evilquest | b34738e181a6119f23e930476ae949fc0c7c4ded6efa003019fa946c4e5b287a

General

Target

EvilQuest.dmg
Size

10.4MB
MD5

58680abd58baca826c2029f32e5b78b3
SHA1

98040c4d358a6fb9fed970df283a9b25f0ab393b
SHA256

b34738e181a6119f23e930476ae949fc0c7c4ded6efa003019fa946c4e5b287a
SHA512

be852ea2a0ce7a119392f6f28033dfcec27ac897f3479767287da8e5b2babd2cff95b94c399e64d5f219fbef3508a3a2f2b2f4346e057ddce416353825994d28

Score

10^/10

evilquest backdoor ransomware

Malware Config

Extracted

Path

/Users/run/Desktop/READ_ME_NOW.txt

Ransom Note

YOUR IMPORTANT FILES ARE ENCRYPTED Many of your documents, photos, videos, images and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your file without our decryption service. We use 256-bit AES algorithm so it will take you more than a billion years to break this encryption without knowing the key (you can read Wikipedia about AES if you don't believe this statement). Anyways, we guarantee that you can recover your files safely and easily. This will require us to use some processing power, electricity and storage on our side, so there's a fixed processing fee of 50 USD. This is a one-time payment, no additional fees included. In order to accept this offer, you have to deposit payment within 72 hours (3 days) after receiving this message, otherwise this offer will expire and you will lose your files forever. Payment has to be deposited in Bitcoin based on Bitcoin/USD exchange rate at the moment of payment. The address you have to make payment is: 13roGMpWd7Pb3ZoJyce8eoQpfegQvGHHK7 Decryption will start automatically within 2 hours after the payment has been processed and will take from 2 to 5 hours depending on the processing power of your computer. After that all of your files will be restored. THIS OFFER IS VALID FOR 72 HOURS AFTER RECEIVING THIS MESSAGE

Wallets

13roGMpWd7Pb3ZoJyce8eoQpfegQvGHHK7

Signatures

EvilQuest
EvilQuest family.
backdoor evilquest

EvilQuest Payload 43 IoCs

resource	yara_rule
behavioral1/files/0x0000000300089747-3.dat	family_evilquest
behavioral1/files/0x000000030008974f-9.dat	family_evilquest
behavioral1/files/0x000000030008974f-641.dat	family_evilquest
behavioral1/files/0x0000000300089adb-642.dat	family_evilquest
behavioral1/files/0x000000030008974f-643.dat	family_evilquest
behavioral1/files/0x0000000300089add-644.dat	family_evilquest
behavioral1/files/0x0000000300089adf-645.dat	family_evilquest
behavioral1/files/0x000000030008974f-646.dat	family_evilquest
behavioral1/files/0x0000000300089adb-651.dat	family_evilquest
behavioral1/files/0x0000000300089adf-652.dat	family_evilquest
behavioral1/files/0x000000030008974f-654.dat	family_evilquest
behavioral1/files/0x000000030008974f-655.dat	family_evilquest
behavioral1/files/0x000000030008974f-656.dat	family_evilquest
behavioral1/files/0x000000030008974f-657.dat	family_evilquest
behavioral1/files/0x0000000300089adb-658.dat	family_evilquest
behavioral1/files/0x000000030008974f-659.dat	family_evilquest
behavioral1/files/0x000000030008974f-660.dat	family_evilquest
behavioral1/files/0x0000000300087d49-661.dat	family_evilquest
behavioral1/files/0x0000000300089adf-663.dat	family_evilquest
behavioral1/files/0x000000030008974f-662.dat	family_evilquest
behavioral1/files/0x000000030008974f-664.dat	family_evilquest
behavioral1/files/0x0000000300082e25-665.dat	family_evilquest
behavioral1/files/0x000000030008974f-666.dat	family_evilquest
behavioral1/files/0x0000000300089723-667.dat	family_evilquest
behavioral1/files/0x0000000300089723-888.dat	family_evilquest
behavioral1/files/0x0000000300089adf-4300.dat	family_evilquest
behavioral1/files/0x000000030008974f-4301.dat	family_evilquest
behavioral1/files/0x000000030008974f-7936.dat	family_evilquest
behavioral1/files/0x000000030008974f-11521.dat	family_evilquest
behavioral1/files/0x000000030008974f-11522.dat	family_evilquest
behavioral1/files/0x000000030008974f-11523.dat	family_evilquest
behavioral1/files/0x000000030008974f-11524.dat	family_evilquest
behavioral1/files/0x000000030008974f-11525.dat	family_evilquest
behavioral1/files/0x000000030008974f-11526.dat	family_evilquest
behavioral1/files/0x000000030008974f-11527.dat	family_evilquest
behavioral1/files/0x000000030008974f-11528.dat	family_evilquest
behavioral1/files/0x000000030008974f-11529.dat	family_evilquest
behavioral1/files/0x000000030008974f-11530.dat	family_evilquest
behavioral1/files/0x000000030008974f-11531.dat	family_evilquest
behavioral1/files/0x000000030008974f-11532.dat	family_evilquest
behavioral1/files/0x000000030008974f-11533.dat	family_evilquest
behavioral1/files/0x000000030008974f-11534.dat	family_evilquest
behavioral1/files/0x000000030008974f-11535.dat	family_evilquest

/bin/sh
sh -c "sudo /bin/zsh -c \"installer -pkg /Users/run/setup.pkg -target /\""
1⤵
PID:659

/bin/bash
sh -c "sudo /bin/zsh -c \"installer -pkg /Users/run/setup.pkg -target /\""
1⤵
PID:659

/bin/bash
sh -c "sudo /bin/zsh -c \"installer -pkg /Users/run/setup.pkg -target /\""
1⤵
PID:659

/usr/bin/sudo
sudo /bin/zsh -c "installer -pkg /Users/run/setup.pkg -target /"
1⤵
PID:659

/usr/bin/sudo
sudo /bin/zsh -c "installer -pkg /Users/run/setup.pkg -target /"
1⤵
PID:659
- /bin/zsh
  /bin/zsh -c "installer -pkg /Users/run/setup.pkg -target /"
  2⤵
  PID:660
- /bin/zsh
  /bin/zsh -c "installer -pkg /Users/run/setup.pkg -target /"
  2⤵
  PID:660
- /usr/sbin/installer
  installer -pkg /Users/run/setup.pkg -target /
  2⤵
  PID:660
- /usr/sbin/installer
  installer -pkg /Users/run/setup.pkg -target /
  2⤵
  PID:660

/usr/libexec/xpcproxy
xpcproxy com.apple.ReportMemoryException
1⤵
PID:661

/usr/libexec/ReportMemoryException
/usr/libexec/ReportMemoryException
1⤵
PID:661

/usr/libexec/xpcproxy
xpcproxy com.apple.installd
1⤵
PID:662

/System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd
1⤵
PID:662

/usr/libexec/xpcproxy
xpcproxy com.apple.quicklook.ui.helper
1⤵
PID:664

/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
1⤵
PID:664

/usr/libexec/xpcproxy
xpcproxy com.apple.installer.2124
1⤵
PID:665

/System/Library/CoreServices/Installer.app/Contents/MacOS/Installer
/System/Library/CoreServices/Installer.app/Contents/MacOS/Installer
1⤵
PID:665

/usr/libexec/xpcproxy
xpcproxy com.apple.metadata.mdwrite
1⤵
PID:666

/usr/libexec/xpcproxy
xpcproxy com.apple.replayd
1⤵
PID:668

/usr/libexec/replayd
/usr/libexec/replayd
1⤵
PID:668

/usr/libexec/xpcproxy
xpcproxy com.apple.system_installd
1⤵
PID:671

/System/Library/PrivateFrameworks/PackageKit.framework/Resources/system_installd
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/system_installd
1⤵
PID:671

/usr/libexec/xpcproxy
xpcproxy com.apple.storedownloadd
1⤵
PID:672

/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storedownloadd
/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storedownloadd
1⤵
PID:672

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.CacheDeleteExtension 430
1⤵
PID:674

/Applications/Safari.app/Contents/PlugIns/CacheDeleteExtension.appex/Contents/MacOS/CacheDeleteExtension
/Applications/Safari.app/Contents/PlugIns/CacheDeleteExtension.appex/Contents/MacOS/CacheDeleteExtension
1⤵
PID:674

/usr/libexec/xpcproxy
xpcproxy com.apple.security.agent
1⤵
PID:676

/System/Library/Frameworks/Security.framework/Versions/A/MachServices/SecurityAgent.bundle/Contents/MacOS/SecurityAgent
/System/Library/Frameworks/Security.framework/Versions/A/MachServices/SecurityAgent.bundle/Contents/MacOS/SecurityAgent
1⤵
PID:676

/System/Library/PrivateFrameworks/PackageKit.framework/Resources/install_monitor
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/install_monitor -t /private/var/run/installd.commit.pid
1⤵
PID:677

/usr/libexec/xpcproxy
xpcproxy com.apple.security.authhost.00000000-0000-0000-0000-0000000186A6
1⤵
PID:678

/System/Library/Frameworks/Security.framework/Versions/A/MachServices/authorizationhost.bundle/Contents/MacOS/authorizationhost
/System/Library/Frameworks/Security.framework/Versions/A/MachServices/authorizationhost.bundle/Contents/MacOS/authorizationhost
1⤵
PID:678

/System/Library/PrivateFrameworks/PackageKit.framework/Resources/shove
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/shove -f -s /Library/InstallerSandboxes/.PKInstallSandboxManager/76E3CFC2-81F1-40B4-9D29-F8C85213F0AE.activeSandbox/Root /
1⤵
PID:679

/tmp/PKInstallSandbox.Zt3qSo/Scripts/com.mixedinkey.installer.hsLyOl/postinstall
/tmp/PKInstallSandbox.Zt3qSo/Scripts/com.mixedinkey.installer.hsLyOl/postinstall /Users/run/setup.pkg /Applications / /
1⤵
PID:680

/bin/bash
/bin/sh /tmp/PKInstallSandbox.Zt3qSo/Scripts/com.mixedinkey.installer.hsLyOl/postinstall /Users/run/setup.pkg /Applications / /
1⤵
PID:680

/bin/bash
/bin/sh /tmp/PKInstallSandbox.Zt3qSo/Scripts/com.mixedinkey.installer.hsLyOl/postinstall /Users/run/setup.pkg /Applications / /
1⤵
PID:680
- /bin/mkdir
  mkdir /Library/mixednkey
  2⤵
  PID:681
- /bin/mkdir
  mkdir /Library/mixednkey
  2⤵
  PID:681
- /bin/mv
  mv /Applications/Utils/patch /Library/mixednkey/toolroomd
  2⤵
  PID:682
- /bin/mv
  mv /Applications/Utils/patch /Library/mixednkey/toolroomd
  2⤵
  PID:682
- /bin/rmdir
  rmdir /Application/Utils
  2⤵
  PID:683
- /bin/rmdir
  rmdir /Application/Utils
  2⤵
  PID:683
- /bin/chmod
  chmod +x /Library/mixednkey/toolroomd
  2⤵
  PID:684
- /bin/chmod
  chmod +x /Library/mixednkey/toolroomd
  2⤵
  PID:684
- /Library/mixednkey/toolroomd
  /Library/mixednkey/toolroomd
  2⤵
  PID:685
- /Library/mixednkey/toolroomd
  /Library/mixednkey/toolroomd
  2⤵
  PID:685
- /Users/run/Hellper.app
  2⤵
  PID:685
- /Users/run/Hellper.app
  2⤵
  PID:685
- /Users/run/Hellper.app
  2⤵
  PID:685
- /Users/run/Hellper.app
  2⤵
  PID:685

/System/Library/PrivateFrameworks/PackageKit.framework/Resources/efw_cache_update
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/efw_cache_update -c
1⤵
PID:687

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:688

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:688

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:688

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:689

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:689

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:689

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:690

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:690

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:690

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:691

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:691

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:691

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:692

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:692

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:692

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:693

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:693

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:693

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:707

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:707

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:707

/bin/sh
sh -c "osascript -e \"beep 18 say \\\"Your files are encrypted\\\" waiting until completion false set alTitle to \\\"Many of your important documents, photos, videos, images and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service. We guarantee however that you can recover your files safely and easily and this will cost you 50 USD without any additional fees. Our offer is valid FOR 3 DAYS (starting now!). Full details can be found in the file: READ_ME_NOW.txt located on your Desktop\\\" set alText to \\\"Your files are encrypted\\\" display alert alText message alTitle as critical buttons {\\\"OK\\\"} set the clipboard to \\\"13roGMpWd7Pb3ZoJyce8eoQpfegQvGHHK7\\\"\""
1⤵
PID:736

/bin/bash
sh -c "osascript -e \"beep 18 say \\\"Your files are encrypted\\\" waiting until completion false set alTitle to \\\"Many of your important documents, photos, videos, images and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service. We guarantee however that you can recover your files safely and easily and this will cost you 50 USD without any additional fees. Our offer is valid FOR 3 DAYS (starting now!). Full details can be found in the file: READ_ME_NOW.txt located on your Desktop\\\" set alText to \\\"Your files are encrypted\\\" display alert alText message alTitle as critical buttons {\\\"OK\\\"} set the clipboard to \\\"13roGMpWd7Pb3ZoJyce8eoQpfegQvGHHK7\\\"\""
1⤵
PID:736

/bin/bash
sh -c "osascript -e \"beep 18 say \\\"Your files are encrypted\\\" waiting until completion false set alTitle to \\\"Many of your important documents, photos, videos, images and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service. We guarantee however that you can recover your files safely and easily and this will cost you 50 USD without any additional fees. Our offer is valid FOR 3 DAYS (starting now!). Full details can be found in the file: READ_ME_NOW.txt located on your Desktop\\\" set alText to \\\"Your files are encrypted\\\" display alert alText message alTitle as critical buttons {\\\"OK\\\"} set the clipboard to \\\"13roGMpWd7Pb3ZoJyce8eoQpfegQvGHHK7\\\"\""
1⤵
PID:736

/usr/libexec/xpcproxy
xpcproxy com.apple.quicklook.satellite.3DF79D2F-7274-43EF-AF52-D9628CC7E21F 663
1⤵
PID:737

/System/Library/Frameworks/QuickLook.framework/Versions/A/XPCServices/QuickLookSatellite.xpc/Contents/MacOS/QuickLookSatellite
/System/Library/Frameworks/QuickLook.framework/Versions/A/XPCServices/QuickLookSatellite.xpc/Contents/MacOS/QuickLookSatellite
1⤵
PID:737

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:741

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:741

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:741

/bin/sh
sh -c "osascript -e \"beep 18 say \\\"Your files are encrypted\\\" waiting until completion false set alTitle to \\\"Many of your important documents, photos, videos, images and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service. We guarantee however that you can recover your files safely and easily and this will cost you 50 USD without any additional fees. Our offer is valid FOR 3 DAYS (starting now!). Full details can be found in the file: READ_ME_NOW.txt located on your Desktop\\\" set alText to \\\"Your files are encrypted\\\" display alert alText message alTitle as critical buttons {\\\"OK\\\"} set the clipboard to \\\"13roGMpWd7Pb3ZoJyce8eoQpfegQvGHHK7\\\"\""
1⤵
PID:742

/bin/bash
sh -c "osascript -e \"beep 18 say \\\"Your files are encrypted\\\" waiting until completion false set alTitle to \\\"Many of your important documents, photos, videos, images and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service. We guarantee however that you can recover your files safely and easily and this will cost you 50 USD without any additional fees. Our offer is valid FOR 3 DAYS (starting now!). Full details can be found in the file: READ_ME_NOW.txt located on your Desktop\\\" set alText to \\\"Your files are encrypted\\\" display alert alText message alTitle as critical buttons {\\\"OK\\\"} set the clipboard to \\\"13roGMpWd7Pb3ZoJyce8eoQpfegQvGHHK7\\\"\""
1⤵
PID:742

/bin/bash
sh -c "osascript -e \"beep 18 say \\\"Your files are encrypted\\\" waiting until completion false set alTitle to \\\"Many of your important documents, photos, videos, images and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service. We guarantee however that you can recover your files safely and easily and this will cost you 50 USD without any additional fees. Our offer is valid FOR 3 DAYS (starting now!). Full details can be found in the file: READ_ME_NOW.txt located on your Desktop\\\" set alText to \\\"Your files are encrypted\\\" display alert alText message alTitle as critical buttons {\\\"OK\\\"} set the clipboard to \\\"13roGMpWd7Pb3ZoJyce8eoQpfegQvGHHK7\\\"\""
1⤵
PID:742

/usr/libexec/xpcproxy
xpcproxy com.apple.quicklook.ui.helper
1⤵
PID:743

/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
1⤵
PID:743

/usr/libexec/xpcproxy
xpcproxy com.apple.TextEdit.2092
1⤵
PID:744

/System/Applications/TextEdit.app/Contents/MacOS/TextEdit
/System/Applications/TextEdit.app/Contents/MacOS/TextEdit
1⤵
PID:744

/usr/libexec/xpcproxy
xpcproxy com.apple.accountsd
1⤵
PID:748

/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
1⤵
PID:748

/usr/libexec/xpcproxy
xpcproxy com.apple.ReportCrash.Root
1⤵
PID:749

/System/Library/CoreServices/ReportCrash
/System/Library/CoreServices/ReportCrash daemon
1⤵
PID:749

/usr/libexec/xpcproxy
xpcproxy com.apple.ReportMemoryException
1⤵
PID:750

/usr/libexec/ReportMemoryException
/usr/libexec/ReportMemoryException
1⤵
PID:750

/usr/libexec/xpcproxy
xpcproxy com.apple.accountsd
1⤵
PID:751

/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
1⤵
PID:751

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:752

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:752

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:752

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:753

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:753

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:753

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:754

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:754

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:754

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:755

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:755

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:755

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:756

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:756

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:756

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:757

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:757

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:757

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:758

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:758

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:758

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:759

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:759

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:759

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:760

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:760

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:760

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:761

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:761

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:761

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:762

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:762

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:762

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:763

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:763

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:763

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:764

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:764

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:764

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:765

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:765

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:765

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:766

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:766

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:766

/bin/sh
sh -c /usr/sbin/kextstat
1⤵
PID:767

/bin/bash
sh -c /usr/sbin/kextstat
1⤵
PID:767

/bin/bash
sh -c /usr/sbin/kextstat
1⤵
PID:767

/usr/sbin/kextstat
/usr/sbin/kextstat
1⤵
PID:767

/usr/sbin/kextstat
/usr/sbin/kextstat
1⤵
PID:767

/usr/libexec/xpcproxy
xpcproxy com.apple.newsyslog
1⤵
PID:768

/usr/sbin/newsyslog
/usr/sbin/newsyslog
1⤵
PID:768

/usr/libexec/xpcproxy
xpcproxy com.apple.accountsd
1⤵
PID:771

/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
1⤵
PID:771

/usr/libexec/xpcproxy
xpcproxy com.apple.mobile.keybagd
1⤵
PID:772

/usr/libexec/keybagd
/usr/libexec/keybagd -t 15
1⤵
PID:772

/usr/libexec/xpcproxy
xpcproxy com.apple.accountsd
1⤵
PID:773

/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
1⤵
PID:773

/usr/libexec/xpcproxy
xpcproxy com.apple.accountsd
1⤵
PID:775

/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
1⤵
PID:775

/usr/libexec/xpcproxy
xpcproxy com.apple.accountsd
1⤵
PID:776

/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
1⤵
PID:776

/usr/libexec/xpcproxy
xpcproxy com.apple.accountsd
1⤵
PID:777

/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
1⤵
PID:777

/usr/libexec/xpcproxy
xpcproxy com.apple.accountsd
1⤵
PID:778

/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
1⤵
PID:778

/usr/libexec/xpcproxy
xpcproxy com.apple.accountsd
1⤵
PID:779

/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
1⤵
PID:779

/usr/libexec/xpcproxy
xpcproxy com.apple.accountsd
1⤵
PID:780

/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
1⤵
PID:780

/usr/libexec/xpcproxy
xpcproxy com.apple.accountsd
1⤵
PID:781

/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
1⤵
PID:781

/usr/libexec/xpcproxy
xpcproxy com.apple.accountsd
1⤵
PID:782

/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
1⤵
PID:782

/usr/libexec/xpcproxy
xpcproxy com.apple.accountsd
1⤵
PID:783

/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
1⤵
PID:783

/usr/libexec/xpcproxy
xpcproxy com.apple.accountsd
1⤵
PID:784

/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
1⤵
PID:784

/usr/libexec/xpcproxy
xpcproxy com.apple.accountsd
1⤵
PID:785

/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
1⤵
PID:785

/usr/libexec/xpcproxy
xpcproxy com.apple.accountsd
1⤵
PID:786

/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
1⤵
PID:786

/usr/libexec/xpcproxy
xpcproxy com.apple.security.agent
1⤵
PID:787

/System/Library/Frameworks/Security.framework/Versions/A/MachServices/SecurityAgent.bundle/Contents/MacOS/SecurityAgent
/System/Library/Frameworks/Security.framework/Versions/A/MachServices/SecurityAgent.bundle/Contents/MacOS/SecurityAgent
1⤵
PID:787

/usr/libexec/xpcproxy
xpcproxy com.apple.accountsd
1⤵
PID:788

/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
1⤵
PID:788

/usr/libexec/xpcproxy
xpcproxy com.apple.accountsd
1⤵
PID:789

/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
1⤵
PID:789

/usr/libexec/xpcproxy
xpcproxy com.apple.accountsd
1⤵
PID:790

/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
1⤵
PID:790

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads