196b528e7c816ef6dc101e193bb73338e2e6c696137302f991099682e52bc910

Analysis

max time kernel
39s
max time network
2s
platform
debian-9_armhf
resource
debian9-armhf-20240729-en
resource tags

arch:armhfimage:debian9-armhf-20240729-enkernel:4.9.0-13-armmp-lpaelocale:en-usos:debian-9-armhfsystem
submitted
23-01-2025 06:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

196b528e7c816ef6dc101e193bb73338e2e6c696137302f991099682e52bc910.sh
Size

37KB
MD5

d6648f420423f9dad4292a606f743c4b
SHA1

dcae47ec15e96274a39fcce4352077846ebf7b70
SHA256

196b528e7c816ef6dc101e193bb73338e2e6c696137302f991099682e52bc910
SHA512

3820b4fb435732fef05157ff0713ed3a62269dc1c21240dbf7e2e59191a0f34050247573b4d9758cd84495fb28d8f346e381b8f09a9041c70ca88333b1303f93
SSDEEP

384:Q7pQQwQHDf6lpTWg3vM4Qdre21jT58vKpG2Y0orcfKLUv0KZnNEVdUeUoJpJydIi:Q7xFNB48Fkc2zq0xvMGdl18r

Score

7^/10

antivm defense_evasion discovery

Malware Config

Signatures

Deletes system logs 1 TTPs 1 IoCs

Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.

defense_evasion

Clear Linux or Mac System Logs

T1070.002

description	ioc	Process
File deleted	/var/log/syslog	rm

Flushes firewall rules 1 TTPs 1 IoCs

Flushes/ disables firewall rules inside the Linux kernel.

defense_evasion

Disable or Modify System Firewall

T1562.004

pid	Process
686	iptables

Attempts to change immutable files 64 IoCs

Modifies inode attributes on the filesystem to allow changing of immutable files.

pid	Process
735	xargs
903	xargs
963	xargs
975	xargs
1127	xargs
1175	xargs
804	xargs
926	xargs
982	xargs
1010	xargs
723	xargs
783	xargs
1207	xargs
790	xargs
817	xargs
874	xargs
943	xargs
741	xargs
938	xargs
969	xargs
1053	xargs
1117	xargs
697	grep
748	xargs
919	xargs
711	xargs
810	xargs
1047	xargs
1073	xargs
1093	xargs
824	xargs
867	xargs
948	xargs
1003	xargs
1018	xargs
706	xargs
797	xargs
831	xargs
1107	xargs
1195	xargs
1148	xargs
1170	xargs
776	xargs
838	xargs
932	xargs
953	xargs
1032	xargs
1083	xargs
1180	xargs
683	chattr
845	xargs
1039	xargs
1102	xargs
1165	xargs
1217	xargs
1155	xargs
1185	xargs
890	xargs
989	xargs
996	xargs
1059	xargs
1122	xargs
1133	xargs
699	grep

Enumerates running processes
Discovers information about currently running processes on the system

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Checks CPU configuration 1 TTPs 1 IoCs

Checks CPU information which indicate if the system is a virtual machine.

antivm

System Checks

T1497.001

description	ioc	Process
File opened for reading	/proc/cpuinfo	curl

Reads CPU attributes 1 TTPs 64 IoCs

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	sysctl
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps

Process Discovery 1 TTPs 64 IoCs

Adversaries may try to discover information about running processes.

discovery

Process Discovery

T1057

pid	Process
1055	ps
813	ps
841	ps
893	ps
944	ps
965	ps
1028	ps
1113	ps
806	ps
820	ps
922	ps
1089	ps
1094	ps
939	ps
954	ps
1021	ps
863	ps
1123	ps
1166	ps
999	ps
1103	ps
857	ps
899	ps
907	ps
1139	ps
1161	ps
978	ps
1062	ps
1134	ps
1208	ps
1213	ps
696	ps
834	ps
949	ps
959	ps
1203	ps
1049	ps
1079	ps
1035	ps
1098	ps
1118	ps
1149	ps
1171	ps
698	ps
971	ps
992	ps
1186	ps
1191	ps
870	ps
1197	ps
1043	ps
1069	ps
1084	ps
1108	ps
1156	ps
877	ps
928	ps
985	ps
1181	ps
915	ps
1144	ps
1176	ps
1006	ps
1014	ps

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/4/status	ps
File opened for reading	/proc/105/cmdline	ps
File opened for reading	/proc/311/status	ps
File opened for reading	/proc/42/stat	ps
File opened for reading	/proc/981/cmdline	ps
File opened for reading	/proc/151/cmdline	ps
File opened for reading	/proc/264/stat	ps
File opened for reading	/proc/3/status	ps
File opened for reading	/proc/22/status	ps
File opened for reading	/proc/14/cmdline	ps
File opened for reading	/proc/28/stat	ps
File opened for reading	/proc/26/status	ps
File opened for reading	/proc/598/cmdline	ps
File opened for reading	/proc/137/status	ps
File opened for reading	/proc/1136/stat	ps
File opened for reading	/proc/105/stat	ps
File opened for reading	/proc/self/stat	ps
File opened for reading	/proc/266/stat	ps
File opened for reading	/proc/262/stat	ps
File opened for reading	/proc/638/cmdline	ps
File opened for reading	/proc/638/stat	ps
File opened for reading	/proc/140/cmdline	ps
File opened for reading	/proc/581/stat	ps
File opened for reading	/proc/20/status	ps
File opened for reading	/proc/16/status	ps
File opened for reading	/proc/638/cmdline	ps
File opened for reading	/proc/6/stat	ps
File opened for reading	/proc/297/cmdline	ps
File opened for reading	/proc/279/cmdline	ps
File opened for reading	/proc/41/status	ps
File opened for reading	/proc/9/cmdline	ps
File opened for reading	/proc/644/status	ps
File opened for reading	/proc/581/stat	ps
File opened for reading	/proc/139/cmdline	ps
File opened for reading	/proc/19/status	ps
File opened for reading	/proc/262/cmdline	ps
File opened for reading	/proc/884/status	ps
File opened for reading	/proc/42/status	ps
File opened for reading	/proc/588/status	ps
File opened for reading	/proc/1/cmdline	ps
File opened for reading	/proc/311/stat	ps
File opened for reading	/proc/645/stat	ps
File opened for reading	/proc/581/status	ps
File opened for reading	/proc/12/cmdline	ps
File opened for reading	/proc/311/cmdline	ps
File opened for reading	/proc/139/status	ps
File opened for reading	/proc/266/status	ps
File opened for reading	/proc/41/stat	ps
File opened for reading	/proc/23/cmdline	ps
File opened for reading	/proc/23/cmdline	ps
File opened for reading	/proc/650/stat	ps
File opened for reading	/proc/650/stat	ps
File opened for reading	/proc/41/cmdline	ps
File opened for reading	/proc/645/stat	ps
File opened for reading	/proc/280/stat	ps
File opened for reading	/proc/15/cmdline	ps
File opened for reading	/proc/24/stat	ps
File opened for reading	/proc/18/status	ps
File opened for reading	/proc/298/cmdline	ps
File opened for reading	/proc/646/cmdline	ps
File opened for reading	/proc/650/stat	ps
File opened for reading	/proc/140/status	ps
File opened for reading	/proc/16/stat	ps
File opened for reading	/proc/10/stat	ps

System Network Configuration Discovery 1 TTPs 2 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
1051	grep
1091	grep

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/dev/null	196b528e7c816ef6dc101e193bb73338e2e6c696137302f991099682e52bc910.sh

/tmp/196b528e7c816ef6dc101e193bb73338e2e6c696137302f991099682e52bc910.sh
/tmp/196b528e7c816ef6dc101e193bb73338e2e6c696137302f991099682e52bc910.sh
1⤵
- Writes file to tmp directory
PID:646
- /bin/grep
  grep -i CN
  2⤵
  PID:649
- /usr/bin/curl
  curl http://ip-api.com/json/
  2⤵
  - Checks CPU configuration
  PID:647
- /bin/sed
  sed "s/,/\\n/g"
  2⤵
  PID:648
- /bin/sync
  sync
  2⤵
  PID:670
- /bin/cat
  cat /var/spool/cron/
  2⤵
  PID:673
- /bin/cat
  cat /root/.ssh/authorized_keys
  2⤵
  PID:674
- /bin/mv
  mv /usr/bin/curl /usr/bin/url
  2⤵
  PID:675
- /bin/mv
  mv /usr/bin/url /usr/bin/cd1
  2⤵
  PID:677
- /bin/mv
  mv /usr/bin/wget /usr/bin/get
  2⤵
  PID:679
- /bin/mv
  mv /usr/bin/get /usr/bin/wd1
  2⤵
  PID:681
- /bin/rm
  rm -rf /var/log/syslog
  2⤵
  - Deletes system logs
  PID:682
- /usr/bin/chattr
  chattr -iua /tmp/
  2⤵
  - Attempts to change immutable files
  PID:683
- /usr/bin/chattr
  chattr -iua /var/tmp/
  2⤵
  PID:685
- /sbin/iptables
  iptables -F
  2⤵
  - Flushes firewall rules
  PID:686
- /usr/sbin/userdel
  userdel akay
  2⤵
  PID:690
- /usr/sbin/userdel
  userdel vfinder
  2⤵
  PID:692
- /bin/rm
  rm -rf "/tmp/addres*"
  2⤵
  PID:693
- /bin/rm
  rm -rf "/tmp/walle*"
  2⤵
  PID:694
- /bin/rm
  rm -rf /tmp/keys
  2⤵
  PID:695
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:696
- /bin/grep
  grep -i "[a]liyun"
  2⤵
  - Attempts to change immutable files
  PID:697
- /bin/grep
  grep -i "[y]unjing"
  2⤵
  - Attempts to change immutable files
  PID:699
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:698
- /bin/rm
  rm -f /tmp/.null
  2⤵
  PID:700
- /sbin/sysctl
  sysctl -w "vm.nr_hugepages=128"
  2⤵
  - Reads CPU attributes
  PID:701
- /bin/grep
  grep 185.71.65.238
  2⤵
  PID:703
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:706
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:705
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:704
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:711
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:709
- /bin/grep
  grep 140.82.52.87
  2⤵
  PID:708
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:710
- /bin/grep
  grep -v -
  2⤵
  PID:716
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:714
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:717
- /bin/grep
  grep :443
  2⤵
  PID:713
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:715
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:720
- /bin/grep
  grep :23
  2⤵
  PID:719
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:721
- /bin/grep
  grep -v -
  2⤵
  PID:722
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:723
- /bin/grep
  grep -v -
  2⤵
  PID:728
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:727
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:729
- /bin/grep
  grep :443
  2⤵
  PID:725
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:726
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:732
- /bin/grep
  grep -v -
  2⤵
  PID:734
- /bin/grep
  grep :143
  2⤵
  PID:731
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:735
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:733
- /bin/grep
  grep -v -
  2⤵
  PID:740
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:738
- /bin/grep
  grep :2222
  2⤵
  PID:737
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:741
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:739
- /bin/grep
  grep -v -
  2⤵
  PID:747
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:745
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:748
- /bin/grep
  grep :3333
  2⤵
  PID:744
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:746
- /bin/grep
  grep -v -
  2⤵
  PID:754
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:752
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:755
- /bin/grep
  grep :3389
  2⤵
  PID:751
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:753
- /bin/grep
  grep -v -
  2⤵
  PID:761
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:760
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:762
- /bin/grep
  grep :5555
  2⤵
  PID:758
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:759
- /bin/grep
  grep -v -
  2⤵
  PID:768
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:769
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:766
- /bin/grep
  grep :6666
  2⤵
  PID:765
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:767
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:773
- /bin/grep
  grep -v -
  2⤵
  PID:775
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:776
- /bin/grep
  grep :6665
  2⤵
  PID:772
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:774
- /bin/grep
  grep -v -
  2⤵
  PID:782
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:781
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:780
- /bin/grep
  grep :6667
  2⤵
  PID:779
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:783
- /bin/grep
  grep -v -
  2⤵
  PID:789
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:788
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:787
- /bin/grep
  grep :7777
  2⤵
  PID:786
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:790
- /bin/grep
  grep :8444
  2⤵
  PID:793
- /bin/grep
  grep -v -
  2⤵
  PID:796
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:797
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:794
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:795
- /bin/grep
  grep -v -
  2⤵
  PID:803
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:802
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:804
- /bin/grep
  grep :3347
  2⤵
  PID:800
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:801
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:810
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:809
- /bin/grep
  grep :3333
  2⤵
  PID:808
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:806
- /bin/grep
  grep -v grep
  2⤵
  PID:807
- /bin/grep
  grep -v grep
  2⤵
  PID:814
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:813
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:817
- /bin/grep
  grep :5555
  2⤵
  PID:815
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:816
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:824
- /bin/grep
  grep "kworker -c\\"
  2⤵
  PID:822
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:823
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:820
- /bin/grep
  grep -v grep
  2⤵
  PID:821
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:831
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:830
- /bin/grep
  grep log_
  2⤵
  PID:829
- /bin/grep
  grep -v grep
  2⤵
  PID:828
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:827
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:838
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:837
- /bin/grep
  grep systemten
  2⤵
  PID:836
- /bin/grep
  grep -v grep
  2⤵
  PID:835
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:834
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:845
- - /usr/local/sbin/kill
    kill -9 14
    3⤵
    PID:848
- - /usr/local/bin/kill
    kill -9 14
    3⤵
    PID:848
- - /usr/sbin/kill
    kill -9 14
    3⤵
    PID:848
- - /usr/bin/kill
    kill -9 14
    3⤵
    PID:848
- - /sbin/kill
    kill -9 14
    3⤵
    PID:848
- - /bin/kill
    kill -9 14
    3⤵
    - Reads CPU attributes
    PID:848
- /bin/grep
  grep netns
  2⤵
  PID:843
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:841
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:844
- /bin/grep
  grep -v grep
  2⤵
  PID:842
- /bin/grep
  grep voltuned
  2⤵
  PID:851
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:849
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:853
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:852
- /bin/grep
  grep -v grep
  2⤵
  PID:850
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:861
- /bin/grep
  grep darwin
  2⤵
  PID:859
- /bin/grep
  grep -v grep
  2⤵
  PID:858
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:857
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:860
- /bin/grep
  grep /tmp/dl
  2⤵
  PID:865
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:866
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:867
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:863
- /bin/grep
  grep -v grep
  2⤵
  PID:864
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:874
- /bin/grep
  grep /tmp/ddg
  2⤵
  PID:872
- /bin/grep
  grep -v grep
  2⤵
  PID:871
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:870
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:873
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:881
- /bin/grep
  grep /tmp/pprt
  2⤵
  PID:879
- /bin/grep
  grep -v grep
  2⤵
  PID:878
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:880
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:877
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:890
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:889
- /bin/grep
  grep /tmp/ppol
  2⤵
  PID:888
- /bin/grep
  grep -v grep
  2⤵
  PID:887
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:886
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:897
- /bin/grep
  grep "/tmp/65ccE*"
  2⤵
  PID:895
- /bin/grep
  grep -v grep
  2⤵
  PID:894
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:896
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:893
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:903
- /bin/grep
  grep "/tmp/jmx*"
  2⤵
  PID:901
- /bin/grep
  grep -v grep
  2⤵
  PID:900
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:902
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:899
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:911
- /bin/grep
  grep "/tmp/2Ne80*"
  2⤵
  PID:909
- /bin/grep
  grep -v grep
  2⤵
  PID:908
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:910
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:907
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:919
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:918
- /bin/grep
  grep -v grep
  2⤵
  PID:916
- /bin/grep
  grep IOFoqIgyC0zmf2UR
  2⤵
  PID:917
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:915
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:926
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:925
- /bin/grep
  grep 45.76.122.92
  2⤵
  PID:924
- /bin/grep
  grep -v grep
  2⤵
  PID:923
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:922
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:932
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:931
- /bin/grep
  grep 51.38.191.178
  2⤵
  PID:930
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:928
- /bin/grep
  grep -v grep
  2⤵
  PID:929
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:938
- /bin/grep
  grep 51.15.56.161
  2⤵
  PID:936
- /bin/grep
  grep -v grep
  2⤵
  PID:935
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:937
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:934
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:943
- /bin/grep
  grep 86s.jpg
  2⤵
  PID:941
- /bin/grep
  grep -v grep
  2⤵
  PID:940
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:942
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:939
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:948
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:947
- /bin/grep
  grep aGTSGJJp
  2⤵
  PID:946
- /bin/grep
  grep -v grep
  2⤵
  PID:945
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:944
- /bin/grep
  grep nMrfmnRa
  2⤵
  PID:951
- /bin/grep
  grep -v grep
  2⤵
  PID:950
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:952
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:953
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:949
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:958
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:957
- /bin/grep
  grep PuNY5tm2
  2⤵
  PID:956
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:954
- /bin/grep
  grep -v grep
  2⤵
  PID:955
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:963
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:962
- /bin/grep
  grep I0r8Jyyt
  2⤵
  PID:961
- /bin/grep
  grep -v grep
  2⤵
  PID:960
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:959
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:969
- /bin/grep
  grep AgdgACUD
  2⤵
  PID:967
- /bin/grep
  grep -v grep
  2⤵
  PID:966
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:965
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:968
- /bin/grep
  grep uiZvwxG8
  2⤵
  PID:973
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:974
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:971
- /bin/grep
  grep -v grep
  2⤵
  PID:972
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:975
- /bin/grep
  grep -v grep
  2⤵
  PID:979
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:982
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:978
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:981
- /bin/grep
  grep hahwNEdB
  2⤵
  PID:980
- /bin/grep
  grep BtwXn5qH
  2⤵
  PID:987
- /bin/grep
  grep -v grep
  2⤵
  PID:986
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:985
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:988
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:989
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:996
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:995
- /bin/grep
  grep 3XEzey2T
  2⤵
  PID:994
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:992
- /bin/grep
  grep -v grep
  2⤵
  PID:993
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1003
- /bin/grep
  grep t2tKrCSZ
  2⤵
  PID:1001
- /bin/grep
  grep -v grep
  2⤵
  PID:1000
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1002
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:999
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1010
- /bin/grep
  grep svc
  2⤵
  PID:1008
- /bin/grep
  grep -v grep
  2⤵
  PID:1007
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1009
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1006
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1014
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1018
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1017
- /bin/grep
  grep HD7fcBgg
  2⤵
  PID:1016
- /bin/grep
  grep -v grep
  2⤵
  PID:1015
- /bin/grep
  grep zXcDajSs
  2⤵
  PID:1023
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1025
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1021
- /bin/grep
  grep -v grep
  2⤵
  PID:1022
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1024
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1032
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1031
- /bin/grep
  grep 3lmigMo
  2⤵
  PID:1030
- /bin/grep
  grep -v grep
  2⤵
  PID:1029
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1028
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1039
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1038
- /bin/grep
  grep AkMK4A2
  2⤵
  PID:1037
- /bin/grep
  grep -v grep
  2⤵
  PID:1036
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1035
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1047
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1046
- /bin/grep
  grep -v grep
  2⤵
  PID:1044
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1043
- /bin/grep
  grep AJ2AkKe
  2⤵
  PID:1045
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1053
- /bin/grep
  grep HiPxCJRS
  2⤵
  - System Network Configuration Discovery
  PID:1051
- /bin/grep
  grep -v grep
  2⤵
  PID:1050
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1052
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1049
- /bin/grep
  grep http_0xCC030
  2⤵
  PID:1057
- /bin/grep
  grep -v grep
  2⤵
  PID:1056
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1058
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1059
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1055
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1066
- /bin/grep
  grep http_0xCC031
  2⤵
  PID:1064
- /bin/grep
  grep -v grep
  2⤵
  PID:1063
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1065
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1062
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1072
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1073
- /bin/grep
  grep http_0xCC032
  2⤵
  PID:1071
- /bin/grep
  grep -v grep
  2⤵
  PID:1070
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1069
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1083
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1082
- /bin/grep
  grep http_0xCC033
  2⤵
  PID:1081
- /bin/grep
  grep -v grep
  2⤵
  PID:1080
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1079
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1087
- /bin/grep
  grep C4iLM4L
  2⤵
  PID:1086
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1088
- /bin/grep
  grep -v grep
  2⤵
  PID:1085
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1084
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1093
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1092
- /bin/grep
  grep aziplcr72qjhzvin
  2⤵
  - System Network Configuration Discovery
  PID:1091
- /bin/grep
  grep -v grep
  2⤵
  PID:1090
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1089
- /usr/bin/awk
  awk "{ if(substr(\$11,1,2)==\"./\" && substr(\$12,1,2)==\"./\") print \$2 }"
  2⤵
  PID:1096
- /bin/grep
  grep -v grep
  2⤵
  PID:1095
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1097
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1094
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1102
- /bin/grep
  grep /boot/vmlinuz
  2⤵
  PID:1100
- /bin/grep
  grep -v grep
  2⤵
  PID:1099
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1101
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1098
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1107
- /bin/grep
  grep i4b503a52cc5
  2⤵
  PID:1105
- /bin/grep
  grep -v grep
  2⤵
  PID:1104
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1106
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1103
- /bin/grep
  grep dgqtrcst23rtdi3ldqk322j2
  2⤵
  PID:1110
- /bin/grep
  grep -v grep
  2⤵
  PID:1109
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1111
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1108
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1112
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1117
- /bin/grep
  grep 2g0uv7npuhrlatd
  2⤵
  PID:1115
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1116
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1113
- /bin/grep
  grep -v grep
  2⤵
  PID:1114
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1121
- /bin/grep
  grep nqscheduler
  2⤵
  PID:1120
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1122
- /bin/grep
  grep -v grep
  2⤵
  PID:1119
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1118
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1126
- /bin/grep
  grep rkebbwgqpl4npmm
  2⤵
  PID:1125
- /bin/grep
  grep -v grep
  2⤵
  PID:1124
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1127
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1123
- /bin/grep
  grep "]"
  2⤵
  PID:1131
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1133
- /bin/grep
  grep -v grep
  2⤵
  PID:1129
- /usr/bin/awk
  awk "\$3>10.0{print \$2}"
  2⤵
  PID:1132
- /bin/grep
  grep -v aux
  2⤵
  PID:1130
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1128
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1138
- /bin/grep
  grep 2fhtu70teuhtoh78jc5s
  2⤵
  PID:1136
- /bin/grep
  grep -v grep
  2⤵
  PID:1135
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1134
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1137
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1143
- /bin/grep
  grep 0kwti6ut420t
  2⤵
  PID:1141
- /bin/grep
  grep -v grep
  2⤵
  PID:1140
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1142
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1139
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1148
- /bin/grep
  grep 44ct7udt0patws3agkdfqnjm
  2⤵
  PID:1146
- /bin/grep
  grep -v grep
  2⤵
  PID:1145
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1147
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1144
- /bin/grep
  grep -v /
  2⤵
  PID:1151
- /bin/grep
  grep -v -
  2⤵
  PID:1152
- /bin/grep
  grep -v _
  2⤵
  PID:1153
- /usr/bin/awk
  awk "length(\$11)>19{print \$2}"
  2⤵
  PID:1154
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1155
- /bin/grep
  grep -v grep
  2⤵
  PID:1150
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1149
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1156
- /bin/grep
  grep -v grep
  2⤵
  PID:1157
- /bin/grep
  grep "\\[^"
  2⤵
  PID:1158
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1160
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1159
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1164
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1165
- /bin/grep
  grep -v grep
  2⤵
  PID:1162
- /bin/grep
  grep rsync
  2⤵
  PID:1163
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1161
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1170
- /bin/grep
  grep watchd0g
  2⤵
  PID:1168
- /bin/grep
  grep -v grep
  2⤵
  PID:1167
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:1166
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1169
- /bin/grep
  grep -v grep
  2⤵
  PID:1172
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1175
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1171
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1174
- /bin/egrep
  egrep "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:1173
- /usr/local/sbin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:1173
- /usr/local/bin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:1173
- /usr/sbin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:1173
- /usr/bin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:1173
- /sbin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:1173
- /bin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:1173
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1180
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1179
- /bin/grep
  grep 158.69.133.18:8220
  2⤵
  PID:1178
- /bin/grep
  grep -v grep
  2⤵
  PID:1177
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:1176
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1185
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1184
- /bin/grep
  grep /tmp/java
  2⤵
  PID:1183
- /bin/grep
  grep -v grep
  2⤵
  PID:1182
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1181
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1190
- /bin/grep
  grep gitee.com
  2⤵
  PID:1188
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1189
- /bin/grep
  grep -v grep
  2⤵
  PID:1187
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1186
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1195
- /bin/grep
  grep /tmp/java
  2⤵
  PID:1193
- /bin/grep
  grep -v grep
  2⤵
  PID:1192
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1194
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1191
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1201
- /bin/grep
  grep 104.248.4.162
  2⤵
  PID:1199
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1200
- /bin/grep
  grep -v grep
  2⤵
  PID:1198
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1197
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1207
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1206
- /bin/grep
  grep 89.35.39.78
  2⤵
  PID:1205
- /bin/grep
  grep -v grep
  2⤵
  PID:1204
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1203
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1212
- /bin/grep
  grep /dev/shm/z3.sh
  2⤵
  PID:1210
- /bin/grep
  grep -v grep
  2⤵
  PID:1209
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1208
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1211
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1216
- /bin/grep
  grep kthrotlds
  2⤵
  PID:1215
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1217
- /bin/grep
  grep -v grep
  2⤵
  PID:1214
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1213

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

Clear Linux or Mac System Logs

T1070.002

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Virtualization/Sandbox Evasion

T1497

System Checks

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/zzhs

Filesize
2B

MD5
b026324c6904b2a9cb4b88d6d61c81d1

SHA1
e5fa44f2b31c1fb553b6021e7360d07d5d91ff5e

SHA256
4355a46b19d348dc2f57c046f8ef63d4538ebb936000f3c9ee954a27460dd865

SHA512
3abb6677af34ac57c0ca5828fd94f9d886c26ce59a8ce60ecf6778079423dccff1d6f19cb655805d56098e6d38a1a710dee59523eed7511e5a9e4b8ccb3a4686

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads