Malware Analysis Report

2024-11-30 16:10

Sample ID 240212-wrhtmsce28
Target Mixed In Key 8.dmg
SHA256 b34738e181a6119f23e930476ae949fc0c7c4ded6efa003019fa946c4e5b287a
Tags
evilquest backdoor evasion execution persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b34738e181a6119f23e930476ae949fc0c7c4ded6efa003019fa946c4e5b287a

Threat Level: Known bad

The file Mixed In Key 8.dmg was found to be: Known bad.

Malicious Activity Summary

evilquest backdoor evasion execution persistence

EvilQuest

EvilQuest payload

File Permission

Launch Daemon

AppleScript

Resource Forking

Launchctl

Command and Scripting Interpreter

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-12 18:09

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-12 18:09

Reported

2024-02-12 18:09

Platform

macos-20231201-en

Max time kernel

19s

Max time network

34s

Command Line

[sh -c sudo /bin/zsh -c "installer -pkg /Users/run/setup.pkg -target /"]

Signatures

EvilQuest

backdoor evilquest

EvilQuest payload

Description Indicator Process Target
N/A N/A N/A N/A

File Permission

evasion

Launch Daemon

persistence

AppleScript

execution
Description Indicator Process Target
N/A sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" N/A N/A
N/A sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" N/A N/A
N/A sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" N/A N/A
N/A sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" N/A N/A
N/A sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" N/A N/A
N/A sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" N/A N/A
N/A sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" N/A N/A
N/A sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" N/A N/A

Resource Forking

evasion
Description Indicator Process Target
N/A /System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd N/A N/A
N/A /System/Library/PrivateFrameworks/PackageKit.framework/Resources/install_monitor -t /private/var/run/installd.commit.pid N/A N/A
N/A /System/Library/PrivateFrameworks/PackageKit.framework/Resources/shove -f -s /Library/InstallerSandboxes/.PKInstallSandboxManager/794FCF34-7CA9-4AD5-9FF7-9902C9A90F4F.activeSandbox/Root / N/A N/A
N/A /System/Library/PrivateFrameworks/PackageKit.framework/Resources/efw_cache_update -c N/A N/A

Command and Scripting Interpreter

Launchctl

execution
Description Indicator Process Target
N/A sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" N/A N/A
N/A sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" N/A N/A
N/A sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" N/A N/A
N/A sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" N/A N/A
N/A sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" N/A N/A
N/A sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" N/A N/A
N/A sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" N/A N/A
N/A sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" N/A N/A

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "installer -pkg /Users/run/setup.pkg -target /"]

/bin/bash

[sh -c sudo /bin/zsh -c "installer -pkg /Users/run/setup.pkg -target /"]

/usr/bin/sudo

[sudo /bin/zsh -c installer -pkg /Users/run/setup.pkg -target /]

/bin/zsh

[/bin/zsh -c installer -pkg /Users/run/setup.pkg -target /]

/usr/sbin/installer

[installer -pkg /Users/run/setup.pkg -target /]

/usr/libexec/xpcproxy

[xpcproxy com.apple.installd]

/System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd

[/System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd]

/System/Library/PrivateFrameworks/PackageKit.framework/Resources/install_monitor

[/System/Library/PrivateFrameworks/PackageKit.framework/Resources/install_monitor -t /private/var/run/installd.commit.pid]

/System/Library/PrivateFrameworks/PackageKit.framework/Resources/shove

[/System/Library/PrivateFrameworks/PackageKit.framework/Resources/shove -f -s /Library/InstallerSandboxes/.PKInstallSandboxManager/794FCF34-7CA9-4AD5-9FF7-9902C9A90F4F.activeSandbox/Root /]

/tmp/PKInstallSandbox.Plpzpc/Scripts/com.mixedinkey.installer.pir415/postinstall

[/tmp/PKInstallSandbox.Plpzpc/Scripts/com.mixedinkey.installer.pir415/postinstall /Users/run/setup.pkg /Applications / /]

/bin/bash

[/bin/sh /tmp/PKInstallSandbox.Plpzpc/Scripts/com.mixedinkey.installer.pir415/postinstall /Users/run/setup.pkg /Applications / /]

/bin/mkdir

[mkdir /Library/mixednkey]

/bin/mv

[mv /Applications/Utils/patch /Library/mixednkey/toolroomd]

/bin/rmdir

[rmdir /Application/Utils]

/bin/chmod

[chmod +x /Library/mixednkey/toolroomd]

/Library/mixednkey/toolroomd

[/Library/mixednkey/toolroomd]

/System/Library/PrivateFrameworks/PackageKit.framework/Resources/efw_cache_update

[/System/Library/PrivateFrameworks/PackageKit.framework/Resources/efw_cache_update -c]

/bin/sh

[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]

/bin/bash

[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]

/bin/sh

[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]

/bin/bash

[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]

/bin/sh

[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]

/bin/bash

[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]

/bin/sh

[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]

/bin/bash

[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]

/bin/sh

[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]

/bin/bash

[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]

/usr/libexec/xpcproxy

[xpcproxy com.apple.bird]

/System/Library/PrivateFrameworks/CloudDocsDaemon.framework/Versions/A/Support/bird

[/System/Library/PrivateFrameworks/CloudDocsDaemon.framework/Versions/A/Support/bird]

/bin/sh

[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]

/bin/bash

[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]

/bin/sh

[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]

/bin/bash

[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]

/bin/sh

[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]

/bin/bash

[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]

Network

Country Destination Domain Proto
US 8.8.8.8:53 16.courier-push-apple.com.akadns.net udp
DE 17.57.146.39:5223 tcp
DE 17.57.146.42:5223 tcp
US 20.189.173.2:443 tcp
US 20.189.173.9:443 tcp
US 8.8.8.8:53 e673.dsce9.akamaiedge.net udp
US 8.8.8.8:53 certs.apple.com udp
GB 17.253.29.199:80 certs.apple.com tcp
US 8.8.8.8:53 25.courier-push-apple.com.akadns.net udp
NL 17.248.236.65:443 tcp
US 8.8.8.8:53 49.courier-push-apple.com.akadns.net udp
US 8.8.8.8:53 andrewka6.pythonanywhere.com udp
US 35.173.69.207:80 andrewka6.pythonanywhere.com tcp
US 8.8.8.8:53 udp
US 35.173.69.207:80 andrewka6.pythonanywhere.com tcp

Files

/Library/InstallerSandboxes/.PKInstallSandboxManager/794FCF34-7CA9-4AD5-9FF7-9902C9A90F4F.activeSandbox/Scripts/com.mixedinkey.installer.pir415//Scripts/._postinstall__

MD5 5f57248f8a15969f55f716d8e7ce1447
SHA1 2daf28e0b224464534eecc6576c5b87e05cad4a7
SHA256 03ee1b034d79af0d5bc807f1560e7ffd5554ff56fcf29a47b3ac5db4f7fa4eb5
SHA512 2d9a3e97a5b991d9d22ef5e008f1828b9a7f8b8aa35111250edf45f9ed3f772378119f2a8c18cf5d1141f34d0b04200eadc7b75f1aaa57e0c15083c28f73c5c7

/private/var/run/installd.commit.pid

MD5 58ae749f25eded36f486bc85feb3f0ab
SHA1 77c8184f671aa0397dd897541ed5ec0a8be0380b
SHA256 04edd1d7736883194af3ddb232c337e53d17bc93cfd2140c4f4c4e0d966798b1
SHA512 06ee59456a6a1e2f31848ab7b9dc3f02ea09459f69821447d3061685b79eb7fb8f1fd57adb5e22a4734bbeba5113162ee91c0fdfb691c3991e493e215f509379

/tmp/PKInstallSandbox.Plpzpc/Scripts/com.mixedinkey.installer.pir415/postinstall

MD5 03fc4e3ef9bdbccd7ea68537970ce472
SHA1 7cc289badfe38c5677175fa38810e0e18c51e1d3
SHA256 abcce423690c96a06414f68090db40cbdaee12b67f90d1ca64bddbdc1d11d097
SHA512 6f089d9c977fabc18e0a599c8239200031b6eeed1fbbd2f8197bb82e7cdd8f695b220902bef49276c6b1ca8784ebc3503aba841146a4ce36b1b571703e832bf1

/Library/InstallerSandboxes/.PKInstallSandboxManager/794FCF34-7CA9-4AD5-9FF7-9902C9A90F4F.activeSandbox/Boms/com.mixedinkey.installer.bom

MD5 0f07cb15d467adba0a80120ef583d92c
SHA1 9a66033fcbbd2c4a4ad82d173b7d686febcd7509
SHA256 977d7b35b060620e979cd8337ef0e4972afc08388986354b7a6b57763d0450d4
SHA512 e681f21eb24279dd9bf4f9c9f339f075e6e948d497fb42c4bf614425c4c62bae8fb9e71d9efc61a50f3d6957c211aaebbc20d36836a0d212d96950c252f93561

/Library/AppQuest/com.apple.questd

MD5 322f4fb8f257a2e651b128c41df92b1d
SHA1 efbb681a61967e6f5a811f8649ec26efe16f50ae
SHA256 5a024ffabefa6082031dccdb1e74a7fec9f60f257cd0b1ab0f698ba2a5baca6b
SHA512 33c8cf815e4b37a3481c0ba4dfb14a4735a46575f6f70d5b351a8595e4ec8886224577c89c80d726f2e3d7cf2460d0cdd983379acb5fda0a9b7310f86c988e53

/Library/LaunchDaemons/com.apple.questd.plist

MD5 a3d34532a7dd2cd1d73cea75deb0677f
SHA1 3019d1c50907fb2597121c03619990c5670ff6f4
SHA256 779a31e4de99f9de28de8bf064c504382e050c114e2e865cc1f694c7e6339735
SHA512 52618a5f14247c909a3857b122a124d0ddd00890c128cf041976182423b3d728cab11daf5b6a1adb6845d062b54083e72380184b6f76369482305c2782bedd91

/Users/run/Library/LaunchAgents/com.apple.questd.plist

MD5 eb73619f4e724257ff0fd951883a30ae
SHA1 5032251e50b32e340d8171631a598596bad8991e
SHA256 6e56467f3f5502588094c91e2d58bbb1e43c4e8171093db14931dd41788e17d4
SHA512 ec95c395414181bc77c7a2980fbd3fe69b718aa98c878e514c3f28b738e1669488126cbdfa96e3a182afd8536b54bc1791a044fa3535d1fd3fad54dfda337b7c

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-12 18:09

Reported

2024-02-12 18:09

Platform

macos-20231201-en

Max time kernel

21s

Max time network

26s

Command Line

[sh -c sudo /bin/zsh -c "installer -pkg /Users/run/setup.pkg -target /"]

Signatures

EvilQuest

backdoor evilquest

EvilQuest payload

Description Indicator Process Target
N/A N/A N/A N/A

File Permission

evasion

Launch Daemon

persistence

AppleScript

execution
Description Indicator Process Target
N/A sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" N/A N/A
N/A sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" N/A N/A
N/A sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" N/A N/A
N/A sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" N/A N/A
N/A sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" N/A N/A
N/A sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" N/A N/A
N/A sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" N/A N/A

Resource Forking

evasion
Description Indicator Process Target
N/A /System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd N/A N/A
N/A /System/Library/PrivateFrameworks/PackageKit.framework/Resources/install_monitor -t /private/var/run/installd.commit.pid N/A N/A
N/A /System/Library/PrivateFrameworks/PackageKit.framework/Resources/shove -f -s /Library/InstallerSandboxes/.PKInstallSandboxManager/3705FEBE-A619-424F-8083-E69CA7A4C9CB.activeSandbox/Root / N/A N/A
N/A /System/Library/PrivateFrameworks/PackageKit.framework/Resources/efw_cache_update -c N/A N/A

Command and Scripting Interpreter

Launchctl

execution
Description Indicator Process Target
N/A sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" N/A N/A
N/A sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" N/A N/A
N/A sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" N/A N/A
N/A sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" N/A N/A
N/A sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" N/A N/A
N/A sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" N/A N/A
N/A sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" N/A N/A

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "installer -pkg /Users/run/setup.pkg -target /"]

/bin/bash

[sh -c sudo /bin/zsh -c "installer -pkg /Users/run/setup.pkg -target /"]

/usr/bin/sudo

[sudo /bin/zsh -c installer -pkg /Users/run/setup.pkg -target /]

/bin/zsh

[/bin/zsh -c installer -pkg /Users/run/setup.pkg -target /]

/usr/sbin/installer

[installer -pkg /Users/run/setup.pkg -target /]

/usr/libexec/xpcproxy

[xpcproxy com.apple.installd]

/System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd

[/System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd]

/System/Library/PrivateFrameworks/PackageKit.framework/Resources/install_monitor

[/System/Library/PrivateFrameworks/PackageKit.framework/Resources/install_monitor -t /private/var/run/installd.commit.pid]

/System/Library/PrivateFrameworks/PackageKit.framework/Resources/shove

[/System/Library/PrivateFrameworks/PackageKit.framework/Resources/shove -f -s /Library/InstallerSandboxes/.PKInstallSandboxManager/3705FEBE-A619-424F-8083-E69CA7A4C9CB.activeSandbox/Root /]

/tmp/PKInstallSandbox.xTu1hK/Scripts/com.mixedinkey.installer.pPlrbu/postinstall

[/tmp/PKInstallSandbox.xTu1hK/Scripts/com.mixedinkey.installer.pPlrbu/postinstall /Users/run/setup.pkg /Applications / /]

/bin/bash

[/bin/sh /tmp/PKInstallSandbox.xTu1hK/Scripts/com.mixedinkey.installer.pPlrbu/postinstall /Users/run/setup.pkg /Applications / /]

/bin/mkdir

[mkdir /Library/mixednkey]

/bin/mv

[mv /Applications/Utils/patch /Library/mixednkey/toolroomd]

/bin/rmdir

[rmdir /Application/Utils]

/bin/chmod

[chmod +x /Library/mixednkey/toolroomd]

/Library/mixednkey/toolroomd

[/Library/mixednkey/toolroomd]

/System/Library/PrivateFrameworks/PackageKit.framework/Resources/efw_cache_update

[/System/Library/PrivateFrameworks/PackageKit.framework/Resources/efw_cache_update -c]

/bin/sh

[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]

/bin/bash

[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]

/bin/sh

[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]

/bin/bash

[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]

/bin/sh

[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]

/bin/bash

[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]

/bin/sh

[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]

/bin/bash

[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]

/bin/sh

[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]

/bin/bash

[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]

/bin/sh

[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]

/bin/bash

[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]

/usr/libexec/xpcproxy

[xpcproxy com.apple.pbs]

/bin/sh

[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]

/bin/bash

[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]

Network

Country Destination Domain Proto
US 52.182.143.211:443 tcp
US 8.8.8.8:53 andrewka6.pythonanywhere.com udp
US 35.173.69.207:80 andrewka6.pythonanywhere.com tcp
US 8.8.8.8:53 udp
US 35.173.69.207:80 andrewka6.pythonanywhere.com tcp

Files

/Library/InstallerSandboxes/.PKInstallSandboxManager/3705FEBE-A619-424F-8083-E69CA7A4C9CB.activeSandbox/Scripts/com.mixedinkey.installer.pPlrbu//Scripts/._postinstall__

MD5 5f57248f8a15969f55f716d8e7ce1447
SHA1 2daf28e0b224464534eecc6576c5b87e05cad4a7
SHA256 03ee1b034d79af0d5bc807f1560e7ffd5554ff56fcf29a47b3ac5db4f7fa4eb5
SHA512 2d9a3e97a5b991d9d22ef5e008f1828b9a7f8b8aa35111250edf45f9ed3f772378119f2a8c18cf5d1141f34d0b04200eadc7b75f1aaa57e0c15083c28f73c5c7

/private/var/run/installd.commit.pid

MD5 c75b6f114c23a4d7ea11331e7c00e73c
SHA1 3219b5be78da72e80e0918d458b9ece3825a68e1
SHA256 fadb19bfbddde11ed6828a22e742cc97f5589ce48ac8ec8f94a6510ad5f16b8b
SHA512 ef55732bbcf0f2ba4d2c29de31cbb85eedf5604aad2136b78c229c14f705b49c6ba1548b1398f701e9ecf321b9059d9cbffc5da58e8debf8dd7f002e679c1d12

/tmp/PKInstallSandbox.xTu1hK/Scripts/com.mixedinkey.installer.pPlrbu/postinstall

MD5 03fc4e3ef9bdbccd7ea68537970ce472
SHA1 7cc289badfe38c5677175fa38810e0e18c51e1d3
SHA256 abcce423690c96a06414f68090db40cbdaee12b67f90d1ca64bddbdc1d11d097
SHA512 6f089d9c977fabc18e0a599c8239200031b6eeed1fbbd2f8197bb82e7cdd8f695b220902bef49276c6b1ca8784ebc3503aba841146a4ce36b1b571703e832bf1

/Library/InstallerSandboxes/.PKInstallSandboxManager/3705FEBE-A619-424F-8083-E69CA7A4C9CB.activeSandbox/Boms/com.mixedinkey.installer.bom

MD5 0f07cb15d467adba0a80120ef583d92c
SHA1 9a66033fcbbd2c4a4ad82d173b7d686febcd7509
SHA256 977d7b35b060620e979cd8337ef0e4972afc08388986354b7a6b57763d0450d4
SHA512 e681f21eb24279dd9bf4f9c9f339f075e6e948d497fb42c4bf614425c4c62bae8fb9e71d9efc61a50f3d6957c211aaebbc20d36836a0d212d96950c252f93561

/Library/AppQuest/com.apple.questd

MD5 322f4fb8f257a2e651b128c41df92b1d
SHA1 efbb681a61967e6f5a811f8649ec26efe16f50ae
SHA256 5a024ffabefa6082031dccdb1e74a7fec9f60f257cd0b1ab0f698ba2a5baca6b
SHA512 33c8cf815e4b37a3481c0ba4dfb14a4735a46575f6f70d5b351a8595e4ec8886224577c89c80d726f2e3d7cf2460d0cdd983379acb5fda0a9b7310f86c988e53

/Library/LaunchDaemons/com.apple.questd.plist

MD5 a3d34532a7dd2cd1d73cea75deb0677f
SHA1 3019d1c50907fb2597121c03619990c5670ff6f4
SHA256 779a31e4de99f9de28de8bf064c504382e050c114e2e865cc1f694c7e6339735
SHA512 52618a5f14247c909a3857b122a124d0ddd00890c128cf041976182423b3d728cab11daf5b6a1adb6845d062b54083e72380184b6f76369482305c2782bedd91

/Users/run/Library/LaunchAgents/com.apple.questd.plist

MD5 eb73619f4e724257ff0fd951883a30ae
SHA1 5032251e50b32e340d8171631a598596bad8991e
SHA256 6e56467f3f5502588094c91e2d58bbb1e43c4e8171093db14931dd41788e17d4
SHA512 ec95c395414181bc77c7a2980fbd3fe69b718aa98c878e514c3f28b738e1669488126cbdfa96e3a182afd8536b54bc1791a044fa3535d1fd3fad54dfda337b7c