Edit tour

Linux Analysis Report
watchdog.elf

Overview

General Information

Sample name:	watchdog.elf
Analysis ID:	1586448
MD5:	f124e8a9e771966e3846a638be333e8d
SHA1:	07a3ee5d11f8c31f650de519edaa18a4c7548a9d
SHA256:	50dad45e91f61043118a822c13316171108c676db874ab5cfc77f149a41eba9f
Tags:	elfuser-abuse_ch
Infos:

Detection

Xmrig

Score:	100
Range:	0 - 100
Whitelisted:	false

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected Xmrig cryptocurrency miner

Detected Stratum mining protocol

Executes the "crontab" command typically for achieving persistence

Sample deletes itself

Sample reads /proc/mounts (often used for finding a writable filesystem)

Sample tries to persist itself using cron

Tries to load the MSR kernel module used for reading/writing to CPUs model specific register

Uses known network protocols on non-standard ports

Writes ELF files to hidden directories

Writes identical ELF files to multiple locations

Writes to CPU model specific registers (MSR) (e.g. miners improve performance by disabling HW prefetcher)

Contains symbols related to standard C library sleeps (sometimes used to evade sandboxing)

Detected TCP or UDP traffic on non-standard ports

ELF contains segments with high entropy indicating compressed/encrypted content

Executes commands using a shell command-line interpreter

Executes the "grep" command used to find patterns in files or piped streams

Executes the "modprobe" command used for loading kernel modules

Reads CPU information from /proc indicative of miner or evasive malware

Reads CPU information from /sys indicative of miner or evasive malware

Reads system information from the proc file system

Reads the 'hosts' file potentially containing internal network hosts

Sample and/or dropped files contains symbols with suspicious names

Sample has stripped symbol table

Sample listens on a socket

Sample tries to set the executable flag

Suricata IDS alerts with low severity for network traffic

Uses the "uname" system call to query kernel version information (possible evasion)

Writes ELF files to disk

Yara signature match

Classification

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1586448
Start date and time:	2025-01-09 07:07:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 12m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Sample name:	watchdog.elf
Detection:	MAL
Classification:	mal100.troj.evad.mine.linELF@0/96@4/0
Cookbook Comments:	Analysis time extended to 480s due to sleep detection in submitted sample

Warnings

Max analysis timeout: 600s exceeded, the analysis took too long
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: http://1.1.1.1:8080/
VT rate limit hit for: http://162.240.239.103:8000/
VT rate limit hit for: http://191.252.194.180:8000/
VT rate limit hit for: http://67.205.135.145:8000/
VT rate limit hit for: http://91.227.18.60:8000/
VT rate limit hit for: http://HTTP/1.0Connection

Runtime Messages

Command:	/tmp/watchdog.elf
PID:	5514
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	starting server removing cronjob deleting self stopping server
Standard Error:	no crontab for root

Process Tree

system is lnxubuntu20

watchdog.elf (PID: 5514, Parent: 5441, MD5: f124e8a9e771966e3846a638be333e8d) Arguments: /tmp/watchdog.elf

watchdog.elf New Fork (PID: 5515, Parent: 5514)

sh (PID: 5515, Parent: 5514, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | { cat; echo '*/2 * * * * /tmp/watchdog.elf'; } | crontab -"

sh New Fork (PID: 5516, Parent: 5515)

crontab (PID: 5516, Parent: 5515, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5517, Parent: 5515)

sh New Fork (PID: 5519, Parent: 5517)

cat (PID: 5519, Parent: 5517, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat

sh New Fork (PID: 5518, Parent: 5515)

crontab (PID: 5518, Parent: 5515, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

watchdog.elf New Fork (PID: 5529, Parent: 5514)

watchdog.elf New Fork (PID: 5530, Parent: 5529)

sh (PID: 5530, Parent: 5529, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep -v '/tmp/watchdog.elf' | crontab -"

sh New Fork (PID: 5531, Parent: 5530)

crontab (PID: 5531, Parent: 5530, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5532, Parent: 5530)

grep (PID: 5532, Parent: 5530, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /tmp/watchdog.elf

sh New Fork (PID: 5533, Parent: 5530)

crontab (PID: 5533, Parent: 5530, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

HIsZygoZ2jW0Q (PID: 5529, Parent: 5514, MD5: e11b7cf1f0512317321e6a7cf532296a) Arguments: HIsZygoZ2jW0Q

HIsZygoZ2jW0Q New Fork (PID: 5963, Parent: 5529)

daemon (PID: 5963, Parent: 5529, MD5: fd8121e312db46f3b1ac123fce2e73d1) Arguments: daemon

daemon New Fork (PID: 5964, Parent: 5963)

daemon New Fork (PID: 5966, Parent: 5964)

sh (PID: 5966, Parent: 5964, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "/sbin/modprobe msr allow_writes=on > /dev/null 2>&1"

sh New Fork (PID: 5967, Parent: 5966)

modprobe (PID: 5967, Parent: 5966, MD5: 0b44462b1a40df8039d6d61cfff7ea84) Arguments: /sbin/modprobe msr allow_writes=on

daemon New Fork (PID: 6792, Parent: 5964)

daemon New Fork (PID: 8215, Parent: 5964)

daemon New Fork (PID: 9017, Parent: 5964)

daemon New Fork (PID: 11953, Parent: 5964)

watchdog.elf New Fork (PID: 5543, Parent: 5514)

watchdog.elf New Fork (PID: 5545, Parent: 5543)

sh (PID: 5545, Parent: 5543, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep -v '/tmp/watchdog.elf' | crontab -"

sh New Fork (PID: 5549, Parent: 5545)

crontab (PID: 5549, Parent: 5545, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5550, Parent: 5545)

grep (PID: 5550, Parent: 5545, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /tmp/watchdog.elf

sh New Fork (PID: 5551, Parent: 5545)

crontab (PID: 5551, Parent: 5545, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

3JlaqAbw (PID: 5543, Parent: 5514, MD5: f124e8a9e771966e3846a638be333e8d) Arguments: 3JlaqAbw

3JlaqAbw New Fork (PID: 5556, Parent: 5543)

sh (PID: 5556, Parent: 5543, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | { cat; echo '*/2 * * * * /root/.local/3JlaqAbw'; } | crontab -"

sh New Fork (PID: 5557, Parent: 5556)

crontab (PID: 5557, Parent: 5556, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5558, Parent: 5556)

sh New Fork (PID: 5560, Parent: 5558)

cat (PID: 5560, Parent: 5558, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat

sh New Fork (PID: 5559, Parent: 5556)

crontab (PID: 5559, Parent: 5556, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

3JlaqAbw New Fork (PID: 5572, Parent: 5543)

3JlaqAbw New Fork (PID: 5574, Parent: 5572)

sh (PID: 5574, Parent: 5572, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep -v '/root/.local/3JlaqAbw' | crontab -"

sh New Fork (PID: 5578, Parent: 5574)

crontab (PID: 5578, Parent: 5574, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5579, Parent: 5574)

grep (PID: 5579, Parent: 5574, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /root/.local/3JlaqAbw

sh New Fork (PID: 5580, Parent: 5574)

crontab (PID: 5580, Parent: 5574, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

v7JYhylR (PID: 5572, Parent: 5543, MD5: f124e8a9e771966e3846a638be333e8d) Arguments: v7JYhylR

v7JYhylR New Fork (PID: 5585, Parent: 5572)

sh (PID: 5585, Parent: 5572, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | { cat; echo '*/2 * * * * /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-timedated.service-nDlXcg/v7JYhylR'; } | crontab -"

sh New Fork (PID: 5586, Parent: 5585)

crontab (PID: 5586, Parent: 5585, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5587, Parent: 5585)

sh New Fork (PID: 5589, Parent: 5587)

cat (PID: 5589, Parent: 5587, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat

sh New Fork (PID: 5588, Parent: 5585)

crontab (PID: 5588, Parent: 5585, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

v7JYhylR New Fork (PID: 5605, Parent: 5572)

v7JYhylR New Fork (PID: 5607, Parent: 5605)

sh (PID: 5607, Parent: 5605, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep -v '/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-timedated.service-nDlXcg/v7JYhylR' | crontab -"

sh New Fork (PID: 5611, Parent: 5607)

crontab (PID: 5611, Parent: 5607, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5612, Parent: 5607)

grep (PID: 5612, Parent: 5607, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-timedated.service-nDlXcg/v7JYhylR

sh New Fork (PID: 5613, Parent: 5607)

crontab (PID: 5613, Parent: 5607, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

3IjY1dOX (PID: 5605, Parent: 5572, MD5: f124e8a9e771966e3846a638be333e8d) Arguments: 3IjY1dOX

3IjY1dOX New Fork (PID: 5618, Parent: 5605)

sh (PID: 5618, Parent: 5605, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | { cat; echo '*/2 * * * * /root/.config/3IjY1dOX'; } | crontab -"

sh New Fork (PID: 5619, Parent: 5618)

crontab (PID: 5619, Parent: 5618, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5620, Parent: 5618)

sh New Fork (PID: 5622, Parent: 5620)

cat (PID: 5622, Parent: 5620, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat

sh New Fork (PID: 5621, Parent: 5618)

crontab (PID: 5621, Parent: 5618, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

3IjY1dOX New Fork (PID: 5632, Parent: 5605)

3IjY1dOX New Fork (PID: 5634, Parent: 5632)

sh (PID: 5634, Parent: 5632, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep -v '/root/.config/3IjY1dOX' | crontab -"

sh New Fork (PID: 5638, Parent: 5634)

crontab (PID: 5638, Parent: 5634, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5639, Parent: 5634)

grep (PID: 5639, Parent: 5634, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /root/.config/3IjY1dOX

sh New Fork (PID: 5640, Parent: 5634)

crontab (PID: 5640, Parent: 5634, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

FfvI9TNe (PID: 5632, Parent: 5605, MD5: f124e8a9e771966e3846a638be333e8d) Arguments: FfvI9TNe

FfvI9TNe New Fork (PID: 5645, Parent: 5632)

sh (PID: 5645, Parent: 5632, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | { cat; echo '*/2 * * * * /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/FfvI9TNe'; } | crontab -"

sh New Fork (PID: 5646, Parent: 5645)

crontab (PID: 5646, Parent: 5645, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5647, Parent: 5645)

sh New Fork (PID: 5649, Parent: 5647)

cat (PID: 5649, Parent: 5647, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat

sh New Fork (PID: 5648, Parent: 5645)

crontab (PID: 5648, Parent: 5645, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

FfvI9TNe New Fork (PID: 5661, Parent: 5632)

FfvI9TNe New Fork (PID: 5663, Parent: 5661)

sh (PID: 5663, Parent: 5661, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep -v '/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/FfvI9TNe' | crontab -"

sh New Fork (PID: 5667, Parent: 5663)

crontab (PID: 5667, Parent: 5663, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5668, Parent: 5663)

grep (PID: 5668, Parent: 5663, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/FfvI9TNe

sh New Fork (PID: 5669, Parent: 5663)

crontab (PID: 5669, Parent: 5663, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

1ay0mCs9 (PID: 5661, Parent: 5632, MD5: f124e8a9e771966e3846a638be333e8d) Arguments: 1ay0mCs9

1ay0mCs9 New Fork (PID: 5674, Parent: 5661)

sh (PID: 5674, Parent: 5661, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | { cat; echo '*/2 * * * * /root/.ssh/1ay0mCs9'; } | crontab -"

sh New Fork (PID: 5675, Parent: 5674)

crontab (PID: 5675, Parent: 5674, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5676, Parent: 5674)

sh New Fork (PID: 5678, Parent: 5676)

cat (PID: 5678, Parent: 5676, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat

sh New Fork (PID: 5677, Parent: 5674)

crontab (PID: 5677, Parent: 5674, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

1ay0mCs9 New Fork (PID: 5688, Parent: 5661)

1ay0mCs9 New Fork (PID: 5690, Parent: 5688)

sh (PID: 5690, Parent: 5688, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep -v '/root/.ssh/1ay0mCs9' | crontab -"

sh New Fork (PID: 5694, Parent: 5690)

crontab (PID: 5694, Parent: 5690, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5695, Parent: 5690)

grep (PID: 5695, Parent: 5690, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /root/.ssh/1ay0mCs9

sh New Fork (PID: 5696, Parent: 5690)

crontab (PID: 5696, Parent: 5690, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

eBc7g8EI (PID: 5688, Parent: 5661, MD5: f124e8a9e771966e3846a638be333e8d) Arguments: eBc7g8EI

eBc7g8EI New Fork (PID: 5701, Parent: 5688)

sh (PID: 5701, Parent: 5688, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | { cat; echo '*/2 * * * * /var/tmp/eBc7g8EI'; } | crontab -"

sh New Fork (PID: 5702, Parent: 5701)

crontab (PID: 5702, Parent: 5701, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5703, Parent: 5701)

sh New Fork (PID: 5705, Parent: 5703)

cat (PID: 5705, Parent: 5703, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat

sh New Fork (PID: 5704, Parent: 5701)

crontab (PID: 5704, Parent: 5701, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

eBc7g8EI New Fork (PID: 5715, Parent: 5688)

eBc7g8EI New Fork (PID: 5717, Parent: 5715)

sh (PID: 5717, Parent: 5715, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep -v '/var/tmp/eBc7g8EI' | crontab -"

sh New Fork (PID: 5721, Parent: 5717)

crontab (PID: 5721, Parent: 5717, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5722, Parent: 5717)

grep (PID: 5722, Parent: 5717, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /var/tmp/eBc7g8EI

sh New Fork (PID: 5723, Parent: 5717)

crontab (PID: 5723, Parent: 5717, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

5MRubITn (PID: 5715, Parent: 5688, MD5: f124e8a9e771966e3846a638be333e8d) Arguments: 5MRubITn

5MRubITn New Fork (PID: 5729, Parent: 5715)

sh (PID: 5729, Parent: 5715, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | { cat; echo '*/2 * * * * /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-logind.service-0DTUmj/5MRubITn'; } | crontab -"

sh New Fork (PID: 5730, Parent: 5729)

crontab (PID: 5730, Parent: 5729, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5731, Parent: 5729)

sh New Fork (PID: 5733, Parent: 5731)

cat (PID: 5733, Parent: 5731, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat

sh New Fork (PID: 5732, Parent: 5729)

crontab (PID: 5732, Parent: 5729, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

5MRubITn New Fork (PID: 5743, Parent: 5715)

5MRubITn New Fork (PID: 5745, Parent: 5743)

sh (PID: 5745, Parent: 5743, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep -v '/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-logind.service-0DTUmj/5MRubITn' | crontab -"

sh New Fork (PID: 5749, Parent: 5745)

crontab (PID: 5749, Parent: 5745, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5750, Parent: 5745)

grep (PID: 5750, Parent: 5745, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-logind.service-0DTUmj/5MRubITn

sh New Fork (PID: 5751, Parent: 5745)

crontab (PID: 5751, Parent: 5745, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

oZtriZN1 (PID: 5743, Parent: 5715, MD5: f124e8a9e771966e3846a638be333e8d) Arguments: oZtriZN1

oZtriZN1 New Fork (PID: 5758, Parent: 5743)

sh (PID: 5758, Parent: 5743, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | { cat; echo '*/2 * * * * /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/oZtriZN1'; } | crontab -"

sh New Fork (PID: 5759, Parent: 5758)

crontab (PID: 5759, Parent: 5758, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5760, Parent: 5758)

sh New Fork (PID: 5762, Parent: 5760)

cat (PID: 5762, Parent: 5760, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat

sh New Fork (PID: 5761, Parent: 5758)

crontab (PID: 5761, Parent: 5758, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

oZtriZN1 New Fork (PID: 5772, Parent: 5743)

oZtriZN1 New Fork (PID: 5774, Parent: 5772)

sh (PID: 5774, Parent: 5772, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep -v '/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/oZtriZN1' | crontab -"

sh New Fork (PID: 5778, Parent: 5774)

crontab (PID: 5778, Parent: 5774, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5779, Parent: 5774)

grep (PID: 5779, Parent: 5774, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/oZtriZN1

sh New Fork (PID: 5780, Parent: 5774)

crontab (PID: 5780, Parent: 5774, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

HxJw69zN (PID: 5772, Parent: 5743, MD5: f124e8a9e771966e3846a638be333e8d) Arguments: HxJw69zN

HxJw69zN New Fork (PID: 5785, Parent: 5772)

sh (PID: 5785, Parent: 5772, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | { cat; echo '*/2 * * * * /root/.local/HxJw69zN'; } | crontab -"

sh New Fork (PID: 5786, Parent: 5785)

crontab (PID: 5786, Parent: 5785, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5787, Parent: 5785)

sh New Fork (PID: 5789, Parent: 5787)

cat (PID: 5789, Parent: 5787, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat

sh New Fork (PID: 5788, Parent: 5785)

crontab (PID: 5788, Parent: 5785, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

HxJw69zN New Fork (PID: 5799, Parent: 5772)

HxJw69zN New Fork (PID: 5801, Parent: 5799)

sh (PID: 5801, Parent: 5799, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep -v '/root/.local/HxJw69zN' | crontab -"

sh New Fork (PID: 5805, Parent: 5801)

crontab (PID: 5805, Parent: 5801, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5806, Parent: 5801)

grep (PID: 5806, Parent: 5801, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /root/.local/HxJw69zN

sh New Fork (PID: 5807, Parent: 5801)

crontab (PID: 5807, Parent: 5801, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

T3B6PyyF (PID: 5799, Parent: 5772, MD5: f124e8a9e771966e3846a638be333e8d) Arguments: T3B6PyyF

T3B6PyyF New Fork (PID: 5812, Parent: 5799)

sh (PID: 5812, Parent: 5799, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | { cat; echo '*/2 * * * * /root/snap/T3B6PyyF'; } | crontab -"

sh New Fork (PID: 5813, Parent: 5812)

crontab (PID: 5813, Parent: 5812, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5814, Parent: 5812)

sh New Fork (PID: 5816, Parent: 5814)

cat (PID: 5816, Parent: 5814, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat

sh New Fork (PID: 5815, Parent: 5812)

crontab (PID: 5815, Parent: 5812, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

T3B6PyyF New Fork (PID: 5826, Parent: 5799)

T3B6PyyF New Fork (PID: 5828, Parent: 5826)

sh (PID: 5828, Parent: 5826, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep -v '/root/snap/T3B6PyyF' | crontab -"

sh New Fork (PID: 5832, Parent: 5828)

crontab (PID: 5832, Parent: 5828, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5833, Parent: 5828)

grep (PID: 5833, Parent: 5828, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /root/snap/T3B6PyyF

sh New Fork (PID: 5834, Parent: 5828)

crontab (PID: 5834, Parent: 5828, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

Osk130te (PID: 5826, Parent: 5799, MD5: f124e8a9e771966e3846a638be333e8d) Arguments: Osk130te

Osk130te New Fork (PID: 5839, Parent: 5826)

sh (PID: 5839, Parent: 5826, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | { cat; echo '*/2 * * * * /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/Osk130te'; } | crontab -"

sh New Fork (PID: 5840, Parent: 5839)

crontab (PID: 5840, Parent: 5839, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5841, Parent: 5839)

sh New Fork (PID: 5843, Parent: 5841)

cat (PID: 5843, Parent: 5841, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat

sh New Fork (PID: 5842, Parent: 5839)

crontab (PID: 5842, Parent: 5839, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

Osk130te New Fork (PID: 5855, Parent: 5826)

Osk130te New Fork (PID: 5857, Parent: 5855)

sh (PID: 5857, Parent: 5855, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep -v '/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/Osk130te' | crontab -"

sh New Fork (PID: 5861, Parent: 5857)

crontab (PID: 5861, Parent: 5857, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5862, Parent: 5857)

grep (PID: 5862, Parent: 5857, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/Osk130te

sh New Fork (PID: 5863, Parent: 5857)

crontab (PID: 5863, Parent: 5857, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

mwxK5CRX (PID: 5855, Parent: 5826, MD5: f124e8a9e771966e3846a638be333e8d) Arguments: mwxK5CRX

mwxK5CRX New Fork (PID: 5868, Parent: 5855)

sh (PID: 5868, Parent: 5855, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | { cat; echo '*/2 * * * * /root/mwxK5CRX'; } | crontab -"

sh New Fork (PID: 5869, Parent: 5868)

crontab (PID: 5869, Parent: 5868, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5870, Parent: 5868)

sh New Fork (PID: 5872, Parent: 5870)

cat (PID: 5872, Parent: 5870, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat

sh New Fork (PID: 5871, Parent: 5868)

crontab (PID: 5871, Parent: 5868, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

mwxK5CRX New Fork (PID: 5903, Parent: 5855)

mwxK5CRX New Fork (PID: 5905, Parent: 5903)

sh (PID: 5905, Parent: 5903, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep -v '/root/mwxK5CRX' | crontab -"

sh New Fork (PID: 5909, Parent: 5905)

crontab (PID: 5909, Parent: 5905, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5910, Parent: 5905)

grep (PID: 5910, Parent: 5905, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /root/mwxK5CRX

sh New Fork (PID: 5911, Parent: 5905)

crontab (PID: 5911, Parent: 5905, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

r9nyGbJf (PID: 5903, Parent: 5855, MD5: f124e8a9e771966e3846a638be333e8d) Arguments: r9nyGbJf

r9nyGbJf New Fork (PID: 5914, Parent: 5903)

sh (PID: 5914, Parent: 5903, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | { cat; echo '*/2 * * * * /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/r9nyGbJf'; } | crontab -"

sh New Fork (PID: 5917, Parent: 5914)

crontab (PID: 5917, Parent: 5914, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5918, Parent: 5914)

sh New Fork (PID: 5920, Parent: 5918)

cat (PID: 5920, Parent: 5918, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat

sh New Fork (PID: 5919, Parent: 5914)

crontab (PID: 5919, Parent: 5914, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

r9nyGbJf New Fork (PID: 5932, Parent: 5903)

r9nyGbJf New Fork (PID: 5934, Parent: 5932)

sh (PID: 5934, Parent: 5932, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep -v '/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/r9nyGbJf' | crontab -"

sh New Fork (PID: 5935, Parent: 5934)

crontab (PID: 5935, Parent: 5934, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5936, Parent: 5934)

grep (PID: 5936, Parent: 5934, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/r9nyGbJf

sh New Fork (PID: 5937, Parent: 5934)

crontab (PID: 5937, Parent: 5934, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

Ppo5qPwq (PID: 5932, Parent: 5903, MD5: f124e8a9e771966e3846a638be333e8d) Arguments: Ppo5qPwq

Ppo5qPwq New Fork (PID: 5941, Parent: 5932)

sh (PID: 5941, Parent: 5932, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | { cat; echo '*/2 * * * * /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-colord.service-sPszWi/Ppo5qPwq'; } | crontab -"

sh New Fork (PID: 5943, Parent: 5941)

crontab (PID: 5943, Parent: 5941, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5944, Parent: 5941)

sh New Fork (PID: 5946, Parent: 5944)

cat (PID: 5946, Parent: 5944, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat

sh New Fork (PID: 5945, Parent: 5941)

crontab (PID: 5945, Parent: 5941, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

Ppo5qPwq New Fork (PID: 5969, Parent: 5932)

Ppo5qPwq New Fork (PID: 5971, Parent: 5969)

sh (PID: 5971, Parent: 5969, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep -v '/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-colord.service-sPszWi/Ppo5qPwq' | crontab -"

sh New Fork (PID: 5975, Parent: 5971)

crontab (PID: 5975, Parent: 5971, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5976, Parent: 5971)

grep (PID: 5976, Parent: 5971, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-colord.service-sPszWi/Ppo5qPwq

sh New Fork (PID: 5977, Parent: 5971)

crontab (PID: 5977, Parent: 5971, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

os83CR7k (PID: 5969, Parent: 5932, MD5: f124e8a9e771966e3846a638be333e8d) Arguments: os83CR7k

os83CR7k New Fork (PID: 5979, Parent: 5969)

sh (PID: 5979, Parent: 5969, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | { cat; echo '*/2 * * * * /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/os83CR7k'; } | crontab -"

sh New Fork (PID: 5984, Parent: 5979)

crontab (PID: 5984, Parent: 5979, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5985, Parent: 5979)

sh New Fork (PID: 5987, Parent: 5985)

cat (PID: 5987, Parent: 5985, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat

sh New Fork (PID: 5986, Parent: 5979)

crontab (PID: 5986, Parent: 5979, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

os83CR7k New Fork (PID: 5998, Parent: 5969)

os83CR7k New Fork (PID: 6000, Parent: 5998)

sh (PID: 6000, Parent: 5998, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep -v '/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/os83CR7k' | crontab -"

sh New Fork (PID: 6004, Parent: 6000)

crontab (PID: 6004, Parent: 6000, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 6005, Parent: 6000)

grep (PID: 6005, Parent: 6000, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/os83CR7k

sh New Fork (PID: 6006, Parent: 6000)

crontab (PID: 6006, Parent: 6000, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

qXgzqvkC (PID: 5998, Parent: 5969, MD5: f124e8a9e771966e3846a638be333e8d) Arguments: qXgzqvkC

qXgzqvkC New Fork (PID: 6011, Parent: 5998)

sh (PID: 6011, Parent: 5998, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | { cat; echo '*/2 * * * * /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/qXgzqvkC'; } | crontab -"

sh New Fork (PID: 6012, Parent: 6011)

crontab (PID: 6012, Parent: 6011, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 6013, Parent: 6011)

sh New Fork (PID: 6015, Parent: 6013)

cat (PID: 6015, Parent: 6013, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat

sh New Fork (PID: 6014, Parent: 6011)

crontab (PID: 6014, Parent: 6011, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

qXgzqvkC New Fork (PID: 6027, Parent: 5998)

qXgzqvkC New Fork (PID: 6029, Parent: 6027)

sh (PID: 6029, Parent: 6027, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep -v '/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/qXgzqvkC' | crontab -"

sh New Fork (PID: 6033, Parent: 6029)

crontab (PID: 6033, Parent: 6029, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 6034, Parent: 6029)

grep (PID: 6034, Parent: 6029, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/qXgzqvkC

sh New Fork (PID: 6035, Parent: 6029)

crontab (PID: 6035, Parent: 6029, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

EAELj4z6 (PID: 6027, Parent: 5998, MD5: f124e8a9e771966e3846a638be333e8d) Arguments: EAELj4z6

EAELj4z6 New Fork (PID: 6040, Parent: 6027)

sh (PID: 6040, Parent: 6027, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | { cat; echo '*/2 * * * * /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/EAELj4z6'; } | crontab -"

sh New Fork (PID: 6041, Parent: 6040)

crontab (PID: 6041, Parent: 6040, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 6042, Parent: 6040)

sh New Fork (PID: 6044, Parent: 6042)

cat (PID: 6044, Parent: 6042, MD5: 7e9d213e404ad3bb82e4ebb2e1f2c1b3) Arguments: cat

sh New Fork (PID: 6043, Parent: 6040)

crontab (PID: 6043, Parent: 6040, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

EAELj4z6 New Fork (PID: 6054, Parent: 6027)

EAELj4z6 New Fork (PID: 6056, Parent: 6054)

sh (PID: 6056, Parent: 6054, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep -v '/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/EAELj4z6' | crontab -"

sh New Fork (PID: 6060, Parent: 6056)

crontab (PID: 6060, Parent: 6056, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 6061, Parent: 6056)

grep (PID: 6061, Parent: 6056, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/EAELj4z6

sh New Fork (PID: 6062, Parent: 6056)

yTqqXMpV (PID: 6054, Parent: 6027, MD5: f124e8a9e771966e3846a638be333e8d) Arguments: yTqqXMpV

yTqqXMpV New Fork (PID: 6067, Parent: 6054)

yTqqXMpV New Fork (PID: 6081, Parent: 6054)

yTqqXMpV New Fork (PID: 6082, Parent: 6054)

yTqqXMpV New Fork (PID: 6090, Parent: 6054)

EAELj4z6 New Fork (PID: 6055, Parent: 6027)

sh (PID: 6055, Parent: 6027, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep -v '/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/EAELj4z6' | crontab -"

sh New Fork (PID: 6057, Parent: 6055)

crontab (PID: 6057, Parent: 6055, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 6058, Parent: 6055)

grep (PID: 6058, Parent: 6055, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/EAELj4z6

sh New Fork (PID: 6059, Parent: 6055)

crontab (PID: 6059, Parent: 6055, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

EAELj4z6 New Fork (PID: 6063, Parent: 6027)

qXgzqvkC New Fork (PID: 6028, Parent: 5998)

sh (PID: 6028, Parent: 5998, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep -v '/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/qXgzqvkC' | crontab -"

sh New Fork (PID: 6030, Parent: 6028)

crontab (PID: 6030, Parent: 6028, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 6031, Parent: 6028)

grep (PID: 6031, Parent: 6028, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/qXgzqvkC

sh New Fork (PID: 6032, Parent: 6028)

crontab (PID: 6032, Parent: 6028, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

qXgzqvkC New Fork (PID: 6036, Parent: 5998)

sh (PID: 6036, Parent: 5998, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep -v '/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/qXgzqvkC' | crontab -"

sh New Fork (PID: 6037, Parent: 6036)

crontab (PID: 6037, Parent: 6036, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 6038, Parent: 6036)

grep (PID: 6038, Parent: 6036, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/qXgzqvkC

sh New Fork (PID: 6039, Parent: 6036)

crontab (PID: 6039, Parent: 6036, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

os83CR7k New Fork (PID: 5999, Parent: 5969)

sh (PID: 5999, Parent: 5969, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep -v '/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/os83CR7k' | crontab -"

sh New Fork (PID: 6001, Parent: 5999)

crontab (PID: 6001, Parent: 5999, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 6002, Parent: 5999)

grep (PID: 6002, Parent: 5999, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/os83CR7k

sh New Fork (PID: 6003, Parent: 5999)

crontab (PID: 6003, Parent: 5999, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

os83CR7k New Fork (PID: 6007, Parent: 5969)

sh (PID: 6007, Parent: 5969, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep -v '/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/os83CR7k' | crontab -"

sh New Fork (PID: 6008, Parent: 6007)

crontab (PID: 6008, Parent: 6007, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 6009, Parent: 6007)

grep (PID: 6009, Parent: 6007, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/os83CR7k

sh New Fork (PID: 6010, Parent: 6007)

crontab (PID: 6010, Parent: 6007, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

Ppo5qPwq New Fork (PID: 5970, Parent: 5932)

sh (PID: 5970, Parent: 5932, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep -v '/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-colord.service-sPszWi/Ppo5qPwq' | crontab -"

sh New Fork (PID: 5972, Parent: 5970)

crontab (PID: 5972, Parent: 5970, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5973, Parent: 5970)

grep (PID: 5973, Parent: 5970, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-colord.service-sPszWi/Ppo5qPwq

sh New Fork (PID: 5974, Parent: 5970)

crontab (PID: 5974, Parent: 5970, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

Ppo5qPwq New Fork (PID: 5978, Parent: 5932)

sh (PID: 5978, Parent: 5932, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep -v '/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-colord.service-sPszWi/Ppo5qPwq' | crontab -"

sh New Fork (PID: 5980, Parent: 5978)

crontab (PID: 5980, Parent: 5978, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5981, Parent: 5978)

grep (PID: 5981, Parent: 5978, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-colord.service-sPszWi/Ppo5qPwq

sh New Fork (PID: 5982, Parent: 5978)

crontab (PID: 5982, Parent: 5978, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

r9nyGbJf New Fork (PID: 5933, Parent: 5903)

sh (PID: 5933, Parent: 5903, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep -v '/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/r9nyGbJf' | crontab -"

sh New Fork (PID: 5938, Parent: 5933)

crontab (PID: 5938, Parent: 5933, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5939, Parent: 5933)

grep (PID: 5939, Parent: 5933, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/r9nyGbJf

sh New Fork (PID: 5940, Parent: 5933)

crontab (PID: 5940, Parent: 5933, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

r9nyGbJf New Fork (PID: 5942, Parent: 5903)

sh (PID: 5942, Parent: 5903, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep -v '/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/r9nyGbJf' | crontab -"

sh New Fork (PID: 5947, Parent: 5942)

crontab (PID: 5947, Parent: 5942, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5948, Parent: 5942)

grep (PID: 5948, Parent: 5942, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/r9nyGbJf

sh New Fork (PID: 5949, Parent: 5942)

crontab (PID: 5949, Parent: 5942, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

r9nyGbJf New Fork (PID: 5950, Parent: 5903)

sh (PID: 5950, Parent: 5903, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep -v '/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/r9nyGbJf' | crontab -"

sh New Fork (PID: 5951, Parent: 5950)

crontab (PID: 5951, Parent: 5950, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5952, Parent: 5950)

grep (PID: 5952, Parent: 5950, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/r9nyGbJf

sh New Fork (PID: 5953, Parent: 5950)

crontab (PID: 5953, Parent: 5950, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

mwxK5CRX New Fork (PID: 5904, Parent: 5855)

sh (PID: 5904, Parent: 5855, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep -v '/root/mwxK5CRX' | crontab -"

sh New Fork (PID: 5906, Parent: 5904)

crontab (PID: 5906, Parent: 5904, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5907, Parent: 5904)

grep (PID: 5907, Parent: 5904, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /root/mwxK5CRX

sh New Fork (PID: 5908, Parent: 5904)

crontab (PID: 5908, Parent: 5904, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

mwxK5CRX New Fork (PID: 5912, Parent: 5855)

sh (PID: 5912, Parent: 5855, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep -v '/root/mwxK5CRX' | crontab -"

sh New Fork (PID: 5913, Parent: 5912)

crontab (PID: 5913, Parent: 5912, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5915, Parent: 5912)

grep (PID: 5915, Parent: 5912, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /root/mwxK5CRX

sh New Fork (PID: 5916, Parent: 5912)

crontab (PID: 5916, Parent: 5912, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

Osk130te New Fork (PID: 5856, Parent: 5826)

sh (PID: 5856, Parent: 5826, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep -v '/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/Osk130te' | crontab -"

sh New Fork (PID: 5858, Parent: 5856)

crontab (PID: 5858, Parent: 5856, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5859, Parent: 5856)

grep (PID: 5859, Parent: 5856, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/Osk130te

sh New Fork (PID: 5860, Parent: 5856)

crontab (PID: 5860, Parent: 5856, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

Osk130te New Fork (PID: 5864, Parent: 5826)

sh (PID: 5864, Parent: 5826, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep -v '/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/Osk130te' | crontab -"

sh New Fork (PID: 5865, Parent: 5864)

crontab (PID: 5865, Parent: 5864, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5866, Parent: 5864)

grep (PID: 5866, Parent: 5864, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/Osk130te

sh New Fork (PID: 5867, Parent: 5864)

crontab (PID: 5867, Parent: 5864, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

T3B6PyyF New Fork (PID: 5827, Parent: 5799)

sh (PID: 5827, Parent: 5799, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep -v '/root/snap/T3B6PyyF' | crontab -"

sh New Fork (PID: 5829, Parent: 5827)

crontab (PID: 5829, Parent: 5827, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5830, Parent: 5827)

grep (PID: 5830, Parent: 5827, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /root/snap/T3B6PyyF

sh New Fork (PID: 5831, Parent: 5827)

crontab (PID: 5831, Parent: 5827, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

T3B6PyyF New Fork (PID: 5835, Parent: 5799)

sh (PID: 5835, Parent: 5799, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep -v '/root/snap/T3B6PyyF' | crontab -"

sh New Fork (PID: 5836, Parent: 5835)

crontab (PID: 5836, Parent: 5835, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5837, Parent: 5835)

grep (PID: 5837, Parent: 5835, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /root/snap/T3B6PyyF

sh New Fork (PID: 5838, Parent: 5835)

crontab (PID: 5838, Parent: 5835, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

HxJw69zN New Fork (PID: 5800, Parent: 5772)

sh (PID: 5800, Parent: 5772, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep -v '/root/.local/HxJw69zN' | crontab -"

sh New Fork (PID: 5802, Parent: 5800)

crontab (PID: 5802, Parent: 5800, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5803, Parent: 5800)

grep (PID: 5803, Parent: 5800, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /root/.local/HxJw69zN

sh New Fork (PID: 5804, Parent: 5800)

crontab (PID: 5804, Parent: 5800, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

HxJw69zN New Fork (PID: 5808, Parent: 5772)

sh (PID: 5808, Parent: 5772, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep -v '/root/.local/HxJw69zN' | crontab -"

sh New Fork (PID: 5809, Parent: 5808)

crontab (PID: 5809, Parent: 5808, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5810, Parent: 5808)

grep (PID: 5810, Parent: 5808, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /root/.local/HxJw69zN

sh New Fork (PID: 5811, Parent: 5808)

crontab (PID: 5811, Parent: 5808, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

oZtriZN1 New Fork (PID: 5773, Parent: 5743)

sh (PID: 5773, Parent: 5743, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep -v '/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/oZtriZN1' | crontab -"

sh New Fork (PID: 5775, Parent: 5773)

crontab (PID: 5775, Parent: 5773, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5776, Parent: 5773)

grep (PID: 5776, Parent: 5773, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/oZtriZN1

sh New Fork (PID: 5777, Parent: 5773)

crontab (PID: 5777, Parent: 5773, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

oZtriZN1 New Fork (PID: 5781, Parent: 5743)

sh (PID: 5781, Parent: 5743, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep -v '/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/oZtriZN1' | crontab -"

sh New Fork (PID: 5782, Parent: 5781)

crontab (PID: 5782, Parent: 5781, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5783, Parent: 5781)

grep (PID: 5783, Parent: 5781, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/oZtriZN1

sh New Fork (PID: 5784, Parent: 5781)

crontab (PID: 5784, Parent: 5781, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

5MRubITn New Fork (PID: 5744, Parent: 5715)

sh (PID: 5744, Parent: 5715, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep -v '/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-logind.service-0DTUmj/5MRubITn' | crontab -"

sh New Fork (PID: 5746, Parent: 5744)

crontab (PID: 5746, Parent: 5744, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5747, Parent: 5744)

grep (PID: 5747, Parent: 5744, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-logind.service-0DTUmj/5MRubITn

sh New Fork (PID: 5748, Parent: 5744)

crontab (PID: 5748, Parent: 5744, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

5MRubITn New Fork (PID: 5754, Parent: 5715)

sh (PID: 5754, Parent: 5715, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep -v '/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-logind.service-0DTUmj/5MRubITn' | crontab -"

sh New Fork (PID: 5755, Parent: 5754)

crontab (PID: 5755, Parent: 5754, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5756, Parent: 5754)

grep (PID: 5756, Parent: 5754, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-logind.service-0DTUmj/5MRubITn

sh New Fork (PID: 5757, Parent: 5754)

crontab (PID: 5757, Parent: 5754, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

eBc7g8EI New Fork (PID: 5716, Parent: 5688)

sh (PID: 5716, Parent: 5688, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep -v '/var/tmp/eBc7g8EI' | crontab -"

sh New Fork (PID: 5718, Parent: 5716)

crontab (PID: 5718, Parent: 5716, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5719, Parent: 5716)

grep (PID: 5719, Parent: 5716, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /var/tmp/eBc7g8EI

sh New Fork (PID: 5720, Parent: 5716)

crontab (PID: 5720, Parent: 5716, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

eBc7g8EI New Fork (PID: 5724, Parent: 5688)

sh (PID: 5724, Parent: 5688, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep -v '/var/tmp/eBc7g8EI' | crontab -"

sh New Fork (PID: 5725, Parent: 5724)

crontab (PID: 5725, Parent: 5724, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5726, Parent: 5724)

grep (PID: 5726, Parent: 5724, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /var/tmp/eBc7g8EI

sh New Fork (PID: 5727, Parent: 5724)

crontab (PID: 5727, Parent: 5724, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

1ay0mCs9 New Fork (PID: 5689, Parent: 5661)

sh (PID: 5689, Parent: 5661, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep -v '/root/.ssh/1ay0mCs9' | crontab -"

sh New Fork (PID: 5691, Parent: 5689)

crontab (PID: 5691, Parent: 5689, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5692, Parent: 5689)

grep (PID: 5692, Parent: 5689, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /root/.ssh/1ay0mCs9

sh New Fork (PID: 5693, Parent: 5689)

crontab (PID: 5693, Parent: 5689, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

1ay0mCs9 New Fork (PID: 5697, Parent: 5661)

sh (PID: 5697, Parent: 5661, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep -v '/root/.ssh/1ay0mCs9' | crontab -"

sh New Fork (PID: 5698, Parent: 5697)

crontab (PID: 5698, Parent: 5697, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5699, Parent: 5697)

grep (PID: 5699, Parent: 5697, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /root/.ssh/1ay0mCs9

sh New Fork (PID: 5700, Parent: 5697)

crontab (PID: 5700, Parent: 5697, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

FfvI9TNe New Fork (PID: 5662, Parent: 5632)

sh (PID: 5662, Parent: 5632, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep -v '/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/FfvI9TNe' | crontab -"

sh New Fork (PID: 5664, Parent: 5662)

crontab (PID: 5664, Parent: 5662, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5665, Parent: 5662)

grep (PID: 5665, Parent: 5662, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/FfvI9TNe

sh New Fork (PID: 5666, Parent: 5662)

crontab (PID: 5666, Parent: 5662, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

FfvI9TNe New Fork (PID: 5670, Parent: 5632)

sh (PID: 5670, Parent: 5632, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep -v '/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/FfvI9TNe' | crontab -"

sh New Fork (PID: 5671, Parent: 5670)

crontab (PID: 5671, Parent: 5670, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5672, Parent: 5670)

grep (PID: 5672, Parent: 5670, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/FfvI9TNe

sh New Fork (PID: 5673, Parent: 5670)

crontab (PID: 5673, Parent: 5670, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

3IjY1dOX New Fork (PID: 5633, Parent: 5605)

sh (PID: 5633, Parent: 5605, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep -v '/root/.config/3IjY1dOX' | crontab -"

sh New Fork (PID: 5635, Parent: 5633)

crontab (PID: 5635, Parent: 5633, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5636, Parent: 5633)

grep (PID: 5636, Parent: 5633, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /root/.config/3IjY1dOX

sh New Fork (PID: 5637, Parent: 5633)

crontab (PID: 5637, Parent: 5633, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

3IjY1dOX New Fork (PID: 5641, Parent: 5605)

sh (PID: 5641, Parent: 5605, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep -v '/root/.config/3IjY1dOX' | crontab -"

sh New Fork (PID: 5642, Parent: 5641)

crontab (PID: 5642, Parent: 5641, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5643, Parent: 5641)

grep (PID: 5643, Parent: 5641, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /root/.config/3IjY1dOX

sh New Fork (PID: 5644, Parent: 5641)

crontab (PID: 5644, Parent: 5641, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

v7JYhylR New Fork (PID: 5606, Parent: 5572)

sh (PID: 5606, Parent: 5572, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep -v '/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-timedated.service-nDlXcg/v7JYhylR' | crontab -"

sh New Fork (PID: 5608, Parent: 5606)

crontab (PID: 5608, Parent: 5606, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5609, Parent: 5606)

grep (PID: 5609, Parent: 5606, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-timedated.service-nDlXcg/v7JYhylR

sh New Fork (PID: 5610, Parent: 5606)

crontab (PID: 5610, Parent: 5606, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

v7JYhylR New Fork (PID: 5614, Parent: 5572)

sh (PID: 5614, Parent: 5572, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep -v '/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-timedated.service-nDlXcg/v7JYhylR' | crontab -"

sh New Fork (PID: 5615, Parent: 5614)

crontab (PID: 5615, Parent: 5614, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5616, Parent: 5614)

grep (PID: 5616, Parent: 5614, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-timedated.service-nDlXcg/v7JYhylR

sh New Fork (PID: 5617, Parent: 5614)

crontab (PID: 5617, Parent: 5614, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

3JlaqAbw New Fork (PID: 5573, Parent: 5543)

sh (PID: 5573, Parent: 5543, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep -v '/root/.local/3JlaqAbw' | crontab -"

sh New Fork (PID: 5575, Parent: 5573)

crontab (PID: 5575, Parent: 5573, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5576, Parent: 5573)

grep (PID: 5576, Parent: 5573, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /root/.local/3JlaqAbw

sh New Fork (PID: 5577, Parent: 5573)

crontab (PID: 5577, Parent: 5573, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

3JlaqAbw New Fork (PID: 5581, Parent: 5543)

sh (PID: 5581, Parent: 5543, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep -v '/root/.local/3JlaqAbw' | crontab -"

sh New Fork (PID: 5582, Parent: 5581)

crontab (PID: 5582, Parent: 5581, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5583, Parent: 5581)

grep (PID: 5583, Parent: 5581, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /root/.local/3JlaqAbw

sh New Fork (PID: 5584, Parent: 5581)

crontab (PID: 5584, Parent: 5581, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

watchdog.elf New Fork (PID: 5544, Parent: 5514)

sh (PID: 5544, Parent: 5514, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep -v '/tmp/watchdog.elf' | crontab -"

sh New Fork (PID: 5546, Parent: 5544)

crontab (PID: 5546, Parent: 5544, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5547, Parent: 5544)

grep (PID: 5547, Parent: 5544, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /tmp/watchdog.elf

sh New Fork (PID: 5548, Parent: 5544)

crontab (PID: 5548, Parent: 5544, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

watchdog.elf New Fork (PID: 5552, Parent: 5514)

sh (PID: 5552, Parent: 5514, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "crontab -l | grep -v '/tmp/watchdog.elf' | crontab -"

sh New Fork (PID: 5553, Parent: 5552)

crontab (PID: 5553, Parent: 5552, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -l

sh New Fork (PID: 5554, Parent: 5552)

grep (PID: 5554, Parent: 5552, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -v /tmp/watchdog.elf

sh New Fork (PID: 5555, Parent: 5552)

crontab (PID: 5555, Parent: 5552, MD5: 66e521d421ac9b407699061bf21806f5) Arguments: crontab -

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XMRIG		No Attribution	https://www.aquasec.com/blog/container-security-tnt-container-attack/ https://www.aquasec.com/blog/pg_mem-a-malware-hidden-in-the-postgres-processes/	https://malpedia.caad.fkie.fraunhofer.de/details/elf.xmrig

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Xmrig	Yara detected Xmrig cryptocurrency miner	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
5963.1.0000000000401000.0000000000928000.r-x.sdmp	Linux_Trojan_Pornoasset_927f314f	unknown	unknown	0x21ee98:$a: C3 D3 CB D3 C3 48 31 C3 48 0F AF F0 48 0F AF F0 48 0F AF F0 48

Suricata Signatures

ETPRO COINMINER XMR CoinMiner Usage

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T07:15:36.529345+0100	2826930	2	Crypto Currency Mining Activity Detected	192.168.2.14	40106	88.198.117.174	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: watchdog.elf

Avira: detected

Antivirus detection for dropped file

Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/oZtriZN1	Avira: detection malicious, Label: LINUX/Siggen.lkbka
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/EAELj4z6	Avira: detection malicious, Label: LINUX/Siggen.lkbka
Source: /root/snap/T3B6PyyF	Avira: detection malicious, Label: LINUX/Siggen.lkbka
Source: /tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-logind.service-LPFY4g/HIsZygoZ2jW0Q	Avira: detection malicious, Label: LINUX/AVF.Miner.dwjxi
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-colord.service-sPszWi/Ppo5qPwq	Avira: detection malicious, Label: LINUX/Siggen.lkbka
Source: /var/tmp/eBc7g8EI	Avira: detection malicious, Label: LINUX/Siggen.lkbka
Source: /dev/shm/daemon	Avira: detection malicious, Label: LINUX/AVF.Miner.exrsj
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-logind.service-0DTUmj/5MRubITn	Avira: detection malicious, Label: LINUX/Siggen.lkbka
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/FfvI9TNe	Avira: detection malicious, Label: LINUX/Siggen.lkbka
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/r9nyGbJf	Avira: detection malicious, Label: LINUX/Siggen.lkbka
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/qXgzqvkC	Avira: detection malicious, Label: LINUX/Siggen.lkbka
Source: /root/.local/3JlaqAbw	Avira: detection malicious, Label: LINUX/Siggen.lkbka
Source: /root/.config/5ILIPv7r	Avira: detection malicious, Label: LINUX/Siggen.lkbka
Source: /root/mwxK5CRX	Avira: detection malicious, Label: LINUX/Siggen.lkbka
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/os83CR7k	Avira: detection malicious, Label: LINUX/Siggen.lkbka
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-upower.service-Lb1VUf/yTqqXMpV	Avira: detection malicious, Label: LINUX/Siggen.lkbka
Source: /root/.local/HxJw69zN	Avira: detection malicious, Label: LINUX/Siggen.lkbka
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-timedated.service-nDlXcg/v7JYhylR	Avira: detection malicious, Label: LINUX/Siggen.lkbka
Source: /root/.config/3IjY1dOX	Avira: detection malicious, Label: LINUX/Siggen.lkbka
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/Osk130te	Avira: detection malicious, Label: LINUX/Siggen.lkbka
Source: /root/.ssh/1ay0mCs9	Avira: detection malicious, Label: LINUX/Siggen.lkbka

Multi AV Scanner detection for submitted file

Source: watchdog.elf	Virustotal: Detection: 43%			Perma Link
Source: watchdog.elf	ReversingLabs: Detection: 36%

Bitcoin Miner

Yara detected Xmrig cryptocurrency miner

Source: Yara match

File source: dump.pcap, type: PCAP

Detected Stratum mining protocol

Source: global traffic

TCP traffic: 192.168.2.14:40106 -> 88.198.117.174:80 payload: data raw: 7b 22 69 64 22 3a 31 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6c 6f 67 69 6e 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 6c 6f 67 69 6e 22 3a 22 34 37 4e 73 61 45 77 68 62 6b 39 32 43 66 69 62 4d 4a 67 38 4d 38 68 4a 37 33 4c 4b 44 76 39 4e 54 6a 4e 74 48 4c 46 48 36 45 51 45 32 73 41 55 64 67 6e 77 50 63 32 33 31 67 67 68 66 33 72 59 42 76 43 36 63 58 76 67 4c 61 68 4a 4b 61 34 72 69 71 51 42 78 62 54 31 48 42 6a 51 68 46 75 22 2c 22 70 61 73 73 22 3a 22 38 34 34 79 32 6b 58 31 68 30 72 7a 56 68 30 6d 50 73 6c 54 6e 43 44 35 22 2c 22 61 67 65 6e 74 22 3a 22 58 4d 52 69 67 2f 36 2e 32 31 2e 30 2d 43 33 50 6f 6f 6c 20 28 4c 69 6e 75 78 20 78 38 36 5f 36 34 29 20 6c 69 62 75 76 2f 31 2e 34 34 2e 32 20 67 63 63 2f 31 33 2e 32 2e 31 22 2c 22 61 6c 67 6f 22 3a 5b 22 63 6e 2f 31 22 2c 22 63 6e 2f 32 22 2c 22 63 6e 2f 72 22 2c 22 63 6e 2f 66 61 73 74 22 2c 22 63 6e 2f 68 61 6c 66 22 2c 22 63 6e 2f 78 61 6f 22 2c 22 63 6e 2f 72 74 6f 22 2c 22 63 6e 2f 72 77 7a 22 2c 22 63 6e 2f 7a 6c 73 22 2c 22 63 6e 2f 64 6f 75 62 6c 65 22 2c 22 63 6e 2f 63 63 78 22 2c 22 63 6e 2d 6c 69 74 65 2f 31 22 2c 22 63 6e 2d 68 65 61 76 79 2f 30 22 2c 22 63 6e 2d 68 65 61 76 79 2f 74 75 62 65 22 2c 22 63 6e 2d 68 65 61 76 79 2f 78 68 76 22 2c 22 63 6e 2d 70 69 63 6f 22 2c 22 63 6e 2d 70 69 63 6f 2f 74 6c 6f 22 2c 22 63 6e 2f 75 70 78 32 22 2c 22 63 6e 2f 67 70 75 22 2c 22 72 78 2f 30 22 2c 22 72 78 2f 77 6f 77 22 2c 22 72 78 2f 61 72 71 22 2c 22 72 78 2f 67 72 61 66 74 22 2c 22 72 78 2f 73 66 78 22 2c 22 72 78 2f 6b 65 76 61 22 2c 22 70 61 6e 74 68 65 72 61 22 2c 22 61 72 67 6f 6e 32 2f 63 68 75 6b 77 61 22 2c 22 61 72 67 6f 6e 32 2f 63 68 75 6b 77 61 76 32 22 2c 22 61 72 67 6f 6e 32 2f 6e 69 6e 6a 61 22 2c 22 67 68 6f 73 74 72 69 64 65 72 22 5d 2c 22 61 6c 67 6f 2d 70 65 72 66 22 3a 7b 22 63 6e 2f 31 22 3a 38 34 2e 30 39 36 34 31 30 39 30 34 31 31 35 33 36 2c 22 63 6e 2f 32 22 3a 38 34 2e 30 39 36 34 31 30 39 30 34 31 31 35 33 36 2c 22 63 6e 2f 72 22 3a 38 34 2e 30 39 36 34 31 30 39 30 34 31 31 35 33 36 2c 22 63 6e 2f 66 61 73 74 22 3a 31 36 38 2e 31 39 32 38 32 31 38 30 38 32 33 30 37 32 2c 22 63 6e 2f 68 61 6c 66 22 3a 31 36 38 2e 31 39 32 38 32 31 38 30 38 32 33 30 37 32 2c 22 63 6e 2f 78 61 6f 22 3a 38 34 2e 30 39 36 34 31 30 39 30 34 31 31 35 33 36 2c 22 63 6e 2f 72 74 6f 22 3a 38 34 2e 30 39 36 34 31 30 39 30 34 31 31 35 33 36 2c 22 63 6e 2f 72 77 7a 22 3a 31 31 32 2e 31 32 38 35 34 37 38 37 32 31 35 33 38 2c 22 63 6e 2f 7a 6c 73 22 3a 31 31 32 2e 31 32 38 35 34 37 38 37 32 31 35 33 38 2c 22 63 6e 2f 64 6f 75 62 6c 65 22 3a 34 32 2e 30 34 38 32 30 35 34 35 32 30 35 37 36 38 2c 22 63 6e 2f 63 63 78 22 3a 31 36 30 2e 37 31 39 39 32 34 32 31 38 35 30 33 33 2c 22 63 6e 2d 6c 69 74 65 2f 31 22 3a 32 33 32 2e 30 2c 22 63 6e 2d 68 65 61 76 79 2f 30 22 3a 30 2e 30 2c 22 63 6e 2d 68 65 61 76 79 2f 74 75 62 65 22 3a 30 2e 30 2c 22 63 6e 2d 68 65 61 76 79 2f 78 68 76 22 3a 35 35 2e 36 37 3

Tries to load the MSR kernel module used for reading/writing to CPUs model specific register

Source: /bin/sh (PID: 5967)

Modprobe: /sbin/modprobe -> /sbin/modprobe msr allow_writes=on

Jump to behavior

Writes to CPU model specific registers (MSR) (e.g. miners improve performance by disabling HW prefetcher)

Source: /dev/shm//daemon (PID: 5964)	MSR open for writing: /dev/cpu/0/msr	Jump to behavior
Source: /dev/shm//daemon (PID: 5964)	MSR open for writing: /dev/cpu/1/msr	Jump to behavior
Source: /dev/shm//daemon (PID: 5964)	MSR open for writing: /dev/cpu/0/msr	Jump to behavior
Source: /dev/shm//daemon (PID: 5964)	MSR open for writing: /dev/cpu/1/msr	Jump to behavior

Source: /dev/shm//daemon (PID: 5963)

Reads CPU info from proc file: /proc/cpuinfo

Jump to behavior

Source: /tmp/watchdog.elf (PID: 5514)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-logind.service-LPFY4g/HIsZygoZ2jW0Q (PID: 5529)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/topology/core_cpus	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/topology/core_id	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/topology/die_cpus	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/topology/package_cpus	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/topology/physical_package_id	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/shared_cpu_map	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/level	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/type	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/id	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/size	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/coherency_line_size	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/number_of_sets	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/physical_line_partition	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index1/shared_cpu_map	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index1/level	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index1/type	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index1/id	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/shared_cpu_map	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/level	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/type	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/id	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/size	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/coherency_line_size	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/number_of_sets	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/physical_line_partition	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/shared_cpu_map	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/level	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/type	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/id	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/size	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/coherency_line_size	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/number_of_sets	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/physical_line_partition	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/topology/core_cpus	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/topology/core_id	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/topology/die_cpus	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/topology/package_cpus	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/topology/physical_package_id	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index0/shared_cpu_map	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index0/level	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index0/type	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index0/id	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index0/size	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index0/coherency_line_size	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index0/number_of_sets	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index0/physical_line_partition	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index1/shared_cpu_map	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index1/level	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index1/type	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index1/id	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index2/shared_cpu_map	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index2/level	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index2/type	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index2/id	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index2/size	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index2/coherency_line_size	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index2/number_of_sets	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index2/physical_line_partition	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index3/shared_cpu_map	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index3/level	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index3/type	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index3/id	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index3/size	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index3/coherency_line_size	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index3/number_of_sets	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index3/physical_line_partition	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/possible	Jump to behavior
Source: /root/.local/3JlaqAbw (PID: 5543)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-timedated.service-nDlXcg/v7JYhylR (PID: 5572)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /root/.config/3IjY1dOX (PID: 5605)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/FfvI9TNe (PID: 5632)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /root/.ssh/1ay0mCs9 (PID: 5661)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /var/tmp/eBc7g8EI (PID: 5688)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-logind.service-0DTUmj/5MRubITn (PID: 5715)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/oZtriZN1 (PID: 5743)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /root/.local/HxJw69zN (PID: 5772)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /root/snap/T3B6PyyF (PID: 5799)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/Osk130te (PID: 5826)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /root/mwxK5CRX (PID: 5855)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/r9nyGbJf (PID: 5903)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-colord.service-sPszWi/Ppo5qPwq (PID: 5932)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/os83CR7k (PID: 5969)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/qXgzqvkC (PID: 5998)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/EAELj4z6 (PID: 6027)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior

Networking

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 36672 -> 8000
Source: unknown	Network traffic detected: HTTP traffic on port 8000 -> 36672
Source: unknown	Network traffic detected: HTTP traffic on port 36676 -> 8000
Source: unknown	Network traffic detected: HTTP traffic on port 8000 -> 36676
Source: unknown	Network traffic detected: HTTP traffic on port 59946 -> 8000
Source: unknown	Network traffic detected: HTTP traffic on port 36690 -> 8000
Source: unknown	Network traffic detected: HTTP traffic on port 8000 -> 36690
Source: unknown	Network traffic detected: HTTP traffic on port 39732 -> 8000
Source: unknown	Network traffic detected: HTTP traffic on port 50634 -> 8000
Source: unknown	Network traffic detected: HTTP traffic on port 59978 -> 8000
Source: unknown	Network traffic detected: HTTP traffic on port 36722 -> 8000
Source: unknown	Network traffic detected: HTTP traffic on port 8000 -> 36722

Source: global traffic	TCP traffic: 192.168.2.14:36672 -> 67.205.135.145:8000
Source: global traffic	TCP traffic: 192.168.2.14:33408 -> 1.1.1.1:8080
Source: global traffic	TCP traffic: 192.168.2.14:59946 -> 91.227.18.60:8000
Source: global traffic	TCP traffic: 192.168.2.14:39732 -> 162.240.239.103:8000
Source: global traffic	TCP traffic: 192.168.2.14:50634 -> 191.252.194.180:8000

Source: /tmp/watchdog.elf (PID: 5514)	Reads hosts file: /etc/hosts	Jump to behavior
Source: /tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-logind.service-LPFY4g/HIsZygoZ2jW0Q (PID: 5529)	Reads hosts file: /etc/hosts	Jump to behavior
Source: /root/.local/3JlaqAbw (PID: 5543)	Reads hosts file: /etc/hosts	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-timedated.service-nDlXcg/v7JYhylR (PID: 5572)	Reads hosts file: /etc/hosts	Jump to behavior
Source: /root/.config/3IjY1dOX (PID: 5605)	Reads hosts file: /etc/hosts	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/FfvI9TNe (PID: 5632)	Reads hosts file: /etc/hosts	Jump to behavior
Source: /root/.ssh/1ay0mCs9 (PID: 5661)	Reads hosts file: /etc/hosts	Jump to behavior
Source: /var/tmp/eBc7g8EI (PID: 5688)	Reads hosts file: /etc/hosts	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-logind.service-0DTUmj/5MRubITn (PID: 5715)	Reads hosts file: /etc/hosts	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/oZtriZN1 (PID: 5743)	Reads hosts file: /etc/hosts	Jump to behavior
Source: /root/.local/HxJw69zN (PID: 5772)	Reads hosts file: /etc/hosts	Jump to behavior
Source: /root/snap/T3B6PyyF (PID: 5799)	Reads hosts file: /etc/hosts	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/Osk130te (PID: 5826)	Reads hosts file: /etc/hosts	Jump to behavior
Source: /root/mwxK5CRX (PID: 5855)	Reads hosts file: /etc/hosts	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/r9nyGbJf (PID: 5903)	Reads hosts file: /etc/hosts	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-colord.service-sPszWi/Ppo5qPwq (PID: 5932)	Reads hosts file: /etc/hosts	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/os83CR7k (PID: 5969)	Reads hosts file: /etc/hosts	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/qXgzqvkC (PID: 5998)	Reads hosts file: /etc/hosts	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/EAELj4z6 (PID: 6027)	Reads hosts file: /etc/hosts	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-upower.service-Lb1VUf/yTqqXMpV (PID: 6054)	Reads hosts file: /etc/hosts	Jump to behavior

Source: /tmp/watchdog.elf (PID: 5514)	Socket: 127.0.0.1:44444	Jump to behavior
Source: /tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-logind.service-LPFY4g/HIsZygoZ2jW0Q (PID: 5529)	Socket: 127.0.0.1:44443	Jump to behavior
Source: /root/.local/3JlaqAbw (PID: 5543)	Socket: 127.0.0.1:44444	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-timedated.service-nDlXcg/v7JYhylR (PID: 5572)	Socket: 127.0.0.1:44444	Jump to behavior
Source: /root/.config/3IjY1dOX (PID: 5605)	Socket: 127.0.0.1:44444	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/FfvI9TNe (PID: 5632)	Socket: 127.0.0.1:44444	Jump to behavior
Source: /root/.ssh/1ay0mCs9 (PID: 5661)	Socket: 127.0.0.1:44444	Jump to behavior
Source: /var/tmp/eBc7g8EI (PID: 5688)	Socket: 127.0.0.1:44444	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-logind.service-0DTUmj/5MRubITn (PID: 5715)	Socket: 127.0.0.1:44444	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/oZtriZN1 (PID: 5743)	Socket: 127.0.0.1:44444	Jump to behavior
Source: /root/.local/HxJw69zN (PID: 5772)	Socket: 127.0.0.1:44444	Jump to behavior
Source: /root/snap/T3B6PyyF (PID: 5799)	Socket: 127.0.0.1:44444	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/Osk130te (PID: 5826)	Socket: 127.0.0.1:44444	Jump to behavior
Source: /root/mwxK5CRX (PID: 5855)	Socket: 127.0.0.1:44444	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/r9nyGbJf (PID: 5903)	Socket: 127.0.0.1:44444	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-colord.service-sPszWi/Ppo5qPwq (PID: 5932)	Socket: 127.0.0.1:44444	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/os83CR7k (PID: 5969)	Socket: 127.0.0.1:44444	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/qXgzqvkC (PID: 5998)	Socket: 127.0.0.1:44444	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/EAELj4z6 (PID: 6027)	Socket: 127.0.0.1:44444	Jump to behavior

Source: Network traffic

Suricata IDS: 2826930 - Severity 2 - ETPRO COINMINER XMR CoinMiner Usage : 192.168.2.14:40106 -> 88.198.117.174:80

Source: unknown	TCP traffic detected without corresponding DNS query: 67.205.135.145
Source: unknown	TCP traffic detected without corresponding DNS query: 67.205.135.145
Source: unknown	TCP traffic detected without corresponding DNS query: 67.205.135.145
Source: unknown	TCP traffic detected without corresponding DNS query: 67.205.135.145
Source: unknown	TCP traffic detected without corresponding DNS query: 67.205.135.145
Source: unknown	TCP traffic detected without corresponding DNS query: 67.205.135.145
Source: unknown	TCP traffic detected without corresponding DNS query: 67.205.135.145
Source: unknown	TCP traffic detected without corresponding DNS query: 67.205.135.145
Source: unknown	TCP traffic detected without corresponding DNS query: 67.205.135.145
Source: unknown	TCP traffic detected without corresponding DNS query: 67.205.135.145
Source: unknown	TCP traffic detected without corresponding DNS query: 67.205.135.145
Source: unknown	TCP traffic detected without corresponding DNS query: 67.205.135.145
Source: unknown	TCP traffic detected without corresponding DNS query: 67.205.135.145
Source: unknown	TCP traffic detected without corresponding DNS query: 67.205.135.145
Source: unknown	TCP traffic detected without corresponding DNS query: 67.205.135.145
Source: unknown	TCP traffic detected without corresponding DNS query: 67.205.135.145
Source: unknown	TCP traffic detected without corresponding DNS query: 67.205.135.145
Source: unknown	TCP traffic detected without corresponding DNS query: 67.205.135.145
Source: unknown	TCP traffic detected without corresponding DNS query: 67.205.135.145
Source: unknown	TCP traffic detected without corresponding DNS query: 67.205.135.145
Source: unknown	TCP traffic detected without corresponding DNS query: 67.205.135.145
Source: unknown	TCP traffic detected without corresponding DNS query: 67.205.135.145
Source: unknown	TCP traffic detected without corresponding DNS query: 67.205.135.145
Source: unknown	TCP traffic detected without corresponding DNS query: 67.205.135.145
Source: unknown	TCP traffic detected without corresponding DNS query: 67.205.135.145
Source: unknown	TCP traffic detected without corresponding DNS query: 67.205.135.145
Source: unknown	TCP traffic detected without corresponding DNS query: 67.205.135.145
Source: unknown	TCP traffic detected without corresponding DNS query: 67.205.135.145
Source: unknown	TCP traffic detected without corresponding DNS query: 67.205.135.145
Source: unknown	TCP traffic detected without corresponding DNS query: 67.205.135.145
Source: unknown	TCP traffic detected without corresponding DNS query: 67.205.135.145
Source: unknown	TCP traffic detected without corresponding DNS query: 67.205.135.145
Source: unknown	TCP traffic detected without corresponding DNS query: 67.205.135.145
Source: unknown	TCP traffic detected without corresponding DNS query: 67.205.135.145
Source: unknown	TCP traffic detected without corresponding DNS query: 67.205.135.145
Source: unknown	TCP traffic detected without corresponding DNS query: 67.205.135.145
Source: unknown	TCP traffic detected without corresponding DNS query: 67.205.135.145
Source: unknown	TCP traffic detected without corresponding DNS query: 67.205.135.145
Source: unknown	TCP traffic detected without corresponding DNS query: 67.205.135.145
Source: unknown	TCP traffic detected without corresponding DNS query: 67.205.135.145
Source: unknown	TCP traffic detected without corresponding DNS query: 67.205.135.145
Source: unknown	TCP traffic detected without corresponding DNS query: 67.205.135.145
Source: unknown	TCP traffic detected without corresponding DNS query: 67.205.135.145
Source: unknown	TCP traffic detected without corresponding DNS query: 67.205.135.145
Source: unknown	TCP traffic detected without corresponding DNS query: 67.205.135.145
Source: unknown	TCP traffic detected without corresponding DNS query: 67.205.135.145
Source: unknown	TCP traffic detected without corresponding DNS query: 67.205.135.145
Source: unknown	TCP traffic detected without corresponding DNS query: 67.205.135.145
Source: unknown	TCP traffic detected without corresponding DNS query: 67.205.135.145
Source: unknown	TCP traffic detected without corresponding DNS query: 67.205.135.145

Source: global traffic	DNS traffic detected: DNS query: daisy.ubuntu.com
Source: global traffic	DNS traffic detected: DNS query: auto.c3pool.org

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Accept: */*Connection: closeContent-Length: 64Content-Type: text/plainHost: 67.205.135.145:8000User-Agent: cpp-httplib/0.14.3

Source: watchdog.elf	ELF static info symbol of initial sample: freeaddrinfo
Source: watchdog.elf	ELF static info symbol of initial sample: getaddrinfo
Source: watchdog.elf	ELF static info symbol of initial sample: getnameinfo
Source: HIsZygoZ2jW0Q.12.dr	ELF static info symbol of dropped file: freeaddrinfo
Source: HIsZygoZ2jW0Q.12.dr	ELF static info symbol of dropped file: getaddrinfo
Source: HIsZygoZ2jW0Q.12.dr	ELF static info symbol of dropped file: getnameinfo
Source: 3JlaqAbw.12.dr	ELF static info symbol of dropped file: freeaddrinfo
Source: 3JlaqAbw.12.dr	ELF static info symbol of dropped file: getaddrinfo
Source: 3JlaqAbw.12.dr	ELF static info symbol of dropped file: getnameinfo
Source: v7JYhylR.50.dr	ELF static info symbol of dropped file: freeaddrinfo
Source: v7JYhylR.50.dr	ELF static info symbol of dropped file: getaddrinfo
Source: v7JYhylR.50.dr	ELF static info symbol of dropped file: getnameinfo
Source: 3IjY1dOX.86.dr	ELF static info symbol of dropped file: freeaddrinfo
Source: 3IjY1dOX.86.dr	ELF static info symbol of dropped file: getaddrinfo
Source: 3IjY1dOX.86.dr	ELF static info symbol of dropped file: getnameinfo
Source: FfvI9TNe.121.dr	ELF static info symbol of dropped file: freeaddrinfo
Source: FfvI9TNe.121.dr	ELF static info symbol of dropped file: getaddrinfo
Source: FfvI9TNe.121.dr	ELF static info symbol of dropped file: getnameinfo
Source: 1ay0mCs9.156.dr	ELF static info symbol of dropped file: freeaddrinfo
Source: 1ay0mCs9.156.dr	ELF static info symbol of dropped file: getaddrinfo
Source: 1ay0mCs9.156.dr	ELF static info symbol of dropped file: getnameinfo
Source: eBc7g8EI.195.dr	ELF static info symbol of dropped file: freeaddrinfo
Source: eBc7g8EI.195.dr	ELF static info symbol of dropped file: getaddrinfo
Source: eBc7g8EI.195.dr	ELF static info symbol of dropped file: getnameinfo
Source: 5MRubITn.226.dr	ELF static info symbol of dropped file: freeaddrinfo
Source: 5MRubITn.226.dr	ELF static info symbol of dropped file: getaddrinfo
Source: 5MRubITn.226.dr	ELF static info symbol of dropped file: getnameinfo
Source: oZtriZN1.261.dr	ELF static info symbol of dropped file: freeaddrinfo
Source: oZtriZN1.261.dr	ELF static info symbol of dropped file: getaddrinfo
Source: oZtriZN1.261.dr	ELF static info symbol of dropped file: getnameinfo
Source: HxJw69zN.296.dr	ELF static info symbol of dropped file: freeaddrinfo
Source: HxJw69zN.296.dr	ELF static info symbol of dropped file: getaddrinfo
Source: HxJw69zN.296.dr	ELF static info symbol of dropped file: getnameinfo
Source: T3B6PyyF.331.dr	ELF static info symbol of dropped file: freeaddrinfo
Source: T3B6PyyF.331.dr	ELF static info symbol of dropped file: getaddrinfo
Source: T3B6PyyF.331.dr	ELF static info symbol of dropped file: getnameinfo
Source: Osk130te.366.dr	ELF static info symbol of dropped file: freeaddrinfo
Source: Osk130te.366.dr	ELF static info symbol of dropped file: getaddrinfo
Source: Osk130te.366.dr	ELF static info symbol of dropped file: getnameinfo
Source: mwxK5CRX.401.dr	ELF static info symbol of dropped file: freeaddrinfo
Source: mwxK5CRX.401.dr	ELF static info symbol of dropped file: getaddrinfo
Source: mwxK5CRX.401.dr	ELF static info symbol of dropped file: getnameinfo
Source: r9nyGbJf.436.dr	ELF static info symbol of dropped file: freeaddrinfo
Source: r9nyGbJf.436.dr	ELF static info symbol of dropped file: getaddrinfo
Source: r9nyGbJf.436.dr	ELF static info symbol of dropped file: getnameinfo
Source: Ppo5qPwq.470.dr	ELF static info symbol of dropped file: freeaddrinfo
Source: Ppo5qPwq.470.dr	ELF static info symbol of dropped file: getaddrinfo
Source: Ppo5qPwq.470.dr	ELF static info symbol of dropped file: getnameinfo
Source: os83CR7k.504.dr	ELF static info symbol of dropped file: freeaddrinfo
Source: os83CR7k.504.dr	ELF static info symbol of dropped file: getaddrinfo
Source: os83CR7k.504.dr	ELF static info symbol of dropped file: getnameinfo
Source: qXgzqvkC.555.dr	ELF static info symbol of dropped file: freeaddrinfo
Source: qXgzqvkC.555.dr	ELF static info symbol of dropped file: getaddrinfo
Source: qXgzqvkC.555.dr	ELF static info symbol of dropped file: getnameinfo
Source: EAELj4z6.591.dr	ELF static info symbol of dropped file: freeaddrinfo
Source: EAELj4z6.591.dr	ELF static info symbol of dropped file: getaddrinfo
Source: EAELj4z6.591.dr	ELF static info symbol of dropped file: getnameinfo
Source: yTqqXMpV.627.dr	ELF static info symbol of dropped file: freeaddrinfo
Source: yTqqXMpV.627.dr	ELF static info symbol of dropped file: getaddrinfo
Source: yTqqXMpV.627.dr	ELF static info symbol of dropped file: getnameinfo
Source: 5ILIPv7r.659.dr	ELF static info symbol of dropped file: freeaddrinfo
Source: 5ILIPv7r.659.dr	ELF static info symbol of dropped file: getaddrinfo
Source: 5ILIPv7r.659.dr	ELF static info symbol of dropped file: getnameinfo

Source: watchdog.elf, 5514.1.0000000000f49000.0000000000fd9000.rw-.sdmp, HIsZygoZ2jW0Q.12.dr	String found in binary or memory: http://HTTP/1.0Connection
Source: daemon.31.dr	String found in binary or memory: http://upx.sf.net

System Summary

Malicious sample detected (through community Yara rule)

Source: 5963.1.0000000000401000.0000000000928000.r-x.sdmp, type: MEMORY

Matched rule: Linux_Trojan_Pornoasset_927f314f Author: unknown

Source: watchdog.elf	ELF static info symbol of initial sample: _ZNSt8__detail15_List_node_base7_M_hookEPS0_
Source: watchdog.elf	ELF static info symbol of initial sample: _ZNSt8__detail15_List_node_base9_M_unhookEv
Source: HIsZygoZ2jW0Q.12.dr	ELF static info symbol of dropped file: _ZNSt8__detail15_List_node_base7_M_hookEPS0_
Source: HIsZygoZ2jW0Q.12.dr	ELF static info symbol of dropped file: _ZNSt8__detail15_List_node_base9_M_unhookEv
Source: 3JlaqAbw.12.dr	ELF static info symbol of dropped file: _ZNSt8__detail15_List_node_base7_M_hookEPS0_
Source: 3JlaqAbw.12.dr	ELF static info symbol of dropped file: _ZNSt8__detail15_List_node_base9_M_unhookEv
Source: v7JYhylR.50.dr	ELF static info symbol of dropped file: _ZNSt8__detail15_List_node_base7_M_hookEPS0_
Source: v7JYhylR.50.dr	ELF static info symbol of dropped file: _ZNSt8__detail15_List_node_base9_M_unhookEv
Source: 3IjY1dOX.86.dr	ELF static info symbol of dropped file: _ZNSt8__detail15_List_node_base7_M_hookEPS0_
Source: 3IjY1dOX.86.dr	ELF static info symbol of dropped file: _ZNSt8__detail15_List_node_base9_M_unhookEv
Source: FfvI9TNe.121.dr	ELF static info symbol of dropped file: _ZNSt8__detail15_List_node_base7_M_hookEPS0_
Source: FfvI9TNe.121.dr	ELF static info symbol of dropped file: _ZNSt8__detail15_List_node_base9_M_unhookEv
Source: 1ay0mCs9.156.dr	ELF static info symbol of dropped file: _ZNSt8__detail15_List_node_base7_M_hookEPS0_
Source: 1ay0mCs9.156.dr	ELF static info symbol of dropped file: _ZNSt8__detail15_List_node_base9_M_unhookEv
Source: eBc7g8EI.195.dr	ELF static info symbol of dropped file: _ZNSt8__detail15_List_node_base7_M_hookEPS0_
Source: eBc7g8EI.195.dr	ELF static info symbol of dropped file: _ZNSt8__detail15_List_node_base9_M_unhookEv
Source: 5MRubITn.226.dr	ELF static info symbol of dropped file: _ZNSt8__detail15_List_node_base7_M_hookEPS0_
Source: 5MRubITn.226.dr	ELF static info symbol of dropped file: _ZNSt8__detail15_List_node_base9_M_unhookEv
Source: oZtriZN1.261.dr	ELF static info symbol of dropped file: _ZNSt8__detail15_List_node_base7_M_hookEPS0_
Source: oZtriZN1.261.dr	ELF static info symbol of dropped file: _ZNSt8__detail15_List_node_base9_M_unhookEv
Source: HxJw69zN.296.dr	ELF static info symbol of dropped file: _ZNSt8__detail15_List_node_base7_M_hookEPS0_
Source: HxJw69zN.296.dr	ELF static info symbol of dropped file: _ZNSt8__detail15_List_node_base9_M_unhookEv
Source: T3B6PyyF.331.dr	ELF static info symbol of dropped file: _ZNSt8__detail15_List_node_base7_M_hookEPS0_
Source: T3B6PyyF.331.dr	ELF static info symbol of dropped file: _ZNSt8__detail15_List_node_base9_M_unhookEv
Source: Osk130te.366.dr	ELF static info symbol of dropped file: _ZNSt8__detail15_List_node_base7_M_hookEPS0_
Source: Osk130te.366.dr	ELF static info symbol of dropped file: _ZNSt8__detail15_List_node_base9_M_unhookEv
Source: mwxK5CRX.401.dr	ELF static info symbol of dropped file: _ZNSt8__detail15_List_node_base7_M_hookEPS0_
Source: mwxK5CRX.401.dr	ELF static info symbol of dropped file: _ZNSt8__detail15_List_node_base9_M_unhookEv
Source: r9nyGbJf.436.dr	ELF static info symbol of dropped file: _ZNSt8__detail15_List_node_base7_M_hookEPS0_
Source: r9nyGbJf.436.dr	ELF static info symbol of dropped file: _ZNSt8__detail15_List_node_base9_M_unhookEv
Source: Ppo5qPwq.470.dr	ELF static info symbol of dropped file: _ZNSt8__detail15_List_node_base7_M_hookEPS0_
Source: Ppo5qPwq.470.dr	ELF static info symbol of dropped file: _ZNSt8__detail15_List_node_base9_M_unhookEv
Source: os83CR7k.504.dr	ELF static info symbol of dropped file: _ZNSt8__detail15_List_node_base7_M_hookEPS0_
Source: os83CR7k.504.dr	ELF static info symbol of dropped file: _ZNSt8__detail15_List_node_base9_M_unhookEv
Source: qXgzqvkC.555.dr	ELF static info symbol of dropped file: _ZNSt8__detail15_List_node_base7_M_hookEPS0_
Source: qXgzqvkC.555.dr	ELF static info symbol of dropped file: _ZNSt8__detail15_List_node_base9_M_unhookEv
Source: EAELj4z6.591.dr	ELF static info symbol of dropped file: _ZNSt8__detail15_List_node_base7_M_hookEPS0_
Source: EAELj4z6.591.dr	ELF static info symbol of dropped file: _ZNSt8__detail15_List_node_base9_M_unhookEv
Source: yTqqXMpV.627.dr	ELF static info symbol of dropped file: _ZNSt8__detail15_List_node_base7_M_hookEPS0_
Source: yTqqXMpV.627.dr	ELF static info symbol of dropped file: _ZNSt8__detail15_List_node_base9_M_unhookEv
Source: 5ILIPv7r.659.dr	ELF static info symbol of dropped file: _ZNSt8__detail15_List_node_base7_M_hookEPS0_
Source: 5ILIPv7r.659.dr	ELF static info symbol of dropped file: _ZNSt8__detail15_List_node_base9_M_unhookEv

Source: ELF static info symbol of initial sample

.symtab present: no

Source: 5963.1.0000000000401000.0000000000928000.r-x.sdmp, type: MEMORY

Matched rule: Linux_Trojan_Pornoasset_927f314f reference_sample = d653598df857535c354ba21d96358d4767d6ada137ee32ce5eb4972363b35f93, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Pornoasset, fingerprint = 7214d3132fc606482e3f6236d291082a3abc0359c80255048045dba6e60ec7bf, id = 927f314f-2cbb-4f87-b75c-9aa5ef758599, last_modified = 2021-09-16

Source: classification engine

Classification label: mal100.troj.evad.mine.linELF@0/96@4/0

Persistence and Installation Behavior

Executes the "crontab" command typically for achieving persistence

Source: /bin/sh (PID: 5516)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5518)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5531)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5533)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5549)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5551)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5557)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5559)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5578)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5580)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5586)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5588)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5611)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5613)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5619)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5621)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5638)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5640)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5646)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5648)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5667)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5669)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5675)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5677)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5694)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5696)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5702)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5704)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5721)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5723)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5730)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5732)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5749)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5751)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5759)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5761)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5778)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5780)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5786)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5788)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5805)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5807)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5813)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5815)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5832)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5834)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5840)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5842)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5861)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5863)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5869)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5871)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5909)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5911)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5917)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5919)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5935)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5937)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5943)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5945)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5975)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5977)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5984)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5986)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 6004)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 6006)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 6012)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 6014)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 6033)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 6035)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 6041)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 6043)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 6060)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 6057)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 6059)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 6030)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 6032)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 6037)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 6039)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 6001)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 6003)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 6008)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 6010)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5972)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5974)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5980)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5982)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5938)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5940)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5947)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5949)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5951)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5953)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5906)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5908)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5913)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5916)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5858)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5860)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5865)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5867)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5829)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5831)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5836)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5838)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5802)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5804)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5809)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5811)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5775)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5777)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5782)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5784)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5746)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5748)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5755)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5757)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5718)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5720)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5725)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5727)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5691)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5693)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5698)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5700)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5664)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5666)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5671)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5673)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5635)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5637)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5642)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5644)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5608)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5610)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5615)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5617)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5575)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5577)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5582)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5584)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5546)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5548)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior
Source: /bin/sh (PID: 5553)	Crontab executable: /usr/bin/crontab -> crontab -l	Jump to behavior
Source: /bin/sh (PID: 5555)	Crontab executable: /usr/bin/crontab -> crontab -	Jump to behavior

Sample reads /proc/mounts (often used for finding a writable filesystem)

Source: /dev/shm//daemon (PID: 5963)

File: /proc/5963/mounts

Jump to behavior

Sample tries to persist itself using cron

Source: /usr/bin/crontab (PID: 5518)	File: /var/spool/cron/crontabs/tmp.GbndMr	Jump to behavior
Source: /usr/bin/crontab (PID: 5518)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5533)	File: /var/spool/cron/crontabs/tmp.y2GvFz	Jump to behavior
Source: /usr/bin/crontab (PID: 5533)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5551)	File: /var/spool/cron/crontabs/tmp.ez3vHW	Jump to behavior
Source: /usr/bin/crontab (PID: 5551)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5559)	File: /var/spool/cron/crontabs/tmp.kbwOhw	Jump to behavior
Source: /usr/bin/crontab (PID: 5559)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5580)	File: /var/spool/cron/crontabs/tmp.UtkWL9	Jump to behavior
Source: /usr/bin/crontab (PID: 5580)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5588)	File: /var/spool/cron/crontabs/tmp.TjcwNL	Jump to behavior
Source: /usr/bin/crontab (PID: 5588)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5613)	File: /var/spool/cron/crontabs/tmp.crkHsB	Jump to behavior
Source: /usr/bin/crontab (PID: 5613)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5621)	File: /var/spool/cron/crontabs/tmp.X2w5Hf	Jump to behavior
Source: /usr/bin/crontab (PID: 5621)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5640)	File: /var/spool/cron/crontabs/tmp.f2tXpH	Jump to behavior
Source: /usr/bin/crontab (PID: 5640)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5648)	File: /var/spool/cron/crontabs/tmp.iQOefg	Jump to behavior
Source: /usr/bin/crontab (PID: 5648)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5669)	File: /var/spool/cron/crontabs/tmp.UhgxgT	Jump to behavior
Source: /usr/bin/crontab (PID: 5669)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5677)	File: /var/spool/cron/crontabs/tmp.NfIHOr	Jump to behavior
Source: /usr/bin/crontab (PID: 5677)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5696)	File: /var/spool/cron/crontabs/tmp.dfuzVV	Jump to behavior
Source: /usr/bin/crontab (PID: 5696)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5704)	File: /var/spool/cron/crontabs/tmp.tdlgJu	Jump to behavior
Source: /usr/bin/crontab (PID: 5704)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5723)	File: /var/spool/cron/crontabs/tmp.AtspgY	Jump to behavior
Source: /usr/bin/crontab (PID: 5723)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5732)	File: /var/spool/cron/crontabs/tmp.uqHUgD	Jump to behavior
Source: /usr/bin/crontab (PID: 5732)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5751)	File: /var/spool/cron/crontabs/tmp.InnWm6	Jump to behavior
Source: /usr/bin/crontab (PID: 5751)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5761)	File: /var/spool/cron/crontabs/tmp.x99AmN	Jump to behavior
Source: /usr/bin/crontab (PID: 5761)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5780)	File: /var/spool/cron/crontabs/tmp.NEJAhi	Jump to behavior
Source: /usr/bin/crontab (PID: 5780)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5788)	File: /var/spool/cron/crontabs/tmp.atQzVR	Jump to behavior
Source: /usr/bin/crontab (PID: 5788)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5807)	File: /var/spool/cron/crontabs/tmp.QU57Hh	Jump to behavior
Source: /usr/bin/crontab (PID: 5807)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5815)	File: /var/spool/cron/crontabs/tmp.Xsp0WT	Jump to behavior
Source: /usr/bin/crontab (PID: 5815)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5834)	File: /var/spool/cron/crontabs/tmp.Y5g48m	Jump to behavior
Source: /usr/bin/crontab (PID: 5834)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5842)	File: /var/spool/cron/crontabs/tmp.12euVY	Jump to behavior
Source: /usr/bin/crontab (PID: 5842)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5863)	File: /var/spool/cron/crontabs/tmp.JHIfbz	Jump to behavior
Source: /usr/bin/crontab (PID: 5863)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5871)	File: /var/spool/cron/crontabs/tmp.tYBQl8	Jump to behavior
Source: /usr/bin/crontab (PID: 5871)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5911)	File: /var/spool/cron/crontabs/tmp.kao4S7	Jump to behavior
Source: /usr/bin/crontab (PID: 5911)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5919)	File: /var/spool/cron/crontabs/tmp.7KuJ4M	Jump to behavior
Source: /usr/bin/crontab (PID: 5919)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5937)	File: /var/spool/cron/crontabs/tmp.MKY0J6	Jump to behavior
Source: /usr/bin/crontab (PID: 5937)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5945)	File: /var/spool/cron/crontabs/tmp.dwC0KH	Jump to behavior
Source: /usr/bin/crontab (PID: 5945)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5977)	File: /var/spool/cron/crontabs/tmp.zbPDX7	Jump to behavior
Source: /usr/bin/crontab (PID: 5977)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5986)	File: /var/spool/cron/crontabs/tmp.wMgW3O	Jump to behavior
Source: /usr/bin/crontab (PID: 5986)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 6006)	File: /var/spool/cron/crontabs/tmp.kSeOSk	Jump to behavior
Source: /usr/bin/crontab (PID: 6006)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 6014)	File: /var/spool/cron/crontabs/tmp.yo4PsV	Jump to behavior
Source: /usr/bin/crontab (PID: 6014)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 6035)	File: /var/spool/cron/crontabs/tmp.s5RGSw	Jump to behavior
Source: /usr/bin/crontab (PID: 6035)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 6043)	File: /var/spool/cron/crontabs/tmp.cYIHs9	Jump to behavior
Source: /usr/bin/crontab (PID: 6043)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 6059)	File: /var/spool/cron/crontabs/tmp.CgNfao	Jump to behavior
Source: /usr/bin/crontab (PID: 6059)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 6032)	File: /var/spool/cron/crontabs/tmp.Aowpxi	Jump to behavior
Source: /usr/bin/crontab (PID: 6032)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 6039)	File: /var/spool/cron/crontabs/tmp.o2SU0Q	Jump to behavior
Source: /usr/bin/crontab (PID: 6039)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 6003)	File: /var/spool/cron/crontabs/tmp.fKS528	Jump to behavior
Source: /usr/bin/crontab (PID: 6003)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 6010)	File: /var/spool/cron/crontabs/tmp.9YGa5C	Jump to behavior
Source: /usr/bin/crontab (PID: 6010)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5974)	File: /var/spool/cron/crontabs/tmp.eCzTfT	Jump to behavior
Source: /usr/bin/crontab (PID: 5974)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5982)	File: /var/spool/cron/crontabs/tmp.5Vn4Hx	Jump to behavior
Source: /usr/bin/crontab (PID: 5982)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5940)	File: /var/spool/cron/crontabs/tmp.WcXxcn	Jump to behavior
Source: /usr/bin/crontab (PID: 5940)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5949)	File: /var/spool/cron/crontabs/tmp.1dDMy3	Jump to behavior
Source: /usr/bin/crontab (PID: 5949)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5953)	File: /var/spool/cron/crontabs/tmp.G2Egsm	Jump to behavior
Source: /usr/bin/crontab (PID: 5953)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5908)	File: /var/spool/cron/crontabs/tmp.vyq2eU	Jump to behavior
Source: /usr/bin/crontab (PID: 5908)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5916)	File: /var/spool/cron/crontabs/tmp.Pljamy	Jump to behavior
Source: /usr/bin/crontab (PID: 5916)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5860)	File: /var/spool/cron/crontabs/tmp.FZoLqk	Jump to behavior
Source: /usr/bin/crontab (PID: 5860)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5867)	File: /var/spool/cron/crontabs/tmp.YV1tCN	Jump to behavior
Source: /usr/bin/crontab (PID: 5867)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5831)	File: /var/spool/cron/crontabs/tmp.9loi14	Jump to behavior
Source: /usr/bin/crontab (PID: 5831)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5838)	File: /var/spool/cron/crontabs/tmp.9WES5F	Jump to behavior
Source: /usr/bin/crontab (PID: 5838)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5804)	File: /var/spool/cron/crontabs/tmp.83QaW4	Jump to behavior
Source: /usr/bin/crontab (PID: 5804)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5811)	File: /var/spool/cron/crontabs/tmp.U1Dr3B	Jump to behavior
Source: /usr/bin/crontab (PID: 5811)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5777)	File: /var/spool/cron/crontabs/tmp.rZqgc2	Jump to behavior
Source: /usr/bin/crontab (PID: 5777)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5784)	File: /var/spool/cron/crontabs/tmp.kXuoSx	Jump to behavior
Source: /usr/bin/crontab (PID: 5784)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5748)	File: /var/spool/cron/crontabs/tmp.29wH4Q	Jump to behavior
Source: /usr/bin/crontab (PID: 5748)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5757)	File: /var/spool/cron/crontabs/tmp.xr19mu	Jump to behavior
Source: /usr/bin/crontab (PID: 5757)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5720)	File: /var/spool/cron/crontabs/tmp.HMGV2I	Jump to behavior
Source: /usr/bin/crontab (PID: 5720)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5727)	File: /var/spool/cron/crontabs/tmp.pyvReh	Jump to behavior
Source: /usr/bin/crontab (PID: 5727)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5693)	File: /var/spool/cron/crontabs/tmp.ioWc5G	Jump to behavior
Source: /usr/bin/crontab (PID: 5693)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5700)	File: /var/spool/cron/crontabs/tmp.J2jsnb	Jump to behavior
Source: /usr/bin/crontab (PID: 5700)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5666)	File: /var/spool/cron/crontabs/tmp.1x531C	Jump to behavior
Source: /usr/bin/crontab (PID: 5666)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5673)	File: /var/spool/cron/crontabs/tmp.bdTd89	Jump to behavior
Source: /usr/bin/crontab (PID: 5673)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5637)	File: /var/spool/cron/crontabs/tmp.vEDrcr	Jump to behavior
Source: /usr/bin/crontab (PID: 5637)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5644)	File: /var/spool/cron/crontabs/tmp.8mou9Y	Jump to behavior
Source: /usr/bin/crontab (PID: 5644)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5610)	File: /var/spool/cron/crontabs/tmp.bi6wLn	Jump to behavior
Source: /usr/bin/crontab (PID: 5610)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5617)	File: /var/spool/cron/crontabs/tmp.15NUyV	Jump to behavior
Source: /usr/bin/crontab (PID: 5617)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5577)	File: /var/spool/cron/crontabs/tmp.m0cKnV	Jump to behavior
Source: /usr/bin/crontab (PID: 5577)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5584)	File: /var/spool/cron/crontabs/tmp.GQUzes	Jump to behavior
Source: /usr/bin/crontab (PID: 5584)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5548)	File: /var/spool/cron/crontabs/tmp.RFw2cK	Jump to behavior
Source: /usr/bin/crontab (PID: 5548)	File: /var/spool/cron/crontabs/root	Jump to behavior
Source: /usr/bin/crontab (PID: 5555)	File: /var/spool/cron/crontabs/tmp.JtXLgh	Jump to behavior
Source: /usr/bin/crontab (PID: 5555)	File: /var/spool/cron/crontabs/root	Jump to behavior

Writes ELF files to hidden directories

Source: /tmp/watchdog.elf (PID: 5514)	File written to hidden directory: /root/.local/3JlaqAbw	Jump to dropped file
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-timedated.service-nDlXcg/v7JYhylR (PID: 5572)	File written to hidden directory: /root/.config/3IjY1dOX	Jump to dropped file
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/FfvI9TNe (PID: 5632)	File written to hidden directory: /root/.ssh/1ay0mCs9	Jump to dropped file
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/oZtriZN1 (PID: 5743)	File written to hidden directory: /root/.local/HxJw69zN	Jump to dropped file
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-upower.service-Lb1VUf/yTqqXMpV (PID: 6054)	File written to hidden directory: /root/.config/5ILIPv7r	Jump to dropped file

Writes identical ELF files to multiple locations

Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/qXgzqvkC (PID: 5998)	File with SHA-256 50DAD45E91F61043118A822C13316171108C676DB874AB5CFC77F149A41EBA9F written: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/EAELj4z6	Jump to dropped file
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-timedated.service-nDlXcg/v7JYhylR (PID: 5572)	File with SHA-256 50DAD45E91F61043118A822C13316171108C676DB874AB5CFC77F149A41EBA9F written: /root/.config/3IjY1dOX	Jump to dropped file
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/oZtriZN1 (PID: 5743)	File with SHA-256 50DAD45E91F61043118A822C13316171108C676DB874AB5CFC77F149A41EBA9F written: /root/.local/HxJw69zN	Jump to dropped file
Source: /root/.local/HxJw69zN (PID: 5772)	File with SHA-256 50DAD45E91F61043118A822C13316171108C676DB874AB5CFC77F149A41EBA9F written: /root/snap/T3B6PyyF	Jump to dropped file
Source: /root/snap/T3B6PyyF (PID: 5799)	File with SHA-256 50DAD45E91F61043118A822C13316171108C676DB874AB5CFC77F149A41EBA9F written: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/Osk130te	Jump to dropped file
Source: /root/.config/3IjY1dOX (PID: 5605)	File with SHA-256 50DAD45E91F61043118A822C13316171108C676DB874AB5CFC77F149A41EBA9F written: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/FfvI9TNe	Jump to dropped file
Source: /root/.local/3JlaqAbw (PID: 5543)	File with SHA-256 50DAD45E91F61043118A822C13316171108C676DB874AB5CFC77F149A41EBA9F written: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-timedated.service-nDlXcg/v7JYhylR	Jump to dropped file
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-logind.service-0DTUmj/5MRubITn (PID: 5715)	File with SHA-256 50DAD45E91F61043118A822C13316171108C676DB874AB5CFC77F149A41EBA9F written: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/oZtriZN1	Jump to dropped file
Source: /var/tmp/eBc7g8EI (PID: 5688)	File with SHA-256 50DAD45E91F61043118A822C13316171108C676DB874AB5CFC77F149A41EBA9F written: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-logind.service-0DTUmj/5MRubITn	Jump to dropped file
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/FfvI9TNe (PID: 5632)	File with SHA-256 50DAD45E91F61043118A822C13316171108C676DB874AB5CFC77F149A41EBA9F written: /root/.ssh/1ay0mCs9	Jump to dropped file
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/r9nyGbJf (PID: 5903)	File with SHA-256 50DAD45E91F61043118A822C13316171108C676DB874AB5CFC77F149A41EBA9F written: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-colord.service-sPszWi/Ppo5qPwq	Jump to dropped file
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-colord.service-sPszWi/Ppo5qPwq (PID: 5932)	File with SHA-256 50DAD45E91F61043118A822C13316171108C676DB874AB5CFC77F149A41EBA9F written: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/os83CR7k	Jump to dropped file
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/Osk130te (PID: 5826)	File with SHA-256 50DAD45E91F61043118A822C13316171108C676DB874AB5CFC77F149A41EBA9F written: /root/mwxK5CRX	Jump to dropped file
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/os83CR7k (PID: 5969)	File with SHA-256 50DAD45E91F61043118A822C13316171108C676DB874AB5CFC77F149A41EBA9F written: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/qXgzqvkC	Jump to dropped file
Source: /root/mwxK5CRX (PID: 5855)	File with SHA-256 50DAD45E91F61043118A822C13316171108C676DB874AB5CFC77F149A41EBA9F written: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/r9nyGbJf	Jump to dropped file
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-upower.service-Lb1VUf/yTqqXMpV (PID: 6054)	File with SHA-256 50DAD45E91F61043118A822C13316171108C676DB874AB5CFC77F149A41EBA9F written: /root/.config/5ILIPv7r	Jump to dropped file
Source: /tmp/watchdog.elf (PID: 5514)	File with SHA-256 50DAD45E91F61043118A822C13316171108C676DB874AB5CFC77F149A41EBA9F written: /root/.local/3JlaqAbw	Jump to dropped file
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/EAELj4z6 (PID: 6027)	File with SHA-256 50DAD45E91F61043118A822C13316171108C676DB874AB5CFC77F149A41EBA9F written: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-upower.service-Lb1VUf/yTqqXMpV	Jump to dropped file
Source: /root/.ssh/1ay0mCs9 (PID: 5661)	File with SHA-256 50DAD45E91F61043118A822C13316171108C676DB874AB5CFC77F149A41EBA9F written: /var/tmp/eBc7g8EI	Jump to dropped file

Source: /tmp/watchdog.elf (PID: 5515)	Shell command executed: sh -c "crontab -l \| { cat; echo '/2 * * * /tmp/watchdog.elf'; } \| crontab -"	Jump to behavior
Source: /tmp/watchdog.elf (PID: 5530)	Shell command executed: sh -c "crontab -l \| grep -v '/tmp/watchdog.elf' \| crontab -"	Jump to behavior
Source: /dev/shm//daemon (PID: 5966)	Shell command executed: sh -c "/sbin/modprobe msr allow_writes=on > /dev/null 2>&1"	Jump to behavior
Source: /tmp/watchdog.elf (PID: 5545)	Shell command executed: sh -c "crontab -l \| grep -v '/tmp/watchdog.elf' \| crontab -"	Jump to behavior
Source: /root/.local/3JlaqAbw (PID: 5556)	Shell command executed: sh -c "crontab -l \| { cat; echo '/2 * * * /root/.local/3JlaqAbw'; } \| crontab -"	Jump to behavior
Source: /root/.local/3JlaqAbw (PID: 5574)	Shell command executed: sh -c "crontab -l \| grep -v '/root/.local/3JlaqAbw' \| crontab -"	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-timedated.service-nDlXcg/v7JYhylR (PID: 5585)	Shell command executed: sh -c "crontab -l \| { cat; echo '/2 * * * /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-timedated.service-nDlXcg/v7JYhylR'; } \| crontab -"	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-timedated.service-nDlXcg/v7JYhylR (PID: 5607)	Shell command executed: sh -c "crontab -l \| grep -v '/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-timedated.service-nDlXcg/v7JYhylR' \| crontab -"	Jump to behavior
Source: /root/.config/3IjY1dOX (PID: 5618)	Shell command executed: sh -c "crontab -l \| { cat; echo '/2 * * * /root/.config/3IjY1dOX'; } \| crontab -"	Jump to behavior
Source: /root/.config/3IjY1dOX (PID: 5634)	Shell command executed: sh -c "crontab -l \| grep -v '/root/.config/3IjY1dOX' \| crontab -"	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/FfvI9TNe (PID: 5645)	Shell command executed: sh -c "crontab -l \| { cat; echo '/2 * * * /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/FfvI9TNe'; } \| crontab -"	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/FfvI9TNe (PID: 5663)	Shell command executed: sh -c "crontab -l \| grep -v '/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/FfvI9TNe' \| crontab -"	Jump to behavior
Source: /root/.ssh/1ay0mCs9 (PID: 5674)	Shell command executed: sh -c "crontab -l \| { cat; echo '/2 * * * /root/.ssh/1ay0mCs9'; } \| crontab -"	Jump to behavior
Source: /root/.ssh/1ay0mCs9 (PID: 5690)	Shell command executed: sh -c "crontab -l \| grep -v '/root/.ssh/1ay0mCs9' \| crontab -"	Jump to behavior
Source: /var/tmp/eBc7g8EI (PID: 5701)	Shell command executed: sh -c "crontab -l \| { cat; echo '/2 * * * /var/tmp/eBc7g8EI'; } \| crontab -"	Jump to behavior
Source: /var/tmp/eBc7g8EI (PID: 5717)	Shell command executed: sh -c "crontab -l \| grep -v '/var/tmp/eBc7g8EI' \| crontab -"	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-logind.service-0DTUmj/5MRubITn (PID: 5729)	Shell command executed: sh -c "crontab -l \| { cat; echo '/2 * * * /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-logind.service-0DTUmj/5MRubITn'; } \| crontab -"	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-logind.service-0DTUmj/5MRubITn (PID: 5745)	Shell command executed: sh -c "crontab -l \| grep -v '/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-logind.service-0DTUmj/5MRubITn' \| crontab -"	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/oZtriZN1 (PID: 5758)	Shell command executed: sh -c "crontab -l \| { cat; echo '/2 * * * /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/oZtriZN1'; } \| crontab -"	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/oZtriZN1 (PID: 5774)	Shell command executed: sh -c "crontab -l \| grep -v '/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/oZtriZN1' \| crontab -"	Jump to behavior
Source: /root/.local/HxJw69zN (PID: 5785)	Shell command executed: sh -c "crontab -l \| { cat; echo '/2 * * * /root/.local/HxJw69zN'; } \| crontab -"	Jump to behavior
Source: /root/.local/HxJw69zN (PID: 5801)	Shell command executed: sh -c "crontab -l \| grep -v '/root/.local/HxJw69zN' \| crontab -"	Jump to behavior
Source: /root/snap/T3B6PyyF (PID: 5812)	Shell command executed: sh -c "crontab -l \| { cat; echo '/2 * * * /root/snap/T3B6PyyF'; } \| crontab -"	Jump to behavior
Source: /root/snap/T3B6PyyF (PID: 5828)	Shell command executed: sh -c "crontab -l \| grep -v '/root/snap/T3B6PyyF' \| crontab -"	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/Osk130te (PID: 5839)	Shell command executed: sh -c "crontab -l \| { cat; echo '/2 * * * /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/Osk130te'; } \| crontab -"	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/Osk130te (PID: 5857)	Shell command executed: sh -c "crontab -l \| grep -v '/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/Osk130te' \| crontab -"	Jump to behavior
Source: /root/mwxK5CRX (PID: 5868)	Shell command executed: sh -c "crontab -l \| { cat; echo '/2 * * * /root/mwxK5CRX'; } \| crontab -"	Jump to behavior
Source: /root/mwxK5CRX (PID: 5905)	Shell command executed: sh -c "crontab -l \| grep -v '/root/mwxK5CRX' \| crontab -"	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/r9nyGbJf (PID: 5914)	Shell command executed: sh -c "crontab -l \| { cat; echo '/2 * * * /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/r9nyGbJf'; } \| crontab -"	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/r9nyGbJf (PID: 5934)	Shell command executed: sh -c "crontab -l \| grep -v '/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/r9nyGbJf' \| crontab -"	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-colord.service-sPszWi/Ppo5qPwq (PID: 5941)	Shell command executed: sh -c "crontab -l \| { cat; echo '/2 * * * /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-colord.service-sPszWi/Ppo5qPwq'; } \| crontab -"	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-colord.service-sPszWi/Ppo5qPwq (PID: 5971)	Shell command executed: sh -c "crontab -l \| grep -v '/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-colord.service-sPszWi/Ppo5qPwq' \| crontab -"	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/os83CR7k (PID: 5979)	Shell command executed: sh -c "crontab -l \| { cat; echo '/2 * * * /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/os83CR7k'; } \| crontab -"	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/os83CR7k (PID: 6000)	Shell command executed: sh -c "crontab -l \| grep -v '/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/os83CR7k' \| crontab -"	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/qXgzqvkC (PID: 6011)	Shell command executed: sh -c "crontab -l \| { cat; echo '/2 * * * /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/qXgzqvkC'; } \| crontab -"	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/qXgzqvkC (PID: 6029)	Shell command executed: sh -c "crontab -l \| grep -v '/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/qXgzqvkC' \| crontab -"	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/EAELj4z6 (PID: 6040)	Shell command executed: sh -c "crontab -l \| { cat; echo '/2 * * * /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/EAELj4z6'; } \| crontab -"	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/EAELj4z6 (PID: 6056)	Shell command executed: sh -c "crontab -l \| grep -v '/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/EAELj4z6' \| crontab -"	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/EAELj4z6 (PID: 6055)	Shell command executed: sh -c "crontab -l \| grep -v '/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/EAELj4z6' \| crontab -"	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/qXgzqvkC (PID: 6028)	Shell command executed: sh -c "crontab -l \| grep -v '/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/qXgzqvkC' \| crontab -"	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/qXgzqvkC (PID: 6036)	Shell command executed: sh -c "crontab -l \| grep -v '/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/qXgzqvkC' \| crontab -"	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/os83CR7k (PID: 5999)	Shell command executed: sh -c "crontab -l \| grep -v '/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/os83CR7k' \| crontab -"	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/os83CR7k (PID: 6007)	Shell command executed: sh -c "crontab -l \| grep -v '/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/os83CR7k' \| crontab -"	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-colord.service-sPszWi/Ppo5qPwq (PID: 5970)	Shell command executed: sh -c "crontab -l \| grep -v '/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-colord.service-sPszWi/Ppo5qPwq' \| crontab -"	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-colord.service-sPszWi/Ppo5qPwq (PID: 5978)	Shell command executed: sh -c "crontab -l \| grep -v '/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-colord.service-sPszWi/Ppo5qPwq' \| crontab -"	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/r9nyGbJf (PID: 5933)	Shell command executed: sh -c "crontab -l \| grep -v '/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/r9nyGbJf' \| crontab -"	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/r9nyGbJf (PID: 5942)	Shell command executed: sh -c "crontab -l \| grep -v '/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/r9nyGbJf' \| crontab -"	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/r9nyGbJf (PID: 5950)	Shell command executed: sh -c "crontab -l \| grep -v '/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/r9nyGbJf' \| crontab -"	Jump to behavior
Source: /root/mwxK5CRX (PID: 5904)	Shell command executed: sh -c "crontab -l \| grep -v '/root/mwxK5CRX' \| crontab -"	Jump to behavior
Source: /root/mwxK5CRX (PID: 5912)	Shell command executed: sh -c "crontab -l \| grep -v '/root/mwxK5CRX' \| crontab -"	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/Osk130te (PID: 5856)	Shell command executed: sh -c "crontab -l \| grep -v '/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/Osk130te' \| crontab -"	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/Osk130te (PID: 5864)	Shell command executed: sh -c "crontab -l \| grep -v '/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/Osk130te' \| crontab -"	Jump to behavior
Source: /root/snap/T3B6PyyF (PID: 5827)	Shell command executed: sh -c "crontab -l \| grep -v '/root/snap/T3B6PyyF' \| crontab -"	Jump to behavior
Source: /root/snap/T3B6PyyF (PID: 5835)	Shell command executed: sh -c "crontab -l \| grep -v '/root/snap/T3B6PyyF' \| crontab -"	Jump to behavior
Source: /root/.local/HxJw69zN (PID: 5800)	Shell command executed: sh -c "crontab -l \| grep -v '/root/.local/HxJw69zN' \| crontab -"	Jump to behavior
Source: /root/.local/HxJw69zN (PID: 5808)	Shell command executed: sh -c "crontab -l \| grep -v '/root/.local/HxJw69zN' \| crontab -"	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/oZtriZN1 (PID: 5773)	Shell command executed: sh -c "crontab -l \| grep -v '/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/oZtriZN1' \| crontab -"	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/oZtriZN1 (PID: 5781)	Shell command executed: sh -c "crontab -l \| grep -v '/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/oZtriZN1' \| crontab -"	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-logind.service-0DTUmj/5MRubITn (PID: 5744)	Shell command executed: sh -c "crontab -l \| grep -v '/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-logind.service-0DTUmj/5MRubITn' \| crontab -"	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-logind.service-0DTUmj/5MRubITn (PID: 5754)	Shell command executed: sh -c "crontab -l \| grep -v '/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-logind.service-0DTUmj/5MRubITn' \| crontab -"	Jump to behavior
Source: /var/tmp/eBc7g8EI (PID: 5716)	Shell command executed: sh -c "crontab -l \| grep -v '/var/tmp/eBc7g8EI' \| crontab -"	Jump to behavior
Source: /var/tmp/eBc7g8EI (PID: 5724)	Shell command executed: sh -c "crontab -l \| grep -v '/var/tmp/eBc7g8EI' \| crontab -"	Jump to behavior
Source: /root/.ssh/1ay0mCs9 (PID: 5689)	Shell command executed: sh -c "crontab -l \| grep -v '/root/.ssh/1ay0mCs9' \| crontab -"	Jump to behavior
Source: /root/.ssh/1ay0mCs9 (PID: 5697)	Shell command executed: sh -c "crontab -l \| grep -v '/root/.ssh/1ay0mCs9' \| crontab -"	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/FfvI9TNe (PID: 5662)	Shell command executed: sh -c "crontab -l \| grep -v '/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/FfvI9TNe' \| crontab -"	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/FfvI9TNe (PID: 5670)	Shell command executed: sh -c "crontab -l \| grep -v '/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/FfvI9TNe' \| crontab -"	Jump to behavior
Source: /root/.config/3IjY1dOX (PID: 5633)	Shell command executed: sh -c "crontab -l \| grep -v '/root/.config/3IjY1dOX' \| crontab -"	Jump to behavior
Source: /root/.config/3IjY1dOX (PID: 5641)	Shell command executed: sh -c "crontab -l \| grep -v '/root/.config/3IjY1dOX' \| crontab -"	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-timedated.service-nDlXcg/v7JYhylR (PID: 5606)	Shell command executed: sh -c "crontab -l \| grep -v '/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-timedated.service-nDlXcg/v7JYhylR' \| crontab -"	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-timedated.service-nDlXcg/v7JYhylR (PID: 5614)	Shell command executed: sh -c "crontab -l \| grep -v '/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-timedated.service-nDlXcg/v7JYhylR' \| crontab -"	Jump to behavior
Source: /root/.local/3JlaqAbw (PID: 5573)	Shell command executed: sh -c "crontab -l \| grep -v '/root/.local/3JlaqAbw' \| crontab -"	Jump to behavior
Source: /root/.local/3JlaqAbw (PID: 5581)	Shell command executed: sh -c "crontab -l \| grep -v '/root/.local/3JlaqAbw' \| crontab -"	Jump to behavior
Source: /tmp/watchdog.elf (PID: 5544)	Shell command executed: sh -c "crontab -l \| grep -v '/tmp/watchdog.elf' \| crontab -"	Jump to behavior
Source: /tmp/watchdog.elf (PID: 5552)	Shell command executed: sh -c "crontab -l \| grep -v '/tmp/watchdog.elf' \| crontab -"	Jump to behavior

Source: /bin/sh (PID: 5532)	Grep executable: /usr/bin/grep -> grep -v /tmp/watchdog.elf	Jump to behavior
Source: /bin/sh (PID: 5550)	Grep executable: /usr/bin/grep -> grep -v /tmp/watchdog.elf	Jump to behavior
Source: /bin/sh (PID: 5579)	Grep executable: /usr/bin/grep -> grep -v /root/.local/3JlaqAbw	Jump to behavior
Source: /bin/sh (PID: 5612)	Grep executable: /usr/bin/grep -> grep -v /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-timedated.service-nDlXcg/v7JYhylR	Jump to behavior
Source: /bin/sh (PID: 5639)	Grep executable: /usr/bin/grep -> grep -v /root/.config/3IjY1dOX	Jump to behavior
Source: /bin/sh (PID: 5668)	Grep executable: /usr/bin/grep -> grep -v /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/FfvI9TNe	Jump to behavior
Source: /bin/sh (PID: 5695)	Grep executable: /usr/bin/grep -> grep -v /root/.ssh/1ay0mCs9	Jump to behavior
Source: /bin/sh (PID: 5722)	Grep executable: /usr/bin/grep -> grep -v /var/tmp/eBc7g8EI	Jump to behavior
Source: /bin/sh (PID: 5750)	Grep executable: /usr/bin/grep -> grep -v /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-logind.service-0DTUmj/5MRubITn	Jump to behavior
Source: /bin/sh (PID: 5779)	Grep executable: /usr/bin/grep -> grep -v /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/oZtriZN1	Jump to behavior
Source: /bin/sh (PID: 5806)	Grep executable: /usr/bin/grep -> grep -v /root/.local/HxJw69zN	Jump to behavior
Source: /bin/sh (PID: 5833)	Grep executable: /usr/bin/grep -> grep -v /root/snap/T3B6PyyF	Jump to behavior
Source: /bin/sh (PID: 5862)	Grep executable: /usr/bin/grep -> grep -v /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/Osk130te	Jump to behavior
Source: /bin/sh (PID: 5910)	Grep executable: /usr/bin/grep -> grep -v /root/mwxK5CRX	Jump to behavior
Source: /bin/sh (PID: 5936)	Grep executable: /usr/bin/grep -> grep -v /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/r9nyGbJf	Jump to behavior
Source: /bin/sh (PID: 5976)	Grep executable: /usr/bin/grep -> grep -v /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-colord.service-sPszWi/Ppo5qPwq	Jump to behavior
Source: /bin/sh (PID: 6005)	Grep executable: /usr/bin/grep -> grep -v /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/os83CR7k	Jump to behavior
Source: /bin/sh (PID: 6034)	Grep executable: /usr/bin/grep -> grep -v /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/qXgzqvkC	Jump to behavior
Source: /bin/sh (PID: 6061)	Grep executable: /usr/bin/grep -> grep -v /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/EAELj4z6	Jump to behavior
Source: /bin/sh (PID: 6058)	Grep executable: /usr/bin/grep -> grep -v /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/EAELj4z6	Jump to behavior
Source: /bin/sh (PID: 6031)	Grep executable: /usr/bin/grep -> grep -v /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/qXgzqvkC	Jump to behavior
Source: /bin/sh (PID: 6038)	Grep executable: /usr/bin/grep -> grep -v /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/qXgzqvkC	Jump to behavior
Source: /bin/sh (PID: 6002)	Grep executable: /usr/bin/grep -> grep -v /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/os83CR7k	Jump to behavior
Source: /bin/sh (PID: 6009)	Grep executable: /usr/bin/grep -> grep -v /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/os83CR7k	Jump to behavior
Source: /bin/sh (PID: 5973)	Grep executable: /usr/bin/grep -> grep -v /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-colord.service-sPszWi/Ppo5qPwq	Jump to behavior
Source: /bin/sh (PID: 5981)	Grep executable: /usr/bin/grep -> grep -v /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-colord.service-sPszWi/Ppo5qPwq	Jump to behavior
Source: /bin/sh (PID: 5939)	Grep executable: /usr/bin/grep -> grep -v /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/r9nyGbJf	Jump to behavior
Source: /bin/sh (PID: 5948)	Grep executable: /usr/bin/grep -> grep -v /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/r9nyGbJf	Jump to behavior
Source: /bin/sh (PID: 5952)	Grep executable: /usr/bin/grep -> grep -v /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/r9nyGbJf	Jump to behavior
Source: /bin/sh (PID: 5907)	Grep executable: /usr/bin/grep -> grep -v /root/mwxK5CRX	Jump to behavior
Source: /bin/sh (PID: 5915)	Grep executable: /usr/bin/grep -> grep -v /root/mwxK5CRX	Jump to behavior
Source: /bin/sh (PID: 5859)	Grep executable: /usr/bin/grep -> grep -v /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/Osk130te	Jump to behavior
Source: /bin/sh (PID: 5866)	Grep executable: /usr/bin/grep -> grep -v /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/Osk130te	Jump to behavior
Source: /bin/sh (PID: 5830)	Grep executable: /usr/bin/grep -> grep -v /root/snap/T3B6PyyF	Jump to behavior
Source: /bin/sh (PID: 5837)	Grep executable: /usr/bin/grep -> grep -v /root/snap/T3B6PyyF	Jump to behavior
Source: /bin/sh (PID: 5803)	Grep executable: /usr/bin/grep -> grep -v /root/.local/HxJw69zN	Jump to behavior
Source: /bin/sh (PID: 5810)	Grep executable: /usr/bin/grep -> grep -v /root/.local/HxJw69zN	Jump to behavior
Source: /bin/sh (PID: 5776)	Grep executable: /usr/bin/grep -> grep -v /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/oZtriZN1	Jump to behavior
Source: /bin/sh (PID: 5783)	Grep executable: /usr/bin/grep -> grep -v /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/oZtriZN1	Jump to behavior
Source: /bin/sh (PID: 5747)	Grep executable: /usr/bin/grep -> grep -v /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-logind.service-0DTUmj/5MRubITn	Jump to behavior
Source: /bin/sh (PID: 5756)	Grep executable: /usr/bin/grep -> grep -v /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-logind.service-0DTUmj/5MRubITn	Jump to behavior
Source: /bin/sh (PID: 5719)	Grep executable: /usr/bin/grep -> grep -v /var/tmp/eBc7g8EI	Jump to behavior
Source: /bin/sh (PID: 5726)	Grep executable: /usr/bin/grep -> grep -v /var/tmp/eBc7g8EI	Jump to behavior
Source: /bin/sh (PID: 5692)	Grep executable: /usr/bin/grep -> grep -v /root/.ssh/1ay0mCs9	Jump to behavior
Source: /bin/sh (PID: 5699)	Grep executable: /usr/bin/grep -> grep -v /root/.ssh/1ay0mCs9	Jump to behavior
Source: /bin/sh (PID: 5665)	Grep executable: /usr/bin/grep -> grep -v /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/FfvI9TNe	Jump to behavior
Source: /bin/sh (PID: 5672)	Grep executable: /usr/bin/grep -> grep -v /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/FfvI9TNe	Jump to behavior
Source: /bin/sh (PID: 5636)	Grep executable: /usr/bin/grep -> grep -v /root/.config/3IjY1dOX	Jump to behavior
Source: /bin/sh (PID: 5643)	Grep executable: /usr/bin/grep -> grep -v /root/.config/3IjY1dOX	Jump to behavior
Source: /bin/sh (PID: 5609)	Grep executable: /usr/bin/grep -> grep -v /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-timedated.service-nDlXcg/v7JYhylR	Jump to behavior
Source: /bin/sh (PID: 5616)	Grep executable: /usr/bin/grep -> grep -v /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-timedated.service-nDlXcg/v7JYhylR	Jump to behavior
Source: /bin/sh (PID: 5576)	Grep executable: /usr/bin/grep -> grep -v /root/.local/3JlaqAbw	Jump to behavior
Source: /bin/sh (PID: 5583)	Grep executable: /usr/bin/grep -> grep -v /root/.local/3JlaqAbw	Jump to behavior
Source: /bin/sh (PID: 5547)	Grep executable: /usr/bin/grep -> grep -v /tmp/watchdog.elf	Jump to behavior
Source: /bin/sh (PID: 5554)	Grep executable: /usr/bin/grep -> grep -v /tmp/watchdog.elf	Jump to behavior

Source: /dev/shm//daemon (PID: 5963)	Reads from proc file: /proc/cpuinfo	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads from proc file: /proc/meminfo	Jump to behavior
Source: /dev/shm//daemon (PID: 5964)	Reads from proc file: /proc/meminfo	Jump to behavior

Source: /tmp/watchdog.elf (PID: 5514)	File: /tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-logind.service-LPFY4g/HIsZygoZ2jW0Q (bits: - usr: - grp: - all: rwx)	Jump to behavior
Source: /tmp/watchdog.elf (PID: 5514)	File: /root/.local/3JlaqAbw (bits: - usr: - grp: - all: rwx)	Jump to behavior
Source: /tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-logind.service-LPFY4g/HIsZygoZ2jW0Q (PID: 5529)	File: /dev/shm//daemon (bits: - usr: - grp: - all: rwx)	Jump to behavior
Source: /root/.local/3JlaqAbw (PID: 5543)	File: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-timedated.service-nDlXcg/v7JYhylR (bits: - usr: - grp: - all: rwx)	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-timedated.service-nDlXcg/v7JYhylR (PID: 5572)	File: /root/.config/3IjY1dOX (bits: - usr: - grp: - all: rwx)	Jump to behavior
Source: /root/.config/3IjY1dOX (PID: 5605)	File: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/FfvI9TNe (bits: - usr: - grp: - all: rwx)	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/FfvI9TNe (PID: 5632)	File: /root/.ssh/1ay0mCs9 (bits: - usr: - grp: - all: rwx)	Jump to behavior
Source: /root/.ssh/1ay0mCs9 (PID: 5661)	File: /var/tmp//eBc7g8EI (bits: - usr: - grp: - all: rwx)	Jump to behavior
Source: /var/tmp/eBc7g8EI (PID: 5688)	File: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-logind.service-0DTUmj/5MRubITn (bits: - usr: - grp: - all: rwx)	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-logind.service-0DTUmj/5MRubITn (PID: 5715)	File: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/oZtriZN1 (bits: - usr: - grp: - all: rwx)	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/oZtriZN1 (PID: 5743)	File: /root/.local/HxJw69zN (bits: - usr: - grp: - all: rwx)	Jump to behavior
Source: /root/.local/HxJw69zN (PID: 5772)	File: /root/snap/T3B6PyyF (bits: - usr: - grp: - all: rwx)	Jump to behavior
Source: /root/snap/T3B6PyyF (PID: 5799)	File: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/Osk130te (bits: - usr: - grp: - all: rwx)	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/Osk130te (PID: 5826)	File: /root//mwxK5CRX (bits: - usr: - grp: - all: rwx)	Jump to behavior
Source: /root/mwxK5CRX (PID: 5855)	File: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/r9nyGbJf (bits: - usr: - grp: - all: rwx)	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/r9nyGbJf (PID: 5903)	File: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-colord.service-sPszWi/Ppo5qPwq (bits: - usr: - grp: - all: rwx)	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-colord.service-sPszWi/Ppo5qPwq (PID: 5932)	File: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/os83CR7k (bits: - usr: - grp: - all: rwx)	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/os83CR7k (PID: 5969)	File: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/qXgzqvkC (bits: - usr: - grp: - all: rwx)	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/qXgzqvkC (PID: 5998)	File: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/EAELj4z6 (bits: - usr: - grp: - all: rwx)	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/EAELj4z6 (PID: 6027)	File: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-upower.service-Lb1VUf/yTqqXMpV (bits: - usr: - grp: - all: rwx)	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-upower.service-Lb1VUf/yTqqXMpV (PID: 6054)	File: /root/.config/5ILIPv7r (bits: - usr: - grp: - all: rwx)	Jump to behavior

Source: /tmp/watchdog.elf (PID: 5514)	File written: /tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-logind.service-LPFY4g/HIsZygoZ2jW0Q	Jump to dropped file
Source: /tmp/watchdog.elf (PID: 5514)	File written: /root/.local/3JlaqAbw	Jump to dropped file
Source: /tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-logind.service-LPFY4g/HIsZygoZ2jW0Q (PID: 5529)	File written: /dev/shm/daemon	Jump to dropped file
Source: /root/.local/3JlaqAbw (PID: 5543)	File written: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-timedated.service-nDlXcg/v7JYhylR	Jump to dropped file
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-timedated.service-nDlXcg/v7JYhylR (PID: 5572)	File written: /root/.config/3IjY1dOX	Jump to dropped file
Source: /root/.config/3IjY1dOX (PID: 5605)	File written: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/FfvI9TNe	Jump to dropped file
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/FfvI9TNe (PID: 5632)	File written: /root/.ssh/1ay0mCs9	Jump to dropped file
Source: /root/.ssh/1ay0mCs9 (PID: 5661)	File written: /var/tmp/eBc7g8EI	Jump to dropped file
Source: /var/tmp/eBc7g8EI (PID: 5688)	File written: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-logind.service-0DTUmj/5MRubITn	Jump to dropped file
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-logind.service-0DTUmj/5MRubITn (PID: 5715)	File written: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/oZtriZN1	Jump to dropped file
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/oZtriZN1 (PID: 5743)	File written: /root/.local/HxJw69zN	Jump to dropped file
Source: /root/.local/HxJw69zN (PID: 5772)	File written: /root/snap/T3B6PyyF	Jump to dropped file
Source: /root/snap/T3B6PyyF (PID: 5799)	File written: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/Osk130te	Jump to dropped file
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/Osk130te (PID: 5826)	File written: /root/mwxK5CRX	Jump to dropped file
Source: /root/mwxK5CRX (PID: 5855)	File written: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/r9nyGbJf	Jump to dropped file
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/r9nyGbJf (PID: 5903)	File written: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-colord.service-sPszWi/Ppo5qPwq	Jump to dropped file
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-colord.service-sPszWi/Ppo5qPwq (PID: 5932)	File written: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/os83CR7k	Jump to dropped file
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/os83CR7k (PID: 5969)	File written: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/qXgzqvkC	Jump to dropped file
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/qXgzqvkC (PID: 5998)	File written: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/EAELj4z6	Jump to dropped file
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/EAELj4z6 (PID: 6027)	File written: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-upower.service-Lb1VUf/yTqqXMpV	Jump to dropped file
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-upower.service-Lb1VUf/yTqqXMpV (PID: 6054)	File written: /root/.config/5ILIPv7r	Jump to dropped file

Source: submitted sample

Stderr: no crontab for root: exit code = 0

Hooking and other Techniques for Hiding and Protection

Sample deletes itself

Source: /tmp/watchdog.elf (PID: 5514)	File: /tmp/watchdog.elf	Jump to behavior
Source: /root/.local/3JlaqAbw (PID: 5543)	File: /root/.local/3JlaqAbw	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-timedated.service-nDlXcg/v7JYhylR (PID: 5572)	File: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-timedated.service-nDlXcg/v7JYhylR	Jump to behavior
Source: /root/.config/3IjY1dOX (PID: 5605)	File: /root/.config/3IjY1dOX	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/FfvI9TNe (PID: 5632)	File: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/FfvI9TNe	Jump to behavior
Source: /root/.ssh/1ay0mCs9 (PID: 5661)	File: /root/.ssh/1ay0mCs9	Jump to behavior
Source: /var/tmp/eBc7g8EI (PID: 5688)	File: /var/tmp/eBc7g8EI	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-logind.service-0DTUmj/5MRubITn (PID: 5715)	File: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-logind.service-0DTUmj/5MRubITn	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/oZtriZN1 (PID: 5743)	File: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/oZtriZN1	Jump to behavior
Source: /root/.local/HxJw69zN (PID: 5772)	File: /root/.local/HxJw69zN	Jump to behavior
Source: /root/snap/T3B6PyyF (PID: 5799)	File: /root/snap/T3B6PyyF	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/Osk130te (PID: 5826)	File: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/Osk130te	Jump to behavior
Source: /root/mwxK5CRX (PID: 5855)	File: /root/mwxK5CRX	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/r9nyGbJf (PID: 5903)	File: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/r9nyGbJf	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-colord.service-sPszWi/Ppo5qPwq (PID: 5932)	File: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-colord.service-sPszWi/Ppo5qPwq	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/os83CR7k (PID: 5969)	File: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/os83CR7k	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/qXgzqvkC (PID: 5998)	File: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/qXgzqvkC	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/EAELj4z6 (PID: 6027)	File: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/EAELj4z6	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-upower.service-Lb1VUf/yTqqXMpV (PID: 6054)	File: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-upower.service-Lb1VUf/yTqqXMpV	Jump to behavior

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 36672 -> 8000
Source: unknown	Network traffic detected: HTTP traffic on port 8000 -> 36672
Source: unknown	Network traffic detected: HTTP traffic on port 36676 -> 8000
Source: unknown	Network traffic detected: HTTP traffic on port 8000 -> 36676
Source: unknown	Network traffic detected: HTTP traffic on port 59946 -> 8000
Source: unknown	Network traffic detected: HTTP traffic on port 36690 -> 8000
Source: unknown	Network traffic detected: HTTP traffic on port 8000 -> 36690
Source: unknown	Network traffic detected: HTTP traffic on port 39732 -> 8000
Source: unknown	Network traffic detected: HTTP traffic on port 50634 -> 8000
Source: unknown	Network traffic detected: HTTP traffic on port 59978 -> 8000
Source: unknown	Network traffic detected: HTTP traffic on port 36722 -> 8000
Source: unknown	Network traffic detected: HTTP traffic on port 8000 -> 36722

Source: daemon.31.dr	Dropped file: segment LOAD with 7.6401 entropy (max. 8.0)
Source: daemon.31.dr	Dropped file: segment LOAD with 7.9095 entropy (max. 8.0)

Source: /bin/sh (PID: 5967)

Modprobe: /sbin/modprobe -> /sbin/modprobe msr allow_writes=on

Jump to behavior

Source: ELF symbol in initial sample

Symbol name: nanosleep

Source: /dev/shm//daemon (PID: 5963)

Reads CPU info from proc file: /proc/cpuinfo

Jump to behavior

Source: /tmp/watchdog.elf (PID: 5514)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-logind.service-LPFY4g/HIsZygoZ2jW0Q (PID: 5529)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/topology/core_cpus	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/topology/core_id	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/topology/die_cpus	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/topology/package_cpus	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/topology/physical_package_id	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/shared_cpu_map	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/level	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/type	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/id	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/size	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/coherency_line_size	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/number_of_sets	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index0/physical_line_partition	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index1/shared_cpu_map	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index1/level	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index1/type	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index1/id	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/shared_cpu_map	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/level	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/type	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/id	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/size	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/coherency_line_size	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/number_of_sets	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index2/physical_line_partition	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/shared_cpu_map	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/level	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/type	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/id	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/size	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/coherency_line_size	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/number_of_sets	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu0/cache/index3/physical_line_partition	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/topology/core_cpus	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/topology/core_id	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/topology/die_cpus	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/topology/package_cpus	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/topology/physical_package_id	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index0/shared_cpu_map	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index0/level	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index0/type	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index0/id	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index0/size	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index0/coherency_line_size	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index0/number_of_sets	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index0/physical_line_partition	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index1/shared_cpu_map	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index1/level	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index1/type	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index1/id	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index2/shared_cpu_map	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index2/level	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index2/type	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index2/id	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index2/size	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index2/coherency_line_size	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index2/number_of_sets	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index2/physical_line_partition	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index3/shared_cpu_map	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index3/level	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index3/type	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index3/id	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index3/size	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index3/coherency_line_size	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index3/number_of_sets	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/cpu1/cache/index3/physical_line_partition	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Reads CPU info from /sys: /sys/devices/system/cpu/possible	Jump to behavior
Source: /root/.local/3JlaqAbw (PID: 5543)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-timedated.service-nDlXcg/v7JYhylR (PID: 5572)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /root/.config/3IjY1dOX (PID: 5605)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/FfvI9TNe (PID: 5632)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /root/.ssh/1ay0mCs9 (PID: 5661)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /var/tmp/eBc7g8EI (PID: 5688)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-logind.service-0DTUmj/5MRubITn (PID: 5715)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/oZtriZN1 (PID: 5743)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /root/.local/HxJw69zN (PID: 5772)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /root/snap/T3B6PyyF (PID: 5799)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/Osk130te (PID: 5826)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /root/mwxK5CRX (PID: 5855)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/r9nyGbJf (PID: 5903)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-colord.service-sPszWi/Ppo5qPwq (PID: 5932)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/os83CR7k (PID: 5969)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/qXgzqvkC (PID: 5998)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/EAELj4z6 (PID: 6027)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior

Source: /tmp/watchdog.elf (PID: 5514)	Queries kernel information via 'uname':	Jump to behavior
Source: /tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-logind.service-LPFY4g/HIsZygoZ2jW0Q (PID: 5529)	Queries kernel information via 'uname':	Jump to behavior
Source: /dev/shm//daemon (PID: 5963)	Queries kernel information via 'uname':	Jump to behavior
Source: /dev/shm//daemon (PID: 5964)	Queries kernel information via 'uname':	Jump to behavior
Source: /sbin/modprobe (PID: 5967)	Queries kernel information via 'uname':	Jump to behavior
Source: /root/.local/3JlaqAbw (PID: 5543)	Queries kernel information via 'uname':	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-timedated.service-nDlXcg/v7JYhylR (PID: 5572)	Queries kernel information via 'uname':	Jump to behavior
Source: /root/.config/3IjY1dOX (PID: 5605)	Queries kernel information via 'uname':	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/FfvI9TNe (PID: 5632)	Queries kernel information via 'uname':	Jump to behavior
Source: /root/.ssh/1ay0mCs9 (PID: 5661)	Queries kernel information via 'uname':	Jump to behavior
Source: /var/tmp/eBc7g8EI (PID: 5688)	Queries kernel information via 'uname':	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-logind.service-0DTUmj/5MRubITn (PID: 5715)	Queries kernel information via 'uname':	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/oZtriZN1 (PID: 5743)	Queries kernel information via 'uname':	Jump to behavior
Source: /root/.local/HxJw69zN (PID: 5772)	Queries kernel information via 'uname':	Jump to behavior
Source: /root/snap/T3B6PyyF (PID: 5799)	Queries kernel information via 'uname':	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/Osk130te (PID: 5826)	Queries kernel information via 'uname':	Jump to behavior
Source: /root/mwxK5CRX (PID: 5855)	Queries kernel information via 'uname':	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/r9nyGbJf (PID: 5903)	Queries kernel information via 'uname':	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-colord.service-sPszWi/Ppo5qPwq (PID: 5932)	Queries kernel information via 'uname':	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/os83CR7k (PID: 5969)	Queries kernel information via 'uname':	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/qXgzqvkC (PID: 5998)	Queries kernel information via 'uname':	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/EAELj4z6 (PID: 6027)	Queries kernel information via 'uname':	Jump to behavior
Source: /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-upower.service-Lb1VUf/yTqqXMpV (PID: 6054)	Queries kernel information via 'uname':	Jump to behavior

Source: watchdog.elf, 5514.1.0000000000f49000.0000000000fd9000.rw-.sdmp

Binary or memory string: /tmp/vmware-root_726-2957583432

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	11 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Scripting	1 Kernel Modules and Extensions	1 File and Directory Permissions Modification	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Kernel Modules and Extensions	Logon Script (Windows)	1 Virtualization/Sandbox Evasion	Security Account Manager	11 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Hidden Files and Directories	NTDS	23 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
watchdog.elf	44%	Virustotal		Browse
watchdog.elf	37%	ReversingLabs	Linux.Trojan.Siggen
watchdog.elf	100%	Avira	LINUX/Siggen.lkbka

Dropped Files

Source	Detection	Scanner	Label
/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/oZtriZN1	100%	Avira	LINUX/Siggen.lkbka
/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/EAELj4z6	100%	Avira	LINUX/Siggen.lkbka
/root/snap/T3B6PyyF	100%	Avira	LINUX/Siggen.lkbka
/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-logind.service-LPFY4g/HIsZygoZ2jW0Q	100%	Avira	LINUX/AVF.Miner.dwjxi
/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-colord.service-sPszWi/Ppo5qPwq	100%	Avira	LINUX/Siggen.lkbka
/var/tmp/eBc7g8EI	100%	Avira	LINUX/Siggen.lkbka
/dev/shm/daemon	100%	Avira	LINUX/AVF.Miner.exrsj
/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-logind.service-0DTUmj/5MRubITn	100%	Avira	LINUX/Siggen.lkbka
/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/FfvI9TNe	100%	Avira	LINUX/Siggen.lkbka
/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/r9nyGbJf	100%	Avira	LINUX/Siggen.lkbka
/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/qXgzqvkC	100%	Avira	LINUX/Siggen.lkbka
/root/.local/3JlaqAbw	100%	Avira	LINUX/Siggen.lkbka
/root/.config/5ILIPv7r	100%	Avira	LINUX/Siggen.lkbka
/root/mwxK5CRX	100%	Avira	LINUX/Siggen.lkbka
/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/os83CR7k	100%	Avira	LINUX/Siggen.lkbka
/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-upower.service-Lb1VUf/yTqqXMpV	100%	Avira	LINUX/Siggen.lkbka
/root/.local/HxJw69zN	100%	Avira	LINUX/Siggen.lkbka
/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-timedated.service-nDlXcg/v7JYhylR	100%	Avira	LINUX/Siggen.lkbka
/root/.config/3IjY1dOX	100%	Avira	LINUX/Siggen.lkbka
/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/Osk130te	100%	Avira	LINUX/Siggen.lkbka
/root/.ssh/1ay0mCs9	100%	Avira	LINUX/Siggen.lkbka
/dev/shm/daemon	67%	ReversingLabs	Linux.Hacktool.Multiverze
/root/.config/3IjY1dOX	37%	ReversingLabs	Linux.Trojan.Siggen
/root/.config/5ILIPv7r	37%	ReversingLabs	Linux.Trojan.Siggen
/root/.local/3JlaqAbw	37%	ReversingLabs	Linux.Trojan.Siggen
/root/.local/HxJw69zN	37%	ReversingLabs	Linux.Trojan.Siggen
/root/.ssh/1ay0mCs9	37%	ReversingLabs	Linux.Trojan.Siggen
/root/mwxK5CRX	37%	ReversingLabs	Linux.Trojan.Siggen
/root/snap/T3B6PyyF	37%	ReversingLabs	Linux.Trojan.Siggen
/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-logind.service-LPFY4g/HIsZygoZ2jW0Q	59%	ReversingLabs	Linux.Trojan.SAgnt
/var/tmp/eBc7g8EI	37%	ReversingLabs	Linux.Trojan.Siggen
/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-colord.service-sPszWi/Ppo5qPwq	37%	ReversingLabs	Linux.Trojan.Siggen
/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/Osk130te	37%	ReversingLabs	Linux.Trojan.Siggen
/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/oZtriZN1	37%	ReversingLabs	Linux.Trojan.Siggen
/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/qXgzqvkC	37%	ReversingLabs	Linux.Trojan.Siggen
/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/r9nyGbJf	37%	ReversingLabs	Linux.Trojan.Siggen
/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-logind.service-0DTUmj/5MRubITn	37%	ReversingLabs	Linux.Trojan.Siggen
/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/EAELj4z6	37%	ReversingLabs	Linux.Trojan.Siggen
/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/FfvI9TNe	37%	ReversingLabs	Linux.Trojan.Siggen
/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/os83CR7k	37%	ReversingLabs	Linux.Trojan.Siggen
/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-timedated.service-nDlXcg/v7JYhylR	37%	ReversingLabs	Linux.Trojan.Siggen
/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-upower.service-Lb1VUf/yTqqXMpV	37%	ReversingLabs	Linux.Trojan.Siggen

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://1.1.1.1:8080/	0%	Avira URL Cloud	safe
http://67.205.135.145:8000/	0%	Avira URL Cloud	safe
http://91.227.18.60:8000/	0%	Avira URL Cloud	safe
http://HTTP/1.0Connection	0%	Avira URL Cloud	safe
http://162.240.239.103:8000/	0%	Avira URL Cloud	safe
http://191.252.194.180:8000/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
auto.c3pool.org	5.75.158.61	true	false		high
daisy.ubuntu.com	162.213.35.25	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://1.1.1.1:8080/	false	Avira URL Cloud: safe	unknown
http://67.205.135.145:8000/	false	Avira URL Cloud: safe	unknown
http://91.227.18.60:8000/	false	Avira URL Cloud: safe	unknown
http://162.240.239.103:8000/	false	Avira URL Cloud: safe	unknown
http://191.252.194.180:8000/	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	daemon.31.dr	false		high
http://HTTP/1.0Connection	watchdog.elf, 5514.1.0000000000f49000.0000000000fd9000.rw-.sdmp, HIsZygoZ2jW0Q.12.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
91.227.18.60	unknown	Russian Federation	207027	EXIMIUS-ASRU	false
67.205.135.145	unknown	United States	14061	DIGITALOCEAN-ASNUS	false
88.198.117.174	unknown	Germany	24940	HETZNER-ASDE	true
162.240.239.103	unknown	United States	46606	UNIFIEDLAYER-AS-1US	false
191.252.194.180	unknown	Brazil	27715	LocawebServicosdeInternetSABR	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
1.1.1.1	6fW0GedR6j.xls	Get hash	malicious	Unknown	Browse	1.1.1.1/ctrl/playback.php
	PO-230821_pdf.exe	Get hash	malicious	FormBook, NSISDropper	Browse	www.974dp.com/sn26/?kJBLpb8=qaEGeuQorcUQurUZCuE8d9pas+Z0M0brqtX248JBolEfq8j8F1R9i1jKZexhxY54UlRG&ML0tl=NZlpi
	AFfv8HpACF.exe	Get hash	malicious	Unknown	Browse	1.1.1.1/
	INVOICE_90990_PDF.exe	Get hash	malicious	FormBook	Browse	www.quranvisor.com/usvr/?mN9d3vF=HHrW7cA9N4YJlebHFvlsdlDciSnnaQItEG8Ccfxp291VjnjcuwoPACt7EOqEq4SWjIf8&Pjf81=-Zdd-V5hqhM4p2S
	Go.exe	Get hash	malicious	Unknown	Browse	1.1.1.1/
88.198.117.174	LisectAVT_2403002B_48.exe	Get hash	malicious	Bdaejec, BlackMoon	Browse
	o00DuIdf3j.exe	Get hash	malicious	Xmrig	Browse
	o00DuIdf3j.exe	Get hash	malicious	Xmrig	Browse
	xB6r0wPRyb.exe	Get hash	malicious	Xmrig	Browse
	c3p.exe	Get hash	malicious	Xmrig	Browse
162.240.239.103	INVOICE087667899.exe	Get hash	malicious	Unknown	Browse	heygirlisheeverythingyouwantedinaman.comheygirlisheeverythingyouwantedinaman.com:443
	RDFchOT4i0.exe	Get hash	malicious	Unknown	Browse	artemis-rat.comartemis-rat.com:443
	OUTSTANDING PO.exe	Get hash	malicious	FormBook	Browse	artemis-rat.comartemis-rat.com:443
	Your file name without extension goes here.exe	Get hash	malicious	AgentTesla	Browse	heygirlisheeverythingyouwantedinaman.comheygirlisheeverythingyouwantedinaman.com:443
	SecuriteInfo.com.Win64.MalwareX-gen.15169.25783.exe	Get hash	malicious	AgentTesla	Browse	artemis-rat.comartemis-rat.com:443
	dl7WL77rkA.exe	Get hash	malicious	Glupteba, Mars Stealer, Stealc, Vidar	Browse	artemis-rat.comartemis-rat.com:443
	DHL DETAILS.exe	Get hash	malicious	AgentTesla	Browse	artemis-rat.comartemis-rat.com:443

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
daisy.ubuntu.com	12.elf	Get hash	malicious	Unknown	Browse	162.213.35.24
	gigganiggax86.elf	Get hash	malicious	Gafgyt, Mirai	Browse	162.213.35.24
	army4.elf	Get hash	malicious	Gafgyt, Mirai	Browse	162.213.35.25
	army6.elf	Get hash	malicious	Gafgyt, Mirai	Browse	162.213.35.24
	mippywippy.elf	Get hash	malicious	Gafgyt, Mirai	Browse	162.213.35.24
	army5.elf	Get hash	malicious	Gafgyt, Mirai	Browse	162.213.35.25
	boatnet.mpsl.elf	Get hash	malicious	Mirai	Browse	162.213.35.24
	boatnet.ppc.elf	Get hash	malicious	Mirai	Browse	162.213.35.25
	boatnet.sh4.elf	Get hash	malicious	Mirai	Browse	162.213.35.24
	boatnet.arm6.elf	Get hash	malicious	Mirai	Browse	162.213.35.24
auto.c3pool.org	copy_netaddr.elf	Get hash	malicious	Xmrig	Browse	101.32.199.27
	updater.exe	Get hash	malicious	Xmrig	Browse	5.161.65.155
	LisectAVT_2403002B_48.exe	Get hash	malicious	Bdaejec, BlackMoon	Browse	5.75.158.61
	LisectAVT_2403002B_55.exe	Get hash	malicious	Xmrig	Browse	5.75.158.61
	LisectAVT_2403002A_416.exe	Get hash	malicious	Xmrig	Browse	5.75.158.61
	o00DuIdf3j.exe	Get hash	malicious	Xmrig	Browse	5.75.158.61
	o00DuIdf3j.exe	Get hash	malicious	Xmrig	Browse	5.75.158.61
	xB6r0wPRyb.exe	Get hash	malicious	Xmrig	Browse	5.75.158.61
	K4gsPJGEi4.exe	Get hash	malicious	Xmrig	Browse	5.75.158.61
	x00zm3KVwb.exe	Get hash	malicious	Xmrig	Browse	88.198.117.174

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://lap.gnoqwwhpwe.ru/3aeK/#Dmestevao@iif.com	Get hash	malicious	Unknown	Browse	188.114.97.3
	https://rinderynitvye.blogspot.com/	Get hash	malicious	CAPTCHA Scam ClickFix, Phisher	Browse	188.114.97.3
	https://lap.gnoqwwhpwe.ru/3aeK/#Dmestevao@iif.com	Get hash	malicious	Unknown	Browse	188.114.96.3
	Condenast eCHECK- Payment Advice.html	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://mail.voipmessage.uk/XZmNVMGRWSjAyR3hxcDF0LzhSdGt1ZFZjdG0vUU9uWWRDQXI2eXJwbnNYd0FnNE9TWjhBNncyakhQSlRKa0poSEVkY09KRzlaVG9SSGM4NSt2bHh3M0h4eHpwKzZNZlpMUU9rWklrRlg2R0R3ak9qbVA4T21TZXpzYUxJazlsaVo0ODNubmNtS1ZuQTdWL1dLa3kvZVpKeU5WOUJWUVRFMHcxRWhsODJKQTdVV2NSUmloaFBtRWdiL1lGQ0VCOTNUUjVmSE1nPT0tLVpvYUVQQVVmdkNSZmR3ZUItLWhoMjNyU1ZFSWhzclZVc0cwdTEwS0E9PQ==?cid=305193241	Get hash	malicious	KnowBe4	Browse	104.17.247.203
	dropper.exe	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://click.pstmrk.it/3s/click.pstmrk.it%2F3s%2Fclick.pstmrk.it%252F3s%252Fclick.pstmrk.it%25252F3s%25252F8fi5.veracidep.ru%2525252F9rQQ7pYZ%2525252F%25252FGnrm%25252FJIy6AQ%25252FAQ%25252Fc8a642e1-b752-489d-a606-2e0c28c9f43c%25252F1%25252Fp3ItI-koyL%252FGnrm%252FJYy6AQ%252FAQ%252F96a81154-bc5a-4dec-811a-9ad4ee762256%252F1%252FydnKIiaQi0%2FGnrm%2FJoy6AQ%2FAQ%2F9c58c880-73af-4c48-9b37-4983856d006d%2F1%2FdSmT7Kur-Y/Gnrm/J4y6AQ/AQ/dd03067b-b850-464f-b99d-a4582f20c822/1/nPxHYVfVwy#bWF5cmFAYnVpbGRpbmdiYWNrdG9nZXRoZXIub3Jn	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	I334hDwRjj.exe	Get hash	malicious	Blank Grabber, Njrat	Browse	162.159.137.232
	https://redduppgh.com/	Get hash	malicious	Unknown	Browse	104.17.24.14
	https://irpf2025.imbrava.com.br/	Get hash	malicious	HTMLPhisher	Browse	104.19.229.21
EXIMIUS-ASRU	81zBpBAWwc.exe	Get hash	malicious	RHADAMANTHYS	Browse	91.227.18.172
	CJF0Ri1HrG.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	91.227.16.11
	hT7clR9Gz2.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	91.227.16.11
	file.exe	Get hash	malicious	PrivateLoader, RedLine	Browse	91.227.16.22
	New_Text_Document.exe	Get hash	malicious	FormBook, Lokibot, NSISDropper, RedLine	Browse	91.227.16.22
	http://h171008.srv22.test-hf.su/timesync.exe	Get hash	malicious	Unknown	Browse	91.227.16.22
	file.exe	Get hash	malicious	Amadey, Babuk, Clipboard Hijacker, Djvu, Glupteba, LummaC Stealer, RedLine	Browse	91.227.16.22
	file.exe	Get hash	malicious	Amadey, Babuk, Djvu, Glupteba, RedLine, SmokeLoader, Vidar	Browse	91.227.16.22
	file.exe	Get hash	malicious	LummaC Stealer, SmokeLoader	Browse	91.227.16.22
	file.exe	Get hash	malicious	LummaC Stealer, SmokeLoader	Browse	91.227.16.22
DIGITALOCEAN-ASNUS	3.elf	Get hash	malicious	Unknown	Browse	157.230.1.137
	https://redduppgh.com/	Get hash	malicious	Unknown	Browse	159.89.102.253
	arm7.elf	Get hash	malicious	Mirai, Moobot	Browse	167.174.154.107
	http://hockey30.com	Get hash	malicious	Unknown	Browse	134.122.57.34
	https://veryfast.io/?ap=adw&as=g_d_fast_in&dm%5Bads%5D=new_static&dm%5Btype%5D=dis&gad_source=5&gclid=EAIaIQobChMIgp352NzmigMVZAOzAB0wMA8oEAEYASAAEgI_hfD_BwE	Get hash	malicious	Unknown	Browse	167.99.235.203
	http://cdn.statisticline.com	Get hash	malicious	Unknown	Browse	165.22.209.237
	Q1 Statements.html	Get hash	malicious	Unknown	Browse	178.62.32.18
	174.exe	Get hash	malicious	Xmrig	Browse	206.189.156.69
	3.elf	Get hash	malicious	Unknown	Browse	157.245.194.36
	i686.elf	Get hash	malicious	Mirai	Browse	188.166.182.194

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context

Process:	/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-logind.service-LPFY4g/HIsZygoZ2jW0Q
File Type:	JSON data
Category:	dropped
Size (bytes):	1601
Entropy (8bit):	4.820234426065898
Encrypted:	false
SSDEEP:	24:YqrT6tAuZIKBh0FuDy+wkwXOugzb1usMdkqjoWwdp:YqX6tAoIHcDyHkEgzkdbon
MD5:	57938A5354D53D6F96CEA52BB516106F
SHA1:	DF5246B7A6CD383622A6CE9989AD802AEA921E79
SHA-256:	0CC6AFD16AE5C7FFB354A58A423810959A44D9DA706669DA75EF60346BEAD124
SHA-512:	618E01D48F8E5680DC0D1F7714DDF2F6177DB64F7CBA7E99A9CF5B5376846061F7C3A48871685C5BB56679DD6AAF459C9BB8A7087EA7410EFBA872767E29BE59
Malicious:	false
Reputation:	low
Preview:	{"api":{"id":null,"worker-id":null},"http":{"enabled":false,"host":"127.0.0.1","port":0,"access-token":null,"restricted":true},"autosave":false,"background":true,"colors":true,"title":true,"randomx":{"init":-1,"init-avx2":0,"mode":"auto","1gb-pages":false,"rdmsr":true,"wrmsr":true,"cache_qos":false,"numa":true,"scratchpad_prefetch_mode":1},"cpu":{"enabled":true,"huge-pages":true,"huge-pages-jit":false,"hw-aes":null,"priority":null,"memory-pool":true,"yield":true,"max-threads-hint":60,"asm":true,"argon2-impl":null,"cn/0":false,"cn-lite/0":false},"opencl":{"enabled":false,"cache":true,"loader":null,"platform":"AMD","adl":true,"cn/0":false,"cn-lite/0":false,"panthera":false},"cuda":{"enabled":false,"loader":null,"nvml":true,"cn/0":false,"cn-lite/0":false,"panthera":false,"astrobwt":false},"donate-level":0,"donate-over-proxy":0,"log-file":null,"pools":[{"algo":null,"coin":null,"url":"auto.c3pool.org:80","user":"47NsaEwhbk92CfibMJg8M8hJ73LKDv9NTjNtHLFH6EQE2sAUdgnwPc231gghf3rYBvC6cXvgLahJKa4

Process:	/dev/shm//daemon
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	2.1556390622295662
Encrypted:	false
SSDEEP:	3:P3D:7
MD5:	480F3E598B6E19EE175B99F196730643
SHA1:	9DC9F8714A6D8EB9514CDE6C178EB14C9B088614
SHA-256:	C531B050489A6A3125B4E9BA3AC1AAFFCB85003A6F4EF93163632190DBBED358
SHA-512:	180D37CD033DB358883EE2BD22EB5ADDF39E002A413AB5D395B2AAA16A0C982ECA57D02876099B71BF22BB8D295A576755F8E9B7B355D0871C0E8430F342EBC9
Malicious:	false
Preview:	13211053

Process:	/usr/bin/crontab
File Type:	ASCII text
Category:	dropped
Size (bytes):	289
Entropy (8bit):	5.277975784319616
Encrypted:	false
SSDEEP:	6:SUrpqoqQjEOP1KmREJOBFQLN2oiGMQ5UYLtCFt3K3F8wnGVn/AGkkTg:8QjHig8xpUeHLUaFC4wTg
MD5:	B767E6918BB28550E53DB781B08A0886
SHA1:	D0313017CCC4E07E53A82D73E07842430D0D5F25
SHA-256:	FA24B65E2DAD5DD949C97AAA7B1E33866B4DD4315D1B6F2598E28DE5DA6653E3
SHA-512:	6E8E14DFD62C7C3B66A8E65E1071CD442E4123214BFA1D98CBD7A340C53CD379029DFD6728B0808A6DB44896577A0EDF2C2E7B3CB5AED3606638DAC6D5F2B505
Malicious:	true
Preview:	# DO NOT EDIT THIS FILE - edit the master and reinstall..# (- installed on Thu Jan 9 00:08:15 2025).# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)./2 * * * /var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-switcheroo-control.service-EvKsMg/Osk130te.

File type:	ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=099e1e5560ef663dd805d4bb1d9d0c8b0ac4ff71, stripped
Entropy (8bit):	6.240258528122969
TrID:	ELF Executable and Linkable format (Linux) (4029/14) 50.16% ELF Executable and Linkable format (generic) (4004/1) 49.84%
File name:	watchdog.elf
File size:	316'480 bytes
MD5:	f124e8a9e771966e3846a638be333e8d
SHA1:	07a3ee5d11f8c31f650de519edaa18a4c7548a9d
SHA256:	50dad45e91f61043118a822c13316171108c676db874ab5cfc77f149a41eba9f
SHA512:	a7dacb77f171b4a5f475b6523dd0f6a4da009291f4a10c35cf206bfd4d31e1a605d1266ce0d885515f5e50df7aba8dbac8975c3efb0adf0e5209c4fbf7f51131
SSDEEP:	6144:uyKTXNPSWNKzpsMQspTeOKPsYekmRtwqNHexsYKlJ6dQC4yV6OEfXOd:cdSD+haTbKUMmRqqNHexsYKlJ6dQCvcj
TLSH:	89646B53FA814CF9C0CAE971C6DB922FEA6074518631A11B2BE8AD151E357309F3D3A7
File Content Preview:	.ELF..............>.......@.....@...................@.8...@.............@.......@.@.....@.@.....................................8.......8.@.....8.@...............................................@.......@....................... .............H.......H.d....

ELF header
Class:	ELF64
Data:	2's complement, little endian
Version:	1 (current)
Machine:	Advanced Micro Devices X86-64
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - Linux
ABI Version:	0
Entry Point Address:	0x408c80
Flags:	0x0
ELF Header Size:	64
Program Header Offset:	64
Program Header Size:	56
Number of Program Headers:	9
Section Header Offset:	314560
Section Header Size:	64
Number of Section Headers:	30
Header String Table Index:	29

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Link	Info	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0	0	0
.interp	PROGBITS	0x400238	0x238	0x1c	0x0	0x2	A	0	0	1
.note.ABI-tag	NOTE	0x400254	0x254	0x20	0x0	0x2	A	0	0	4
.note.gnu.build-id	NOTE	0x400274	0x274	0x24	0x0	0x2	A	0	0	4
.gnu.hash	GNU_HASH	0x400298	0x298	0x100	0x0	0x2	A	5	0	8
.dynsym	DYNSYM	0x400398	0x398	0x1740	0x18	0x2	A	6	1	8
.dynstr	STRTAB	0x401ad8	0x1ad8	0x18b2	0x0	0x2	A	0	0	1
.gnu.version	VERSYM	0x40338a	0x338a	0x1f0	0x2	0x2	A	5	0	2
.gnu.version_r	VERNEED	0x403580	0x3580	0x1a0	0x0	0x2	A	6	5	8
.rela.dyn	RELA	0x403720	0x3720	0x1e0	0x18	0x2	A	5	0	8
.rela.plt	RELA	0x403900	0x3900	0x1548	0x18	0x42	AI	5	25	8
.init	PROGBITS	0x404e48	0x4e48	0x1a	0x0	0x6	AX	0	0	4
.plt	PROGBITS	0x404e70	0x4e70	0xe40	0x10	0x6	AX	0	0	16
.plt.got	PROGBITS	0x405cb0	0x5cb0	0x8	0x0	0x6	AX	0	0	8
.text	PROGBITS	0x405cc0	0x5cc0	0x2b41f	0x0	0x6	AX	0	0	16
.fini	PROGBITS	0x4310e0	0x310e0	0x9	0x0	0x6	AX	0	0	4
.rodata	PROGBITS	0x431100	0x31100	0xe183	0x0	0x2	A	0	0	32
.eh_frame_hdr	PROGBITS	0x43f284	0x3f284	0x1804	0x0	0x2	A	0	0	4
.eh_frame	PROGBITS	0x440a88	0x40a88	0x7d6c	0x0	0x2	A	0	0	8
.gcc_except_table	PROGBITS	0x4487f4	0x487f4	0x2428	0x0	0x2	A	0	0	4
.init_array	INIT_ARRAY	0x64bb48	0x4bb48	0x10	0x8	0x3	WA	0	0	8
.fini_array	FINI_ARRAY	0x64bb58	0x4bb58	0x8	0x8	0x3	WA	0	0	8
.data.rel.ro	PROGBITS	0x64bb60	0x4bb60	0x258	0x0	0x3	WA	0	0	32
.dynamic	DYNAMIC	0x64bdb8	0x4bdb8	0x210	0x10	0x3	WA	6	0	8
.got	PROGBITS	0x64bfc8	0x4bfc8	0x20	0x8	0x3	WA	0	0	8
.got.plt	PROGBITS	0x64c000	0x4c000	0x730	0x8	0x3	WA	0	0	8
.data	PROGBITS	0x64c740	0x4c740	0x410	0x0	0x3	WA	0	0	32
.bss	NOBITS	0x64cb60	0x4cb50	0x8a8	0x0	0x3	WA	0	0	32
.comment	PROGBITS	0x0	0x4cb50	0x59	0x1	0x30	MS	0	0	1
.shstrtab	STRTAB	0x0	0x4cba9	0x116	0x0	0x0		0	0	1

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Prog Interpreter	Section Mappings
PHDR	0x40	0x400040	0x400040	0x1f8	0x1f8	1.9444	0x5	R E	0x8
INTERP	0x238	0x400238	0x400238	0x1c	0x1c	3.9408	0x4	R	0x1	/lib64/ld-linux-x86-64.so.2	.interp
LOAD	0x0	0x400000	0x400000	0x4ac1c	0x4ac1c	6.3342	0x5	R E	0x200000		.interp .note.ABI-tag .note.gnu.build-id .gnu.hash .dynsym .dynstr .gnu.version .gnu.version_r .rela.dyn .rela.plt .init .plt .plt.got .text .fini .rodata .eh_frame_hdr .eh_frame .gcc_except_table
LOAD	0x4bb48	0x64bb48	0x64bb48	0x1008	0x18c0	2.4633	0x6	RW	0x200000		.init_array .fini_array .data.rel.ro .dynamic .got .got.plt .data .bss
DYNAMIC	0x4bdb8	0x64bdb8	0x64bdb8	0x210	0x210	1.5961	0x6	RW	0x8		.dynamic
NOTE	0x254	0x400254	0x400254	0x44	0x44	3.4813	0x4	R	0x4		.note.ABI-tag .note.gnu.build-id
GNU_EH_FRAME	0x3f284	0x43f284	0x43f284	0x1804	0x1804	5.6639	0x4	R	0x4		.eh_frame_hdr
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x10
GNU_RELRO	0x4bb48	0x64bb48	0x64bb48	0x4b8	0x4b8	0.9209	0x4	R	0x1		.init_array .fini_array .data.rel.ro .dynamic .got

Type	Meta	Value	Tag
DT_NEEDED	sharedlib	libstdc++.so.6	0x1
DT_NEEDED	sharedlib	libm.so.6	0x1
DT_NEEDED	sharedlib	libgcc_s.so.1	0x1
DT_NEEDED	sharedlib	libpthread.so.0	0x1
DT_NEEDED	sharedlib	libc.so.6	0x1
DT_INIT	value	0x404e48	0xc
DT_FINI	value	0x4310e0	0xd
DT_INIT_ARRAY	value	0x64bb48	0x19
DT_INIT_ARRAYSZ	bytes	16	0x1b
DT_FINI_ARRAY	value	0x64bb58	0x1a
DT_FINI_ARRAYSZ	bytes	8	0x1c
DT_GNU_HASH	value	0x400298	0x6ffffef5
DT_STRTAB	value	0x401ad8	0x5
DT_SYMTAB	value	0x400398	0x6
DT_STRSZ	bytes	6322	0xa
DT_SYMENT	bytes	24	0xb
DT_DEBUG	value	0x0	0x15
DT_PLTGOT	value	0x64c000	0x3
DT_PLTRELSZ	bytes	5448	0x2
DT_PLTREL	pltrel	DT_RELA	0x14
DT_JMPREL	value	0x403900	0x17
DT_RELA	value	0x403720	0x7
DT_RELASZ	bytes	480	0x8
DT_RELAENT	bytes	24	0x9
DT_VERNEED	value	0x403580	0x6ffffffe
DT_VERNEEDNUM	value	5	0x6fffffff
DT_VERSYM	value	0x40338a	0x6ffffff0
DT_NULL	value	0x0	0x0

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 07:10:45.079452038 CET	58924	53	192.168.2.14	8.8.8.8
Jan 9, 2025 07:10:45.079452038 CET	36971	53	192.168.2.14	8.8.8.8
Jan 9, 2025 07:10:45.085820913 CET	53	58924	8.8.8.8	192.168.2.14
Jan 9, 2025 07:10:45.085835934 CET	53	36971	8.8.8.8	192.168.2.14
Jan 9, 2025 07:14:05.446991920 CET	45894	53	192.168.2.14	8.8.8.8
Jan 9, 2025 07:14:05.447339058 CET	38452	53	192.168.2.14	8.8.8.8
Jan 9, 2025 07:14:05.454528093 CET	53	38452	8.8.8.8	192.168.2.14
Jan 9, 2025 07:14:05.455637932 CET	53	45894	8.8.8.8	192.168.2.14

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 07:07:58.898437977 CET	168	OUT	POST / HTTP/1.1 Accept: / Connection: close Content-Length: 64 Content-Type: text/plain Host: 67.205.135.145:8000 User-Agent: cpp-httplib/0.14.3
Jan 9, 2025 07:07:59.344464064 CET	100	IN	HTTP/1.1 200 OK Connection: close Content-Length: 443872 Content-Type: text/plain

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 07:08:00.778903008 CET	168	OUT	POST / HTTP/1.1 Accept: / Connection: close Content-Length: 80 Content-Type: text/plain Host: 67.205.135.145:8000 User-Agent: cpp-httplib/0.14.3
Jan 9, 2025 07:08:01.234704018 CET	112	IN	HTTP/1.1 200 OK Connection: close Content-Length: 16 Content-Type: text/plain Data Raw: 6c da ad 63 5d dd f8 f8 2c 18 11 55 8a 7b 10 ce Data Ascii: lc],U{

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 07:08:01.240868092 CET	161	OUT	POST / HTTP/1.1 Accept: / Connection: close Content-Length: 48 Content-Type: text/plain Host: 1.1.1.1:8080 User-Agent: cpp-httplib/0.14.3
Jan 9, 2025 07:08:01.684417009 CET	393	IN	HTTP/1.1 301 Moved Permanently Server: cloudflare Date: Thu, 09 Jan 2025 06:08:01 GMT Content-Type: text/html Content-Length: 167 Connection: close Location: https://1.1.1.1/ CF-RAY: 8ff2401a4ae2c340-EWR Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 07:08:03.539052010 CET	168	OUT	POST / HTTP/1.1 Accept: / Connection: close Content-Length: 96 Content-Type: text/plain Host: 67.205.135.145:8000 User-Agent: cpp-httplib/0.14.3
Jan 9, 2025 07:08:04.010571003 CET	96	IN	HTTP/1.1 200 OK Connection: close Content-Length: 16 Content-Type: text/plain

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 07:08:12.553030014 CET	168	OUT	POST / HTTP/1.1 Accept: / Connection: close Content-Length: 96 Content-Type: text/plain Host: 67.205.135.145:8000 User-Agent: cpp-httplib/0.14.3
Jan 9, 2025 07:08:13.002032042 CET	101	IN	HTTP/1.1 200 OK Connection: close Content-Length: 3669120 Content-Type: text/plain

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 07:14:05.466286898 CET	1384	OUT	Data Raw: 7b 22 69 64 22 3a 31 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 6c 6f 67 69 6e 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 6c 6f 67 69 6e 22 3a 22 34 37 4e 73 61 45 77 68 62 6b 39 32 43 66 69 62 4d 4a 67 38 4d 38 Data Ascii: {"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"47NsaEwhbk92CfibMJg8M8hJ73LKDv9NTjNtHLFH6EQE2sAUdgnwPc231gghf3rYBvC6cXvgLahJKa4riqQBxbT1HBjQhFu","pass":"844y2kX1h0rzVh0mPslTnCD5","agent":"XMRig/6.21.0-C3Pool (Linux x86_64) libuv/1.
Jan 9, 2025 07:14:06.099729061 CET	424	IN	Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 69 64 22 3a 31 2c 22 65 72 72 6f 72 22 3a 6e 75 6c 6c 2c 22 72 65 73 75 6c 74 22 3a 7b 22 69 64 22 3a 22 31 33 30 37 37 37 33 22 2c 22 6a 6f 62 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 61 Data Ascii: {"jsonrpc":"2.0","id":1,"error":null,"result":{"id":"1307773","job":{"blob":"1010a9d2fdbb0679847df5727cc1dc03e0389f118ea80b2422e9b3221ec450ba73af1faeb3a67100000000c7dc6ddf8d976c67e85971fbfccd698f6b1a0e5127950c3d9146c95bfa8861b31e","algo":"rx/0
Jan 9, 2025 07:14:33.237761021 CET	382	IN	Data Raw: 7b 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 63 38 64 32 66 64 62 62 30 36 37 39 38 34 37 64 66 35 37 32 37 63 63 31 64 63 30 33 65 30 33 38 39 66 31 31 38 65 61 38 30 62 32 34 Data Ascii: {"method":"job","params":{"blob":"1010c8d2fdbb0679847df5727cc1dc03e0389f118ea80b2422e9b3221ec450ba73af1faeb3a67100000000308e02ef9bad8ccef991a84d66ae05706775fc03bbd6b55ef25666593f791a4224","algo":"rx/0","height":3321298,"seed_hash":"b9d67be7395
Jan 9, 2025 07:14:53.180660009 CET	195	OUT	Data Raw: 7b 22 69 64 22 3a 32 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 73 75 62 6d 69 74 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 69 64 22 3a 22 31 33 30 37 37 37 33 22 2c 22 6a 6f 62 5f 69 64 22 3a 22 31 33 31 35 30 Data Ascii: {"id":2,"jsonrpc":"2.0","method":"submit","params":{"id":"1307773","job_id":"1315011","nonce":"77080000","result":"46ea5dbb7872e3c49f4b5f09381f9555dae6799a8d05fd5ce4bcedbfc8570100"}}
Jan 9, 2025 07:14:53.428054094 CET	75	IN	Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 69 64 22 3a 32 2c 22 65 72 72 6f 72 22 3a 6e 75 6c 6c 2c 22 72 65 73 75 6c 74 22 3a 7b 22 73 74 61 74 75 73 22 3a 22 4f 4b 22 7d 7d 0a Data Ascii: {"jsonrpc":"2.0","id":2,"error":null,"result":{"status":"OK"}}
Jan 9, 2025 07:14:56.262763977 CET	382	IN	Data Raw: 7b 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 63 38 64 32 66 64 62 62 30 36 37 39 38 34 37 64 66 35 37 32 37 63 63 31 64 63 30 33 65 30 33 38 39 66 31 31 38 65 61 38 30 62 32 34 Data Ascii: {"method":"job","params":{"blob":"1010c8d2fdbb0679847df5727cc1dc03e0389f118ea80b2422e9b3221ec450ba73af1faeb3a671000000008948b6a8157124c29d75c81b9e462eae5eb4354dcb21071ef3a06247e7dbd55424","algo":"rx/0","height":3321298,"seed_hash":"b9d67be7395
Jan 9, 2025 07:15:03.758913994 CET	382	IN	Data Raw: 7b 22 6d 65 74 68 6f 64 22 3a 22 6a 6f 62 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 62 6c 6f 62 22 3a 22 31 30 31 30 65 36 64 32 66 64 62 62 30 36 37 39 38 34 37 64 66 35 37 32 37 63 63 31 64 63 30 33 65 30 33 38 39 66 31 31 38 65 61 38 30 62 32 34 Data Ascii: {"method":"job","params":{"blob":"1010e6d2fdbb0679847df5727cc1dc03e0389f118ea80b2422e9b3221ec450ba73af1faeb3a67100000000f2263661945e620dc42ce5f8e55432e005f0164a8d782bd1942ecd4d8cb8a4002a","algo":"rx/0","height":3321298,"seed_hash":"b9d67be7395
Jan 9, 2025 07:15:10.804630995 CET	195	OUT	Data Raw: 7b 22 69 64 22 3a 33 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 73 75 62 6d 69 74 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 69 64 22 3a 22 31 33 30 37 37 37 33 22 2c 22 6a 6f 62 5f 69 64 22 3a 22 31 33 32 32 31 Data Ascii: {"id":3,"jsonrpc":"2.0","method":"submit","params":{"id":"1307773","job_id":"1322128","nonce":"5b0b0000","result":"79332dc854e9107f0c2d5e5ef7338436641128c65443550f028f5fea89bd1400"}}
Jan 9, 2025 07:15:11.035393000 CET	75	IN	Data Raw: 7b 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 69 64 22 3a 33 2c 22 65 72 72 6f 72 22 3a 6e 75 6c 6c 2c 22 72 65 73 75 6c 74 22 3a 7b 22 73 74 61 74 75 73 22 3a 22 4f 4b 22 7d 7d 0a Data Ascii: {"jsonrpc":"2.0","id":3,"error":null,"result":{"status":"OK"}}
Jan 9, 2025 07:15:13.585481882 CET	195	OUT	Data Raw: 7b 22 69 64 22 3a 34 2c 22 6a 73 6f 6e 72 70 63 22 3a 22 32 2e 30 22 2c 22 6d 65 74 68 6f 64 22 3a 22 73 75 62 6d 69 74 22 2c 22 70 61 72 61 6d 73 22 3a 7b 22 69 64 22 3a 22 31 33 30 37 37 37 33 22 2c 22 6a 6f 62 5f 69 64 22 3a 22 31 33 32 32 31 Data Ascii: {"id":4,"jsonrpc":"2.0","method":"submit","params":{"id":"1307773","job_id":"1322128","nonce":"2c100000","result":"c49e5ed50c74cd453e3d615ed0a218ef5ec7fc4b021cc4cf07dbf3b4bfdf0100"}}

Start time (UTC):	06:07:57
Start date (UTC):	09/01/2025
Path:	/tmp/watchdog.elf
Arguments:	/tmp/watchdog.elf
File size:	316480 bytes
MD5 hash:	f124e8a9e771966e3846a638be333e8d

Start time (UTC):	06:07:59
Start date (UTC):	09/01/2025
Path:	/tmp/watchdog.elf
Arguments:	-
File size:	316480 bytes
MD5 hash:	f124e8a9e771966e3846a638be333e8d

Start time (UTC):	06:08:22
Start date (UTC):	09/01/2025
Path:	/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-logind.service-LPFY4g/HIsZygoZ2jW0Q
Arguments:	-
File size:	332896 bytes
MD5 hash:	e11b7cf1f0512317321e6a7cf532296a

Start time (UTC):	06:08:49
Start date (UTC):	09/01/2025
Path:	/dev/shm//daemon
Arguments:	-
File size:	2751832 bytes
MD5 hash:	fd8121e312db46f3b1ac123fce2e73d1

Start time (UTC):	06:09:30
Start date (UTC):	09/01/2025
Path:	/dev/shm//daemon
Arguments:	-
File size:	2751832 bytes
MD5 hash:	fd8121e312db46f3b1ac123fce2e73d1

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report watchdog.elf

Overview

General Information

Detection

Signatures

Classification

General Information

Warnings

Runtime Messages

Process Tree

Malware Threat Intel

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/dev/shm/config.json

/dev/shm/daemon

/root/.config/3IjY1dOX

/root/.config/5ILIPv7r

/root/.local/3JlaqAbw

/root/.local/HxJw69zN

/root/.ssh/1ay0mCs9

/root/mwxK5CRX

/root/snap/T3B6PyyF

/root/snap/db.data

/sys/devices/system/node/node0/hugepages/hugepages-2048kB/nr_hugepages

/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-logind.service-LPFY4g/HIsZygoZ2jW0Q

/var/spool/cron/crontabs/tmp.12euVY

/var/spool/cron/crontabs/tmp.15NUyV

/var/spool/cron/crontabs/tmp.1dDMy3

/var/spool/cron/crontabs/tmp.1x531C

/var/spool/cron/crontabs/tmp.29wH4Q

/var/spool/cron/crontabs/tmp.5Vn4Hx

/var/spool/cron/crontabs/tmp.7KuJ4M

/var/spool/cron/crontabs/tmp.83QaW4

/var/spool/cron/crontabs/tmp.8mou9Y

/var/spool/cron/crontabs/tmp.9WES5F

/var/spool/cron/crontabs/tmp.9YGa5C

/var/spool/cron/crontabs/tmp.9loi14

/var/spool/cron/crontabs/tmp.Aowpxi

/var/spool/cron/crontabs/tmp.AtspgY

/var/spool/cron/crontabs/tmp.CgNfao

/var/spool/cron/crontabs/tmp.FZoLqk

/var/spool/cron/crontabs/tmp.G2Egsm

Linux Analysis Report
watchdog.elf

Start time (UTC):	06:09:50
Start date (UTC):	09/01/2025
Path:	/dev/shm//daemon
Arguments:	-
File size:	2751832 bytes
MD5 hash:	fd8121e312db46f3b1ac123fce2e73d1

Start time (UTC):	06:11:12
Start date (UTC):	09/01/2025
Path:	/dev/shm//daemon
Arguments:	-
File size:	2751832 bytes
MD5 hash:	fd8121e312db46f3b1ac123fce2e73d1

Start time (UTC):	06:08:00
Start date (UTC):	09/01/2025
Path:	/tmp/watchdog.elf
Arguments:	-
File size:	316480 bytes
MD5 hash:	f124e8a9e771966e3846a638be333e8d

Start time (UTC):	06:08:01
Start date (UTC):	09/01/2025
Path:	/root/.local/3JlaqAbw
Arguments:	-
File size:	316480 bytes
MD5 hash:	f124e8a9e771966e3846a638be333e8d

Start time (UTC):	06:08:03
Start date (UTC):	09/01/2025
Path:	/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-timedated.service-nDlXcg/v7JYhylR
Arguments:	-
File size:	316480 bytes
MD5 hash:	f124e8a9e771966e3846a638be333e8d

Start time (UTC):	06:08:04
Start date (UTC):	09/01/2025
Path:	/root/.config/3IjY1dOX
Arguments:	-
File size:	316480 bytes
MD5 hash:	f124e8a9e771966e3846a638be333e8d

Start time (UTC):	06:08:05
Start date (UTC):	09/01/2025
Path:	/var/tmp/systemd-private-aa7ef13c7a2d44d8a04d54e61953176a-systemd-resolved.service-fe4hsi/FfvI9TNe
Arguments:	-
File size:	316480 bytes
MD5 hash:	f124e8a9e771966e3846a638be333e8d

Start time (UTC):	06:08:06
Start date (UTC):	09/01/2025
Path:	/root/.ssh/1ay0mCs9
Arguments:	1ay0mCs9
File size:	316480 bytes
MD5 hash:	f124e8a9e771966e3846a638be333e8d

Start time (UTC):	06:08:07
Start date (UTC):	09/01/2025
Path:	/root/.ssh/1ay0mCs9
Arguments:	-
File size:	316480 bytes
MD5 hash:	f124e8a9e771966e3846a638be333e8d

Start time (UTC):	06:08:09
Start date (UTC):	09/01/2025
Path:	/var/tmp/eBc7g8EI
Arguments:	-
File size:	316480 bytes
MD5 hash:	f124e8a9e771966e3846a638be333e8d