evilquest | d001c33ab7391e2c99904661df1a7f98388fe67cde162c7654a5d3dae892318c

Analysis

max time kernel
149s
max time network
137s
platform
macos-10.15_amd64
resource
macos-20240410-en
resource tags

arch:amd64arch:i386image:macos-20240410-enkernel:19b77alocale:en-usos:macos-10.15-amd64system
submitted
12-04-2024 23:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-12_a6b63d09b247dabab53bb3e43a2b5f87_adload_evilquest
Size

337KB
MD5

a6b63d09b247dabab53bb3e43a2b5f87
SHA1

77005cb57642e15ed782775a6d2b6dcc435b48c6
SHA256

d001c33ab7391e2c99904661df1a7f98388fe67cde162c7654a5d3dae892318c
SHA512

447fda51aae25dd6fede9dfcc3cd6c88b8a4ca753bf87a014dabbd9dbad3c29582922e2738a611ee006f5565bbcd99892bb5d2228075501f16eb73a08cf2a5ce
SSDEEP

6144:5SeOQdaZNxtk8cqhSxvHY9dSeOQdaZNxtk8cqhSxvHY9:5LOQdaDxq8cqavHY3LOQdaDxq8cqavHY

Score

10^/10

evilquest backdoor evasion execution persistence

Malware Config

Signatures

EvilQuest
EvilQuest family.
backdoor evilquest

EvilQuest payload 15 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x000000030008ad9e-0.dat	family_evilquest
behavioral1/files/0x000000030008adef-3.dat	family_evilquest
behavioral1/files/0x000000030008adef-6.dat	family_evilquest
behavioral1/files/0x000000030008adef-17.dat	family_evilquest
behavioral1/files/0x000000030008adef-25.dat	family_evilquest
behavioral1/files/0x000000030008adef-28.dat	family_evilquest
behavioral1/files/0x000000030008adef-33.dat	family_evilquest
behavioral1/files/0x000000030008adef-42.dat	family_evilquest
behavioral1/files/0x000000030008adef-47.dat	family_evilquest
behavioral1/files/0x000000030008adef-52.dat	family_evilquest
behavioral1/files/0x000000030008adef-57.dat	family_evilquest
behavioral1/files/0x000000030008adef-62.dat	family_evilquest
behavioral1/files/0x000000030008adef-67.dat	family_evilquest
behavioral1/files/0x000000030008adef-72.dat	family_evilquest
behavioral1/files/0x000000030008adef-77.dat	family_evilquest

Launch Agent 1 TTPs
Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence.
persistence

Launch Agent
T1543.001
Launch Daemon 1 TTPs
Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS.
persistence

Launch Daemon
T1543.004

AppleScript 1 TTPs 8 IoCs

AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.

execution

AppleScript

T1059.002

Processes:

ioc	Process
sh -c "osascript -e \"do shell script \\\"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"

Resource Forking 1 TTPs 1 IoCs

Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.

evasion

Resource Forking

T1564.009

Processes:

ioc	Process
/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy

Launchctl 1 TTPs 16 IoCs

Adversaries may abuse launchctl to execute commands or programs. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.

execution

Launchctl

T1569.001

Processes:

ioc	Process
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
/bin/sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist
osascript -e "do shell script \"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist
sh -c "osascript -e \"do shell script \\\"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
/bin/sh -c "launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/2024-04-12_a6b63d09b247dabab53bb3e43a2b5f87_adload_evilquest\""
1⤵
PID:552

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/2024-04-12_a6b63d09b247dabab53bb3e43a2b5f87_adload_evilquest\""
1⤵
PID:552

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/2024-04-12_a6b63d09b247dabab53bb3e43a2b5f87_adload_evilquest
1⤵
PID:552
- /bin/zsh
  /bin/zsh -c /Users/run/2024-04-12_a6b63d09b247dabab53bb3e43a2b5f87_adload_evilquest
  2⤵
  PID:555
- /Users/run/2024-04-12_a6b63d09b247dabab53bb3e43a2b5f87_adload_evilquest
  /Users/run/2024-04-12_a6b63d09b247dabab53bb3e43a2b5f87_adload_evilquest
  2⤵
  PID:555

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:556

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:556

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:556

/usr/libexec/dmd
/usr/libexec/dmd
1⤵
PID:548

/usr/libexec/xpcproxy
xpcproxy com.apple.sysmond
1⤵
PID:565

/usr/libexec/sysmond
/usr/libexec/sysmond
1⤵
PID:565

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:580

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:580

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:580

/usr/libexec/xpcproxy
xpcproxy com.apple.security.authtrampoline
1⤵
PID:581

/System/Library/Frameworks/Security.framework/authtrampoline
/System/Library/Frameworks/Security.framework/authtrampoline
1⤵
PID:581

/bin/sh
/bin/sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:582

/bin/bash
/bin/sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:582

/bin/launchctl
launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:582

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:583

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:583

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:584

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:584

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:584

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:585

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:585

/usr/bin/osascript
osascript -e "do shell script \"launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:585

/bin/sh
/bin/sh -c "launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:586

/bin/bash
/bin/sh -c "launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:586

/bin/launchctl
launchctl start /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:586

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:587

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:587

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:587

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:588

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:588

/bin/launchctl
launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist
1⤵
PID:588

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:589

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:589

/usr/bin/osascript
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:589

/bin/sh
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:590

/bin/bash
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:590

/bin/launchctl
launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist
1⤵
PID:590

/usr/libexec/xpcproxy
xpcproxy com.apple.ReportCrash.Root
1⤵
PID:591

/usr/libexec/xpcproxy
xpcproxy com.apple.ReportCrash
1⤵
PID:592

/System/Library/CoreServices/ReportCrash
/System/Library/CoreServices/ReportCrash daemon
1⤵
PID:591

/System/Library/CoreServices/ReportCrash
/System/Library/CoreServices/ReportCrash agent
1⤵
PID:592

/usr/libexec/xpcproxy
xpcproxy com.apple.security.cloudkeychainproxy3
1⤵
PID:594

/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy
/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy
1⤵
PID:594

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:597

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:597

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:598

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:598

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:598

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:602

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:602

/usr/libexec/xpcproxy
xpcproxy com.apple.assistantd
1⤵
PID:604

/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd
/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd
1⤵
PID:604

/usr/sbin/spctl
/usr/sbin/spctl --assess --type execute /Applications/OneDrive.app
1⤵
PID:605

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:606

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:606

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:606

/usr/libexec/xpcproxy
xpcproxy com.apple.secinitd
1⤵
PID:612

/usr/libexec/secinitd
/usr/libexec/secinitd
1⤵
PID:612

/usr/libexec/xpcproxy
xpcproxy com.apple.geod
1⤵
PID:617

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
1⤵
PID:617

/usr/libexec/xpcproxy
xpcproxy com.apple.geod
1⤵
PID:618

/usr/libexec/xpcproxy
xpcproxy com.apple.pbs
1⤵
PID:619

/System/Library/CoreServices/pbs
/System/Library/CoreServices/pbs
1⤵
PID:619

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
1⤵
PID:618

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:620

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:620

/usr/libexec/xpcproxy
xpcproxy com.apple.secinitd
1⤵
PID:621

/usr/libexec/secinitd
/usr/libexec/secinitd
1⤵
PID:621

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:623

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:623

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:623

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:629

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:629

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:630

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:630

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:630

/usr/libexec/xpcproxy
xpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A
1⤵
PID:631

/usr/libexec/neagent
/usr/libexec/neagent
1⤵
PID:631

/usr/libexec/xpcproxy
xpcproxy com.apple.AddressBook.ContactsAccountsService
1⤵
PID:632

/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService
/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService
1⤵
PID:632

/usr/libexec/xpcproxy
xpcproxy com.apple.suggestd
1⤵
PID:633

/System/Library/PrivateFrameworks/CoreSuggestions.framework/Versions/A/Support/suggestd
/System/Library/PrivateFrameworks/CoreSuggestions.framework/Versions/A/Support/suggestd
1⤵
PID:633

/usr/libexec/xpcproxy
xpcproxy com.apple.knowledge-agent
1⤵
PID:634

/usr/libexec/knowledge-agent
/usr/libexec/knowledge-agent
1⤵
PID:634

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:636

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:636

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:637

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:637

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:637

/usr/libexec/xpcproxy
xpcproxy com.apple.routined
1⤵
PID:638

/usr/libexec/routined
/usr/libexec/routined LAUNCHED_BY_LAUNCHD
1⤵
PID:638

/usr/libexec/xpcproxy
xpcproxy com.apple.Maps.mapspushd
1⤵
PID:640

/System/Library/CoreServices/mapspushd
/System/Library/CoreServices/mapspushd
1⤵
PID:640

/usr/libexec/xpcproxy
xpcproxy com.apple.siri.context.service
1⤵
PID:641

/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService
/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService
1⤵
PID:641

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:644

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:644

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:645

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:645

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:645

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:646

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:646

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:647

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:647

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:647

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:648

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:648

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:649

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:649

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:649

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:650

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:650

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:651

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:651

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:651

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:652

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:652

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:653

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:653

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:653

/bin/launchctl
/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveUpdaterDaemon
1⤵
PID:654

/bin/launchctl
/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveStandaloneUpdaterDaemon
1⤵
PID:655

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:656

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:656

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:657

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:657

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:657

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:658

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:658

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:659

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:659

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:659

/usr/libexec/xpcproxy
xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E
1⤵
PID:660

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
1⤵
PID:660

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:661

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:661

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:662

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:662

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:662

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:664

/Users/run/Library/osxmobiledata/com.apple.afsvcpd
/Users/run/Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:664

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:665

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:665

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:665

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

AppleScript

T1059.002

System Services

T1569

Launchctl

T1569.001

Persistence

Create or Modify System Process

T1543

Launch Agent

T1543.001

Launch Daemon

T1543.004

Privilege Escalation

Create or Modify System Process

T1543

Launch Agent

T1543.001

Launch Daemon

T1543.004

Defense Evasion

Hide Artifacts

T1564

Resource Forking

T1564.009

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/Library/Application Support/CrashReporter/com.apple.afsvcpd_79C87F0E-9227-5AAD-AA91-25F794E1F52E.plist

Filesize
156B

MD5
61e5f1a3a70e23157810b45cb2e5e7af

SHA1
4424de1ffc52cfb294ea9df1487d51805b63dffc

SHA256
7bc397ae88691ba31d658a596a57239a20a7eb7429abe3096470e2e6e2a938ec

SHA512
aca7e9165b027197a1ae45181c6b3e72ab28878c26cd9b7f025574bbd757101e3c7030711f97228f8ba20fdbe52193d4cdc6a747a83ec40973de9cba171544ff

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_79C87F0E-9227-5AAD-AA91-25F794E1F52E.plist

Filesize
156B

MD5
cea3e4db9ae5faa111c9cad6f11b68ab

SHA1
efc2f7c95f12357a5b79d88cc0f9758a00456ccb

SHA256
2cb5644ef8d4da1548dd9f522f0eac367307218667adc697a61319491078e6a6

SHA512
244e8e154bb6effd2c021bc0f8b3b7ec72943f7b2425cc0b993a0ae3a1de5fddab73e0a302414cd3f1eacb88098a08f77267197c6117f943590cec7e727b6f12

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_79C87F0E-9227-5AAD-AA91-25F794E1F52E.plist

Filesize
156B

MD5
f0b84e7bafe3c8bc6f4abed3e2c48017

SHA1
758e3a130fafd49494a286869e2de6af49bcf3bd

SHA256
2afa5f275f4ceddc560a68457b71acc10f859f24408dc07c21f4d184129fdc38

SHA512
7df273c8d0ac158095120372016eb3a0abb768ed9b845e2b84a677b4f8411617587bdb262a116f9bfa37014265ba06d776954dc707377d0e32142ef9685e94ad

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_79C87F0E-9227-5AAD-AA91-25F794E1F52E.plist

Filesize
156B

MD5
ea29ec68f738fe2b6c87365d8a9b57a3

SHA1
43daa13c25e5ce51d98345b0c27b28c778ed14e7

SHA256
ceac63964916c9e50a714e358a0bfceb8aa74eeaa20c3ba70fec72dabc88b15f

SHA512
d29a9994b45897b686707f1757166d8554b544bd0bbd7346264d616e8579a11a7137135feea3859ff39585f3ca609da0c7f61d5d35eca8351e63a77fae697937

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_79C87F0E-9227-5AAD-AA91-25F794E1F52E.plist

Filesize
156B

MD5
333edba9c2a8777685f3f59a57af9a9d

SHA1
70bc9ab18b80164b03f0b19d3c5c57aaf961a163

SHA256
43c53f5d5cd7bde8e0703d5ece118eba58cbf0896c5fb0b9dc53c951e86970a7

SHA512
fef44561eaeff278c3541b3534fdb002969fb3d64d41459e540f7cb80f6f5873649488879f2d65a7ae99d65932fef63dc2644b61e90cd02aff9e25124085d0c3

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_79C87F0E-9227-5AAD-AA91-25F794E1F52E.plist

Filesize
156B

MD5
360b5b4582280536e129d3059cc4ed24

SHA1
a38d4b4b6a7fc26a1f328cd527b7069ffddc6f4b

SHA256
194ab92e994fcea6c46d7e27fe9470d5275cb28f1b8d5fc3c4a4a48f4b4b20e9

SHA512
bae5b60518bff56f574c8d1c2155bfd471922029c28ee3670f1dcc244c9172abb6d89799995e9eedb2e147a9007d61224bdbb931161d95c54dd1cbee885f6a72

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_79C87F0E-9227-5AAD-AA91-25F794E1F52E.plist

Filesize
156B

MD5
e5e4b7598aa7dd3c943765cb727e29b8

SHA1
413ffb2fed1f4996fb468ef0e10adcd4b9797f31

SHA256
bb9816959edae9d4382c25d599e3cf8b93de495b9cb6050252337999da98fdec

SHA512
63621b4acb7c2425df91dca37ddaa2c6ed268bc451359d82fd718ae3611b066aadb00c15806edc93649af1198198680af772aa1a395cf08f08787b164105db60

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_79C87F0E-9227-5AAD-AA91-25F794E1F52E.plist

Filesize
156B

MD5
45a50035bd2eb94fc51b3f78a57ec8ee

SHA1
ec90c2df9ce9d6e87e5fac106aa7bfec03cb635f

SHA256
e75e519451fb47e793134d0552edbcc81305b1f6c9c380ccf495d8acb0c94f98

SHA512
e5ee93cb63dca944f90b65628ed4ed3b24cc3072f1659f31fb65add8e0158c43e30eca06b488b22ab800ec7d504d445a945ffc632fe14a2ef252e5963e62d68e

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_79C87F0E-9227-5AAD-AA91-25F794E1F52E.plist

Filesize
156B

MD5
1f50a792eccc1518e7281a220193a9ed

SHA1
a0854d9b0594b9b3b5907908eed8e311d326bf31

SHA256
a165463cdb9eb79bd78774fc288690eba0669380f59651c7789a4007172f0d79

SHA512
95c206c79b54cd23450b2f6521a117ee2e66dfc86842e565cc599924bef049ab19d64b42fccec490c473a48c80f9365906ded186ef5048ea876cf1f3330ee45c

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_79C87F0E-9227-5AAD-AA91-25F794E1F52E.plist

Filesize
156B

MD5
57eaa0814b3577f2dc5adb52d71cb9b9

SHA1
56029d3e2b8f6e609e703a00143683803ec1564d

SHA256
074cb103db5d54dc8ecbbbff1772c08cb86a04e966c20bdc5e2dd3f4f05c02c6

SHA512
387ecfaf445544dbf3d329e047fe125a3d4b3cdab1bc3e4eda069edd637d96a7991603937a0938bf5daf42b89847a09d5d84ab7b07f9c89a6d73d6a3f2c7926f

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_79C87F0E-9227-5AAD-AA91-25F794E1F52E.plist

Filesize
156B

MD5
03c4c0525ad8139e8e60dd016506a9c5

SHA1
4bee123f2a6cf4da6591a5cb3aeab3dac9e447e3

SHA256
441ceaa3e318a73978c7b81552a2a8dad3adf90841ceda8f8e5036fd10eb9011

SHA512
685df7bb3c591d077d2941e63ff97859ce1eccc7388c150e900d9d0872a6707139c91d90f34e31ccd5818b9c8cd47b7b21dd15bcc1aabb7e1d095e905335c91f

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_79C87F0E-9227-5AAD-AA91-25F794E1F52E.plist

Filesize
156B

MD5
b1d88a1ba4d1e5792347d97c36a014a6

SHA1
ade5c47421a2aba1cc6007e6bb89b4226d416aaa

SHA256
4055340d70b5aa915013ae1804b696ef9e890370f2f7c2707b2b1bb42e3daebc

SHA512
402486db6e87ac714ab728035eaa5ee72004a0515c27bb28b7d2d7b9edca59ddaac0fdd185923d3e94abd356b1553735cad54ceff189b26643552e508c726b38

Download Submit
/Library/Application Support/CrashReporter/com.apple.afsvcpd_79C87F0E-9227-5AAD-AA91-25F794E1F52E.plist

Filesize
156B

MD5
a29b8f3f6a9e808cb63794e9e94422ad

SHA1
e09f9ee386532e5480693f16764d9086c5213c8d

SHA256
b51b6bf2e60ea9d362e5b2a6e1469e0ea34f54d57eca9d1f34de3091c7219321

SHA512
8effefd0fc73c4ba5fc4284c1e5b9263a3d262a5e0193bc2838753f4f5cbdd144006c780f9455b827b137e7de8011e64bd987c239c1c186f57e0c29053cabc93

Download Submit
/Users/run/2024-04-12_a6b63d09b247dabab53bb3e43a2b5f87_adload_evilquest

Filesize
337KB

MD5
5db3612deddcd700f83899f7366a9d78

SHA1
62b197cf1407628863ec1ec0106a166979541520

SHA256
b56c8aa80b4a0277281c2c1898397504b8a9504e40ea922945a01dc9c3f3b0c2

SHA512
cf81988edf25bb9b9da615c98cff3434c2a2cfd1d515928df83a43c36cfe79db01945da9cb8521e9235b1f256e1003b83f1a3f29543b2ff59dc08e368e9d5d9b

Download Submit
/Users/run/Library/Caches/GeoServices/ActiveTileGroup.pbd

Filesize
124KB

MD5
139d03565fe906847075eab0773a70d1

SHA1
cd62ee4961e45bb2602412b0c303f40234115162

SHA256
4d6d624079186047668601cfe0a4d4a49198a48d88f35450911388d7f1e74090

SHA512
73e8ae11d4dc8a06e322cb32ef38c8164285dcb0a56d82b58242f8606a6f4331ab42996faaada050988fdb9bc293b7bacc8ee4535c6ce0a6eff2ca216e8892b9

Download Submit
/Users/run/Library/Caches/GeoServices/Resources/altitude-1265.xml

Filesize
164KB

MD5
cd3a24c9f245dee3eff33b1ddfded4ec

SHA1
e1f48c8a5eb35381ab1810e9e106279033b652fa

SHA256
9125b82222346c1ff34f67382258c95ebab029bfe869572ab49f6cf002c717be

SHA512
258f9b90e4325d13897abd0183c5a60e3c93a82541185e5b5ebea1aea1b641035a5865f115687becab43c186807ab238d111e35a3cd59e5d5c6ee237c9dca87a

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd

Filesize
337KB

MD5
6fbe3627ac7bc3a150ac4b35a7a2b76d

SHA1
9f23c6081e066c1a2ed5d655d74b2af7286560e5

SHA256
94cc1086edb479b92139ffda3730520724f3b8fc5fbc28a9f86bc5f6ff5b5108

SHA512
ea54db1d939f0f80a4b4fa940108a1783184324f7f7894de4413bbbc39b551a4885e67936562b5920739d1df8be041b1a7a0b9132ee4aa9cc65280338493f78d

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd

Filesize
337KB

MD5
583701f207e1546a454bd4a613f15376

SHA1
a091423a661b18012f0466b1953c6dd45b7c979e

SHA256
2ebe834a50634fb2c399883a0de764026130fd57557269580d973fea0574065d

SHA512
85c1d656d85d4061091b194e4494100f72cf4503d5213b1f77b7e8dd703dfe734249a98f80ebf8f547952f97fc1186756dcf5558959b10fd9f6383dbc8bb4adc

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd

Filesize
337KB

MD5
20631e8db75c9fb1d1c04bdf73034fea

SHA1
a700b49ccaf67a2c8ee560fcc23b78b3938452ce

SHA256
2d6f70527670e6114c6132f7e50d43a766a1d1a1f1495ab822ead7fa2374098d

SHA512
fd350ea87a5206fb3a2949f8a25470a589d384e4eeb4749cb0c06e2796c65a4293eb3b0e24e07c5c2e84a27eb148090e4098a3fa70cf33f3642f743cfd942e18

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd

Filesize
337KB

MD5
d1bf1bafd52e25fd361652ec5ad3e3d1

SHA1
45513c33322de64c4d4f0e8ed6695064acc605ac

SHA256
abafa1a84c25e88d156b9f5aac510278d022b36669973bf3014eb15f60a59059

SHA512
aa343387b2cd03a44649d1d6f2174573f6b1515ba8d8b538229a7fc2fc21b1bca8c1dea1944de4427dba329dee3e7854c4cba1699c50539dd6e91925087d67ff

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd

Filesize
337KB

MD5
aa286fdbabcc18569a2b2c491d42efcd

SHA1
1403e62762dc5ef011e172be06ac69b8385b743c

SHA256
70c6f31dcb9264afae1e846557683c5219a0e05247a1cf4499093ab78d3eae56

SHA512
fc7ab2b96e997110c0581a5e67e028284084eb02fba2243dd93ba89a81fba7344ef8b011248557b336aa8bb874be8cdd01b6f74a9befba9fca2a4a72f127b770

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd

Filesize
337KB

MD5
45947e2c1a91fe6b48acaa0d64cb5f14

SHA1
c85bcb6f9de0272c87de83a129b86ff70a91981b

SHA256
ec8b429da354b8f336b79c287098eebc4345d060eaba01e47fe7abe55cd12c83

SHA512
422831bea808f0d2c279161f51640fa480e1e42d6a2b8fc094ecb454e29b3d63741465c08f7a4f8a8352b30b5bafaff5603af48e307f3380ed92309e08d5c8cd

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd

Filesize
337KB

MD5
3e7cbea1683687d31bfd33276a45fff8

SHA1
4637cf2a1d5187783c0321f8401e85dff574bf79

SHA256
28cb8a7bc8f52da7ee8f6f546904cce2b2c38b87d2d1c8b0ee873039a3f3d662

SHA512
3b4201f7dc29f26e2d267a9b068b2eba779847447cf8f858e9d61d915bc3737c160c4f2f58de4d00569d2b5de5f823a83e413c8cb8df4eb97f282069a4791208

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd

Filesize
337KB

MD5
3dc34b8e97b0037de51c968f085c2ed2

SHA1
960ced6611868e78a5cba5db4685bde7bb695cf2

SHA256
2ad73be6e562ad0d188cfb2205b38f5c4985e4b4f58821ec216d74607773f644

SHA512
2f4bae0b9faf92df4ad973291cc940a327a0fa5d579122acd90cf20b33e88cc77963453ab7f8415d2201dc2bcc51ca553e010cab53bacf8960e53ad9a593a0a4

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd

Filesize
337KB

MD5
0a1d8380c65ab092b922fca9f9a9b183

SHA1
c8997246027bc89d6eea3b573f6100305b2a64a3

SHA256
7ddee274d7b309b8663e43d3b5a3fbf2619523c099290409fde7ac5d864d840e

SHA512
720e10a1a8d7af14244a63cdd05d2925f0625290b4ce1acbc1c695eaa57f00b09c11675274f08a5b26c46b0f598dbc6ae3c82560a7fe5d04e2fecdf9f0c74bd1

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd

Filesize
337KB

MD5
3028df56bd196121955edf4f0c8b711c

SHA1
9efa92ee593f39388350c7c86003324d93307dab

SHA256
0c5a71bf20b09905c9bb0bbf27e5b82d783f807e77550c802251ca5a4eaafe7b

SHA512
5374536ceaa2917d3e9ebe3836fb474c2221e2e7c501c4c21abdbb40057765c0ae213d4cc4e722061b25adf531ae797c69a5154c6d3472fd6b9a221f943bc946

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd

Filesize
337KB

MD5
51e830236fddbc0a3fd8d78c8a893abe

SHA1
7262606cfc55e2aec1dd880b955d9a0564e5b351

SHA256
49d755d608a740172db8c965ec86a5ecfc6a0de6d4a0c7d5554e02b0f103cbf8

SHA512
4780970e6caa54df916864049a35d6d9645aff7431503f0e0e3c8bdaf1f57a6bca3b97f95b75bd7100199cd78a0ff35e5c1232944dcd0f9c76618d3c4b28882a

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd

Filesize
337KB

MD5
7cf9662c29c66ad83de546b8b9bbe911

SHA1
f7402add4cd2b95747f455d671034be04d2ea5b7

SHA256
6d0a6a303009b570caf2aa671528c28d9ccf29b97aee9ec3cc80605ac15aec72

SHA512
9c7df828ee0693d8cae48143a721982ab815659e2644ed89c27b15316ff1a9eb71783fcf06d935e235a5b95a8a95061a9382c972116cf410e426a90f6de18c31

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd

Filesize
337KB

MD5
d0b656d55808e4bbcb49774424578270

SHA1
448861db6cdcced2607aa326bfd7bbc2ddd3678c

SHA256
d1dbd2e79904dd04fb55adb3e8143d9d8829d1b9005885738d5bf9ff82fef773

SHA512
10ba83c703dc5b57236b42e1d78839f6dd5cbeb85be74290aca21d208c3e4e28f84ba2bbff9e1dd872d77ce07eb5eb7361d0b9eaaf3e53fe924d01f8999effb7

Download Submit
/Users/run/Library/osxmobiledata/com.apple.afsvcpd

Filesize
337KB

MD5
936b8ad031fcfd15eca02e19ff01fe87

SHA1
fdb9c809754a2738a812d6a07914297457736394

SHA256
c48bc7ca41465e7b2caf82ffd5d4b256dbe5f4698aac779bf5821e65166bd893

SHA512
5dd85bf09bc4f00b40d048a60d76df7f042c9c4e738359ffa3abbf02695dd2d061583ad9e103c1f93a3cd2f40722d2169ecffef17aa8f0161a0db989326a50a3

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/assistantd//mds/mdsDirectory.db

Filesize
47KB

MD5
0e4a0d1ceb2af6f0f8d0167ce77be2d3

SHA1
414ba4c1dc5fc8bf53d550e296fd6f5ad669918c

SHA256
cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030

SHA512
1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/assistantd//mds/mdsObject.db

Filesize
4KB

MD5
d3a1859e6ec593505cc882e6def48fc8

SHA1
f8e6728e3e9de477a75706faa95cead9ce13cb32

SHA256
3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c

SHA512
ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

Download Submit