evilquest | 314c4e108d38fdb98ddf8cf4879603ae43d6e1031f065f305990500a6e47d89a

General

Target

2024-09-14_a08b5005241b80b39253efd916878e26_adload_evilquest_rekoobe
Size

359KB
MD5

a08b5005241b80b39253efd916878e26
SHA1

3fce7b7325f4ff5e9cf84e9d570988e1b2b4c50d
SHA256

314c4e108d38fdb98ddf8cf4879603ae43d6e1031f065f305990500a6e47d89a
SHA512

232b2ef41cf566c504c8d00356258d21de9a983ab551ee6b11748363663281b4513d6a4ab7150d12a9cf24fb4211bf0bffe35451e94c997d7a9bee0baf8932d1
SSDEEP

6144:5SeOQdaZNxtk8cqhSxvHY9DSeOQdaZNxtk8cqhSxvHY962Dn5kM:5LOQdaDxq8cqavHYtLOQdaDxq8cqavHk

Score

10^/10

evilquest backdoor evasion execution persistence

Malware Config

Signatures

EvilQuest
EvilQuest family.
backdoor evilquest

EvilQuest payload 3 IoCs

Processes:

resource	yara_rule
/var/root/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/var/root/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest
/Library/osxmobiledata/com.apple.afsvcpd	family_evilquest

Launch Agent 1 TTPs
Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence.
persistence

Launch Agent
T1543.001
Launch Daemon 1 TTPs
Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS.
persistence

Launch Daemon
T1543.004

AppleScript 1 TTPs 64 IoCs

AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.

execution

AppleScript

T1059.002

Processes:

ioc	process
osascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
osascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
osascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
osascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""

Resource Forking 1 TTPs 2 IoCs

Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.

evasion

Resource Forking

T1564.009

Processes:

ioc	process
/System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer
"/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater" -bgcheck

Launchctl 1 TTPs 64 IoCs

Adversaries may abuse launchctl to execute commands or programs. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.

execution

Launchctl

T1569.001

Processes:

ioc	process
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist
/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist
osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist
osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist
launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist
launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist
launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist
osascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist
launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist
launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/2024-09-14_a08b5005241b80b39253efd916878e26_adload_evilquest_rekoobe\""
1⤵
PID:486

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/2024-09-14_a08b5005241b80b39253efd916878e26_adload_evilquest_rekoobe\""
1⤵
PID:486

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/2024-09-14_a08b5005241b80b39253efd916878e26_adload_evilquest_rekoobe
1⤵
PID:486
- /bin/zsh
  /bin/zsh -c /Users/run/2024-09-14_a08b5005241b80b39253efd916878e26_adload_evilquest_rekoobe
  2⤵
  PID:488
- /Users/run/2024-09-14_a08b5005241b80b39253efd916878e26_adload_evilquest_rekoobe
  /Users/run/2024-09-14_a08b5005241b80b39253efd916878e26_adload_evilquest_rekoobe
  2⤵
  PID:488

/System/Library/CoreServices/Applications/Feedback Assistant.app/Contents/Library/LaunchServices/seedusaged
"/System/Library/CoreServices/Applications/Feedback Assistant.app/Contents/Library/LaunchServices/seedusaged"
1⤵
PID:471

/usr/libexec/pkreporter
/usr/libexec/pkreporter
1⤵
PID:474

/System/Library/PrivateFrameworks/SpeechObjects.framework/Versions/A/SpeechDataInstallerd.app/Contents/MacOS/SpeechDataInstallerd
/System/Library/PrivateFrameworks/SpeechObjects.framework/Versions/A/SpeechDataInstallerd.app/Contents/MacOS/SpeechDataInstallerd
1⤵
PID:473

/System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer
/System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer
1⤵
PID:475

/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater
"/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater" -bgcheck
1⤵
PID:476

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:489

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:489

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:489

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:514

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:514

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:514

/usr/libexec/xpcproxy
xpcproxy com.apple.security.authtrampoline
1⤵
PID:515

/System/Library/Frameworks/Security.framework/authtrampoline
/System/Library/Frameworks/Security.framework/authtrampoline
1⤵
PID:515

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:516

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:516

/bin/launchctl
launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist
1⤵
PID:516

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:517

/usr/bin/sudo
sudo /Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:517
- /Library/osxmobiledata/com.apple.afsvcpd
  /Library/osxmobiledata/com.apple.afsvcpd --silent
  2⤵
  PID:520

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:518

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:518

/usr/bin/osascript
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:518

/bin/sh
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:519

/bin/bash
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:519

/bin/launchctl
launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist
1⤵
PID:519

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:521

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:521

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:521

/usr/libexec/xpcproxy
xpcproxy com.apple.audio.AudioComponentRegistrar
1⤵
PID:523

/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar
/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar -daemon
1⤵
PID:523

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:524

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:524

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:524

/bin/sh
/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:525

/bin/bash
/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:525

/bin/launchctl
launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:525

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:526

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:526

/usr/bin/osascript
osascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:526

/bin/sh
/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:527

/bin/bash
/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:527

/bin/launchctl
launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:527

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:528

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:529

/usr/bin/sudo
sudo /Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:529
- /Library/osxmobiledata/com.apple.afsvcpd
  /Library/osxmobiledata/com.apple.afsvcpd --silent
  2⤵
  PID:530

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:531

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:531

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:531

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:532

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:532

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:532

/bin/sh
/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:533

/bin/bash
/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:533

/bin/launchctl
launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:533

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:534

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:534

/usr/bin/osascript
osascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:534

/bin/sh
/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:535

/bin/bash
/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:535

/bin/launchctl
launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:535

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:543

/usr/bin/sudo
sudo /Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:543
- /Library/osxmobiledata/com.apple.afsvcpd
  /Library/osxmobiledata/com.apple.afsvcpd --silent
  2⤵
  PID:544

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:545

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:545

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:545

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:547

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:547

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:547

/bin/sh
/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:548

/bin/bash
/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:548

/bin/launchctl
launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:548

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:549

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:549

/usr/bin/osascript
osascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:549

/bin/sh
/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:550

/bin/bash
/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:550

/bin/launchctl
launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:550

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:551

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:551

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:551

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:553

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:553

/bin/launchctl
launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist
1⤵
PID:553

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:554

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:554

/usr/bin/osascript
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:554

/bin/sh
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:555

/bin/bash
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:555

/bin/launchctl
launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist
1⤵
PID:555

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:556

/usr/bin/sudo
sudo /Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:556
- /Library/osxmobiledata/com.apple.afsvcpd
  /Library/osxmobiledata/com.apple.afsvcpd --silent
  2⤵
  PID:557

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:558

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:558

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:558

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:559

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:559

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:559

/bin/sh
/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:560

/bin/bash
/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:560

/bin/launchctl
launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:560

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:561

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:561

/usr/bin/osascript
osascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:561

/bin/sh
/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:562

/bin/bash
/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:562

/bin/launchctl
launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:562

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:563

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:563

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:563

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:564

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:564

/bin/launchctl
launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist
1⤵
PID:564

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:565

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:565

/usr/bin/osascript
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:565

/bin/sh
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:566

/bin/bash
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:566

/bin/launchctl
launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist
1⤵
PID:566

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:567

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:567

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:570

/usr/bin/sudo
sudo /Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:570
- /Library/osxmobiledata/com.apple.afsvcpd
  /Library/osxmobiledata/com.apple.afsvcpd --silent
  2⤵
  PID:571

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:572

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:572

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:572

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:574

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:575

/usr/bin/sudo
sudo /Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:575
- /Library/osxmobiledata/com.apple.afsvcpd
  /Library/osxmobiledata/com.apple.afsvcpd --silent
  2⤵
  PID:576

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:577

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:577

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:577

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:578

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:580

/usr/bin/sudo
sudo /Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:580
- /Library/osxmobiledata/com.apple.afsvcpd
  /Library/osxmobiledata/com.apple.afsvcpd --silent
  2⤵
  PID:581

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:582

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:582

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:582

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:583

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:583

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:583

/bin/sh
/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:584

/bin/bash
/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:584

/bin/launchctl
launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:584

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:585

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:585

/usr/bin/osascript
osascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:585

/bin/sh
/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:586

/bin/bash
/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:586

/bin/launchctl
launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:586

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:587

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:587

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:587

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:588

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:588

/bin/launchctl
launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist
1⤵
PID:588

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:589

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:589

/usr/bin/osascript
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:589

/bin/sh
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:590

/bin/bash
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:590

/bin/launchctl
launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist
1⤵
PID:590

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:591

/usr/bin/sudo
sudo /Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:591
- /Library/osxmobiledata/com.apple.afsvcpd
  /Library/osxmobiledata/com.apple.afsvcpd --silent
  2⤵
  PID:592

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:593

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:593

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:593

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:595

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:595

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:595

/bin/sh
/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:596

/bin/bash
/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:596

/bin/launchctl
launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:596

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:597

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:597

/usr/bin/osascript
osascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:597

/bin/sh
/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:598

/bin/bash
/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:598

/bin/launchctl
launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:598

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:599

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:599

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:599

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:600

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:600

/bin/launchctl
launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist
1⤵
PID:600

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:601

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:601

/usr/bin/osascript
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:601

/bin/sh
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:602

/bin/bash
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:602

/bin/launchctl
launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist
1⤵
PID:602

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:603

/usr/bin/sudo
sudo /Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:603
- /Library/osxmobiledata/com.apple.afsvcpd
  /Library/osxmobiledata/com.apple.afsvcpd --silent
  2⤵
  PID:604

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:605

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:605

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:605

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:606

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:606

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:609

/usr/bin/sudo
sudo /Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:609
- /Library/osxmobiledata/com.apple.afsvcpd
  /Library/osxmobiledata/com.apple.afsvcpd --silent
  2⤵
  PID:610

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:611

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:611

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:611

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:612

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:612

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:612

/bin/sh
/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:613

/bin/bash
/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:613

/bin/launchctl
launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:613

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:614

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:614

/usr/bin/osascript
osascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:614

/bin/sh
/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:615

/bin/bash
/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:615

/bin/launchctl
launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:615

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:616

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:616

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:616

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:617

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:617

/bin/launchctl
launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist
1⤵
PID:617

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:618

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:618

/usr/bin/osascript
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:618

/bin/sh
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:619

/bin/bash
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:619

/bin/launchctl
launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist
1⤵
PID:619

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:628

/usr/bin/sudo
sudo /Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:628
- /Library/osxmobiledata/com.apple.afsvcpd
  /Library/osxmobiledata/com.apple.afsvcpd --silent
  2⤵
  PID:629

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:630

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:630

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:630

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:631

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:632

/usr/bin/sudo
sudo /Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:632
- /Library/osxmobiledata/com.apple.afsvcpd
  /Library/osxmobiledata/com.apple.afsvcpd --silent
  2⤵
  PID:633

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:634

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:634

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:634

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:635

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:636

/usr/bin/sudo
sudo /Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:636
- /Library/osxmobiledata/com.apple.afsvcpd
  /Library/osxmobiledata/com.apple.afsvcpd --silent
  2⤵
  PID:637

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:638

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:638

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:638

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:639

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:639

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:639

/bin/sh
/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:640

/bin/bash
/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:640

/bin/launchctl
launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:640

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:641

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:641

/usr/bin/osascript
osascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:641

/bin/sh
/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:642

/bin/bash
/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:642

/bin/launchctl
launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:642

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:643

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:643

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:643

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:644

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:644

/bin/launchctl
launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist
1⤵
PID:644

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:645

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:645

/usr/bin/osascript
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:645

/bin/sh
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:646

/bin/bash
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:646

/bin/launchctl
launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist
1⤵
PID:646

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:647

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:648

/usr/bin/sudo
sudo /Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:648
- /Library/osxmobiledata/com.apple.afsvcpd
  /Library/osxmobiledata/com.apple.afsvcpd --silent
  2⤵
  PID:649

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:650

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:650

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:650

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:651

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:651

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:651

/bin/sh
/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:652

/bin/bash
/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:652

/bin/launchctl
launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:652

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:653

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:653

/usr/bin/osascript
osascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:653

/bin/sh
/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:654

/bin/bash
/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:654

/bin/launchctl
launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:654

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:655

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:655

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:655

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:656

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:656

/bin/launchctl
launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist
1⤵
PID:656

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:657

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:658

/usr/bin/sudo
sudo /Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:658
- /Library/osxmobiledata/com.apple.afsvcpd
  /Library/osxmobiledata/com.apple.afsvcpd --silent
  2⤵
  PID:659

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

AppleScript

1

T1059.002

System Services

1

T1569

Launchctl

1

T1569.001

Persistence

Create or Modify System Process

2

T1543

Launch Agent

1

T1543.001

Launch Daemon

1

T1543.004

Privilege Escalation

Create or Modify System Process

2

T1543

Launch Agent

1

T1543.001

Launch Daemon

1

T1543.004

Defense Evasion

Hide Artifacts

1

T1564

Resource Forking

1

T1564.009

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/Library/osxmobiledata/com.apple.afsvcpd

Filesize
337KB

MD5
339e12001c4dcab70e331d30a0874366

SHA1
4640aad3ddcbf5050451bb2ab833c9b6ec93c402

SHA256
630e797d16ad81a8af067e33b33e88f960d930fab35345f4683d301d8cfc2313

SHA512
ca863e08b1b3881aac944d8e03dad5589bc9417ce15349988fd03a08ea55f0667bd64fc04ba95358068bde6e2127e9447123c2416511d4b59eb13c61e8b43eec

Download Submit
/var/root/Library/LaunchAgents/com.apple.afsvcpd.plist

Filesize
429B

MD5
b29145cf94cd1ef0d81552c333c3603a

SHA1
4095a7b7b982b8875a6256919b7d80c50b0a2799

SHA256
2cac13ffabc18f7010fffce9f31aaacc06e0c5ae898c3faa79d747567ce1e2fc

SHA512
fd0ccb56cb0c5084950ad4d04363ae9919a0bfa76c45554df8a7fe0eb0f8a7ed2525af3b4f64982eedac0f9aaec28b7985b4ce5ec80434fc3cf426cb96b1def0

Download Submit
/var/root/Library/osxmobiledata/com.apple.afsvcpd

Filesize
337KB

MD5
8a0fc450b7923ee8d32ef78ce04799c7

SHA1
ad6207bd06daf4898b67e947a37789b3a0faa9ba

SHA256
da22379095b7d9a3008f723bc5d16fd743bd9deb173167935ffe0ee696126062

SHA512
f13b15a78deacc5e4d3d3a5ec563f7a201ecb12d88795dd4b012bd0b425580576642cf9dd368356c20264f860b11bdc91bf120a2251a2bd478e6e1558646ce10

Download Submit
/var/root/Library/osxmobiledata/com.apple.afsvcpd

Filesize
337KB

MD5
3200b7bd02f2a45b77f9811b12daf4d2

SHA1
9792925d46fab9fab88a718cef94eaedfcaac092

SHA256
26a7913e2b03be12a6d53bfca04597a2dd024f2082f26c61b8db787993109204

SHA512
88e9978eace3f6e53091dd762b059d59405a80456b9de97d5f5995a5a207e440bdf20e68fb9749c5123b05a9b66828bed7c13b0d5a0a2ee22d4efec3f72379a8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads