evilquest | 454bd33dedc789d78374f923f7973710f448235673b2b414c434af3e7168aa81

Analysis

max time kernel
150s
max time network
151s
platform
macos-10.15_amd64
resource
macos-20240711.1-en
resource tags

arch:amd64arch:i386image:macos-20240711.1-enkernel:19b77alocale:en-usos:macos-10.15-amd64system
submitted
12-09-2024 18:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20240912ff518e7b84421876e36339aa7458485fadloadevilquestrekoobe
Size

177KB
MD5

ff518e7b84421876e36339aa7458485f
SHA1

d5b7633132caf8e468e0171100bbcb7bc9344f46
SHA256

454bd33dedc789d78374f923f7973710f448235673b2b414c434af3e7168aa81
SHA512

4a11771f44134c2a8d08a78d821b55208c2c52dbbd0ae06c6ae5d42100260cef049f77981f61763b17ababdbd357085a9b83e8775c98b4f34a77e889c87931d2
SSDEEP

3072:cx6SZwEgOQtbap1jZNFnYo6w68cqhS2iJvHLzxq9oe0k:5SeOQdaZNxtk8cqhSxvHY9oa

Score

10^/10

evilquest backdoor execution persistence

Malware Config

Signatures

EvilQuest
EvilQuest family.
backdoor evilquest

EvilQuest payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000000030008c2b8-1.dat	family_evilquest
behavioral1/files/0x000000030008c2aa-30.dat	family_evilquest

Launch Agent 1 TTPs
Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence.
persistence

Launch Agent
T1543.001
Launch Daemon 1 TTPs
Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS.
persistence

Launch Daemon
T1543.004

AppleScript 1 TTPs 43 IoCs

AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.

execution

AppleScript

T1059.002

ioc	Process
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
osascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
osascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
osascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
osascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
osascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found

Launchctl 1 TTPs 64 IoCs

Adversaries may abuse launchctl to execute commands or programs. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.

execution

Launchctl

T1569.001

ioc	Process
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist	Process not Found
osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"	Process not Found
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"	Process not Found
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist	Process not Found
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"	Process not Found
/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"	Process not Found
launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"	Process not Found
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"	Process not Found
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"	Process not Found
launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist	Process not Found
launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist	Process not Found
osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
osascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist	Process not Found
osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist	Process not Found
osascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"	Process not Found
launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist	Process not Found
launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist	Process not Found
launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist	Process not Found
launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist	Process not Found
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"	Process not Found
launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist	Process not Found
osascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist	Process not Found
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"	Process not Found
launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"	Process not Found
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist	Process not Found

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/20240912ff518e7b84421876e36339aa7458485fadloadevilquestrekoobe\""
1⤵
PID:483

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/20240912ff518e7b84421876e36339aa7458485fadloadevilquestrekoobe\""
1⤵
PID:483

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/20240912ff518e7b84421876e36339aa7458485fadloadevilquestrekoobe
1⤵
PID:483
- /bin/zsh
  /bin/zsh -c /Users/run/20240912ff518e7b84421876e36339aa7458485fadloadevilquestrekoobe
  2⤵
  PID:485
- /Users/run/20240912ff518e7b84421876e36339aa7458485fadloadevilquestrekoobe
  /Users/run/20240912ff518e7b84421876e36339aa7458485fadloadevilquestrekoobe
  2⤵
  PID:485

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:486

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:486

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:486

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:512

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:512

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:512

/usr/libexec/xpcproxy
xpcproxy com.apple.security.authtrampoline
1⤵
PID:513

/System/Library/Frameworks/Security.framework/authtrampoline
/System/Library/Frameworks/Security.framework/authtrampoline
1⤵
PID:513

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:514

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:514

/bin/launchctl
launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist
1⤵
PID:514

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:515

/usr/bin/sudo
sudo /Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:515
- /Library/osxmobiledata/com.apple.afsvcpd
  /Library/osxmobiledata/com.apple.afsvcpd --silent
  2⤵
  PID:518

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:516

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:516

/usr/bin/osascript
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:516

/bin/sh
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:517

/bin/bash
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:517

/bin/launchctl
launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist
1⤵
PID:517

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:519

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:519

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:519

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:521

/usr/bin/sudo
sudo /Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:521
- /Library/osxmobiledata/com.apple.afsvcpd
  /Library/osxmobiledata/com.apple.afsvcpd --silent
  2⤵
  PID:522

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:523

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:523

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:523

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:524

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:524

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:524

/bin/sh
/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:526

/bin/bash
/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:526

/bin/launchctl
launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:526

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:527

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:527

/usr/bin/osascript
osascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:527

/bin/sh
/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:528

/bin/bash
/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:528

/bin/launchctl
launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:528

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:529

/usr/bin/sudo
sudo /Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:529
- /Library/osxmobiledata/com.apple.afsvcpd
  /Library/osxmobiledata/com.apple.afsvcpd --silent
  2⤵
  PID:530

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:531

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:531

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:531

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:532

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:532

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:532

/bin/sh
/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:533

/bin/bash
/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:533

/bin/launchctl
launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:533

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:534

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:534

/usr/bin/osascript
osascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:534

/bin/sh
/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:535

/bin/bash
/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:535

/bin/launchctl
launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:535

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:536

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:536

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:536

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:537

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:537

/bin/launchctl
launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist
1⤵
PID:537

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:538

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:538

/usr/bin/osascript
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:538

/bin/sh
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:539

/bin/bash
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:539

/bin/launchctl
launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist
1⤵
PID:539

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:540

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:542

/usr/bin/sudo
sudo /Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:542
- /Library/osxmobiledata/com.apple.afsvcpd
  /Library/osxmobiledata/com.apple.afsvcpd --silent
  2⤵
  PID:544

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:545

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:545

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:545

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:546

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:546

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:546

/bin/sh
/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:548

/bin/bash
/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:548

/bin/launchctl
launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:548

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:549

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:549

/bin/launchctl
/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveUpdaterDaemon
1⤵
PID:550

/usr/bin/osascript
osascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:549

/bin/launchctl
/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveStandaloneUpdaterDaemon
1⤵
PID:551

/bin/sh
/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:552

/bin/bash
/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:552

/bin/launchctl
launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:552

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:553

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:553

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:553

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:554

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:554

/bin/launchctl
launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist
1⤵
PID:554

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:555

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:555

/usr/bin/osascript
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:555

/bin/sh
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:556

/bin/bash
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:556

/bin/launchctl
launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist
1⤵
PID:556

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:560

/usr/bin/sudo
sudo /Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:560
- /Library/osxmobiledata/com.apple.afsvcpd
  /Library/osxmobiledata/com.apple.afsvcpd --silent
  2⤵
  PID:561

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:562

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:562

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:562

/usr/libexec/xpcproxy
xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E
1⤵
PID:566

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
1⤵
PID:566

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:569

/usr/bin/sudo
sudo /Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:569
- /Library/osxmobiledata/com.apple.afsvcpd
  /Library/osxmobiledata/com.apple.afsvcpd --silent
  2⤵
  PID:570

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:571

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:571

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:571

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:572

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:573

/usr/bin/sudo
sudo /Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:573
- /Library/osxmobiledata/com.apple.afsvcpd
  /Library/osxmobiledata/com.apple.afsvcpd --silent
  2⤵
  PID:574

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:575

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:575

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:575

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:576

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:576

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:576

/bin/sh
/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:577

/bin/bash
/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:577

/bin/launchctl
launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:577

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:578

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:578

/usr/bin/osascript
osascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:578

/bin/sh
/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:579

/bin/bash
/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:579

/bin/launchctl
launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:579

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:581

/usr/bin/sudo
sudo /Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:581
- /Library/osxmobiledata/com.apple.afsvcpd
  /Library/osxmobiledata/com.apple.afsvcpd --silent
  2⤵
  PID:582

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:583

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:583

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:583

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:586

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:589

/usr/bin/sudo
sudo /Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:589
- /Library/osxmobiledata/com.apple.afsvcpd
  /Library/osxmobiledata/com.apple.afsvcpd --silent
  2⤵
  PID:590

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:591

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:591

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:591

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:592

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:601

/usr/bin/sudo
sudo /Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:601
- /Library/osxmobiledata/com.apple.afsvcpd
  /Library/osxmobiledata/com.apple.afsvcpd --silent
  2⤵
  PID:602

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:603

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:603

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:603

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:604

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:604

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:604

/bin/sh
/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:605

/bin/bash
/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:605

/bin/launchctl
launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:605

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:606

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:606

/usr/bin/osascript
osascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:606

/bin/sh
/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:607

/bin/bash
/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:607

/bin/launchctl
launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:607

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:608

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:608

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:608

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:609

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:609

/bin/launchctl
launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist
1⤵
PID:609

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:610

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:610

/usr/bin/osascript
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:610

/bin/sh
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:611

/bin/bash
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:611

/bin/launchctl
launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist
1⤵
PID:611

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:612

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:613

/usr/bin/sudo
sudo /Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:613
- /Library/osxmobiledata/com.apple.afsvcpd
  /Library/osxmobiledata/com.apple.afsvcpd --silent
  2⤵
  PID:614

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:615

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:615

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:615

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:616

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:617

/usr/bin/sudo
sudo /Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:617
- /Library/osxmobiledata/com.apple.afsvcpd
  /Library/osxmobiledata/com.apple.afsvcpd --silent
  2⤵
  PID:618

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:619

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:619

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:619

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:620

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:621

/usr/bin/sudo
sudo /Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:621
- /Library/osxmobiledata/com.apple.afsvcpd
  /Library/osxmobiledata/com.apple.afsvcpd --silent
  2⤵
  PID:622

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:623

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:623

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:623

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:624

/usr/bin/sudo
sudo /Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:624
- /Library/osxmobiledata/com.apple.afsvcpd
  /Library/osxmobiledata/com.apple.afsvcpd --silent
  2⤵
  PID:625

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:626

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:626

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:626

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:627

/usr/bin/sudo
sudo /Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:627

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

AppleScript

T1059.002

System Services

T1569

Launchctl

T1569.001

Persistence

Create or Modify System Process

T1543

Launch Agent

T1543.001

Launch Daemon

T1543.004

Privilege Escalation

Create or Modify System Process

T1543

Launch Agent

T1543.001

Launch Daemon

T1543.004

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/Library/osxmobiledata/com.apple.afsvcpd

Filesize
168KB

MD5
12d7ac0128d3bf270e0ab9852273c406

SHA1
623ba1c28f0031182e698ff22ec276e42dd4dff5

SHA256
2f409dc273744590d9c09c9d79bf7c5c450ef883842c8fcc6fd0b7c9d3adcd70

SHA512
5b8e451d2988b8c2fe6d2758538d7dcc921b5023a0838c11fa85c6223a1565065340f40d5884ecd59c426d4c03ac47a1975ba08477aa7caaf707f744e135df2e

Download Submit
/var/root/Library/LaunchAgents/com.apple.afsvcpd.plist

Filesize
429B

MD5
b29145cf94cd1ef0d81552c333c3603a

SHA1
4095a7b7b982b8875a6256919b7d80c50b0a2799

SHA256
2cac13ffabc18f7010fffce9f31aaacc06e0c5ae898c3faa79d747567ce1e2fc

SHA512
fd0ccb56cb0c5084950ad4d04363ae9919a0bfa76c45554df8a7fe0eb0f8a7ed2525af3b4f64982eedac0f9aaec28b7985b4ce5ec80434fc3cf426cb96b1def0

Download Submit
/var/root/Library/osxmobiledata/com.apple.afsvcpd

Filesize
168KB

MD5
a11b03d9fc121284849fbd1611f81212

SHA1
4c98f0e6461cf934a52644d1a4c804947ab349a9

SHA256
e563180537de87d519663c0feecfc2e5639d35b0a6ef6a0918d0bb49fb5cc0c0

SHA512
e4cd2887eceaa221b10c2b0806ebdfdd6935f4fc2a98ec1ac72f3150899f35ffb63de0924b359f8cdecbda9c17f7ae8dc74fbdabbc21ed19b37a4cc6f571618e

Download Submit