105e32c8ef13d4d001923c1a43a8849d069fc4adebe48e5e6a9e726eb605ce31

Analysis

max time kernel
6s
max time network
132s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240226-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240226-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
07-03-2024 18:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

.rsync/a/init0
Size

9KB
MD5

019e23027bc3849142dd8625451ed5c0
SHA1

982c0318414c3fdf82e3726c4ef4e9021751bbd9
SHA256

0e8472f2005560c6f4db4e5aef39e5d35185b35c67f70a27c8b3dcb242eed25e
SHA512

89fd143e3060669df59feeb599cb5042bf8996983dd9073a53cf1d00d408ec9930e1ce29a1aa3aa1f1157a3a6dee1a0cc32f0791c92f75ed0f74c59f326cdc32
SSDEEP

96:97gXuXeR7P0YQH8h9GVQbxgeJwI222bznGWDKKFZ5W:97xeRb038hAGbxIz9/0

Score

6^/10

Malware Config

Signatures

Attempts to change immutable files 1 IoCs

Modifies inode attributes on the filesystem to allow changing of immutable files.

pid	Process
1929	chattr

Enumerates running processes
Discovers information about currently running processes on the system

Reads CPU attributes 1 TTPs 64 IoCs

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	pkill

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/186/cmdline	pkill
File opened for reading	/proc/982/stat	ps
File opened for reading	/proc/6/status	ps
File opened for reading	/proc/177/cmdline	ps
File opened for reading	/proc/1085/status	pkill
File opened for reading	/proc/1156/status	pkill
File opened for reading	/proc/34/status	pkill
File opened for reading	/proc/1732/status	ps
File opened for reading	/proc/1169/stat	ps
File opened for reading	/proc/1135/stat	ps
File opened for reading	/proc/1135/stat	ps
File opened for reading	/proc/185/status	ps
File opened for reading	/proc/729/cmdline	pkill
File opened for reading	/proc/1186/status	pkill
File opened for reading	/proc/22/cmdline	pkill
File opened for reading	/proc/288/status	pkill
File opened for reading	/proc/23/status	pkill
File opened for reading	/proc/4/status	ps
File opened for reading	/proc/1190/cmdline	ps
File opened for reading	/proc/1608/stat	ps
File opened for reading	/proc/84/stat	ps
File opened for reading	/proc/22/cmdline	pkill
File opened for reading	/proc/1171/status	ps
File opened for reading	/proc/1200/cmdline	ps
File opened for reading	/proc/218/cmdline	pkill
File opened for reading	/proc/89/status	pkill
File opened for reading	/proc/1204/cmdline	pkill
File opened for reading	/proc/174/status	pkill
File opened for reading	/proc/464/cmdline	pkill
File opened for reading	/proc/463/status	ps
File opened for reading	/proc/1203/stat	ps
File opened for reading	/proc/1204/status	ps
File opened for reading	/proc/1305/cmdline	pkill
File opened for reading	/proc/18/cmdline	pkill
File opened for reading	/proc/559/status	ps
File opened for reading	/proc/352/stat	ps
File opened for reading	/proc/1319/cmdline	pkill
File opened for reading	/proc/6/stat	ps
File opened for reading	/proc/32/cmdline	ps
File opened for reading	/proc/729/cmdline	pkill
File opened for reading	/proc/1575/status	pkill
File opened for reading	/proc/722/cmdline	ps
File opened for reading	/proc/1204/stat	ps
File opened for reading	/proc/31/status	pkill
File opened for reading	/proc/1088/status	pkill
File opened for reading	/proc/81/stat	ps
File opened for reading	/proc/1196/stat	ps
File opened for reading	/proc/959/stat	ps
File opened for reading	/proc/894/stat	ps
File opened for reading	/proc/682/stat	ps
File opened for reading	/proc/16/status	pkill
File opened for reading	/proc/658/status	pkill
File opened for reading	/proc/607/cmdline	ps
File opened for reading	/proc/89/stat	ps
File opened for reading	/proc/187/status	pkill
File opened for reading	/proc/83/cmdline	pkill
File opened for reading	/proc/127/status	pkill
File opened for reading	/proc/678/cmdline	pkill
File opened for reading	/proc/1165/cmdline	pkill
File opened for reading	/proc/480/stat	ps
File opened for reading	/proc/545/cmdline	ps
File opened for reading	/proc/559/cmdline	ps
File opened for reading	/proc/1190/cmdline	pkill
File opened for reading	/proc/491/cmdline	pkill

Writes file to tmp directory 4 IoCs

Malware often drops required files in the /tmp directory.

description	ioc
File opened for modification	/tmp/crondpid
File opened for modification	/tmp/ssdpid
File opened for modification	/tmp/syslogspid
File opened for modification	/tmp/.rsync/a/.procs

/tmp/.rsync/a/init0
/tmp/.rsync/a/init0
1⤵
PID:1575
- /bin/rm
  rm /tmp/.cron
  2⤵
  PID:1576
- /bin/rm
  rm "/tmp/Donald*"
  2⤵
  PID:1577
- /bin/rm
  rm "/tmp/Macron*"
  2⤵
  PID:1578
- /bin/rm
  rm /tmp/.main
  2⤵
  PID:1579
- /bin/rm
  rm "/tmp/.yam*" -rf
  2⤵
  PID:1580
- /bin/rm
  rm -f /tmp/irq
  2⤵
  PID:1581
- /bin/rm
  rm -f /tmp/irq.sh
  2⤵
  PID:1582
- /bin/rm
  rm -f /tmp/irqbalanc1
  2⤵
  PID:1583
- /bin/rm
  rm -rf /boot/grub/deamon
  2⤵
  PID:1584
- /bin/rm
  rm -rf /boot/grub/disk_genius
  2⤵
  PID:1585
- /bin/rm
  rm -rf "/tmp/*httpd.conf"
  2⤵
  PID:1586
- /bin/rm
  rm -rf "/tmp/*httpd.conf*"
  2⤵
  PID:1587
- /bin/rm
  rm -rf "/tmp/*index_bak*"
  2⤵
  PID:1588
- /bin/rm
  rm -rf "/tmp/.systemd-private-*"
  2⤵
  PID:1589
- /bin/rm
  rm -rf "/tmp/.xm*"
  2⤵
  PID:1590
- /bin/rm
  rm -rf /tmp/a7b104c270
  2⤵
  PID:1591
- /bin/rm
  rm -rf /tmp/conn
  2⤵
  PID:1592
- /bin/rm
  rm -rf /tmp/conns
  2⤵
  PID:1593
- /bin/rm
  rm -rf /tmp/httpd.conf
  2⤵
  PID:1594
- /bin/rm
  rm -rf "/tmp/java*"
  2⤵
  PID:1595
- /bin/rm
  rm -rf /tmp/kworkerds /bin/kworkerds /bin/config.json /var/tmp/kworkerds /var/tmp/config.json /usr/local/lib/libjdk.so
  2⤵
  PID:1596
- /bin/rm
  rm -rf /tmp/qW3xT.2 /tmp/ddgs.3013 /tmp/ddgs.3012 /tmp/wnTKYg /tmp/2t3ik
  2⤵
  PID:1597
- /bin/rm
  rm -rf /tmp/root.sh /tmp/pools.txt /tmp/libapache /tmp/config.json /tmp/bashf /tmp/bashg /tmp/libapache
  2⤵
  PID:1598
- /bin/rm
  rm -rf "/tmp/xm*"
  2⤵
  PID:1599
- /bin/rm
  rm -rf "/var/tmp/java*"
  2⤵
  PID:1600
- /usr/bin/killall
  killall -9 chron-34e2fg
  2⤵
  PID:1607
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1605
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1619
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1619
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1619
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1619
- - /sbin/kill
    kill -9
    3⤵
    PID:1619
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:1619
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1604
- /usr/bin/awk
  awk "!/awk/"
  2⤵
  PID:1603
- /usr/bin/awk
  awk /34e2fg/
  2⤵
  PID:1602
- /bin/ps
  ps auxw
  2⤵
  PID:1601
- /bin/ps
  ps axf -o "pid %cpu"
  2⤵
  - Reads runtime system information
  PID:1616
- /usr/bin/awk
  awk "{if(\$2>=40.0) print \$1}"
  2⤵
  PID:1617
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1614
- - /usr/local/sbin/kill
    kill -9 1612
    3⤵
    PID:1621
- - /usr/local/bin/kill
    kill -9 1612
    3⤵
    PID:1621
- - /usr/sbin/kill
    kill -9 1612
    3⤵
    PID:1621
- - /usr/bin/kill
    kill -9 1612
    3⤵
    PID:1621
- - /sbin/kill
    kill -9 1612
    3⤵
    PID:1621
- - /bin/kill
    kill -9 1612
    3⤵
    - Reads CPU attributes
    PID:1621
- /usr/bin/awk
  awk "{print \$1}"
  2⤵
  PID:1613
- /usr/bin/awk
  awk "/34e|r\\/v3|moy5|defunct/"
  2⤵
  PID:1612
- /bin/ps
  ps wx
  2⤵
  - Reads CPU attributes
  PID:1611
- /usr/bin/killall
  killall .Historys
  2⤵
  PID:1620
- /usr/bin/killall
  killall .sshd
  2⤵
  PID:1622
- /usr/bin/killall
  killall neptune
  2⤵
  PID:1623
- /usr/bin/killall
  killall xm64
  2⤵
  PID:1624
- /usr/bin/killall
  killall xm32
  2⤵
  PID:1625
- /usr/bin/killall
  killall ld-linux
  2⤵
  PID:1626
- /usr/bin/killall
  killall xmrig
  2⤵
  PID:1627
- /usr/bin/killall
  killall .xmrig
  2⤵
  PID:1628
- /usr/bin/killall
  killall suppoieup
  2⤵
  PID:1629
- /usr/bin/killall
  killall xrx
  2⤵
  PID:1630
- /usr/bin/pkill
  pkill -f sourplum
  2⤵
  PID:1631
- /usr/bin/pkill
  pkill wnTKYg
  2⤵
  PID:1632
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1637
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1638
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1638
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1638
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1638
- - /sbin/kill
    kill -9
    3⤵
    PID:1638
- - /bin/kill
    kill -9
    3⤵
    PID:1638
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1636
- /bin/grep
  grep mine.moneropool.com
  2⤵
  PID:1635
- /bin/grep
  grep -v grep
  2⤵
  PID:1634
- /bin/ps
  ps auxf
  2⤵
  PID:1633
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1643
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1644
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1644
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1644
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1644
- - /sbin/kill
    kill -9
    3⤵
    PID:1644
- - /bin/kill
    kill -9
    3⤵
    PID:1644
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1642
- /bin/grep
  grep xmr.crypto-pool.fr:8080
  2⤵
  PID:1641
- /bin/grep
  grep -v grep
  2⤵
  PID:1640
- /bin/ps
  ps auxf
  2⤵
  - Reads runtime system information
  PID:1639
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1649
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1650
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1650
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1650
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1650
- - /sbin/kill
    kill -9
    3⤵
    PID:1650
- - /bin/kill
    kill -9
    3⤵
    PID:1650
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1648
- /bin/grep
  grep xmr.crypto-pool.fr:8080
  2⤵
  PID:1647
- /bin/grep
  grep -v grep
  2⤵
  PID:1646
- /bin/ps
  ps auxf
  2⤵
  - Reads CPU attributes
  PID:1645
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1655
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1656
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1656
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1656
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1656
- - /sbin/kill
    kill -9
    3⤵
    PID:1656
- - /bin/kill
    kill -9
    3⤵
    PID:1656
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1654
- /bin/grep
  grep 119.9.76.107:443
  2⤵
  PID:1653
- /bin/grep
  grep -v grep
  2⤵
  PID:1652
- /bin/ps
  ps auxf
  2⤵
  PID:1651
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1661
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1662
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1662
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1662
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1662
- - /sbin/kill
    kill -9
    3⤵
    PID:1662
- - /bin/kill
    kill -9
    3⤵
    PID:1662
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1660
- /bin/grep
  grep monerohash.com
  2⤵
  PID:1659
- /bin/grep
  grep -v grep
  2⤵
  PID:1658
- /bin/ps
  ps auxf
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1657
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1667
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1668
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1668
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1668
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1668
- - /sbin/kill
    kill -9
    3⤵
    PID:1668
- - /bin/kill
    kill -9
    3⤵
    PID:1668
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1666
- /bin/grep
  grep /tmp/a7b104c270
  2⤵
  PID:1665
- /bin/grep
  grep -v grep
  2⤵
  PID:1664
- /bin/ps
  ps auxf
  2⤵
  PID:1663
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1673
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1674
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1674
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1674
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1674
- - /sbin/kill
    kill -9
    3⤵
    PID:1674
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:1674
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1672
- /bin/grep
  grep xmr.crypto-pool.fr:6666
  2⤵
  PID:1671
- /bin/grep
  grep -v grep
  2⤵
  PID:1670
- /bin/ps
  ps auxf
  2⤵
  - Reads runtime system information
  PID:1669
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1679
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1680
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1680
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1680
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1680
- - /sbin/kill
    kill -9
    3⤵
    PID:1680
- - /bin/kill
    kill -9
    3⤵
    PID:1680
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1678
- /bin/grep
  grep xmr.crypto-pool.fr:7777
  2⤵
  PID:1677
- /bin/grep
  grep -v grep
  2⤵
  PID:1676
- /bin/ps
  ps auxf
  2⤵
  - Reads CPU attributes
  PID:1675
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1685
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1686
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1686
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1686
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1686
- - /sbin/kill
    kill -9
    3⤵
    PID:1686
- - /bin/kill
    kill -9
    3⤵
    PID:1686
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1684
- /bin/grep
  grep xmr.crypto-pool.fr:443
  2⤵
  PID:1683
- /bin/grep
  grep -v grep
  2⤵
  PID:1682
- /bin/ps
  ps auxf
  2⤵
  - Reads runtime system information
  PID:1681
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1691
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1692
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1692
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1692
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1692
- - /sbin/kill
    kill -9
    3⤵
    PID:1692
- - /bin/kill
    kill -9
    3⤵
    PID:1692
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1690
- /bin/grep
  grep stratum.f2pool.com:8888
  2⤵
  PID:1689
- /bin/grep
  grep -v grep
  2⤵
  PID:1688
- /bin/ps
  ps auxf
  2⤵
  - Reads CPU attributes
  PID:1687
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1697
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1703
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1703
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1703
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1703
- - /sbin/kill
    kill -9
    3⤵
    PID:1703
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:1703
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1696
- /bin/grep
  grep xmrpool.eu
  2⤵
  PID:1695
- /bin/grep
  grep -v grep
  2⤵
  PID:1694
- /bin/ps
  ps auxf
  2⤵
  - Reads runtime system information
  PID:1693
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1708
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1711
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1711
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1711
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1711
- - /sbin/kill
    kill -9
    3⤵
    PID:1711
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:1711
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1707
- /bin/grep
  grep xmrig
  2⤵
  PID:1706
- /bin/grep
  grep -v grep
  2⤵
  PID:1705
- /bin/ps
  ps auxf
  2⤵
  - Reads runtime system information
  PID:1704
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1716
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1718
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1718
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1718
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1718
- - /sbin/kill
    kill -9
    3⤵
    PID:1718
- - /bin/kill
    kill -9
    3⤵
    PID:1718
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1715
- /bin/grep
  grep xmrigDaemon
  2⤵
  PID:1714
- /bin/grep
  grep -v grep
  2⤵
  PID:1713
- /bin/ps
  ps auxf
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1712
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1723
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1724
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1724
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1724
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1724
- - /sbin/kill
    kill -9
    3⤵
    PID:1724
- - /bin/kill
    kill -9
    3⤵
    PID:1724
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1722
- /bin/grep
  grep xmrigMiner
  2⤵
  PID:1721
- /bin/grep
  grep -v grep
  2⤵
  PID:1720
- /bin/ps
  ps auxf
  2⤵
  - Reads runtime system information
  PID:1719
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1729
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1730
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1730
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1730
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1730
- - /sbin/kill
    kill -9
    3⤵
    PID:1730
- - /bin/kill
    kill -9
    3⤵
    PID:1730
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1728
- /bin/grep
  grep /var/tmp/java
  2⤵
  PID:1727
- /bin/grep
  grep -v grep
  2⤵
  PID:1726
- /bin/ps
  ps auxf
  2⤵
  - Reads CPU attributes
  PID:1725
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1735
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1736
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1736
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1736
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1736
- - /sbin/kill
    kill -9
    3⤵
    PID:1736
- - /bin/kill
    kill -9
    3⤵
    PID:1736
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1734
- /bin/grep
  grep ddgs
  2⤵
  PID:1733
- /bin/grep
  grep -v grep
  2⤵
  PID:1732
- /bin/ps
  ps auxf
  2⤵
  - Reads runtime system information
  PID:1731
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1741
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1742
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1742
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1742
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1742
- - /sbin/kill
    kill -9
    3⤵
    PID:1742
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:1742
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1740
- /bin/grep
  grep qW3xT
  2⤵
  PID:1739
- /bin/grep
  grep -v grep
  2⤵
  PID:1738
- /bin/ps
  ps auxf
  2⤵
  - Reads CPU attributes
  PID:1737
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1747
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1748
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1748
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1748
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1748
- - /sbin/kill
    kill -9
    3⤵
    PID:1748
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:1748
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1746
- /bin/grep
  grep t00ls.ru
  2⤵
  PID:1745
- /bin/grep
  grep -v grep
  2⤵
  PID:1744
- /bin/ps
  ps auxf
  2⤵
  - Reads runtime system information
  PID:1743
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1753
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1754
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1754
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1754
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1754
- - /sbin/kill
    kill -9
    3⤵
    PID:1754
- - /bin/kill
    kill -9
    3⤵
    PID:1754
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1752
- /bin/grep
  grep /var/tmp/sustes
  2⤵
  PID:1751
- /bin/grep
  grep -v grep
  2⤵
  PID:1750
- /bin/ps
  ps auxf
  2⤵
  - Reads CPU attributes
  PID:1749
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1759
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1760
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1760
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1760
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1760
- - /sbin/kill
    kill -9
    3⤵
    PID:1760
- - /bin/kill
    kill -9
    3⤵
    PID:1760
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1758
- /bin/grep
  grep ld-linux
  2⤵
  PID:1757
- /bin/grep
  grep -v grep
  2⤵
  PID:1756
- /bin/ps
  ps auxf
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1755
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1764
- - /usr/local/sbin/kill
    kill -9 1762
    3⤵
    PID:1765
- - /usr/local/bin/kill
    kill -9 1762
    3⤵
    PID:1765
- - /usr/sbin/kill
    kill -9 1762
    3⤵
    PID:1765
- - /usr/bin/kill
    kill -9 1762
    3⤵
    PID:1765
- - /sbin/kill
    kill -9 1762
    3⤵
    PID:1765
- - /bin/kill
    kill -9 1762
    3⤵
    - Reads CPU attributes
    PID:1765
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1763
- /bin/grep
  grep xiaoyao
  2⤵
  PID:1762
- /bin/ps
  ps auxf
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1761
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1769
- - /usr/local/sbin/kill
    kill -9 1767
    3⤵
    PID:1770
- - /usr/local/bin/kill
    kill -9 1767
    3⤵
    PID:1770
- - /usr/sbin/kill
    kill -9 1767
    3⤵
    PID:1770
- - /usr/bin/kill
    kill -9 1767
    3⤵
    PID:1770
- - /sbin/kill
    kill -9 1767
    3⤵
    PID:1770
- - /bin/kill
    kill -9 1767
    3⤵
    PID:1770
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1768
- /bin/grep
  grep Donald
  2⤵
  PID:1767
- /bin/ps
  ps auxf
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1766
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1774
- - /usr/local/sbin/kill
    kill -9 1772
    3⤵
    PID:1775
- - /usr/local/bin/kill
    kill -9 1772
    3⤵
    PID:1775
- - /usr/sbin/kill
    kill -9 1772
    3⤵
    PID:1775
- - /usr/bin/kill
    kill -9 1772
    3⤵
    PID:1775
- - /sbin/kill
    kill -9 1772
    3⤵
    PID:1775
- - /bin/kill
    kill -9 1772
    3⤵
    PID:1775
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1773
- /bin/grep
  grep Macron
  2⤵
  PID:1772
- /bin/ps
  ps auxf
  2⤵
  PID:1771
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1779
- - /usr/local/sbin/kill
    kill -9 1777
    3⤵
    PID:1780
- - /usr/local/bin/kill
    kill -9 1777
    3⤵
    PID:1780
- - /usr/sbin/kill
    kill -9 1777
    3⤵
    PID:1780
- - /usr/bin/kill
    kill -9 1777
    3⤵
    PID:1780
- - /sbin/kill
    kill -9 1777
    3⤵
    PID:1780
- - /bin/kill
    kill -9 1777
    3⤵
    PID:1780
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1778
- /bin/grep
  grep ld-linux
  2⤵
  PID:1777
- /bin/ps
  ps auxf
  2⤵
  PID:1776
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1784
- - /usr/local/sbin/kill
    kill -9 1782
    3⤵
    PID:1785
- - /usr/local/bin/kill
    kill -9 1782
    3⤵
    PID:1785
- - /usr/sbin/kill
    kill -9 1782
    3⤵
    PID:1785
- - /usr/bin/kill
    kill -9 1782
    3⤵
    PID:1785
- - /sbin/kill
    kill -9 1782
    3⤵
    PID:1785
- - /bin/kill
    kill -9 1782
    3⤵
    - Reads CPU attributes
    PID:1785
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1783
- /bin/grep
  grep named
  2⤵
  PID:1782
- /bin/ps
  ps auxf
  2⤵
  - Reads runtime system information
  PID:1781
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1789
- - /usr/local/sbin/kill
    kill -9 1787
    3⤵
    PID:1790
- - /usr/local/bin/kill
    kill -9 1787
    3⤵
    PID:1790
- - /usr/sbin/kill
    kill -9 1787
    3⤵
    PID:1790
- - /usr/bin/kill
    kill -9 1787
    3⤵
    PID:1790
- - /sbin/kill
    kill -9 1787
    3⤵
    PID:1790
- - /bin/kill
    kill -9 1787
    3⤵
    - Reads CPU attributes
    PID:1790
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1788
- /bin/grep
  grep kernelcfg
  2⤵
  PID:1787
- /bin/ps
  ps auxf
  2⤵
  PID:1786
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1794
- - /usr/local/sbin/kill
    kill -9 1792
    3⤵
    PID:1795
- - /usr/local/bin/kill
    kill -9 1792
    3⤵
    PID:1795
- - /usr/sbin/kill
    kill -9 1792
    3⤵
    PID:1795
- - /usr/bin/kill
    kill -9 1792
    3⤵
    PID:1795
- - /sbin/kill
    kill -9 1792
    3⤵
    PID:1795
- - /bin/kill
    kill -9 1792
    3⤵
    - Reads CPU attributes
    PID:1795
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1793
- /bin/grep
  grep xiaoxue
  2⤵
  PID:1792
- /bin/ps
  ps auxf
  2⤵
  - Reads runtime system information
  PID:1791
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1799
- - /usr/local/sbin/kill
    kill -9 1797
    3⤵
    PID:1800
- - /usr/local/bin/kill
    kill -9 1797
    3⤵
    PID:1800
- - /usr/sbin/kill
    kill -9 1797
    3⤵
    PID:1800
- - /usr/bin/kill
    kill -9 1797
    3⤵
    PID:1800
- - /sbin/kill
    kill -9 1797
    3⤵
    PID:1800
- - /bin/kill
    kill -9 1797
    3⤵
    PID:1800
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1798
- /bin/grep
  grep kernelupgrade
  2⤵
  PID:1797
- /bin/ps
  ps auxf
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1796
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1804
- - /usr/local/sbin/kill
    kill -9 1802
    3⤵
    PID:1805
- - /usr/local/bin/kill
    kill -9 1802
    3⤵
    PID:1805
- - /usr/sbin/kill
    kill -9 1802
    3⤵
    PID:1805
- - /usr/bin/kill
    kill -9 1802
    3⤵
    PID:1805
- - /sbin/kill
    kill -9 1802
    3⤵
    PID:1805
- - /bin/kill
    kill -9 1802
    3⤵
    PID:1805
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1803
- /bin/grep
  grep kernelorg
  2⤵
  PID:1802
- /bin/ps
  ps auxf
  2⤵
  - Reads CPU attributes
  PID:1801
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1809
- - /usr/local/sbin/kill
    kill -9 1807
    3⤵
    PID:1810
- - /usr/local/bin/kill
    kill -9 1807
    3⤵
    PID:1810
- - /usr/sbin/kill
    kill -9 1807
    3⤵
    PID:1810
- - /usr/bin/kill
    kill -9 1807
    3⤵
    PID:1810
- - /sbin/kill
    kill -9 1807
    3⤵
    PID:1810
- - /bin/kill
    kill -9 1807
    3⤵
    PID:1810
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1808
- /bin/grep
  grep kernelupdates
  2⤵
  PID:1807
- /bin/ps
  ps auxf
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1806
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1818
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1819
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1819
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1819
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1819
- - /sbin/kill
    kill -9
    3⤵
    PID:1819
- - /bin/kill
    kill -9
    3⤵
    PID:1819
- /bin/grep
  grep "\\-c"
  2⤵
  PID:1817
- /bin/grep
  grep -v headless
  2⤵
  PID:1816
- /bin/grep
  grep -v httpPort
  2⤵
  PID:1815
- /bin/grep
  grep jenkins
  2⤵
  PID:1814
- /bin/grep
  grep lib
  2⤵
  PID:1813
- /bin/grep
  grep var
  2⤵
  PID:1812
- /bin/ps
  ps ax
  2⤵
  PID:1811
- /usr/bin/xargs
  xargs pkill -f
  2⤵
  PID:1822
- - /usr/local/sbin/pkill
    pkill -f
    3⤵
    PID:1823
- - /usr/local/bin/pkill
    pkill -f
    3⤵
    PID:1823
- - /usr/sbin/pkill
    pkill -f
    3⤵
    PID:1823
- - /usr/bin/pkill
    pkill -f
    3⤵
    PID:1823
- /bin/grep
  grep -o "./[0-9]* -c"
  2⤵
  PID:1821
- /bin/ps
  ps ax
  2⤵
  PID:1820
- /usr/bin/pkill
  pkill -f /usr/bin/.sshd
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1824
- /usr/bin/pkill
  pkill -f acpid
  2⤵
  - Reads CPU attributes
  PID:1825
- /usr/bin/pkill
  pkill -f Donald
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1826
- /usr/bin/pkill
  pkill -f Macron
  2⤵
  - Reads runtime system information
  PID:1827
- /usr/bin/pkill
  pkill -f AnXqV.yam
  2⤵
  - Reads runtime system information
  PID:1828
- /usr/bin/pkill
  pkill -f apaceha
  2⤵
  - Reads runtime system information
  PID:1829
- /usr/bin/pkill
  pkill -f askdljlqw
  2⤵
  PID:1830
- /usr/bin/pkill
  pkill -f bashe
  2⤵
  - Reads CPU attributes
  PID:1831
- /usr/bin/pkill
  pkill -f bashf
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1832
- /usr/bin/pkill
  pkill -f bashg
  2⤵
  - Reads CPU attributes
  PID:1833
- /usr/bin/pkill
  pkill -f bashh
  2⤵
  - Reads CPU attributes
  PID:1834
- /usr/bin/pkill
  pkill -f bashx
  2⤵
  - Reads runtime system information
  PID:1835
- /usr/bin/pkill
  pkill -f BI5zj
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1836
- /usr/bin/pkill
  pkill -f biosetjenkins
  2⤵
  PID:1837
- /usr/bin/pkill
  pkill -f bonn.sh
  2⤵
  PID:1838
- /usr/bin/pkill
  pkill -f bonns
  2⤵
  - Reads runtime system information
  PID:1839
- /usr/bin/pkill
  pkill -f conn.sh
  2⤵
  PID:1840
- /usr/bin/pkill
  pkill -f conns
  2⤵
  - Reads runtime system information
  PID:1841
- /usr/bin/pkill
  pkill -f cryptonight
  2⤵
  PID:1842
- /usr/bin/pkill
  pkill -f crypto-pool
  2⤵
  - Reads CPU attributes
  PID:1843
- /usr/bin/pkill
  pkill -f ddg.2011
  2⤵
  PID:1844
- /usr/bin/pkill
  pkill -f deamon
  2⤵
  PID:1845
- /usr/bin/pkill
  pkill -f disk_genius
  2⤵
  - Reads CPU attributes
  PID:1846
- /usr/bin/pkill
  pkill -f donns
  2⤵
  PID:1847
- /usr/bin/pkill
  pkill -f Duck.sh
  2⤵
  - Reads CPU attributes
  PID:1848
- /usr/bin/pkill
  pkill -f gddr
  2⤵
  - Reads CPU attributes
  PID:1849
- /usr/bin/pkill
  pkill -f Guard.sh
  2⤵
  PID:1850
- /usr/bin/pkill
  pkill -f i586
  2⤵
  - Reads runtime system information
  PID:1851
- /usr/bin/pkill
  pkill -f icb5o
  2⤵
  PID:1852
- /usr/bin/pkill
  pkill -f ir29xc1
  2⤵
  - Reads CPU attributes
  PID:1853
- /usr/bin/pkill
  pkill -f irqba2anc1
  2⤵
  PID:1854
- /usr/bin/pkill
  pkill -f irqba5xnc1
  2⤵
  PID:1855
- /usr/bin/pkill
  pkill -f irqbalanc1
  2⤵
  - Reads CPU attributes
  PID:1856
- /usr/bin/pkill
  pkill -f irqbalance
  2⤵
  - Reads runtime system information
  PID:1857
- /usr/bin/pkill
  pkill -f irqbnc1
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1858
- /usr/bin/pkill
  pkill -f JnKihGjn
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1859
- /usr/bin/pkill
  pkill -f jweri
  2⤵
  - Reads CPU attributes
  PID:1860
- /usr/bin/pkill
  pkill -f kw.sh
  2⤵
  - Reads runtime system information
  PID:1861
- /usr/bin/pkill
  pkill -f kworker34
  2⤵
  PID:1862
- /usr/bin/pkill
  pkill -f kxjd
  2⤵
  PID:1863
- /usr/bin/pkill
  pkill -f libapache
  2⤵
  PID:1864
- /usr/bin/pkill
  pkill -f Loopback
  2⤵
  - Reads CPU attributes
  PID:1865
- /usr/bin/pkill
  pkill -f lx26
  2⤵
  - Reads runtime system information
  PID:1866
- /usr/bin/pkill
  pkill -f mgwsl
  2⤵
  - Reads CPU attributes
  PID:1867
- /usr/bin/pkill
  pkill -f minerd
  2⤵
  PID:1868
- /usr/bin/pkill
  pkill -f minergate
  2⤵
  - Reads CPU attributes
  PID:1869
- /usr/bin/pkill
  pkill -f minexmr
  2⤵
  PID:1870
- /usr/bin/pkill
  pkill -f mixnerdx
  2⤵
  PID:1871
- /usr/bin/pkill
  pkill -f mstxmr
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1872
- /usr/bin/pkill
  pkill -f nanoWatch
  2⤵
  PID:1873
- /usr/bin/pkill
  pkill -f nopxi
  2⤵
  PID:1874
- /usr/bin/pkill
  pkill -f NXLAi
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1875
- /usr/bin/pkill
  pkill -f performedl
  2⤵
  - Reads CPU attributes
  PID:1876
- /usr/bin/pkill
  pkill -f polkitd
  2⤵
  PID:1877
- /usr/bin/pkill
  pkill -f pro.sh
  2⤵
  - Reads runtime system information
  PID:1878
- /usr/bin/pkill
  pkill -f pythno
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1879
- /usr/bin/pkill
  pkill -f qW3xT.2
  2⤵
  - Reads CPU attributes
  PID:1880
- /usr/bin/pkill
  pkill -f sourplum
  2⤵
  PID:1881
- /usr/bin/pkill
  pkill -f stratum
  2⤵
  PID:1882
- /usr/bin/pkill
  pkill -f sustes
  2⤵
  PID:1883
- /usr/bin/pkill
  pkill -f wnTKYg
  2⤵
  - Reads runtime system information
  PID:1884
- /usr/bin/pkill
  pkill -f XbashY
  2⤵
  - Reads CPU attributes
  PID:1885
- /usr/bin/pkill
  pkill -f XJnRj
  2⤵
  PID:1886
- /usr/bin/pkill
  pkill -f xmrig
  2⤵
  - Reads runtime system information
  PID:1887
- /usr/bin/pkill
  pkill -f xmrigDaemon
  2⤵
  - Reads runtime system information
  PID:1888
- /usr/bin/pkill
  pkill -f xmrigMiner
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1889
- /usr/bin/pkill
  pkill -f ysaydh
  2⤵
  PID:1890
- /usr/bin/pkill
  pkill -f zigw
  2⤵
  PID:1891
- /usr/bin/pkill
  pkill -f ld-linux
  2⤵
  PID:1892
- /usr/bin/pkill
  pkill -f xrx
  2⤵
  - Reads CPU attributes
  PID:1893
- /bin/grep
  grep -v grep
  2⤵
  PID:1896
- /bin/grep
  grep crond
  2⤵
  PID:1895
- /usr/bin/awk
  awk "{print \$1}"
  2⤵
  PID:1897
- /bin/ps
  ps ax
  2⤵
  - Reads CPU attributes
  PID:1894
- /bin/rm
  rm /tmp/crondpid -f
  2⤵
  PID:1898
- /bin/grep
  grep -v grep
  2⤵
  PID:1901
- /bin/grep
  grep sshd
  2⤵
  PID:1900
- /usr/bin/awk
  awk "{print \$1}"
  2⤵
  PID:1902
- /bin/ps
  ps ax
  2⤵
  PID:1899
- /bin/rm
  rm -f /tmp/ssdpid
  2⤵
  PID:1909
- /usr/bin/awk
  awk "{print \$1}"
  2⤵
  PID:1913
- /bin/grep
  grep -v grep
  2⤵
  PID:1912
- /bin/grep
  grep syslogs
  2⤵
  PID:1911
- /bin/ps
  ps ax
  2⤵
  - Reads runtime system information
  PID:1910
- /bin/rm
  rm /tmp/syslogspid -f
  2⤵
  PID:1914
- /usr/bin/awk
  awk "{print \$1,\$5}"
  2⤵
  PID:1917
- /bin/grep
  grep "b 22"
  2⤵
  PID:1916
- /bin/ps
  ps x
  2⤵
  - Reads runtime system information
  PID:1915
- /bin/cat
  cat .procs
  2⤵
  PID:1918
- /usr/bin/chattr
  chattr -iaR /var/tmp/.xrx
  2⤵
  - Attempts to change immutable files
  PID:1929
- /bin/rm
  rm -rf /var/tmp/.xrx
  2⤵
  PID:1930
- /usr/bin/awk
  awk "{print \$1,\$5}"
  2⤵
  PID:1933
- /bin/grep
  grep "d 22"
  2⤵
  PID:1932
- /bin/ps
  ps x
  2⤵
  PID:1931
- /bin/cat
  cat .procs
  2⤵
  PID:1934
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1949
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1950
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1950
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1950
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1950
- - /sbin/kill
    kill -9
    3⤵
    PID:1950
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:1950
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1948
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1947
- /bin/grep
  grep 69.28.55.86:443
  2⤵
  PID:1946
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1955
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1956
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1956
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1956
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1956
- - /sbin/kill
    kill -9
    3⤵
    PID:1956
- - /bin/kill
    kill -9
    3⤵
    PID:1956
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1954
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1953
- /bin/grep
  grep 185.71.65.238
  2⤵
  PID:1952
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1961
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1962
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1962
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1962
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1962
- - /sbin/kill
    kill -9
    3⤵
    PID:1962
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:1962
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1960
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1959
- /bin/grep
  grep 140.82.52.87
  2⤵
  PID:1958
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1967
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1968
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1968
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1968
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1968
- - /sbin/kill
    kill -9
    3⤵
    PID:1968
- - /bin/kill
    kill -9
    3⤵
    PID:1968
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1966
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1965
- /bin/grep
  grep 119.9.76.107
  2⤵
  PID:1964
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1973
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1974
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1974
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1974
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1974
- - /sbin/kill
    kill -9
    3⤵
    PID:1974
- - /bin/kill
    kill -9
    3⤵
    PID:1974
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1972
- /bin/grep
  grep :143
  2⤵
  PID:1970
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1971
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1979
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1980
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1980
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1980
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1980
- - /sbin/kill
    kill -9
    3⤵
    PID:1980
- - /bin/kill
    kill -9
    3⤵
    PID:1980
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1978
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1977
- /bin/grep
  grep :2222
  2⤵
  PID:1976
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1985
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1986
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1986
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1986
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1986
- - /sbin/kill
    kill -9
    3⤵
    PID:1986
- - /bin/kill
    kill -9
    3⤵
    PID:1986
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1984
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1983
- /bin/grep
  grep :3333
  2⤵
  PID:1982
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1991
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1992
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1992
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1992
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1992
- - /sbin/kill
    kill -9
    3⤵
    PID:1992
- - /bin/kill
    kill -9
    3⤵
    PID:1992
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1990
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1989
- /bin/grep
  grep :3389
  2⤵
  PID:1988
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1997
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1998
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1998
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1998
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1998
- - /sbin/kill
    kill -9
    3⤵
    PID:1998
- - /bin/kill
    kill -9
    3⤵
    PID:1998
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1996
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1995
- /bin/grep
  grep :4444
  2⤵
  PID:1994
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:2003
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:2004
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:2004
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:2004
- - /usr/bin/kill
    kill -9
    3⤵
    PID:2004
- - /sbin/kill
    kill -9
    3⤵
    PID:2004
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:2004
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:2002
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:2001
- /bin/grep
  grep :5555
  2⤵
  PID:2000
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:2009
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:2010
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:2010
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:2010
- - /usr/bin/kill
    kill -9
    3⤵
    PID:2010
- - /sbin/kill
    kill -9
    3⤵
    PID:2010
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:2010
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:2008
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:2007
- /bin/grep
  grep :6666
  2⤵
  PID:2006
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:2014
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:2015
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:2016
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:2016
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:2016
- - /usr/bin/kill
    kill -9
    3⤵
    PID:2016
- - /sbin/kill
    kill -9
    3⤵
    PID:2016
- - /bin/kill
    kill -9
    3⤵
    PID:2016
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:2013
- /bin/grep
  grep :6665
  2⤵
  PID:2012
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:2021
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:2022
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:2022
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:2022
- - /usr/bin/kill
    kill -9
    3⤵
    PID:2022
- - /sbin/kill
    kill -9
    3⤵
    PID:2022
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:2022
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:2020
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:2019
- /bin/grep
  grep :6667
  2⤵
  PID:2018
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:2027
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:2028
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:2028
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:2028
- - /usr/bin/kill
    kill -9
    3⤵
    PID:2028
- - /sbin/kill
    kill -9
    3⤵
    PID:2028
- - /bin/kill
    kill -9
    3⤵
    PID:2028
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:2026
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:2025
- /bin/grep
  grep :7777
  2⤵
  PID:2024
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:2033
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:2034
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:2034
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:2034
- - /usr/bin/kill
    kill -9
    3⤵
    PID:2034
- - /sbin/kill
    kill -9
    3⤵
    PID:2034
- - /bin/kill
    kill -9
    3⤵
    PID:2034
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:2032
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:2031
- /bin/grep
  grep :8444
  2⤵
  PID:2030
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:2039
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:2040
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:2040
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:2040
- - /usr/bin/kill
    kill -9
    3⤵
    PID:2040
- - /sbin/kill
    kill -9
    3⤵
    PID:2040
- - /bin/kill
    kill -9
    3⤵
    PID:2040
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:2038
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:2037
- /bin/grep
  grep :3347
  2⤵
  PID:2036
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:2045
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:2046
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:2046
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:2046
- - /usr/bin/kill
    kill -9
    3⤵
    PID:2046
- - /sbin/kill
    kill -9
    3⤵
    PID:2046
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:2046
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:2044
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:2043
- /bin/grep
  grep :14444
  2⤵
  PID:2042
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:2051
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:2052
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:2052
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:2052
- - /usr/bin/kill
    kill -9
    3⤵
    PID:2052
- - /sbin/kill
    kill -9
    3⤵
    PID:2052
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:2052
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:2050
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:2049
- /bin/grep
  grep :14433
  2⤵
  PID:2048
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:2057
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:2058
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:2058
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:2058
- - /usr/bin/kill
    kill -9
    3⤵
    PID:2058
- - /sbin/kill
    kill -9
    3⤵
    PID:2058
- - /bin/kill
    kill -9
    3⤵
    PID:2058
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:2056
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:2055
- /bin/grep
  grep :13531
  2⤵
  PID:2054
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:2063
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:2064
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:2064
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:2064
- - /usr/bin/kill
    kill -9
    3⤵
    PID:2064
- - /sbin/kill
    kill -9
    3⤵
    PID:2064
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:2064
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:2062
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:2061
- /bin/grep
  grep 138.199.40.233:9137
  2⤵
  PID:2060
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:2069
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:2070
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:2070
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:2070
- - /usr/bin/kill
    kill -9
    3⤵
    PID:2070
- - /sbin/kill
    kill -9
    3⤵
    PID:2070
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:2070
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:2068
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:2067
- /bin/grep
  grep 185.150.117.29
  2⤵
  PID:2066

/bin/sed
sed -e "s/\\.[0-9]*//g"
1⤵
PID:1905

/bin/grep
grep -v "%CPU"
1⤵
PID:1908

/bin/ps
ps -p 545 -o "%cpu"
1⤵
PID:1907

/usr/bin/awk
awk "{print \$1;}"
1⤵
PID:1922

/usr/bin/awk
awk "{print \$2;}"
1⤵
PID:1925

/usr/bin/wc
wc -c
1⤵
PID:1928

/usr/bin/awk
awk "{print \$1;}"
1⤵
PID:1938

/usr/bin/awk
awk "{print \$2;}"
1⤵
PID:1941

/usr/bin/wc
wc -c
1⤵
PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/.rsync/a/.procs

Filesize
10B

MD5
ba36a56def77fabed051e103d0ffdb62

SHA1
ac565680ae39ff9426458c76351a71ddafd7c034

SHA256
a2fa6cfdaa286d4334d1161fa34f39bad5ada34324665c766be2b48623a0f26a

SHA512
04b28d255704e04636ab6345892609bf77b86a0b3ed1bee3331cea86812d13187c415eee99eb39abbb5be9a73015e1e7b34ae27e22db931d08ee3912d7994654

Download Submit
/tmp/.rsync/a/.procs

Filesize
10B

MD5
7f84af1803dd4166980f5b4c775e7429

SHA1
78d58e8fd89fc0a4c6e34c98eda65d09f4cb810d

SHA256
4279aba36559c00dc70e711f6b87cffdc9c31e3a93ec20d56cc3c5d73b5325cd

SHA512
d22053d0186f0fb8507946a8900a6aefdfab11923521b3bf85bd548f26816833698a9635696920644ca3fc2b3c10c0f6eb92631d4fd3348795ce5992fd5dd2e2

Download Submit
/tmp/ssdpid

Filesize
4B

MD5
87f04abc798423ddc76b431715d9dc2a

SHA1
a101474887a989eb0c2cea0fd4740ebea8b4321a

SHA256
084aabe2c9d0111b36db3fdfefea38a20346b95c0d569a9f25e293717173597e

SHA512
9cc6d16e0bad65f0453c9d4a0f5fb04b26ca5f1274804890e57616171d5089dce5e2a0dc0249061a923eaa7bca7b838f3360b50086900567f1e7219899be70bd

Download Submit