evilquest | d46d34d2be0b787fe9fdf62f743c891f065a7f83b67b9d6bd6eb6e54da90e98a

Analysis

max time kernel
151s
max time network
155s
platform
macos-10.15_amd64
resource
macos-20240214-en
resource tags

arch:amd64arch:i386image:macos-20240214-enkernel:19b77alocale:en-usos:macos-10.15-amd64system
submitted
29-03-2024 21:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-29_b18f770f812d531be2b6f9e8bb0e618c_adload_evilquest
Size

168KB
MD5

b18f770f812d531be2b6f9e8bb0e618c
SHA1

9f9283f9af34e7823a2a705200a399a1e7c2067b
SHA256

d46d34d2be0b787fe9fdf62f743c891f065a7f83b67b9d6bd6eb6e54da90e98a
SHA512

c4b4c3b217193fdd87998e74413c412d009be4e4415ee99749a7a52133bc94fee39f5163228abe6fffee1835f55fe36f32d70d4bca86c35f950a421911bed730
SSDEEP

3072:cx6SZwEgOQtbap1jZNFnYo6w68cqhS2iJvHLzxq9Zd20:5SeOQdaZNxtk8cqhSxvHY9

Score

10^/10

evilquest backdoor execution persistence

Malware Config

Signatures

EvilQuest
EvilQuest family.
backdoor evilquest

EvilQuest payload 16 IoCs

Processes:

resource	yara_rule
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest

Launch Agent 1 TTPs
Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence.
persistence

Launch Agent
T1543.001
Launch Daemon 1 TTPs
Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS.
persistence

Launch Daemon
T1543.004

AppleScript 1 TTPs 10 IoCs

AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.

execution

AppleScript

T1059.002

Processes:

ioc	process
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
osascript -e "do shell script \"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"

Launchctl 1 TTPs 20 IoCs

Adversaries may abuse launchctl to execute commands or programs. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.

execution

Launchctl

T1569.001

Processes:

ioc	process
sh -c "osascript -e \"do shell script \\\"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist
launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist
launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
/bin/sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
/bin/sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
/bin/sh -c "launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/2024-03-29_b18f770f812d531be2b6f9e8bb0e618c_adload_evilquest\""
1⤵
PID:532

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/2024-03-29_b18f770f812d531be2b6f9e8bb0e618c_adload_evilquest\""
1⤵
PID:532

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/2024-03-29_b18f770f812d531be2b6f9e8bb0e618c_adload_evilquest
1⤵
PID:532

/bin/zsh
/bin/zsh -c /Users/run/2024-03-29_b18f770f812d531be2b6f9e8bb0e618c_adload_evilquest
2⤵
PID:533

/Users/run/2024-03-29_b18f770f812d531be2b6f9e8bb0e618c_adload_evilquest
/Users/run/2024-03-29_b18f770f812d531be2b6f9e8bb0e618c_adload_evilquest
2⤵
PID:533

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:534

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:534

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:534

/usr/libexec/xpcproxy
xpcproxy com.apple.secd
1⤵
PID:541

/usr/libexec/secd
/usr/libexec/secd
1⤵
PID:541

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:542

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:542

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:542

/usr/libexec/xpcproxy
xpcproxy com.apple.nehelper
1⤵
PID:543

/usr/libexec/xpcproxy
xpcproxy com.apple.security.authtrampoline
1⤵
PID:544

/System/Library/Frameworks/Security.framework/authtrampoline
/System/Library/Frameworks/Security.framework/authtrampoline
1⤵
PID:544

/bin/sh
/bin/sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:545

/bin/bash
/bin/sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:545

/bin/launchctl
launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:545

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:546

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:546

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:547

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:547

/usr/bin/osascript
osascript -e "do shell script \"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:547

/bin/sh
/bin/sh -c "launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:548

/bin/bash
/bin/sh -c "launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:548

/bin/launchctl
launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:548

/usr/libexec/nehelper
/usr/libexec/nehelper
1⤵
PID:543

/usr/libexec/xpcproxy
xpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A
1⤵
PID:549

/usr/libexec/neagent
/usr/libexec/neagent
1⤵
PID:549

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:550

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:550

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:550

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:551

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:551

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:551

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:552

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:552

/bin/launchctl
launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist
1⤵
PID:552

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:553

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:553

/usr/bin/osascript
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:553

/bin/sh
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:554

/bin/bash
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:554

/bin/launchctl
launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist
1⤵
PID:554

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:555

/usr/libexec/xpcproxy
xpcproxy com.apple.ReportCrash
1⤵
PID:556

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:555

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:555

/bin/sh
/bin/sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:557

/bin/bash
/bin/sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:557

/bin/launchctl
launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:557

/System/Library/CoreServices/ReportCrash
/System/Library/CoreServices/ReportCrash agent
1⤵
PID:556

/usr/libexec/xpcproxy
xpcproxy com.apple.sysmond
1⤵
PID:558

/usr/libexec/sysmond
/usr/libexec/sysmond
1⤵
PID:558

/usr/libexec/xpcproxy
xpcproxy com.apple.ReportCrash.Root
1⤵
PID:559

/System/Library/CoreServices/ReportCrash
/System/Library/CoreServices/ReportCrash daemon
1⤵
PID:559

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:584

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:584

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:585

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:585

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:585

/usr/libexec/xpcproxy
xpcproxy com.apple.geod
1⤵
PID:589

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
1⤵
PID:589

/usr/libexec/xpcproxy
xpcproxy com.apple.geod
1⤵
PID:590

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
1⤵
PID:590

/usr/libexec/xpcproxy
xpcproxy com.apple.secinitd
1⤵
PID:591

/usr/libexec/secinitd
/usr/libexec/secinitd
1⤵
PID:591

/usr/libexec/xpcproxy
xpcproxy com.apple.cfprefsd.xpc.agent
1⤵
PID:592

/usr/sbin/cfprefsd
/usr/sbin/cfprefsd agent
1⤵
PID:592

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:594

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:594

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:595

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:595

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:595

/usr/libexec/xpcproxy
xpcproxy com.apple.AddressBook.ContactsAccountsService
1⤵
PID:596

/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService
/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService
1⤵
PID:596

/usr/libexec/xpcproxy
xpcproxy com.apple.routined
1⤵
PID:597

/usr/libexec/routined
/usr/libexec/routined LAUNCHED_BY_LAUNCHD
1⤵
PID:597

/usr/libexec/xpcproxy
xpcproxy com.apple.Maps.mapspushd
1⤵
PID:601

/System/Library/CoreServices/mapspushd
/System/Library/CoreServices/mapspushd
1⤵
PID:601

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:603

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:603

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:604

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:604

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:604

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:605

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:605

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:606

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:606

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:606

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:608

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:608

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:609

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:609

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:609

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:610

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:610

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:611

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:611

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:611

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:614

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:614

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:615

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:615

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:615

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:616

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:616

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:617

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:617

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:617

/usr/libexec/xpcproxy
xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E
1⤵
PID:618

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
1⤵
PID:618

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:619

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:619

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:620

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:620

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:620

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:628

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:628

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:629

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:629

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:629

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:630

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:630

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:631

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:631

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:631

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:632

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:632

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:633

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:633

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:633

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:634

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:634

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:635

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:635

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:635

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:636

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:636

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:637

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:637

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:637

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

/Library/Application Support/CrashReporter/com.apple.afsvcpd_C589348B-0863-5695-96A0-3DAE1B1C0B90.plist
Filesize
156B

MD5
482012c6c029eb8bb5c78777d7241a76

SHA1
9a72a7f315f6b64075408ce76c06567f5259092e

SHA256
6d1c96555cf9d7f2da66d294060d5e0cb51aa18057a5f16ca431454a3efc64bb

SHA512
e34bc8ae7d999b01ff40b18176a7e612e4090da36ca695dd1ef91214ce34dd047b65f671f704cd58c609b45e2022b8866ca48a56802cf7db14ca4e6b9aa9d2aa

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_C589348B-0863-5695-96A0-3DAE1B1C0B90.plist
Filesize
156B

MD5
73971d7eb72eeb777b9ffb020c94f5db

SHA1
b24ad65682baa8237f040be54cbc1e0610ae859e

SHA256
cb0874df5e7a5b5489bd56bbe9044799b3a57aaa11f9500a9985b8cb1a70857e

SHA512
229d60bbd35efcd9755cfe44b5c6ffcd232664ff0609d17eb97f24a822c44f00739eeda0cfa5cae46437f044ed9d3d3e08428d1819c2de1ddb5d0ececa923225

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_C589348B-0863-5695-96A0-3DAE1B1C0B90.plist
Filesize
156B

MD5
4cd13683d77e6afbd4413622dc2562ea

SHA1
650bdd657453bb1f8949a93e583a9079559842ce

SHA256
fcb1f62881e080c67924c10fcbf21dacbe66ea179c2162540f11ab2ec5f176fe

SHA512
00efe9843f504ca5af9df02fb3a3164012239c13a6772484d4d584fa0adbe5eda0e6ffae244d39da6be668b0a2c0a6db52eee85a13675b84a6b468f1a2c60911

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_C589348B-0863-5695-96A0-3DAE1B1C0B90.plist
Filesize
156B

MD5
79d6a296a4005aca810918a826f45e0d

SHA1
43dad0131069fc6c378699db92b406070cddd7e0

SHA256
7eea036776a06324e2dd79846991ffc38b786f063b9deb1983e5f63c2db9ed55

SHA512
8ed2a33c037d06238c98dcd2a941fcbd2a813e8ce88cba875242d0bf4f53449ad5c10472fb199832ec5db659a3b50b818a6947bc1e4fab22f103769a173e91d2

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_C589348B-0863-5695-96A0-3DAE1B1C0B90.plist
Filesize
156B

MD5
1e0acbe6d21832e5a641d4d9f85120bd

SHA1
e876516490a7d017f84f7fcba4bf5b344785c4b6

SHA256
e3c4cad3cda1e9cadcc96a2c467d2e658323c9c6e416714b7c8255a0695d9835

SHA512
d5afa86506b1b101ee9fa5977df2af8296fddd9f637912506319f92bbdb8fa002a4d5db8d42024f620212ed7c819381a08f6d4d948d62a2a9e794d6b76af45eb

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_C589348B-0863-5695-96A0-3DAE1B1C0B90.plist
Filesize
156B

MD5
81522124198599e9be6396e2e09642dc

SHA1
2c8627bc5078ee687f6a46d75fd7b3ad948bcf14

SHA256
e81c21b5a1afb136e8654ae511a98285a2cdc142d0ff25fa70bf4e27adc4ef7c

SHA512
012bea9529389cc8ad538a1c560b0c7ce7d11cb6509632c0e488999cc7c3377b203674f4be06df4ef6a90d316f0e7326d8f3d7a666959217a19e10591ed78815

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_C589348B-0863-5695-96A0-3DAE1B1C0B90.plist
Filesize
156B

MD5
497d8214ddc7c3ed32e21001c1e3c792

SHA1
6b12401a548b81937848a2902323dcf5f66925d0

SHA256
89a0d001ce984bb24eb21bef623184e4aae9437d9e5fdf3af34a8807c4296276

SHA512
a006edd77fef55b54c109b734d122ba97eddedf08d90a3c0316d13f8eff9586f24694558b3157c24529ba247d17395dbf35adf6c3d0ef866bdbd948b93cae8e7

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_C589348B-0863-5695-96A0-3DAE1B1C0B90.plist
Filesize
156B

MD5
82095897f10db14634cb3107e2ef0c87

SHA1
0f12a725d3bb233622d37c8bcfd9b16e6437a4a1

SHA256
df1c3a04cfcec3559ea2235895dab4db2b772a6d00b20ab97c9a9aaccf1220f3

SHA512
d0b44591562d11bd1d2c699d31175c1efa7d66e51d2a0d4ae35829e321ccd1bd362493bd5b748bea1f6f924170b8579d6e478f0e422089c28d4abbb5f608b727

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_C589348B-0863-5695-96A0-3DAE1B1C0B90.plist
Filesize
156B

MD5
c941cbcd62dec36061291f197e825848

SHA1
df579c8fbd91d2d918a98600d9e04ce6a0b1cfe5

SHA256
ab9ce10b197f03c6f22a09769414c06218e25c9131dd7c63fe7d12944e5d95c9

SHA512
277fe168bf8f396b677d2272197cc975a9fbc6d907dac2762ab44bd9500ddaf9faf2b8f1797660984e116f46609da57705ef4ed5671a3065289d072a187e8818

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_C589348B-0863-5695-96A0-3DAE1B1C0B90.plist
Filesize
156B

MD5
5299eeeaa4444f5b8086c344299e7ee2

SHA1
9e24bd6734fd8ee478693bab595830f31fd70c93

SHA256
6bcbb51f8aa933a8b3d04e9633a3a9f2940f3884ed353fd914b91797f7ba7d66

SHA512
c773c6736b03c912c3f844dcdca6aff76bb184d4d51e8a27717dad2f329cab4c3f27ff9bb7b8aeac916c61660e1cb9483b3c65741af7636244edfe9ac7f5611c

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_C589348B-0863-5695-96A0-3DAE1B1C0B90.plist
Filesize
156B

MD5
bfb99392bab1761dce434c7ec1894a25

SHA1
c775400b79dc3e96f7fa1ba70b4eb607159e2486

SHA256
75ed895f116ee4826938ae3485177141f07292ebd571cbeea8b7e9d5303a8dbc

SHA512
0289391d2993548525a14c57c789b4843d065f1f6a310d747055ea8dccb8c081719a0335d8ce890227641a9f4b4be6a320f6253a6794c112979e64dd28237bc5

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_C589348B-0863-5695-96A0-3DAE1B1C0B90.plist
Filesize
156B

MD5
2e6ce065ceb5af083f6461c2b783837c

SHA1
3716231436f4a825629e675c11f4987d862cc06a

SHA256
0c72781b4f52582a1c9d6b778b9a0e4a852bc26ebac9f98770961cffe1ae330d

SHA512
bf041ceb3c8d3a631452b3960bece45dcab7b481d95a513e5aa4f32b2954800fc85606c8f17cdc7037d618aa1090f4e1f7c061a1779d98c386c67fc64a5538a5

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_C589348B-0863-5695-96A0-3DAE1B1C0B90.plist
Filesize
156B

MD5
d28efae59a27151ef20543f42266174e

SHA1
64cc1e0793e5a68f2d5c1a3880b099c25658394f

SHA256
954364ecf8f6cfa02bf4cd831d5612643a87a88fcf11401a2f45d486a565671a

SHA512
e4fc4f055161df0c638e4c70294a31495817aa01fc46b18efd39df6558265f99953b00ade98709f44339aaa40380ff6b1b892021da56c2e9358d3a61f95f0ba6

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_C589348B-0863-5695-96A0-3DAE1B1C0B90.plist
Filesize
156B

MD5
0607a22d0a0db58439780320cf98395e

SHA1
00d59d69cbc9619621c6389c56ee337d4d98d41a

SHA256
2a34562aaece8393863ba970275bed821434f03632a3c6f3088f9fced66ba9d9

SHA512
4cec951379910d23cbb81ccc68131039dcb06ab6dd5ebcf510d09829d12215080a84b2b19df55570ff927cb67f96e92657ec673a39078021de26035ee23d3b84

Download Submit
/Library/Preferences/com.apple.networkextension.uuidcache.plist
Filesize
439B

MD5
c05b619361d2cac0288befbdef519546

SHA1
634e507971e2bd2697df0cdbbe8772e6fbec276e

SHA256
1b2c817978649cad70d67be41215a663790d97707b7512cfc156b488438cbec8

SHA512
86308ab30375670ff5eb886d50e3b5be5f3b7d60e0de53458e0372c0c67cbfd1c58450acb201c7d21a5f351c2b0e796d1777dbaa1e2b83ef7f69a83dac26ba20

Download Submit
/Library/Preferences/com.apple.networkextension.uuidcache.plist
Filesize
487B

MD5
e251c94fc14a772dbd695b0919d4f53a

SHA1
63c2eaa2aae3f097a6ad8952064d4764fe8295e0

SHA256
2e8a5e8288abdb773269792173899a3261c3a04c2a4d07c119988542d1978b49

SHA512
92222001d9e6f4bebf5abfc02f4a0b379b33c4f7dc4e9b27170e8b2d43f7c7e017632f893619d04f01eeaa48cfd79f77c7b910cc47d74d5b81f69ea83bd69a5d

Download Submit
/Library/Preferences/com.apple.networkextension.uuidcache.plist
Filesize
487B

MD5
7d3535f2750c80fb5549715a6eb18997

SHA1
e4c3448aa704f5a1c3e3dc8c6362ec9238e38ef9

SHA256
273fc7ecbe78aaf71d4692bc0c939735d1d6b02e48b9b7b503e9554bf54980b7

SHA512
a3344e01a57099e812e88cd83577f43e0dc756a06460ceb3177dae23a15a09a77a6175d99f7704eef66dc0edbf3539afa7982686703d7a0f2cd0a729be59fe83

Download Submit
/Library/osxmobiledata/com.apple.afsvcpd
Filesize
168KB

MD5
b3b86aa92b221b97594d88111ede107b

SHA1
2caeda1460dbdddeb9c5503c9e818651a6631164

SHA256
ca9cec4c520fece08328aeb323b4191e01b759b9fc158cf07427725fe9025f7f

SHA512
231fe736f51f99b7a1cf67f0d7ba0426ada0d25fea079f96043cf51c1bf38bc6ac4e0de8a336628c6da9bcdd09f95c793296aaa1886790018b100d2de9062811

Download Submit
/Users/run/Library/Caches/GeoServices/ActiveTileGroup.pbd
Filesize
124KB

MD5
cab37d7de7ee4f42b749d9dcf57c8e43

SHA1
44ef152f6e6424b0ff5f488fe61de57792efc31f

SHA256
5bf5dbb2c76932d94e16f73ab7ceb62137b0db7ca5b5874c44e001c656fcf41c

SHA512
2b8dec5d9e6346675ecef5e106da72143541dc12c14c18ea86433a1c00ace0f4b1b7511e6d3ca7289f8ccfb75d209f912c6c918a15a39280f594dc83e7dbb15d

Download Submit
/Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist
Filesize
430B

MD5
3d269391b44f568c96f9f5a420609082

SHA1
e2d49405da7ba6f883b366f71b6905b6ab556cae

SHA256
261e6af4aec0840afe0b4c75c21353d7bc8d69ffb1d26db364f5475962381a12

SHA512
81ae24faac0d2973a90b7ec7415273f95789fbbdeae164df6ffab10bfdfc4896d6ecf4d9b09ca13b2a151a385c59f48594d7b3d0df3b49e3bbc056f15908432c

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd
Filesize
168KB

MD5
84cefe1ceb0ec6f977d98a3123b40bfa

SHA1
008314b1ad57ad9ce411dd1a0e740ec5865d9856

SHA256
7b4615bc59fee32d9e24cd736e1407e4b59be920d0a390ba8d2c86c260b7ad73

SHA512
698cedd204cbb1148ef78f8f42461ab338014ac44c0ebf0327edce014edf4970f020958a06b453216ce41d24354961240ff2643a80366da9e6af07353cf6667f

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd
Filesize
168KB

MD5
a9d3aefdbc450c6c31e3e37528665c69

SHA1
ed983e03e31ee9ab08d703c1f7dfa9d1d588b9bb

SHA256
33a927f28b0df7c58a4243c91bd235709835abbc8b171de0bc25f29f9801432c

SHA512
ccbaf82c2024d6e40761e06f6cb22db5fabc802e81c91108921536f294fcefbd251d70e03d89fec7e6e113b5be1ac435f0f34a59b6086e9d7999bb267406d9c7

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd
Filesize
168KB

MD5
03b5c8765c052d92a328878c7693d8f3

SHA1
815c22cec521ac4dd215240248f6f10e7ae8d3ad

SHA256
329fc6ec5d30922f68dde3037150ea9bbac2315c2dfb625dd74cbe094f7e06a6

SHA512
fd369d54ee30aa7f59defbe239bbac664a900176882cc0a25c2c5d349822c7c4d2b25a0b1226429c35d40fe43c8493ac024f0d341c92b867044a1b8e35ff7595

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd
Filesize
168KB

MD5
215e954e2d73579e40e225ce44df0bd3

SHA1
392c68b0d0745a008dd5e09b470274f5283eb6c5

SHA256
13165af1b481527d84d99c104dbf94d02a01b836be13a1d784ea47e71ccfb2bd

SHA512
519dda16d4d8b5f8e48ff78758f18799abb3d7c611ad63dc14a02daddd9edcdd12293987efee8cba3c245850d85450d0c4d723be701b6b1ccd3a811416f631b3

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd
Filesize
168KB

MD5
c250c01f5cfec1553ecc9d35c94e33d3

SHA1
5340d85c05aae32064c14097744993a175b1813a

SHA256
64cdd75c524690df8e57899280f2371d4aace7d2e27ce480d89f3303650629d5

SHA512
40e80fd795bf1901d2cbdea1ec3a2eeea3ab76f822b9b8f494273ef08f051e2618993334fdd4be7893b8fe9920448ad042379b53c72fc5bb56c747aad3261e79

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd
Filesize
168KB

MD5
61bc095c113c31480bbdda93b618719c

SHA1
0c4d18f880b2d4e341181bc88e77952a354c190e

SHA256
8ded7df09828ca6048869a659ca71ec61b543a3fba97a15f9c1813d482b27511

SHA512
80c8d722b2180f211a5e65e6ce2ab23eaed67e3117f1cfcdf8bf98aacc6f1d6e03a58d47cb9a00a9b3719aed45f598eb940f522e1d245895f21e4563c3fed4c8

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd
Filesize
168KB

MD5
c206e0b923bfde56618e5ca577b5afe5

SHA1
2400f66814593d962c1de955a365e2833b1421e4

SHA256
073db911944c1f0a1257d71a2fbb3c5ab76a9822062e3ef6da35b84246255912

SHA512
58e5c33fd9ab7640cbb8dfe5f7a300dab58f9152ca759f8a21b3b6ba4f8093d30560731f307e1342e137129560a644edc0962c25330b630a57174f4586c3640c

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd
Filesize
168KB

MD5
ce87a6f04da31e347ef465e76d8ce03a

SHA1
15a266561d86cd80535c8ce6bd4f94934cad18d5

SHA256
81c10fbef9836a470a531c5b36780b8668321f984d8a83b43cae26c97e227875

SHA512
a3720badba7b5b7382d8b1082c2dce730426d9fd920ef4d9d1b9741368a6948262bbe9fc1cde6421e273efeed1489b296d95bf70459d61ea8051bc630e6dc4dc

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd
Filesize
168KB

MD5
ee67b99bb8b4277b7badea4891efc838

SHA1
7372526644db7635444e1908e43b89e0f635da97

SHA256
66a9934d08f26ac1750b1fc139d4f43081a8f2b9f0c3b15b2ce8ef76bd64a7ed

SHA512
0de70c138b26d4bd4006f00340049e3964e6583ca7abe8d725782f56b98aad2bed02e48208167c56bb211598e41eba2d88fb6c9765d48134307a49786f452a31

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd
Filesize
168KB

MD5
375148c57e598a3342a86dc22cda1465

SHA1
efd545c093ad1eaa63aef31c985f2b8e60dfd73b

SHA256
7b67390038797c9291f21142e7a77084610aa332f135917588c62e9932c341ac

SHA512
1e7926eabd70edce3836aa72cae2356efbdb8ed54967a44ec41197070a30b81e05f4c7c3e5de34a575afbd624c0231704d4095fdb30a1fff2cc8a755ac0368a3

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd
Filesize
168KB

MD5
ca222c212e36fe222876f080cf44d4e2

SHA1
0b02557b906db2a24589d677f62c2e95328be0bb

SHA256
2cd20759d86bd94bf0886b130480c19800cfe92128bed7ef9ce6c35b86ccf808

SHA512
a62460b27a385280936e6e416ebc0a76b9f9c07eec280610413736c80b4cc23f4b3eb898411b18a0971193332d147c4354aa034a058657d54e4c7422782161ba

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd
Filesize
168KB

MD5
d33009c3b988534fd07ba2497df9d31a

SHA1
fe75c48306d851ecadd75c4f201e1ef183c6abea

SHA256
41bb4694519d2bbf4884269f10a874512f9077c956666253c91460d31f65f1fb

SHA512
0acc10c910db6591ff1282ce40ca3df49a0e31877dcc7e62f70b2136b929186888e947efb3f95920525f5e2a80668fed9b6be12de6b941bf71e1fd399cedff26

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd
Filesize
168KB

MD5
6b83d22a9e6b226367cd6ba160b5aa05

SHA1
8be3b7ccca267bbe465cbb2267b5600ed2e2db0e

SHA256
02eb5ff9c967b8bcbc5fb672f1a6c4fdded2eca159d50d0a7d903a28cd3774fd

SHA512
d3db073d0ed18f1c9fb1d4a71856a4c50a98f5506267f0b57b9487ba97719f74712e4117070d18262c6c60f5b3cec053d33d8b6bece7b06bba9094fdec70359f

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd
Filesize
168KB

MD5
fbb175db5db6975a521ead9b3e972f7e

SHA1
ec172d37a099a10769824b53427a802aac19f6ab

SHA256
22ac76d4f0a2a98b94cb272ef34ef7d1962d941a7b40c757568944d4e7bee70e

SHA512
ca50bad72de517f85b3b21138955f65acfa5f40b50669972cb6d928015f8c7a220894e3027887bb8350b551f8f2973e63c23d4fe3727465c91de7c7ce72ae9bd

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd
Filesize
168KB

MD5
c595d816457befdbdedb8bfab3ab877f

SHA1
b9a87a4f705e152eaa5321a15f540bafc3b39f6b

SHA256
2fb6d4faf0c03b9486d758be97cd02e00c93c14f43bc5644ded7b25a9dd8afb6

SHA512
a9c76bf69058ac69387325c77534d56b32d8c5b4531a36d3130c87bb72f2142895efbdd3e1c5fad329190afee5407463f4fb74167d3bb1101db089c8997de461

Download Submit
/var/db/locationd/Library/Caches/GeoServices/Resources/altitude-1249.xml
Filesize
160KB

MD5
c0b8e6fb70a16991ed49a487448cd106

SHA1
71f21321168dc466e7f64eb2c2516cecb1a931c3

SHA256
9320e397ccc5577acc65da1f4cbafea31c1d802014ec4b4459c628b449414fdc

SHA512
ae0c5fb1b29d7f80511a846f8c3db54d018aba7b9314792e63d6844ded948610aed6aeac4388dfbfd8530dbaaeae4cf479c10f52746bab866509d71217111ba1

Download Submit
/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsDirectory.db
Filesize
47KB

MD5
0e4a0d1ceb2af6f0f8d0167ce77be2d3

SHA1
414ba4c1dc5fc8bf53d550e296fd6f5ad669918c

SHA256
cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030

SHA512
1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

Download Submit
/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsObject.db
Filesize
4KB

MD5
d3a1859e6ec593505cc882e6def48fc8

SHA1
f8e6728e3e9de477a75706faa95cead9ce13cb32

SHA256
3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c

SHA512
ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

Download Submit