cac515badb605cef28052c10ebc19a3cf6a3eeabc240b4c4e1108237071be1c5

Analysis

max time kernel
149s
max time network
140s
platform
macos-10.15_amd64
resource
macos-20241106-en
resource tags

arch:amd64arch:i386image:macos-20241106-enkernel:19b77alocale:en-usos:macos-10.15-amd64system
submitted
19-12-2024 09:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-19_2d15c816826bf21e01fecde56f00ee13_adload_evilquest_rekoobe
Size

190KB
MD5

2d15c816826bf21e01fecde56f00ee13
SHA1

460b6a50d745ce20431c6e0e0346ee284cbb9173
SHA256

cac515badb605cef28052c10ebc19a3cf6a3eeabc240b4c4e1108237071be1c5
SHA512

e290f212bff5f5701e9c9ed4ef1d88f4e3bc3b261401d3352c89c37fca0cdf65ac150568852b9ff124584223298e2eb2cc2b755881b627e736086523b85b4e8a
SSDEEP

3072:cx6SZwEgOQtbap1jZNFnYo6w68cqhS2iJvHLzxq9jYzFt0p2Dn5km:5SeOQdaZNxtk8cqhSxvHY9cpM2Dn5km

Score

5^/10

evasion execution persistence

Malware Config

Signatures

Launch Agent 1 TTPs
Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence.
persistence

Launch Agent
T1543.001
Launch Daemon 1 TTPs
Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS.
persistence

Launch Daemon
T1543.004

AppleScript 1 TTPs 46 IoCs

AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.

execution

AppleScript

T1059.002

ioc	Process
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
osascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
osascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
osascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
osascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
osascript -e "do shell script \"sudo /Library/osxmobiledata/com.apple.afsvcpd\" with administrator privileges"	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
osascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
osascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
sh -c "osascript -e \"do shell script \\\"sudo /Library/osxmobiledata/com.apple.afsvcpd\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found

Resource Forking 1 TTPs 2 IoCs

Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.

evasion

Resource Forking

T1564.009

ioc	Process
/System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer	Process not Found
"/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater" -bgcheck	Process not Found

Launchctl 1 TTPs 64 IoCs

Adversaries may abuse launchctl to execute commands or programs. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.

execution

Launchctl

T1569.001

ioc	Process
sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist	Process not Found
launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
osascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"	Process not Found
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"	Process not Found
osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist	Process not Found
launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"	Process not Found
launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist	Process not Found
osascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist	Process not Found
/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"	Process not Found
osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist	Process not Found
osascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist	Process not Found
launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"	Process not Found
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"	Process not Found
launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist	Process not Found
launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
osascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"	Process not Found
launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist	Process not Found
osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"	Process not Found
launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
launchctl start afsvcpd	Process not Found
launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist	Process not Found
/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"	Process not Found
osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"	Process not Found
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist	Process not Found
launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""	Process not Found
/bin/sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"	Process not Found

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/2024-12-19_2d15c816826bf21e01fecde56f00ee13_adload_evilquest_rekoobe\""
1⤵
PID:456

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/2024-12-19_2d15c816826bf21e01fecde56f00ee13_adload_evilquest_rekoobe\""
1⤵
PID:456

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/2024-12-19_2d15c816826bf21e01fecde56f00ee13_adload_evilquest_rekoobe
1⤵
PID:456
- /bin/zsh
  /bin/zsh -c /Users/run/2024-12-19_2d15c816826bf21e01fecde56f00ee13_adload_evilquest_rekoobe
  2⤵
  PID:458
- /Users/run/2024-12-19_2d15c816826bf21e01fecde56f00ee13_adload_evilquest_rekoobe
  /Users/run/2024-12-19_2d15c816826bf21e01fecde56f00ee13_adload_evilquest_rekoobe
  2⤵
  PID:458
- - /Users/run/.2024-12-19_2d15c816826bf21e01fecde56f00ee13_adload_evilquest_rekoobe1
    /Users/run/.2024-12-19_2d15c816826bf21e01fecde56f00ee13_adload_evilquest_rekoobe1
    3⤵
    PID:504

/System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer
/System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer
1⤵
PID:451

/System/Library/PrivateFrameworks/SpeechObjects.framework/Versions/A/SpeechDataInstallerd.app/Contents/MacOS/SpeechDataInstallerd
/System/Library/PrivateFrameworks/SpeechObjects.framework/Versions/A/SpeechDataInstallerd.app/Contents/MacOS/SpeechDataInstallerd
1⤵
PID:444

/System/Library/CoreServices/Applications/Feedback Assistant.app/Contents/Library/LaunchServices/seedusaged
"/System/Library/CoreServices/Applications/Feedback Assistant.app/Contents/Library/LaunchServices/seedusaged"
1⤵
PID:442

/usr/libexec/pkreporter
/usr/libexec/pkreporter
1⤵
PID:447

/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater
"/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater" -bgcheck
1⤵
PID:454

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:461

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:461

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:461

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:484

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:484

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:484

/usr/libexec/xpcproxy
xpcproxy com.apple.security.authtrampoline
1⤵
PID:485

/System/Library/Frameworks/Security.framework/authtrampoline
/System/Library/Frameworks/Security.framework/authtrampoline
1⤵
PID:485

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:486

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:486

/bin/launchctl
launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist
1⤵
PID:486

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:487

/usr/bin/sudo
sudo /Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:487
- /Library/osxmobiledata/com.apple.afsvcpd
  /Library/osxmobiledata/com.apple.afsvcpd --silent
  2⤵
  PID:490

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:488

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:488

/usr/bin/osascript
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:488

/bin/sh
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:489

/bin/bash
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:489

/bin/launchctl
launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist
1⤵
PID:489

/bin/sh
sh -c "osascript -e \"do shell script \\\"sudo /Library/osxmobiledata/com.apple.afsvcpd\\\" with administrator privileges\""
1⤵
PID:492

/bin/bash
sh -c "osascript -e \"do shell script \\\"sudo /Library/osxmobiledata/com.apple.afsvcpd\\\" with administrator privileges\""
1⤵
PID:492

/usr/bin/osascript
osascript -e "do shell script \"sudo /Library/osxmobiledata/com.apple.afsvcpd\" with administrator privileges"
1⤵
PID:492

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:493

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:493

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:493

/bin/sh
/bin/sh -c "sudo /Library/osxmobiledata/com.apple.afsvcpd"
1⤵
PID:494

/bin/bash
/bin/sh -c "sudo /Library/osxmobiledata/com.apple.afsvcpd"
1⤵
PID:494

/usr/bin/sudo
sudo /Library/osxmobiledata/com.apple.afsvcpd
1⤵
PID:494
- /Library/osxmobiledata/com.apple.afsvcpd
  /Library/osxmobiledata/com.apple.afsvcpd
  2⤵
  PID:495

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:496

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:496

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:496

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:499

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:499

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:499

/bin/sh
/bin/sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:501

/bin/bash
/bin/sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:501

/bin/launchctl
launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:501

/bin/sh
sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:502

/bin/bash
sh -c "launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:502

/bin/launchctl
launchctl load -w /Users/run/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:502

/bin/sh
sh -c "launchctl start afsvcpd"
1⤵
PID:503

/bin/bash
sh -c "launchctl start afsvcpd"
1⤵
PID:503

/bin/launchctl
launchctl start afsvcpd
1⤵
PID:503

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:506

/usr/bin/sudo
sudo /Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:506
- /Library/osxmobiledata/com.apple.afsvcpd
  /Library/osxmobiledata/com.apple.afsvcpd --silent
  2⤵
  PID:508

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:509

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:509

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:509

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:511

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:511

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:511

/bin/sh
/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:512

/bin/bash
/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:512

/bin/launchctl
launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:512

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:513

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:513

/usr/bin/osascript
osascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:513

/bin/sh
/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:514

/bin/bash
/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:514

/bin/launchctl
launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:514

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:516

/usr/bin/sudo
sudo /Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:516
- /Library/osxmobiledata/com.apple.afsvcpd
  /Library/osxmobiledata/com.apple.afsvcpd --silent
  2⤵
  PID:517

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:518

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:518

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:518

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:519

/usr/libexec/xpcproxy
xpcproxy com.apple.nsurlstoraged
1⤵
PID:520

/usr/libexec/nsurlstoraged
/usr/libexec/nsurlstoraged --privileged
1⤵
PID:520

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:523

/usr/bin/sudo
sudo /Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:523
- /Library/osxmobiledata/com.apple.afsvcpd
  /Library/osxmobiledata/com.apple.afsvcpd --silent
  2⤵
  PID:524

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:525

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:525

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:525

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:526

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:526

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:526

/bin/sh
/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:527

/bin/bash
/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:527

/bin/launchctl
launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:527

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:528

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:528

/usr/bin/osascript
osascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:528

/bin/sh
/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:529

/bin/bash
/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:529

/bin/launchctl
launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:529

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:530

/usr/bin/sudo
sudo /Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:530
- /Library/osxmobiledata/com.apple.afsvcpd
  /Library/osxmobiledata/com.apple.afsvcpd --silent
  2⤵
  PID:531

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:532

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:532

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:532

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:533

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:536

/usr/bin/sudo
sudo /Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:536
- /Library/osxmobiledata/com.apple.afsvcpd
  /Library/osxmobiledata/com.apple.afsvcpd --silent
  2⤵
  PID:537

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:538

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:538

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:538

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:539

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:542

/usr/bin/sudo
sudo /Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:542
- /Library/osxmobiledata/com.apple.afsvcpd
  /Library/osxmobiledata/com.apple.afsvcpd --silent
  2⤵
  PID:543

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:544

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:544

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:544

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:545

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:546

/usr/bin/sudo
sudo /Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:546
- /Library/osxmobiledata/com.apple.afsvcpd
  /Library/osxmobiledata/com.apple.afsvcpd --silent
  2⤵
  PID:547

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:548

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:548

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:548

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:549

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:550

/usr/bin/sudo
sudo /Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:550
- /Library/osxmobiledata/com.apple.afsvcpd
  /Library/osxmobiledata/com.apple.afsvcpd --silent
  2⤵
  PID:551

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:552

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:552

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:552

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:553

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:553

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:553

/bin/sh
/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:554

/bin/bash
/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:554

/bin/launchctl
launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:554

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:555

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:555

/usr/bin/osascript
osascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:555

/bin/sh
/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:556

/bin/bash
/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:556

/bin/launchctl
launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:556

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:557

/usr/bin/sudo
sudo /Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:557
- /Library/osxmobiledata/com.apple.afsvcpd
  /Library/osxmobiledata/com.apple.afsvcpd --silent
  2⤵
  PID:558

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:559

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:559

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:559

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:560

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:560

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:560

/bin/sh
/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:561

/bin/bash
/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:561

/bin/launchctl
launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:561

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:562

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:562

/usr/bin/osascript
osascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:562

/bin/sh
/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:563

/bin/bash
/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:563

/bin/launchctl
launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:563

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:564

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:564

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:564

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:565

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:565

/bin/launchctl
launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist
1⤵
PID:565

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:566

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:566

/usr/bin/osascript
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:566

/bin/sh
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:567

/bin/bash
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:567

/bin/launchctl
launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist
1⤵
PID:567

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:568

/usr/bin/sudo
sudo /Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:568
- /Library/osxmobiledata/com.apple.afsvcpd
  /Library/osxmobiledata/com.apple.afsvcpd --silent
  2⤵
  PID:569

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:570

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:570

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:570

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:571

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:571

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:571

/bin/sh
/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:572

/bin/bash
/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:572

/bin/launchctl
launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:572

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:573

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:573

/usr/bin/osascript
osascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:573

/bin/sh
/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:574

/bin/bash
/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:574

/bin/launchctl
launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:574

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:575

/usr/bin/sudo
sudo /Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:575
- /Library/osxmobiledata/com.apple.afsvcpd
  /Library/osxmobiledata/com.apple.afsvcpd --silent
  2⤵
  PID:576

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:577

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:577

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:577

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:578

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:578

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:578

/bin/sh
/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:579

/bin/bash
/bin/sh -c "launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:579

/bin/launchctl
launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:579

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:580

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:580

/usr/bin/osascript
osascript -e "do shell script \"launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:580

/bin/sh
/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:581

/bin/bash
/bin/sh -c "launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist"
1⤵
PID:581

/bin/launchctl
launchctl start /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist
1⤵
PID:581

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:582

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:582

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:582

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:583

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:583

/bin/launchctl
launchctl load -w /Library/LaunchDaemons/com.apple.afsvcpd.plist
1⤵
PID:583

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:584

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:584

/usr/bin/osascript
osascript -e "do shell script \"launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist\" with administrator privileges"
1⤵
PID:584

/bin/sh
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:585

/bin/bash
/bin/sh -c "launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist"
1⤵
PID:585

/bin/launchctl
launchctl start /Library/LaunchDaemons/com.apple.afsvcpd.plist
1⤵
PID:585

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:586

/usr/bin/sudo
sudo /Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:586
- /Library/osxmobiledata/com.apple.afsvcpd
  /Library/osxmobiledata/com.apple.afsvcpd --silent
  2⤵
  PID:587

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:588

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:588

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:588

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /var/root/Library/LaunchAgents/com.apple.afsvcpd.plist\\\" with administrator privileges\""
1⤵
PID:589

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:590

/usr/bin/sudo
sudo /Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:590
- /Library/osxmobiledata/com.apple.afsvcpd
  /Library/osxmobiledata/com.apple.afsvcpd --silent
  2⤵
  PID:591

/bin/sh
sh -c "sysctl -n hw.ncpu"
1⤵
PID:592

/bin/bash
sh -c "sysctl -n hw.ncpu"
1⤵
PID:592

/usr/sbin/sysctl
sysctl -n hw.ncpu
1⤵
PID:592

/usr/libexec/xpcproxy
xpcproxy afsvcpd
1⤵
PID:593

/usr/bin/sudo
sudo /Library/osxmobiledata/com.apple.afsvcpd --silent
1⤵
PID:593
- /Library/osxmobiledata/com.apple.afsvcpd
  /Library/osxmobiledata/com.apple.afsvcpd --silent
  2⤵
  PID:594

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

AppleScript

T1059.002

System Services

T1569

Launchctl

T1569.001

Persistence

Create or Modify System Process

T1543

Launch Agent

T1543.001

Launch Daemon

T1543.004

Privilege Escalation

Create or Modify System Process

T1543

Launch Agent

T1543.001

Launch Daemon

T1543.004

Defense Evasion

Hide Artifacts

T1564

Resource Forking

T1564.009

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/var/db/nsurlstoraged/dafsaData.bin

Filesize
54KB

MD5
64f469698e53d0c828b7f90acd306082

SHA1
bcc041b3849e1b0b4104ffeb46002207eeac54f3

SHA256
d74d0e429343f5e1b3e0b9437e048917c4343a30cff068739ea898bad8e37ffd

SHA512
a8334d1304f2fbd32cfd0ca35c289a45c450746cf3be57170cbbe87b723b1910c2e950a73c1fb82de9dc5ed623166d339a05fec3d78b861a9254dc2cb51fab5f

Download Submit