evilquest | 60863bcc4b5901aa49f344f3b1e3e526cd1bdd0a27c06fd7b4360014c425683a

Analysis

max time kernel
150s
max time network
135s
platform
macos-10.15_amd64
resource
macos-20240214-en
resource tags

arch:amd64arch:i386image:macos-20240214-enkernel:19b77alocale:en-usos:macos-10.15-amd64system
submitted
29-03-2024 03:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-29_6a2658e5f616a4828abf3d32baf17db5_adload_evilquest
Size

168KB
MD5

6a2658e5f616a4828abf3d32baf17db5
SHA1

e5262c616a10dfe0950ebd793080258cb83367d0
SHA256

60863bcc4b5901aa49f344f3b1e3e526cd1bdd0a27c06fd7b4360014c425683a
SHA512

c99efe05c1b36772632d173cf9c0aca8897ff800289ec86a6f2636d82796c1fff1c13361f4e2ac69ea981fbbd21348a6822320fb72c48031b2ec45ba3660e076
SSDEEP

3072:cx6SZwEgOQtbap1jZNFnYo6w68cqhS2iJvHLzxq9fMc0:5SeOQdaZNxtk8cqhSxvHY9fM

Score

10^/10

evilquest backdoor execution persistence

Malware Config

Signatures

EvilQuest
EvilQuest family.
backdoor evilquest

EvilQuest payload 16 IoCs

Processes:

resource	yara_rule
/Users/run/2024-03-29_6a2658e5f616a4828abf3d32baf17db5_adload_evilquest	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Users/run/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest

Launch Agent 1 TTPs
Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence.
persistence

Launch Agent
T1543.001
Launch Daemon 1 TTPs
Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS.
persistence

Launch Daemon
T1543.004

AppleScript 1 TTPs 8 IoCs

AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.

execution

AppleScript

T1059.002

Processes:

ioc	process
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""

Launchctl 1 TTPs 16 IoCs

Adversaries may abuse launchctl to execute commands or programs. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.

execution

Launchctl

T1569.001

Processes:

ioc	process
osascript -e "do shell script \"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
/bin/sh -c "launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
/bin/sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist
sh -c "osascript -e \"do shell script \\\"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist

/usr/libexec/xpcproxy
xpcproxy com.apple.pluginkit.pkd
1⤵
PID:520

/usr/libexec/xpcproxy
xpcproxy com.apple.nsurlstoraged
1⤵
PID:521

/usr/libexec/pkd
/usr/libexec/pkd
1⤵
PID:520

/usr/libexec/nsurlstoraged
/usr/libexec/nsurlstoraged
1⤵
PID:521

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/2024-03-29_6a2658e5f616a4828abf3d32baf17db5_adload_evilquest\""
1⤵
PID:523

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/2024-03-29_6a2658e5f616a4828abf3d32baf17db5_adload_evilquest\""
1⤵
PID:523

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/2024-03-29_6a2658e5f616a4828abf3d32baf17db5_adload_evilquest
1⤵
PID:523

/bin/zsh
/bin/zsh -c /Users/run/2024-03-29_6a2658e5f616a4828abf3d32baf17db5_adload_evilquest
2⤵
PID:524

/Users/run/2024-03-29_6a2658e5f616a4828abf3d32baf17db5_adload_evilquest
/Users/run/2024-03-29_6a2658e5f616a4828abf3d32baf17db5_adload_evilquest
2⤵
PID:524

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:525

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:525

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:525

/usr/libexec/xpcproxy
xpcproxy com.apple.sysmond
1⤵
PID:549

/usr/libexec/sysmond
/usr/libexec/sysmond
1⤵
PID:549

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:550

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:550

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:550

/usr/libexec/xpcproxy
xpcproxy com.apple.security.authtrampoline
1⤵
PID:551

/System/Library/Frameworks/Security.framework/authtrampoline
/System/Library/Frameworks/Security.framework/authtrampoline
1⤵
PID:551

/bin/sh
/bin/sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:552

/bin/bash
/bin/sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:552

/bin/launchctl
launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:552

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:553

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:553

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:554

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:554

/usr/bin/osascript
osascript -e "do shell script \"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:554

/bin/sh
/bin/sh -c "launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:555

/bin/bash
/bin/sh -c "launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:555

/bin/launchctl
launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:555

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:556

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:556

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:556

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:557

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:557

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:557

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:558

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:558

/bin/launchctl
launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist
1⤵
PID:558

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:559

/usr/libexec/xpcproxy
xpcproxy com.apple.ReportCrash
1⤵
PID:560

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:559

/usr/bin/osascript
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:559

/bin/sh
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:561

/bin/bash
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:561

/bin/launchctl
launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist
1⤵
PID:561

/System/Library/CoreServices/ReportCrash
/System/Library/CoreServices/ReportCrash agent
1⤵
PID:560

/usr/libexec/xpcproxy
xpcproxy com.apple.ReportCrash.Root
1⤵
PID:563

/System/Library/CoreServices/ReportCrash
/System/Library/CoreServices/ReportCrash daemon
1⤵
PID:563

/usr/bin/pluginkit
/usr/bin/pluginkit -e ignore -i com.microsoft.OneDrive.FinderSync
1⤵
PID:565

/usr/sbin/spctl
/usr/sbin/spctl --assess --type execute /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/OneDriveUpdaterDA6CE80A/OneDrive.app
1⤵
PID:566

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:573

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:573

/usr/libexec/xpcproxy
xpcproxy com.apple.geod
1⤵
PID:574

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
1⤵
PID:574

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:575

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:575

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:575

/usr/libexec/xpcproxy
xpcproxy com.apple.nehelper
1⤵
PID:581

/usr/libexec/nehelper
/usr/libexec/nehelper
1⤵
PID:581

/usr/libexec/xpcproxy
xpcproxy com.apple.AddressBook.ContactsAccountsService
1⤵
PID:582

/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService
/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService
1⤵
PID:582

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:583

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:583

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:584

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:584

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:584

/usr/libexec/xpcproxy
xpcproxy com.apple.routined
1⤵
PID:585

/usr/libexec/routined
/usr/libexec/routined LAUNCHED_BY_LAUNCHD
1⤵
PID:585

/usr/libexec/xpcproxy
xpcproxy com.apple.tailspind
1⤵
PID:586

/usr/libexec/tailspind
/usr/libexec/tailspind
1⤵
PID:586

/usr/libexec/xpcproxy
xpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A
1⤵
PID:589

/usr/libexec/neagent
/usr/libexec/neagent
1⤵
PID:589

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:592

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:592

/usr/libexec/xpcproxy
xpcproxy com.apple.Maps.mapspushd
1⤵
PID:593

/System/Library/CoreServices/mapspushd
/System/Library/CoreServices/mapspushd
1⤵
PID:593

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:594

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:594

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:594

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:596

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:596

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:597

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:597

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:597

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:600

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:600

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:601

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:601

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:601

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:602

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:602

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:603

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:603

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:603

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:605

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:605

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:606

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:606

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:606

/usr/sbin/spctl
/usr/sbin/spctl --assess --type execute /Applications/OneDrive.app
1⤵
PID:607

/usr/libexec/xpcproxy
xpcproxy com.apple.assistantd
1⤵
PID:609

/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd
/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd
1⤵
PID:609

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:613

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:613

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:614

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:614

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:614

/usr/libexec/xpcproxy
xpcproxy com.apple.pbs
1⤵
PID:616

/System/Library/CoreServices/pbs
/System/Library/CoreServices/pbs
1⤵
PID:616

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:617

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:617

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:618

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:618

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:618

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:621

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:621

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:622

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:622

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:622

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:623

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:623

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:624

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:624

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:624

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:625

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:625

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:626

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:626

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:626

/bin/launchctl
/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveUpdaterDaemon
1⤵
PID:627

/bin/launchctl
/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveStandaloneUpdaterDaemon
1⤵
PID:628

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:629

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:629

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:630

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:630

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:630

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:637

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:637

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:638

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:638

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:638

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

AppleScript

T1059.002

System Services

T1569

Launchctl

T1569.001

Persistence

Create or Modify System Process

T1543

Launch Agent

T1543.001

Launch Daemon

T1543.004

Privilege Escalation

Create or Modify System Process

T1543

Launch Agent

T1543.001

Launch Daemon

T1543.004

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

/Library/Application Support/CrashReporter/com.apple.afsvcpd_C589348B-0863-5695-96A0-3DAE1B1C0B90.plist
Filesize
156B

MD5
6e56a61a13fd3caa5c39257fd6e5f0ad

SHA1
d10160ed2494cd4f04b581b7b0c58df862836015

SHA256
28497da6d457b73f11eb1657c734dcdfe2e36216ff4bcbb77eb9aed0799c5b54

SHA512
46b70448c89633148756aa6c0af705bc61b4887bc8320235c607028ff98557fe43e3498ef84fe8a2d4c3ed0b8b7d05076b6ac3bafa81ae18435453e0bfb3a589

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_C589348B-0863-5695-96A0-3DAE1B1C0B90.plist
Filesize
156B

MD5
bc0dd0e4f3872c121f17c933e01b5102

SHA1
b8dfc96f113d1d7215a288e70cd86cb575ec9579

SHA256
cc68b347d9278b8854c611924c90794e33a4abff88d2be8c3c3bb74adb8632d0

SHA512
0ad4a462a7942b68e004cc8e7b04ca4c6ae898d6f109dcb8bc2006f238c19b8eff89b11760622ebfac9b8c18692036a1b927402e1d6fbccdc6b2e0c4c71d8efb

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_C589348B-0863-5695-96A0-3DAE1B1C0B90.plist
Filesize
156B

MD5
02eb54409f25e1dbf666678a30ca0bcb

SHA1
ce7d329754c0d3c2700b56cdb50f4e23ea26ff25

SHA256
10a9f5966d5b9924c624cc6ec6d33d2506a6290e7d25af5389012f87a7a2904c

SHA512
71cd07b0cd0cfd6c8ae23cbfff61cf7262cd7ecd220fd0b47ac491527df569bf8635940b7627ee3735535c2327ca93082f9b24d7f0650baa1028f4eebf07897c

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_C589348B-0863-5695-96A0-3DAE1B1C0B90.plist
Filesize
156B

MD5
8273de61b9967977a33aebe0a33cc2f9

SHA1
88e3d0cf559ff1e39d033ea2430f487796534a65

SHA256
fb755a8dfc3a4d6f0512cbd7028a7a9510820fe48ecffa7732241206ee654353

SHA512
3928fdb1af67625b1ba7b3896e5f1ac3039e1bb3ca18242ef2ba4dcf6e80bcc6647baf98fef542652ee4757e8a83e4113df99bc29f2b0ac4f27de519f10d528f

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_C589348B-0863-5695-96A0-3DAE1B1C0B90.plist
Filesize
156B

MD5
d122afd797fb87a15535e89c54b027e0

SHA1
b0851bbe9c3ff544a1a8c52e8662a03afad21ef6

SHA256
fff695371c64e16f04b5d2835ff95386626eddf5215a4121a65ef672dc4b8d3c

SHA512
e153cf8e54941d7f916259242d6714d7ad2f784cd5f95d0fcedb81abfd9ee131c8f0b103864d52ee0c583471faf2a8a3d522378faff640a48eb0035905ed6c9e

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_C589348B-0863-5695-96A0-3DAE1B1C0B90.plist
Filesize
156B

MD5
c6bacb86405678dc32d091c9a92ecb5f

SHA1
be37466ca1d7fd3d56a65795cd033f39fd3d4235

SHA256
64111dae4152c3059f57c15ebd78806eb79f38e9c10bf95aaa9cb53df2ee63b3

SHA512
27004e7883a211853c9744dc93bb76a2a13245cd614be9eb6f072ee55fdaefef08d7933cfd8c7a018d0c5e53142bfe199a825ebfd47741afa14251d33287719a

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_C589348B-0863-5695-96A0-3DAE1B1C0B90.plist
Filesize
156B

MD5
98706ed36c0d56582ebe7862fcc317ef

SHA1
bb312f7876f4f27653b3b89194572a09e9e47d11

SHA256
86375963dd426ab7e558d77253cf33b5d79e2b91150d39fe260935b15050871f

SHA512
38c187b1a2903be5826cbca226b0d3bcfb3acb1f6a9fffc24decbc0d315abe31a349260b7bd46951594289bb975cb9deaa33bd35fd7ab08b9cebb5c3d0f6778f

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_C589348B-0863-5695-96A0-3DAE1B1C0B90.plist
Filesize
156B

MD5
6144f4af9e6e125012f3e2366030e46e

SHA1
f4cfafaba141b89c3f72c19320977e1606a374b8

SHA256
cad0e0e9160dd16c98658a6f1719c5b72e72e74cdc13e06f726fb4b414b33748

SHA512
13ca9ed4860b1c2a64683c9ed26125cb8d130d9e78eb5eb3e2da6751788c7e05d3880e233fe4da25b9158a941bb6f4723662686f832432d0ef1d304cdf8a8923

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_C589348B-0863-5695-96A0-3DAE1B1C0B90.plist
Filesize
156B

MD5
d3d1c40c98520581fe66b6be5bdd718d

SHA1
14e5dab9601051d7d36ea626ad1b59c642af743a

SHA256
775a3336be07046c385d6f178d5e5745709eede9dc51e7d165c2a0b7bb2542b2

SHA512
cce5e9b1e8a62cc004f59848075f15dcec0698d40e917500db9cc7e25e8a88bee984a0bc982c665b8c85d6ad423d093a19cf2bcded92984a8b8fe53d90a72d82

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_C589348B-0863-5695-96A0-3DAE1B1C0B90.plist
Filesize
156B

MD5
4cebe088744467c63067a1f8ba964971

SHA1
49680390d29293ede83683c6992096a9cabbe7ce

SHA256
83684c3e380522a1dd52e83217b21b5bb3d0d19ecf15b4df604a3a2a2979950d

SHA512
29b6923f681bece1867e8b556786419591506b4768d1f8a99f03b543c021cccb4999b809dc55d30c47a54571929ab7c8f502b42bc8beb7c1ead0f4476be413fb

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_C589348B-0863-5695-96A0-3DAE1B1C0B90.plist
Filesize
156B

MD5
82f517f2ab4d8a30c5717c5696ddd50d

SHA1
9e2286bada290a9635ee71a348b024569776fcce

SHA256
ca7dc748e37b6f56d0fb4fe72091e8da912e9f1180f7300b7c29239a6a7626b2

SHA512
bb95c45e888c3464bf0033851cc6a21a57782a2da06327a374d2647f4b5115d583050a92e23d7390d0beb6f0c8a8bde26c2e9166d6ca95f40d3c00c1e5df0612

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_C589348B-0863-5695-96A0-3DAE1B1C0B90.plist
Filesize
156B

MD5
723e6f2890e812f03da537954168c820

SHA1
681c977b38e67a1b3167356d5adba50d3c04f7e3

SHA256
97fa7b8d665c77ca54271569ea7c4928bd422a68dc7f27aa35605d0703ed82fe

SHA512
f3bb38b3ca85daa8bf2ba541e3313705bc2e1e9960c6c60bc58e9b2b4d71789ad5f86edb9ee6722f1d6f9b605b916efdb524e78d9f4a61876be3ba01a68acf3a

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_C589348B-0863-5695-96A0-3DAE1B1C0B90.plist
Filesize
156B

MD5
a044551b79d3192f997848099add5af5

SHA1
204498f8ed0c9b29f670d018b3d805d9a3111128

SHA256
8e9d0ceb066f0a60e15b74be422113657b77c6a8104576779892d73ed56ae088

SHA512
22de907a06b7575ffb7516cfda911f62d84bd4d32eb675bfbfe370a9a1b314f4960264f7fbc050ec8556300176725f39a50c48aee4fddb9f62028fc1e1c7a1fc

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_C589348B-0863-5695-96A0-3DAE1B1C0B90.plist
Filesize
156B

MD5
2b4ff81b2ec256163d78a7b6638281ab

SHA1
f1c882410e0e8017c4e130e3e90546477ca2099d

SHA256
8a00eb75667892c3cfe2172f6d4e79c77a68f9c8230cf9407d0a1d80a243860a

SHA512
4b2808c1b7c87112f3d4e99721613fdb3c55f0de6589f931b28655af8ea134ee62b98ffd9ccfbf6a4b7471315a206d54b9ab25ca8d937e66867e4463e83dca93

Download Submit
/Library/Preferences/com.apple.networkextension.uuidcache.plist
Filesize
288B

MD5
c92127f7ee48ad5e3c8b165ef0dcba1c

SHA1
7fabbe716497efc2de185429b40127cdd58f59b7

SHA256
04fefbaa058a5c300a90a50be6894dde2138fa47239dd93e7b9265352a96e4eb

SHA512
29d6c275b4337e642dfc183316969acbc345c0cfae53f94a103192e56fbf73499cc05cbf8076788191434162ba75275adfbbe0bf31ade37be0c76954570b1ccc

Download Submit
/Library/Preferences/com.apple.networkextension.uuidcache.plist
Filesize
288B

MD5
180d9b3949b39ff1f5c85cecb6d6785c

SHA1
c0d976708fd5a19728d7f0f275e93e19b7558eba

SHA256
87a9a1a2c137609da7808452aa71478cca04d1b0a778b1d1f559446bd8178d19

SHA512
68ee36c2cf3ab0699358181e5027b9cc69adb9847de0206fe0dd46d3a06155b0f5557bd39863f6e1cfde3698f7abd873e57bd41398983fbbdf07a02e97b5ff43

Download Submit
/Library/Preferences/com.apple.networkextension.uuidcache.plist
Filesize
42B

MD5
ce7f5b3d4bfc7b4b0da6a06dccc515f2

SHA1
ce657a52a052a3aaf534ecfbf7cbdde4ee334c10

SHA256
9261ecceda608ef174256e5fdc774c1e6e3dcf533409c1bc393d490d01c713f1

SHA512
db9de6afa0e14c347aa0988a985b8a453ef133a2413c03bae0fab48bda34d4f9a488db104837a386bb65c393e8f11b1ed4856b211c1c186423649c147d6aabfb

Download Submit
/Users/run/2024-03-29_6a2658e5f616a4828abf3d32baf17db5_adload_evilquest
Filesize
168KB

MD5
11d8d9a3bbe6297e73d3fc9a950878d0

SHA1
af68adca343efd69064690b6621a783b2eb2aacb

SHA256
80bdb72f8b85a51df03c3103eb1d7f6ed89400d8885939c8eebff62f96b8f5cf

SHA512
8e8bfe24083ff4ffa94aad02c7b4d42e5986759ad61d998492e46bc4d1447361b3ba68cf564afd23aa01d88130db93205e4ed626b185375b3f499ffd22f79889

Download Submit
/Users/run/Library/Caches/GeoServices/ActiveTileGroup.pbd
Filesize
124KB

MD5
38fd30b74693f3a0b8593dbc9fae1dad

SHA1
deffbed12675b64fdf233582267986b6f599b7b8

SHA256
8febc0d48764f5876a896273ddf7a093242a2d7e9900edcb57204b98b6442054

SHA512
e712126af78986889db2d0767fb045fc0a74672c1a60da61cea035c4f22b238e021fafe78634d5298cd2bc5386e15ad55fb47d3ef1ffdbd3e8ffc949b0a15e9d

Download Submit
/Users/run/Library/Caches/GeoServices/Resources/altitude-1249.xml
Filesize
160KB

MD5
c0b8e6fb70a16991ed49a487448cd106

SHA1
71f21321168dc466e7f64eb2c2516cecb1a931c3

SHA256
9320e397ccc5577acc65da1f4cbafea31c1d802014ec4b4459c628b449414fdc

SHA512
ae0c5fb1b29d7f80511a846f8c3db54d018aba7b9314792e63d6844ded948610aed6aeac4388dfbfd8530dbaaeae4cf479c10f52746bab866509d71217111ba1

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd
Filesize
168KB

MD5
1d9c5a9ecb93e0eadbfd86bbbcc57a92

SHA1
dc1980897be80513c8ea351c85cec4a299f44722

SHA256
818beeb0739d5c4023f926dca107e692d8868d49fdffddca58a91f285927d933

SHA512
d2125c891a54646b3c46532f57ade3dd0260c8df9ec71a5a3235fbd65f3bc71e3e2113ba276745962360c0f1020b5cadda7dbcfb538f3bce4dccb3ee9d503e6f

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd
Filesize
168KB

MD5
cb57a20c0afa00172e99ead9dd9d8e36

SHA1
3c1a42ce3ffd8f2542b884ca1d53740ce1ef3754

SHA256
c1bf7e040f1a25b9054ac9b2fd5304ffa0601286ee59e0f1802e54e95499868e

SHA512
42c7779e9748a31d2eb965b533ae053b5b45c899c2a03e58d1767aabe15ff341c33a759b12733f96d18d44be3aa0d3cfab2be2e14ac90f4583a030c89a1ec8f1

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd
Filesize
168KB

MD5
a527cbfa95942ccafb275172a4f60bb9

SHA1
6187c7875be76fc083c930b4fa15356560795b71

SHA256
ef6047dfc928ae442fe1a916ea3a2dfd4adfd33bfabcc1cac956eff6fa90c430

SHA512
5d5fc5635428c4e92b740ace04162b337f81a647da0817f4b51e0bfb048186a038dd74fc8aa0ec67f9fe3978c63dcb033f6083f8c99507eb5c318246d253a3fc

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd
Filesize
168KB

MD5
f115bd608471e4d94e428a052eadcc9d

SHA1
12c598ae3fc634138579c1d9e61536bdba096ed8

SHA256
3dce90012ce731b188c5f9f5d7f07024cbd70d57b38634559d661662616b52b7

SHA512
3e26d0b58de94dc679058a78aefe810c0dc255f525b8f5f88caee4fbfc4933c8fdcc5fa0011c9c4748ce31ef35f1fcd310996ac571ed5506d59ac528a09ac5fe

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd
Filesize
168KB

MD5
16bb021f566ef8edd9d268ac0a928f07

SHA1
ad8826cc0b4d7bca073d68ab0dd61e5d6772343b

SHA256
87f61d12b1a3a5c48ddc09d6c9192b1d8e112c26e1b84b1fe064b00c3cd9a6fd

SHA512
7b4bf1a41f18cf856e93f7855afedf9294d5fcd0f6ab9ad19ae7fb7c0026e0fa0eb27f60d3f4e18ab488c68a96dec49b23ec7073eb08e24c789c09b1817c8790

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd
Filesize
168KB

MD5
ae45e672ae24801e5232133906e0255b

SHA1
39c43c9564c8984e2092acd5670acef38d33f039

SHA256
09e3ed00a51b45258dcb094a1b880bb53ddd8959e797853a84408f099d88a3e8

SHA512
c56070dda33d8a154bfbca09cc04b60e7c73e4fd5ee6ef2cfc35cb44c84110e08746643e97b7e7653bd28999b7a88c7473cd58d89f3633ca05e9df073216b7dd

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd
Filesize
168KB

MD5
e3971bd0c3882c36fc1617bf4ef80eed

SHA1
1d14dd040d940be96570cbc1162d751e739a3a41

SHA256
08fb7e6fd99aabf8b335fe3a81d95ea30b2955a495594e205dbdf442494b785c

SHA512
51af713e3849966344c1caaefc77ed94c071051a6770e1563cdd4e3ebf6fdae35225460d5416e9a7b991e588fb932355f991a8853f87ccd203b1b8287fe6033f

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd
Filesize
168KB

MD5
1f4004a7bd5bcd4f44583129b63da346

SHA1
039158ad4c9891ad72ae9613a9a8c54cb050aeb1

SHA256
c9090ebdb847623db209c8695f48f641136a2405b1d654b6083f30b8ece22923

SHA512
7937e5e2714e094479c79729c851c4d359689f1cc36a763968cb2bbd62b638a72830d6a5130871cdc02728c40b9478bc0b5dcff7cdb73235c7091ba61eb97193

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd
Filesize
168KB

MD5
a7592d3829f0845747e2340f421a82e1

SHA1
c853aa9390b1e9efe800fe0b0518c3e02085332d

SHA256
d95cc4c31f76e238fbaebeff63a52f7a80c5ada987584c5842e5be9050934cd3

SHA512
c26610d875de3291660cb0fa356847e569901aee49d40512073143226f96a647bfff6dd98ef54339ec8f8d7eec0a9cc64d830a9ca7cdbaa6658973ac9b45eede

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd
Filesize
168KB

MD5
0c4576556db960ec45d725102125dfaa

SHA1
18025a6b4ea024bda2389dbe0f4385a5b5026bdf

SHA256
362e5ddcb53f6aec5d0e2075baea2d7887c182ab12f16fc9c885133bc1f6f555

SHA512
0accac3c7c347074328656d8192d1ef05341d4ad6e23b636cf4900d27977144ed0613d2e354ebf7a895d2085f129f4bdab3e0f0ca3407cbd63077ee7b9be9fc2

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd
Filesize
168KB

MD5
7b2c469b857dc2d276412814c32baff6

SHA1
3f4284919b03805951931acca2e870ba8cc754ab

SHA256
0294b0e81e02c449553613186e506f6cf69ddff17acd03f5207c7e41e4e8f673

SHA512
aff092f9a7e901d4f72473a2fcf1bd46fcafaa7d15af988793bc73c70e379f06c11c8a3f883c277cf98d317ed3a4c6051c3596895c0912337b37cbeef96718e3

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd
Filesize
168KB

MD5
6367c7f8464c67e71cccfd8fb078b3b6

SHA1
6313a88e0cf7e057f4165679db09f2af02bbcfd1

SHA256
51cf0a0eebda1b82491a122fafd5a8f17709bbe157e4bbea6fae844c56dc9210

SHA512
fc7466621cb315ea8326c6ed8d9566c61dd14596cfea75aaa870d3c8fc7b5ada3efdd018fbae6aadcd59504e0602a71570192fc4bd89b0860a4c545dca2b647a

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd
Filesize
168KB

MD5
f50e666c665fedff47e28dd101f72b70

SHA1
98b3a4efce06af46ec042156c3627d5290b23d6a

SHA256
57182b27b3b671ff4abca16621348d0ea5b22060b71ee10d5aa5179c31eb17b5

SHA512
79a8cb91e9608aea8b4ae48090bab5ee70d2a474a9056447aca7dee8340155e12e93cb04aa427c967087d6d4f1c70f3974fc250071aa498247e188cabfef4a2e

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd
Filesize
168KB

MD5
692fea3154cf7d3116c7737a22118d20

SHA1
d34b5e4c5d1307ba7696bbe3d2d5ec716332ad8f

SHA256
da912e84fd3db990e4e68db56753a93d85c8e495adfa0bca57f1d977275f862f

SHA512
8d65369c10a07e5fce3a08482006f30c6453fb8840d162863c6e1bfc8bc206f499347fcf54f3912bc286db7a47da3d26a95f2f41d791ba73d10cd37d043fd3d4

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd
Filesize
168KB

MD5
6e0ada76275f9d1b804923e8cdaa936f

SHA1
a8dc4b0eeb2f4793d919d3c731ced3cf6c9cc9a3

SHA256
fe8ece29f33499ee6fbd103ca3a2a362e30176a42f5165de8c7d54976fe0ea04

SHA512
84a42ef2e52f1a611984151028dd41439c3ccac1005b4707dc85d34560f7292912fc63f0f59f4f9aadd4bd652679a5d833c4d51b70ee9ed1b0c7248a6e9cbaaf

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/assistantd//mds/mdsDirectory.db
Filesize
47KB

MD5
0e4a0d1ceb2af6f0f8d0167ce77be2d3

SHA1
414ba4c1dc5fc8bf53d550e296fd6f5ad669918c

SHA256
cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030

SHA512
1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/assistantd//mds/mdsObject.db
Filesize
4KB

MD5
d3a1859e6ec593505cc882e6def48fc8

SHA1
f8e6728e3e9de477a75706faa95cead9ce13cb32

SHA256
3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c

SHA512
ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

Download Submit