3c0e677024ea8554a0eed96c62ef39549cefebb44937d9c778926daac67d5495

Analysis

max time kernel
150s
max time network
11s
platform
debian-9_mipsel
resource
debian9-mipsel-20240226-en
resource tags

arch:mipselimage:debian9-mipsel-20240226-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipselsystem
submitted
27-09-2024 13:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa8008ca091d7d984279655e9bc577d8_JaffaCakes118
Size

30KB
MD5

fa8008ca091d7d984279655e9bc577d8
SHA1

2cb21f9e3473a1fb6e3718b2018d6eea5f6f5020
SHA256

3c0e677024ea8554a0eed96c62ef39549cefebb44937d9c778926daac67d5495
SHA512

138f3847581ed8730764453da36c9555dd669e0bf5efc0c6f2433d443afeb4419cd6f190d97417dfa47a8cde3ab145e75664e96b16aad991ab5f10bf8204d9db
SSDEEP

384:p7pQBDf6jlpTWg3vMGQiirhHwMyGj4CC9vEKMvU/4Qdre21jT58vKpG2Y0orcfKS:p78zQ5VFNcDAFLcIwgnoYq0xFBVZHttn

Score

7^/10

defense_evasion discovery privilege_escalation

Malware Config

Signatures

Flushes firewall rules 1 TTPs 1 IoCs
Flushes/ disables firewall rules inside the Linux kernel.
defense_evasion

Disable or Modify System Firewall
T1562.004

Processes:

iptables

pid process

721 iptables
Abuse Elevation Control Mechanism: Sudo and Sudo Caching 1 TTPs 1 IoCs
Abuse sudo or cached sudo credentials to execute code.
privilege_escalation defense_evasion

Sudo and Sudo Caching
T1548.003

Processes:

sudo

pid process

726 sudo

pid	process
721	iptables

pid	process
726	sudo

Attempts to change immutable files 64 IoCs

Modifies inode attributes on the filesystem to allow changing of immutable files.

Processes:

xargsxargsxargsxargsxargsxargsgrepxargsxargsxargsxargsxargsxargsxargsxargsxargsxargsxargsxargsxargschattrxargsxargsxargsxargsxargsxargsxargsxargsxargsxargsxargsxargsxargsxargsxargsxargsxargsxargsxargsxargsxargsxargsxargsxargsxargsxargsxargsxargsxargsxargsxargsxargsxargsxargsxargsxargsxargsxargsxargsxargschattrxargsxargs

pid	process
1475	xargs
803	xargs
1021	xargs
1366	xargs
1598	xargs
1608	xargs
759	grep
1414	xargs
1419	xargs
1402	xargs
1429	xargs
1454	xargs
1481	xargs
1577	xargs
1053	xargs
1225	xargs
1302	xargs
1618	xargs
1288	xargs
1469	xargs
747	chattr
785	xargs
1140	xargs
1487	xargs
1603	xargs
833	xargs
875	xargs
994	xargs
1493	xargs
1623	xargs
1628	xargs
851	xargs
955	xargs
1464	xargs
1196	xargs
1282	xargs
1459	xargs
815	xargs
827	xargs
1015	xargs
1340	xargs
1588	xargs
779	xargs
1034	xargs
1201	xargs
950	xargs
1353	xargs
1444	xargs
1115	xargs
1191	xargs
1248	xargs
1505	xargs
869	xargs
945	xargs
1079	xargs
1424	xargs
1553	xargs
1040	xargs
1295	xargs
1391	xargs
1151	xargs
713	chattr
839	xargs
900	xargs

Enumerates running processes
Discovers information about currently running processes on the system

Reads CPU attributes 1 TTPs 64 IoCs

discovery

System Information Discovery

T1082

Processes:

pspsexim4pspspkillpspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspsps

description	ioc	process
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	exim4
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pkill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps

Process Discovery 1 TTPs 64 IoCs

Adversaries may try to discover information about running processes.

discovery

Process Discovery

T1057

Processes:

pspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspsps

pid	process
946	ps
1004	ps
1030	ps
1500	ps
1409	ps
1524	ps
754	ps
1036	ps
1147	ps
1197	ps
964	ps
1231	ps
1506	ps
1599	ps
990	ps
1221	ps
1460	ps
1566	ps
1272	ps
1387	ps
1425	ps
1465	ps
1445	ps
1542	ps
1011	ps
1089	ps
1172	ps
1392	ps
1482	ps
1369	ps
1450	ps
1518	ps
1536	ps
936	ps
997	ps
1330	ps
1355	ps
951	ps
1131	ps
1136	ps
1336	ps
1488	ps
1548	ps
1081	ps
1167	ps
1177	ps
1202	ps
970	ps
1291	ps
1554	ps
1440	ps
1476	ps
1512	ps
1530	ps
1152	ps
758	ps
931	ps
1097	ps
1141	ps
1298	ps
1125	ps
1157	ps
884	ps
1056	ps

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

pspspspspspspspspspspspspspspkillpspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspsps

description	ioc	process
File opened for reading	/proc/8/status	ps
File opened for reading	/proc/5/status	ps
File opened for reading	/proc/711/status	ps
File opened for reading	/proc/10/cmdline	ps
File opened for reading	/proc/6/stat	ps
File opened for reading	/proc/73/status	ps
File opened for reading	/proc/165/status	ps
File opened for reading	/proc/324/stat	ps
File opened for reading	/proc/477/stat	ps
File opened for reading	/proc/144/cmdline	ps
File opened for reading	/proc/9/stat	ps
File opened for reading	/proc/8/stat	ps
File opened for reading	/proc/73/status	ps
File opened for reading	/proc/115/stat	ps
File opened for reading	/proc/1409/status	ps
File opened for reading	/proc/20/cmdline	ps
File opened for reading	/proc/15/cmdline	pkill
File opened for reading	/proc/4/stat	ps
File opened for reading	/proc/1/cmdline	ps
File opened for reading	/proc/514/status	ps
File opened for reading	/proc/1093/status	ps
File opened for reading	/proc/74/status	ps
File opened for reading	/proc/13/cmdline	ps
File opened for reading	/proc/707/cmdline	ps
File opened for reading	/proc/7/status	ps
File opened for reading	/proc/14/stat	ps
File opened for reading	/proc/74/stat	ps
File opened for reading	/proc/225/status	ps
File opened for reading	/proc/375/stat	ps
File opened for reading	/proc/705/stat	ps
File opened for reading	/proc/70/status	ps
File opened for reading	/proc/71/status	ps
File opened for reading	/proc/684/cmdline	ps
File opened for reading	/proc/4/cmdline	pkill
File opened for reading	/proc/79/stat	ps
File opened for reading	/proc/20/cmdline	ps
File opened for reading	/proc/82/status	ps
File opened for reading	/proc/22/status	ps
File opened for reading	/proc/144/cmdline	ps
File opened for reading	/proc/6/stat	ps
File opened for reading	/proc/23/status	ps
File opened for reading	/proc/69/status	ps
File opened for reading	/proc/943/stat	ps
File opened for reading	/proc/703/stat	ps
File opened for reading	/proc/8/status	ps
File opened for reading	/proc/73/status	ps
File opened for reading	/proc/703/stat	ps
File opened for reading	/proc/75/status	ps
File opened for reading	/proc/712/stat	ps
File opened for reading	/proc/320/status	ps
File opened for reading	/proc/36/stat	ps
File opened for reading	/proc/17/status	ps
File opened for reading	/proc/79/status	ps
File opened for reading	/proc/2/status	ps
File opened for reading	/proc/1/status	ps
File opened for reading	/proc/377/cmdline	ps
File opened for reading	/proc/6/cmdline	ps
File opened for reading	/proc/6/status	ps
File opened for reading	/proc/1393/cmdline	ps
File opened for reading	/proc/351/stat	ps
File opened for reading	/proc/7/stat	ps
File opened for reading	/proc/10/cmdline	ps
File opened for reading	/proc/1161/cmdline	ps
File opened for reading	/proc/377/cmdline	ps

System Network Configuration Discovery 1 TTPs 3 IoCs
Adversaries may gather information about the network configuration of a system.
discovery

System Network Configuration Discovery
T1016

Processes:

grepgrepgrep

pid process

1169 grep
1199 grep
1442 grep
Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.

Processes:

fa8008ca091d7d984279655e9bc577d8_JaffaCakes118

description ioc process

File opened for modification /tmp/log_rot fa8008ca091d7d984279655e9bc577d8_JaffaCakes118

pid	process
1169	grep
1199	grep
1442	grep

description	ioc	process
File opened for modification	/tmp/log_rot	fa8008ca091d7d984279655e9bc577d8_JaffaCakes118

/tmp/fa8008ca091d7d984279655e9bc577d8_JaffaCakes118
/tmp/fa8008ca091d7d984279655e9bc577d8_JaffaCakes118
1⤵
- Writes file to tmp directory
PID:707

/bin/rm
rm -rf /var/log/syslog
2⤵
PID:708

/usr/bin/chattr
chattr -iua /tmp/
2⤵
PID:709

/usr/bin/chattr
chattr -iua /var/tmp/
2⤵
- Attempts to change immutable files
PID:713

/usr/bin/chattr
chattr -R -i /var/spool/cron
2⤵
PID:717

/usr/bin/chattr
chattr -i /etc/crontab
2⤵
PID:719

/sbin/iptables
iptables -F
2⤵
- Flushes firewall rules
PID:721

/usr/bin/sudo
sudo sysctl "kernel.nmi_watchdog=0"
2⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
PID:726

/usr/sbin/sendmail
sendmail -t
3⤵
PID:735

/usr/sbin/exim4
/usr/sbin/exim4 -Mc 1su9Hi-0000Br-EC
4⤵
- Reads CPU attributes
PID:751

/usr/sbin/sendmail
sendmail -t
3⤵
PID:739

/usr/sbin/exim4
/usr/sbin/exim4 -Mc 1su9Hi-0000Bv-D1
4⤵
PID:750

/sbin/sysctl
sysctl "kernel.nmi_watchdog=0"
3⤵
PID:741

/usr/sbin/userdel
userdel akay
2⤵
PID:742

/usr/sbin/userdel
userdel vfinder
2⤵
PID:744

/usr/bin/chattr
chattr -iae /root/.ssh/
2⤵
PID:746

/usr/bin/chattr
chattr -iae /root/.ssh/authorized_keys
2⤵
- Attempts to change immutable files
PID:747

/bin/rm
rm -rf "/tmp/addres*"
2⤵
PID:748

/bin/rm
rm -rf "/tmp/walle*"
2⤵
PID:749

/bin/rm
rm -rf /tmp/keys
2⤵
PID:753

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Process Discovery
- Reads runtime system information
PID:754

/bin/grep
grep -i "[a]liyun"
2⤵
PID:755

/bin/grep
grep -i "[y]unjing"
2⤵
- Attempts to change immutable files
PID:759

/bin/ps
ps aux
2⤵
- Process Discovery
- Reads runtime system information
PID:758

/bin/grep
grep 185.71.65.238
2⤵
PID:763

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:764

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:765

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:767

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:771

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:770

/bin/grep
grep 140.82.52.87
2⤵
PID:769

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:772

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:777

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:776

/bin/grep
grep :143
2⤵
PID:775

/bin/grep
grep -v -
2⤵
PID:778

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:779

/bin/grep
grep :2222
2⤵
PID:781

/bin/grep
grep -v -
2⤵
PID:784

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:782

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:785

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:783

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:789

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:788

/bin/grep
grep :3333
2⤵
PID:787

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:791

/bin/grep
grep -v -
2⤵
PID:790

/bin/grep
grep :3389
2⤵
PID:793

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:795

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:794

/bin/grep
grep -v -
2⤵
PID:796

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:797

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:800

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:801

/bin/grep
grep :4444
2⤵
PID:799

/bin/grep
grep -v -
2⤵
PID:802

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:803

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:806

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:807

/bin/grep
grep -v -
2⤵
PID:808

/bin/grep
grep :5555
2⤵
PID:805

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:809

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:813

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:812

/bin/grep
grep :6666
2⤵
PID:811

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:815

/bin/grep
grep -v -
2⤵
PID:814

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:819

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:818

/bin/grep
grep :6665
2⤵
PID:817

/bin/grep
grep -v -
2⤵
PID:820

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:821

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:825

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:824

/bin/grep
grep :6667
2⤵
PID:823

/bin/grep
grep -v -
2⤵
PID:826

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:827

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:831

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:830

/bin/grep
grep :7777
2⤵
PID:829

/bin/grep
grep -v -
2⤵
PID:832

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:833

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:837

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:836

/bin/grep
grep :8444
2⤵
PID:835

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:839

/bin/grep
grep -v -
2⤵
PID:838

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:842

/bin/grep
grep :3347
2⤵
PID:841

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:843

/bin/grep
grep -v -
2⤵
PID:844

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:845

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:849

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:848

/bin/grep
grep :14444
2⤵
PID:847

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:851

/bin/grep
grep -v -
2⤵
PID:850

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:855

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:854

/bin/grep
grep :14433
2⤵
PID:853

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:857

/bin/grep
grep -v -
2⤵
PID:856

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:861

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:860

/bin/grep
grep :13531
2⤵
PID:859

/bin/grep
grep -v -
2⤵
PID:862

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:863

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:865

/bin/cat
cat /tmp/.X11-unix/01
2⤵
PID:864

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:867

/bin/cat
cat /tmp/.X11-unix/11
2⤵
PID:866

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:869

/bin/cat
cat /tmp/.X11-unix/22
2⤵
PID:868

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:871

/bin/cat
cat /tmp/.pg_stat.0
2⤵
PID:870

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:873

/bin/cat
cat /tmp/.pg_stat.1
2⤵
PID:872

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:875

/bin/cat
cat /data/./oka.pid
2⤵
PID:874

/usr/bin/pkill
pkill -f zsvc
2⤵
- Reads runtime system information
PID:876

/usr/bin/pkill
pkill -f pdefenderd
2⤵
- Reads CPU attributes
PID:877

/usr/bin/pkill
pkill -f updatecheckerd
2⤵
PID:878

/bin/grep
grep -v grep
2⤵
PID:881

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:882

/bin/grep
grep ./oka
2⤵
PID:880

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:883

/bin/ps
ps aux
2⤵
PID:879

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:887

/bin/grep
grep -v grep
2⤵
PID:886

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:888

/bin/grep
grep "postgres: autovacum"
2⤵
PID:885

/bin/ps
ps aux
2⤵
- Process Discovery
PID:884

/bin/grep
grep -v "\\["
2⤵
PID:892

/bin/grep
grep -v bin
2⤵
PID:891

/usr/bin/awk
awk "length(\$1) == 8"
2⤵
PID:890

/bin/ps
ps ax -o "command,pid" -www
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:889

/bin/grep
grep -v "("
2⤵
PID:893

/bin/grep
grep -v php-fpm
2⤵
PID:894

/bin/grep
grep -v proxymap
2⤵
PID:895

/bin/grep
grep -v postgres
2⤵
PID:896

/bin/grep
grep -v postgrey
2⤵
PID:897

/bin/grep
grep -v kinsing
2⤵
PID:898

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:899

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:900

/bin/grep
grep -v "\\["
2⤵
PID:907

/bin/grep
grep -v bin
2⤵
PID:906

/usr/bin/awk
awk "length(\$1) == 16"
2⤵
PID:905

/bin/ps
ps ax -o "command,pid" -www
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:904

/bin/grep
grep -v "("
2⤵
PID:908

/bin/grep
grep -v php-fpm
2⤵
PID:909

/bin/grep
grep -v proxymap
2⤵
PID:910

/bin/grep
grep -v postgres
2⤵
PID:911

/bin/grep
grep -v postgrey
2⤵
PID:912

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:913

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:914

/bin/grep
grep -v "\\["
2⤵
PID:918

/bin/grep
grep -v bin
2⤵
PID:917

/usr/bin/awk
awk "length(\$5) == 8"
2⤵
PID:916

/bin/grep
grep -v "("
2⤵
PID:919

/bin/ps
ps ax
2⤵
PID:915

/bin/grep
grep -v php-fpm
2⤵
PID:920

/bin/grep
grep -v proxymap
2⤵
PID:921

/bin/grep
grep -v postgres
2⤵
PID:922

/bin/grep
grep -v postgrey
2⤵
PID:923

/usr/bin/awk
awk "{print \$1}"
2⤵
PID:924

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:925

/bin/grep
grep /tmp/sscks
2⤵
PID:928

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:929

/bin/grep
grep -v grep
2⤵
PID:927

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:930

/bin/ps
ps aux
2⤵
PID:926

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:934

/bin/grep
grep -v grep
2⤵
PID:933

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:935

/bin/grep
grep "sleep 60"
2⤵
PID:932

/bin/ps
ps aux
2⤵
- Process Discovery
PID:931

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:939

/bin/grep
grep -v grep
2⤵
PID:938

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:940

/bin/grep
grep ./crun
2⤵
PID:937

/bin/ps
ps aux
2⤵
- Process Discovery
PID:936

/usr/bin/awk
awk "{if(\$3>80.0) print \$2}"
2⤵
PID:944

/bin/grep
grep -v grep
2⤵
PID:943

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:945

/bin/grep
grep -vw kdevtmpfsi
2⤵
PID:942

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:941

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:949

/bin/grep
grep :3333
2⤵
PID:948

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:950

/bin/grep
grep -v grep
2⤵
PID:947

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Process Discovery
- Reads runtime system information
PID:946

/bin/ps
ps aux
2⤵
- Process Discovery
PID:951

/bin/grep
grep -v grep
2⤵
PID:952

/bin/grep
grep :5555
2⤵
PID:953

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:954

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:955

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:961

/bin/grep
grep "kworker -c\\"
2⤵
PID:960

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:962

/bin/grep
grep -v grep
2⤵
PID:959

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:958

/bin/grep
grep log_
2⤵
PID:966

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:967

/bin/grep
grep -v grep
2⤵
PID:965

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:968

/bin/ps
ps aux
2⤵
- Process Discovery
PID:964

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:973

/bin/grep
grep systemten
2⤵
PID:972

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:974

/bin/grep
grep -v grep
2⤵
PID:971

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Process Discovery
PID:970

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:980

/bin/grep
grep netns
2⤵
PID:979

/bin/grep
grep -v grep
2⤵
PID:978

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:981

/usr/local/sbin/kill
kill -9 10
3⤵
PID:982

/usr/local/bin/kill
kill -9 10
3⤵
PID:982

/usr/sbin/kill
kill -9 10
3⤵
PID:982

/usr/bin/kill
kill -9 10
3⤵
PID:982

/sbin/kill
kill -9 10
3⤵
PID:982

/bin/kill
kill -9 10
3⤵
PID:982

/bin/ps
ps aux
2⤵
- Reads runtime system information
PID:977

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:987

/bin/grep
grep voltuned
2⤵
PID:986

/bin/grep
grep -v grep
2⤵
PID:985

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:988

/bin/ps
ps aux
2⤵
- Reads runtime system information
PID:984

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:993

/bin/grep
grep darwin
2⤵
PID:992

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:994

/bin/grep
grep -v grep
2⤵
PID:991

/bin/ps
ps aux
2⤵
- Process Discovery
PID:990

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1000

/bin/grep
grep /tmp/dl
2⤵
PID:999

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1001

/bin/grep
grep -v grep
2⤵
PID:998

/bin/ps
ps aux
2⤵
- Process Discovery
PID:997

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1008

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1007

/bin/grep
grep /tmp/ddg
2⤵
PID:1006

/bin/grep
grep -v grep
2⤵
PID:1005

/bin/ps
ps aux
2⤵
- Process Discovery
PID:1004

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1014

/bin/grep
grep /tmp/pprt
2⤵
PID:1013

/bin/grep
grep -v grep
2⤵
PID:1012

/bin/ps
ps aux
2⤵
- Process Discovery
PID:1011

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:1015

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1019

/bin/grep
grep /tmp/ppol
2⤵
PID:1018

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:1021

/bin/grep
grep -v grep
2⤵
PID:1017

/bin/ps
ps aux
2⤵
- Reads CPU attributes
PID:1016

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1026

/bin/grep
grep "/tmp/65ccE*"
2⤵
PID:1025

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1027

/bin/grep
grep -v grep
2⤵
PID:1024

/bin/ps
ps aux
2⤵
PID:1023

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:1034

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1033

/bin/grep
grep "/tmp/jmx*"
2⤵
PID:1032

/bin/grep
grep -v grep
2⤵
PID:1031

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Process Discovery
PID:1030

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:1040

/bin/ps
ps aux
2⤵
- Process Discovery
PID:1036

/bin/grep
grep -v grep
2⤵
PID:1037

/bin/grep
grep "/tmp/2Ne80*"
2⤵
PID:1038

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1039

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1045

/bin/grep
grep IOFoqIgyC0zmf2UR
2⤵
PID:1044

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1046

/bin/grep
grep -v grep
2⤵
PID:1043

/bin/ps
ps aux
2⤵
PID:1042

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1052

/bin/grep
grep 45.76.122.92
2⤵
PID:1051

/bin/grep
grep -v grep
2⤵
PID:1050

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:1053

/bin/ps
ps aux
2⤵
- Reads runtime system information
PID:1049

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1060

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1059

/bin/grep
grep 51.38.191.178
2⤵
PID:1058

/bin/grep
grep -v grep
2⤵
PID:1057

/bin/ps
ps aux
2⤵
- Process Discovery
- Reads runtime system information
PID:1056

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1065

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1064

/bin/grep
grep 51.15.56.161
2⤵
PID:1063

/bin/grep
grep -v grep
2⤵
PID:1062

/bin/ps
ps aux
2⤵
- Reads CPU attributes
PID:1061

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1072

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1071

/bin/grep
grep -v grep
2⤵
PID:1069

/bin/grep
grep 86s.jpg
2⤵
PID:1070

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:1068

/bin/grep
grep -v grep
2⤵
PID:1076

/bin/ps
ps aux
2⤵
- Reads CPU attributes
PID:1075

/bin/grep
grep aGTSGJJp
2⤵
PID:1077

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1078

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:1079

/bin/grep
grep nMrfmnRa
2⤵
PID:1083

/bin/grep
grep -v grep
2⤵
PID:1082

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1084

/bin/ps
ps aux
2⤵
- Process Discovery
PID:1081

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1085

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1093

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1092

/bin/grep
grep PuNY5tm2
2⤵
PID:1091

/bin/grep
grep -v grep
2⤵
PID:1090

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Process Discovery
- Reads runtime system information
PID:1089

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1101

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1100

/bin/grep
grep I0r8Jyyt
2⤵
PID:1099

/bin/grep
grep -v grep
2⤵
PID:1098

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Process Discovery
PID:1097

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1108

/bin/grep
grep AgdgACUD
2⤵
PID:1107

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1109

/bin/grep
grep -v grep
2⤵
PID:1106

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:1105

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:1115

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1114

/bin/grep
grep uiZvwxG8
2⤵
PID:1113

/bin/grep
grep -v grep
2⤵
PID:1112

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:1111

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1121

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1120

/bin/grep
grep hahwNEdB
2⤵
PID:1119

/bin/grep
grep -v grep
2⤵
PID:1118

/bin/ps
ps aux
2⤵
- Reads runtime system information
PID:1117

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1128

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1129

/bin/grep
grep BtwXn5qH
2⤵
PID:1127

/bin/grep
grep -v grep
2⤵
PID:1126

/bin/ps
ps aux
2⤵
- Process Discovery
- Reads runtime system information
PID:1125

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1135

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1134

/bin/grep
grep 3XEzey2T
2⤵
PID:1133

/bin/grep
grep -v grep
2⤵
PID:1132

/bin/ps
ps aux
2⤵
- Process Discovery
PID:1131

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1139

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:1140

/bin/grep
grep t2tKrCSZ
2⤵
PID:1138

/bin/grep
grep -v grep
2⤵
PID:1137

/bin/ps
ps aux
2⤵
- Process Discovery
- Reads runtime system information
PID:1136

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1145

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1144

/bin/grep
grep HD7fcBgg
2⤵
PID:1143

/bin/grep
grep -v grep
2⤵
PID:1142

/bin/ps
ps aux
2⤵
- Process Discovery
PID:1141

/bin/grep
grep zXcDajSs
2⤵
PID:1149

/bin/grep
grep -v grep
2⤵
PID:1148

/bin/ps
ps aux
2⤵
- Process Discovery
PID:1147

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:1151

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1150

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1155

/bin/grep
grep 3lmigMo
2⤵
PID:1154

/bin/grep
grep -v grep
2⤵
PID:1153

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Process Discovery
PID:1152

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1156

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1160

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1161

/bin/grep
grep AkMK4A2
2⤵
PID:1159

/bin/grep
grep -v grep
2⤵
PID:1158

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Process Discovery
- Reads runtime system information
PID:1157

/bin/grep
grep AJ2AkKe
2⤵
PID:1164

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1165

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1166

/bin/grep
grep -v grep
2⤵
PID:1163

/bin/ps
ps aux
2⤵
- Reads CPU attributes
PID:1162

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1170

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1171

/bin/grep
grep -v grep
2⤵
PID:1168

/bin/grep
grep HiPxCJRS
2⤵
- System Network Configuration Discovery
PID:1169

/bin/ps
ps aux
2⤵
- Process Discovery
- Reads runtime system information
PID:1167

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1176

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1175

/bin/grep
grep http_0xCC030
2⤵
PID:1174

/bin/grep
grep -v grep
2⤵
PID:1173

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Process Discovery
PID:1172

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1180

/bin/grep
grep http_0xCC031
2⤵
PID:1179

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1181

/bin/grep
grep -v grep
2⤵
PID:1178

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Process Discovery
PID:1177

/bin/grep
grep http_0xCC032
2⤵
PID:1184

/bin/grep
grep -v grep
2⤵
PID:1183

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:1182

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1186

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1185

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1190

/bin/grep
grep http_0xCC033
2⤵
PID:1189

/bin/grep
grep -v grep
2⤵
PID:1188

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:1191

/bin/ps
ps aux
2⤵
- Reads CPU attributes
PID:1187

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:1196

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1195

/bin/grep
grep C4iLM4L
2⤵
PID:1194

/bin/grep
grep -v grep
2⤵
PID:1193

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:1192

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:1201

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1200

/bin/grep
grep aziplcr72qjhzvin
2⤵
- System Network Configuration Discovery
PID:1199

/bin/grep
grep -v grep
2⤵
PID:1198

/bin/ps
ps aux
2⤵
- Process Discovery
PID:1197

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1205

/usr/bin/awk
awk "{ if(substr(\$11,1,2)==\"./\" && substr(\$12,1,2)==\"./\") print \$2 }"
2⤵
PID:1204

/bin/grep
grep -v grep
2⤵
PID:1203

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Process Discovery
PID:1202

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1209

/bin/grep
grep /boot/vmlinuz
2⤵
PID:1208

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1210

/bin/grep
grep -v grep
2⤵
PID:1207

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:1206

/bin/grep
grep i4b503a52cc5
2⤵
PID:1213

/bin/grep
grep -v grep
2⤵
PID:1212

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1214

/bin/ps
ps aux
2⤵
PID:1211

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1215

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1219

/bin/grep
grep dgqtrcst23rtdi3ldqk322j2
2⤵
PID:1218

/bin/grep
grep -v grep
2⤵
PID:1217

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1220

/bin/ps
ps aux
2⤵
- Reads runtime system information
PID:1216

/bin/grep
grep 2g0uv7npuhrlatd
2⤵
PID:1223

/bin/grep
grep -v grep
2⤵
PID:1222

/bin/ps
ps aux
2⤵
- Process Discovery
PID:1221

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1224

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:1225

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1229

/bin/grep
grep nqscheduler
2⤵
PID:1228

/bin/grep
grep -v grep
2⤵
PID:1227

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1230

/bin/ps
ps aux
2⤵
PID:1226

/bin/grep
grep rkebbwgqpl4npmm
2⤵
PID:1233

/bin/grep
grep -v grep
2⤵
PID:1232

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1234

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1235

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Process Discovery
PID:1231

/bin/grep
grep -v aux
2⤵
PID:1238

/bin/grep
grep "]"
2⤵
PID:1239

/bin/grep
grep -v grep
2⤵
PID:1237

/usr/bin/awk
awk "\$3>10.0{print \$2}"
2⤵
PID:1240

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1241

/bin/ps
ps aux
2⤵
- Reads CPU attributes
PID:1236

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1247

/bin/grep
grep 2fhtu70teuhtoh78jc5s
2⤵
PID:1246

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:1248

/bin/grep
grep -v grep
2⤵
PID:1245

/bin/ps
ps aux
2⤵
PID:1244

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1252

/bin/grep
grep 0kwti6ut420t
2⤵
PID:1251

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1253

/bin/grep
grep -v grep
2⤵
PID:1250

/bin/ps
ps aux
2⤵
PID:1249

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1259

/bin/grep
grep 44ct7udt0patws3agkdfqnjm
2⤵
PID:1258

/bin/grep
grep -v grep
2⤵
PID:1257

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1260

/bin/ps
ps aux
2⤵
- Reads runtime system information
PID:1256

/bin/grep
grep -v -
2⤵
PID:1266

/bin/grep
grep -v _
2⤵
PID:1267

/bin/grep
grep -v /
2⤵
PID:1265

/bin/grep
grep -v grep
2⤵
PID:1264

/usr/bin/awk
awk "length(\$11)>19{print \$2}"
2⤵
PID:1268

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:1263

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1269

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1275

/bin/grep
grep "\\[^"
2⤵
PID:1274

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1276

/bin/grep
grep -v grep
2⤵
PID:1273

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Process Discovery
PID:1272

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1281

/bin/grep
grep rsync
2⤵
PID:1280

/bin/grep
grep -v grep
2⤵
PID:1279

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:1282

/bin/ps
ps aux
2⤵
- Reads CPU attributes
PID:1278

/bin/grep
grep watchd0g
2⤵
PID:1286

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1287

/bin/grep
grep -v grep
2⤵
PID:1285

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:1288

/bin/ps
ps aux
2⤵
PID:1284

/bin/grep
grep -v grep
2⤵
PID:1292

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Process Discovery
PID:1291

/bin/egrep
egrep "wnTKYg|2t3ik|qW3xT.2|ddg"
2⤵
PID:1293

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1294

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:1295

/usr/local/sbin/grep
grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
2⤵
PID:1293

/usr/local/bin/grep
grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
2⤵
PID:1293

/usr/sbin/grep
grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
2⤵
PID:1293

/usr/bin/grep
grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
2⤵
PID:1293

/sbin/grep
grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
2⤵
PID:1293

/bin/grep
grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
2⤵
PID:1293

/bin/grep
grep 158.69.133.18:8220
2⤵
PID:1300

/bin/grep
grep -v grep
2⤵
PID:1299

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1301

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:1302

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Process Discovery
- Reads runtime system information
PID:1298

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1307

/bin/grep
grep /tmp/java
2⤵
PID:1306

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1308

/bin/grep
grep -v grep
2⤵
PID:1305

/bin/ps
ps aux
2⤵
- Reads runtime system information
PID:1304

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1314

/bin/grep
grep gitee.com
2⤵
PID:1313

/bin/grep
grep -v grep
2⤵
PID:1312

/bin/ps
ps aux
2⤵
PID:1311

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1315

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1320

/bin/grep
grep /tmp/java
2⤵
PID:1319

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1321

/bin/grep
grep -v grep
2⤵
PID:1318

/bin/ps
ps aux
2⤵
- Reads CPU attributes
PID:1317

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1327

/bin/grep
grep 104.248.4.162
2⤵
PID:1326

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1328

/bin/grep
grep -v grep
2⤵
PID:1325

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:1324

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1334

/bin/grep
grep -v grep
2⤵
PID:1331

/bin/grep
grep 89.35.39.78
2⤵
PID:1332

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1333

/bin/ps
ps aux
2⤵
- Process Discovery
- Reads runtime system information
PID:1330

/bin/grep
grep /dev/shm/z3.sh
2⤵
PID:1338

/bin/grep
grep -v grep
2⤵
PID:1337

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1339

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:1340

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Process Discovery
- Reads runtime system information
PID:1336

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1346

/bin/grep
grep kthrotlds
2⤵
PID:1345

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1347

/bin/grep
grep -v grep
2⤵
PID:1344

/bin/ps
ps aux
2⤵
PID:1343

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1352

/bin/grep
grep ksoftirqds
2⤵
PID:1351

/bin/grep
grep -v grep
2⤵
PID:1350

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:1353

/bin/ps
ps aux
2⤵
- Reads CPU attributes
PID:1349

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1358

/bin/grep
grep netdns
2⤵
PID:1357

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1359

/bin/grep
grep -v grep
2⤵
PID:1356

/bin/ps
ps aux
2⤵
- Process Discovery
PID:1355

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1365

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:1366

/bin/grep
grep -v grep
2⤵
PID:1363

/bin/grep
grep watchdogs
2⤵
PID:1364

/bin/ps
ps aux
2⤵
- Reads CPU attributes
PID:1362

/bin/grep
grep -v root
2⤵
PID:1371

/bin/grep
grep -v dblaunch
2⤵
PID:1372

/bin/grep
grep -v grep
2⤵
PID:1370

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Process Discovery
- Reads runtime system information
PID:1369

/bin/grep
grep -v dblaunchs
2⤵
PID:1373

/bin/grep
grep -v dblaunched
2⤵
PID:1374

/bin/grep
grep -v apache2
2⤵
PID:1375

/bin/grep
grep -v atd
2⤵
PID:1376

/bin/grep
grep -v kdevtmpfsi
2⤵
PID:1377

/bin/grep
grep -v postgresq1
2⤵
PID:1378

/usr/bin/awk
awk "\$3>80.0{print \$2}"
2⤵
PID:1379

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1380

/bin/grep
grep " ps"
2⤵
PID:1384

/bin/grep
grep -v aux
2⤵
PID:1383

/bin/grep
grep -v grep
2⤵
PID:1382

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1385

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1386

/bin/ps
ps aux
2⤵
PID:1381

/bin/grep
grep sync_supers
2⤵
PID:1389

/bin/grep
grep -v grep
2⤵
PID:1388

/bin/ps
ps aux
2⤵
- Process Discovery
- Reads runtime system information
PID:1387

/usr/bin/cut
cut -c 9-15
2⤵
PID:1390

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:1391

/usr/bin/cut
cut -c 9-15
2⤵
PID:1395

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1396

/bin/grep
grep cpuset
2⤵
PID:1394

/bin/grep
grep -v grep
2⤵
PID:1393

/bin/ps
ps aux
2⤵
- Process Discovery
- Reads runtime system information
PID:1392

/bin/grep
grep -v aux
2⤵
PID:1399

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1401

/bin/grep
grep "x]"
2⤵
PID:1400

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:1402

/bin/grep
grep -v grep
2⤵
PID:1398

/bin/ps
ps aux
2⤵
- Reads runtime system information
PID:1397

/bin/grep
grep "sh] <"
2⤵
PID:1406

/bin/grep
grep -v aux
2⤵
PID:1405

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1407

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1408

/bin/grep
grep -v grep
2⤵
PID:1404

/bin/ps
ps aux
2⤵
PID:1403

/bin/grep
grep " \\[]"
2⤵
PID:1412

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1413

/bin/grep
grep -v aux
2⤵
PID:1411

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:1414

/bin/grep
grep -v grep
2⤵
PID:1410

/bin/ps
ps aux
2⤵
- Process Discovery
- Reads runtime system information
PID:1409

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1418

/bin/grep
grep /tmp/l.sh
2⤵
PID:1417

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:1419

/bin/grep
grep -v grep
2⤵
PID:1416

/bin/ps
ps aux
2⤵
- Reads CPU attributes
PID:1415

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:1424

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1423

/bin/grep
grep /tmp/zmcat
2⤵
PID:1422

/bin/grep
grep -v grep
2⤵
PID:1421

/bin/ps
ps aux
2⤵
PID:1420

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1428

/bin/grep
grep hahwNEdB
2⤵
PID:1427

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:1429

/bin/grep
grep -v grep
2⤵
PID:1426

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Process Discovery
PID:1425

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1433

/bin/grep
grep CnzFVPLF
2⤵
PID:1432

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1434

/bin/grep
grep -v grep
2⤵
PID:1431

/bin/ps
ps aux
2⤵
- Reads CPU attributes
PID:1430

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1438

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1439

/bin/grep
grep CvKzzZLs
2⤵
PID:1437

/bin/grep
grep -v grep
2⤵
PID:1436

/bin/ps
ps aux
2⤵
- Reads CPU attributes
PID:1435

/bin/grep
grep aziplcr72qjhzvin
2⤵
- System Network Configuration Discovery
PID:1442

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1443

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:1444

/bin/grep
grep -v grep
2⤵
PID:1441

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Process Discovery
PID:1440

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1448

/bin/grep
grep /tmp/udevd
2⤵
PID:1447

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1449

/bin/grep
grep -v grep
2⤵
PID:1446

/bin/ps
ps aux
2⤵
- Process Discovery
- Reads runtime system information
PID:1445

/bin/ps
ps aux
2⤵
- Process Discovery
PID:1450

/bin/grep
grep KCBjdXJsIC1vIC0gaHR0cDovLzg5LjIyMS41Mi4xMjIvcy5zaCApIHwgYmFzaCA
2⤵
PID:1452

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1453

/bin/grep
grep -v grep
2⤵
PID:1451

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:1454

/bin/grep
grep Y3VybCAtcyBodHRwOi8vMTA3LjE3NC40Ny4xNTYvbXIuc2ggfCBiYXNoIC1zaAo
2⤵
PID:1457

/bin/grep
grep -v grep
2⤵
PID:1456

/bin/ps
ps aux
2⤵
PID:1455

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1458

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:1459

/bin/ps
ps aux
2⤵
- Process Discovery
PID:1460

/bin/grep
grep -v grep
2⤵
PID:1461

/bin/grep
grep sustse
2⤵
PID:1462

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:1464

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1463

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Process Discovery
PID:1465

/bin/grep
grep -v grep
2⤵
PID:1466

/bin/grep
grep sustse3
2⤵
PID:1467

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1468

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:1469

/bin/grep
grep wget
2⤵
PID:1473

/bin/grep
grep mr.sh
2⤵
PID:1472

/bin/grep
grep -v grep
2⤵
PID:1471

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1474

/bin/ps
ps aux
2⤵
- Reads CPU attributes
PID:1470

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:1475

/bin/grep
grep curl
2⤵
PID:1479

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1480

/bin/grep
grep mr.sh
2⤵
PID:1478

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:1481

/bin/grep
grep -v grep
2⤵
PID:1477

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Process Discovery
PID:1476

/bin/grep
grep 2mr.sh
2⤵
PID:1484

/bin/grep
grep -v grep
2⤵
PID:1483

/bin/grep
grep wget
2⤵
PID:1485

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:1487

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1486

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Process Discovery
PID:1482

/bin/grep
grep 2mr.sh
2⤵
PID:1490

/bin/grep
grep curl
2⤵
PID:1491

/bin/grep
grep -v grep
2⤵
PID:1489

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1492

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:1493

/bin/ps
ps aux
2⤵
- Process Discovery
- Reads runtime system information
PID:1488

/bin/grep
grep wget
2⤵
PID:1497

/bin/grep
grep cr5.sh
2⤵
PID:1496

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1498

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1499

/bin/grep
grep -v grep
2⤵
PID:1495

/bin/ps
ps aux
2⤵
PID:1494

/bin/grep
grep curl
2⤵
PID:1503

/bin/grep
grep cr5.sh
2⤵
PID:1502

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1504

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:1505

/bin/grep
grep -v grep
2⤵
PID:1501

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Process Discovery
PID:1500

/bin/grep
grep logo9.jpg
2⤵
PID:1508

/bin/grep
grep wget
2⤵
PID:1509

/bin/grep
grep -v grep
2⤵
PID:1507

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1510

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1511

/bin/ps
ps aux
2⤵
- Process Discovery
PID:1506

/bin/grep
grep -v grep
2⤵
PID:1513

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Process Discovery
- Reads runtime system information
PID:1512

/bin/grep
grep logo9.jpg
2⤵
PID:1514

/bin/grep
grep curl
2⤵
PID:1515

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1517

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1516

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1521

/bin/grep
grep j2.conf
2⤵
PID:1520

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1522

/bin/grep
grep -v grep
2⤵
PID:1519

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Process Discovery
PID:1518

/bin/grep
grep luk-cpu
2⤵
PID:1526

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1528

/bin/grep
grep wget
2⤵
PID:1527

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1529

/bin/grep
grep -v grep
2⤵
PID:1525

/bin/ps
ps aux
2⤵
- Process Discovery
PID:1524

/bin/grep
grep curl
2⤵
PID:1533

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1534

/bin/grep
grep luk-cpu
2⤵
PID:1532

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1535

/bin/grep
grep -v grep
2⤵
PID:1531

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Process Discovery
PID:1530

/bin/grep
grep wget
2⤵
PID:1539

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1540

/bin/grep
grep ficov
2⤵
PID:1538

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1541

/bin/grep
grep -v grep
2⤵
PID:1537

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Process Discovery
PID:1536

/bin/grep
grep ficov
2⤵
PID:1544

/bin/grep
grep -v grep
2⤵
PID:1543

/bin/grep
grep curl
2⤵
PID:1545

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1546

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1547

/bin/ps
ps aux
2⤵
- Process Discovery
PID:1542

/bin/grep
grep wget
2⤵
PID:1551

/bin/grep
grep he.sh
2⤵
PID:1550

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1552

/bin/grep
grep -v grep
2⤵
PID:1549

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:1553

/bin/ps
ps aux
2⤵
- Process Discovery
PID:1548

/bin/grep
grep he.sh
2⤵
PID:1556

/bin/grep
grep curl
2⤵
PID:1557

/bin/grep
grep -v grep
2⤵
PID:1555

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1558

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1559

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Process Discovery
PID:1554

/bin/grep
grep miner.sh
2⤵
PID:1562

/bin/grep
grep wget
2⤵
PID:1563

/bin/grep
grep -v grep
2⤵
PID:1561

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1564

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1565

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:1560

/bin/grep
grep miner.sh
2⤵
PID:1568

/bin/grep
grep curl
2⤵
PID:1569

/bin/grep
grep -v grep
2⤵
PID:1567

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1570

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1571

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Process Discovery
- Reads runtime system information
PID:1566

/bin/grep
grep wget
2⤵
PID:1575

/bin/grep
grep nullcrew
2⤵
PID:1574

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1576

/bin/grep
grep -v grep
2⤵
PID:1573

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:1577

/bin/ps
ps aux
2⤵
- Reads CPU attributes
PID:1572

/bin/grep
grep nullcrew
2⤵
PID:1580

/bin/grep
grep curl
2⤵
PID:1581

/bin/grep
grep -v grep
2⤵
PID:1579

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1583

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1582

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:1578

/bin/grep
grep 107.174.47.156
2⤵
PID:1586

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1587

/bin/grep
grep -v grep
2⤵
PID:1585

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:1588

/bin/ps
ps aux
2⤵
- Reads CPU attributes
PID:1584

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1592

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1593

/bin/grep
grep 83.220.169.247
2⤵
PID:1591

/bin/grep
grep -v grep
2⤵
PID:1590

/bin/ps
ps aux
2⤵
- Reads runtime system information
PID:1589

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1597

/bin/grep
grep 51.38.203.146
2⤵
PID:1596

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:1598

/bin/grep
grep -v grep
2⤵
PID:1595

/bin/ps
ps aux
2⤵
PID:1594

/bin/grep
grep 144.217.45.45
2⤵
PID:1601

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1602

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:1603

/bin/grep
grep -v grep
2⤵
PID:1600

/bin/ps
ps aux
2⤵
- Process Discovery
PID:1599

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1607

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:1608

/bin/grep
grep 107.174.47.181
2⤵
PID:1606

/bin/grep
grep -v grep
2⤵
PID:1605

/bin/ps
ps aux
2⤵
- Reads CPU attributes
PID:1604

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1612

/bin/grep
grep 176.31.6.16
2⤵
PID:1611

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1613

/bin/grep
grep -v grep
2⤵
PID:1610

/bin/ps
ps aux
2⤵
- Reads runtime system information
PID:1609

/bin/grep
grep mine.moneropool.com
2⤵
PID:1616

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1617

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:1618

/bin/grep
grep -v grep
2⤵
PID:1615

/bin/ps
ps auxf
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:1614

/bin/grep
grep pool.t00ls.ru
2⤵
PID:1621

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1622

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:1623

/bin/grep
grep -v grep
2⤵
PID:1620

/bin/ps
ps auxf
2⤵
PID:1619

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1627

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:1628

/bin/grep
grep xmr.crypto-pool.fr:8080
2⤵
PID:1626

/bin/grep
grep -v grep
2⤵
PID:1625

/bin/ps
ps auxf
2⤵
- Reads runtime system information
PID:1624

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1632

/bin/grep
grep xmr.crypto-pool.fr:3333
2⤵
PID:1631

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1633

/bin/grep
grep -v grep
2⤵
PID:1630

/bin/ps
ps auxf
2⤵
- Reads CPU attributes
PID:1629

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1637

/bin/grep
grep "[email protected]"
2⤵
PID:1636

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1638

/bin/grep
grep -v grep
2⤵
PID:1635

/bin/ps
ps auxf
2⤵
PID:1634

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Sudo and Sudo Caching

T1548.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Sudo and Sudo Caching

T1548.003

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/log_rot

Filesize
5B

MD5
727479ef7cedf30c03459bec7d87b0f0

SHA1
2082e7f715f058acab2398d25d135cf5f4c0ce41

SHA256
29872037c9573567744ef10ed2de57864ded7554c9fa2ef03fc1244c65794ba6

SHA512
4cb59d37f8481f9bb2745f494baa0910a68aad40ac2903ef1513547e091e1e772a5f9436f789ab91fcafb75b8a28c2112ede89004be41f33c01d936b542ca6ba

Download Submit
/var/mail/user

Filesize
825B

MD5
f0e912b6e7a573a4a3c4a7003a4ced38

SHA1
53d1876437a1abd48a8bd0fcfc8b678c40cc4484

SHA256
0d238fb4152f913a27de7b7fd66dc04aa1354399761f7dea6569b7acaf2c861f

SHA512
1b82f8e69542d26f93c1cbd9d49ed9210fbc09fe796b180f7be5902836f36dbe83d4aec7dee5c1acb81c52deb712757539caa05ce507dad4198e98065e82d378

Download Submit
/var/mail/user

Filesize
1KB

MD5
4e9fec05b09a35ed10a16832d0f3b8fd

SHA1
4d3c4803b039285a7f2b44c5adfdb5784bba123c

SHA256
7fb818984e6f60733254689f6c5a1918d45661f00ddbc972b3e610cdd35a9857

SHA512
03c9bd627c0feab369c807be74bb554e366a85ca9e88969d0a4d86c3980c94146a8dffd93252b15f1c811afa9a2ab08681bdd9fe2326a3abdc935dc198555119

Download Submit
/var/spool/exim4/input/1su9Hi-0000Br-EC-D

Filesize
128B

MD5
201742f5479df4deefd406d93c19a44c

SHA1
78af9eccaafbbc1993ae7d168f3c14b435d07951

SHA256
076587060c61a2863e5384e48686b2cbe3a998ec4df358092a6158feaaf7da6e

SHA512
d4259b321f8987adea6c53fd39b360c51a538bead37ec55089c65bb1e1526f29202c6a62237a295ef894999abb92b5ac39a689d52f90f32b33d3e3b15f912528

Download Submit
/var/spool/exim4/input/1su9Hi-0000Br-EC-J

Filesize
34B

MD5
d7d96d63d643a4ce3e408eba7dfcedc5

SHA1
c53607f95c5c57beafc1d8266646797a035f76ea

SHA256
21db3a59b2d0ce18fb250b787d6e2c85d12919f5fdf1448c8f48207c4083b159

SHA512
703a03e54776a6ad9b8adc6c475bbc91c06502618fa3b6f495b1a01a4f6f7aa6fb65dc6ba6885ddc6af961627062f1ce1e1d66688288cbd3bef7754d249fa9b3

Download Submit
/var/spool/exim4/input/1su9Hi-0000Bv-D1-D

Filesize
146B

MD5
7b1dd5fca0c8a14898a67287e4a6741c

SHA1
e5b7b64711e200261cdb8ce2e00bb6338f62db2b

SHA256
13f69c3b59c03587798078a4e8305981831cc5d9fd70b44101309b807d3047c0

SHA512
3b14b84d279713376ee687543558bb5782af160c27b2138610e1b71afde0cf4ae9e364b50cf2024ea7dde8f8f2b5a66b1c30d87f9366ab93b66c1dad2ff293c7

Download Submit
/var/spool/exim4/input/hdr.735

Filesize
915B

MD5
9c773eaa488c60d297a0dc4a24ab3cf4

SHA1
d659a715816e94e6f7ef161cc6056814c0b01739

SHA256
557d415b0af016e6374a4b9daa735dbd2d25d29aca956dab2fd0b946f1f9b18d

SHA512
9d9d2303ef9c976c2c06fbd34ce409dd8686c1b8373b61c7d37c82d085229d0029e3878993311ee5fb43532f3da051f868137be509cb6c0c12c8bf9ff2bdca33

Download Submit
/var/spool/exim4/msglog/1su9Hi-0000Br-EC

Filesize
288B

MD5
6d4f49ec76f0de39db44b6022ef1a7c0

SHA1
ea38d772932cc2c13eca71ce1e040b637d349630

SHA256
7843b5041519ad864f57cbb01df25bfc2e83604e4cfd3eeda104093972edf64e

SHA512
a2fb6a428c1721c6649126f1935b56a1c6c85afc5d993faf8d9184c763a9d20f666f3ae1879949e1d37053c8fe03953893b18e6369915f11498c64d0aa26bdaa

Download Submit
/var/spool/exim4/msglog/1su9Hi-0000Br-EC

Filesize
89B

MD5
ae2a780663b87383f042baa517969eae

SHA1
71f6773b371d6e1c9229efc6cd897ba29bf145cd

SHA256
4df0376329169bf0393ecf5b8561028681edeccbdd46da00b957ef63b7f08b36

SHA512
ee3d0380552c9d9875afcae422193ddc8317cae73d837e5ee7336b39f428ec3130342410f3cf9a98cf13b900657997593cbdb527027be22021348f999863a109

Download Submit
/var/spool/exim4/msglog/1su9Hi-0000Bv-D1

Filesize
288B

MD5
8affc803947ce754e49e2dc179a7d3e0

SHA1
694e49ed8611deee87be57aec65661d6335a972e

SHA256
fe064b5cd6c12527443da51b8e6b5ccf73aa458cd9d7650c4997d86f96ae491d

SHA512
b295744c98efa94b852f325242f775906b0967f5f14751890fd9875d6af2b277b0117ffac9a26fb0a5da0b5c38843fd4e19c8662554037b218de2f840286d818

Download Submit
/var/spool/exim4/msglog/1su9Hi-0000Bv-D1

Filesize
89B

MD5
59e5f246705aa32417d7d84423e9bbb3

SHA1
1d05948704eab1ec7efa2516db63a8a45581909e

SHA256
30aa0d24fd4346b8cd53d7db70096b1881f7ae861ca162a88c00f98b9121ab3f

SHA512
fb61526f540c83fc82c886f89ca4768337881ce761829c60a38878dfc979a6c3a517123d84cfa222abeccd525e6ce8f9798ca63c1df5ac18d47e027edf5610f8

Download Submit