Analysis Overview
SHA256
de5f2822ee4ac2a1b2cd8a88d4083321f72e42f44959d751d5f00f52aba42188
Threat Level: Known bad
The file 2024-02-15_7846daca8966e9df74647c001103be85_adload_evilquest was found to be: Known bad.
Malicious Activity Summary
EvilQuest payload
Evilquest family
EvilQuest
Launch Daemon
AppleScript
Resource Forking
Launchctl
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-15 04:46
Signatures
EvilQuest payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Evilquest family
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-15 04:46
Reported
2024-02-15 04:49
Platform
macos-20240214-en
Max time kernel
143s
Max time network
131s
Command Line
Signatures
EvilQuest
EvilQuest payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Launch Daemon
AppleScript
| Description | Indicator | Process | Target |
| N/A | sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" | N/A | N/A |
| N/A | sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" | N/A | N/A |
| N/A | osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" | N/A | N/A |
| N/A | osascript -e "beep 18 say \"Your files are encrypted\" waiting until completion false set alTitle to \"Many of your important documents, photos, videos, images and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service. We guarantee however that you can recover your files safely and easily and this will cost you 50 USD without any additional fees. Our offer is valid FOR 3 DAYS (starting now!). Full details can be found in the file: READ_ME_NOW.txt located on your Desktop\" set alText to \"Your files are encrypted\" display alert alText message alTitle as critical buttons {\"OK\"} set the clipboard to \"13roGMpWd7Pb3ZoJyce8eoQpfegQvGHHK7\"" | N/A | N/A |
| N/A | osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" | N/A | N/A |
| N/A | sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" | N/A | N/A |
| N/A | osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" | N/A | N/A |
| N/A | sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" | N/A | N/A |
| N/A | osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" | N/A | N/A |
| N/A | osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" | N/A | N/A |
| N/A | sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" | N/A | N/A |
| N/A | osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" | N/A | N/A |
| N/A | sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" | N/A | N/A |
| N/A | sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" | N/A | N/A |
| N/A | sh -c "osascript -e \"beep 18 say \\\"Your files are encrypted\\\" waiting until completion false set alTitle to \\\"Many of your important documents, photos, videos, images and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service. We guarantee however that you can recover your files safely and easily and this will cost you 50 USD without any additional fees. Our offer is valid FOR 3 DAYS (starting now!). Full details can be found in the file: READ_ME_NOW.txt located on your Desktop\\\" set alText to \\\"Your files are encrypted\\\" display alert alText message alTitle as critical buttons {\\\"OK\\\"} set the clipboard to \\\"13roGMpWd7Pb3ZoJyce8eoQpfegQvGHHK7\\\"\"" | N/A | N/A |
| N/A | sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" | N/A | N/A |
| N/A | sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" | N/A | N/A |
| N/A | osascript -e "beep 18 say \"Your files are encrypted\" waiting until completion false set alTitle to \"Many of your important documents, photos, videos, images and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service. We guarantee however that you can recover your files safely and easily and this will cost you 50 USD without any additional fees. Our offer is valid FOR 3 DAYS (starting now!). Full details can be found in the file: READ_ME_NOW.txt located on your Desktop\" set alText to \"Your files are encrypted\" display alert alText message alTitle as critical buttons {\"OK\"} set the clipboard to \"13roGMpWd7Pb3ZoJyce8eoQpfegQvGHHK7\"" | N/A | N/A |
| N/A | sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" | N/A | N/A |
| N/A | osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" | N/A | N/A |
| N/A | osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" | N/A | N/A |
| N/A | osascript -e "beep 18 say \"Your files are encrypted\" waiting until completion false set alTitle to \"Many of your important documents, photos, videos, images and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service. We guarantee however that you can recover your files safely and easily and this will cost you 50 USD without any additional fees. Our offer is valid FOR 3 DAYS (starting now!). Full details can be found in the file: READ_ME_NOW.txt located on your Desktop\" set alText to \"Your files are encrypted\" display alert alText message alTitle as critical buttons {\"OK\"} set the clipboard to \"13roGMpWd7Pb3ZoJyce8eoQpfegQvGHHK7\"" | N/A | N/A |
| N/A | osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" | N/A | N/A |
| N/A | sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" | N/A | N/A |
| N/A | osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" | N/A | N/A |
| N/A | sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" | N/A | N/A |
| N/A | sh -c "osascript -e \"beep 18 say \\\"Your files are encrypted\\\" waiting until completion false set alTitle to \\\"Many of your important documents, photos, videos, images and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service. We guarantee however that you can recover your files safely and easily and this will cost you 50 USD without any additional fees. Our offer is valid FOR 3 DAYS (starting now!). Full details can be found in the file: READ_ME_NOW.txt located on your Desktop\\\" set alText to \\\"Your files are encrypted\\\" display alert alText message alTitle as critical buttons {\\\"OK\\\"} set the clipboard to \\\"13roGMpWd7Pb3ZoJyce8eoQpfegQvGHHK7\\\"\"" | N/A | N/A |
| N/A | sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" | N/A | N/A |
| N/A | osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" | N/A | N/A |
| N/A | osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" | N/A | N/A |
| N/A | sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" | N/A | N/A |
| N/A | osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" | N/A | N/A |
| N/A | osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" | N/A | N/A |
| N/A | sh -c "osascript -e \"beep 18 say \\\"Your files are encrypted\\\" waiting until completion false set alTitle to \\\"Many of your important documents, photos, videos, images and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service. We guarantee however that you can recover your files safely and easily and this will cost you 50 USD without any additional fees. Our offer is valid FOR 3 DAYS (starting now!). Full details can be found in the file: READ_ME_NOW.txt located on your Desktop\\\" set alText to \\\"Your files are encrypted\\\" display alert alText message alTitle as critical buttons {\\\"OK\\\"} set the clipboard to \\\"13roGMpWd7Pb3ZoJyce8eoQpfegQvGHHK7\\\"\"" | N/A | N/A |
| N/A | osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" | N/A | N/A |
| N/A | sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" | N/A | N/A |
Resource Forking
| Description | Indicator | Process | Target |
| N/A | /System/Library/Frameworks/ApplicationServices.framework/Frameworks/SpeechSynthesis.framework/Resources/com.apple.speech.speechsynthesisd | N/A | N/A |
| N/A | /System/Library/Frameworks/ApplicationServices.framework/Frameworks/SpeechSynthesis.framework/Resources/com.apple.speech.speechsynthesisd | N/A | N/A |
Launchctl
| Description | Indicator | Process | Target |
| N/A | launchctl start questd | N/A | N/A |
| N/A | sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" | N/A | N/A |
| N/A | osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" | N/A | N/A |
| N/A | launchctl start questd | N/A | N/A |
| N/A | osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" | N/A | N/A |
| N/A | launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist | N/A | N/A |
| N/A | osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" | N/A | N/A |
| N/A | launchctl start questd | N/A | N/A |
| N/A | osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" | N/A | N/A |
| N/A | /bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" | N/A | N/A |
| N/A | launchctl start questd | N/A | N/A |
| N/A | osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" | N/A | N/A |
| N/A | launchctl start questd | N/A | N/A |
| N/A | launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist | N/A | N/A |
| N/A | osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" | N/A | N/A |
| N/A | sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" | N/A | N/A |
| N/A | osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" | N/A | N/A |
| N/A | osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" | N/A | N/A |
| N/A | sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" | N/A | N/A |
| N/A | sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" | N/A | N/A |
| N/A | /bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" | N/A | N/A |
| N/A | launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist | N/A | N/A |
| N/A | osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" | N/A | N/A |
| N/A | /bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" | N/A | N/A |
| N/A | launchctl start questd | N/A | N/A |
| N/A | sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" | N/A | N/A |
| N/A | launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist | N/A | N/A |
| N/A | launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist | N/A | N/A |
| N/A | launchctl start questd | N/A | N/A |
| N/A | /bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" | N/A | N/A |
| N/A | /bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" | N/A | N/A |
| N/A | osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" | N/A | N/A |
| N/A | launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist | N/A | N/A |
| N/A | sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" | N/A | N/A |
| N/A | /bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" | N/A | N/A |
| N/A | /bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" | N/A | N/A |
| N/A | /bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" | N/A | N/A |
| N/A | launchctl start questd | N/A | N/A |
| N/A | osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" | N/A | N/A |
| N/A | /bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" | N/A | N/A |
| N/A | launchctl start questd | N/A | N/A |
| N/A | /bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" | N/A | N/A |
| N/A | /bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" | N/A | N/A |
| N/A | launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist | N/A | N/A |
| N/A | launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist | N/A | N/A |
| N/A | launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist | N/A | N/A |
| N/A | osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" | N/A | N/A |
| N/A | osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" | N/A | N/A |
| N/A | launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist | N/A | N/A |
| N/A | /bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" | N/A | N/A |
| N/A | launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist | N/A | N/A |
| N/A | sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" | N/A | N/A |
| N/A | sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" | N/A | N/A |
| N/A | osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" | N/A | N/A |
| N/A | launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist | N/A | N/A |
| N/A | launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist | N/A | N/A |
| N/A | launchctl start questd | N/A | N/A |
| N/A | launchctl start questd | N/A | N/A |
| N/A | /bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" | N/A | N/A |
| N/A | sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" | N/A | N/A |
| N/A | /bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" | N/A | N/A |
| N/A | osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" | N/A | N/A |
| N/A | launchctl start questd | N/A | N/A |
| N/A | sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" | N/A | N/A |
Processes
/bin/sh
[sh -c sudo /bin/zsh -c "/Users/run/2024-02-15_7846daca8966e9df74647c001103be85_adload_evilquest"]
/bin/bash
[sh -c sudo /bin/zsh -c "/Users/run/2024-02-15_7846daca8966e9df74647c001103be85_adload_evilquest"]
/usr/bin/sudo
[sudo /bin/zsh -c /Users/run/2024-02-15_7846daca8966e9df74647c001103be85_adload_evilquest]
/bin/zsh
[/bin/zsh -c /Users/run/2024-02-15_7846daca8966e9df74647c001103be85_adload_evilquest]
/Users/run/2024-02-15_7846daca8966e9df74647c001103be85_adload_evilquest
[/Users/run/2024-02-15_7846daca8966e9df74647c001103be85_adload_evilquest]
/usr/libexec/dmd
[/usr/libexec/dmd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.sysmond]
/usr/libexec/sysmond
[/usr/libexec/sysmond]
/bin/sh
[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/bin/bash
[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/usr/bin/osascript
[osascript -e do shell script "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" with administrator privileges]
/usr/libexec/xpcproxy
[xpcproxy com.apple.security.authtrampoline]
/System/Library/Frameworks/Security.framework/authtrampoline
[/System/Library/Frameworks/Security.framework/authtrampoline]
/bin/sh
[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/bash
[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/launchctl
[launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist]
/usr/libexec/xpcproxy
[xpcproxy questd]
/usr/bin/sudo
[sudo /Library/AppQuest/com.apple.questd --silent]
/bin/launchctl
[launchctl start questd]
/bin/sh
[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/bin/bash
[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/usr/bin/osascript
[osascript -e do shell script "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" with administrator privileges]
/bin/sh
[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/bash
[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/launchctl
[launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist]
/bin/launchctl
[launchctl start questd]
/Library/AppQuest/com.apple.questd
[/Library/AppQuest/com.apple.questd --silent]
/bin/sh
[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/bin/bash
[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/usr/bin/osascript
[osascript -e do shell script "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" with administrator privileges]
/bin/sh
[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/bash
[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/launchctl
[launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist]
/bin/launchctl
[launchctl start questd]
/bin/sh
[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/bin/bash
[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/usr/bin/osascript
[osascript -e do shell script "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" with administrator privileges]
/bin/sh
[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/bash
[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/launchctl
[launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist]
/bin/launchctl
[launchctl start questd]
/bin/sh
[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/bin/bash
[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/usr/bin/osascript
[osascript -e do shell script "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" with administrator privileges]
/bin/sh
[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/bin/bash
[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/usr/bin/osascript
[osascript -e do shell script "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" with administrator privileges]
/bin/sh
[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/bash
[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/launchctl
[launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist]
/bin/launchctl
[launchctl start questd]
/bin/sh
[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/bash
[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/launchctl
[launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist]
/bin/launchctl
[launchctl start questd]
/bin/sh
[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/bin/bash
[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/usr/bin/osascript
[osascript -e do shell script "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" with administrator privileges]
/bin/sh
[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/bin/bash
[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/usr/bin/osascript
[osascript -e do shell script "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" with administrator privileges]
/bin/sh
[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/bash
[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/launchctl
[launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist]
/bin/launchctl
[launchctl start questd]
/bin/sh
[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/bash
[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/launchctl
[launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist]
/bin/launchctl
[launchctl start questd]
/bin/sh
[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/bin/bash
[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/usr/bin/osascript
[osascript -e do shell script "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" with administrator privileges]
/bin/sh
[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/bash
[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/launchctl
[launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist]
/bin/launchctl
[launchctl start questd]
/bin/sh
[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/bin/bash
[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/usr/bin/osascript
[osascript -e do shell script "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" with administrator privileges]
/bin/sh
[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/bash
[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/launchctl
[launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist]
/bin/launchctl
[launchctl start questd]
/bin/sh
[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/bin/bash
[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/usr/bin/osascript
[osascript -e do shell script "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" with administrator privileges]
/bin/sh
[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/bash
[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/launchctl
[launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist]
/bin/launchctl
[launchctl start questd]
/usr/sbin/spctl
[/usr/sbin/spctl --assess --type execute /Applications/OneDrive.app]
/usr/libexec/xpcproxy
[xpcproxy com.apple.assistantd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.bird]
/usr/libexec/xpcproxy
[xpcproxy com.apple.pbs]
/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd
[/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd]
/System/Library/CoreServices/pbs
[/System/Library/CoreServices/pbs]
/bin/sh
[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/bin/bash
[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/usr/bin/osascript
[osascript -e do shell script "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" with administrator privileges]
/bin/sh
[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/bash
[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/launchctl
[launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist]
/bin/launchctl
[launchctl start questd]
/System/Library/PrivateFrameworks/CloudDocsDaemon.framework/Versions/A/Support/bird
[/System/Library/PrivateFrameworks/CloudDocsDaemon.framework/Versions/A/Support/bird]
/bin/sh
[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/bin/bash
[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/usr/bin/osascript
[osascript -e do shell script "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" with administrator privileges]
/bin/sh
[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/bash
[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/launchctl
[launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist]
/bin/launchctl
[launchctl start questd]
/bin/sh
[sh -c osascript -e "beep 18 say \"Your files are encrypted\" waiting until completion false set alTitle to \"Many of your important documents, photos, videos, images and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service. We guarantee however that you can recover your files safely and easily and this will cost you 50 USD without any additional fees. Our offer is valid FOR 3 DAYS (starting now!). Full details can be found in the file: READ_ME_NOW.txt located on your Desktop\" set alText to \"Your files are encrypted\" display alert alText message alTitle as critical buttons {\"OK\"} set the clipboard to \"13roGMpWd7Pb3ZoJyce8eoQpfegQvGHHK7\""]
/bin/bash
[sh -c osascript -e "beep 18 say \"Your files are encrypted\" waiting until completion false set alTitle to \"Many of your important documents, photos, videos, images and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service. We guarantee however that you can recover your files safely and easily and this will cost you 50 USD without any additional fees. Our offer is valid FOR 3 DAYS (starting now!). Full details can be found in the file: READ_ME_NOW.txt located on your Desktop\" set alText to \"Your files are encrypted\" display alert alText message alTitle as critical buttons {\"OK\"} set the clipboard to \"13roGMpWd7Pb3ZoJyce8eoQpfegQvGHHK7\""]
/usr/bin/osascript
[osascript -e beep 18 say "Your files are encrypted" waiting until completion false set alTitle to "Many of your important documents, photos, videos, images and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service. We guarantee however that you can recover your files safely and easily and this will cost you 50 USD without any additional fees. Our offer is valid FOR 3 DAYS (starting now!). Full details can be found in the file: READ_ME_NOW.txt located on your Desktop" set alText to "Your files are encrypted" display alert alText message alTitle as critical buttons {"OK"} set the clipboard to "13roGMpWd7Pb3ZoJyce8eoQpfegQvGHHK7"]
/usr/libexec/xpcproxy
[xpcproxy com.apple.nehelper]
/usr/libexec/xpcproxy
[xpcproxy com.apple.audio.systemsoundserverd]
/usr/sbin/systemsoundserverd
[/usr/sbin/systemsoundserverd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.audio.AudioComponentRegistrar]
/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar
[/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar -daemon]
/bin/sh
[sh -c osascript -e "beep 18 say \"Your files are encrypted\" waiting until completion false set alTitle to \"Many of your important documents, photos, videos, images and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service. We guarantee however that you can recover your files safely and easily and this will cost you 50 USD without any additional fees. Our offer is valid FOR 3 DAYS (starting now!). Full details can be found in the file: READ_ME_NOW.txt located on your Desktop\" set alText to \"Your files are encrypted\" display alert alText message alTitle as critical buttons {\"OK\"} set the clipboard to \"13roGMpWd7Pb3ZoJyce8eoQpfegQvGHHK7\""]
/bin/bash
[sh -c osascript -e "beep 18 say \"Your files are encrypted\" waiting until completion false set alTitle to \"Many of your important documents, photos, videos, images and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service. We guarantee however that you can recover your files safely and easily and this will cost you 50 USD without any additional fees. Our offer is valid FOR 3 DAYS (starting now!). Full details can be found in the file: READ_ME_NOW.txt located on your Desktop\" set alText to \"Your files are encrypted\" display alert alText message alTitle as critical buttons {\"OK\"} set the clipboard to \"13roGMpWd7Pb3ZoJyce8eoQpfegQvGHHK7\""]
/usr/bin/osascript
[osascript -e beep 18 say "Your files are encrypted" waiting until completion false set alTitle to "Many of your important documents, photos, videos, images and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service. We guarantee however that you can recover your files safely and easily and this will cost you 50 USD without any additional fees. Our offer is valid FOR 3 DAYS (starting now!). Full details can be found in the file: READ_ME_NOW.txt located on your Desktop" set alText to "Your files are encrypted" display alert alText message alTitle as critical buttons {"OK"} set the clipboard to "13roGMpWd7Pb3ZoJyce8eoQpfegQvGHHK7"]
/usr/libexec/nehelper
[/usr/libexec/nehelper]
/usr/libexec/xpcproxy
[xpcproxy com.apple.secinitd]
/usr/libexec/secinitd
[/usr/libexec/secinitd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.accountsd]
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
[/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.speech.speechsynthesisd]
/System/Library/Frameworks/ApplicationServices.framework/Frameworks/SpeechSynthesis.framework/Resources/com.apple.speech.speechsynthesisd
[/System/Library/Frameworks/ApplicationServices.framework/Frameworks/SpeechSynthesis.framework/Resources/com.apple.speech.speechsynthesisd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.audio.SandboxHelper 646]
/System/Library/Frameworks/AudioToolbox.framework/XPCServices/com.apple.audio.SandboxHelper.xpc/Contents/MacOS/com.apple.audio.SandboxHelper
[/System/Library/Frameworks/AudioToolbox.framework/XPCServices/com.apple.audio.SandboxHelper.xpc/Contents/MacOS/com.apple.audio.SandboxHelper]
/usr/libexec/xpcproxy
[xpcproxy com.apple.speech.speechsynthesisd]
/System/Library/Frameworks/ApplicationServices.framework/Frameworks/SpeechSynthesis.framework/Resources/com.apple.speech.speechsynthesisd
[/System/Library/Frameworks/ApplicationServices.framework/Frameworks/SpeechSynthesis.framework/Resources/com.apple.speech.speechsynthesisd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.ViewBridgeAuxiliary]
/System/Library/PrivateFrameworks/ViewBridge.framework/Versions/A/XPCServices/ViewBridgeAuxiliary.xpc/Contents/MacOS/ViewBridgeAuxiliary
[/System/Library/PrivateFrameworks/ViewBridge.framework/Versions/A/XPCServices/ViewBridgeAuxiliary.xpc/Contents/MacOS/ViewBridgeAuxiliary]
/usr/libexec/xpcproxy
[xpcproxy com.apple.audio.SandboxHelper 648]
/System/Library/Frameworks/AudioToolbox.framework/XPCServices/com.apple.audio.SandboxHelper.xpc/Contents/MacOS/com.apple.audio.SandboxHelper
[/System/Library/Frameworks/AudioToolbox.framework/XPCServices/com.apple.audio.SandboxHelper.xpc/Contents/MacOS/com.apple.audio.SandboxHelper]
/usr/libexec/xpcproxy
[xpcproxy com.apple.ReportCrash.Root]
/var/root/Hellper.app
/System/Library/CoreServices/ReportCrash
[/System/Library/CoreServices/ReportCrash daemon]
/bin/sh
[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/bin/bash
[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/usr/bin/osascript
[osascript -e do shell script "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" with administrator privileges]
/usr/libexec/xpcproxy
[xpcproxy com.apple.accountsd]
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
[/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd]
/bin/sh
[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/bash
[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/launchctl
[launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist]
/bin/launchctl
[launchctl start questd]
/bin/sh
[sh -c osascript -e "beep 18 say \"Your files are encrypted\" waiting until completion false set alTitle to \"Many of your important documents, photos, videos, images and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service. We guarantee however that you can recover your files safely and easily and this will cost you 50 USD without any additional fees. Our offer is valid FOR 3 DAYS (starting now!). Full details can be found in the file: READ_ME_NOW.txt located on your Desktop\" set alText to \"Your files are encrypted\" display alert alText message alTitle as critical buttons {\"OK\"} set the clipboard to \"13roGMpWd7Pb3ZoJyce8eoQpfegQvGHHK7\""]
/bin/bash
[sh -c osascript -e "beep 18 say \"Your files are encrypted\" waiting until completion false set alTitle to \"Many of your important documents, photos, videos, images and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service. We guarantee however that you can recover your files safely and easily and this will cost you 50 USD without any additional fees. Our offer is valid FOR 3 DAYS (starting now!). Full details can be found in the file: READ_ME_NOW.txt located on your Desktop\" set alText to \"Your files are encrypted\" display alert alText message alTitle as critical buttons {\"OK\"} set the clipboard to \"13roGMpWd7Pb3ZoJyce8eoQpfegQvGHHK7\""]
/usr/bin/osascript
[osascript -e beep 18 say "Your files are encrypted" waiting until completion false set alTitle to "Many of your important documents, photos, videos, images and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service. We guarantee however that you can recover your files safely and easily and this will cost you 50 USD without any additional fees. Our offer is valid FOR 3 DAYS (starting now!). Full details can be found in the file: READ_ME_NOW.txt located on your Desktop" set alText to "Your files are encrypted" display alert alText message alTitle as critical buttons {"OK"} set the clipboard to "13roGMpWd7Pb3ZoJyce8eoQpfegQvGHHK7"]
/usr/libexec/xpcproxy
[xpcproxy com.apple.security.agent]
/System/Library/Frameworks/Security.framework/Versions/A/MachServices/SecurityAgent.bundle/Contents/MacOS/SecurityAgent
[/System/Library/Frameworks/Security.framework/Versions/A/MachServices/SecurityAgent.bundle/Contents/MacOS/SecurityAgent]
/usr/libexec/xpcproxy
[xpcproxy com.apple.accountsd]
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
[/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd]
/var/root/Hellper.app
/bin/launchctl
[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveUpdaterDaemon]
/bin/launchctl
[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveStandaloneUpdaterDaemon]
/usr/libexec/xpcproxy
[xpcproxy com.apple.accountsd]
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
[/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.accountsd]
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
[/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd]
/bin/sh
[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/bin/bash
[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/usr/bin/osascript
[osascript -e do shell script "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" with administrator privileges]
/bin/sh
[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/bash
[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/launchctl
[launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist]
/bin/launchctl
[launchctl start questd]
Network
| Country | Destination | Domain | Proto |
| US | 52.182.143.208:443 | tcp | |
| US | 8.8.8.8:53 | andrewka6.pythonanywhere.com | udp |
| US | 35.173.69.207:80 | andrewka6.pythonanywhere.com | tcp |
| US | 8.8.8.8:53 | udp | |
| US | 35.173.69.207:80 | andrewka6.pythonanywhere.com | tcp |
| US | 8.8.8.8:53 | bag-cdn-lb.itunes-apple.com.akadns.net | udp |
| US | 35.173.69.207:80 | andrewka6.pythonanywhere.com | tcp |
| US | 17.137.170.10:443 | tcp | |
| US | 17.137.170.34:443 | tcp | |
| US | 8.8.8.8:53 | mobile.events.data.trafficmanager.net | udp |
| US | 52.182.143.208:443 | tcp | |
| US | 35.173.69.207:80 | andrewka6.pythonanywhere.com | tcp |
| N/A | 224.0.0.251:5353 | udp |
Files
/Users/run/Library/AppQuest/com.apple.questd
| MD5 | fd04cf2797144da628a31e9b0f824a5d |
| SHA1 | 866d5d289b249931e02f9576a01e430014fac831 |
| SHA256 | 351d012ae76db27b93b128ca984c960aa42b3e2c70bef74a4fe4b56fff5cf62b |
| SHA512 | 3e4cce1c55fa3409388de41e565dd23b0fff03a5bf13be080a70e66f189794518c7c47b623d526051661512607d7f4283e6f88b6b287d3d4ebab023cb1a16f51 |
/Library/AppQuest/com.apple.questd
| MD5 | 3a48168c109236fdfe21ab971c0271a5 |
| SHA1 | 2a23d0bc94266358fc65c88d3a1ee8407ef17730 |
| SHA256 | 3a691d788eef6ba507b8303cead7d3981472647d0463facd44a379039ac222d4 |
| SHA512 | e42c7a262ae1a1e7bd694c52ef2aed0487e2230b4f28740ce920478f701e8afc37ad4564f28b60dba8e7a750cab308d6dd94ffa8331a8422a4582d44597a11d6 |
/Users/run/Library/LaunchAgents/com.apple.questd.plist
| MD5 | eb73619f4e724257ff0fd951883a30ae |
| SHA1 | 5032251e50b32e340d8171631a598596bad8991e |
| SHA256 | 6e56467f3f5502588094c91e2d58bbb1e43c4e8171093db14931dd41788e17d4 |
| SHA512 | ec95c395414181bc77c7a2980fbd3fe69b718aa98c878e514c3f28b738e1669488126cbdfa96e3a182afd8536b54bc1791a044fa3535d1fd3fad54dfda337b7c |
/Library/LaunchDaemons/com.apple.questd.plist
| MD5 | a3d34532a7dd2cd1d73cea75deb0677f |
| SHA1 | 3019d1c50907fb2597121c03619990c5670ff6f4 |
| SHA256 | 779a31e4de99f9de28de8bf064c504382e050c114e2e865cc1f694c7e6339735 |
| SHA512 | 52618a5f14247c909a3857b122a124d0ddd00890c128cf041976182423b3d728cab11daf5b6a1adb6845d062b54083e72380184b6f76369482305c2782bedd91 |
/Library/AppQuest/com.apple.questd
| MD5 | 30476963a2bd4d15e8d770b4c1f5bc01 |
| SHA1 | 101e2b9ea4c67dc2def88e081db41323f01ef3ff |
| SHA256 | 80dcf31efff22c1dc4ec99ce044b44e2545963b4daa09d293fca6a45c5d8a9ab |
| SHA512 | 1e6e7ce7f9de168f9c7280ea959ec4419883a05ee4bbe09768efa9e1186536114f88b30b41cb782e175c1b771c1f026ff5f727caf5e1098346efb0bae2da833d |
/var/root/Library/AppQuest/com.apple.questd
| MD5 | a556081b3794c562ec4cb68703f46b87 |
| SHA1 | 0893550fdbdbee680648a491e76dbc84fba89396 |
| SHA256 | 83bf989813e3249af235bda19d3f6a69f8975b93463a614b9d2a5cc6a542f86b |
| SHA512 | 84f2a5af5b02ad7b1df6e3eb39e60343267e46c997787e65ba42c230aa9034e4646249230f687f0c5097a72cd48a5c7813e8035b8e1cc1512f17a9e96f39f01a |
/var/root/Library/LaunchAgents/com.apple.questd.plist
| MD5 | 70c1e05ff6b32db6e1ef873321abd1f9 |
| SHA1 | 16878e40cd5a569bc8f441988cc07b66ffc8534a |
| SHA256 | ba60feb2a639cd847674e6599cabf986ede7876231a292785b0365d58b7b9378 |
| SHA512 | 1e82629b3b1fa7bb88e7efe0393aee7114631555fbfe614d33b9b1efb4d299c35dac5e393f834dcc26a5e192e46e317124c0b841f65ab371819c34802424712e |
/Users/run/.CFUserTextEncoding
| MD5 | 0037298e15ce7da596418b7f121dd70e |
| SHA1 | 18793d24aca706d470c526b4f90b20cde6723776 |
| SHA256 | 2ec1d3871812918968b2cb0972710e23210a6cd72eddb0588dc5db32cc7d6e66 |
| SHA512 | 42b625e7f8539598c6f988089669c1ae939ee6dd78454acba8067b676276c61087c3825b6015d9c94e8cf9aa29a0dadac56a0f01bab50a2b3a4963074f7abe69 |
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C//mds/mdsObject.db
| MD5 | d3a1859e6ec593505cc882e6def48fc8 |
| SHA1 | f8e6728e3e9de477a75706faa95cead9ce13cb32 |
| SHA256 | 3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c |
| SHA512 | ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818 |
/Library/Preferences/com.apple.networkextension.uuidcache.plist
| MD5 | ce7f5b3d4bfc7b4b0da6a06dccc515f2 |
| SHA1 | ce657a52a052a3aaf534ecfbf7cbdde4ee334c10 |
| SHA256 | 9261ecceda608ef174256e5fdc774c1e6e3dcf533409c1bc393d490d01c713f1 |
| SHA512 | db9de6afa0e14c347aa0988a985b8a453ef133a2413c03bae0fab48bda34d4f9a488db104837a386bb65c393e8f11b1ed4856b211c1c186423649c147d6aabfb |
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C//mds/mdsDirectory.db
| MD5 | 0e4a0d1ceb2af6f0f8d0167ce77be2d3 |
| SHA1 | 414ba4c1dc5fc8bf53d550e296fd6f5ad669918c |
| SHA256 | cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030 |
| SHA512 | 1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20 |
/Users/run/Library/Keychains/login.keychain-db
| MD5 | 27f785b975861c5fd7d1a6b161be2046 |
| SHA1 | 74755db457c2ba7a1442689eacd62e5ccaf9083e |
| SHA256 | 8d618cf102019ee1778c490f04bf6c8861868766105edc0974116d047b93fb7e |
| SHA512 | 2a1ee34b1612f3650ade53514c2d21a675645fd62063d9d0133fac8626a44b30eccb1ac285f80de96f6dc8858e74086b65173907f2f46c74f149f5898913db7e |
/var/root/Library/Saved Application State/com.apple.osascript.savedState/data.data
| MD5 | 9c171148d883fccbe5cfd622935f596e |
| SHA1 | af9f0c69b3dad6a380d4fd4ba46bb192fbda49cd |
| SHA256 | 2b0d58c9617064d5ca8e1ba019a669924f8cd6ee9606d707b61caa68039ebce7 |
| SHA512 | 96464626acdcf75e9785defe2da2e805c4d76ff4b5d5d3f7f70ff334d2862f21c60699977cd0d24bf5192aa29e28059bdf8168485d2cb1c3e82838dcc3ae2cb6 |