

Analysis Report 7ZDbt9EUgm

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 210233
Start date: 22.02.2020
Start time: 20:31:30
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 35s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 7ZDbt9EUgm
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 16.04 x64 (Kernel 4.4.0-116, Firefox 59.0, Document Viewer 3.18.2, LibreOffice 5.1.6.2, OpenJDK 1.8.0_171)
Detection: MAL
Classification: mal100.troj.evad.lin@0/23@5/0
Warnings:
  • Excluded IPs from analysis (whitelisted): 91.189.92.20, 91.189.92.19, 91.189.92.41, 91.189.92.38
  • Excluded domains from analysis (whitelisted): api.snapcraft.io

Detection

Strategy    Score   Range     Reporting   Whitelisted   Threat    Detection
Threshold   100     0 - 100   false                     XorDDoS   malicious

Classification

Mitre Att&ck Matrix

Techniques per tactic column (the number in parentheses is the signature count shown next to the technique in the matrix):

Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services
Execution: Local Job Scheduling (21); Command-Line Interface (1); Scripting (1)
Persistence: Local Job Scheduling (21); Systemd Service (1); Accessibility Features
Privilege Escalation: Port Monitors; Accessibility Features; Path Interception
Defense Evasion: Masquerading (11); Scripting (1); File Deletion (1)
Credential Access: Credential Dumping; Network Sniffing; Input Capture
Discovery: Security Software Discovery (11); System Information Discovery (2); Query Registry
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium; Automated Exfiltration
Command and Control: Uncommonly Used Port (1); Standard Non-Application Layer Protocol (1); Standard Application Layer Protocol (1)
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data

Signature Overview



AV Detection:

Antivirus detection for dropped file
Source: /lib/libudev.so | Avira: detection malicious, Label: LINUX/Xorddos.ucgtz
Antivirus detection for sample
Source: 7ZDbt9EUgm | Avira: detection malicious, Label: LINUX/Xorddos.ucgtz
Multi AV Scanner detection for submitted file
Source: 7ZDbt9EUgm | Virustotal: Detection: 62%
Source: 7ZDbt9EUgm | Metadefender: Detection: 35%
Source: 7ZDbt9EUgm | ReversingLabs TitaniumCloud: Detection: 57%
Machine Learning detection for dropped file
Source: /usr/bin/nbfxmtmegk | Joe Sandbox ML: detected
Source: /usr/bin/oznztmtuky | Joe Sandbox ML: detected
Source: /lib/libudev.so | Joe Sandbox ML: detected
Source: /usr/bin/ijcqwxbdhz | Joe Sandbox ML: detected
Source: /usr/bin/nvuitguduy | Joe Sandbox ML: detected
Source: /usr/bin/pabosymmxs | Joe Sandbox ML: detected
Source: /usr/bin/pcuwuugyyb | Joe Sandbox ML: detected
Source: /usr/bin/rsgfjuzzjl | Joe Sandbox ML: detected
Source: /usr/bin/glqextqofd | Joe Sandbox ML: detected
Source: /usr/bin/whhdehxlbh | Joe Sandbox ML: detected
Source: /usr/bin/irfnqzsahb | Joe Sandbox ML: detected
Source: /usr/bin/wtpmrwxnnu | Joe Sandbox ML: detected
Source: /usr/bin/sbxtrbnjfg | Joe Sandbox ML: detected
Source: /usr/bin/oaoqcduvnb | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: 7ZDbt9EUgm | Joe Sandbox ML: detected

Bitcoin Miner:

Reads CPU information from /proc indicative of miner or evasive malware
Source: /tmp/7ZDbt9EUgm (PID: 20760) | Reads CPU info from proc file: /proc/cpuinfo

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2021326 ET TROJAN Likely Linux/Xorddos.F DDoS Attack Participation (aa.hostasa.org) 192.168.2.20:55642 -> 8.8.8.8:53
Source: Traffic | Snort IDS: 2021326 ET TROJAN Likely Linux/Xorddos.F DDoS Attack Participation (aa.hostasa.org) 192.168.2.20:54925 -> 8.8.4.4:53
Source: Traffic | Snort IDS: 2021326 ET TROJAN Likely Linux/Xorddos.F DDoS Attack Participation (aa.hostasa.org) 192.168.2.20:56551 -> 8.8.8.8:53
Source: Traffic | Snort IDS: 2020381 ET TROJAN DDoS.XOR Checkin 192.168.2.20:48822 -> 51.89.70.85:1522
Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.2.20:48822 -> 51.89.70.85:1522
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: ppp.gggatat456.com
Urls found in memory or binary data
Source: 7ZDbt9EUgm | String found in binary or memory: http://www.gnu.org/software/libc/bugs.html

DDoS:

Yara detected XorDDoS Bot
Source: Yara match | File source: 7ZDbt9EUgm, type: SAMPLE
Source: Yara match | File source: /usr/bin/ijcqwxbdhz, type: DROPPED
Source: Yara match | File source: /usr/bin/wtpmrwxnnu, type: DROPPED
Source: Yara match | File source: /usr/bin/nbfxmtmegk, type: DROPPED
Source: Yara match | File source: /usr/bin/pcuwuugyyb, type: DROPPED
Source: Yara match | File source: /usr/bin/sbxtrbnjfg, type: DROPPED
Source: Yara match | File source: /usr/bin/irfnqzsahb, type: DROPPED
Source: Yara match | File source: /usr/bin/rsgfjuzzjl, type: DROPPED
Source: Yara match | File source: /usr/bin/glqextqofd, type: DROPPED
Source: Yara match | File source: /usr/bin/nvuitguduy, type: DROPPED
Source: Yara match | File source: /usr/bin/oznztmtuky, type: DROPPED
Source: Yara match | File source: /usr/bin/pabosymmxs, type: DROPPED
Source: Yara match | File source: /usr/bin/oaoqcduvnb, type: DROPPED
Source: Yara match | File source: /usr/bin/whhdehxlbh, type: DROPPED
Source: Yara match | File source: /lib/libudev.so, type: DROPPED

System Summary:

Sample contains strings that are potentially command strings
Source: Initial sample | Potential command found: X [^_]
Source: Initial sample | Potential command found: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab
Source: Initial sample | Potential command found: sed -i '/\/etc\/cron.hourly\/gcc.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontabPATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/X11R6/bin
Source: Initial sample | Potential command found: GET %s HTTP/1.1
Source: Initial sample | Potential command found: POST %s HTTP/1.1
Source: Initial sample | Potential command found: find library=%s [%lu]; searching
Source: Initial sample | Potential command found: file too short
Source: Initial sample | Potential command found: file too shortcannot read file datainvalid ELF headerELF file OS ABI invalidELF file ABI version invalidinternal error trying file=%s
Source: Initial sample | Potential command found: cp /lib/libudev.so /lib/libudev.so.6
Sample has stripped symbol table
Source: ELF static info symbol of initial sample | .symtab present: no
Classification label
Source: classification engine | Classification label: mal100.troj.evad.lin@0/23@5/0

Data Obfuscation:

PID-file does not contain an ASCII number
Source: /tmp/7ZDbt9EUgm (PID: 20760) | /run/gcc.pid: kyxcazwusydgarokeieofyzhhwcrucdg

Persistence and Installation Behavior:

Sample tries to persist itself using System V runlevels
Source: /tmp/7ZDbt9EUgm (PID: 20760) | File: /etc/rc1.d/S907ZDbt9EUgm -> /etc/init.d/7ZDbt9EUgm
Source: /tmp/7ZDbt9EUgm (PID: 20760) | File: /etc/rc2.d/S907ZDbt9EUgm -> /etc/init.d/7ZDbt9EUgm
Source: /tmp/7ZDbt9EUgm (PID: 20760) | File: /etc/rc3.d/S907ZDbt9EUgm -> /etc/init.d/7ZDbt9EUgm
Source: /tmp/7ZDbt9EUgm (PID: 20760) | File: /etc/rc4.d/S907ZDbt9EUgm -> /etc/init.d/7ZDbt9EUgm
Source: /tmp/7ZDbt9EUgm (PID: 20760) | File: /etc/rc5.d/S907ZDbt9EUgm -> /etc/init.d/7ZDbt9EUgm
Source: /tmp/7ZDbt9EUgm (PID: 20760) | File: /etc/rc.d/rc1.d/S907ZDbt9EUgm -> /etc/init.d/7ZDbt9EUgm
Source: /tmp/7ZDbt9EUgm (PID: 20760) | File: /etc/rc.d/rc2.d/S907ZDbt9EUgm -> /etc/init.d/7ZDbt9EUgm
Source: /tmp/7ZDbt9EUgm (PID: 20760) | File: /etc/rc.d/rc3.d/S907ZDbt9EUgm -> /etc/init.d/7ZDbt9EUgm
Source: /tmp/7ZDbt9EUgm (PID: 20760) | File: /etc/rc.d/rc4.d/S907ZDbt9EUgm -> /etc/init.d/7ZDbt9EUgm
Source: /tmp/7ZDbt9EUgm (PID: 20760) | File: /etc/rc.d/rc5.d/S907ZDbt9EUgm -> /etc/init.d/7ZDbt9EUgm
Source: /usr/lib/insserv/insserv (PID: 20819) | File: /etc/rc1.d/S017ZDbt9EUgm -> ../init.d/7ZDbt9EUgm
Source: /usr/lib/insserv/insserv (PID: 20819) | File: /etc/rc2.d/S017ZDbt9EUgm -> ../init.d/7ZDbt9EUgm
Source: /usr/lib/insserv/insserv (PID: 20819) | File: /etc/rc3.d/S017ZDbt9EUgm -> ../init.d/7ZDbt9EUgm
Source: /usr/lib/insserv/insserv (PID: 20819) | File: /etc/rc4.d/S017ZDbt9EUgm -> ../init.d/7ZDbt9EUgm
Source: /usr/lib/insserv/insserv (PID: 20819) | File: /etc/rc5.d/S017ZDbt9EUgm -> ../init.d/7ZDbt9EUgm
Sample tries to persist itself using cron
Source: /tmp/7ZDbt9EUgm (PID: 20760) | File: /etc/cron.hourly/gcc.sh
Source: /bin/dash (PID: 20765) | File: /etc/crontab
Source: /bin/sed (PID: 20767) | File: /etc/crontab
Executes the "systemctl" command used for controlling the systemd system and service manager
Source: /usr/sbin/update-rc.d (PID: 20854) | Systemctl executable: /bin/systemctl -> systemctl daemon-reload
Reads system information from the proc file system
Source: /tmp/7ZDbt9EUgm (PID: 20760) | Reads from proc file: /proc/stat
Source: /tmp/7ZDbt9EUgm (PID: 20760) | Reads from proc file: /proc/meminfo
Source: /tmp/7ZDbt9EUgm (PID: 20760) | Reads from proc file: /proc/cpuinfo
Writes ELF files to disk
Source: /tmp/7ZDbt9EUgm (PID: 20760) | File written: /lib/libudev.so
Source: /tmp/7ZDbt9EUgm (PID: 20760) | File written: /usr/bin/ijcqwxbdhz
Source: /tmp/7ZDbt9EUgm (PID: 20760) | File written: /usr/bin/pcuwuugyyb
Source: /tmp/7ZDbt9EUgm (PID: 20760) | File written: /usr/bin/irfnqzsahb
Source: /tmp/7ZDbt9EUgm (PID: 20760) | File written: /usr/bin/sbxtrbnjfg
Source: /tmp/7ZDbt9EUgm (PID: 20760) | File written: /usr/bin/oaoqcduvnb
Source: /tmp/7ZDbt9EUgm (PID: 20760) | File written: /usr/bin/oznztmtuky
Source: /tmp/7ZDbt9EUgm (PID: 20760) | File written: /usr/bin/whhdehxlbh
Source: /tmp/7ZDbt9EUgm (PID: 20760) | File written: /usr/bin/nbfxmtmegk
Source: /tmp/7ZDbt9EUgm (PID: 20760) | File written: /usr/bin/nvuitguduy
Source: /tmp/7ZDbt9EUgm (PID: 20760) | File written: /usr/bin/rsgfjuzzjl
Source: /tmp/7ZDbt9EUgm (PID: 20760) | File written: /usr/bin/pabosymmxs
Source: /tmp/7ZDbt9EUgm (PID: 20760) | File written: /usr/bin/glqextqofd
Source: /tmp/7ZDbt9EUgm (PID: 20760) | File written: /usr/bin/wtpmrwxnnu
Source: /tmp/7ZDbt9EUgm (PID: 20760) | File written: /usr/bin/qntdgcmcoc
Writes crontab like entries to files to /var or /etc typically for achieving persistence
Source: /bin/sed (PID: 20767) | Crontab like entry written: /etc/sedmiMd1h
Writes shell script file to disk with an unusual file extension
Source: /tmp/7ZDbt9EUgm (PID: 20760) | Writes shell script file to disk with an unusual file extension: /etc/init.d/7ZDbt9EUgm
Writes shell script files to disk
Source: /tmp/7ZDbt9EUgm (PID: 20760) | Shell script file created: /etc/cron.hourly/gcc.sh

Hooking and other Techniques for Hiding and Protection:

Drops files in suspicious directories
Source: /tmp/7ZDbt9EUgm (PID: 20760) | File: /etc/init.d/7ZDbt9EUgm
Source: /tmp/7ZDbt9EUgm (PID: 20760) | File: /usr/bin/ijcqwxbdhz
Source: /tmp/7ZDbt9EUgm (PID: 20760) | File: /usr/bin/pcuwuugyyb
Source: /tmp/7ZDbt9EUgm (PID: 20760) | File: /usr/bin/irfnqzsahb
Source: /tmp/7ZDbt9EUgm (PID: 20760) | File: /usr/bin/sbxtrbnjfg
Source: /tmp/7ZDbt9EUgm (PID: 20760) | File: /usr/bin/oaoqcduvnb
Source: /tmp/7ZDbt9EUgm (PID: 20760) | File: /usr/bin/oznztmtuky
Source: /tmp/7ZDbt9EUgm (PID: 20760) | File: /usr/bin/whhdehxlbh
Source: /tmp/7ZDbt9EUgm (PID: 20760) | File: /usr/bin/nbfxmtmegk
Source: /tmp/7ZDbt9EUgm (PID: 20760) | File: /usr/bin/nvuitguduy
Source: /tmp/7ZDbt9EUgm (PID: 20760) | File: /usr/bin/rsgfjuzzjl
Source: /tmp/7ZDbt9EUgm (PID: 20760) | File: /usr/bin/pabosymmxs
Source: /tmp/7ZDbt9EUgm (PID: 20760) | File: /usr/bin/glqextqofd
Source: /tmp/7ZDbt9EUgm (PID: 20760) | File: /usr/bin/wtpmrwxnnu
Source: /tmp/7ZDbt9EUgm (PID: 20760) | File: /usr/bin/qntdgcmcoc
Source: /usr/lib/insserv/insserv (PID: 20819) | File: /etc/init.d/.depend.boot
Source: /usr/lib/insserv/insserv (PID: 20819) | File: /etc/init.d/.depend.start
Source: /usr/lib/insserv/insserv (PID: 20819) | File: /etc/init.d/.depend.stop
Sample deletes itself
Source: /tmp/7ZDbt9EUgm (PID: 20760) | File: /usr/bin/ijcqwxbdhz
Source: /tmp/7ZDbt9EUgm (PID: 20760) | File: /usr/bin/pcuwuugyyb
Source: /tmp/7ZDbt9EUgm (PID: 20760) | File: /usr/bin/irfnqzsahb
Source: /tmp/7ZDbt9EUgm (PID: 20760) | File: /usr/bin/sbxtrbnjfg
Source: /tmp/7ZDbt9EUgm (PID: 20760) | File: /usr/bin/oaoqcduvnb
Source: /tmp/7ZDbt9EUgm (PID: 20760) | File: /usr/bin/oznztmtuky
Source: /tmp/7ZDbt9EUgm (PID: 20760) | File: /usr/bin/whhdehxlbh
Source: /tmp/7ZDbt9EUgm (PID: 20760) | File: /usr/bin/nbfxmtmegk
Source: /tmp/7ZDbt9EUgm (PID: 20760) | File: /usr/bin/nvuitguduy
Source: /tmp/7ZDbt9EUgm (PID: 20760) | File: /usr/bin/rsgfjuzzjl
Source: /tmp/7ZDbt9EUgm (PID: 20760) | File: /usr/bin/pabosymmxs
Source: /tmp/7ZDbt9EUgm (PID: 20760) | File: /usr/bin/glqextqofd
Source: /tmp/7ZDbt9EUgm (PID: 20760) | File: /usr/bin/wtpmrwxnnu
Source: /tmp/7ZDbt9EUgm (PID: 20760) | File: /usr/bin/qntdgcmcoc
Source: /tmp/7ZDbt9EUgm (PID: 20760) | File: /usr/bin/hnkhxsduvc
Source: /tmp/7ZDbt9EUgm (PID: 20760) | File: /usr/bin/hgikpxeoau
Source: /tmp/7ZDbt9EUgm (PID: 20760) | File: /usr/bin/mdwxkdahhl
Source: /tmp/7ZDbt9EUgm (PID: 20760) | File: /usr/bin/ifviglxegh
Source: /tmp/7ZDbt9EUgm (PID: 20760) | File: /usr/bin/tciofuhcyp
Source: /tmp/7ZDbt9EUgm (PID: 20760) | File: /usr/bin/brpngbdcdl
Source: /tmp/7ZDbt9EUgm (PID: 20760) | File: /usr/bin/kwpbcarfas
Source: /tmp/7ZDbt9EUgm (PID: 20760) | File: /usr/bin/aqodzhbxaq
Source: /tmp/7ZDbt9EUgm (PID: 20760) | File: /usr/bin/zvnxdinbwf
Source: /tmp/7ZDbt9EUgm (PID: 20760) | File: /usr/bin/mqzcfhbucz
Source: /tmp/7ZDbt9EUgm (PID: 20760) | File: /usr/bin/ylpdirhqzu
Source: /tmp/7ZDbt9EUgm (PID: 20760) | File: /usr/bin/cubluuuwgg
Source: /tmp/7ZDbt9EUgm (PID: 20760) | File: /usr/bin/nosttbhbgk
Source: /tmp/7ZDbt9EUgm (PID: 20760) | File: /usr/bin/hqofygbuwq
Source: /tmp/7ZDbt9EUgm (PID: 20760) | File: /usr/bin/dshsuczkde
Source: /tmp/7ZDbt9EUgm (PID: 20760) | File: /usr/bin/jxhifakncm
Drops files with innocent-looking names
Source: /tmp/7ZDbt9EUgm (PID: 20760) | Path: /etc/cron.hourly/gcc.sh
Source: /tmp/7ZDbt9EUgm (PID: 20760) | Path: /run/gcc.pid

Malware Analysis System Evasion:

Reads CPU information from /proc indicative of miner or evasive malware
Source: /tmp/7ZDbt9EUgm (PID: 20760) | Reads CPU info from proc file: /proc/cpuinfo
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/7ZDbt9EUgm (PID: 20757) | Queries kernel information via 'uname'
Source: /tmp/7ZDbt9EUgm (PID: 20760) | Queries kernel information via 'uname'
Source: /usr/bin/aqodzhbxaq (PID: 22037)Queries kernel information via 'uname':
Source: /usr/bin/zvnxdinbwf (PID: 22078)Queries kernel information via 'uname':
Source: /usr/bin/zvnxdinbwf (PID: 22080)Queries kernel information via 'uname':
Source: /usr/bin/zvnxdinbwf (PID: 22082)Queries kernel information via 'uname':
Source: /usr/bin/zvnxdinbwf (PID: 22085)Queries kernel information via 'uname':
Source: /usr/bin/zvnxdinbwf (PID: 22087)Queries kernel information via 'uname':
Source: /usr/bin/mqzcfhbucz (PID: 22133)Queries kernel information via 'uname':
Source: /usr/bin/mqzcfhbucz (PID: 22135)Queries kernel information via 'uname':
Source: /usr/bin/mqzcfhbucz (PID: 22137)Queries kernel information via 'uname':
Source: /usr/bin/mqzcfhbucz (PID: 22140)Queries kernel information via 'uname':
Source: /usr/bin/mqzcfhbucz (PID: 22144)Queries kernel information via 'uname':
Source: /usr/bin/ylpdirhqzu (PID: 22188)Queries kernel information via 'uname':
Source: /usr/bin/ylpdirhqzu (PID: 22190)Queries kernel information via 'uname':
Source: /usr/bin/ylpdirhqzu (PID: 22192)Queries kernel information via 'uname':
Source: /usr/bin/ylpdirhqzu (PID: 22195)Queries kernel information via 'uname':
Source: /usr/bin/ylpdirhqzu (PID: 22198)Queries kernel information via 'uname':
Source: /usr/bin/cubluuuwgg (PID: 22243)Queries kernel information via 'uname':
Source: /usr/bin/cubluuuwgg (PID: 22245)Queries kernel information via 'uname':
Source: /usr/bin/cubluuuwgg (PID: 22247)Queries kernel information via 'uname':
Source: /usr/bin/cubluuuwgg (PID: 22250)Queries kernel information via 'uname':
Source: /usr/bin/cubluuuwgg (PID: 22253)Queries kernel information via 'uname':
Source: /usr/bin/nosttbhbgk (PID: 22298)Queries kernel information via 'uname':
Source: /usr/bin/nosttbhbgk (PID: 22300)Queries kernel information via 'uname':
Source: /usr/bin/nosttbhbgk (PID: 22302)Queries kernel information via 'uname':
Source: /usr/bin/nosttbhbgk (PID: 22304)Queries kernel information via 'uname':
Source: /usr/bin/nosttbhbgk (PID: 22308)Queries kernel information via 'uname':
Source: /usr/bin/hqofygbuwq (PID: 22353)Queries kernel information via 'uname':
Source: /usr/bin/hqofygbuwq (PID: 22355)Queries kernel information via 'uname':
Source: /usr/bin/hqofygbuwq (PID: 22358)Queries kernel information via 'uname':
Source: /usr/bin/hqofygbuwq (PID: 22361)Queries kernel information via 'uname':
Source: /usr/bin/hqofygbuwq (PID: 22364)Queries kernel information via 'uname':
Source: /usr/bin/dshsuczkde (PID: 22408)Queries kernel information via 'uname':
Source: /usr/bin/dshsuczkde (PID: 22410)Queries kernel information via 'uname':
Source: /usr/bin/dshsuczkde (PID: 22412)Queries kernel information via 'uname':
Source: /usr/bin/dshsuczkde (PID: 22414)Queries kernel information via 'uname':
Source: /usr/bin/dshsuczkde (PID: 22418)Queries kernel information via 'uname':
Source: /usr/bin/jxhifakncm (PID: 22463)Queries kernel information via 'uname':
Source: /usr/bin/jxhifakncm (PID: 22465)Queries kernel information via 'uname':
Source: /usr/bin/jxhifakncm (PID: 22467)Queries kernel information via 'uname':
Source: /usr/bin/jxhifakncm (PID: 22470)Queries kernel information via 'uname':
Source: /usr/bin/jxhifakncm (PID: 22473)Queries kernel information via 'uname':
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: .depend.boot.16.dr - Binary or memory string: qemu-kvm: mountkernfs.sh udev
Source: .depend.boot.16.dr - Binary or memory string: TARGETS = console-setup resolvconf alsa-utils mountkernfs.sh ufw plymouth-log hostname.sh lm-sensors screen-cleanup pppd-dns apparmor x11-common udev keyboard-setup mountdevsubfs.sh brltty procps qemu-kvm cryptdisks cryptdisks-early hwclock.sh open-iscsi networking iscsid checkroot.sh lvm2 urandom checkfs.sh mountall.sh mountall-bootclean.sh bootmisc.sh kmod mountnfs.sh checkroot-bootclean.sh mountnfs-bootclean.sh

Remote Access Functionality:

Yara detected XorDDoS Bot
Source: Yara match - File source: 7ZDbt9EUgm, type: SAMPLE
Source: Yara match - File source: /usr/bin/ijcqwxbdhz, type: DROPPED
Source: Yara match - File source: /usr/bin/wtpmrwxnnu, type: DROPPED
Source: Yara match - File source: /usr/bin/nbfxmtmegk, type: DROPPED
Source: Yara match - File source: /usr/bin/pcuwuugyyb, type: DROPPED
Source: Yara match - File source: /usr/bin/sbxtrbnjfg, type: DROPPED
Source: Yara match - File source: /usr/bin/irfnqzsahb, type: DROPPED
Source: Yara match - File source: /usr/bin/rsgfjuzzjl, type: DROPPED
Source: Yara match - File source: /usr/bin/glqextqofd, type: DROPPED
Source: Yara match - File source: /usr/bin/nvuitguduy, type: DROPPED
Source: Yara match - File source: /usr/bin/oznztmtuky, type: DROPPED
Source: Yara match - File source: /usr/bin/pabosymmxs, type: DROPPED
Source: Yara match - File source: /usr/bin/oaoqcduvnb, type: DROPPED
Source: Yara match - File source: /usr/bin/whhdehxlbh, type: DROPPED
Source: Yara match - File source: /lib/libudev.so, type: DROPPED

Malware Configuration

No configs have been found


Runtime Messages

Command: /tmp/7ZDbt9EUgm
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:

Standard Error:

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Number of created Files
  • Is malicious
  • Internet
Behavior Graph (text recovered from the graph figure):

  • Behavior Graph ID: 210233, Sample: 7ZDbt9EUgm, Startdate: 22/02/2020, Architecture: LINUX, Score: 100
  • Network: ppp.gggatat456.com (51.89.70.85, ports 1522, 48822, unknown, France); aa.hostasa.org
  • Signatures on the sample: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Antivirus detection for dropped file; Antivirus detection for sample; 4 other signatures
  • 7ZDbt9EUgm (started)
    • 7ZDbt9EUgm (started); dropped: /usr/bin/wtpmrwxnnu (ELF), /usr/bin/whhdehxlbh (ELF), /usr/bin/sbxtrbnjfg (ELF), 14 other malicious files; signatures: Drops files in suspicious directories; Sample deletes itself; Sample tries to persist itself using cron; Sample tries to persist itself using System V runlevels
      • 7ZDbt9EUgm (started)
        • 7ZDbt9EUgm update-rc.d (started)
          • update-rc.d insserv (started); dropped: /etc/init.d/.depend.stop (ASCII), /etc/init.d/.depend.start (ASCII), /etc/init.d/.depend.boot (ASCII); signatures: Drops files in suspicious directories; Sample tries to persist itself using System V runlevels
          • update-rc.d systemctl (started)
      • 7ZDbt9EUgm dash (started); dropped: /etc/crontab (ASCII); signature: Sample tries to persist itself using cron
        • dash sed (started); signature: Sample tries to persist itself using cron
      • 7ZDbt9EUgm (started)
        • 7ZDbt9EUgm ijcqwxbdhz (started)
          • ijcqwxbdhz (started); signature: Sample deletes itself
      • 150 other processes
        • 7ZDbt9EUgm ijcqwxbdhz (started, three instances), each starting ijcqwxbdhz
        • 147 other processes, starting ijcqwxbdhz, pcuwuugyyb and 144 other processes

Yara Overview

Initial Sample

Source | Rule | Description | Author
7ZDbt9EUgm | JoeSecurity_XorDDoS | Yara detected XorDDoS Bot | Joe Security

PCAP (Network Traffic)

No yara matches

Dropped Files

Source | Rule | Description | Author
/usr/bin/ijcqwxbdhz | JoeSecurity_XorDDoS | Yara detected XorDDoS Bot | Joe Security
/usr/bin/wtpmrwxnnu | JoeSecurity_XorDDoS | Yara detected XorDDoS Bot | Joe Security
/usr/bin/nbfxmtmegk | JoeSecurity_XorDDoS | Yara detected XorDDoS Bot | Joe Security
/usr/bin/pcuwuugyyb | JoeSecurity_XorDDoS | Yara detected XorDDoS Bot | Joe Security
/usr/bin/sbxtrbnjfg | JoeSecurity_XorDDoS | Yara detected XorDDoS Bot | Joe Security
/usr/bin/irfnqzsahb | JoeSecurity_XorDDoS | Yara detected XorDDoS Bot | Joe Security
/usr/bin/rsgfjuzzjl | JoeSecurity_XorDDoS | Yara detected XorDDoS Bot | Joe Security
/usr/bin/glqextqofd | JoeSecurity_XorDDoS | Yara detected XorDDoS Bot | Joe Security
/usr/bin/nvuitguduy | JoeSecurity_XorDDoS | Yara detected XorDDoS Bot | Joe Security
/usr/bin/oznztmtuky | JoeSecurity_XorDDoS | Yara detected XorDDoS Bot | Joe Security
/usr/bin/pabosymmxs | JoeSecurity_XorDDoS | Yara detected XorDDoS Bot | Joe Security
/usr/bin/oaoqcduvnb | JoeSecurity_XorDDoS | Yara detected XorDDoS Bot | Joe Security
/usr/bin/whhdehxlbh | JoeSecurity_XorDDoS | Yara detected XorDDoS Bot | Joe Security
/lib/libudev.so | JoeSecurity_XorDDoS | Yara detected XorDDoS Bot | Joe Security

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

Match: ppp.gggatat456.com
Associated Sample Name / URL | Detection | Context
2wyzX8yBdR | malicious | 51.38.200.187

ASN

Match: unknown
Associated Sample Name / URL | Detection | Context
KakaoTalk_Setup.exe | malicious | 110.76.141.37
5fvMKCPv51 | malicious | 5.252.179.34
SWF-INV #12582020.pdf.htm | malicious | 72.11.234.48
http://sangg.ir/wp-content/uploads/2020/02/prime/89761169.zip | malicious | 185.2.14.195
info.bat | malicious | 172.217.22.226
http://photoscape.ch/Setup.exe | malicious | 91.195.240.126
INV878237.doc | malicious | 185.62.188.10
18022020135702-2200.xlsx | malicious | 216.170.123.111
https://dawoodmarafie.com/img/hr | malicious | 50.87.33.234
https://westworldproperties-casestudies.com/ | malicious | 3.8.237.121
http://mx.office365.admincheck.29jddji39jdkd03kdd0k93ed.supplyus.stays4you.com/ | malicious | 35.209.167.249
Ford Motor Company shared doc.docx | malicious | 206.217.139.112
JVC_56194.vbs | malicious | 148.251.188.185
000418.docm | malicious | 151.101.0.133
https://toplevelstatic.com/setting/min.min.js | malicious | 45.143.138.81
FILE.EXE | malicious | 68.66.243.250
invoice.159.xls | malicious | 161.117.177.248
invoice.159.xls | malicious | 161.117.177.248
https://u6097639.ct.sendgrid.net/ls/click?upn=m7iE5dD94YpIIPiuve7mad2ioZbtMZ6-2FuG0phpy1-2FjElxjcm3hawYQ5IzGxWiyYxqZFTEirrXzfC2ssrtapitg-3D-3DMpc0_iUyCH6HKfZa25p80SYfPOGQoKUKw8eaXqqi9sHXgI8X8aNOplz3NtG2P-2FgorlmEvoxbeBOIygdYbDFII-2BNT2GmWAdxXm7fewAzHmVvZXZMzKh0FqbPpVZVkMn5danE9EO-2FsgUEgv0uTcwaCrbSBHq-2FCCf0mDtEdN5S3XSvQERZ5cCcM7FQKEI8N2uUaa9-2B8m1IjRTJe-2BCLUMvTGkkLyVFw-3D-3D | malicious | 167.89.115.54
https://hr.cosmosol.com | malicious | 62.108.227.102

JA3 Fingerprints

No context

Dropped Files

Match: /etc/cron.hourly/gcc.sh
Associated Sample Name / URL | Detection
3308 | malicious
ygljglkjgfg0 | malicious
3uIMrGNzkk | malicious
NTuTxYhnj0 | malicious
TPHM5fHHv1 | malicious
2wyzX8yBdR | malicious
625900 | malicious
mxojabktns | malicious
zertumamkb | malicious
zazcdpcebl | malicious
bwmckudohs | malicious
4Zcb1GzjZE | malicious
qonpcrxkma | malicious
libudev.so | malicious
w.txt | malicious
w.txt | malicious
1433.bin | malicious
isu80 | malicious
java8000 | malicious
libudev.so | malicious

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
7ZDbt9EUgm | 62% | Virustotal | -
7ZDbt9EUgm | 35% | Metadefender | -
7ZDbt9EUgm | 58% | ReversingLabs TitaniumCloud FileReputation | Linux.Trojan.Xorddos
7ZDbt9EUgm | 100% | Avira | LINUX/Xorddos.ucgtz
7ZDbt9EUgm | 100% | Joe Sandbox ML | -

Dropped Files

Source | Detection | Scanner | Label
/lib/libudev.so | 100% | Avira | LINUX/Xorddos.ucgtz
/usr/bin/nbfxmtmegk | 100% | Joe Sandbox ML | -
/usr/bin/oznztmtuky | 100% | Joe Sandbox ML | -
/lib/libudev.so | 100% | Joe Sandbox ML | -
/usr/bin/ijcqwxbdhz | 100% | Joe Sandbox ML | -
/usr/bin/nvuitguduy | 100% | Joe Sandbox ML | -
/usr/bin/pabosymmxs | 100% | Joe Sandbox ML | -
/usr/bin/pcuwuugyyb | 100% | Joe Sandbox ML | -
/usr/bin/rsgfjuzzjl | 100% | Joe Sandbox ML | -
/usr/bin/glqextqofd | 100% | Joe Sandbox ML | -
/usr/bin/whhdehxlbh | 100% | Joe Sandbox ML | -
/usr/bin/irfnqzsahb | 100% | Joe Sandbox ML | -
/usr/bin/wtpmrwxnnu | 100% | Joe Sandbox ML | -
/usr/bin/sbxtrbnjfg | 100% | Joe Sandbox ML | -
/usr/bin/oaoqcduvnb | 100% | Joe Sandbox ML | -
/etc/cron.hourly/gcc.sh | 32% | Virustotal | -
/etc/cron.hourly/gcc.sh | 0% | Metadefender | -
/etc/cron.hourly/gcc.sh | 28% | ReversingLabs TitaniumCloud FileReputation | Linux.Trojan.Xorddos
/lib/libudev.so | 62% | Virustotal | -
/lib/libudev.so | 35% | Metadefender | -
/lib/libudev.so | 58% | ReversingLabs TitaniumCloud FileReputation | Linux.Trojan.Xorddos

Domains

Source | Detection | Scanner | Label
ppp.gggatat456.com | 4% | Virustotal | -
aa.hostasa.org | 3% | Virustotal | -

URLs

No Antivirus matches

Startup

  • system is lnxubuntu1
  • 7ZDbt9EUgm (PID: 20757, Parent: 20706, MD5: 35793cbfd0a4376ea9380ffed9182334) Arguments: /tmp/7ZDbt9EUgm
    • 7ZDbt9EUgm New Fork (PID: 20760, Parent: 20757)
      • 7ZDbt9EUgm New Fork (PID: 20763, Parent: 20760)
        • update-rc.d (PID: 20764, Parent: 20139, MD5: e9e125904f9ed8ff4c8504a55a149005) Arguments: /usr/bin/perl /usr/sbin/update-rc.d 7ZDbt9EUgm defaults
          • insserv (PID: 20819, Parent: 20764, MD5: 34c11674a0b29347001640aeae7c94f1) Arguments: /usr/lib/insserv/insserv 7ZDbt9EUgm
          • systemctl (PID: 20854, Parent: 20764, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl daemon-reload
      • dash (PID: 20765, Parent: 20760, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "sed -i '/\\/etc\\/cron.hourly\\/gcc.sh/d' /etc/crontab && echo '*/3 * * * * root /etc/cron.hourly/gcc.sh' >> /etc/crontab"
        • dash New Fork (PID: 20767, Parent: 20765)
        • sed (PID: 20767, Parent: 20765, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -i /\\/etc\\/cron.hourly\\/gcc.sh/d /etc/crontab
      • 7ZDbt9EUgm New Fork (PID: 20863, Parent: 20760)
        • ijcqwxbdhz (PID: 20864, Parent: 20139, MD5: aaded0d2a8ea888d1eec908bba0dc009) Arguments: /usr/bin/ijcqwxbdhz "ps -ef" 20760
      • 7ZDbt9EUgm New Fork (PID: 20865, Parent: 20760)
        • ijcqwxbdhz (PID: 20866, Parent: 20139, MD5: aaded0d2a8ea888d1eec908bba0dc009) Arguments: /usr/bin/ijcqwxbdhz "sleep 1" 20760
      • 7ZDbt9EUgm New Fork (PID: 20867, Parent: 20760)
        • ijcqwxbdhz (PID: 20869, Parent: 20139, MD5: aaded0d2a8ea888d1eec908bba0dc009) Arguments: /usr/bin/ijcqwxbdhz whoami 20760
      • 7ZDbt9EUgm New Fork (PID: 20870, Parent: 20760)
        • ijcqwxbdhz (PID: 20872, Parent: 20139, MD5: aaded0d2a8ea888d1eec908bba0dc009) Arguments: /usr/bin/ijcqwxbdhz "netstat -antop" 20760
      • 7ZDbt9EUgm New Fork (PID: 20873, Parent: 20760)
        • ijcqwxbdhz (PID: 20877, Parent: 20139, MD5: aaded0d2a8ea888d1eec908bba0dc009) Arguments: /usr/bin/ijcqwxbdhz sh 20760
      • 7ZDbt9EUgm New Fork (PID: 20918, Parent: 20760)
        • pcuwuugyyb (PID: 20919, Parent: 20139, MD5: cb6b8abc40bd36472cbcebc6c08acc15) Arguments: /usr/bin/pcuwuugyyb "ps -ef" 20760
      • 7ZDbt9EUgm New Fork (PID: 20920, Parent: 20760)
        • pcuwuugyyb (PID: 20921, Parent: 20139, MD5: cb6b8abc40bd36472cbcebc6c08acc15) Arguments: /usr/bin/pcuwuugyyb "echo \"find\"" 20760
      • 7ZDbt9EUgm New Fork (PID: 20922, Parent: 20760)
        • pcuwuugyyb (PID: 20924, Parent: 20139, MD5: cb6b8abc40bd36472cbcebc6c08acc15) Arguments: /usr/bin/pcuwuugyyb "netstat -antop" 20760
      • 7ZDbt9EUgm New Fork (PID: 20925, Parent: 20760)
        • pcuwuugyyb (PID: 20927, Parent: 20139, MD5: cb6b8abc40bd36472cbcebc6c08acc15) Arguments: /usr/bin/pcuwuugyyb top 20760
      • 7ZDbt9EUgm New Fork (PID: 20928, Parent: 20760)
        • pcuwuugyyb (PID: 20930, Parent: 20139, MD5: cb6b8abc40bd36472cbcebc6c08acc15) Arguments: /usr/bin/pcuwuugyyb "grep \"A\"" 20760
      • 7ZDbt9EUgm New Fork (PID: 20973, Parent: 20760)
        • irfnqzsahb (PID: 20974, Parent: 20139, MD5: 8ab56f1ab6777b7ad9cc98a8759d46f3) Arguments: /usr/bin/irfnqzsahb who 20760
      • 7ZDbt9EUgm New Fork (PID: 20975, Parent: 20760)
        • irfnqzsahb (PID: 20976, Parent: 20139, MD5: 8ab56f1ab6777b7ad9cc98a8759d46f3) Arguments: /usr/bin/irfnqzsahb sh 20760
      • 7ZDbt9EUgm New Fork (PID: 20977, Parent: 20760)
        • irfnqzsahb (PID: 20979, Parent: 20139, MD5: 8ab56f1ab6777b7ad9cc98a8759d46f3) Arguments: /usr/bin/irfnqzsahb sh 20760
      • 7ZDbt9EUgm New Fork (PID: 20980, Parent: 20760)
        • irfnqzsahb (PID: 20982, Parent: 20139, MD5: 8ab56f1ab6777b7ad9cc98a8759d46f3) Arguments: /usr/bin/irfnqzsahb "ifconfig eth0" 20760
      • 7ZDbt9EUgm New Fork (PID: 20983, Parent: 20760)
        • irfnqzsahb (PID: 20986, Parent: 20139, MD5: 8ab56f1ab6777b7ad9cc98a8759d46f3) Arguments: /usr/bin/irfnqzsahb bash 20760
      • 7ZDbt9EUgm New Fork (PID: 21028, Parent: 20760)
        • sbxtrbnjfg (PID: 21029, Parent: 20139, MD5: 848f2226b98a231b4d3466b765b4da16) Arguments: /usr/bin/sbxtrbnjfg "grep \"A\"" 20760
      • 7ZDbt9EUgm New Fork (PID: 21030, Parent: 20760)
        • sbxtrbnjfg (PID: 21031, Parent: 20139, MD5: 848f2226b98a231b4d3466b765b4da16) Arguments: /usr/bin/sbxtrbnjfg "cd /etc" 20760
      • 7ZDbt9EUgm New Fork (PID: 21032, Parent: 20760)
        • sbxtrbnjfg (PID: 21033, Parent: 20139, MD5: 848f2226b98a231b4d3466b765b4da16) Arguments: /usr/bin/sbxtrbnjfg id 20760
      • 7ZDbt9EUgm New Fork (PID: 21034, Parent: 20760)
        • sbxtrbnjfg (PID: 21035, Parent: 20139, MD5: 848f2226b98a231b4d3466b765b4da16) Arguments: /usr/bin/sbxtrbnjfg ifconfig 20760
      • 7ZDbt9EUgm New Fork (PID: 21036, Parent: 20760)
        • sbxtrbnjfg (PID: 21039, Parent: 20139, MD5: 848f2226b98a231b4d3466b765b4da16) Arguments: /usr/bin/sbxtrbnjfg "ls -la" 20760
      • 7ZDbt9EUgm New Fork (PID: 21083, Parent: 20760)
        • oaoqcduvnb (PID: 21084, Parent: 20139, MD5: d86ce2a59fdae268eff816aa48745657) Arguments: /usr/bin/oaoqcduvnb "grep \"A\"" 20760
      • 7ZDbt9EUgm New Fork (PID: 21085, Parent: 20760)
        • oaoqcduvnb (PID: 21086, Parent: 20139, MD5: d86ce2a59fdae268eff816aa48745657) Arguments: /usr/bin/oaoqcduvnb "route -n" 20760
      • 7ZDbt9EUgm New Fork (PID: 21087, Parent: 20760)
        • oaoqcduvnb (PID: 21089, Parent: 20139, MD5: d86ce2a59fdae268eff816aa48745657) Arguments: /usr/bin/oaoqcduvnb "ps -ef" 20760
      • 7ZDbt9EUgm New Fork (PID: 21090, Parent: 20760)
        • oaoqcduvnb (PID: 21092, Parent: 20139, MD5: d86ce2a59fdae268eff816aa48745657) Arguments: /usr/bin/oaoqcduvnb pwd 20760
      • 7ZDbt9EUgm New Fork (PID: 21094, Parent: 20760)
        • oaoqcduvnb (PID: 21097, Parent: 20139, MD5: d86ce2a59fdae268eff816aa48745657) Arguments: /usr/bin/oaoqcduvnb "route -n" 20760
      • 7ZDbt9EUgm New Fork (PID: 21138, Parent: 20760)
        • oznztmtuky (PID: 21139, Parent: 20139, MD5: 0f8f2af193254abc82b368f95d43593d) Arguments: /usr/bin/oznztmtuky "cat resolv.conf" 20760
      • 7ZDbt9EUgm New Fork (PID: 21140, Parent: 20760)
        • oznztmtuky (PID: 21141, Parent: 20139, MD5: 0f8f2af193254abc82b368f95d43593d) Arguments: /usr/bin/oznztmtuky bash 20760
      • 7ZDbt9EUgm New Fork (PID: 21142, Parent: 20760)
        • oznztmtuky (PID: 21143, Parent: 20139, MD5: 0f8f2af193254abc82b368f95d43593d) Arguments: /usr/bin/oznztmtuky ifconfig 20760
      • 7ZDbt9EUgm New Fork (PID: 21144, Parent: 20760)
        • oznztmtuky (PID: 21147, Parent: 20139, MD5: 0f8f2af193254abc82b368f95d43593d) Arguments: /usr/bin/oznztmtuky id 20760
      • 7ZDbt9EUgm New Fork (PID: 21148, Parent: 20760)
        • oznztmtuky (PID: 21150, Parent: 20139, MD5: 0f8f2af193254abc82b368f95d43593d) Arguments: /usr/bin/oznztmtuky pwd 20760
      • 7ZDbt9EUgm New Fork (PID: 21193, Parent: 20760)
        • whhdehxlbh (PID: 21194, Parent: 20139, MD5: 2eb8058344147d0cb0d97e2b73a3c598) Arguments: /usr/bin/whhdehxlbh ls 20760
      • 7ZDbt9EUgm New Fork (PID: 21195, Parent: 20760)
        • whhdehxlbh (PID: 21196, Parent: 20139, MD5: 2eb8058344147d0cb0d97e2b73a3c598) Arguments: /usr/bin/whhdehxlbh "echo \"find\"" 20760
      • 7ZDbt9EUgm New Fork (PID: 21197, Parent: 20760)
        • whhdehxlbh (PID: 21198, Parent: 20139, MD5: 2eb8058344147d0cb0d97e2b73a3c598) Arguments: /usr/bin/whhdehxlbh sh 20760
      • 7ZDbt9EUgm New Fork (PID: 21199, Parent: 20760)
        • whhdehxlbh (PID: 21201, Parent: 20139, MD5: 2eb8058344147d0cb0d97e2b73a3c598) Arguments: /usr/bin/whhdehxlbh id 20760
      • 7ZDbt9EUgm New Fork (PID: 21202, Parent: 20760)
        • whhdehxlbh (PID: 21204, Parent: 20139, MD5: 2eb8058344147d0cb0d97e2b73a3c598) Arguments: /usr/bin/whhdehxlbh "netstat -antop" 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 21248, Parent: 20760)
                                                                              • nbfxmtmegk (PID: 21249, Parent: 20139, MD5: ec1db1b71309f62303aab755a6fbb28a) Arguments: /usr/bin/nbfxmtmegk gnome-terminal 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 21250, Parent: 20760)
                                                                              • nbfxmtmegk (PID: 21251, Parent: 20139, MD5: ec1db1b71309f62303aab755a6fbb28a) Arguments: /usr/bin/nbfxmtmegk "ifconfig eth0" 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 21252, Parent: 20760)
                                                                              • nbfxmtmegk (PID: 21253, Parent: 20139, MD5: ec1db1b71309f62303aab755a6fbb28a) Arguments: /usr/bin/nbfxmtmegk "sleep 1" 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 21254, Parent: 20760)
                                                                              • nbfxmtmegk (PID: 21256, Parent: 20139, MD5: ec1db1b71309f62303aab755a6fbb28a) Arguments: /usr/bin/nbfxmtmegk gnome-terminal 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 21257, Parent: 20760)
                                                                              • nbfxmtmegk (PID: 21260, Parent: 20139, MD5: ec1db1b71309f62303aab755a6fbb28a) Arguments: /usr/bin/nbfxmtmegk "echo \"find\"" 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 21305, Parent: 20760)
                                                                              • nvuitguduy (PID: 21306, Parent: 20139, MD5: 2b1e1330e662557a59dfc9aea80a29f5) Arguments: /usr/bin/nvuitguduy who 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 21307, Parent: 20760)
                                                                              • nvuitguduy (PID: 21308, Parent: 20139, MD5: 2b1e1330e662557a59dfc9aea80a29f5) Arguments: /usr/bin/nvuitguduy "echo \"find\"" 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 21309, Parent: 20760)
                                                                              • nvuitguduy (PID: 21310, Parent: 20139, MD5: 2b1e1330e662557a59dfc9aea80a29f5) Arguments: /usr/bin/nvuitguduy bash 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 21311, Parent: 20760)
                                                                              • nvuitguduy (PID: 21314, Parent: 20139, MD5: 2b1e1330e662557a59dfc9aea80a29f5) Arguments: /usr/bin/nvuitguduy pwd 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 21315, Parent: 20760)
                                                                              • nvuitguduy (PID: 21317, Parent: 20139, MD5: 2b1e1330e662557a59dfc9aea80a29f5) Arguments: /usr/bin/nvuitguduy pwd 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 21360, Parent: 20760)
                                                                              • rsgfjuzzjl (PID: 21361, Parent: 20139, MD5: 1ab768a5edeb868634d5b2693b923903) Arguments: /usr/bin/rsgfjuzzjl id 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 21362, Parent: 20760)
                                                                              • rsgfjuzzjl (PID: 21363, Parent: 20139, MD5: 1ab768a5edeb868634d5b2693b923903) Arguments: /usr/bin/rsgfjuzzjl top 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 21364, Parent: 20760)
                                                                              • rsgfjuzzjl (PID: 21365, Parent: 20139, MD5: 1ab768a5edeb868634d5b2693b923903) Arguments: /usr/bin/rsgfjuzzjl pwd 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 21366, Parent: 20760)
                                                                              • rsgfjuzzjl (PID: 21369, Parent: 20139, MD5: 1ab768a5edeb868634d5b2693b923903) Arguments: /usr/bin/rsgfjuzzjl "cat resolv.conf" 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 21370, Parent: 20760)
                                                                              • rsgfjuzzjl (PID: 21372, Parent: 20139, MD5: 1ab768a5edeb868634d5b2693b923903) Arguments: /usr/bin/rsgfjuzzjl "route -n" 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 21415, Parent: 20760)
                                                                              • pabosymmxs (PID: 21416, Parent: 20139, MD5: 6dd0d67d1c47f51ce86417b8c55e3f0b) Arguments: /usr/bin/pabosymmxs "ls -la" 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 21417, Parent: 20760)
                                                                              • pabosymmxs (PID: 21418, Parent: 20139, MD5: 6dd0d67d1c47f51ce86417b8c55e3f0b) Arguments: /usr/bin/pabosymmxs pwd 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 21419, Parent: 20760)
                                                                              • pabosymmxs (PID: 21420, Parent: 20139, MD5: 6dd0d67d1c47f51ce86417b8c55e3f0b) Arguments: /usr/bin/pabosymmxs "sleep 1" 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 21421, Parent: 20760)
                                                                              • pabosymmxs (PID: 21424, Parent: 20139, MD5: 6dd0d67d1c47f51ce86417b8c55e3f0b) Arguments: /usr/bin/pabosymmxs uptime 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 21425, Parent: 20760)
                                                                              • pabosymmxs (PID: 21427, Parent: 20139, MD5: 6dd0d67d1c47f51ce86417b8c55e3f0b) Arguments: /usr/bin/pabosymmxs "ifconfig eth0" 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 21470, Parent: 20760)
                                                                              • glqextqofd (PID: 21471, Parent: 20139, MD5: 5c1b70be5d0ab524cd4595380315664b) Arguments: /usr/bin/glqextqofd "echo \"find\"" 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 21472, Parent: 20760)
                                                                              • glqextqofd (PID: 21473, Parent: 20139, MD5: 5c1b70be5d0ab524cd4595380315664b) Arguments: /usr/bin/glqextqofd uptime 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 21474, Parent: 20760)
                                                                              • glqextqofd (PID: 21475, Parent: 20139, MD5: 5c1b70be5d0ab524cd4595380315664b) Arguments: /usr/bin/glqextqofd "route -n" 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 21476, Parent: 20760)
                                                                              • glqextqofd (PID: 21478, Parent: 20139, MD5: 5c1b70be5d0ab524cd4595380315664b) Arguments: /usr/bin/glqextqofd "netstat -antop" 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 21479, Parent: 20760)
                                                                              • glqextqofd (PID: 21481, Parent: 20139, MD5: 5c1b70be5d0ab524cd4595380315664b) Arguments: /usr/bin/glqextqofd top 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 21525, Parent: 20760)
                                                                              • wtpmrwxnnu (PID: 21526, Parent: 20139, MD5: ff3cc7e051978d61dcff6171797f7a83) Arguments: /usr/bin/wtpmrwxnnu id 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 21527, Parent: 20760)
                                                                              • wtpmrwxnnu (PID: 21528, Parent: 20139, MD5: ff3cc7e051978d61dcff6171797f7a83) Arguments: /usr/bin/wtpmrwxnnu "ifconfig eth0" 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 21529, Parent: 20760)
                                                                              • wtpmrwxnnu (PID: 21530, Parent: 20139, MD5: ff3cc7e051978d61dcff6171797f7a83) Arguments: /usr/bin/wtpmrwxnnu whoami 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 21531, Parent: 20760)
                                                                              • wtpmrwxnnu (PID: 21533, Parent: 20139, MD5: ff3cc7e051978d61dcff6171797f7a83) Arguments: /usr/bin/wtpmrwxnnu bash 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 21534, Parent: 20760)
                                                                              • wtpmrwxnnu (PID: 21537, Parent: 20139, MD5: ff3cc7e051978d61dcff6171797f7a83) Arguments: /usr/bin/wtpmrwxnnu "cd /etc" 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 21580, Parent: 20760)
                                                                              • qntdgcmcoc (PID: 21581, Parent: 20139, MD5: f67b11b2e719b05c729711fa50955986) Arguments: /usr/bin/qntdgcmcoc "grep \"A\"" 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 21582, Parent: 20760)
                                                                              • qntdgcmcoc (PID: 21583, Parent: 20139, MD5: f67b11b2e719b05c729711fa50955986) Arguments: /usr/bin/qntdgcmcoc id 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 21584, Parent: 20760)
                                                                              • qntdgcmcoc (PID: 21586, Parent: 20139, MD5: f67b11b2e719b05c729711fa50955986) Arguments: /usr/bin/qntdgcmcoc "ls -la" 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 21587, Parent: 20760)
                                                                              • qntdgcmcoc (PID: 21589, Parent: 20139, MD5: f67b11b2e719b05c729711fa50955986) Arguments: /usr/bin/qntdgcmcoc uptime 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 21590, Parent: 20760)
                                                                              • qntdgcmcoc (PID: 21592, Parent: 20139, MD5: f67b11b2e719b05c729711fa50955986) Arguments: /usr/bin/qntdgcmcoc top 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 21635, Parent: 20760)
                                                                              • hnkhxsduvc (PID: 21636, Parent: 20139, MD5: 44a6b2f65089e1f52459ebccf8e494c2) Arguments: /usr/bin/hnkhxsduvc id 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 21637, Parent: 20760)
                                                                              • hnkhxsduvc (PID: 21638, Parent: 20139, MD5: 44a6b2f65089e1f52459ebccf8e494c2) Arguments: /usr/bin/hnkhxsduvc "sleep 1" 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 21639, Parent: 20760)
                                                                              • hnkhxsduvc (PID: 21640, Parent: 20139, MD5: 44a6b2f65089e1f52459ebccf8e494c2) Arguments: /usr/bin/hnkhxsduvc ls 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 21641, Parent: 20760)
                                                                              • hnkhxsduvc (PID: 21643, Parent: 20139, MD5: 44a6b2f65089e1f52459ebccf8e494c2) Arguments: /usr/bin/hnkhxsduvc bash 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 21644, Parent: 20760)
                                                                              • hnkhxsduvc (PID: 21646, Parent: 20139, MD5: 44a6b2f65089e1f52459ebccf8e494c2) Arguments: /usr/bin/hnkhxsduvc "ls -la" 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 21690, Parent: 20760)
                                                                              • hgikpxeoau (PID: 21691, Parent: 20139, MD5: 4876fb279215fff5a21ac45ce582e425) Arguments: /usr/bin/hgikpxeoau ifconfig 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 21692, Parent: 20760)
                                                                              • hgikpxeoau (PID: 21693, Parent: 20139, MD5: 4876fb279215fff5a21ac45ce582e425) Arguments: /usr/bin/hgikpxeoau "grep \"A\"" 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 21694, Parent: 20760)
                                                                              • hgikpxeoau (PID: 21695, Parent: 20139, MD5: 4876fb279215fff5a21ac45ce582e425) Arguments: /usr/bin/hgikpxeoau pwd 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 21696, Parent: 20760)
                                                                              • hgikpxeoau (PID: 21698, Parent: 20139, MD5: 4876fb279215fff5a21ac45ce582e425) Arguments: /usr/bin/hgikpxeoau "route -n" 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 21699, Parent: 20760)
                                                                              • hgikpxeoau (PID: 21701, Parent: 20139, MD5: 4876fb279215fff5a21ac45ce582e425) Arguments: /usr/bin/hgikpxeoau "sleep 1" 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 21745, Parent: 20760)
                                                                              • mdwxkdahhl (PID: 21746, Parent: 20139, MD5: 1387afbfc03ea72fc432609183b0099f) Arguments: /usr/bin/mdwxkdahhl top 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 21747, Parent: 20760)
                                                                              • mdwxkdahhl (PID: 21748, Parent: 20139, MD5: 1387afbfc03ea72fc432609183b0099f) Arguments: /usr/bin/mdwxkdahhl pwd 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 21749, Parent: 20760)
                                                                              • mdwxkdahhl (PID: 21750, Parent: 20139, MD5: 1387afbfc03ea72fc432609183b0099f) Arguments: /usr/bin/mdwxkdahhl "ls -la" 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 21751, Parent: 20760)
                                                                              • mdwxkdahhl (PID: 21754, Parent: 20139, MD5: 1387afbfc03ea72fc432609183b0099f) Arguments: /usr/bin/mdwxkdahhl sh 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 21755, Parent: 20760)
                                                                              • mdwxkdahhl (PID: 21756, Parent: 20139, MD5: 1387afbfc03ea72fc432609183b0099f) Arguments: /usr/bin/mdwxkdahhl who 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 21800, Parent: 20760)
                                                                              • ifviglxegh (PID: 21801, Parent: 20139, MD5: cec7bfe887bb4de1b4bf3a7e895297da) Arguments: /usr/bin/ifviglxegh sh 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 21802, Parent: 20760)
                                                                              • ifviglxegh (PID: 21803, Parent: 20139, MD5: cec7bfe887bb4de1b4bf3a7e895297da) Arguments: /usr/bin/ifviglxegh "echo \"find\"" 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 21804, Parent: 20760)
                                                                              • ifviglxegh (PID: 21805, Parent: 20139, MD5: cec7bfe887bb4de1b4bf3a7e895297da) Arguments: /usr/bin/ifviglxegh "sleep 1" 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 21806, Parent: 20760)
                                                                              • ifviglxegh (PID: 21807, Parent: 20139, MD5: cec7bfe887bb4de1b4bf3a7e895297da) Arguments: /usr/bin/ifviglxegh pwd 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 21808, Parent: 20760)
                                                                              • ifviglxegh (PID: 21810, Parent: 20139, MD5: cec7bfe887bb4de1b4bf3a7e895297da) Arguments: /usr/bin/ifviglxegh gnome-terminal 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 21855, Parent: 20760)
                                                                              • tciofuhcyp (PID: 21856, Parent: 20139, MD5: 3f85ef330a52ec860548ce10cfacc127) Arguments: /usr/bin/tciofuhcyp "netstat -antop" 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 21857, Parent: 20760)
                                                                              • tciofuhcyp (PID: 21858, Parent: 20139, MD5: 3f85ef330a52ec860548ce10cfacc127) Arguments: /usr/bin/tciofuhcyp "sleep 1" 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 21859, Parent: 20760)
                                                                              • tciofuhcyp (PID: 21860, Parent: 20139, MD5: 3f85ef330a52ec860548ce10cfacc127) Arguments: /usr/bin/tciofuhcyp "sleep 1" 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 21861, Parent: 20760)
                                                                              • tciofuhcyp (PID: 21863, Parent: 20139, MD5: 3f85ef330a52ec860548ce10cfacc127) Arguments: /usr/bin/tciofuhcyp ifconfig 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 21864, Parent: 20760)
                                                                              • tciofuhcyp (PID: 21866, Parent: 20139, MD5: 3f85ef330a52ec860548ce10cfacc127) Arguments: /usr/bin/tciofuhcyp "netstat -antop" 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 21910, Parent: 20760)
                                                                              • brpngbdcdl (PID: 21911, Parent: 20139, MD5: a72bebfda15ed81ed7440ef5384fde86) Arguments: /usr/bin/brpngbdcdl su 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 21912, Parent: 20760)
                                                                              • brpngbdcdl (PID: 21913, Parent: 20139, MD5: a72bebfda15ed81ed7440ef5384fde86) Arguments: /usr/bin/brpngbdcdl su 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 21914, Parent: 20760)
                                                                              • brpngbdcdl (PID: 21915, Parent: 20139, MD5: a72bebfda15ed81ed7440ef5384fde86) Arguments: /usr/bin/brpngbdcdl "netstat -an" 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 21916, Parent: 20760)
                                                                              • brpngbdcdl (PID: 21917, Parent: 20139, MD5: a72bebfda15ed81ed7440ef5384fde86) Arguments: /usr/bin/brpngbdcdl sh 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 21918, Parent: 20760)
                                                                              • brpngbdcdl (PID: 21921, Parent: 20139, MD5: a72bebfda15ed81ed7440ef5384fde86) Arguments: /usr/bin/brpngbdcdl "cd /etc" 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 21967, Parent: 20760)
                                                                              • kwpbcarfas (PID: 21968, Parent: 20139, MD5: 2d52753fdd8a6f36e8adf8d8f195ff56) Arguments: /usr/bin/kwpbcarfas "ps -ef" 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 21969, Parent: 20760)
                                                                              • kwpbcarfas (PID: 21970, Parent: 20139, MD5: 2d52753fdd8a6f36e8adf8d8f195ff56) Arguments: /usr/bin/kwpbcarfas gnome-terminal 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 21971, Parent: 20760)
                                                                              • kwpbcarfas (PID: 21972, Parent: 20139, MD5: 2d52753fdd8a6f36e8adf8d8f195ff56) Arguments: /usr/bin/kwpbcarfas "ls -la" 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 21973, Parent: 20760)
                                                                              • kwpbcarfas (PID: 21975, Parent: 20139, MD5: 2d52753fdd8a6f36e8adf8d8f195ff56) Arguments: /usr/bin/kwpbcarfas bash 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 21976, Parent: 20760)
                                                                              • kwpbcarfas (PID: 21981, Parent: 20139, MD5: 2d52753fdd8a6f36e8adf8d8f195ff56) Arguments: /usr/bin/kwpbcarfas "ps -ef" 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 22022, Parent: 20760)
                                                                              • aqodzhbxaq (PID: 22023, Parent: 20139, MD5: 7e51b0a3a15821a83a4c7377ecc86ae1) Arguments: /usr/bin/aqodzhbxaq "grep \"A\"" 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 22024, Parent: 20760)
                                                                              • aqodzhbxaq (PID: 22025, Parent: 20139, MD5: 7e51b0a3a15821a83a4c7377ecc86ae1) Arguments: /usr/bin/aqodzhbxaq ifconfig 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 22026, Parent: 20760)
                                                                              • aqodzhbxaq (PID: 22028, Parent: 20139, MD5: 7e51b0a3a15821a83a4c7377ecc86ae1) Arguments: /usr/bin/aqodzhbxaq "ifconfig eth0" 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 22029, Parent: 20760)
                                                                              • aqodzhbxaq (PID: 22032, Parent: 20139, MD5: 7e51b0a3a15821a83a4c7377ecc86ae1) Arguments: /usr/bin/aqodzhbxaq id 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 22033, Parent: 20760)
                                                                              • aqodzhbxaq (PID: 22037, Parent: 20139, MD5: 7e51b0a3a15821a83a4c7377ecc86ae1) Arguments: /usr/bin/aqodzhbxaq "cd /etc" 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 22077, Parent: 20760)
                                                                              • zvnxdinbwf (PID: 22078, Parent: 20139, MD5: f48687e6a7c2141ad3d2d2b235e75993) Arguments: /usr/bin/zvnxdinbwf "ifconfig eth0" 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 22079, Parent: 20760)
                                                                              • zvnxdinbwf (PID: 22080, Parent: 20139, MD5: f48687e6a7c2141ad3d2d2b235e75993) Arguments: /usr/bin/zvnxdinbwf "grep \"A\"" 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 22081, Parent: 20760)
                                                                              • zvnxdinbwf (PID: 22082, Parent: 20139, MD5: f48687e6a7c2141ad3d2d2b235e75993) Arguments: /usr/bin/zvnxdinbwf gnome-terminal 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 22083, Parent: 20760)
                                                                              • zvnxdinbwf (PID: 22085, Parent: 20139, MD5: f48687e6a7c2141ad3d2d2b235e75993) Arguments: /usr/bin/zvnxdinbwf sh 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 22086, Parent: 20760)
                                                                              • zvnxdinbwf (PID: 22087, Parent: 20139, MD5: f48687e6a7c2141ad3d2d2b235e75993) Arguments: /usr/bin/zvnxdinbwf "netstat -antop" 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 22132, Parent: 20760)
                                                                              • mqzcfhbucz (PID: 22133, Parent: 20139, MD5: 88d1861d32d1d0a7f93004cf68dbdc07) Arguments: /usr/bin/mqzcfhbucz sh 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 22134, Parent: 20760)
                                                                              • mqzcfhbucz (PID: 22135, Parent: 20139, MD5: 88d1861d32d1d0a7f93004cf68dbdc07) Arguments: /usr/bin/mqzcfhbucz "netstat -an" 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 22136, Parent: 20760)
                                                                              • mqzcfhbucz (PID: 22137, Parent: 20139, MD5: 88d1861d32d1d0a7f93004cf68dbdc07) Arguments: /usr/bin/mqzcfhbucz "ifconfig eth0" 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 22138, Parent: 20760)
                                                                              • mqzcfhbucz (PID: 22140, Parent: 20139, MD5: 88d1861d32d1d0a7f93004cf68dbdc07) Arguments: /usr/bin/mqzcfhbucz "route -n" 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 22141, Parent: 20760)
                                                                              • mqzcfhbucz (PID: 22144, Parent: 20139, MD5: 88d1861d32d1d0a7f93004cf68dbdc07) Arguments: /usr/bin/mqzcfhbucz "ifconfig eth0" 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 22187, Parent: 20760)
                                                                              • ylpdirhqzu (PID: 22188, Parent: 20139, MD5: d39fdbaedec509b9d1bf6e09e415a5f7) Arguments: /usr/bin/ylpdirhqzu "netstat -an" 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 22189, Parent: 20760)
                                                                              • ylpdirhqzu (PID: 22190, Parent: 20139, MD5: d39fdbaedec509b9d1bf6e09e415a5f7) Arguments: /usr/bin/ylpdirhqzu sh 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 22191, Parent: 20760)
                                                                              • ylpdirhqzu (PID: 22192, Parent: 20139, MD5: d39fdbaedec509b9d1bf6e09e415a5f7) Arguments: /usr/bin/ylpdirhqzu "cd /etc" 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 22193, Parent: 20760)
                                                                              • ylpdirhqzu (PID: 22195, Parent: 20139, MD5: d39fdbaedec509b9d1bf6e09e415a5f7) Arguments: /usr/bin/ylpdirhqzu "echo \"find\"" 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 22196, Parent: 20760)
                                                                              • ylpdirhqzu (PID: 22198, Parent: 20139, MD5: d39fdbaedec509b9d1bf6e09e415a5f7) Arguments: /usr/bin/ylpdirhqzu who 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 22242, Parent: 20760)
                                                                              • cubluuuwgg (PID: 22243, Parent: 20139, MD5: ec9cab7e425da316cf533ed28521ebec) Arguments: /usr/bin/cubluuuwgg "netstat -antop" 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 22244, Parent: 20760)
                                                                              • cubluuuwgg (PID: 22245, Parent: 20139, MD5: ec9cab7e425da316cf533ed28521ebec) Arguments: /usr/bin/cubluuuwgg "route -n" 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 22246, Parent: 20760)
                                                                              • cubluuuwgg (PID: 22247, Parent: 20139, MD5: ec9cab7e425da316cf533ed28521ebec) Arguments: /usr/bin/cubluuuwgg "netstat -an" 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 22248, Parent: 20760)
                                                                              • cubluuuwgg (PID: 22250, Parent: 20139, MD5: ec9cab7e425da316cf533ed28521ebec) Arguments: /usr/bin/cubluuuwgg su 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 22251, Parent: 20760)
                                                                              • cubluuuwgg (PID: 22253, Parent: 20139, MD5: ec9cab7e425da316cf533ed28521ebec) Arguments: /usr/bin/cubluuuwgg gnome-terminal 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 22297, Parent: 20760)
                                                                              • nosttbhbgk (PID: 22298, Parent: 20139, MD5: 6fdd47332cae8747834f384ee9253b5a) Arguments: /usr/bin/nosttbhbgk sh 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 22299, Parent: 20760)
                                                                              • nosttbhbgk (PID: 22300, Parent: 20139, MD5: 6fdd47332cae8747834f384ee9253b5a) Arguments: /usr/bin/nosttbhbgk who 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 22301, Parent: 20760)
                                                                              • nosttbhbgk (PID: 22302, Parent: 20139, MD5: 6fdd47332cae8747834f384ee9253b5a) Arguments: /usr/bin/nosttbhbgk "route -n" 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 22303, Parent: 20760)
                                                                              • nosttbhbgk (PID: 22304, Parent: 20139, MD5: 6fdd47332cae8747834f384ee9253b5a) Arguments: /usr/bin/nosttbhbgk ls 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 22305, Parent: 20760)
                                                                              • nosttbhbgk (PID: 22308, Parent: 20139, MD5: 6fdd47332cae8747834f384ee9253b5a) Arguments: /usr/bin/nosttbhbgk ifconfig 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 22352, Parent: 20760)
                                                                              • hqofygbuwq (PID: 22353, Parent: 20139, MD5: 25a473b6ace7c8d6b3b74493ae42c19b) Arguments: /usr/bin/hqofygbuwq "cat resolv.conf" 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 22354, Parent: 20760)
                                                                              • hqofygbuwq (PID: 22355, Parent: 20139, MD5: 25a473b6ace7c8d6b3b74493ae42c19b) Arguments: /usr/bin/hqofygbuwq "route -n" 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 22356, Parent: 20760)
                                                                              • hqofygbuwq (PID: 22358, Parent: 20139, MD5: 25a473b6ace7c8d6b3b74493ae42c19b) Arguments: /usr/bin/hqofygbuwq su 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 22359, Parent: 20760)
                                                                              • hqofygbuwq (PID: 22361, Parent: 20139, MD5: 25a473b6ace7c8d6b3b74493ae42c19b) Arguments: /usr/bin/hqofygbuwq ifconfig 20760
                                                                            • 7ZDbt9EUgm New Fork (PID: 22362, Parent: 20760)
                                                                              • hqofygbuwq (PID: 22364, Parent: 20139, MD5: 25a473b6ace7c8d6b3b74493ae42c19b) Arguments: /usr/bin/hqofygbuwq sh 20760
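The forks above all follow one pattern: the sample execs a fresh copy of itself under a random ten-lowercase-letter name in /usr/bin (mqzcfhbucz, ylpdirhqzu, cubluuuwgg, hqofygbuwq, each with its own MD5), passes a decoy command string ("ifconfig eth0", "netstat -an", su, gnome-terminal, ...) as argv[1] so the process list looks like ordinary admin activity, and passes the PID of the controlling process (20760) as argv[2]. The following detector is an added example written for this report, not Joe Sandbox code or part of the sample. It parses process-tree lines in the format shown above (the input is constructed from those lines, plus one constructed benign control line for a real /bin/sh running ifconfig) and flags the random-name-plus-decoy pattern; the DECOY_COMMANDS set is an assumption seeded from the decoys visible in this tree and should be extended for real use.

```python
"""Flag XorDDoS-style process masquerading in a sandbox process tree.

Added example for this report, not Joe Sandbox code. Parses lines of the form
  name (PID: n, Parent: n, MD5: h) Arguments: /usr/bin/name "decoy cmd" <pid>
and flags processes that run from a random ten-letter binary in /usr/bin
with a decoy command as argv[1] and a controlling PID as argv[2].
"""
import os
import re
import shlex
from collections import defaultdict

# Constructed input: lines copied from the report's process tree, followed by
# one constructed benign control line (a genuine shell running ifconfig).
SAMPLE_TREE = r"""
7ZDbt9EUgm New Fork (PID: 22141, Parent: 20760)
mqzcfhbucz (PID: 22144, Parent: 20139, MD5: 88d1861d32d1d0a7f93004cf68dbdc07) Arguments: /usr/bin/mqzcfhbucz "ifconfig eth0" 20760
7ZDbt9EUgm New Fork (PID: 22187, Parent: 20760)
ylpdirhqzu (PID: 22188, Parent: 20139, MD5: d39fdbaedec509b9d1bf6e09e415a5f7) Arguments: /usr/bin/ylpdirhqzu "netstat -an" 20760
ylpdirhqzu (PID: 22195, Parent: 20139, MD5: d39fdbaedec509b9d1bf6e09e415a5f7) Arguments: /usr/bin/ylpdirhqzu "echo \"find\"" 20760
cubluuuwgg (PID: 22253, Parent: 20139, MD5: ec9cab7e425da316cf533ed28521ebec) Arguments: /usr/bin/cubluuuwgg gnome-terminal 20760
hqofygbuwq (PID: 22353, Parent: 20139, MD5: 25a473b6ace7c8d6b3b74493ae42c19b) Arguments: /usr/bin/hqofygbuwq "cat resolv.conf" 20760
sh (PID: 30001, Parent: 29999, MD5: 0123456789abcdef0123456789abcdef) Arguments: /bin/sh -c "ifconfig eth0"
""".strip()

LINE_RE = re.compile(
    r"^(?P<name>\S+(?: New Fork)?) \(PID: (?P<pid>\d+), Parent: (?P<ppid>\d+)"
    r"(?:, MD5: (?P<md5>[0-9a-f]{32}))?\)(?: Arguments: (?P<args>.*))?$"
)

# XorDDoS drops its copies as /usr/bin/<ten random lowercase letters>.
RANDOM_NAME_RE = re.compile(r"^/usr/bin/[a-z]{10}$")

# Assumption: seeded from the decoy strings visible in this report's tree.
# Extend with whatever admin commands the deployment commonly sees.
DECOY_COMMANDS = frozenset({
    "ifconfig", "netstat", "sh", "cd", "echo", "who", "route", "su",
    "gnome-terminal", "ls", "cat",
})


def parse_tree(text):
    """Turn report lines into dicts with name/pid/ppid/md5/argv."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip blank or unrecognised lines
        argv = shlex.split(m["args"]) if m["args"] else []
        events.append({
            "name": m["name"], "pid": int(m["pid"]), "ppid": int(m["ppid"]),
            "md5": m["md5"], "argv": argv,
        })
    return events


def is_masquerading(ev):
    """True when argv is <random /usr/bin binary> <decoy command> <pid>."""
    argv = ev["argv"]
    if len(argv) != 3 or not RANDOM_NAME_RE.match(argv[0]):
        return False
    decoy_words = argv[1].split()
    if not decoy_words or not argv[2].isdigit():
        return False
    decoy = os.path.basename(decoy_words[0])
    # The binary claims to be some other command than the one it is.
    return decoy in DECOY_COMMANDS and decoy != os.path.basename(argv[0])


def analyze(text):
    """Return hits plus summary facts an analyst would pivot on."""
    hits = [ev for ev in parse_tree(text) if is_masquerading(ev)]
    hashes_by_controller = defaultdict(set)  # argv[2] PID -> distinct MD5s
    for ev in hits:
        hashes_by_controller[int(ev["argv"][2])].add(ev["md5"])
    return {
        "hits": hits,
        "random_names": sorted({ev["argv"][0] for ev in hits}),
        "decoys": sorted({ev["argv"][1] for ev in hits}),
        # A controller spawning several distinct hashes of the same decoy
        # pattern is the per-copy polymorphism seen in this report.
        "polymorphic_controllers": {
            pid: len(h) for pid, h in hashes_by_controller.items() if len(h) > 1
        },
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_TREE)
    for ev in result["hits"]:
        print(f"PID {ev['pid']}: {ev['argv'][0]} masquerading as {ev['argv'][1]!r}")
    print("distinct hashes per controller:", result["polymorphic_controllers"])
```

On a live host the same two signals are what to hunt for: the current argv of every process is in /proc/<pid>/cmdline and the real image in /proc/<pid>/exe, so a process whose cmdline names an admin command while its exe is an unowned ten-letter file in /usr/bin should be pulled for triage, and several such files with different hashes point to the polymorphic dropping shown here rather than a single stray binary.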