Malware Analysis Report

2024-11-30 16:03

Sample ID 240307-z81mkafb6t
Target 2024-03-07_043fde99ae4ee9b8de4640ed6d1b3191_adload_evilquest
SHA256 9472b27d1a5f3c541b3b7d8742fcf8b321eec8d2eef55650d3e68f16920ecb1c
Tags
evilquest backdoor execution persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9472b27d1a5f3c541b3b7d8742fcf8b321eec8d2eef55650d3e68f16920ecb1c

Threat Level: Known bad

The file 2024-03-07_043fde99ae4ee9b8de4640ed6d1b3191_adload_evilquest was found to be: Known bad.

Malicious Activity Summary

evilquest backdoor execution persistence

EvilQuest payload

Evilquest family

EvilQuest

Launch Agent

Launch Daemon

AppleScript

Launchctl

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-07 21:24

Signatures

EvilQuest payload

Description Indicator Process Target
N/A N/A N/A N/A

Evilquest family

evilquest

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-07 21:24

Reported

2024-03-07 21:26

Platform

macos-20240214-en

Max time kernel

151s

Max time network

153s

Command Line

[xpcproxy com.apple.pluginkit.pkd]

Signatures

EvilQuest

backdoor evilquest

EvilQuest payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Launch Agent

persistence

Launch Daemon

persistence

AppleScript

execution
Description Indicator Process Target
N/A osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges" N/A N/A
N/A sh -c "osascript -e \"do shell script \\\"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\"" N/A N/A
N/A osascript -e "do shell script \"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges" N/A N/A
N/A sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\"" N/A N/A
N/A osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges" N/A N/A
N/A sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\"" N/A N/A
N/A osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges" N/A N/A
N/A sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\"" N/A N/A

Launchctl

execution
Description Indicator Process Target
N/A launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist N/A N/A
N/A osascript -e "do shell script \"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges" N/A N/A
N/A launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist N/A N/A
N/A sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\"" N/A N/A
N/A osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges" N/A N/A
N/A /bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist" N/A N/A
N/A sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\"" N/A N/A
N/A /bin/sh -c "launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist" N/A N/A
N/A sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\"" N/A N/A
N/A osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges" N/A N/A
N/A /bin/sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist" N/A N/A
N/A /bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist" N/A N/A
N/A osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges" N/A N/A
N/A launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist N/A N/A
N/A sh -c "osascript -e \"do shell script \\\"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\"" N/A N/A
N/A launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist N/A N/A

Processes

/usr/libexec/xpcproxy

[xpcproxy com.apple.pluginkit.pkd]

/usr/libexec/pkd

[/usr/libexec/pkd]

/bin/sh

[sh -c sudo /bin/zsh -c "/Users/run/2024-03-07_043fde99ae4ee9b8de4640ed6d1b3191_adload_evilquest"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Users/run/2024-03-07_043fde99ae4ee9b8de4640ed6d1b3191_adload_evilquest"]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/2024-03-07_043fde99ae4ee9b8de4640ed6d1b3191_adload_evilquest]

/bin/zsh

[/bin/zsh -c /Users/run/2024-03-07_043fde99ae4ee9b8de4640ed6d1b3191_adload_evilquest]

/Users/run/2024-03-07_043fde99ae4ee9b8de4640ed6d1b3191_adload_evilquest

[/Users/run/2024-03-07_043fde99ae4ee9b8de4640ed6d1b3191_adload_evilquest]

/bin/sh

[sh -c sysctl -n hw.ncpu]

/bin/bash

[sh -c sysctl -n hw.ncpu]

/usr/sbin/sysctl

[sysctl -n hw.ncpu]

/usr/libexec/xpcproxy

[xpcproxy com.apple.nsurlstoraged]

/usr/libexec/nsurlstoraged

[/usr/libexec/nsurlstoraged]

/usr/libexec/xpcproxy

[xpcproxy com.apple.sysmond]

/usr/libexec/sysmond

[/usr/libexec/sysmond]

/bin/sh

[sh -c osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"]

/bin/bash

[sh -c osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"]

/usr/bin/osascript

[osascript -e do shell script "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist" with administrator privileges]

/usr/libexec/xpcproxy

[xpcproxy com.apple.security.authtrampoline]

/System/Library/Frameworks/Security.framework/authtrampoline

[/System/Library/Frameworks/Security.framework/authtrampoline]

/bin/sh

[/bin/sh -c launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist]

/bin/bash

[/bin/sh -c launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist]

/bin/launchctl

[launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist]

/usr/libexec/xpcproxy

[xpcproxy afsvcpd]

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

[/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent]

/bin/sh

[sh -c osascript -e "do shell script \"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"]

/bin/bash

[sh -c osascript -e "do shell script \"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"]

/usr/bin/osascript

[osascript -e do shell script "launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist" with administrator privileges]

/usr/bin/pluginkit

[/usr/bin/pluginkit -e ignore -i com.microsoft.OneDrive.FinderSync]

/usr/sbin/spctl

[/usr/sbin/spctl --assess --type execute /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/OneDriveUpdater2481EFE7/OneDrive.app]

/bin/sh

[/bin/sh -c launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist]

/bin/bash

[/bin/sh -c launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist]

/bin/launchctl

[launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist]

/bin/sh

[sh -c sysctl -n hw.ncpu]

/bin/bash

[sh -c sysctl -n hw.ncpu]

/usr/sbin/sysctl

[sysctl -n hw.ncpu]

/bin/sh

[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"]

/bin/bash

[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"]

/usr/bin/osascript

[osascript -e do shell script "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist" with administrator privileges]

/bin/sh

[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist]

/bin/bash

[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist]

/bin/launchctl

[launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist]

/bin/sh

[sh -c osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"]

/bin/bash

[sh -c osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"]

/usr/bin/osascript

[osascript -e do shell script "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist" with administrator privileges]

/bin/sh

[/bin/sh -c launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist]

/bin/bash

[/bin/sh -c launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist]

/bin/launchctl

[launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist]

/usr/libexec/xpcproxy

[xpcproxy com.apple.ReportCrash.Root]

/System/Library/CoreServices/ReportCrash

[/System/Library/CoreServices/ReportCrash daemon]

/usr/libexec/xpcproxy

[xpcproxy com.apple.icloud.findmydeviced]

/usr/libexec/findmydeviced

[/usr/libexec/findmydeviced]

/usr/libexec/xpcproxy

[xpcproxy com.apple.geod]

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod

[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]

/usr/libexec/xpcproxy

[xpcproxy com.apple.geod]

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod

[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]

/usr/libexec/xpcproxy

[xpcproxy com.apple.secinitd]

/usr/libexec/secinitd

[/usr/libexec/secinitd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.cfprefsd.xpc.agent]

/usr/sbin/cfprefsd

[/usr/sbin/cfprefsd agent]

/usr/libexec/xpcproxy

[xpcproxy afsvcpd]

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

[/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent]

/bin/sh

[sh -c sysctl -n hw.ncpu]

/bin/bash

[sh -c sysctl -n hw.ncpu]

/usr/sbin/sysctl

[sysctl -n hw.ncpu]

/usr/libexec/xpcproxy

[xpcproxy com.apple.AddressBook.ContactsAccountsService]

/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService

[/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService]

/usr/libexec/xpcproxy

[xpcproxy com.apple.suggestd]

/System/Library/PrivateFrameworks/CoreSuggestions.framework/Versions/A/Support/suggestd

[/System/Library/PrivateFrameworks/CoreSuggestions.framework/Versions/A/Support/suggestd]

/usr/libexec/xpcproxy

[xpcproxy afsvcpd]

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

[/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.knowledge-agent]

/usr/libexec/knowledge-agent

[/usr/libexec/knowledge-agent]

/bin/sh

[sh -c sysctl -n hw.ncpu]

/bin/bash

[sh -c sysctl -n hw.ncpu]

/usr/sbin/sysctl

[sysctl -n hw.ncpu]

/usr/libexec/xpcproxy

[xpcproxy com.apple.routined]

/usr/libexec/routined

[/usr/libexec/routined LAUNCHED_BY_LAUNCHD]

/usr/libexec/xpcproxy

[xpcproxy com.apple.siri.context.service]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Maps.mapspushd]

/System/Library/CoreServices/mapspushd

[/System/Library/CoreServices/mapspushd]

/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService

[/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService]

/usr/libexec/xpcproxy

[xpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A]

/usr/libexec/neagent

[/usr/libexec/neagent]

/usr/libexec/xpcproxy

[xpcproxy afsvcpd]

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

[/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent]

/bin/sh

[sh -c sysctl -n hw.ncpu]

/bin/bash

[sh -c sysctl -n hw.ncpu]

/usr/sbin/sysctl

[sysctl -n hw.ncpu]

/usr/libexec/xpcproxy

[xpcproxy com.apple.tailspind]

/usr/libexec/tailspind

[/usr/libexec/tailspind]

/usr/libexec/xpcproxy

[xpcproxy afsvcpd]

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

[/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent]

/bin/sh

[sh -c sysctl -n hw.ncpu]

/bin/bash

[sh -c sysctl -n hw.ncpu]

/usr/sbin/sysctl

[sysctl -n hw.ncpu]

/usr/libexec/xpcproxy

[xpcproxy afsvcpd]

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

[/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent]

/bin/sh

[sh -c sysctl -n hw.ncpu]

/bin/bash

[sh -c sysctl -n hw.ncpu]

/usr/sbin/sysctl

[sysctl -n hw.ncpu]

/usr/libexec/xpcproxy

[xpcproxy afsvcpd]

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

[/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent]

/bin/sh

[sh -c sysctl -n hw.ncpu]

/bin/bash

[sh -c sysctl -n hw.ncpu]

/usr/sbin/sysctl

[sysctl -n hw.ncpu]

/usr/libexec/xpcproxy

[xpcproxy afsvcpd]

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

[/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent]

/bin/sh

[sh -c sysctl -n hw.ncpu]

/bin/bash

[sh -c sysctl -n hw.ncpu]

/usr/sbin/sysctl

[sysctl -n hw.ncpu]

/usr/libexec/xpcproxy

[xpcproxy afsvcpd]

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

[/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent]

/bin/sh

[sh -c sysctl -n hw.ncpu]

/bin/bash

[sh -c sysctl -n hw.ncpu]

/usr/sbin/sysctl

[sysctl -n hw.ncpu]

/usr/libexec/xpcproxy

[xpcproxy afsvcpd]

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

[/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent]

/bin/sh

[sh -c sysctl -n hw.ncpu]

/bin/bash

[sh -c sysctl -n hw.ncpu]

/usr/sbin/sysctl

[sysctl -n hw.ncpu]

/usr/libexec/xpcproxy

[xpcproxy afsvcpd]

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

[/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent]

/bin/sh

[sh -c sysctl -n hw.ncpu]

/bin/bash

[sh -c sysctl -n hw.ncpu]

/usr/sbin/sysctl

[sysctl -n hw.ncpu]

/usr/libexec/xpcproxy

[xpcproxy afsvcpd]

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

[/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent]

/bin/sh

[sh -c sysctl -n hw.ncpu]

/bin/bash

[sh -c sysctl -n hw.ncpu]

/usr/sbin/sysctl

[sysctl -n hw.ncpu]

/usr/libexec/xpcproxy

[xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E]

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService

[/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService]

/usr/libexec/xpcproxy

[xpcproxy afsvcpd]

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

[/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent]

/bin/sh

[sh -c sysctl -n hw.ncpu]

/bin/bash

[sh -c sysctl -n hw.ncpu]

/usr/sbin/sysctl

[sysctl -n hw.ncpu]

/usr/libexec/xpcproxy

[xpcproxy afsvcpd]

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

[/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent]

/bin/sh

[sh -c sysctl -n hw.ncpu]

/bin/bash

[sh -c sysctl -n hw.ncpu]

/usr/sbin/sysctl

[sysctl -n hw.ncpu]

/usr/libexec/xpcproxy

[xpcproxy afsvcpd]

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

[/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent]

/bin/sh

[sh -c sysctl -n hw.ncpu]

/bin/bash

[sh -c sysctl -n hw.ncpu]

/usr/sbin/sysctl

[sysctl -n hw.ncpu]

Network

Country Destination Domain Proto
US 8.8.8.8:53 45.courier-push-apple.com.akadns.net udp
GB 104.84.95.239:80 tcp
US 8.8.8.8:53 mobile.events.data.trafficmanager.net udp
FR 40.79.141.154:443 tcp
US 8.8.8.8:53 api.apple-cloudkit.fe2.apple-dns.net udp
US 8.8.8.8:53 apis.apple.map.fastly.net udp
US 151.101.67.6:443 apis.apple.map.fastly.net tcp
US 8.8.8.8:53 gspe1-ssl.ls.apple.com.edgesuite.net udp
GB 104.91.71.85:443 gspe1-ssl.ls.apple.com.edgesuite.net tcp
US 8.8.8.8:53 e4686.dsce9.akamaiedge.net udp
GB 104.91.71.86:443 gspe1-ssl.ls.apple.com.edgesuite.net tcp
GB 104.91.71.85:443 gspe1-ssl.ls.apple.com.edgesuite.net tcp
US 8.8.8.8:53 18-courier.push.apple.com udp
US 8.8.8.8:53 39-courier.push.apple.com udp
US 8.8.8.8:53 e10499.dsce9.akamaiedge.net udp
GB 17.253.77.201:80 valid.apple.com tcp
US 8.8.8.8:53 49.courier-push-apple.com.akadns.net udp
US 8.8.8.8:53 13-courier.push.apple.com udp
US 8.8.8.8:53 35.courier-push-apple.com.akadns.net udp
US 8.8.8.8:53 cds.apple.com udp
US 8.8.8.8:53 help.apple.com udp
GB 2.18.109.84:443 help.apple.com tcp
GB 2.18.109.84:443 help.apple.com tcp
US 8.8.8.8:53 8-courier.push.apple.com udp
US 8.8.8.8:53 35.courier-push-apple.com.akadns.net udp
US 8.8.8.8:53 40-courier.push.apple.com udp
US 8.8.8.8:53 34.courier-push-apple.com.akadns.net udp
US 8.8.8.8:53 21-courier.push.apple.com udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 7-courier.push.apple.com udp
US 8.8.8.8:53 9-courier.push.apple.com udp
US 8.8.8.8:53 3-courier.push.apple.com udp

Files

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

MD5 88d4d583dd34017f0af3cb7a8795506d
SHA1 21edc0023a797219fbf9d9b552a74ad6ee40ab15
SHA256 b813e07e510d7a079b6c0d31041b4185f52a1b7b420e05c6097aebbfe495cb2a
SHA512 62e9e0fc8c98957286fc3d8dffb61452cfe5d206d64b390108892bd5b2a21c49be711ee6dbeb611aed32951c0d1f40d83f5833750e01dcc1231e3d75795039ac

/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsObject.db

MD5 d3a1859e6ec593505cc882e6def48fc8
SHA1 f8e6728e3e9de477a75706faa95cead9ce13cb32
SHA256 3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c
SHA512 ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsDirectory.db

MD5 0e4a0d1ceb2af6f0f8d0167ce77be2d3
SHA1 414ba4c1dc5fc8bf53d550e296fd6f5ad669918c
SHA256 cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030
SHA512 1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

MD5 1ea62a1baba519cf81cd4547026018ba
SHA1 901aa6a86c5e887cc7807880bfb580d205da1b83
SHA256 edd9ecad00b738d3fd194aff2a3cb5c1cc6e592ca69316d3a6377a9528386553
SHA512 337d6e23e81fb70066db29b7ce7c35f885b61c135bc1b901a2cf6d25bb45e71306fa6c4a6642aed6f31cc5877c9122540c1ba532e0e01f86156d7412b0323e87

/Users/run/Library/Caches/GeoServices/Resources/altitude-1202.xml

MD5 f627cf4820da06be8e6ff3fdec6ebfee
SHA1 993d8ec88721b9e76c3fe1f5987338a61b452bf8
SHA256 f1d2905b871b9b80172b7c9dc298c1a3dd355e6ae633f77562f4e06ed52a54e7
SHA512 bf698aa0eee296df872b91432670af719bda88be3b6d210a567b500da1cedc0e07055a805c2331ccacea0a8a17396e2e37b4bf70894b9052723049c96083001f

/Library/Application Support/CrashReporter/com.apple.afsvcpd_C589348B-0863-5695-96A0-3DAE1B1C0B90.plist

MD5 5691861ab946e73a5405d3aecde486a1
SHA1 a5e13f1f2376855e81bcb438b9ed048d0d153fe5
SHA256 a2d0573920407819bf2d52a14bff67b88075b0c95beace9f2d4dee77072a478c
SHA512 95a74523f74a5e662c831e492782ea3721058c1aa78c4cf7362bc4d8ba948717b45ab32a1a4e1ea8cfdcd326cb6638e1be994eedfae44884a432bb5e6b528c7e

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

MD5 f63a85a6700193f76886215a79fa87f1
SHA1 5b1c5fb5ebc783277d400b0c8bfd21e7581e7af9
SHA256 37cba1bbbd703d8f976277dedd2c160356ae0e4fa5e2a3a71266f515be0be40b
SHA512 5955b231a5fab7bb51a591e3319c183fcda2d038bd5b356f43918453fee2c7cfc65e4592b4b647beb16f4842fc54923125d087b40a88e8879c70781a0840b36b

/Library/Application Support/CrashReporter/com.apple.afsvcpd_C589348B-0863-5695-96A0-3DAE1B1C0B90.plist

MD5 347611d17cce07f003bd0e855a7a94ee
SHA1 c7c80c93c14d6053fcefb5ebf7373a477cfe8eed
SHA256 c986485b301083e1a923f0055fd26b5e2a9cc42d415321e0f7035b8fa8b93593
SHA512 4eee0c18152d1881a8bf5a6249cb2391f1fb57985707edec134225f164afbe39653b8dbcf9db2e2dbd4d805284b3d4f646c2716afc49f8ecb8a61d393e54936e

/Users/run/Library/Caches/GeoServices/ActiveTileGroup.pbd

MD5 a45ed06a4a6a09ad7c3e44ec1247cbce
SHA1 e91d8d1f2e0fac0bb17c6eec2c8461f5a28a0788
SHA256 7886478e9377dfd5c4f7d0e336459d33ba8b72b70b8038fdcf793f9daa1bcf23
SHA512 c3a95107b1fec0439c97da56cf31c3c9d9f9cab277913ab53a5500c565ded9dae26b0f7d7fe754b3eaf8121f23d47fa0d3afe10341bdfed334e3adf77c25c504

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

MD5 805800c5407ae1e92b41e79c3a2e4fbd
SHA1 50e1ddb8f102bc96b63c9493b95cd15808e34dd0
SHA256 67e34632a0671c9228d8815ef7050a01e994f023b17263e3bf1ddbe654d12f54
SHA512 480abba8630abf0eb5d7187d73c4c2f7449e9d303f0ffdd0cc63539794083f1d2fff7d6f423d4a2673d405a6b6e69313a63a4c3621f91d4153bab911daad549f

/Library/Application Support/CrashReporter/com.apple.afsvcpd_C589348B-0863-5695-96A0-3DAE1B1C0B90.plist

MD5 5cce1c722c4a9de52bd159ed3cc5e204
SHA1 01e7a847f93ba484f35a29379bb4facd448455f6
SHA256 f8853971ff8b58c1608c05eabd1295a332b512364245e224b03265cf71578629
SHA512 9eedd4adc2a6b43dab5a12fc17262311d979a3393419c46a9109b0e68399f24abb8921cf49ff81a72b2590ecc17ece25d611170a1d997b44ec3432959771f1bd

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

MD5 50b846e2f9137531702f581f13950678
SHA1 44680e3f260bba2dfa543795bd05a02c8ee06ed4
SHA256 466acfc2ff8597c3a7547f65951b490768d2483eafe915022df744da5da3f3f8
SHA512 d3aea7a2b2ef4b2e04489f71c18d69852c64165537039e85183ab0fccb02a7983beeea77f12c3f9c7d0172f3ea92e19c240df4b8051ef56a89dbd56ffe303954

/Library/Application Support/CrashReporter/com.apple.afsvcpd_C589348B-0863-5695-96A0-3DAE1B1C0B90.plist

MD5 9e7b71a231b332373a772bc874a989d4
SHA1 fb913182d9d6d0d89c9770831fc03632ee7da9c6
SHA256 c12361567b04a9c7d38406bc21a53e1eb27f04b14a0d9a46d2265e921d302ef6
SHA512 2fcaa0afcfdee5980fa851b305fd0effa18c2df24257e53f688436fa6d3fb5396c7fc77346e78fba003d2537bc06e4ae552a134de3137ac2390bb4d5cf0aa94c

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

MD5 d8a997eb4ad9af3c84aeff45a65871b2
SHA1 75433b65e8590a4791d86a2b9ea5471af7df9f38
SHA256 d024ae0d9318ba94892c4200fc62f2d0af5a34dbeea1b4d1b9468aac54e6e519
SHA512 c974c1174385840c74c080ae1202c8e9cbffa9f8ccceec09016db342b28b83de3f7c10db3c3eb0cd9b736b440da28030c5c2cb72fead1085667b21f191b510d3

/Library/Application Support/CrashReporter/com.apple.afsvcpd_C589348B-0863-5695-96A0-3DAE1B1C0B90.plist

MD5 965e128223b7b05a307bc4df20b1a97e
SHA1 de0c45c4f666a3d4bfd535907c7d571ff5c3b67d
SHA256 7f98ea6d2bfc153ba14686255b6375765e649146fd4b23236a1f154d14ee107f
SHA512 923d428b1f4007522dcda80e3b55d7f8c1a00615bc39e8eac3f00516bfc3317cc133b1bcb48c002207ff8246a5e4d7fe58590e439146d78e02b30c2a5cbbfb51

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

MD5 f4cb30c072f59774be4b604e9948906a
SHA1 1992e933f8f8832779d626fd49640eb6c780a540
SHA256 0e47b6a8506afbb5f551829f0e38c0dd1d522b615672d6bfb8e541b337a171b3
SHA512 7db27588fa1de265f1cb0c6cdb026fd2c08b7c55bfcb4f82a2aec7c0485f5ac1c68ae178a391e07fb3d4f3e9c624078c8a718ed0e0f6eb48c7a03a131b5383f6

/Library/Application Support/CrashReporter/com.apple.afsvcpd_C589348B-0863-5695-96A0-3DAE1B1C0B90.plist

MD5 00dec19b5afed647731d93de6914469e
SHA1 d34e318bd862b3e5a4c05f87569d953ecdfa826e
SHA256 3eadd91914e116eec8169dd71f4660b80422c490b0a308efffbeae1d82c023ab
SHA512 6120e6014b45b6480badaa4e19f8cb432d684e80c5ab92f312211a1e44bea1afc2f1cfbdee6c7b561f28f055ff7d9a207a9d6b3e11686593e9c31bb27339b854

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

MD5 c52f870f57dce9a3f4748a9e9ade30df
SHA1 ec7911736d4becc85e445493704b027f848f81b8
SHA256 75db009751bbfad4121358707be6ca82c21934e9beda7659793d8b8a2b72f5cc
SHA512 8e5a2ab9d49cf3dc68eed8aa69327992cebfa38fa81a7b564c0356ba90037588fea9a881cbcd1846ee51e15b9ec336d9327e0790b0991d131aaa4240e7d90882

/Library/Application Support/CrashReporter/com.apple.afsvcpd_C589348B-0863-5695-96A0-3DAE1B1C0B90.plist

MD5 bf16284f2f14e74e3e9fbc4b5559b52e
SHA1 320a44315de9cd062e0014b05e53a506a54068ac
SHA256 2e44c11bbdbbd0d49ed08218f317cf7fec5be440600e477183ad38aef771fa3c
SHA512 c47da839bbbc6f8d2938c00d5c02a6d893ed9b35d7f19e585fd3ba0b80a37c1988aa29ff1de509c4e724a721f7e8e71c24fd9cd4fbb78a5346ed6af64aa7a5a2

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

MD5 17b6f6d58083a687f4447df8e1188b44
SHA1 64c34216e867ec4b2843b72a31b2426f23e57ccd
SHA256 f54654b6d6a741ad25e1362a824a2175601217b7c3d03f777d1bb01ec465551e
SHA512 2b52c31475cf5b4c30e8cfb68badb2d8a67a1b953379302afe41043a8fbcfd06a435b8f9858841140ee745b9747c0eaecc423edfdc391fddbbafd6b4d83746ee

/Library/Application Support/CrashReporter/com.apple.afsvcpd_C589348B-0863-5695-96A0-3DAE1B1C0B90.plist

MD5 d3e1a59fbe018f8383ca0579da535b10
SHA1 d76e9628dd2a055ddb40a0364811a99b09983a1a
SHA256 09ef584bfc38374c50361c135c92febbd58cdc20a2142d1ec16f5e39056d9c33
SHA512 4f4a927bcb5fe59c939d647bac89af9de0986e2a476af937d97f3ff6850fbbb3d2e7980ffeafd764afbf11419cd3ecdc999c9aa471a2a7aac8fe0f265796ca54

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

MD5 d716d0a2cb4ac41d98addb60a29592b4
SHA1 4f00acac41ade36e8944b09770e96568b7e239eb
SHA256 70bc620fadfd0c3099b693dc9af6adef475171b657b79593acdab8a4997a9261
SHA512 6f6cfd3f5124fd39262a817f26c6fd9365cb0fb786dbe4b1ffbd3683aca4725c26d6829002a3755fe905baf90e7ed738d7f7113dade0514fd58a3caaf230d38d

/Library/Application Support/CrashReporter/com.apple.afsvcpd_C589348B-0863-5695-96A0-3DAE1B1C0B90.plist

MD5 00ce7881a9b271d9b714b64355c212c0
SHA1 bc75bb796ac32b91c8fce688998f1ccfa914bd23
SHA256 6805a88b967f87454f03d3b2af7d8fdce9ef78132166fc9da3c805d1b3a0f021
SHA512 3119c1505f6a3e1896ccdc1b1f99ffc1de6ad2768da0e14b433aecde40f837a6241bccd9229b7b6c35693e6675951a4f289e27aa1e85e5b8407139a312e84e9b

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

MD5 d57b9e43d8c1fdcb9bafadef1bd27f21
SHA1 6575c8232eaab978639858393385748d3b0e15cc
SHA256 9fb1076b7b0864012f4141866cef9db1383c43fe6c9385db6ae1e6526a104850
SHA512 76369109dcd4e4f4385ab79e53d12fd390ada1cab362183f9cc920950cdf08cf37129bacccea2177842cc4b28dd35cc043b826ef2130704044efafbceefe51a5

/Library/Application Support/CrashReporter/com.apple.afsvcpd_C589348B-0863-5695-96A0-3DAE1B1C0B90.plist

MD5 a07659224a618822bb71e3ceaeea9073
SHA1 f807edb7dd40754c5f98466034504e47a336f40b
SHA256 e94b48d2da5cfde840649c2255b560f864b6ddb4daccf58cc38d2d2ab7d5de62
SHA512 56a2a1aab2d6b16af344dd5fcf58fdbe9fae5c9eed57f90c8979e526226d5a500ecf36508225983155360ffc2523e14ded671526c0905a50f56c759898448209

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

MD5 af3b060d9be83412adf1e6a0ae55e1a5
SHA1 c0e1b2e4d89f58f4ce3877864967bb36d1cf05dd
SHA256 b73e3ae8c0507aa1ae636739119b0aed445af5ba7fef5eaf792ff40380eb3726
SHA512 2f0773f10c6f996975b78c28c57bf8181f19337be96c9cddf0c12681fc0eaaa43d40259498658bf115b2a731633984f70ec858cfa51398bd4beca7e1d64f70cd

/Library/Application Support/CrashReporter/com.apple.afsvcpd_C589348B-0863-5695-96A0-3DAE1B1C0B90.plist

MD5 e7e3c088d91bb929bd3133c370e85648
SHA1 9e2678c80e8389cc0c9ed492d58323cfeff65ff3
SHA256 472b43807a9bf518a0da111c34d4b833494d0c0386ac53d3d1cfd870489781dc
SHA512 69fd169f59bc9b5b8b2c55fb645d0d1396d075db2feae420cece1f93af6e404fa35d0fb700f0cb4f730fdc99cd66eeec539cd9250d73266822223bcfc9a25091

/Users/run/Library/Cookies/HSTS.plist

MD5 d0550408a6cd88ae67a1e0acc7d6bc02
SHA1 2c2b701bf5a986ae56b74e7d9e11a2972b6de1d2
SHA256 2b79177b1a27154525e204bcc6cb30ddb7b005e78991f4f9b8c9f9131e96e130
SHA512 188733ad018efeec58b975cb0a7b91a6831a0561891137b081010b78264142c253da3ec8a8c95a758cfbb6572b5c055d521d553feac1eae888ff8468c88e5449

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

MD5 a713010ae2b6c8ff223c59414e1ee15f
SHA1 3378a08cce48bed5fb4d526d8dd199f4395ad310
SHA256 2f105104e5502636da96845ad38c097c7a81638f306bf65fcb6815f1fd453c22
SHA512 a8511eb2863974c52fea65e9dd43ce3f03505b4f2cee050b4829cd9cf7f5eac3a1ba639b1c2f88528929c1acf0113da21440363a540da0b73a50a95c439de171

/Library/Application Support/CrashReporter/com.apple.afsvcpd_C589348B-0863-5695-96A0-3DAE1B1C0B90.plist

MD5 ce4622851957f631ac1fbce6779fccf4
SHA1 f53432e6cc31d2961430eb2649d952cbcaa55724
SHA256 afff8608e87b2ae3d1ad40f38c2ef60ba458e9dbfd690603ac1aba224651ca12
SHA512 d3ca515bd64c0f664330d09433eefbf5ed7b82a5ead9722d14b8b1d0682e6d70587e7a4a52dce989d250043b79c9db104b27a7e312a9c91536a8a70de50428a5

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

MD5 fc20c5dfbd53b8b6fba9f0454d8e39fa
SHA1 9c1086e08bef226e5d98c6f70b9ee27c9f3de640
SHA256 00ec0bc9248056d1d14420b9b6e6044e4d30ace6f92ba3f771a2e3c2ee88cf76
SHA512 360ddc67b37d311a0f4575287cd0bc83ed9f5964f46f5dfe4785b11a3ad09f7608c5bc5233c9fa2d6a08f779eb025a496198e0f00bd04b947ee6dfd634ea1b45

/Library/Application Support/CrashReporter/com.apple.afsvcpd_C589348B-0863-5695-96A0-3DAE1B1C0B90.plist

MD5 013410892b3b92f7a8fb44aae3c3aa8e
SHA1 d4599604a5afbb3b5bbd3d906f8929f6a0379bcc
SHA256 5afa45e6cf404b13c5a5ba1abcbacf9b93997a83322c36c07dee70b7a4ef92f8
SHA512 2186eb312da29b0dbb8e19819af4c350dfede9ff88fb3475bdfd8b971d25b90b4bf386ebcedb809bf96ba23b32e883f4b02a99b46dc4680a844c7b3ba676d1c1

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

MD5 3ad2b5f9d301882305b6c651af1ba58f
SHA1 949889d7af911c683b78118e7a05c51a490df11e
SHA256 574ff7c9bca0eb65dfd011a774e3ed815497e58aed866bbf839d3fe3c31e50e0
SHA512 f680671362556bdbddb4d11fd6c64086e1d3fcd7ea16ba777a24d76bed368f0ab5fc7edbaa50e38f76ff11de51fc498e97ab3eb2c77056f75ea486a0b7deb9c7