105e32c8ef13d4d001923c1a43a8849d069fc4adebe48e5e6a9e726eb605ce31

Analysis

max time kernel
150s
platform
debian-9_mipsel
resource
debian9-mipsel-20240226-en
resource tags

arch:mipselimage:debian9-mipsel-20240226-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
07/03/2024, 18:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

.rsync/a/init0
Size

9KB
MD5

019e23027bc3849142dd8625451ed5c0
SHA1

982c0318414c3fdf82e3726c4ef4e9021751bbd9
SHA256

0e8472f2005560c6f4db4e5aef39e5d35185b35c67f70a27c8b3dcb242eed25e
SHA512

89fd143e3060669df59feeb599cb5042bf8996983dd9073a53cf1d00d408ec9930e1ce29a1aa3aa1f1157a3a6dee1a0cc32f0791c92f75ed0f74c59f326cdc32
SSDEEP

96:97gXuXeR7P0YQH8h9GVQbxgeJwI222bznGWDKKFZ5W:97xeRb038hAGbxIz9/0

Score

6^/10

Malware Config

Signatures

Attempts to change immutable files 1 IoCs

Modifies inode attributes on the filesystem to allow changing of immutable files.

pid	Process
1154	chattr

Enumerates running processes
Discovers information about currently running processes on the system

Reads CPU attributes 1 TTPs 64 IoCs

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/531/status	ps
File opened for reading	/proc/741/stat	killall
File opened for reading	/proc/531/status	pkill
File opened for reading	/proc/721/cmdline	pkill
File opened for reading	/proc/1056/status	pkill
File opened for reading	/proc/7/cmdline	pkill
File opened for reading	/proc/22/cmdline	pkill
File opened for reading	/proc/37/status	ps
File opened for reading	/proc/83/stat	ps
File opened for reading	/proc/980/stat	ps
File opened for reading	/proc/21/cmdline	pkill
File opened for reading	/proc/344/status	ps
File opened for reading	/proc/796/stat	ps
File opened for reading	/proc/74/cmdline	pkill
File opened for reading	/proc/20/cmdline	ps
File opened for reading	/proc/13/stat	ps
File opened for reading	/proc/9/cmdline	pkill
File opened for reading	/proc/115/cmdline	pkill
File opened for reading	/proc/724/cmdline	pkill
File opened for reading	/proc/15/cmdline	pkill
File opened for reading	/proc/684/cmdline	pkill
File opened for reading	/proc/115/status	pkill
File opened for reading	/proc/self/fd	xargs
File opened for reading	/proc/22/status	pkill
File opened for reading	/proc/703/cmdline	ps
File opened for reading	/proc/317/cmdline	ps
File opened for reading	/proc/filesystems	kill
File opened for reading	/proc/filesystems	pkill
File opened for reading	/proc/15/cmdline	pkill
File opened for reading	/proc/499/status	pkill
File opened for reading	/proc/4/stat	ps
File opened for reading	/proc/filesystems	pkill
File opened for reading	/proc/6/cmdline	pkill
File opened for reading	/proc/18/cmdline	pkill
File opened for reading	/proc/408/stat	killall
File opened for reading	/proc/19/status	ps
File opened for reading	/proc/83/stat	ps
File opened for reading	/proc/344/cmdline	pkill
File opened for reading	/proc/530/status	pkill
File opened for reading	/proc/70/status	pkill
File opened for reading	/proc/13/stat	ps
File opened for reading	/proc/8/status	ps
File opened for reading	/proc/21/status	pkill
File opened for reading	/proc/76/cmdline	ps
File opened for reading	/proc/75/cmdline	ps
File opened for reading	/proc/485/cmdline	ps
File opened for reading	/proc/9/status	pkill
File opened for reading	/proc/16/status	pkill
File opened for reading	/proc/152/status	pkill
File opened for reading	/proc/78/cmdline	pkill
File opened for reading	/proc/22/cmdline	ps
File opened for reading	/proc/317/cmdline	ps
File opened for reading	/proc/887/stat	ps
File opened for reading	/proc/1033/cmdline	ps
File opened for reading	/proc/8/status	pkill
File opened for reading	/proc/18/cmdline	ps
File opened for reading	/proc/1/stat	ps
File opened for reading	/proc/116/stat	ps
File opened for reading	/proc/115/status	pkill
File opened for reading	/proc/7/cmdline	pkill
File opened for reading	/proc/73/status	pkill
File opened for reading	/proc/224/status	ps
File opened for reading	/proc/20/cmdline	pkill
File opened for reading	/proc/311/stat	killall

Writes file to tmp directory 4 IoCs

Malware often drops required files in the /tmp directory.

description	ioc
File opened for modification	/tmp/crondpid
File opened for modification	/tmp/ssdpid
File opened for modification	/tmp/syslogspid
File opened for modification	/tmp/.rsync/a/.procs

/tmp/.rsync/a/init0
/tmp/.rsync/a/init0
1⤵
PID:721
- /bin/rm
  rm /tmp/.cron
  2⤵
  PID:723
- /bin/rm
  rm "/tmp/Donald*"
  2⤵
  PID:728
- /bin/rm
  rm "/tmp/Macron*"
  2⤵
  PID:730
- /bin/rm
  rm /tmp/.main
  2⤵
  PID:732
- /bin/rm
  rm "/tmp/.yam*" -rf
  2⤵
  PID:733
- /bin/rm
  rm -f /tmp/irq
  2⤵
  PID:734
- /bin/rm
  rm -f /tmp/irq.sh
  2⤵
  PID:735
- /bin/rm
  rm -f /tmp/irqbalanc1
  2⤵
  PID:737
- /bin/rm
  rm -rf /boot/grub/deamon
  2⤵
  PID:738
- /bin/rm
  rm -rf /boot/grub/disk_genius
  2⤵
  PID:740
- /bin/rm
  rm -rf "/tmp/*httpd.conf"
  2⤵
  PID:742
- /bin/rm
  rm -rf "/tmp/*httpd.conf*"
  2⤵
  PID:743
- /bin/rm
  rm -rf "/tmp/*index_bak*"
  2⤵
  PID:744
- /bin/rm
  rm -rf "/tmp/.systemd-private-*"
  2⤵
  PID:745
- /bin/rm
  rm -rf "/tmp/.xm*"
  2⤵
  PID:746
- /bin/rm
  rm -rf /tmp/a7b104c270
  2⤵
  PID:748
- /bin/rm
  rm -rf /tmp/conn
  2⤵
  PID:749
- /bin/rm
  rm -rf /tmp/conns
  2⤵
  PID:750
- /bin/rm
  rm -rf /tmp/httpd.conf
  2⤵
  PID:751
- /bin/rm
  rm -rf "/tmp/java*"
  2⤵
  PID:752
- /bin/rm
  rm -rf /tmp/kworkerds /bin/kworkerds /bin/config.json /var/tmp/kworkerds /var/tmp/config.json /usr/local/lib/libjdk.so
  2⤵
  PID:753
- /bin/rm
  rm -rf /tmp/qW3xT.2 /tmp/ddgs.3013 /tmp/ddgs.3012 /tmp/wnTKYg /tmp/2t3ik
  2⤵
  PID:754
- /bin/rm
  rm -rf /tmp/root.sh /tmp/pools.txt /tmp/libapache /tmp/config.json /tmp/bashf /tmp/bashg /tmp/libapache
  2⤵
  PID:755
- /bin/rm
  rm -rf "/tmp/xm*"
  2⤵
  PID:757
- /bin/rm
  rm -rf "/var/tmp/java*"
  2⤵
  PID:758
- /bin/ps
  ps auxw
  2⤵
  PID:759
- /usr/bin/awk
  awk /34e2fg/
  2⤵
  PID:760
- /usr/bin/awk
  awk "!/awk/"
  2⤵
  PID:761
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:763
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:774
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:774
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:774
- - /usr/bin/kill
    kill -9
    3⤵
    PID:774
- - /sbin/kill
    kill -9
    3⤵
    PID:774
- - /bin/kill
    kill -9
    3⤵
    PID:774
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:762
- /usr/bin/killall
  killall -9 chron-34e2fg
  2⤵
  PID:765
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:769
- - /usr/local/sbin/kill
    kill -9 767
    3⤵
    PID:776
- - /usr/local/bin/kill
    kill -9 767
    3⤵
    PID:776
- - /usr/sbin/kill
    kill -9 767
    3⤵
    PID:776
- - /usr/bin/kill
    kill -9 767
    3⤵
    PID:776
- - /sbin/kill
    kill -9 767
    3⤵
    PID:776
- - /bin/kill
    kill -9 767
    3⤵
    PID:776
- /usr/bin/awk
  awk "/34e|r\\/v3|moy5|defunct/"
  2⤵
  PID:767
- /usr/bin/awk
  awk "{print \$1}"
  2⤵
  PID:768
- /bin/ps
  ps wx
  2⤵
  - Reads runtime system information
  PID:766
- /bin/ps
  ps axf -o "pid %cpu"
  2⤵
  PID:771
- /usr/bin/awk
  awk "{if(\$2>=40.0) print \$1}"
  2⤵
  PID:772
- /usr/bin/killall
  killall .Historys
  2⤵
  PID:775
- /usr/bin/killall
  killall .sshd
  2⤵
  - Reads runtime system information
  PID:777
- /usr/bin/killall
  killall neptune
  2⤵
  PID:778
- /usr/bin/killall
  killall xm64
  2⤵
  PID:779
- /usr/bin/killall
  killall xm32
  2⤵
  PID:780
- /usr/bin/killall
  killall ld-linux
  2⤵
  - Reads runtime system information
  PID:781
- /usr/bin/killall
  killall xmrig
  2⤵
  PID:782
- /usr/bin/killall
  killall .xmrig
  2⤵
  PID:783
- /usr/bin/killall
  killall suppoieup
  2⤵
  - Reads runtime system information
  PID:784
- /usr/bin/killall
  killall xrx
  2⤵
  PID:785
- /usr/bin/pkill
  pkill -f sourplum
  2⤵
  - Reads runtime system information
  PID:786
- /usr/bin/pkill
  pkill wnTKYg
  2⤵
  PID:787
- /bin/grep
  grep mine.moneropool.com
  2⤵
  PID:790
- /bin/grep
  grep -v grep
  2⤵
  PID:789
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:791
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:792
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:793
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:793
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:793
- - /usr/bin/kill
    kill -9
    3⤵
    PID:793
- - /sbin/kill
    kill -9
    3⤵
    PID:793
- - /bin/kill
    kill -9
    3⤵
    PID:793
- /bin/ps
  ps auxf
  2⤵
  PID:788
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:797
- /bin/grep
  grep xmr.crypto-pool.fr:8080
  2⤵
  PID:796
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:798
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:799
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:799
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:799
- - /usr/bin/kill
    kill -9
    3⤵
    PID:799
- - /sbin/kill
    kill -9
    3⤵
    PID:799
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:799
- /bin/grep
  grep -v grep
  2⤵
  PID:795
- /bin/ps
  ps auxf
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:794
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:803
- /bin/grep
  grep xmr.crypto-pool.fr:8080
  2⤵
  PID:802
- /bin/grep
  grep -v grep
  2⤵
  PID:801
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:804
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:805
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:805
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:805
- - /usr/bin/kill
    kill -9
    3⤵
    PID:805
- - /sbin/kill
    kill -9
    3⤵
    PID:805
- - /bin/kill
    kill -9
    3⤵
    PID:805
- /bin/ps
  ps auxf
  2⤵
  PID:800
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:812
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:815
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:815
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:815
- - /usr/bin/kill
    kill -9
    3⤵
    PID:815
- - /sbin/kill
    kill -9
    3⤵
    PID:815
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:815
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:811
- /bin/grep
  grep 119.9.76.107:443
  2⤵
  PID:810
- /bin/grep
  grep -v grep
  2⤵
  PID:809
- /bin/ps
  ps auxf
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:808
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:826
- /bin/grep
  grep monerohash.com
  2⤵
  PID:825
- /bin/grep
  grep -v grep
  2⤵
  PID:824
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:827
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:830
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:830
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:830
- - /usr/bin/kill
    kill -9
    3⤵
    PID:830
- - /sbin/kill
    kill -9
    3⤵
    PID:830
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:830
- /bin/ps
  ps auxf
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:823
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:839
- /bin/grep
  grep /tmp/a7b104c270
  2⤵
  PID:838
- /bin/grep
  grep -v grep
  2⤵
  PID:837
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:840
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:842
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:842
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:842
- - /usr/bin/kill
    kill -9
    3⤵
    PID:842
- - /sbin/kill
    kill -9
    3⤵
    PID:842
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:842
- /bin/ps
  ps auxf
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:836
- /bin/grep
  grep xmr.crypto-pool.fr:6666
  2⤵
  PID:851
- /bin/grep
  grep -v grep
  2⤵
  PID:850
- /bin/ps
  ps auxf
  2⤵
  - Reads runtime system information
  PID:849
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:852
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:853
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:854
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:854
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:854
- - /usr/bin/kill
    kill -9
    3⤵
    PID:854
- - /sbin/kill
    kill -9
    3⤵
    PID:854
- - /bin/kill
    kill -9
    3⤵
    PID:854
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:864
- /bin/grep
  grep xmr.crypto-pool.fr:7777
  2⤵
  PID:863
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:865
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:869
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:869
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:869
- - /usr/bin/kill
    kill -9
    3⤵
    PID:869
- - /sbin/kill
    kill -9
    3⤵
    PID:869
- - /bin/kill
    kill -9
    3⤵
    PID:869
- /bin/grep
  grep -v grep
  2⤵
  PID:862
- /bin/ps
  ps auxf
  2⤵
  - Reads runtime system information
  PID:861
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:880
- /bin/grep
  grep xmr.crypto-pool.fr:443
  2⤵
  PID:879
- /bin/grep
  grep -v grep
  2⤵
  PID:878
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:882
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:884
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:884
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:884
- - /usr/bin/kill
    kill -9
    3⤵
    PID:884
- - /sbin/kill
    kill -9
    3⤵
    PID:884
- - /bin/kill
    kill -9
    3⤵
    PID:884
- /bin/ps
  ps auxf
  2⤵
  - Reads CPU attributes
  PID:877
- /bin/grep
  grep stratum.f2pool.com:8888
  2⤵
  PID:891
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:892
- /bin/grep
  grep -v grep
  2⤵
  PID:890
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:893
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:895
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:895
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:895
- - /usr/bin/kill
    kill -9
    3⤵
    PID:895
- - /sbin/kill
    kill -9
    3⤵
    PID:895
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:895
- /bin/ps
  ps auxf
  2⤵
  - Reads runtime system information
  PID:889
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:899
- /bin/grep
  grep xmrpool.eu
  2⤵
  PID:898
- /bin/grep
  grep -v grep
  2⤵
  PID:897
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:900
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:901
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:901
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:901
- - /usr/bin/kill
    kill -9
    3⤵
    PID:901
- - /sbin/kill
    kill -9
    3⤵
    PID:901
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:901
- /bin/ps
  ps auxf
  2⤵
  PID:896
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:905
- /bin/grep
  grep xmrig
  2⤵
  PID:904
- /bin/grep
  grep -v grep
  2⤵
  PID:903
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:906
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:907
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:907
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:907
- - /usr/bin/kill
    kill -9
    3⤵
    PID:907
- - /sbin/kill
    kill -9
    3⤵
    PID:907
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:907
- /bin/ps
  ps auxf
  2⤵
  - Reads runtime system information
  PID:902
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:911
- /bin/grep
  grep xmrigDaemon
  2⤵
  PID:910
- /bin/grep
  grep -v grep
  2⤵
  PID:909
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:912
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:913
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:913
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:913
- - /usr/bin/kill
    kill -9
    3⤵
    PID:913
- - /sbin/kill
    kill -9
    3⤵
    PID:913
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:913
- /bin/ps
  ps auxf
  2⤵
  PID:908
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:917
- /bin/grep
  grep xmrigMiner
  2⤵
  PID:916
- /bin/grep
  grep -v grep
  2⤵
  PID:915
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:918
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:919
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:919
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:919
- - /usr/bin/kill
    kill -9
    3⤵
    PID:919
- - /sbin/kill
    kill -9
    3⤵
    PID:919
- - /bin/kill
    kill -9
    3⤵
    PID:919
- /bin/ps
  ps auxf
  2⤵
  - Reads CPU attributes
  PID:914
- /bin/grep
  grep /var/tmp/java
  2⤵
  PID:924
- /bin/grep
  grep -v grep
  2⤵
  PID:923
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:925
- /bin/ps
  ps auxf
  2⤵
  - Reads CPU attributes
  PID:922
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:926
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:929
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:929
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:929
- - /usr/bin/kill
    kill -9
    3⤵
    PID:929
- - /sbin/kill
    kill -9
    3⤵
    PID:929
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:929
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:940
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:942
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:942
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:942
- - /usr/bin/kill
    kill -9
    3⤵
    PID:942
- - /sbin/kill
    kill -9
    3⤵
    PID:942
- - /bin/kill
    kill -9
    3⤵
    PID:942
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:939
- /bin/grep
  grep ddgs
  2⤵
  PID:938
- /bin/grep
  grep -v grep
  2⤵
  PID:937
- /bin/ps
  ps auxf
  2⤵
  - Reads CPU attributes
  PID:936
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:951
- /bin/grep
  grep qW3xT
  2⤵
  PID:950
- /bin/grep
  grep -v grep
  2⤵
  PID:949
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:952
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:955
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:955
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:955
- - /usr/bin/kill
    kill -9
    3⤵
    PID:955
- - /sbin/kill
    kill -9
    3⤵
    PID:955
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:955
- /bin/ps
  ps auxf
  2⤵
  - Reads runtime system information
  PID:948
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:963
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:964
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:967
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:967
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:967
- - /usr/bin/kill
    kill -9
    3⤵
    PID:967
- - /sbin/kill
    kill -9
    3⤵
    PID:967
- - /bin/kill
    kill -9
    3⤵
    PID:967
- /bin/grep
  grep -v grep
  2⤵
  PID:961
- /bin/grep
  grep t00ls.ru
  2⤵
  PID:962
- /bin/ps
  ps auxf
  2⤵
  - Reads CPU attributes
  PID:960
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:976
- /bin/grep
  grep /var/tmp/sustes
  2⤵
  PID:975
- /bin/grep
  grep -v grep
  2⤵
  PID:974
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:977
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:979
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:979
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:979
- - /usr/bin/kill
    kill -9
    3⤵
    PID:979
- - /sbin/kill
    kill -9
    3⤵
    PID:979
- - /bin/kill
    kill -9
    3⤵
    PID:979
- /bin/ps
  ps auxf
  2⤵
  - Reads runtime system information
  PID:973
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:983
- /bin/grep
  grep ld-linux
  2⤵
  PID:982
- /bin/grep
  grep -v grep
  2⤵
  PID:981
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:984
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:985
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:985
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:985
- - /usr/bin/kill
    kill -9
    3⤵
    PID:985
- - /sbin/kill
    kill -9
    3⤵
    PID:985
- - /bin/kill
    kill -9
    3⤵
    PID:985
- /bin/ps
  ps auxf
  2⤵
  - Reads runtime system information
  PID:980
- /bin/grep
  grep xiaoyao
  2⤵
  PID:987
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:988
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:989
- - /usr/local/sbin/kill
    kill -9 987
    3⤵
    PID:990
- - /usr/local/bin/kill
    kill -9 987
    3⤵
    PID:990
- - /usr/sbin/kill
    kill -9 987
    3⤵
    PID:990
- - /usr/bin/kill
    kill -9 987
    3⤵
    PID:990
- - /sbin/kill
    kill -9 987
    3⤵
    PID:990
- - /bin/kill
    kill -9 987
    3⤵
    PID:990
- /bin/ps
  ps auxf
  2⤵
  PID:986
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:994
- - /usr/local/sbin/kill
    kill -9 992
    3⤵
    PID:995
- - /usr/local/bin/kill
    kill -9 992
    3⤵
    PID:995
- - /usr/sbin/kill
    kill -9 992
    3⤵
    PID:995
- - /usr/bin/kill
    kill -9 992
    3⤵
    PID:995
- - /sbin/kill
    kill -9 992
    3⤵
    PID:995
- - /bin/kill
    kill -9 992
    3⤵
    - Reads CPU attributes
    PID:995
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:993
- /bin/grep
  grep Donald
  2⤵
  PID:992
- /bin/ps
  ps auxf
  2⤵
  PID:991
- /bin/grep
  grep Macron
  2⤵
  PID:997
- /bin/ps
  ps auxf
  2⤵
  - Reads CPU attributes
  PID:996
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:999
- - /usr/local/sbin/kill
    kill -9 997
    3⤵
    PID:1000
- - /usr/local/bin/kill
    kill -9 997
    3⤵
    PID:1000
- - /usr/sbin/kill
    kill -9 997
    3⤵
    PID:1000
- - /usr/bin/kill
    kill -9 997
    3⤵
    PID:1000
- - /sbin/kill
    kill -9 997
    3⤵
    PID:1000
- - /bin/kill
    kill -9 997
    3⤵
    - Reads CPU attributes
    PID:1000
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:998
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1004
- - /usr/local/sbin/kill
    kill -9 1002
    3⤵
    PID:1005
- - /usr/local/bin/kill
    kill -9 1002
    3⤵
    PID:1005
- - /usr/sbin/kill
    kill -9 1002
    3⤵
    PID:1005
- - /usr/bin/kill
    kill -9 1002
    3⤵
    PID:1005
- - /sbin/kill
    kill -9 1002
    3⤵
    PID:1005
- - /bin/kill
    kill -9 1002
    3⤵
    PID:1005
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1003
- /bin/grep
  grep ld-linux
  2⤵
  PID:1002
- /bin/ps
  ps auxf
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1001
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1009
- - /usr/local/sbin/kill
    kill -9 1007
    3⤵
    PID:1010
- - /usr/local/bin/kill
    kill -9 1007
    3⤵
    PID:1010
- - /usr/sbin/kill
    kill -9 1007
    3⤵
    PID:1010
- - /usr/bin/kill
    kill -9 1007
    3⤵
    PID:1010
- - /sbin/kill
    kill -9 1007
    3⤵
    PID:1010
- - /bin/kill
    kill -9 1007
    3⤵
    PID:1010
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1008
- /bin/grep
  grep named
  2⤵
  PID:1007
- /bin/ps
  ps auxf
  2⤵
  - Reads CPU attributes
  PID:1006
- /bin/grep
  grep kernelcfg
  2⤵
  PID:1012
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1013
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1014
- - /usr/local/sbin/kill
    kill -9 1012
    3⤵
    PID:1015
- - /usr/local/bin/kill
    kill -9 1012
    3⤵
    PID:1015
- - /usr/sbin/kill
    kill -9 1012
    3⤵
    PID:1015
- - /usr/bin/kill
    kill -9 1012
    3⤵
    PID:1015
- - /sbin/kill
    kill -9 1012
    3⤵
    PID:1015
- - /bin/kill
    kill -9 1012
    3⤵
    PID:1015
- /bin/ps
  ps auxf
  2⤵
  PID:1011
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1019
- - /usr/local/sbin/kill
    kill -9 1017
    3⤵
    PID:1020
- - /usr/local/bin/kill
    kill -9 1017
    3⤵
    PID:1020
- - /usr/sbin/kill
    kill -9 1017
    3⤵
    PID:1020
- - /usr/bin/kill
    kill -9 1017
    3⤵
    PID:1020
- - /sbin/kill
    kill -9 1017
    3⤵
    PID:1020
- - /bin/kill
    kill -9 1017
    3⤵
    PID:1020
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1018
- /bin/grep
  grep xiaoxue
  2⤵
  PID:1017
- /bin/ps
  ps auxf
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1016
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1024
- - /usr/local/sbin/kill
    kill -9 1022
    3⤵
    PID:1025
- - /usr/local/bin/kill
    kill -9 1022
    3⤵
    PID:1025
- - /usr/sbin/kill
    kill -9 1022
    3⤵
    PID:1025
- - /usr/bin/kill
    kill -9 1022
    3⤵
    PID:1025
- - /sbin/kill
    kill -9 1022
    3⤵
    PID:1025
- - /bin/kill
    kill -9 1022
    3⤵
    PID:1025
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1023
- /bin/grep
  grep kernelupgrade
  2⤵
  PID:1022
- /bin/ps
  ps auxf
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1021
- /bin/grep
  grep kernelorg
  2⤵
  PID:1027
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1028
- /bin/ps
  ps auxf
  2⤵
  PID:1026
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1029
- - /usr/local/sbin/kill
    kill -9 1027
    3⤵
    PID:1030
- - /usr/local/bin/kill
    kill -9 1027
    3⤵
    PID:1030
- - /usr/sbin/kill
    kill -9 1027
    3⤵
    PID:1030
- - /usr/bin/kill
    kill -9 1027
    3⤵
    PID:1030
- - /sbin/kill
    kill -9 1027
    3⤵
    PID:1030
- - /bin/kill
    kill -9 1027
    3⤵
    - Reads runtime system information
    PID:1030
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1034
- - /usr/local/sbin/kill
    kill -9 1032
    3⤵
    PID:1035
- - /usr/local/bin/kill
    kill -9 1032
    3⤵
    PID:1035
- - /usr/sbin/kill
    kill -9 1032
    3⤵
    PID:1035
- - /usr/bin/kill
    kill -9 1032
    3⤵
    PID:1035
- - /sbin/kill
    kill -9 1032
    3⤵
    PID:1035
- - /bin/kill
    kill -9 1032
    3⤵
    - Reads CPU attributes
    PID:1035
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1033
- /bin/grep
  grep kernelupdates
  2⤵
  PID:1032
- /bin/ps
  ps auxf
  2⤵
  - Reads runtime system information
  PID:1031
- /bin/grep
  grep lib
  2⤵
  PID:1038
- /bin/grep
  grep jenkins
  2⤵
  PID:1039
- /bin/grep
  grep -v httpPort
  2⤵
  PID:1040
- /bin/grep
  grep var
  2⤵
  PID:1037
- /bin/grep
  grep -v headless
  2⤵
  PID:1041
- /bin/grep
  grep "\\-c"
  2⤵
  PID:1042
- /bin/ps
  ps ax
  2⤵
  PID:1036
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1043
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1044
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1044
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1044
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1044
- - /sbin/kill
    kill -9
    3⤵
    PID:1044
- - /bin/kill
    kill -9
    3⤵
    PID:1044
- /usr/bin/xargs
  xargs pkill -f
  2⤵
  PID:1047
- - /usr/local/sbin/pkill
    pkill -f
    3⤵
    PID:1048
- - /usr/local/bin/pkill
    pkill -f
    3⤵
    PID:1048
- - /usr/sbin/pkill
    pkill -f
    3⤵
    PID:1048
- - /usr/bin/pkill
    pkill -f
    3⤵
    - Reads CPU attributes
    PID:1048
- /bin/ps
  ps ax
  2⤵
  PID:1045
- /bin/grep
  grep -o "./[0-9]* -c"
  2⤵
  PID:1046
- /usr/bin/pkill
  pkill -f /usr/bin/.sshd
  2⤵
  PID:1049
- /usr/bin/pkill
  pkill -f acpid
  2⤵
  - Reads runtime system information
  PID:1050
- /usr/bin/pkill
  pkill -f Donald
  2⤵
  PID:1051
- /usr/bin/pkill
  pkill -f Macron
  2⤵
  - Reads CPU attributes
  PID:1052
- /usr/bin/pkill
  pkill -f AnXqV.yam
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1053
- /usr/bin/pkill
  pkill -f apaceha
  2⤵
  - Reads runtime system information
  PID:1054
- /usr/bin/pkill
  pkill -f askdljlqw
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1055
- /usr/bin/pkill
  pkill -f bashe
  2⤵
  - Reads runtime system information
  PID:1056
- /usr/bin/pkill
  pkill -f bashf
  2⤵
  - Reads CPU attributes
  PID:1057
- /usr/bin/pkill
  pkill -f bashg
  2⤵
  - Reads runtime system information
  PID:1058
- /usr/bin/pkill
  pkill -f bashh
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1059
- /usr/bin/pkill
  pkill -f bashx
  2⤵
  PID:1060
- /usr/bin/pkill
  pkill -f BI5zj
  2⤵
  PID:1061
- /usr/bin/pkill
  pkill -f biosetjenkins
  2⤵
  - Reads runtime system information
  PID:1062
- /usr/bin/pkill
  pkill -f bonn.sh
  2⤵
  - Reads runtime system information
  PID:1063
- /usr/bin/pkill
  pkill -f bonns
  2⤵
  - Reads runtime system information
  PID:1064
- /usr/bin/pkill
  pkill -f conn.sh
  2⤵
  - Reads CPU attributes
  PID:1065
- /usr/bin/pkill
  pkill -f conns
  2⤵
  - Reads CPU attributes
  PID:1066
- /usr/bin/pkill
  pkill -f cryptonight
  2⤵
  - Reads CPU attributes
  PID:1067
- /usr/bin/pkill
  pkill -f crypto-pool
  2⤵
  PID:1068
- /usr/bin/pkill
  pkill -f ddg.2011
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1069
- /usr/bin/pkill
  pkill -f deamon
  2⤵
  PID:1070
- /usr/bin/pkill
  pkill -f disk_genius
  2⤵
  PID:1071
- /usr/bin/pkill
  pkill -f donns
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1072
- /usr/bin/pkill
  pkill -f Duck.sh
  2⤵
  - Reads CPU attributes
  PID:1073
- /usr/bin/pkill
  pkill -f gddr
  2⤵
  - Reads runtime system information
  PID:1074
- /usr/bin/pkill
  pkill -f Guard.sh
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1075
- /usr/bin/pkill
  pkill -f i586
  2⤵
  - Reads CPU attributes
  PID:1076
- /usr/bin/pkill
  pkill -f icb5o
  2⤵
  - Reads CPU attributes
  PID:1077
- /usr/bin/pkill
  pkill -f ir29xc1
  2⤵
  PID:1078
- /usr/bin/pkill
  pkill -f irqba2anc1
  2⤵
  PID:1079
- /usr/bin/pkill
  pkill -f irqba5xnc1
  2⤵
  - Reads runtime system information
  PID:1080
- /usr/bin/pkill
  pkill -f irqbalanc1
  2⤵
  PID:1081
- /usr/bin/pkill
  pkill -f irqbalance
  2⤵
  - Reads CPU attributes
  PID:1082
- /usr/bin/pkill
  pkill -f irqbnc1
  2⤵
  PID:1083
- /usr/bin/pkill
  pkill -f JnKihGjn
  2⤵
  PID:1084
- /usr/bin/pkill
  pkill -f jweri
  2⤵
  - Reads runtime system information
  PID:1085
- /usr/bin/pkill
  pkill -f kw.sh
  2⤵
  - Reads CPU attributes
  PID:1086
- /usr/bin/pkill
  pkill -f kworker34
  2⤵
  - Reads runtime system information
  PID:1087
- /usr/bin/pkill
  pkill -f kxjd
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1088
- /usr/bin/pkill
  pkill -f libapache
  2⤵
  PID:1089
- /usr/bin/pkill
  pkill -f Loopback
  2⤵
  - Reads CPU attributes
  PID:1090
- /usr/bin/pkill
  pkill -f lx26
  2⤵
  PID:1091
- /usr/bin/pkill
  pkill -f mgwsl
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1092
- /usr/bin/pkill
  pkill -f minerd
  2⤵
  PID:1093
- /usr/bin/pkill
  pkill -f minergate
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1094
- /usr/bin/pkill
  pkill -f minexmr
  2⤵
  PID:1095
- /usr/bin/pkill
  pkill -f mixnerdx
  2⤵
  - Reads runtime system information
  PID:1096
- /usr/bin/pkill
  pkill -f mstxmr
  2⤵
  PID:1097
- /usr/bin/pkill
  pkill -f nanoWatch
  2⤵
  - Reads runtime system information
  PID:1098
- /usr/bin/pkill
  pkill -f nopxi
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1099
- /usr/bin/pkill
  pkill -f NXLAi
  2⤵
  - Reads CPU attributes
  PID:1100
- /usr/bin/pkill
  pkill -f performedl
  2⤵
  PID:1101
- /usr/bin/pkill
  pkill -f polkitd
  2⤵
  - Reads runtime system information
  PID:1102
- /usr/bin/pkill
  pkill -f pro.sh
  2⤵
  PID:1103
- /usr/bin/pkill
  pkill -f pythno
  2⤵
  PID:1104
- /usr/bin/pkill
  pkill -f qW3xT.2
  2⤵
  - Reads CPU attributes
  PID:1105
- /usr/bin/pkill
  pkill -f sourplum
  2⤵
  PID:1106
- /usr/bin/pkill
  pkill -f stratum
  2⤵
  - Reads CPU attributes
  PID:1107
- /usr/bin/pkill
  pkill -f sustes
  2⤵
  - Reads CPU attributes
  PID:1108
- /usr/bin/pkill
  pkill -f wnTKYg
  2⤵
  PID:1109
- /usr/bin/pkill
  pkill -f XbashY
  2⤵
  PID:1110
- /usr/bin/pkill
  pkill -f XJnRj
  2⤵
  - Reads runtime system information
  PID:1111
- /usr/bin/pkill
  pkill -f xmrig
  2⤵
  - Reads runtime system information
  PID:1112
- /usr/bin/pkill
  pkill -f xmrigDaemon
  2⤵
  PID:1113
- /usr/bin/pkill
  pkill -f xmrigMiner
  2⤵
  - Reads CPU attributes
  PID:1114
- /usr/bin/pkill
  pkill -f ysaydh
  2⤵
  PID:1115
- /usr/bin/pkill
  pkill -f zigw
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1116
- /usr/bin/pkill
  pkill -f ld-linux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1117
- /usr/bin/pkill
  pkill -f xrx
  2⤵
  - Reads CPU attributes
  PID:1118
- /bin/grep
  grep -v grep
  2⤵
  PID:1121
- /bin/grep
  grep crond
  2⤵
  PID:1120
- /bin/ps
  ps ax
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1119
- /usr/bin/awk
  awk "{print \$1}"
  2⤵
  PID:1122
- /bin/rm
  rm /tmp/crondpid -f
  2⤵
  PID:1123
- /bin/grep
  grep -v grep
  2⤵
  PID:1126
- /bin/grep
  grep sshd
  2⤵
  PID:1125
- /bin/ps
  ps ax
  2⤵
  - Reads CPU attributes
  PID:1124
- /usr/bin/awk
  awk "{print \$1}"
  2⤵
  PID:1127
- /bin/rm
  rm -f /tmp/ssdpid
  2⤵
  PID:1134
- /bin/grep
  grep -v grep
  2⤵
  PID:1137
- /bin/grep
  grep syslogs
  2⤵
  PID:1136
- /bin/ps
  ps ax
  2⤵
  - Reads runtime system information
  PID:1135
- /usr/bin/awk
  awk "{print \$1}"
  2⤵
  PID:1138
- /bin/rm
  rm /tmp/syslogspid -f
  2⤵
  PID:1139
- /bin/grep
  grep "b 22"
  2⤵
  PID:1141
- /bin/ps
  ps x
  2⤵
  - Reads runtime system information
  PID:1140
- /usr/bin/awk
  awk "{print \$1,\$5}"
  2⤵
  PID:1142
- /bin/cat
  cat .procs
  2⤵
  PID:1143
- /usr/bin/chattr
  chattr -iaR /var/tmp/.xrx
  2⤵
  - Attempts to change immutable files
  PID:1154
- /bin/rm
  rm -rf /var/tmp/.xrx
  2⤵
  PID:1155
- /bin/grep
  grep "d 22"
  2⤵
  PID:1157
- /bin/ps
  ps x
  2⤵
  PID:1156
- /usr/bin/awk
  awk "{print \$1,\$5}"
  2⤵
  PID:1158
- /bin/cat
  cat .procs
  2⤵
  PID:1159
- /bin/grep
  grep 69.28.55.86:443
  2⤵
  PID:1171
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1172
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1173
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1174
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1175
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1175
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1175
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1175
- - /sbin/kill
    kill -9
    3⤵
    PID:1175
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:1175
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1178
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1179
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1180
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1181
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1181
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1181
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1181
- - /sbin/kill
    kill -9
    3⤵
    PID:1181
- - /bin/kill
    kill -9
    3⤵
    PID:1181
- /bin/grep
  grep 185.71.65.238
  2⤵
  PID:1177
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1185
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1184
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1186
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1187
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1187
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1187
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1187
- - /sbin/kill
    kill -9
    3⤵
    PID:1187
- - /bin/kill
    kill -9
    3⤵
    PID:1187
- /bin/grep
  grep 140.82.52.87
  2⤵
  PID:1183
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1190
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1191
- /bin/grep
  grep 119.9.76.107
  2⤵
  PID:1189
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1192
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1193
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1193
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1193
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1193
- - /sbin/kill
    kill -9
    3⤵
    PID:1193
- - /bin/kill
    kill -9
    3⤵
    PID:1193
- /bin/grep
  grep :143
  2⤵
  PID:1195
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1196
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1197
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1198
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1199
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1199
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1199
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1199
- - /sbin/kill
    kill -9
    3⤵
    PID:1199
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:1199
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1203
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1204
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1205
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1205
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1205
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1205
- - /sbin/kill
    kill -9
    3⤵
    PID:1205
- - /bin/kill
    kill -9
    3⤵
    PID:1205
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1202
- /bin/grep
  grep :2222
  2⤵
  PID:1201
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1209
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1208
- /usr/bin/xargs
  xargs kill -9
  2⤵
  - Reads runtime system information
  PID:1210
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1211
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1211
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1211
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1211
- - /sbin/kill
    kill -9
    3⤵
    PID:1211
- - /bin/kill
    kill -9
    3⤵
    PID:1211
- /bin/grep
  grep :3333
  2⤵
  PID:1207
- /bin/grep
  grep :3389
  2⤵
  PID:1213
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1214
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1215
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1216
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1217
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1217
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1217
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1217
- - /sbin/kill
    kill -9
    3⤵
    PID:1217
- - /bin/kill
    kill -9
    3⤵
    PID:1217
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1221
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1222
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1223
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1223
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1223
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1223
- - /sbin/kill
    kill -9
    3⤵
    PID:1223
- - /bin/kill
    kill -9
    3⤵
    PID:1223
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1220
- /bin/grep
  grep :4444
  2⤵
  PID:1219
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1227
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1226
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1228
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1229
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1229
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1229
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1229
- - /sbin/kill
    kill -9
    3⤵
    PID:1229
- - /bin/kill
    kill -9
    3⤵
    PID:1229
- /bin/grep
  grep :5555
  2⤵
  PID:1225
- /bin/grep
  grep :6666
  2⤵
  PID:1231
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1232
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1233
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1234
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1235
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1235
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1235
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1235
- - /sbin/kill
    kill -9
    3⤵
    PID:1235
- - /bin/kill
    kill -9
    3⤵
    PID:1235
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1238
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1239
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1240
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1241
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1241
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1241
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1241
- - /sbin/kill
    kill -9
    3⤵
    PID:1241
- - /bin/kill
    kill -9
    3⤵
    PID:1241
- /bin/grep
  grep :6665
  2⤵
  PID:1237
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1244
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1245
- /bin/grep
  grep :6667
  2⤵
  PID:1243
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1246
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1247
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1247
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1247
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1247
- - /sbin/kill
    kill -9
    3⤵
    PID:1247
- - /bin/kill
    kill -9
    3⤵
    PID:1247
- /bin/grep
  grep :7777
  2⤵
  PID:1249
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1250
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1251
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1252
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1253
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1253
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1253
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1253
- - /sbin/kill
    kill -9
    3⤵
    PID:1253
- - /bin/kill
    kill -9
    3⤵
    PID:1253
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1257
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1256
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1258
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1259
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1259
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1259
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1259
- - /sbin/kill
    kill -9
    3⤵
    PID:1259
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:1259
- /bin/grep
  grep :8444
  2⤵
  PID:1255
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1262
- /bin/grep
  grep :3347
  2⤵
  PID:1261
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1263
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1264
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1265
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1265
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1265
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1265
- - /sbin/kill
    kill -9
    3⤵
    PID:1265
- - /bin/kill
    kill -9
    3⤵
    PID:1265
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1268
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1269
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1270
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1271
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1271
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1271
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1271
- - /sbin/kill
    kill -9
    3⤵
    PID:1271
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:1271
- /bin/grep
  grep :14444
  2⤵
  PID:1267
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1275
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1274
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1276
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1277
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1277
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1277
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1277
- - /sbin/kill
    kill -9
    3⤵
    PID:1277
- - /bin/kill
    kill -9
    3⤵
    PID:1277
- /bin/grep
  grep :14433
  2⤵
  PID:1273
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1281
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1280
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1282
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1283
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1283
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1283
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1283
- - /sbin/kill
    kill -9
    3⤵
    PID:1283
- - /bin/kill
    kill -9
    3⤵
    PID:1283
- /bin/grep
  grep :13531
  2⤵
  PID:1279
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1286
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1287
- /bin/grep
  grep 138.199.40.233:9137
  2⤵
  PID:1285
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1288
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1289
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1289
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1289
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1289
- - /sbin/kill
    kill -9
    3⤵
    PID:1289
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:1289
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1292
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1293
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1294
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1295
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1295
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1295
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1295
- - /sbin/kill
    kill -9
    3⤵
    PID:1295
- - /bin/kill
    kill -9
    3⤵
    PID:1295
- /bin/grep
  grep 185.150.117.29
  2⤵
  PID:1291

/bin/sed
sed -e "s/\\.[0-9]*//g"
1⤵
PID:1130

/bin/ps
ps -p 384 -o "%cpu"
1⤵
PID:1132

/bin/grep
grep -v "%CPU"
1⤵
PID:1133

/usr/bin/awk
awk "{print \$1;}"
1⤵
PID:1147

/usr/bin/awk
awk "{print \$2;}"
1⤵
PID:1150

/usr/bin/wc
wc -c
1⤵
PID:1153

/usr/bin/awk
awk "{print \$1;}"
1⤵
PID:1163

/usr/bin/awk
awk "{print \$2;}"
1⤵
PID:1166

/usr/bin/wc
wc -c
1⤵
PID:1169

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/.rsync/a/.procs

Filesize
10B

MD5
b03848593b10ce8def1d65edafcf20e1

SHA1
c9df40a4881752b7fd8d7e81bb1afee45a80ba6a

SHA256
af472195f4f339d85f8ea84e660b5d47c9e5218c16f4016f5815a29514a17029

SHA512
0b4c13378c972f904939a034d213aeb10f14c84a135665cd0865bad36c99db9a123e0c131d7e5348a9ca1c3d13ae6c2abcad50e5a7468a269331a127ce521b33

Download Submit
/tmp/.rsync/a/.procs

Filesize
10B

MD5
4125035d4cc3e4c5e97d44d0c523c2c9

SHA1
7cc312e4fe946257c8682088df26041ebf3456e0

SHA256
f489e418ec1f2938b2f8a33acf4038d2cbfde7fff352f010ca5a1a0e13188a1c

SHA512
73385603e56719d009046ad21ce2d1cc47989a0b8483818faed14d7ddf81d4cbc0f6401e532b6b59efd4425951a9526e98246ea6d37892b6016b4be3a815b817

Download Submit
/tmp/ssdpid

Filesize
4B

MD5
a5d99f0b68d8429e6a98e8b7765be404

SHA1
5c2b9a2675b89f73c9969010421f59c50ce48ff8

SHA256
579c81f568f7c29e169413de59514e21afa79aa0787df62272e11a71fd42dabc

SHA512
3b7f8475cbb946b23c55c0b244c90bc3b8960d6fe4cbbcd1efc09eb514f781e6cb46f91f5e606d28e8a6f77092f40209102a95f341b9b7cd20235b1e57002a70

Download Submit