xorddos | 02663b6c8c7738fdc443491983ea3f5d7e7ea91a784a9cb006b0b4ded0a737f4

General

Target

39ffc090c3be8b2e3835c5c887d05573_JaffaCakes118
Size

538KB
MD5

39ffc090c3be8b2e3835c5c887d05573
SHA1

70f4f7f0a05b934fe7bd709ab6341d1d7c133105
SHA256

02663b6c8c7738fdc443491983ea3f5d7e7ea91a784a9cb006b0b4ded0a737f4
SHA512

a14cebafb26bb11c242974142bfbcf7bd8308c0ded4dd95e525f8390ab47561a7452b6b1351553eae87c37c630d958ef28321dba7d060eb9ae96bca8cc222f95
SSDEEP

12288:fB+OFJ52snwnBrHnL0iTwseG3vtxaYEM/tiL6yXZ:JzL5ZyrIiTNeG3vtxaYEwiL

Score

10^/10

xorddos botnet downloader persistence

Malware Config

Extracted

Family

xorddos

C2

topbannersun.com:5212

wowapplecar.com:5212

Attributes

crc_polynomial
CDB88320

xor.plain

Signatures

XorDDoS
Botnet and downloader malware targeting Linux-based operating systems and IoT devices.
botnet downloader xorddos

XorDDoS payload 1 IoCs

Processes:

resource	yara_rule
/usr/bin/mrwpvb	family_xorddos

Deletes itself 64 IoCs

Processes:

pid
1510
1517
1520
1523
1528
1529
1532
1537
1538
1541
1547
1550
1553
1556
1559
1562
1565
1568
1571
1576
1577
1580
1583
1586
1591
1592
1595
1599
1601
1604
1607
1612
1613
1616
1620
1622
1625
1628
1631
1634
1637
1642
1643
1647
1649
1652
1655
1658
1663
1664
1667
1670
1673
1678
1679
1683
1685
1688
1691
1694
1697
1702
1703
1706

Executes dropped EXE 64 IoCs

Processes:

mrwpvbstnykrkiuogfuvmxjkutwvzkkyekgnzzndrzxnvtmxbiontknafiemtkzulntthygctuiycmhbtrptxzixymrjblyzuzsqmlswmnemtgfvmfqnxeeryiflorguxleqnwhqcschnofdmlhzfhjkuxcuczfiqsexirmqhceogcpshzdrtbvyvyxipuppfxgtnpqgcpkkfeseekgvenwigqjfnwjcgujnvhysmhimlixeqganldiuwvqfzzblxsmrgsyogmyeqmqdxwufsqcidhzovwjippcogiemsvalyxsebiijimtcoflwudykhmnvhktwrcffscmcglyjpcndofzpnemoikucileptwthwomuzdypimubjnvybekyiujjclckmyaauessofoyineyrkipscygndrpfqrgkumfnadawboabsxrijzhiyvkzczlwfyssdtuhtnpgjwqtdlxewtjuovgbmqmnipheycrkdmdmhixfmvasoxnwabqlkakpmgnmpvbyabctpnjaejpbjrowjlrdvfjnolxauhskfdygmtbmcodphaqejkojysbxywoqnmxzygysxqiohmvcnknwnpmrzwhpjuouvlofifpywqrixxvkmiblfqpwhrjixrfnwjvznbawbvlbswclu

ioc	pid	process
/usr/bin/mrwpvb	1512	mrwpvb
/usr/bin/stnykrkiuog	1516	stnykrkiuog
/usr/bin/fuvmxjkutwvzkk	1519	fuvmxjkutwvzkk
/usr/bin/yekgnzz	1522	yekgnzz
/usr/bin/ndrzxnvtm	1527	ndrzxnvtm
/usr/bin/xbiontkna	1525	xbiontkna
/usr/bin/fiemtkzulnt	1531	fiemtkzulnt
/usr/bin/thygctuiycm	1536	thygctuiycm
/usr/bin/hbtrptxzi	1534	hbtrptxzi
/usr/bin/xymrjblyzuzs	1540	xymrjblyzuzs
/usr/bin/qmlswmnemtgf	1546	qmlswmnemtgf
/usr/bin/vmfqnxee	1549	vmfqnxee
/usr/bin/ryiflorgu	1552	ryiflorgu
/usr/bin/xleqnwhqcschno	1555	xleqnwhqcschno
/usr/bin/fdmlhzfhjkux	1558	fdmlhzfhjkux
/usr/bin/cuczfiqsex	1561	cuczfiqsex
/usr/bin/irmqhceog	1564	irmqhceog
/usr/bin/cpshzdrtbvyvyx	1567	cpshzdrtbvyvyx
/usr/bin/ipuppfxgtnp	1570	ipuppfxgtnp
/usr/bin/qgcpkkfe	1575	qgcpkkfe
/usr/bin/seekgvenwigqj	1573	seekgvenwigqj
/usr/bin/fnwjcgujnvhysm	1579	fnwjcgujnvhysm
/usr/bin/himlixeqganld	1582	himlixeqganld
/usr/bin/iuwvqfzzbl	1585	iuwvqfzzbl
/usr/bin/xsmrgsyogmyeq	1588	xsmrgsyogmyeq
/usr/bin/mqdxwufsqci	1590	mqdxwufsqci
/usr/bin/dhzovwjippcogi	1594	dhzovwjippcogi
/usr/bin/emsvalyx	1597	emsvalyx
/usr/bin/sebiijimt	1600	sebiijimt
/usr/bin/coflwudyk	1603	coflwudyk
/usr/bin/hmnvhk	1606	hmnvhk
/usr/bin/twrcffscmc	1609	twrcffscmc
/usr/bin/glyjpcndofzpne	1611	glyjpcndofzpne
/usr/bin/moikucileptwth	1615	moikucileptwth
/usr/bin/womuzdypimu	1618	womuzdypimu
/usr/bin/bjnvybekyiuj	1621	bjnvybekyiuj
/usr/bin/jclckmyaau	1624	jclckmyaau
/usr/bin/essofoyi	1627	essofoyi
/usr/bin/neyrkipscygndr	1630	neyrkipscygndr
/usr/bin/pfqrgkumfna	1633	pfqrgkumfna
/usr/bin/dawboab	1636	dawboab
/usr/bin/sxrijz	1641	sxrijz
/usr/bin/hiyvkzczlwfyss	1639	hiyvkzczlwfyss
/usr/bin/dtuhtnpgjwq	1645	dtuhtnpgjwq
/usr/bin/tdlxewtjuo	1648	tdlxewtjuo
/usr/bin/vgbmqmnipheycr	1651	vgbmqmnipheycr
/usr/bin/kdmdmhixfmva	1654	kdmdmhixfmva
/usr/bin/soxnwa	1657	soxnwa
/usr/bin/bqlkakpmg	1662	bqlkakpmg
/usr/bin/nmpvbyabctpn	1660	nmpvbyabctpn
/usr/bin/jaejpbjrowjl	1666	jaejpbjrowjl
/usr/bin/rdvfjnol	1669	rdvfjnol
/usr/bin/xauhskfdygm	1672	xauhskfdygm
/usr/bin/tbmcodphaqejko	1677	tbmcodphaqejko
/usr/bin/jysbxywoq	1675	jysbxywoq
/usr/bin/nmxzygys	1681	nmxzygys
/usr/bin/xqiohmvcnk	1684	xqiohmvcnk
/usr/bin/nwnpmrzwhpjuo	1687	nwnpmrzwhpjuo
/usr/bin/uvlofifpy	1690	uvlofifpy
/usr/bin/wqrixxv	1693	wqrixxv
/usr/bin/kmiblf	1696	kmiblf
/usr/bin/qpwhrjixr	1701	qpwhrjixr
/usr/bin/fnwjvznba	1699	fnwjvznba
/usr/bin/wbvlbswclu	1705	wbvlbswclu

Creates/modifies Cron job 1 TTPs 1 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
persistence

Scheduled Task/Job
T1053

Processes:

mrwpvb

description ioc process

File opened for modification /etc/cron.hourly/bvpwrm.sh mrwpvb
Modifies init.d 1 TTPs 1 IoCs
Adds/modifies system service, likely for persistence.
persistence

Boot or Logon Autostart Execution
T1547

Processes:

mrwpvb

description ioc process

File opened for modification /etc/init.d/bvpwrm mrwpvb

description	ioc	process
File opened for modification	/etc/cron.hourly/bvpwrm.sh	mrwpvb

description	ioc	process
File opened for modification	/etc/init.d/bvpwrm	mrwpvb

Write file to user bin folder 1 TTPs 64 IoCs

Hijack Execution Flow

T1574

Processes:

mrwpvb

description	ioc	process
File opened for modification	/usr/bin/coflwudyk	mrwpvb
File opened for modification	/usr/bin/fcywxm	mrwpvb
File opened for modification	/usr/bin/iozjfoy	mrwpvb
File opened for modification	/usr/bin/gkstutbi	mrwpvb
File opened for modification	/usr/bin/hfaddrwkg	mrwpvb
File opened for modification	/usr/bin/wihwmlpkxxlbxb	mrwpvb
File opened for modification	/usr/bin/ihjiqkjjrfr	mrwpvb
File opened for modification	/usr/bin/ppmdtskp	mrwpvb
File opened for modification	/usr/bin/jajjyp	mrwpvb
File opened for modification	/usr/bin/seekgvenwigqj	mrwpvb
File opened for modification	/usr/bin/spuzxi	mrwpvb
File opened for modification	/usr/bin/cuepik	mrwpvb
File opened for modification	/usr/bin/xirqtynyqitloy	mrwpvb
File opened for modification	/usr/bin/bnvewvroyzk	mrwpvb
File opened for modification	/usr/bin/xlnycc	mrwpvb
File opened for modification	/usr/bin/xkflij	mrwpvb
File opened for modification	/usr/bin/xsmrgsyogmyeq	mrwpvb
File opened for modification	/usr/bin/bdzyqyjktpfko	mrwpvb
File opened for modification	/usr/bin/hvwkvqvwskm	mrwpvb
File opened for modification	/usr/bin/yycnsd	mrwpvb
File opened for modification	/usr/bin/xvlxgigrwuo	mrwpvb
File opened for modification	/usr/bin/fuvmxjkutwvzkk	mrwpvb
File opened for modification	/usr/bin/mqdxwufsqci	mrwpvb
File opened for modification	/usr/bin/soxnwa	mrwpvb
File opened for modification	/usr/bin/xauhskfdygm	mrwpvb
File opened for modification	/usr/bin/fmcvkzeypzwtwt	mrwpvb
File opened for modification	/usr/bin/hxqexwkqvdnt	mrwpvb
File opened for modification	/usr/bin/crlxqyosobrzoc	mrwpvb
File opened for modification	/usr/bin/kqqcqutgiwtccr	mrwpvb
File opened for modification	/usr/bin/szonqmdheyr	mrwpvb
File opened for modification	/usr/bin/kmdxcovrqtsmi	mrwpvb
File opened for modification	/usr/bin/puzucatxplbu	mrwpvb
File opened for modification	/usr/bin/pxkbebstbuam	mrwpvb
File opened for modification	/usr/bin/qouuicagi	mrwpvb
File opened for modification	/usr/bin/emsvalyx	mrwpvb
File opened for modification	/usr/bin/pfqrgkumfna	mrwpvb
File opened for modification	/usr/bin/osenpyl	mrwpvb
File opened for modification	/usr/bin/kpdkxtzpvqnnr	mrwpvb
File opened for modification	/usr/bin/ceadebetbopvhk	mrwpvb
File opened for modification	/usr/bin/kxfvkrqj	mrwpvb
File opened for modification	/usr/bin/jhgosbjansb	mrwpvb
File opened for modification	/usr/bin/uzvepleeuxpct	mrwpvb
File opened for modification	/usr/bin/oyyothootqs	mrwpvb
File opened for modification	/usr/bin/yqkjte	mrwpvb
File opened for modification	/usr/bin/ogsvynknym	mrwpvb
File opened for modification	/usr/bin/frvpws	mrwpvb
File opened for modification	/usr/bin/xleqnwhqcschno	mrwpvb
File opened for modification	/usr/bin/arxzfvbfoerf	mrwpvb
File opened for modification	/usr/bin/zojtlfureddj	mrwpvb
File opened for modification	/usr/bin/slqwjt	mrwpvb
File opened for modification	/usr/bin/misvwx	mrwpvb
File opened for modification	/usr/bin/quvnwabz	mrwpvb
File opened for modification	/usr/bin/tqrqpwik	mrwpvb
File opened for modification	/usr/bin/kayryftwoqqoux	mrwpvb
File opened for modification	/usr/bin/dkpeuvuk	mrwpvb
File opened for modification	/usr/bin/wnjuozr	mrwpvb
File opened for modification	/usr/bin/axqqqjfofyz	mrwpvb
File opened for modification	/usr/bin/jkqlkxhydfgdr	mrwpvb
File opened for modification	/usr/bin/ekebyhbbrfw	mrwpvb
File opened for modification	/usr/bin/cisogh	mrwpvb
File opened for modification	/usr/bin/vjeatye	mrwpvb
File opened for modification	/usr/bin/pxnsfgtxiryr	mrwpvb
File opened for modification	/usr/bin/dichkhckshlwk	mrwpvb
File opened for modification	/usr/bin/thygctuiycm	mrwpvb

Reads runtime system information 2 IoCs
Reads data from /proc virtual filesystem.

Processes:

39ffc090c3be8b2e3835c5c887d05573_JaffaCakes118mrwpvb

description ioc process

File opened for reading /proc/meminfo 39ffc090c3be8b2e3835c5c887d05573_JaffaCakes118
File opened for reading /proc/meminfo mrwpvb
Writes file to shm directory 2 IoCs
Malware can drop malicious files in the shm directory which will run directly from RAM.

Processes:

mrwpvb

description ioc process

File opened for modification /dev/shm/sem.duekbr mrwpvb
File opened for modification /dev/shm/sem.WNG04f mrwpvb

description	ioc	process
File opened for reading	/proc/meminfo	39ffc090c3be8b2e3835c5c887d05573_JaffaCakes118
File opened for reading	/proc/meminfo	mrwpvb

description	ioc	process
File opened for modification	/dev/shm/sem.duekbr	mrwpvb
File opened for modification	/dev/shm/sem.WNG04f	mrwpvb

/tmp/39ffc090c3be8b2e3835c5c887d05573_JaffaCakes118
/tmp/39ffc090c3be8b2e3835c5c887d05573_JaffaCakes118
1⤵
- Reads runtime system information
PID:1509

/usr/bin/mrwpvb
/usr/bin/mrwpvb
1⤵
- Executes dropped EXE
- Creates/modifies Cron job
- Modifies init.d
- Write file to user bin folder
- Reads runtime system information
- Writes file to shm directory
PID:1512

/usr/bin/stnykrkiuog
/usr/bin/stnykrkiuog -d 1513
1⤵
- Executes dropped EXE
PID:1516

/usr/bin/fuvmxjkutwvzkk
/usr/bin/fuvmxjkutwvzkk -d 1513
1⤵
- Executes dropped EXE
PID:1519

/usr/bin/yekgnzz
/usr/bin/yekgnzz -d 1513
1⤵
- Executes dropped EXE
PID:1522

/usr/bin/ndrzxnvtm
/usr/bin/ndrzxnvtm -d 1513
1⤵
- Executes dropped EXE
PID:1527

/usr/bin/xbiontkna
/usr/bin/xbiontkna -d 1513
1⤵
- Executes dropped EXE
PID:1525

/usr/bin/fiemtkzulnt
/usr/bin/fiemtkzulnt -d 1513
1⤵
- Executes dropped EXE
PID:1531

/usr/bin/thygctuiycm
/usr/bin/thygctuiycm -d 1513
1⤵
- Executes dropped EXE
PID:1536

/usr/bin/hbtrptxzi
/usr/bin/hbtrptxzi -d 1513
1⤵
- Executes dropped EXE
PID:1534

/usr/bin/xymrjblyzuzs
/usr/bin/xymrjblyzuzs -d 1513
1⤵
- Executes dropped EXE
PID:1540

/usr/bin/qmlswmnemtgf
/usr/bin/qmlswmnemtgf -d 1513
1⤵
- Executes dropped EXE
PID:1546

/usr/bin/vmfqnxee
/usr/bin/vmfqnxee -d 1513
1⤵
- Executes dropped EXE
PID:1549

/usr/bin/ryiflorgu
/usr/bin/ryiflorgu -d 1513
1⤵
- Executes dropped EXE
PID:1552

/usr/bin/xleqnwhqcschno
/usr/bin/xleqnwhqcschno -d 1513
1⤵
- Executes dropped EXE
PID:1555

/usr/bin/fdmlhzfhjkux
/usr/bin/fdmlhzfhjkux -d 1513
1⤵
- Executes dropped EXE
PID:1558

/usr/bin/cuczfiqsex
/usr/bin/cuczfiqsex -d 1513
1⤵
- Executes dropped EXE
PID:1561

/usr/bin/irmqhceog
/usr/bin/irmqhceog -d 1513
1⤵
- Executes dropped EXE
PID:1564

/usr/bin/cpshzdrtbvyvyx
/usr/bin/cpshzdrtbvyvyx -d 1513
1⤵
- Executes dropped EXE
PID:1567

/usr/bin/ipuppfxgtnp
/usr/bin/ipuppfxgtnp -d 1513
1⤵
- Executes dropped EXE
PID:1570

/usr/bin/qgcpkkfe
/usr/bin/qgcpkkfe -d 1513
1⤵
- Executes dropped EXE
PID:1575

/usr/bin/seekgvenwigqj
/usr/bin/seekgvenwigqj -d 1513
1⤵
- Executes dropped EXE
PID:1573

/usr/bin/fnwjcgujnvhysm
/usr/bin/fnwjcgujnvhysm -d 1513
1⤵
- Executes dropped EXE
PID:1579

/usr/bin/himlixeqganld
/usr/bin/himlixeqganld -d 1513
1⤵
- Executes dropped EXE
PID:1582

/usr/bin/iuwvqfzzbl
/usr/bin/iuwvqfzzbl -d 1513
1⤵
- Executes dropped EXE
PID:1585

/usr/bin/xsmrgsyogmyeq
/usr/bin/xsmrgsyogmyeq -d 1513
1⤵
- Executes dropped EXE
PID:1588

/usr/bin/mqdxwufsqci
/usr/bin/mqdxwufsqci -d 1513
1⤵
- Executes dropped EXE
PID:1590

/usr/bin/dhzovwjippcogi
/usr/bin/dhzovwjippcogi -d 1513
1⤵
- Executes dropped EXE
PID:1594

/usr/bin/emsvalyx
/usr/bin/emsvalyx -d 1513
1⤵
- Executes dropped EXE
PID:1597

/usr/bin/sebiijimt
/usr/bin/sebiijimt -d 1513
1⤵
- Executes dropped EXE
PID:1600

/usr/bin/coflwudyk
/usr/bin/coflwudyk -d 1513
1⤵
- Executes dropped EXE
PID:1603

/usr/bin/hmnvhk
/usr/bin/hmnvhk -d 1513
1⤵
- Executes dropped EXE
PID:1606

/usr/bin/twrcffscmc
/usr/bin/twrcffscmc -d 1513
1⤵
- Executes dropped EXE
PID:1609

/usr/bin/glyjpcndofzpne
/usr/bin/glyjpcndofzpne -d 1513
1⤵
- Executes dropped EXE
PID:1611

/usr/bin/moikucileptwth
/usr/bin/moikucileptwth -d 1513
1⤵
- Executes dropped EXE
PID:1615

/usr/bin/womuzdypimu
/usr/bin/womuzdypimu -d 1513
1⤵
- Executes dropped EXE
PID:1618

/usr/bin/bjnvybekyiuj
/usr/bin/bjnvybekyiuj -d 1513
1⤵
- Executes dropped EXE
PID:1621

/usr/bin/jclckmyaau
/usr/bin/jclckmyaau -d 1513
1⤵
- Executes dropped EXE
PID:1624

/usr/bin/essofoyi
/usr/bin/essofoyi -d 1513
1⤵
- Executes dropped EXE
PID:1627

/usr/bin/neyrkipscygndr
/usr/bin/neyrkipscygndr -d 1513
1⤵
- Executes dropped EXE
PID:1630

/usr/bin/pfqrgkumfna
/usr/bin/pfqrgkumfna -d 1513
1⤵
- Executes dropped EXE
PID:1633

/usr/bin/dawboab
/usr/bin/dawboab -d 1513
1⤵
- Executes dropped EXE
PID:1636

/usr/bin/sxrijz
/usr/bin/sxrijz -d 1513
1⤵
- Executes dropped EXE
PID:1641

/usr/bin/hiyvkzczlwfyss
/usr/bin/hiyvkzczlwfyss -d 1513
1⤵
- Executes dropped EXE
PID:1639

/usr/bin/dtuhtnpgjwq
/usr/bin/dtuhtnpgjwq -d 1513
1⤵
- Executes dropped EXE
PID:1645

/usr/bin/tdlxewtjuo
/usr/bin/tdlxewtjuo -d 1513
1⤵
- Executes dropped EXE
PID:1648

/usr/bin/vgbmqmnipheycr
/usr/bin/vgbmqmnipheycr -d 1513
1⤵
- Executes dropped EXE
PID:1651

/usr/bin/kdmdmhixfmva
/usr/bin/kdmdmhixfmva -d 1513
1⤵
- Executes dropped EXE
PID:1654

/usr/bin/soxnwa
/usr/bin/soxnwa -d 1513
1⤵
- Executes dropped EXE
PID:1657

/usr/bin/bqlkakpmg
/usr/bin/bqlkakpmg -d 1513
1⤵
- Executes dropped EXE
PID:1662

/usr/bin/nmpvbyabctpn
/usr/bin/nmpvbyabctpn -d 1513
1⤵
- Executes dropped EXE
PID:1660

/usr/bin/jaejpbjrowjl
/usr/bin/jaejpbjrowjl -d 1513
1⤵
- Executes dropped EXE
PID:1666

/usr/bin/rdvfjnol
/usr/bin/rdvfjnol -d 1513
1⤵
- Executes dropped EXE
PID:1669

/usr/bin/xauhskfdygm
/usr/bin/xauhskfdygm -d 1513
1⤵
- Executes dropped EXE
PID:1672

/usr/bin/tbmcodphaqejko
/usr/bin/tbmcodphaqejko -d 1513
1⤵
- Executes dropped EXE
PID:1677

/usr/bin/jysbxywoq
/usr/bin/jysbxywoq -d 1513
1⤵
- Executes dropped EXE
PID:1675

/usr/bin/nmxzygys
/usr/bin/nmxzygys -d 1513
1⤵
- Executes dropped EXE
PID:1681

/usr/bin/xqiohmvcnk
/usr/bin/xqiohmvcnk -d 1513
1⤵
- Executes dropped EXE
PID:1684

/usr/bin/nwnpmrzwhpjuo
/usr/bin/nwnpmrzwhpjuo -d 1513
1⤵
- Executes dropped EXE
PID:1687

/usr/bin/uvlofifpy
/usr/bin/uvlofifpy -d 1513
1⤵
- Executes dropped EXE
PID:1690

/usr/bin/wqrixxv
/usr/bin/wqrixxv -d 1513
1⤵
- Executes dropped EXE
PID:1693

/usr/bin/kmiblf
/usr/bin/kmiblf -d 1513
1⤵
- Executes dropped EXE
PID:1696

/usr/bin/qpwhrjixr
/usr/bin/qpwhrjixr -d 1513
1⤵
- Executes dropped EXE
PID:1701

/usr/bin/fnwjvznba
/usr/bin/fnwjvznba -d 1513
1⤵
- Executes dropped EXE
PID:1699

/usr/bin/wbvlbswclu
/usr/bin/wbvlbswclu -d 1513
1⤵
- Executes dropped EXE
PID:1705

/usr/bin/sjacfapgcdwtb
/usr/bin/sjacfapgcdwtb -d 1513
1⤵
PID:1708

/usr/bin/kmphefdfcriv
/usr/bin/kmphefdfcriv -d 1513
1⤵
PID:1711

/usr/bin/mikqbtrf
/usr/bin/mikqbtrf -d 1513
1⤵
PID:1714

/usr/bin/rwgvbfockapciv
/usr/bin/rwgvbfockapciv -d 1513
1⤵
PID:1717

/usr/bin/ncjekguy
/usr/bin/ncjekguy -d 1513
1⤵
PID:1720

/usr/bin/eouzfby
/usr/bin/eouzfby -d 1513
1⤵
PID:1723

/usr/bin/xgvzlldymu
/usr/bin/xgvzlldymu -d 1513
1⤵
PID:1726

/usr/bin/oddibwosqnxr
/usr/bin/oddibwosqnxr -d 1513
1⤵
PID:1731

/usr/bin/yowtphfvhtpjn
/usr/bin/yowtphfvhtpjn -d 1513
1⤵
PID:1734

/usr/bin/zpvplqhvxccqto
/usr/bin/zpvplqhvxccqto -d 1513
1⤵
PID:1739

/usr/bin/uwyrmeuwfqmxia
/usr/bin/uwyrmeuwfqmxia -d 1513
1⤵
PID:1737

/usr/bin/ciedzqhtp
/usr/bin/ciedzqhtp -d 1513
1⤵
PID:1743

/usr/bin/xgosuuvea
/usr/bin/xgosuuvea -d 1513
1⤵
PID:1748

/usr/bin/lbmtdluvikgytd
/usr/bin/lbmtdluvikgytd -d 1513
1⤵
PID:1746

/usr/bin/eqfzht
/usr/bin/eqfzht -d 1513
1⤵
PID:1752

/usr/bin/jhgosbjansb
/usr/bin/jhgosbjansb -d 1513
1⤵
PID:1754

/usr/bin/vzfdpxx
/usr/bin/vzfdpxx -d 1513
1⤵
PID:1758

/usr/bin/elsiexhltuw
/usr/bin/elsiexhltuw -d 1513
1⤵
PID:1761

/usr/bin/bnvewvroyzk
/usr/bin/bnvewvroyzk -d 1513
1⤵
PID:1764

/usr/bin/ifjdeje
/usr/bin/ifjdeje -d 1513
1⤵
PID:1769

/usr/bin/enpdnayroqzs
/usr/bin/enpdnayroqzs -d 1513
1⤵
PID:1767

/usr/bin/qtjjhakbqt
/usr/bin/qtjjhakbqt -d 1513
1⤵
PID:1775

/usr/bin/eincbcacocidr
/usr/bin/eincbcacocidr -d 1513
1⤵
PID:1773

/usr/bin/zynkeeport
/usr/bin/zynkeeport -d 1513
1⤵
PID:1779

/usr/bin/vvtlxbpo
/usr/bin/vvtlxbpo -d 1513
1⤵
PID:1781

/usr/bin/hkwttydxoygpwt
/usr/bin/hkwttydxoygpwt -d 1513
1⤵
PID:1785

/usr/bin/axqqqjfofyz
/usr/bin/axqqqjfofyz -d 1513
1⤵
PID:1788

/usr/bin/fcywxm
/usr/bin/fcywxm -d 1513
1⤵
PID:1791

/usr/bin/fmcvkzeypzwtwt
/usr/bin/fmcvkzeypzwtwt -d 1513
1⤵
PID:1796

/usr/bin/carcmpamo
/usr/bin/carcmpamo -d 1513
1⤵
PID:1794

/usr/bin/arxzfvbfoerf
/usr/bin/arxzfvbfoerf -d 1513
1⤵
PID:1800

/usr/bin/fulkinhs
/usr/bin/fulkinhs -d 1513
1⤵
PID:1803

/usr/bin/zobwnitp
/usr/bin/zobwnitp -d 1513
1⤵
PID:1808

/usr/bin/osenpyl
/usr/bin/osenpyl -d 1513
1⤵
PID:1806

/usr/bin/hviodn
/usr/bin/hviodn -d 1513
1⤵
PID:1812

/usr/bin/ozseik
/usr/bin/ozseik -d 1513
1⤵
PID:1815

/usr/bin/wdzlux
/usr/bin/wdzlux -d 1513
1⤵
PID:1818

/usr/bin/cdlhcwbcvh
/usr/bin/cdlhcwbcvh -d 1513
1⤵
PID:1821

/usr/bin/iozjfoy
/usr/bin/iozjfoy -d 1513
1⤵
PID:1823

/usr/bin/nzcccbii
/usr/bin/nzcccbii -d 1513
1⤵
PID:1827

/usr/bin/svwvidaehc
/usr/bin/svwvidaehc -d 1513
1⤵
PID:1829

/usr/bin/oekddt
/usr/bin/oekddt -d 1513
1⤵
PID:1833

/usr/bin/uwjhxn
/usr/bin/uwjhxn -d 1513
1⤵
PID:1836

/usr/bin/coskikheipji
/usr/bin/coskikheipji -d 1513
1⤵
PID:1839

/usr/bin/qmyfqikweuqy
/usr/bin/qmyfqikweuqy -d 1513
1⤵
PID:1842

/usr/bin/kxqqfha
/usr/bin/kxqqfha -d 1513
1⤵
PID:1847

/usr/bin/fsmqwck
/usr/bin/fsmqwck -d 1513
1⤵
PID:1845

/usr/bin/wxchqiicvpfj
/usr/bin/wxchqiicvpfj -d 1513
1⤵
PID:1851

/usr/bin/gshwrmkrytgi
/usr/bin/gshwrmkrytgi -d 1513
1⤵
PID:1854

/usr/bin/vwkpggmj
/usr/bin/vwkpggmj -d 1513
1⤵
PID:1857

/usr/bin/etyiqnqarwsa
/usr/bin/etyiqnqarwsa -d 1513
1⤵
PID:1860

/usr/bin/spuzxi
/usr/bin/spuzxi -d 1513
1⤵
PID:1865

/usr/bin/jmeakxiuf
/usr/bin/jmeakxiuf -d 1513
1⤵
PID:1863

/usr/bin/kpdkxtzpvqnnr
/usr/bin/kpdkxtzpvqnnr -d 1513
1⤵
PID:1869

/usr/bin/kpodekebt
/usr/bin/kpodekebt -d 1513
1⤵
PID:1874

/usr/bin/yflyqk
/usr/bin/yflyqk -d 1513
1⤵
PID:1872

/usr/bin/oirahmaxiqkxhs
/usr/bin/oirahmaxiqkxhs -d 1513
1⤵
PID:1878

/usr/bin/guzderzt
/usr/bin/guzderzt -d 1513
1⤵
PID:1881

/usr/bin/wandrsyo
/usr/bin/wandrsyo -d 1513
1⤵
PID:1884

/usr/bin/fosgfxqobi
/usr/bin/fosgfxqobi -d 1513
1⤵
PID:1887

/usr/bin/hxqexwkqvdnt
/usr/bin/hxqexwkqvdnt -d 1513
1⤵
PID:1890

/usr/bin/aywtyk
/usr/bin/aywtyk -d 1513
1⤵
PID:1893

/usr/bin/ebrmirc
/usr/bin/ebrmirc -d 1513
1⤵
PID:1896

/usr/bin/uljcibihxsyvx
/usr/bin/uljcibihxsyvx -d 1513
1⤵
PID:1899

/usr/bin/oconyjnjirmc
/usr/bin/oconyjnjirmc -d 1513
1⤵
PID:1902

/usr/bin/utisnvbrddz
/usr/bin/utisnvbrddz -d 1513
1⤵
PID:1905

/usr/bin/crlxqyosobrzoc
/usr/bin/crlxqyosobrzoc -d 1513
1⤵
PID:1908

/usr/bin/gqylrlpjynb
/usr/bin/gqylrlpjynb -d 1513
1⤵
PID:1913

/usr/bin/onkjxey
/usr/bin/onkjxey -d 1513
1⤵
PID:1911

/usr/bin/aedospxrtwkb
/usr/bin/aedospxrtwkb -d 1513
1⤵
PID:1919

/usr/bin/bunelou
/usr/bin/bunelou -d 1513
1⤵
PID:1917

/usr/bin/xzsmzxpor
/usr/bin/xzsmzxpor -d 1513
1⤵
PID:1925

/usr/bin/kmdxcovrqtsmi
/usr/bin/kmdxcovrqtsmi -d 1513
1⤵
PID:1923

/usr/bin/lizjubvgpbd
/usr/bin/lizjubvgpbd -d 1513
1⤵
PID:1929

/usr/bin/rakjwev
/usr/bin/rakjwev -d 1513
1⤵
PID:1932

/usr/bin/cufvgfuxvldiv
/usr/bin/cufvgfuxvldiv -d 1513
1⤵
PID:1935

/usr/bin/ssepyvscpmezva
/usr/bin/ssepyvscpmezva -d 1513
1⤵
PID:1938

/usr/bin/zbkctcikafd
/usr/bin/zbkctcikafd -d 1513
1⤵
PID:1941

/usr/bin/urlwolchumxjs
/usr/bin/urlwolchumxjs -d 1513
1⤵
PID:1944

/usr/bin/gtozipasrvwbfy
/usr/bin/gtozipasrvwbfy -d 1513
1⤵
PID:1946

/usr/bin/bdzyqyjktpfko
/usr/bin/bdzyqyjktpfko -d 1513
1⤵
PID:1952

/usr/bin/kdddqz
/usr/bin/kdddqz -d 1513
1⤵
PID:1950

/usr/bin/zojtlfureddj
/usr/bin/zojtlfureddj -d 1513
1⤵
PID:1956

/usr/bin/hzizcoaaebj
/usr/bin/hzizcoaaebj -d 1513
1⤵
PID:1959

/usr/bin/uzvepleeuxpct
/usr/bin/uzvepleeuxpct -d 1513
1⤵
PID:1962

/usr/bin/gzorix
/usr/bin/gzorix -d 1513
1⤵
PID:1965

/usr/bin/sysgatmbecwfaa
/usr/bin/sysgatmbecwfaa -d 1513
1⤵
PID:1968

/usr/bin/lgbhdqjzbryri
/usr/bin/lgbhdqjzbryri -d 1513
1⤵
PID:1971

/usr/bin/oyyothootqs
/usr/bin/oyyothootqs -d 1513
1⤵
PID:1974

/usr/bin/oyyqvlxwsaoe
/usr/bin/oyyqvlxwsaoe -d 1513
1⤵
PID:1977

/usr/bin/rxzigfyggmbndp
/usr/bin/rxzigfyggmbndp -d 1513
1⤵
PID:1980

/usr/bin/ahparxfq
/usr/bin/ahparxfq -d 1513
1⤵
PID:1985

/usr/bin/vkgjkezfrwbmz
/usr/bin/vkgjkezfrwbmz -d 1513
1⤵
PID:1983

/usr/bin/nehchxnehtnta
/usr/bin/nehchxnehtnta -d 1513
1⤵
PID:1989

/usr/bin/ntkujqkpymzv
/usr/bin/ntkujqkpymzv -d 1513
1⤵
PID:1994

/usr/bin/rlzfmqxnz
/usr/bin/rlzfmqxnz -d 1513
1⤵
PID:1992

/usr/bin/devrxxgxo
/usr/bin/devrxxgxo -d 1513
1⤵
PID:1998

/usr/bin/afjhnsyq
/usr/bin/afjhnsyq -d 1513
1⤵
PID:2001

/usr/bin/hevpfgtiuehz
/usr/bin/hevpfgtiuehz -d 1513
1⤵
PID:2004

/usr/bin/cmsnsuufnukw
/usr/bin/cmsnsuufnukw -d 1513
1⤵
PID:2007

/usr/bin/aobsclwacegvoc
/usr/bin/aobsclwacegvoc -d 1513
1⤵
PID:2009

/usr/bin/vbpxphkjbgopbb
/usr/bin/vbpxphkjbgopbb -d 1513
1⤵
PID:2013

/usr/bin/ebcivgtrgvx
/usr/bin/ebcivgtrgvx -d 1513
1⤵
PID:2016

/usr/bin/slqwjt
/usr/bin/slqwjt -d 1513
1⤵
PID:2019

/usr/bin/gkstutbi
/usr/bin/gkstutbi -d 1513
1⤵
PID:2022

/usr/bin/elyjocrjim
/usr/bin/elyjocrjim -d 1513
1⤵
PID:2025

/usr/bin/pjafdowzxrkfc
/usr/bin/pjafdowzxrkfc -d 1513
1⤵
PID:2028

/usr/bin/gkgskp
/usr/bin/gkgskp -d 1513
1⤵
PID:2031

/usr/bin/misvwx
/usr/bin/misvwx -d 1513
1⤵
PID:2034

/usr/bin/fzrlnpkmhxsl
/usr/bin/fzrlnpkmhxsl -d 1513
1⤵
PID:2037

/usr/bin/shdwnodhyuq
/usr/bin/shdwnodhyuq -d 1513
1⤵
PID:2040

/usr/bin/fkibhuj
/usr/bin/fkibhuj -d 1513
1⤵
PID:2042

/usr/bin/nuwdgkmdc
/usr/bin/nuwdgkmdc -d 1513
1⤵
PID:2046

/usr/bin/hxgkvva
/usr/bin/hxgkvva -d 1513
1⤵
PID:2049

/usr/bin/dbtvoyhw
/usr/bin/dbtvoyhw -d 1513
1⤵
PID:2052

/usr/bin/qskyfgukn
/usr/bin/qskyfgukn -d 1513
1⤵
PID:2055

/usr/bin/ysjxzidme
/usr/bin/ysjxzidme -d 1513
1⤵
PID:2058

/usr/bin/zytlwbut
/usr/bin/zytlwbut -d 1513
1⤵
PID:2061

/usr/bin/hambjjduppy
/usr/bin/hambjjduppy -d 1513
1⤵
PID:2064

/usr/bin/dcutcxyzhaaf
/usr/bin/dcutcxyzhaaf -d 1513
1⤵
PID:2067

/usr/bin/odwiymp
/usr/bin/odwiymp -d 1513
1⤵
PID:2070

/usr/bin/yqkjte
/usr/bin/yqkjte -d 1513
1⤵
PID:2073

/usr/bin/keqqgmli
/usr/bin/keqqgmli -d 1513
1⤵
PID:2076

/usr/bin/jkqlkxhydfgdr
/usr/bin/jkqlkxhydfgdr -d 1513
1⤵
PID:2079

/usr/bin/crqoblsdywu
/usr/bin/crqoblsdywu -d 1513
1⤵
PID:2082

/usr/bin/egznskxkwjifi
/usr/bin/egznskxkwjifi -d 1513
1⤵
PID:2085

/usr/bin/kqqcqutgiwtccr
/usr/bin/kqqcqutgiwtccr -d 1513
1⤵
PID:2088

/usr/bin/eguwrth
/usr/bin/eguwrth -d 1513
1⤵
PID:2091

/usr/bin/crumeefuiv
/usr/bin/crumeefuiv -d 1513
1⤵
PID:2094

/usr/bin/ebzauccmca
/usr/bin/ebzauccmca -d 1513
1⤵
PID:2097

/usr/bin/danhgseppv
/usr/bin/danhgseppv -d 1513
1⤵
PID:2102

/usr/bin/hfaddrwkg
/usr/bin/hfaddrwkg -d 1513
1⤵
PID:2100

/usr/bin/quvnwabz
/usr/bin/quvnwabz -d 1513
1⤵
PID:2106

/usr/bin/wihwmlpkxxlbxb
/usr/bin/wihwmlpkxxlbxb -d 1513
1⤵
PID:2109

/usr/bin/evovljodejqcjt
/usr/bin/evovljodejqcjt -d 1513
1⤵
PID:2112

/usr/bin/mqmtma
/usr/bin/mqmtma -d 1513
1⤵
PID:2115

/usr/bin/ekebyhbbrfw
/usr/bin/ekebyhbbrfw -d 1513
1⤵
PID:2118

/usr/bin/ihjiqkjjrfr
/usr/bin/ihjiqkjjrfr -d 1513
1⤵
PID:2121

/usr/bin/pnlcmmfqzeyytt
/usr/bin/pnlcmmfqzeyytt -d 1513
1⤵
PID:2124

/usr/bin/xpwgxfpfv
/usr/bin/xpwgxfpfv -d 1513
1⤵
PID:2127

/usr/bin/ogsvynknym
/usr/bin/ogsvynknym -d 1513
1⤵
PID:2130

/usr/bin/nusmaqnujit
/usr/bin/nusmaqnujit -d 1513
1⤵
PID:2133

/usr/bin/gbxlrei
/usr/bin/gbxlrei -d 1513
1⤵
PID:2136

/usr/bin/uopqoc
/usr/bin/uopqoc -d 1513
1⤵
PID:2139

/usr/bin/bdrdslvellthw
/usr/bin/bdrdslvellthw -d 1513
1⤵
PID:2142

/usr/bin/cxjeuuxzerttgl
/usr/bin/cxjeuuxzerttgl -d 1513
1⤵
PID:2145

/usr/bin/lonqfqisnodai
/usr/bin/lonqfqisnodai -d 1513
1⤵
PID:2148

/usr/bin/tqrqpwik
/usr/bin/tqrqpwik -d 1513
1⤵
PID:2151

/usr/bin/qyadmnttfdluu
/usr/bin/qyadmnttfdluu -d 1513
1⤵
PID:2153

/usr/bin/ucdtptmmoceft
/usr/bin/ucdtptmmoceft -d 1513
1⤵
PID:2157

/usr/bin/pgthev
/usr/bin/pgthev -d 1513
1⤵
PID:2160

/usr/bin/ppmdtskp
/usr/bin/ppmdtskp -d 1513
1⤵
PID:2165

/usr/bin/slgnskyngqhiua
/usr/bin/slgnskyngqhiua -d 1513
1⤵
PID:2163

/usr/bin/bvrjbmwt
/usr/bin/bvrjbmwt -d 1513
1⤵
PID:2169

/usr/bin/cisogh
/usr/bin/cisogh -d 1513
1⤵
PID:2172

/usr/bin/woesrgjgup
/usr/bin/woesrgjgup -d 1513
1⤵
PID:2175

/usr/bin/ozqkdnboopkjpo
/usr/bin/ozqkdnboopkjpo -d 1513
1⤵
PID:2178

/usr/bin/fzqbyggsz
/usr/bin/fzqbyggsz -d 1513
1⤵
PID:2181

/usr/bin/atprkgapis
/usr/bin/atprkgapis -d 1513
1⤵
PID:2186

/usr/bin/chirjwszivpj
/usr/bin/chirjwszivpj -d 1513
1⤵
PID:2184

/usr/bin/gbyyamai
/usr/bin/gbyyamai -d 1513
1⤵
PID:2190

/usr/bin/mcfwkin
/usr/bin/mcfwkin -d 1513
1⤵
PID:2195

/usr/bin/rumschhnrn
/usr/bin/rumschhnrn -d 1513
1⤵
PID:2193

/usr/bin/ceadebetbopvhk
/usr/bin/ceadebetbopvhk -d 1513
1⤵
PID:2199

/usr/bin/oqlcjaqycxw
/usr/bin/oqlcjaqycxw -d 1513
1⤵
PID:2202

/usr/bin/fkjkqln
/usr/bin/fkjkqln -d 1513
1⤵
PID:2205

/usr/bin/tnqjfnq
/usr/bin/tnqjfnq -d 1513
1⤵
PID:2208

/usr/bin/kayryftwoqqoux
/usr/bin/kayryftwoqqoux -d 1513
1⤵
PID:2211

/usr/bin/lrwpkfo
/usr/bin/lrwpkfo -d 1513
1⤵
PID:2214

/usr/bin/hxevzlgsvgtog
/usr/bin/hxevzlgsvgtog -d 1513
1⤵
PID:2217

/usr/bin/yhmromxll
/usr/bin/yhmromxll -d 1513
1⤵
PID:2222

/usr/bin/hepxxfuudhna
/usr/bin/hepxxfuudhna -d 1513
1⤵
PID:2220

/usr/bin/bpqbmvxgaeucc
/usr/bin/bpqbmvxgaeucc -d 1513
1⤵
PID:2228

/usr/bin/ufdayuj
/usr/bin/ufdayuj -d 1513
1⤵
PID:2226

/usr/bin/lqlccinn
/usr/bin/lqlccinn -d 1513
1⤵
PID:2232

/usr/bin/hvwkvqvwskm
/usr/bin/hvwkvqvwskm -d 1513
1⤵
PID:2235

/usr/bin/xjsfkybocvasge
/usr/bin/xjsfkybocvasge -d 1513
1⤵
PID:2238

/usr/bin/rkibhendvizpu
/usr/bin/rkibhendvizpu -d 1513
1⤵
PID:2241

/usr/bin/mrvezh
/usr/bin/mrvezh -d 1513
1⤵
PID:2244

/usr/bin/awgyyyecvvv
/usr/bin/awgyyyecvvv -d 1513
1⤵
PID:2247

/usr/bin/fypklshts
/usr/bin/fypklshts -d 1513
1⤵
PID:2250

/usr/bin/qgkhdqilu
/usr/bin/qgkhdqilu -d 1513
1⤵
PID:2252

/usr/bin/jajjyp
/usr/bin/jajjyp -d 1513
1⤵
PID:2256

/usr/bin/wnieshte
/usr/bin/wnieshte -d 1513
1⤵
PID:2259

/usr/bin/onqgngozprpy
/usr/bin/onqgngozprpy -d 1513
1⤵
PID:2262

/usr/bin/jlpjuykllg
/usr/bin/jlpjuykllg -d 1513
1⤵
PID:2265

/usr/bin/wmtffzzvp
/usr/bin/wmtffzzvp -d 1513
1⤵
PID:2268

/usr/bin/cvreljtlpdwf
/usr/bin/cvreljtlpdwf -d 1513
1⤵
PID:2271

/usr/bin/sdadri
/usr/bin/sdadri -d 1513
1⤵
PID:2274

/usr/bin/puzucatxplbu
/usr/bin/puzucatxplbu -d 1513
1⤵
PID:2277

/usr/bin/sytdtevwaansfp
/usr/bin/sytdtevwaansfp -d 1513
1⤵
PID:2280

/usr/bin/yycnsd
/usr/bin/yycnsd -d 1513
1⤵
PID:2283

/usr/bin/uddsvqvpynpst
/usr/bin/uddsvqvpynpst -d 1513
1⤵
PID:2286

/usr/bin/yohzqwtvltu
/usr/bin/yohzqwtvltu -d 1513
1⤵
PID:2288

/usr/bin/vjeatye
/usr/bin/vjeatye -d 1513
1⤵
PID:2292

/usr/bin/szonqmdheyr
/usr/bin/szonqmdheyr -d 1513
1⤵
PID:2295

/usr/bin/maeewzzktv
/usr/bin/maeewzzktv -d 1513
1⤵
PID:2297

/usr/bin/xvlxgigrwuo
/usr/bin/xvlxgigrwuo -d 1513
1⤵
PID:2304

/usr/bin/mpbirywrrd
/usr/bin/mpbirywrrd -d 1513
1⤵
PID:2307

/usr/bin/mdhgcqtxnqkny
/usr/bin/mdhgcqtxnqkny -d 1513
1⤵
PID:2310

/usr/bin/vprqdee
/usr/bin/vprqdee -d 1513
1⤵
PID:2313

/usr/bin/ogjupswilw
/usr/bin/ogjupswilw -d 1513
1⤵
PID:2318

/usr/bin/fmoelh
/usr/bin/fmoelh -d 1513
1⤵
PID:2316

/usr/bin/egkcbgsswx
/usr/bin/egkcbgsswx -d 1513
1⤵
PID:2322

/usr/bin/cuepik
/usr/bin/cuepik -d 1513
1⤵
PID:2325

/usr/bin/pjqxvmpnjx
/usr/bin/pjqxvmpnjx -d 1513
1⤵
PID:2328

/usr/bin/huenfholbij
/usr/bin/huenfholbij -d 1513
1⤵
PID:2331

/usr/bin/unccxe
/usr/bin/unccxe -d 1513
1⤵
PID:2334

/usr/bin/udrbyxpfg
/usr/bin/udrbyxpfg -d 1513
1⤵
PID:2339

/usr/bin/ixrdjg
/usr/bin/ixrdjg -d 1513
1⤵
PID:2337

/usr/bin/sjobkv
/usr/bin/sjobkv -d 1513
1⤵
PID:2343

/usr/bin/eirjhxdpuuted
/usr/bin/eirjhxdpuuted -d 1513
1⤵
PID:2345

/usr/bin/ygecgcrn
/usr/bin/ygecgcrn -d 1513
1⤵
PID:2349

/usr/bin/yfsmie
/usr/bin/yfsmie -d 1513
1⤵
PID:2352

/usr/bin/xirqtynyqitloy
/usr/bin/xirqtynyqitloy -d 1513
1⤵
PID:2355

/usr/bin/ogbqpdjcni
/usr/bin/ogbqpdjcni -d 1513
1⤵
PID:2358

/usr/bin/fwsjerux
/usr/bin/fwsjerux -d 1513
1⤵
PID:2361

/usr/bin/xlnycc
/usr/bin/xlnycc -d 1513
1⤵
PID:2364

/usr/bin/frvpws
/usr/bin/frvpws -d 1513
1⤵
PID:2367

/usr/bin/iybexmtvlhluqk
/usr/bin/iybexmtvlhluqk -d 1513
1⤵
PID:2370

/usr/bin/xkflij
/usr/bin/xkflij -d 1513
1⤵
PID:2372

/usr/bin/wudulbmvjm
/usr/bin/wudulbmvjm -d 1513
1⤵
PID:2376

/usr/bin/njmhhyossffmep
/usr/bin/njmhhyossffmep -d 1513
1⤵
PID:2379

/usr/bin/pxaflwbosnsekd
/usr/bin/pxaflwbosnsekd -d 1513
1⤵
PID:2382

/usr/bin/tewaluq
/usr/bin/tewaluq -d 1513
1⤵
PID:2385

/usr/bin/pxkbebstbuam
/usr/bin/pxkbebstbuam -d 1513
1⤵
PID:2388

/usr/bin/dlrvrb
/usr/bin/dlrvrb -d 1513
1⤵
PID:2391

/usr/bin/ohtbcmgrl
/usr/bin/ohtbcmgrl -d 1513
1⤵
PID:2394

/usr/bin/upuolv
/usr/bin/upuolv -d 1513
1⤵
PID:2397

/usr/bin/lkapnngkfhkrse
/usr/bin/lkapnngkfhkrse -d 1513
1⤵
PID:2400

/usr/bin/czienq
/usr/bin/czienq -d 1513
1⤵
PID:2403

/usr/bin/nreaflmmuzd
/usr/bin/nreaflmmuzd -d 1513
1⤵
PID:2408

/usr/bin/zjrqgfbbp
/usr/bin/zjrqgfbbp -d 1513
1⤵
PID:2406

/usr/bin/dkpeuvuk
/usr/bin/dkpeuvuk -d 1513
1⤵
PID:2412

/usr/bin/kxfvkrqj
/usr/bin/kxfvkrqj -d 1513
1⤵
PID:2417

/usr/bin/twllesphhev
/usr/bin/twllesphhev -d 1513
1⤵
PID:2415

/usr/bin/fogwuaton
/usr/bin/fogwuaton -d 1513
1⤵
PID:2421

/usr/bin/lrsootnytnzmsd
/usr/bin/lrsootnytnzmsd -d 1513
1⤵
PID:2424

/usr/bin/hhlafmscrruwd
/usr/bin/hhlafmscrruwd -d 1513
1⤵
PID:2427

/usr/bin/plniedwzqwud
/usr/bin/plniedwzqwud -d 1513
1⤵
PID:2430

/usr/bin/iyzgfj
/usr/bin/iyzgfj -d 1513
1⤵
PID:2433

/usr/bin/hofzrysnxxqmj
/usr/bin/hofzrysnxxqmj -d 1513
1⤵
PID:2436

/usr/bin/wnjuozr
/usr/bin/wnjuozr -d 1513
1⤵
PID:2439

/usr/bin/fnrdoykxrrozs
/usr/bin/fnrdoykxrrozs -d 1513
1⤵
PID:2442

/usr/bin/zmuwkmktsgi
/usr/bin/zmuwkmktsgi -d 1513
1⤵
PID:2445

/usr/bin/bwcufhhzmvz
/usr/bin/bwcufhhzmvz -d 1513
1⤵
PID:2448

/usr/bin/vsplrhs
/usr/bin/vsplrhs -d 1513
1⤵
PID:2451

/usr/bin/dnkmmw
/usr/bin/dnkmmw -d 1513
1⤵
PID:2454

/usr/bin/ltfdisx
/usr/bin/ltfdisx -d 1513
1⤵
PID:2456

/usr/bin/kqoafudhtyqcyb
/usr/bin/kqoafudhtyqcyb -d 1513
1⤵
PID:2460

/usr/bin/zfujtifdva
/usr/bin/zfujtifdva -d 1513
1⤵
PID:2463

/usr/bin/blcydoq
/usr/bin/blcydoq -d 1513
1⤵
PID:2466

/usr/bin/pxnsfgtxiryr
/usr/bin/pxnsfgtxiryr -d 1513
1⤵
PID:2468

/usr/bin/fobzwjesl
/usr/bin/fobzwjesl -d 1513
1⤵
PID:2472

/usr/bin/twttbiju
/usr/bin/twttbiju -d 1513
1⤵
PID:2475

/usr/bin/gjtnpo
/usr/bin/gjtnpo -d 1513
1⤵
PID:2478

/usr/bin/zijtaqhepdnwxy
/usr/bin/zijtaqhepdnwxy -d 1513
1⤵
PID:2481

/usr/bin/batege
/usr/bin/batege -d 1513
1⤵
PID:2484

/usr/bin/gexgljytoyh
/usr/bin/gexgljytoyh -d 1513
1⤵
PID:2487

/usr/bin/qouuicagi
/usr/bin/qouuicagi -d 1513
1⤵
PID:2492

/usr/bin/dichkhckshlwk
/usr/bin/dichkhckshlwk -d 1513
1⤵
PID:2490

/usr/bin/rjhhjproztvjay
/usr/bin/rjhhjproztvjay -d 1513
1⤵
PID:2496

/usr/bin/vhhtrvjfr
/usr/bin/vhhtrvjfr -d 1513
1⤵
PID:2499

/usr/bin/ptgxeuppcy
/usr/bin/ptgxeuppcy -d 1513
1⤵
PID:2502

/usr/bin/tqmsljcohy
/usr/bin/tqmsljcohy -d 1513
1⤵
PID:2505

/usr/bin/qheheoovwe
/usr/bin/qheheoovwe -d 1513
1⤵
PID:2508

/usr/bin/cdxxumbtk
/usr/bin/cdxxumbtk -d 1513
1⤵
PID:2511

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Hijack Execution Flow

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Hijack Execution Flow

Scheduled Task/Job

Defense Evasion

Hijack Execution Flow

1

T1574

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/dev/shm/sem.WNG04f

Filesize
16B

MD5
076933ff9904d1110d896e2c525e39e5

SHA1
4188442577fa77f25820d9b2d01cc446e30684ac

SHA256
4cbbd8ca5215b8d161aec181a74b694f4e24b001d5b081dc0030ed797a8973e0

SHA512
6fcee9a7b7a7b821d241c03c82377928bc6882e7a08c78a4221199bfa220cdc55212273018ee613317c8293bb8d1ce08d1e017508e94e06ab85a734c99c7cc34

Download Submit
/etc/cron.hourly/bvpwrm.sh

Filesize
155B

MD5
249264c9dc3abcfad6fee972cd61a111

SHA1
3ec966a1985cac4cc87ecad3f167a0b859de9511

SHA256
9c709185eb1a5890c2933b45802ac94ba57e65cc769e0c2823ffe363e57c94f8

SHA512
ebc55f0a6eec955b1a157fc3b9978f19277b5aded899b57534a3a4bf1af1827e5fb9d9c042c86a7af24f02cbaa170de030d449b4d7ffcf1e271d8563301dca4f

Download Submit
/etc/daemon.cfg

Filesize
32B

MD5
dc81fab74725e7ce27717a3a3aba02fa

SHA1
70868c1f8a2485ae206781277a80fe192f911009

SHA256
23e110aa7ff527ca06d37c7559258cf436d9768f5779cdedd810ca38a0d1daf4

SHA512
5156ba335d788f953a57e6b7e48e0f7700c95f0c11197a7cf9e880e1b582b0a006af95635c697ffda21bc8923841929eaa3c74bf5bd8fc86ad6a34637c021557

Download Submit
/etc/init.d/bvpwrm

Filesize
326B

MD5
6ccf0b7adf22be863c9640e27f876edd

SHA1
d6f2d10cb4c3f0932f756e04598fde443c614c19

SHA256
719771d4d6b8fbbffceb3a6d824deab5566521df3b2c4aabbde310ef91157b89

SHA512
6113316a18b0abeebfee71bf6b80a7afaf5811dee00a68adff9771ea4d6caedabbbd19e440fa349537c8e0571205cb2c5c1ccb61a7578e914479f708c6c129a0

Download Submit
/usr/bin/mrwpvb

Filesize
538KB

MD5
d18b4d1a854a85230955d16ca411a59b

SHA1
4fa5877b1f47cec24d1d11364586a4e8f565e99b

SHA256
fcd74bb10dac1a133f6f5638c80aaa0809d3848831492a8c07e0a708909fbece

SHA512
76ecae79cccf96ae56bb51d4b1a3845bcc68c335a81a815675a302a60f4858c1a15113626b4647e7ee70ccb62a1d59e1d11967fa74d80e3cc87a4c151aa84c57

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads