evilquest | da678bb2b514960be90afb6e52fb93f4e6f75ccd886fffc5cce850da9a7f4fbc

Analysis

max time kernel
149s
max time network
144s
platform
macos-10.15_amd64
resource
macos-20240214-en
resource tags

arch:amd64arch:i386image:macos-20240214-enkernel:19b77alocale:en-usos:macos-10.15-amd64system
submitted
15-02-2024 04:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-15_1da57b44bc181b051b480c5d4b923728_adload_evilquest
Size

16.1MB
MD5

1da57b44bc181b051b480c5d4b923728
SHA1

394e099c6dbdedc18fed2d812fbdc3eeaa46e6cb
SHA256

da678bb2b514960be90afb6e52fb93f4e6f75ccd886fffc5cce850da9a7f4fbc
SHA512

0fb47aa06ce104e315cd4a1a0ff404608bff3c93f8265729e3effb94d998a4b23fa00f1f623dfbc34c0f8439164a7be395db657d4192f79df45166ea65a55111
SSDEEP

49152:U33dQ333dQkb33dQ333dQkb33dQ333dQk333dQ333dQk933g33dQ333dQkb33dQ2:i

Score

10^/10

evilquest backdoor evasion execution persistence

Malware Config

Signatures

EvilQuest
EvilQuest family.
backdoor evilquest

EvilQuest payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x000000030008af1d-4.dat	family_evilquest
behavioral1/files/0x000000030008af19-3.dat	family_evilquest
behavioral1/files/0x000000030008af29-8.dat	family_evilquest
behavioral1/files/0x000000030008af19-7.dat	family_evilquest

Launch Daemon 1 TTPs
persistence

Launch Daemon
T1543.004

AppleScript 1 TTPs 36 IoCs

execution

AppleScript

T1059.002

Processes:

ioc	Process
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
osascript -e "beep 18 say \"Your files are encrypted\" waiting until completion false set alTitle to \"Many of your important documents, photos, videos, images and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service. We guarantee however that you can recover your files safely and easily and this will cost you 50 USD without any additional fees. Our offer is valid FOR 3 DAYS (starting now!). Full details can be found in the file: READ_ME_NOW.txt located on your Desktop\" set alText to \"Your files are encrypted\" display alert alText message alTitle as critical buttons {\"OK\"} set the clipboard to \"13roGMpWd7Pb3ZoJyce8eoQpfegQvGHHK7\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
sh -c "osascript -e \"beep 18 say \\\"Your files are encrypted\\\" waiting until completion false set alTitle to \\\"Many of your important documents, photos, videos, images and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service. We guarantee however that you can recover your files safely and easily and this will cost you 50 USD without any additional fees. Our offer is valid FOR 3 DAYS (starting now!). Full details can be found in the file: READ_ME_NOW.txt located on your Desktop\\\" set alText to \\\"Your files are encrypted\\\" display alert alText message alTitle as critical buttons {\\\"OK\\\"} set the clipboard to \\\"13roGMpWd7Pb3ZoJyce8eoQpfegQvGHHK7\\\"\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""

Resource Forking 1 TTPs 1 IoCs

evasion

Resource Forking

T1564.009

Processes:

ioc	Process
/System/Library/Frameworks/ApplicationServices.framework/Frameworks/SpeechSynthesis.framework/Resources/com.apple.speech.speechsynthesisd

Launchctl 1 TTPs 64 IoCs

execution

Launchctl

T1569.001

Processes:

ioc	Process
launchctl start questd
launchctl start questd
launchctl start questd
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
launchctl start questd
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
launchctl start questd
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
launchctl start questd
launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
launchctl start questd
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
launchctl start questd
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
launchctl start questd
launchctl start questd
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
launchctl start questd
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
launchctl start questd
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
launchctl start questd
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
launchctl start questd
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
launchctl start questd
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/2024-02-15_1da57b44bc181b051b480c5d4b923728_adload_evilquest\""
1⤵
PID:522

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/2024-02-15_1da57b44bc181b051b480c5d4b923728_adload_evilquest\""
1⤵
PID:522

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/2024-02-15_1da57b44bc181b051b480c5d4b923728_adload_evilquest
1⤵
PID:522
- /bin/zsh
  /bin/zsh -c /Users/run/2024-02-15_1da57b44bc181b051b480c5d4b923728_adload_evilquest
  2⤵
  PID:523
- /Users/run/2024-02-15_1da57b44bc181b051b480c5d4b923728_adload_evilquest
  /Users/run/2024-02-15_1da57b44bc181b051b480c5d4b923728_adload_evilquest
  2⤵
  PID:523

/usr/libexec/dmd
/usr/libexec/dmd
1⤵
PID:517

/usr/libexec/xpcproxy
xpcproxy com.apple.secinitd
1⤵
PID:528

/usr/libexec/secinitd
/usr/libexec/secinitd
1⤵
PID:528

/usr/libexec/xpcproxy
xpcproxy com.apple.sysmond
1⤵
PID:529

/usr/libexec/sysmond
/usr/libexec/sysmond
1⤵
PID:529

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:550

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:550

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
1⤵
PID:550

/usr/libexec/xpcproxy
xpcproxy com.apple.security.authtrampoline
1⤵
PID:551

/System/Library/Frameworks/Security.framework/authtrampoline
/System/Library/Frameworks/Security.framework/authtrampoline
1⤵
PID:551

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:552

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:552
- /bin/launchctl
  launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
  2⤵
  PID:553
- /bin/launchctl
  launchctl start questd
  2⤵
  PID:555

/usr/libexec/xpcproxy
xpcproxy questd
1⤵
PID:554

/usr/bin/sudo
sudo /Library/AppQuest/com.apple.questd --silent
1⤵
PID:554
- /Library/AppQuest/com.apple.questd
  /Library/AppQuest/com.apple.questd --silent
  2⤵
  PID:568
- /var/root/Hellper.app
  2⤵
  PID:568

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:556

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:556

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
1⤵
PID:556

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:557

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:557
- /bin/launchctl
  launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
  2⤵
  PID:558
- /bin/launchctl
  launchctl start questd
  2⤵
  PID:559

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:560

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:560

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
1⤵
PID:560

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:561

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:561
- /bin/launchctl
  launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
  2⤵
  PID:562
- /bin/launchctl
  launchctl start questd
  2⤵
  PID:563

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:564

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:564

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
1⤵
PID:564

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:565

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:565
- /bin/launchctl
  launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
  2⤵
  PID:566
- /bin/launchctl
  launchctl start questd
  2⤵
  PID:567

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:569

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:569

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
1⤵
PID:569

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:570

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:570
- /bin/launchctl
  launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
  2⤵
  PID:571
- /bin/launchctl
  launchctl start questd
  2⤵
  PID:572

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:573

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:573

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
1⤵
PID:573

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:574

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:574
- /bin/launchctl
  launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
  2⤵
  PID:575
- /bin/launchctl
  launchctl start questd
  2⤵
  PID:576

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:577

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:577

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
1⤵
PID:577

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:578

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:578
- /bin/launchctl
  launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
  2⤵
  PID:579
- /bin/launchctl
  launchctl start questd
  2⤵
  PID:580

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:581

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:581

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
1⤵
PID:581

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:582

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:582
- /bin/launchctl
  launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
  2⤵
  PID:583
- /bin/launchctl
  launchctl start questd
  2⤵
  PID:584

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:585

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:585

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
1⤵
PID:585

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:586

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:586
- /bin/launchctl
  launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
  2⤵
  PID:587
- /bin/launchctl
  launchctl start questd
  2⤵
  PID:588

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:589

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:589

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
1⤵
PID:589

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:590

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:590
- /bin/launchctl
  launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
  2⤵
  PID:591
- /bin/launchctl
  launchctl start questd
  2⤵
  PID:592

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:593

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:593

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
1⤵
PID:593

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:594

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:594
- /bin/launchctl
  launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
  2⤵
  PID:595
- /bin/launchctl
  launchctl start questd
  2⤵
  PID:596

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:597

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:597

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
1⤵
PID:597

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:598

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:598
- /bin/launchctl
  launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
  2⤵
  PID:599
- /bin/launchctl
  launchctl start questd
  2⤵
  PID:600

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:602

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:602

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
1⤵
PID:602

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:603

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:603
- /bin/launchctl
  launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
  2⤵
  PID:604
- /bin/launchctl
  launchctl start questd
  2⤵
  PID:605

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:606

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:606

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
1⤵
PID:606

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:607

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:607
- /bin/launchctl
  launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
  2⤵
  PID:608
- /bin/launchctl
  launchctl start questd
  2⤵
  PID:609

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:610

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:610

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
1⤵
PID:610

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:614

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:614
- /bin/launchctl
  launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
  2⤵
  PID:615
- /bin/launchctl
  launchctl start questd
  2⤵
  PID:616

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:617

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:617

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
1⤵
PID:617

/usr/sbin/spctl
/usr/sbin/spctl --assess --type execute /Applications/OneDrive.app
1⤵
PID:618

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:619

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:619
- /bin/launchctl
  launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
  2⤵
  PID:620
- /bin/launchctl
  launchctl start questd
  2⤵
  PID:621

/usr/libexec/xpcproxy
xpcproxy com.apple.assistantd
1⤵
PID:623

/usr/libexec/xpcproxy
xpcproxy com.apple.bird
1⤵
PID:624

/usr/libexec/xpcproxy
xpcproxy com.apple.pbs
1⤵
PID:625

/usr/libexec/xpcproxy
xpcproxy com.apple.accountsd
1⤵
PID:627

/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
1⤵
PID:627

/usr/libexec/xpcproxy
xpcproxy com.apple.accountsd
1⤵
PID:628

/System/Library/CoreServices/pbs
/System/Library/CoreServices/pbs
1⤵
PID:625

/System/Library/PrivateFrameworks/CloudDocsDaemon.framework/Versions/A/Support/bird
/System/Library/PrivateFrameworks/CloudDocsDaemon.framework/Versions/A/Support/bird
1⤵
PID:624

/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
1⤵
PID:628

/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd
/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd
1⤵
PID:623

/bin/launchctl
/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveUpdaterDaemon
1⤵
PID:631

/bin/launchctl
/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveStandaloneUpdaterDaemon
1⤵
PID:632

/usr/libexec/xpcproxy
xpcproxy com.apple.nehelper
1⤵
PID:634

/usr/libexec/nehelper
/usr/libexec/nehelper
1⤵
PID:634

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:636

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:636

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
1⤵
PID:636

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:637

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:637
- /bin/launchctl
  launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
  2⤵
  PID:638
- /bin/launchctl
  launchctl start questd
  2⤵
  PID:639

/bin/sh
sh -c "osascript -e \"beep 18 say \\\"Your files are encrypted\\\" waiting until completion false set alTitle to \\\"Many of your important documents, photos, videos, images and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service. We guarantee however that you can recover your files safely and easily and this will cost you 50 USD without any additional fees. Our offer is valid FOR 3 DAYS (starting now!). Full details can be found in the file: READ_ME_NOW.txt located on your Desktop\\\" set alText to \\\"Your files are encrypted\\\" display alert alText message alTitle as critical buttons {\\\"OK\\\"} set the clipboard to \\\"13roGMpWd7Pb3ZoJyce8eoQpfegQvGHHK7\\\"\""
1⤵
PID:640

/bin/bash
sh -c "osascript -e \"beep 18 say \\\"Your files are encrypted\\\" waiting until completion false set alTitle to \\\"Many of your important documents, photos, videos, images and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service. We guarantee however that you can recover your files safely and easily and this will cost you 50 USD without any additional fees. Our offer is valid FOR 3 DAYS (starting now!). Full details can be found in the file: READ_ME_NOW.txt located on your Desktop\\\" set alText to \\\"Your files are encrypted\\\" display alert alText message alTitle as critical buttons {\\\"OK\\\"} set the clipboard to \\\"13roGMpWd7Pb3ZoJyce8eoQpfegQvGHHK7\\\"\""
1⤵
PID:640

/usr/bin/osascript
osascript -e "beep 18 say \"Your files are encrypted\" waiting until completion false set alTitle to \"Many of your important documents, photos, videos, images and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service. We guarantee however that you can recover your files safely and easily and this will cost you 50 USD without any additional fees. Our offer is valid FOR 3 DAYS (starting now!). Full details can be found in the file: READ_ME_NOW.txt located on your Desktop\" set alText to \"Your files are encrypted\" display alert alText message alTitle as critical buttons {\"OK\"} set the clipboard to \"13roGMpWd7Pb3ZoJyce8eoQpfegQvGHHK7\""
1⤵
PID:640

/usr/libexec/xpcproxy
xpcproxy com.apple.audio.systemsoundserverd
1⤵
PID:641

/usr/sbin/systemsoundserverd
/usr/sbin/systemsoundserverd
1⤵
PID:641

/usr/libexec/xpcproxy
xpcproxy com.apple.audio.AudioComponentRegistrar
1⤵
PID:642

/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar
/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar -daemon
1⤵
PID:642

/usr/libexec/xpcproxy
xpcproxy com.apple.accountsd
1⤵
PID:643

/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
1⤵
PID:643

/usr/libexec/xpcproxy
xpcproxy com.apple.speech.speechsynthesisd
1⤵
PID:648

/System/Library/Frameworks/ApplicationServices.framework/Frameworks/SpeechSynthesis.framework/Resources/com.apple.speech.speechsynthesisd
/System/Library/Frameworks/ApplicationServices.framework/Frameworks/SpeechSynthesis.framework/Resources/com.apple.speech.speechsynthesisd
1⤵
PID:648

/usr/libexec/xpcproxy
xpcproxy com.apple.audio.SandboxHelper 648
1⤵
PID:650

/System/Library/Frameworks/AudioToolbox.framework/XPCServices/com.apple.audio.SandboxHelper.xpc/Contents/MacOS/com.apple.audio.SandboxHelper
/System/Library/Frameworks/AudioToolbox.framework/XPCServices/com.apple.audio.SandboxHelper.xpc/Contents/MacOS/com.apple.audio.SandboxHelper
1⤵
PID:650

/usr/libexec/xpcproxy
xpcproxy com.apple.ReportCrash.Root
1⤵
PID:652

/System/Library/CoreServices/ReportCrash
/System/Library/CoreServices/ReportCrash daemon
1⤵
PID:652

/usr/libexec/xpcproxy
xpcproxy com.apple.accountsd
1⤵
PID:657

/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
1⤵
PID:657

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

AppleScript

T1059.002

System Services

T1569

Launchctl

T1569.001

Persistence

Create or Modify System Process

T1543

Launch Daemon

T1543.004

Privilege Escalation

Create or Modify System Process

T1543

Launch Daemon

T1543.004

Defense Evasion

Hide Artifacts

T1564

Resource Forking

T1564.009

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/Library/AppQuest/com.apple.questd

Filesize
33KB

MD5
4836382b3885529fbd3157c49b66ded7

SHA1
17ec256860fc37f53f00e8e1faf1a16eeea1abb2

SHA256
25a37c9557c2fa173e1f0e1eb985c28c0ebba44b8cb475c385513ce7fc1c050b

SHA512
ad8234d91922ad7caefc8e4dc32639ae41311a49325c523ab733584d3bdf23f318407a424e78e8ac483baa09e3cddb554a19b8c52373cde5b7b0bfda88c635a2

Download Submit
/Library/AppQuest/com.apple.questd

Filesize
13.8MB

MD5
93b8ad9f743df3ff0d8c80ae620d41e4

SHA1
f65fcae21ba80fa2b9dca13d4049c9a8d29cde4d

SHA256
e76caffd928df5eab6171611b8218dd9c12fce19f6bb5ed26523bad4de763eb0

SHA512
8155022d241ade1b6d0a04505a375540acbe97ca439cb125125bcbafab9464e2cae21f705c7a2aca2c3a3b1155e79018180ab6adc9f7f6fe3c25dbe6a4d6bceb

Download Submit
/Library/LaunchDaemons/com.apple.questd.plist

Filesize
435B

MD5
a3d34532a7dd2cd1d73cea75deb0677f

SHA1
3019d1c50907fb2597121c03619990c5670ff6f4

SHA256
779a31e4de99f9de28de8bf064c504382e050c114e2e865cc1f694c7e6339735

SHA512
52618a5f14247c909a3857b122a124d0ddd00890c128cf041976182423b3d728cab11daf5b6a1adb6845d062b54083e72380184b6f76369482305c2782bedd91

Download Submit
/Library/Preferences/com.apple.networkextension.uuidcache.plist

Filesize
42B

MD5
ce7f5b3d4bfc7b4b0da6a06dccc515f2

SHA1
ce657a52a052a3aaf534ecfbf7cbdde4ee334c10

SHA256
9261ecceda608ef174256e5fdc774c1e6e3dcf533409c1bc393d490d01c713f1

SHA512
db9de6afa0e14c347aa0988a985b8a453ef133a2413c03bae0fab48bda34d4f9a488db104837a386bb65c393e8f11b1ed4856b211c1c186423649c147d6aabfb

Download Submit
/Users/run/.CFUserTextEncoding

Filesize
314B

MD5
4cfd65ea66d60eb9480a60862430061c

SHA1
22e5cd7f7947e4ba5e32927e7fa643acfde7f781

SHA256
54f304cbf96331da150bbbc288f72e8f4a583b9a58fb3705090586319390cdae

SHA512
4bf2d09cba82180e1fd85a44b9d2091404a7a34e4a257a6ec53332e107411225ba9f7ade0bf8b8a359452eedf48a45c39ca379742c6c336768aa391c724754a0

Download Submit
/Users/run/Library/AppQuest/com.apple.questd

Filesize
50KB

MD5
ab141c8a86a188bf511ffe5a711ebed8

SHA1
e3927ca1c9553be6584c430323aeef649ca23a0a

SHA256
a9f0240a807cc8285a78bea39c2b844855529ab219bda83fe64bf550f851ff62

SHA512
0240eeb3013dd65306483aba1cf274c4df7e4e156d91eff9e9b49dbad28ca17396e436065df02e860b7f20f6b41161a54d91c7b49d622db0bae39fc9f173d13a

Download Submit
/Users/run/Library/LaunchAgents/com.apple.questd.plist

Filesize
423B

MD5
eb73619f4e724257ff0fd951883a30ae

SHA1
5032251e50b32e340d8171631a598596bad8991e

SHA256
6e56467f3f5502588094c91e2d58bbb1e43c4e8171093db14931dd41788e17d4

SHA512
ec95c395414181bc77c7a2980fbd3fe69b718aa98c878e514c3f28b738e1669488126cbdfa96e3a182afd8536b54bc1791a044fa3535d1fd3fad54dfda337b7c

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C//mds/mdsDirectory.db

Filesize
47KB

MD5
0e4a0d1ceb2af6f0f8d0167ce77be2d3

SHA1
414ba4c1dc5fc8bf53d550e296fd6f5ad669918c

SHA256
cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030

SHA512
1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C//mds/mdsObject.db

Filesize
4KB

MD5
d3a1859e6ec593505cc882e6def48fc8

SHA1
f8e6728e3e9de477a75706faa95cead9ce13cb32

SHA256
3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c

SHA512
ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

Download Submit
/var/root/Library/AppQuest/com.apple.questd

Filesize
10.0MB

MD5
46992b9cec2404383735d013abd85045

SHA1
5486fba2237ad2f45e972376eac9aa419049fd73

SHA256
231bea9e39cf96a0d7626ce6045ed2ebe30c25a0c9235ae19f577309a1084ad7

SHA512
2f009c73429ea44015bef040c5fa9259091a45558b3d663f03b69cb94492615156d9860dd59a6295f2e2344706c5a044fc42efef62fa524aa85ee6b6812dd1cb

Download Submit
/var/root/Library/LaunchAgents/com.apple.questd.plist

Filesize
422B

MD5
70c1e05ff6b32db6e1ef873321abd1f9

SHA1
16878e40cd5a569bc8f441988cc07b66ffc8534a

SHA256
ba60feb2a639cd847674e6599cabf986ede7876231a292785b0365d58b7b9378

SHA512
1e82629b3b1fa7bb88e7efe0393aee7114631555fbfe614d33b9b1efb4d299c35dac5e393f834dcc26a5e192e46e317124c0b841f65ab371819c34802424712e

Download Submit