b7dd3bce3ebfbc2d5e3a9f00d47f27cb6a5895c4618c878e314e573a7c216df1

Analysis

max time kernel
149s
max time network
161s
platform
ubuntu-24.04_amd64
resource
ubuntu2404-amd64-20240523-en
resource tags

arch:amd64arch:i386image:ubuntu2404-amd64-20240523-enkernel:6.8.0-31-genericlocale:en-usos:ubuntu-24.04-amd64system
submitted
04-09-2024 20:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

The-MALWARE-Repo-master/Botnets/FritzFrog/103b8404dc64c9a44511675981a09fd01395ee837452d114f1350c295357c046
Size

8.6MB
MD5

ae747bc7fff9bc23f06635ef60ea0e8d
SHA1

64315e834f67905ed4e47f36155362a78ac23462
SHA256

103b8404dc64c9a44511675981a09fd01395ee837452d114f1350c295357c046
SHA512

e24914a58565a43883c27ae4a41061e8edd3d5eef7b86c1c0e9910d9fbe0eef3e78ed49136ac0c9378311e99901b1847bcfd926aa9a3ea44149a7478480f82b2
SSDEEP

98304:rDSceJ/GqDu6P0ypQ0Qv5knSTH20ejwBcHjI7Xk:rDSceJ/GqD18RZv5knS720e7s

Score

8^/10

antivm defense_evasion discovery persistence privilege_escalation

Malware Config

Signatures

Adds new SSH keys 1 TTPs 1 IoCs

Linux special file to hold SSH keys. The threat actor may add new keys for further remote access.

persistence privilege_escalation

SSH Authorized Keys

T1098.004

description	ioc	Process
File opened for modification	/root/.ssh/authorized_keys	103b8404dc64c9a44511675981a09fd01395ee837452d114f1350c295357c046

Deletes itself 1 IoCs

pid
2874

Abuse Elevation Control Mechanism: Sudo and Sudo Caching 1 TTPs 64 IoCs

Abuse sudo or cached sudo credentials to execute code.

privilege_escalation defense_evasion

Sudo and Sudo Caching

T1548.003

pid	Process
3147	sudo
3366	sudo
4140	Process not Found
4574	Process not Found
4627	Process not Found
4895	Process not Found
2934	sudo
3157	sudo
3230	sudo
4413	Process not Found
4456	Process not Found
3044	sudo
3608	sudo
4692	Process not Found
3264	sudo
3476	sudo
3975	sudo
4716	Process not Found
4845	Process not Found
2932	sudo
3028	sudo
3181	sudo
3946	sudo
4122	Process not Found
4352	Process not Found
4405	Process not Found
3145	sudo
3661	sudo
4136	Process not Found
2904	sudo
3040	sudo
3175	sudo
3671	sudo
4024	sudo
4076	Process not Found
4342	Process not Found
4729	Process not Found
2938	sudo
3246	sudo
3504	sudo
3655	sudo
3132	sudo
3159	sudo
4224	Process not Found
4415	Process not Found
4584	Process not Found
4893	Process not Found
4899	Process not Found
3099	sudo
3932	sudo
4116	Process not Found
4222	Process not Found
4236	Process not Found
4511	Process not Found
4658	Process not Found
4760	Process not Found
3462	sudo
3718	sudo
4001	sudo
4244	Process not Found
4252	Process not Found
4254	Process not Found
4360	Process not Found
3238	which

Deletes log files 1 TTPs 1 IoCs

Deletes log files on the system.

defense_evasion

Clear Linux or Mac System Logs

T1070.002

description	ioc	Process
File deleted	/var/log/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/103b8404dc64c9a44511675981a09fd01395ee837452d114f1350c295357c046	103b8404dc64c9a44511675981a09fd01395ee837452d114f1350c295357c046

Enumerates running processes
Discovers information about currently running processes on the system

Checks CPU configuration 1 TTPs 64 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo	Process not Found
File opened for reading	/proc/cpuinfo	Process not Found
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo	Process not Found
File opened for reading	/proc/cpuinfo	Process not Found
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo	Process not Found
File opened for reading	/proc/cpuinfo	Process not Found
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo	Process not Found
File opened for reading	/proc/cpuinfo	Process not Found
File opened for reading	/proc/cpuinfo	Process not Found
File opened for reading	/proc/cpuinfo	Process not Found
File opened for reading	/proc/cpuinfo	Process not Found
File opened for reading	/proc/cpuinfo	Process not Found
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo	Process not Found
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo	Process not Found
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo	Process not Found
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo	Process not Found
File opened for reading	/proc/cpuinfo	Process not Found
File opened for reading	/proc/cpuinfo	Process not Found
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo	Process not Found
File opened for reading	/proc/cpuinfo	Process not Found
File opened for reading	/proc/cpuinfo	Process not Found
File opened for reading	/proc/cpuinfo	Process not Found
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo	Process not Found
File opened for reading	/proc/cpuinfo	Process not Found
File opened for reading	/proc/cpuinfo	Process not Found
File opened for reading	/proc/cpuinfo	Process not Found
File opened for reading	/proc/cpuinfo	Process not Found
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo	Process not Found
File opened for reading	/proc/cpuinfo	ps
File opened for reading	/proc/cpuinfo	Process not Found
File opened for reading	/proc/cpuinfo	Process not Found

Reads CPU attributes 1 TTPs 64 IoCs

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/possible	Process not Found
File opened for reading	/sys/devices/system/cpu/possible	ps
File opened for reading	/sys/devices/system/cpu/possible	ps
File opened for reading	/sys/devices/system/cpu/possible	ps
File opened for reading	/sys/devices/system/cpu/possible	Process not Found
File opened for reading	/sys/devices/system/cpu/possible	Process not Found
File opened for reading	/sys/devices/system/cpu/possible	ps
File opened for reading	/sys/devices/system/cpu/possible	ps
File opened for reading	/sys/devices/system/cpu/possible	Process not Found
File opened for reading	/sys/devices/system/cpu/possible	Process not Found
File opened for reading	/sys/devices/system/cpu/possible	ps
File opened for reading	/sys/devices/system/cpu/possible	Process not Found
File opened for reading	/sys/devices/system/cpu/possible	Process not Found
File opened for reading	/sys/devices/system/cpu/possible	Process not Found
File opened for reading	/sys/devices/system/cpu/possible	Process not Found
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	ps
File opened for reading	/sys/devices/system/cpu/possible	Process not Found
File opened for reading	/sys/devices/system/cpu/possible	Process not Found
File opened for reading	/sys/devices/system/cpu/possible	ps
File opened for reading	/sys/devices/system/cpu/possible	Process not Found
File opened for reading	/sys/devices/system/cpu/possible	ps
File opened for reading	/sys/devices/system/cpu/possible	ps
File opened for reading	/sys/devices/system/cpu/possible	Process not Found
File opened for reading	/sys/devices/system/cpu/possible	Process not Found
File opened for reading	/sys/devices/system/cpu/possible	Process not Found
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	ps
File opened for reading	/sys/devices/system/cpu/possible	Process not Found
File opened for reading	/sys/devices/system/cpu/possible	ps
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	Process not Found
File opened for reading	/sys/devices/system/cpu/possible	Process not Found
File opened for reading	/sys/devices/system/cpu/possible	Process not Found
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	ps
File opened for reading	/sys/devices/system/cpu/possible	Process not Found
File opened for reading	/sys/devices/system/cpu/possible	Process not Found
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	ps
File opened for reading	/sys/devices/system/cpu/possible	Process not Found
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	Process not Found
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	ps
File opened for reading	/sys/devices/system/cpu/possible	Process not Found
File opened for reading	/sys/devices/system/cpu/possible	Process not Found
File opened for reading	/sys/devices/system/cpu/possible	ps
File opened for reading	/sys/devices/system/cpu/possible	Process not Found
File opened for reading	/sys/devices/system/cpu/possible	Process not Found
File opened for reading	/sys/devices/system/cpu/possible	Process not Found
File opened for reading	/sys/devices/system/cpu/possible	ps
File opened for reading	/sys/devices/system/cpu/possible	Process not Found
File opened for reading	/sys/devices/system/cpu/possible	ps
File opened for reading	/sys/devices/system/cpu/possible	Process not Found
File opened for reading	/sys/devices/system/cpu/possible	Process not Found
File opened for reading	/sys/devices/system/cpu/possible	pkill
File opened for reading	/sys/devices/system/cpu/possible	Process not Found
File opened for reading	/sys/devices/system/cpu/possible	Process not Found
File opened for reading	/sys/devices/system/cpu/possible	Process not Found
File opened for reading	/sys/devices/system/cpu/possible	Process not Found

Enumerates kernel/hardware configuration 1 TTPs 64 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/devices/system/node	Process not Found
File opened for reading	/sys/devices/system/node	Process not Found
File opened for reading	/sys/devices/system/node	Process not Found
File opened for reading	/sys/devices/system/node	Process not Found
File opened for reading	/sys/devices/system/node	ps
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/devices/system/node	ps
File opened for reading	/sys/devices/system/node	ps
File opened for reading	/sys/devices/system/node	Process not Found
File opened for reading	/sys/devices/system/node	Process not Found
File opened for reading	/sys/devices/system/node	ps
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/devices/system/node	ps
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/devices/system/node	Process not Found
File opened for reading	/sys/devices/system/node	Process not Found
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/devices/system/node	ps
File opened for reading	/sys/devices/system/node	ps
File opened for reading	/sys/devices/system/node	Process not Found
File opened for reading	/sys/devices/system/node	Process not Found
File opened for reading	/sys/devices/system/node	Process not Found
File opened for reading	/sys/devices/system/node	Process not Found
File opened for reading	/sys/devices/system/node	ps
File opened for reading	/sys/devices/system/node	Process not Found
File opened for reading	/sys/devices/system/node	Process not Found
File opened for reading	/sys/devices/system/node	Process not Found
File opened for reading	/sys/devices/system/node	Process not Found
File opened for reading	/sys/devices/system/node	Process not Found
File opened for reading	/sys/devices/system/node	ps
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/devices/system/node	ps
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/devices/system/node	ps
File opened for reading	/sys/devices/system/node	Process not Found
File opened for reading	/sys/devices/system/node	Process not Found
File opened for reading	/sys/devices/system/node	Process not Found
File opened for reading	/sys/devices/system/node	Process not Found
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/devices/system/node	ps
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/devices/system/node	ps
File opened for reading	/sys/devices/system/node	Process not Found
File opened for reading	/sys/devices/system/node	ps
File opened for reading	/sys/devices/system/node	Process not Found
File opened for reading	/sys/devices/system/node	Process not Found
File opened for reading	/sys/devices/system/node	Process not Found
File opened for reading	/sys/devices/system/node	pkill
File opened for reading	/sys/devices/system/node	ps
File opened for reading	/sys/devices/system/node	ps
File opened for reading	/sys/devices/system/node	Process not Found
File opened for reading	/sys/devices/system/node	Process not Found
File opened for reading	/sys/devices/system/node	Process not Found
File opened for reading	/sys/devices/system/node	Process not Found
File opened for reading	/sys/devices/system/node	Process not Found
File opened for reading	/sys/devices/system/node	ps
File opened for reading	/sys/devices/system/node	Process not Found
File opened for reading	/sys/devices/system/node	Process not Found
File opened for reading	/sys/devices/system/node	Process not Found

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/2370/cgroup	Process not Found
File opened for reading	/proc/63/cgroup	Process not Found
File opened for reading	/proc/2300/cmdline	Process not Found
File opened for reading	/proc/2367/cmdline	pkill
File opened for reading	/proc/37/stat	killall
File opened for reading	/proc/2529/stat	pkill
File opened for reading	/proc/2867/ctty	Process not Found
File opened for reading	/proc/2878/status	Process not Found
File opened for reading	/proc/2346/status	Process not Found
File opened for reading	/proc/12/stat	Process not Found
File opened for reading	/proc/7/status	pkill
File opened for reading	/proc/2628	killall
File opened for reading	/proc/2284/cmdline	ps
File opened for reading	/proc/sys/kernel/seccomp/actions_avail	sudo
File opened for reading	/proc/2877/cmdline	ps
File opened for reading	/proc/728/cgroup	Process not Found
File opened for reading	/proc/2368/environ	Process not Found
File opened for reading	/proc/194/stat	pidof
File opened for reading	/proc/2189/environ	ps
File opened for reading	/proc/24/cmdline	pkill
File opened for reading	/proc/56/stat	Process not Found
File opened for reading	/proc/2300/status	ps
File opened for reading	/proc/731/stat	Process not Found
File opened for reading	/proc/2651/ctty	Process not Found
File opened for reading	/proc/2074	killall
File opened for reading	/proc/56/cmdline	Process not Found
File opened for reading	/proc/13/stat	Process not Found
File opened for reading	/proc/1112/ctty	ps
File opened for reading	/proc/2189	killall
File opened for reading	/proc/1400/cmdline	pkill
File opened for reading	/proc/31/environ	ps
File opened for reading	/proc/52/ctty	pkill
File opened for reading	/proc/1067/cgroup	Process not Found
File opened for reading	/proc/25/cmdline	Process not Found
File opened for reading	/proc/2191/status	Process not Found
File opened for reading	/proc/2	killall
File opened for reading	/proc/33/environ	ps
File opened for reading	/proc/3545	killall
File opened for reading	/proc/2345/cmdline	Process not Found
File opened for reading	/proc/2300/cgroup	Process not Found
File opened for reading	/proc/2523	killall
File opened for reading	/proc/1085/stat	pkill
File opened for reading	/proc/2621/environ	ps
File opened for reading	/proc/2867/cgroup	Process not Found
File opened for reading	/proc/2352/status	ps
File opened for reading	/proc/199/status	pkill
File opened for reading	/proc/357/ctty	Process not Found
File opened for reading	/proc/2300/stat	Process not Found
File opened for reading	/proc/8	Process not Found
File opened for reading	/proc/51	Process not Found
File opened for reading	/proc/2610/cmdline	Process not Found
File opened for reading	/proc/21/ctty	pkill
File opened for reading	/proc/2639/cmdline	pkill
File opened for reading	/proc/457/stat	Process not Found
File opened for reading	/proc/2539/cmdline	ps
File opened for reading	/proc/49/status	Process not Found
File opened for reading	/proc/2870/cmdline	ps
File opened for reading	/proc/2161/cmdline	pkill
File opened for reading	/proc/2682/stat	ps
File opened for reading	/proc/2370/stat	ps
File opened for reading	/proc/2807/ctty	Process not Found
File opened for reading	/proc/2373/environ	Process not Found
File opened for reading	/proc/2468	Process not Found
File opened for reading	/proc/793/environ	Process not Found

Writes file to tmp directory 21 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/nc	103b8404dc64c9a44511675981a09fd01395ee837452d114f1350c295357c046
File opened for modification	/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_2149	touch
File opened for modification	/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_20765	Process not Found
File opened for modification	/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_10129	touch
File opened for modification	/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_19923	touch
File opened for modification	/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_29275	Process not Found
File opened for modification	/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_21234	Process not Found
File opened for modification	/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_28289	touch
File opened for modification	/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_4503	touch
File opened for modification	/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_24732	touch
File opened for modification	/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_20634	Process not Found
File opened for modification	/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_30673	Process not Found
File opened for modification	/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_9137	Process not Found
File opened for modification	/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_9481	Process not Found
File opened for modification	/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_15039	touch
File opened for modification	/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_9750	touch
File opened for modification	/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_7509	touch
File opened for modification	/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_31374	Process not Found
File opened for modification	/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_20654	touch
File opened for modification	/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_24420	touch
File opened for modification	/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/.local_22887	Process not Found

/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/103b8404dc64c9a44511675981a09fd01395ee837452d114f1350c295357c046
/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/103b8404dc64c9a44511675981a09fd01395ee837452d114f1350c295357c046
1⤵
- Adds new SSH keys
- Deletes log files
- Writes file to tmp directory
PID:2870
- /usr/bin/uname
  uname -a
  2⤵
  PID:2885
- /usr/bin/cat
  cat /proc/cpuinfo
  2⤵
  PID:2886
- /usr/bin/cat
  cat /etc/issue
  2⤵
  PID:2888
- /usr/bin/free
  free -m
  2⤵
  PID:2889
- /usr/bin/uptime
  uptime
  2⤵
  PID:2890
- /usr/bin/journalctl
  journalctl -S "@0" -u sshd
  2⤵
  PID:2891
- /usr/bin/cat
  cat "/var/log/auth*"
  2⤵
  PID:2892
- /usr/bin/zcat
  zcat "/var/log/auth*"
  2⤵
  PID:2893
- /usr/local/sbin/gzip
  gzip -cd "/var/log/auth*"
  2⤵
  PID:2893
- /usr/local/bin/gzip
  gzip -cd "/var/log/auth*"
  2⤵
  PID:2893
- /usr/sbin/gzip
  gzip -cd "/var/log/auth*"
  2⤵
  PID:2893
- /usr/bin/gzip
  gzip -cd "/var/log/auth*"
  2⤵
  PID:2893
- /bin/bash
  /bin/bash -
  2⤵
  PID:2894
- - /usr/bin/which
    which sudo
    3⤵
    PID:2896
- - /usr/bin/wc
    wc -l
    3⤵
    PID:2897
- - /usr/bin/sudo
    sudo -S touch .local_20654
    3⤵
    PID:2899
  - - /usr/bin/touch
      touch .local_20654
      4⤵
      Writes file to tmp directory
      PID:2900
- - /usr/bin/grep
    grep -c root
    3⤵
    PID:2903
- - /usr/bin/ls
    ls -l .local_20654
    3⤵
    PID:2902
- - /usr/bin/sudo
    sudo rm .local_20654
    3⤵
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    PID:2904
  - - /usr/bin/rm
      rm .local_20654
      4⤵
      PID:2905
- - /usr/bin/sudo
    sudo ps auxff
    3⤵
    PID:2907
  - - /usr/bin/ps
      ps auxff
      4⤵
      Checks CPU configuration
      PID:2911
- - /usr/bin/grep
    grep "./crond -t=all"
    3⤵
    PID:2908
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:2909
- - /usr/bin/awk
    awk "{ print \$2 }"
    3⤵
    PID:2910
- - /usr/bin/sudo
    sudo killall -9 bssh
    3⤵
    PID:2912
  - - /usr/bin/killall
      killall -9 bssh
      4⤵
      PID:2913
- - /usr/bin/sudo
    sudo rm -rf /tmp/.an
    3⤵
    PID:2914
  - - /usr/bin/rm
      rm -rf /tmp/.an
      4⤵
      PID:2915
- - /usr/bin/sudo
    sudo killall -9 xm64
    3⤵
    PID:2916
  - - /usr/bin/killall
      killall -9 xm64
      4⤵
      PID:2917
- - /usr/bin/sudo
    sudo killall -9 rpc.idmapd
    3⤵
    PID:2918
  - - /usr/bin/killall
      killall -9 rpc.idmapd
      4⤵
      PID:2919
- - /usr/bin/sudo
    sudo rm -rf /tmp/.m2
    3⤵
    PID:2920
  - - /usr/bin/rm
      rm -rf /tmp/.m2
      4⤵
      PID:2921
- - /usr/bin/sudo
    sudo killall -9 xorgg
    3⤵
    PID:2922
  - - /usr/bin/killall
      killall -9 xorgg
      4⤵
      PID:2923
- - /usr/bin/sudo
    sudo rm -rf /tmp/seconfig
    3⤵
    PID:2924
  - - /usr/bin/rm
      rm -rf /tmp/seconfig
      4⤵
      PID:2925
- - /usr/bin/sudo
    sudo killall -9 crond64
    3⤵
    PID:2926
  - - /usr/bin/killall
      killall -9 crond64
      4⤵
      PID:2927
- - /usr/bin/sudo
    sudo killall -9 tsm
    3⤵
    PID:2928
  - - /usr/bin/killall
      killall -9 tsm
      4⤵
      PID:2929
- - /usr/bin/sudo
    sudo rm -rf /tmp/.ssh
    3⤵
    PID:2930
  - - /usr/bin/rm
      rm -rf /tmp/.ssh
      4⤵
      PID:2931
- - /usr/bin/sudo
    sudo rm -rf /tmp/.java
    3⤵
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    PID:2932
  - - /usr/bin/rm
      rm -rf /tmp/.java
      4⤵
      PID:2933
- - /usr/bin/sudo
    sudo rm -rf /tmp/.iolanda
    3⤵
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    PID:2934
  - - /usr/bin/rm
      rm -rf /tmp/.iolanda
      4⤵
      PID:2935
- - /usr/bin/sudo
    sudo pkill test.mod
    3⤵
    PID:2936
  - - /usr/bin/pkill
      pkill test.mod
      4⤵
      PID:2937
- - /usr/bin/sudo
    sudo pkill daemon.i686.mod
    3⤵
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    PID:2938
  - - /usr/bin/pkill
      pkill daemon.i686.mod
      4⤵
      Reads CPU attributes
      PID:2939
- - /usr/bin/sudo
    sudo pkill daemon.armv4l.mod
    3⤵
    PID:2940
  - - /usr/bin/pkill
      pkill daemon.armv4l.mod
      4⤵
      PID:2941
- - /usr/bin/sudo
    sudo pkill daemon.mips.mod
    3⤵
    PID:2942
  - - /usr/bin/pkill
      pkill daemon.mips.mod
      4⤵
      Enumerates kernel/hardware configuration
      PID:2943
- - /usr/bin/sudo
    sudo pkill daemon.mipsel.mod
    3⤵
    PID:2944
  - - /usr/bin/pkill
      pkill daemon.mipsel.mod
      4⤵
      PID:2945
- - /usr/bin/sudo
    sudo rm -rf /tmp/.xs
    3⤵
    PID:2946
  - - /usr/bin/rm
      rm -rf /tmp/.xs
      4⤵
      PID:2947
- - /usr/bin/sudo
    sudo pkill ld-linux-x86-64
    3⤵
    PID:2948
  - - /usr/bin/pkill
      pkill ld-linux-x86-64
      4⤵
      PID:2949
- - /usr/bin/rm
    rm -rf "/var/tmp/. *"
    3⤵
    PID:2950
- - /usr/bin/sudo
    sudo ps auxf
    3⤵
    PID:2952
  - - /usr/bin/ps
      ps auxf
      4⤵
      Checks CPU configuration
      PID:2956
- - /usr/bin/grep
    grep xmr
    3⤵
    PID:2953
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:2954
- - /usr/bin/awk
    awk "{ print \$2 }"
    3⤵
    PID:2955
- - /usr/bin/sudo
    sudo ps auxf
    3⤵
    PID:2958
  - - /usr/bin/ps
      ps auxf
      4⤵
      Enumerates kernel/hardware configuration
      PID:2962
- - /usr/bin/grep
    grep cryptonight
    3⤵
    PID:2959
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:2960
- - /usr/bin/awk
    awk "{ print \$2 }"
    3⤵
    PID:2961
- - /usr/bin/sudo
    sudo ps auxf
    3⤵
    PID:2964
  - - /usr/bin/ps
      ps auxf
      4⤵
      Checks CPU configuration
      PID:2968
- - /usr/bin/grep
    grep stratum
    3⤵
    PID:2965
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:2966
- - /usr/bin/awk
    awk "{ print \$2 }"
    3⤵
    PID:2967
- - /usr/bin/sudo
    sudo ps auxf
    3⤵
    PID:2970
  - - /usr/bin/ps
      ps auxf
      4⤵
      Reads CPU attributes
      Enumerates kernel/hardware configuration
      PID:2974
- - /usr/bin/grep
    grep dbus-daemon--system
    3⤵
    PID:2971
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:2972
- - /usr/bin/awk
    awk "{ print \$2 }"
    3⤵
    PID:2973
- - /usr/bin/sudo
    sudo ps auxf
    3⤵
    PID:2976
  - - /usr/bin/ps
      ps auxf
      4⤵
      Reads CPU attributes
      PID:2980
- - /usr/bin/grep
    grep "\\[\\]"
    3⤵
    PID:2977
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:2978
- - /usr/bin/awk
    awk "{ print \$2 }"
    3⤵
    PID:2979
- - /usr/bin/sudo
    sudo ps auxf
    3⤵
    PID:2982
  - - /usr/bin/ps
      ps auxf
      4⤵
      PID:2986
- - /usr/bin/grep
    grep xm64
    3⤵
    PID:2983
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:2984
- - /usr/bin/awk
    awk "{ print \$2 }"
    3⤵
    PID:2985
- - /usr/bin/sudo
    sudo killall -9 "[atd]"
    3⤵
    PID:2987
  - - /usr/bin/killall
      killall -9 "[atd]"
      4⤵
      PID:2988
- - /usr/bin/sudo
    sudo rm -rf /tmp/.jk
    3⤵
    PID:2989
  - - /usr/bin/rm
      rm -rf /tmp/.jk
      4⤵
      PID:2990
- - /usr/bin/sudo
    sudo killall -9 "[ntpd]"
    3⤵
    PID:2991
  - - /usr/bin/killall
      killall -9 "[ntpd]"
      4⤵
      PID:2992
- - /usr/bin/sudo
    sudo killall -9 "[rpciod]"
    3⤵
    PID:2993
  - - /usr/bin/killall
      killall -9 "[rpciod]"
      4⤵
      PID:2994
- - /usr/bin/sudo
    sudo killall -9 "[ext4-dio-unwrit]"
    3⤵
    PID:2995
  - - /usr/bin/killall
      killall -9 "[ext4-dio-unwrit]"
      4⤵
      PID:2996
- - /usr/bin/sudo
    sudo rm -rf "/tmp/.xm*"
    3⤵
    PID:2997
  - - /usr/bin/rm
      rm -rf "/tmp/.xm*"
      4⤵
      PID:2998
- - /usr/bin/pidof
    pidof libexec
    3⤵
    - Reads runtime system information
    PID:2999
- /usr/bin/free
  free -m
  2⤵
  PID:3000
- /usr/bin/uptime
  uptime
  2⤵
  PID:3001
- /bin/bash
  /bin/bash -
  2⤵
  PID:3002
- - /usr/bin/which
    which sudo
    3⤵
    PID:3004
- - /usr/bin/wc
    wc -l
    3⤵
    PID:3005
- - /usr/bin/sudo
    sudo -S touch .local_28289
    3⤵
    PID:3007
  - - /usr/bin/touch
      touch .local_28289
      4⤵
      Writes file to tmp directory
      PID:3008
- - /usr/bin/grep
    grep -c root
    3⤵
    PID:3011
- - /usr/bin/ls
    ls -l .local_28289
    3⤵
    PID:3010
- - /usr/bin/sudo
    sudo rm .local_28289
    3⤵
    PID:3012
  - - /usr/bin/rm
      rm .local_28289
      4⤵
      PID:3013
- - /usr/bin/sudo
    sudo ps auxff
    3⤵
    PID:3015
  - - /usr/bin/ps
      ps auxff
      4⤵
      Checks CPU configuration
      Reads CPU attributes
      PID:3019
- - /usr/bin/grep
    grep "./crond -t=all"
    3⤵
    PID:3016
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:3017
- - /usr/bin/awk
    awk "{ print \$2 }"
    3⤵
    PID:3018
- - /usr/bin/sudo
    sudo killall -9 bssh
    3⤵
    PID:3020
  - - /usr/bin/killall
      killall -9 bssh
      4⤵
      PID:3021
- - /usr/bin/sudo
    sudo rm -rf /tmp/.an
    3⤵
    PID:3022
  - - /usr/bin/rm
      rm -rf /tmp/.an
      4⤵
      PID:3023
- - /usr/bin/sudo
    sudo killall -9 xm64
    3⤵
    PID:3024
  - - /usr/bin/killall
      killall -9 xm64
      4⤵
      PID:3025
- - /usr/bin/sudo
    sudo killall -9 rpc.idmapd
    3⤵
    PID:3026
  - - /usr/bin/killall
      killall -9 rpc.idmapd
      4⤵
      PID:3027
- - /usr/bin/sudo
    sudo rm -rf /tmp/.m2
    3⤵
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    PID:3028
  - - /usr/bin/rm
      rm -rf /tmp/.m2
      4⤵
      PID:3029
- - /usr/bin/sudo
    sudo killall -9 xorgg
    3⤵
    PID:3030
  - - /usr/bin/killall
      killall -9 xorgg
      4⤵
      PID:3031
- - /usr/bin/sudo
    sudo rm -rf /tmp/seconfig
    3⤵
    PID:3032
  - - /usr/bin/rm
      rm -rf /tmp/seconfig
      4⤵
      PID:3033
- - /usr/bin/sudo
    sudo killall -9 crond64
    3⤵
    PID:3034
  - - /usr/bin/killall
      killall -9 crond64
      4⤵
      PID:3035
- - /usr/bin/sudo
    sudo killall -9 tsm
    3⤵
    PID:3036
  - - /usr/bin/killall
      killall -9 tsm
      4⤵
      PID:3037
- - /usr/bin/sudo
    sudo rm -rf /tmp/.ssh
    3⤵
    PID:3038
  - - /usr/bin/rm
      rm -rf /tmp/.ssh
      4⤵
      PID:3039
- - /usr/bin/sudo
    sudo rm -rf /tmp/.java
    3⤵
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    PID:3040
  - - /usr/bin/rm
      rm -rf /tmp/.java
      4⤵
      PID:3041
- - /usr/bin/sudo
    sudo rm -rf /tmp/.iolanda
    3⤵
    PID:3042
  - - /usr/bin/rm
      rm -rf /tmp/.iolanda
      4⤵
      PID:3043
- - /usr/bin/sudo
    sudo pkill test.mod
    3⤵
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    PID:3044
  - - /usr/bin/pkill
      pkill test.mod
      4⤵
      Enumerates kernel/hardware configuration
      PID:3045
- - /usr/bin/sudo
    sudo pkill daemon.i686.mod
    3⤵
    PID:3046
  - - /usr/bin/pkill
      pkill daemon.i686.mod
      4⤵
      PID:3047
- - /usr/bin/sudo
    sudo pkill daemon.armv4l.mod
    3⤵
    PID:3048
  - - /usr/bin/pkill
      pkill daemon.armv4l.mod
      4⤵
      PID:3049
- - /usr/bin/sudo
    sudo pkill daemon.mips.mod
    3⤵
    PID:3050
  - - /usr/bin/pkill
      pkill daemon.mips.mod
      4⤵
      Reads CPU attributes
      PID:3051
- - /usr/bin/sudo
    sudo pkill daemon.mipsel.mod
    3⤵
    PID:3052
  - - /usr/bin/pkill
      pkill daemon.mipsel.mod
      4⤵
      PID:3053
- - /usr/bin/sudo
    sudo rm -rf /tmp/.xs
    3⤵
    PID:3054
  - - /usr/bin/rm
      rm -rf /tmp/.xs
      4⤵
      PID:3055
- - /usr/bin/sudo
    sudo pkill ld-linux-x86-64
    3⤵
    PID:3056
  - - /usr/bin/pkill
      pkill ld-linux-x86-64
      4⤵
      PID:3057
- - /usr/bin/rm
    rm -rf "/var/tmp/. *"
    3⤵
    PID:3058
- - /usr/bin/sudo
    sudo ps auxf
    3⤵
    PID:3060
  - - /usr/bin/ps
      ps auxf
      4⤵
      Checks CPU configuration
      PID:3064
- - /usr/bin/grep
    grep xmr
    3⤵
    PID:3061
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:3062
- - /usr/bin/awk
    awk "{ print \$2 }"
    3⤵
    PID:3063
- - /usr/bin/sudo
    sudo ps auxf
    3⤵
    PID:3066
  - - /usr/bin/ps
      ps auxf
      4⤵
      Checks CPU configuration
      PID:3070
- - /usr/bin/grep
    grep cryptonight
    3⤵
    PID:3067
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:3068
- - /usr/bin/awk
    awk "{ print \$2 }"
    3⤵
    PID:3069
- - /usr/bin/sudo
    sudo ps auxf
    3⤵
    PID:3072
  - - /usr/bin/ps
      ps auxf
      4⤵
      PID:3076
- - /usr/bin/grep
    grep stratum
    3⤵
    PID:3073
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:3074
- - /usr/bin/awk
    awk "{ print \$2 }"
    3⤵
    PID:3075
- - /usr/bin/sudo
    sudo ps auxf
    3⤵
    PID:3078
  - - /usr/bin/ps
      ps auxf
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:3082
- - /usr/bin/grep
    grep dbus-daemon--system
    3⤵
    PID:3079
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:3080
- - /usr/bin/awk
    awk "{ print \$2 }"
    3⤵
    PID:3081
- - /usr/bin/sudo
    sudo ps auxf
    3⤵
    PID:3084
  - - /usr/bin/ps
      ps auxf
      4⤵
      Checks CPU configuration
      Enumerates kernel/hardware configuration
      PID:3088
- - /usr/bin/grep
    grep "\\[\\]"
    3⤵
    PID:3085
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:3086
- - /usr/bin/awk
    awk "{ print \$2 }"
    3⤵
    PID:3087
- - /usr/bin/sudo
    sudo ps auxf
    3⤵
    PID:3090
  - - /usr/bin/ps
      ps auxf
      4⤵
      PID:3094
- - /usr/bin/grep
    grep xm64
    3⤵
    PID:3091
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:3092
- - /usr/bin/awk
    awk "{ print \$2 }"
    3⤵
    PID:3093
- - /usr/bin/sudo
    sudo killall -9 "[atd]"
    3⤵
    PID:3095
  - - /usr/bin/killall
      killall -9 "[atd]"
      4⤵
      PID:3096
- - /usr/bin/sudo
    sudo rm -rf /tmp/.jk
    3⤵
    PID:3097
  - - /usr/bin/rm
      rm -rf /tmp/.jk
      4⤵
      PID:3098
- - /usr/bin/sudo
    sudo killall -9 "[ntpd]"
    3⤵
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    PID:3099
  - - /usr/bin/killall
      killall -9 "[ntpd]"
      4⤵
      PID:3100
- - /usr/bin/sudo
    sudo killall -9 "[rpciod]"
    3⤵
    PID:3101
  - - /usr/bin/killall
      killall -9 "[rpciod]"
      4⤵
      PID:3102
- - /usr/bin/sudo
    sudo killall -9 "[ext4-dio-unwrit]"
    3⤵
    PID:3103
  - - /usr/bin/killall
      killall -9 "[ext4-dio-unwrit]"
      4⤵
      PID:3104
- - /usr/bin/sudo
    sudo rm -rf "/tmp/.xm*"
    3⤵
    PID:3105
  - - /usr/bin/rm
      rm -rf "/tmp/.xm*"
      4⤵
      PID:3106
- - /usr/bin/pidof
    pidof libexec
    3⤵
    PID:3107
- /usr/bin/free
  free -m
  2⤵
  PID:3125
- /usr/bin/uptime
  uptime
  2⤵
  PID:3126
- /bin/bash
  /bin/bash -
  2⤵
  PID:3127
- - /usr/bin/which
    which sudo
    3⤵
    PID:3129
- - /usr/bin/wc
    wc -l
    3⤵
    PID:3130
- - /usr/bin/sudo
    sudo -S touch .local_2149
    3⤵
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    PID:3132
  - - /usr/bin/touch
      touch .local_2149
      4⤵
      Writes file to tmp directory
      PID:3133
- - /usr/bin/ls
    ls -l .local_2149
    3⤵
    PID:3135
- - /usr/bin/grep
    grep -c root
    3⤵
    PID:3136
- - /usr/bin/sudo
    sudo rm .local_2149
    3⤵
    PID:3137
  - - /usr/bin/rm
      rm .local_2149
      4⤵
      PID:3138
- - /usr/bin/sudo
    sudo ps auxff
    3⤵
    PID:3140
  - - /usr/bin/ps
      ps auxff
      4⤵
      PID:3144
- - /usr/bin/grep
    grep "./crond -t=all"
    3⤵
    PID:3141
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:3142
- - /usr/bin/awk
    awk "{ print \$2 }"
    3⤵
    PID:3143
- - /usr/bin/sudo
    sudo killall -9 bssh
    3⤵
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    PID:3145
  - - /usr/bin/killall
      killall -9 bssh
      4⤵
      Reads runtime system information
      PID:3146
- - /usr/bin/sudo
    sudo rm -rf /tmp/.an
    3⤵
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    PID:3147
  - - /usr/bin/rm
      rm -rf /tmp/.an
      4⤵
      PID:3148
- - /usr/bin/sudo
    sudo killall -9 xm64
    3⤵
    PID:3149
  - - /usr/bin/killall
      killall -9 xm64
      4⤵
      PID:3150
- - /usr/bin/sudo
    sudo killall -9 rpc.idmapd
    3⤵
    PID:3151
  - - /usr/bin/killall
      killall -9 rpc.idmapd
      4⤵
      PID:3152
- - /usr/bin/sudo
    sudo rm -rf /tmp/.m2
    3⤵
    PID:3153
  - - /usr/bin/rm
      rm -rf /tmp/.m2
      4⤵
      PID:3154
- - /usr/bin/sudo
    sudo killall -9 xorgg
    3⤵
    PID:3155
  - - /usr/bin/killall
      killall -9 xorgg
      4⤵
      PID:3156
- - /usr/bin/sudo
    sudo rm -rf /tmp/seconfig
    3⤵
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    PID:3157
  - - /usr/bin/rm
      rm -rf /tmp/seconfig
      4⤵
      PID:3158
- - /usr/bin/sudo
    sudo killall -9 crond64
    3⤵
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    PID:3159
  - - /usr/bin/killall
      killall -9 crond64
      4⤵
      PID:3160
- - /usr/bin/sudo
    sudo killall -9 tsm
    3⤵
    PID:3161
  - - /usr/bin/killall
      killall -9 tsm
      4⤵
      PID:3162
- - /usr/bin/sudo
    sudo rm -rf /tmp/.ssh
    3⤵
    PID:3163
  - - /usr/bin/rm
      rm -rf /tmp/.ssh
      4⤵
      PID:3164
- - /usr/bin/sudo
    sudo rm -rf /tmp/.java
    3⤵
    PID:3165
  - - /usr/bin/rm
      rm -rf /tmp/.java
      4⤵
      PID:3166
- - /usr/bin/sudo
    sudo rm -rf /tmp/.iolanda
    3⤵
    PID:3167
  - - /usr/bin/rm
      rm -rf /tmp/.iolanda
      4⤵
      PID:3168
- - /usr/bin/sudo
    sudo pkill test.mod
    3⤵
    PID:3169
  - - /usr/bin/pkill
      pkill test.mod
      4⤵
      Enumerates kernel/hardware configuration
      PID:3170
- - /usr/bin/sudo
    sudo pkill daemon.i686.mod
    3⤵
    PID:3171
  - - /usr/bin/pkill
      pkill daemon.i686.mod
      4⤵
      PID:3172
- - /usr/bin/sudo
    sudo pkill daemon.armv4l.mod
    3⤵
    PID:3173
  - - /usr/bin/pkill
      pkill daemon.armv4l.mod
      4⤵
      Reads CPU attributes
      Enumerates kernel/hardware configuration
      PID:3174
- - /usr/bin/sudo
    sudo pkill daemon.mips.mod
    3⤵
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    PID:3175
  - - /usr/bin/pkill
      pkill daemon.mips.mod
      4⤵
      Enumerates kernel/hardware configuration
      PID:3176
- - /usr/bin/sudo
    sudo pkill daemon.mipsel.mod
    3⤵
    PID:3177
  - - /usr/bin/pkill
      pkill daemon.mipsel.mod
      4⤵
      PID:3178
- - /usr/bin/sudo
    sudo rm -rf /tmp/.xs
    3⤵
    PID:3179
  - - /usr/bin/rm
      rm -rf /tmp/.xs
      4⤵
      PID:3180
- - /usr/bin/sudo
    sudo pkill ld-linux-x86-64
    3⤵
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    PID:3181
  - - /usr/bin/pkill
      pkill ld-linux-x86-64
      4⤵
      Enumerates kernel/hardware configuration
      PID:3182
- - /usr/bin/rm
    rm -rf "/var/tmp/. *"
    3⤵
    PID:3183
- - /usr/bin/sudo
    sudo ps auxf
    3⤵
    PID:3185
  - - /usr/bin/ps
      ps auxf
      4⤵
      Reads CPU attributes
      PID:3189
- - /usr/bin/grep
    grep xmr
    3⤵
    PID:3186
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:3187
- - /usr/bin/awk
    awk "{ print \$2 }"
    3⤵
    PID:3188
- - /usr/bin/sudo
    sudo ps auxf
    3⤵
    PID:3191
  - - /usr/bin/ps
      ps auxf
      4⤵
      PID:3195
- - /usr/bin/grep
    grep cryptonight
    3⤵
    PID:3192
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:3193
- - /usr/bin/awk
    awk "{ print \$2 }"
    3⤵
    PID:3194
- - /usr/bin/sudo
    sudo ps auxf
    3⤵
    PID:3197
  - - /usr/bin/ps
      ps auxf
      4⤵
      Checks CPU configuration
      Reads runtime system information
      PID:3201
- - /usr/bin/grep
    grep stratum
    3⤵
    PID:3198
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:3199
- - /usr/bin/awk
    awk "{ print \$2 }"
    3⤵
    PID:3200
- - /usr/bin/sudo
    sudo ps auxf
    3⤵
    PID:3203
  - - /usr/bin/ps
      ps auxf
      4⤵
      Enumerates kernel/hardware configuration
      PID:3207
- - /usr/bin/grep
    grep dbus-daemon--system
    3⤵
    PID:3204
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:3205
- - /usr/bin/awk
    awk "{ print \$2 }"
    3⤵
    PID:3206
- - /usr/bin/sudo
    sudo ps auxf
    3⤵
    PID:3209
  - - /usr/bin/ps
      ps auxf
      4⤵
      PID:3213
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:3211
- - /usr/bin/grep
    grep "\\[\\]"
    3⤵
    PID:3210
- - /usr/bin/awk
    awk "{ print \$2 }"
    3⤵
    PID:3212
- - /usr/bin/sudo
    sudo ps auxf
    3⤵
    PID:3215
  - - /usr/bin/ps
      ps auxf
      4⤵
      Checks CPU configuration
      PID:3219
- - /usr/bin/grep
    grep xm64
    3⤵
    PID:3216
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:3217
- - /usr/bin/awk
    awk "{ print \$2 }"
    3⤵
    PID:3218
- - /usr/bin/sudo
    sudo killall -9 "[atd]"
    3⤵
    PID:3220
  - - /usr/bin/killall
      killall -9 "[atd]"
      4⤵
      PID:3221
- - /usr/bin/sudo
    sudo rm -rf /tmp/.jk
    3⤵
    PID:3222
  - - /usr/bin/rm
      rm -rf /tmp/.jk
      4⤵
      PID:3223
- - /usr/bin/sudo
    sudo killall -9 "[ntpd]"
    3⤵
    PID:3224
  - - /usr/bin/killall
      killall -9 "[ntpd]"
      4⤵
      PID:3225
- - /usr/bin/sudo
    sudo killall -9 "[rpciod]"
    3⤵
    PID:3226
  - - /usr/bin/killall
      killall -9 "[rpciod]"
      4⤵
      PID:3227
- - /usr/bin/sudo
    sudo killall -9 "[ext4-dio-unwrit]"
    3⤵
    PID:3228
  - - /usr/bin/killall
      killall -9 "[ext4-dio-unwrit]"
      4⤵
      PID:3229
- - /usr/bin/sudo
    sudo rm -rf "/tmp/.xm*"
    3⤵
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    PID:3230
  - - /usr/bin/rm
      rm -rf "/tmp/.xm*"
      4⤵
      PID:3231
- - /usr/bin/pidof
    pidof libexec
    3⤵
    PID:3232
- /bin/bash
  /bin/bash -
  2⤵
  PID:3236
- - /usr/bin/which
    which sudo
    3⤵
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    PID:3238
- - /usr/bin/wc
    wc -l
    3⤵
    PID:3239
- - /usr/bin/sudo
    sudo -S touch .local_4503
    3⤵
    PID:3241
  - - /usr/bin/touch
      touch .local_4503
      4⤵
      Writes file to tmp directory
      PID:3242
- - /usr/bin/ls
    ls -l .local_4503
    3⤵
    PID:3244
- - /usr/bin/grep
    grep -c root
    3⤵
    PID:3245
- - /usr/bin/sudo
    sudo rm .local_4503
    3⤵
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    PID:3246
  - - /usr/bin/rm
      rm .local_4503
      4⤵
      PID:3247
- - /usr/bin/sudo
    sudo ps auxff
    3⤵
    PID:3249
  - - /usr/bin/ps
      ps auxff
      4⤵
      Checks CPU configuration
      PID:3253
- - /usr/bin/grep
    grep "./crond -t=all"
    3⤵
    PID:3250
- - /usr/bin/awk
    awk "{ print \$2 }"
    3⤵
    PID:3252
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:3251
- - /usr/bin/sudo
    sudo killall -9 bssh
    3⤵
    PID:3254
  - - /usr/bin/killall
      killall -9 bssh
      4⤵
      PID:3255
- - /usr/bin/sudo
    sudo rm -rf /tmp/.an
    3⤵
    PID:3256
  - - /usr/bin/rm
      rm -rf /tmp/.an
      4⤵
      PID:3257
- - /usr/bin/sudo
    sudo killall -9 xm64
    3⤵
    PID:3258
  - - /usr/bin/killall
      killall -9 xm64
      4⤵
      PID:3259
- - /usr/bin/sudo
    sudo killall -9 rpc.idmapd
    3⤵
    PID:3260
  - - /usr/bin/killall
      killall -9 rpc.idmapd
      4⤵
      PID:3261
- - /usr/bin/sudo
    sudo rm -rf /tmp/.m2
    3⤵
    PID:3262
  - - /usr/bin/rm
      rm -rf /tmp/.m2
      4⤵
      PID:3263
- - /usr/bin/sudo
    sudo killall -9 xorgg
    3⤵
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    PID:3264
  - - /usr/bin/killall
      killall -9 xorgg
      4⤵
      PID:3265
- - /usr/bin/sudo
    sudo rm -rf /tmp/seconfig
    3⤵
    PID:3266
  - - /usr/bin/rm
      rm -rf /tmp/seconfig
      4⤵
      PID:3267
- - /usr/bin/sudo
    sudo killall -9 crond64
    3⤵
    PID:3268
  - - /usr/bin/killall
      killall -9 crond64
      4⤵
      PID:3269
- - /usr/bin/sudo
    sudo killall -9 tsm
    3⤵
    PID:3270
  - - /usr/bin/killall
      killall -9 tsm
      4⤵
      PID:3271
- - /usr/bin/sudo
    sudo rm -rf /tmp/.ssh
    3⤵
    PID:3272
  - - /usr/bin/rm
      rm -rf /tmp/.ssh
      4⤵
      PID:3273
- - /usr/bin/sudo
    sudo rm -rf /tmp/.java
    3⤵
    PID:3274
  - - /usr/bin/rm
      rm -rf /tmp/.java
      4⤵
      PID:3275
- - /usr/bin/sudo
    sudo rm -rf /tmp/.iolanda
    3⤵
    PID:3276
  - - /usr/bin/rm
      rm -rf /tmp/.iolanda
      4⤵
      PID:3277
- - /usr/bin/sudo
    sudo pkill test.mod
    3⤵
    PID:3278
  - - /usr/bin/pkill
      pkill test.mod
      4⤵
      Enumerates kernel/hardware configuration
      PID:3279
- - /usr/bin/sudo
    sudo pkill daemon.i686.mod
    3⤵
    PID:3280
  - - /usr/bin/pkill
      pkill daemon.i686.mod
      4⤵
      Reads CPU attributes
      PID:3281
- - /usr/bin/sudo
    sudo pkill daemon.armv4l.mod
    3⤵
    PID:3282
  - - /usr/bin/pkill
      pkill daemon.armv4l.mod
      4⤵
      Enumerates kernel/hardware configuration
      PID:3283
- - /usr/bin/sudo
    sudo pkill daemon.mips.mod
    3⤵
    PID:3284
  - - /usr/bin/pkill
      pkill daemon.mips.mod
      4⤵
      Reads runtime system information
      PID:3285
- - /usr/bin/sudo
    sudo pkill daemon.mipsel.mod
    3⤵
    PID:3286
  - - /usr/bin/pkill
      pkill daemon.mipsel.mod
      4⤵
      Enumerates kernel/hardware configuration
      PID:3287
- - /usr/bin/sudo
    sudo rm -rf /tmp/.xs
    3⤵
    PID:3288
  - - /usr/bin/rm
      rm -rf /tmp/.xs
      4⤵
      PID:3289
- - /usr/bin/sudo
    sudo pkill ld-linux-x86-64
    3⤵
    PID:3290
  - - /usr/bin/pkill
      pkill ld-linux-x86-64
      4⤵
      Reads CPU attributes
      PID:3291
- - /usr/bin/rm
    rm -rf "/var/tmp/. *"
    3⤵
    PID:3292
- - /usr/bin/sudo
    sudo ps auxf
    3⤵
    PID:3294
  - - /usr/bin/ps
      ps auxf
      4⤵
      Enumerates kernel/hardware configuration
      PID:3298
- - /usr/bin/grep
    grep xmr
    3⤵
    PID:3295
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:3296
- - /usr/bin/awk
    awk "{ print \$2 }"
    3⤵
    PID:3297
- - /usr/bin/sudo
    sudo ps auxf
    3⤵
    PID:3300
  - - /usr/bin/ps
      ps auxf
      4⤵
      Enumerates kernel/hardware configuration
      PID:3304
- - /usr/bin/grep
    grep cryptonight
    3⤵
    PID:3301
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:3302
- - /usr/bin/awk
    awk "{ print \$2 }"
    3⤵
    PID:3303
- - /usr/bin/sudo
    sudo ps auxf
    3⤵
    PID:3306
  - - /usr/bin/ps
      ps auxf
      4⤵
      Checks CPU configuration
      Reads CPU attributes
      PID:3310
- - /usr/bin/grep
    grep stratum
    3⤵
    PID:3307
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:3308
- - /usr/bin/awk
    awk "{ print \$2 }"
    3⤵
    PID:3309
- - /usr/bin/sudo
    sudo ps auxf
    3⤵
    PID:3312
  - - /usr/bin/ps
      ps auxf
      4⤵
      Reads runtime system information
      PID:3316
- - /usr/bin/grep
    grep dbus-daemon--system
    3⤵
    PID:3313
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:3314
- - /usr/bin/awk
    awk "{ print \$2 }"
    3⤵
    PID:3315
- - /usr/bin/sudo
    sudo ps auxf
    3⤵
    PID:3318
  - - /usr/bin/ps
      ps auxf
      4⤵
      Reads CPU attributes
      PID:3322
- - /usr/bin/grep
    grep "\\[\\]"
    3⤵
    PID:3319
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:3320
- - /usr/bin/awk
    awk "{ print \$2 }"
    3⤵
    PID:3321
- - /usr/bin/sudo
    sudo ps auxf
    3⤵
    PID:3324
  - - /usr/bin/ps
      ps auxf
      4⤵
      Reads CPU attributes
      PID:3328
- - /usr/bin/grep
    grep xm64
    3⤵
    PID:3325
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:3326
- - /usr/bin/awk
    awk "{ print \$2 }"
    3⤵
    PID:3327
- - /usr/bin/sudo
    sudo killall -9 "[atd]"
    3⤵
    PID:3329
  - - /usr/bin/killall
      killall -9 "[atd]"
      4⤵
      Reads runtime system information
      PID:3330
- - /usr/bin/sudo
    sudo rm -rf /tmp/.jk
    3⤵
    PID:3331
  - - /usr/bin/rm
      rm -rf /tmp/.jk
      4⤵
      PID:3332
- - /usr/bin/sudo
    sudo killall -9 "[ntpd]"
    3⤵
    PID:3333
  - - /usr/bin/killall
      killall -9 "[ntpd]"
      4⤵
      PID:3334
- - /usr/bin/sudo
    sudo killall -9 "[rpciod]"
    3⤵
    PID:3335
  - - /usr/bin/killall
      killall -9 "[rpciod]"
      4⤵
      PID:3336
- - /usr/bin/sudo
    sudo killall -9 "[ext4-dio-unwrit]"
    3⤵
    PID:3337
  - - /usr/bin/killall
      killall -9 "[ext4-dio-unwrit]"
      4⤵
      PID:3338
- - /usr/bin/sudo
    sudo rm -rf "/tmp/.xm*"
    3⤵
    PID:3339
  - - /usr/bin/rm
      rm -rf "/tmp/.xm*"
      4⤵
      PID:3340
- - /usr/bin/pidof
    pidof libexec
    3⤵
    PID:3341
- /usr/bin/free
  free -m
  2⤵
  PID:3342
- /usr/bin/uptime
  uptime
  2⤵
  PID:3343
- /bin/bash
  /bin/bash -
  2⤵
  PID:3344
- - /usr/bin/which
    which sudo
    3⤵
    PID:3346
- - /usr/bin/wc
    wc -l
    3⤵
    PID:3347
- - /usr/bin/sudo
    sudo -S touch .local_24732
    3⤵
    PID:3349
  - - /usr/bin/touch
      touch .local_24732
      4⤵
      Writes file to tmp directory
      PID:3350
- - /usr/bin/ls
    ls -l .local_24732
    3⤵
    PID:3352
- - /usr/bin/grep
    grep -c root
    3⤵
    PID:3353
- - /usr/bin/sudo
    sudo rm .local_24732
    3⤵
    PID:3354
  - - /usr/bin/rm
      rm .local_24732
      4⤵
      PID:3355
- - /usr/bin/sudo
    sudo ps auxff
    3⤵
    PID:3357
  - - /usr/bin/ps
      ps auxff
      4⤵
      Checks CPU configuration
      PID:3361
- - /usr/bin/grep
    grep "./crond -t=all"
    3⤵
    PID:3358
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:3359
- - /usr/bin/awk
    awk "{ print \$2 }"
    3⤵
    PID:3360
- - /usr/bin/sudo
    sudo killall -9 bssh
    3⤵
    PID:3362
  - - /usr/bin/killall
      killall -9 bssh
      4⤵
      PID:3363
- - /usr/bin/sudo
    sudo rm -rf /tmp/.an
    3⤵
    PID:3364
  - - /usr/bin/rm
      rm -rf /tmp/.an
      4⤵
      PID:3365
- - /usr/bin/sudo
    sudo killall -9 xm64
    3⤵
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    PID:3366
  - - /usr/bin/killall
      killall -9 xm64
      4⤵
      PID:3367
- - /usr/bin/sudo
    sudo killall -9 rpc.idmapd
    3⤵
    PID:3368
  - - /usr/bin/killall
      killall -9 rpc.idmapd
      4⤵
      PID:3369
- - /usr/bin/sudo
    sudo rm -rf /tmp/.m2
    3⤵
    PID:3370
  - - /usr/bin/rm
      rm -rf /tmp/.m2
      4⤵
      PID:3371
- - /usr/bin/sudo
    sudo killall -9 xorgg
    3⤵
    PID:3372
  - - /usr/bin/killall
      killall -9 xorgg
      4⤵
      PID:3373
- - /usr/bin/sudo
    sudo rm -rf /tmp/seconfig
    3⤵
    PID:3374
  - - /usr/bin/rm
      rm -rf /tmp/seconfig
      4⤵
      PID:3375
- - /usr/bin/sudo
    sudo killall -9 crond64
    3⤵
    PID:3376
  - - /usr/bin/killall
      killall -9 crond64
      4⤵
      PID:3377
- - /usr/bin/sudo
    sudo killall -9 tsm
    3⤵
    PID:3378
  - - /usr/bin/killall
      killall -9 tsm
      4⤵
      Reads runtime system information
      PID:3379
- - /usr/bin/sudo
    sudo rm -rf /tmp/.ssh
    3⤵
    PID:3380
  - - /usr/bin/rm
      rm -rf /tmp/.ssh
      4⤵
      PID:3381
- - /usr/bin/sudo
    sudo rm -rf /tmp/.java
    3⤵
    PID:3382
  - - /usr/bin/rm
      rm -rf /tmp/.java
      4⤵
      PID:3383
- - /usr/bin/sudo
    sudo rm -rf /tmp/.iolanda
    3⤵
    PID:3384
  - - /usr/bin/rm
      rm -rf /tmp/.iolanda
      4⤵
      PID:3385
- - /usr/bin/sudo
    sudo pkill test.mod
    3⤵
    PID:3386
  - - /usr/bin/pkill
      pkill test.mod
      4⤵
      PID:3387
- - /usr/bin/sudo
    sudo pkill daemon.i686.mod
    3⤵
    PID:3388
  - - /usr/bin/pkill
      pkill daemon.i686.mod
      4⤵
      Reads runtime system information
      PID:3389
- - /usr/bin/sudo
    sudo pkill daemon.armv4l.mod
    3⤵
    PID:3390
  - - /usr/bin/pkill
      pkill daemon.armv4l.mod
      4⤵
      Enumerates kernel/hardware configuration
      PID:3391
- - /usr/bin/sudo
    sudo pkill daemon.mips.mod
    3⤵
    PID:3392
  - - /usr/bin/pkill
      pkill daemon.mips.mod
      4⤵
      Reads CPU attributes
      PID:3393
- - /usr/bin/sudo
    sudo pkill daemon.mipsel.mod
    3⤵
    PID:3394
  - - /usr/bin/pkill
      pkill daemon.mipsel.mod
      4⤵
      PID:3395
- - /usr/bin/sudo
    sudo rm -rf /tmp/.xs
    3⤵
    PID:3396
  - - /usr/bin/rm
      rm -rf /tmp/.xs
      4⤵
      PID:3397
- - /usr/bin/sudo
    sudo pkill ld-linux-x86-64
    3⤵
    PID:3398
  - - /usr/bin/pkill
      pkill ld-linux-x86-64
      4⤵
      PID:3399
- - /usr/bin/rm
    rm -rf "/var/tmp/. *"
    3⤵
    PID:3400
- - /usr/bin/sudo
    sudo ps auxf
    3⤵
    PID:3402
  - - /usr/bin/ps
      ps auxf
      4⤵
      Checks CPU configuration
      PID:3406
- - /usr/bin/grep
    grep xmr
    3⤵
    PID:3403
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:3404
- - /usr/bin/awk
    awk "{ print \$2 }"
    3⤵
    PID:3405
- - /usr/bin/sudo
    sudo ps auxf
    3⤵
    PID:3408
  - - /usr/bin/ps
      ps auxf
      4⤵
      PID:3412
- - /usr/bin/grep
    grep cryptonight
    3⤵
    PID:3409
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:3410
- - /usr/bin/awk
    awk "{ print \$2 }"
    3⤵
    PID:3411
- - /usr/bin/sudo
    sudo ps auxf
    3⤵
    PID:3414
  - - /usr/bin/ps
      ps auxf
      4⤵
      Reads runtime system information
      PID:3418
- - /usr/bin/grep
    grep stratum
    3⤵
    PID:3415
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:3416
- - /usr/bin/awk
    awk "{ print \$2 }"
    3⤵
    PID:3417
- - /usr/bin/sudo
    sudo ps auxf
    3⤵
    PID:3420
  - - /usr/bin/ps
      ps auxf
      4⤵
      Checks CPU configuration
      PID:3424
- - /usr/bin/grep
    grep dbus-daemon--system
    3⤵
    PID:3421
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:3422
- - /usr/bin/awk
    awk "{ print \$2 }"
    3⤵
    PID:3423
- - /usr/bin/sudo
    sudo ps auxf
    3⤵
    PID:3426
  - - /usr/bin/ps
      ps auxf
      4⤵
      Reads CPU attributes
      PID:3430
- - /usr/bin/grep
    grep "\\[\\]"
    3⤵
    PID:3427
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:3428
- - /usr/bin/awk
    awk "{ print \$2 }"
    3⤵
    PID:3429
- - /usr/bin/sudo
    sudo ps auxf
    3⤵
    PID:3432
  - - /usr/bin/ps
      ps auxf
      4⤵
      PID:3436
- - /usr/bin/grep
    grep xm64
    3⤵
    PID:3433
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:3434
- - /usr/bin/awk
    awk "{ print \$2 }"
    3⤵
    PID:3435
- - /usr/bin/sudo
    sudo killall -9 "[atd]"
    3⤵
    PID:3437
  - - /usr/bin/killall
      killall -9 "[atd]"
      4⤵
      PID:3438
- - /usr/bin/sudo
    sudo rm -rf /tmp/.jk
    3⤵
    PID:3439
  - - /usr/bin/rm
      rm -rf /tmp/.jk
      4⤵
      PID:3440
- - /usr/bin/sudo
    sudo killall -9 "[ntpd]"
    3⤵
    PID:3441
  - - /usr/bin/killall
      killall -9 "[ntpd]"
      4⤵
      PID:3442
- - /usr/bin/sudo
    sudo killall -9 "[rpciod]"
    3⤵
    PID:3443
  - - /usr/bin/killall
      killall -9 "[rpciod]"
      4⤵
      Reads runtime system information
      PID:3444
- - /usr/bin/sudo
    sudo killall -9 "[ext4-dio-unwrit]"
    3⤵
    PID:3445
  - - /usr/bin/killall
      killall -9 "[ext4-dio-unwrit]"
      4⤵
      PID:3446
- - /usr/bin/sudo
    sudo rm -rf "/tmp/.xm*"
    3⤵
    PID:3447
  - - /usr/bin/rm
      rm -rf "/tmp/.xm*"
      4⤵
      PID:3448
- - /usr/bin/pidof
    pidof libexec
    3⤵
    PID:3449
- /usr/bin/free
  free -m
  2⤵
  PID:3450
- /usr/bin/uptime
  uptime
  2⤵
  PID:3451
- /bin/bash
  /bin/bash -
  2⤵
  PID:3452
- - /usr/bin/which
    which sudo
    3⤵
    PID:3454
- - /usr/bin/wc
    wc -l
    3⤵
    PID:3455
- - /usr/bin/sudo
    sudo -S touch .local_15039
    3⤵
    PID:3457
  - - /usr/bin/touch
      touch .local_15039
      4⤵
      Writes file to tmp directory
      PID:3458
- - /usr/bin/ls
    ls -l .local_15039
    3⤵
    PID:3460
- - /usr/bin/grep
    grep -c root
    3⤵
    PID:3461
- - /usr/bin/sudo
    sudo rm .local_15039
    3⤵
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    PID:3462
  - - /usr/bin/rm
      rm .local_15039
      4⤵
      PID:3463
- - /usr/bin/sudo
    sudo ps auxff
    3⤵
    PID:3465
  - - /usr/bin/ps
      ps auxff
      4⤵
      Enumerates kernel/hardware configuration
      PID:3469
- - /usr/bin/grep
    grep "./crond -t=all"
    3⤵
    PID:3466
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:3467
- - /usr/bin/awk
    awk "{ print \$2 }"
    3⤵
    PID:3468
- - /usr/bin/sudo
    sudo killall -9 bssh
    3⤵
    PID:3470
  - - /usr/bin/killall
      killall -9 bssh
      4⤵
      PID:3471
- - /usr/bin/sudo
    sudo rm -rf /tmp/.an
    3⤵
    PID:3472
  - - /usr/bin/rm
      rm -rf /tmp/.an
      4⤵
      PID:3473
- - /usr/bin/sudo
    sudo killall -9 xm64
    3⤵
    PID:3474
  - - /usr/bin/killall
      killall -9 xm64
      4⤵
      PID:3475
- - /usr/bin/sudo
    sudo killall -9 rpc.idmapd
    3⤵
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    PID:3476
  - - /usr/bin/killall
      killall -9 rpc.idmapd
      4⤵
      PID:3477
- - /usr/bin/sudo
    sudo rm -rf /tmp/.m2
    3⤵
    PID:3478
  - - /usr/bin/rm
      rm -rf /tmp/.m2
      4⤵
      PID:3479
- - /usr/bin/sudo
    sudo killall -9 xorgg
    3⤵
    PID:3480
  - - /usr/bin/killall
      killall -9 xorgg
      4⤵
      PID:3481
- - /usr/bin/sudo
    sudo rm -rf /tmp/seconfig
    3⤵
    PID:3482
  - - /usr/bin/rm
      rm -rf /tmp/seconfig
      4⤵
      PID:3483
- - /usr/bin/sudo
    sudo killall -9 crond64
    3⤵
    PID:3484
  - - /usr/bin/killall
      killall -9 crond64
      4⤵
      PID:3485
- - /usr/bin/sudo
    sudo killall -9 tsm
    3⤵
    PID:3486
  - - /usr/bin/killall
      killall -9 tsm
      4⤵
      PID:3487
- - /usr/bin/sudo
    sudo rm -rf /tmp/.ssh
    3⤵
    PID:3488
  - - /usr/bin/rm
      rm -rf /tmp/.ssh
      4⤵
      PID:3489
- - /usr/bin/sudo
    sudo rm -rf /tmp/.java
    3⤵
    PID:3490
  - - /usr/bin/rm
      rm -rf /tmp/.java
      4⤵
      PID:3491
- - /usr/bin/sudo
    sudo rm -rf /tmp/.iolanda
    3⤵
    PID:3492
  - - /usr/bin/rm
      rm -rf /tmp/.iolanda
      4⤵
      PID:3493
- - /usr/bin/sudo
    sudo pkill test.mod
    3⤵
    PID:3494
  - - /usr/bin/pkill
      pkill test.mod
      4⤵
      PID:3495
- - /usr/bin/sudo
    sudo pkill daemon.i686.mod
    3⤵
    PID:3496
  - - /usr/bin/pkill
      pkill daemon.i686.mod
      4⤵
      Reads runtime system information
      PID:3497
- - /usr/bin/sudo
    sudo pkill daemon.armv4l.mod
    3⤵
    PID:3498
  - - /usr/bin/pkill
      pkill daemon.armv4l.mod
      4⤵
      PID:3499
- - /usr/bin/sudo
    sudo pkill daemon.mips.mod
    3⤵
    PID:3500
  - - /usr/bin/pkill
      pkill daemon.mips.mod
      4⤵
      Reads CPU attributes
      PID:3501
- - /usr/bin/sudo
    sudo pkill daemon.mipsel.mod
    3⤵
    PID:3502
  - - /usr/bin/pkill
      pkill daemon.mipsel.mod
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:3503
- - /usr/bin/sudo
    sudo rm -rf /tmp/.xs
    3⤵
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    PID:3504
  - - /usr/bin/rm
      rm -rf /tmp/.xs
      4⤵
      PID:3505
- - /usr/bin/sudo
    sudo pkill ld-linux-x86-64
    3⤵
    PID:3506
  - - /usr/bin/pkill
      pkill ld-linux-x86-64
      4⤵
      PID:3507
- - /usr/bin/rm
    rm -rf "/var/tmp/. *"
    3⤵
    PID:3508
- - /usr/bin/sudo
    sudo ps auxf
    3⤵
    PID:3510
  - - /usr/bin/ps
      ps auxf
      4⤵
      Checks CPU configuration
      Reads runtime system information
      PID:3514
- - /usr/bin/grep
    grep xmr
    3⤵
    PID:3511
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:3512
- - /usr/bin/awk
    awk "{ print \$2 }"
    3⤵
    PID:3513
- - /usr/bin/sudo
    sudo ps auxf
    3⤵
    PID:3516
  - - /usr/bin/ps
      ps auxf
      4⤵
      Reads CPU attributes
      Enumerates kernel/hardware configuration
      PID:3520
- - /usr/bin/grep
    grep cryptonight
    3⤵
    PID:3517
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:3518
- - /usr/bin/awk
    awk "{ print \$2 }"
    3⤵
    PID:3519
- - /usr/bin/sudo
    sudo ps auxf
    3⤵
    PID:3522
  - - /usr/bin/ps
      ps auxf
      4⤵
      PID:3526
- - /usr/bin/grep
    grep stratum
    3⤵
    PID:3523
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:3524
- - /usr/bin/awk
    awk "{ print \$2 }"
    3⤵
    PID:3525
- - /usr/bin/sudo
    sudo ps auxf
    3⤵
    PID:3528
  - - /usr/bin/ps
      ps auxf
      4⤵
      Checks CPU configuration
      PID:3532
- - /usr/bin/grep
    grep dbus-daemon--system
    3⤵
    PID:3529
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:3530
- - /usr/bin/awk
    awk "{ print \$2 }"
    3⤵
    PID:3531
- - /usr/bin/sudo
    sudo ps auxf
    3⤵
    PID:3534
  - - /usr/bin/ps
      ps auxf
      4⤵
      Checks CPU configuration
      PID:3538
- - /usr/bin/grep
    grep "\\[\\]"
    3⤵
    PID:3535
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:3536
- - /usr/bin/awk
    awk "{ print \$2 }"
    3⤵
    PID:3537
- - /usr/bin/sudo
    sudo ps auxf
    3⤵
    PID:3540
  - - /usr/bin/ps
      ps auxf
      4⤵
      Checks CPU configuration
      Reads runtime system information
      PID:3544
- - /usr/bin/grep
    grep xm64
    3⤵
    PID:3541
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:3542
- - /usr/bin/awk
    awk "{ print \$2 }"
    3⤵
    PID:3543
- - /usr/bin/sudo
    sudo killall -9 "[atd]"
    3⤵
    PID:3545
  - - /usr/bin/killall
      killall -9 "[atd]"
      4⤵
      Reads runtime system information
      PID:3546
- - /usr/bin/sudo
    sudo rm -rf /tmp/.jk
    3⤵
    PID:3547
  - - /usr/bin/rm
      rm -rf /tmp/.jk
      4⤵
      PID:3548
- - /usr/bin/sudo
    sudo killall -9 "[ntpd]"
    3⤵
    PID:3549
  - - /usr/bin/killall
      killall -9 "[ntpd]"
      4⤵
      PID:3550
- - /usr/bin/sudo
    sudo killall -9 "[rpciod]"
    3⤵
    PID:3551
  - - /usr/bin/killall
      killall -9 "[rpciod]"
      4⤵
      PID:3552
- - /usr/bin/sudo
    sudo killall -9 "[ext4-dio-unwrit]"
    3⤵
    PID:3553
  - - /usr/bin/killall
      killall -9 "[ext4-dio-unwrit]"
      4⤵
      Reads runtime system information
      PID:3554
- - /usr/bin/sudo
    sudo rm -rf "/tmp/.xm*"
    3⤵
    PID:3555
  - - /usr/bin/rm
      rm -rf "/tmp/.xm*"
      4⤵
      PID:3556
- - /usr/bin/pidof
    pidof libexec
    3⤵
    PID:3557
- /bin/bash
  /bin/bash -
  2⤵
  PID:3558
- - /usr/bin/which
    which sudo
    3⤵
    PID:3560
- - /usr/bin/wc
    wc -l
    3⤵
    PID:3561
- - /usr/bin/sudo
    sudo -S touch .local_9750
    3⤵
    PID:3563
  - - /usr/bin/touch
      touch .local_9750
      4⤵
      Writes file to tmp directory
      PID:3564
- - /usr/bin/ls
    ls -l .local_9750
    3⤵
    PID:3566
- - /usr/bin/grep
    grep -c root
    3⤵
    PID:3567
- - /usr/bin/sudo
    sudo rm .local_9750
    3⤵
    PID:3568
  - - /usr/bin/rm
      rm .local_9750
      4⤵
      PID:3569
- - /usr/bin/sudo
    sudo ps auxff
    3⤵
    PID:3571
  - - /usr/bin/ps
      ps auxff
      4⤵
      Reads runtime system information
      PID:3575
- - /usr/bin/grep
    grep "./crond -t=all"
    3⤵
    PID:3572
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:3573
- - /usr/bin/awk
    awk "{ print \$2 }"
    3⤵
    PID:3574
- - /usr/bin/sudo
    sudo killall -9 bssh
    3⤵
    PID:3576
  - - /usr/bin/killall
      killall -9 bssh
      4⤵
      PID:3577
- - /usr/bin/sudo
    sudo rm -rf /tmp/.an
    3⤵
    PID:3578
  - - /usr/bin/rm
      rm -rf /tmp/.an
      4⤵
      PID:3579
- - /usr/bin/sudo
    sudo killall -9 xm64
    3⤵
    PID:3580
  - - /usr/bin/killall
      killall -9 xm64
      4⤵
      PID:3581
- - /usr/bin/sudo
    sudo killall -9 rpc.idmapd
    3⤵
    PID:3582
  - - /usr/bin/killall
      killall -9 rpc.idmapd
      4⤵
      PID:3583
- - /usr/bin/sudo
    sudo rm -rf /tmp/.m2
    3⤵
    PID:3584
  - - /usr/bin/rm
      rm -rf /tmp/.m2
      4⤵
      PID:3585
- - /usr/bin/sudo
    sudo killall -9 xorgg
    3⤵
    PID:3586
  - - /usr/bin/killall
      killall -9 xorgg
      4⤵
      PID:3587
- - /usr/bin/sudo
    sudo rm -rf /tmp/seconfig
    3⤵
    PID:3588
  - - /usr/bin/rm
      rm -rf /tmp/seconfig
      4⤵
      PID:3589
- - /usr/bin/sudo
    sudo killall -9 crond64
    3⤵
    PID:3590
  - - /usr/bin/killall
      killall -9 crond64
      4⤵
      PID:3591
- - /usr/bin/sudo
    sudo killall -9 tsm
    3⤵
    PID:3592
  - - /usr/bin/killall
      killall -9 tsm
      4⤵
      PID:3593
- - /usr/bin/sudo
    sudo rm -rf /tmp/.ssh
    3⤵
    PID:3594
  - - /usr/bin/rm
      rm -rf /tmp/.ssh
      4⤵
      PID:3595
- - /usr/bin/sudo
    sudo rm -rf /tmp/.java
    3⤵
    PID:3596
  - - /usr/bin/rm
      rm -rf /tmp/.java
      4⤵
      PID:3597
- - /usr/bin/sudo
    sudo rm -rf /tmp/.iolanda
    3⤵
    PID:3598
  - - /usr/bin/rm
      rm -rf /tmp/.iolanda
      4⤵
      PID:3599
- - /usr/bin/sudo
    sudo pkill test.mod
    3⤵
    PID:3600
  - - /usr/bin/pkill
      pkill test.mod
      4⤵
      PID:3601
- - /usr/bin/sudo
    sudo pkill daemon.i686.mod
    3⤵
    PID:3602
  - - /usr/bin/pkill
      pkill daemon.i686.mod
      4⤵
      Reads runtime system information
      PID:3603
- - /usr/bin/sudo
    sudo pkill daemon.armv4l.mod
    3⤵
    PID:3604
  - - /usr/bin/pkill
      pkill daemon.armv4l.mod
      4⤵
      PID:3605
- - /usr/bin/sudo
    sudo pkill daemon.mips.mod
    3⤵
    PID:3606
  - - /usr/bin/pkill
      pkill daemon.mips.mod
      4⤵
      PID:3607
- - /usr/bin/sudo
    sudo pkill daemon.mipsel.mod
    3⤵
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    PID:3608
  - - /usr/bin/pkill
      pkill daemon.mipsel.mod
      4⤵
      PID:3609
- - /usr/bin/sudo
    sudo rm -rf /tmp/.xs
    3⤵
    PID:3610
  - - /usr/bin/rm
      rm -rf /tmp/.xs
      4⤵
      PID:3611
- - /usr/bin/sudo
    sudo pkill ld-linux-x86-64
    3⤵
    PID:3612
  - - /usr/bin/pkill
      pkill ld-linux-x86-64
      4⤵
      PID:3613
- - /usr/bin/rm
    rm -rf "/var/tmp/. *"
    3⤵
    PID:3616
- - /usr/bin/sudo
    sudo ps auxf
    3⤵
    PID:3618
  - - /usr/bin/ps
      ps auxf
      4⤵
      Enumerates kernel/hardware configuration
      PID:3622
- - /usr/bin/grep
    grep xmr
    3⤵
    PID:3619
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:3620
- - /usr/bin/awk
    awk "{ print \$2 }"
    3⤵
    PID:3621
- - /usr/bin/sudo
    sudo ps auxf
    3⤵
    PID:3624
  - - /usr/bin/ps
      ps auxf
      4⤵
      Reads CPU attributes
      PID:3628
- - /usr/bin/grep
    grep cryptonight
    3⤵
    PID:3625
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:3626
- - /usr/bin/awk
    awk "{ print \$2 }"
    3⤵
    PID:3627
- - /usr/bin/sudo
    sudo ps auxf
    3⤵
    PID:3630
  - - /usr/bin/ps
      ps auxf
      4⤵
      Checks CPU configuration
      PID:3634
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:3632
- - /usr/bin/awk
    awk "{ print \$2 }"
    3⤵
    PID:3633
- - /usr/bin/grep
    grep stratum
    3⤵
    PID:3631
- - /usr/bin/sudo
    sudo ps auxf
    3⤵
    PID:3636
  - - /usr/bin/ps
      ps auxf
      4⤵
      Checks CPU configuration
      Enumerates kernel/hardware configuration
      PID:3640
- - /usr/bin/grep
    grep dbus-daemon--system
    3⤵
    PID:3637
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:3638
- - /usr/bin/awk
    awk "{ print \$2 }"
    3⤵
    PID:3639
- - /usr/bin/sudo
    sudo ps auxf
    3⤵
    PID:3642
  - - /usr/bin/ps
      ps auxf
      4⤵
      Checks CPU configuration
      PID:3646
- - /usr/bin/grep
    grep "\\[\\]"
    3⤵
    PID:3643
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:3644
- - /usr/bin/awk
    awk "{ print \$2 }"
    3⤵
    PID:3645
- - /usr/bin/sudo
    sudo ps auxf
    3⤵
    PID:3648
  - - /usr/bin/ps
      ps auxf
      4⤵
      Reads CPU attributes
      Enumerates kernel/hardware configuration
      PID:3652
- - /usr/bin/grep
    grep xm64
    3⤵
    PID:3649
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:3650
- - /usr/bin/awk
    awk "{ print \$2 }"
    3⤵
    PID:3651
- - /usr/bin/sudo
    sudo killall -9 "[atd]"
    3⤵
    PID:3653
  - - /usr/bin/killall
      killall -9 "[atd]"
      4⤵
      PID:3654
- - /usr/bin/sudo
    sudo rm -rf /tmp/.jk
    3⤵
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    PID:3655
  - - /usr/bin/rm
      rm -rf /tmp/.jk
      4⤵
      PID:3656
- - /usr/bin/sudo
    sudo killall -9 "[ntpd]"
    3⤵
    PID:3657
  - - /usr/bin/killall
      killall -9 "[ntpd]"
      4⤵
      PID:3658
- - /usr/bin/sudo
    sudo killall -9 "[rpciod]"
    3⤵
    PID:3659
  - - /usr/bin/killall
      killall -9 "[rpciod]"
      4⤵
      PID:3660
- - /usr/bin/sudo
    sudo killall -9 "[ext4-dio-unwrit]"
    3⤵
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    PID:3661
  - - /usr/bin/killall
      killall -9 "[ext4-dio-unwrit]"
      4⤵
      PID:3662
- - /usr/bin/sudo
    sudo rm -rf "/tmp/.xm*"
    3⤵
    PID:3663
  - - /usr/bin/rm
      rm -rf "/tmp/.xm*"
      4⤵
      PID:3664
- - /usr/bin/pidof
    pidof libexec
    3⤵
    PID:3665
- /usr/bin/free
  free -m
  2⤵
  PID:3614
- /usr/bin/uptime
  uptime
  2⤵
  PID:3615
- /bin/bash
  /bin/bash -
  2⤵
  PID:3666
- - /usr/bin/wc
    wc -l
    3⤵
    PID:3669
- - /usr/bin/which
    which sudo
    3⤵
    PID:3668
- - /usr/bin/sudo
    sudo -S touch .local_7509
    3⤵
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    PID:3671
  - - /usr/bin/touch
      touch .local_7509
      4⤵
      Writes file to tmp directory
      PID:3672
- - /usr/bin/ls
    ls -l .local_7509
    3⤵
    PID:3674
- - /usr/bin/grep
    grep -c root
    3⤵
    PID:3675
- - /usr/bin/sudo
    sudo rm .local_7509
    3⤵
    PID:3676
  - - /usr/bin/rm
      rm .local_7509
      4⤵
      PID:3677
- - /usr/bin/sudo
    sudo ps auxff
    3⤵
    PID:3679
  - - /usr/bin/ps
      ps auxff
      4⤵
      Checks CPU configuration
      PID:3683
- - /usr/bin/grep
    grep "./crond -t=all"
    3⤵
    PID:3680
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:3681
- - /usr/bin/awk
    awk "{ print \$2 }"
    3⤵
    PID:3682
- - /usr/bin/sudo
    sudo killall -9 bssh
    3⤵
    PID:3684
  - - /usr/bin/killall
      killall -9 bssh
      4⤵
      PID:3685
- - /usr/bin/sudo
    sudo rm -rf /tmp/.an
    3⤵
    PID:3686
  - - /usr/bin/rm
      rm -rf /tmp/.an
      4⤵
      PID:3687
- - /usr/bin/sudo
    sudo killall -9 xm64
    3⤵
    PID:3688
  - - /usr/bin/killall
      killall -9 xm64
      4⤵
      PID:3689
- - /usr/bin/sudo
    sudo killall -9 rpc.idmapd
    3⤵
    PID:3690
  - - /usr/bin/killall
      killall -9 rpc.idmapd
      4⤵
      PID:3691
- - /usr/bin/sudo
    sudo rm -rf /tmp/.m2
    3⤵
    PID:3692
  - - /usr/bin/rm
      rm -rf /tmp/.m2
      4⤵
      PID:3693
- - /usr/bin/sudo
    sudo killall -9 xorgg
    3⤵
    PID:3694
  - - /usr/bin/killall
      killall -9 xorgg
      4⤵
      Reads runtime system information
      PID:3695
- - /usr/bin/sudo
    sudo rm -rf /tmp/seconfig
    3⤵
    PID:3696
  - - /usr/bin/rm
      rm -rf /tmp/seconfig
      4⤵
      PID:3697
- - /usr/bin/sudo
    sudo killall -9 crond64
    3⤵
    PID:3698
  - - /usr/bin/killall
      killall -9 crond64
      4⤵
      PID:3699
- - /usr/bin/sudo
    sudo killall -9 tsm
    3⤵
    PID:3700
  - - /usr/bin/killall
      killall -9 tsm
      4⤵
      PID:3701
- - /usr/bin/sudo
    sudo rm -rf /tmp/.ssh
    3⤵
    PID:3702
  - - /usr/bin/rm
      rm -rf /tmp/.ssh
      4⤵
      PID:3703
- - /usr/bin/sudo
    sudo rm -rf /tmp/.java
    3⤵
    PID:3704
  - - /usr/bin/rm
      rm -rf /tmp/.java
      4⤵
      PID:3705
- - /usr/bin/sudo
    sudo rm -rf /tmp/.iolanda
    3⤵
    PID:3706
  - - /usr/bin/rm
      rm -rf /tmp/.iolanda
      4⤵
      PID:3707
- - /usr/bin/sudo
    sudo pkill test.mod
    3⤵
    PID:3708
  - - /usr/bin/pkill
      pkill test.mod
      4⤵
      PID:3709
- - /usr/bin/sudo
    sudo pkill daemon.i686.mod
    3⤵
    PID:3710
  - - /usr/bin/pkill
      pkill daemon.i686.mod
      4⤵
      Reads runtime system information
      PID:3711
- - /usr/bin/sudo
    sudo pkill daemon.armv4l.mod
    3⤵
    PID:3712
  - - /usr/bin/pkill
      pkill daemon.armv4l.mod
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:3713
- - /usr/bin/sudo
    sudo pkill daemon.mips.mod
    3⤵
    PID:3714
  - - /usr/bin/pkill
      pkill daemon.mips.mod
      4⤵
      Reads CPU attributes
      Reads runtime system information
      PID:3715
- - /usr/bin/sudo
    sudo pkill daemon.mipsel.mod
    3⤵
    PID:3716
  - - /usr/bin/pkill
      pkill daemon.mipsel.mod
      4⤵
      Reads CPU attributes
      Enumerates kernel/hardware configuration
      Reads runtime system information
      PID:3717
- - /usr/bin/sudo
    sudo rm -rf /tmp/.xs
    3⤵
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    PID:3718
  - - /usr/bin/rm
      rm -rf /tmp/.xs
      4⤵
      PID:3719
- - /usr/bin/sudo
    sudo pkill ld-linux-x86-64
    3⤵
    PID:3720
  - - /usr/bin/pkill
      pkill ld-linux-x86-64
      4⤵
      PID:3721
- - /usr/bin/rm
    rm -rf "/var/tmp/. *"
    3⤵
    PID:3722
- - /usr/bin/sudo
    sudo ps auxf
    3⤵
    PID:3724
  - - /usr/bin/ps
      ps auxf
      4⤵
      Reads runtime system information
      PID:3728
- - /usr/bin/grep
    grep xmr
    3⤵
    PID:3725
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:3726
- - /usr/bin/awk
    awk "{ print \$2 }"
    3⤵
    PID:3727
- - /usr/bin/sudo
    sudo ps auxf
    3⤵
    PID:3730
  - - /usr/bin/ps
      ps auxf
      4⤵
      Checks CPU configuration
      PID:3734
- - /usr/bin/grep
    grep cryptonight
    3⤵
    PID:3731
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:3732
- - /usr/bin/awk
    awk "{ print \$2 }"
    3⤵
    PID:3733
- - /usr/bin/sudo
    sudo ps auxf
    3⤵
    PID:3736
  - - /usr/bin/ps
      ps auxf
      4⤵
      Checks CPU configuration
      PID:3740
- - /usr/bin/grep
    grep stratum
    3⤵
    PID:3737
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:3738
- - /usr/bin/awk
    awk "{ print \$2 }"
    3⤵
    PID:3739
- - /usr/bin/sudo
    sudo ps auxf
    3⤵
    PID:3742
  - - /usr/bin/ps
      ps auxf
      4⤵
      Checks CPU configuration
      Reads CPU attributes
      Enumerates kernel/hardware configuration
      Reads runtime system information
      PID:3746
- - /usr/bin/grep
    grep dbus-daemon--system
    3⤵
    PID:3743
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:3744
- - /usr/bin/awk
    awk "{ print \$2 }"
    3⤵
    PID:3745
- - /usr/bin/sudo
    sudo ps auxf
    3⤵
    PID:3748
  - - /usr/bin/ps
      ps auxf
      4⤵
      Checks CPU configuration
      PID:3752
- - /usr/bin/grep
    grep "\\[\\]"
    3⤵
    PID:3749
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:3750
- - /usr/bin/awk
    awk "{ print \$2 }"
    3⤵
    PID:3751
- - /usr/bin/sudo
    sudo ps auxf
    3⤵
    PID:3754
  - - /usr/bin/ps
      ps auxf
      4⤵
      Checks CPU configuration
      PID:3758
- - /usr/bin/grep
    grep xm64
    3⤵
    PID:3755
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:3756
- - /usr/bin/awk
    awk "{ print \$2 }"
    3⤵
    PID:3757
- - /usr/bin/sudo
    sudo killall -9 "[atd]"
    3⤵
    PID:3759
  - - /usr/bin/killall
      killall -9 "[atd]"
      4⤵
      PID:3760
- - /usr/bin/sudo
    sudo rm -rf /tmp/.jk
    3⤵
    PID:3761
  - - /usr/bin/rm
      rm -rf /tmp/.jk
      4⤵
      PID:3762
- - /usr/bin/sudo
    sudo killall -9 "[ntpd]"
    3⤵
    PID:3763
  - - /usr/bin/killall
      killall -9 "[ntpd]"
      4⤵
      PID:3764
- - /usr/bin/sudo
    sudo killall -9 "[rpciod]"
    3⤵
    PID:3765
  - - /usr/bin/killall
      killall -9 "[rpciod]"
      4⤵
      PID:3766
- - /usr/bin/sudo
    sudo killall -9 "[ext4-dio-unwrit]"
    3⤵
    PID:3767
  - - /usr/bin/killall
      killall -9 "[ext4-dio-unwrit]"
      4⤵
      PID:3768
- - /usr/bin/sudo
    sudo rm -rf "/tmp/.xm*"
    3⤵
    PID:3769
  - - /usr/bin/rm
      rm -rf "/tmp/.xm*"
      4⤵
      PID:3770
- - /usr/bin/pidof
    pidof libexec
    3⤵
    PID:3771
- /usr/bin/free
  free -m
  2⤵
  PID:3772
- /usr/bin/uptime
  uptime
  2⤵
  PID:3773
- /bin/bash
  /bin/bash -
  2⤵
  PID:3774
- - /usr/bin/which
    which sudo
    3⤵
    PID:3776
- - /usr/bin/wc
    wc -l
    3⤵
    PID:3777
- - /usr/bin/sudo
    sudo -S touch .local_24420
    3⤵
    PID:3779
  - - /usr/bin/touch
      touch .local_24420
      4⤵
      Writes file to tmp directory
      PID:3780
- - /usr/bin/ls
    ls -l .local_24420
    3⤵
    PID:3782
- - /usr/bin/grep
    grep -c root
    3⤵
    PID:3783
- - /usr/bin/sudo
    sudo rm .local_24420
    3⤵
    PID:3784
  - - /usr/bin/rm
      rm .local_24420
      4⤵
      PID:3785
- - /usr/bin/sudo
    sudo ps auxff
    3⤵
    PID:3787
  - - /usr/bin/ps
      ps auxff
      4⤵
      Enumerates kernel/hardware configuration
      PID:3791
- - /usr/bin/grep
    grep "./crond -t=all"
    3⤵
    PID:3788
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:3789
- - /usr/bin/awk
    awk "{ print \$2 }"
    3⤵
    PID:3790
- - /usr/bin/sudo
    sudo killall -9 bssh
    3⤵
    PID:3792
  - - /usr/bin/killall
      killall -9 bssh
      4⤵
      PID:3793
- - /usr/bin/sudo
    sudo rm -rf /tmp/.an
    3⤵
    PID:3794
  - - /usr/bin/rm
      rm -rf /tmp/.an
      4⤵
      PID:3795
- - /usr/bin/sudo
    sudo killall -9 xm64
    3⤵
    - Reads runtime system information
    PID:3796
  - - /usr/bin/killall
      killall -9 xm64
      4⤵
      PID:3797
- - /usr/bin/sudo
    sudo killall -9 rpc.idmapd
    3⤵
    PID:3798
  - - /usr/bin/killall
      killall -9 rpc.idmapd
      4⤵
      PID:3799
- - /usr/bin/sudo
    sudo rm -rf /tmp/.m2
    3⤵
    PID:3800
  - - /usr/bin/rm
      rm -rf /tmp/.m2
      4⤵
      PID:3801
- - /usr/bin/sudo
    sudo killall -9 xorgg
    3⤵
    PID:3802
  - - /usr/bin/killall
      killall -9 xorgg
      4⤵
      PID:3803
- - /usr/bin/sudo
    sudo rm -rf /tmp/seconfig
    3⤵
    PID:3804
  - - /usr/bin/rm
      rm -rf /tmp/seconfig
      4⤵
      PID:3805
- - /usr/bin/sudo
    sudo killall -9 crond64
    3⤵
    PID:3806
  - - /usr/bin/killall
      killall -9 crond64
      4⤵
      PID:3807
- - /usr/bin/sudo
    sudo killall -9 tsm
    3⤵
    PID:3808
  - - /usr/bin/killall
      killall -9 tsm
      4⤵
      PID:3809
- - /usr/bin/sudo
    sudo rm -rf /tmp/.ssh
    3⤵
    PID:3810
  - - /usr/bin/rm
      rm -rf /tmp/.ssh
      4⤵
      PID:3811
- - /usr/bin/sudo
    sudo rm -rf /tmp/.java
    3⤵
    PID:3812
  - - /usr/bin/rm
      rm -rf /tmp/.java
      4⤵
      PID:3813
- - /usr/bin/sudo
    sudo rm -rf /tmp/.iolanda
    3⤵
    PID:3814
  - - /usr/bin/rm
      rm -rf /tmp/.iolanda
      4⤵
      PID:3815
- - /usr/bin/sudo
    sudo pkill test.mod
    3⤵
    PID:3816
  - - /usr/bin/pkill
      pkill test.mod
      4⤵
      Enumerates kernel/hardware configuration
      PID:3817
- - /usr/bin/sudo
    sudo pkill daemon.i686.mod
    3⤵
    PID:3818
  - - /usr/bin/pkill
      pkill daemon.i686.mod
      4⤵
      Enumerates kernel/hardware configuration
      PID:3819
- - /usr/bin/sudo
    sudo pkill daemon.armv4l.mod
    3⤵
    PID:3820
  - - /usr/bin/pkill
      pkill daemon.armv4l.mod
      4⤵
      PID:3821
- - /usr/bin/sudo
    sudo pkill daemon.mips.mod
    3⤵
    PID:3822
  - - /usr/bin/pkill
      pkill daemon.mips.mod
      4⤵
      PID:3823
- - /usr/bin/sudo
    sudo pkill daemon.mipsel.mod
    3⤵
    PID:3824
  - - /usr/bin/pkill
      pkill daemon.mipsel.mod
      4⤵
      PID:3825
- - /usr/bin/sudo
    sudo rm -rf /tmp/.xs
    3⤵
    PID:3826
  - - /usr/bin/rm
      rm -rf /tmp/.xs
      4⤵
      PID:3827
- - /usr/bin/sudo
    sudo pkill ld-linux-x86-64
    3⤵
    PID:3828
  - - /usr/bin/pkill
      pkill ld-linux-x86-64
      4⤵
      PID:3829
- - /usr/bin/rm
    rm -rf "/var/tmp/. *"
    3⤵
    PID:3830
- - /usr/bin/sudo
    sudo ps auxf
    3⤵
    PID:3832
  - - /usr/bin/ps
      ps auxf
      4⤵
      Reads runtime system information
      PID:3836
- - /usr/bin/grep
    grep xmr
    3⤵
    PID:3833
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:3834
- - /usr/bin/awk
    awk "{ print \$2 }"
    3⤵
    PID:3835
- - /usr/bin/sudo
    sudo ps auxf
    3⤵
    PID:3838
  - - /usr/bin/ps
      ps auxf
      4⤵
      Checks CPU configuration
      Reads runtime system information
      PID:3842
- - /usr/bin/grep
    grep cryptonight
    3⤵
    PID:3839
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:3840
- - /usr/bin/awk
    awk "{ print \$2 }"
    3⤵
    PID:3841
- - /usr/bin/sudo
    sudo ps auxf
    3⤵
    PID:3844
  - - /usr/bin/ps
      ps auxf
      4⤵
      Checks CPU configuration
      PID:3848
- - /usr/bin/grep
    grep stratum
    3⤵
    PID:3845
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:3846
- - /usr/bin/awk
    awk "{ print \$2 }"
    3⤵
    PID:3847
- - /usr/bin/sudo
    sudo ps auxf
    3⤵
    PID:3850
  - - /usr/bin/ps
      ps auxf
      4⤵
      Reads CPU attributes
      Enumerates kernel/hardware configuration
      PID:3854
- - /usr/bin/grep
    grep dbus-daemon--system
    3⤵
    PID:3851
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:3852
- - /usr/bin/awk
    awk "{ print \$2 }"
    3⤵
    PID:3853
- - /usr/bin/sudo
    sudo ps auxf
    3⤵
    PID:3856
  - - /usr/bin/ps
      ps auxf
      4⤵
      Checks CPU configuration
      Reads CPU attributes
      PID:3860
- - /usr/bin/grep
    grep "\\[\\]"
    3⤵
    PID:3857
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:3858
- - /usr/bin/awk
    awk "{ print \$2 }"
    3⤵
    PID:3859
- - /usr/bin/sudo
    sudo ps auxf
    3⤵
    PID:3862
  - - /usr/bin/ps
      ps auxf
      4⤵
      Checks CPU configuration
      Reads CPU attributes
      Enumerates kernel/hardware configuration
      PID:3866
- - /usr/bin/grep
    grep xm64
    3⤵
    PID:3863
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:3864
- - /usr/bin/awk
    awk "{ print \$2 }"
    3⤵
    PID:3865
- - /usr/bin/sudo
    sudo killall -9 "[atd]"
    3⤵
    PID:3867
  - - /usr/bin/killall
      killall -9 "[atd]"
      4⤵
      PID:3868
- - /usr/bin/sudo
    sudo rm -rf /tmp/.jk
    3⤵
    PID:3869
  - - /usr/bin/rm
      rm -rf /tmp/.jk
      4⤵
      PID:3870
- - /usr/bin/sudo
    sudo killall -9 "[ntpd]"
    3⤵
    PID:3871
  - - /usr/bin/killall
      killall -9 "[ntpd]"
      4⤵
      PID:3872
- - /usr/bin/sudo
    sudo killall -9 "[rpciod]"
    3⤵
    PID:3873
  - - /usr/bin/killall
      killall -9 "[rpciod]"
      4⤵
      PID:3874
- - /usr/bin/sudo
    sudo killall -9 "[ext4-dio-unwrit]"
    3⤵
    PID:3875
  - - /usr/bin/killall
      killall -9 "[ext4-dio-unwrit]"
      4⤵
      PID:3876
- - /usr/bin/sudo
    sudo rm -rf "/tmp/.xm*"
    3⤵
    PID:3877
  - - /usr/bin/rm
      rm -rf "/tmp/.xm*"
      4⤵
      PID:3878
- - /usr/bin/pidof
    pidof libexec
    3⤵
    PID:3879
- /usr/bin/free
  free -m
  2⤵
  PID:3880
- /usr/bin/uptime
  uptime
  2⤵
  PID:3881
- /bin/bash
  /bin/bash -
  2⤵
  PID:3882
- - /usr/bin/wc
    wc -l
    3⤵
    PID:3885
- - /usr/bin/which
    which sudo
    3⤵
    PID:3884
- - /usr/bin/sudo
    sudo -S touch .local_10129
    3⤵
    PID:3887
  - - /usr/bin/touch
      touch .local_10129
      4⤵
      Writes file to tmp directory
      PID:3888
- - /usr/bin/ls
    ls -l .local_10129
    3⤵
    PID:3890
- - /usr/bin/grep
    grep -c root
    3⤵
    PID:3891
- - /usr/bin/sudo
    sudo rm .local_10129
    3⤵
    PID:3892
  - - /usr/bin/rm
      rm .local_10129
      4⤵
      PID:3893
- - /usr/bin/sudo
    sudo ps auxff
    3⤵
    PID:3895
  - - /usr/bin/ps
      ps auxff
      4⤵
      Checks CPU configuration
      Reads runtime system information
      PID:3899
- - /usr/bin/grep
    grep "./crond -t=all"
    3⤵
    PID:3896
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:3897
- - /usr/bin/awk
    awk "{ print \$2 }"
    3⤵
    PID:3898
- - /usr/bin/sudo
    sudo killall -9 bssh
    3⤵
    PID:3900
  - - /usr/bin/killall
      killall -9 bssh
      4⤵
      PID:3901
- - /usr/bin/sudo
    sudo rm -rf /tmp/.an
    3⤵
    PID:3902
  - - /usr/bin/rm
      rm -rf /tmp/.an
      4⤵
      PID:3903
- - /usr/bin/sudo
    sudo killall -9 xm64
    3⤵
    PID:3904
  - - /usr/bin/killall
      killall -9 xm64
      4⤵
      PID:3905
- - /usr/bin/sudo
    sudo killall -9 rpc.idmapd
    3⤵
    PID:3906
  - - /usr/bin/killall
      killall -9 rpc.idmapd
      4⤵
      PID:3907
- - /usr/bin/sudo
    sudo rm -rf /tmp/.m2
    3⤵
    PID:3908
  - - /usr/bin/rm
      rm -rf /tmp/.m2
      4⤵
      PID:3909
- - /usr/bin/sudo
    sudo killall -9 xorgg
    3⤵
    PID:3910
  - - /usr/bin/killall
      killall -9 xorgg
      4⤵
      PID:3911
- - /usr/bin/sudo
    sudo rm -rf /tmp/seconfig
    3⤵
    PID:3912
  - - /usr/bin/rm
      rm -rf /tmp/seconfig
      4⤵
      PID:3913
- - /usr/bin/sudo
    sudo killall -9 crond64
    3⤵
    PID:3914
  - - /usr/bin/killall
      killall -9 crond64
      4⤵
      PID:3915
- - /usr/bin/sudo
    sudo killall -9 tsm
    3⤵
    PID:3916
  - - /usr/bin/killall
      killall -9 tsm
      4⤵
      PID:3917
- - /usr/bin/sudo
    sudo rm -rf /tmp/.ssh
    3⤵
    PID:3918
  - - /usr/bin/rm
      rm -rf /tmp/.ssh
      4⤵
      PID:3919
- - /usr/bin/sudo
    sudo rm -rf /tmp/.java
    3⤵
    PID:3920
  - - /usr/bin/rm
      rm -rf /tmp/.java
      4⤵
      PID:3921
- - /usr/bin/sudo
    sudo rm -rf /tmp/.iolanda
    3⤵
    PID:3922
  - - /usr/bin/rm
      rm -rf /tmp/.iolanda
      4⤵
      PID:3923
- - /usr/bin/sudo
    sudo pkill test.mod
    3⤵
    PID:3924
  - - /usr/bin/pkill
      pkill test.mod
      4⤵
      PID:3925
- - /usr/bin/sudo
    sudo pkill daemon.i686.mod
    3⤵
    PID:3926
  - - /usr/bin/pkill
      pkill daemon.i686.mod
      4⤵
      PID:3927
- - /usr/bin/sudo
    sudo pkill daemon.armv4l.mod
    3⤵
    PID:3928
  - - /usr/bin/pkill
      pkill daemon.armv4l.mod
      4⤵
      Enumerates kernel/hardware configuration
      Reads runtime system information
      PID:3929
- - /usr/bin/sudo
    sudo pkill daemon.mips.mod
    3⤵
    PID:3930
  - - /usr/bin/pkill
      pkill daemon.mips.mod
      4⤵
      PID:3931
- - /usr/bin/sudo
    sudo pkill daemon.mipsel.mod
    3⤵
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    PID:3932
  - - /usr/bin/pkill
      pkill daemon.mipsel.mod
      4⤵
      PID:3933
- - /usr/bin/sudo
    sudo rm -rf /tmp/.xs
    3⤵
    PID:3934
  - - /usr/bin/rm
      rm -rf /tmp/.xs
      4⤵
      PID:3935
- - /usr/bin/sudo
    sudo pkill ld-linux-x86-64
    3⤵
    PID:3936
  - - /usr/bin/pkill
      pkill ld-linux-x86-64
      4⤵
      PID:3937
- - /usr/bin/rm
    rm -rf "/var/tmp/. *"
    3⤵
    PID:3938
- - /usr/bin/sudo
    sudo ps auxf
    3⤵
    PID:3940
  - - /usr/bin/ps
      ps auxf
      4⤵
      Enumerates kernel/hardware configuration
      Reads runtime system information
      PID:3944
- - /usr/bin/grep
    grep xmr
    3⤵
    PID:3941
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:3942
- - /usr/bin/awk
    awk "{ print \$2 }"
    3⤵
    PID:3943
- - /usr/bin/sudo
    sudo ps auxf
    3⤵
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    PID:3946
  - - /usr/bin/ps
      ps auxf
      4⤵
      Checks CPU configuration
      Reads CPU attributes
      PID:3950
- - /usr/bin/grep
    grep cryptonight
    3⤵
    PID:3947
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:3948
- - /usr/bin/awk
    awk "{ print \$2 }"
    3⤵
    PID:3949
- - /usr/bin/sudo
    sudo ps auxf
    3⤵
    PID:3952
  - - /usr/bin/ps
      ps auxf
      4⤵
      Checks CPU configuration
      PID:3956
- - /usr/bin/grep
    grep stratum
    3⤵
    PID:3953
- - /usr/bin/awk
    awk "{ print \$2 }"
    3⤵
    PID:3955
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:3954
- - /usr/bin/sudo
    sudo ps auxf
    3⤵
    PID:3958
  - - /usr/bin/ps
      ps auxf
      4⤵
      Enumerates kernel/hardware configuration
      PID:3962
- - /usr/bin/grep
    grep dbus-daemon--system
    3⤵
    PID:3959
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:3960
- - /usr/bin/awk
    awk "{ print \$2 }"
    3⤵
    PID:3961
- - /usr/bin/sudo
    sudo ps auxf
    3⤵
    PID:3964
  - - /usr/bin/ps
      ps auxf
      4⤵
      PID:3968
- - /usr/bin/grep
    grep "\\[\\]"
    3⤵
    PID:3965
- - /usr/bin/awk
    awk "{ print \$2 }"
    3⤵
    PID:3967
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:3966
- - /usr/bin/sudo
    sudo ps auxf
    3⤵
    PID:3970
  - - /usr/bin/ps
      ps auxf
      4⤵
      PID:3974
- - /usr/bin/grep
    grep xm64
    3⤵
    PID:3971
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:3972
- - /usr/bin/awk
    awk "{ print \$2 }"
    3⤵
    PID:3973
- - /usr/bin/sudo
    sudo killall -9 "[atd]"
    3⤵
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    PID:3975
  - - /usr/bin/killall
      killall -9 "[atd]"
      4⤵
      PID:3976
- - /usr/bin/sudo
    sudo rm -rf /tmp/.jk
    3⤵
    PID:3977
  - - /usr/bin/rm
      rm -rf /tmp/.jk
      4⤵
      PID:3978
- - /usr/bin/sudo
    sudo killall -9 "[ntpd]"
    3⤵
    PID:3979
  - - /usr/bin/killall
      killall -9 "[ntpd]"
      4⤵
      PID:3980
- - /usr/bin/sudo
    sudo killall -9 "[rpciod]"
    3⤵
    PID:3981
  - - /usr/bin/killall
      killall -9 "[rpciod]"
      4⤵
      PID:3982
- - /usr/bin/sudo
    sudo killall -9 "[ext4-dio-unwrit]"
    3⤵
    PID:3983
  - - /usr/bin/killall
      killall -9 "[ext4-dio-unwrit]"
      4⤵
      PID:3984
- - /usr/bin/sudo
    sudo rm -rf "/tmp/.xm*"
    3⤵
    PID:3985
  - - /usr/bin/rm
      rm -rf "/tmp/.xm*"
      4⤵
      PID:3986
- - /usr/bin/pidof
    pidof libexec
    3⤵
    PID:3987
- /bin/bash
  /bin/bash -
  2⤵
  PID:3988
- - /usr/bin/which
    which sudo
    3⤵
    PID:3990
- - /usr/bin/wc
    wc -l
    3⤵
    PID:3991
- - /usr/bin/sudo
    sudo -S touch .local_19923
    3⤵
    PID:3993
  - - /usr/bin/touch
      touch .local_19923
      4⤵
      Writes file to tmp directory
      PID:3994
- - /usr/bin/ls
    ls -l .local_19923
    3⤵
    PID:3996
- - /usr/bin/grep
    grep -c root
    3⤵
    PID:3997
- - /usr/bin/sudo
    sudo rm .local_19923
    3⤵
    PID:3998
  - - /usr/bin/rm
      rm .local_19923
      4⤵
      PID:3999
- - /usr/bin/sudo
    sudo ps auxff
    3⤵
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    PID:4001
  - - /usr/bin/ps
      ps auxff
      4⤵
      Reads CPU attributes
      PID:4005
- - /usr/bin/grep
    grep "./crond -t=all"
    3⤵
    PID:4002
- - /usr/bin/grep
    grep -v grep
    3⤵
    PID:4003
- - /usr/bin/awk
    awk "{ print \$2 }"
    3⤵
    PID:4004
- - /usr/bin/sudo
    sudo killall -9 bssh
    3⤵
    PID:4006
  - - /usr/bin/killall
      killall -9 bssh
      4⤵
      PID:4007
- - /usr/bin/sudo
    sudo rm -rf /tmp/.an
    3⤵
    PID:4008
  - - /usr/bin/rm
      rm -rf /tmp/.an
      4⤵
      PID:4009
- - /usr/bin/sudo
    sudo killall -9 xm64
    3⤵
    PID:4010
  - - /usr/bin/killall
      killall -9 xm64
      4⤵
      PID:4011
- - /usr/bin/sudo
    sudo killall -9 rpc.idmapd
    3⤵
    PID:4012
  - - /usr/bin/killall
      killall -9 rpc.idmapd
      4⤵
      PID:4013
- - /usr/bin/sudo
    sudo rm -rf /tmp/.m2
    3⤵
    PID:4014
  - - /usr/bin/rm
      rm -rf /tmp/.m2
      4⤵
      PID:4015
- - /usr/bin/sudo
    sudo killall -9 xorgg
    3⤵
    PID:4016
  - - /usr/bin/killall
      killall -9 xorgg
      4⤵
      PID:4017
- - /usr/bin/sudo
    sudo rm -rf /tmp/seconfig
    3⤵
    PID:4018
  - - /usr/bin/rm
      rm -rf /tmp/seconfig
      4⤵
      PID:4019
- - /usr/bin/sudo
    sudo killall -9 crond64
    3⤵
    PID:4020
  - - /usr/bin/killall
      killall -9 crond64
      4⤵
      PID:4021
- - /usr/bin/sudo
    sudo killall -9 tsm
    3⤵
    PID:4022
  - - /usr/bin/killall
      killall -9 tsm
      4⤵
      PID:4023
- - /usr/bin/sudo
    sudo rm -rf /tmp/.ssh
    3⤵
    - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
    PID:4024
  - - /usr/bin/rm
      rm -rf /tmp/.ssh
      4⤵
      PID:4025
- - /usr/bin/sudo
    sudo rm -rf /tmp/.java
    3⤵
    PID:4026
  - - /usr/bin/rm
      rm -rf /tmp/.java
      4⤵
      PID:4027
- - /usr/bin/sudo
    sudo rm -rf /tmp/.iolanda
    3⤵
    PID:4028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Account Manipulation

T1098

SSH Authorized Keys

T1098.004

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Sudo and Sudo Caching

T1548.003

Account Manipulation

T1098

SSH Authorized Keys

T1098.004

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Sudo and Sudo Caching

T1548.003

Indicator Removal

T1070

Clear Linux or Mac System Logs

T1070.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/The-MALWARE-Repo-master/Botnets/FritzFrog/nc

Filesize
8.6MB

MD5
ae747bc7fff9bc23f06635ef60ea0e8d

SHA1
64315e834f67905ed4e47f36155362a78ac23462

SHA256
103b8404dc64c9a44511675981a09fd01395ee837452d114f1350c295357c046

SHA512
e24914a58565a43883c27ae4a41061e8edd3d5eef7b86c1c0e9910d9fbe0eef3e78ed49136ac0c9378311e99901b1847bcfd926aa9a3ea44149a7478480f82b2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads