Edit tour

Linux Analysis Report
ahuFoyOKGg

Overview

General Information

Sample Name:	ahuFoyOKGg
Analysis ID:	576084
MD5:	f401357e0e9757bdaa2b33969d897152
SHA1:	f12de94f348204ef912a8dc5597903b0d0f43b43
SHA256:	57c71aee92303498151c092bf0d5ff3ea2a11e18af86fd9afb94f47e68526ac9
Tags:	32elfsparc
Infos:

Detection

Mirai

Score:	80
Range:	0 - 100
Whitelisted:	false

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Mirai

Multi AV Scanner detection for submitted file

Deletes all firewall rules

Sample deletes itself

Deletes security-related log files

Tries to stop the "iptables" service

Executes the "kill" or "pkill" command typically used to terminate processes

Reads CPU information from /sys indicative of miner or evasive malware

Uses the "uname" system call to query kernel version information (possible evasion)

Enumerates processes within the "proc" file system

Executes the "systemctl" command used for controlling the systemd system and service manager

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Detected TCP or UDP traffic on non-standard ports

Sample listens on a socket

Deletes log files

Sample has stripped symbol table

Executes the "iptables" command used for managing IP filtering and manipulation

Executes commands using a shell command-line interpreter

Executes the "rm" command used to delete files or directories

Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable

Classification

Analysis Advice

Static ELF header machine description suggests that the sample might not execute correctly on this machine.

All HTTP servers contacted by the sample do not answer. The sample is likely an old dropper which does no longer work.

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	576084
Start date:	22.02.2022
Start time:	05:32:03
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	ahuFoyOKGg
Cookbook file name:	defaultlinuxfilecookbook.jbs
Analysis system description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode:	default
Detection:	MAL
Classification:	mal80.troj.evad.lin@0/2@0/0

Warnings

Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing network information.

Runtime Messages

Command:	/tmp/ahuFoyOKGg
Exit Code:	0
Exit Code Info:
Killed:	False
Standard Output:	Infected
Standard Error:	Another app is currently holding the xtables lock. Perhaps you want to use the -w option? Failed to stop iptables.service: Unit iptables.service not loaded. Failed to stop iptables.service: Unit iptables.service not loaded. Failed to stop firewalld.service: Unit firewalld.service not loaded. sh: 1: history: not found Failed to stop firewalld.service: Unit firewalld.service not loaded. sh: 1: history: not found Failed to stop iptables.service: Unit iptables.service not loaded. Failed to stop firewalld.service: Unit firewalld.service not loaded. sh: 1: history: not found Failed to stop iptables.service: Unit iptables.service not loaded. Failed to stop firewalld.service: Unit firewalld.service not loaded. sh: 1: history: not found Failed to stop iptables.service: Unit iptables.service not loaded. Failed to stop firewalld.service: Unit firewalld.service not loaded. sh: 1: history: not found

Process Tree

system is lnxubuntu20

ahuFoyOKGg (PID: 5208, Parent: 5107, MD5: 7dc1c0e23cd5e102bb12e5c29403410e) Arguments: /tmp/ahuFoyOKGg

ahuFoyOKGg New Fork (PID: 5210, Parent: 5208)

ahuFoyOKGg New Fork (PID: 5211, Parent: 5208)

ahuFoyOKGg New Fork (PID: 5215, Parent: 5211)

ahuFoyOKGg New Fork (PID: 5228, Parent: 5215)

ahuFoyOKGg New Fork (PID: 5230, Parent: 5228)

ahuFoyOKGg New Fork (PID: 5232, Parent: 5230)

sh (PID: 5232, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*"

sh New Fork (PID: 5234, Parent: 5232)

rm (PID: 5234, Parent: 5232, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /tmp/* /var/lib /var/local /var/lock /var/log /var/mail /var/metrics /var/opt /var/run /var/snap /var/spool /var/tmp /var/run/NetworkManager /var/run/acpid.pid /var/run/acpid.socket /var/run/apport.lock /var/run/avahi-daemon /var/run/blkid /var/run/cloud-init /var/run/console-setup /var/run/crond.pid /var/run/crond.reboot /var/run/cryptsetup /var/run/cups /var/run/dbus /var/run/dmeventd-client /var/run/dmeventd-server /var/run/gdm3 /var/run/gdm3.pid /var/run/initctl /var/run/initramfs /var/run/irqbalance /var/run/lock /var/run/log /var/run/lvm /var/run/mlocate.daily.lock /var/run/mono-xsp4 /var/run/mono-xsp4.pid /var/run/motd.d /var/run/mount /var/run/multipathd.pid /var/run/netns /var/run/network /var/run/screen /var/run/sendsigs.omit.d /var/run/shm /var/run/snapd /var/run/snapd-snap.socket /var/run/snapd.socket /var/run/speech-dispatcher /var/run/spice-vdagentd /var/run/sshd /var/run/sshd.pid /var/run/sudo /var/run/systemd /var/run/tmpfiles.d /var/run/udev /var/run/udisks2 /var/run/unattended-upgrades.lock /var/run/user /var/run/utmp /var/run/uuidd /var/run/vmware /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-ModemManager.service-J6Q1Te /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-colord.service-srP90f /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-fwupd.service-biJ0Gi /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-switcheroo-control.service-1jIxdj /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-llmWag /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-resolved.service-X16eHh /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-upower.service-GpSnaf

ahuFoyOKGg New Fork (PID: 5243, Parent: 5230)

sh (PID: 5243, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /var/log/wtmp"

sh New Fork (PID: 5246, Parent: 5243)

rm (PID: 5246, Parent: 5243, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /var/log/wtmp

ahuFoyOKGg New Fork (PID: 5249, Parent: 5230)

sh (PID: 5249, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /tmp/*"

sh New Fork (PID: 5252, Parent: 5249)

rm (PID: 5252, Parent: 5249, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /tmp/*

ahuFoyOKGg New Fork (PID: 5255, Parent: 5230)

sh (PID: 5255, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /bin/netstat"

sh New Fork (PID: 5258, Parent: 5255)

rm (PID: 5258, Parent: 5255, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /bin/netstat

ahuFoyOKGg New Fork (PID: 5259, Parent: 5230)

sh (PID: 5259, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "iptables -F"

sh New Fork (PID: 5264, Parent: 5259)

iptables (PID: 5264, Parent: 5259, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -F

ahuFoyOKGg New Fork (PID: 5268, Parent: 5230)

sh (PID: 5268, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 busybox"

sh New Fork (PID: 5271, Parent: 5268)

pkill (PID: 5271, Parent: 5268, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 busybox

ahuFoyOKGg New Fork (PID: 5277, Parent: 5230)

sh (PID: 5277, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 perl"

sh New Fork (PID: 5281, Parent: 5277)

pkill (PID: 5281, Parent: 5277, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 perl

ahuFoyOKGg New Fork (PID: 5285, Parent: 5230)

sh (PID: 5285, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 python"

sh New Fork (PID: 5287, Parent: 5285)

pkill (PID: 5287, Parent: 5285, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 python

ahuFoyOKGg New Fork (PID: 5293, Parent: 5230)

sh (PID: 5293, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "service iptables stop"

sh New Fork (PID: 5295, Parent: 5293)

service (PID: 5295, Parent: 5293, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: service iptables stop

service New Fork (PID: 5296, Parent: 5295)

basename (PID: 5296, Parent: 5295, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service

service New Fork (PID: 5297, Parent: 5295)

basename (PID: 5297, Parent: 5295, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service

service New Fork (PID: 5298, Parent: 5295)

systemctl (PID: 5298, Parent: 5295, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl --quiet is-active multi-user.target

service New Fork (PID: 5299, Parent: 5295)

service New Fork (PID: 5300, Parent: 5299)

systemctl (PID: 5300, Parent: 5299, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl list-unit-files --full --type=socket

service New Fork (PID: 5301, Parent: 5299)

sed (PID: 5301, Parent: 5299, MD5: 885062561f66aa1d4af4c54b9e7cc81a) Arguments: sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p

systemctl (PID: 5295, Parent: 5293, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl stop iptables.service

ahuFoyOKGg New Fork (PID: 5313, Parent: 5230)

sh (PID: 5313, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "/sbin/iptables -F; /sbin/iptables -X"

sh New Fork (PID: 5315, Parent: 5313)

iptables (PID: 5315, Parent: 5313, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: /sbin/iptables -F

sh New Fork (PID: 5316, Parent: 5313)

iptables (PID: 5316, Parent: 5313, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: /sbin/iptables -X

ahuFoyOKGg New Fork (PID: 5317, Parent: 5230)

sh (PID: 5317, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "service firewalld stop"

sh New Fork (PID: 5319, Parent: 5317)

service (PID: 5319, Parent: 5317, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: service firewalld stop

service New Fork (PID: 5320, Parent: 5319)

basename (PID: 5320, Parent: 5319, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service

service New Fork (PID: 5321, Parent: 5319)

basename (PID: 5321, Parent: 5319, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service

service New Fork (PID: 5322, Parent: 5319)

systemctl (PID: 5322, Parent: 5319, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl --quiet is-active multi-user.target

service New Fork (PID: 5323, Parent: 5319)

service New Fork (PID: 5324, Parent: 5323)

systemctl (PID: 5324, Parent: 5323, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl list-unit-files --full --type=socket

service New Fork (PID: 5325, Parent: 5323)

sed (PID: 5325, Parent: 5323, MD5: 885062561f66aa1d4af4c54b9e7cc81a) Arguments: sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p

systemctl (PID: 5319, Parent: 5317, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl stop firewalld.service

ahuFoyOKGg New Fork (PID: 5341, Parent: 5230)

sh (PID: 5341, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf ~/.bash_history"

sh New Fork (PID: 5343, Parent: 5341)

rm (PID: 5343, Parent: 5341, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /root/.bash_history

ahuFoyOKGg New Fork (PID: 5344, Parent: 5230)

sh (PID: 5344, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "history -c"

ahuFoyOKGg New Fork (PID: 5347, Parent: 5230)

sh (PID: 5347, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*"

sh New Fork (PID: 5349, Parent: 5347)

rm (PID: 5349, Parent: 5347, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /tmp/* /var/cache /var/run/* /var/tmp/*

ahuFoyOKGg New Fork (PID: 5350, Parent: 5230)

sh (PID: 5350, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /var/log/wtmp"

sh New Fork (PID: 5352, Parent: 5350)

rm (PID: 5352, Parent: 5350, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /var/log/wtmp

ahuFoyOKGg New Fork (PID: 5353, Parent: 5230)

sh (PID: 5353, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /tmp/*"

sh New Fork (PID: 5355, Parent: 5353)

rm (PID: 5355, Parent: 5353, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /tmp/*

ahuFoyOKGg New Fork (PID: 5356, Parent: 5230)

sh (PID: 5356, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /bin/netstat"

sh New Fork (PID: 5358, Parent: 5356)

rm (PID: 5358, Parent: 5356, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /bin/netstat

ahuFoyOKGg New Fork (PID: 5359, Parent: 5230)

sh (PID: 5359, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "iptables -F"

sh New Fork (PID: 5361, Parent: 5359)

iptables (PID: 5361, Parent: 5359, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -F

ahuFoyOKGg New Fork (PID: 5362, Parent: 5230)

sh (PID: 5362, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 busybox"

sh New Fork (PID: 5364, Parent: 5362)

pkill (PID: 5364, Parent: 5362, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 busybox

ahuFoyOKGg New Fork (PID: 5372, Parent: 5230)

sh (PID: 5372, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 perl"

sh New Fork (PID: 5374, Parent: 5372)

pkill (PID: 5374, Parent: 5372, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 perl

ahuFoyOKGg New Fork (PID: 5380, Parent: 5230)

sh (PID: 5380, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 python"

sh New Fork (PID: 5382, Parent: 5380)

pkill (PID: 5382, Parent: 5380, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 python

ahuFoyOKGg New Fork (PID: 5383, Parent: 5230)

sh (PID: 5383, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "service iptables stop"

sh New Fork (PID: 5385, Parent: 5383)

service (PID: 5385, Parent: 5383, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: service iptables stop

service New Fork (PID: 5386, Parent: 5385)

basename (PID: 5386, Parent: 5385, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service

service New Fork (PID: 5387, Parent: 5385)

basename (PID: 5387, Parent: 5385, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service

service New Fork (PID: 5388, Parent: 5385)

systemctl (PID: 5388, Parent: 5385, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl --quiet is-active multi-user.target

service New Fork (PID: 5389, Parent: 5385)

service New Fork (PID: 5390, Parent: 5389)

systemctl (PID: 5390, Parent: 5389, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl list-unit-files --full --type=socket

service New Fork (PID: 5391, Parent: 5389)

sed (PID: 5391, Parent: 5389, MD5: 885062561f66aa1d4af4c54b9e7cc81a) Arguments: sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p

systemctl (PID: 5385, Parent: 5383, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl stop iptables.service

ahuFoyOKGg New Fork (PID: 5395, Parent: 5230)

sh (PID: 5395, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "/sbin/iptables -F; /sbin/iptables -X"

sh New Fork (PID: 5397, Parent: 5395)

iptables (PID: 5397, Parent: 5395, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: /sbin/iptables -F

sh New Fork (PID: 5398, Parent: 5395)

iptables (PID: 5398, Parent: 5395, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: /sbin/iptables -X

ahuFoyOKGg New Fork (PID: 5399, Parent: 5230)

sh (PID: 5399, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "service firewalld stop"

sh New Fork (PID: 5401, Parent: 5399)

service (PID: 5401, Parent: 5399, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: service firewalld stop

service New Fork (PID: 5402, Parent: 5401)

basename (PID: 5402, Parent: 5401, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service

service New Fork (PID: 5403, Parent: 5401)

basename (PID: 5403, Parent: 5401, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service

service New Fork (PID: 5404, Parent: 5401)

systemctl (PID: 5404, Parent: 5401, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl --quiet is-active multi-user.target

service New Fork (PID: 5405, Parent: 5401)

service New Fork (PID: 5406, Parent: 5405)

systemctl (PID: 5406, Parent: 5405, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl list-unit-files --full --type=socket

service New Fork (PID: 5407, Parent: 5405)

sed (PID: 5407, Parent: 5405, MD5: 885062561f66aa1d4af4c54b9e7cc81a) Arguments: sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p

systemctl (PID: 5401, Parent: 5399, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl stop firewalld.service

ahuFoyOKGg New Fork (PID: 5408, Parent: 5230)

sh (PID: 5408, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf ~/.bash_history"

sh New Fork (PID: 5410, Parent: 5408)

rm (PID: 5410, Parent: 5408, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /root/.bash_history

ahuFoyOKGg New Fork (PID: 5411, Parent: 5230)

sh (PID: 5411, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "history -c"

ahuFoyOKGg New Fork (PID: 5415, Parent: 5230)

sh (PID: 5415, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*"

sh New Fork (PID: 5417, Parent: 5415)

rm (PID: 5417, Parent: 5415, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /tmp/* /var/* /var/run/* /var/tmp/*

ahuFoyOKGg New Fork (PID: 5418, Parent: 5230)

sh (PID: 5418, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /var/log/wtmp"

sh New Fork (PID: 5420, Parent: 5418)

rm (PID: 5420, Parent: 5418, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /var/log/wtmp

ahuFoyOKGg New Fork (PID: 5421, Parent: 5230)

sh (PID: 5421, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /tmp/*"

sh New Fork (PID: 5423, Parent: 5421)

rm (PID: 5423, Parent: 5421, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /tmp/*

ahuFoyOKGg New Fork (PID: 5424, Parent: 5230)

sh (PID: 5424, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /bin/netstat"

sh New Fork (PID: 5426, Parent: 5424)

rm (PID: 5426, Parent: 5424, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /bin/netstat

ahuFoyOKGg New Fork (PID: 5427, Parent: 5230)

sh (PID: 5427, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "iptables -F"

sh New Fork (PID: 5429, Parent: 5427)

iptables (PID: 5429, Parent: 5427, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -F

ahuFoyOKGg New Fork (PID: 5430, Parent: 5230)

sh (PID: 5430, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 busybox"

sh New Fork (PID: 5432, Parent: 5430)

pkill (PID: 5432, Parent: 5430, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 busybox

ahuFoyOKGg New Fork (PID: 5433, Parent: 5230)

sh (PID: 5433, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 perl"

sh New Fork (PID: 5435, Parent: 5433)

pkill (PID: 5435, Parent: 5433, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 perl

ahuFoyOKGg New Fork (PID: 5438, Parent: 5230)

sh (PID: 5438, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 python"

sh New Fork (PID: 5440, Parent: 5438)

pkill (PID: 5440, Parent: 5438, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 python

ahuFoyOKGg New Fork (PID: 5441, Parent: 5230)

sh (PID: 5441, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "service iptables stop"

sh New Fork (PID: 5443, Parent: 5441)

service (PID: 5443, Parent: 5441, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: service iptables stop

service New Fork (PID: 5444, Parent: 5443)

basename (PID: 5444, Parent: 5443, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service

service New Fork (PID: 5445, Parent: 5443)

basename (PID: 5445, Parent: 5443, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service

service New Fork (PID: 5446, Parent: 5443)

systemctl (PID: 5446, Parent: 5443, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl --quiet is-active multi-user.target

service New Fork (PID: 5447, Parent: 5443)

service New Fork (PID: 5448, Parent: 5447)

systemctl (PID: 5448, Parent: 5447, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl list-unit-files --full --type=socket

service New Fork (PID: 5449, Parent: 5447)

sed (PID: 5449, Parent: 5447, MD5: 885062561f66aa1d4af4c54b9e7cc81a) Arguments: sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p

systemctl (PID: 5443, Parent: 5441, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl stop iptables.service

ahuFoyOKGg New Fork (PID: 5452, Parent: 5230)

sh (PID: 5452, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "/sbin/iptables -F; /sbin/iptables -X"

sh New Fork (PID: 5454, Parent: 5452)

iptables (PID: 5454, Parent: 5452, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: /sbin/iptables -F

sh New Fork (PID: 5455, Parent: 5452)

iptables (PID: 5455, Parent: 5452, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: /sbin/iptables -X

ahuFoyOKGg New Fork (PID: 5456, Parent: 5230)

sh (PID: 5456, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "service firewalld stop"

sh New Fork (PID: 5458, Parent: 5456)

service (PID: 5458, Parent: 5456, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: service firewalld stop

service New Fork (PID: 5459, Parent: 5458)

basename (PID: 5459, Parent: 5458, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service

service New Fork (PID: 5460, Parent: 5458)

basename (PID: 5460, Parent: 5458, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service

service New Fork (PID: 5461, Parent: 5458)

systemctl (PID: 5461, Parent: 5458, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl --quiet is-active multi-user.target

service New Fork (PID: 5462, Parent: 5458)

service New Fork (PID: 5463, Parent: 5462)

systemctl (PID: 5463, Parent: 5462, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl list-unit-files --full --type=socket

service New Fork (PID: 5464, Parent: 5462)

sed (PID: 5464, Parent: 5462, MD5: 885062561f66aa1d4af4c54b9e7cc81a) Arguments: sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p

systemctl (PID: 5458, Parent: 5456, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl stop firewalld.service

ahuFoyOKGg New Fork (PID: 5467, Parent: 5230)

sh (PID: 5467, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf ~/.bash_history"

sh New Fork (PID: 5469, Parent: 5467)

rm (PID: 5469, Parent: 5467, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /root/.bash_history

ahuFoyOKGg New Fork (PID: 5470, Parent: 5230)

sh (PID: 5470, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "history -c"

ahuFoyOKGg New Fork (PID: 5472, Parent: 5230)

sh (PID: 5472, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*"

sh New Fork (PID: 5474, Parent: 5472)

rm (PID: 5474, Parent: 5472, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /tmp/* /var/* /var/run/* /var/tmp/*

ahuFoyOKGg New Fork (PID: 5475, Parent: 5230)

sh (PID: 5475, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /var/log/wtmp"

sh New Fork (PID: 5477, Parent: 5475)

rm (PID: 5477, Parent: 5475, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /var/log/wtmp

ahuFoyOKGg New Fork (PID: 5478, Parent: 5230)

sh (PID: 5478, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /tmp/*"

sh New Fork (PID: 5480, Parent: 5478)

rm (PID: 5480, Parent: 5478, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /tmp/*

ahuFoyOKGg New Fork (PID: 5481, Parent: 5230)

sh (PID: 5481, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /bin/netstat"

sh New Fork (PID: 5483, Parent: 5481)

rm (PID: 5483, Parent: 5481, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /bin/netstat

ahuFoyOKGg New Fork (PID: 5484, Parent: 5230)

sh (PID: 5484, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "iptables -F"

sh New Fork (PID: 5486, Parent: 5484)

iptables (PID: 5486, Parent: 5484, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -F

ahuFoyOKGg New Fork (PID: 5487, Parent: 5230)

sh (PID: 5487, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 busybox"

sh New Fork (PID: 5490, Parent: 5487)

pkill (PID: 5490, Parent: 5487, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 busybox

ahuFoyOKGg New Fork (PID: 5493, Parent: 5230)

sh (PID: 5493, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 perl"

sh New Fork (PID: 5495, Parent: 5493)

pkill (PID: 5495, Parent: 5493, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 perl

ahuFoyOKGg New Fork (PID: 5496, Parent: 5230)

sh (PID: 5496, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 python"

sh New Fork (PID: 5498, Parent: 5496)

pkill (PID: 5498, Parent: 5496, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 python

ahuFoyOKGg New Fork (PID: 5501, Parent: 5230)

sh (PID: 5501, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "service iptables stop"

sh New Fork (PID: 5503, Parent: 5501)

service (PID: 5503, Parent: 5501, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: service iptables stop

service New Fork (PID: 5504, Parent: 5503)

basename (PID: 5504, Parent: 5503, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service

service New Fork (PID: 5505, Parent: 5503)

basename (PID: 5505, Parent: 5503, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service

service New Fork (PID: 5506, Parent: 5503)

systemctl (PID: 5506, Parent: 5503, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl --quiet is-active multi-user.target

service New Fork (PID: 5507, Parent: 5503)

service New Fork (PID: 5508, Parent: 5507)

systemctl (PID: 5508, Parent: 5507, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl list-unit-files --full --type=socket

service New Fork (PID: 5509, Parent: 5507)

sed (PID: 5509, Parent: 5507, MD5: 885062561f66aa1d4af4c54b9e7cc81a) Arguments: sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p

systemctl (PID: 5503, Parent: 5501, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl stop iptables.service

ahuFoyOKGg New Fork (PID: 5532, Parent: 5230)

sh (PID: 5532, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "/sbin/iptables -F; /sbin/iptables -X"

sh New Fork (PID: 5534, Parent: 5532)

iptables (PID: 5534, Parent: 5532, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: /sbin/iptables -F

sh New Fork (PID: 5535, Parent: 5532)

iptables (PID: 5535, Parent: 5532, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: /sbin/iptables -X

ahuFoyOKGg New Fork (PID: 5536, Parent: 5230)

sh (PID: 5536, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "service firewalld stop"

sh New Fork (PID: 5538, Parent: 5536)

service (PID: 5538, Parent: 5536, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: service firewalld stop

service New Fork (PID: 5539, Parent: 5538)

basename (PID: 5539, Parent: 5538, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service

service New Fork (PID: 5540, Parent: 5538)

basename (PID: 5540, Parent: 5538, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service

service New Fork (PID: 5541, Parent: 5538)

systemctl (PID: 5541, Parent: 5538, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl --quiet is-active multi-user.target

service New Fork (PID: 5544, Parent: 5538)

service New Fork (PID: 5545, Parent: 5544)

systemctl (PID: 5545, Parent: 5544, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl list-unit-files --full --type=socket

service New Fork (PID: 5546, Parent: 5544)

sed (PID: 5546, Parent: 5544, MD5: 885062561f66aa1d4af4c54b9e7cc81a) Arguments: sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p

systemctl (PID: 5538, Parent: 5536, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl stop firewalld.service

ahuFoyOKGg New Fork (PID: 5547, Parent: 5230)

sh (PID: 5547, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf ~/.bash_history"

sh New Fork (PID: 5549, Parent: 5547)

rm (PID: 5549, Parent: 5547, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /root/.bash_history

ahuFoyOKGg New Fork (PID: 5550, Parent: 5230)

sh (PID: 5550, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "history -c"

ahuFoyOKGg New Fork (PID: 5552, Parent: 5230)

sh (PID: 5552, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*"

sh New Fork (PID: 5554, Parent: 5552)

rm (PID: 5554, Parent: 5552, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /tmp/* /var/* /var/run/* /var/tmp/*

ahuFoyOKGg New Fork (PID: 5555, Parent: 5230)

sh (PID: 5555, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /var/log/wtmp"

sh New Fork (PID: 5557, Parent: 5555)

rm (PID: 5557, Parent: 5555, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /var/log/wtmp

ahuFoyOKGg New Fork (PID: 5558, Parent: 5230)

sh (PID: 5558, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /tmp/*"

sh New Fork (PID: 5560, Parent: 5558)

rm (PID: 5560, Parent: 5558, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /tmp/*

ahuFoyOKGg New Fork (PID: 5561, Parent: 5230)

sh (PID: 5561, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /bin/netstat"

sh New Fork (PID: 5563, Parent: 5561)

rm (PID: 5563, Parent: 5561, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /bin/netstat

ahuFoyOKGg New Fork (PID: 5564, Parent: 5230)

sh (PID: 5564, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "iptables -F"

sh New Fork (PID: 5566, Parent: 5564)

iptables (PID: 5566, Parent: 5564, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -F

ahuFoyOKGg New Fork (PID: 5567, Parent: 5230)

sh (PID: 5567, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 busybox"

sh New Fork (PID: 5569, Parent: 5567)

pkill (PID: 5569, Parent: 5567, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 busybox

ahuFoyOKGg New Fork (PID: 5572, Parent: 5230)

sh (PID: 5572, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 perl"

sh New Fork (PID: 5574, Parent: 5572)

pkill (PID: 5574, Parent: 5572, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 perl

ahuFoyOKGg New Fork (PID: 5576, Parent: 5230)

sh (PID: 5576, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 python"

sh New Fork (PID: 5578, Parent: 5576)

pkill (PID: 5578, Parent: 5576, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 python

ahuFoyOKGg New Fork (PID: 5581, Parent: 5230)

sh (PID: 5581, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "service iptables stop"

sh New Fork (PID: 5583, Parent: 5581)

service (PID: 5583, Parent: 5581, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: service iptables stop

service New Fork (PID: 5584, Parent: 5583)

basename (PID: 5584, Parent: 5583, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service

service New Fork (PID: 5585, Parent: 5583)

basename (PID: 5585, Parent: 5583, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service

service New Fork (PID: 5586, Parent: 5583)

systemctl (PID: 5586, Parent: 5583, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl --quiet is-active multi-user.target

service New Fork (PID: 5587, Parent: 5583)

service New Fork (PID: 5588, Parent: 5587)

systemctl (PID: 5588, Parent: 5587, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl list-unit-files --full --type=socket

service New Fork (PID: 5589, Parent: 5587)

sed (PID: 5589, Parent: 5587, MD5: 885062561f66aa1d4af4c54b9e7cc81a) Arguments: sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p

systemctl (PID: 5583, Parent: 5581, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl stop iptables.service

ahuFoyOKGg New Fork (PID: 5590, Parent: 5230)

sh (PID: 5590, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "/sbin/iptables -F; /sbin/iptables -X"

sh New Fork (PID: 5592, Parent: 5590)

iptables (PID: 5592, Parent: 5590, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: /sbin/iptables -F

sh New Fork (PID: 5593, Parent: 5590)

iptables (PID: 5593, Parent: 5590, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: /sbin/iptables -X

ahuFoyOKGg New Fork (PID: 5594, Parent: 5230)

sh (PID: 5594, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "service firewalld stop"

sh New Fork (PID: 5596, Parent: 5594)

service (PID: 5596, Parent: 5594, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: service firewalld stop

service New Fork (PID: 5597, Parent: 5596)

basename (PID: 5597, Parent: 5596, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service

service New Fork (PID: 5598, Parent: 5596)

basename (PID: 5598, Parent: 5596, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service

service New Fork (PID: 5599, Parent: 5596)

systemctl (PID: 5599, Parent: 5596, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl --quiet is-active multi-user.target

service New Fork (PID: 5602, Parent: 5596)

service New Fork (PID: 5603, Parent: 5602)

systemctl (PID: 5603, Parent: 5602, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl list-unit-files --full --type=socket

service New Fork (PID: 5604, Parent: 5602)

sed (PID: 5604, Parent: 5602, MD5: 885062561f66aa1d4af4c54b9e7cc81a) Arguments: sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p

systemctl (PID: 5596, Parent: 5594, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl stop firewalld.service

ahuFoyOKGg New Fork (PID: 5605, Parent: 5230)

sh (PID: 5605, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf ~/.bash_history"

sh New Fork (PID: 5607, Parent: 5605)

rm (PID: 5607, Parent: 5605, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /root/.bash_history

ahuFoyOKGg New Fork (PID: 5608, Parent: 5230)

sh (PID: 5608, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "history -c"

ahuFoyOKGg New Fork (PID: 5610, Parent: 5230)

sh (PID: 5610, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*"

sh New Fork (PID: 5612, Parent: 5610)

rm (PID: 5612, Parent: 5610, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /tmp/* /var/* /var/run/* /var/tmp/*

ahuFoyOKGg New Fork (PID: 5613, Parent: 5230)

sh (PID: 5613, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /var/log/wtmp"

sh New Fork (PID: 5615, Parent: 5613)

rm (PID: 5615, Parent: 5613, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /var/log/wtmp

ahuFoyOKGg New Fork (PID: 5616, Parent: 5230)

sh (PID: 5616, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /tmp/*"

sh New Fork (PID: 5618, Parent: 5616)

rm (PID: 5618, Parent: 5616, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /tmp/*

ahuFoyOKGg New Fork (PID: 5619, Parent: 5230)

sh (PID: 5619, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /bin/netstat"

sh New Fork (PID: 5621, Parent: 5619)

rm (PID: 5621, Parent: 5619, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /bin/netstat

ahuFoyOKGg New Fork (PID: 5622, Parent: 5230)

sh (PID: 5622, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "iptables -F"

sh New Fork (PID: 5624, Parent: 5622)

iptables (PID: 5624, Parent: 5622, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -F

ahuFoyOKGg New Fork (PID: 5625, Parent: 5230)

sh (PID: 5625, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 busybox"

sh New Fork (PID: 5627, Parent: 5625)

pkill (PID: 5627, Parent: 5625, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 busybox

ahuFoyOKGg New Fork (PID: 5631, Parent: 5230)

sh (PID: 5631, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 perl"

sh New Fork (PID: 5633, Parent: 5631)

pkill (PID: 5633, Parent: 5631, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 perl

ahuFoyOKGg New Fork (PID: 5636, Parent: 5230)

sh (PID: 5636, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 python"

sh New Fork (PID: 5638, Parent: 5636)

pkill (PID: 5638, Parent: 5636, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 python

ahuFoyOKGg New Fork (PID: 5641, Parent: 5230)

sh (PID: 5641, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "service iptables stop"

sh New Fork (PID: 5643, Parent: 5641)

service (PID: 5643, Parent: 5641, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: service iptables stop

service New Fork (PID: 5644, Parent: 5643)

basename (PID: 5644, Parent: 5643, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service

service New Fork (PID: 5645, Parent: 5643)

basename (PID: 5645, Parent: 5643, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service

service New Fork (PID: 5646, Parent: 5643)

systemctl (PID: 5646, Parent: 5643, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl --quiet is-active multi-user.target

service New Fork (PID: 5647, Parent: 5643)

service New Fork (PID: 5648, Parent: 5647)

systemctl (PID: 5648, Parent: 5647, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl list-unit-files --full --type=socket

service New Fork (PID: 5649, Parent: 5647)

sed (PID: 5649, Parent: 5647, MD5: 885062561f66aa1d4af4c54b9e7cc81a) Arguments: sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p

systemctl (PID: 5643, Parent: 5641, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl stop iptables.service

ahuFoyOKGg New Fork (PID: 5650, Parent: 5230)

sh (PID: 5650, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "/sbin/iptables -F; /sbin/iptables -X"

sh New Fork (PID: 5652, Parent: 5650)

iptables (PID: 5652, Parent: 5650, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: /sbin/iptables -F

sh New Fork (PID: 5653, Parent: 5650)

iptables (PID: 5653, Parent: 5650, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: /sbin/iptables -X

ahuFoyOKGg New Fork (PID: 5654, Parent: 5230)

sh (PID: 5654, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "service firewalld stop"

sh New Fork (PID: 5656, Parent: 5654)

service (PID: 5656, Parent: 5654, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: service firewalld stop

service New Fork (PID: 5657, Parent: 5656)

basename (PID: 5657, Parent: 5656, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service

service New Fork (PID: 5658, Parent: 5656)

basename (PID: 5658, Parent: 5656, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service

service New Fork (PID: 5659, Parent: 5656)

systemctl (PID: 5659, Parent: 5656, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl --quiet is-active multi-user.target

service New Fork (PID: 5660, Parent: 5656)

service New Fork (PID: 5661, Parent: 5660)

systemctl (PID: 5661, Parent: 5660, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl list-unit-files --full --type=socket

service New Fork (PID: 5662, Parent: 5660)

sed (PID: 5662, Parent: 5660, MD5: 885062561f66aa1d4af4c54b9e7cc81a) Arguments: sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p

systemctl (PID: 5656, Parent: 5654, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl stop firewalld.service

ahuFoyOKGg New Fork (PID: 5665, Parent: 5230)

sh (PID: 5665, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf ~/.bash_history"

sh New Fork (PID: 5667, Parent: 5665)

rm (PID: 5667, Parent: 5665, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /root/.bash_history

ahuFoyOKGg New Fork (PID: 5668, Parent: 5230)

sh (PID: 5668, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "history -c"

ahuFoyOKGg New Fork (PID: 5670, Parent: 5230)

sh (PID: 5670, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*"

sh New Fork (PID: 5672, Parent: 5670)

rm (PID: 5672, Parent: 5670, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /tmp/* /var/* /var/run/* /var/tmp/*

ahuFoyOKGg New Fork (PID: 5673, Parent: 5230)

sh (PID: 5673, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /var/log/wtmp"

sh New Fork (PID: 5675, Parent: 5673)

rm (PID: 5675, Parent: 5673, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /var/log/wtmp

ahuFoyOKGg New Fork (PID: 5676, Parent: 5230)

sh (PID: 5676, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /tmp/*"

sh New Fork (PID: 5678, Parent: 5676)

rm (PID: 5678, Parent: 5676, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /tmp/*

ahuFoyOKGg New Fork (PID: 5679, Parent: 5230)

sh (PID: 5679, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /bin/netstat"

sh New Fork (PID: 5681, Parent: 5679)

rm (PID: 5681, Parent: 5679, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /bin/netstat

ahuFoyOKGg New Fork (PID: 5682, Parent: 5230)

sh (PID: 5682, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "iptables -F"

sh New Fork (PID: 5684, Parent: 5682)

iptables (PID: 5684, Parent: 5682, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -F

ahuFoyOKGg New Fork (PID: 5685, Parent: 5230)

sh (PID: 5685, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 busybox"

sh New Fork (PID: 5687, Parent: 5685)

pkill (PID: 5687, Parent: 5685, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 busybox

ahuFoyOKGg New Fork (PID: 5690, Parent: 5230)

sh (PID: 5690, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 perl"

sh New Fork (PID: 5692, Parent: 5690)

pkill (PID: 5692, Parent: 5690, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 perl

ahuFoyOKGg New Fork (PID: 5693, Parent: 5230)

sh (PID: 5693, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 python"

sh New Fork (PID: 5695, Parent: 5693)

pkill (PID: 5695, Parent: 5693, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 python

ahuFoyOKGg New Fork (PID: 5698, Parent: 5230)

sh (PID: 5698, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "service iptables stop"

sh New Fork (PID: 5700, Parent: 5698)

service (PID: 5700, Parent: 5698, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: service iptables stop

service New Fork (PID: 5701, Parent: 5700)

basename (PID: 5701, Parent: 5700, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service

service New Fork (PID: 5702, Parent: 5700)

basename (PID: 5702, Parent: 5700, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service

service New Fork (PID: 5703, Parent: 5700)

systemctl (PID: 5703, Parent: 5700, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl --quiet is-active multi-user.target

service New Fork (PID: 5704, Parent: 5700)

service New Fork (PID: 5705, Parent: 5704)

systemctl (PID: 5705, Parent: 5704, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl list-unit-files --full --type=socket

service New Fork (PID: 5706, Parent: 5704)

sed (PID: 5706, Parent: 5704, MD5: 885062561f66aa1d4af4c54b9e7cc81a) Arguments: sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p

systemctl (PID: 5700, Parent: 5698, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl stop iptables.service

ahuFoyOKGg New Fork (PID: 5707, Parent: 5230)

sh (PID: 5707, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "/sbin/iptables -F; /sbin/iptables -X"

sh New Fork (PID: 5709, Parent: 5707)

iptables (PID: 5709, Parent: 5707, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: /sbin/iptables -F

sh New Fork (PID: 5710, Parent: 5707)

iptables (PID: 5710, Parent: 5707, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: /sbin/iptables -X

ahuFoyOKGg New Fork (PID: 5711, Parent: 5230)

sh (PID: 5711, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "service firewalld stop"

sh New Fork (PID: 5713, Parent: 5711)

service (PID: 5713, Parent: 5711, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: service firewalld stop

service New Fork (PID: 5714, Parent: 5713)

basename (PID: 5714, Parent: 5713, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service

service New Fork (PID: 5715, Parent: 5713)

basename (PID: 5715, Parent: 5713, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service

service New Fork (PID: 5718, Parent: 5713)

systemctl (PID: 5718, Parent: 5713, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl --quiet is-active multi-user.target

service New Fork (PID: 5719, Parent: 5713)

service New Fork (PID: 5720, Parent: 5719)

systemctl (PID: 5720, Parent: 5719, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl list-unit-files --full --type=socket

service New Fork (PID: 5721, Parent: 5719)

sed (PID: 5721, Parent: 5719, MD5: 885062561f66aa1d4af4c54b9e7cc81a) Arguments: sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p

systemctl (PID: 5713, Parent: 5711, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl stop firewalld.service

ahuFoyOKGg New Fork (PID: 5722, Parent: 5230)

sh (PID: 5722, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf ~/.bash_history"

sh New Fork (PID: 5724, Parent: 5722)

rm (PID: 5724, Parent: 5722, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /root/.bash_history

ahuFoyOKGg New Fork (PID: 5725, Parent: 5230)

sh (PID: 5725, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "history -c"

ahuFoyOKGg New Fork (PID: 5727, Parent: 5230)

sh (PID: 5727, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*"

sh New Fork (PID: 5729, Parent: 5727)

rm (PID: 5729, Parent: 5727, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /tmp/* /var/* /var/run/* /var/tmp/*

ahuFoyOKGg New Fork (PID: 5730, Parent: 5230)

sh (PID: 5730, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /var/log/wtmp"

sh New Fork (PID: 5732, Parent: 5730)

rm (PID: 5732, Parent: 5730, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /var/log/wtmp

ahuFoyOKGg New Fork (PID: 5733, Parent: 5230)

sh (PID: 5733, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /tmp/*"

sh New Fork (PID: 5735, Parent: 5733)

rm (PID: 5735, Parent: 5733, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /tmp/*

ahuFoyOKGg New Fork (PID: 5736, Parent: 5230)

sh (PID: 5736, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /bin/netstat"

sh New Fork (PID: 5738, Parent: 5736)

rm (PID: 5738, Parent: 5736, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /bin/netstat

ahuFoyOKGg New Fork (PID: 5739, Parent: 5230)

sh (PID: 5739, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "iptables -F"

sh New Fork (PID: 5741, Parent: 5739)

iptables (PID: 5741, Parent: 5739, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -F

ahuFoyOKGg New Fork (PID: 5742, Parent: 5230)

sh (PID: 5742, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 busybox"

sh New Fork (PID: 5744, Parent: 5742)

pkill (PID: 5744, Parent: 5742, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 busybox

ahuFoyOKGg New Fork (PID: 5748, Parent: 5230)

sh (PID: 5748, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 perl"

sh New Fork (PID: 5750, Parent: 5748)

pkill (PID: 5750, Parent: 5748, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 perl

ahuFoyOKGg New Fork (PID: 5752, Parent: 5230)

sh (PID: 5752, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 python"

sh New Fork (PID: 5754, Parent: 5752)

pkill (PID: 5754, Parent: 5752, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 python

ahuFoyOKGg New Fork (PID: 5757, Parent: 5230)

sh (PID: 5757, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "service iptables stop"

sh New Fork (PID: 5759, Parent: 5757)

service (PID: 5759, Parent: 5757, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: service iptables stop

service New Fork (PID: 5760, Parent: 5759)

basename (PID: 5760, Parent: 5759, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service

service New Fork (PID: 5761, Parent: 5759)

basename (PID: 5761, Parent: 5759, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service

service New Fork (PID: 5762, Parent: 5759)

systemctl (PID: 5762, Parent: 5759, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl --quiet is-active multi-user.target

service New Fork (PID: 5763, Parent: 5759)

service New Fork (PID: 5764, Parent: 5763)

systemctl (PID: 5764, Parent: 5763, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl list-unit-files --full --type=socket

service New Fork (PID: 5765, Parent: 5763)

sed (PID: 5765, Parent: 5763, MD5: 885062561f66aa1d4af4c54b9e7cc81a) Arguments: sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p

systemctl (PID: 5759, Parent: 5757, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl stop iptables.service

ahuFoyOKGg New Fork (PID: 5766, Parent: 5230)

sh (PID: 5766, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "/sbin/iptables -F; /sbin/iptables -X"

sh New Fork (PID: 5768, Parent: 5766)

iptables (PID: 5768, Parent: 5766, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: /sbin/iptables -F

sh New Fork (PID: 5771, Parent: 5766)

iptables (PID: 5771, Parent: 5766, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: /sbin/iptables -X

ahuFoyOKGg New Fork (PID: 5772, Parent: 5230)

sh (PID: 5772, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "service firewalld stop"

sh New Fork (PID: 5774, Parent: 5772)

service (PID: 5774, Parent: 5772, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: service firewalld stop

service New Fork (PID: 5775, Parent: 5774)

basename (PID: 5775, Parent: 5774, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service

service New Fork (PID: 5776, Parent: 5774)

basename (PID: 5776, Parent: 5774, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service

service New Fork (PID: 5777, Parent: 5774)

systemctl (PID: 5777, Parent: 5774, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl --quiet is-active multi-user.target

service New Fork (PID: 5778, Parent: 5774)

service New Fork (PID: 5779, Parent: 5778)

systemctl (PID: 5779, Parent: 5778, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl list-unit-files --full --type=socket

service New Fork (PID: 5780, Parent: 5778)

sed (PID: 5780, Parent: 5778, MD5: 885062561f66aa1d4af4c54b9e7cc81a) Arguments: sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p

systemctl (PID: 5774, Parent: 5772, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl stop firewalld.service

ahuFoyOKGg New Fork (PID: 5781, Parent: 5230)

sh (PID: 5781, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf ~/.bash_history"

sh New Fork (PID: 5783, Parent: 5781)

rm (PID: 5783, Parent: 5781, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /root/.bash_history

ahuFoyOKGg New Fork (PID: 5784, Parent: 5230)

sh (PID: 5784, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "history -c"

ahuFoyOKGg New Fork (PID: 5786, Parent: 5230)

sh (PID: 5786, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*"

sh New Fork (PID: 5788, Parent: 5786)

rm (PID: 5788, Parent: 5786, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /tmp/* /var/* /var/run/* /var/tmp/*

ahuFoyOKGg New Fork (PID: 5789, Parent: 5230)

sh (PID: 5789, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /var/log/wtmp"

sh New Fork (PID: 5791, Parent: 5789)

rm (PID: 5791, Parent: 5789, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /var/log/wtmp

ahuFoyOKGg New Fork (PID: 5792, Parent: 5230)

sh (PID: 5792, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /tmp/*"

sh New Fork (PID: 5794, Parent: 5792)

rm (PID: 5794, Parent: 5792, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /tmp/*

ahuFoyOKGg New Fork (PID: 5795, Parent: 5230)

sh (PID: 5795, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /bin/netstat"

sh New Fork (PID: 5797, Parent: 5795)

rm (PID: 5797, Parent: 5795, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /bin/netstat

ahuFoyOKGg New Fork (PID: 5798, Parent: 5230)

sh (PID: 5798, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "iptables -F"

sh New Fork (PID: 5800, Parent: 5798)

iptables (PID: 5800, Parent: 5798, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -F

ahuFoyOKGg New Fork (PID: 5801, Parent: 5230)

sh (PID: 5801, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 busybox"

sh New Fork (PID: 5803, Parent: 5801)

pkill (PID: 5803, Parent: 5801, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 busybox

ahuFoyOKGg New Fork (PID: 5806, Parent: 5230)

sh (PID: 5806, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 perl"

sh New Fork (PID: 5808, Parent: 5806)

pkill (PID: 5808, Parent: 5806, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 perl

ahuFoyOKGg New Fork (PID: 5809, Parent: 5230)

sh (PID: 5809, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 python"

sh New Fork (PID: 5811, Parent: 5809)

pkill (PID: 5811, Parent: 5809, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 python

ahuFoyOKGg New Fork (PID: 5814, Parent: 5230)

sh (PID: 5814, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "service iptables stop"

sh New Fork (PID: 5816, Parent: 5814)

service (PID: 5816, Parent: 5814, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: service iptables stop

service New Fork (PID: 5817, Parent: 5816)

basename (PID: 5817, Parent: 5816, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service

service New Fork (PID: 5818, Parent: 5816)

basename (PID: 5818, Parent: 5816, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service

service New Fork (PID: 5819, Parent: 5816)

systemctl (PID: 5819, Parent: 5816, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl --quiet is-active multi-user.target

service New Fork (PID: 5820, Parent: 5816)

service New Fork (PID: 5821, Parent: 5820)

systemctl (PID: 5821, Parent: 5820, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl list-unit-files --full --type=socket

service New Fork (PID: 5822, Parent: 5820)

sed (PID: 5822, Parent: 5820, MD5: 885062561f66aa1d4af4c54b9e7cc81a) Arguments: sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p

systemctl (PID: 5816, Parent: 5814, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl stop iptables.service

ahuFoyOKGg New Fork (PID: 5823, Parent: 5230)

sh (PID: 5823, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "/sbin/iptables -F; /sbin/iptables -X"

sh New Fork (PID: 5825, Parent: 5823)

iptables (PID: 5825, Parent: 5823, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: /sbin/iptables -F

sh New Fork (PID: 5826, Parent: 5823)

iptables (PID: 5826, Parent: 5823, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: /sbin/iptables -X

ahuFoyOKGg New Fork (PID: 5827, Parent: 5230)

sh (PID: 5827, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "service firewalld stop"

sh New Fork (PID: 5829, Parent: 5827)

service (PID: 5829, Parent: 5827, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: service firewalld stop

service New Fork (PID: 5830, Parent: 5829)

basename (PID: 5830, Parent: 5829, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service

service New Fork (PID: 5831, Parent: 5829)

basename (PID: 5831, Parent: 5829, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service

service New Fork (PID: 5832, Parent: 5829)

systemctl (PID: 5832, Parent: 5829, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl --quiet is-active multi-user.target

service New Fork (PID: 5833, Parent: 5829)

service New Fork (PID: 5834, Parent: 5833)

systemctl (PID: 5834, Parent: 5833, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl list-unit-files --full --type=socket

service New Fork (PID: 5835, Parent: 5833)

sed (PID: 5835, Parent: 5833, MD5: 885062561f66aa1d4af4c54b9e7cc81a) Arguments: sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p

systemctl (PID: 5829, Parent: 5827, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl stop firewalld.service

ahuFoyOKGg New Fork (PID: 5839, Parent: 5230)

sh (PID: 5839, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf ~/.bash_history"

sh New Fork (PID: 5841, Parent: 5839)

rm (PID: 5841, Parent: 5839, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /root/.bash_history

ahuFoyOKGg New Fork (PID: 5842, Parent: 5230)

sh (PID: 5842, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "history -c"

ahuFoyOKGg New Fork (PID: 5844, Parent: 5230)

sh (PID: 5844, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*"

sh New Fork (PID: 5846, Parent: 5844)

rm (PID: 5846, Parent: 5844, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /tmp/* /var/* /var/run/* /var/tmp/*

ahuFoyOKGg New Fork (PID: 5847, Parent: 5230)

sh (PID: 5847, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /var/log/wtmp"

sh New Fork (PID: 5849, Parent: 5847)

rm (PID: 5849, Parent: 5847, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /var/log/wtmp

ahuFoyOKGg New Fork (PID: 5850, Parent: 5230)

sh (PID: 5850, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /tmp/*"

sh New Fork (PID: 5852, Parent: 5850)

rm (PID: 5852, Parent: 5850, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /tmp/*

ahuFoyOKGg New Fork (PID: 5853, Parent: 5230)

sh (PID: 5853, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /bin/netstat"

sh New Fork (PID: 5855, Parent: 5853)

rm (PID: 5855, Parent: 5853, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /bin/netstat

ahuFoyOKGg New Fork (PID: 5856, Parent: 5230)

sh (PID: 5856, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "iptables -F"

sh New Fork (PID: 5858, Parent: 5856)

iptables (PID: 5858, Parent: 5856, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -F

ahuFoyOKGg New Fork (PID: 5859, Parent: 5230)

sh (PID: 5859, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 busybox"

sh New Fork (PID: 5861, Parent: 5859)

pkill (PID: 5861, Parent: 5859, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 busybox

ahuFoyOKGg New Fork (PID: 5865, Parent: 5230)

sh (PID: 5865, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 perl"

sh New Fork (PID: 5867, Parent: 5865)

pkill (PID: 5867, Parent: 5865, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 perl

ahuFoyOKGg New Fork (PID: 5870, Parent: 5230)

sh (PID: 5870, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 python"

sh New Fork (PID: 5872, Parent: 5870)

pkill (PID: 5872, Parent: 5870, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 python

ahuFoyOKGg New Fork (PID: 5875, Parent: 5230)

sh (PID: 5875, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "service iptables stop"

sh New Fork (PID: 5877, Parent: 5875)

service (PID: 5877, Parent: 5875, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: service iptables stop

service New Fork (PID: 5878, Parent: 5877)

basename (PID: 5878, Parent: 5877, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service

service New Fork (PID: 5879, Parent: 5877)

basename (PID: 5879, Parent: 5877, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service

service New Fork (PID: 5880, Parent: 5877)

systemctl (PID: 5880, Parent: 5877, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl --quiet is-active multi-user.target

service New Fork (PID: 5881, Parent: 5877)

service New Fork (PID: 5882, Parent: 5881)

systemctl (PID: 5882, Parent: 5881, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl list-unit-files --full --type=socket

service New Fork (PID: 5883, Parent: 5881)

sed (PID: 5883, Parent: 5881, MD5: 885062561f66aa1d4af4c54b9e7cc81a) Arguments: sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p

systemctl (PID: 5877, Parent: 5875, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl stop iptables.service

ahuFoyOKGg New Fork (PID: 5884, Parent: 5230)

sh (PID: 5884, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "/sbin/iptables -F; /sbin/iptables -X"

sh New Fork (PID: 5886, Parent: 5884)

iptables (PID: 5886, Parent: 5884, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: /sbin/iptables -F

sh New Fork (PID: 5887, Parent: 5884)

iptables (PID: 5887, Parent: 5884, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: /sbin/iptables -X

ahuFoyOKGg New Fork (PID: 5888, Parent: 5230)

sh (PID: 5888, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "service firewalld stop"

sh New Fork (PID: 5890, Parent: 5888)

service (PID: 5890, Parent: 5888, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: service firewalld stop

service New Fork (PID: 5891, Parent: 5890)

basename (PID: 5891, Parent: 5890, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service

service New Fork (PID: 5894, Parent: 5890)

basename (PID: 5894, Parent: 5890, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service

service New Fork (PID: 5895, Parent: 5890)

systemctl (PID: 5895, Parent: 5890, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl --quiet is-active multi-user.target

service New Fork (PID: 5896, Parent: 5890)

service New Fork (PID: 5897, Parent: 5896)

systemctl (PID: 5897, Parent: 5896, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl list-unit-files --full --type=socket

service New Fork (PID: 5898, Parent: 5896)

sed (PID: 5898, Parent: 5896, MD5: 885062561f66aa1d4af4c54b9e7cc81a) Arguments: sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p

systemctl (PID: 5890, Parent: 5888, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl stop firewalld.service

ahuFoyOKGg New Fork (PID: 5899, Parent: 5230)

sh (PID: 5899, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf ~/.bash_history"

sh New Fork (PID: 5901, Parent: 5899)

rm (PID: 5901, Parent: 5899, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /root/.bash_history

ahuFoyOKGg New Fork (PID: 5902, Parent: 5230)

sh (PID: 5902, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "history -c"

ahuFoyOKGg New Fork (PID: 5904, Parent: 5230)

sh (PID: 5904, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*"

sh New Fork (PID: 5906, Parent: 5904)

rm (PID: 5906, Parent: 5904, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /tmp/* /var/* /var/run/* /var/tmp/*

ahuFoyOKGg New Fork (PID: 5907, Parent: 5230)

sh (PID: 5907, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /var/log/wtmp"

sh New Fork (PID: 5909, Parent: 5907)

rm (PID: 5909, Parent: 5907, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /var/log/wtmp

ahuFoyOKGg New Fork (PID: 5910, Parent: 5230)

sh (PID: 5910, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /tmp/*"

sh New Fork (PID: 5912, Parent: 5910)

rm (PID: 5912, Parent: 5910, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /tmp/*

ahuFoyOKGg New Fork (PID: 5913, Parent: 5230)

sh (PID: 5913, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /bin/netstat"

sh New Fork (PID: 5915, Parent: 5913)

rm (PID: 5915, Parent: 5913, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /bin/netstat

ahuFoyOKGg New Fork (PID: 5916, Parent: 5230)

sh (PID: 5916, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "iptables -F"

sh New Fork (PID: 5918, Parent: 5916)

iptables (PID: 5918, Parent: 5916, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -F

ahuFoyOKGg New Fork (PID: 5919, Parent: 5230)

sh (PID: 5919, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 busybox"

sh New Fork (PID: 5921, Parent: 5919)

pkill (PID: 5921, Parent: 5919, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 busybox

ahuFoyOKGg New Fork (PID: 5924, Parent: 5230)

sh (PID: 5924, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 perl"

sh New Fork (PID: 5926, Parent: 5924)

pkill (PID: 5926, Parent: 5924, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 perl

ahuFoyOKGg New Fork (PID: 5927, Parent: 5230)

sh (PID: 5927, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 python"

sh New Fork (PID: 5929, Parent: 5927)

pkill (PID: 5929, Parent: 5927, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 python

ahuFoyOKGg New Fork (PID: 5932, Parent: 5230)

sh (PID: 5932, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "service iptables stop"

sh New Fork (PID: 5934, Parent: 5932)

service (PID: 5934, Parent: 5932, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: service iptables stop

service New Fork (PID: 5935, Parent: 5934)

basename (PID: 5935, Parent: 5934, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service

service New Fork (PID: 5936, Parent: 5934)

basename (PID: 5936, Parent: 5934, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service

service New Fork (PID: 5937, Parent: 5934)

systemctl (PID: 5937, Parent: 5934, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl --quiet is-active multi-user.target

service New Fork (PID: 5938, Parent: 5934)

service New Fork (PID: 5939, Parent: 5938)

systemctl (PID: 5939, Parent: 5938, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl list-unit-files --full --type=socket

service New Fork (PID: 5940, Parent: 5938)

sed (PID: 5940, Parent: 5938, MD5: 885062561f66aa1d4af4c54b9e7cc81a) Arguments: sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p

systemctl (PID: 5934, Parent: 5932, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl stop iptables.service

ahuFoyOKGg New Fork (PID: 5943, Parent: 5230)

sh (PID: 5943, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "/sbin/iptables -F; /sbin/iptables -X"

sh New Fork (PID: 5945, Parent: 5943)

iptables (PID: 5945, Parent: 5943, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: /sbin/iptables -F

sh New Fork (PID: 5946, Parent: 5943)

iptables (PID: 5946, Parent: 5943, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: /sbin/iptables -X

ahuFoyOKGg New Fork (PID: 5947, Parent: 5230)

sh (PID: 5947, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "service firewalld stop"

sh New Fork (PID: 5949, Parent: 5947)

service (PID: 5949, Parent: 5947, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: service firewalld stop

service New Fork (PID: 5950, Parent: 5949)

basename (PID: 5950, Parent: 5949, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service

service New Fork (PID: 5951, Parent: 5949)

basename (PID: 5951, Parent: 5949, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service

service New Fork (PID: 5952, Parent: 5949)

systemctl (PID: 5952, Parent: 5949, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl --quiet is-active multi-user.target

service New Fork (PID: 5953, Parent: 5949)

service New Fork (PID: 5954, Parent: 5953)

systemctl (PID: 5954, Parent: 5953, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl list-unit-files --full --type=socket

service New Fork (PID: 5955, Parent: 5953)

sed (PID: 5955, Parent: 5953, MD5: 885062561f66aa1d4af4c54b9e7cc81a) Arguments: sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p

systemctl (PID: 5949, Parent: 5947, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl stop firewalld.service

ahuFoyOKGg New Fork (PID: 5956, Parent: 5230)

sh (PID: 5956, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf ~/.bash_history"

sh New Fork (PID: 5958, Parent: 5956)

rm (PID: 5958, Parent: 5956, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /root/.bash_history

ahuFoyOKGg New Fork (PID: 5959, Parent: 5230)

sh (PID: 5959, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "history -c"

ahuFoyOKGg New Fork (PID: 5961, Parent: 5230)

sh (PID: 5961, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*"

sh New Fork (PID: 5963, Parent: 5961)

rm (PID: 5963, Parent: 5961, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /tmp/* /var/* /var/run/* /var/tmp/*

ahuFoyOKGg New Fork (PID: 5964, Parent: 5230)

sh (PID: 5964, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /var/log/wtmp"

sh New Fork (PID: 5966, Parent: 5964)

rm (PID: 5966, Parent: 5964, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /var/log/wtmp

ahuFoyOKGg New Fork (PID: 5967, Parent: 5230)

sh (PID: 5967, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /tmp/*"

sh New Fork (PID: 5969, Parent: 5967)

rm (PID: 5969, Parent: 5967, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /tmp/*

ahuFoyOKGg New Fork (PID: 5970, Parent: 5230)

sh (PID: 5970, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /bin/netstat"

sh New Fork (PID: 5972, Parent: 5970)

rm (PID: 5972, Parent: 5970, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /bin/netstat

ahuFoyOKGg New Fork (PID: 5973, Parent: 5230)

sh (PID: 5973, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "iptables -F"

sh New Fork (PID: 5975, Parent: 5973)

iptables (PID: 5975, Parent: 5973, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -F

ahuFoyOKGg New Fork (PID: 5976, Parent: 5230)

sh (PID: 5976, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 busybox"

sh New Fork (PID: 5978, Parent: 5976)

pkill (PID: 5978, Parent: 5976, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 busybox

ahuFoyOKGg New Fork (PID: 5982, Parent: 5230)

sh (PID: 5982, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 perl"

sh New Fork (PID: 5984, Parent: 5982)

pkill (PID: 5984, Parent: 5982, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 perl

ahuFoyOKGg New Fork (PID: 5985, Parent: 5230)

sh (PID: 5985, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 python"

sh New Fork (PID: 5987, Parent: 5985)

pkill (PID: 5987, Parent: 5985, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 python

ahuFoyOKGg New Fork (PID: 5991, Parent: 5230)

sh (PID: 5991, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "service iptables stop"

sh New Fork (PID: 5993, Parent: 5991)

service (PID: 5993, Parent: 5991, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: service iptables stop

service New Fork (PID: 5994, Parent: 5993)

basename (PID: 5994, Parent: 5993, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service

service New Fork (PID: 5995, Parent: 5993)

basename (PID: 5995, Parent: 5993, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service

service New Fork (PID: 5996, Parent: 5993)

systemctl (PID: 5996, Parent: 5993, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl --quiet is-active multi-user.target

service New Fork (PID: 5997, Parent: 5993)

service New Fork (PID: 5998, Parent: 5997)

systemctl (PID: 5998, Parent: 5997, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl list-unit-files --full --type=socket

service New Fork (PID: 5999, Parent: 5997)

sed (PID: 5999, Parent: 5997, MD5: 885062561f66aa1d4af4c54b9e7cc81a) Arguments: sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p

systemctl (PID: 5993, Parent: 5991, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl stop iptables.service

ahuFoyOKGg New Fork (PID: 6000, Parent: 5230)

sh (PID: 6000, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "/sbin/iptables -F; /sbin/iptables -X"

sh New Fork (PID: 6002, Parent: 6000)

iptables (PID: 6002, Parent: 6000, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: /sbin/iptables -F

sh New Fork (PID: 6003, Parent: 6000)

iptables (PID: 6003, Parent: 6000, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: /sbin/iptables -X

ahuFoyOKGg New Fork (PID: 6004, Parent: 5230)

sh (PID: 6004, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "service firewalld stop"

sh New Fork (PID: 6006, Parent: 6004)

service (PID: 6006, Parent: 6004, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: service firewalld stop

service New Fork (PID: 6007, Parent: 6006)

basename (PID: 6007, Parent: 6006, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service

service New Fork (PID: 6008, Parent: 6006)

basename (PID: 6008, Parent: 6006, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service

service New Fork (PID: 6009, Parent: 6006)

systemctl (PID: 6009, Parent: 6006, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl --quiet is-active multi-user.target

service New Fork (PID: 6010, Parent: 6006)

service New Fork (PID: 6011, Parent: 6010)

systemctl (PID: 6011, Parent: 6010, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl list-unit-files --full --type=socket

service New Fork (PID: 6012, Parent: 6010)

sed (PID: 6012, Parent: 6010, MD5: 885062561f66aa1d4af4c54b9e7cc81a) Arguments: sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p

systemctl (PID: 6006, Parent: 6004, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl stop firewalld.service

ahuFoyOKGg New Fork (PID: 6015, Parent: 5230)

sh (PID: 6015, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf ~/.bash_history"

sh New Fork (PID: 6017, Parent: 6015)

rm (PID: 6017, Parent: 6015, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /root/.bash_history

ahuFoyOKGg New Fork (PID: 6018, Parent: 5230)

sh (PID: 6018, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "history -c"

ahuFoyOKGg New Fork (PID: 6020, Parent: 5230)

sh (PID: 6020, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*"

sh New Fork (PID: 6022, Parent: 6020)

rm (PID: 6022, Parent: 6020, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /tmp/* /var/* /var/run/* /var/tmp/*

ahuFoyOKGg New Fork (PID: 6023, Parent: 5230)

sh (PID: 6023, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /var/log/wtmp"

sh New Fork (PID: 6025, Parent: 6023)

rm (PID: 6025, Parent: 6023, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /var/log/wtmp

ahuFoyOKGg New Fork (PID: 6026, Parent: 5230)

sh (PID: 6026, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /tmp/*"

sh New Fork (PID: 6028, Parent: 6026)

rm (PID: 6028, Parent: 6026, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /tmp/*

ahuFoyOKGg New Fork (PID: 6029, Parent: 5230)

sh (PID: 6029, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /bin/netstat"

sh New Fork (PID: 6031, Parent: 6029)

rm (PID: 6031, Parent: 6029, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /bin/netstat

ahuFoyOKGg New Fork (PID: 6032, Parent: 5230)

sh (PID: 6032, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "iptables -F"

sh New Fork (PID: 6034, Parent: 6032)

iptables (PID: 6034, Parent: 6032, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -F

ahuFoyOKGg New Fork (PID: 6035, Parent: 5230)

sh (PID: 6035, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 busybox"

sh New Fork (PID: 6037, Parent: 6035)

pkill (PID: 6037, Parent: 6035, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 busybox

ahuFoyOKGg New Fork (PID: 6038, Parent: 5230)

sh (PID: 6038, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 perl"

sh New Fork (PID: 6040, Parent: 6038)

pkill (PID: 6040, Parent: 6038, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 perl

ahuFoyOKGg New Fork (PID: 6043, Parent: 5230)

sh (PID: 6043, Parent: 5230, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 python"

sh New Fork (PID: 6045, Parent: 6043)

pkill (PID: 6045, Parent: 6043, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 python

ahuFoyOKGg New Fork (PID: 5217, Parent: 5211)

ahuFoyOKGg New Fork (PID: 5219, Parent: 5217)

ahuFoyOKGg New Fork (PID: 5221, Parent: 5219)

sh (PID: 5221, Parent: 5219, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*"

sh New Fork (PID: 5223, Parent: 5221)

rm (PID: 5223, Parent: 5221, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /tmp/ahuFoyOKGg /tmp/config-err-dHT8bZ /tmp/dmesgtail.log /tmp/snap.lxd /tmp/ssh-hOQ5FjG2iVgO /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-ModemManager.service-c4RYFi /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-colord.service-gKIF8e /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-fwupd.service-gB0a9f /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-switcheroo-control.service-APWnLg /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-IofUpj /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-resolved.service-AfPZzg /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-upower.service-x0xO0i /tmp/tmp.Lzi5cB1EjE /tmp/tmp.MnQ8R1JpkR /tmp/tmp.iNAklbDLcD /tmp/vmware-root_721-4290559889 /var/backups /var/cache /var/crash /var/lib /var/local /var/lock /var/log /var/mail /var/metrics /var/opt /var/run /var/snap /var/spool /var/tmp /var/run/NetworkManager /var/run/acpid.pid /var/run/acpid.socket /var/run/apport.lock /var/run/avahi-daemon /var/run/blkid /var/run/cloud-init /var/run/console-setup /var/run/crond.pid /var/run/crond.reboot /var/run/cryptsetup /var/run/cups /var/run/dbus /var/run/dmeventd-client /var/run/dmeventd-server /var/run/gdm3 /var/run/gdm3.pid /var/run/initctl /var/run/initramfs /var/run/irqbalance /var/run/lock /var/run/log /var/run/lvm /var/run/mlocate.daily.lock /var/run/mono-xsp4 /var/run/mono-xsp4.pid /var/run/motd.d /var/run/mount /var/run/multipathd.pid /var/run/netns /var/run/network /var/run/screen /var/run/sendsigs.omit.d /var/run/shm /var/run/snapd /var/run/snapd-snap.socket /var/run/snapd.socket /var/run/speech-dispatcher /var/run/spice-vdagentd /var/run/sshd /var/run/sshd.pid /var/run/sudo /var/run/systemd /var/run/tmpfiles.d /var/run/udev /var/run/udisks2 /var/run/unattended-upgrades.lock /var/run/user /var/run/utmp /var/run/uuidd /var/run/vmware /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-ModemManager.service-J6Q1Te /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-colord.service-srP90f /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-fwupd.service-biJ0Gi /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-switcheroo-control.service-1jIxdj /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-llmWag /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-resolved.service-X16eHh /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-upower.service-GpSnaf

ahuFoyOKGg New Fork (PID: 5238, Parent: 5219)

sh (PID: 5238, Parent: 5219, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /var/log/wtmp"

sh New Fork (PID: 5240, Parent: 5238)

rm (PID: 5240, Parent: 5238, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /var/log/wtmp

ahuFoyOKGg New Fork (PID: 5241, Parent: 5219)

sh (PID: 5241, Parent: 5219, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /tmp/*"

sh New Fork (PID: 5245, Parent: 5241)

rm (PID: 5245, Parent: 5241, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /tmp/*

ahuFoyOKGg New Fork (PID: 5247, Parent: 5219)

sh (PID: 5247, Parent: 5219, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf /bin/netstat"

sh New Fork (PID: 5251, Parent: 5247)

rm (PID: 5251, Parent: 5247, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /bin/netstat

ahuFoyOKGg New Fork (PID: 5253, Parent: 5219)

sh (PID: 5253, Parent: 5219, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "iptables -F"

sh New Fork (PID: 5257, Parent: 5253)

iptables (PID: 5257, Parent: 5253, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: iptables -F

ahuFoyOKGg New Fork (PID: 5266, Parent: 5219)

sh (PID: 5266, Parent: 5219, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 busybox"

sh New Fork (PID: 5270, Parent: 5266)

pkill (PID: 5270, Parent: 5266, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 busybox

ahuFoyOKGg New Fork (PID: 5279, Parent: 5219)

sh (PID: 5279, Parent: 5219, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 perl"

sh New Fork (PID: 5282, Parent: 5279)

pkill (PID: 5282, Parent: 5279, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 perl

ahuFoyOKGg New Fork (PID: 5288, Parent: 5219)

sh (PID: 5288, Parent: 5219, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "pkill -9 python"

sh New Fork (PID: 5290, Parent: 5288)

pkill (PID: 5290, Parent: 5288, MD5: fa96a75a08109d8842e4865b2907d51f) Arguments: pkill -9 python

ahuFoyOKGg New Fork (PID: 5302, Parent: 5219)

sh (PID: 5302, Parent: 5219, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "service iptables stop"

sh New Fork (PID: 5304, Parent: 5302)

service (PID: 5304, Parent: 5302, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: service iptables stop

service New Fork (PID: 5305, Parent: 5304)

basename (PID: 5305, Parent: 5304, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service

service New Fork (PID: 5306, Parent: 5304)

basename (PID: 5306, Parent: 5304, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service

service New Fork (PID: 5307, Parent: 5304)

systemctl (PID: 5307, Parent: 5304, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl --quiet is-active multi-user.target

service New Fork (PID: 5310, Parent: 5304)

service New Fork (PID: 5311, Parent: 5310)

systemctl (PID: 5311, Parent: 5310, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl list-unit-files --full --type=socket

service New Fork (PID: 5312, Parent: 5310)

sed (PID: 5312, Parent: 5310, MD5: 885062561f66aa1d4af4c54b9e7cc81a) Arguments: sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p

systemctl (PID: 5304, Parent: 5302, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl stop iptables.service

ahuFoyOKGg New Fork (PID: 5328, Parent: 5219)

sh (PID: 5328, Parent: 5219, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "/sbin/iptables -F; /sbin/iptables -X"

sh New Fork (PID: 5330, Parent: 5328)

iptables (PID: 5330, Parent: 5328, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: /sbin/iptables -F

sh New Fork (PID: 5331, Parent: 5328)

iptables (PID: 5331, Parent: 5328, MD5: 1ab05fef765b6342cdfadaa5275b33af) Arguments: /sbin/iptables -X

ahuFoyOKGg New Fork (PID: 5332, Parent: 5219)

sh (PID: 5332, Parent: 5219, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "service firewalld stop"

sh New Fork (PID: 5334, Parent: 5332)

service (PID: 5334, Parent: 5332, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: service firewalld stop

service New Fork (PID: 5335, Parent: 5334)

basename (PID: 5335, Parent: 5334, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service

service New Fork (PID: 5336, Parent: 5334)

basename (PID: 5336, Parent: 5334, MD5: 3283660e59f128df18bec9b96fbd4d41) Arguments: basename /usr/sbin/service

service New Fork (PID: 5337, Parent: 5334)

systemctl (PID: 5337, Parent: 5334, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl --quiet is-active multi-user.target

service New Fork (PID: 5338, Parent: 5334)

service New Fork (PID: 5339, Parent: 5338)

systemctl (PID: 5339, Parent: 5338, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl list-unit-files --full --type=socket

service New Fork (PID: 5340, Parent: 5338)

sed (PID: 5340, Parent: 5338, MD5: 885062561f66aa1d4af4c54b9e7cc81a) Arguments: sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p

systemctl (PID: 5334, Parent: 5332, MD5: 4deddfb6741481f68aeac522cc26ff4b) Arguments: systemctl stop firewalld.service

ahuFoyOKGg New Fork (PID: 5367, Parent: 5219)

sh (PID: 5367, Parent: 5219, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "rm -rf ~/.bash_history"

sh New Fork (PID: 5369, Parent: 5367)

rm (PID: 5369, Parent: 5367, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -rf /root/.bash_history

ahuFoyOKGg New Fork (PID: 5370, Parent: 5219)

sh (PID: 5370, Parent: 5219, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "history -c"

cleanup

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Mirai_12	Yara detected Mirai	Joe Security

Stderr: Another app is currently holding the xtables lock. Perhaps you want to use the -w option?Failed to stop iptables.service: Unit iptables.service not loaded.Failed to stop iptables.service: Unit iptables.service not loaded.Failed to stop firewalld.service: Unit firewalld.service not loaded.sh: 1: history: not foundFailed to stop firewalld.service: Unit firewalld.service not loaded.sh: 1: history: not foundFailed to stop iptables.service: Unit iptables.service not loaded.Failed to stop firewalld.service: Unit firewalld.service not loaded.sh: 1: history: not foundFailed to stop iptables.service: Unit iptables.service not loaded.Failed to stop firewalld.service: Unit firewalld.service not loaded.sh: 1: history: not foundFailed to stop iptables.service: Unit iptables.service not loaded.Failed to stop firewalld.service: Unit firewalld.service not loaded.sh: 1: history: not found: exit code = 0

Source: /usr/sbin/service (PID: 5301)	Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s[a-z]\\s*$/.socket/p	Jump to behavior
Source: /usr/sbin/service (PID: 5325)	Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s[a-z]\\s*$/.socket/p	Jump to behavior
Source: /usr/sbin/service (PID: 5391)	Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s[a-z]\\s*$/.socket/p	Jump to behavior
Source: /usr/sbin/service (PID: 5407)	Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s[a-z]\\s*$/.socket/p	Jump to behavior
Source: /usr/sbin/service (PID: 5449)	Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s[a-z]\\s*$/.socket/p	Jump to behavior
Source: /usr/sbin/service (PID: 5464)	Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s[a-z]\\s*$/.socket/p	Jump to behavior
Source: /usr/sbin/service (PID: 5509)	Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s[a-z]\\s*$/.socket/p
Source: /usr/sbin/service (PID: 5546)	Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s[a-z]\\s*$/.socket/p
Source: /usr/sbin/service (PID: 5589)	Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s[a-z]\\s*$/.socket/p
Source: /usr/sbin/service (PID: 5604)	Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s[a-z]\\s*$/.socket/p
Source: /usr/sbin/service (PID: 5649)	Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s[a-z]\\s*$/.socket/p
Source: /usr/sbin/service (PID: 5662)	Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s[a-z]\\s*$/.socket/p
Source: /usr/sbin/service (PID: 5706)	Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s[a-z]\\s*$/.socket/p
Source: /usr/sbin/service (PID: 5721)	Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s[a-z]\\s*$/.socket/p
Source: /usr/sbin/service (PID: 5765)	Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s[a-z]\\s*$/.socket/p
Source: /usr/sbin/service (PID: 5780)	Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s[a-z]\\s*$/.socket/p
Source: /usr/sbin/service (PID: 5822)	Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s[a-z]\\s*$/.socket/p
Source: /usr/sbin/service (PID: 5835)	Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s[a-z]\\s*$/.socket/p
Source: /usr/sbin/service (PID: 5883)	Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s[a-z]\\s*$/.socket/p
Source: /usr/sbin/service (PID: 5898)	Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s[a-z]\\s*$/.socket/p
Source: /usr/sbin/service (PID: 5940)	Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s[a-z]\\s*$/.socket/p
Source: /usr/sbin/service (PID: 5955)	Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s[a-z]\\s*$/.socket/p
Source: /usr/sbin/service (PID: 5999)	Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s[a-z]\\s*$/.socket/p
Source: /usr/sbin/service (PID: 6012)	Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s[a-z]\\s*$/.socket/p
Source: /usr/sbin/service (PID: 5312)	Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s[a-z]\\s*$/.socket/p
Source: /usr/sbin/service (PID: 5340)	Sed executable: /usr/bin/sed -> sed -ne s/\\.socket\\s[a-z]\\s*$/.socket/p

Hooking and other Techniques for Hiding and Protection

Sample deletes itself

Source: /usr/bin/rm (PID: 5223)

File: /tmp/ahuFoyOKGg

Malware Analysis System Evasion

Deletes security-related log files

Source: /usr/bin/rm (PID: 5234)	Truncated file: /var/log/wtmp	Jump to behavior
Source: /usr/bin/rm (PID: 5246)	Truncated file: /var/log/wtmp	Jump to behavior
Source: /usr/bin/rm (PID: 5352)	Truncated file: /var/log/wtmp	Jump to behavior
Source: /usr/bin/rm (PID: 5420)	Truncated file: /var/log/wtmp	Jump to behavior
Source: /usr/bin/rm (PID: 5477)	Truncated file: /var/log/wtmp	Jump to behavior
Source: /usr/bin/rm (PID: 5557)	Truncated file: /var/log/wtmp
Source: /usr/bin/rm (PID: 5615)	Truncated file: /var/log/wtmp
Source: /usr/bin/rm (PID: 5675)	Truncated file: /var/log/wtmp
Source: /usr/bin/rm (PID: 5732)	Truncated file: /var/log/wtmp
Source: /usr/bin/rm (PID: 5791)	Truncated file: /var/log/wtmp
Source: /usr/bin/rm (PID: 5849)	Truncated file: /var/log/wtmp
Source: /usr/bin/rm (PID: 5909)	Truncated file: /var/log/wtmp
Source: /usr/bin/rm (PID: 5966)	Truncated file: /var/log/wtmp
Source: /usr/bin/rm (PID: 6025)	Truncated file: /var/log/wtmp
Source: /usr/bin/rm (PID: 5240)	Truncated file: /var/log/wtmp

Source: /usr/bin/pkill (PID: 5271)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/pkill (PID: 5281)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/pkill (PID: 5287)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/pkill (PID: 5364)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/pkill (PID: 5374)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/pkill (PID: 5432)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/pkill (PID: 5435)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/pkill (PID: 5440)	Reads CPU info from /sys: /sys/devices/system/cpu/online	Jump to behavior
Source: /usr/bin/pkill (PID: 5490)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5495)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5498)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5569)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5574)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5578)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5627)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5633)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5638)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5687)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5692)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5695)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5744)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5750)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5754)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5803)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5808)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5811)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5861)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5867)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5872)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5921)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5926)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5929)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5978)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5984)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5987)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6037)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6040)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6045)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5270)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5282)	Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5290)	Reads CPU info from /sys: /sys/devices/system/cpu/online

Source: /tmp/ahuFoyOKGg (PID: 5208)

Queries kernel information via 'uname':

Jump to behavior

Source: /usr/bin/rm (PID: 5234)	Truncated file: /var/log/hp	Jump to behavior
Source: /usr/bin/rm (PID: 5234)	Truncated file: /var/log/auth.log	Jump to behavior
Source: /usr/bin/rm (PID: 5234)	Truncated file: /var/log/alternatives.log	Jump to behavior
Source: /usr/bin/rm (PID: 5234)	Truncated file: /var/log/private	Jump to behavior
Source: /usr/bin/rm (PID: 5234)	Truncated file: /var/log/dpkg.log.1	Jump to behavior
Source: /usr/bin/rm (PID: 5234)	Truncated file: /var/log/dpkg.log.2.gz	Jump to behavior
Source: /usr/bin/rm (PID: 5234)	Truncated file: /var/log/syslog.4.gz	Jump to behavior
Source: /usr/bin/rm (PID: 5234)	Truncated file: /var/log/btmp	Jump to behavior
Source: /usr/bin/rm (PID: 5234)	Truncated file: /var/log/faillog	Jump to behavior
Source: /usr/bin/rm (PID: 5234)	Truncated file: /var/log/unattended-upgrades	Jump to behavior
Source: /usr/bin/rm (PID: 5234)	Truncated file: /var/log/apt (deleted)/history.log	Jump to behavior
Source: /usr/bin/rm (PID: 5234)	Truncated file: /var/log/apt (deleted)/term.log	Jump to behavior
Source: /usr/bin/rm (PID: 5234)	Truncated file: /var/log/apt (deleted)/history.log.2.gz	Jump to behavior
Source: /usr/bin/rm (PID: 5234)	Truncated file: /var/log/apt (deleted)/eipp.log.xz	Jump to behavior
Source: /usr/bin/rm (PID: 5234)	Truncated file: /var/log/apt (deleted)/term.log.1.gz	Jump to behavior
Source: /usr/bin/rm (PID: 5234)	Truncated file: /var/log/apt (deleted)/term.log.2.gz	Jump to behavior
Source: /usr/bin/rm (PID: 5234)	Truncated file: /var/log/apt (deleted)/history.log.1.gz	Jump to behavior
Source: /usr/bin/rm (PID: 5234)	Truncated file: /var/log/apt	Jump to behavior
Source: /usr/bin/rm (PID: 5234)	Truncated file: /var/log/auth.log.1	Jump to behavior
Source: /usr/bin/rm (PID: 5234)	Truncated file: /var/log/syslog.3.gz	Jump to behavior
Source: /usr/bin/rm (PID: 5234)	Truncated file: /var/log/gdm3	Jump to behavior
Source: /usr/bin/rm (PID: 5234)	Truncated file: /var/log/dmesg.1.gz	Jump to behavior
Source: /usr/bin/rm (PID: 5234)	Truncated file: /var/log/apport.log	Jump to behavior
Source: /usr/bin/rm (PID: 5234)	Truncated file: /var/log/speech-dispatcher	Jump to behavior
Source: /usr/bin/rm (PID: 5234)	Truncated file: /var/log/bootstrap.log	Jump to behavior
Source: /usr/bin/rm (PID: 5234)	Truncated file: /var/log/auth.log.2.gz	Jump to behavior
Source: /usr/bin/rm (PID: 5234)	Truncated file: /var/log/dpkg.log	Jump to behavior
Source: /usr/bin/rm (PID: 5234)	Truncated file: /var/log/dmesg.3.gz	Jump to behavior
Source: /usr/bin/rm (PID: 5234)	Truncated file: /var/log/dmesg.4.gz	Jump to behavior
Source: /usr/bin/rm (PID: 5234)	Truncated file: /var/log/kern.log	Jump to behavior
Source: /usr/bin/rm (PID: 5234)	Truncated file: /var/log/alternatives.log.1	Jump to behavior
Source: /usr/bin/rm (PID: 5234)	Truncated file: /var/log/kern.log.2.gz	Jump to behavior
Source: /usr/bin/rm (PID: 5234)	Truncated file: /var/log/lastlog	Jump to behavior
Source: /usr/bin/rm (PID: 5234)	Truncated file: /var/log/dmesg.2.gz	Jump to behavior
Source: /usr/bin/rm (PID: 5234)	Truncated file: /var/log/vmware-vmsvc-root.1.log	Jump to behavior
Source: /usr/bin/rm (PID: 5234)	Truncated file: /var/log/btmp.1	Jump to behavior
Source: /usr/bin/rm (PID: 5234)	Truncated file: /var/log/dist-upgrade	Jump to behavior
Source: /usr/bin/rm (PID: 5234)	Truncated file: /var/log/ubuntu-advantage.log	Jump to behavior
Source: /usr/bin/rm (PID: 5234)	Truncated file: /var/log/syslog	Jump to behavior
Source: /usr/bin/rm (PID: 5234)	Truncated file: /var/log/dmesg	Jump to behavior
Source: /usr/bin/rm (PID: 5234)	Truncated file: /var/log/apport.log.1	Jump to behavior
Source: /usr/bin/rm (PID: 5234)	Truncated file: /var/log/Xorg.1.log.old	Jump to behavior
Source: /usr/bin/rm (PID: 5234)	Truncated file: /var/log/syslog.1	Jump to behavior
Source: /usr/bin/rm (PID: 5234)	Truncated file: /var/log/vmware-vmsvc-root.3.log	Jump to behavior
Source: /usr/bin/rm (PID: 5234)	Truncated file: /var/log/Xorg.0.log.old	Jump to behavior
Source: /usr/bin/rm (PID: 5234)	Truncated file: /var/log/vmware-vmsvc-root.2.log	Jump to behavior
Source: /usr/bin/rm (PID: 5234)	Truncated file: /var/log/lightdm	Jump to behavior
Source: /usr/bin/rm (PID: 5234)	Truncated file: /var/log/apport.log.2.gz	Jump to behavior
Source: /usr/bin/rm (PID: 5234)	Truncated file: /var/log/wtmp	Jump to behavior
Source: /usr/bin/rm (PID: 5234)	Truncated file: /var/log/cloud-init-output.log	Jump to behavior
Source: /usr/bin/rm (PID: 5234)	Truncated file: /var/log/installer	Jump to behavior
Source: /usr/bin/rm (PID: 5234)	Truncated file: /var/log/Xorg.0.log	Jump to behavior
Source: /usr/bin/rm (PID: 5234)	Truncated file: /var/log/vmware-vmsvc-root.log	Jump to behavior
Source: /usr/bin/rm (PID: 5234)	Truncated file: /var/log/fontconfig.log	Jump to behavior
Source: /usr/bin/rm (PID: 5234)	Truncated file: /var/log/journal (deleted)/ee49dfd4fa47433baee88884e2d7de7c	Jump to behavior
Source: /usr/bin/rm (PID: 5234)	Truncated file: /var/log/journal	Jump to behavior
Source: /usr/bin/rm (PID: 5246)	Truncated file: /var/log/wtmp	Jump to behavior
Source: /usr/bin/rm (PID: 5352)	Truncated file: /var/log/wtmp	Jump to behavior
Source: /usr/bin/rm (PID: 5420)	Truncated file: /var/log/wtmp	Jump to behavior
Source: /usr/bin/rm (PID: 5477)	Truncated file: /var/log/wtmp	Jump to behavior
Source: /usr/bin/rm (PID: 5557)	Truncated file: /var/log/wtmp
Source: /usr/bin/rm (PID: 5615)	Truncated file: /var/log/wtmp
Source: /usr/bin/rm (PID: 5675)	Truncated file: /var/log/wtmp
Source: /usr/bin/rm (PID: 5732)	Truncated file: /var/log/wtmp
Source: /usr/bin/rm (PID: 5791)	Truncated file: /var/log/wtmp
Source: /usr/bin/rm (PID: 5849)	Truncated file: /var/log/wtmp
Source: /usr/bin/rm (PID: 5909)	Truncated file: /var/log/wtmp
Source: /usr/bin/rm (PID: 5966)	Truncated file: /var/log/wtmp
Source: /usr/bin/rm (PID: 6025)	Truncated file: /var/log/wtmp
Source: /usr/bin/rm (PID: 5240)	Truncated file: /var/log/wtmp

Source: ahuFoyOKGg, 5208.1.000000003e7aefd7.00000000ab2b30d5.rw-.sdmp, ahuFoyOKGg, 5211.1.000000003e7aefd7.00000000ab2b30d5.rw-.sdmp, ahuFoyOKGg, 5215.1.000000003e7aefd7.00000000ab2b30d5.rw-.sdmp, ahuFoyOKGg, 5228.1.000000003e7aefd7.00000000ab2b30d5.rw-.sdmp, ahuFoyOKGg, 5217.1.000000003e7aefd7.00000000ab2b30d5.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/sparc
Source: ahuFoyOKGg, 5208.1.000000003e7aefd7.00000000ab2b30d5.rw-.sdmp, ahuFoyOKGg, 5211.1.000000003e7aefd7.00000000ab2b30d5.rw-.sdmp, ahuFoyOKGg, 5215.1.000000003e7aefd7.00000000ab2b30d5.rw-.sdmp, ahuFoyOKGg, 5228.1.000000003e7aefd7.00000000ab2b30d5.rw-.sdmp, ahuFoyOKGg, 5217.1.000000003e7aefd7.00000000ab2b30d5.rw-.sdmp	Binary or memory string: U!/etc/qemu-binfmt/sparc
Source: ahuFoyOKGg, 5208.1.000000006318e493.000000004adaed8e.rw-.sdmp, ahuFoyOKGg, 5211.1.000000006318e493.000000004adaed8e.rw-.sdmp, ahuFoyOKGg, 5215.1.000000006318e493.000000004adaed8e.rw-.sdmp, ahuFoyOKGg, 5228.1.000000006318e493.000000004adaed8e.rw-.sdmp, ahuFoyOKGg, 5217.1.000000006318e493.000000004adaed8e.rw-.sdmp	Binary or memory string: 9D{x86_64/usr/bin/qemu-sparc/tmp/ahuFoyOKGgSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/ahuFoyOKGg
Source: ahuFoyOKGg, 5208.1.000000006318e493.000000004adaed8e.rw-.sdmp, ahuFoyOKGg, 5211.1.000000006318e493.000000004adaed8e.rw-.sdmp, ahuFoyOKGg, 5215.1.000000006318e493.000000004adaed8e.rw-.sdmp, ahuFoyOKGg, 5228.1.000000006318e493.000000004adaed8e.rw-.sdmp, ahuFoyOKGg, 5217.1.000000006318e493.000000004adaed8e.rw-.sdmp	Binary or memory string: /usr/bin/qemu-sparc

Stealing of Sensitive Information

Yara detected Mirai

Source: Yara match

File source: dump.pcap, type: PCAP

Remote Access Functionality

Yara detected Mirai

Source: Yara match

File source: dump.pcap, type: PCAP

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Command and Scripting Interpreter	1 Systemd Service	1 Systemd Service	1 Disable or Modify Tools	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Scripting	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Scripting	LSASS Memory	1 System Network Configuration Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	2 Disable or Modify System Firewall	Security Account Manager	1 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	11 Indicator Removal on Host	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	11 File Deletion	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Malware Configuration

⊘No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Number of created Files
Is malicious
Internet

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
ahuFoyOKGg	35%	Virustotal		Browse
ahuFoyOKGg	33%	ReversingLabs	Linux.Trojan.Mirai

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
81.43.25.58	unknown	Spain	3352	TELEFONICA_DE_ESPANAES	false
181.128.175.138	unknown	Colombia	13489	EPMTelecomunicacionesSAESPCO	false
153.165.241.164	unknown	Japan	4713	OCNNTTCommunicationsCorporationJP	false
72.142.99.246	unknown	Canada	812	ROGERS-COMMUNICATIONSCA	false
76.186.167.23	unknown	United States	11427	TWC-11427-TEXASUS	false
74.114.235.162	unknown	United States	46817	MTAINCUS	false
196.37.233.32	unknown	South Africa	3741	ISZA	false
42.29.89.80	unknown	Korea Republic of	9644	SKTELECOM-NET-ASSKTelecomKR	false
108.233.166.184	unknown	United States	7018	ATT-INTERNET4US	false
129.106.132.110	unknown	United States	5707	UTHSC-HUS	false
145.155.207.242	unknown	Netherlands	1103	SURFNET-NLSURFnetTheNetherlandsNL	false
143.159.228.224	unknown	United States	6871	PLUSNETUKInternetServiceProviderGB	false
14.26.177.249	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
113.176.182.4	unknown	Viet Nam	45899	VNPT-AS-VNVNPTCorpVN	false
45.61.12.173	unknown	Canada	395282	HYPERTECDCSCA	false
194.185.144.65	unknown	Italy	3313	INET-ASIT	false
123.49.41.156	unknown	Bangladesh	17494	BTTB-AS-APTelecomOperatorInternetServiceProviderasw	false
32.221.121.125	unknown	United States	46690	SNET-FCCUS	false
181.75.29.136	unknown	Chile	6535	TelmexServiciosEmpresarialesSACL	false
193.124.64.103	unknown	Russian Federation	48347	MTW-ASRU	false
87.143.249.155	unknown	Germany	3320	DTAGInternetserviceprovideroperationsDE	false
89.91.243.107	unknown	France	5410	BOUYGTEL-ISPFR	false
2.229.196.132	unknown	Italy	12874	FASTWEBIT	false
200.110.111.118	unknown	unknown	270252	TVFINTERNETRAPIDALTDABR	false
153.84.237.209	unknown	United States	14962	NCR-252US	false
152.8.40.218	unknown	United States	81	NCRENUS	false
220.183.55.16	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
223.121.253.102	unknown	China	58453	CMI-INT-HKLevel30Tower1HK	false
128.42.160.25	unknown	United States	8	RICE-ASUS	false
112.41.220.107	unknown	China	56044	CMNET-AS-LIAONINGChinaMobilecommunicationscorporationC	false
96.20.4.244	unknown	Canada	5769	VIDEOTRONCA	false
86.102.74.206	unknown	Russian Federation	12332	PRIMORYE-ASRU	false
99.210.200.138	unknown	Canada	812	ROGERS-COMMUNICATIONSCA	false
80.37.100.107	unknown	Spain	3352	TELEFONICA_DE_ESPANAES	false
146.78.164.93	unknown	United States	4193	WA-STATE-GOVUS	false
90.24.234.52	unknown	France	3215	FranceTelecom-OrangeFR	false
109.235.168.252	unknown	Sweden	35041	NET-BINERO-STHLM1SE	false
58.170.69.178	unknown	Australia	1221	ASN-TELSTRATelstraCorporationLtdAU	false
88.40.154.158	unknown	Italy	3269	ASN-IBSNAZIT	false
112.150.231.3	unknown	Korea Republic of	17858	POWERVIS-AS-KRLGPOWERCOMMKR	false
210.201.189.146	unknown	Taiwan; Republic of China (ROC)	7482	APOL-ASAsiaPacificOn-lineServiceIncTW	false
123.88.124.250	unknown	China	9394	CTTNETChinaTieTongTelecommunicationsCorporationCN	false
160.44.182.175	unknown	Germany	34086	SCZN-ASDE	false
78.188.78.32	unknown	Turkey	9121	TTNETTR	false
179.133.103.153	unknown	Brazil	26599	TELEFONICABRASILSABR	false
164.52.243.159	unknown	United States	33154	DQECOMUS	false
171.2.74.146	unknown	Japan	17676	GIGAINFRASoftbankBBCorpJP	false
188.255.119.126	unknown	Russian Federation	42610	NCNET-ASRU	false
171.138.168.24	unknown	United States	9874	STARHUB-MOBILEStarHubLtdSG	false
4.37.121.204	unknown	United States	3356	LEVEL3US	false
184.43.147.60	unknown	United States	5778	CENTURYLINK-LEGACY-EMBARQ-RCMTUS	false
107.6.182.104	unknown	United States	32475	SINGLEHOP-LLCUS	false
17.109.227.18	unknown	United States	714	APPLE-ENGINEERINGUS	false
153.92.80.131	unknown	Germany	41998	NETCOMBW-ASDE	false
82.54.251.18	unknown	Italy	3269	ASN-IBSNAZIT	false
145.49.94.79	unknown	Netherlands	1103	SURFNET-NLSURFnetTheNetherlandsNL	false
158.112.223.50	unknown	Norway	49278	NORDEFNO	false
131.85.92.29	unknown	United States	140	DNIC-AS-00140US	false
149.96.240.254	unknown	United States	16839	SNCUS	false
102.147.93.243	unknown	Zambia	37287	ZAIN-ZAMBIAZM	false
140.81.220.114	unknown	unknown	27293	BANKOFCANADACA	false
152.199.65.49	unknown	United States	15133	EDGECASTUS	false
157.21.202.218	unknown	United States	53446	EVMSUS	false
40.3.252.161	unknown	United States	4249	LILLY-ASUS	false
104.231.155.254	unknown	United States	10796	TWC-10796-MIDWESTUS	false
189.46.141.207	unknown	Brazil	27699	TELEFONICABRASILSABR	false
150.51.172.201	unknown	Japan	2497	IIJInternetInitiativeJapanIncJP	false
200.219.112.93	unknown	Brazil	8167	BrasilTelecomSA-FilialDistritoFederalBR	false
148.125.59.167	unknown	United States	2119	TELENOR-NEXTELTelenorNorgeASNO	false
118.64.199.81	unknown	China	4713	OCNNTTCommunicationsCorporationJP	false
151.211.164.103	unknown	United Kingdom	11003	PANDGUS	false
201.212.17.117	unknown	Argentina	10481	TelecomArgentinaSAAR	false
76.219.128.242	unknown	United States	7018	ATT-INTERNET4US	false
218.84.205.53	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
210.138.150.37	unknown	Japan	2497	IIJInternetInitiativeJapanIncJP	false
69.123.133.227	unknown	United States	6128	CABLE-NET-1US	false
74.114.235.130	unknown	United States	46817	MTAINCUS	false
107.177.38.15	unknown	United States	40676	AS40676US	false
77.94.7.134	unknown	Kazakhstan	21299	KAR-TEL-ASAlmatyRepublicofKazakhstanKZ	false
212.3.36.129	unknown	Spain	39155	JETNETES	false
74.213.192.184	unknown	United States	36728	EMERYTELCOMUS	false
139.37.189.24	unknown	United States	9905	LINKNET-ID-APLinknetASNID	false
23.215.231.244	unknown	United States	16625	AKAMAI-ASUS	false
220.216.44.0	unknown	Japan	10010	TOKAITOKAICommunicationsCorporationJP	false
39.139.154.9	unknown	China	9808	CMNET-GDGuangdongMobileCommunicationCoLtdCN	false
83.218.107.240	unknown	Poland	196927	RTKPL	false
1.255.125.242	unknown	Korea Republic of	9770	SPEEDONSTV-AS-KRLGHelloVisionCorpKR	false
162.127.82.98	unknown	United States	11714	NETWORKNEBRASKAUS	false
194.132.165.9	unknown	Sweden	202296	MICROGROUPSE	false
160.123.253.213	unknown	South Africa	3741	ISZA	false
12.169.81.91	unknown	United States	7018	ATT-INTERNET4US	false
187.128.168.144	unknown	Mexico	28283	AdylnetTelecomBR	false
150.34.117.153	unknown	Japan	9991	SHUDO-UHiroshimaShudoUniversityJP	false
146.137.69.155	unknown	United States	683	ARGONNE-ASUS	false
160.44.208.77	unknown	Germany	6878	AS6878DE	false
42.178.154.149	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
134.170.73.160	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
187.130.74.239	unknown	Mexico	8151	UninetSAdeCVMX	false
120.251.73.231	unknown	China	56040	CMNET-GUANGDONG-APChinaMobilecommunicationscorporation	false
192.221.22.49	unknown	United States	3356	LEVEL3US	false

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
88.40.154.158	notabotnet.arm7	Get hash	malicious	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
EPMTelecomunicacionesSAESPCO	ij6G6QW5J5	Get hash	malicious	Browse	190.248.105.45
	30h1uvycwO	Get hash	malicious	Browse	190.165.24.35
	4rWBoMFRww	Get hash	malicious	Browse	181.142.24.200
	qPmVl8Mmdm	Get hash	malicious	Browse	181.128.127.236
	zng0W7aeJW	Get hash	malicious	Browse	190.29.50.110
	PZiTRj9FTs	Get hash	malicious	Browse	190.165.24.19
	3sFLjv3aWP	Get hash	malicious	Browse	190.165.24.33
	zEqcR6NjKc	Get hash	malicious	Browse	181.136.190.109
	KVDg3OQlnj	Get hash	malicious	Browse	181.136.190.115
	apep.arm7	Get hash	malicious	Browse	190.165.24.35
	apep.arm	Get hash	malicious	Browse	181.129.241.191
	ZYMoKCQp40	Get hash	malicious	Browse	190.248.105.11
	n1QctxXsbN	Get hash	malicious	Browse	190.70.206.192
	N698PtJ97O	Get hash	malicious	Browse	181.128.127.240
	bFSG6nzHxT	Get hash	malicious	Browse	190.251.65.252
	8XEoLEb7ES	Get hash	malicious	Browse	190.70.10.218
	vi99ZKe6ZF	Get hash	malicious	Browse	190.165.24.74
	XUj78fC1wm	Get hash	malicious	Browse	181.128.127.202
	fajkHDqLJS	Get hash	malicious	Browse	190.248.105.51
	Cbz2z7AIB8	Get hash	malicious	Browse	181.136.190.148
TELEFONICA_DE_ESPANAES	arm7.cloudbot	Get hash	malicious	Browse	88.16.209.63
	pEOpNU4tWe	Get hash	malicious	Browse	95.121.137.224
	RnHIXiYP86	Get hash	malicious	Browse	83.38.221.198
	qPmVl8Mmdm	Get hash	malicious	Browse	160.214.82.108
	mXjhFxwYY6	Get hash	malicious	Browse	194.227.43.9
	http___195.133.18.119_beastmode_b3astmode.mips	Get hash	malicious	Browse	79.152.26.154
	x86-20220221-0419	Get hash	malicious	Browse	88.7.35.30
	rYTbXjTHKI	Get hash	malicious	Browse	95.121.68.79
	zng0W7aeJW	Get hash	malicious	Browse	95.121.68.78
	BDRKUNDhJN	Get hash	malicious	Browse	95.121.68.19
	kET53Ai3yK	Get hash	malicious	Browse	37.12.240.29
	LgEuRX5Mjw	Get hash	malicious	Browse	160.215.185.165
	apep.arm7	Get hash	malicious	Browse	160.214.82.107
	Zbj30QzYXw	Get hash	malicious	Browse	95.122.127.120
	bFSG6nzHxT	Get hash	malicious	Browse	95.121.137.236
	XUj78fC1wm	Get hash	malicious	Browse	95.125.208.113
	jQX1YraPjv	Get hash	malicious	Browse	95.121.68.56
	e8G1cXYi2d	Get hash	malicious	Browse	37.12.240.19
	apep.x86	Get hash	malicious	Browse	160.215.185.105
	apep.arm7	Get hash	malicious	Browse	160.214.82.146
OCNNTTCommunicationsCorporationJP	zD5hJsdrFw	Get hash	malicious	Browse	153.132.88.205
	kPDAoYSzMB	Get hash	malicious	Browse	114.180.151.208
	arm7.cloudbot	Get hash	malicious	Browse	153.160.179.51
	pEOpNU4tWe	Get hash	malicious	Browse	153.172.248.10
	5fAPZmn63M	Get hash	malicious	Browse	122.16.214.4
	uAHAz1QR4F	Get hash	malicious	Browse	121.112.239.231
	WFQ65TdWSX	Get hash	malicious	Browse	121.115.232.7
	yRlZggM7ZR	Get hash	malicious	Browse	153.154.199.112
	VviFpgo9BG	Get hash	malicious	Browse	221.190.154.74
	4rWBoMFRww	Get hash	malicious	Browse	180.20.196.143
	1yoxmUfvxv	Get hash	malicious	Browse	123.224.115.43
	mXjhFxwYY6	Get hash	malicious	Browse	118.5.14.221
	ivPi2pnlv4	Get hash	malicious	Browse	122.26.163.147
	911.x86	Get hash	malicious	Browse	122.31.88.36
	b3astmode.x86	Get hash	malicious	Browse	123.224.18.122
	http___195.133.18.119_beastmode_b3astmode.arm5	Get hash	malicious	Browse	153.239.66.147
	http___195.133.18.119_beastmode_b3astmode.arm6	Get hash	malicious	Browse	153.141.251.37
	http___195.133.18.119_beastmode_b3astmode.arm7	Get hash	malicious	Browse	210.254.189.112
	http___195.133.18.119_beastmode_b3astmode.mips	Get hash	malicious	Browse	58.93.193.222
	http___195.133.18.119_beastmode_b3astmode.mpsl	Get hash	malicious	Browse	153.145.15.169

Process:	/tmp/ahuFoyOKGg
File Type:	ASCII text
Category:	dropped
Size (bytes):	38
Entropy (8bit):	3.3918926446809334
Encrypted:	false
SSDEEP:	3:KkZRAkd:KaAu
MD5:	C7EA09D26E26605227076E0514A33038
SHA1:	C3F9736E9AF7BD0885578859A50B205C8FA5FC8E
SHA-256:	7E8AD76E0D200E93918CA2E93C99FF8ECD02071953BF1479819DB3AC0DBB6D07
SHA-512:	17D0088725EB9991E9EB82E8A3DE0878E45E6F394BBC2AD260AA59C786FF0AD565E145E21256425D1C0ABE15F3ECB402EBB0A6A5E1C2D5BA7A4D95EC93A2861F
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	nameserver 8.8.8.8.nameserver 8.8.4.4.

Source: ahuFoyOKGg	Virustotal: Detection: 35%			Perma Link
Source: ahuFoyOKGg	ReversingLabs: Detection: 32%

Source: Traffic	Snort IDS: 404 ICMP Destination Unreachable Protocol Unreachable 80.221.151.48: -> 192.168.2.23:
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 71.246.67.13:23 -> 192.168.2.23:56644
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 71.246.67.13:23 -> 192.168.2.23:56644
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 71.246.67.13:23 -> 192.168.2.23:56652
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 71.246.67.13:23 -> 192.168.2.23:56652
Source: Traffic	Snort IDS: 716 INFO TELNET access 200.41.38.178:23 -> 192.168.2.23:41038
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 194.254.254.149:23 -> 192.168.2.23:49870
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 194.254.254.149:23 -> 192.168.2.23:49870
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 113.176.49.53:23 -> 192.168.2.23:47532
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 113.176.49.53:23 -> 192.168.2.23:47532
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 71.246.67.13:23 -> 192.168.2.23:56898
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 71.246.67.13:23 -> 192.168.2.23:56898
Source: Traffic	Snort IDS: 716 INFO TELNET access 200.41.38.178:23 -> 192.168.2.23:41224
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 194.254.254.149:23 -> 192.168.2.23:50192
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 194.254.254.149:23 -> 192.168.2.23:50192
Source: Traffic	Snort IDS: 716 INFO TELNET access 200.41.38.178:23 -> 192.168.2.23:41400
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 113.176.49.53:23 -> 192.168.2.23:47754
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 113.176.49.53:23 -> 192.168.2.23:47754
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 71.246.67.13:23 -> 192.168.2.23:57094
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 71.246.67.13:23 -> 192.168.2.23:57094
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 194.254.254.149:23 -> 192.168.2.23:50296
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 194.254.254.149:23 -> 192.168.2.23:50296
Source: Traffic	Snort IDS: 716 INFO TELNET access 200.41.38.178:23 -> 192.168.2.23:41490
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 112.165.203.43:23 -> 192.168.2.23:36038
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 112.165.203.43:23 -> 192.168.2.23:36038
Source: Traffic	Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:36934 -> 62.193.97.9:23
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 113.176.49.53:23 -> 192.168.2.23:47956
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 113.176.49.53:23 -> 192.168.2.23:47956
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 71.246.67.13:23 -> 192.168.2.23:57296
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 71.246.67.13:23 -> 192.168.2.23:57296
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 113.195.160.53:23 -> 192.168.2.23:41226
Source: Traffic	Snort IDS: 2027973 ET EXPLOIT HiSilicon DVR - Default Telnet Root Password Inbound 192.168.2.23:36182 -> 112.165.203.43:23
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 112.165.203.43:23 -> 192.168.2.23:36182
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 112.165.203.43:23 -> 192.168.2.23:36182
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 202.151.69.86:23 -> 192.168.2.23:53498
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 202.151.69.86:23 -> 192.168.2.23:53498
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 113.195.160.53:23 -> 192.168.2.23:41276
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 202.151.69.86:23 -> 192.168.2.23:53556
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 202.151.69.86:23 -> 192.168.2.23:53556
Source: Traffic	Snort IDS: 716 INFO TELNET access 121.121.88.115:23 -> 192.168.2.23:57322
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 113.195.160.53:23 -> 192.168.2.23:41456
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 202.151.69.86:23 -> 192.168.2.23:53672
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 202.151.69.86:23 -> 192.168.2.23:53672
Source: Traffic	Snort IDS: 716 INFO TELNET access 200.41.38.178:23 -> 192.168.2.23:41944
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 112.165.203.43:23 -> 192.168.2.23:36360
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 112.165.203.43:23 -> 192.168.2.23:36360
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 202.151.69.86:23 -> 192.168.2.23:53996
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 202.151.69.86:23 -> 192.168.2.23:53996
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 194.254.254.149:23 -> 192.168.2.23:51052
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 194.254.254.149:23 -> 192.168.2.23:51052
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 113.195.160.53:23 -> 192.168.2.23:41854
Source: Traffic	Snort IDS: 716 INFO TELNET access 185.106.147.193:23 -> 192.168.2.23:57136
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 202.151.69.86:23 -> 192.168.2.23:54128
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 202.151.69.86:23 -> 192.168.2.23:54128
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 185.106.147.193:23 -> 192.168.2.23:57136
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 112.165.203.43:23 -> 192.168.2.23:36864
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 112.165.203.43:23 -> 192.168.2.23:36864
Source: Traffic	Snort IDS: 716 INFO TELNET access 185.106.147.193:23 -> 192.168.2.23:57246
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 202.151.69.86:23 -> 192.168.2.23:54234
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 202.151.69.86:23 -> 192.168.2.23:54234
Source: Traffic	Snort IDS: 716 INFO TELNET access 79.117.245.174:23 -> 192.168.2.23:53568
Source: Traffic	Snort IDS: 716 INFO TELNET access 218.149.199.135:23 -> 192.168.2.23:50186
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 71.246.67.13:23 -> 192.168.2.23:58098
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 71.246.67.13:23 -> 192.168.2.23:58098
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 185.106.147.193:23 -> 192.168.2.23:57246
Source: Traffic	Snort IDS: 492 INFO TELNET login failed 113.195.160.53:23 -> 192.168.2.23:42048
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 113.176.49.53:23 -> 192.168.2.23:48786
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 113.176.49.53:23 -> 192.168.2.23:48786
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 218.149.199.135:23 -> 192.168.2.23:50186
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 218.149.199.135:23 -> 192.168.2.23:50186
Source: Traffic	Snort IDS: 1251 INFO TELNET Bad Login 202.151.69.86:23 -> 192.168.2.23:54288
Source: Traffic	Snort IDS: 718 INFO TELNET login incorrect 202.151.69.86:23 -> 192.168.2.23:54288
Source: Traffic	Snort IDS: 716 INFO TELNET access 103.145.140.186:23 -> 192.168.2.23:52004

Source: /bin/sh (PID: 5264)	Args: iptables -F	Jump to behavior
Source: /bin/sh (PID: 5361)	Args: iptables -F	Jump to behavior
Source: /bin/sh (PID: 5429)	Args: iptables -F	Jump to behavior
Source: /bin/sh (PID: 5486)	Args: iptables -F	Jump to behavior
Source: /bin/sh (PID: 5566)	Args: iptables -F
Source: /bin/sh (PID: 5624)	Args: iptables -F
Source: /bin/sh (PID: 5684)	Args: iptables -F
Source: /bin/sh (PID: 5741)	Args: iptables -F
Source: /bin/sh (PID: 5800)	Args: iptables -F
Source: /bin/sh (PID: 5858)	Args: iptables -F
Source: /bin/sh (PID: 5918)	Args: iptables -F
Source: /bin/sh (PID: 5975)	Args: iptables -F
Source: /bin/sh (PID: 6034)	Args: iptables -F
Source: /bin/sh (PID: 5257)	Args: iptables -F

Source: /usr/sbin/service (PID: 5295)	Systemctl executable stopping iptables: /usr/sbin/systemctl -> systemctl stop iptables.service	Jump to behavior
Source: /usr/sbin/service (PID: 5295)	Systemctl executable stopping iptables: /usr/bin/systemctl -> systemctl stop iptables.service	Jump to behavior
Source: /usr/sbin/service (PID: 5385)	Systemctl executable stopping iptables: /usr/sbin/systemctl -> systemctl stop iptables.service	Jump to behavior
Source: /usr/sbin/service (PID: 5385)	Systemctl executable stopping iptables: /usr/bin/systemctl -> systemctl stop iptables.service	Jump to behavior
Source: /usr/sbin/service (PID: 5443)	Systemctl executable stopping iptables: /usr/sbin/systemctl -> systemctl stop iptables.service	Jump to behavior
Source: /usr/sbin/service (PID: 5443)	Systemctl executable stopping iptables: /usr/bin/systemctl -> systemctl stop iptables.service	Jump to behavior
Source: /usr/sbin/service (PID: 5503)	Systemctl executable stopping iptables: /usr/sbin/systemctl -> systemctl stop iptables.service
Source: /usr/sbin/service (PID: 5503)	Systemctl executable stopping iptables: /usr/bin/systemctl -> systemctl stop iptables.service
Source: /usr/sbin/service (PID: 5583)	Systemctl executable stopping iptables: /usr/sbin/systemctl -> systemctl stop iptables.service
Source: /usr/sbin/service (PID: 5583)	Systemctl executable stopping iptables: /usr/bin/systemctl -> systemctl stop iptables.service
Source: /usr/sbin/service (PID: 5643)	Systemctl executable stopping iptables: /usr/sbin/systemctl -> systemctl stop iptables.service
Source: /usr/sbin/service (PID: 5643)	Systemctl executable stopping iptables: /usr/bin/systemctl -> systemctl stop iptables.service
Source: /usr/sbin/service (PID: 5700)	Systemctl executable stopping iptables: /usr/sbin/systemctl -> systemctl stop iptables.service
Source: /usr/sbin/service (PID: 5700)	Systemctl executable stopping iptables: /usr/bin/systemctl -> systemctl stop iptables.service
Source: /usr/sbin/service (PID: 5759)	Systemctl executable stopping iptables: /usr/sbin/systemctl -> systemctl stop iptables.service
Source: /usr/sbin/service (PID: 5759)	Systemctl executable stopping iptables: /usr/bin/systemctl -> systemctl stop iptables.service
Source: /usr/sbin/service (PID: 5816)	Systemctl executable stopping iptables: /usr/sbin/systemctl -> systemctl stop iptables.service
Source: /usr/sbin/service (PID: 5816)	Systemctl executable stopping iptables: /usr/bin/systemctl -> systemctl stop iptables.service
Source: /usr/sbin/service (PID: 5877)	Systemctl executable stopping iptables: /usr/sbin/systemctl -> systemctl stop iptables.service
Source: /usr/sbin/service (PID: 5877)	Systemctl executable stopping iptables: /usr/bin/systemctl -> systemctl stop iptables.service
Source: /usr/sbin/service (PID: 5934)	Systemctl executable stopping iptables: /usr/sbin/systemctl -> systemctl stop iptables.service
Source: /usr/sbin/service (PID: 5934)	Systemctl executable stopping iptables: /usr/bin/systemctl -> systemctl stop iptables.service
Source: /usr/sbin/service (PID: 5993)	Systemctl executable stopping iptables: /usr/sbin/systemctl -> systemctl stop iptables.service
Source: /usr/sbin/service (PID: 5993)	Systemctl executable stopping iptables: /usr/bin/systemctl -> systemctl stop iptables.service
Source: /usr/sbin/service (PID: 5304)	Systemctl executable stopping iptables: /usr/sbin/systemctl -> systemctl stop iptables.service
Source: /usr/sbin/service (PID: 5304)	Systemctl executable stopping iptables: /usr/bin/systemctl -> systemctl stop iptables.service

Source: global traffic	TCP traffic: 192.168.2.23:42836 -> 91.189.91.43:443
Source: global traffic	TCP traffic: 192.168.2.23:42516 -> 109.202.202.202:80
Source: global traffic	TCP traffic: 192.168.2.23:43928 -> 91.189.91.42:443
Source: global traffic	TCP traffic: 192.168.2.23:39306 -> 34.249.145.219:443

Source: /bin/sh (PID: 5315)	Iptables executable: /sbin/iptables -> /sbin/iptables -F	Jump to behavior
Source: /bin/sh (PID: 5316)	Iptables executable: /sbin/iptables -> /sbin/iptables -X	Jump to behavior
Source: /bin/sh (PID: 5397)	Iptables executable: /sbin/iptables -> /sbin/iptables -F	Jump to behavior
Source: /bin/sh (PID: 5398)	Iptables executable: /sbin/iptables -> /sbin/iptables -X	Jump to behavior
Source: /bin/sh (PID: 5454)	Iptables executable: /sbin/iptables -> /sbin/iptables -F	Jump to behavior
Source: /bin/sh (PID: 5455)	Iptables executable: /sbin/iptables -> /sbin/iptables -X	Jump to behavior
Source: /bin/sh (PID: 5534)	Iptables executable: /sbin/iptables -> /sbin/iptables -F
Source: /bin/sh (PID: 5535)	Iptables executable: /sbin/iptables -> /sbin/iptables -X
Source: /bin/sh (PID: 5592)	Iptables executable: /sbin/iptables -> /sbin/iptables -F
Source: /bin/sh (PID: 5593)	Iptables executable: /sbin/iptables -> /sbin/iptables -X
Source: /bin/sh (PID: 5652)	Iptables executable: /sbin/iptables -> /sbin/iptables -F
Source: /bin/sh (PID: 5653)	Iptables executable: /sbin/iptables -> /sbin/iptables -X
Source: /bin/sh (PID: 5709)	Iptables executable: /sbin/iptables -> /sbin/iptables -F
Source: /bin/sh (PID: 5710)	Iptables executable: /sbin/iptables -> /sbin/iptables -X
Source: /bin/sh (PID: 5768)	Iptables executable: /sbin/iptables -> /sbin/iptables -F
Source: /bin/sh (PID: 5771)	Iptables executable: /sbin/iptables -> /sbin/iptables -X
Source: /bin/sh (PID: 5825)	Iptables executable: /sbin/iptables -> /sbin/iptables -F
Source: /bin/sh (PID: 5826)	Iptables executable: /sbin/iptables -> /sbin/iptables -X
Source: /bin/sh (PID: 5886)	Iptables executable: /sbin/iptables -> /sbin/iptables -F
Source: /bin/sh (PID: 5887)	Iptables executable: /sbin/iptables -> /sbin/iptables -X
Source: /bin/sh (PID: 5945)	Iptables executable: /sbin/iptables -> /sbin/iptables -F
Source: /bin/sh (PID: 5946)	Iptables executable: /sbin/iptables -> /sbin/iptables -X
Source: /bin/sh (PID: 6002)	Iptables executable: /sbin/iptables -> /sbin/iptables -F
Source: /bin/sh (PID: 6003)	Iptables executable: /sbin/iptables -> /sbin/iptables -X
Source: /bin/sh (PID: 5330)	Iptables executable: /sbin/iptables -> /sbin/iptables -F
Source: /bin/sh (PID: 5331)	Iptables executable: /sbin/iptables -> /sbin/iptables -X

Source: unknown	Network traffic detected: HTTP traffic on port 39306 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 27.157.63.193
Source: unknown	TCP traffic detected without corresponding DNS query: 221.58.126.193
Source: unknown	TCP traffic detected without corresponding DNS query: 63.204.59.77
Source: unknown	TCP traffic detected without corresponding DNS query: 175.186.105.44
Source: unknown	TCP traffic detected without corresponding DNS query: 14.89.154.2
Source: unknown	TCP traffic detected without corresponding DNS query: 101.211.83.16
Source: unknown	TCP traffic detected without corresponding DNS query: 154.139.98.241
Source: unknown	TCP traffic detected without corresponding DNS query: 148.181.42.36
Source: unknown	TCP traffic detected without corresponding DNS query: 103.83.217.91
Source: unknown	TCP traffic detected without corresponding DNS query: 209.34.78.102
Source: unknown	TCP traffic detected without corresponding DNS query: 72.138.51.223
Source: unknown	TCP traffic detected without corresponding DNS query: 120.39.248.170
Source: unknown	TCP traffic detected without corresponding DNS query: 184.90.80.225
Source: unknown	TCP traffic detected without corresponding DNS query: 70.124.97.92
Source: unknown	TCP traffic detected without corresponding DNS query: 194.233.83.27
Source: unknown	TCP traffic detected without corresponding DNS query: 117.226.205.5
Source: unknown	TCP traffic detected without corresponding DNS query: 9.137.202.159
Source: unknown	TCP traffic detected without corresponding DNS query: 190.15.111.255
Source: unknown	TCP traffic detected without corresponding DNS query: 23.255.1.124
Source: unknown	TCP traffic detected without corresponding DNS query: 97.181.39.158
Source: unknown	TCP traffic detected without corresponding DNS query: 48.24.144.184
Source: unknown	TCP traffic detected without corresponding DNS query: 159.18.168.243
Source: unknown	TCP traffic detected without corresponding DNS query: 223.101.194.133
Source: unknown	TCP traffic detected without corresponding DNS query: 191.90.50.225
Source: unknown	TCP traffic detected without corresponding DNS query: 24.61.2.233
Source: unknown	TCP traffic detected without corresponding DNS query: 166.77.147.0
Source: unknown	TCP traffic detected without corresponding DNS query: 219.146.47.44
Source: unknown	TCP traffic detected without corresponding DNS query: 157.52.237.105
Source: unknown	TCP traffic detected without corresponding DNS query: 98.204.182.38
Source: unknown	TCP traffic detected without corresponding DNS query: 124.194.233.95
Source: unknown	TCP traffic detected without corresponding DNS query: 93.153.221.232
Source: unknown	TCP traffic detected without corresponding DNS query: 193.166.193.247
Source: unknown	TCP traffic detected without corresponding DNS query: 44.144.133.164
Source: unknown	TCP traffic detected without corresponding DNS query: 120.160.69.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.153.77.28
Source: unknown	TCP traffic detected without corresponding DNS query: 181.33.33.252
Source: unknown	TCP traffic detected without corresponding DNS query: 24.185.177.80
Source: unknown	TCP traffic detected without corresponding DNS query: 116.53.153.161
Source: unknown	TCP traffic detected without corresponding DNS query: 64.160.132.38
Source: unknown	TCP traffic detected without corresponding DNS query: 173.204.252.161
Source: unknown	TCP traffic detected without corresponding DNS query: 156.239.215.88
Source: unknown	TCP traffic detected without corresponding DNS query: 175.147.75.78
Source: unknown	TCP traffic detected without corresponding DNS query: 12.229.182.92
Source: unknown	TCP traffic detected without corresponding DNS query: 138.35.53.126
Source: unknown	TCP traffic detected without corresponding DNS query: 77.78.78.32
Source: unknown	TCP traffic detected without corresponding DNS query: 14.120.69.11
Source: unknown	TCP traffic detected without corresponding DNS query: 12.249.68.145
Source: unknown	TCP traffic detected without corresponding DNS query: 184.149.239.238
Source: unknown	TCP traffic detected without corresponding DNS query: 31.213.253.90
Source: unknown	TCP traffic detected without corresponding DNS query: 165.36.45.230

Source: Initial sample	String containing 'busybox' found: pkill -9 busybox
Source: Initial sample	String containing 'busybox' found: rm -rf /tmp/* /var/* /var/run/* /var/tmp/rm -rf /var/log/wtmprm -rf /tmp/rm -rf /bin/netstatiptables -Fpkill -9 busyboxpkill -9 perlpkill -9 pythonservice iptables stop/sbin/iptables -F; /sbin/iptables -Xservice firewalld stoprm -rf ~/.bash_historyhistory -c%d.%d.%d.%dabcdefghijklmnopqrstuvwxyz12345678910abcdefghijklmnopqrstuvwxyzallrandzap,synrstfinackpshUDPTCPRAND-HEXICMPV2GAMERAND-GAMEHOMEKILL-ALL

Source: /bin/sh (PID: 5271)	Pkill executable: /usr/bin/pkill -> pkill -9 busybox	Jump to behavior
Source: /bin/sh (PID: 5281)	Pkill executable: /usr/bin/pkill -> pkill -9 perl	Jump to behavior
Source: /bin/sh (PID: 5287)	Pkill executable: /usr/bin/pkill -> pkill -9 python	Jump to behavior
Source: /bin/sh (PID: 5364)	Pkill executable: /usr/bin/pkill -> pkill -9 busybox	Jump to behavior
Source: /bin/sh (PID: 5374)	Pkill executable: /usr/bin/pkill -> pkill -9 perl	Jump to behavior
Source: /bin/sh (PID: 5382)	Pkill executable: /usr/bin/pkill -> pkill -9 python	Jump to behavior
Source: /bin/sh (PID: 5432)	Pkill executable: /usr/bin/pkill -> pkill -9 busybox	Jump to behavior
Source: /bin/sh (PID: 5435)	Pkill executable: /usr/bin/pkill -> pkill -9 perl	Jump to behavior
Source: /bin/sh (PID: 5440)	Pkill executable: /usr/bin/pkill -> pkill -9 python	Jump to behavior
Source: /bin/sh (PID: 5490)	Pkill executable: /usr/bin/pkill -> pkill -9 busybox	Jump to behavior
Source: /bin/sh (PID: 5495)	Pkill executable: /usr/bin/pkill -> pkill -9 perl
Source: /bin/sh (PID: 5498)	Pkill executable: /usr/bin/pkill -> pkill -9 python
Source: /bin/sh (PID: 5569)	Pkill executable: /usr/bin/pkill -> pkill -9 busybox
Source: /bin/sh (PID: 5574)	Pkill executable: /usr/bin/pkill -> pkill -9 perl
Source: /bin/sh (PID: 5578)	Pkill executable: /usr/bin/pkill -> pkill -9 python
Source: /bin/sh (PID: 5627)	Pkill executable: /usr/bin/pkill -> pkill -9 busybox
Source: /bin/sh (PID: 5633)	Pkill executable: /usr/bin/pkill -> pkill -9 perl
Source: /bin/sh (PID: 5638)	Pkill executable: /usr/bin/pkill -> pkill -9 python
Source: /bin/sh (PID: 5687)	Pkill executable: /usr/bin/pkill -> pkill -9 busybox
Source: /bin/sh (PID: 5692)	Pkill executable: /usr/bin/pkill -> pkill -9 perl
Source: /bin/sh (PID: 5695)	Pkill executable: /usr/bin/pkill -> pkill -9 python
Source: /bin/sh (PID: 5744)	Pkill executable: /usr/bin/pkill -> pkill -9 busybox
Source: /bin/sh (PID: 5750)	Pkill executable: /usr/bin/pkill -> pkill -9 perl
Source: /bin/sh (PID: 5754)	Pkill executable: /usr/bin/pkill -> pkill -9 python
Source: /bin/sh (PID: 5803)	Pkill executable: /usr/bin/pkill -> pkill -9 busybox
Source: /bin/sh (PID: 5808)	Pkill executable: /usr/bin/pkill -> pkill -9 perl
Source: /bin/sh (PID: 5811)	Pkill executable: /usr/bin/pkill -> pkill -9 python
Source: /bin/sh (PID: 5861)	Pkill executable: /usr/bin/pkill -> pkill -9 busybox
Source: /bin/sh (PID: 5867)	Pkill executable: /usr/bin/pkill -> pkill -9 perl
Source: /bin/sh (PID: 5872)	Pkill executable: /usr/bin/pkill -> pkill -9 python
Source: /bin/sh (PID: 5921)	Pkill executable: /usr/bin/pkill -> pkill -9 busybox
Source: /bin/sh (PID: 5926)	Pkill executable: /usr/bin/pkill -> pkill -9 perl
Source: /bin/sh (PID: 5929)	Pkill executable: /usr/bin/pkill -> pkill -9 python
Source: /bin/sh (PID: 5978)	Pkill executable: /usr/bin/pkill -> pkill -9 busybox
Source: /bin/sh (PID: 5984)	Pkill executable: /usr/bin/pkill -> pkill -9 perl
Source: /bin/sh (PID: 5987)	Pkill executable: /usr/bin/pkill -> pkill -9 python
Source: /bin/sh (PID: 6037)	Pkill executable: /usr/bin/pkill -> pkill -9 busybox
Source: /bin/sh (PID: 6040)	Pkill executable: /usr/bin/pkill -> pkill -9 perl
Source: /bin/sh (PID: 6045)	Pkill executable: /usr/bin/pkill -> pkill -9 python
Source: /bin/sh (PID: 5270)	Pkill executable: /usr/bin/pkill -> pkill -9 busybox
Source: /bin/sh (PID: 5282)	Pkill executable: /usr/bin/pkill -> pkill -9 perl
Source: /bin/sh (PID: 5290)	Pkill executable: /usr/bin/pkill -> pkill -9 python

Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/5140/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/5140/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/5382/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/5382/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/5262/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/5262/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/5142/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/5142/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/1582/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/1582/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/3088/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/3088/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/5380/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/5380/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/230/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/230/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/110/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/110/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/231/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/231/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/111/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/111/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/232/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/232/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/1579/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/1579/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/112/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/112/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/233/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/233/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/1699/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/1699/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/113/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/113/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/234/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/234/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/1335/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/1335/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/1698/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/1698/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/114/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/114/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/235/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/235/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/1334/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/1334/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/1576/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/1576/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/2302/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/2302/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/115/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/115/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/236/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/236/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/116/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/116/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/237/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/237/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/117/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/117/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/118/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/118/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/910/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/910/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/119/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/119/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/912/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/912/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/10/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/10/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/2307/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/2307/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/11/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/11/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/918/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/918/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/5030/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/5030/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/12/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/12/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/13/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/13/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/14/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/14/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/15/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/15/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/16/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/16/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/17/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/17/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/18/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/18/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/1594/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/1594/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/120/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/120/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/121/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/121/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/1349/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/1349/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/1/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/1/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/122/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/122/cmdline	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/243/status	Jump to behavior
Source: /usr/bin/pkill (PID: 5382)	File opened: /proc/243/cmdline	Jump to behavior

Source: /usr/sbin/service (PID: 5295)	Systemctl executable: /usr/bin/systemctl -> systemctl stop iptables.service	Jump to behavior
Source: /usr/sbin/service (PID: 5298)	Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active multi-user.target	Jump to behavior
Source: /usr/sbin/service (PID: 5300)	Systemctl executable: /usr/bin/systemctl -> systemctl list-unit-files --full --type=socket	Jump to behavior
Source: /usr/sbin/service (PID: 5319)	Systemctl executable: /usr/bin/systemctl -> systemctl stop firewalld.service	Jump to behavior
Source: /usr/sbin/service (PID: 5322)	Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active multi-user.target	Jump to behavior
Source: /usr/sbin/service (PID: 5324)	Systemctl executable: /usr/bin/systemctl -> systemctl list-unit-files --full --type=socket	Jump to behavior
Source: /usr/sbin/service (PID: 5385)	Systemctl executable: /usr/bin/systemctl -> systemctl stop iptables.service	Jump to behavior
Source: /usr/sbin/service (PID: 5388)	Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active multi-user.target	Jump to behavior
Source: /usr/sbin/service (PID: 5390)	Systemctl executable: /usr/bin/systemctl -> systemctl list-unit-files --full --type=socket	Jump to behavior
Source: /usr/sbin/service (PID: 5401)	Systemctl executable: /usr/bin/systemctl -> systemctl stop firewalld.service	Jump to behavior
Source: /usr/sbin/service (PID: 5404)	Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active multi-user.target	Jump to behavior
Source: /usr/sbin/service (PID: 5406)	Systemctl executable: /usr/bin/systemctl -> systemctl list-unit-files --full --type=socket	Jump to behavior
Source: /usr/sbin/service (PID: 5443)	Systemctl executable: /usr/bin/systemctl -> systemctl stop iptables.service	Jump to behavior
Source: /usr/sbin/service (PID: 5446)	Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active multi-user.target	Jump to behavior
Source: /usr/sbin/service (PID: 5448)	Systemctl executable: /usr/bin/systemctl -> systemctl list-unit-files --full --type=socket	Jump to behavior
Source: /usr/sbin/service (PID: 5458)	Systemctl executable: /usr/bin/systemctl -> systemctl stop firewalld.service	Jump to behavior
Source: /usr/sbin/service (PID: 5461)	Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active multi-user.target	Jump to behavior
Source: /usr/sbin/service (PID: 5463)	Systemctl executable: /usr/bin/systemctl -> systemctl list-unit-files --full --type=socket	Jump to behavior
Source: /usr/sbin/service (PID: 5503)	Systemctl executable: /usr/bin/systemctl -> systemctl stop iptables.service
Source: /usr/sbin/service (PID: 5506)	Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active multi-user.target
Source: /usr/sbin/service (PID: 5508)	Systemctl executable: /usr/bin/systemctl -> systemctl list-unit-files --full --type=socket
Source: /usr/sbin/service (PID: 5538)	Systemctl executable: /usr/bin/systemctl -> systemctl stop firewalld.service
Source: /usr/sbin/service (PID: 5541)	Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active multi-user.target
Source: /usr/sbin/service (PID: 5545)	Systemctl executable: /usr/bin/systemctl -> systemctl list-unit-files --full --type=socket
Source: /usr/sbin/service (PID: 5583)	Systemctl executable: /usr/bin/systemctl -> systemctl stop iptables.service
Source: /usr/sbin/service (PID: 5586)	Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active multi-user.target
Source: /usr/sbin/service (PID: 5588)	Systemctl executable: /usr/bin/systemctl -> systemctl list-unit-files --full --type=socket
Source: /usr/sbin/service (PID: 5596)	Systemctl executable: /usr/bin/systemctl -> systemctl stop firewalld.service
Source: /usr/sbin/service (PID: 5599)	Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active multi-user.target
Source: /usr/sbin/service (PID: 5603)	Systemctl executable: /usr/bin/systemctl -> systemctl list-unit-files --full --type=socket
Source: /usr/sbin/service (PID: 5643)	Systemctl executable: /usr/bin/systemctl -> systemctl stop iptables.service
Source: /usr/sbin/service (PID: 5646)	Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active multi-user.target
Source: /usr/sbin/service (PID: 5648)	Systemctl executable: /usr/bin/systemctl -> systemctl list-unit-files --full --type=socket
Source: /usr/sbin/service (PID: 5656)	Systemctl executable: /usr/bin/systemctl -> systemctl stop firewalld.service
Source: /usr/sbin/service (PID: 5659)	Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active multi-user.target
Source: /usr/sbin/service (PID: 5661)	Systemctl executable: /usr/bin/systemctl -> systemctl list-unit-files --full --type=socket
Source: /usr/sbin/service (PID: 5700)	Systemctl executable: /usr/bin/systemctl -> systemctl stop iptables.service
Source: /usr/sbin/service (PID: 5703)	Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active multi-user.target
Source: /usr/sbin/service (PID: 5705)	Systemctl executable: /usr/bin/systemctl -> systemctl list-unit-files --full --type=socket
Source: /usr/sbin/service (PID: 5713)	Systemctl executable: /usr/bin/systemctl -> systemctl stop firewalld.service
Source: /usr/sbin/service (PID: 5718)	Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active multi-user.target
Source: /usr/sbin/service (PID: 5720)	Systemctl executable: /usr/bin/systemctl -> systemctl list-unit-files --full --type=socket
Source: /usr/sbin/service (PID: 5759)	Systemctl executable: /usr/bin/systemctl -> systemctl stop iptables.service
Source: /usr/sbin/service (PID: 5762)	Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active multi-user.target
Source: /usr/sbin/service (PID: 5764)	Systemctl executable: /usr/bin/systemctl -> systemctl list-unit-files --full --type=socket
Source: /usr/sbin/service (PID: 5774)	Systemctl executable: /usr/bin/systemctl -> systemctl stop firewalld.service
Source: /usr/sbin/service (PID: 5777)	Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active multi-user.target
Source: /usr/sbin/service (PID: 5779)	Systemctl executable: /usr/bin/systemctl -> systemctl list-unit-files --full --type=socket
Source: /usr/sbin/service (PID: 5816)	Systemctl executable: /usr/bin/systemctl -> systemctl stop iptables.service
Source: /usr/sbin/service (PID: 5819)	Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active multi-user.target
Source: /usr/sbin/service (PID: 5821)	Systemctl executable: /usr/bin/systemctl -> systemctl list-unit-files --full --type=socket
Source: /usr/sbin/service (PID: 5829)	Systemctl executable: /usr/bin/systemctl -> systemctl stop firewalld.service
Source: /usr/sbin/service (PID: 5832)	Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active multi-user.target
Source: /usr/sbin/service (PID: 5834)	Systemctl executable: /usr/bin/systemctl -> systemctl list-unit-files --full --type=socket
Source: /usr/sbin/service (PID: 5877)	Systemctl executable: /usr/bin/systemctl -> systemctl stop iptables.service
Source: /usr/sbin/service (PID: 5880)	Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active multi-user.target
Source: /usr/sbin/service (PID: 5882)	Systemctl executable: /usr/bin/systemctl -> systemctl list-unit-files --full --type=socket
Source: /usr/sbin/service (PID: 5890)	Systemctl executable: /usr/bin/systemctl -> systemctl stop firewalld.service
Source: /usr/sbin/service (PID: 5895)	Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active multi-user.target
Source: /usr/sbin/service (PID: 5897)	Systemctl executable: /usr/bin/systemctl -> systemctl list-unit-files --full --type=socket
Source: /usr/sbin/service (PID: 5934)	Systemctl executable: /usr/bin/systemctl -> systemctl stop iptables.service
Source: /usr/sbin/service (PID: 5937)	Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active multi-user.target
Source: /usr/sbin/service (PID: 5939)	Systemctl executable: /usr/bin/systemctl -> systemctl list-unit-files --full --type=socket
Source: /usr/sbin/service (PID: 5949)	Systemctl executable: /usr/bin/systemctl -> systemctl stop firewalld.service
Source: /usr/sbin/service (PID: 5952)	Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active multi-user.target
Source: /usr/sbin/service (PID: 5954)	Systemctl executable: /usr/bin/systemctl -> systemctl list-unit-files --full --type=socket
Source: /usr/sbin/service (PID: 5993)	Systemctl executable: /usr/bin/systemctl -> systemctl stop iptables.service
Source: /usr/sbin/service (PID: 5996)	Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active multi-user.target
Source: /usr/sbin/service (PID: 5998)	Systemctl executable: /usr/bin/systemctl -> systemctl list-unit-files --full --type=socket
Source: /usr/sbin/service (PID: 6006)	Systemctl executable: /usr/bin/systemctl -> systemctl stop firewalld.service
Source: /usr/sbin/service (PID: 6009)	Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active multi-user.target
Source: /usr/sbin/service (PID: 6011)	Systemctl executable: /usr/bin/systemctl -> systemctl list-unit-files --full --type=socket
Source: /usr/sbin/service (PID: 5304)	Systemctl executable: /usr/bin/systemctl -> systemctl stop iptables.service
Source: /usr/sbin/service (PID: 5307)	Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active multi-user.target
Source: /usr/sbin/service (PID: 5311)	Systemctl executable: /usr/bin/systemctl -> systemctl list-unit-files --full --type=socket
Source: /usr/sbin/service (PID: 5334)	Systemctl executable: /usr/bin/systemctl -> systemctl stop firewalld.service
Source: /usr/sbin/service (PID: 5337)	Systemctl executable: /usr/bin/systemctl -> systemctl --quiet is-active multi-user.target
Source: /usr/sbin/service (PID: 5339)	Systemctl executable: /usr/bin/systemctl -> systemctl list-unit-files --full --type=socket

Source: /tmp/ahuFoyOKGg (PID: 5232)	Shell command executed: sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*"	Jump to behavior
Source: /tmp/ahuFoyOKGg (PID: 5243)	Shell command executed: sh -c "rm -rf /var/log/wtmp"	Jump to behavior
Source: /tmp/ahuFoyOKGg (PID: 5249)	Shell command executed: sh -c "rm -rf /tmp/*"	Jump to behavior
Source: /tmp/ahuFoyOKGg (PID: 5255)	Shell command executed: sh -c "rm -rf /bin/netstat"	Jump to behavior
Source: /tmp/ahuFoyOKGg (PID: 5259)	Shell command executed: sh -c "iptables -F"	Jump to behavior
Source: /tmp/ahuFoyOKGg (PID: 5268)	Shell command executed: sh -c "pkill -9 busybox"	Jump to behavior
Source: /tmp/ahuFoyOKGg (PID: 5277)	Shell command executed: sh -c "pkill -9 perl"	Jump to behavior
Source: /tmp/ahuFoyOKGg (PID: 5285)	Shell command executed: sh -c "pkill -9 python"	Jump to behavior
Source: /tmp/ahuFoyOKGg (PID: 5293)	Shell command executed: sh -c "service iptables stop"	Jump to behavior
Source: /tmp/ahuFoyOKGg (PID: 5313)	Shell command executed: sh -c "/sbin/iptables -F; /sbin/iptables -X"	Jump to behavior
Source: /tmp/ahuFoyOKGg (PID: 5317)	Shell command executed: sh -c "service firewalld stop"	Jump to behavior
Source: /tmp/ahuFoyOKGg (PID: 5341)	Shell command executed: sh -c "rm -rf ~/.bash_history"	Jump to behavior
Source: /tmp/ahuFoyOKGg (PID: 5344)	Shell command executed: sh -c "history -c"	Jump to behavior
Source: /tmp/ahuFoyOKGg (PID: 5347)	Shell command executed: sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*"	Jump to behavior
Source: /tmp/ahuFoyOKGg (PID: 5350)	Shell command executed: sh -c "rm -rf /var/log/wtmp"	Jump to behavior
Source: /tmp/ahuFoyOKGg (PID: 5353)	Shell command executed: sh -c "rm -rf /tmp/*"	Jump to behavior
Source: /tmp/ahuFoyOKGg (PID: 5356)	Shell command executed: sh -c "rm -rf /bin/netstat"	Jump to behavior
Source: /tmp/ahuFoyOKGg (PID: 5359)	Shell command executed: sh -c "iptables -F"	Jump to behavior
Source: /tmp/ahuFoyOKGg (PID: 5362)	Shell command executed: sh -c "pkill -9 busybox"	Jump to behavior
Source: /tmp/ahuFoyOKGg (PID: 5372)	Shell command executed: sh -c "pkill -9 perl"	Jump to behavior
Source: /tmp/ahuFoyOKGg (PID: 5380)	Shell command executed: sh -c "pkill -9 python"	Jump to behavior
Source: /tmp/ahuFoyOKGg (PID: 5383)	Shell command executed: sh -c "service iptables stop"	Jump to behavior
Source: /tmp/ahuFoyOKGg (PID: 5395)	Shell command executed: sh -c "/sbin/iptables -F; /sbin/iptables -X"	Jump to behavior
Source: /tmp/ahuFoyOKGg (PID: 5399)	Shell command executed: sh -c "service firewalld stop"	Jump to behavior
Source: /tmp/ahuFoyOKGg (PID: 5408)	Shell command executed: sh -c "rm -rf ~/.bash_history"	Jump to behavior
Source: /tmp/ahuFoyOKGg (PID: 5411)	Shell command executed: sh -c "history -c"	Jump to behavior
Source: /tmp/ahuFoyOKGg (PID: 5415)	Shell command executed: sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*"	Jump to behavior
Source: /tmp/ahuFoyOKGg (PID: 5418)	Shell command executed: sh -c "rm -rf /var/log/wtmp"	Jump to behavior
Source: /tmp/ahuFoyOKGg (PID: 5421)	Shell command executed: sh -c "rm -rf /tmp/*"	Jump to behavior
Source: /tmp/ahuFoyOKGg (PID: 5424)	Shell command executed: sh -c "rm -rf /bin/netstat"	Jump to behavior
Source: /tmp/ahuFoyOKGg (PID: 5427)	Shell command executed: sh -c "iptables -F"	Jump to behavior
Source: /tmp/ahuFoyOKGg (PID: 5430)	Shell command executed: sh -c "pkill -9 busybox"	Jump to behavior
Source: /tmp/ahuFoyOKGg (PID: 5433)	Shell command executed: sh -c "pkill -9 perl"	Jump to behavior
Source: /tmp/ahuFoyOKGg (PID: 5438)	Shell command executed: sh -c "pkill -9 python"	Jump to behavior
Source: /tmp/ahuFoyOKGg (PID: 5441)	Shell command executed: sh -c "service iptables stop"	Jump to behavior
Source: /tmp/ahuFoyOKGg (PID: 5452)	Shell command executed: sh -c "/sbin/iptables -F; /sbin/iptables -X"	Jump to behavior
Source: /tmp/ahuFoyOKGg (PID: 5456)	Shell command executed: sh -c "service firewalld stop"	Jump to behavior
Source: /tmp/ahuFoyOKGg (PID: 5467)	Shell command executed: sh -c "rm -rf ~/.bash_history"	Jump to behavior
Source: /tmp/ahuFoyOKGg (PID: 5470)	Shell command executed: sh -c "history -c"	Jump to behavior
Source: /tmp/ahuFoyOKGg (PID: 5472)	Shell command executed: sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*"	Jump to behavior
Source: /tmp/ahuFoyOKGg (PID: 5475)	Shell command executed: sh -c "rm -rf /var/log/wtmp"	Jump to behavior
Source: /tmp/ahuFoyOKGg (PID: 5478)	Shell command executed: sh -c "rm -rf /tmp/*"	Jump to behavior
Source: /tmp/ahuFoyOKGg (PID: 5481)	Shell command executed: sh -c "rm -rf /bin/netstat"	Jump to behavior
Source: /tmp/ahuFoyOKGg (PID: 5484)	Shell command executed: sh -c "iptables -F"	Jump to behavior
Source: /tmp/ahuFoyOKGg (PID: 5487)	Shell command executed: sh -c "pkill -9 busybox"	Jump to behavior
Source: /tmp/ahuFoyOKGg (PID: 5493)	Shell command executed: sh -c "pkill -9 perl"
Source: /tmp/ahuFoyOKGg (PID: 5496)	Shell command executed: sh -c "pkill -9 python"
Source: /tmp/ahuFoyOKGg (PID: 5501)	Shell command executed: sh -c "service iptables stop"
Source: /tmp/ahuFoyOKGg (PID: 5532)	Shell command executed: sh -c "/sbin/iptables -F; /sbin/iptables -X"
Source: /tmp/ahuFoyOKGg (PID: 5536)	Shell command executed: sh -c "service firewalld stop"
Source: /tmp/ahuFoyOKGg (PID: 5547)	Shell command executed: sh -c "rm -rf ~/.bash_history"
Source: /tmp/ahuFoyOKGg (PID: 5550)	Shell command executed: sh -c "history -c"
Source: /tmp/ahuFoyOKGg (PID: 5552)	Shell command executed: sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*"
Source: /tmp/ahuFoyOKGg (PID: 5555)	Shell command executed: sh -c "rm -rf /var/log/wtmp"
Source: /tmp/ahuFoyOKGg (PID: 5558)	Shell command executed: sh -c "rm -rf /tmp/*"
Source: /tmp/ahuFoyOKGg (PID: 5561)	Shell command executed: sh -c "rm -rf /bin/netstat"
Source: /tmp/ahuFoyOKGg (PID: 5564)	Shell command executed: sh -c "iptables -F"
Source: /tmp/ahuFoyOKGg (PID: 5567)	Shell command executed: sh -c "pkill -9 busybox"
Source: /tmp/ahuFoyOKGg (PID: 5572)	Shell command executed: sh -c "pkill -9 perl"
Source: /tmp/ahuFoyOKGg (PID: 5576)	Shell command executed: sh -c "pkill -9 python"
Source: /tmp/ahuFoyOKGg (PID: 5581)	Shell command executed: sh -c "service iptables stop"
Source: /tmp/ahuFoyOKGg (PID: 5590)	Shell command executed: sh -c "/sbin/iptables -F; /sbin/iptables -X"
Source: /tmp/ahuFoyOKGg (PID: 5594)	Shell command executed: sh -c "service firewalld stop"
Source: /tmp/ahuFoyOKGg (PID: 5605)	Shell command executed: sh -c "rm -rf ~/.bash_history"
Source: /tmp/ahuFoyOKGg (PID: 5608)	Shell command executed: sh -c "history -c"
Source: /tmp/ahuFoyOKGg (PID: 5610)	Shell command executed: sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*"
Source: /tmp/ahuFoyOKGg (PID: 5613)	Shell command executed: sh -c "rm -rf /var/log/wtmp"
Source: /tmp/ahuFoyOKGg (PID: 5616)	Shell command executed: sh -c "rm -rf /tmp/*"
Source: /tmp/ahuFoyOKGg (PID: 5619)	Shell command executed: sh -c "rm -rf /bin/netstat"
Source: /tmp/ahuFoyOKGg (PID: 5622)	Shell command executed: sh -c "iptables -F"
Source: /tmp/ahuFoyOKGg (PID: 5625)	Shell command executed: sh -c "pkill -9 busybox"
Source: /tmp/ahuFoyOKGg (PID: 5631)	Shell command executed: sh -c "pkill -9 perl"
Source: /tmp/ahuFoyOKGg (PID: 5636)	Shell command executed: sh -c "pkill -9 python"
Source: /tmp/ahuFoyOKGg (PID: 5641)	Shell command executed: sh -c "service iptables stop"
Source: /tmp/ahuFoyOKGg (PID: 5650)	Shell command executed: sh -c "/sbin/iptables -F; /sbin/iptables -X"
Source: /tmp/ahuFoyOKGg (PID: 5654)	Shell command executed: sh -c "service firewalld stop"
Source: /tmp/ahuFoyOKGg (PID: 5665)	Shell command executed: sh -c "rm -rf ~/.bash_history"
Source: /tmp/ahuFoyOKGg (PID: 5668)	Shell command executed: sh -c "history -c"
Source: /tmp/ahuFoyOKGg (PID: 5670)	Shell command executed: sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*"
Source: /tmp/ahuFoyOKGg (PID: 5673)	Shell command executed: sh -c "rm -rf /var/log/wtmp"
Source: /tmp/ahuFoyOKGg (PID: 5676)	Shell command executed: sh -c "rm -rf /tmp/*"
Source: /tmp/ahuFoyOKGg (PID: 5679)	Shell command executed: sh -c "rm -rf /bin/netstat"
Source: /tmp/ahuFoyOKGg (PID: 5682)	Shell command executed: sh -c "iptables -F"
Source: /tmp/ahuFoyOKGg (PID: 5685)	Shell command executed: sh -c "pkill -9 busybox"
Source: /tmp/ahuFoyOKGg (PID: 5690)	Shell command executed: sh -c "pkill -9 perl"
Source: /tmp/ahuFoyOKGg (PID: 5693)	Shell command executed: sh -c "pkill -9 python"
Source: /tmp/ahuFoyOKGg (PID: 5698)	Shell command executed: sh -c "service iptables stop"
Source: /tmp/ahuFoyOKGg (PID: 5707)	Shell command executed: sh -c "/sbin/iptables -F; /sbin/iptables -X"
Source: /tmp/ahuFoyOKGg (PID: 5711)	Shell command executed: sh -c "service firewalld stop"
Source: /tmp/ahuFoyOKGg (PID: 5722)	Shell command executed: sh -c "rm -rf ~/.bash_history"
Source: /tmp/ahuFoyOKGg (PID: 5725)	Shell command executed: sh -c "history -c"
Source: /tmp/ahuFoyOKGg (PID: 5727)	Shell command executed: sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*"
Source: /tmp/ahuFoyOKGg (PID: 5730)	Shell command executed: sh -c "rm -rf /var/log/wtmp"
Source: /tmp/ahuFoyOKGg (PID: 5733)	Shell command executed: sh -c "rm -rf /tmp/*"
Source: /tmp/ahuFoyOKGg (PID: 5736)	Shell command executed: sh -c "rm -rf /bin/netstat"
Source: /tmp/ahuFoyOKGg (PID: 5739)	Shell command executed: sh -c "iptables -F"
Source: /tmp/ahuFoyOKGg (PID: 5742)	Shell command executed: sh -c "pkill -9 busybox"
Source: /tmp/ahuFoyOKGg (PID: 5748)	Shell command executed: sh -c "pkill -9 perl"
Source: /tmp/ahuFoyOKGg (PID: 5752)	Shell command executed: sh -c "pkill -9 python"
Source: /tmp/ahuFoyOKGg (PID: 5757)	Shell command executed: sh -c "service iptables stop"
Source: /tmp/ahuFoyOKGg (PID: 5766)	Shell command executed: sh -c "/sbin/iptables -F; /sbin/iptables -X"
Source: /tmp/ahuFoyOKGg (PID: 5772)	Shell command executed: sh -c "service firewalld stop"
Source: /tmp/ahuFoyOKGg (PID: 5781)	Shell command executed: sh -c "rm -rf ~/.bash_history"
Source: /tmp/ahuFoyOKGg (PID: 5784)	Shell command executed: sh -c "history -c"
Source: /tmp/ahuFoyOKGg (PID: 5786)	Shell command executed: sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*"
Source: /tmp/ahuFoyOKGg (PID: 5789)	Shell command executed: sh -c "rm -rf /var/log/wtmp"
Source: /tmp/ahuFoyOKGg (PID: 5792)	Shell command executed: sh -c "rm -rf /tmp/*"
Source: /tmp/ahuFoyOKGg (PID: 5795)	Shell command executed: sh -c "rm -rf /bin/netstat"
Source: /tmp/ahuFoyOKGg (PID: 5798)	Shell command executed: sh -c "iptables -F"
Source: /tmp/ahuFoyOKGg (PID: 5801)	Shell command executed: sh -c "pkill -9 busybox"
Source: /tmp/ahuFoyOKGg (PID: 5806)	Shell command executed: sh -c "pkill -9 perl"
Source: /tmp/ahuFoyOKGg (PID: 5809)	Shell command executed: sh -c "pkill -9 python"
Source: /tmp/ahuFoyOKGg (PID: 5814)	Shell command executed: sh -c "service iptables stop"
Source: /tmp/ahuFoyOKGg (PID: 5823)	Shell command executed: sh -c "/sbin/iptables -F; /sbin/iptables -X"
Source: /tmp/ahuFoyOKGg (PID: 5827)	Shell command executed: sh -c "service firewalld stop"
Source: /tmp/ahuFoyOKGg (PID: 5839)	Shell command executed: sh -c "rm -rf ~/.bash_history"
Source: /tmp/ahuFoyOKGg (PID: 5842)	Shell command executed: sh -c "history -c"
Source: /tmp/ahuFoyOKGg (PID: 5844)	Shell command executed: sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*"
Source: /tmp/ahuFoyOKGg (PID: 5847)	Shell command executed: sh -c "rm -rf /var/log/wtmp"
Source: /tmp/ahuFoyOKGg (PID: 5850)	Shell command executed: sh -c "rm -rf /tmp/*"
Source: /tmp/ahuFoyOKGg (PID: 5853)	Shell command executed: sh -c "rm -rf /bin/netstat"
Source: /tmp/ahuFoyOKGg (PID: 5856)	Shell command executed: sh -c "iptables -F"
Source: /tmp/ahuFoyOKGg (PID: 5859)	Shell command executed: sh -c "pkill -9 busybox"
Source: /tmp/ahuFoyOKGg (PID: 5865)	Shell command executed: sh -c "pkill -9 perl"
Source: /tmp/ahuFoyOKGg (PID: 5870)	Shell command executed: sh -c "pkill -9 python"
Source: /tmp/ahuFoyOKGg (PID: 5875)	Shell command executed: sh -c "service iptables stop"
Source: /tmp/ahuFoyOKGg (PID: 5884)	Shell command executed: sh -c "/sbin/iptables -F; /sbin/iptables -X"
Source: /tmp/ahuFoyOKGg (PID: 5888)	Shell command executed: sh -c "service firewalld stop"
Source: /tmp/ahuFoyOKGg (PID: 5899)	Shell command executed: sh -c "rm -rf ~/.bash_history"
Source: /tmp/ahuFoyOKGg (PID: 5902)	Shell command executed: sh -c "history -c"
Source: /tmp/ahuFoyOKGg (PID: 5904)	Shell command executed: sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*"
Source: /tmp/ahuFoyOKGg (PID: 5907)	Shell command executed: sh -c "rm -rf /var/log/wtmp"
Source: /tmp/ahuFoyOKGg (PID: 5910)	Shell command executed: sh -c "rm -rf /tmp/*"
Source: /tmp/ahuFoyOKGg (PID: 5913)	Shell command executed: sh -c "rm -rf /bin/netstat"
Source: /tmp/ahuFoyOKGg (PID: 5916)	Shell command executed: sh -c "iptables -F"
Source: /tmp/ahuFoyOKGg (PID: 5919)	Shell command executed: sh -c "pkill -9 busybox"
Source: /tmp/ahuFoyOKGg (PID: 5924)	Shell command executed: sh -c "pkill -9 perl"
Source: /tmp/ahuFoyOKGg (PID: 5927)	Shell command executed: sh -c "pkill -9 python"
Source: /tmp/ahuFoyOKGg (PID: 5932)	Shell command executed: sh -c "service iptables stop"
Source: /tmp/ahuFoyOKGg (PID: 5943)	Shell command executed: sh -c "/sbin/iptables -F; /sbin/iptables -X"
Source: /tmp/ahuFoyOKGg (PID: 5947)	Shell command executed: sh -c "service firewalld stop"
Source: /tmp/ahuFoyOKGg (PID: 5956)	Shell command executed: sh -c "rm -rf ~/.bash_history"
Source: /tmp/ahuFoyOKGg (PID: 5959)	Shell command executed: sh -c "history -c"
Source: /tmp/ahuFoyOKGg (PID: 5961)	Shell command executed: sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*"
Source: /tmp/ahuFoyOKGg (PID: 5964)	Shell command executed: sh -c "rm -rf /var/log/wtmp"
Source: /tmp/ahuFoyOKGg (PID: 5967)	Shell command executed: sh -c "rm -rf /tmp/*"
Source: /tmp/ahuFoyOKGg (PID: 5970)	Shell command executed: sh -c "rm -rf /bin/netstat"
Source: /tmp/ahuFoyOKGg (PID: 5973)	Shell command executed: sh -c "iptables -F"
Source: /tmp/ahuFoyOKGg (PID: 5976)	Shell command executed: sh -c "pkill -9 busybox"
Source: /tmp/ahuFoyOKGg (PID: 5982)	Shell command executed: sh -c "pkill -9 perl"
Source: /tmp/ahuFoyOKGg (PID: 5985)	Shell command executed: sh -c "pkill -9 python"
Source: /tmp/ahuFoyOKGg (PID: 5991)	Shell command executed: sh -c "service iptables stop"
Source: /tmp/ahuFoyOKGg (PID: 6000)	Shell command executed: sh -c "/sbin/iptables -F; /sbin/iptables -X"
Source: /tmp/ahuFoyOKGg (PID: 6004)	Shell command executed: sh -c "service firewalld stop"
Source: /tmp/ahuFoyOKGg (PID: 6015)	Shell command executed: sh -c "rm -rf ~/.bash_history"
Source: /tmp/ahuFoyOKGg (PID: 6018)	Shell command executed: sh -c "history -c"
Source: /tmp/ahuFoyOKGg (PID: 6020)	Shell command executed: sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*"
Source: /tmp/ahuFoyOKGg (PID: 6023)	Shell command executed: sh -c "rm -rf /var/log/wtmp"
Source: /tmp/ahuFoyOKGg (PID: 6026)	Shell command executed: sh -c "rm -rf /tmp/*"
Source: /tmp/ahuFoyOKGg (PID: 6029)	Shell command executed: sh -c "rm -rf /bin/netstat"
Source: /tmp/ahuFoyOKGg (PID: 6032)	Shell command executed: sh -c "iptables -F"
Source: /tmp/ahuFoyOKGg (PID: 6035)	Shell command executed: sh -c "pkill -9 busybox"
Source: /tmp/ahuFoyOKGg (PID: 6038)	Shell command executed: sh -c "pkill -9 perl"
Source: /tmp/ahuFoyOKGg (PID: 6043)	Shell command executed: sh -c "pkill -9 python"
Source: /tmp/ahuFoyOKGg (PID: 5221)	Shell command executed: sh -c "rm -rf /tmp/* /var/* /var/run/* /var/tmp/*"
Source: /tmp/ahuFoyOKGg (PID: 5238)	Shell command executed: sh -c "rm -rf /var/log/wtmp"
Source: /tmp/ahuFoyOKGg (PID: 5241)	Shell command executed: sh -c "rm -rf /tmp/*"
Source: /tmp/ahuFoyOKGg (PID: 5247)	Shell command executed: sh -c "rm -rf /bin/netstat"
Source: /tmp/ahuFoyOKGg (PID: 5253)	Shell command executed: sh -c "iptables -F"
Source: /tmp/ahuFoyOKGg (PID: 5266)	Shell command executed: sh -c "pkill -9 busybox"
Source: /tmp/ahuFoyOKGg (PID: 5279)	Shell command executed: sh -c "pkill -9 perl"
Source: /tmp/ahuFoyOKGg (PID: 5288)	Shell command executed: sh -c "pkill -9 python"
Source: /tmp/ahuFoyOKGg (PID: 5302)	Shell command executed: sh -c "service iptables stop"
Source: /tmp/ahuFoyOKGg (PID: 5328)	Shell command executed: sh -c "/sbin/iptables -F; /sbin/iptables -X"
Source: /tmp/ahuFoyOKGg (PID: 5332)	Shell command executed: sh -c "service firewalld stop"
Source: /tmp/ahuFoyOKGg (PID: 5367)	Shell command executed: sh -c "rm -rf ~/.bash_history"
Source: /tmp/ahuFoyOKGg (PID: 5370)	Shell command executed: sh -c "history -c"

Source: /bin/sh (PID: 5234)	Rm executable: /usr/bin/rm -> rm -rf /tmp/* /var/lib /var/local /var/lock /var/log /var/mail /var/metrics /var/opt /var/run /var/snap /var/spool /var/tmp /var/run/NetworkManager /var/run/acpid.pid /var/run/acpid.socket /var/run/apport.lock /var/run/avahi-daemon /var/run/blkid /var/run/cloud-init /var/run/console-setup /var/run/crond.pid /var/run/crond.reboot /var/run/cryptsetup /var/run/cups /var/run/dbus /var/run/dmeventd-client /var/run/dmeventd-server /var/run/gdm3 /var/run/gdm3.pid /var/run/initctl /var/run/initramfs /var/run/irqbalance /var/run/lock /var/run/log /var/run/lvm /var/run/mlocate.daily.lock /var/run/mono-xsp4 /var/run/mono-xsp4.pid /var/run/motd.d /var/run/mount /var/run/multipathd.pid /var/run/netns /var/run/network /var/run/screen /var/run/sendsigs.omit.d /var/run/shm /var/run/snapd /var/run/snapd-snap.socket /var/run/snapd.socket /var/run/speech-dispatcher /var/run/spice-vdagentd /var/run/sshd /var/run/sshd.pid /var/run/sudo /var/run/systemd /var/run/tmpfiles.d /var/run/udev /var/run/udisks2 /var/run/unattended-upgrades.lock /var/run/user /var/run/utmp /var/run/uuidd /var/run/vmware /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-ModemManager.service-J6Q1Te /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-colord.service-srP90f /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-fwupd.service-biJ0Gi /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-switcheroo-control.service-1jIxdj /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-llmWag /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-resolved.service-X16eHh /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-upower.service-GpSnaf	Jump to behavior
Source: /bin/sh (PID: 5246)	Rm executable: /usr/bin/rm -> rm -rf /var/log/wtmp	Jump to behavior
Source: /bin/sh (PID: 5252)	Rm executable: /usr/bin/rm -> rm -rf /tmp/*	Jump to behavior
Source: /bin/sh (PID: 5258)	Rm executable: /usr/bin/rm -> rm -rf /bin/netstat	Jump to behavior
Source: /bin/sh (PID: 5343)	Rm executable: /usr/bin/rm -> rm -rf /root/.bash_history	Jump to behavior
Source: /bin/sh (PID: 5349)	Rm executable: /usr/bin/rm -> rm -rf /tmp/* /var/cache /var/run/* /var/tmp/*	Jump to behavior
Source: /bin/sh (PID: 5352)	Rm executable: /usr/bin/rm -> rm -rf /var/log/wtmp	Jump to behavior
Source: /bin/sh (PID: 5355)	Rm executable: /usr/bin/rm -> rm -rf /tmp/*	Jump to behavior
Source: /bin/sh (PID: 5358)	Rm executable: /usr/bin/rm -> rm -rf /bin/netstat	Jump to behavior
Source: /bin/sh (PID: 5410)	Rm executable: /usr/bin/rm -> rm -rf /root/.bash_history	Jump to behavior
Source: /bin/sh (PID: 5417)	Rm executable: /usr/bin/rm -> rm -rf /tmp/* /var/* /var/run/* /var/tmp/*	Jump to behavior
Source: /bin/sh (PID: 5420)	Rm executable: /usr/bin/rm -> rm -rf /var/log/wtmp	Jump to behavior
Source: /bin/sh (PID: 5423)	Rm executable: /usr/bin/rm -> rm -rf /tmp/*	Jump to behavior
Source: /bin/sh (PID: 5426)	Rm executable: /usr/bin/rm -> rm -rf /bin/netstat	Jump to behavior
Source: /bin/sh (PID: 5469)	Rm executable: /usr/bin/rm -> rm -rf /root/.bash_history	Jump to behavior
Source: /bin/sh (PID: 5474)	Rm executable: /usr/bin/rm -> rm -rf /tmp/* /var/* /var/run/* /var/tmp/*	Jump to behavior
Source: /bin/sh (PID: 5477)	Rm executable: /usr/bin/rm -> rm -rf /var/log/wtmp	Jump to behavior
Source: /bin/sh (PID: 5480)	Rm executable: /usr/bin/rm -> rm -rf /tmp/*	Jump to behavior
Source: /bin/sh (PID: 5483)	Rm executable: /usr/bin/rm -> rm -rf /bin/netstat	Jump to behavior
Source: /bin/sh (PID: 5549)	Rm executable: /usr/bin/rm -> rm -rf /root/.bash_history
Source: /bin/sh (PID: 5554)	Rm executable: /usr/bin/rm -> rm -rf /tmp/* /var/* /var/run/* /var/tmp/*
Source: /bin/sh (PID: 5557)	Rm executable: /usr/bin/rm -> rm -rf /var/log/wtmp
Source: /bin/sh (PID: 5560)	Rm executable: /usr/bin/rm -> rm -rf /tmp/*
Source: /bin/sh (PID: 5563)	Rm executable: /usr/bin/rm -> rm -rf /bin/netstat
Source: /bin/sh (PID: 5607)	Rm executable: /usr/bin/rm -> rm -rf /root/.bash_history
Source: /bin/sh (PID: 5612)	Rm executable: /usr/bin/rm -> rm -rf /tmp/* /var/* /var/run/* /var/tmp/*
Source: /bin/sh (PID: 5615)	Rm executable: /usr/bin/rm -> rm -rf /var/log/wtmp
Source: /bin/sh (PID: 5618)	Rm executable: /usr/bin/rm -> rm -rf /tmp/*
Source: /bin/sh (PID: 5621)	Rm executable: /usr/bin/rm -> rm -rf /bin/netstat
Source: /bin/sh (PID: 5667)	Rm executable: /usr/bin/rm -> rm -rf /root/.bash_history
Source: /bin/sh (PID: 5672)	Rm executable: /usr/bin/rm -> rm -rf /tmp/* /var/* /var/run/* /var/tmp/*
Source: /bin/sh (PID: 5675)	Rm executable: /usr/bin/rm -> rm -rf /var/log/wtmp
Source: /bin/sh (PID: 5678)	Rm executable: /usr/bin/rm -> rm -rf /tmp/*
Source: /bin/sh (PID: 5681)	Rm executable: /usr/bin/rm -> rm -rf /bin/netstat
Source: /bin/sh (PID: 5724)	Rm executable: /usr/bin/rm -> rm -rf /root/.bash_history
Source: /bin/sh (PID: 5729)	Rm executable: /usr/bin/rm -> rm -rf /tmp/* /var/* /var/run/* /var/tmp/*
Source: /bin/sh (PID: 5732)	Rm executable: /usr/bin/rm -> rm -rf /var/log/wtmp
Source: /bin/sh (PID: 5735)	Rm executable: /usr/bin/rm -> rm -rf /tmp/*
Source: /bin/sh (PID: 5738)	Rm executable: /usr/bin/rm -> rm -rf /bin/netstat
Source: /bin/sh (PID: 5783)	Rm executable: /usr/bin/rm -> rm -rf /root/.bash_history
Source: /bin/sh (PID: 5788)	Rm executable: /usr/bin/rm -> rm -rf /tmp/* /var/* /var/run/* /var/tmp/*
Source: /bin/sh (PID: 5791)	Rm executable: /usr/bin/rm -> rm -rf /var/log/wtmp
Source: /bin/sh (PID: 5794)	Rm executable: /usr/bin/rm -> rm -rf /tmp/*
Source: /bin/sh (PID: 5797)	Rm executable: /usr/bin/rm -> rm -rf /bin/netstat
Source: /bin/sh (PID: 5841)	Rm executable: /usr/bin/rm -> rm -rf /root/.bash_history
Source: /bin/sh (PID: 5846)	Rm executable: /usr/bin/rm -> rm -rf /tmp/* /var/* /var/run/* /var/tmp/*
Source: /bin/sh (PID: 5849)	Rm executable: /usr/bin/rm -> rm -rf /var/log/wtmp
Source: /bin/sh (PID: 5852)	Rm executable: /usr/bin/rm -> rm -rf /tmp/*
Source: /bin/sh (PID: 5855)	Rm executable: /usr/bin/rm -> rm -rf /bin/netstat
Source: /bin/sh (PID: 5901)	Rm executable: /usr/bin/rm -> rm -rf /root/.bash_history
Source: /bin/sh (PID: 5906)	Rm executable: /usr/bin/rm -> rm -rf /tmp/* /var/* /var/run/* /var/tmp/*
Source: /bin/sh (PID: 5909)	Rm executable: /usr/bin/rm -> rm -rf /var/log/wtmp
Source: /bin/sh (PID: 5912)	Rm executable: /usr/bin/rm -> rm -rf /tmp/*
Source: /bin/sh (PID: 5915)	Rm executable: /usr/bin/rm -> rm -rf /bin/netstat
Source: /bin/sh (PID: 5958)	Rm executable: /usr/bin/rm -> rm -rf /root/.bash_history
Source: /bin/sh (PID: 5963)	Rm executable: /usr/bin/rm -> rm -rf /tmp/* /var/* /var/run/* /var/tmp/*
Source: /bin/sh (PID: 5966)	Rm executable: /usr/bin/rm -> rm -rf /var/log/wtmp
Source: /bin/sh (PID: 5969)	Rm executable: /usr/bin/rm -> rm -rf /tmp/*
Source: /bin/sh (PID: 5972)	Rm executable: /usr/bin/rm -> rm -rf /bin/netstat
Source: /bin/sh (PID: 6017)	Rm executable: /usr/bin/rm -> rm -rf /root/.bash_history
Source: /bin/sh (PID: 6022)	Rm executable: /usr/bin/rm -> rm -rf /tmp/* /var/* /var/run/* /var/tmp/*
Source: /bin/sh (PID: 6025)	Rm executable: /usr/bin/rm -> rm -rf /var/log/wtmp
Source: /bin/sh (PID: 6028)	Rm executable: /usr/bin/rm -> rm -rf /tmp/*
Source: /bin/sh (PID: 6031)	Rm executable: /usr/bin/rm -> rm -rf /bin/netstat
Source: /bin/sh (PID: 5223)	Rm executable: /usr/bin/rm -> rm -rf /tmp/ahuFoyOKGg /tmp/config-err-dHT8bZ /tmp/dmesgtail.log /tmp/snap.lxd /tmp/ssh-hOQ5FjG2iVgO /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-ModemManager.service-c4RYFi /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-colord.service-gKIF8e /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-fwupd.service-gB0a9f /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-switcheroo-control.service-APWnLg /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-IofUpj /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-resolved.service-AfPZzg /tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-upower.service-x0xO0i /tmp/tmp.Lzi5cB1EjE /tmp/tmp.MnQ8R1JpkR /tmp/tmp.iNAklbDLcD /tmp/vmware-root_721-4290559889 /var/backups /var/cache /var/crash /var/lib /var/local /var/lock /var/log /var/mail /var/metrics /var/opt /var/run /var/snap /var/spool /var/tmp /var/run/NetworkManager /var/run/acpid.pid /var/run/acpid.socket /var/run/apport.lock /var/run/avahi-daemon /var/run/blkid /var/run/cloud-init /var/run/console-setup /var/run/crond.pid /var/run/crond.reboot /var/run/cryptsetup /var/run/cups /var/run/dbus /var/run/dmeventd-client /var/run/dmeventd-server /var/run/gdm3 /var/run/gdm3.pid /var/run/initctl /var/run/initramfs /var/run/irqbalance /var/run/lock /var/run/log /var/run/lvm /var/run/mlocate.daily.lock /var/run/mono-xsp4 /var/run/mono-xsp4.pid /var/run/motd.d /var/run/mount /var/run/multipathd.pid /var/run/netns /var/run/network /var/run/screen /var/run/sendsigs.omit.d /var/run/shm /var/run/snapd /var/run/snapd-snap.socket /var/run/snapd.socket /var/run/speech-dispatcher /var/run/spice-vdagentd /var/run/sshd /var/run/sshd.pid /var/run/sudo /var/run/systemd /var/run/tmpfiles.d /var/run/udev /var/run/udisks2 /var/run/unattended-upgrades.lock /var/run/user /var/run/utmp /var/run/uuidd /var/run/vmware /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-ModemManager.service-J6Q1Te /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-colord.service-srP90f /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-fwupd.service-biJ0Gi /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-switcheroo-control.service-1jIxdj /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-llmWag /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-resolved.service-X16eHh /var/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-upower.service-GpSnaf
Source: /bin/sh (PID: 5240)	Rm executable: /usr/bin/rm -> rm -rf /var/log/wtmp
Source: /bin/sh (PID: 5245)	Rm executable: /usr/bin/rm -> rm -rf /tmp/*
Source: /bin/sh (PID: 5251)	Rm executable: /usr/bin/rm -> rm -rf /bin/netstat
Source: /bin/sh (PID: 5369)	Rm executable: /usr/bin/rm -> rm -rf /root/.bash_history

File type:	ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, stripped
Entropy (8bit):	6.1609530948121805
TrID:	ELF Executable and Linkable format (generic) (4004/1) 100.00%
File name:	ahuFoyOKGg
File size:	107904
MD5:	f401357e0e9757bdaa2b33969d897152
SHA1:	f12de94f348204ef912a8dc5597903b0d0f43b43
SHA256:	57c71aee92303498151c092bf0d5ff3ea2a11e18af86fd9afb94f47e68526ac9
SHA512:	e74ad5de8008602c1c7cbeb562b6e5f80e6a321f2931c2b452522504538726fe4bac03c44366749b644017284cc1a3af7bee784bc1adf9a72dd059855bd1a64b
SSDEEP:	1536:dN1tRgPmwHzHSJ1g2vq6VzwuDNNCF0hZjRstlas5RtthLgw:P1tUmiwK2y6twuRNI0ZWracbF
File Content Preview:	.ELF...........................4.........4. ...(..........................................................h.........dt.Q................................@..(....@.]Q................#.....c...`.....!..... ...@.....".........`......$ ... ...@...........`....

ELF header
Class:	ELF32
Data:	2's complement, big endian
Version:	1 (current)
Machine:	Sparc
Version Number:	0x1
Type:	EXEC (Executable file)
OS/ABI:	UNIX - System V
ABI Version:	0
Entry Point Address:	0x101a4
Flags:	0x0
ELF Header Size:	52
Program Header Offset:	52
Program Header Size:	32
Number of Program Headers:	3
Section Header Offset:	107504
Section Header Size:	40
Number of Section Headers:	10
Header String Table Index:	9

Name	Type	Address	Offset	Size	EntSize	Flags	Flags Description	Align
	NULL	0x0	0x0	0x0	0x0	0x0		0
.init	PROGBITS	0x10094	0x94	0x1c	0x0	0x6	AX	4
.text	PROGBITS	0x100b0	0xb0	0x1757c	0x0	0x6	AX	4
.fini	PROGBITS	0x2762c	0x1762c	0x14	0x0	0x6	AX	4
.rodata	PROGBITS	0x27640	0x17640	0x2450	0x0	0x2	A	8
.ctors	PROGBITS	0x3a000	0x1a000	0x8	0x0	0x3	WA	4
.dtors	PROGBITS	0x3a008	0x1a008	0x8	0x0	0x3	WA	4
.data	PROGBITS	0x3a018	0x1a018	0x398	0x0	0x3	WA	8
.bss	NOBITS	0x3a3b0	0x1a3b0	0x64f8	0x0	0x3	WA	8
.shstrtab	STRTAB	0x0	0x1a3b0	0x3e	0x0	0x0		1

Type	Offset	Virtual Address	Physical Address	File Size	Memory Size	Entropy	Flags	Flags Description	Align	Section Mappings
LOAD	0x0	0x10000	0x10000	0x19a90	0x19a90	3.5869	0x5	R E	0x10000	.init .text .fini .rodata
LOAD	0x1a000	0x3a000	0x3a000	0x3b0	0x68a8	1.5053	0x6	RW	0x10000	.ctors .dtors .data .bss
GNU_STACK	0x0	0x0	0x0	0x0	0x0	0.0000	0x6	RW	0x4

Start time:	05:32:44
Start date:	22/02/2022
Path:	/tmp/ahuFoyOKGg
Arguments:	/tmp/ahuFoyOKGg
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Start time:	05:32:45
Start date:	22/02/2022
Path:	/tmp/ahuFoyOKGg
Arguments:	n/a
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Linux Analysis Report ahuFoyOKGg

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

General Information

Warnings

Runtime Messages

Process Tree

Yara Signatures

PCAP (Network Traffic)

Joe Sandbox Signatures

AV Detection

Bitcoin Miner

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Malware Configuration

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

/run/systemd/resolve/stub-resolv.conf

Static File Info

General

Static ELF Info

ELF header

Sections

Program Segments

Network Behavior

Network Port Distribution

TCP Packets

System Behavior

Analysis Process: ahuFoyOKGg PID: 5208, Parent PID: 5107

General

Chronological Activities

Analysis Process: ahuFoyOKGg PID: 5210, Parent PID: 5208

General

Analysis Process: ahuFoyOKGg PID: 5211, Parent PID: 5208

General

Chronological Activities

Analysis Process: ahuFoyOKGg PID: 5215, Parent PID: 5211

General

Chronological Activities

Analysis Process: ahuFoyOKGg PID: 5228, Parent PID: 5215

General

Chronological Activities

Analysis Process: ahuFoyOKGg PID: 5230, Parent PID: 5228

General

Chronological Activities

Analysis Process: ahuFoyOKGg PID: 5232, Parent PID: 5230

General

Chronological Activities

Linux Analysis Report
ahuFoyOKGg

Start time:	05:32:53
Start date:	22/02/2022
Path:	/tmp/ahuFoyOKGg
Arguments:	n/a
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Start time:	05:32:54
Start date:	22/02/2022
Path:	/tmp/ahuFoyOKGg
Arguments:	n/a
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Start time:	05:32:59
Start date:	22/02/2022
Path:	/tmp/ahuFoyOKGg
Arguments:	n/a
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Start time:	05:33:03
Start date:	22/02/2022
Path:	/tmp/ahuFoyOKGg
Arguments:	n/a
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Start time:	05:33:09
Start date:	22/02/2022
Path:	/tmp/ahuFoyOKGg
Arguments:	n/a
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Start time:	05:33:15
Start date:	22/02/2022
Path:	/tmp/ahuFoyOKGg
Arguments:	n/a
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Start time:	05:33:17
Start date:	22/02/2022
Path:	/usr/bin/systemctl
Arguments:	systemctl stop iptables.service
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b

Start time:	05:33:18
Start date:	22/02/2022
Path:	/tmp/ahuFoyOKGg
Arguments:	n/a
File size:	4379400 bytes
MD5 hash:	7dc1c0e23cd5e102bb12e5c29403410e

Start time:	05:33:19
Start date:	22/02/2022
Path:	/bin/sh
Arguments:	n/a
File size:	129816 bytes
MD5 hash:	1e6b1c887c59a315edb7eb9a315fc84c

Start time:	05:33:23
Start date:	22/02/2022
Path:	/usr/bin/systemctl
Arguments:	systemctl stop firewalld.service
File size:	996584 bytes
MD5 hash:	4deddfb6741481f68aeac522cc26ff4b