Analysis Overview
SHA256
da678bb2b514960be90afb6e52fb93f4e6f75ccd886fffc5cce850da9a7f4fbc
Threat Level: Known bad
The file 2024-02-15_1da57b44bc181b051b480c5d4b923728_adload_evilquest was found to be: Known bad.
Malicious Activity Summary
EvilQuest payload
Evilquest family
EvilQuest
Launch Daemon
AppleScript
Resource Forking
Launchctl
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-15 04:25
Signatures
EvilQuest payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Evilquest family
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-15 04:25
Reported
2024-02-15 04:28
Platform
macos-20240214-en
Max time kernel
149s
Max time network
144s
Command Line
Signatures
EvilQuest
EvilQuest payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Launch Daemon
AppleScript
| Description | Indicator | Process | Target |
| N/A | osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" | N/A | N/A |
| N/A | sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" | N/A | N/A |
| N/A | osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" | N/A | N/A |
| N/A | osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" | N/A | N/A |
| N/A | osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" | N/A | N/A |
| N/A | osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" | N/A | N/A |
| N/A | sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" | N/A | N/A |
| N/A | sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" | N/A | N/A |
| N/A | osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" | N/A | N/A |
| N/A | osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" | N/A | N/A |
| N/A | sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" | N/A | N/A |
| N/A | sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" | N/A | N/A |
| N/A | osascript -e "beep 18 say \"Your files are encrypted\" waiting until completion false set alTitle to \"Many of your important documents, photos, videos, images and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service. We guarantee however that you can recover your files safely and easily and this will cost you 50 USD without any additional fees. Our offer is valid FOR 3 DAYS (starting now!). Full details can be found in the file: READ_ME_NOW.txt located on your Desktop\" set alText to \"Your files are encrypted\" display alert alText message alTitle as critical buttons {\"OK\"} set the clipboard to \"13roGMpWd7Pb3ZoJyce8eoQpfegQvGHHK7\"" | N/A | N/A |
| N/A | sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" | N/A | N/A |
| N/A | sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" | N/A | N/A |
| N/A | sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" | N/A | N/A |
| N/A | osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" | N/A | N/A |
| N/A | osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" | N/A | N/A |
| N/A | sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" | N/A | N/A |
| N/A | osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" | N/A | N/A |
| N/A | osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" | N/A | N/A |
| N/A | sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" | N/A | N/A |
| N/A | sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" | N/A | N/A |
| N/A | sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" | N/A | N/A |
| N/A | osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" | N/A | N/A |
| N/A | sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" | N/A | N/A |
| N/A | osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" | N/A | N/A |
| N/A | sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" | N/A | N/A |
| N/A | sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" | N/A | N/A |
| N/A | osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" | N/A | N/A |
| N/A | osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" | N/A | N/A |
| N/A | osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" | N/A | N/A |
| N/A | osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" | N/A | N/A |
| N/A | sh -c "osascript -e \"beep 18 say \\\"Your files are encrypted\\\" waiting until completion false set alTitle to \\\"Many of your important documents, photos, videos, images and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service. We guarantee however that you can recover your files safely and easily and this will cost you 50 USD without any additional fees. Our offer is valid FOR 3 DAYS (starting now!). Full details can be found in the file: READ_ME_NOW.txt located on your Desktop\\\" set alText to \\\"Your files are encrypted\\\" display alert alText message alTitle as critical buttons {\\\"OK\\\"} set the clipboard to \\\"13roGMpWd7Pb3ZoJyce8eoQpfegQvGHHK7\\\"\"" | N/A | N/A |
| N/A | sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" | N/A | N/A |
| N/A | sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" | N/A | N/A |
Resource Forking
| Description | Indicator | Process | Target |
| N/A | /System/Library/Frameworks/ApplicationServices.framework/Frameworks/SpeechSynthesis.framework/Resources/com.apple.speech.speechsynthesisd | N/A | N/A |
Launchctl
| Description | Indicator | Process | Target |
| N/A | launchctl start questd | N/A | N/A |
| N/A | launchctl start questd | N/A | N/A |
| N/A | launchctl start questd | N/A | N/A |
| N/A | osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" | N/A | N/A |
| N/A | /bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" | N/A | N/A |
| N/A | osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" | N/A | N/A |
| N/A | launchctl start questd | N/A | N/A |
| N/A | /bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" | N/A | N/A |
| N/A | launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist | N/A | N/A |
| N/A | sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" | N/A | N/A |
| N/A | launchctl start questd | N/A | N/A |
| N/A | sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" | N/A | N/A |
| N/A | launchctl start questd | N/A | N/A |
| N/A | launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist | N/A | N/A |
| N/A | launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist | N/A | N/A |
| N/A | launchctl start questd | N/A | N/A |
| N/A | /bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" | N/A | N/A |
| N/A | /bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" | N/A | N/A |
| N/A | launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist | N/A | N/A |
| N/A | sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" | N/A | N/A |
| N/A | /bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" | N/A | N/A |
| N/A | /bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" | N/A | N/A |
| N/A | osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" | N/A | N/A |
| N/A | launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist | N/A | N/A |
| N/A | sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" | N/A | N/A |
| N/A | /bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" | N/A | N/A |
| N/A | launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist | N/A | N/A |
| N/A | sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" | N/A | N/A |
| N/A | sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" | N/A | N/A |
| N/A | launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist | N/A | N/A |
| N/A | launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist | N/A | N/A |
| N/A | sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" | N/A | N/A |
| N/A | osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" | N/A | N/A |
| N/A | /bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" | N/A | N/A |
| N/A | launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist | N/A | N/A |
| N/A | launchctl start questd | N/A | N/A |
| N/A | sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" | N/A | N/A |
| N/A | sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" | N/A | N/A |
| N/A | osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" | N/A | N/A |
| N/A | launchctl start questd | N/A | N/A |
| N/A | launchctl start questd | N/A | N/A |
| N/A | sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" | N/A | N/A |
| N/A | /bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" | N/A | N/A |
| N/A | launchctl start questd | N/A | N/A |
| N/A | sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" | N/A | N/A |
| N/A | osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" | N/A | N/A |
| N/A | launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist | N/A | N/A |
| N/A | sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" | N/A | N/A |
| N/A | launchctl start questd | N/A | N/A |
| N/A | osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" | N/A | N/A |
| N/A | osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" | N/A | N/A |
| N/A | osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" | N/A | N/A |
| N/A | launchctl start questd | N/A | N/A |
| N/A | /bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" | N/A | N/A |
| N/A | launchctl start questd | N/A | N/A |
| N/A | /bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" | N/A | N/A |
| N/A | osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" | N/A | N/A |
| N/A | launchctl start questd | N/A | N/A |
| N/A | /bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" | N/A | N/A |
| N/A | /bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" | N/A | N/A |
| N/A | launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist | N/A | N/A |
| N/A | launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist | N/A | N/A |
| N/A | /bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" | N/A | N/A |
| N/A | /bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" | N/A | N/A |
Processes
/bin/sh
[sh -c sudo /bin/zsh -c "/Users/run/2024-02-15_1da57b44bc181b051b480c5d4b923728_adload_evilquest"]
/bin/bash
[sh -c sudo /bin/zsh -c "/Users/run/2024-02-15_1da57b44bc181b051b480c5d4b923728_adload_evilquest"]
/usr/bin/sudo
[sudo /bin/zsh -c /Users/run/2024-02-15_1da57b44bc181b051b480c5d4b923728_adload_evilquest]
/bin/zsh
[/bin/zsh -c /Users/run/2024-02-15_1da57b44bc181b051b480c5d4b923728_adload_evilquest]
/Users/run/2024-02-15_1da57b44bc181b051b480c5d4b923728_adload_evilquest
[/Users/run/2024-02-15_1da57b44bc181b051b480c5d4b923728_adload_evilquest]
/usr/libexec/dmd
[/usr/libexec/dmd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.secinitd]
/usr/libexec/secinitd
[/usr/libexec/secinitd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.sysmond]
/usr/libexec/sysmond
[/usr/libexec/sysmond]
/bin/sh
[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/bin/bash
[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/usr/bin/osascript
[osascript -e do shell script "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" with administrator privileges]
/usr/libexec/xpcproxy
[xpcproxy com.apple.security.authtrampoline]
/System/Library/Frameworks/Security.framework/authtrampoline
[/System/Library/Frameworks/Security.framework/authtrampoline]
/bin/sh
[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/bash
[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/launchctl
[launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist]
/usr/libexec/xpcproxy
[xpcproxy questd]
/bin/launchctl
[launchctl start questd]
/usr/bin/sudo
[sudo /Library/AppQuest/com.apple.questd --silent]
/bin/sh
[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/bin/bash
[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/usr/bin/osascript
[osascript -e do shell script "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" with administrator privileges]
/bin/sh
[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/bash
[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/launchctl
[launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist]
/bin/launchctl
[launchctl start questd]
/bin/sh
[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/bin/bash
[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/usr/bin/osascript
[osascript -e do shell script "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" with administrator privileges]
/bin/sh
[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/bash
[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/launchctl
[launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist]
/bin/launchctl
[launchctl start questd]
/bin/sh
[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/bin/bash
[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/usr/bin/osascript
[osascript -e do shell script "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" with administrator privileges]
/bin/sh
[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/bash
[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/launchctl
[launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist]
/bin/launchctl
[launchctl start questd]
/Library/AppQuest/com.apple.questd
[/Library/AppQuest/com.apple.questd --silent]
/bin/sh
[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/bin/bash
[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/usr/bin/osascript
[osascript -e do shell script "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" with administrator privileges]
/bin/sh
[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/bash
[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/launchctl
[launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist]
/bin/launchctl
[launchctl start questd]
/bin/sh
[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/bin/bash
[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/usr/bin/osascript
[osascript -e do shell script "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" with administrator privileges]
/bin/sh
[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/bash
[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/launchctl
[launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist]
/bin/launchctl
[launchctl start questd]
/bin/sh
[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/bin/bash
[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/usr/bin/osascript
[osascript -e do shell script "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" with administrator privileges]
/bin/sh
[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/bash
[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/launchctl
[launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist]
/bin/launchctl
[launchctl start questd]
/bin/sh
[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/bin/bash
[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/usr/bin/osascript
[osascript -e do shell script "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" with administrator privileges]
/bin/sh
[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/bash
[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/launchctl
[launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist]
/bin/launchctl
[launchctl start questd]
/bin/sh
[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/bin/bash
[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/usr/bin/osascript
[osascript -e do shell script "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" with administrator privileges]
/bin/sh
[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/bash
[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/launchctl
[launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist]
/bin/launchctl
[launchctl start questd]
/bin/sh
[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/bin/bash
[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/usr/bin/osascript
[osascript -e do shell script "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" with administrator privileges]
/bin/sh
[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/bash
[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/launchctl
[launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist]
/bin/launchctl
[launchctl start questd]
/bin/sh
[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/bin/bash
[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/usr/bin/osascript
[osascript -e do shell script "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" with administrator privileges]
/bin/sh
[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/bash
[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/launchctl
[launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist]
/bin/launchctl
[launchctl start questd]
/bin/sh
[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/bin/bash
[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/usr/bin/osascript
[osascript -e do shell script "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" with administrator privileges]
/bin/sh
[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/bash
[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/launchctl
[launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist]
/bin/launchctl
[launchctl start questd]
/bin/sh
[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/bin/bash
[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/usr/bin/osascript
[osascript -e do shell script "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" with administrator privileges]
/bin/sh
[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/bash
[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/launchctl
[launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist]
/bin/launchctl
[launchctl start questd]
/bin/sh
[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/bin/bash
[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/usr/bin/osascript
[osascript -e do shell script "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" with administrator privileges]
/bin/sh
[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/bash
[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/launchctl
[launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist]
/bin/launchctl
[launchctl start questd]
/bin/sh
[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/bin/bash
[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/usr/bin/osascript
[osascript -e do shell script "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" with administrator privileges]
/bin/sh
[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/bash
[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/launchctl
[launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist]
/bin/launchctl
[launchctl start questd]
/bin/sh
[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/bin/bash
[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/usr/bin/osascript
[osascript -e do shell script "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" with administrator privileges]
/usr/sbin/spctl
[/usr/sbin/spctl --assess --type execute /Applications/OneDrive.app]
/bin/sh
[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/bash
[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/launchctl
[launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist]
/bin/launchctl
[launchctl start questd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.assistantd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.bird]
/usr/libexec/xpcproxy
[xpcproxy com.apple.pbs]
/usr/libexec/xpcproxy
[xpcproxy com.apple.accountsd]
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
[/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.accountsd]
/System/Library/CoreServices/pbs
[/System/Library/CoreServices/pbs]
/System/Library/PrivateFrameworks/CloudDocsDaemon.framework/Versions/A/Support/bird
[/System/Library/PrivateFrameworks/CloudDocsDaemon.framework/Versions/A/Support/bird]
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
[/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd]
/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd
[/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd]
/bin/launchctl
[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveUpdaterDaemon]
/bin/launchctl
[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveStandaloneUpdaterDaemon]
/usr/libexec/xpcproxy
[xpcproxy com.apple.nehelper]
/usr/libexec/nehelper
[/usr/libexec/nehelper]
/bin/sh
[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/bin/bash
[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/usr/bin/osascript
[osascript -e do shell script "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" with administrator privileges]
/bin/sh
[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/bash
[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/launchctl
[launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist]
/bin/launchctl
[launchctl start questd]
/bin/sh
[sh -c osascript -e "beep 18 say \"Your files are encrypted\" waiting until completion false set alTitle to \"Many of your important documents, photos, videos, images and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service. We guarantee however that you can recover your files safely and easily and this will cost you 50 USD without any additional fees. Our offer is valid FOR 3 DAYS (starting now!). Full details can be found in the file: READ_ME_NOW.txt located on your Desktop\" set alText to \"Your files are encrypted\" display alert alText message alTitle as critical buttons {\"OK\"} set the clipboard to \"13roGMpWd7Pb3ZoJyce8eoQpfegQvGHHK7\""]
/bin/bash
[sh -c osascript -e "beep 18 say \"Your files are encrypted\" waiting until completion false set alTitle to \"Many of your important documents, photos, videos, images and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service. We guarantee however that you can recover your files safely and easily and this will cost you 50 USD without any additional fees. Our offer is valid FOR 3 DAYS (starting now!). Full details can be found in the file: READ_ME_NOW.txt located on your Desktop\" set alText to \"Your files are encrypted\" display alert alText message alTitle as critical buttons {\"OK\"} set the clipboard to \"13roGMpWd7Pb3ZoJyce8eoQpfegQvGHHK7\""]
/usr/bin/osascript
[osascript -e beep 18 say "Your files are encrypted" waiting until completion false set alTitle to "Many of your important documents, photos, videos, images and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service. We guarantee however that you can recover your files safely and easily and this will cost you 50 USD without any additional fees. Our offer is valid FOR 3 DAYS (starting now!). Full details can be found in the file: READ_ME_NOW.txt located on your Desktop" set alText to "Your files are encrypted" display alert alText message alTitle as critical buttons {"OK"} set the clipboard to "13roGMpWd7Pb3ZoJyce8eoQpfegQvGHHK7"]
/usr/libexec/xpcproxy
[xpcproxy com.apple.audio.systemsoundserverd]
/usr/sbin/systemsoundserverd
[/usr/sbin/systemsoundserverd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.audio.AudioComponentRegistrar]
/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar
[/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar -daemon]
/usr/libexec/xpcproxy
[xpcproxy com.apple.accountsd]
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
[/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.speech.speechsynthesisd]
/System/Library/Frameworks/ApplicationServices.framework/Frameworks/SpeechSynthesis.framework/Resources/com.apple.speech.speechsynthesisd
[/System/Library/Frameworks/ApplicationServices.framework/Frameworks/SpeechSynthesis.framework/Resources/com.apple.speech.speechsynthesisd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.audio.SandboxHelper 648]
/System/Library/Frameworks/AudioToolbox.framework/XPCServices/com.apple.audio.SandboxHelper.xpc/Contents/MacOS/com.apple.audio.SandboxHelper
[/System/Library/Frameworks/AudioToolbox.framework/XPCServices/com.apple.audio.SandboxHelper.xpc/Contents/MacOS/com.apple.audio.SandboxHelper]
/usr/libexec/xpcproxy
[xpcproxy com.apple.ReportCrash.Root]
/var/root/Hellper.app
/System/Library/CoreServices/ReportCrash
[/System/Library/CoreServices/ReportCrash daemon]
/usr/libexec/xpcproxy
[xpcproxy com.apple.accountsd]
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
[/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd]
Network
| Country | Destination | Domain | Proto |
| US | 52.182.143.208:443 | tcp | |
| US | 8.8.8.8:53 | andrewka6.pythonanywhere.com | udp |
| US | 35.173.69.207:80 | andrewka6.pythonanywhere.com | tcp |
| US | 8.8.8.8:53 | udp | |
| US | 35.173.69.207:80 | andrewka6.pythonanywhere.com | tcp |
| US | 35.173.69.207:80 | andrewka6.pythonanywhere.com | tcp |
| US | 8.8.8.8:53 | mobile.events.data.trafficmanager.net | udp |
| US | 52.182.143.208:443 | tcp | |
| US | 35.173.69.207:80 | andrewka6.pythonanywhere.com | tcp |
| US | 17.137.170.10:443 | tcp | |
| US | 17.137.170.34:443 | tcp | |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | bag-cdn-lb.itunes-apple.com.akadns.net | udp |
Files
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C//mds/mdsObject.db
| MD5 | d3a1859e6ec593505cc882e6def48fc8 |
| SHA1 | f8e6728e3e9de477a75706faa95cead9ce13cb32 |
| SHA256 | 3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c |
| SHA512 | ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818 |
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C//mds/mdsDirectory.db
| MD5 | 0e4a0d1ceb2af6f0f8d0167ce77be2d3 |
| SHA1 | 414ba4c1dc5fc8bf53d550e296fd6f5ad669918c |
| SHA256 | cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030 |
| SHA512 | 1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20 |
/Users/run/Library/AppQuest/com.apple.questd
| MD5 | ab141c8a86a188bf511ffe5a711ebed8 |
| SHA1 | e3927ca1c9553be6584c430323aeef649ca23a0a |
| SHA256 | a9f0240a807cc8285a78bea39c2b844855529ab219bda83fe64bf550f851ff62 |
| SHA512 | 0240eeb3013dd65306483aba1cf274c4df7e4e156d91eff9e9b49dbad28ca17396e436065df02e860b7f20f6b41161a54d91c7b49d622db0bae39fc9f173d13a |
/Library/AppQuest/com.apple.questd
| MD5 | 4836382b3885529fbd3157c49b66ded7 |
| SHA1 | 17ec256860fc37f53f00e8e1faf1a16eeea1abb2 |
| SHA256 | 25a37c9557c2fa173e1f0e1eb985c28c0ebba44b8cb475c385513ce7fc1c050b |
| SHA512 | ad8234d91922ad7caefc8e4dc32639ae41311a49325c523ab733584d3bdf23f318407a424e78e8ac483baa09e3cddb554a19b8c52373cde5b7b0bfda88c635a2 |
/Library/LaunchDaemons/com.apple.questd.plist
| MD5 | a3d34532a7dd2cd1d73cea75deb0677f |
| SHA1 | 3019d1c50907fb2597121c03619990c5670ff6f4 |
| SHA256 | 779a31e4de99f9de28de8bf064c504382e050c114e2e865cc1f694c7e6339735 |
| SHA512 | 52618a5f14247c909a3857b122a124d0ddd00890c128cf041976182423b3d728cab11daf5b6a1adb6845d062b54083e72380184b6f76369482305c2782bedd91 |
/Users/run/Library/LaunchAgents/com.apple.questd.plist
| MD5 | eb73619f4e724257ff0fd951883a30ae |
| SHA1 | 5032251e50b32e340d8171631a598596bad8991e |
| SHA256 | 6e56467f3f5502588094c91e2d58bbb1e43c4e8171093db14931dd41788e17d4 |
| SHA512 | ec95c395414181bc77c7a2980fbd3fe69b718aa98c878e514c3f28b738e1669488126cbdfa96e3a182afd8536b54bc1791a044fa3535d1fd3fad54dfda337b7c |
/var/root/Library/AppQuest/com.apple.questd
| MD5 | 46992b9cec2404383735d013abd85045 |
| SHA1 | 5486fba2237ad2f45e972376eac9aa419049fd73 |
| SHA256 | 231bea9e39cf96a0d7626ce6045ed2ebe30c25a0c9235ae19f577309a1084ad7 |
| SHA512 | 2f009c73429ea44015bef040c5fa9259091a45558b3d663f03b69cb94492615156d9860dd59a6295f2e2344706c5a044fc42efef62fa524aa85ee6b6812dd1cb |
/Library/AppQuest/com.apple.questd
| MD5 | 93b8ad9f743df3ff0d8c80ae620d41e4 |
| SHA1 | f65fcae21ba80fa2b9dca13d4049c9a8d29cde4d |
| SHA256 | e76caffd928df5eab6171611b8218dd9c12fce19f6bb5ed26523bad4de763eb0 |
| SHA512 | 8155022d241ade1b6d0a04505a375540acbe97ca439cb125125bcbafab9464e2cae21f705c7a2aca2c3a3b1155e79018180ab6adc9f7f6fe3c25dbe6a4d6bceb |
/var/root/Library/LaunchAgents/com.apple.questd.plist
| MD5 | 70c1e05ff6b32db6e1ef873321abd1f9 |
| SHA1 | 16878e40cd5a569bc8f441988cc07b66ffc8534a |
| SHA256 | ba60feb2a639cd847674e6599cabf986ede7876231a292785b0365d58b7b9378 |
| SHA512 | 1e82629b3b1fa7bb88e7efe0393aee7114631555fbfe614d33b9b1efb4d299c35dac5e393f834dcc26a5e192e46e317124c0b841f65ab371819c34802424712e |
/Users/run/.CFUserTextEncoding
| MD5 | 4cfd65ea66d60eb9480a60862430061c |
| SHA1 | 22e5cd7f7947e4ba5e32927e7fa643acfde7f781 |
| SHA256 | 54f304cbf96331da150bbbc288f72e8f4a583b9a58fb3705090586319390cdae |
| SHA512 | 4bf2d09cba82180e1fd85a44b9d2091404a7a34e4a257a6ec53332e107411225ba9f7ade0bf8b8a359452eedf48a45c39ca379742c6c336768aa391c724754a0 |
/Library/Preferences/com.apple.networkextension.uuidcache.plist
| MD5 | ce7f5b3d4bfc7b4b0da6a06dccc515f2 |
| SHA1 | ce657a52a052a3aaf534ecfbf7cbdde4ee334c10 |
| SHA256 | 9261ecceda608ef174256e5fdc774c1e6e3dcf533409c1bc393d490d01c713f1 |
| SHA512 | db9de6afa0e14c347aa0988a985b8a453ef133a2413c03bae0fab48bda34d4f9a488db104837a386bb65c393e8f11b1ed4856b211c1c186423649c147d6aabfb |