Analysis Report Nt7gLoFlYn

Overview

General Information

Sample Name: Nt7gLoFlYn (renamed file extension from none to dmg)
Analysis ID: 106234
MD5: 58680abd58baca826c2029f32e5b78b3
SHA1: 98040c4d358a6fb9fed970df283a9b25f0ab393b
SHA256: b34738e181a6119f23e930476ae949fc0c7c4ded6efa003019fa946c4e5b287a

Detection

EvilQuest
Score: 100
Range: 0 - 100
Whitelisted: false

Signatures

Detected macOS EvilQuest ransomware
Yara detected EvilQuest Ransomware
Contains functionality related to in-memory code execution
Contains functionality related to key logging
Contains symbols with suspicious names likely related to anti-analysis
Contains symbols with suspicious names likely related to privilege escalation
Creates hidden Mach-O files
Deletes many files in the user directory
Denies being traced/debugged (via ptrace PT_DENY_ATTACH)
Executes shell scripts with administrative rights
Executes the "sudo" command used to execute a command as another user
Might steal keychain information which contains credentials
Moves itself during installation or deletes itself after installation
Reads local browser cookies
Reads process information of other processes
Writes Mach-O files to untypical directories
Changes permissions of written Mach-O files
Contains symbols with suspicious names likely related to encryption
Contains symbols with suspicious names likely related to networking
Contains symbols with suspicious names likely related to well-known browsers
Creates 'launchd' managed services aka launch agents with bundle ID names to possibly disguise malicious intentions
Creates application bundles
Creates code signed application bundles
Creates hidden files, links and/or directories
Creates memory-persistent launch services
Creates system-wide 'launchd' managed services aka launch daemons
Creates user-wide 'launchd' managed services aka launch agents
Executes Apple scripts and/or other OSA language scripts with shell command 'osascript'
Executes commands using a shell command-line interpreter
Executes the "chmod" command used to modify permissions
Executes the "mkdir" command used to create folders
Executes the "security_authtrampoline" command used to authorize execution with root privileges (GUI prompt)
Explicitly loads/starts launch services
HTTP GET or POST without a user agent
Many shell processes execute programs via execve syscall (might be indicative for malicious behavior)
Reads hardware related sysctl values
Reads launchservices plist files
Reads the sysctl safe boot value (probably to check if the system is in safe boot mode)
Reads the systems OS release and/or type
Reads the systems hostname
Reads user launchservices plist file containing default apps for corresponding file types
Uses AppleScript framework/components containing Apple Script related functionalities
Uses AppleScript scripting additions containing additional functionalities for Apple Scripts
Uses CFNetwork bundle containing interfaces for network communication (HTTP, sockets, and Bonjour)
Uses Security framework containing interfaces for system-level user authentication and authorization
Writes 64-bit Mach-O files to disk
Writes RTF files to disk
Writes a file containing only its PID

Classification

Startup

  • system is mac-mojave
  • Installer (MD5: 93dd388d90b35bc29b3f6cd499ace778) Arguments: /System/Library/CoreServices/Installer.app/Contents/MacOS/Installer
  • installd (MD5: c94a70b5dcbe257244d585c24b6073bb) Arguments: /System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd
    • shove New Fork (PID: 750, Parent: 735)
    • postinstall New Fork (PID: 751, Parent: 735)
      • sh New Fork (PID: 752, Parent: 751)
      • mkdir (MD5: 0948c3e8dfd7f3d3628ca8b819092ccf) Arguments: mkdir /Library/mixednkey
      • sh New Fork (PID: 753, Parent: 751)
      • mv (MD5: 71b4f7c9a383f7c62c738273039ba658) Arguments: mv /Applications/Utils/patch /Library/mixednkey/toolroomd
      • sh New Fork (PID: 754, Parent: 751)
      • rmdir (MD5: a900434ad49b67ad1b43d3dc47fe74ef) Arguments: rmdir /Application/Utils
      • sh New Fork (PID: 755, Parent: 751)
      • chmod (MD5: d7df83ea3a49de5d07e0c1730e910852) Arguments: chmod +x /Library/mixednkey/toolroomd
      • sh New Fork (PID: 756, Parent: 751)
      • toolroomd (MD5: 322f4fb8f257a2e651b128c41df92b1d) Arguments: /Library/mixednkey/toolroomd
        • sh New Fork (PID: 763, Parent: 756)
        • osascript (MD5: bec2959dde44c809741cf5069e08bf0f) Arguments: osascript -e do shell script 'launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd' with administrator privileges
          • security_authtrampoline (MD5: f55206da7dd9b6699ecb7e3e8ce994f7) Arguments: /usr/libexec/security_authtrampoline /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid auth 10 /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid /bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd
          • uid (MD5: cb71c60e99e14478dede15b269f4517f) Arguments: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid /bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd
          • uid (MD5: cb71c60e99e14478dede15b269f4517f) Arguments: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid /bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd
          • sh (MD5: 348affb69862798fd7b2f8874437f649) Arguments: /bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd
            • sh New Fork (PID: 765, Parent: 764)
            • launchctl (MD5: 3e04cf4fe184467aa2dbf4e4d5c72f3d) Arguments: launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
            • sh New Fork (PID: 767, Parent: 764)
            • launchctl (MD5: 3e04cf4fe184467aa2dbf4e4d5c72f3d) Arguments: launchctl start questd
        • sh New Fork (PID: 769, Parent: 756)
        • osascript (MD5: bec2959dde44c809741cf5069e08bf0f) Arguments: osascript -e do shell script 'launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd' with administrator privileges
          • security_authtrampoline (MD5: f55206da7dd9b6699ecb7e3e8ce994f7) Arguments: /usr/libexec/security_authtrampoline /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid auth 15 /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid /bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd
          • uid (MD5: cb71c60e99e14478dede15b269f4517f) Arguments: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid /bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd
          • uid (MD5: cb71c60e99e14478dede15b269f4517f) Arguments: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid /bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd
          • sh (MD5: 348affb69862798fd7b2f8874437f649) Arguments: /bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd
            • sh New Fork (PID: 771, Parent: 770)
            • launchctl (MD5: 3e04cf4fe184467aa2dbf4e4d5c72f3d) Arguments: launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
            • sh New Fork (PID: 772, Parent: 770)
            • launchctl (MD5: 3e04cf4fe184467aa2dbf4e4d5c72f3d) Arguments: launchctl start questd
        • sh New Fork (PID: 773, Parent: 756)
        • osascript (MD5: bec2959dde44c809741cf5069e08bf0f) Arguments: osascript -e do shell script 'launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd' with administrator privileges
          • security_authtrampoline (MD5: f55206da7dd9b6699ecb7e3e8ce994f7) Arguments: /usr/libexec/security_authtrampoline /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid auth 17 /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid /bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd
          • uid (MD5: cb71c60e99e14478dede15b269f4517f) Arguments: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid /bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd
          • uid (MD5: cb71c60e99e14478dede15b269f4517f) Arguments: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid /bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd
          • sh (MD5: 348affb69862798fd7b2f8874437f649) Arguments: /bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd
            • sh New Fork (PID: 775, Parent: 774)
            • launchctl (MD5: 3e04cf4fe184467aa2dbf4e4d5c72f3d) Arguments: launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
            • sh New Fork (PID: 776, Parent: 774)
            • launchctl (MD5: 3e04cf4fe184467aa2dbf4e4d5c72f3d) Arguments: launchctl start questd
        • sh New Fork (PID: 777, Parent: 756)
        • osascript (MD5: bec2959dde44c809741cf5069e08bf0f) Arguments: osascript -e do shell script 'launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd' with administrator privileges
          • security_authtrampoline (MD5: f55206da7dd9b6699ecb7e3e8ce994f7) Arguments: /usr/libexec/security_authtrampoline /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid auth 18 /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid /bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd
          • uid (MD5: cb71c60e99e14478dede15b269f4517f) Arguments: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid /bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd
          • uid (MD5: cb71c60e99e14478dede15b269f4517f) Arguments: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid /bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd
          • sh (MD5: 348affb69862798fd7b2f8874437f649) Arguments: /bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd
            • sh New Fork (PID: 779, Parent: 778)
            • launchctl (MD5: 3e04cf4fe184467aa2dbf4e4d5c72f3d) Arguments: launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
            • sh New Fork (PID: 780, Parent: 778)
            • launchctl (MD5: 3e04cf4fe184467aa2dbf4e4d5c72f3d) Arguments: launchctl start questd
        • sh New Fork (PID: 797, Parent: 756)
        • osascript (MD5: bec2959dde44c809741cf5069e08bf0f) Arguments: osascript -e do shell script 'launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd' with administrator privileges
          • security_authtrampoline (MD5: f55206da7dd9b6699ecb7e3e8ce994f7) Arguments: /usr/libexec/security_authtrampoline /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid auth 18 /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid /bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd
          • uid (MD5: cb71c60e99e14478dede15b269f4517f) Arguments: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid /bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd
          • uid (MD5: cb71c60e99e14478dede15b269f4517f) Arguments: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid /bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd
          • sh (MD5: 348affb69862798fd7b2f8874437f649) Arguments: /bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd
            • sh New Fork (PID: 799, Parent: 798)
            • launchctl (MD5: 3e04cf4fe184467aa2dbf4e4d5c72f3d) Arguments: launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
            • sh New Fork (PID: 800, Parent: 798)
            • launchctl (MD5: 3e04cf4fe184467aa2dbf4e4d5c72f3d) Arguments: launchctl start questd
        • sh New Fork (PID: 801, Parent: 756)
        • osascript (MD5: bec2959dde44c809741cf5069e08bf0f) Arguments: osascript -e do shell script 'launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd' with administrator privileges
          • security_authtrampoline (MD5: f55206da7dd9b6699ecb7e3e8ce994f7) Arguments: /usr/libexec/security_authtrampoline /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid auth 18 /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid /bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd
          • uid (MD5: cb71c60e99e14478dede15b269f4517f) Arguments: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid /bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd
          • uid (MD5: cb71c60e99e14478dede15b269f4517f) Arguments: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid /bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd
          • sh (MD5: 348affb69862798fd7b2f8874437f649) Arguments: /bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd
            • sh New Fork (PID: 803, Parent: 802)
            • launchctl (MD5: 3e04cf4fe184467aa2dbf4e4d5c72f3d) Arguments: launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
            • sh New Fork (PID: 804, Parent: 802)
            • launchctl (MD5: 3e04cf4fe184467aa2dbf4e4d5c72f3d) Arguments: launchctl start questd
        • sh New Fork (PID: 806, Parent: 756)
        • osascript (MD5: bec2959dde44c809741cf5069e08bf0f) Arguments: osascript -e do shell script 'launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd' with administrator privileges
          • security_authtrampoline (MD5: f55206da7dd9b6699ecb7e3e8ce994f7) Arguments: /usr/libexec/security_authtrampoline /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid auth 18 /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid /bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd
          • uid (MD5: cb71c60e99e14478dede15b269f4517f) Arguments: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid /bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd
          • uid (MD5: cb71c60e99e14478dede15b269f4517f) Arguments: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid /bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd
          • sh (MD5: 348affb69862798fd7b2f8874437f649) Arguments: /bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd
            • sh New Fork (PID: 810, Parent: 808)
            • launchctl (MD5: 3e04cf4fe184467aa2dbf4e4d5c72f3d) Arguments: launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
            • sh New Fork (PID: 812, Parent: 808)
            • launchctl (MD5: 3e04cf4fe184467aa2dbf4e4d5c72f3d) Arguments: launchctl start questd
        • sh New Fork (PID: 822, Parent: 756)
        • osascript (MD5: bec2959dde44c809741cf5069e08bf0f) Arguments: osascript -e do shell script 'launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd' with administrator privileges
          • security_authtrampoline (MD5: f55206da7dd9b6699ecb7e3e8ce994f7) Arguments: /usr/libexec/security_authtrampoline /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid auth 18 /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid /bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd
          • uid (MD5: cb71c60e99e14478dede15b269f4517f) Arguments: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid /bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd
          • uid (MD5: cb71c60e99e14478dede15b269f4517f) Arguments: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid /bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd
          • sh (MD5: 348affb69862798fd7b2f8874437f649) Arguments: /bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd
            • sh New Fork (PID: 824, Parent: 823)
            • launchctl (MD5: 3e04cf4fe184467aa2dbf4e4d5c72f3d) Arguments: launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
            • sh New Fork (PID: 825, Parent: 823)
            • launchctl (MD5: 3e04cf4fe184467aa2dbf4e4d5c72f3d) Arguments: launchctl start questd
        • sh New Fork (PID: 835, Parent: 756)
        • osascript (MD5: bec2959dde44c809741cf5069e08bf0f) Arguments: osascript -e do shell script 'launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd' with administrator privileges
          • security_authtrampoline (MD5: f55206da7dd9b6699ecb7e3e8ce994f7) Arguments: /usr/libexec/security_authtrampoline /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid auth 18 /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid /bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd
          • uid (MD5: cb71c60e99e14478dede15b269f4517f) Arguments: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid /bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd
          • uid (MD5: cb71c60e99e14478dede15b269f4517f) Arguments: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid /bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd
          • sh (MD5: 348affb69862798fd7b2f8874437f649) Arguments: /bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd
            • sh New Fork (PID: 837, Parent: 836)
            • launchctl (MD5: 3e04cf4fe184467aa2dbf4e4d5c72f3d) Arguments: launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
            • sh New Fork (PID: 838, Parent: 836)
            • launchctl (MD5: 3e04cf4fe184467aa2dbf4e4d5c72f3d) Arguments: launchctl start questd
        • sh New Fork (PID: 839, Parent: 756)
        • osascript (MD5: bec2959dde44c809741cf5069e08bf0f) Arguments: osascript -e beep 18say 'Your files are encrypted' waiting until completion falseset alTitle to 'Many of your important documents, photos, videos, images and other files are no longer accessible because they have been encrypted.Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service.We guarantee however that you can recover your files safely and easily and this will cost you 50 USD without any additional fees.Our offer is valid FOR 3 DAYS (starting now!). Full details can be found in the file: READ_ME_NOW.txt located on your Desktop'set alText to 'Your files are encrypted'display alert alText message alTitle as critical buttons {'OK'}set the clipboard to '13roGMpWd7Pb3ZoJyce8eoQpfegQvGHHK7'
  • iBooksCacheDelete (MD5: d712c1710db543f2f6000412ed3314b0) Arguments: /Applications/Books.app/Contents/PlugIns/iBooksCacheDelete.appex/Contents/MacOS/iBooksCacheDelete
  • sudo (MD5: 3ad133b223883539638210c984bb92d0) Arguments: sudo /Library/AppQuest/com.apple.questd --silent
    • sudo New Fork (PID: 768, Parent: 766)
    • com.apple.questd (MD5: 322f4fb8f257a2e651b128c41df92b1d) Arguments: /Library/AppQuest/com.apple.questd --silent
      • sh New Fork (PID: 781, Parent: 768)
      • osascript (MD5: bec2959dde44c809741cf5069e08bf0f) Arguments: osascript -e do shell script 'launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd' with administrator privileges
        • security_authtrampoline (MD5: f55206da7dd9b6699ecb7e3e8ce994f7) Arguments: /usr/libexec/security_authtrampoline /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid auth 10 /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid /bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd
        • uid (MD5: cb71c60e99e14478dede15b269f4517f) Arguments: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid /bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd
        • uid (MD5: cb71c60e99e14478dede15b269f4517f) Arguments: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid /bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd
        • sh (MD5: 348affb69862798fd7b2f8874437f649) Arguments: /bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd
          • sh New Fork (PID: 783, Parent: 782)
          • launchctl (MD5: 3e04cf4fe184467aa2dbf4e4d5c72f3d) Arguments: launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
          • sh New Fork (PID: 784, Parent: 782)
          • launchctl (MD5: 3e04cf4fe184467aa2dbf4e4d5c72f3d) Arguments: launchctl start questd
      • sh New Fork (PID: 785, Parent: 768)
      • osascript (MD5: bec2959dde44c809741cf5069e08bf0f) Arguments: osascript -e do shell script 'launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd' with administrator privileges
        • security_authtrampoline (MD5: f55206da7dd9b6699ecb7e3e8ce994f7) Arguments: /usr/libexec/security_authtrampoline /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid auth 14 /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid /bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd
        • uid (MD5: cb71c60e99e14478dede15b269f4517f) Arguments: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid /bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd
        • uid (MD5: cb71c60e99e14478dede15b269f4517f) Arguments: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid /bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd
        • sh (MD5: 348affb69862798fd7b2f8874437f649) Arguments: /bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd
          • sh New Fork (PID: 787, Parent: 786)
          • launchctl (MD5: 3e04cf4fe184467aa2dbf4e4d5c72f3d) Arguments: launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
          • sh New Fork (PID: 788, Parent: 786)
          • launchctl (MD5: 3e04cf4fe184467aa2dbf4e4d5c72f3d) Arguments: launchctl start questd
      • sh New Fork (PID: 789, Parent: 768)
      • osascript (MD5: bec2959dde44c809741cf5069e08bf0f) Arguments: osascript -e do shell script 'launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd' with administrator privileges
        • security_authtrampoline (MD5: f55206da7dd9b6699ecb7e3e8ce994f7) Arguments: /usr/libexec/security_authtrampoline /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid auth 17 /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid /bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd
        • uid (MD5: cb71c60e99e14478dede15b269f4517f) Arguments: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid /bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd
        • uid (MD5: cb71c60e99e14478dede15b269f4517f) Arguments: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid /bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd
        • sh (MD5: 348affb69862798fd7b2f8874437f649) Arguments: /bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd
          • sh New Fork (PID: 791, Parent: 790)
          • launchctl (MD5: 3e04cf4fe184467aa2dbf4e4d5c72f3d) Arguments: launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
          • sh New Fork (PID: 792, Parent: 790)
          • launchctl (MD5: 3e04cf4fe184467aa2dbf4e4d5c72f3d) Arguments: launchctl start questd
      • sh New Fork (PID: 793, Parent: 768)
      • osascript (MD5: bec2959dde44c809741cf5069e08bf0f) Arguments: osascript -e do shell script 'launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd' with administrator privileges
        • security_authtrampoline (MD5: f55206da7dd9b6699ecb7e3e8ce994f7) Arguments: /usr/libexec/security_authtrampoline /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid auth 18 /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid /bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd
        • uid (MD5: cb71c60e99e14478dede15b269f4517f) Arguments: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid /bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd
        • uid (MD5: cb71c60e99e14478dede15b269f4517f) Arguments: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid /bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd
        • sh (MD5: 348affb69862798fd7b2f8874437f649) Arguments: /bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd
          • sh New Fork (PID: 795, Parent: 794)
          • launchctl (MD5: 3e04cf4fe184467aa2dbf4e4d5c72f3d) Arguments: launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
          • sh New Fork (PID: 796, Parent: 794)
          • launchctl (MD5: 3e04cf4fe184467aa2dbf4e4d5c72f3d) Arguments: launchctl start questd
      • sh New Fork (PID: 805, Parent: 768)
      • osascript (MD5: bec2959dde44c809741cf5069e08bf0f) Arguments: osascript -e do shell script 'launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd' with administrator privileges
        • security_authtrampoline (MD5: f55206da7dd9b6699ecb7e3e8ce994f7) Arguments: /usr/libexec/security_authtrampoline /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid auth 17 /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid /bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd
        • uid (MD5: cb71c60e99e14478dede15b269f4517f) Arguments: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid /bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd
        • uid (MD5: cb71c60e99e14478dede15b269f4517f) Arguments: /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid /bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd
        • sh (MD5: 348affb69862798fd7b2f8874437f649) Arguments: /bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd
          • sh New Fork (PID: 809, Parent: 807)
          • launchctl (MD5: 3e04cf4fe184467aa2dbf4e4d5c72f3d) Arguments: launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
          • sh New Fork (PID: 811, Parent: 807)
          • launchctl (MD5: 3e04cf4fe184467aa2dbf4e4d5c72f3d) Arguments: launchctl start questd
      • sh New Fork (PID: 813, Parent: 768)
      • osascript (MD5: bec2959dde44c809741cf5069e08bf0f) Arguments: osascript -e do shell script 'launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd' with administrator privileges
        • security_authtrampoline (MD5: f55206da7dd9b6699ecb7e3e8ce994f7) Arguments: /usr/libexec/security_authtrampoline /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid auth 18 /System/Library/ScriptingAdditions/StandardAdditions.osax/Contents/MacOS/uid /bin/sh -c launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist launchctl start questd
        • uid (MD5: cb71c60e99e14478d