105e32c8ef13d4d001923c1a43a8849d069fc4adebe48e5e6a9e726eb605ce31

Analysis

max time kernel
156s
platform
debian-9_mips
resource
debian9-mipsbe-20240226-en
resource tags

arch:mipsimage:debian9-mipsbe-20240226-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
07-03-2024 18:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

.rsync/a/init0
Size

9KB
MD5

019e23027bc3849142dd8625451ed5c0
SHA1

982c0318414c3fdf82e3726c4ef4e9021751bbd9
SHA256

0e8472f2005560c6f4db4e5aef39e5d35185b35c67f70a27c8b3dcb242eed25e
SHA512

89fd143e3060669df59feeb599cb5042bf8996983dd9073a53cf1d00d408ec9930e1ce29a1aa3aa1f1157a3a6dee1a0cc32f0791c92f75ed0f74c59f326cdc32
SSDEEP

96:97gXuXeR7P0YQH8h9GVQbxgeJwI222bznGWDKKFZ5W:97xeRb038hAGbxIz9/0

Score

6^/10

Malware Config

Signatures

Attempts to change immutable files 1 IoCs

Modifies inode attributes on the filesystem to allow changing of immutable files.

pid	Process
1144	chattr

Enumerates running processes
Discovers information about currently running processes on the system

Reads CPU attributes 1 TTPs 64 IoCs

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/69/stat	ps
File opened for reading	/proc/114/stat	killall
File opened for reading	/proc/149/cmdline	pkill
File opened for reading	/proc/322/cmdline	pkill
File opened for reading	/proc/24/cmdline	pkill
File opened for reading	/proc/24/stat	ps
File opened for reading	/proc/691/status	pkill
File opened for reading	/proc/79/status	pkill
File opened for reading	/proc/166/cmdline	pkill
File opened for reading	/proc/352/status	pkill
File opened for reading	/proc/467/cmdline	pkill
File opened for reading	/proc/375/status	ps
File opened for reading	/proc/71/cmdline	ps
File opened for reading	/proc/351/stat	ps
File opened for reading	/proc/18/cmdline	pkill
File opened for reading	/proc/71/status	pkill
File opened for reading	/proc/14/cmdline	ps
File opened for reading	/proc/13/cmdline	pkill
File opened for reading	/proc/324/cmdline	pkill
File opened for reading	/proc/916/status	ps
File opened for reading	/proc/115/cmdline	pkill
File opened for reading	/proc/104/cmdline	pkill
File opened for reading	/proc/715/cmdline	pkill
File opened for reading	/proc/1126/stat	ps
File opened for reading	/proc/19/cmdline	pkill
File opened for reading	/proc/filesystems	killall
File opened for reading	/proc/12/cmdline	ps
File opened for reading	/proc/1001/status	ps
File opened for reading	/proc/69/status	pkill
File opened for reading	/proc/697/cmdline	pkill
File opened for reading	/proc/415/status	ps
File opened for reading	/proc/73/status	pkill
File opened for reading	/proc/114/status	pkill
File opened for reading	/proc/78/status	pkill
File opened for reading	/proc/1121/stat	ps
File opened for reading	/proc/460/status	ps
File opened for reading	/proc/8/cmdline	ps
File opened for reading	/proc/104/status	pkill
File opened for reading	/proc/2/status	pkill
File opened for reading	/proc/143/stat	ps
File opened for reading	/proc/467/cmdline	pkill
File opened for reading	/proc/711/cmdline	pkill
File opened for reading	/proc/23/stat	ps
File opened for reading	/proc/21/stat	ps
File opened for reading	/proc/415/stat	killall
File opened for reading	/proc/74/cmdline	pkill
File opened for reading	/proc/19/status	ps
File opened for reading	/proc/324/status	ps
File opened for reading	/proc/74/stat	ps
File opened for reading	/proc/77/cmdline	ps
File opened for reading	/proc/2/status	ps
File opened for reading	/proc/21/status	pkill
File opened for reading	/proc/15/status	pkill
File opened for reading	/proc/2/cmdline	pkill
File opened for reading	/proc/104/stat	killall
File opened for reading	/proc/730/status	ps
File opened for reading	/proc/675/cmdline	ps
File opened for reading	/proc/972/stat	ps
File opened for reading	/proc/149/cmdline	pkill
File opened for reading	/proc/460/cmdline	ps
File opened for reading	/proc/72/status	ps
File opened for reading	/proc/114/status	pkill
File opened for reading	/proc/11/cmdline	pkill
File opened for reading	/proc/19/stat	ps

Writes file to tmp directory 4 IoCs

Malware often drops required files in the /tmp directory.

description	ioc
File opened for modification	/tmp/crondpid
File opened for modification	/tmp/ssdpid
File opened for modification	/tmp/syslogspid
File opened for modification	/tmp/.rsync/a/.procs

/tmp/.rsync/a/init0
/tmp/.rsync/a/init0
1⤵
PID:711
- /bin/rm
  rm /tmp/.cron
  2⤵
  PID:713
- /bin/rm
  rm "/tmp/Donald*"
  2⤵
  PID:716
- /bin/rm
  rm "/tmp/Macron*"
  2⤵
  PID:721
- /bin/rm
  rm /tmp/.main
  2⤵
  PID:722
- /bin/rm
  rm "/tmp/.yam*" -rf
  2⤵
  PID:723
- /bin/rm
  rm -f /tmp/irq
  2⤵
  PID:725
- /bin/rm
  rm -f /tmp/irq.sh
  2⤵
  PID:726
- /bin/rm
  rm -f /tmp/irqbalanc1
  2⤵
  PID:728
- /bin/rm
  rm -rf /boot/grub/deamon
  2⤵
  PID:729
- /bin/rm
  rm -rf /boot/grub/disk_genius
  2⤵
  PID:731
- /bin/rm
  rm -rf "/tmp/*httpd.conf"
  2⤵
  PID:732
- /bin/rm
  rm -rf "/tmp/*httpd.conf*"
  2⤵
  PID:733
- /bin/rm
  rm -rf "/tmp/*index_bak*"
  2⤵
  PID:734
- /bin/rm
  rm -rf "/tmp/.systemd-private-*"
  2⤵
  PID:735
- /bin/rm
  rm -rf "/tmp/.xm*"
  2⤵
  PID:737
- /bin/rm
  rm -rf /tmp/a7b104c270
  2⤵
  PID:738
- /bin/rm
  rm -rf /tmp/conn
  2⤵
  PID:739
- /bin/rm
  rm -rf /tmp/conns
  2⤵
  PID:740
- /bin/rm
  rm -rf /tmp/httpd.conf
  2⤵
  PID:741
- /bin/rm
  rm -rf "/tmp/java*"
  2⤵
  PID:742
- /bin/rm
  rm -rf /tmp/kworkerds /bin/kworkerds /bin/config.json /var/tmp/kworkerds /var/tmp/config.json /usr/local/lib/libjdk.so
  2⤵
  PID:743
- /bin/rm
  rm -rf /tmp/qW3xT.2 /tmp/ddgs.3013 /tmp/ddgs.3012 /tmp/wnTKYg /tmp/2t3ik
  2⤵
  PID:744
- /bin/rm
  rm -rf /tmp/root.sh /tmp/pools.txt /tmp/libapache /tmp/config.json /tmp/bashf /tmp/bashg /tmp/libapache
  2⤵
  PID:746
- /bin/rm
  rm -rf "/tmp/xm*"
  2⤵
  PID:747
- /bin/rm
  rm -rf "/var/tmp/java*"
  2⤵
  PID:748
- /bin/ps
  ps auxw
  2⤵
  - Reads runtime system information
  PID:749
- /usr/bin/awk
  awk /34e2fg/
  2⤵
  PID:750
- /usr/bin/awk
  awk "!/awk/"
  2⤵
  PID:751
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:752
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:753
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:765
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:765
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:765
- - /usr/bin/kill
    kill -9
    3⤵
    PID:765
- - /sbin/kill
    kill -9
    3⤵
    PID:765
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:765
- /usr/bin/killall
  killall -9 chron-34e2fg
  2⤵
  PID:755
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:759
- - /usr/local/sbin/kill
    kill -9 750 757
    3⤵
    PID:766
- - /usr/local/bin/kill
    kill -9 750 757
    3⤵
    PID:766
- - /usr/sbin/kill
    kill -9 750 757
    3⤵
    PID:766
- - /usr/bin/kill
    kill -9 750 757
    3⤵
    PID:766
- - /sbin/kill
    kill -9 750 757
    3⤵
    PID:766
- - /bin/kill
    kill -9 750 757
    3⤵
    - Reads CPU attributes
    PID:766
- /usr/bin/awk
  awk "/34e|r\\/v3|moy5|defunct/"
  2⤵
  PID:757
- /bin/ps
  ps wx
  2⤵
  - Reads CPU attributes
  PID:756
- /usr/bin/awk
  awk "{print \$1}"
  2⤵
  PID:758
- /bin/ps
  ps axf -o "pid %cpu"
  2⤵
  - Reads runtime system information
  PID:761
- /usr/bin/awk
  awk "{if(\$2>=40.0) print \$1}"
  2⤵
  PID:762
- /usr/bin/killall
  killall .Historys
  2⤵
  - Reads runtime system information
  PID:764
- /usr/bin/killall
  killall .sshd
  2⤵
  PID:767
- /usr/bin/killall
  killall neptune
  2⤵
  PID:768
- /usr/bin/killall
  killall xm64
  2⤵
  - Reads runtime system information
  PID:769
- /usr/bin/killall
  killall xm32
  2⤵
  PID:770
- /usr/bin/killall
  killall ld-linux
  2⤵
  PID:771
- /usr/bin/killall
  killall xmrig
  2⤵
  - Reads runtime system information
  PID:772
- /usr/bin/killall
  killall .xmrig
  2⤵
  PID:773
- /usr/bin/killall
  killall suppoieup
  2⤵
  PID:774
- /usr/bin/killall
  killall xrx
  2⤵
  PID:775
- /usr/bin/pkill
  pkill -f sourplum
  2⤵
  - Reads CPU attributes
  PID:776
- /usr/bin/pkill
  pkill wnTKYg
  2⤵
  - Reads runtime system information
  PID:777
- /bin/ps
  ps auxf
  2⤵
  PID:778
- /bin/grep
  grep mine.moneropool.com
  2⤵
  PID:780
- /bin/grep
  grep -v grep
  2⤵
  PID:779
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:782
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:783
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:783
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:783
- - /usr/bin/kill
    kill -9
    3⤵
    PID:783
- - /sbin/kill
    kill -9
    3⤵
    PID:783
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:783
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:781
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:787
- /bin/grep
  grep xmr.crypto-pool.fr:8080
  2⤵
  PID:786
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:788
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:789
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:789
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:789
- - /usr/bin/kill
    kill -9
    3⤵
    PID:789
- - /sbin/kill
    kill -9
    3⤵
    PID:789
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:789
- /bin/grep
  grep -v grep
  2⤵
  PID:785
- /bin/ps
  ps auxf
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:784
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:794
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:795
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:795
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:795
- - /usr/bin/kill
    kill -9
    3⤵
    PID:795
- - /sbin/kill
    kill -9
    3⤵
    PID:795
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:795
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:793
- /bin/grep
  grep xmr.crypto-pool.fr:8080
  2⤵
  PID:792
- /bin/grep
  grep -v grep
  2⤵
  PID:791
- /bin/ps
  ps auxf
  2⤵
  - Reads runtime system information
  PID:790
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:803
- /bin/grep
  grep 119.9.76.107:443
  2⤵
  PID:802
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:804
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:808
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:808
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:808
- - /usr/bin/kill
    kill -9
    3⤵
    PID:808
- - /sbin/kill
    kill -9
    3⤵
    PID:808
- - /bin/kill
    kill -9
    3⤵
    PID:808
- /bin/grep
  grep -v grep
  2⤵
  PID:801
- /bin/ps
  ps auxf
  2⤵
  PID:800
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:816
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:817
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:820
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:820
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:820
- - /usr/bin/kill
    kill -9
    3⤵
    PID:820
- - /sbin/kill
    kill -9
    3⤵
    PID:820
- - /bin/kill
    kill -9
    3⤵
    PID:820
- /bin/grep
  grep -v grep
  2⤵
  PID:814
- /bin/ps
  ps auxf
  2⤵
  - Reads CPU attributes
  PID:813
- /bin/grep
  grep monerohash.com
  2⤵
  PID:815
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:828
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:830
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:832
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:832
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:832
- - /usr/bin/kill
    kill -9
    3⤵
    PID:832
- - /sbin/kill
    kill -9
    3⤵
    PID:832
- - /bin/kill
    kill -9
    3⤵
    PID:832
- /bin/grep
  grep /tmp/a7b104c270
  2⤵
  PID:827
- /bin/ps
  ps auxf
  2⤵
  PID:825
- /bin/grep
  grep -v grep
  2⤵
  PID:826
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:843
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:846
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:846
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:846
- - /usr/bin/kill
    kill -9
    3⤵
    PID:846
- - /sbin/kill
    kill -9
    3⤵
    PID:846
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:846
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:842
- /bin/grep
  grep xmr.crypto-pool.fr:6666
  2⤵
  PID:841
- /bin/grep
  grep -v grep
  2⤵
  PID:840
- /bin/ps
  ps auxf
  2⤵
  PID:839
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:857
- /bin/grep
  grep xmr.crypto-pool.fr:7777
  2⤵
  PID:856
- /bin/ps
  ps auxf
  2⤵
  - Reads runtime system information
  PID:854
- /bin/grep
  grep -v grep
  2⤵
  PID:855
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:858
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:860
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:860
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:860
- - /usr/bin/kill
    kill -9
    3⤵
    PID:860
- - /sbin/kill
    kill -9
    3⤵
    PID:860
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:860
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:872
- /bin/grep
  grep xmr.crypto-pool.fr:443
  2⤵
  PID:871
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:873
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:876
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:876
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:876
- - /usr/bin/kill
    kill -9
    3⤵
    PID:876
- - /sbin/kill
    kill -9
    3⤵
    PID:876
- - /bin/kill
    kill -9
    3⤵
    PID:876
- /bin/grep
  grep -v grep
  2⤵
  PID:870
- /bin/ps
  ps auxf
  2⤵
  PID:869
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:883
- /bin/grep
  grep stratum.f2pool.com:8888
  2⤵
  PID:882
- /bin/grep
  grep -v grep
  2⤵
  PID:881
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:884
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:885
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:885
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:885
- - /usr/bin/kill
    kill -9
    3⤵
    PID:885
- - /sbin/kill
    kill -9
    3⤵
    PID:885
- - /bin/kill
    kill -9
    3⤵
    PID:885
- /bin/ps
  ps auxf
  2⤵
  PID:880
- /bin/grep
  grep xmrpool.eu
  2⤵
  PID:888
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:889
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:890
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:891
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:891
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:891
- - /usr/bin/kill
    kill -9
    3⤵
    PID:891
- - /sbin/kill
    kill -9
    3⤵
    PID:891
- - /bin/kill
    kill -9
    3⤵
    PID:891
- /bin/grep
  grep -v grep
  2⤵
  PID:887
- /bin/ps
  ps auxf
  2⤵
  - Reads runtime system information
  PID:886
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:895
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:896
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:897
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:897
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:897
- - /usr/bin/kill
    kill -9
    3⤵
    PID:897
- - /sbin/kill
    kill -9
    3⤵
    PID:897
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:897
- /bin/grep
  grep xmrig
  2⤵
  PID:894
- /bin/ps
  ps auxf
  2⤵
  - Reads runtime system information
  PID:892
- /bin/grep
  grep -v grep
  2⤵
  PID:893
- /bin/grep
  grep xmrigDaemon
  2⤵
  PID:900
- /bin/grep
  grep -v grep
  2⤵
  PID:899
- /bin/ps
  ps auxf
  2⤵
  - Reads runtime system information
  PID:898
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:901
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:902
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:903
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:903
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:903
- - /usr/bin/kill
    kill -9
    3⤵
    PID:903
- - /sbin/kill
    kill -9
    3⤵
    PID:903
- - /bin/kill
    kill -9
    3⤵
    PID:903
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:907
- /bin/grep
  grep xmrigMiner
  2⤵
  PID:906
- /bin/grep
  grep -v grep
  2⤵
  PID:905
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:908
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:909
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:909
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:909
- - /usr/bin/kill
    kill -9
    3⤵
    PID:909
- - /sbin/kill
    kill -9
    3⤵
    PID:909
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:909
- /bin/ps
  ps auxf
  2⤵
  PID:904
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:917
- /bin/grep
  grep /var/tmp/java
  2⤵
  PID:916
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:918
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:921
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:921
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:921
- - /usr/bin/kill
    kill -9
    3⤵
    PID:921
- - /sbin/kill
    kill -9
    3⤵
    PID:921
- - /bin/kill
    kill -9
    3⤵
    PID:921
- /bin/grep
  grep -v grep
  2⤵
  PID:915
- /bin/ps
  ps auxf
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:914
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:929
- /bin/grep
  grep ddgs
  2⤵
  PID:928
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:930
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:933
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:933
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:933
- - /usr/bin/kill
    kill -9
    3⤵
    PID:933
- - /sbin/kill
    kill -9
    3⤵
    PID:933
- - /bin/kill
    kill -9
    3⤵
    PID:933
- /bin/grep
  grep -v grep
  2⤵
  PID:927
- /bin/ps
  ps auxf
  2⤵
  PID:926
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:941
- /bin/grep
  grep qW3xT
  2⤵
  PID:940
- /bin/grep
  grep -v grep
  2⤵
  PID:939
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:942
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:945
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:945
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:945
- - /usr/bin/kill
    kill -9
    3⤵
    PID:945
- - /sbin/kill
    kill -9
    3⤵
    PID:945
- - /bin/kill
    kill -9
    3⤵
    PID:945
- /bin/ps
  ps auxf
  2⤵
  - Reads CPU attributes
  PID:938
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:954
- /bin/grep
  grep t00ls.ru
  2⤵
  PID:953
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:955
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:957
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:957
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:957
- - /usr/bin/kill
    kill -9
    3⤵
    PID:957
- - /sbin/kill
    kill -9
    3⤵
    PID:957
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:957
- /bin/grep
  grep -v grep
  2⤵
  PID:952
- /bin/ps
  ps auxf
  2⤵
  PID:951
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:966
- /bin/grep
  grep /var/tmp/sustes
  2⤵
  PID:965
- /bin/grep
  grep -v grep
  2⤵
  PID:964
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:967
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:969
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:969
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:969
- - /usr/bin/kill
    kill -9
    3⤵
    PID:969
- - /sbin/kill
    kill -9
    3⤵
    PID:969
- - /bin/kill
    kill -9
    3⤵
    PID:969
- /bin/ps
  ps auxf
  2⤵
  PID:963
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:973
- /bin/grep
  grep ld-linux
  2⤵
  PID:972
- /bin/grep
  grep -v grep
  2⤵
  PID:971
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:974
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:975
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:975
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:975
- - /usr/bin/kill
    kill -9
    3⤵
    PID:975
- - /sbin/kill
    kill -9
    3⤵
    PID:975
- - /bin/kill
    kill -9
    3⤵
    PID:975
- /bin/ps
  ps auxf
  2⤵
  - Reads runtime system information
  PID:970
- /bin/grep
  grep xiaoyao
  2⤵
  PID:977
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:979
- - /usr/local/sbin/kill
    kill -9 977
    3⤵
    PID:980
- - /usr/local/bin/kill
    kill -9 977
    3⤵
    PID:980
- - /usr/sbin/kill
    kill -9 977
    3⤵
    PID:980
- - /usr/bin/kill
    kill -9 977
    3⤵
    PID:980
- - /sbin/kill
    kill -9 977
    3⤵
    PID:980
- - /bin/kill
    kill -9 977
    3⤵
    PID:980
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:978
- /bin/ps
  ps auxf
  2⤵
  PID:976
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:984
- - /usr/local/sbin/kill
    kill -9 982
    3⤵
    PID:985
- - /usr/local/bin/kill
    kill -9 982
    3⤵
    PID:985
- - /usr/sbin/kill
    kill -9 982
    3⤵
    PID:985
- - /usr/bin/kill
    kill -9 982
    3⤵
    PID:985
- - /sbin/kill
    kill -9 982
    3⤵
    PID:985
- - /bin/kill
    kill -9 982
    3⤵
    - Reads CPU attributes
    PID:985
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:983
- /bin/grep
  grep Donald
  2⤵
  PID:982
- /bin/ps
  ps auxf
  2⤵
  - Reads runtime system information
  PID:981
- /bin/ps
  ps auxf
  2⤵
  PID:986
- /bin/grep
  grep Macron
  2⤵
  PID:987
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:988
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:989
- - /usr/local/sbin/kill
    kill -9 987
    3⤵
    PID:990
- - /usr/local/bin/kill
    kill -9 987
    3⤵
    PID:990
- - /usr/sbin/kill
    kill -9 987
    3⤵
    PID:990
- - /usr/bin/kill
    kill -9 987
    3⤵
    PID:990
- - /sbin/kill
    kill -9 987
    3⤵
    PID:990
- - /bin/kill
    kill -9 987
    3⤵
    PID:990
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:994
- - /usr/local/sbin/kill
    kill -9 992
    3⤵
    PID:995
- - /usr/local/bin/kill
    kill -9 992
    3⤵
    PID:995
- - /usr/sbin/kill
    kill -9 992
    3⤵
    PID:995
- - /usr/bin/kill
    kill -9 992
    3⤵
    PID:995
- - /sbin/kill
    kill -9 992
    3⤵
    PID:995
- - /bin/kill
    kill -9 992
    3⤵
    - Reads CPU attributes
    PID:995
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:993
- /bin/grep
  grep ld-linux
  2⤵
  PID:992
- /bin/ps
  ps auxf
  2⤵
  PID:991
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:999
- - /usr/local/sbin/kill
    kill -9 997
    3⤵
    PID:1000
- - /usr/local/bin/kill
    kill -9 997
    3⤵
    PID:1000
- - /usr/sbin/kill
    kill -9 997
    3⤵
    PID:1000
- - /usr/bin/kill
    kill -9 997
    3⤵
    PID:1000
- - /sbin/kill
    kill -9 997
    3⤵
    PID:1000
- - /bin/kill
    kill -9 997
    3⤵
    PID:1000
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:998
- /bin/grep
  grep named
  2⤵
  PID:997
- /bin/ps
  ps auxf
  2⤵
  - Reads CPU attributes
  PID:996
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1003
- /bin/grep
  grep kernelcfg
  2⤵
  PID:1002
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1004
- - /usr/local/sbin/kill
    kill -9 1002
    3⤵
    PID:1005
- - /usr/local/bin/kill
    kill -9 1002
    3⤵
    PID:1005
- - /usr/sbin/kill
    kill -9 1002
    3⤵
    PID:1005
- - /usr/bin/kill
    kill -9 1002
    3⤵
    PID:1005
- - /sbin/kill
    kill -9 1002
    3⤵
    PID:1005
- - /bin/kill
    kill -9 1002
    3⤵
    - Reads CPU attributes
    PID:1005
- /bin/ps
  ps auxf
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1001
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1009
- - /usr/local/sbin/kill
    kill -9 1007
    3⤵
    PID:1010
- - /usr/local/bin/kill
    kill -9 1007
    3⤵
    PID:1010
- - /usr/sbin/kill
    kill -9 1007
    3⤵
    PID:1010
- - /usr/bin/kill
    kill -9 1007
    3⤵
    PID:1010
- - /sbin/kill
    kill -9 1007
    3⤵
    PID:1010
- - /bin/kill
    kill -9 1007
    3⤵
    PID:1010
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1008
- /bin/grep
  grep xiaoxue
  2⤵
  PID:1007
- /bin/ps
  ps auxf
  2⤵
  - Reads CPU attributes
  PID:1006
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1014
- - /usr/local/sbin/kill
    kill -9 1012
    3⤵
    PID:1015
- - /usr/local/bin/kill
    kill -9 1012
    3⤵
    PID:1015
- - /usr/sbin/kill
    kill -9 1012
    3⤵
    PID:1015
- - /usr/bin/kill
    kill -9 1012
    3⤵
    PID:1015
- - /sbin/kill
    kill -9 1012
    3⤵
    PID:1015
- - /bin/kill
    kill -9 1012
    3⤵
    - Reads CPU attributes
    PID:1015
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1013
- /bin/grep
  grep kernelupgrade
  2⤵
  PID:1012
- /bin/ps
  ps auxf
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1011
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1019
- - /usr/local/sbin/kill
    kill -9 1017
    3⤵
    PID:1020
- - /usr/local/bin/kill
    kill -9 1017
    3⤵
    PID:1020
- - /usr/sbin/kill
    kill -9 1017
    3⤵
    PID:1020
- - /usr/bin/kill
    kill -9 1017
    3⤵
    PID:1020
- - /sbin/kill
    kill -9 1017
    3⤵
    PID:1020
- - /bin/kill
    kill -9 1017
    3⤵
    - Reads CPU attributes
    PID:1020
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1018
- /bin/grep
  grep kernelorg
  2⤵
  PID:1017
- /bin/ps
  ps auxf
  2⤵
  - Reads runtime system information
  PID:1016
- /bin/grep
  grep kernelupdates
  2⤵
  PID:1022
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1023
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1024
- - /usr/local/sbin/kill
    kill -9 1022
    3⤵
    PID:1025
- - /usr/local/bin/kill
    kill -9 1022
    3⤵
    PID:1025
- - /usr/sbin/kill
    kill -9 1022
    3⤵
    PID:1025
- - /usr/bin/kill
    kill -9 1022
    3⤵
    PID:1025
- - /sbin/kill
    kill -9 1022
    3⤵
    PID:1025
- - /bin/kill
    kill -9 1022
    3⤵
    PID:1025
- /bin/ps
  ps auxf
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1021
- /bin/grep
  grep lib
  2⤵
  PID:1028
- /bin/grep
  grep var
  2⤵
  PID:1027
- /bin/grep
  grep jenkins
  2⤵
  PID:1029
- /bin/grep
  grep -v headless
  2⤵
  PID:1031
- /bin/grep
  grep "\\-c"
  2⤵
  PID:1032
- /bin/ps
  ps ax
  2⤵
  - Reads runtime system information
  PID:1026
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1033
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1034
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1034
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1034
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1034
- - /sbin/kill
    kill -9
    3⤵
    PID:1034
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:1034
- /bin/grep
  grep -v httpPort
  2⤵
  PID:1030
- /usr/bin/xargs
  xargs pkill -f
  2⤵
  PID:1037
- - /usr/local/sbin/pkill
    pkill -f
    3⤵
    PID:1038
- - /usr/local/bin/pkill
    pkill -f
    3⤵
    PID:1038
- - /usr/sbin/pkill
    pkill -f
    3⤵
    PID:1038
- - /usr/bin/pkill
    pkill -f
    3⤵
    - Reads CPU attributes
    PID:1038
- /bin/grep
  grep -o "./[0-9]* -c"
  2⤵
  PID:1036
- /bin/ps
  ps ax
  2⤵
  - Reads CPU attributes
  PID:1035
- /usr/bin/pkill
  pkill -f /usr/bin/.sshd
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1039
- /usr/bin/pkill
  pkill -f acpid
  2⤵
  - Reads runtime system information
  PID:1040
- /usr/bin/pkill
  pkill -f Donald
  2⤵
  PID:1041
- /usr/bin/pkill
  pkill -f Macron
  2⤵
  PID:1042
- /usr/bin/pkill
  pkill -f AnXqV.yam
  2⤵
  - Reads runtime system information
  PID:1043
- /usr/bin/pkill
  pkill -f apaceha
  2⤵
  PID:1044
- /usr/bin/pkill
  pkill -f askdljlqw
  2⤵
  PID:1045
- /usr/bin/pkill
  pkill -f bashe
  2⤵
  - Reads runtime system information
  PID:1046
- /usr/bin/pkill
  pkill -f bashf
  2⤵
  PID:1047
- /usr/bin/pkill
  pkill -f bashg
  2⤵
  - Reads CPU attributes
  PID:1048
- /usr/bin/pkill
  pkill -f bashh
  2⤵
  - Reads CPU attributes
  PID:1049
- /usr/bin/pkill
  pkill -f bashx
  2⤵
  PID:1050
- /usr/bin/pkill
  pkill -f BI5zj
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1051
- /usr/bin/pkill
  pkill -f biosetjenkins
  2⤵
  - Reads CPU attributes
  PID:1052
- /usr/bin/pkill
  pkill -f bonn.sh
  2⤵
  - Reads runtime system information
  PID:1053
- /usr/bin/pkill
  pkill -f bonns
  2⤵
  PID:1054
- /usr/bin/pkill
  pkill -f conn.sh
  2⤵
  - Reads CPU attributes
  PID:1055
- /usr/bin/pkill
  pkill -f conns
  2⤵
  - Reads runtime system information
  PID:1056
- /usr/bin/pkill
  pkill -f cryptonight
  2⤵
  - Reads CPU attributes
  PID:1057
- /usr/bin/pkill
  pkill -f crypto-pool
  2⤵
  - Reads runtime system information
  PID:1058
- /usr/bin/pkill
  pkill -f ddg.2011
  2⤵
  - Reads runtime system information
  PID:1059
- /usr/bin/pkill
  pkill -f deamon
  2⤵
  - Reads CPU attributes
  PID:1060
- /usr/bin/pkill
  pkill -f disk_genius
  2⤵
  - Reads CPU attributes
  PID:1061
- /usr/bin/pkill
  pkill -f donns
  2⤵
  - Reads CPU attributes
  PID:1062
- /usr/bin/pkill
  pkill -f Duck.sh
  2⤵
  PID:1063
- /usr/bin/pkill
  pkill -f gddr
  2⤵
  - Reads runtime system information
  PID:1064
- /usr/bin/pkill
  pkill -f Guard.sh
  2⤵
  - Reads runtime system information
  PID:1065
- /usr/bin/pkill
  pkill -f i586
  2⤵
  PID:1066
- /usr/bin/pkill
  pkill -f icb5o
  2⤵
  PID:1067
- /usr/bin/pkill
  pkill -f ir29xc1
  2⤵
  PID:1068
- /usr/bin/pkill
  pkill -f irqba2anc1
  2⤵
  - Reads runtime system information
  PID:1069
- /usr/bin/pkill
  pkill -f irqba5xnc1
  2⤵
  - Reads runtime system information
  PID:1070
- /usr/bin/pkill
  pkill -f irqbalanc1
  2⤵
  PID:1071
- /usr/bin/pkill
  pkill -f irqbalance
  2⤵
  PID:1072
- /usr/bin/pkill
  pkill -f irqbnc1
  2⤵
  PID:1073
- /usr/bin/pkill
  pkill -f JnKihGjn
  2⤵
  PID:1074
- /usr/bin/pkill
  pkill -f jweri
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1075
- /usr/bin/pkill
  pkill -f kw.sh
  2⤵
  - Reads runtime system information
  PID:1076
- /usr/bin/pkill
  pkill -f kworker34
  2⤵
  - Reads CPU attributes
  PID:1077
- /usr/bin/pkill
  pkill -f kxjd
  2⤵
  PID:1078
- /usr/bin/pkill
  pkill -f libapache
  2⤵
  - Reads CPU attributes
  PID:1079
- /usr/bin/pkill
  pkill -f Loopback
  2⤵
  - Reads CPU attributes
  PID:1080
- /usr/bin/pkill
  pkill -f lx26
  2⤵
  PID:1081
- /usr/bin/pkill
  pkill -f mgwsl
  2⤵
  - Reads CPU attributes
  PID:1082
- /usr/bin/pkill
  pkill -f minerd
  2⤵
  - Reads CPU attributes
  PID:1083
- /usr/bin/pkill
  pkill -f minergate
  2⤵
  - Reads CPU attributes
  PID:1084
- /usr/bin/pkill
  pkill -f minexmr
  2⤵
  - Reads runtime system information
  PID:1085
- /usr/bin/pkill
  pkill -f mixnerdx
  2⤵
  - Reads CPU attributes
  PID:1086
- /usr/bin/pkill
  pkill -f mstxmr
  2⤵
  PID:1087
- /usr/bin/pkill
  pkill -f nanoWatch
  2⤵
  PID:1088
- /usr/bin/pkill
  pkill -f nopxi
  2⤵
  PID:1089
- /usr/bin/pkill
  pkill -f NXLAi
  2⤵
  PID:1090
- /usr/bin/pkill
  pkill -f performedl
  2⤵
  PID:1091
- /usr/bin/pkill
  pkill -f polkitd
  2⤵
  - Reads CPU attributes
  PID:1092
- /usr/bin/pkill
  pkill -f pro.sh
  2⤵
  - Reads runtime system information
  PID:1093
- /usr/bin/pkill
  pkill -f pythno
  2⤵
  - Reads runtime system information
  PID:1094
- /usr/bin/pkill
  pkill -f qW3xT.2
  2⤵
  - Reads CPU attributes
  PID:1095
- /usr/bin/pkill
  pkill -f sourplum
  2⤵
  - Reads runtime system information
  PID:1096
- /usr/bin/pkill
  pkill -f stratum
  2⤵
  - Reads runtime system information
  PID:1097
- /usr/bin/pkill
  pkill -f sustes
  2⤵
  PID:1098
- /usr/bin/pkill
  pkill -f wnTKYg
  2⤵
  PID:1099
- /usr/bin/pkill
  pkill -f XbashY
  2⤵
  PID:1100
- /usr/bin/pkill
  pkill -f XJnRj
  2⤵
  PID:1101
- /usr/bin/pkill
  pkill -f xmrig
  2⤵
  - Reads runtime system information
  PID:1102
- /usr/bin/pkill
  pkill -f xmrigDaemon
  2⤵
  - Reads runtime system information
  PID:1103
- /usr/bin/pkill
  pkill -f xmrigMiner
  2⤵
  PID:1104
- /usr/bin/pkill
  pkill -f ysaydh
  2⤵
  - Reads runtime system information
  PID:1105
- /usr/bin/pkill
  pkill -f zigw
  2⤵
  PID:1106
- /usr/bin/pkill
  pkill -f ld-linux
  2⤵
  - Reads runtime system information
  PID:1107
- /usr/bin/pkill
  pkill -f xrx
  2⤵
  - Reads CPU attributes
  PID:1108
- /bin/grep
  grep -v grep
  2⤵
  PID:1111
- /bin/grep
  grep crond
  2⤵
  PID:1110
- /bin/ps
  ps ax
  2⤵
  PID:1109
- /usr/bin/awk
  awk "{print \$1}"
  2⤵
  PID:1112
- /bin/rm
  rm /tmp/crondpid -f
  2⤵
  PID:1113
- /bin/grep
  grep -v grep
  2⤵
  PID:1116
- /bin/grep
  grep sshd
  2⤵
  PID:1115
- /bin/ps
  ps ax
  2⤵
  - Reads CPU attributes
  PID:1114
- /usr/bin/awk
  awk "{print \$1}"
  2⤵
  PID:1117
- /bin/rm
  rm -f /tmp/ssdpid
  2⤵
  PID:1124
- /bin/grep
  grep -v grep
  2⤵
  PID:1127
- /bin/grep
  grep syslogs
  2⤵
  PID:1126
- /bin/ps
  ps ax
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1125
- /usr/bin/awk
  awk "{print \$1}"
  2⤵
  PID:1128
- /bin/rm
  rm /tmp/syslogspid -f
  2⤵
  PID:1129
- /bin/grep
  grep "b 22"
  2⤵
  PID:1131
- /bin/ps
  ps x
  2⤵
  - Reads runtime system information
  PID:1130
- /usr/bin/awk
  awk "{print \$1,\$5}"
  2⤵
  PID:1132
- /bin/cat
  cat .procs
  2⤵
  PID:1133
- /usr/bin/chattr
  chattr -iaR /var/tmp/.xrx
  2⤵
  - Attempts to change immutable files
  PID:1144
- /bin/rm
  rm -rf /var/tmp/.xrx
  2⤵
  PID:1145
- /bin/grep
  grep "d 22"
  2⤵
  PID:1147
- /bin/ps
  ps x
  2⤵
  - Reads CPU attributes
  PID:1146
- /usr/bin/awk
  awk "{print \$1,\$5}"
  2⤵
  PID:1148
- /bin/cat
  cat .procs
  2⤵
  PID:1149
- /bin/grep
  grep 69.28.55.86:443
  2⤵
  PID:1161
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1162
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1163
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1164
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1165
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1165
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1165
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1165
- - /sbin/kill
    kill -9
    3⤵
    PID:1165
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:1165
- /bin/grep
  grep 185.71.65.238
  2⤵
  PID:1167
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1168
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1169
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1170
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1171
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1171
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1171
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1171
- - /sbin/kill
    kill -9
    3⤵
    PID:1171
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:1171
- /bin/grep
  grep 140.82.52.87
  2⤵
  PID:1173
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1174
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1175
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1176
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1177
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1177
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1177
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1177
- - /sbin/kill
    kill -9
    3⤵
    PID:1177
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:1177
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1180
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1181
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1182
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1183
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1183
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1183
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1183
- - /sbin/kill
    kill -9
    3⤵
    PID:1183
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:1183
- /bin/grep
  grep 119.9.76.107
  2⤵
  PID:1179
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1187
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1188
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1189
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1189
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1189
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1189
- - /sbin/kill
    kill -9
    3⤵
    PID:1189
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:1189
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1186
- /bin/grep
  grep :143
  2⤵
  PID:1185
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1193
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1192
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1194
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1195
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1195
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1195
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1195
- - /sbin/kill
    kill -9
    3⤵
    PID:1195
- - /bin/kill
    kill -9
    3⤵
    PID:1195
- /bin/grep
  grep :2222
  2⤵
  PID:1191
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1199
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1200
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1201
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1201
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1201
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1201
- - /sbin/kill
    kill -9
    3⤵
    PID:1201
- - /bin/kill
    kill -9
    3⤵
    PID:1201
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1198
- /bin/grep
  grep :3333
  2⤵
  PID:1197
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1204
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1205
- /bin/grep
  grep :3389
  2⤵
  PID:1203
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1206
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1207
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1207
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1207
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1207
- - /sbin/kill
    kill -9
    3⤵
    PID:1207
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:1207
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1211
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1210
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1212
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1213
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1213
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1213
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1213
- - /sbin/kill
    kill -9
    3⤵
    PID:1213
- - /bin/kill
    kill -9
    3⤵
    PID:1213
- /bin/grep
  grep :4444
  2⤵
  PID:1209
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1217
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1218
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1219
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1219
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1219
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1219
- - /sbin/kill
    kill -9
    3⤵
    PID:1219
- - /bin/kill
    kill -9
    3⤵
    PID:1219
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1216
- /bin/grep
  grep :5555
  2⤵
  PID:1215
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1224
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1225
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1225
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1225
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1225
- - /sbin/kill
    kill -9
    3⤵
    PID:1225
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:1225
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1222
- /bin/grep
  grep :6666
  2⤵
  PID:1221
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1223
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1230
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1231
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1231
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1231
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1231
- - /sbin/kill
    kill -9
    3⤵
    PID:1231
- - /bin/kill
    kill -9
    3⤵
    PID:1231
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1229
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1228
- /bin/grep
  grep :6665
  2⤵
  PID:1227
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1234
- /bin/grep
  grep :6667
  2⤵
  PID:1233
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1235
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1236
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1237
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1237
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1237
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1237
- - /sbin/kill
    kill -9
    3⤵
    PID:1237
- - /bin/kill
    kill -9
    3⤵
    PID:1237
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1240
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1241
- /bin/grep
  grep :7777
  2⤵
  PID:1239
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1242
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1243
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1243
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1243
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1243
- - /sbin/kill
    kill -9
    3⤵
    PID:1243
- - /bin/kill
    kill -9
    3⤵
    PID:1243
- /bin/grep
  grep :8444
  2⤵
  PID:1246
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1247
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1248
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1249
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1250
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1250
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1250
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1250
- - /sbin/kill
    kill -9
    3⤵
    PID:1250
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:1250
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1254
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1253
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1255
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1256
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1256
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1256
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1256
- - /sbin/kill
    kill -9
    3⤵
    PID:1256
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:1256
- /bin/grep
  grep :3347
  2⤵
  PID:1252
- /bin/grep
  grep :14444
  2⤵
  PID:1258
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1259
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1261
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1262
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1262
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1262
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1262
- - /sbin/kill
    kill -9
    3⤵
    PID:1262
- - /bin/kill
    kill -9
    3⤵
    PID:1262
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1260
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1266
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1265
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1267
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1268
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1268
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1268
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1268
- - /sbin/kill
    kill -9
    3⤵
    PID:1268
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:1268
- /bin/grep
  grep :14433
  2⤵
  PID:1264
- /bin/grep
  grep :13531
  2⤵
  PID:1270
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1271
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1273
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1274
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1274
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1274
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1274
- - /sbin/kill
    kill -9
    3⤵
    PID:1274
- - /bin/kill
    kill -9
    3⤵
    PID:1274
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1272
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1277
- /bin/grep
  grep 138.199.40.233:9137
  2⤵
  PID:1276
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1278
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1279
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1280
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1280
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1280
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1280
- - /sbin/kill
    kill -9
    3⤵
    PID:1280
- - /bin/kill
    kill -9
    3⤵
    PID:1280
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1284
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1283
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1285
- /bin/grep
  grep 185.150.117.29
  2⤵
  PID:1282

/bin/sed
sed -e "s/\\.[0-9]*//g"
1⤵
PID:1120

/bin/ps
ps -p 415 -o "%cpu"
1⤵
- Reads CPU attributes
- Reads runtime system information
PID:1122

/bin/grep
grep -v "%CPU"
1⤵
PID:1123

/usr/bin/awk
awk "{print \$1;}"
1⤵
PID:1137

/usr/bin/awk
awk "{print \$2;}"
1⤵
PID:1140

/usr/bin/wc
wc -c
1⤵
PID:1143

/usr/bin/awk
awk "{print \$1;}"
1⤵
PID:1153

/usr/bin/awk
awk "{print \$2;}"
1⤵
PID:1156

/usr/bin/wc
wc -c
1⤵
PID:1159

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/.rsync/a/.procs

Filesize
10B

MD5
2585e5debc9fb98847894c1c6ce9bfdf

SHA1
427214745d51af952a08a1e541601659f9803b96

SHA256
8aea6a52a718944f238042518c2f5bd5ae45241f5cab037c9a6012d4c8b38fea

SHA512
90315cb086c6da90d53f91a2eda645accd7b9adfa0b9e9cb03238d93fadfbe80b7785ee03d580d7b10a049da1cbf3154ecda9fc4ba6f15946e630d30dc27db31

Download Submit
/tmp/.rsync/a/.procs

Filesize
10B

MD5
9f7a25b639056ce98245e97f8bf256af

SHA1
85649d7505afb767a9eaca6e84b80f5bbc81102c

SHA256
ab85652197d3bd987bb613cdc9f9a2ad15389398066a35df2673c8227e4ac7af

SHA512
62e7f222b9715c8432e7d43019c0a03642329cf1d4b8922b13f559e54d5297ecd781519b39f8cbd198537507e6334afc51c3e475cce6992ae030029164f6e0c9

Download Submit
/tmp/ssdpid

Filesize
4B

MD5
305254fc3b849150b5ca037af1f31ba4

SHA1
b92060c205c28b7d324d83fa84d6803038a962fa

SHA256
33a20615fad40d50d1eb22458ff1f0f33a7ed5dc5624c07449cef45a72e6c610

SHA512
4fd10f2927234fc962a9710c33d4ddf40ef4bc9e1aba2ba54964589fb2f59c0b5c0c577e8f41edf2c1066aae762f7db2211a4f34a77c2aff42600daddd40cea6

Download Submit