Malware Analysis Report

2024-11-30 16:04

Sample ID 240307-1e5vvsfd6y
Target 2024-03-07_775c6754c8d3d5d52dd440b3836ab630_adload_evilquest
SHA256 41afa27930f0d584b6adbbecd334f4c0cb871bb22f2b8225ce998dd6db04b405
Tags
evilquest backdoor evasion execution persistence ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

41afa27930f0d584b6adbbecd334f4c0cb871bb22f2b8225ce998dd6db04b405

Threat Level: Known bad

The file 2024-03-07_775c6754c8d3d5d52dd440b3836ab630_adload_evilquest was found to be: Known bad.

Malicious Activity Summary

evilquest backdoor evasion execution persistence ransomware

EvilQuest payload

Evilquest family

EvilQuest

Compromise Client Software Binary

Launch Daemon

Resource Forking

AppleScript

Launchctl

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-07 21:34

Signatures

EvilQuest payload

Description Indicator Process Target
N/A N/A N/A N/A

Evilquest family

evilquest

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-07 21:34

Reported

2024-03-07 21:37

Platform

macos-20240214-en

Max time kernel

142s

Max time network

124s

Command Line

[xpcproxy com.apple.pluginkit.pkd]

Signatures

EvilQuest

backdoor evilquest

EvilQuest payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Compromise Client Software Binary

persistence
Description Indicator Process Target
N/A /Users/run/Library/AppQuest/com.apple.questd N/A N/A
N/A /Library/AppQuest/com.apple.questd N/A N/A
N/A /Users/run/Library/AppQuest/com.apple.questd N/A N/A
N/A /Library/AppQuest/com.apple.questd N/A N/A
N/A /var/root/Library/AppQuest/com.apple.questd N/A N/A

Launch Daemon

persistence

AppleScript

execution
Description Indicator Process Target
N/A sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" N/A N/A
N/A osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" N/A N/A
N/A osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" N/A N/A
N/A osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" N/A N/A
N/A osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" N/A N/A
N/A sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" N/A N/A
N/A sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" N/A N/A
N/A sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" N/A N/A
N/A osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" N/A N/A
N/A sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" N/A N/A
N/A sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" N/A N/A
N/A osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" N/A N/A
N/A sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" N/A N/A
N/A osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" N/A N/A
N/A sh -c "osascript -e \"beep 18 say \\\"Your files are encrypted\\\" waiting until completion false set alTitle to \\\"Many of your important documents, photos, videos, images and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service. We guarantee however that you can recover your files safely and easily and this will cost you 50 USD without any additional fees. Our offer is valid FOR 3 DAYS (starting now!). Full details can be found in the file: READ_ME_NOW.txt located on your Desktop\\\" set alText to \\\"Your files are encrypted\\\" display alert alText message alTitle as critical buttons {\\\"OK\\\"} set the clipboard to \\\"13roGMpWd7Pb3ZoJyce8eoQpfegQvGHHK7\\\"\"" N/A N/A
N/A osascript -e "beep 18 say \"Your files are encrypted\" waiting until completion false set alTitle to \"Many of your important documents, photos, videos, images and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service. We guarantee however that you can recover your files safely and easily and this will cost you 50 USD without any additional fees. Our offer is valid FOR 3 DAYS (starting now!). Full details can be found in the file: READ_ME_NOW.txt located on your Desktop\" set alText to \"Your files are encrypted\" display alert alText message alTitle as critical buttons {\"OK\"} set the clipboard to \"13roGMpWd7Pb3ZoJyce8eoQpfegQvGHHK7\"" N/A N/A
N/A sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" N/A N/A
N/A sh -c "osascript -e \"beep 18 say \\\"Your files are encrypted\\\" waiting until completion false set alTitle to \\\"Many of your important documents, photos, videos, images and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service. We guarantee however that you can recover your files safely and easily and this will cost you 50 USD without any additional fees. Our offer is valid FOR 3 DAYS (starting now!). Full details can be found in the file: READ_ME_NOW.txt located on your Desktop\\\" set alText to \\\"Your files are encrypted\\\" display alert alText message alTitle as critical buttons {\\\"OK\\\"} set the clipboard to \\\"13roGMpWd7Pb3ZoJyce8eoQpfegQvGHHK7\\\"\"" N/A N/A
N/A sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" N/A N/A
N/A osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" N/A N/A
N/A osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" N/A N/A
N/A osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" N/A N/A
N/A sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" N/A N/A
N/A sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" N/A N/A
N/A sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" N/A N/A
N/A sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" N/A N/A
N/A osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" N/A N/A
N/A sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" N/A N/A
N/A osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" N/A N/A
N/A osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" N/A N/A
N/A sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" N/A N/A
N/A osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" N/A N/A
N/A osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" N/A N/A
N/A osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" N/A N/A
N/A osascript -e "beep 18 say \"Your files are encrypted\" waiting until completion false set alTitle to \"Many of your important documents, photos, videos, images and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service. We guarantee however that you can recover your files safely and easily and this will cost you 50 USD without any additional fees. Our offer is valid FOR 3 DAYS (starting now!). Full details can be found in the file: READ_ME_NOW.txt located on your Desktop\" set alText to \"Your files are encrypted\" display alert alText message alTitle as critical buttons {\"OK\"} set the clipboard to \"13roGMpWd7Pb3ZoJyce8eoQpfegQvGHHK7\"" N/A N/A
N/A sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" N/A N/A

Resource Forking

evasion
Description Indicator Process Target
N/A /System/Library/Frameworks/ApplicationServices.framework/Frameworks/SpeechSynthesis.framework/Resources/com.apple.speech.speechsynthesisd N/A N/A
N/A /System/Library/Frameworks/ApplicationServices.framework/Frameworks/SpeechSynthesis.framework/Resources/com.apple.speech.speechsynthesisd N/A N/A

Launchctl

execution
Description Indicator Process Target
N/A sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" N/A N/A
N/A /bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" N/A N/A
N/A launchctl start questd N/A N/A
N/A sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" N/A N/A
N/A launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist N/A N/A
N/A launchctl start questd N/A N/A
N/A /bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" N/A N/A
N/A /bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" N/A N/A
N/A sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" N/A N/A
N/A /bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" N/A N/A
N/A launchctl start questd N/A N/A
N/A launchctl start questd N/A N/A
N/A sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" N/A N/A
N/A osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" N/A N/A
N/A sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" N/A N/A
N/A sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" N/A N/A
N/A osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" N/A N/A
N/A osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" N/A N/A
N/A /bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" N/A N/A
N/A /bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" N/A N/A
N/A launchctl start questd N/A N/A
N/A launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist N/A N/A
N/A launchctl start questd N/A N/A
N/A osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" N/A N/A
N/A /bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" N/A N/A
N/A osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" N/A N/A
N/A launchctl start questd N/A N/A
N/A launchctl start questd N/A N/A
N/A launchctl start questd N/A N/A
N/A sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" N/A N/A
N/A launchctl start questd N/A N/A
N/A launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist N/A N/A
N/A launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist N/A N/A
N/A launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist N/A N/A
N/A launchctl start questd N/A N/A
N/A sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" N/A N/A
N/A launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist N/A N/A
N/A osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" N/A N/A
N/A launchctl start questd N/A N/A
N/A osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" N/A N/A
N/A launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist N/A N/A
N/A launchctl start questd N/A N/A
N/A launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist N/A N/A
N/A launchctl start questd N/A N/A
N/A /bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" N/A N/A
N/A launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist N/A N/A
N/A /bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" N/A N/A
N/A osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" N/A N/A
N/A launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist N/A N/A
N/A launchctl start questd N/A N/A
N/A launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist N/A N/A
N/A /bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" N/A N/A
N/A /bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" N/A N/A
N/A launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist N/A N/A
N/A launchctl start questd N/A N/A
N/A sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" N/A N/A
N/A sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" N/A N/A
N/A /bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" N/A N/A
N/A /bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" N/A N/A
N/A osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" N/A N/A
N/A sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" N/A N/A
N/A launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist N/A N/A
N/A osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" N/A N/A
N/A /bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" N/A N/A

Processes

/usr/libexec/xpcproxy

[xpcproxy com.apple.pluginkit.pkd]

/usr/libexec/pkd

[/usr/libexec/pkd]

/bin/sh

[sh -c sudo /bin/zsh -c "/Users/run/2024-03-07_775c6754c8d3d5d52dd440b3836ab630_adload_evilquest"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Users/run/2024-03-07_775c6754c8d3d5d52dd440b3836ab630_adload_evilquest"]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/2024-03-07_775c6754c8d3d5d52dd440b3836ab630_adload_evilquest]

/bin/zsh

[/bin/zsh -c /Users/run/2024-03-07_775c6754c8d3d5d52dd440b3836ab630_adload_evilquest]

/Users/run/2024-03-07_775c6754c8d3d5d52dd440b3836ab630_adload_evilquest

[/Users/run/2024-03-07_775c6754c8d3d5d52dd440b3836ab630_adload_evilquest]

/usr/libexec/xpcproxy

[xpcproxy com.apple.sysmond]

/usr/libexec/sysmond

[/usr/libexec/sysmond]

/bin/sh

[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]

/bin/bash

[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]

/usr/bin/osascript

[osascript -e do shell script "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" with administrator privileges]

/usr/libexec/xpcproxy

[xpcproxy com.apple.security.authtrampoline]

/System/Library/Frameworks/Security.framework/authtrampoline

[/System/Library/Frameworks/Security.framework/authtrampoline]

/bin/sh

[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]

/bin/bash

[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]

/bin/launchctl

[launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist]

/usr/libexec/xpcproxy

[xpcproxy questd]

/bin/launchctl

[launchctl start questd]

/usr/bin/sudo

[sudo /Library/AppQuest/com.apple.questd --silent]

/bin/sh

[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]

/bin/bash

[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]

/usr/bin/osascript

[osascript -e do shell script "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" with administrator privileges]

/bin/sh

[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]

/bin/bash

[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]

/bin/launchctl

[launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist]

/bin/launchctl

[launchctl start questd]

/Library/AppQuest/com.apple.questd

[/Library/AppQuest/com.apple.questd --silent]

/usr/bin/pluginkit

[/usr/bin/pluginkit -e ignore -i com.microsoft.OneDrive.FinderSync]

/usr/sbin/spctl

[/usr/sbin/spctl --assess --type execute /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/OneDriveUpdater2481EFE7/OneDrive.app]

/bin/sh

[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]

/bin/bash

[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]

/usr/bin/osascript

[osascript -e do shell script "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" with administrator privileges]

/bin/sh

[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]

/bin/bash

[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]

/bin/launchctl

[launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist]

/bin/launchctl

[launchctl start questd]

/bin/sh

[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]

/bin/bash

[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]

/usr/bin/osascript

[osascript -e do shell script "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" with administrator privileges]

/bin/sh

[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]

/bin/bash

[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]

/bin/launchctl

[launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist]

/bin/launchctl

[launchctl start questd]

/bin/sh

[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]

/bin/bash

[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]

/usr/bin/osascript

[osascript -e do shell script "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" with administrator privileges]

/bin/sh

[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]

/bin/bash

[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]

/bin/launchctl

[launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist]

/bin/launchctl

[launchctl start questd]

/bin/sh

[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]

/bin/bash

[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]

/usr/bin/osascript

[osascript -e do shell script "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" with administrator privileges]

/bin/sh

[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]

/bin/bash

[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]

/usr/bin/osascript

[osascript -e do shell script "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" with administrator privileges]

/bin/sh

[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]

/bin/bash

[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]

/bin/launchctl

[launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist]

/bin/launchctl

[launchctl start questd]

/bin/sh

[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]

/bin/bash

[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]

/bin/launchctl

[launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist]

/bin/launchctl

[launchctl start questd]

/bin/sh

[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]

/bin/bash

[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]

/usr/bin/osascript

[osascript -e do shell script "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" with administrator privileges]

/usr/libexec/xpcproxy

[xpcproxy com.apple.akd]

/System/Library/PrivateFrameworks/AuthKit.framework/Versions/A/Support/akd

[/System/Library/PrivateFrameworks/AuthKit.framework/Versions/A/Support/akd]

/bin/sh

[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]

/bin/bash

[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]

/bin/launchctl

[launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist]

/bin/launchctl

[launchctl start questd]

/bin/sh

[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]

/bin/bash

[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]

/usr/bin/osascript

[osascript -e do shell script "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" with administrator privileges]

/bin/sh

[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]

/bin/bash

[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]

/bin/launchctl

[launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist]

/bin/launchctl

[launchctl start questd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.icloud.findmydeviced]

/usr/libexec/findmydeviced

[/usr/libexec/findmydeviced]

/bin/sh

[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]

/bin/bash

[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]

/usr/bin/osascript

[osascript -e do shell script "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" with administrator privileges]

/bin/sh

[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]

/bin/bash

[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]

/bin/launchctl

[launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist]

/bin/launchctl

[launchctl start questd]

/bin/sh

[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]

/bin/bash

[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]

/usr/bin/osascript

[osascript -e do shell script "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" with administrator privileges]

/bin/sh

[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]

/bin/bash

[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]

/bin/launchctl

[launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist]

/bin/launchctl

[launchctl start questd]

/bin/sh

[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]

/bin/bash

[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]

/usr/bin/osascript

[osascript -e do shell script "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" with administrator privileges]

/bin/sh

[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]

/bin/bash

[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]

/bin/launchctl

[launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist]

/bin/launchctl

[launchctl start questd]

/bin/sh

[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]

/bin/bash

[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]

/usr/bin/osascript

[osascript -e do shell script "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" with administrator privileges]

/bin/sh

[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]

/bin/bash

[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]

/bin/launchctl

[launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist]

/bin/launchctl

[launchctl start questd]

/bin/sh

[sh -c osascript -e "beep 18 say \"Your files are encrypted\" waiting until completion false set alTitle to \"Many of your important documents, photos, videos, images and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service. We guarantee however that you can recover your files safely and easily and this will cost you 50 USD without any additional fees. Our offer is valid FOR 3 DAYS (starting now!). Full details can be found in the file: READ_ME_NOW.txt located on your Desktop\" set alText to \"Your files are encrypted\" display alert alText message alTitle as critical buttons {\"OK\"} set the clipboard to \"13roGMpWd7Pb3ZoJyce8eoQpfegQvGHHK7\""]

/bin/bash

[sh -c osascript -e "beep 18 say \"Your files are encrypted\" waiting until completion false set alTitle to \"Many of your important documents, photos, videos, images and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service. We guarantee however that you can recover your files safely and easily and this will cost you 50 USD without any additional fees. Our offer is valid FOR 3 DAYS (starting now!). Full details can be found in the file: READ_ME_NOW.txt located on your Desktop\" set alText to \"Your files are encrypted\" display alert alText message alTitle as critical buttons {\"OK\"} set the clipboard to \"13roGMpWd7Pb3ZoJyce8eoQpfegQvGHHK7\""]

/usr/bin/osascript

[osascript -e beep 18 say "Your files are encrypted" waiting until completion false set alTitle to "Many of your important documents, photos, videos, images and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service. We guarantee however that you can recover your files safely and easily and this will cost you 50 USD without any additional fees. Our offer is valid FOR 3 DAYS (starting now!). Full details can be found in the file: READ_ME_NOW.txt located on your Desktop" set alText to "Your files are encrypted" display alert alText message alTitle as critical buttons {"OK"} set the clipboard to "13roGMpWd7Pb3ZoJyce8eoQpfegQvGHHK7"]

/usr/libexec/xpcproxy

[xpcproxy com.apple.audio.systemsoundserverd]

/usr/sbin/systemsoundserverd

[/usr/sbin/systemsoundserverd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.audio.AudioComponentRegistrar]

/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar

[/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar -daemon]

/usr/libexec/xpcproxy

[xpcproxy com.apple.speech.speechsynthesisd]

/System/Library/Frameworks/ApplicationServices.framework/Frameworks/SpeechSynthesis.framework/Resources/com.apple.speech.speechsynthesisd

[/System/Library/Frameworks/ApplicationServices.framework/Frameworks/SpeechSynthesis.framework/Resources/com.apple.speech.speechsynthesisd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.audio.SandboxHelper 718]

/System/Library/Frameworks/AudioToolbox.framework/XPCServices/com.apple.audio.SandboxHelper.xpc/Contents/MacOS/com.apple.audio.SandboxHelper

[/System/Library/Frameworks/AudioToolbox.framework/XPCServices/com.apple.audio.SandboxHelper.xpc/Contents/MacOS/com.apple.audio.SandboxHelper]

/usr/libexec/xpcproxy

[xpcproxy com.apple.ReportCrash.Root]

/var/root/Hellper.app

/System/Library/CoreServices/ReportCrash

[/System/Library/CoreServices/ReportCrash daemon]

/usr/libexec/xpcproxy

[xpcproxy com.apple.accountsd]

/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd

[/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd]

/bin/sh

[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]

/bin/bash

[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]

/usr/bin/osascript

[osascript -e do shell script "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" with administrator privileges]

/bin/sh

[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]

/bin/bash

[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]

/bin/launchctl

[launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist]

/bin/launchctl

[launchctl start questd]

/bin/sh

[sh -c osascript -e "beep 18 say \"Your files are encrypted\" waiting until completion false set alTitle to \"Many of your important documents, photos, videos, images and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service. We guarantee however that you can recover your files safely and easily and this will cost you 50 USD without any additional fees. Our offer is valid FOR 3 DAYS (starting now!). Full details can be found in the file: READ_ME_NOW.txt located on your Desktop\" set alText to \"Your files are encrypted\" display alert alText message alTitle as critical buttons {\"OK\"} set the clipboard to \"13roGMpWd7Pb3ZoJyce8eoQpfegQvGHHK7\""]

/bin/bash

[sh -c osascript -e "beep 18 say \"Your files are encrypted\" waiting until completion false set alTitle to \"Many of your important documents, photos, videos, images and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service. We guarantee however that you can recover your files safely and easily and this will cost you 50 USD without any additional fees. Our offer is valid FOR 3 DAYS (starting now!). Full details can be found in the file: READ_ME_NOW.txt located on your Desktop\" set alText to \"Your files are encrypted\" display alert alText message alTitle as critical buttons {\"OK\"} set the clipboard to \"13roGMpWd7Pb3ZoJyce8eoQpfegQvGHHK7\""]

/usr/bin/osascript

[osascript -e beep 18 say "Your files are encrypted" waiting until completion false set alTitle to "Many of your important documents, photos, videos, images and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service. We guarantee however that you can recover your files safely and easily and this will cost you 50 USD without any additional fees. Our offer is valid FOR 3 DAYS (starting now!). Full details can be found in the file: READ_ME_NOW.txt located on your Desktop" set alText to "Your files are encrypted" display alert alText message alTitle as critical buttons {"OK"} set the clipboard to "13roGMpWd7Pb3ZoJyce8eoQpfegQvGHHK7"]

/usr/libexec/xpcproxy

[xpcproxy com.apple.quicklook.satellite.1DDA4A16-1095-4B11-8F6B-E690F81383DC 736]

/System/Library/Frameworks/QuickLook.framework/Versions/A/XPCServices/QuickLookSatellite.xpc/Contents/MacOS/QuickLookSatellite

[/System/Library/Frameworks/QuickLook.framework/Versions/A/XPCServices/QuickLookSatellite.xpc/Contents/MacOS/QuickLookSatellite]

/usr/libexec/xpcproxy

[xpcproxy com.apple.accountsd]

/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd

[/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.tailspind]

/usr/libexec/tailspind

[/usr/libexec/tailspind]

/usr/libexec/xpcproxy

[xpcproxy com.apple.speech.speechsynthesisd]

/System/Library/Frameworks/ApplicationServices.framework/Frameworks/SpeechSynthesis.framework/Resources/com.apple.speech.speechsynthesisd

[/System/Library/Frameworks/ApplicationServices.framework/Frameworks/SpeechSynthesis.framework/Resources/com.apple.speech.speechsynthesisd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.audio.SandboxHelper 744]

/System/Library/Frameworks/AudioToolbox.framework/XPCServices/com.apple.audio.SandboxHelper.xpc/Contents/MacOS/com.apple.audio.SandboxHelper

[/System/Library/Frameworks/AudioToolbox.framework/XPCServices/com.apple.audio.SandboxHelper.xpc/Contents/MacOS/com.apple.audio.SandboxHelper]

/usr/libexec/xpcproxy

[xpcproxy com.apple.ViewBridgeAuxiliary]

/System/Library/PrivateFrameworks/ViewBridge.framework/Versions/A/XPCServices/ViewBridgeAuxiliary.xpc/Contents/MacOS/ViewBridgeAuxiliary

[/System/Library/PrivateFrameworks/ViewBridge.framework/Versions/A/XPCServices/ViewBridgeAuxiliary.xpc/Contents/MacOS/ViewBridgeAuxiliary]

/bin/sh

[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]

/bin/bash

[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]

/usr/bin/osascript

[osascript -e do shell script "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" with administrator privileges]

/bin/sh

[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]

/bin/bash

[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]

/bin/launchctl

[launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist]

/bin/launchctl

[launchctl start questd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.accountsd]

/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd

[/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.suggestd]

/System/Library/PrivateFrameworks/CoreSuggestions.framework/Versions/A/Support/suggestd

[/System/Library/PrivateFrameworks/CoreSuggestions.framework/Versions/A/Support/suggestd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E]

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService

[/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService]

/usr/libexec/xpcproxy

[xpcproxy com.apple.knowledge-agent]

/usr/libexec/knowledge-agent

[/usr/libexec/knowledge-agent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.accountsd]

/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd

[/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.accountsd]

/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd

[/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.accountsd]

/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd

[/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd]

/bin/sh

[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]

/bin/bash

[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"]

/usr/bin/osascript

[osascript -e do shell script "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" with administrator privileges]

/bin/sh

[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]

/bin/bash

[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd]

/bin/launchctl

[launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist]

/bin/launchctl

[launchctl start questd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.accountsd]

/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd

[/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.accountsd]

/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd

[/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.accountsd]

/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd

[/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd]

Network

Country Destination Domain Proto
US 8.8.8.8:53 41-courier.push.apple.com udp
US 8.8.8.8:53 mobile.events.data.trafficmanager.net udp
FR 40.79.141.154:443 tcp
US 8.8.8.8:53 andrewka6.pythonanywhere.com udp
US 35.173.69.207:80 andrewka6.pythonanywhere.com tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 api.apple-cloudkit.fe2.apple-dns.net udp
US 35.173.69.207:80 andrewka6.pythonanywhere.com tcp
US 35.173.69.207:80 andrewka6.pythonanywhere.com tcp
US 8.8.8.8:53 apis.apple.map.fastly.net udp
US 35.173.69.207:80 andrewka6.pythonanywhere.com tcp
US 8.8.8.8:53 cds.apple.com udp
GB 184.85.51.234:443 cds.apple.com tcp
US 8.8.8.8:53 help.apple.com udp
GB 23.37.1.157:443 help.apple.com tcp
GB 23.37.1.157:443 help.apple.com tcp
N/A 224.0.0.251:5353 udp

Files

/Library/AppQuest/com.apple.questd

MD5 f32271d07b2abd6b53991927dc0ad795
SHA1 d7cf09d611c55945688912603e68b694ce8d6334
SHA256 40c2817419216a49d3f83e9e21ef53220b6336db713336b9df37448c0892aa37
SHA512 0b2531ba1ad03a2786b616181adb6fdfde08b2daa926df725f5a3751b93f8290120a58dcc7c953a5f1d05e613b9a85cecaf5c55d45959360cca00b9b6b58715e

/Users/run/Library/AppQuest/com.apple.questd

MD5 a53c200bca8f73797b47ef290bc6f705
SHA1 61e75b2c4cf6c0d65342e75d0b15a21c7dfc2e7a
SHA256 69ab9e3a43e8668bf79c3f4e36adbd68b94cea99a641699f0aacf0bfaccb6680
SHA512 49c1689b649db371e19d781f4e4e5ad56176e53989514ee44e2001860c867739a6c13801f0c32d5ea0a3f890046c53cc51b2824b09a17da49a08bac964a549ed

/Library/LaunchDaemons/com.apple.questd.plist

MD5 a3d34532a7dd2cd1d73cea75deb0677f
SHA1 3019d1c50907fb2597121c03619990c5670ff6f4
SHA256 779a31e4de99f9de28de8bf064c504382e050c114e2e865cc1f694c7e6339735
SHA512 52618a5f14247c909a3857b122a124d0ddd00890c128cf041976182423b3d728cab11daf5b6a1adb6845d062b54083e72380184b6f76369482305c2782bedd91

/Users/run/Library/LaunchAgents/com.apple.questd.plist

MD5 eb73619f4e724257ff0fd951883a30ae
SHA1 5032251e50b32e340d8171631a598596bad8991e
SHA256 6e56467f3f5502588094c91e2d58bbb1e43c4e8171093db14931dd41788e17d4
SHA512 ec95c395414181bc77c7a2980fbd3fe69b718aa98c878e514c3f28b738e1669488126cbdfa96e3a182afd8536b54bc1791a044fa3535d1fd3fad54dfda337b7c

/Library/AppQuest/com.apple.questd

MD5 775c6754c8d3d5d52dd440b3836ab630
SHA1 76faa9586af33ff4e223b6d7dc230437fb776f50
SHA256 41afa27930f0d584b6adbbecd334f4c0cb871bb22f2b8225ce998dd6db04b405
SHA512 6192b9bbaa1edfb46bce87e2cfb659e6be297317ebcfa43c8ad247ec8500d88995e04b82b8be127b3e9e614c9709fa37c8ec41dea0bf007041e7ec4ac8005b77

/var/root/Library/LaunchAgents/com.apple.questd.plist

MD5 70c1e05ff6b32db6e1ef873321abd1f9
SHA1 16878e40cd5a569bc8f441988cc07b66ffc8534a
SHA256 ba60feb2a639cd847674e6599cabf986ede7876231a292785b0365d58b7b9378
SHA512 1e82629b3b1fa7bb88e7efe0393aee7114631555fbfe614d33b9b1efb4d299c35dac5e393f834dcc26a5e192e46e317124c0b841f65ab371819c34802424712e

/Users/run/.CFUserTextEncoding

MD5 c9ec180ecd1752510543e326de149928
SHA1 d53e941a5a7b9f5e71d707c11ca35550b66d6a10
SHA256 c7d3b41f9723a2b6073b8cf5b8acb76cb0c53f7b9ad9ed80417c883049a0ea89
SHA512 60abaa904c392f18463b753d3b47b1535a29438681fe386ac7bb1702edf6390bbcb5388c101876797689840db3d421fb01f262a1b7ff323a4e0920f721d7a7ce

/Users/run/Desktop/READ_ME_NOW.txt

MD5 7a7187f67a2d1523378ae5c72e9c281d
SHA1 5afcffb685913f2760d88613648919630b79a9c8
SHA256 19744bd95c27fdef870911dffa9c86dca5e3af94c2d28c4faf630450b456f4ad
SHA512 dc70978fb1403bf22f7b61adcfad2e32274898616e418737c26135ce42aa952de889bbb3d43d4a07de2080a65c133c0027f83fa6aac6779492b443b60d657f58

/var/root/Library/Saved Application State/com.apple.osascript.savedState/data.data

MD5 9829f512449357888d02ddb241ba2d65
SHA1 35ff2a45a209a7efce874c3754dc9be8e0d1e6c4
SHA256 fa9db81f29ef4471e209d9c46335d97cd14042e9ac8ced3fa6a2fdda8d436932
SHA512 5958357fcf1f144a572268119e6959cda0b32cc8ccf69506bef5ef9e3686a0d2655f166c9666df3a4593da0d0ea9b5c313c13deebde747bd583b139a1fdced2a