I was cleaning out a client's site that got hacked after I had cleaned it once already, when I found a cron job pointing to a script in the server /tmp director