76021dd25cb21b31b81a43428ebd18640d0598c8afeefc502c7a2ab660de8df5

Analysis

max time kernel
150s
max time network
23s
platform
debian-9_mips
resource
debian9-mipsbe-20240611-en
resource tags

arch:mipsimage:debian9-mipsbe-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
17-07-2024 10:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

52940d065af4faae2c6f6a289040bb72_JaffaCakes118
Size

30KB
MD5

52940d065af4faae2c6f6a289040bb72
SHA1

005bafac97f4734cfc8c5d4f14e231df11f4d73a
SHA256

76021dd25cb21b31b81a43428ebd18640d0598c8afeefc502c7a2ab660de8df5
SHA512

ad31d4768c1bd18fe34548cc76a617abe480bbdc244abaa09049654d177984102496842a98ca94903a4db89a708519ddab7d1fc39e08e4979c33737be976de2d
SSDEEP

384:p7pQBDf6jlpTWg3vMGQiirhHwMyGj4CC9vEKMvU/4Qdre21jT58vKpG2Y0orcfKU:p78zQ5VFNcDAFLcIwgnoYq0xFBVdHtDn

Score

7^/10

Malware Config

Signatures

Flushes firewall rules 1 IoCs

Flushes/ disables firewall rules inside the Linux kernel.

pid	Process
713	iptables

Attempts to change immutable files 64 IoCs

Modifies inode attributes on the filesystem to allow changing of immutable files.

pid	Process
823	xargs
1198	xargs
710	chattr
970	xargs
1295	xargs
1234	xargs
841	xargs
995	xargs
1208	xargs
1042	xargs
1108	xargs
1129	xargs
1223	xargs
1203	xargs
702	chattr
963	xargs
930	xargs
1103	xargs
708	chattr
747	chattr
1247	xargs
1189	xargs
1302	xargs
867	xargs
1097	xargs
1124	xargs
937	xargs
859	xargs
1023	xargs
1253	xargs
1174	xargs
1281	xargs
835	xargs
1002	xargs
1139	xargs
907	xargs
884	xargs
923	xargs
1035	xargs
1179	xargs
1164	xargs
1184	xargs
871	xargs
949	xargs
1009	xargs
752	grep
811	xargs
1228	xargs
879	xargs
1288	xargs
706	chattr
896	xargs
1114	xargs
918	xargs
1048	xargs
1092	xargs
944	xargs
1029	xargs
853	xargs
863	xargs
869	xargs
1275	xargs
1144	xargs
1159	xargs

Enumerates running processes
Discovers information about currently running processes on the system

Reads CPU attributes 1 TTPs 64 IoCs

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	exim4
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	sysctl
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	exim4
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

description	ioc	Process
File opened for reading	/proc/947/stat	ps
File opened for reading	/proc/tty/drivers	ps
File opened for reading	/proc/103/status	ps
File opened for reading	/proc/695/status	ps
File opened for reading	/proc/479/status	ps
File opened for reading	/proc/479/status	pkill
File opened for reading	/proc/318/stat	ps
File opened for reading	/proc/6/status	ps
File opened for reading	/proc/81/status	ps
File opened for reading	/proc/318/stat	ps
File opened for reading	/proc/2/status	ps
File opened for reading	/proc/387/cmdline	ps
File opened for reading	/proc/318/stat	ps
File opened for reading	/proc/1059/cmdline	ps
File opened for reading	/proc/74/cmdline	ps
File opened for reading	/proc/321/cmdline	ps
File opened for reading	/proc/696/stat	ps
File opened for reading	/proc/6/stat	ps
File opened for reading	/proc/74/status	ps
File opened for reading	/proc/21/stat	ps
File opened for reading	/proc/387/cmdline	ps
File opened for reading	/proc/18/stat	ps
File opened for reading	/proc/2/stat	ps
File opened for reading	/proc/103/stat	ps
File opened for reading	/proc/701/status	ps
File opened for reading	/proc/455/stat	ps
File opened for reading	/proc/21/stat	ps
File opened for reading	/proc/24/status	ps
File opened for reading	/proc/70/cmdline	ps
File opened for reading	/proc/455/status	ps
File opened for reading	/proc/697/stat	ps
File opened for reading	/proc/77/cmdline	ps
File opened for reading	/proc/7/cmdline	ps
File opened for reading	/proc/7/stat	ps
File opened for reading	/proc/36/cmdline	ps
File opened for reading	/proc/5/stat	ps
File opened for reading	/proc/1/cmdline	ps
File opened for reading	/proc/478/cmdline	ps
File opened for reading	/proc/103/stat	ps
File opened for reading	/proc/1214/stat	ps
File opened for reading	/proc/69/status	ps
File opened for reading	/proc/386/stat	ps
File opened for reading	/proc/37/stat	ps
File opened for reading	/proc/14/stat	ps
File opened for reading	/proc/11/cmdline	ps
File opened for reading	/proc/17/stat	ps
File opened for reading	/proc/37/stat	ps
File opened for reading	/proc/9/cmdline	ps
File opened for reading	/proc/83/cmdline	ps
File opened for reading	/proc/19/status	ps
File opened for reading	/proc/676/stat	ps
File opened for reading	/proc/2/status	ps
File opened for reading	/proc/676/cmdline	ps
File opened for reading	/proc/71/status	ps
File opened for reading	/proc/83/stat	ps
File opened for reading	/proc/20/stat	ps
File opened for reading	/proc/478/status	ps
File opened for reading	/proc/479/status	ps
File opened for reading	/proc/1/cmdline	ps
File opened for reading	/proc/223/status	ps
File opened for reading	/proc/479/stat	ps
File opened for reading	/proc/479/stat	ps
File opened for reading	/proc/223/status	pkill
File opened for reading	/proc/18/stat	ps

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/log_rot	52940d065af4faae2c6f6a289040bb72_JaffaCakes118

/tmp/52940d065af4faae2c6f6a289040bb72_JaffaCakes118
/tmp/52940d065af4faae2c6f6a289040bb72_JaffaCakes118
1⤵
- Writes file to tmp directory
PID:698
- /bin/rm
  rm -rf /var/log/syslog
  2⤵
  PID:699
- /usr/bin/chattr
  chattr -iua /tmp/
  2⤵
  - Attempts to change immutable files
  PID:702
- /usr/bin/chattr
  chattr -iua /var/tmp/
  2⤵
  - Attempts to change immutable files
  PID:706
- /usr/bin/chattr
  chattr -R -i /var/spool/cron
  2⤵
  - Attempts to change immutable files
  PID:708
- /usr/bin/chattr
  chattr -i /etc/crontab
  2⤵
  - Attempts to change immutable files
  PID:710
- /sbin/iptables
  iptables -F
  2⤵
  - Flushes firewall rules
  PID:713
- /usr/bin/sudo
  sudo sysctl "kernel.nmi_watchdog=0"
  2⤵
  PID:718
- - /usr/sbin/sendmail
    sendmail -t
    3⤵
    PID:737
  - - /usr/sbin/exim4
      /usr/sbin/exim4 -Mc 1sTzxC-0000Bt-6d
      4⤵
      Reads CPU attributes
      PID:744
- - /usr/sbin/sendmail
    sendmail -t
    3⤵
    PID:740
  - - /usr/sbin/exim4
      /usr/sbin/exim4 -Mc 1sTzxC-0000Bw-6f
      4⤵
      Reads CPU attributes
      PID:745
- - /sbin/sysctl
    sysctl "kernel.nmi_watchdog=0"
    3⤵
    - Reads CPU attributes
    PID:741
- /usr/sbin/userdel
  userdel akay
  2⤵
  PID:742
- /usr/sbin/userdel
  userdel vfinder
  2⤵
  PID:743
- /usr/bin/chattr
  chattr -iae /root/.ssh/
  2⤵
  PID:746
- /usr/bin/chattr
  chattr -iae /root/.ssh/authorized_keys
  2⤵
  - Attempts to change immutable files
  PID:747
- /bin/rm
  rm -rf "/tmp/addres*"
  2⤵
  PID:748
- /bin/rm
  rm -rf "/tmp/walle*"
  2⤵
  PID:749
- /bin/rm
  rm -rf /tmp/keys
  2⤵
  PID:750
- /bin/ps
  ps aux
  2⤵
  PID:751
- /bin/grep
  grep -i "[a]liyun"
  2⤵
  - Attempts to change immutable files
  PID:752
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:755
- /bin/grep
  grep -i "[y]unjing"
  2⤵
  PID:756
- /bin/grep
  grep 185.71.65.238
  2⤵
  PID:758
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:759
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:760
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:761
- /bin/grep
  grep 140.82.52.87
  2⤵
  PID:763
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:764
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:765
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:766
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:769
- /bin/grep
  grep :143
  2⤵
  PID:768
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:770
- /bin/grep
  grep -v -
  2⤵
  PID:771
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:772
- /bin/grep
  grep :2222
  2⤵
  PID:774
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:775
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:776
- /bin/grep
  grep -v -
  2⤵
  PID:777
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:778
- /bin/grep
  grep :3333
  2⤵
  PID:780
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:781
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:782
- /bin/grep
  grep -v -
  2⤵
  PID:783
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:784
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:787
- /bin/grep
  grep :3389
  2⤵
  PID:786
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:788
- /bin/grep
  grep -v -
  2⤵
  PID:789
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:790
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:796
- /bin/grep
  grep :4444
  2⤵
  PID:795
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:797
- /bin/grep
  grep -v -
  2⤵
  PID:798
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:799
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:802
- /bin/grep
  grep :5555
  2⤵
  PID:801
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:803
- /bin/grep
  grep -v -
  2⤵
  PID:804
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:805
- /bin/grep
  grep :6666
  2⤵
  PID:807
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:808
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:809
- /bin/grep
  grep -v -
  2⤵
  PID:810
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:811
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:814
- /bin/grep
  grep :6665
  2⤵
  PID:813
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:815
- /bin/grep
  grep -v -
  2⤵
  PID:816
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:817
- /bin/grep
  grep :6667
  2⤵
  PID:819
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:820
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:821
- /bin/grep
  grep -v -
  2⤵
  PID:822
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:823
- /bin/grep
  grep :7777
  2⤵
  PID:825
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:826
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:827
- /bin/grep
  grep -v -
  2⤵
  PID:828
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:829
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:832
- /bin/grep
  grep :8444
  2⤵
  PID:831
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:833
- /bin/grep
  grep -v -
  2⤵
  PID:834
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:835
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:838
- /bin/grep
  grep :3347
  2⤵
  PID:837
- /bin/grep
  grep -v -
  2⤵
  PID:840
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:839
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:841
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:844
- /bin/grep
  grep :14444
  2⤵
  PID:843
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:845
- /bin/grep
  grep -v -
  2⤵
  PID:846
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:847
- /bin/grep
  grep :14433
  2⤵
  PID:849
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:850
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:851
- /bin/grep
  grep -v -
  2⤵
  PID:852
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:853
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:856
- /bin/grep
  grep :13531
  2⤵
  PID:855
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:857
- /bin/grep
  grep -v -
  2⤵
  PID:858
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:859
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:861
- /bin/cat
  cat /tmp/.X11-unix/01
  2⤵
  PID:860
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:863
- /bin/cat
  cat /tmp/.X11-unix/11
  2⤵
  PID:862
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:865
- /bin/cat
  cat /tmp/.X11-unix/22
  2⤵
  PID:864
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:867
- /bin/cat
  cat /tmp/.pg_stat.0
  2⤵
  PID:866
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:869
- /bin/cat
  cat /tmp/.pg_stat.1
  2⤵
  PID:868
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:871
- /bin/cat
  cat /data/./oka.pid
  2⤵
  PID:870
- /usr/bin/pkill
  pkill -f zsvc
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:872
- /usr/bin/pkill
  pkill -f pdefenderd
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:873
- /usr/bin/pkill
  pkill -f updatecheckerd
  2⤵
  - Reads CPU attributes
  PID:874
- /bin/grep
  grep -v grep
  2⤵
  PID:877
- /bin/grep
  grep ./oka
  2⤵
  PID:876
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:875
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:878
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:879
- /bin/grep
  grep "postgres: autovacum"
  2⤵
  PID:881
- /bin/grep
  grep -v grep
  2⤵
  PID:882
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:880
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:883
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:884
- /usr/bin/awk
  awk "length(\$1) == 8"
  2⤵
  PID:886
- /bin/grep
  grep -v bin
  2⤵
  PID:887
- /bin/ps
  ps ax -o "command,pid" -www
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:885
- /bin/grep
  grep -v "\\["
  2⤵
  PID:888
- /bin/grep
  grep -v "("
  2⤵
  PID:889
- /bin/grep
  grep -v php-fpm
  2⤵
  PID:890
- /bin/grep
  grep -v proxymap
  2⤵
  PID:891
- /bin/grep
  grep -v postgres
  2⤵
  PID:892
- /bin/grep
  grep -v postgrey
  2⤵
  PID:893
- /bin/grep
  grep -v kinsing
  2⤵
  PID:894
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:895
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:896
- /bin/grep
  grep -v bin
  2⤵
  PID:899
- /usr/bin/awk
  awk "length(\$1) == 16"
  2⤵
  PID:898
- /bin/ps
  ps ax -o "command,pid" -www
  2⤵
  - Reads runtime system information
  PID:897
- /bin/grep
  grep -v "\\["
  2⤵
  PID:900
- /bin/grep
  grep -v "("
  2⤵
  PID:901
- /bin/grep
  grep -v php-fpm
  2⤵
  PID:902
- /bin/grep
  grep -v proxymap
  2⤵
  PID:903
- /bin/grep
  grep -v postgres
  2⤵
  PID:904
- /bin/grep
  grep -v postgrey
  2⤵
  PID:905
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:906
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:907
- /usr/bin/awk
  awk "length(\$5) == 8"
  2⤵
  PID:909
- /bin/grep
  grep -v bin
  2⤵
  PID:910
- /bin/grep
  grep -v "\\["
  2⤵
  PID:911
- /bin/ps
  ps ax
  2⤵
  PID:908
- /bin/grep
  grep -v "("
  2⤵
  PID:912
- /bin/grep
  grep -v php-fpm
  2⤵
  PID:913
- /bin/grep
  grep -v proxymap
  2⤵
  PID:914
- /bin/grep
  grep -v postgres
  2⤵
  PID:915
- /bin/grep
  grep -v postgrey
  2⤵
  PID:916
- /usr/bin/awk
  awk "{print \$1}"
  2⤵
  PID:917
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:918
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:919
- /bin/grep
  grep -v grep
  2⤵
  PID:920
- /bin/grep
  grep /tmp/sscks
  2⤵
  PID:921
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:922
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:923
- /bin/grep
  grep "sleep 60"
  2⤵
  PID:927
- /bin/grep
  grep -v grep
  2⤵
  PID:928
- /bin/ps
  ps aux
  2⤵
  PID:926
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:929
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:930
- /bin/grep
  grep -v grep
  2⤵
  PID:935
- /bin/grep
  grep ./crun
  2⤵
  PID:934
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:933
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:937
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:936
- /bin/grep
  grep -v grep
  2⤵
  PID:942
- /bin/grep
  grep -vw kdevtmpfsi
  2⤵
  PID:941
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:940
- /usr/bin/awk
  awk "{if(\$3>80.0) print \$2}"
  2⤵
  PID:943
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:944
- /bin/grep
  grep :3333
  2⤵
  PID:947
- /bin/grep
  grep -v grep
  2⤵
  PID:946
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:945
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:949
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:948
- /bin/grep
  grep :5555
  2⤵
  PID:954
- /bin/grep
  grep -v grep
  2⤵
  PID:953
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:952
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:955
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:956
- /bin/grep
  grep "kworker -c\\"
  2⤵
  PID:961
- /bin/grep
  grep -v grep
  2⤵
  PID:960
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:962
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:959
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:963
- /bin/grep
  grep log_
  2⤵
  PID:968
- /bin/grep
  grep -v grep
  2⤵
  PID:967
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:966
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:970
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:969
- /bin/grep
  grep systemten
  2⤵
  PID:973
- /bin/grep
  grep -v grep
  2⤵
  PID:972
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:971
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:975
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:974
- /bin/grep
  grep -v grep
  2⤵
  PID:979
- /bin/grep
  grep netns
  2⤵
  PID:980
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:978
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:981
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:982
- - /usr/local/sbin/kill
    kill -9 10
    3⤵
    PID:984
- - /usr/local/bin/kill
    kill -9 10
    3⤵
    PID:984
- - /usr/sbin/kill
    kill -9 10
    3⤵
    PID:984
- - /usr/bin/kill
    kill -9 10
    3⤵
    PID:984
- - /sbin/kill
    kill -9 10
    3⤵
    PID:984
- - /bin/kill
    kill -9 10
    3⤵
    - Reads CPU attributes
    PID:984
- /bin/grep
  grep voltuned
  2⤵
  PID:987
- /bin/grep
  grep -v grep
  2⤵
  PID:986
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:985
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:988
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:989
- /bin/grep
  grep -v grep
  2⤵
  PID:992
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:991
- /bin/grep
  grep darwin
  2⤵
  PID:993
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:994
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:995
- /bin/grep
  grep -v grep
  2⤵
  PID:999
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:998
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1001
- /bin/grep
  grep /tmp/dl
  2⤵
  PID:1000
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1002
- /bin/grep
  grep /tmp/ddg
  2⤵
  PID:1007
- /bin/grep
  grep -v grep
  2⤵
  PID:1006
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1005
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1008
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1009
- /bin/grep
  grep -v grep
  2⤵
  PID:1013
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1015
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1016
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1012
- /bin/grep
  grep /tmp/pprt
  2⤵
  PID:1014
- /bin/grep
  grep /tmp/ppol
  2⤵
  PID:1021
- /bin/grep
  grep -v grep
  2⤵
  PID:1020
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1019
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1022
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1023
- /bin/grep
  grep -v grep
  2⤵
  PID:1026
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1025
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1028
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1029
- /bin/grep
  grep "/tmp/65ccE*"
  2⤵
  PID:1027
- /bin/grep
  grep -v grep
  2⤵
  PID:1032
- /bin/grep
  grep "/tmp/jmx*"
  2⤵
  PID:1033
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1035
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1031
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1034
- /bin/grep
  grep "/tmp/2Ne80*"
  2⤵
  PID:1040
- /bin/grep
  grep -v grep
  2⤵
  PID:1039
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1038
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1042
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1041
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1047
- /bin/grep
  grep IOFoqIgyC0zmf2UR
  2⤵
  PID:1046
- /bin/grep
  grep -v grep
  2⤵
  PID:1045
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1044
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1048
- /bin/grep
  grep 45.76.122.92
  2⤵
  PID:1054
- /bin/grep
  grep -v grep
  2⤵
  PID:1053
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1052
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1055
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1056
- /bin/grep
  grep 51.38.191.178
  2⤵
  PID:1062
- /bin/grep
  grep -v grep
  2⤵
  PID:1061
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1060
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1063
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1064
- /bin/grep
  grep 51.15.56.161
  2⤵
  PID:1070
- /bin/grep
  grep -v grep
  2⤵
  PID:1069
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1072
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1071
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1068
- /bin/grep
  grep 86s.jpg
  2⤵
  PID:1075
- /bin/grep
  grep -v grep
  2⤵
  PID:1074
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1073
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1076
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1077
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1083
- /bin/grep
  grep aGTSGJJp
  2⤵
  PID:1082
- /bin/grep
  grep -v grep
  2⤵
  PID:1081
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1084
- /bin/ps
  ps aux
  2⤵
  PID:1080
- /bin/grep
  grep nMrfmnRa
  2⤵
  PID:1089
- /bin/grep
  grep -v grep
  2⤵
  PID:1088
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1087
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1091
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1092
- /bin/grep
  grep PuNY5tm2
  2⤵
  PID:1095
- /bin/grep
  grep -v grep
  2⤵
  PID:1094
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1093
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1096
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1097
- /bin/grep
  grep I0r8Jyyt
  2⤵
  PID:1101
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1102
- /bin/grep
  grep -v grep
  2⤵
  PID:1100
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1103
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1099
- /bin/grep
  grep AgdgACUD
  2⤵
  PID:1106
- /bin/grep
  grep -v grep
  2⤵
  PID:1105
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1104
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1107
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1108
- /bin/grep
  grep uiZvwxG8
  2⤵
  PID:1112
- /bin/grep
  grep -v grep
  2⤵
  PID:1111
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1110
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1114
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1113
- /bin/grep
  grep hahwNEdB
  2⤵
  PID:1117
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1115
- /bin/grep
  grep -v grep
  2⤵
  PID:1116
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1118
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1119
- /bin/grep
  grep BtwXn5qH
  2⤵
  PID:1122
- /bin/grep
  grep -v grep
  2⤵
  PID:1121
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1120
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1123
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1124
- /bin/grep
  grep 3XEzey2T
  2⤵
  PID:1127
- /bin/grep
  grep -v grep
  2⤵
  PID:1126
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1125
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1129
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1128
- /bin/grep
  grep -v grep
  2⤵
  PID:1131
- /bin/grep
  grep t2tKrCSZ
  2⤵
  PID:1132
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1130
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1134
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1133
- /bin/grep
  grep HD7fcBgg
  2⤵
  PID:1137
- /bin/grep
  grep -v grep
  2⤵
  PID:1136
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1135
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1138
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1139
- /bin/grep
  grep zXcDajSs
  2⤵
  PID:1142
- /bin/grep
  grep -v grep
  2⤵
  PID:1141
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1140
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1143
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1144
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1148
- /bin/grep
  grep 3lmigMo
  2⤵
  PID:1147
- /bin/grep
  grep -v grep
  2⤵
  PID:1146
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1149
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1145
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1153
- /bin/grep
  grep AkMK4A2
  2⤵
  PID:1152
- /bin/grep
  grep -v grep
  2⤵
  PID:1151
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1154
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1150
- /bin/grep
  grep AJ2AkKe
  2⤵
  PID:1157
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1158
- /bin/grep
  grep -v grep
  2⤵
  PID:1156
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1159
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1155
- /bin/grep
  grep HiPxCJRS
  2⤵
  PID:1162
- /bin/grep
  grep -v grep
  2⤵
  PID:1161
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1160
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1163
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1164
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1168
- /bin/grep
  grep http_0xCC030
  2⤵
  PID:1167
- /bin/grep
  grep -v grep
  2⤵
  PID:1166
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1169
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1165
- /bin/grep
  grep http_0xCC031
  2⤵
  PID:1172
- /bin/grep
  grep -v grep
  2⤵
  PID:1171
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1170
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1173
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1174
- /bin/grep
  grep http_0xCC032
  2⤵
  PID:1177
- /bin/grep
  grep -v grep
  2⤵
  PID:1176
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1179
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1175
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1178
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1183
- /bin/grep
  grep http_0xCC033
  2⤵
  PID:1182
- /bin/grep
  grep -v grep
  2⤵
  PID:1181
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1184
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1180
- /bin/grep
  grep C4iLM4L
  2⤵
  PID:1187
- /bin/grep
  grep -v grep
  2⤵
  PID:1186
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1189
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1188
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1185
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1193
- /bin/grep
  grep aziplcr72qjhzvin
  2⤵
  PID:1192
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1194
- /bin/grep
  grep -v grep
  2⤵
  PID:1191
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1190
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1198
- /usr/bin/awk
  awk "{ if(substr(\$11,1,2)==\"./\" && substr(\$12,1,2)==\"./\") print \$2 }"
  2⤵
  PID:1197
- /bin/grep
  grep -v grep
  2⤵
  PID:1196
- /bin/ps
  ps aux
  2⤵
  PID:1195
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1202
- /bin/grep
  grep /boot/vmlinuz
  2⤵
  PID:1201
- /bin/grep
  grep -v grep
  2⤵
  PID:1200
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1203
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1199
- /bin/grep
  grep i4b503a52cc5
  2⤵
  PID:1206
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1207
- /bin/grep
  grep -v grep
  2⤵
  PID:1205
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1208
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1204
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1212
- /bin/grep
  grep dgqtrcst23rtdi3ldqk322j2
  2⤵
  PID:1211
- /bin/grep
  grep -v grep
  2⤵
  PID:1210
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1213
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1209
- /bin/grep
  grep -v grep
  2⤵
  PID:1215
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1214
- /bin/grep
  grep 2g0uv7npuhrlatd
  2⤵
  PID:1216
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1217
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1218
- /bin/grep
  grep nqscheduler
  2⤵
  PID:1221
- /bin/grep
  grep -v grep
  2⤵
  PID:1220
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1223
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1222
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1219
- /bin/grep
  grep rkebbwgqpl4npmm
  2⤵
  PID:1226
- /bin/grep
  grep -v grep
  2⤵
  PID:1225
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1228
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1227
- /bin/ps
  ps aux
  2⤵
  PID:1224
- /bin/grep
  grep -v aux
  2⤵
  PID:1231
- /bin/grep
  grep -v grep
  2⤵
  PID:1230
- /bin/ps
  ps aux
  2⤵
  PID:1229
- /bin/grep
  grep "]"
  2⤵
  PID:1232
- /usr/bin/awk
  awk "\$3>10.0{print \$2}"
  2⤵
  PID:1233
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1234
- /bin/grep
  grep 2fhtu70teuhtoh78jc5s
  2⤵
  PID:1239
- /bin/grep
  grep -v grep
  2⤵
  PID:1238
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1241
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1237
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1240
- /bin/grep
  grep 0kwti6ut420t
  2⤵
  PID:1245
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1246
- /bin/grep
  grep -v grep
  2⤵
  PID:1244
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1243
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1247
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1252
- /bin/grep
  grep 44ct7udt0patws3agkdfqnjm
  2⤵
  PID:1251
- /bin/grep
  grep -v grep
  2⤵
  PID:1250
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1253
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1249
- /bin/grep
  grep -v /
  2⤵
  PID:1258
- /bin/grep
  grep -v grep
  2⤵
  PID:1257
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1256
- /bin/grep
  grep -v -
  2⤵
  PID:1259
- /bin/grep
  grep -v _
  2⤵
  PID:1260
- /usr/bin/awk
  awk "length(\$11)>19{print \$2}"
  2⤵
  PID:1261
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1262
- /bin/grep
  grep "\\[^"
  2⤵
  PID:1267
- /bin/grep
  grep -v grep
  2⤵
  PID:1266
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1269
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1265
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1268
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1274
- /bin/grep
  grep rsync
  2⤵
  PID:1273
- /bin/grep
  grep -v grep
  2⤵
  PID:1272
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1275
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1271
- /bin/grep
  grep watchd0g
  2⤵
  PID:1279
- /bin/grep
  grep -v grep
  2⤵
  PID:1278
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1277
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1280
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1281
- /bin/grep
  grep -v grep
  2⤵
  PID:1285
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1284
- /bin/egrep
  egrep "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:1286
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1287
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1288
- /usr/local/sbin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:1286
- /usr/local/bin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:1286
- /usr/sbin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:1286
- /usr/bin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:1286
- /sbin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:1286
- /bin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:1286
- /bin/grep
  grep 158.69.133.18:8220
  2⤵
  PID:1293
- /bin/grep
  grep -v grep
  2⤵
  PID:1292
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1291
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1295
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1294
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1302
- /bin/ps
  ps aux
  2⤵
  PID:1298
- /bin/grep
  grep /tmp/java
  2⤵
  PID:1300
- /bin/grep
  grep -v grep
  2⤵
  PID:1299
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1301

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/log_rot

Filesize
5B

MD5
727479ef7cedf30c03459bec7d87b0f0

SHA1
2082e7f715f058acab2398d25d135cf5f4c0ce41

SHA256
29872037c9573567744ef10ed2de57864ded7554c9fa2ef03fc1244c65794ba6

SHA512
4cb59d37f8481f9bb2745f494baa0910a68aad40ac2903ef1513547e091e1e772a5f9436f789ab91fcafb75b8a28c2112ede89004be41f33c01d936b542ca6ba

Download Submit
/var/mail/user

Filesize
843B

MD5
7c3a4b706dcd7f098c0073d611251217

SHA1
f53be42e112cccd4007c3cfe1a13155afc84b436

SHA256
6744de8806b941f46309dcd0228d4b526ab792962fdc6ad92db7768ce7df8384

SHA512
8b23f51b699c48a2580835b662de38fbdd0b4d9c1420006ba4ee7e73614f3c498652f28eb41b745d1036e1b45f3edee78db07c7d3315b9d2a2936c2a9bfd23aa

Download Submit
/var/mail/user

Filesize
1KB

MD5
c726e1218e89257e3393d3d3a4c96994

SHA1
27f017b7558c93765cac683582e4b625a3af132e

SHA256
776a1eda6e95c253453f8c45aff53facc47b16a56d5989872da36ef04fd13f7c

SHA512
f8a9e15c9922cae0e50da7785fa024a08bf948a004e95246072aa77bc3d6ee255b6c32ee8fdd29b0274645af87956c26adabfd78f4a09bc89fb659524d9a7a94

Download Submit
/var/spool/exim4/input/1sTzxC-0000Bt-6d-D

Filesize
128B

MD5
8497b2878ffe1180cae17d28d86bff1d

SHA1
66da5beb5a6c363ef4305e46de565bfe3b640899

SHA256
b579eaee417cbec7082379a0a5dc706545068efdfad16ac9aa369f42be6ca6b6

SHA512
8c2e9c901276122dc1a1a4b7e69bcf46021a95da5374e1bac0ed1d465e36252beb8ccfc283c29dadb16f726efb59fd21b743e68ba7b8ccd61e3e561424f894c2

Download Submit
/var/spool/exim4/input/1sTzxC-0000Bw-6f-D

Filesize
146B

MD5
47a0baa16688cd24fa34e69cde609112

SHA1
a74188067b979789c24507b234f1728411d65233

SHA256
414cdd6d268d13f772d1216a08a0a08b02aa1a966a19524c1ea66ccb855e7e66

SHA512
9f5cf8964baab76d02eba13f6380a21878af3635e70a7e6b780544fbef1be912c9f9ade6a46d5ecbcd2ff15a7f273c3543996cbd50a48f6a009ba93c5516c917

Download Submit
/var/spool/exim4/input/1sTzxC-0000Bw-6f-J

Filesize
34B

MD5
d7d96d63d643a4ce3e408eba7dfcedc5

SHA1
c53607f95c5c57beafc1d8266646797a035f76ea

SHA256
21db3a59b2d0ce18fb250b787d6e2c85d12919f5fdf1448c8f48207c4083b159

SHA512
703a03e54776a6ad9b8adc6c475bbc91c06502618fa3b6f495b1a01a4f6f7aa6fb65dc6ba6885ddc6af961627062f1ce1e1d66688288cbd3bef7754d249fa9b3

Download Submit
/var/spool/exim4/input/hdr.737

Filesize
915B

MD5
c5e388a3b19c8c0953ffdd045066a146

SHA1
5505615846fc4163ab3aacb38970b197245a6664

SHA256
5c59d71a7e636c075897e691672e04d897bac2b814aa7d219077e861ab1a6609

SHA512
253a31f42c92ce294c1207ccad96bf24a753209273f90876be238019306156cc6808848450988545758e31caf84d49d4324504af61d01720be0d9f5bcf32ae8b

Download Submit
/var/spool/exim4/msglog/1sTzxC-0000Bt-6d

Filesize
288B

MD5
de389f4f42ea0506c7953fa75e5e5650

SHA1
bae28ec0edeb75c459e921d22b750297a42ca9b9

SHA256
9c194da81217f47f2516b1d067f7194b72296400b0020ef34cb961ebfa9494c5

SHA512
4f3d3a1d5c1a03f02487614b5310f2d2c80205f33f4e3383db31d96422a11a4efdf54dd4e603f37b3af2707d8f7b0b359f92513cfb18012279d0785876add40f

Download Submit
/var/spool/exim4/msglog/1sTzxC-0000Bt-6d

Filesize
89B

MD5
0110f939b7a325297337b125b761558f

SHA1
8494974e3443440905464dcbee99f536a77c8767

SHA256
3c98eb2856844d7ab16d577a040044364eb575846f9f0d5be6e48920a404540a

SHA512
4796b45755cc0fef03971c2714132fe3f936dbb4a118cf8bcefda46a645023948311c13840efc1e0de96004ce25c684cd12517047f623209365040270097ec65

Download Submit
/var/spool/exim4/msglog/1sTzxC-0000Bw-6f

Filesize
288B

MD5
02b6c10669f7f5eca13a0b7192a1cbd8

SHA1
816cd93b7e31de81e9962f54e92c83561f45e5ea

SHA256
cb80efcf2126ebf02166f94e8803c29edbc522a6534b22068586988d800df06f

SHA512
4a6484a5d709ae84a306c816d0cd0ddaee33123e7da6d38ebd139c860ea5f4107969bd9da64c95a1860c82ca40f87f0e936e3eb39bfd07c20f0cae9f5cad3265

Download Submit
/var/spool/exim4/msglog/1sTzxC-0000Bw-6f

Filesize
89B

MD5
47aee8c870a3240ca290a949faf8c2cd

SHA1
126d636ed95706143d1641ee41a28d1d4cd6350d

SHA256
f4165ff5a23927f9df0225cc0f2c44ecd4575b0fddb38aa6c98d52d21894ae3e

SHA512
e187a7dfb112dcc450a57c5772e35deb09659a78943c1486d1b054ede5c0699f4787a3cfbdb0e3ef5ea4d91224f5363dc676b38b806d3fc79dbb94359d18aec3

Download Submit