d30538787f9b9b9c2bdb9a438e49b39e655642bc1ce21dac8a7b58f71d0f3f45

Analysis

max time kernel
127s
max time network
0s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20231222-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20231222-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
14/02/2024, 13:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

al.txt
Size

3KB
MD5

a84cc0a810b8772bfd33e660dd1f05da
SHA1

155b9c06a1e3896f6336ea7a250078a015d269e5
SHA256

d30538787f9b9b9c2bdb9a438e49b39e655642bc1ce21dac8a7b58f71d0f3f45
SHA512

ecf516c1147ea307c2254c4b622bfc24984f011be42fe1a4c3356ae2bde51192af13f77f7238a2ba93233f4516a34478a893fdc035f901426540ba00ecb21421

Score

6^/10

persistence

Malware Config

Signatures

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.CpZ1rC	crontab

Enumerates running processes
Discovers information about currently running processes on the system

Reads CPU attributes 1 TTPs 64 IoCs

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	top
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	kill

Enumerates kernel/hardware configuration 1 TTPs 3 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/node/node0/meminfo	top
File opened for reading	/sys/devices/system/cpu	top
File opened for reading	/sys/devices/system/node	top

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/1374/cmdline	pkill
File opened for reading	/proc/11/status	pkill
File opened for reading	/proc/1034	ls
File opened for reading	/proc/1120/cmdline	pkill
File opened for reading	/proc/484/cmdline	ps
File opened for reading	/proc/6/cmdline	pkill
File opened for reading	/proc/84/cmdline	pkill
File opened for reading	/proc/19/status	pkill
File opened for reading	/proc/1275/status	pkill
File opened for reading	/proc/1234/cmdline	pkill
File opened for reading	/proc/1715/stat	ps
File opened for reading	/proc/18/cmdline	pkill
File opened for reading	/proc/1101/status	pkill
File opened for reading	/proc/29/cmdline	pkill
File opened for reading	/proc/450/cmdline	pgrep
File opened for reading	/proc/1049/cmdline	pkill
File opened for reading	/proc/1101/cmdline	pkill
File opened for reading	/proc/198/cmdline	pkill
File opened for reading	/proc/36/cmdline	pkill
File opened for reading	/proc/166/status	pkill
File opened for reading	/proc/35/cmdline	pkill
File opened for reading	/proc/21/stat	ps
File opened for reading	/proc/881/cmdline	ps
File opened for reading	/proc/1153/cmdline	pkill
File opened for reading	/proc/10/statm	top
File opened for reading	/proc/165/status	pkill
File opened for reading	/proc/1664/stat	ps
File opened for reading	/proc/7/status	pkill
File opened for reading	/proc/1110/status	pkill
File opened for reading	/proc/450/stat	ps
File opened for reading	/proc/173/stat	ps
File opened for reading	/proc/159/status	pkill
File opened for reading	/proc/1128/cmdline	pkill
File opened for reading	/proc/31/status	pkill
File opened for reading	/proc/336/status	pkill
File opened for reading	/proc/1230/status	pgrep
File opened for reading	/proc/80/cmdline	pkill
File opened for reading	/proc/650/status	pkill
File opened for reading	/proc/970/status	ps
File opened for reading	/proc/1159/status	ps
File opened for reading	/proc/151/cmdline	pkill
File opened for reading	/proc/1165/status	pkill
File opened for reading	/proc/1169/cmdline	pkill
File opened for reading	/proc/164/status	pkill
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/1134/cmdline	ps
File opened for reading	/proc/993/cmdline	ps
File opened for reading	/proc/507/status	pkill
File opened for reading	/proc/972/status	pkill
File opened for reading	/proc/654/status	pkill
File opened for reading	/proc/11/status	pkill
File opened for reading	/proc/808/status	pkill
File opened for reading	/proc/1153/status	pkill
File opened for reading	/proc/166/cmdline	pkill
File opened for reading	/proc/1291/status	pkill
File opened for reading	/proc/1550/status	pkill
File opened for reading	/proc/78/cmdline	pkill
File opened for reading	/proc/650/cmdline	pkill
File opened for reading	/proc/1126/status	pkill
File opened for reading	/proc/22/status	pkill
File opened for reading	/proc/12/cmdline	pkill
File opened for reading	/proc/1110/cmdline	pkill
File opened for reading	/proc/168/stat	ps
File opened for reading	/proc/993/status	pkill

Writes file to tmp directory 3 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/~/.bash_profile	al.txt
File opened for modification	/tmp/~/.bash_history	al.txt
File opened for modification	/tmp/~/.bashrc	al.txt

/tmp/al.txt
/tmp/al.txt
1⤵
- Writes file to tmp directory
PID:1556
- /bin/rm
  rm -f "/dev/shm/*"
  2⤵
  PID:1557
- /bin/rm
  rm -f /dev/shm/. /dev/shm/..
  2⤵
  PID:1558
- /usr/bin/pkill
  pkill -f telnetd
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1559
- /usr/bin/pkill
  pkill -f network-managerr
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1560
- /usr/bin/pkill
  pkill -f ipv6_addrconfd
  2⤵
  - Reads CPU attributes
  PID:1561
- /usr/bin/pkill
  pkill -f bdus-daemon
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1562
- /usr/bin/pkill
  pkill JavaUpdate
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1563
- /usr/bin/pkill
  pkill SSHD2
  2⤵
  - Reads CPU attributes
  PID:1564
- /usr/bin/pkill
  pkill LSHT
  2⤵
  - Reads CPU attributes
  PID:1565
- /usr/bin/pgrep
  pgrep LSHT
  2⤵
  - Reads runtime system information
  PID:1566
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1567
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1568
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1568
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1568
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1568
- - /sbin/kill
    kill -9
    3⤵
    PID:1568
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:1568
- /bin/chmod
  chmod +w /var/tmp/.bin
  2⤵
  PID:1569
- /bin/rm
  rm -rf /var/tmp/.bin
  2⤵
  PID:1570
- /bin/rm
  rm -rf "~/.bash_history"
  2⤵
  PID:1571
- /usr/bin/touch
  touch /var/tmp/.bin
  2⤵
  PID:1572
- /usr/bin/pkill
  pkill mysqlserver
  2⤵
  - Reads CPU attributes
  PID:1573
- /usr/bin/pkill
  pkill gitlab-redis
  2⤵
  - Reads CPU attributes
  PID:1574
- /bin/rm
  rm -rf /var/tmp/. /var/tmp/.. /var/tmp/.bin
  2⤵
  PID:1575
- /usr/bin/pkill
  pkill -9 -f donate
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1576
- /usr/bin/pkill
  pkill -f /tmp/.solr
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1577
- /usr/bin/pkill
  pkill -9 -f crond64
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1578
- /usr/bin/pkill
  pkill -9 -f stratum
  2⤵
  PID:1579
- /usr/bin/pkill
  pkill -9 -f /tmp/java
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1580
- /usr/bin/pkill
  pkill -9 -f KIXER
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1581
- /usr/bin/pkill
  pkill -9 -f /tmp/system
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1582
- /usr/bin/pkill
  pkill -9 -f telnetd
  2⤵
  - Reads CPU attributes
  PID:1583
- /usr/bin/pkill
  pkill -9 -f agettyd
  2⤵
  - Reads CPU attributes
  PID:1584
- /usr/bin/pkill
  pkill -9 -f /var/tmp
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1585
- /usr/bin/pkill
  pkill -9 -f "\\./python"
  2⤵
  - Reads CPU attributes
  PID:1586
- /usr/bin/pkill
  pkill -9 -f "\\./crun"
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1587
- /usr/bin/pkill
  pkill -9 -f "\\./\\."
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1588
- /usr/bin/pkill
  pkill -9 -f "118/cf\\.sh"
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1589
- /usr/bin/pkill
  pkill -9 "\\.6379"
  2⤵
  - Reads CPU attributes
  PID:1590
- /usr/bin/pkill
  pkill -9 "load\\.sh"
  2⤵
  PID:1591
- /usr/bin/pkill
  pkill -9 "init\\.sh"
  2⤵
  - Reads CPU attributes
  PID:1595
- /usr/bin/pkill
  pkill -9 "solr\\.sh"
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1596
- /usr/bin/pkill
  pkill -9 "\\.rsyslogds"
  2⤵
  - Reads CPU attributes
  PID:1597
- /usr/bin/pkill
  pkill -9 pnscan
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1598
- /usr/bin/pkill
  pkill -9 masscan
  2⤵
  - Reads runtime system information
  PID:1599
- /usr/bin/pkill
  pkill -9 kthreaddi
  2⤵
  PID:1600
- /usr/bin/pkill
  pkill -9 sysguard
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1601
- /usr/bin/pkill
  pkill -9 kthreaddk
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1602
- /usr/bin/pkill
  pkill -9 kdevtmpfsi
  2⤵
  - Reads runtime system information
  PID:1603
- /usr/bin/pkill
  pkill -9 networkservice
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1604
- /usr/bin/pkill
  pkill -9 sysupdate
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1605
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1610
- /usr/bin/awk
  awk "{if(\$9<=50.0) print \$1}"
  2⤵
  PID:1609
- /bin/grep
  grep unifiw
  2⤵
  PID:1608
- /bin/grep
  grep -v grep
  2⤵
  PID:1607
- /usr/bin/top
  top -b -n 1
  2⤵
  - Reads CPU attributes
  - Enumerates kernel/hardware configuration
  - Reads runtime system information
  PID:1606
- /usr/bin/pkill
  pkill -9 phpguard
  2⤵
  - Reads CPU attributes
  PID:1611
- /usr/bin/pkill
  pkill -9 phpupdate
  2⤵
  - Reads CPU attributes
  PID:1612
- /usr/bin/pkill
  pkill -9 networkmanager
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1613
- /usr/bin/pkill
  pkill -9 knthread
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1614
- /usr/bin/pkill
  pkill -9 mysqlserver
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1615
- /usr/bin/pkill
  pkill -9 watchbog
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1616
- /usr/bin/pkill
  pkill -9 xmrig
  2⤵
  - Reads CPU attributes
  PID:1617
- /usr/bin/pkill
  pkill -f /tmp/.x111
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1618
- /usr/bin/killall
  killall "/tmp/.x111/*"
  2⤵
  PID:1619
- /usr/bin/pkill
  pkill -9 -f /dev/shm
  2⤵
  - Reads CPU attributes
  PID:1620
- /usr/bin/pkill
  pkill -9 bashirc
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1621
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1623
- /usr/bin/pgrep
  pgrep pbotbyjanhotzu
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1622
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1628
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1629
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1629
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1629
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1629
- - /sbin/kill
    kill -9
    3⤵
    PID:1629
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:1629
- /bin/sed
  sed -e "s/\\/.*//g"
  2⤵
  PID:1627
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1626
- /bin/grep
  grep :13531
  2⤵
  PID:1625
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1634
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1635
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1635
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1635
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1635
- - /sbin/kill
    kill -9
    3⤵
    PID:1635
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:1635
- /bin/sed
  sed -e "s/\\/.*//g"
  2⤵
  PID:1633
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1632
- /bin/grep
  grep :5555
  2⤵
  PID:1631
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1640
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1641
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1641
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1641
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1641
- - /sbin/kill
    kill -9
    3⤵
    PID:1641
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:1641
- /bin/sed
  sed -e "s/\\/.*//g"
  2⤵
  PID:1639
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1638
- /bin/grep
  grep :33331
  2⤵
  PID:1637
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1646
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1647
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1647
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1647
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1647
- - /sbin/kill
    kill -9
    3⤵
    PID:1647
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:1647
- /bin/sed
  sed -e "s/\\/.*//g"
  2⤵
  PID:1645
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1644
- /bin/grep
  grep :33332
  2⤵
  PID:1643
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1650
- /bin/sed
  sed -e "s/\\/.*//g"
  2⤵
  PID:1651
- /bin/grep
  grep :17777
  2⤵
  PID:1649
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1652
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1653
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1653
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1653
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1653
- - /sbin/kill
    kill -9
    3⤵
    PID:1653
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:1653
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  - Reads runtime system information
  PID:1656
- /bin/grep
  grep :3333
  2⤵
  PID:1655
- /bin/sed
  sed -e "s/\\/.*//g"
  2⤵
  PID:1657
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1658
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1659
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1659
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1659
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1659
- - /sbin/kill
    kill -9
    3⤵
    PID:1659
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:1659
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1663
- /bin/grep
  grep /tmp/.x111
  2⤵
  PID:1662
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1664
- /bin/grep
  grep -v grep
  2⤵
  PID:1661
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1660
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1669
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1668
- /bin/grep
  grep kinsing
  2⤵
  PID:1667
- /bin/grep
  grep -v grep
  2⤵
  PID:1666
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1665
- /bin/grep
  grep kremasys
  2⤵
  PID:1672
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1674
- /bin/grep
  grep -v grep
  2⤵
  PID:1671
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1673
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1670
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1679
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1678
- /bin/grep
  grep "while read procid"
  2⤵
  PID:1677
- /bin/grep
  grep -v grep
  2⤵
  PID:1676
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1675
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1684
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1683
- /bin/grep
  grep kdevtmpfsi
  2⤵
  PID:1682
- /bin/grep
  grep -v grep
  2⤵
  PID:1681
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1680
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1689
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1688
- /bin/grep
  grep KGN1cmwg
  2⤵
  PID:1687
- /bin/grep
  grep -v grep
  2⤵
  PID:1686
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1685
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1694
- - /usr/local/sbin/kill
    kill -9 1159
    3⤵
    PID:1695
- - /usr/local/bin/kill
    kill -9 1159
    3⤵
    PID:1695
- - /usr/sbin/kill
    kill -9 1159
    3⤵
    PID:1695
- - /usr/bin/kill
    kill -9 1159
    3⤵
    PID:1695
- - /sbin/kill
    kill -9 1159
    3⤵
    PID:1695
- - /bin/kill
    kill -9 1159
    3⤵
    - Reads CPU attributes
    PID:1695
- - /usr/local/sbin/kill
    kill -9 1298
    3⤵
    PID:1697
- - /usr/local/bin/kill
    kill -9 1298
    3⤵
    PID:1697
- - /usr/sbin/kill
    kill -9 1298
    3⤵
    PID:1697
- - /usr/bin/kill
    kill -9 1298
    3⤵
    PID:1697
- - /sbin/kill
    kill -9 1298
    3⤵
    PID:1697
- - /bin/kill
    kill -9 1298
    3⤵
    - Reads CPU attributes
    PID:1697
- - /usr/local/sbin/kill
    kill -9 1344
    3⤵
    PID:1701
- - /usr/local/bin/kill
    kill -9 1344
    3⤵
    PID:1701
- - /usr/sbin/kill
    kill -9 1344
    3⤵
    PID:1701
- - /usr/bin/kill
    kill -9 1344
    3⤵
    PID:1701
- - /sbin/kill
    kill -9 1344
    3⤵
    PID:1701
- - /bin/kill
    kill -9 1344
    3⤵
    - Reads CPU attributes
    PID:1701
- - /usr/local/sbin/kill
    kill -9 1357
    3⤵
    PID:1702
- - /usr/local/bin/kill
    kill -9 1357
    3⤵
    PID:1702
- - /usr/sbin/kill
    kill -9 1357
    3⤵
    PID:1702
- - /usr/bin/kill
    kill -9 1357
    3⤵
    PID:1702
- - /sbin/kill
    kill -9 1357
    3⤵
    PID:1702
- - /bin/kill
    kill -9 1357
    3⤵
    - Reads CPU attributes
    PID:1702
- - /usr/local/sbin/kill
    kill -9 1550
    3⤵
    PID:1703
- - /usr/local/bin/kill
    kill -9 1550
    3⤵
    PID:1703
- - /usr/sbin/kill
    kill -9 1550
    3⤵
    PID:1703
- - /usr/bin/kill
    kill -9 1550
    3⤵
    PID:1703
- - /sbin/kill
    kill -9 1550
    3⤵
    PID:1703
- - /bin/kill
    kill -9 1550
    3⤵
    PID:1703
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1693
- /bin/grep
  grep .dat
  2⤵
  PID:1692
- /bin/grep
  grep -v grep
  2⤵
  PID:1691
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1690
- /bin/rm
  rm /tmp/.dat
  2⤵
  PID:1706
- /usr/bin/pkill
  pkill kinsing
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1707
- /usr/bin/pkill
  pkill -9 zgrab
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1708
- /bin/grep
  grep -q https://pastebin.com/raw/rVXcPD8Z
  2⤵
  PID:1710
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:1709
- /usr/bin/crontab
  crontab -r
  2⤵
  PID:1711
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:1713
- /bin/grep
  grep unifiw
  2⤵
  PID:1725
- /bin/ls
  ls -al /proc/1
  2⤵
  PID:1724
- /bin/grep
  grep -a donate-level /proc/1/exe
  2⤵
  PID:1726
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1729
- /bin/grep
  grep exe
  2⤵
  PID:1728
- /bin/ls
  ls -al /proc/1
  2⤵
  PID:1727
- /bin/grep
  grep unifiw
  2⤵
  PID:1732
- /bin/ls
  ls -al /proc/10
  2⤵
  PID:1731
- /bin/grep
  grep -a donate-level /proc/10/exe
  2⤵
  PID:1735
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1739
- /bin/ls
  ls -al /proc/10
  2⤵
  PID:1737
- /bin/grep
  grep exe
  2⤵
  PID:1738
- /bin/grep
  grep unifiw
  2⤵
  PID:1744
- /bin/ls
  ls -al /proc/1012
  2⤵
  PID:1743
- /bin/grep
  grep -a donate-level /proc/1012/exe
  2⤵
  PID:1745
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1748
- /bin/grep
  grep exe
  2⤵
  PID:1747
- /bin/ls
  ls -al /proc/1012
  2⤵
  PID:1746
- /bin/grep
  grep unifiw
  2⤵
  PID:1750
- /bin/ls
  ls -al /proc/1018
  2⤵
  PID:1749
- /bin/grep
  grep -a donate-level /proc/1018/exe
  2⤵
  PID:1751
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1754
- /bin/grep
  grep exe
  2⤵
  PID:1753
- /bin/ls
  ls -al /proc/1018
  2⤵
  PID:1752
- /bin/grep
  grep unifiw
  2⤵
  PID:1756
- /bin/ls
  ls -al /proc/1034
  2⤵
  PID:1755
- /bin/grep
  grep -a donate-level /proc/1034/exe
  2⤵
  PID:1757
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1760
- /bin/grep
  grep exe
  2⤵
  PID:1759
- /bin/ls
  ls -al /proc/1034
  2⤵
  - Reads runtime system information
  PID:1758
- /bin/grep
  grep unifiw
  2⤵
  PID:1762
- /bin/ls
  ls -al /proc/1038
  2⤵
  PID:1761
- /bin/grep
  grep -a donate-level /proc/1038/exe
  2⤵
  PID:1763
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1766
- /bin/grep
  grep exe
  2⤵
  PID:1765
- /bin/ls
  ls -al /proc/1038
  2⤵
  PID:1764
- /bin/grep
  grep unifiw
  2⤵
  PID:1768
- /bin/ls
  ls -al /proc/1040
  2⤵
  PID:1767
- /bin/grep
  grep -a donate-level /proc/1040/exe
  2⤵
  PID:1769
- /bin/grep
  grep exe
  2⤵
  PID:1771
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1772
- /bin/ls
  ls -al /proc/1040
  2⤵
  PID:1770
- /bin/grep
  grep unifiw
  2⤵
  PID:1774
- /bin/ls
  ls -al /proc/1042
  2⤵
  PID:1773
- /bin/grep
  grep -a donate-level /proc/1042/exe
  2⤵
  PID:1775
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1778
- /bin/grep
  grep exe
  2⤵
  PID:1777
- /bin/ls
  ls -al /proc/1042
  2⤵
  PID:1776
- /bin/grep
  grep unifiw
  2⤵
  PID:1780
- /bin/ls
  ls -al /proc/1049
  2⤵
  PID:1779
- /bin/grep
  grep -a donate-level /proc/1049/exe
  2⤵
  PID:1781
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1784
- /bin/grep
  grep exe
  2⤵
  PID:1783
- /bin/ls
  ls -al /proc/1049
  2⤵
  PID:1782
- /bin/grep
  grep unifiw
  2⤵
  PID:1786
- /bin/ls
  ls -al /proc/1068
  2⤵
  PID:1785
- /bin/grep
  grep -a donate-level /proc/1068/exe
  2⤵
  PID:1787
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1790
- /bin/grep
  grep exe
  2⤵
  PID:1789
- /bin/ls
  ls -al /proc/1068
  2⤵
  PID:1788
- /bin/grep
  grep unifiw
  2⤵
  PID:1792
- /bin/ls
  ls -al /proc/1072
  2⤵
  PID:1791
- /bin/grep
  grep -a donate-level /proc/1072/exe
  2⤵
  PID:1793
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1796
- /bin/grep
  grep exe
  2⤵
  PID:1795
- /bin/ls
  ls -al /proc/1072
  2⤵
  PID:1794
- /bin/grep
  grep unifiw
  2⤵
  PID:1798
- /bin/ls
  ls -al /proc/1081
  2⤵
  PID:1797
- /bin/grep
  grep -a donate-level /proc/1081/exe
  2⤵
  PID:1799
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1802
- /bin/grep
  grep exe
  2⤵
  PID:1801
- /bin/ls
  ls -al /proc/1081
  2⤵
  PID:1800
- /bin/grep
  grep unifiw
  2⤵
  PID:1804
- /bin/ls
  ls -al /proc/1085
  2⤵
  PID:1803
- /bin/grep
  grep -a donate-level /proc/1085/exe
  2⤵
  PID:1805
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1808
- /bin/grep
  grep exe
  2⤵
  PID:1807
- /bin/ls
  ls -al /proc/1085
  2⤵
  PID:1806
- /bin/grep
  grep unifiw
  2⤵
  PID:1810
- /bin/ls
  ls -al /proc/1093
  2⤵
  PID:1809
- /bin/grep
  grep -a donate-level /proc/1093/exe
  2⤵
  PID:1811
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1814
- /bin/grep
  grep exe
  2⤵
  PID:1813
- /bin/ls
  ls -al /proc/1093
  2⤵
  PID:1812
- /bin/grep
  grep unifiw
  2⤵
  PID:1816
- /bin/ls
  ls -al /proc/1097
  2⤵
  PID:1815
- /bin/grep
  grep -a donate-level /proc/1097/exe
  2⤵
  PID:1817
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1820
- /bin/grep
  grep exe
  2⤵
  PID:1819
- /bin/ls
  ls -al /proc/1097
  2⤵
  PID:1818
- /bin/grep
  grep unifiw
  2⤵
  PID:1822
- /bin/ls
  ls -al /proc/11
  2⤵
  PID:1821
- /bin/grep
  grep -a donate-level /proc/11/exe
  2⤵
  PID:1823
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1826
- /bin/grep
  grep exe
  2⤵
  PID:1825
- /bin/ls
  ls -al /proc/11
  2⤵
  PID:1824
- /bin/grep
  grep unifiw
  2⤵
  PID:1828
- /bin/ls
  ls -al /proc/1101
  2⤵
  PID:1827
- /bin/grep
  grep -a donate-level /proc/1101/exe
  2⤵
  PID:1829
- /bin/grep
  grep exe
  2⤵
  PID:1831
- /bin/ls
  ls -al /proc/1101
  2⤵
  PID:1830
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1832
- /bin/grep
  grep unifiw
  2⤵
  PID:1834
- /bin/ls
  ls -al /proc/1110
  2⤵
  PID:1833
- /bin/grep
  grep -a donate-level /proc/1110/exe
  2⤵
  PID:1835
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1838
- /bin/grep
  grep exe
  2⤵
  PID:1837
- /bin/ls
  ls -al /proc/1110
  2⤵
  PID:1836
- /bin/grep
  grep unifiw
  2⤵
  PID:1840
- /bin/ls
  ls -al /proc/1114
  2⤵
  PID:1839
- /bin/grep
  grep -a donate-level /proc/1114/exe
  2⤵
  PID:1841
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1844
- /bin/grep
  grep exe
  2⤵
  PID:1843
- /bin/ls
  ls -al /proc/1114
  2⤵
  PID:1842
- /bin/grep
  grep unifiw
  2⤵
  PID:1846
- /bin/ls
  ls -al /proc/1120
  2⤵
  PID:1845
- /bin/grep
  grep -a donate-level /proc/1120/exe
  2⤵
  PID:1847
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1850
- /bin/grep
  grep exe
  2⤵
  PID:1849
- /bin/ls
  ls -al /proc/1120
  2⤵
  PID:1848
- /bin/grep
  grep unifiw
  2⤵
  PID:1852
- /bin/ls
  ls -al /proc/1125
  2⤵
  PID:1851
- /bin/grep
  grep -a donate-level /proc/1125/exe
  2⤵
  PID:1853
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1856
- /bin/grep
  grep exe
  2⤵
  PID:1855
- /bin/ls
  ls -al /proc/1125
  2⤵
  PID:1854
- /bin/grep
  grep unifiw
  2⤵
  PID:1858
- /bin/ls
  ls -al /proc/1126
  2⤵
  PID:1857
- /bin/grep
  grep -a donate-level /proc/1126/exe
  2⤵
  PID:1859
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1862
- /bin/grep
  grep exe
  2⤵
  PID:1861
- /bin/ls
  ls -al /proc/1126
  2⤵
  PID:1860
- /bin/grep
  grep unifiw
  2⤵
  PID:1864
- /bin/ls
  ls -al /proc/1128
  2⤵
  PID:1863
- /bin/grep
  grep -a donate-level /proc/1128/exe
  2⤵
  PID:1865
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1868
- /bin/grep
  grep exe
  2⤵
  PID:1867
- /bin/ls
  ls -al /proc/1128
  2⤵
  PID:1866
- /bin/grep
  grep unifiw
  2⤵
  PID:1870
- /bin/ls
  ls -al /proc/1132
  2⤵
  PID:1869
- /bin/grep
  grep -a donate-level /proc/1132/exe
  2⤵
  PID:1871
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1874
- /bin/grep
  grep exe
  2⤵
  PID:1873
- /bin/ls
  ls -al /proc/1132
  2⤵
  PID:1872
- /bin/grep
  grep unifiw
  2⤵
  PID:1876
- /bin/ls
  ls -al /proc/1134
  2⤵
  PID:1875
- /bin/grep
  grep -a donate-level /proc/1134/exe
  2⤵
  PID:1877
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1880
- /bin/grep
  grep exe
  2⤵
  PID:1879
- /bin/ls
  ls -al /proc/1134
  2⤵
  PID:1878
- /bin/grep
  grep unifiw
  2⤵
  PID:1882
- /bin/ls
  ls -al /proc/1136
  2⤵
  PID:1881
- /bin/grep
  grep -a donate-level /proc/1136/exe
  2⤵
  PID:1883
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1886
- /bin/grep
  grep exe
  2⤵
  PID:1885
- /bin/ls
  ls -al /proc/1136
  2⤵
  PID:1884
- /bin/grep
  grep unifiw
  2⤵
  PID:1888
- /bin/ls
  ls -al /proc/1140
  2⤵
  PID:1887
- /bin/grep
  grep -a donate-level /proc/1140/exe
  2⤵
  PID:1889
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1892
- /bin/grep
  grep exe
  2⤵
  PID:1891
- /bin/ls
  ls -al /proc/1140
  2⤵
  PID:1890
- /bin/grep
  grep unifiw
  2⤵
  PID:1894
- /bin/ls
  ls -al /proc/1148
  2⤵
  PID:1893
- /bin/grep
  grep -a donate-level /proc/1148/exe
  2⤵
  PID:1895
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1898
- /bin/grep
  grep exe
  2⤵
  PID:1897
- /bin/ls
  ls -al /proc/1148
  2⤵
  PID:1896
- /bin/grep
  grep unifiw
  2⤵
  PID:1900
- /bin/ls
  ls -al /proc/1149
  2⤵
  PID:1899
- /bin/grep
  grep -a donate-level /proc/1149/exe
  2⤵
  PID:1901
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1904
- /bin/grep
  grep exe
  2⤵
  PID:1903
- /bin/ls
  ls -al /proc/1149
  2⤵
  PID:1902
- /bin/grep
  grep unifiw
  2⤵
  PID:1906
- /bin/ls
  ls -al /proc/115
  2⤵
  PID:1905
- /bin/grep
  grep -a donate-level /proc/115/exe
  2⤵
  PID:1907
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1910
- /bin/grep
  grep exe
  2⤵
  PID:1909
- /bin/ls
  ls -al /proc/115
  2⤵
  PID:1908
- /bin/grep
  grep unifiw
  2⤵
  PID:1912
- /bin/ls
  ls -al /proc/1150
  2⤵
  PID:1911
- /bin/grep
  grep -a donate-level /proc/1150/exe
  2⤵
  PID:1913
- /bin/grep
  grep exe
  2⤵
  PID:1915
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1916
- /bin/ls
  ls -al /proc/1150
  2⤵
  PID:1914
- /bin/grep
  grep unifiw
  2⤵
  PID:1918
- /bin/ls
  ls -al /proc/1153
  2⤵
  PID:1917
- /bin/grep
  grep -a donate-level /proc/1153/exe
  2⤵
  PID:1919
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1922
- /bin/grep
  grep exe
  2⤵
  PID:1921
- /bin/ls
  ls -al /proc/1153
  2⤵
  PID:1920
- /bin/grep
  grep unifiw
  2⤵
  PID:1924
- /bin/ls
  ls -al /proc/1155
  2⤵
  PID:1923
- /bin/grep
  grep -a donate-level /proc/1155/exe
  2⤵
  PID:1925
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1928
- /bin/grep
  grep exe
  2⤵
  PID:1927
- /bin/ls
  ls -al /proc/1155
  2⤵
  PID:1926
- /bin/grep
  grep unifiw
  2⤵
  PID:1930
- /bin/ls
  ls -al /proc/1157
  2⤵
  PID:1929
- /bin/grep
  grep -a donate-level /proc/1157/exe
  2⤵
  PID:1931
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1934
- /bin/grep
  grep exe
  2⤵
  PID:1933
- /bin/ls
  ls -al /proc/1157
  2⤵
  PID:1932
- /bin/grep
  grep unifiw
  2⤵
  PID:1936
- /bin/ls
  ls -al /proc/1163
  2⤵
  PID:1935
- /bin/grep
  grep -a donate-level /proc/1163/exe
  2⤵
  PID:1937
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1940
- /bin/grep
  grep exe
  2⤵
  PID:1939
- /bin/ls
  ls -al /proc/1163
  2⤵
  PID:1938
- /bin/grep
  grep unifiw
  2⤵
  PID:1942
- /bin/ls
  ls -al /proc/1165
  2⤵
  PID:1941
- /bin/grep
  grep -a donate-level /proc/1165/exe
  2⤵
  PID:1943
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1946
- /bin/grep
  grep exe
  2⤵
  PID:1945
- /bin/ls
  ls -al /proc/1165
  2⤵
  PID:1944
- /bin/grep
  grep unifiw
  2⤵
  PID:1948
- /bin/ls
  ls -al /proc/1168
  2⤵
  PID:1947
- /bin/grep
  grep -a donate-level /proc/1168/exe
  2⤵
  PID:1949
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1952
- /bin/grep
  grep exe
  2⤵
  PID:1951
- /bin/ls
  ls -al /proc/1168
  2⤵
  PID:1950
- /bin/grep
  grep unifiw
  2⤵
  PID:1954
- /bin/ls
  ls -al /proc/1169
  2⤵
  PID:1953
- /bin/grep
  grep -a donate-level /proc/1169/exe
  2⤵
  PID:1955
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1958
- /bin/grep
  grep exe
  2⤵
  PID:1957
- /bin/ls
  ls -al /proc/1169
  2⤵
  PID:1956
- /bin/grep
  grep unifiw
  2⤵
  PID:1960
- /bin/ls
  ls -al /proc/1191
  2⤵
  PID:1959
- /bin/grep
  grep -a donate-level /proc/1191/exe
  2⤵
  PID:1961
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1964
- /bin/grep
  grep exe
  2⤵
  PID:1963
- /bin/ls
  ls -al /proc/1191
  2⤵
  PID:1962
- /bin/grep
  grep unifiw
  2⤵
  PID:1966
- /bin/ls
  ls -al /proc/12
  2⤵
  PID:1965
- /bin/grep
  grep -a donate-level /proc/12/exe
  2⤵
  PID:1967
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1970
- /bin/grep
  grep exe
  2⤵
  PID:1969
- /bin/ls
  ls -al /proc/12
  2⤵
  PID:1968
- /bin/grep
  grep unifiw
  2⤵
  PID:1972
- /bin/ls
  ls -al /proc/1220
  2⤵
  PID:1971
- /bin/grep
  grep -a donate-level /proc/1220/exe
  2⤵
  PID:1973
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1976
- /bin/grep
  grep exe
  2⤵
  PID:1975
- /bin/ls
  ls -al /proc/1220
  2⤵
  PID:1974
- /bin/grep
  grep unifiw
  2⤵
  PID:1978
- /bin/ls
  ls -al /proc/1230
  2⤵
  PID:1977
- /bin/grep
  grep -a donate-level /proc/1230/exe
  2⤵
  PID:1979
- /bin/ls
  ls -al /proc/1230
  2⤵
  PID:1980
- /bin/grep
  grep exe
  2⤵
  PID:1981
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1985

/bin/grep
grep -v grep
1⤵
PID:1716

/bin/grep
grep unifiw
1⤵
PID:1717

/usr/bin/awk
awk "{if(\$3>=50.0) print \$2}"
1⤵
PID:1718

/bin/ps
ps auxf
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:1715

/bin/grep
grep "[0-9]"
1⤵
PID:1722

/bin/ls
ls /proc
1⤵
PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/var/spool/cron/crontabs/tmp.CpZ1rC

Filesize
388B

MD5
36cd615773de3b32c006aa3b6a93f639

SHA1
f76bfd3a4d698a24a0091a024968048b2209a200

SHA256
de9c814c4b70296d48d7a40ae94b555269d4feedd43d58b62fec717859b0f6ff

SHA512
fdc9889b16ae78f2ee2d68247b7eac9308cd5f83848c78d1187f0e8a282e191dbaba76a51fc6247ad2a308f73e5807ed0e27030136dc5eedb163b2bb01d522e0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads