evilquest | 75fc0061c6a215bb620dd1a21b575a04cf11fec277ad2adaf484c207fd06f3b5

Analysis

max time kernel
150s
max time network
149s
platform
macos-10.15_amd64
resource
macos-20240410-en
resource tags

arch:amd64arch:i386image:macos-20240410-enkernel:19b77alocale:en-usos:macos-10.15-amd64system
submitted
12-04-2024 23:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-12_b1d9795de8f92a836113d1d0a098a56b_adload_evilquest
Size

177KB
MD5

b1d9795de8f92a836113d1d0a098a56b
SHA1

4e975e5f40cf4798f08945973bda65d4a6e3a793
SHA256

75fc0061c6a215bb620dd1a21b575a04cf11fec277ad2adaf484c207fd06f3b5
SHA512

83ca6f43ee800112df37829a7fc82585b4d32d415de91022c87ea941e79d27f569f101d925a51676a3c61007bbdb3b263512c4995267f5eb74c68d8b5600d1a1
SSDEEP

3072:cx6SZwEgOQtbap1jZNFnYo6w68cqhS2iJvHLzxq9WX07:5SeOQdaZNxtk8cqhSxvHY9V

Score

10^/10

evilquest backdoor execution persistence

Malware Config

Signatures

EvilQuest
EvilQuest family.
backdoor evilquest

EvilQuest payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x000000030008ad90-0.dat	family_evilquest

Launch Agent 1 TTPs
Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence.
persistence

Launch Agent
T1543.001
Launch Daemon 1 TTPs
Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS.
persistence

Launch Daemon
T1543.004

AppleScript 1 TTPs 50 IoCs

AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.

execution

AppleScript

T1059.002

Processes:

ioc	Process
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
osascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
osascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"sudo /Library/osxmobiledata/com.apple.afsvcpd\\\" with administrator privileges\""
osascript -e "do shell script \"sudo /Library/osxmobiledata/com.apple.afsvcpd\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""

Launchctl 1 TTPs 64 IoCs

Adversaries may abuse launchctl to execute commands or programs. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.

execution

Launchctl

T1569.001

Processes:

ioc	Process
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist
/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist
launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist
osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist
osascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist
launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist
/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist
launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist
osascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
launchctl start afsvcpd
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
osascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
/bin/sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/2024-04-12_b1d9795de8f92a836113d1d0a098a56b_adload_evilquest\""
1⤵
PID:476

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/2024-04-12_b1d9795de8f92a836113d1d0a098a56b_adload_evilquest\""
1⤵
PID:476

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/2024-04-12_b1d9795de8f92a836113d1d0a098a56b_adload_evilquest
1⤵
PID:476
- /bin/zsh
  /bin/zsh -c /Users/run/2024-04-12_b1d9795de8f92a836113d1d0a098a56b_adload_evilquest
  2⤵
  PID:478
- /Users/run/2024-04-12_b1d9795de8f92a836113d1d0a098a56b_adload_evilquest
  /Users/run/2024-04-12_b1d9795de8f92a836113d1d0a098a56b_adload_evilquest
  2⤵
  PID:478
- - /Users/run/.2024-04-12_b1d9795de8f92a836113d1d0a098a56b_adload_evilquest1
    /Users/run/.2024-04-12_b1d9795de8f92a836113d1d0a098a56b_adload_evilquest1
    3⤵
    PID:526

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:480

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:480

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:480

/usr/bin/pluginkit
/usr/bin/pluginkit -e ignore -i com.microsoft.OneDrive.FinderSync
1⤵
PID:484

/usr/sbin/spctl
/usr/sbin/spctl --assess --type execute /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/OneDriveUpdater0BF23177/OneDrive.app
1⤵
PID:485

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:505

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:505

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:505

/usr/libexec/xpcproxy
xpcproxy com.apple.security.authtrampoline
1⤵
PID:506

/System/Library/Frameworks/Security.framework/authtrampoline
/System/Library/Frameworks/Security.framework/authtrampoline
1⤵
PID:506

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:507

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:507

/bin/launchctl
launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist
1⤵
PID:507

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:508

/usr/bin/sudo
sudo /Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:508
- /Library/osxmobiledata/com.apple.afsvcpd
  /Library/osxmobiledata/com.apple.afsvcpd --silent
  2⤵
  PID:509

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:510

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:510

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:510

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:511

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:511

/usr/bin/osascript
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:511

/bin/sh
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:513

/bin/bash
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:513

/bin/launchctl
launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist
1⤵
PID:513

/bin/sh
sh -c "osascript -e \"do shell script \\\"sudo /Library/osxmobiledata/com.apple.afsvcpd\\\" with administrator privileges\""
1⤵
PID:515

/bin/bash
sh -c "osascript -e \"do shell script \\\"sudo /Library/osxmobiledata/com.apple.afsvcpd\\\" with administrator privileges\""
1⤵
PID:515

/usr/bin/osascript
osascript -e "do shell script \"sudo /Library/osxmobiledata/com.apple.afsvcpd\" with administrator privileges"
1⤵
PID:515

/bin/sh
/bin/sh -c "sudo /Library/osxmobiledata/com.apple.afsvcpd"
1⤵
PID:516

/bin/bash
/bin/sh -c "sudo /Library/osxmobiledata/com.apple.afsvcpd"
1⤵
PID:516

/usr/bin/sudo
sudo /Library/osxmobiledata/com.apple.afsvcpd
1⤵
PID:516
- /Library/osxmobiledata/com.apple.afsvcpd
  /Library/osxmobiledata/com.apple.afsvcpd
  2⤵
  PID:517

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:518

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:518

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:518

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:519

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:519

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:521

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:521

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:521

/bin/sh
/bin/sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:523

/bin/bash
/bin/sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:523

/bin/launchctl
launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:523

/bin/sh
sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:524

/bin/bash
sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:524

/bin/launchctl
launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:524

/bin/sh
sh -c "launchctl start afsvcpd"
1⤵
PID:525

/bin/bash
sh -c "launchctl start afsvcpd"
1⤵
PID:525

/bin/launchctl
launchctl start afsvcpd
1⤵
PID:525

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:527

/usr/bin/sudo
sudo /Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:527
- /Library/osxmobiledata/com.apple.afsvcpd
  /Library/osxmobiledata/com.apple.afsvcpd --silent
  2⤵
  PID:528

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:529

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:529

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:529

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:532

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:536

/usr/bin/sudo
sudo /Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:536
- /Library/osxmobiledata/com.apple.afsvcpd
  /Library/osxmobiledata/com.apple.afsvcpd --silent
  2⤵
  PID:537

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:538

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:538

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:538

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:541

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:541

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:541

/bin/sh
/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:542

/bin/bash
/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:542

/bin/launchctl
launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:542

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:543

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:543

/usr/bin/osascript
osascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:543

/bin/sh
/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:544

/bin/bash
/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:544

/bin/launchctl
launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:544

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:546

/usr/bin/sudo
sudo /Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:546
- /Library/osxmobiledata/com.apple.afsvcpd
  /Library/osxmobiledata/com.apple.afsvcpd --silent
  2⤵
  PID:547

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:548

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:548

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:548

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:549

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:551

/usr/bin/sudo
sudo /Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:551
- /Library/osxmobiledata/com.apple.afsvcpd
  /Library/osxmobiledata/com.apple.afsvcpd --silent
  2⤵
  PID:552

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:553

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:553

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:553

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:554

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:554

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:554

/bin/sh
/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:556

/bin/bash
/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:556

/bin/launchctl
launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:556

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:557

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:557

/usr/bin/osascript
osascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:557

/bin/sh
/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:558

/bin/bash
/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:558

/bin/launchctl
launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:558

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:561

/usr/bin/sudo
sudo /Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:561
- /Library/osxmobiledata/com.apple.afsvcpd
  /Library/osxmobiledata/com.apple.afsvcpd --silent
  2⤵
  PID:562

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:563

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:563

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:563

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:564

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:564

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:564

/bin/sh
/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:565

/bin/bash
/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:565

/bin/launchctl
launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:565

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:566

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:566

/usr/bin/osascript
osascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:566

/bin/sh
/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:567

/bin/bash
/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:567

/bin/launchctl
launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:567

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:568

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:568

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:568

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:569

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:569

/bin/launchctl
launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist
1⤵
PID:569

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:570

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:570

/usr/bin/osascript
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:570

/bin/sh
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:571

/bin/bash
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:571

/bin/launchctl
launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist
1⤵
PID:571

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:572

/usr/bin/sudo
sudo /Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:572
- /Library/osxmobiledata/com.apple.afsvcpd
  /Library/osxmobiledata/com.apple.afsvcpd --silent
  2⤵
  PID:573

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:574

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:574

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:574

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:575

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:576

/usr/bin/sudo
sudo /Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:576
- /Library/osxmobiledata/com.apple.afsvcpd
  /Library/osxmobiledata/com.apple.afsvcpd --silent
  2⤵
  PID:577

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:578

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:578

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:578

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:579

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:579

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:579

/bin/sh
/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:580

/bin/bash
/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:580

/bin/launchctl
launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:580

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:581

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:581

/usr/bin/osascript
osascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:581

/bin/sh
/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:582

/bin/bash
/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:582

/bin/launchctl
launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:582

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:583

/usr/bin/sudo
sudo /Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:583
- /Library/osxmobiledata/com.apple.afsvcpd
  /Library/osxmobiledata/com.apple.afsvcpd --silent
  2⤵
  PID:584

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:585

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:585

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:585

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:586

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:587

/usr/bin/sudo
sudo /Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:587
- /Library/osxmobiledata/com.apple.afsvcpd
  /Library/osxmobiledata/com.apple.afsvcpd --silent
  2⤵
  PID:588

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:589

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:589

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:589

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:590

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:592

/usr/bin/sudo
sudo /Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:592
- /Library/osxmobiledata/com.apple.afsvcpd
  /Library/osxmobiledata/com.apple.afsvcpd --silent
  2⤵
  PID:593

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:594

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:594

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:594

/usr/sbin/spctl
/usr/sbin/spctl --assess --type execute /Applications/OneDrive.app
1⤵
PID:596

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:600

/usr/bin/sudo
sudo /Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:600
- /Library/osxmobiledata/com.apple.afsvcpd
  /Library/osxmobiledata/com.apple.afsvcpd --silent
  2⤵
  PID:601

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:602

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:602

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:602

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:603

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:603

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:603

/bin/sh
/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:604

/bin/bash
/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:604

/bin/launchctl
launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:604

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:605

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:605

/usr/bin/osascript
osascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:605

/bin/sh
/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:606

/bin/bash
/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:606

/bin/launchctl
launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:606

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:607

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:607

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:607

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:608

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:608

/bin/launchctl
launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist
1⤵
PID:608

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:609

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:609

/usr/bin/osascript
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:609

/bin/sh
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:610

/bin/bash
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:610

/bin/launchctl
launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist
1⤵
PID:610

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:611

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:611

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:611

/bin/sh
/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:614

/bin/bash
/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:614

/bin/launchctl
launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:614

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:615

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:615

/usr/bin/osascript
osascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:615

/bin/sh
/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:616

/bin/bash
/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:616

/bin/launchctl
launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:616

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:617

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:617

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:617

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:618

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:618

/bin/launchctl
launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist
1⤵
PID:618

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:619

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:619

/usr/bin/osascript
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:619

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

AppleScript

T1059.002

System Services

T1569

Launchctl

T1569.001

Persistence

Create or Modify System Process

T1543

Launch Agent

T1543.001

Launch Daemon

T1543.004

Privilege Escalation

Create or Modify System Process

T1543

Launch Agent

T1543.001

Launch Daemon

T1543.004

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/Library/osxmobiledata/com.apple.afsvcpd

Filesize
168KB

MD5
eb715c003754ddb8bb29d5191277313d

SHA1
5936d342a8df629b3777954c5d8673efd0ca3bad

SHA256
2988e459de7190ad9f6395842224a644e9963647d142c1512c9fb728187dabd6

SHA512
7a618c12ceec3159ce34e46058b84d858be716654cb92820a523ad656a3758d31ffc63dd1b030f779efdcd97f168348987c8a2efbf08b20bb0e789a7f00fde21

Download Submit
/var/root/Library/LaunchAgents/com.apple.afsvcpd.plist

Filesize
429B

MD5
b29145cf94cd1ef0d81552c333c3603a

SHA1
4095a7b7b982b8875a6256919b7d80c50b0a2799

SHA256
2cac13ffabc18f7010fffce9f31aaacc06e0c5ae898c3faa79d747567ce1e2fc

SHA512
fd0ccb56cb0c5084950ad4d04363ae9919a0bfa76c45554df8a7fe0eb0f8a7ed2525af3b4f64982eedac0f9aaec28b7985b4ce5ec80434fc3cf426cb96b1def0

Download Submit