Malware Analysis Report

2024-11-30 16:21

Sample ID 240215-fh1ebshg22
Target 2024-02-15_e9742f14ac3a1b793087bd6ca3f87e16_adload_evilquest
SHA256 90b5a701c41fa4e2ea33a9fbde45ca4c9906c523fa75bae168c6f1c0aad59044
Tags evilquest backdoor execution persistence
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 90b5a701c41fa4e2ea33a9fbde45ca4c9906c523fa75bae168c6f1c0aad59044

Threat Level: Known bad

The file 2024-02-15_e9742f14ac3a1b793087bd6ca3f87e16_adload_evilquest was found to be: Known bad.

Malicious Activity Summary

evilquest backdoor execution persistence

EvilQuest payload

Evilquest family

EvilQuest

Launch Daemon

AppleScript

Launchctl

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-02-15 04:53

Signatures

EvilQuest payload

Description Indicator Process Target
No indicator details recorded (1 row, all fields N/A)

Evilquest family

evilquest

Analysis: behavioral1

Detonation Overview

Submitted 2024-02-15 04:53
Reported 2024-02-15 04:55
Platform macos-20240214-en
Max time kernel 149s
Max time network 151s

Command Line

[sh -c sudo /bin/zsh -c "/Users/run/2024-02-15_e9742f14ac3a1b793087bd6ca3f87e16_adload_evilquest"]

Signatures

EvilQuest

backdoor evilquest

EvilQuest payload

Description Indicator Process Target
No indicator details recorded (4 rows, all fields N/A)

Launch Daemon

persistence

AppleScript

execution
Description Indicator Process Target
(Description, Process and Target are N/A in every one of the 20 rows; distinct indicators are listed below with the number of rows each appeared in.)
(9 rows) osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
(9 rows) sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
(1 row) sh -c "osascript -e \"do shell script \\\"sudo /Library/AppQuest/com.apple.questd\\\" with administrator privileges\""
(1 row) osascript -e "do shell script \"sudo /Library/AppQuest/com.apple.questd\" with administrator privileges"

Launchctl

execution
Description Indicator Process Target
(Description, Process and Target are N/A in every one of the 45 rows; distinct indicators are listed below with the number of rows each appeared in.)
(9 rows) sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
(9 rows) osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
(9 rows) /bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
(9 rows) launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
(9 rows) launchctl start questd

Processes

/bin/sh  [sh -c sudo /bin/zsh -c "/Users/run/2024-02-15_e9742f14ac3a1b793087bd6ca3f87e16_adload_evilquest"]
/bin/bash  [sh -c sudo /bin/zsh -c "/Users/run/2024-02-15_e9742f14ac3a1b793087bd6ca3f87e16_adload_evilquest"]
/usr/bin/sudo  [sudo /bin/zsh -c /Users/run/2024-02-15_e9742f14ac3a1b793087bd6ca3f87e16_adload_evilquest]
/bin/zsh  [/bin/zsh -c /Users/run/2024-02-15_e9742f14ac3a1b793087bd6ca3f87e16_adload_evilquest]
/Users/run/2024-02-15_e9742f14ac3a1b793087bd6ca3f87e16_adload_evilquest  [/Users/run/2024-02-15_e9742f14ac3a1b793087bd6ca3f87e16_adload_evilquest]
/usr/libexec/xpcproxy  [xpcproxy com.apple.sysmond]
/usr/libexec/sysmond  [/usr/libexec/sysmond]
/usr/libexec/xpcproxy  [xpcproxy com.apple.secinitd]
/usr/libexec/secinitd  [/usr/libexec/secinitd]
/bin/sh  [sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/bin/bash  [sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/usr/libexec/xpcproxy  [xpcproxy com.apple.nsurlstoraged]
/usr/bin/osascript  [osascript -e do shell script "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" with administrator privileges]
/usr/libexec/nsurlstoraged  [/usr/libexec/nsurlstoraged]
/usr/libexec/xpcproxy  [xpcproxy com.apple.security.authtrampoline]
/System/Library/Frameworks/Security.framework/authtrampoline  [/System/Library/Frameworks/Security.framework/authtrampoline]
/bin/sh  [/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/bash  [/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/launchctl  [launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist]
/usr/libexec/xpcproxy  [xpcproxy questd]
/bin/launchctl  [launchctl start questd]
/usr/bin/sudo  [sudo /Library/AppQuest/com.apple.questd --silent]
/bin/sh  [sh -c osascript -e "do shell script \"sudo /Library/AppQuest/com.apple.questd\" with administrator privileges"]
/bin/bash  [sh -c osascript -e "do shell script \"sudo /Library/AppQuest/com.apple.questd\" with administrator privileges"]
/usr/bin/osascript  [osascript -e do shell script "sudo /Library/AppQuest/com.apple.questd" with administrator privileges]
/Users/run/.2024-02-15_e9742f14ac3a1b793087bd6ca3f87e16_adload_evilquest1  (no command line recorded)
/bin/sh  [/bin/sh -c sudo /Library/AppQuest/com.apple.questd]
/bin/bash  [/bin/sh -c sudo /Library/AppQuest/com.apple.questd]
/usr/bin/sudo  [sudo /Library/AppQuest/com.apple.questd]
/Library/AppQuest/com.apple.questd  [/Library/AppQuest/com.apple.questd]
/Library/AppQuest/com.apple.questd  [/Library/AppQuest/com.apple.questd --silent]
/usr/bin/pluginkit  [/usr/bin/pluginkit -e ignore -i com.microsoft.OneDrive.FinderSync]
/usr/libexec/xpcproxy  [xpcproxy com.apple.pluginkit.pkd]
/usr/libexec/pkd  [/usr/libexec/pkd]
/usr/sbin/spctl  [/usr/sbin/spctl --assess --type execute /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/OneDriveUpdaterDA6CE80A/OneDrive.app]
/bin/sh  [sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/bin/bash  [sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/usr/bin/osascript  [osascript -e do shell script "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" with administrator privileges]
/bin/sh  [/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/bash  [/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/launchctl  [launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist]
/bin/launchctl  [launchctl start questd]
/bin/sh  [sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/bin/bash  [sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/usr/bin/osascript  [osascript -e do shell script "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" with administrator privileges]
/bin/sh  [sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/bin/bash  [sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/usr/bin/osascript  [osascript -e do shell script "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" with administrator privileges]
/bin/sh  [/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/bash  [/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/launchctl  [launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist]
/bin/launchctl  [launchctl start questd]
/bin/sh  [/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/bash  [/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/launchctl  [launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist]
/bin/launchctl  [launchctl start questd]
/bin/sh  [sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/bin/bash  [sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/usr/bin/osascript  [osascript -e do shell script "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" with administrator privileges]
/bin/sh  [sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/bin/bash  [sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/usr/bin/osascript  [osascript -e do shell script "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" with administrator privileges]
/bin/sh  [/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/bash  [/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/launchctl  [launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist]
/bin/launchctl  [launchctl start questd]
/bin/sh  [/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/bash  [/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/launchctl  [launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist]
/bin/launchctl  [launchctl start questd]
/bin/sh  [sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/bin/bash  [sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/usr/bin/osascript  [osascript -e do shell script "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" with administrator privileges]
/bin/sh  [/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/bash  [/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/launchctl  [launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist]
/bin/launchctl  [launchctl start questd]
/bin/sh  [sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/bin/bash  [sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/usr/bin/osascript  [osascript -e do shell script "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" with administrator privileges]
/bin/sh  [/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/bash  [/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/launchctl  [launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist]
/bin/launchctl  [launchctl start questd]
/bin/sh  [sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/bin/bash  [sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]
/usr/bin/osascript  [osascript -e do shell script "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" with administrator privileges]
/bin/sh  [/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/bash  [/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]
/bin/launchctl  [launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist]
/bin/launchctl  [launchctl start questd]
/usr/libexec/xpcproxy  [xpcproxy com.apple.assistantd]
/usr/sbin/spctl  [/usr/sbin/spctl --assess --type execute /Applications/OneDrive.app]
/usr/libexec/xpcproxy  [xpcproxy com.apple.pbs]

Network

Country  Destination         Domain                                  Proto
US       8.8.8.8:53          2-courier.push.apple.com                udp
US       8.8.8.8:53          a68.dscw27.akamai.net                   udp
US       8.8.8.8:53          mobile.events.data.trafficmanager.net   udp
GB       51.105.71.136:443   (none)                                  tcp
US       8.8.8.8:53          8-courier.push.apple.com                udp
US       8.8.8.8:53          andrewka6.pythonanywhere.com            udp
US       35.173.69.207:80    andrewka6.pythonanywhere.com            tcp
US       8.8.8.8:53          (none)                                  udp
US       8.8.8.8:53          22-courier.push.apple.com               udp
US       35.173.69.207:80    andrewka6.pythonanywhere.com            tcp
US       8.8.8.8:53          3.courier-push-apple.com.akadns.net     udp
US       8.8.8.8:53          11-courier.push.apple.com               udp
US       35.173.69.207:80    andrewka6.pythonanywhere.com            tcp
US       8.8.8.8:53          37-courier.push.apple.com               udp
US       8.8.8.8:53          7-courier.push.apple.com                udp
US       8.8.8.8:53          41-courier.push.apple.com               udp
US       8.8.8.8:53          21.courier-push-apple.com.akadns.net    udp
US       8.8.8.8:53          12.courier-push-apple.com.akadns.net    udp
US       35.173.69.207:80    andrewka6.pythonanywhere.com            tcp
N/A      224.0.0.251:5353    (none)                                  udp
US       8.8.8.8:53          27-courier.push.apple.com               udp
US       8.8.8.8:53          49.courier-push-apple.com.akadns.net    udp

Files

/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C//mds/mdsObject.db

MD5 d3a1859e6ec593505cc882e6def48fc8
SHA1 f8e6728e3e9de477a75706faa95cead9ce13cb32
SHA256 3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c
SHA512 ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C//mds/mdsDirectory.db

MD5 0e4a0d1ceb2af6f0f8d0167ce77be2d3
SHA1 414ba4c1dc5fc8bf53d550e296fd6f5ad669918c
SHA256 cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030
SHA512 1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

/Users/run/.2024-02-15_e9742f14ac3a1b793087bd6ca3f87e16_adload_evilquest1

MD5 404345264e9c1b5a711a676176b1147c
SHA1 8217d171f1fad3f650ebf4aeb873f5d253288490
SHA256 f018b12315c2b1924db29bb246137f947cf9601b14364e3744c3d979c839b6d6
SHA512 d9444f0afaac217f63c5505db8222b2d066ebaca3000e2223f4ece6f62fe87d917d137313d24c17fee8cd49109f8b3bbd70f4a82041e7f604074dd2b23b877bc

/Library/AppQuest/com.apple.questd

MD5 f18ec39bc8f731fe0952968b49f97925
SHA1 7a383150498a7a73ba5cd81766a761de06792c26
SHA256 1508486882f16aeef667ea82222c5a396289dc5612f40d6d0e0cc6234bf98fd7
SHA512 c50415aa59c4659755ee1723ddec8fa1fdc213dd95a6578dbb2bd747e19f6ef94b8383fe21cd54924c55e59a540d62fd1e0e9d82b8edaab98c2f5c466f118cde

/Users/run/Library/AppQuest/com.apple.questd

MD5 942e91d859326689e56c809ae1d42f63
SHA1 e070ea529bab0548e23d32a3a94a6df4bf1f4bcd
SHA256 98c0f0e5779a148df1a2dff1d8ae6b1a601dcdad8283ae713df07705e358c944
SHA512 0f114412e865eb96f91af44274371bbba5ee5d071142111acae95200dcb8df489e067cf9f8e323eb4de62353ed11e2c091d7f5d00f97e15b18f214c23942f465

/Library/LaunchDaemons/com.apple.questd.plist

MD5 a3d34532a7dd2cd1d73cea75deb0677f
SHA1 3019d1c50907fb2597121c03619990c5670ff6f4
SHA256 779a31e4de99f9de28de8bf064c504382e050c114e2e865cc1f694c7e6339735
SHA512 52618a5f14247c909a3857b122a124d0ddd00890c128cf041976182423b3d728cab11daf5b6a1adb6845d062b54083e72380184b6f76369482305c2782bedd91

/Users/run/Library/LaunchAgents/com.apple.questd.plist

MD5 eb73619f4e724257ff0fd951883a30ae
SHA1 5032251e50b32e340d8171631a598596bad8991e
SHA256 6e56467f3f5502588094c91e2d58bbb1e43c4e8171093db14931dd41788e17d4
SHA512 ec95c395414181bc77c7a2980fbd3fe69b718aa98c878e514c3f28b738e1669488126cbdfa96e3a182afd8536b54bc1791a044fa3535d1fd3fad54dfda337b7c

/Library/AppQuest/com.apple.questd

MD5 d0067e0f51a33de2da7df58851392337
SHA1 f7f818a4037379fe3bab02d8725f4ce4b12275a8
SHA256 57dd93da7b9954a3ff7a177420c73931e2852facc58a176088722a4c9810b812
SHA512 25d583e32b9ec7130a5ac26d685288865ff02087e4480eb11365ffc7e15d5ec588cbf94f396389897945545179baf6721727fb3a1a0daedde6f5d648dac6ca9d

/var/root/Library/AppQuest/com.apple.questd

MD5 5be20c1305afb663f1b393759ef1c2fe
SHA1 cf0a517719ed0605abc720873dab50f2036bbe40
SHA256 94bec9166fc4bfd00b995b63f584a32ec9eaaf4e58031f76ddd80d8db711423c
SHA512 a653ddf8f85562e03a0369dde04949a76220c3445260945ca29557779e97eed76a58ce4c2c5b895cb4e5f2520900605d41bb9fe911a5a16713afda52cce52871

/var/root/Library/LaunchAgents/com.apple.questd.plist

MD5 70c1e05ff6b32db6e1ef873321abd1f9
SHA1 16878e40cd5a569bc8f441988cc07b66ffc8534a
SHA256 ba60feb2a639cd847674e6599cabf986ede7876231a292785b0365d58b7b9378
SHA512 1e82629b3b1fa7bb88e7efe0393aee7114631555fbfe614d33b9b1efb4d299c35dac5e393f834dcc26a5e192e46e317124c0b841f65ab371819c34802424712e

/Users/run/Library/Containers/com.apple.iCal.CalendarNC/Container.plist

MD5 2cd00e4b56b4e251dc38ebc3ee6430ff
SHA1 17c0b935843ed06f3b8bbf9e0e432a880949b84d
SHA256 9855c461ae3a723aded334c9f8ed5694a83b6df58f8aaf613feb0f710d9d80c3
SHA512 d60249880f6a0392b98b7cffc4e4b2e50ea59fb11fb344fbc7f6be6b45ce9d9712c9aa179f76ef1200b1656c0d5f94e2af2b4f315e5f71e6c5a6f379cbf0cc7d