Malware Analysis Report

2024-11-30 16:03

Sample ID 240307-z9lj2aec77
Target 2024-03-07_0dd62d34aad767765676aeaf0f74f050_adload_evilquest
SHA256 d9d5785355f327c58afb8992f0bcbeddbe84e3ca93b52025106a1d63e6ce27e5
Tags
evilquest backdoor execution persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d9d5785355f327c58afb8992f0bcbeddbe84e3ca93b52025106a1d63e6ce27e5

Threat Level: Known bad

The file 2024-03-07_0dd62d34aad767765676aeaf0f74f050_adload_evilquest was found to be: Known bad.

Malicious Activity Summary

evilquest backdoor execution persistence

EvilQuest payload

Evilquest family

EvilQuest

Launch Agent

Launch Daemon

AppleScript

Launchctl

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-07 21:25

Signatures

EvilQuest payload

Description Indicator Process Target
N/A N/A N/A N/A

Evilquest family

evilquest

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-07 21:25

Reported

2024-03-07 21:27

Platform

macos-20240214-en

Max time kernel

150s

Max time network

155s

Command Line

[xpcproxy com.apple.pluginkit.pkd]

Signatures

EvilQuest

backdoor evilquest

EvilQuest payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Launch Agent

persistence

Launch Daemon

persistence

AppleScript

execution
Description Indicator Process Target
N/A sh -c "osascript -e \"do shell script \\\"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\"" N/A N/A
N/A osascript -e "do shell script \"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges" N/A N/A
N/A sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\"" N/A N/A
N/A osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges" N/A N/A
N/A sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\"" N/A N/A
N/A osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges" N/A N/A

Launchctl

execution
Description Indicator Process Target
N/A sh -c "osascript -e \"do shell script \\\"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\"" N/A N/A
N/A /bin/sh -c "launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist" N/A N/A
N/A launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist N/A N/A
N/A sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\"" N/A N/A
N/A /bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist" N/A N/A
N/A sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\"" N/A N/A
N/A /bin/sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist" N/A N/A
N/A launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist N/A N/A
N/A osascript -e "do shell script \"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges" N/A N/A
N/A osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges" N/A N/A
N/A launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist N/A N/A
N/A osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges" N/A N/A

Processes

/usr/libexec/xpcproxy

[xpcproxy com.apple.pluginkit.pkd]

/usr/libexec/pkd

[/usr/libexec/pkd]

/bin/sh

[sh -c sudo /bin/zsh -c "/Users/run/2024-03-07_0dd62d34aad767765676aeaf0f74f050_adload_evilquest"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Users/run/2024-03-07_0dd62d34aad767765676aeaf0f74f050_adload_evilquest"]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/2024-03-07_0dd62d34aad767765676aeaf0f74f050_adload_evilquest]

/bin/zsh

[/bin/zsh -c /Users/run/2024-03-07_0dd62d34aad767765676aeaf0f74f050_adload_evilquest]

/Users/run/2024-03-07_0dd62d34aad767765676aeaf0f74f050_adload_evilquest

[/Users/run/2024-03-07_0dd62d34aad767765676aeaf0f74f050_adload_evilquest]

/bin/sh

[sh -c sysctl -n hw.ncpu]

/bin/bash

[sh -c sysctl -n hw.ncpu]

/usr/sbin/sysctl

[sysctl -n hw.ncpu]

/usr/libexec/xpcproxy

[xpcproxy com.apple.sysmond]

/usr/libexec/sysmond

[/usr/libexec/sysmond]

/bin/sh

[sh -c osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"]

/bin/bash

[sh -c osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"]

/usr/bin/osascript

[osascript -e do shell script "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist" with administrator privileges]

/usr/libexec/xpcproxy

[xpcproxy com.apple.security.authtrampoline]

/System/Library/Frameworks/Security.framework/authtrampoline

[/System/Library/Frameworks/Security.framework/authtrampoline]

/bin/sh

[/bin/sh -c launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist]

/bin/bash

[/bin/sh -c launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist]

/bin/launchctl

[launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist]

/usr/libexec/xpcproxy

[xpcproxy afsvcpd]

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

[/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent]

/bin/sh

[sh -c sysctl -n hw.ncpu]

/bin/bash

[sh -c sysctl -n hw.ncpu]

/usr/sbin/sysctl

[sysctl -n hw.ncpu]

/bin/sh

[sh -c osascript -e "do shell script \"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"]

/bin/bash

[sh -c osascript -e "do shell script \"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"]

/usr/bin/osascript

[osascript -e do shell script "launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist" with administrator privileges]

/bin/sh

[/bin/sh -c launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist]

/bin/bash

[/bin/sh -c launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist]

/bin/launchctl

[launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist]

/bin/sh

[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"]

/bin/bash

[sh -c osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"]

/usr/bin/osascript

[osascript -e do shell script "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist" with administrator privileges]

/bin/sh

[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist]

/bin/bash

[/bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist]

/bin/launchctl

[launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist]

/usr/libexec/xpcproxy

[xpcproxy com.apple.ReportCrash.Root]

/System/Library/CoreServices/ReportCrash

[/System/Library/CoreServices/ReportCrash daemon]

/usr/libexec/xpcproxy

[xpcproxy com.apple.audio.systemsoundserverd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.pbs]

/usr/sbin/systemsoundserverd

[/usr/sbin/systemsoundserverd]

/System/Library/CoreServices/pbs

[/System/Library/CoreServices/pbs]

/usr/libexec/xpcproxy

[xpcproxy com.apple.audio.AudioComponentRegistrar]

/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar

[/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar -daemon]

/usr/bin/pluginkit

[/usr/bin/pluginkit -e ignore -i com.microsoft.OneDrive.FinderSync]

/usr/sbin/spctl

[/usr/sbin/spctl --assess --type execute /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/OneDriveUpdater4B941C11/OneDrive.app]

/usr/libexec/xpcproxy

[xpcproxy afsvcpd]

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

[/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent]

/bin/sh

[sh -c sysctl -n hw.ncpu]

/bin/bash

[sh -c sysctl -n hw.ncpu]

/usr/sbin/sysctl

[sysctl -n hw.ncpu]

/usr/libexec/xpcproxy

[xpcproxy com.apple.nehelper]

/usr/libexec/nehelper

[/usr/libexec/nehelper]

/usr/libexec/xpcproxy

[xpcproxy afsvcpd]

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

[/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent]

/bin/sh

[sh -c sysctl -n hw.ncpu]

/bin/bash

[sh -c sysctl -n hw.ncpu]

/usr/sbin/sysctl

[sysctl -n hw.ncpu]

/usr/libexec/xpcproxy

[xpcproxy com.apple.geod]

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod

[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]

/usr/libexec/xpcproxy

[xpcproxy com.apple.geod]

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod

[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]

/usr/libexec/xpcproxy

[xpcproxy com.apple.secinitd]

/usr/libexec/secinitd

[/usr/libexec/secinitd]

/usr/libexec/xpcproxy

[xpcproxy afsvcpd]

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

[/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent]

/bin/sh

[sh -c sysctl -n hw.ncpu]

/bin/bash

[sh -c sysctl -n hw.ncpu]

/usr/sbin/sysctl

[sysctl -n hw.ncpu]

/usr/libexec/xpcproxy

[xpcproxy com.apple.cfprefsd.xpc.agent]

/usr/sbin/cfprefsd

[/usr/sbin/cfprefsd agent]

/usr/libexec/xpcproxy

[xpcproxy afsvcpd]

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

[/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent]

/bin/sh

[sh -c sysctl -n hw.ncpu]

/bin/bash

[sh -c sysctl -n hw.ncpu]

/usr/sbin/sysctl

[sysctl -n hw.ncpu]

/usr/libexec/xpcproxy

[xpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A]

/usr/libexec/neagent

[/usr/libexec/neagent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.AddressBook.ContactsAccountsService]

/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService

[/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService]

/usr/libexec/xpcproxy

[xpcproxy afsvcpd]

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

[/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent]

/bin/sh

[sh -c sysctl -n hw.ncpu]

/bin/bash

[sh -c sysctl -n hw.ncpu]

/usr/sbin/sysctl

[sysctl -n hw.ncpu]

/usr/libexec/xpcproxy

[xpcproxy com.apple.routined]

/usr/libexec/routined

[/usr/libexec/routined LAUNCHED_BY_LAUNCHD]

/usr/libexec/xpcproxy

[xpcproxy afsvcpd]

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

[/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent]

/bin/sh

[sh -c sysctl -n hw.ncpu]

/bin/bash

[sh -c sysctl -n hw.ncpu]

/usr/sbin/sysctl

[sysctl -n hw.ncpu]

/usr/libexec/xpcproxy

[xpcproxy com.apple.tailspind]

/usr/libexec/tailspind

[/usr/libexec/tailspind]

/usr/libexec/xpcproxy

[xpcproxy com.apple.Maps.mapspushd]

/System/Library/CoreServices/mapspushd

[/System/Library/CoreServices/mapspushd]

/usr/libexec/xpcproxy

[xpcproxy afsvcpd]

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

[/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent]

/bin/sh

[sh -c sysctl -n hw.ncpu]

/bin/bash

[sh -c sysctl -n hw.ncpu]

/usr/sbin/sysctl

[sysctl -n hw.ncpu]

/usr/libexec/xpcproxy

[xpcproxy afsvcpd]

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

[/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent]

/bin/sh

[sh -c sysctl -n hw.ncpu]

/bin/bash

[sh -c sysctl -n hw.ncpu]

/usr/sbin/sysctl

[sysctl -n hw.ncpu]

/usr/libexec/xpcproxy

[xpcproxy afsvcpd]

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

[/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent]

/bin/sh

[sh -c sysctl -n hw.ncpu]

/bin/bash

[sh -c sysctl -n hw.ncpu]

/usr/sbin/sysctl

[sysctl -n hw.ncpu]

/usr/libexec/xpcproxy

[xpcproxy afsvcpd]

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

[/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent]

/bin/sh

[sh -c sysctl -n hw.ncpu]

/bin/bash

[sh -c sysctl -n hw.ncpu]

/usr/sbin/sysctl

[sysctl -n hw.ncpu]

/usr/sbin/spctl

[/usr/sbin/spctl --assess --type execute /Applications/OneDrive.app]

/usr/libexec/xpcproxy

[xpcproxy com.apple.assistantd]

/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd

[/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd]

/usr/libexec/xpcproxy

[xpcproxy afsvcpd]

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

[/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent]

/bin/sh

[sh -c sysctl -n hw.ncpu]

/bin/bash

[sh -c sysctl -n hw.ncpu]

/usr/sbin/sysctl

[sysctl -n hw.ncpu]

/usr/libexec/xpcproxy

[xpcproxy afsvcpd]

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

[/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent]

/bin/sh

[sh -c sysctl -n hw.ncpu]

/bin/bash

[sh -c sysctl -n hw.ncpu]

/usr/sbin/sysctl

[sysctl -n hw.ncpu]

/usr/libexec/xpcproxy

[xpcproxy afsvcpd]

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

[/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent]

/bin/sh

[sh -c sysctl -n hw.ncpu]

/bin/bash

[sh -c sysctl -n hw.ncpu]

/usr/sbin/sysctl

[sysctl -n hw.ncpu]

/usr/libexec/xpcproxy

[xpcproxy afsvcpd]

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

[/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent]

/bin/sh

[sh -c sysctl -n hw.ncpu]

/bin/bash

[sh -c sysctl -n hw.ncpu]

/usr/sbin/sysctl

[sysctl -n hw.ncpu]

Network

Country Destination Domain Proto
US 8.8.8.8:53 39.courier-push-apple.com.akadns.net udp
US 8.8.8.8:53 15.courier-push-apple.com.akadns.net udp
US 8.8.8.8:53 mobile.events.data.trafficmanager.net udp
US 20.42.72.131:443 tcp
US 8.8.8.8:53 apis.apple.map.fastly.net udp
US 8.8.8.8:53 23-courier.push.apple.com udp
US 8.8.8.8:53 14-courier.push.apple.com udp
US 8.8.8.8:53 a1366.dscapi6.akamai.net udp
GB 23.200.147.24:443 tcp
US 8.8.8.8:53 49.courier-push-apple.com.akadns.net udp
US 8.8.8.8:53 e4686.dsce9.akamaiedge.net udp
GB 104.91.71.86:443 a1366.dscapi6.akamai.net tcp
US 8.8.8.8:53 gsp64-ssl.ls-apple.com.akadns.net udp
US 8.8.8.8:53 36.courier-push-apple.com.akadns.net udp
US 8.8.8.8:53 e4686.dsce9.akamaiedge.net udp
US 8.8.8.8:53 13-courier.push.apple.com udp
US 8.8.8.8:53 e4686.dsce9.akamaiedge.net udp
US 8.8.8.8:53 e10499.dsce9.akamaiedge.net udp
US 8.8.8.8:53 10-courier.push.apple.com udp
US 8.8.8.8:53 24.courier-push-apple.com.akadns.net udp
US 8.8.8.8:53 27.courier-push-apple.com.akadns.net udp
US 8.8.8.8:53 50-courier.push.apple.com udp
US 8.8.8.8:53 api.apple-cloudkit.fe2.apple-dns.net udp
N/A 224.0.0.251:5353 udp

Files

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

MD5 62c6e875740e2d37f75a146a2d08db80
SHA1 ebb106b8e7c6a0684fe9e9cc86589090fe835214
SHA256 f4a9861521e31b9e36d73788e2be01cdcaf62879279bcb9dcc064671f857414b
SHA512 280d944af74cebc9c5924af86359cf355cb7abd18beeefe24adcd7566c258d3e5238209ec03a55d5c0e07a232312d70bf0509313ffbc35c11d48dc23604efcf1

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

MD5 cdafcc894a0d1115ac8cd85502a31f44
SHA1 6e8bc9c45ae8932595940c604c5775ba0504c4a9
SHA256 52ac0f49ddc5c2569ec561d30b59c1ec48ddbf766d6326db868b0c72442b35f4
SHA512 f5de5a31e4f17be276e63ba91b36c131c3c587c0ff4eb54ece2515cebf4ef21b959fdff7179099b663c80ad334e5193c0c9486ae0b321f5447982a381c917033

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

MD5 89c3569ac635f77094bab2a0ba015c1f
SHA1 430acf6bc17a1628e42238ca250541967d2d0991
SHA256 71c51fb440cced3052c8b513da2858cfc09e4972ca19ac657d416f4287a2f73e
SHA512 e3a8a5ad83975e4492ea90a74b4230ecf15c865bfa191a28ee9f7180210cf193952a1fbc4ae8295961210dd20ba37f7df4b25f139bf16ccc2d8780be7a173712

/Library/Logs/DiagnosticReports/com.apple.afsvcpd_2024-03-07-212536_tests-iMac.crash

MD5 83f49d1f46147595d23a9774f7ebd464
SHA1 962ca65f9c84fe8a8fcb00203bab6459e975de80
SHA256 9b52f74f4dc58a2efcf81dd2b2f89cbf1a09acc025f0a6209976bdb2ed3a69f4
SHA512 c2310b9a1d1a7d46cb827c94fa7bf8fcc40057e6f9c80a3340ad19b40cc1364573e5d0d4acb9a293a2a0398ccc117da94c9b22ca35d2e34035a590567d9ea434

/Library/Application Support/CrashReporter/com.apple.afsvcpd_C589348B-0863-5695-96A0-3DAE1B1C0B90.plist

MD5 844ba63777da19905ff009e65e449a33
SHA1 a28fbabb8bdb92753e31204aae4a5ff225d4186b
SHA256 cf2c4db0cec1c9aaa21aac1fed38a095a4a781db1ffd59e1d47690ef133ddf82
SHA512 f1025fc88b1d68061b401de1503dd7cac0c38b6eea9c9025da6f204a2afff4b9bdc0ed9197de937374dcbcc264b3956cfd49404d41cf098988ebc295b65f76e9

/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsObject.db

MD5 d3a1859e6ec593505cc882e6def48fc8
SHA1 f8e6728e3e9de477a75706faa95cead9ce13cb32
SHA256 3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c
SHA512 ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsDirectory.db

MD5 0e4a0d1ceb2af6f0f8d0167ce77be2d3
SHA1 414ba4c1dc5fc8bf53d550e296fd6f5ad669918c
SHA256 cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030
SHA512 1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

/Library/Preferences/com.apple.networkextension.uuidcache.plist

MD5 a6ef4856e99c9d8e1d9bb762c5a8503a
SHA1 25d5405ad91791b716ae5a56b37aa2b393854967
SHA256 232441aa129d4f21999860b8bf31db4b8617df9f7d32ef5f25a383edff82d9fa
SHA512 582fa1ea60766a5a4e99b295a8ed98c94f6bab45e42b7e8db61e9ad645f531891082cd457bfd11d660195af86f02c4ed93589e6e6daded683cff2d8319bbc489

/var/db/locationd/Library/Caches/GeoServices/Resources/altitude-1202.xml

MD5 f627cf4820da06be8e6ff3fdec6ebfee
SHA1 993d8ec88721b9e76c3fe1f5987338a61b452bf8
SHA256 f1d2905b871b9b80172b7c9dc298c1a3dd355e6ae633f77562f4e06ed52a54e7
SHA512 bf698aa0eee296df872b91432670af719bda88be3b6d210a567b500da1cedc0e07055a805c2331ccacea0a8a17396e2e37b4bf70894b9052723049c96083001f

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

MD5 f4432f1274f401aa27efe89b5f8eed74
SHA1 0ba270861af3a066e44c6224a5229904781004e5
SHA256 26941840d8e96012140b6455323727f24a883aca5b17746d84991fca7c679b91
SHA512 be5e572d1e6fc3fd4f4dddbfffce86994cbf6f722770e9c3eac9d355976525fc817bf3c9473ed563e182c53b2ffde3382ba73911da97fd7780f6e99a08d41566

/Library/Application Support/CrashReporter/com.apple.afsvcpd_C589348B-0863-5695-96A0-3DAE1B1C0B90.plist

MD5 3dea696f980a2db7c197bb61fa5a9adc
SHA1 d07e0fff19ac35bcbd83803c4e16c3093ed8bb96
SHA256 18851494dcf0dc040b9be44b13188f845439c6d5caa76fd5cba7ccde174c29b4
SHA512 14170714575414e34ee1c1bd8d3d7a97620a7452af8771557396647593581cc713cda177cd6ae5e7209e32e9c19c466673e11b42dfd282f56e60f3e603d8fdd5

/Library/Application Support/CrashReporter/com.apple.afsvcpd_C589348B-0863-5695-96A0-3DAE1B1C0B90.plist

MD5 6169f58093b1bb33c396258b944458b8
SHA1 3b323a6b1b370e963e751a2b5f3eeb7e33bd0a1c
SHA256 4eb0bda612da37d9cde1b74ec6a6f0c1cf17e52e7ffa7bfdab3b537e6097c472
SHA512 a76aff19f0ff039c30a39415e4b161d23acca9db36a05415d3c6c3f80b079480023b59919afea6c51628a2fcc58f8bd9255d302a338a619bf593f35e55730af3

/Library/Preferences/com.apple.networkextension.uuidcache.plist

MD5 2f01f7a00c85e424f82b00b2bf794a7c
SHA1 c75cb52aa31012888dd7c65373d5faba6048c425
SHA256 23d6746cb1c1906c9cfb5c69f7377f7cb68965ac0708ed1d600bfd3d3c34ce32
SHA512 75131e0145182653cef2edbb968853c9cb3c26c37c5821f3cd69c3ecdde7979ae37e74ecea8ad333090a473177c6dad43bc34f94a8fd104cd4c9b16c8f7b54f8

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

MD5 82e9ad1f21d8fceec8588ba7e3423136
SHA1 9d30c067f9e2e0212e042bc3869596442cdbf215
SHA256 50111924644068cf73daab27ed93634d2a8ddd7042d6992df591bea90cec6955
SHA512 8141ea3f355f3961f6f941054056431cf773bde9ae9aa07ec4efcfde040ce0f494c191b7fa9fb63e5f51ac0b651e6f558b3f8e1fa693f8e808fdc3ac626c4ca9

/Library/Application Support/CrashReporter/com.apple.afsvcpd_C589348B-0863-5695-96A0-3DAE1B1C0B90.plist

MD5 d5dd128feef99c01a29725df9b7de41a
SHA1 9342b29df0404f49ed6d3502bf1b2d58a29b93c0
SHA256 2a854815bd63bbf0d4e2789342f5b24dde4daf5b49b1f55525d0fe04d52e1bea
SHA512 1c4930a796aa6d964f1b3237592b45c9f4a1c730ee9310b613f07e65e6d9d715f7151d7970f411831e0df543445f81a459151f0139862e19c6828e265d405700

/Library/Logs/DiagnosticReports/com.apple.afsvcpd_2024-03-07-212625_tests-iMac.crash

MD5 7fb910f034892b16826ef300507a4b64
SHA1 28a8e459bb3e3eb167cf859a8c064458d0deb4d8
SHA256 fb46ea3d9c1e18eba06b9879ef1bb287aedf3a077e9fcd0c112f43201c1b2108
SHA512 699feb97bc2a8d1ee39475cbbb5022696c1d746071276587cce741340dd0f138b0fef06e0c76c2ba90acca9b57b036189328c3140a18e7d21082694ef2de14b7

/Library/Application Support/CrashReporter/com.apple.afsvcpd_C589348B-0863-5695-96A0-3DAE1B1C0B90.plist

MD5 9b4dcc50329616e1872eab6158730b51
SHA1 d74bc1ba263a0e8394972731ebb721cdfeb0da37
SHA256 ea722a2d1a99cf032282257b1aee419e421894940bd0664e759c69471ea383fc
SHA512 2173ad43af9fa3e2130afd628e4d21b96405f2f05feab18284d4db8197b095b8673427873f5d860ee3c2796459f97922cf2fb63a402a97b2b7d68b937ccff9b0

/Users/run/Library/Caches/GeoServices/ActiveTileGroup.pbd

MD5 94bac9739da2a5bcc722c2eb3cb6e7d5
SHA1 c8966006ce371636b800683d2c97ecb0541216fd
SHA256 c124f48818e4646c6501bbe6b7b37c0d6ab84a49f6f00a6bb518b1ebea761741
SHA512 787b419892207d2d5db349479fb6ec31695a9fea7b3cb0cbc34f407c41ff7125c0c1a8ee58b2ca51bf70cea5d155060db78d884598f15fd0bf81c4f68014dacc

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

MD5 d428b07ee5faa02e5d2a5b2a44e5dbe9
SHA1 5f0dc0f4ba21cd07bd7a9c988f5e4fc9e8a7e230
SHA256 040e081098194ddeb84ef10113ecfcc54f4ef1d3cd47389bbee9f87d5ff69a99
SHA512 ba0c0822a402f116efb57a9a9a7e1e7d8b978553f36ef813133364e706cd236cac8960424c7e5485e46445f3e913416fd60efa6ccb971e40bf60d1559887a33d

/Library/Logs/DiagnosticReports/com.apple.afsvcpd_2024-03-07-212638_tests-iMac.crash

MD5 beec08a4a6d0b419c00a05cafda8dc61
SHA1 7f0f5a25c4f95bea52878f52a916cd864e2b06c1
SHA256 b8a5f955dde9752ab9f71852b04e0ed9d32df0b44317ccf8c61dcb517a1550b5
SHA512 1a6362058abb87b3098f2d54f64b806a5429b71468a8806992442b1a0d7fc264af75a00924e2c36a2f71801b76033cf69c8f165086831446e739f86cc938306e

/Library/Application Support/CrashReporter/com.apple.afsvcpd_C589348B-0863-5695-96A0-3DAE1B1C0B90.plist

MD5 970cefeab9cb01423a193bd771428c30
SHA1 7d55787cca28b21198969b693dc9c7ed7506549e
SHA256 60faef608beda0278b2254e3a5be951c30d9f76e2e58983997aff4822a563ddd
SHA512 91e1a50e1a39a6ba3fce8143df63c0bb88b9c71c56b9b016e427cad1bd6ed689fb9388aeed2f8717797434079f47e780ef1a228596669be19085fb3f5029fc7e

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

MD5 fde35e6f1a230bf898d558add7ba9171
SHA1 2019f8050184741f87f2658857924192bf207c2a
SHA256 19884cf4db162fe91676eba620c9790a4a5b7efca83afec63bb2884cd1349b75
SHA512 d217c4b0079cc6a7472dd4aed7cfbd7eb6667c47ec0218c2cc30976e77bd8787b93e06f8d8291f2717421e912f0850108541cc2ca0c2320a51c35405573a7c44

/Library/Application Support/CrashReporter/com.apple.afsvcpd_C589348B-0863-5695-96A0-3DAE1B1C0B90.plist

MD5 067c4b40a7c6fc10f0750cf11f51cc75
SHA1 325989c6f02dac9c4416bc33c3e21ee38876f19d
SHA256 27994b2a268333dff05e76ae8e692c05c1d59149518f0f412a50b44f84147de2
SHA512 66e1ca391fdcbcae215d25745aa0543621e1bbce5deb6b8d2213ed7c5c3a8be9df141aed4b19e05cb3865a170523834a2188953eff419d9848cf457e58417d3f

/Library/Application Support/CrashReporter/com.apple.afsvcpd_C589348B-0863-5695-96A0-3DAE1B1C0B90.plist

MD5 8d044669932f736dad7eea668cbd6c2b
SHA1 28f9845be905d3b5b8b935e48c2c408fcef91109
SHA256 a77159b732e0dae61fb0481f08f0cf7636a1c50d1a29956444be0a4a13a48ebf
SHA512 d207d95019d1a7387e2a91eb1f3c5f6e52cacf5147d24f48a3981708347936c454bfad6b006ca444dc6b1336f9423b27ecf818ecb19262b58fd3dbd00254b234

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

MD5 7e6ce92f1ed609b78d5dcf3bedb48526
SHA1 681ccd647ea94e6fd339ed2b3f15a7c5858a24c3
SHA256 6bac328dfb5dbf4f6805348b5e315b580f2e8150a66418695258ccd272c7e3c0
SHA512 d6b3d0bf745f0169fad6dd66b34d8207e70b0130bc27a5ef9c80f6f6fe7277336ad62f0e58624f8b6c8b10e1c913fd828f114f7d7b2da17ed2dbac6631432201

/Library/Preferences/com.apple.networkextension.uuidcache.plist

MD5 ce7f5b3d4bfc7b4b0da6a06dccc515f2
SHA1 ce657a52a052a3aaf534ecfbf7cbdde4ee334c10
SHA256 9261ecceda608ef174256e5fdc774c1e6e3dcf533409c1bc393d490d01c713f1
SHA512 db9de6afa0e14c347aa0988a985b8a453ef133a2413c03bae0fab48bda34d4f9a488db104837a386bb65c393e8f11b1ed4856b211c1c186423649c147d6aabfb

/Library/Application Support/CrashReporter/com.apple.afsvcpd_C589348B-0863-5695-96A0-3DAE1B1C0B90.plist

MD5 b88db2be2beb763cbccc1106c09a3bee
SHA1 7512f947b3dc01a6f1a46c6230fddc17b6f4a35e
SHA256 91f9d4f4e7a995c257f42aaf013bd7d0ad0f613b3937ee3e2c0f441ba68e7183
SHA512 b23b083dbcaeb9aad623204cbbcb1e0766fbc8401a233c144564969a11c6fee64c79598f21978f32c15035965345bad930d774c0db835e1441e5f69c25288a74

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

MD5 af5a441c632640498d428a03a71ac0aa
SHA1 1f2ef38cb3a292663cf2da130027d5fe71af9f12
SHA256 b7e392eeea96e2c10ed2fa19c21da14698a8c515fb0fb8d5ea94bb9f61bcbf5b
SHA512 fe6e59986cce1c4865735ba5269c7bda1f370d91177fe3c0c5d9e5d77fb97ce04da867d6bfc945b7ede0e80b33fcb69d443ab7d98623be853e1fcb591f61d1a4

/Library/Application Support/CrashReporter/com.apple.afsvcpd_C589348B-0863-5695-96A0-3DAE1B1C0B90.plist

MD5 6d3d082ecafadafc60c7af11b97354a2
SHA1 cc2e9001c94edd5ee938cb332a60d90f4992b880
SHA256 e1afa0b797d1136c8bd00588da9a94bdda30ff14bc18b26002d4dd5c577431ac
SHA512 8ae133258a72cfbda4ecf43ffe801f4e39afaa3b8c5028fe23039366cddb96541302b7ffab68809ddbfc14faf68dc112be5c70f2b1c5f1ee839affdfb93a8a8a

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

MD5 54836856ff3b597d0a6ff73f50320e60
SHA1 b25dbeb256f45fb38f8d227b29fe9759bbcd140e
SHA256 68f2b63536f8c4f1e1cc1612a702bffc2ecbf87e1a60ba4583d016445179b1c5
SHA512 8a2525cc3b1072b9c28281f13f3348cbad39a6bfeff9d942c7df9da6da68d9b300c5099a1932d82558da11f4f109ecfbbe1bd2f55d6fa68f6874a1f30e12bbff

/Library/Application Support/CrashReporter/com.apple.afsvcpd_C589348B-0863-5695-96A0-3DAE1B1C0B90.plist

MD5 0738b0e69c308165dc71fbff4c4b285f
SHA1 e201383e120f74edb402c9ff9f9785e6a4786dde
SHA256 404fdafedf0c6121e9b3c7778df161b2ddc87f6398d3736448254d394c603e36
SHA512 b750abeda42a8beeecba46481ecd6e0654b9c5024d2d27d64826d56cd32d036ae2121982a16885214caf2174a8e7a0e34e7aeb5fd9c4f46c6f5ea45c8e81dad7

/Users/run/Library/osxmobiledata/com.apple.afsvcpd

MD5 a1a379861ac753657f52336098b5fcbf
SHA1 c987e21a0566a34ac3e885c41ff9e1ce80e4e844
SHA256 bf22bbd1353cf55a0ef39f91cb97452cffa375ce9ba028e477116a3afc5daded
SHA512 829cf7784d087d53554216a4e749c052bfe5ab1af540cb90b16c1562bd1d5ca2e4ebbc8d2cd7536e41bb4c3e913c4455d81af99ad9ecc4f53a99a29f9abd3deb

/Library/Application Support/CrashReporter/com.apple.afsvcpd_C589348B-0863-5695-96A0-3DAE1B1C0B90.plist

MD5 1ef625ccc046d6658c2c3554e8435269
SHA1 b0268253a2e5352ba11e73c12844d3bbb036eb60
SHA256 60a82a9eb80f8635ddf7dc3c342a243b9f171b07952232ce0067670ae8f41e09
SHA512 9512fbd604867cb6ea1ac6273f0b75d7f08a8a032c060f8bb7041a21828f7d8998e89a0dfd2efc2405842a13bcb6e9f8d2fe81533dae120053dd6b1d2aafbb0e