File: santa.log

plaso 20241006-3
[2018-08-19T03:09:13.120Z] I santad: action=DISKAPPEAR|mount=|volume=EFI|bsdname=disk0s1|fs=msdos|model=APPLE SSD SM0512G|serial=S29ANYAF566602|bus=PCI|dmgpath=|appearance=2018-08-19T03:09:08.429Z
[2018-08-19T03:09:13.120Z] I santad: action=DISKAPPEAR|mount=/|volume=HDD|bsdname=disk1s1|fs=apfs|model=APPLE SSD SM0512G|serial=S29ANYAF566602|bus=PCI|dmgpath=|appearance=2018-08-19T03:09:08.425Z
[2018-08-19T03:09:13.121Z] I santad: action=DISKAPPEAR|mount=|volume=Preboot|bsdname=disk1s2|fs=apfs|model=APPLE SSD SM0512G|serial=S29ANYAF566602|bus=PCI|dmgpath=|appearance=2018-08-19T03:09:08.423Z
[2018-08-19T03:09:13.121Z] I santad: action=DISKAPPEAR|mount=/Volumes/Recovery|volume=Recovery|bsdname=disk1s3|fs=apfs|model=APPLE SSD SM0512G|serial=S29ANYAF566602|bus=PCI|dmgpath=|appearance=2018-08-19T03:09:08.421Z
[2018-08-19T03:09:13.121Z] I santad: action=DISKAPPEAR|mount=/private/var/vm|volume=VM|bsdname=disk1s4|fs=apfs|model=APPLE SSD SM0512G|serial=S29ANYAF566602|bus=PCI|dmgpath=|appearance=2018-08-19T03:09:08.420Z
[2018-08-19T03:09:13.592Z] I santad: action=DISKAPPEAR|mount=/net|volume=|bsdname=|fs=autofs|model=|serial=(null)|bus=|dmgpath=|appearance=2001-01-01T00:00:00.000Z
[2018-08-19T03:09:13.593Z] I santad: action=DISKAPPEAR|mount=/home|volume=|bsdname=|fs=autofs|model=|serial=(null)|bus=|dmgpath=|appearance=2001-01-01T00:00:00.000Z
[2018-08-19T03:10:45.966Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=df9066f055c53cf3cf8d989bb4ada04aeeac48857bbe33a1d6044c469f593795|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=479|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M|path=/usr/libexec/xpcproxy|args=/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History
[2018-08-19T03:10:45.966Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=5aa70ae66deabb8da26ce3528b5bc7243524ee78722d8ae0725aca5642346293|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=479|ppid=1|uid=501|user=qwerty|gid=20|group=staff|mode=M|path=/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History|args=/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History
[2018-08-19T03:10:49.689Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=df9066f055c53cf3cf8d989bb4ada04aeeac48857bbe33a1d6044c469f593795|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=485|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M|path=/usr/libexec/xpcproxy|args=xpcproxy com.apple.SafariBookmarksSyncAgent
[2018-08-19T03:10:49.712Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=1b8be58a5aaac3eb9a719a7f5369b1ddd45d7f156c7ffc6fc103b3ce8c0f4883|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=485|ppid=1|uid=501|user=qwerty|gid=20|group=staff|mode=M|path=/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariBookmarksSyncAgent|args=/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariBookmarksSyncAgent
[2018-08-19T03:11:34.715Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=df9066f055c53cf3cf8d989bb4ada04aeeac48857bbe33a1d6044c469f593795|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=498|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M|path=/usr/libexec/xpcproxy|args=xpcproxy com.apple.SafariCloudHistoryPushAgent
[2018-08-19T03:11:35.102Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=a1cecd43ad5820a9c6b0f60f1854723a2345d1030c8e78215cab1a9b99a9e313|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=498|ppid=1|uid=501|user=qwerty|gid=20|group=staff|mode=M|path=/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariCloudHistoryPushAgent|args=/usr/libexec/SafariCloudHistoryPushAgent
[2018-08-19T03:11:35.103Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=a2c60ba0369d80bbaf60096f427a63504c2d76fe7cceaa2b1e02861ecc5388c4|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=503|ppid=1|uid=501|user=qwerty|gid=20|group=staff|mode=M|path=/System/Library/PrivateFrameworks/BookmarkDAV.framework/Versions/A/Helpers/SafariDAVClient|args=/System/Library/PrivateFrameworks/BookmarkDAV.framework/Helpers/SafariDAVClient
[2018-08-19T03:13:12.241Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=9b9fe13daf0a4c035db43e3c5717e7ed89f3c5583d3b36fd40313f639a68bfad|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=511|ppid=59|uid=0|user=root|gid=0|group=wheel|mode=M|path=/sbin/mount|args=/sbin/mount -t msdos -o perm -o nobrowse /dev/disk0s1 /Volumes/firmwaresyncd.YRR2d9
[2018-08-19T03:13:12.253Z] *** LOG MESSAGE QUOTA EXCEEDED - SOME MESSAGES FROM THIS PROCESS HAVE BEEN DISCARDED ***
[2018-08-19T03:13:13.026Z] I santad: action=DISKAPPEAR|mount=/Volumes/firmwaresyncd.YRR2d9|volume=EFI|bsdname=disk0s1|fs=msdos|model=APPLE SSD SM0512G|serial=S29ANYAF566602|bus=PCI|dmgpath=|appearance=2018-08-19T03:09:08.429Z
[2018-08-19T03:13:13.314Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=e251c63f8206cabdb6575f202d570e0a4ff942f2f17329afcbd73766fc459cb2|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=517|ppid=59|uid=0|user=root|gid=0|group=wheel|mode=M|path=/sbin/umount|args=/sbin/umount /Volumes/firmwaresyncd.YRR2d9
[2018-08-19T03:15:34.539Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=df9066f055c53cf3cf8d989bb4ada04aeeac48857bbe33a1d6044c469f593795|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=521|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M|path=/usr/libexec/xpcproxy|args=xpcproxy com.apple.Safari.6412
[2018-08-19T03:15:34.564Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=63702da10eaa1fb58c9310a5861f4ff5ae6707bb499552b3e0dfaf9c9a9b0ba0|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=521|ppid=1|uid=501|user=qwerty|gid=20|group=staff|mode=M|path=/Applications/Safari.app/Contents/MacOS/Safari|args=/Applications/Safari.app/Contents/MacOS/Safari
[2018-08-19T03:15:36.097Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=df9066f055c53cf3cf8d989bb4ada04aeeac48857bbe33a1d6044c469f593795|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=523|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M|path=/usr/libexec/xpcproxy|args=/System/Library/PrivateFrameworks/BookmarkDAV.framework/Helpers/SafariDAVClient
[2018-08-19T03:15:36.147Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=a2c60ba0369d80bbaf60096f427a63504c2d76fe7cceaa2b1e02861ecc5388c4|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=523|ppid=1|uid=501|user=qwerty|gid=20|group=staff|mode=M|path=/System/Library/PrivateFrameworks/BookmarkDAV.framework/Versions/A/Helpers/SafariDAVClient|args=/System/Library/PrivateFrameworks/BookmarkDAV.framework/Helpers/SafariDAVClient
[2018-08-19T03:15:38.317Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=df9066f055c53cf3cf8d989bb4ada04aeeac48857bbe33a1d6044c469f593795|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=526|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M|path=/usr/libexec/xpcproxy|args=xpcproxy com.apple.Safari.SearchHelper 521
[2018-08-19T03:15:38.331Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=fb2e53b200fa2fb34a85142cf80275932f286e3e34dfd5407954e00afe951864|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=526|ppid=1|uid=501|user=qwerty|gid=20|group=staff|mode=M|path=/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.SearchHelper.xpc/Contents/MacOS/com.apple.Safari.SearchHelper|args=/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.SearchHelper.xpc/Contents/MacOS/com.apple.Safari.SearchHelper
[2018-08-19T03:15:38.773Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=df9066f055c53cf3cf8d989bb4ada04aeeac48857bbe33a1d6044c469f593795|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=528|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M|path=/usr/libexec/xpcproxy|args=xpcproxy com.apple.Safari.SafeBrowsing.Service
[2018-08-19T03:15:38.799Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=ffb9a2d55c6676e0fd8e58814835a49f3208ff3555e16ea091edcd9f5c1dcad6|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=528|ppid=1|uid=501|user=qwerty|gid=20|group=staff|mode=M|path=/System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/Versions/A/com.apple.Safari.SafeBrowsing.Service|args=/System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari.SafeBrowsing.Service
[2018-08-19T03:15:40.099Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=df9066f055c53cf3cf8d989bb4ada04aeeac48857bbe33a1d6044c469f593795|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=530|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M|path=/usr/libexec/xpcproxy|args=xpcproxy com.apple.Safari.ImageDecoder 521
[2018-08-19T03:15:40.113Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=d239e2f20634fb71190b1957c4786d9ab45f68fb6117c36fae8a6acdb1eb678a|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=530|ppid=1|uid=501|user=qwerty|gid=20|group=staff|mode=M|path=/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.ImageDecoder.xpc/Contents/MacOS/com.apple.Safari.ImageDecoder|args=/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.ImageDecoder.xpc/Contents/MacOS/com.apple.Safari.ImageDecoder
[2018-08-19T03:17:29.036Z] I santad: action=DISKAPPEAR|mount=|volume=Skype|bsdname=disk2s1|fs=hfs|model=Apple Disk Image|serial=|bus=Virtual Interface|dmgpath=/Users/qwerty/Downloads/Skype-8.28.0.41.dmg|appearance=2018-08-19T03:17:28.982Z
[2018-08-19T03:17:30.072Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=9b9fe13daf0a4c035db43e3c5717e7ed89f3c5583d3b36fd40313f639a68bfad|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=561|ppid=65|uid=501|user=qwerty|gid=20|group=staff|mode=M|path=/sbin/mount|args=/sbin/mount -t hfs -o -u=501,-g=20,-m=755,nodev,noowners,nosuid,rdonly,quarantine /dev/disk2s1 /Volumes/Skype
[2018-08-19T03:17:30.083Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=5991c299f5225d1de743750dc01e370f936b917946629ead2fef05ac9da0da35|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=562|ppid=561|uid=501|user=qwerty|gid=20|group=staff|mode=M|path=/System/Library/Filesystems/hfs.fs/Contents/Resources/mount_hfs|args=/sbin/mount_hfs -u 501 -g 20 -m 755 -o nodev -o noowners -o nosuid -o rdonly -o quarantine /dev/disk2s1 /Volumes/Skype
[2018-08-19T03:17:30.096Z] I santad: action=DISKAPPEAR|mount=/Volumes/Skype|volume=Skype|bsdname=disk2s1|fs=hfs|model=Apple Disk Image|serial=|bus=Virtual Interface|dmgpath=/Users/qwerty/Downloads/Skype-8.28.0.41.dmg|appearance=2018-08-19T03:17:28.983Z
[2018-08-19T03:17:30.096Z] I santad: action=DISKAPPEAR|mount=/Volumes/Skype|volume=Skype|bsdname=disk2s1|fs=hfs|model=Apple Disk Image|serial=|bus=Virtual Interface|dmgpath=/Users/qwerty/Downloads/Skype-8.28.0.41.dmg|appearance=2018-08-19T03:17:28.983Z
[2018-08-19T03:17:37.453Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=df9066f055c53cf3cf8d989bb4ada04aeeac48857bbe33a1d6044c469f593795|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=577|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M|path=/usr/libexec/xpcproxy|args=/Applications/Safari.app/Contents/PlugIns/CacheDeleteExtension.appex/Contents/MacOS/CacheDeleteExtension
[2018-08-19T03:17:37.453Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=cb92aa42f592d6df4e28db0bb8d7b61208df5e82ac294aab7002df0119d6165d|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=577|ppid=1|uid=501|user=qwerty|gid=20|group=staff|mode=M|path=/Applications/Safari.app/Contents/PlugIns/CacheDeleteExtension.appex/Contents/MacOS/CacheDeleteExtension|args=/Applications/Safari.app/Contents/PlugIns/CacheDeleteExtension.appex/Contents/MacOS/CacheDeleteExtension
[2018-08-19T03:17:55.716Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=df9066f055c53cf3cf8d989bb4ada04aeeac48857bbe33a1d6044c469f593795|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=580|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M|path=/usr/libexec/xpcproxy|args=xpcproxy com.apple.xpc.launchd.oneshot.0x10000008.Skype
[2018-08-19T03:17:55.765Z] I santad: action=EXEC|decision=ALLOW|reason=UNKNOWN|sha256=78b43a13b5b608fe1a5a590f5f3ff112ff16ece7befc29fc84347125f6b9ca78|cert_sha256=7317bc733242e9ae1e6c753ee8e41e9d384401ee498e2e9d2061b60b760387da|cert_cn=Developer ID Application: Skype Communications S.a.r.l (AL798K98FX)|quarantine_url=https://endpoint920510.azureedge.net/s4l/s4l/download/mac/Skype-8.28.0.41.dmg|pid=580|ppid=1|uid=501|user=qwerty|gid=20|group=staff|mode=M|path=/Applications/Skype.app/Contents/MacOS/Skype|args=/Applications/Skype.app/Contents/MacOS/Skype -psn_0_204850
[2018-08-19T03:18:07.095Z] I santad: action=EXEC|decision=ALLOW|reason=UNKNOWN|sha256=fc1b441c8cb5123a8a03ae273581b6db928d1c2bf674ce5526f2c8122ffbdd02|cert_sha256=7317bc733242e9ae1e6c753ee8e41e9d384401ee498e2e9d2061b60b760387da|cert_cn=Developer ID Application: Skype Communications S.a.r.l (AL798K98FX)|pid=584|ppid=580|uid=501|user=qwerty|gid=20|group=staff|mode=M|path=/Applications/Skype.app/Contents/Frameworks/Skype Helper.app/Contents/MacOS/Skype Helper|args=/Applications/Skype.app/Contents/Frameworks/Skype Helper.app/Contents/MacOS/Skype Helper --type=gpu-process --no-sandbox --supports-dual-gpus=false --gpu-driver-bug-workarounds=0,1,5,12,27,30,43,47,56,62,70,73,74,75,76,83,84,86,94,95,96,100,103 --disable-gl-extensions=GL_KHR_blend_equation_advanced GL_KHR_blend_equation_advanced_coherent --gpu-vendor-id=0x8086 --gpu-device-id=0x162b --gpu-driver-vendor --gpu-driver-version --gpu-driver-date --gpu-active-vendor-id=0x8086 --gpu-active-device-id=0x162b --service-request-channel-token=EDF300B7EF848D716E8ED58D94703C16
[2018-08-19T03:18:07.161Z] I santad: action=EXEC|decision=ALLOW|reason=UNKNOWN|sha256=fc1b441c8cb5123a8a03ae273581b6db928d1c2bf674ce5526f2c8122ffbdd02|cert_sha256=7317bc733242e9ae1e6c753ee8e41e9d384401ee498e2e9d2061b60b760387da|cert_cn=Developer ID Application: Skype Communications S.a.r.l (AL798K98FX)|pid=585|ppid=580|uid=501|user=qwerty|gid=20|group=staff|mode=M|path=/Applications/Skype.app/Contents/Frameworks/Skype Helper.app/Contents/MacOS/Skype Helper|args=/Applications/Skype.app/Contents/Frameworks/Skype Helper.app/Contents/MacOS/Skype Helper --type=renderer --ms-disable-indexeddb-transaction-timeout --no-sandbox --service-pipe-token=B0DD12AAFF740785FBABE88B1C878442 --lang=en-US --app-path=/Applications/Skype.app/Contents/Resources/app.asar --node-integration=false --webview-tag=true --no-sandbox --preload=/Applications/Skype.app/Contents/Resources/app.asar/Preload.js --context-id=2 --enable-pinch --num-raster-threads=2 --enable-zero-copy --enable-gpu-memory-buffer-compositor-resources --enable-main-frame-before-activation --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,34037;0,12,34037;0,13,34037;0,14,3553;0,15,3553;0,16,3553;0,17,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,34037;1,12,34037;1,13,34037;1,14,3553;1,15,3553;1,16,3553;1,17,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,34037;2,12,34037;2,13,34037;2,14,3553;2,15,3553;2,16,3553;2,17,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,34037;3,6,3553;3,7,34037;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,34037;3,14,34037;3,15,3553;3,16,34037;3,17,34037;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,34037;4,6,3553;4,7,34037;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,34037;4,14,34037;4,15,3553;4,16,34037;4,17,34037 --enable-gpu-async-worker-context 
--service-request-channel-token=B0DD12AAFF740785FBABE88B1C878442 --renderer-client-id=4
[2018-08-19T03:19:19.232Z] I santad: action=DISKAPPEAR|mount=|volume=EFI|bsdname=disk3s1|fs=msdos|model=Verbatim Store n Go Drive|serial=TTQA1DST2UEXNF8D|bus=USB|dmgpath=|appearance=2018-08-19T03:19:19.198Z
[2018-08-19T03:19:19.286Z] I santad: action=DISKAPPEAR|mount=|volume=Untitled|bsdname=disk3s2|fs=exfat|model=Verbatim Store n Go Drive|serial=TTQA1DST2UEXNF8D|bus=USB|dmgpath=|appearance=2018-08-19T03:19:19.197Z
[2018-08-19T03:19:19.292Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=9b9fe13daf0a4c035db43e3c5717e7ed89f3c5583d3b36fd40313f639a68bfad|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=614|ppid=65|uid=0|user=root|gid=0|group=wheel|mode=M|path=/sbin/mount|args=/sbin/mount -t exfat -o nodev,noowners,nosuid /dev/disk3s2 /Volumes/Untitled
[2018-08-19T03:19:19.303Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=b921e73345fbc9f991f01a25c3f27c2e80e5b97d5da6dd69cfdb67a0b1d2cec2|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=615|ppid=614|uid=0|user=root|gid=0|group=wheel|mode=M|path=/System/Library/Filesystems/exfat.fs/Contents/Resources/mount_exfat|args=/sbin/mount_exfat -o nodev -o noowners -o nosuid /dev/disk3s2 /Volumes/Untitled
[2018-08-19T03:19:19.459Z] I santad: action=DISKAPPEAR|mount=/Volumes/Untitled|volume=Untitled|bsdname=disk3s2|fs=exfat|model=Verbatim Store n Go Drive|serial=TTQA1DST2UEXNF8D|bus=USB|dmgpath=|appearance=2018-08-19T03:19:19.197Z
[2018-08-19T03:21:37.493Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=df9066f055c53cf3cf8d989bb4ada04aeeac48857bbe33a1d6044c469f593795|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=642|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M|path=/usr/libexec/xpcproxy|args=/Applications/Safari.app/Contents/PlugIns/CacheDeleteExtension.appex/Contents/MacOS/CacheDeleteExtension
[2018-08-19T03:21:37.493Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=cb92aa42f592d6df4e28db0bb8d7b61208df5e82ac294aab7002df0119d6165d|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=642|ppid=1|uid=501|user=qwerty|gid=20|group=staff|mode=M|path=/Applications/Safari.app/Contents/PlugIns/CacheDeleteExtension.appex/Contents/MacOS/CacheDeleteExtension|args=/Applications/Safari.app/Contents/PlugIns/CacheDeleteExtension.appex/Contents/MacOS/CacheDeleteExtension
[2018-08-19T03:22:02.490Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=5abf61c361e5ef91582e70634dfbf2214fbdb6f29c949160b69f27ae947d919d|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=644|ppid=356|uid=501|user=qwerty|gid=20|group=staff|mode=M|path=/bin/ls|args=ls /Volumes/Untitled/
[2018-08-19T03:22:44.207Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=cca2d4d8440d2e66e98fae7bf2890d177063463eaa0186d184434343fd2966de|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=646|ppid=356|uid=501|user=qwerty|gid=20|group=staff|mode=M|path=/bin/mv|args=mv /Volumes/Untitled/santa.cfg /Volumes/Untitled/santa.cfg.old
[2018-08-19T03:23:59.923Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=e251c63f8206cabdb6575f202d570e0a4ff942f2f17329afcbd73766fc459cb2|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=652|ppid=65|uid=0|user=root|gid=0|group=wheel|mode=M|path=/sbin/umount|args=/sbin/umount /Volumes/Untitled
[2018-08-19T03:24:00.078Z] I santad: action=DISKDISAPPEAR|mount=|volume=Untitled|bsdname=disk3s2
[2018-08-19T03:24:00.079Z] I santad: action=DISKDISAPPEAR|mount=|volume=EFI|bsdname=disk3s1
[2018-08-19T03:24:05.575Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=e251c63f8206cabdb6575f202d570e0a4ff942f2f17329afcbd73766fc459cb2|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=658|ppid=65|uid=0|user=root|gid=0|group=wheel|mode=M|path=/sbin/umount|args=/sbin/umount /Volumes/Skype
[2018-08-19T03:24:05.615Z] I santad: action=DISKDISAPPEAR|mount=|volume=Skype|bsdname=disk2s1
[2018-08-19T03:46:23.197Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=56dcb194a7ed9ed930bbdec0982e84aaec8cbf659a2a3df68138bf6bfdf53f0d|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=745|ppid=356|uid=501|user=qwerty|gid=20|group=staff|mode=M|path=/usr/bin/grep|args=grep WRITE santa.log
[2018-08-19T03:53:26.747Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=56dcb194a7ed9ed930bbdec0982e84aaec8cbf659a2a3df68138bf6bfdf53f0d|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=759|ppid=356|uid=501|user=qwerty|gid=20|group=staff|mode=M|path=/usr/bin/grep|args=grep WRITE /var/db/santa/santa.log
[2018-08-19T03:59:30.147Z] I santad: action=WRITE|path=/Users/qwerty/Library/Application Support/Google/Chrome/Profile 1/.com.google.Chrome.uesjS2|pid=294|ppid=1|process=Google Chrome|processpath=/Applications/Google Chrome.app/Contents/MacOS/Google Chrome|uid=501|user=qwerty|gid=20|group=staff
[2018-08-19T03:59:30.148Z] I santad: action=RENAME|path=/Users/qwerty/Library/Application Support/Google/Chrome/Profile 1/.com.google.Chrome.uesjS2|newpath=/Users/qwerty/Library/Application Support/Google/Chrome/Profile 1/TransportSecurity|pid=294|ppid=1|process=Google Chrome|processpath=/Applications/Google Chrome.app/Contents/MacOS/Google Chrome|uid=501|user=qwerty|gid=20|group=staff
[2018-08-19T03:59:30.729Z] I santad: action=DELETE|path=/Users/qwerty/.test.swpx|pid=786|ppid=356|process=vim|processpath=/usr/bin/vim|uid=501|user=qwerty|gid=20|group=staff
[2018-08-19T03:59:30.729Z] I santad: action=DELETE|path=/Users/qwerty/.test.swp|pid=786|ppid=356|process=vim|processpath=/usr/bin/vim|uid=501|user=qwerty|gid=20|group=staff
[2018-08-19T03:59:30.738Z] I santad: action=WRITE|path=/Users/qwerty/Library/Application Support/Google/Chrome/Profile 1/TransportSecurity|pid=62|ppid=1|process=mds|processpath=/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds|uid=0|user=root|gid=0|group=wheel
[2018-08-19T04:01:27.259Z] I santad: action=WRITE|path=/private/var/log/wifi.log|pid=482|ppid=1|process=Console|processpath=/Applications/Utilities/Console.app/Contents/MacOS/Console|uid=501|user=qwerty|gid=20|group=staff
[2018-08-19T04:01:43.161Z] I santad: action=RENAME|path=/private/var/db/fud/com.apple.ApplePowerAccessoryUpdater/com.apple.ApplePowerAccessory/.dat.nosync0316.AMKcva|newpath=/private/var/db/fud/com.apple.ApplePowerAccessoryUpdater/com.apple.ApplePowerAccessory/pluginstate|pid=790|ppid=1|process=fud|processpath=(null)|uid=0|user=root|gid=0|group=wheel
[2018-08-19T04:01:45.677Z] I santad: action=WRITE|path=/Users/qwerty/Library/Preferences/com.apple.systemuiserver.plist.oQjT1bn|pid=282|ppid=1|process=cfprefsd|processpath=/usr/sbin/cfprefsd|uid=501|user=qwerty|gid=20|group=staff
[2018-08-19T04:01:45.678Z] I santad: action=WRITE|path=/Users/qwerty/Library/Preferences/com.apple.xpc.activity2.plist.Qn4IMEv|pid=282|ppid=1|process=cfprefsd|processpath=/usr/sbin/cfprefsd|uid=501|user=qwerty|gid=20|group=staff
[2018-08-19T04:01:45.679Z] I santad: action=RENAME|path=/Users/qwerty/Library/Preferences/com.apple.systemuiserver.plist.oQjT1bn|newpath=/Users/qwerty/Library/Preferences/com.apple.systemuiserver.plist|pid=282|ppid=1|process=cfprefsd|processpath=/usr/sbin/cfprefsd|uid=501|user=qwerty|gid=20|group=staff
[2018-08-19T04:01:45.680Z] I santad: action=RENAME|path=/Users/qwerty/Library/Preferences/com.apple.xpc.activity2.plist.Qn4IMEv|newpath=/Users/qwerty/Library/Preferences/com.apple.xpc.activity2.plist|pid=282|ppid=1|process=cfprefsd|processpath=/usr/sbin/cfprefsd|uid=501|user=qwerty|gid=20|group=staff
[2018-08-19T04:01:48.441Z] I santad: action=WRITE|path=/Users/qwerty/Library/Application Support/Google/Chrome/Profile 1/QuotaManager-journal|pid=294|ppid=1|process=Google Chrome|processpath=/Applications/Google Chrome.app/Contents/MacOS/Google Chrome|uid=501|user=qwerty|gid=20|group=staff
[2018-08-19T04:01:49.850Z] I santad: action=WRITE|path=/Users/qwerty/Library/Application Support/Google/Chrome/Profile 1/.com.google.Chrome.4XcGH4|pid=294|ppid=1|process=Google Chrome|processpath=/Applications/Google Chrome.app/Contents/MacOS/Google Chrome|uid=501|user=qwerty|gid=20|group=staff
[2018-08-19T04:01:49.851Z] I santad: action=RENAME|path=/Users/qwerty/Library/Application Support/Google/Chrome/Profile 1/.com.google.Chrome.4XcGH4|newpath=/Users/qwerty/Library/Application Support/Google/Chrome/Profile 1/TransportSecurity|pid=294|ppid=1|process=Google Chrome|processpath=/Applications/Google Chrome.app/Contents/MacOS/Google Chrome|uid=501|user=qwerty|gid=20|group=staff
[2018-08-19T04:01:50.863Z] I santad: action=WRITE|path=/Users/qwerty/Library/Application Support/Google/Chrome/Profile 1/TransportSecurity|pid=62|ppid=1|process=mds|processpath=/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds|uid=0|user=root|gid=0|group=wheel
[2018-08-19T04:01:55.458Z] I santad: action=WRITE|path=/Users/qwerty/Library/Application Support/Google/Chrome/Profile 1/Cookies-journal|pid=294|ppid=1|process=Google Chrome|processpath=/Applications/Google Chrome.app/Contents/MacOS/Google Chrome|uid=501|user=qwerty|gid=20|group=staff
[2018-08-19T04:01:55.678Z] I santad: action=WRITE|path=/Users/qwerty/Library/Preferences/com.apple.systemuiserver.plist.EF12ifk|pid=282|ppid=1|process=cfprefsd|processpath=/usr/sbin/cfprefsd|uid=501|user=qwerty|gid=20|group=staff
[2018-08-19T04:01:55.679Z] I santad: action=RENAME|path=/Users/qwerty/Library/Preferences/com.apple.systemuiserver.plist.EF12ifk|newpath=/Users/qwerty/Library/Preferences/com.apple.systemuiserver.plist|pid=282|ppid=1|process=cfprefsd|processpath=/usr/sbin/cfprefsd|uid=501|user=qwerty|gid=20|group=staff
[2018-08-19T04:01:56.692Z] I santad: action=WRITE|path=/Users/qwerty/Library/Application Support/Google/Chrome/Profile 1/Cookies-journal|pid=62|ppid=1|process=mds|processpath=/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds|uid=0|user=root|gid=0|group=wheel
[2018-08-19T04:02:08.068Z] I santad: action=RENAME|path=/private/var/db/fud/com.apple.ApplePowerAccessoryUpdater/com.apple.ApplePowerAccessory/.dat.nosync0319.f6vZul|newpath=/private/var/db/fud/com.apple.ApplePowerAccessoryUpdater/com.apple.ApplePowerAccessory/pluginstate|pid=793|ppid=1|process=fud|processpath=/System/Library/PrivateFrameworks/MobileAccessoryUpdater.framework/Support/fud|uid=0|user=root|gid=0|group=wheel
[2018-08-19T04:02:10.221Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=56dcb194a7ed9ed930bbdec0982e84aaec8cbf659a2a3df68138bf6bfdf53f0d|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=794|ppid=356|uid=501|user=qwerty|gid=20|group=staff|mode=M|path=/usr/bin/grep|args=grep WRITE /var/db/santa/santa.log
[2018-08-19T04:02:13.087Z] I santad: action=RENAME|path=/private/var/db/fud/com.apple.ApplePowerAccessoryUpdater/com.apple.ApplePowerAccessory/.dat.nosync0319.bQPDO2|newpath=/private/var/db/fud/com.apple.ApplePowerAccessoryUpdater/com.apple.ApplePowerAccessory/pluginstate|pid=793|ppid=1|process=fud|processpath=/System/Library/PrivateFrameworks/MobileAccessoryUpdater.framework/Support/fud|uid=0|user=root|gid=0|group=wheel
[2018-08-19T04:02:16.583Z] I santad: action=WRITE|path=/Users/qwerty/Library/Application Support/Google/Chrome/.com.google.Chrome.3a7Y0a|pid=294|ppid=1|process=Google Chrome|processpath=/Applications/Google Chrome.app/Contents/MacOS/Google Chrome|uid=501|user=qwerty|gid=20|group=staff
[2018-08-19T04:02:16.585Z] I santad: action=RENAME|path=/Users/qwerty/Library/Application Support/Google/Chrome/.com.google.Chrome.3a7Y0a|newpath=/Users/qwerty/Library/Application Support/Google/Chrome/Local State|pid=294|ppid=1|process=Google Chrome|processpath=/Applications/Google Chrome.app/Contents/MacOS/Google Chrome|uid=501|user=qwerty|gid=20|group=staff
[2018-08-19T04:02:16.622Z] I santad: action=WRITE|path=/Users/qwerty/Library/Application Support/Google/Chrome/Profile 1/Service Worker/ScriptCache/eecb6eab472b16f5_0|pid=294|ppid=1|process=Google Chrome|processpath=/Applications/Google Chrome.app/Contents/MacOS/Google Chrome|uid=501|user=qwerty|gid=20|group=staff
[2018-08-19T04:02:16.622Z] I santad: action=WRITE|path=/Users/qwerty/Library/Application Support/Google/Chrome/Profile 1/Service Worker/ScriptCache/eecb6eab472b16f5_1|pid=294|ppid=1|process=Google Chrome|processpath=/Applications/Google Chrome.app/Contents/MacOS/Google Chrome|uid=501|user=qwerty|gid=20|group=staff
[2018-08-19T04:02:17.596Z] I santad: action=WRITE|path=/Users/qwerty/Library/Application Support/Google/Chrome/Local State|pid=62|ppid=1|process=mds|processpath=/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds|uid=0|user=root|gid=0|group=wheel
[2018-08-19T04:02:19.456Z] I santad: action=WRITE|path=/Users/qwerty/Library/Application Support/Google/Chrome/Profile 1/QuotaManager-journal|pid=62|ppid=1|process=mds|processpath=/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds|uid=0|user=root|gid=0|group=wheel
[2018-08-19T04:02:20.191Z] I santad: action=WRITE|path=/Users/qwerty/Library/Application Support/Google/Chrome/Profile 1/.com.google.Chrome.LqWk06|pid=294|ppid=1|process=Google Chrome|processpath=/Applications/Google Chrome.app/Contents/MacOS/Google Chrome|uid=501|user=qwerty|gid=20|group=staff
[2018-08-19T04:02:20.192Z] I santad: action=RENAME|path=/Users/qwerty/Library/Application Support/Google/Chrome/Profile 1/.com.google.Chrome.LqWk06|newpath=/Users/qwerty/Library/Application Support/Google/Chrome/Profile 1/Network Persistent State|pid=294|ppid=1|process=Google Chrome|processpath=/Applications/Google Chrome.app/Contents/MacOS/Google Chrome|uid=501|user=qwerty|gid=20|group=staff
[2018-08-19T04:02:21.204Z] I santad: action=WRITE|path=/Users/qwerty/Library/Application Support/Google/Chrome/Profile 1/Network Persistent State|pid=62|ppid=1|process=mds|processpath=/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds|uid=0|user=root|gid=0|group=wheel
[2018-08-19T04:02:22.871Z] I santad: action=WRITE|path=/Users/qwerty/Library/Preferences/com.apple.GEO.plist.emlPMq3|pid=282|ppid=1|process=cfprefsd|processpath=/usr/sbin/cfprefsd|uid=501|user=qwerty|gid=20|group=staff
[2018-08-19T04:02:22.874Z] I santad: action=RENAME|path=/Users/qwerty/Library/Preferences/com.apple.GEO.plist.emlPMq3|newpath=/Users/qwerty/Library/Preferences/com.apple.GEO.plist|pid=282|ppid=1|process=cfprefsd|processpath=/usr/sbin/cfprefsd|uid=501|user=qwerty|gid=20|group=staff
[2018-08-19T04:02:22.874Z] I santad: action=WRITE|path=/Users/qwerty/Library/Preferences/com.apple.xpc.activity2.plist.MCN248R|pid=282|ppid=1|process=cfprefsd|processpath=/usr/sbin/cfprefsd|uid=501|user=qwerty|gid=20|group=staff
[2018-08-19T04:02:22.875Z] I santad: action=RENAME|path=/Users/qwerty/Library/Preferences/com.apple.xpc.activity2.plist.MCN248R|newpath=/Users/qwerty/Library/Preferences/com.apple.xpc.activity2.plist|pid=282|ppid=1|process=cfprefsd|processpath=/usr/sbin/cfprefsd|uid=501|user=qwerty|gid=20|group=staff
[2018-08-19T04:02:25.678Z] I santad: action=WRITE|path=/Users/qwerty/Library/Preferences/com.apple.GEO.plist.mZVpNKU|pid=282|ppid=1|process=cfprefsd|processpath=/usr/sbin/cfprefsd|uid=501|user=qwerty|gid=20|group=staff
[2018-08-19T04:02:25.679Z] I santad: action=WRITE|path=/Users/qwerty/Library/Preferences/com.apple.xpc.activity2.plist.WhVOO5q|pid=282|ppid=1|process=cfprefsd|processpath=/usr/sbin/cfprefsd|uid=501|user=qwerty|gid=20|group=staff
[2018-08-19T04:02:25.680Z] I santad: action=RENAME|path=/Users/qwerty/Library/Preferences/com.apple.GEO.plist.mZVpNKU|newpath=/Users/qwerty/Library/Preferences/com.apple.GEO.plist|pid=282|ppid=1|process=cfprefsd|processpath=/usr/sbin/cfprefsd|uid=501|user=qwerty|gid=20|group=staff
[2018-08-19T04:02:25.681Z] I santad: action=RENAME|path=/Users/qwerty/Library/Preferences/com.apple.xpc.activity2.plist.WhVOO5q|newpath=/Users/qwerty/Library/Preferences/com.apple.xpc.activity2.plist|pid=282|ppid=1|process=cfprefsd|processpath=/usr/sbin/cfprefsd|uid=501|user=qwerty|gid=20|group=staff
[2018-08-19T04:02:26.008Z] I santad: action=WRITE|path=/Users/qwerty/Library/Application Support/Google/Chrome/Profile 1/.com.google.Chrome.ULR6Mh|pid=294|ppid=1|process=Google Chrome|processpath=/Applications/Google Chrome.app/Contents/MacOS/Google Chrome|uid=501|user=qwerty|gid=20|group=staff
[2018-08-19T04:02:26.009Z] I santad: action=RENAME|path=/Users/qwerty/Library/Application Support/Google/Chrome/Profile 1/.com.google.Chrome.ULR6Mh|newpath=/Users/qwerty/Library/Application Support/Google/Chrome/Profile 1/Secure Preferences|pid=294|ppid=1|process=Google Chrome|processpath=/Applications/Google Chrome.app/Contents/MacOS/Google Chrome|uid=501|user=qwerty|gid=20|group=staff
[2018-08-19T04:02:27.021Z] I santad: action=WRITE|path=/Users/qwerty/Library/Application Support/Google/Chrome/Profile 1/Secure Preferences|pid=62|ppid=1|process=mds|processpath=/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds|uid=0|user=root|gid=0|group=wheel
[2018-08-19T04:02:30.512Z] I santad: action=WRITE|path=/Users/qwerty/Library/Application Support/Google/Chrome/Profile 1/Sync Data/SyncData.sqlite3-journal|pid=294|ppid=1|process=Google Chrome|processpath=/Applications/Google Chrome.app/Contents/MacOS/Google Chrome|uid=501|user=qwerty|gid=20|group=staff
[2018-08-19T04:02:31.168Z] I santad: action=WRITE|path=/Users/qwerty/Library/Application Support/Google/Chrome/Profile 1/Cookies-journal|pid=294|ppid=1|process=Google Chrome|processpath=/Applications/Google Chrome.app/Contents/MacOS/Google Chrome|uid=501|user=qwerty|gid=20|group=staff
[2018-08-19T04:02:31.185Z] I santad: action=WRITE|path=/Users/qwerty/Library/Application Support/Google/Chrome/Profile 1/Sync Data/SyncData.sqlite3-journal|pid=62|ppid=1|process=mds|processpath=/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds|uid=0|user=root|gid=0|group=wheel
[2018-08-19T04:02:31.907Z] *** LOG MESSAGE QUOTA EXCEEDED - SOME MESSAGES FROM THIS PROCESS HAVE BEEN DISCARDED ***
[2018-08-19T04:02:32.907Z] I santad: action=WRITE|path=/Users/qwerty/Library/Application Support/Google/Chrome/Profile 1/Web Data-journal|pid=62|ppid=1|process=mds|processpath=/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds|uid=0|user=root|gid=0|group=wheel
[2018-08-19T04:02:36.636Z] I santad: action=RENAME|path=/Users/qwerty/Library/Application Support/Google/Chrome/Profile 1/Service Worker/ScriptCache/index-dir/temp-index|newpath=/Users/qwerty/Library/Application Support/Google/Chrome/Profile 1/Service Worker/ScriptCache/index-dir/the-real-index|pid=294|ppid=1|process=Google Chrome|processpath=/Applications/Google Chrome.app/Contents/MacOS/Google Chrome|uid=501|user=qwerty|gid=20|group=staff
[2018-08-19T04:02:37.626Z] I santad: action=WRITE|path=/Users/qwerty/Library/Application Support/Google/Chrome/.com.google.Chrome.3Fg0CE|pid=294|ppid=1|process=Google Chrome|processpath=/Applications/Google Chrome.app/Contents/MacOS/Google Chrome|uid=501|user=qwerty|gid=20|group=staff
[2018-08-19T04:02:37.627Z] I santad: action=RENAME|path=/Users/qwerty/Library/Application Support/Google/Chrome/.com.google.Chrome.3Fg0CE|newpath=/Users/qwerty/Library/Application Support/Google/Chrome/Local State|pid=294|ppid=1|process=Google Chrome|processpath=/Applications/Google Chrome.app/Contents/MacOS/Google Chrome|uid=501|user=qwerty|gid=20|group=staff
[2018-08-19T04:02:37.639Z] I santad: action=WRITE|path=/Users/qwerty/Library/Application Support/Google/Chrome/Profile 1/Service Worker/ScriptCache/index-dir/the-real-index|pid=62|ppid=1|process=mds|processpath=/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds|uid=0|user=root|gid=0|group=wheel
[2018-08-19T04:02:38.639Z] I santad: action=WRITE|path=/Users/qwerty/Library/Application Support/Google/Chrome/Local State|pid=62|ppid=1|process=mds|processpath=/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds|uid=0|user=root|gid=0|group=wheel
[2018-08-19T04:02:38.937Z] I santad: action=WRITE|path=/private/var/db/mds/system/mds.lock|pid=798|ppid=1|process=ocspd|processpath=/usr/sbin/ocspd|uid=0|user=root|gid=0|group=wheel
[2018-08-19T04:02:39.007Z] I santad: action=WRITE|path=/private/var/db/ConfigurationProfiles/Store/ConfigProfiles.binary|pid=800|ppid=1|process=ManagedClient|processpath=/System/Library/CoreServices/ManagedClient.app/Contents/MacOS/ManagedClient|uid=0|user=root|gid=0|group=wheel
[2018-08-19T04:02:39.014Z] I santad: action=WRITE|path=/private/var/db/ConfigurationProfiles/MDM_ComputerPrefs.plist|pid=799|ppid=1|process=mdmclient|processpath=/usr/libexec/mdmclient|uid=0|user=root|gid=0|group=wheel
[2018-08-19T04:02:39.014Z] I santad: action=WRITE|path=/private/var/db/ConfigurationProfiles/Store/ConfigProfiles.binary|pid=800|ppid=1|process=ManagedClient|processpath=/System/Library/CoreServices/ManagedClient.app/Contents/MacOS/ManagedClient|uid=0|user=root|gid=0|group=wheel
[2018-08-19T04:02:40.529Z] I santad: action=WRITE|path=/Users/qwerty/Library/Application Support/Google/Chrome/Profile 1/Sync Data/SyncData.sqlite3-journal|pid=294|ppid=1|process=Google Chrome|processpath=/Applications/Google Chrome.app/Contents/MacOS/Google Chrome|uid=501|user=qwerty|gid=20|group=staff
[2018-08-19T04:02:41.523Z] I santad: action=WRITE|path=/Users/qwerty/Library/Application Support/Google/Chrome/Profile 1/.com.google.Chrome.Qvcb4h|pid=294|ppid=1|process=Google Chrome|processpath=/Applications/Google Chrome.app/Contents/MacOS/Google Chrome|uid=501|user=qwerty|gid=20|group=staff
[2018-08-19T04:02:41.524Z] I santad: action=RENAME|path=/Users/qwerty/Library/Application Support/Google/Chrome/Profile 1/.com.google.Chrome.Qvcb4h|newpath=/Users/qwerty/Library/Application Support/Google/Chrome/Profile 1/Preferences|pid=294|ppid=1|process=Google Chrome|processpath=/Applications/Google Chrome.app/Contents/MacOS/Google Chrome|uid=501|user=qwerty|gid=20|group=staff
[2018-08-19T04:02:41.536Z] I santad: action=WRITE|path=/Users/qwerty/Library/Application Support/Google/Chrome/Profile 1/Sync Data/SyncData.sqlite3-journal|pid=62|ppid=1|process=mds|processpath=/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds|uid=0|user=root|gid=0|group=wheel
[2018-08-19T04:02:41.912Z] I santad: action=WRITE|path=/Users/qwerty/Library/Application Support/Google/Chrome/Profile 1/Preferences|pid=62|ppid=1|process=mds|processpath=/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds|uid=0|user=root|gid=0|group=wheel
[2018-08-19T04:02:41.941Z] I santad: action=DISKAPPEAR|mount=|volume=EFI|bsdname=disk2s1|fs=msdos|model=Verbatim Store n Go Drive|serial=TTQA1DST2UEXNF8D|bus=USB|dmgpath=|appearance=2018-08-19T04:02:41.899Z
[2018-08-19T04:02:41.990Z] I santad: action=DISKAPPEAR|mount=|volume=Untitled|bsdname=disk2s2|fs=exfat|model=Verbatim Store n Go Drive|serial=TTQA1DST2UEXNF8D|bus=USB|dmgpath=|appearance=2018-08-19T04:02:41.898Z
[2018-08-19T04:02:42.001Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=9b9fe13daf0a4c035db43e3c5717e7ed89f3c5583d3b36fd40313f639a68bfad|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=818|ppid=65|uid=0|user=root|gid=0|group=wheel|mode=M|path=/sbin/mount|args=/sbin/mount -t exfat -o nodev,noowners,nosuid /dev/disk2s2 /Volumes/Untitled
[2018-08-19T04:02:42.011Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=b921e73345fbc9f991f01a25c3f27c2e80e5b97d5da6dd69cfdb67a0b1d2cec2|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=819|ppid=818|uid=0|user=root|gid=0|group=wheel|mode=M|path=/System/Library/Filesystems/exfat.fs/Contents/Resources/mount_exfat|args=/sbin/mount_exfat -o nodev -o noowners -o nosuid /dev/disk2s2 /Volumes/Untitled
[2018-08-19T04:02:42.172Z] I santad: action=DISKAPPEAR|mount=/Volumes/Untitled|volume=Untitled|bsdname=disk2s2|fs=exfat|model=Verbatim Store n Go Drive|serial=TTQA1DST2UEXNF8D|bus=USB|dmgpath=|appearance=2018-08-19T04:02:41.898Z
[2018-08-19T04:02:42.221Z] I santad: action=DELETE|path=/Volumes/Untitled/.fseventsd/000000000070eaff|pid=44|ppid=1|process=fseventsd|processpath=/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/FSEvents.framework/Versions/A/Support/fseventsd|uid=0|user=root|gid=0|group=wheel
[2018-08-19T04:02:42.221Z] I santad: action=DELETE|path=/Volumes/Untitled/.fseventsd/fseventsd-uuid|pid=44|ppid=1|process=fseventsd|processpath=/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/FSEvents.framework/Versions/A/Support/fseventsd|uid=0|user=root|gid=0|group=wheel
[2018-08-19T04:02:42.907Z] I santad: action=WRITE|path=/Users/qwerty/Library/Application Support/Google/Chrome/Profile 1/History-journal|pid=62|ppid=1|process=mds|processpath=/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds|uid=0|user=root|gid=0|group=wheel
[2018-08-19T04:02:43.012Z] I santad: action=DELETE|path=/Volumes/Untitled/.Spotlight-V100/Store-V2/E9B74ADC-5A5B-4644-BE89-3147508767A7/live.0.indexUpdates|pid=231|ppid=1|process=mds_stores|processpath=/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds_stores|uid=0|user=root|gid=0|group=wheel
[2018-08-19T04:02:43.018Z] I santad: action=WRITE|path=/Volumes/Untitled/.Spotlight-V100/Store-V2/E9B74ADC-5A5B-4644-BE89-3147508767A7/shutdown_time|pid=62|ppid=1|process=mds|processpath=/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds|uid=0|user=root|gid=0|group=wheel
[2018-08-19T04:02:43.048Z] I santad: action=WRITE|path=/Volumes/Untitled/.Spotlight-V100/Store-V2/E9B74ADC-5A5B-4644-BE89-3147508767A7/tmp.spotlight.state|pid=231|ppid=1|process=mds_stores|processpath=/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds_stores|uid=0|user=root|gid=0|group=wheel
[2018-08-19T04:02:43.058Z] I santad: action=RENAME|path=/Volumes/Untitled/.Spotlight-V100/Store-V2/E9B74ADC-5A5B-4644-BE89-3147508767A7/tmp.journals.live_user.retire.1|newpath=/Volumes/Untitled/.Spotlight-V100/Store-V2/E9B74ADC-5A5B-4644-BE89-3147508767A7/journals.live_user/retire.1|pid=62|ppid=1|process=mds|processpath=/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds|uid=0|user=root|gid=0|group=wheel
[2018-08-19T04:02:43.058Z] I santad: action=DELETE|path=/Volumes/Untitled/.Spotlight-V100/Store-V2/E9B74ADC-5A5B-4644-BE89-3147508767A7/journals.live_user/journal.1|pid=62|ppid=1|process=mds|processpath=/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds|uid=0|user=root|gid=0|group=wheel
[2018-08-19T04:02:43.059Z] I santad: action=WRITE|path=/Volumes/Untitled/.Spotlight-V100/Store-V2/E9B74ADC-5A5B-4644-BE89-3147508767A7/store.db|pid=231|ppid=1|process=mds_stores|processpath=/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds_stores|uid=0|user=root|gid=0|group=wheel
[2018-08-19T04:02:43.096Z] I santad: action=RENAME|path=/private/var/db/fud/.dat.nosync0319.Gr2Xk7|newpath=/private/var/db/fud/fudstate|pid=793|ppid=1|process=fud|processpath=/System/Library/PrivateFrameworks/MobileAccessoryUpdater.framework/Support/fud|uid=0|user=root|gid=0|group=wheel
[2018-08-19T04:02:43.870Z] I santad: action=WRITE|path=/Volumes/Untitled/.Spotlight-V100/Store-V2/E9B74ADC-5A5B-4644-BE89-3147508767A7/live.0.directoryStoreFile.shadow|pid=231|ppid=1|process=mds_stores|processpath=/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds_stores|uid=0|user=root|gid=0|group=wheel
[2018-08-19T04:02:43.873Z] I santad: action=WRITE|path=/Volumes/Untitled/.Spotlight-V100/Store-V2/E9B74ADC-5A5B-4644-BE89-3147508767A7/live.0.shadowIndexGroups|pid=231|ppid=1|process=mds_stores|processpath=/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds_stores|uid=0|user=root|gid=0|group=wheel
[2018-08-19T04:02:43.879Z] I santad: action=WRITE|path=/Volumes/Untitled/.Spotlight-V100/Store-V2/E9B74ADC-5A5B-4644-BE89-3147508767A7/tmp.spotlight.state|pid=231|ppid=1|process=mds_stores|processpath=/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds_stores|uid=0|user=root|gid=0|group=wheel
[2018-08-19T04:02:43.885Z] I santad: action=DELETE|path=/Volumes/Untitled/.Spotlight-V100/Store-V2/E9B74ADC-5A5B-4644-BE89-3147508767A7/store.updates|pid=231|ppid=1|process=mds_stores|processpath=/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds_stores|uid=0|user=root|gid=0|group=wheel
[2018-08-19T04:02:43.890Z] I santad: action=WRITE|path=/Volumes/Untitled/.Spotlight-V100/Store-V2/E9B74ADC-5A5B-4644-BE89-3147508767A7/reverseStore.updates|pid=231|ppid=1|process=mds_stores|processpath=/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds_stores|uid=0|user=root|gid=0|group=wheel
[2018-08-19T04:02:43.896Z] I santad: action=DELETE|path=/Volumes/Untitled/.Spotlight-V100/Store-V2/E9B74ADC-5A5B-4644-BE89-3147508767A7/store.updates|pid=231|ppid=1|process=mds_stores|processpath=/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds_stores|uid=0|user=root|gid=0|group=wheel
[2018-08-19T04:02:43.902Z] I santad: action=WRITE|path=/Volumes/Untitled/.Spotlight-V100/Store-V2/E9B74ADC-5A5B-4644-BE89-3147508767A7/reverseStore.updates|pid=231|ppid=1|process=mds_stores|processpath=/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds_stores|uid=0|user=root|gid=0|group=wheel
[2018-08-19T04:02:43.905Z] I santad: action=DELETE|path=/Volumes/Untitled/.Spotlight-V100/Store-V2/E9B74ADC-5A5B-4644-BE89-3147508767A7/live.0.indexUpdates|pid=231|ppid=1|process=mds_stores|processpath=/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds_stores|uid=0|user=root|gid=0|group=wheel
[2018-08-19T04:02:43.911Z] I santad: action=DELETE|path=/Volumes/Untitled/.Spotlight-V100/Store-V2/E9B74ADC-5A5B-4644-BE89-3147508767A7/journalAttr.1|pid=231|ppid=1|process=mds_stores|processpath=/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds_stores|uid=0|user=root|gid=0|group=wheel
[2018-08-19T04:02:44.211Z] I santad: action=WRITE|path=/Users/qwerty/Library/Application Support/com.apple.sharedfilelist/.dat.nosync0125.jAcG3w|pid=293|ppid=1|process=sharedfilelistd|processpath=/System/Library/CoreServices/sharedfilelistd|uid=501|user=qwerty|gid=20|group=staff
[2018-08-19T04:02:44.213Z] I santad: action=RENAME|path=/Users/qwerty/Library/Application Support/com.apple.sharedfilelist/.dat.nosync0125.jAcG3w|newpath=/Users/qwerty/Library/Application Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.FavoriteVolumes.sfl2|pid=293|ppid=1|process=sharedfilelistd|processpath=/System/Library/CoreServices/sharedfilelistd|uid=501|user=qwerty|gid=20|group=staff
[2018-08-19T04:02:45.223Z] I santad: action=WRITE|path=/Users/qwerty/Library/Application Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.FavoriteVolumes.sfl2|pid=62|ppid=1|process=mds|processpath=/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds|uid=0|user=root|gid=0|group=wheel
[2018-08-19T04:02:47.907Z] I santad: action=WRITE|path=/Users/qwerty/newfile|pid=303|ppid=1|process=Finder|processpath=/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder|uid=501|user=qwerty|gid=20|group=staff
[2018-08-19T04:02:47.911Z] I santad: action=WRITE|path=/Users/qwerty/newfile|pid=303|ppid=1|process=Finder|processpath=/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder|uid=501|user=qwerty|gid=20|group=staff
[2018-08-19T04:02:48.119Z] I santad: action=WRITE|path=/Users/qwerty/Library/Preferences/com.apple.finder.plist.8vamTES|pid=282|ppid=1|process=cfprefsd|processpath=/usr/sbin/cfprefsd|uid=501|user=qwerty|gid=20|group=staff
[2018-08-19T04:02:48.120Z] I santad: action=RENAME|path=/Users/qwerty/Library/Preferences/com.apple.finder.plist.8vamTES|newpath=/Users/qwerty/Library/Preferences/com.apple.finder.plist|pid=282|ppid=1|process=cfprefsd|processpath=/usr/sbin/cfprefsd|uid=501|user=qwerty|gid=20|group=staff
[2018-08-19T04:02:48.123Z] I santad: action=WRITE|path=/Users/qwerty/newfile|pid=303|ppid=1|process=Finder|processpath=/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder|uid=501|user=qwerty|gid=20|group=staff
[2018-08-19T04:02:48.361Z] I santad: action=WRITE|path=/Users/qwerty/newfile|pid=303|ppid=1|process=Finder|processpath=/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder|uid=501|user=qwerty|gid=20|group=staff
[2018-08-19T04:02:48.361Z] *** LOG MESSAGE QUOTA EXCEEDED - SOME MESSAGES FROM THIS PROCESS HAVE BEEN DISCARDED ***
[2018-08-19T04:02:48.361Z] I santad: action=WRITE|path=/Users/qwerty/newfile|pid=303|ppid=1|process=Finder|processpath=/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder|uid=501|user=qwerty|gid=20|group=staff
[2018-08-19T04:02:48.482Z] I santad: action=WRITE|path=/Users/qwerty/sample|pid=303|ppid=1|process=Finder|processpath=/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder|uid=501|user=qwerty|gid=20|group=staff
[2018-08-19T04:02:59.284Z] I santad: action=WRITE|path=/private/var/log/install.log|pid=39|ppid=1|process=syslogd|processpath=/usr/sbin/syslogd|uid=0|user=root|gid=0|group=wheel
[2018-08-19T04:02:59.308Z] I santad: action=WRITE|path=/Users/qwerty/sample|pid=826|ppid=1|process=DesktopServicesH|processpath=/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/Resources/DesktopServicesHelper|uid=501|user=qwerty|gid=20|group=staff
[2018-08-19T04:02:59.308Z] I santad: action=WRITE|path=/Volumes/Untitled/sample|pid=303|ppid=1|process=Finder|processpath=/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder|uid=501|user=qwerty|gid=20|group=staff
[2018-08-19T04:02:59.308Z] I santad: action=WRITE|path=/Volumes/Untitled/sample|pid=303|ppid=1|process=Finder|processpath=/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder|uid=501|user=qwerty|gid=20|group=staff
[2018-08-19T04:02:59.309Z] I santad: action=WRITE|path=/Volumes/Untitled/sample|pid=303|ppid=1|process=Finder|processpath=/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder|uid=501|user=qwerty|gid=20|group=staff
[2018-08-19T04:02:59.347Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=df9066f055c53cf3cf8d989bb4ada04aeeac48857bbe33a1d6044c469f593795|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=831|ppid=1|uid=0|user=root|gid=0|group=wheel|mode=M|path=/usr/libexec/xpcproxy|args=xpcproxy com.apple.Safari.CacheDeleteExtension 440
[2018-08-19T04:02:59.479Z] I santad: action=WRITE|path=/Library/Keychains/crls/valid.sqlite3|pid=112|ppid=1|process=trustd|processpath=/usr/libexec/trustd|uid=0|user=root|gid=0|group=wheel
[2018-08-19T04:02:59.479Z] I santad: action=WRITE|path=/Library/Keychains/crls/valid.sqlite3|pid=112|ppid=1|process=trustd|processpath=/usr/libexec/trustd|uid=0|user=root|gid=0|group=wheel
[2018-08-19T04:02:59.479Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=cb92aa42f592d6df4e28db0bb8d7b61208df5e82ac294aab7002df0119d6165d|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=831|ppid=1|uid=501|user=qwerty|gid=20|group=staff|mode=M|path=/Applications/Safari.app/Contents/PlugIns/CacheDeleteExtension.appex/Contents/MacOS/CacheDeleteExtension|args=/Applications/Safari.app/Contents/PlugIns/CacheDeleteExtension.appex/Contents/MacOS/CacheDeleteExtension
[2018-08-19T04:02:59.479Z] I santad: action=WRITE|path=/Volumes/Untitled/sample|pid=826|ppid=1|process=DesktopServicesH|processpath=/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/Resources/DesktopServicesHelper|uid=501|user=qwerty|gid=20|group=staff
[2018-08-19T04:02:59.480Z] I santad: action=WRITE|path=/Volumes/Untitled/sample|pid=826|ppid=1|process=DesktopServicesH|processpath=/System/Library/PrivateFrameworks/DesktopServicesPriv.framework/Versions/A/Resources/DesktopServicesHelper|uid=501|user=qwerty|gid=20|group=staff
[2018-08-19T04:03:00.518Z] I santad: action=WRITE|path=/Volumes/Untitled/sample|pid=62|ppid=1|process=mds|processpath=/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds|uid=0|user=root|gid=0|group=wheel
[2018-08-19T04:03:01.461Z] I santad: action=WRITE|path=/Volumes/Untitled/.Spotlight-V100/Store-V2/E9B74ADC-5A5B-4644-BE89-3147508767A7/tmp.spotlight.state|pid=231|ppid=1|process=mds_stores|processpath=/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds_stores|uid=0|user=root|gid=0|group=wheel
[2018-08-19T04:03:01.988Z] I santad: action=WRITE|path=/Volumes/Untitled/.Spotlight-V100/Store-V2/E9B74ADC-5A5B-4644-BE89-3147508767A7/tmp.spotlight.state|pid=231|ppid=1|process=mds_stores|processpath=/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds_stores|uid=0|user=root|gid=0|group=wheel
[2018-08-19T04:03:02.494Z] I santad: action=DELETE|path=/private/var/folders/1g/b775vlb54nl28zt7h_fb1l3c0000gn/C/com.apple.QuickLook.thumbnailcache/dirty|pid=825|ppid=1|process=quicklookd|processpath=/System/Library/Frameworks/QuickLook.framework/Versions/A/Resources/quicklookd.app/Contents/MacOS/quicklookd|uid=501|user=qwerty|gid=20|group=staff
[2018-08-19T04:03:06.139Z] I santad: action=WRITE|path=/Volumes/Untitled/sample|pid=303|ppid=1|process=Finder|processpath=/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder|uid=501|user=qwerty|gid=20|group=staff
[2018-08-19T04:03:39.585Z] I santad: action=RENAME|path=/Volumes/Untitled/sample|newpath=/Volumes/Untitled/text|pid=833|ppid=356|process=mv|processpath=(null)|uid=501|user=qwerty|gid=20|group=staff
[2018-08-19T04:03:40.600Z] I santad: action=WRITE|path=/Volumes/Untitled/text|pid=62|ppid=1|process=mds|processpath=/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds|uid=0|user=root|gid=0|group=wheel
[2018-08-19T04:03:46.134Z] I santad: action=WRITE|path=/Volumes/Untitled/text|pid=834|ppid=356|process=rm|processpath=/bin/rm|uid=501|user=qwerty|gid=20|group=staff
[2018-08-19T04:03:46.134Z] I santad: action=DELETE|path=/Volumes/Untitled/text|pid=834|ppid=356|process=rm|processpath=(null)|uid=501|user=qwerty|gid=20|group=staff
[2018-08-19T04:03:48.267Z] I santad: action=WRITE|path=/Users/qwerty/Library/Application Support/Google/Chrome/Profile 1/History-journal|pid=62|ppid=1|process=mds|processpath=/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds|uid=0|user=root|gid=0|group=wheel
[2018-08-19T04:03:53.860Z] I santad: action=DELETE|path=/Volumes/Untitled/.Spotlight-V100/Store-V2/E9B74ADC-5A5B-4644-BE89-3147508767A7/live.0.indexUpdates|pid=231|ppid=1|process=mds_stores|processpath=/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds_stores|uid=0|user=root|gid=0|group=wheel
[2018-08-19T04:03:53.860Z] I santad: action=WRITE|path=/Volumes/Untitled/.Spotlight-V100/Store-V2/E9B74ADC-5A5B-4644-BE89-3147508767A7/tmp.spotlight.loc|pid=231|ppid=1|process=mds_stores|processpath=/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds_stores|uid=0|user=root|gid=0|group=wheel
[2018-08-19T04:03:53.864Z] I santad: action=DELETE|path=/Volumes/Untitled/.Spotlight-V100/Store-V2/E9B74ADC-5A5B-4644-BE89-3147508767A7/store.updates|pid=231|ppid=1|process=mds_stores|processpath=/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds_stores|uid=0|user=root|gid=0|group=wheel
[2018-08-19T04:03:53.867Z] I santad: action=WRITE|path=/Volumes/Untitled/.Spotlight-V100/Store-V2/E9B74ADC-5A5B-4644-BE89-3147508767A7/reverseStore.updates|pid=231|ppid=1|process=mds_stores|processpath=/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds_stores|uid=0|user=root|gid=0|group=wheel
[2018-08-19T04:03:53.873Z] I santad: action=WRITE|path=/Volumes/Untitled/.Spotlight-V100/Store-V2/E9B74ADC-5A5B-4644-BE89-3147508767A7/tmp.spotlight.state|pid=231|ppid=1|process=mds_stores|processpath=/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds_stores|uid=0|user=root|gid=0|group=wheel
[2018-08-19T04:03:53.886Z] I santad: action=WRITE|path=/Volumes/Untitled/.Spotlight-V100/Store-V2/E9B74ADC-5A5B-4644-BE89-3147508767A7/permStore|pid=231|ppid=1|process=mds_stores|processpath=/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds_stores|uid=0|user=root|gid=0|group=wheel
[2018-08-19T04:03:53.894Z] I santad: action=WRITE|path=/Volumes/Untitled/.Spotlight-V100/Store-V2/E9B74ADC-5A5B-4644-BE89-3147508767A7/shutdown_time|pid=62|ppid=1|process=mds|processpath=/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds|uid=0|user=root|gid=0|group=wheel
[2018-08-19T04:03:53.899Z] I santad: action=WRITE|path=/Volumes/Untitled/.Spotlight-V100/Store-V2/E9B74ADC-5A5B-4644-BE89-3147508767A7/shutdown_time|pid=62|ppid=1|process=mds|processpath=/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds|uid=0|user=root|gid=0|group=wheel
[2018-08-19T04:03:53.911Z] I santad: action=DELETE|path=/Volumes/Untitled/.fseventsd/000000000071c980|pid=44|ppid=1|process=fseventsd|processpath=/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/FSEvents.framework/Versions/A/Support/fseventsd|uid=0|user=root|gid=0|group=wheel
[2018-08-19T04:03:53.911Z] I santad: action=DELETE|path=/Volumes/Untitled/.fseventsd/000000000071c981|pid=44|ppid=1|process=fseventsd|processpath=/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/FSEvents.framework/Versions/A/Support/fseventsd|uid=0|user=root|gid=0|group=wheel
[2018-08-19T04:03:53.911Z] I santad: action=DELETE|path=/Volumes/Untitled/.fseventsd/fseventsd-uuid|pid=44|ppid=1|process=fseventsd|processpath=/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/FSEvents.framework/Versions/A/Support/fseventsd|uid=0|user=root|gid=0|group=wheel
[2018-08-19T04:03:53.943Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=e251c63f8206cabdb6575f202d570e0a4ff942f2f17329afcbd73766fc459cb2|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=835|ppid=65|uid=0|user=root|gid=0|group=wheel|mode=M|path=/sbin/umount|args=/sbin/umount /Volumes/Untitled
[2018-08-19T04:03:56.151Z] I santad: action=WRITE|path=/Users/qwerty/Library/Application Support/Google/Chrome/Profile 1/Network Persistent State|pid=62|ppid=1|process=mds|processpath=/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds|uid=0|user=root|gid=0|group=wheel
[2018-08-19T04:04:01.392Z] I santad: action=DELETE|path=/Volumes/Untitled/.fseventsd/000000000071c981|pid=44|ppid=1|process=fseventsd|processpath=/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/FSEvents.framework/Versions/A/Support/fseventsd|uid=0|user=root|gid=0|group=wheel
[2018-08-19T04:04:01.392Z] I santad: action=DELETE|path=/Volumes/Untitled/.fseventsd/000000000071c982|pid=44|ppid=1|process=fseventsd|processpath=/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/FSEvents.framework/Versions/A/Support/fseventsd|uid=0|user=root|gid=0|group=wheel
[2018-08-19T04:04:01.395Z] I santad: action=EXEC|decision=ALLOW|reason=CERT|sha256=e251c63f8206cabdb6575f202d570e0a4ff942f2f17329afcbd73766fc459cb2|cert_sha256=2aa4b9973b7ba07add447ee4da8b5337c3ee2c3a991911e80e7282e8a751fc32|cert_cn=Software Signing|pid=839|ppid=65|uid=0|user=root|gid=0|group=wheel|mode=M|path=/sbin/umount|args=/sbin/umount /Volumes/Untitled
[2018-08-19T04:04:01.476Z] I santad: action=WRITE|path=/private/var/run/automount.initialized|pid=840|ppid=83|process=automount|processpath=(null)|uid=0|user=root|gid=0|group=wheel
[2018-08-19T04:04:01.479Z] I santad: action=WRITE|path=/private/var/log/powermanagement/2018.08.18.asl|pid=39|ppid=1|process=syslogd|processpath=/usr/sbin/syslogd|uid=0|user=root|gid=0|group=wheel
[2018-08-19T04:04:01.479Z] I santad: action=WRITE|path=/private/var/log/powermanagement/StoreData|pid=39|ppid=1|process=syslogd|processpath=/usr/sbin/syslogd|uid=0|user=root|gid=0|group=wheel
[2018-08-19T04:04:01.480Z] I santad: action=DISKDISAPPEAR|mount=|volume=EFI|bsdname=disk2s1
[2018-08-19T04:04:01.480Z] I santad: action=DISKDISAPPEAR|mount=|volume=Untitled|bsdname=disk2s2