Analysis
-
max time kernel
150s -
max time network
151s -
platform
macos-10.15_amd64 -
resource
macos-20240410-en -
resource tags
-
submitted
12-04-2024 23:36
General
-
Target
2024-04-12_be007841af6009c3a2d0ebe1f8889f4e_adload_evilquest
-
Size
190KB
-
MD5
be007841af6009c3a2d0ebe1f8889f4e
-
SHA1
f5f3bea8a6a97a7bfbf5b6bc2f8331f840da6446
-
SHA256
9de06d78004fdf6997535fde5eb547d63473d9ad4c4027047177ec0d1c6d65aa
-
SHA512
2b49cf83a81c53948ed27ef7c18ac47aec330c6fcf216a75c85b3bbee5a0a35b5a063d4fcbc7b0dc88bbd43c7c005fef2745c8dd0bf7e16aebb86c8c503f0dd1
-
SSDEEP
3072:cx6SZwEgOQtbap1jZNFnYo6w68cqhS2iJvHLzxq9WX0p2Dn5km:5SeOQdaZNxtk8cqhSxvHY932Dn5km
Malware Config
Signatures
-
EvilQuest
EvilQuest family.
-
EvilQuest payload 8 IoCs
-
Launch Agent 1 TTPs
Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence.
-
Launch Daemon 1 TTPs
Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS.
-
AppleScript 1 TTPs 44 IoCs
AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.
-
Launchctl 1 TTPs 64 IoCs
Adversaries may abuse launchctl to execute commands or programs. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.
Processes
-
/usr/libexec/xpcproxyxpcproxy com.apple.newsyslog1⤵
-
/bin/shsh -c "sudo /bin/zsh -c \"/Users/run/2024-04-12_be007841af6009c3a2d0ebe1f8889f4e_adload_evilquest\""1⤵
-
/bin/bashsh -c "sudo /bin/zsh -c \"/Users/run/2024-04-12_be007841af6009c3a2d0ebe1f8889f4e_adload_evilquest\""1⤵
-
/usr/bin/sudosudo /bin/zsh -c /Users/run/2024-04-12_be007841af6009c3a2d0ebe1f8889f4e_adload_evilquest1⤵
-
/bin/zsh/bin/zsh -c /Users/run/2024-04-12_be007841af6009c3a2d0ebe1f8889f4e_adload_evilquest2⤵
-
-
/Users/run/2024-04-12_be007841af6009c3a2d0ebe1f8889f4e_adload_evilquest/Users/run/2024-04-12_be007841af6009c3a2d0ebe1f8889f4e_adload_evilquest2⤵
-
-
/usr/sbin/newsyslog/usr/sbin/newsyslog1⤵
-
/bin/shsh -c "sysctl -n hw.ncpu"1⤵
-
/bin/bashsh -c "sysctl -n hw.ncpu"1⤵
-
/usr/sbin/sysctlsysctl -n hw.ncpu1⤵
-
/usr/libexec/xpcproxyxpcproxy com.apple.sysmond1⤵
-
/usr/libexec/sysmond/usr/libexec/sysmond1⤵
-
/usr/bin/pluginkit/usr/bin/pluginkit -e ignore -i com.microsoft.OneDrive.FinderSync1⤵
-
/usr/sbin/spctl/usr/sbin/spctl --assess --type execute /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/OneDriveUpdaterB516C108/OneDrive.app1⤵
-
/bin/shsh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/bin/bashsh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/usr/bin/osascriptosascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"1⤵
-
/usr/libexec/xpcproxyxpcproxy com.apple.security.authtrampoline1⤵
-
/System/Library/Frameworks/Security.framework/authtrampoline/System/Library/Frameworks/Security.framework/authtrampoline1⤵
-
/bin/sh/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"1⤵
-
/bin/bash/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"1⤵
-
/bin/launchctllaunchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist1⤵
-
/usr/libexec/xpcproxyxpcproxy afsvcpd1⤵
-
/usr/bin/sudosudo /Library/osxmobiledata/com.apple.afsvcpd --silent1⤵
-
/Library/osxmobiledata/com.apple.afsvcpd/Library/osxmobiledata/com.apple.afsvcpd --silent2⤵
-
-
/bin/shsh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/bin/bashsh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/usr/bin/osascriptosascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"1⤵
-
/bin/sh/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"1⤵
-
/bin/bash/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"1⤵
-
/bin/launchctllaunchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist1⤵
-
/bin/shsh -c "sysctl -n hw.ncpu"1⤵
-
/bin/bashsh -c "sysctl -n hw.ncpu"1⤵
-
/usr/sbin/sysctlsysctl -n hw.ncpu1⤵
-
/bin/shsh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/bin/bashsh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/usr/bin/osascriptosascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"1⤵
-
/bin/sh/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"1⤵
-
/bin/bash/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"1⤵
-
/bin/launchctllaunchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist1⤵
-
/bin/shsh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/bin/bashsh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/usr/bin/osascriptosascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"1⤵
-
/bin/sh/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"1⤵
-
/bin/bash/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"1⤵
-
/bin/launchctllaunchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist1⤵
-
/bin/shsh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/bin/bashsh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/usr/bin/osascriptosascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"1⤵
-
/bin/sh/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"1⤵
-
/bin/bash/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"1⤵
-
/bin/launchctllaunchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist1⤵
-
/bin/shsh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/bin/bashsh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/usr/bin/osascriptosascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"1⤵
-
/bin/sh/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"1⤵
-
/bin/bash/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"1⤵
-
/bin/launchctllaunchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist1⤵
-
/usr/libexec/xpcproxyxpcproxy com.apple.ReportCrash.Root1⤵
-
/usr/libexec/xpcproxyxpcproxy afsvcpd1⤵
-
/usr/bin/sudosudo /Library/osxmobiledata/com.apple.afsvcpd --silent1⤵
-
/Library/osxmobiledata/com.apple.afsvcpd/Library/osxmobiledata/com.apple.afsvcpd --silent2⤵
-
-
/System/Library/CoreServices/ReportCrash/System/Library/CoreServices/ReportCrash daemon1⤵
-
/bin/shsh -c "sysctl -n hw.ncpu"1⤵
-
/bin/bashsh -c "sysctl -n hw.ncpu"1⤵
-
/usr/sbin/sysctlsysctl -n hw.ncpu1⤵
-
/usr/libexec/xpcproxyxpcproxy afsvcpd1⤵
-
/usr/bin/sudosudo /Library/osxmobiledata/com.apple.afsvcpd --silent1⤵
-
/Library/osxmobiledata/com.apple.afsvcpd/Library/osxmobiledata/com.apple.afsvcpd --silent2⤵
-
-
/bin/shsh -c "sysctl -n hw.ncpu"1⤵
-
/bin/bashsh -c "sysctl -n hw.ncpu"1⤵
-
/usr/sbin/sysctlsysctl -n hw.ncpu1⤵
-
/bin/shsh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/usr/libexec/xpcproxyxpcproxy afsvcpd1⤵
-
/usr/bin/sudosudo /Library/osxmobiledata/com.apple.afsvcpd --silent1⤵
-
/Library/osxmobiledata/com.apple.afsvcpd/Library/osxmobiledata/com.apple.afsvcpd --silent2⤵
-
-
/bin/shsh -c "sysctl -n hw.ncpu"1⤵
-
/bin/bashsh -c "sysctl -n hw.ncpu"1⤵
-
/usr/sbin/sysctlsysctl -n hw.ncpu1⤵
-
/bin/shsh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/bin/bashsh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/usr/bin/osascriptosascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"1⤵
-
/bin/sh/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"1⤵
-
/bin/bash/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"1⤵
-
/bin/launchctllaunchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist1⤵
-
/bin/shsh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/bin/bashsh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/usr/bin/osascriptosascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"1⤵
-
/bin/sh/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"1⤵
-
/bin/bash/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"1⤵
-
/bin/launchctllaunchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist1⤵
-
/usr/libexec/xpcproxyxpcproxy afsvcpd1⤵
-
/usr/bin/sudosudo /Library/osxmobiledata/com.apple.afsvcpd --silent1⤵
-
/Library/osxmobiledata/com.apple.afsvcpd/Library/osxmobiledata/com.apple.afsvcpd --silent2⤵
-
-
/bin/shsh -c "sysctl -n hw.ncpu"1⤵
-
/bin/bashsh -c "sysctl -n hw.ncpu"1⤵
-
/usr/sbin/sysctlsysctl -n hw.ncpu1⤵
-
/bin/shsh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/usr/libexec/xpcproxyxpcproxy afsvcpd1⤵
-
/usr/bin/sudosudo /Library/osxmobiledata/com.apple.afsvcpd --silent1⤵
-
/Library/osxmobiledata/com.apple.afsvcpd/Library/osxmobiledata/com.apple.afsvcpd --silent2⤵
-
-
/bin/shsh -c "sysctl -n hw.ncpu"1⤵
-
/bin/bashsh -c "sysctl -n hw.ncpu"1⤵
-
/usr/sbin/sysctlsysctl -n hw.ncpu1⤵
-
/bin/shsh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/usr/libexec/xpcproxyxpcproxy afsvcpd1⤵
-
/usr/bin/sudosudo /Library/osxmobiledata/com.apple.afsvcpd --silent1⤵
-
/Library/osxmobiledata/com.apple.afsvcpd/Library/osxmobiledata/com.apple.afsvcpd --silent2⤵
-
-
/bin/shsh -c "sysctl -n hw.ncpu"1⤵
-
/bin/bashsh -c "sysctl -n hw.ncpu"1⤵
-
/usr/sbin/sysctlsysctl -n hw.ncpu1⤵
-
/bin/shsh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/bin/bashsh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/usr/bin/osascriptosascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"1⤵
-
/bin/sh/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"1⤵
-
/bin/bash/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"1⤵
-
/bin/launchctllaunchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist1⤵
-
/bin/shsh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/bin/bashsh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/usr/bin/osascriptosascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"1⤵
-
/bin/sh/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"1⤵
-
/bin/bash/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"1⤵
-
/bin/launchctllaunchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist1⤵
-
/usr/libexec/xpcproxyxpcproxy afsvcpd1⤵
-
/usr/bin/sudosudo /Library/osxmobiledata/com.apple.afsvcpd --silent1⤵
-
/Library/osxmobiledata/com.apple.afsvcpd/Library/osxmobiledata/com.apple.afsvcpd --silent2⤵
-
-
/bin/shsh -c "sysctl -n hw.ncpu"1⤵
-
/bin/bashsh -c "sysctl -n hw.ncpu"1⤵
-
/usr/sbin/sysctlsysctl -n hw.ncpu1⤵
-
/bin/shsh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/bin/bashsh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/usr/bin/osascriptosascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"1⤵
-
/bin/sh/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"1⤵
-
/bin/bash/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"1⤵
-
/bin/launchctllaunchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist1⤵
-
/bin/shsh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/bin/bashsh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/usr/bin/osascriptosascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"1⤵
-
/bin/sh/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"1⤵
-
/bin/bash/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"1⤵
-
/bin/launchctllaunchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist1⤵
-
/usr/libexec/xpcproxyxpcproxy afsvcpd1⤵
-
/usr/bin/sudosudo /Library/osxmobiledata/com.apple.afsvcpd --silent1⤵
-
/Library/osxmobiledata/com.apple.afsvcpd/Library/osxmobiledata/com.apple.afsvcpd --silent2⤵
-
-
/bin/shsh -c "sysctl -n hw.ncpu"1⤵
-
/bin/bashsh -c "sysctl -n hw.ncpu"1⤵
-
/usr/sbin/sysctlsysctl -n hw.ncpu1⤵
-
/bin/shsh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/usr/libexec/xpcproxyxpcproxy afsvcpd1⤵
-
/usr/bin/sudosudo /Library/osxmobiledata/com.apple.afsvcpd --silent1⤵
-
/Library/osxmobiledata/com.apple.afsvcpd/Library/osxmobiledata/com.apple.afsvcpd --silent2⤵
-
-
/bin/shsh -c "sysctl -n hw.ncpu"1⤵
-
/bin/bashsh -c "sysctl -n hw.ncpu"1⤵
-
/usr/sbin/sysctlsysctl -n hw.ncpu1⤵
-
/usr/sbin/spctl/usr/sbin/spctl --assess --type execute /Applications/OneDrive.app1⤵
-
/usr/libexec/xpcproxyxpcproxy afsvcpd1⤵
-
/usr/bin/sudosudo /Library/osxmobiledata/com.apple.afsvcpd --silent1⤵
-
/Library/osxmobiledata/com.apple.afsvcpd/Library/osxmobiledata/com.apple.afsvcpd --silent2⤵
-
-
/bin/shsh -c "sysctl -n hw.ncpu"1⤵
-
/bin/bashsh -c "sysctl -n hw.ncpu"1⤵
-
/usr/sbin/sysctlsysctl -n hw.ncpu1⤵
-
/usr/libexec/xpcproxyxpcproxy com.apple.pbs1⤵
-
/System/Library/CoreServices/pbs/System/Library/CoreServices/pbs1⤵
-
/bin/shsh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/bin/bashsh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/usr/bin/osascriptosascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"1⤵
-
/bin/sh/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"1⤵
-
/bin/bash/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"1⤵
-
/bin/launchctllaunchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist1⤵
-
/bin/shsh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/bin/bashsh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/usr/bin/osascriptosascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"1⤵
-
/bin/sh/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"1⤵
-
/bin/bash/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"1⤵
-
/bin/launchctllaunchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist1⤵
-
/bin/shsh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/bin/bashsh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/usr/bin/osascriptosascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"1⤵
-
/bin/sh/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"1⤵
-
/bin/bash/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"1⤵
-
/bin/launchctllaunchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist1⤵
-
/bin/shsh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/bin/bashsh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/usr/bin/osascriptosascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"1⤵
-
/bin/sh/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"1⤵
-
/bin/bash/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"1⤵
-
/bin/launchctllaunchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist1⤵
-
/usr/libexec/xpcproxyxpcproxy afsvcpd1⤵
-
/usr/bin/sudosudo /Library/osxmobiledata/com.apple.afsvcpd --silent1⤵
-
/Library/osxmobiledata/com.apple.afsvcpd/Library/osxmobiledata/com.apple.afsvcpd --silent2⤵
-
-
/bin/shsh -c "sysctl -n hw.ncpu"1⤵
-
/bin/bashsh -c "sysctl -n hw.ncpu"1⤵
-
/usr/sbin/sysctlsysctl -n hw.ncpu1⤵
-
/bin/shsh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/bin/bashsh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/usr/bin/osascriptosascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"1⤵
-
/bin/sh/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"1⤵
-
/bin/bash/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"1⤵
-
/bin/launchctllaunchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist1⤵
-
/bin/shsh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/bin/bashsh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/usr/bin/osascriptosascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"1⤵
-
/bin/sh/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"1⤵
-
/bin/bash/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"1⤵
-
/bin/launchctllaunchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist1⤵
-
/bin/shsh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/bin/bashsh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/usr/bin/osascriptosascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"1⤵
-
/bin/sh/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"1⤵
-
/bin/bash/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"1⤵
-
/bin/launchctllaunchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist1⤵
-
/bin/shsh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/usr/libexec/xpcproxyxpcproxy afsvcpd1⤵
-
/usr/bin/sudosudo /Library/osxmobiledata/com.apple.afsvcpd --silent1⤵
-
/Library/osxmobiledata/com.apple.afsvcpd/Library/osxmobiledata/com.apple.afsvcpd --silent2⤵
-
-
/bin/shsh -c "sysctl -n hw.ncpu"1⤵
-
/bin/bashsh -c "sysctl -n hw.ncpu"1⤵
-
/usr/sbin/sysctlsysctl -n hw.ncpu1⤵
-
/bin/shsh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""1⤵
-
/usr/libexec/xpcproxyxpcproxy afsvcpd1⤵
-
/usr/bin/sudosudo /Library/osxmobiledata/com.apple.afsvcpd --silent1⤵
-
/Library/osxmobiledata/com.apple.afsvcpd/Library/osxmobiledata/com.apple.afsvcpd --silent2⤵
-
-
/bin/shsh -c "sysctl -n hw.ncpu"1⤵
-
/bin/bashsh -c "sysctl -n hw.ncpu"1⤵
-
/usr/sbin/sysctlsysctl -n hw.ncpu1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
156B
MD598c042116c1b13902d9c70448a2f6e1d
SHA19f046e11aa5e4f1d6a14b7e8b2db44bf4236de60
SHA25611b0c5d27369fc9988f4145d52cea5eb155d6be13ce1ff181e11660df1d8bc25
SHA51277061ed182f9591a55f792e708b1658f4502072ddb208409e51dddac32dc62bcc9e4ba08968d427b68a1d0caa863aaaab0902a42907edb5d9153525631d8b22e
-
Filesize
158B
MD5591ab0355e71ae4a54213a6a3736cce6
SHA1b9e18901064e7ff720d38b617963faf08c1ab012
SHA2567cb7049d4cadc44720087e7ecf1d769cb97da7f665d36b46a71df0fc50b8136c
SHA512cc9246f82308a502ca7c6e3df909eb548426ec448c3c3d7ef1de37cc04003586babb8741dcf2df99b3239b76a4251930dd8f8eadb5ece6398ba452ee429a587c
-
Filesize
156B
MD573e16523ae94c6f16e5cccc2b886b10b
SHA1010d42be9d4e8779d4859868fd8240ebed8a6006
SHA2569bc3e564caf740132849ad4b5eaca41b9f6f7b77c91248a92ee510545ef9952b
SHA512fe7612c67d4e81be6efe978059554d4b55ee9f3cb7348eb6b45f075e08fba5da387340c80f8e5e6c7e830dec3d21fda50b16add7222d29826109a8e1f51bd409
-
Filesize
158B
MD5f3dfebd8fc9c85447ade6ad01859464e
SHA1085d6e93b3fc0d4da2f25567164e704625b276cb
SHA256cf63bc3e961c64bbff49ad7f54dc6e1e2425fe39b7c51cba84179188d966eb13
SHA51203ff1f24fc9ab0379300eb390a3fd51d9d5b40292691efe1a26fe9863c5408b146b55e3e7e4544ec0bae3230225d6aea08e2179f16315023bcb03ff104323ae6
-
Filesize
156B
MD54f9a0a777ef7e10c3656fe0c83150a92
SHA10a503a2c5e755ce702583c3d0b12da8f783d7d63
SHA25694f5bbc5abb6b0b662f36bcc39de46aaf8d28e086c600908f425fced29c06172
SHA5121a8dcb4b7ec6f24adf613bc24de7f82c9d163d4fbfbfd507d7ff332a70648f3d935b1cc2179e46fa9fa085df79d63aadb916e1a19ea75a6fe6733212bef1e6b8
-
Filesize
156B
MD53334dbcb39617a5466ff9d073cf46fff
SHA13c1888d64ecb030a712a3a70b56dacce022f6d5d
SHA256665a306aa54aa527ce2d6916978c173a4cad81d8889ffb1e33d9a43d3496775c
SHA5122134e9a98768a6431e73a1cbfb0894e6133d2a600afe2ef5013e51600a389c4ae364b24ec353cb29522362dd8d63f110ef85dffb43fd2abf8ce3e09c4c16165e
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
156B
MD5d7807d0d1643ac0c9b0222711bf5fb60
SHA16ac8e9279e3bd7a9a7ed3f14a272cbed5c6c29ad
SHA256163ea5ebbb6b2fd846d549d8e76c40fa72eb0afb98e3a7ca12c715e52dce433a
SHA512d3e92330fc47135e094f66195344afca780473d6ce3f8d87251bcad5a5a8570f8000dda46b6ec5851bfb0b14cbb5c92cc1601c4cad08ff564aeb5eed2b93ad2f
-
Filesize
156B
MD5f5855a89fa545a4f150375b9a3c5624a
SHA112a81cc093fa9fcac2ec2e760bfffbeeb23f4f4b
SHA256f9e835472a1f39fd0f69d871d36d02d6c63350533be82e996366e60794bae11a
SHA512957a6f3b78e78db0461fb4a89905614b50305a7e8b158280eb6445bdc12fca97b8c86482b0688396a7a6a9cd7b3acce958ff9f26079047298d0c7fd2cb8cff06
-
Filesize
143B
MD5b543bb350829c5d46b44c85453f0b85f
SHA1dffe8f65c875803eb98b397dad3e7c35ad049d34
SHA256b2c9abdb1ab70ecdb36c196d6b91ce8b5cf657dee4a71b136748db544b8ec613
SHA5121c649b5e289933b83746b7dc05dd27fc415f556b486dfdb94c24614f926aaa101250219d865840872ac710e7310cdf0ee49f356ed84636d619aad0d86a2e6233
-
Filesize
143B
MD58a2c2d58ea3380d2e2458737073d592c
SHA1b89cb1d9336f3c0073485f4ca85a49687febb709
SHA256f0b2ea7ceb6afbb2aa30e03cd2576b1255a7baae2a22b132470dc8c58f3a7d59
SHA512e17bdaea4fd69982968a535a0772d335458e541308939732b94f6375b7fb7fb0b52a5b634f6a9608aba52554fe0ab667b13169046c721a2cf816b072bfccc4d3
-
Filesize
143B
MD530ee208487b2fca5460d1e5432760905
SHA1ccf31a3c267514a64a7111bb4c0885df9d5e9c42
SHA256902b4df6a56374946abf80d44e7b0ecd856b328dabb5b78f8cbf566a93cb363c
SHA5120160046070f5b6d3a0a533bc5489315bf7dcf09b1220a7bd9fe70b31bc029543cc0164d757a38b79df3c58adfbf53281a3941d409f8e4280599408917a9af6a3
-
Filesize
143B
MD5b07142ae7d6298ab18d07ace8c508159
SHA1da5d5cb31f9661348dd5216419a690d594988654
SHA256af9ef2d4e39efd297f5b2b0ea4fb0a70678f7f953ff901f3f9b55a98de047b28
SHA512c5792d19561b671aa487c32ab56d038c2728cba066a573fa119fd011433d42e143fef0c1b26612327c7de21412bb76fc86f94667030b7d1a90a6350e5a5fffa8
-
Filesize
143B
MD57f4b49d9c19f421935bb9cddf60e2201
SHA1f483269b7b0589d12a6f96da9ed4edf12b74ae83
SHA256e03d076576bd4a2f60e22ed9f205fba6149286144c3164d26608556f3bfb95d6
SHA512e77faa1e4fddcb96e83972de0541ab2dbfbac0ef98f0fcc2d32fa6d9daca84e96df50b95d050a09b5daf3b9ffe0d5619189960df2bee9c5b70969ae6e4bffe69
-
Filesize
145B
MD5707d1408c1f6392407ecb6d2481551c7
SHA15d98e4d72fa546fc85f1b0fd805ad50467bd7b6d
SHA256d52f8595850557560aff058d48ca76d2cd3964ff3c1b8e72956f50c05f43c158
SHA51237d4b5b8fd3dd5e1ccc9d48df3a0dd7835b70955517a9f0dfd3a5b59192224f7d3193658e75a3423a05d87d851bd3d278a28c110afec2f9e296cd8ad45c572df
-
Filesize
40KB
MD587addb847ffa67aa0693d485d8caf47d
SHA10c43cddc95c4171db97d10b87c596a94a54cd94d
SHA256a5960f02e75a135c4c5762c386238113685e45104c00a774eccc2ae7ec21f34f
SHA512ba9dc95401094215dd1cb3e9d751ea6b6bc458c0ac5b27109e1fc0427d8116a9bf1c6c68a6246d3063d575b09b9410ec30eddf1d24edc330337e9c971e68064a
-
Filesize
40KB
MD59329821d9b5d90a334f431d1dcd9e4d9
SHA1f87ed2e3fb9e22882366b71117d03da897cb7b00
SHA25630f76c89863be18ced305c6023a9a49864b25515b05edd5eb24308e0c056d626
SHA51207767b935122fade5714022388b23fed28e375a085a2b8d491de170c69a1d462fff822db4ecec081d09390aff99fd07ecef211475bc01f5ae0eee0eb4c6efabc
-
Filesize
40KB
MD549d72a28a00e6ccede61d7ace5feee08
SHA1e444650479199df3b6461050b0e19b29d3b70512
SHA256227424467438a72c9a7aa0f7ff7f0ee2c60e5408c2310d0907161395331ef345
SHA512988a5cbabc9fc79d564daa331390224aa135a351889b192b0a03c03f0f92e4848ad31c4e87a4e5d76fd79c7807e9790626f5ac1098961a981116140f0828f913
-
Filesize
47KB
MD5fbffd8797af37246e36699658da3639f
SHA14d3088a56308303eea283e37f886f3b72d175b3c
SHA256066735f4699f9ba19af3338358c101fb28c6e382fe25db5d72b04f242c31c4e4
SHA5124d54f5ae3a8814e2c8e1c59b2542302b7d400f71282bbbb345a3a05eadca939a9de43aeb91fa2d62353fc8573e2b19612b5a45ca4181d20e760ac040153c7e40
-
Filesize
168KB
MD5c855e80a91e433b31665f06a6aa0b336
SHA104ee87c1d53debe6f15bcb13389c377cb65d96c1
SHA2569042919eb47e492d3eb1902d5946d32a0d72da702ab5e8b4fc33eef4ba969d10
SHA5126ab668169a9b78957bd614ff8229beaed531dee67efdb2bb2ae84fa55f4fe7b8a516d3168226c4a7cd59dd487f60e0f15bc7015ef284825057d945a278a90544
-
Filesize
168KB
MD5927ae966eec8b4cc46a822b42796e8f0
SHA100a53b01812e3acab2e575a7c375e41da1977ca3
SHA25693d88180b944b148382535f4b60c3db4eb9d71b60d7a5ae82360963c4deaaa13
SHA51252ca3aa527249b6e1c4b34dc523a6ad220237d611faaea8fbc5833c224230b728d67a33eb4ffeb4e9b67aef8cfefe14ccb8b10e48a281c1352b03c1b29e9188f
-
Filesize
168KB
MD521f2307859617c30a4be8842c90882cf
SHA164ee6b1f8de487e54e9a604a2589db92a18266d2
SHA256a197bd8fb8e53f47e6cb9d987764b4aede3d6eb93067077ec360918a562963ae
SHA51290b44d62ad8ffe37ef2f90a1e7c48dcd9fb8ac18676adc4e4aba81f1748d3c628ec117c567edfd0aa882ba8fb41db7fb54360e28b31c149888aad2352182fd62
-
Filesize
168KB
MD58f7322acd40b81e8a5d175eb0983c34a
SHA11d5270a11721dbfa68d243c1720363b8cadf2cc7
SHA256b2e9ac235f9def9eeaa50cd29665ab7f74017d365c2b45f849664be1a452914b
SHA5123c3727888376ac24d2f9d81f3e237f25eff741fb30bbd335dd6d8b735acf4e9a82184ce520dec2944616630e68218e4abb8e572e8802097d2d2b0bc8fd2f5b27
-
Filesize
168KB
MD5dabf428c47097b9d67bd3a06ff05e65c
SHA1ede1ca75f049c4bdde204836177fb507596f3e43
SHA256cda65acf01c9267e68a688fdffcd05d81c14920969b6c15e38244afa511623ac
SHA512a3e610ac28aedb5e9fdb0fe34c7cc0399d3eb736643145077aa965761e809f972d61f1b8cf58b6262aa41239c0b0ea4d9430345c13a8d824ee90d17d4a3deb25
-
Filesize
168KB
MD5aa35c45e4ac5da0be88a2d1fa11d7380
SHA13d10177e23913ae2a03b311c1b82c4f71e59bc49
SHA256760f3cd446427dd6ccf14271ec047212d9b944ee343b756558e8fdf8fc446671
SHA51208eed6dd5ccdb026637f9386ea6d039cd220e20b3bf0803a2eae40cca6707b48a41cf328e03cbf923f7f51f43e716d9707d589b9cc92a762d28295edfa852fb8
-
Filesize
168KB
MD5bfc98d40fbdc189a3a7b11596abbf6ce
SHA1548d3dab7b6de899154b2269b3e0f271bcbac507
SHA25656386728613a924116f104b28884056bc10f2b18caf87a14cd36cc8cbfa06d8a
SHA5120399dcd884eaca3a9d4f6aca503d690d160438fdc689a8caf53d5eb4cdddcba46bd2d97e13dc4bec57e38324acf07458339671a97153b32226b2e9ca45767bed
-
Filesize
168KB
MD5075fba9ec2891fa8eddd71f0dc4e2b82
SHA16ec93cbd96f28623b7312933cd18520dc01d25a7
SHA25657ea6ca3a96e01a06cd5d4f44aa8a6b73892449637d639c25a6d1484ebc3d2e8
SHA5124fc97ea4be009810d1491f74e4adde762ad80176aa5a0b7d5a29fdb1bc94be95fd1e69db8f796003e1949775fca404b6f7068c45b18ff2e9a1d69fcd03a4dfad