMINAL=iTerm2 COLORTERM=truecolor _=/usr/bin/sudo OLDPWD=/Users/snap ","env_count":"22","euid":"0","event_type":"exec","exit_code":"","gid":"0","global_seq_num":"135","original_parent":"40024","parent":"40024","parent_pidversion":"105354","path":"/usr/bin/sudo","pid":"42869","pidversion":"112573","platform_binary":"1","responsible_pid":"29792","responsible_pidversion":"83076","seq_num":"55","session_id":"38273","signing_id":"com.apple.sudo","team_id":"","time":"1771345533","uid":"0","username":"root","version":"8"},"action":"added"}
{"name":"es_process_events","hostIdentifier":"MacBookPro","calendarTime":"Tue Feb 17 16:23:55 2026 UTC","unixTime":1771345435,"epoch":0,"counter":496,"numerics":false,"columns":{"cdhash":"e97159f6754d6fb971bd64968a3593a3779dff2d","child_pid":"","cmdline":"","cmdline_count":"0","codesigning_flags":"","cwd":"","egid":"0","env":"","env_count":"0","euid":"0","event_type":"exit","exit_code":"0","gid":"0","global_seq_num":"70","original_parent":"42847","parent":"42847","parent_pidversion":"112519","path":"/usr/bin/xattr","pid":"42851","pidversion":"112526","platform_binary":"1","responsible_pid":"29792","responsible_pidversion":"83076","seq_num":"22","session_id":"38273","signing_id":"com.apple.xattr","team_id":"","time":"1771345431","uid":"0","username":"root","version":"8"},"action":"added"}
{"name":"es_process_events","hostIdentifier":"MacBookPro","calendarTime":"Tue Feb 17 16:23:55 2026 UTC","unixTime":1771345435,"epoch":0,"counter":496,"numerics":false,"columns":{"cdhash":"e97159f6754d6fb971bd64968a3593a3779dff2d","child_pid":"","cmdline":"xattr -c /tmp/exfil_chunk_aa ","cmdline_count":"3","codesigning_flags":"","cwd":"/Users/snap/Downloads","egid":"0","env":"TERM=xterm-256color SHELL=/bin/sh USER=root SUDO_USER=snap SUDO_UID=501 SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.614sLX07yb/Listeners __CF_USER_TEXT_ENCODING=0x0:0:0 PATH=/Users/snap/.local/bin:/usr/local/bin:/System/Cryptexes/App/usr/bin:/usr/bin:/bin:/usr/sbin:/sbin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/local/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/appleinternal/bin:/opt/homebrew/bin:/Applications/iTerm.app/Contents/Resources/utilities MAIL=/var/mail/root PWD=/Users/snap/Downloads LANG=en_US.UTF-8 COLORFGBG=15;0 HOME=/var/root SUDO_COMMAND=/usr/bin/su SHLVL=2 LC_TERMINAL_VERSION=3.6.6 LOGNAME=root LC_TERMINAL=iTerm2 SUDO_GID=20 COLORTERM=truecolor _=/usr/bin/xattr ","env_count":"21","euid":"0","event_type":"exec","exit_code":"","gid":"0","global_seq_num":"69","original_parent":"42847","parent":"42847","parent_pidversion":"112519","path":"/usr/bin/xattr","pid":"42851","pidversion":"112526","platform_binary":"1","responsible_pid":"29792","responsible_pidversion":"83076","seq_num":"26","session_id":"38273","signing_id":"com.apple.xattr","team_id":"","time":"1771345431","uid":"0","username":"root","version":"8"},"action":"added"}
{"name":"es_process_events","hostIdentifier":"MacBookPro","calendarTime":"Tue Feb 17 16:23:55 2026 UTC","unixTime":1771345435,"epoch":0,"counter":496,"numerics":false,"columns":{"cdhash":"e97159f6754d6fb971bd64968a3593a3779dff2d","child_pid":"","cmdline":"","cmdline_count":"0","codesigning_flags":"","cwd":"","egid":"0","env":"","env_count":"0","euid":"0","event_type":"exit","exit_code":"0","gid":"0","global_seq_num":"64","original_parent":"42847","parent":"42847","parent_pidversion":"112519","path":"/usr/bin/xattr","pid":"42849","pidversion":"112522","platform_binary":"1","responsible_pid":"29792","responsible_pidversion":"83076","seq_num":"20","session_id":"38273","signing_id":"com.apple.xattr","team_id":"","time":"1771345431","uid":"0","username":"root","version":"8"},"action":"added"}
{"name":"es_process_events","hostIdentifier":"MacBookPro","calendarTime":"Tue Feb 17 16:23:55 2026 UTC","unixTime":1771345435,"epoch":0,"counter":496,"numerics":false,"columns":{"cdhash":"e97159f6754d6fb971bd64968a3593a3779dff2d","child_pid":"","cmdline":"xattr -wx com.apple.FinderInfo 0000000000000000000000000000000000000000000000000000000000000000 /tmp/exfil_chunk_aa ","cmdline_count":"5","codesigning_flags":"","cwd":"/Users/snap/Downloads","egid":"0","env":"TERM=xterm-256color SHELL=/bin/sh USER=root SUDO_USER=snap SUDO_UID=501 SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.614sLX07yb/Listeners __CF_USER_TEXT_ENCODING=0x0:0:0 PATH=/Users/snap/.local/bin:/usr/local/bin:/System/Cryptexes/App/usr/bin:/usr/bin:/bin:/usr/sbin:/sbin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/local/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/appleinternal/bin:/opt/homebrew/bin:/Applications/iTerm.app/Contents/Resources/utilities MAIL=/var/mail/root _=/usr/bin/xattr PWD=/Users/snap/Downloads LANG=en_US.UTF-8 COLORFGBG=15;0 HOME=/var/root SUDO_COMMAND=/usr/bin/su SHLVL=2 LC_TERMINAL_VERSION=3.6.6 LOGNAME=root LC_TERMINAL=iTerm2 SUDO_GID=20 COLORTERM=truecolor ","env_count":"21","euid":"0","event_type":"exec","exit_code":"","gid":"0","global_seq_num":"63","original_parent":"42847","parent":"42847","parent_pidversion":"112519","path":"/usr/bin/xattr","pid":"42849","pidversion":"112522","platform_binary":"1","responsible_pid":"29792","responsible_pidversion":"83076","seq_num":"24","session_id":"38273","signing_id":"com.apple.xattr","team_id":"","time":"1771345431","uid":"0","username":"root","version":"8"},"action":"added"}
{"name":"es_process_events","hostIdentifier":"MacBookPro","calendarTime":"Tue Feb 17 16:23:55 2026 UTC","unixTime":1771345435,"epoch":0,"counter":496,"numerics":false,"columns":{"cdhash":"323169bddf474bedd39064f691c234e0cb0655ee","child_pid":"","cmdline":"bash -c \"xattr -wx com.apple.FinderInfo \\\"$(printf \\\"%064d\\\" 0)\\\" /tmp/exfil_chunk_aa && chflags hidden /tmp/exfil_chunk_aa && xattr -c /tmp/exfil_chunk_aa > /dev/null\" ","cmdline_count":"3","codesigning_flags":"","cwd":"/Users/snap/Downloads","egid":"0","env":"SHELL=/bin/sh TERM=xterm-256color USER=root SUDO_USER=snap SUDO_UID=501 SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.614sLX07yb/Listeners __CF_USER_TEXT_ENCODING=0x0:0:0 MAIL=/var/mail/root PATH=/Users/snap/.local/bin:/usr/local/bin:/System/Cryptexes/App/usr/bin:/usr/bin:/bin:/usr/sbin:/sbin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/local/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/appleinternal/bin:/opt/homebrew/bin:/Applications/iTerm.app/Contents/Resources/utilities PWD=/Users/snap/Downloads LANG=en_US.UTF-8 SHLVL=1 SUDO_COMMAND=/usr/bin/su HOME=/var/root COLORFGBG=15;0 LC_TERMINAL_VERSION=3.6.6 LOGNAME=root SUDO_GID=20 LC_TERMINAL=iTerm2 COLORTERM=truecolor _=/bin/bash OLDPWD=/Users/snap ","env_count":"22","euid":"0","event_type":"exec","exit_code":"","gid":"0","global_seq_num":"59","original_parent":"40024","parent":"40024","parent_pidversion":"105354","path":"/bin/bash","pid":"42847","pidversion":"112519","platform_binary":"1","responsible_pid":"29792","responsible_pidversion":"83076","seq_num":"23","session_id":"38273","signing_id":"com.apple.bash","team_id":"","time":"1771345431","uid":"0","username":"root","version":"8"},"action":"added"}
{"name":"es_process_events","hostIdentifier":"MacBookPro","calendarTime":"Tue Feb 17 16:23:27 2026 UTC","unixTime":1771345407,"epoch":0,"counter":493,"numerics":false,"columns":{"cdhash":"e97159f6754d6fb971bd64968a3593a3779dff2d","child_pid":"","cmdline":"","cmdline_count":"0","codesigning_flags":"","cwd":"","egid":"0","env":"","env_count":"0","euid":"0","event_type":"exit","exit_code":"256","gid":"0","global_seq_num":"45","original_parent":"40024","parent":"40024","parent_pidversion":"105354","path":"/usr/bin/xattr","pid":"42843","pidversion":"112508","platform_binary":"1","responsible_pid":"29792","responsible_pidversion":"83076","seq_num":"15","session_id":"38273","signing_id":"com.apple.xattr","team_id":"","time":"1771345403","uid":"0","username":"root","version":"8"},"action":"added"}
{"name":"es_process_events","hostIdentifier":"MacBookPro","calendarTime":"Tue Feb 17 16:23:27 2026 UTC","unixTime":1771345407,"epoch":0,"counter":493,"numerics":false,"columns":{"cdhash":"e97159f6754d6fb971bd64968a3593a3779dff2d","child_pid":"","cmdline":"xattr -d UTM.dmg UniversalMac_26.1_25B78_Restore.ipsw osquery-5.21.0.pkg com.apple.quarantine ","cmdline_count":"6","codesigning_flags":"","cwd":"/Users/snap/Downloads","egid":"0","env":"SHELL=/bin/sh TERM=xterm-256color USER=root SUDO_USER=snap SUDO_UID=501 SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.614sLX07yb/Listeners __CF_USER_TEXT_ENCODING=0x0:0:0 MAIL=/var/mail/root PATH=/Users/snap/.local/bin:/usr/local/bin:/System/Cryptexes/App/usr/bin:/usr/bin:/bin:/usr/sbin:/sbin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/local/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/appleinternal/bin:/opt/homebrew/bin:/Applications/iTerm.app/Contents/Resources/utilities PWD=/Users/snap/Downloads LANG=en_US.UTF-8 SHLVL=1 SUDO_COMMAND=/usr/bin/su HOME=/var/root COLORFGBG=15;0 LC_TERMINAL_VERSION=3.6.6 LOGNAME=root SUDO_GID=20 LC_TERMINAL=iTerm2 COLORTERM=truecolor _=/usr/bin/xattr OLDPWD=/Users/snap ","env_count":"22","euid":"0","event_type":"exec","exit_code":"","gid":"0","global_seq_num":"44","original_parent":"40024","parent":"40024","parent_pidversion":"105354","path":"/usr/bin/xattr","pid":"42843","pidversion":"112508","platform_binary":"1","responsible_pid":"29792","responsible_pidversion":"83076","seq_num":"16","session_id":"38273","signing_id":"com.apple.xattr","team_id":"","time":"1771345403","uid":"0","username":"root","version":"8"},"action":"added"}
{"name":"es_process_events","hostIdentifier":"MacBookPro","calendarTime":"Tue Feb 17 16:23:17 2026 UTC","unixTime":1771345397,"epoch":0,"counter":492,"numerics":false,"columns":{"cdhash":"e97159f6754d6fb971bd64968a3593a3779dff2d","child_pid":"","cmdline":"","cmdline_count":"0","codesigning_flags":"","cwd":"","egid":"0","env":"","env_count":"0","euid":"0","event_type":"exit","exit_code":"256","gid":"0","global_seq_num":"37","original_parent":"42840","parent":"42840","parent_pidversion":"112501","path":"/usr/bin/xattr","pid":"42841","pidversion":"112503","platform_binary":"1","responsible_pid":"29792","responsible_pidversion":"83076","seq_num":"12","session_id":"38273","signing_id":"com.apple.xattr","team_id":"","time":"1771345391","uid":"0","username":"root","version":"8"},"action":"added"}
{"name":"es_process_events","hostIdentifier":"MacBookPro","calendarTime":"Tue Feb 17 16:23:17 2026 UTC","unixTime":1771345397,"epoch":0,"counter":492,"numerics":false,"columns":{"cdhash":"e97159f6754d6fb971bd64968a3593a3779dff2d","child_pid":"","cmdline":"xattr -w com.apple.FinderInfo  /tmp/exfil_chunk_aa ","cmdline_count":"5","codesigning_flags":"","cwd":"/Users/snap/Downloads","egid":"0","env":"TERM=xterm-256color SHELL=/bin/sh USER=root SUDO_USER=snap SUDO_UID=501 SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.614sLX07yb/Listeners __CF_USER_TEXT_ENCODING=0x0:0:0 PATH=/Users/snap/.local/bin:/usr/local/bin:/System/Cryptexes/App/usr/bin:/usr/bin:/bin:/usr/sbin:/sbin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/local/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/appleinternal/bin:/opt/homebrew/bin:/Applications/iTerm.app/Contents/Resources/utilities MAIL=/var/mail/root _=/usr/bin/xattr PWD=/Users/snap/Downloads LANG=en_US.UTF-8 COLORFGBG=15;0 HOME=/var/root SUDO_COMMAND=/usr/bin/su SHLVL=2 LC_TERMINAL_VERSION=3.6.6 LOGNAME=root LC_TERMINAL=iTerm2 SUDO_GID=20 COLORTERM=truecolor ","env_count":"21","euid":"0","event_type":"exec","exit_code":"","gid":"0","global_seq_num":"36","original_parent":"42840","parent":"42840","parent_pidversion":"112501","path":"/usr/bin/xattr","pid":"42841","pidversion":"112503","platform_binary":"1","responsible_pid":"29792","responsible_pidversion":"83076","seq_num":"13","session_id":"38273","signing_id":"com.apple.xattr","team_id":"","time":"1771345391","uid":"0","username":"root","version":"8"},"action":"added"}
{"name":"es_process_events","hostIdentifier":"MacBookPro","calendarTime":"Tue Feb 17 16:23:17 2026 UTC","unixTime":1771345397,"epoch":0,"counter":492,"numerics":false,"columns":{"cdhash":"323169bddf474bedd39064f691c234e0cb0655ee","child_pid":"","cmdline":"bash -c \"xattr -w com.apple.FinderInfo \\\"\\\" /tmp/exfil_chunk_aa && chflags hidden /tmp/exfil_chunk_aa && xattr -c /tmp/exfil_chunk_aa > /dev/null\" ","cmdline_count":"3","codesigning_flags":"","cwd":"/Users/snap/Downloads","egid":"0","env":"SHELL=/bin/sh TERM=xterm-256color USER=root SUDO_USER=snap SUDO_UID=501 SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.614sLX07yb/Listeners __CF_USER_TEXT_ENCODING=0x0:0:0 MAIL=/var/mail/root PATH=/Users/snap/.local/bin:/usr/local/bin:/System/Cryptexes/App/usr/bin:/usr/bin:/bin:/usr/sbin:/sbin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/local/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/appleinternal/bin:/opt/homebrew/bin:/Applications/iTerm.app/Contents/Resources/utilities PWD=/Users/snap/Downloads LANG=en_US.UTF-8 SHLVL=1 SUDO_COMMAND=/usr/bin/su HOME=/var/root COLORFGBG=15;0 LC_TERMINAL_VERSION=3.6.6 LOGNAME=root SUDO_GID=20 LC_TERMINAL=iTerm2 COLORTERM=truecolor _=/bin/bash OLDPWD=/Users/snap ","env_count":"22","euid":"0","event_type":"exec","exit_code":"","gid":"0","global_seq_num":"34","original_parent":"40024","parent":"40024","parent_pidversion":"105354","path":"/bin/bash","pid":"42840","pidversion":"112501","platform_binary":"1","responsible_pid":"29792","responsible_pidversion":"83076","seq_num":"12","session_id":"38273","signing_id":"com.apple.bash","team_id":"","time":"1771345391","uid":"0","username":"root","version":"8"},"action":"added"}
{"name":"es_process_events","hostIdentifier":"MacBookPro","calendarTime":"Tue Feb 17 16:22:58 2026 UTC","unixTime":1771345378,"epoch":0,"counter":490,"numerics":false,"columns":{"cdhash":"e97159f6754d6fb971bd64968a3593a3779dff2d","child_pid":"","cmdline":"","cmdline_count":"0","codesigning_flags":"","cwd":"","egid":"0","env":"","env_count":"0","euid":"0","event_type":"exit","exit_code":"256","gid":"0","global_seq_num":"13","original_parent":"40024","parent":"40024","parent_pidversion":"105354","path":"/usr/bin/xattr","pid":"42834","pidversion":"112487","platform_binary":"1","responsible_pid":"29792","responsible_pidversion":"83076","seq_num":"4","session_id":"38273","signing_id":"com.apple.xattr","team_id":"","time":"1771345371","uid":"0","username":"root","version":"8"},"action":"added"}
{"name":"es_process_events","hostIdentifier":"MacBookPro","calendarTime":"Tue Feb 17 16:22:58 2026 UTC","unixTime":1771345378,"epoch":0,"counter":490,"numerics":false,"columns":{"cdhash":"e97159f6754d6fb971bd64968a3593a3779dff2d","child_pid":"","cmdline":"xattr -d com.apple.quarantine ","cmdline_count":"3","codesigning_flags":"","cwd":"/Users/snap/Downloads","egid":"0","env":"SHELL=/bin/sh TERM=xterm-256color USER=root SUDO_USER=snap SUDO_UID=501 SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.614sLX07yb/Listeners __CF_USER_TEXT_ENCODING=0x0:0:0 MAIL=/var/mail/root PATH=/Users/snap/.local/bin:/usr/local/bin:/System/Cryptexes/App/usr/bin:/usr/bin:/bin:/usr/sbin:/sbin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/local/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/appleinternal/bin:/opt/homebrew/bin:/Applications/iTerm.app/Contents/Resources/utilities PWD=/Users/snap/Downloads LANG=en_US.UTF-8 SHLVL=1 SUDO_COMMAND=/usr/bin/su HOME=/var/root COLORFGBG=15;0 LC_TERMINAL_VERSION=3.6.6 LOGNAME=root SUDO_GID=20 LC_TERMINAL=iTerm2 COLORTERM=truecolor _=/usr/bin/xattr OLDPWD=/Users/snap ","env_count":"22","euid":"0","event_type":"exec","exit_code":"","gid":"0","global_seq_num":"12","original_parent":"40024","parent":"40024","parent_pidversion":"105354","path":"/usr/bin/xattr","pid":"42834","pidversion":"112487","platform_binary":"1","responsible_pid":"29792","responsible_pidversion":"83076","seq_num":"4","session_id":"38273","signing_id":"com.apple.xattr","team_id":"","time":"1771345371","uid":"0","username":"root","version":"8"},"action":"added"}
{"name":"es_process_events","hostIdentifier":"MacBookPro","calendarTime":"Fri Feb 13 15:14:10 2026 UTC","unixTime":1770995650,"epoch":0,"counter":191,"numerics":false,"columns":{"cdhash":"e97159f6754d6fb971bd64968a3593a3779dff2d","child_pid":"","cmdline":"","cmdline_count":"0","codesigning_flags":"","cwd":"","egid":"0","env":"","env_count":"0","euid":"0","event_type":"exit","exit_code":"0","gid":"0","global_seq_num":"5170","original_parent":"40212","parent":"40212","parent_pidversion":"105855","path":"/usr/bin/xattr","pid":"40216","pidversion":"105862","platform_binary":"1","responsible_pid":"29792","responsible_pidversion":"83076","seq_num":"1552","session_id":"38273","signing_id":"com.apple.xattr","team_id":"","time":"1770995650","uid":"0","username":"root","version":"8"},"action":"added"}
{"name":"es_process_events","hostIdentifier":"MacBookPro","calendarTime":"Fri Feb 13 15:14:10 2026 UTC","unixTime":1770995650,"epoch":0,"counter":191,"numerics":false,"columns":{"cdhash":"e97159f6754d6fb971bd64968a3593a3779dff2d","child_pid":"","cmdline":"xattr -c /tmp/exfil_chunk_aa ","cmdline_count":"3","codesigning_flags":"","cwd":"/Users/snap/Downloads","egid":"0","env":"TERM=xterm-256color SHELL=/bin/sh USER=root SUDO_USER=snap SUDO_UID=501 SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.614sLX07yb/Listeners __CF_USER_TEXT_ENCODING=0x0:0:0 PATH=/Users/snap/.local/bin:/usr/local/bin:/System/Cryptexes/App/usr/bin:/usr/bin:/bin:/usr/sbin:/sbin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/local/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/appleinternal/bin:/opt/homebrew/bin:/Applications/iTerm.app/Contents/Resources/utilities MAIL=/var/mail/root PWD=/Users/snap/Downloads LANG=en_US.UTF-8 COLORFGBG=15;0 HOME=/var/root SUDO_COMMAND=/usr/bin/su SHLVL=2 LC_TERMINAL_VERSION=3.6.6 LOGNAME=root LC_TERMINAL=iTerm2 SUDO_GID=20 COLORTERM=truecolor _=/usr/bin/xattr ","env_count":"21","euid":"0","event_type":"exec","exit_code":"","gid":"0","global_seq_num":"5169","original_parent":"40212","parent":"40212","parent_pidversion":"105855","path":"/usr/bin/xattr","pid":"40216","pidversion":"105862","platform_binary":"1","responsible_pid":"29792","responsible_pidversion":"83076","seq_num":"2047","session_id":"38273","signing_id":"com.apple.xattr","team_id":"","time":"1770995650","uid":"0","username":"root","version":"8"},"action":"added"}
{"name":"es_process_events","hostIdentifier":"MacBookPro","calendarTime":"Fri Feb 13 15:14:10 2026 UTC","unixTime":1770995650,"epoch":0,"counter":191,"numerics":false,"columns":{"cdhash":"e97159f6754d6fb971bd64968a3593a3779dff2d","child_pid":"","cmdline":"","cmdline_count":"0","codesigning_flags":"","cwd":"","egid":"0","env":"","env_count":"0","euid":"0","event_type":"exit","exit_code":"0","gid":"0","global_seq_num":"5164","original_parent":"40212","parent":"40212","parent_pidversion":"105855","path":"/usr/bin/xattr","pid":"40214","pidversion":"105858","platform_binary":"1","responsible_pid":"29792","responsible_pidversion":"83076","seq_num":"1550","session_id":"38273","signing_id":"com.apple.xattr","team_id":"","time":"1770995650","uid":"0","username":"root","version":"8"},"action":"added"}
{"name":"es_process_events","hostIdentifier":"MacBookPro","calendarTime":"Fri Feb 13 15:14:10 2026 UTC","unixTime":1770995650,"epoch":0,"counter":191,"numerics":false,"columns":{"cdhash":"e97159f6754d6fb971bd64968a3593a3779dff2d","child_pid":"","cmdline":"xattr -wx com.apple.FinderInfo 0000000000000000000000000000000000000000000000000000000000000000 /tmp/exfil_chunk_aa ","cmdline_count":"5","codesigning_flags":"","cwd":"/Users/snap/Downloads","egid":"0","env":"TERM=xterm-256color SHELL=/bin/sh USER=root SUDO_USER=snap SUDO_UID=501 SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.614sLX07yb/Listeners __CF_USER_TEXT_ENCODING=0x0:0:0 PATH=/Users/snap/.local/bin:/usr/local/bin:/System/Cryptexes/App/usr/bin:/usr/bin:/bin:/usr/sbin:/sbin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/local/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/appleinternal/bin:/opt/homebrew/bin:/Applications/iTerm.app/Contents/Resources/utilities MAIL=/var/mail/root _=/usr/bin/xattr PWD=/Users/snap/Downloads LANG=en_US.UTF-8 COLORFGBG=15;0 HOME=/var/root SUDO_COMMAND=/usr/bin/su SHLVL=2 LC_TERMINAL_VERSION=3.6.6 LOGNAME=root LC_TERMINAL=iTerm2 SUDO_GID=20 COLORTERM=truecolor ","env_count":"21","euid":"0","event_type":"exec","exit_code":"","gid":"0","global_seq_num":"5163","original_parent":"40212","parent":"40212","parent_pidversion":"105855","path":"/usr/bin/xattr","pid":"40214","pidversion":"105858","platform_binary":"1","responsible_pid":"29792","responsible_pidversion":"83076","seq_num":"2045","session_id":"38273","signing_id":"com.apple.xattr","team_id":"","time":"1770995650","uid":"0","username":"root","version":"8"},"action":"added"}
{"name":"es_process_events","hostIdentifier":"MacBookPro","calendarTime":"Fri Feb 13 15:14:10 2026 UTC","unixTime":1770995650,"epoch":0,"counter":191,"numerics":false,"columns":{"cdhash":"323169bddf474bedd39064f691c234e0cb0655ee","child_pid":"","cmdline":"bash -c \"xattr -wx com.apple.FinderInfo \\\"$(printf \\\"%064d\\\" 0)\\\" /tmp/exfil_chunk_aa && chflags hidden /tmp/exfil_chunk_aa && xattr -c /tmp/exfil_chunk_aa > /dev/null\" ","cmdline_count":"3","codesigning_flags":"","cwd":"/Users/snap/Downloads","egid":"0","env":"SHELL=/bin/sh TERM=xterm-256color USER=root SUDO_USER=snap SUDO_UID=501 SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.614sLX07yb/Listeners __CF_USER_TEXT_ENCODING=0x0:0:0 MAIL=/var/mail/root PATH=/Users/snap/.local/bin:/usr/local/bin:/System/Cryptexes/App/usr/bin:/usr/bin:/bin:/usr/sbin:/sbin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/local/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/appleinternal/bin:/opt/homebrew/bin:/Applications/iTerm.app/Contents/Resources/utilities PWD=/Users/snap/Downloads LANG=en_US.UTF-8 SHLVL=1 SUDO_COMMAND=/usr/bin/su HOME=/var/root COLORFGBG=15;0 LC_TERMINAL_VERSION=3.6.6 LOGNAME=root SUDO_GID=20 LC_TERMINAL=iTerm2 COLORTERM=truecolor _=/bin/bash OLDPWD=/Users/snap ","env_count":"22","euid":"0","event_type":"exec","exit_code":"","gid":"0","global_seq_num":"5159","original_parent":"40024","parent":"40024","parent_pidversion":"105354","path":"/bin/bash","pid":"40212","pidversion":"105855","platform_binary":"1","responsible_pid":"29792","responsible_pidversion":"83076","seq_num":"2044","session_id":"38273","signing_id":"com.apple.bash","team_id":"","time":"1770995650","uid":"0","username":"root","version":"8"},"action":"added"}
{"name":"es_process_events","hostIdentifier":"MacBookPro","calendarTime":"Fri Feb 13 15:13:51 2026 UTC","unixTime":1770995631,"epoch":0,"counter":189,"numerics":false,"columns":{"cdhash":"e97159f6754d6fb971bd64968a3593a3779dff2d","child_pid":"","cmdline":"","cmdline_count":"0","codesigning_flags":"","cwd":"","egid":"0","env":"","env_count":"0","euid":"0","event_type":"exit","exit_code":"256","gid":"0","global_seq_num":"5141","original_parent":"40206","parent":"40206","parent_pidversion":"105840","path":"/usr/bin/xattr","pid":"40207","pidversion":"105842","platform_binary":"1","responsible_pid":"29792","responsible_pidversion":"83076","seq_num":"1543","session_id":"38273","signing_id":"com.apple.xattr","team_id":"","time":"1770995626","uid":"0","username":"root","version":"8"},"action":"added"}
{"name":"es_process_events","hostIdentifier":"MacBookPro","calendarTime":"Fri Feb 13 15:13:51 2026 UTC","unixTime":1770995631,"epoch":0,"counter":189,"numerics":false,"columns":{"cdhash":"e97159f6754d6fb971bd64968a3593a3779dff2d","child_pid":"","cmdline":"xattr -w com.apple.FinderInfo  /tmp/exfil_chunk_aa ","cmdline_count":"5","codesigning_flags":"","cwd":"/Users/snap/Downloads","egid":"0","env":"TERM=xterm-256color SHELL=/bin/sh USER=root SUDO_USER=snap SUDO_UID=501 SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.614sLX07yb/Listeners __CF_USER_TEXT_ENCODING=0x0:0:0 PATH=/Users/snap/.local/bin:/usr/local/bin:/System/Cryptexes/App/usr/bin:/usr/bin:/bin:/usr/sbin:/sbin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/local/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/appleinternal/bin:/opt/homebrew/bin:/Applications/iTerm.app/Contents/Resources/utilities MAIL=/var/mail/root _=/usr/bin/xattr PWD=/Users/snap/Downloads LANG=en_US.UTF-8 COLORFGBG=15;0 HOME=/var/root SUDO_COMMAND=/usr/bin/su SHLVL=2 LC_TERMINAL_VERSION=3.6.6 LOGNAME=root LC_TERMINAL=iTerm2 SUDO_GID=20 COLORTERM=truecolor ","env_count":"21","euid":"0","event_type":"exec","exit_code":"","gid":"0","global_seq_num":"5140","original_parent":"40206","parent":"40206","parent_pidversion":"105840","path":"/usr/bin/xattr","pid":"40207","pidversion":"105842","platform_binary":"1","responsible_pid":"29792","responsible_pidversion":"83076","seq_num":"2036","session_id":"38273","signing_id":"com.apple.xattr","team_id":"","time":"1770995626","uid":"0","username":"root","version":"8"},"action":"added"}
{"name":"es_process_events","hostIdentifier":"MacBookPro","calendarTime":"Fri Feb 13 15:13:51 2026 UTC","unixTime":1770995631,"epoch":0,"counter":189,"numerics":false,"columns":{"cdhash":"323169bddf474bedd39064f691c234e0cb0655ee","child_pid":"","cmdline":"bash -c \"xattr -w com.apple.FinderInfo \\\"\\\" /tmp/exfil_chunk_aa && chflags hidden /tmp/exfil_chunk_aa && xattr -c /tmp/exfil_chunk_aa > /dev/null\" ","cmdline_count":"3","codesigning_flags":"","cwd":"/Users/snap/Downloads","egid":"0","env":"SHELL=/bin/sh TERM=xterm-256color USER=root SUDO_USER=snap SUDO_UID=501 SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.614sLX07yb/Listeners __CF_USER_TEXT_ENCODING=0x0:0:0 MAIL=/var/mail/root PATH=/Users/snap/.local/bin:/usr/local/bin:/System/Cryptexes/App/usr/bin:/usr/bin:/bin:/usr/sbin:/sbin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/local/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/appleinternal/bin:/opt/homebrew/bin:/Applications/iTerm.app/Contents/Resources/utilities PWD=/Users/snap/Downloads LANG=en_US.UTF-8 SHLVL=1 SUDO_COMMAND=/usr/bin/su HOME=/var/root COLORFGBG=15;0 LC_TERMINAL_VERSION=3.6.6 LOGNAME=root SUDO_GID=20 LC_TERMINAL=iTerm2 COLORTERM=truecolor _=/bin/bash OLDPWD=/Users/snap ","env_count":"22","euid":"0","event_type":"exec","exit_code":"","gid":"0","global_seq_num":"5138","original_parent":"40024","parent":"40024","parent_pidversion":"105354","path":"/bin/bash","pid":"40206","pidversion":"105840","platform_binary":"1","responsible_pid":"29792","responsible_pidversion":"83076","seq_num":"2035","session_id":"38273","signing_id":"com.apple.bash","team_id":"","time":"1770995626","uid":"0","username":"root","version":"8"},"action":"added"}
{"name":"es_process_events","hostIdentifier":"MacBookPro","calendarTime":"Fri Feb 13 15:12:26 2026 UTC","unixTime":1770995546,"epoch":0,"counter":180,"numerics":false,"columns":{"cdhash":"e97159f6754d6fb971bd64968a3593a3779dff2d","child_pid":"","cmdline":"","cmdline_count":"0","codesigning_flags":"","cwd":"","egid":"0","env":"","env_count":"0","euid":"0","event_type":"exit","exit_code":"256","gid":"0","global_seq_num":"5085","original_parent":"40024","parent":"40024","parent_pidversion":"105354","path":"/usr/bin/xattr","pid":"40191","pidversion":"105801","platform_binary":"1","responsible_pid":"29792","responsible_pidversion":"83076","seq_num":"1528","session_id":"38273","signing_id":"com.apple.xattr","team_id":"","time":"1770995539","uid":"0","username":"root","version":"8"},"action":"added"}
{"name":"es_process_events","hostIdentifier":"MacBookPro","calendarTime":"Fri Feb 13 15:12:26 2026 UTC","unixTime":1770995546,"epoch":0,"counter":180,"numerics":false,"columns":{"cdhash":"e97159f6754d6fb971bd64968a3593a3779dff2d","child_pid":"","cmdline":"xattr -d UTM.dmg UniversalMac_26.1_25B78_Restore.ipsw osquery-5.21.0.pkg com.apple.quarantine ","cmdline_count":"6","codesigning_flags":"","cwd":"/Users/snap/Downloads","egid":"0","env":"SHELL=/bin/sh TERM=xterm-256color USER=root SUDO_USER=snap SUDO_UID=501 SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.614sLX07yb/Listeners __CF_USER_TEXT_ENCODING=0x0:0:0 MAIL=/var/mail/root PATH=/Users/snap/.local/bin:/usr/local/bin:/System/Cryptexes/App/usr/bin:/usr/bin:/bin:/usr/sbin:/sbin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/local/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/appleinternal/bin:/opt/homebrew/bin:/Applications/iTerm.app/Contents/Resources/utilities PWD=/Users/snap/Downloads LANG=en_US.UTF-8 SHLVL=1 SUDO_COMMAND=/usr/bin/su HOME=/var/root COLORFGBG=15;0 LC_TERMINAL_VERSION=3.6.6 LOGNAME=root SUDO_GID=20 LC_TERMINAL=iTerm2 COLORTERM=truecolor _=/usr/bin/xattr OLDPWD=/Users/snap ","env_count":"22","euid":"0","event_type":"exec","exit_code":"","gid":"0","global_seq_num":"5084","original_parent":"40024","parent":"40024","parent_pidversion":"105354","path":"/usr/bin/xattr","pid":"40191","pidversion":"105801","platform_binary":"1","responsible_pid":"29792","responsible_pidversion":"83076","seq_num":"2011","session_id":"38273","signing_id":"com.apple.xattr","team_id":"","time":"1770995539","uid":"0","username":"root","version":"8"},"action":"added"}
{"name":"es_process_events","hostIdentifier":"MacBookPro","calendarTime":"Fri Feb 13 15:12:16 2026 UTC","unixTime":1770995536,"epoch":0,"counter":179,"numerics":false,"columns":{"cdhash":"e97159f6754d6fb971bd64968a3593a3779dff2d","child_pid":"","cmdline":"","cmdline_count":"0","codesigning_flags":"","cwd":"","egid":"0","env":"","env_count":"0","euid":"0","event_type":"exit","exit_code":"256","gid":"0","global_seq_num":"5078","original_parent":"40024","parent":"40024","parent_pidversion":"105354","path":"/usr/bin/xattr","pid":"40189","pidversion":"105796","platform_binary":"1","responsible_pid":"29792","responsible_pidversion":"83076","seq_num":"1526","session_id":"38273","signing_id":"com.apple.xattr","team_id":"","time":"1770995527","uid":"0","username":"root","version":"8"},"action":"added"}
{"name":"es_process_events","hostIdentifier":"MacBookPro","calendarTime":"Fri Feb 13 15:12:16 2026 UTC","unixTime":1770995536,"epoch":0,"counter":179,"numerics":false,"columns":{"cdhash":"e97159f6754d6fb971bd64968a3593a3779dff2d","child_pid":"","cmdline":"xattr -d com.apple.quarantine ","cmdline_count":"3","codesigning_flags":"","cwd":"/Users/snap","egid":"0","env":"SHELL=/bin/sh TERM=xterm-256color USER=root SUDO_USER=snap SUDO_UID=501 SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.614sLX07yb/Listeners __CF_USER_TEXT_ENCODING=0x0:0:0 MAIL=/var/mail/root PATH=/Users/snap/.local/bin:/usr/local/bin:/System/Cryptexes/App/usr/bin:/usr/bin:/bin:/usr/sbin:/sbin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/local/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/appleinternal/bin:/opt/homebrew/bin:/Applications/iTerm.app/Contents/Resources/utilities PWD=/Users/snap LANG=en_US.UTF-8 SHLVL=1 SUDO_COMMAND=/usr/bin/su HOME=/var/root COLORFGBG=15;0 LC_TERMINAL_VERSION=3.6.6 LOGNAME=root SUDO_GID=20 LC_TERMINAL=iTerm2 COLORTERM=truecolor _=/usr/bin/xattr ","env_count":"21","euid":"0","event_type":"exec","exit_code":"","gid":"0","global_seq_num":"5077","original_parent":"40024","parent":"40024","parent_pidversion":"105354","path":"/usr/bin/xattr","pid":"40189","pidversion":"105796","platform_binary":"1","responsible_pid":"29792","responsible_pidversion":"83076","seq_num":"2008","session_id":"38273","signing_id":"com.apple.xattr","team_id":"","time":"1770995527","uid":"0","username":"root","version":"8"},"action":"added"}