Analysis Overview
SHA256
d4a9afb55a07d94d43d1d887db17f043e038d239f762ae590a2c1ed97200d891
Threat Level: Known bad
The file 2024-02-15_4e272ae307509135d27776bd4c5b8147_adload_evilquest was found to be: Known bad.
Malicious Activity Summary
EvilQuest
EvilQuest payload
Evilquest family
Launch Daemon
AppleScript
Resource Forking
Launchctl
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-15 04:38
Signatures
EvilQuest payload
Evilquest family
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-15 04:38
Reported
2024-02-15 04:40
Platform
macos-20240214-en
Max time kernel
150s
Max time network
146s
Command Line
Signatures
EvilQuest
EvilQuest payload
Launch Daemon
AppleScript
| Description | Indicator | Process | Target |
| N/A | osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" | N/A | N/A |
| N/A | sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" | N/A | N/A |
| N/A | osascript -e "beep 18 say \"Your files are encrypted\" waiting until completion false set alTitle to \"Many of your important documents, photos, videos, images and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service. We guarantee however that you can recover your files safely and easily and this will cost you 50 USD without any additional fees. Our offer is valid FOR 3 DAYS (starting now!). Full details can be found in the file: READ_ME_NOW.txt located on your Desktop\" set alText to \"Your files are encrypted\" display alert alText message alTitle as critical buttons {\"OK\"} set the clipboard to \"13roGMpWd7Pb3ZoJyce8eoQpfegQvGHHK7\"" | N/A | N/A |
| N/A | sh -c "osascript -e \"beep 18 say \\\"Your files are encrypted\\\" waiting until completion false set alTitle to \\\"Many of your important documents, photos, videos, images and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service. We guarantee however that you can recover your files safely and easily and this will cost you 50 USD without any additional fees. Our offer is valid FOR 3 DAYS (starting now!). Full details can be found in the file: READ_ME_NOW.txt located on your Desktop\\\" set alText to \\\"Your files are encrypted\\\" display alert alText message alTitle as critical buttons {\\\"OK\\\"} set the clipboard to \\\"13roGMpWd7Pb3ZoJyce8eoQpfegQvGHHK7\\\"\"" | N/A | N/A |
Resource Forking
| Description | Indicator | Process | Target |
| N/A | /System/Library/Frameworks/ApplicationServices.framework/Frameworks/SpeechSynthesis.framework/Resources/com.apple.speech.speechsynthesisd | N/A | N/A |
Launchctl
| Description | Indicator | Process | Target |
| N/A | osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" | N/A | N/A |
| N/A | launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist | N/A | N/A |
| N/A | launchctl start questd | N/A | N/A |
| N/A | sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" | N/A | N/A |
| N/A | /bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" | N/A | N/A |
Processes
/bin/sh
[sh -c sudo /bin/zsh -c "/Users/run/2024-02-15_4e272ae307509135d27776bd4c5b8147_adload_evilquest"]
/bin/bash
[sh -c sudo /bin/zsh -c "/Users/run/2024-02-15_4e272ae307509135d27776bd4c5b8147_adload_evilquest"]
/usr/bin/sudo
[sudo /bin/zsh -c /Users/run/2024-02-15_4e272ae307509135d27776bd4c5b8147_adload_evilquest]
/usr/libexec/dmd
[/usr/libexec/dmd]
/bin/zsh
[/bin/zsh -c /Users/run/2024-02-15_4e272ae307509135d27776bd4c5b8147_adload_evilquest]
/Users/run/2024-02-15_4e272ae307509135d27776bd4c5b8147_adload_evilquest
[/Users/run/2024-02-15_4e272ae307509135d27776bd4c5b8147_adload_evilquest]
/usr/libexec/xpcproxy
[xpcproxy com.apple.sysmond]
/usr/libexec/sysmond
[/usr/libexec/sysmond]
/usr/libexec/xpcproxy
[xpcproxy com.apple.secinitd]
/usr/libexec/secinitd
[/usr/libexec/secinitd]
/bin/sh
[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/bin/bash
[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/usr/bin/osascript
[osascript -e do shell script "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" with administrator privileges]
/usr/libexec/xpcproxy
[xpcproxy com.apple.security.authtrampoline]
/System/Library/Frameworks/Security.framework/authtrampoline
[/System/Library/Frameworks/Security.framework/authtrampoline]
/bin/sh
[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/bash
[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/launchctl
[launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist]
/usr/libexec/xpcproxy
[xpcproxy questd]
/bin/launchctl
[launchctl start questd]
/usr/bin/sudo
[sudo /Library/AppQuest/com.apple.questd --silent]
/Library/AppQuest/com.apple.questd
[/Library/AppQuest/com.apple.questd --silent]
/usr/sbin/spctl
[/usr/sbin/spctl --assess --type execute /Applications/OneDrive.app]
/usr/libexec/xpcproxy
[xpcproxy com.apple.assistantd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.bird]
/usr/libexec/xpcproxy
[xpcproxy com.apple.accountsd]
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
[/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.pbs]
/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd
[/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd]
/bin/sh
[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/bash
[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/System/Library/CoreServices/pbs
[/System/Library/CoreServices/pbs]
/bin/launchctl
[launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist]
/bin/launchctl
[launchctl start questd]
/System/Library/PrivateFrameworks/CloudDocsDaemon.framework/Versions/A/Support/bird
[/System/Library/PrivateFrameworks/CloudDocsDaemon.framework/Versions/A/Support/bird]
/usr/libexec/xpcproxy
[xpcproxy com.apple.nehelper]
/usr/libexec/nehelper
[/usr/libexec/nehelper]
/bin/launchctl
[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveUpdaterDaemon]
/bin/launchctl
[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveStandaloneUpdaterDaemon]
/bin/sh
[sh -c osascript -e "beep 18 say \"Your files are encrypted\" waiting until completion false set alTitle to \"Many of your important documents, photos, videos, images and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service. We guarantee however that you can recover your files safely and easily and this will cost you 50 USD without any additional fees. Our offer is valid FOR 3 DAYS (starting now!). Full details can be found in the file: READ_ME_NOW.txt located on your Desktop\" set alText to \"Your files are encrypted\" display alert alText message alTitle as critical buttons {\"OK\"} set the clipboard to \"13roGMpWd7Pb3ZoJyce8eoQpfegQvGHHK7\""]
/bin/bash
[sh -c osascript -e "beep 18 say \"Your files are encrypted\" waiting until completion false set alTitle to \"Many of your important documents, photos, videos, images and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service. We guarantee however that you can recover your files safely and easily and this will cost you 50 USD without any additional fees. Our offer is valid FOR 3 DAYS (starting now!). Full details can be found in the file: READ_ME_NOW.txt located on your Desktop\" set alText to \"Your files are encrypted\" display alert alText message alTitle as critical buttons {\"OK\"} set the clipboard to \"13roGMpWd7Pb3ZoJyce8eoQpfegQvGHHK7\""]
/usr/bin/osascript
[osascript -e beep 18 say "Your files are encrypted" waiting until completion false set alTitle to "Many of your important documents, photos, videos, images and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service. We guarantee however that you can recover your files safely and easily and this will cost you 50 USD without any additional fees. Our offer is valid FOR 3 DAYS (starting now!). Full details can be found in the file: READ_ME_NOW.txt located on your Desktop" set alText to "Your files are encrypted" display alert alText message alTitle as critical buttons {"OK"} set the clipboard to "13roGMpWd7Pb3ZoJyce8eoQpfegQvGHHK7"]
/usr/libexec/xpcproxy
[xpcproxy com.apple.audio.systemsoundserverd]
/usr/sbin/systemsoundserverd
[/usr/sbin/systemsoundserverd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.audio.AudioComponentRegistrar]
/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar
[/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar -daemon]
/usr/libexec/xpcproxy
[xpcproxy com.apple.speech.speechsynthesisd]
/System/Library/Frameworks/ApplicationServices.framework/Frameworks/SpeechSynthesis.framework/Resources/com.apple.speech.speechsynthesisd
[/System/Library/Frameworks/ApplicationServices.framework/Frameworks/SpeechSynthesis.framework/Resources/com.apple.speech.speechsynthesisd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.audio.SandboxHelper 645]
/System/Library/Frameworks/AudioToolbox.framework/XPCServices/com.apple.audio.SandboxHelper.xpc/Contents/MacOS/com.apple.audio.SandboxHelper
[/System/Library/Frameworks/AudioToolbox.framework/XPCServices/com.apple.audio.SandboxHelper.xpc/Contents/MacOS/com.apple.audio.SandboxHelper]
/usr/libexec/xpcproxy
[xpcproxy com.apple.ViewBridgeAuxiliary]
/System/Library/PrivateFrameworks/ViewBridge.framework/Versions/A/XPCServices/ViewBridgeAuxiliary.xpc/Contents/MacOS/ViewBridgeAuxiliary
[/System/Library/PrivateFrameworks/ViewBridge.framework/Versions/A/XPCServices/ViewBridgeAuxiliary.xpc/Contents/MacOS/ViewBridgeAuxiliary]
/usr/libexec/xpcproxy
[xpcproxy com.apple.security.agent]
/System/Library/Frameworks/Security.framework/Versions/A/MachServices/SecurityAgent.bundle/Contents/MacOS/SecurityAgent
[/System/Library/Frameworks/Security.framework/Versions/A/MachServices/SecurityAgent.bundle/Contents/MacOS/SecurityAgent]
/usr/libexec/xpcproxy
[xpcproxy com.apple.audio.SandboxHelper 670]
/System/Library/Frameworks/AudioToolbox.framework/XPCServices/com.apple.audio.SandboxHelper.xpc/Contents/MacOS/com.apple.audio.SandboxHelper
[/System/Library/Frameworks/AudioToolbox.framework/XPCServices/com.apple.audio.SandboxHelper.xpc/Contents/MacOS/com.apple.audio.SandboxHelper]
/var/root/Hellper.app
/usr/libexec/xpcproxy
[xpcproxy com.apple.ReportCrash.Root]
/System/Library/CoreServices/ReportCrash
[/System/Library/CoreServices/ReportCrash daemon]
Network
Files
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C//mds/mdsObject.db
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C//mds/mdsDirectory.db
/Users/run/Library/AppQuest/com.apple.questd
/Library/AppQuest/com.apple.questd
/Library/LaunchDaemons/com.apple.questd.plist
/Users/run/Library/LaunchAgents/com.apple.questd.plist
/Library/AppQuest/com.apple.questd
/var/root/Library/AppQuest/com.apple.questd
/var/root/Library/LaunchAgents/com.apple.questd.plist
/Users/run/.CFUserTextEncoding
/Library/Preferences/com.apple.networkextension.uuidcache.plist
/Users/run/Library/Keychains/login.keychain-db
/var/root/Library/Saved Application State/com.apple.osascript.savedState/data.data