Analysis
-
max time kernel
72s -
max time network
72s -
platform
macos-10.15_amd64 -
resource
macos-20240711.1-en -
resource tags
arch:amd64arch:i386image:macos-20240711.1-enkernel:19b77alocale:en-usos:macos-10.15-amd64system -
submitted
25-07-2024 07:16
Behavioral task
behavioral1
Sample
3afb321a3e194a41da2ee825c922da21205cf64003e39b73ccc8b3a2fb80acbc.macho
Resource
macos-20240711.1-en
General
-
Target
3afb321a3e194a41da2ee825c922da21205cf64003e39b73ccc8b3a2fb80acbc.macho
-
Size
8.0MB
-
MD5
832837adb745a3f708c3b0043c937f62
-
SHA1
8e8127b2bd6052ca9c11f2284b253d7cb26388a2
-
SHA256
3afb321a3e194a41da2ee825c922da21205cf64003e39b73ccc8b3a2fb80acbc
-
SHA512
de7f1b2ed5464fb7052fdccebd497fc10ffde72f37183da5a732c14e36e6ec438aed2ee06c910ae13d638f5cbe242de809c613aca51e63976827f1920215897f
-
SSDEEP
49152:U33dQ333dQ33b33dQ333dQ33b33dQ333dQ33b33dQ333dQ33b33dQ333dQ33b33P:O
Malware Config
Signatures
-
EvilQuest payload 1 IoCs
Processes:
resource yara_rule behavioral1/files/0x000000030008c3a1-0.dat family_evilquest -
Compromise Client Software Binary 1 TTPs 7 IoCs
Adversaries may modify client software binaries to establish persistent access to systems. Client software enables users to access services provided by a server.
Processes:
ioc Process /Users/run/Library/AppQuest/com.apple.questd /Library/AppQuest/com.apple.questd /Users/run/Library/AppQuest/com.apple.questd /Library/AppQuest/com.apple.questd /Library/AppQuest/com.apple.questd /var/root/Library/AppQuest/com.apple.questd /Users/run/Library/AppQuest/com.apple.questd -
Launch Daemon 1 TTPs
Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS.
-
AppleScript 1 TTPs 24 IoCs
AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.
Processes:
ioc Process osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" sh -c "osascript -e \"do shell script \\\"sudo /Library/AppQuest/com.apple.questd\\\" with administrator privileges\"" osascript -e "do shell script \"sudo /Library/AppQuest/com.apple.questd\" with administrator privileges" osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" -
Launchctl 1 TTPs 55 IoCs
Adversaries may abuse launchctl to execute commands or programs. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.
Processes:
ioc Process sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" /bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" launchctl start questd launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" launchctl start questd launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" launchctl start questd /bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" launchctl start questd launchctl start questd sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" /bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" launchctl start questd /bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" /bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" launchctl start questd launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" /bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" /bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" /bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" /bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" launchctl start questd /bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" launchctl start questd sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges" sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\"" launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd /bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd" sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
Processes
-
/bin/shsh -c "sudo /bin/zsh -c \"/Users/run/3afb321a3e194a41da2ee825c922da21205cf64003e39b73ccc8b3a2fb80acbc.macho\""1⤵PID:490
-
/bin/bashsh -c "sudo /bin/zsh -c \"/Users/run/3afb321a3e194a41da2ee825c922da21205cf64003e39b73ccc8b3a2fb80acbc.macho\""1⤵PID:490
-
/usr/bin/sudosudo /bin/zsh -c /Users/run/3afb321a3e194a41da2ee825c922da21205cf64003e39b73ccc8b3a2fb80acbc.macho1⤵PID:490
-
/bin/zsh/bin/zsh -c /Users/run/3afb321a3e194a41da2ee825c922da21205cf64003e39b73ccc8b3a2fb80acbc.macho2⤵PID:491
-
-
/Users/run/3afb321a3e194a41da2ee825c922da21205cf64003e39b73ccc8b3a2fb80acbc.macho/Users/run/3afb321a3e194a41da2ee825c922da21205cf64003e39b73ccc8b3a2fb80acbc.macho2⤵PID:491
-
-
/Users/run/.3afb321a3e194a41da2ee825c922da21205cf64003e39b73ccc8b3a2fb80acbc.macho12⤵PID:491
-
-
/bin/shsh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""1⤵PID:514
-
/bin/bashsh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""1⤵PID:514
-
/usr/bin/osascriptosascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"1⤵PID:514
-
/usr/libexec/xpcproxyxpcproxy com.apple.security.authtrampoline1⤵PID:515
-
/System/Library/Frameworks/Security.framework/authtrampoline/System/Library/Frameworks/Security.framework/authtrampoline1⤵PID:515
-
/bin/sh/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"1⤵PID:516
-
/bin/bash/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"1⤵PID:516
-
/bin/launchctllaunchctl load -w /Library/LaunchDaemons/com.apple.questd.plist2⤵PID:517
-
-
/bin/launchctllaunchctl start questd2⤵PID:519
-
-
/usr/libexec/xpcproxyxpcproxy questd1⤵PID:518
-
/usr/bin/sudosudo /Library/AppQuest/com.apple.questd --silent1⤵PID:518
-
/Library/AppQuest/com.apple.questd/Library/AppQuest/com.apple.questd --silent2⤵PID:524
-
-
/bin/shsh -c "osascript -e \"do shell script \\\"sudo /Library/AppQuest/com.apple.questd\\\" with administrator privileges\""1⤵PID:521
-
/bin/bashsh -c "osascript -e \"do shell script \\\"sudo /Library/AppQuest/com.apple.questd\\\" with administrator privileges\""1⤵PID:521
-
/usr/bin/osascriptosascript -e "do shell script \"sudo /Library/AppQuest/com.apple.questd\" with administrator privileges"1⤵PID:521
-
/bin/sh/bin/sh -c "sudo /Library/AppQuest/com.apple.questd"1⤵PID:522
-
/bin/bash/bin/sh -c "sudo /Library/AppQuest/com.apple.questd"1⤵PID:522
-
/usr/bin/sudosudo /Library/AppQuest/com.apple.questd1⤵PID:522
-
/Library/AppQuest/com.apple.questd/Library/AppQuest/com.apple.questd2⤵PID:523
-
-
/bin/shsh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""1⤵PID:527
-
/bin/bashsh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""1⤵PID:527
-
/usr/bin/osascriptosascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"1⤵PID:527
-
/bin/shsh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""1⤵PID:528
-
/bin/bashsh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""1⤵PID:528
-
/usr/bin/osascriptosascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"1⤵PID:528
-
/bin/sh/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"1⤵PID:529
-
/bin/bash/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"1⤵PID:529
-
/bin/launchctllaunchctl load -w /Library/LaunchDaemons/com.apple.questd.plist2⤵PID:530
-
-
/bin/launchctllaunchctl start questd2⤵PID:531
-
-
/bin/shsh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""1⤵PID:532
-
/bin/bashsh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""1⤵PID:532
-
/usr/bin/osascriptosascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"1⤵PID:532
-
/bin/sh/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"1⤵PID:533
-
/bin/bash/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"1⤵PID:533
-
/bin/launchctllaunchctl load -w /Library/LaunchDaemons/com.apple.questd.plist2⤵PID:534
-
-
/bin/launchctllaunchctl start questd2⤵PID:535
-
-
/bin/sh/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"1⤵PID:536
-
/bin/bash/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"1⤵PID:536
-
/bin/launchctllaunchctl load -w /Library/LaunchDaemons/com.apple.questd.plist2⤵PID:537
-
-
/bin/launchctllaunchctl start questd2⤵PID:538
-
-
/bin/shsh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""1⤵PID:539
-
/bin/bashsh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""1⤵PID:539
-
/usr/bin/osascriptosascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"1⤵PID:539
-
/bin/shsh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""1⤵PID:540
-
/bin/bashsh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""1⤵PID:540
-
/usr/bin/osascriptosascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"1⤵PID:540
-
/bin/sh/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"1⤵PID:542
-
/bin/bash/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"1⤵PID:542
-
/bin/launchctllaunchctl load -w /Library/LaunchDaemons/com.apple.questd.plist2⤵PID:543
-
-
/bin/launchctllaunchctl start questd2⤵PID:544
-
-
/bin/sh/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"1⤵PID:545
-
/bin/bash/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"1⤵PID:545
-
/bin/launchctllaunchctl load -w /Library/LaunchDaemons/com.apple.questd.plist2⤵PID:546
-
-
/bin/launchctllaunchctl start questd2⤵PID:547
-
-
/usr/libexec/xpcproxyxpcproxy com.apple.PerformanceAnalysis.animationperfd1⤵PID:548
-
/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd1⤵PID:548
-
/bin/shsh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""1⤵PID:549
-
/bin/bashsh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""1⤵PID:549
-
/usr/bin/osascriptosascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"1⤵PID:549
-
/bin/sh/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"1⤵PID:551
-
/bin/bash/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"1⤵PID:551
-
/bin/launchctllaunchctl load -w /Library/LaunchDaemons/com.apple.questd.plist2⤵PID:552
-
-
/bin/launchctllaunchctl start questd2⤵PID:553
-
-
/bin/shsh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""1⤵PID:555
-
/bin/bashsh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""1⤵PID:555
-
/usr/bin/osascriptosascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"1⤵PID:555
-
/usr/libexec/xpcproxyxpcproxy com.apple.spindump1⤵PID:557
-
/usr/sbin/spindump/usr/sbin/spindump1⤵PID:557
-
/bin/sh/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"1⤵PID:558
-
/bin/bash/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"1⤵PID:558
-
/bin/launchctllaunchctl load -w /Library/LaunchDaemons/com.apple.questd.plist2⤵PID:559
-
-
/bin/launchctllaunchctl start questd2⤵PID:560
-
-
/bin/shsh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""1⤵PID:561
-
/bin/bashsh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""1⤵PID:561
-
/usr/bin/osascriptosascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"1⤵PID:561
-
/bin/shsh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""1⤵PID:562
-
/bin/bashsh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""1⤵PID:562
-
/usr/bin/osascriptosascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"1⤵PID:562
-
/bin/sh/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"1⤵PID:563
-
/bin/bash/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"1⤵PID:563
-
/bin/launchctllaunchctl load -w /Library/LaunchDaemons/com.apple.questd.plist2⤵PID:564
-
-
/bin/launchctllaunchctl start questd2⤵PID:565
-
-
/bin/sh/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"1⤵PID:566
-
/bin/bash/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"1⤵PID:566
-
/bin/launchctllaunchctl load -w /Library/LaunchDaemons/com.apple.questd.plist2⤵PID:567
-
-
/bin/launchctllaunchctl start questd2⤵PID:568
-
-
/bin/shsh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""1⤵PID:575
-
/bin/bashsh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""1⤵PID:575
-
/usr/bin/osascriptosascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"1⤵PID:575
-
/bin/sh/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"1⤵PID:576
-
/bin/bash/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"1⤵PID:576
-
/bin/launchctllaunchctl load -w /Library/LaunchDaemons/com.apple.questd.plist2⤵PID:577
-
-
/bin/launchctllaunchctl start questd2⤵PID:578
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7.9MB
MD53e2723c39c9d67e1fdad52e2a14ce7af
SHA128db62731aa491039595b3e6039cb901a499c48a
SHA25689c45efb747dde07c200aa6adc2e5132e70260a0be5cc9a61d005f941f9f8337
SHA51230274a5afea2d3d4c9b2b4d493ad77b5613a05a9581dcf4f75e6f30cf305846da7f977c52c3263e74f589ed8504387a06b509d27c774ecff0fd24e247937e40f
-
Filesize
435B
MD5a3d34532a7dd2cd1d73cea75deb0677f
SHA13019d1c50907fb2597121c03619990c5670ff6f4
SHA256779a31e4de99f9de28de8bf064c504382e050c114e2e865cc1f694c7e6339735
SHA51252618a5f14247c909a3857b122a124d0ddd00890c128cf041976182423b3d728cab11daf5b6a1adb6845d062b54083e72380184b6f76369482305c2782bedd91
-
Filesize
423B
MD5eb73619f4e724257ff0fd951883a30ae
SHA15032251e50b32e340d8171631a598596bad8991e
SHA2566e56467f3f5502588094c91e2d58bbb1e43c4e8171093db14931dd41788e17d4
SHA512ec95c395414181bc77c7a2980fbd3fe69b718aa98c878e514c3f28b738e1669488126cbdfa96e3a182afd8536b54bc1791a044fa3535d1fd3fad54dfda337b7c
-
Filesize
422B
MD570c1e05ff6b32db6e1ef873321abd1f9
SHA116878e40cd5a569bc8f441988cc07b66ffc8534a
SHA256ba60feb2a639cd847674e6599cabf986ede7876231a292785b0365d58b7b9378
SHA5121e82629b3b1fa7bb88e7efe0393aee7114631555fbfe614d33b9b1efb4d299c35dac5e393f834dcc26a5e192e46e317124c0b841f65ab371819c34802424712e