8e27b76b3903312cc5e93f250d7cf90b7b999592d70dcf2922bb450023014006

General

Target

pg.sh
Size

35KB
MD5

2550990d2d52581b213e7c9305c392d3
SHA1

f7f069915c9b97550dc1fb6cf631f6222416dcf5
SHA256

8e27b76b3903312cc5e93f250d7cf90b7b999592d70dcf2922bb450023014006
SHA512

a30d4a39203e6a98937e8670b7b3caaa63d2141fdf404bb28ca240d95cb7420bdfb8c695db81cc9c799e8818266600c137b8b0df2dfc69d7566bae64eee2ad50
SSDEEP

768:X87XzQ5VFNcDAFLcIwgnoYq0xFB6ytguz:X3VF+D6cIwgos/z

Score

7^/10

evasion rootkit

Malware Config

Signatures

Deletes system logs 1 TTPs 1 IoCs
Deletes log file which contains global system messages. Adversaries may delete system logs to minimize their footprint.
evasion

Indicator Removal
T1070

Processes:

rm

description ioc process

File deleted /var/log/syslog rm
Flushes firewall rules 2 IoCs
Flushes/ disables firewall rules inside the Linux kernel.

Processes:

ufwiptables

pid process

1544 ufw
1719 iptables
Loads a kernel module 1 IoCs
Loads a Linux kernel module, potentially to achieve persistence
rootkit

Processes:

modprobe

ioc pid process

/lib/modules/4.15.0-213-generic/kernel/net/ipv6/netfilter/ip6_tables.ko 1551 modprobe

description	ioc	process
File deleted	/var/log/syslog	rm

pid	process
1544	ufw
1719	iptables

ioc	pid	process
/lib/modules/4.15.0-213-generic/kernel/net/ipv6/netfilter/ip6_tables.ko	1551	modprobe

Attempts to change immutable files 49 IoCs

Modifies inode attributes on the filesystem to allow changing of immutable files.

Processes:

chattriptablesip6tablesip6tablesip6tablesip6tablesip6tablesiptablesiptableschattriptablesip6tablesiptablesiptablesip6tablesiptablesiptablesiptableschattriptablesiptablesiptablesip6tablesip6tablesip6tablesiptablesiptablesiptablesip6tablesip6tablesip6tablesiptablesip6tablesufw-initip6tablesip6tableschattriptablesiptablesiptablesip6tableschattriptablesiptablesip6tableschattrip6tablesip6tablesip6tables

pid	process
1541	chattr
1569	iptables
1649	ip6tables
1673	ip6tables
1641	ip6tables
1680	ip6tables
1705	ip6tables
1600	iptables
1566	iptables
1542	chattr
1629	iptables
1676	ip6tables
1599	iptables
1632	iptables
1677	ip6tables
1592	iptables
1595	iptables
1598	iptables
1543	chattr
1565	iptables
1580	iptables
1596	iptables
1644	ip6tables
1678	ip6tables
1713	ip6tables
1560	iptables
1567	iptables
1601	iptables
1681	ip6tables
1682	ip6tables
1693	ip6tables
1612	iptables
1679	ip6tables
1549	ufw-init
1647	ip6tables
1710	ip6tables
1540	chattr
1563	iptables
1564	iptables
1597	iptables
1646	ip6tables
1724	chattr
1568	iptables
1624	iptables
1648	ip6tables
1725	chattr
1645	ip6tables
1650	ip6tables
1661	ip6tables

Enumerates kernel/hardware configuration 1 TTPs 2 IoCs
Reads contents of /sys virtual filesystem to enumerate system information.

System Information Discovery
T1082

Processes:

modprobe

description ioc process

File opened for reading /sys/module/x_tables/initstate modprobe
File opened for reading /sys/module/ip6_tables/initstate modprobe

description	ioc	process
File opened for reading	/sys/module/x_tables/initstate	modprobe
File opened for reading	/sys/module/ip6_tables/initstate	modprobe

Reads runtime system information 64 IoCs

Reads data from /proc virtual filesystem.

Processes:

lslslslslssudolslslslslslslslslslslslslslslslslslsip6tableslslslslsuserdellslslslslslslslslsuserdellslsls

description	ioc	process
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/1123	ls
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/filesystems	sudo
File opened for reading	/proc/1059	ls
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/1127	ls
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/1169	ls
File opened for reading	/proc/1181	ls
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/1037	ls
File opened for reading	/proc/1187	ls
File opened for reading	/proc/1188	ls
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/1072	ls
File opened for reading	/proc/1086	ls
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/1152	ls
File opened for reading	/proc/sys/kernel/modprobe	ip6tables
File opened for reading	/proc/sys/kernel/ngroups_max	sudo
File opened for reading	/proc/1156	ls
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/1144	ls
File opened for reading	/proc/1099	ls
File opened for reading	/proc/115	ls
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/1186	ls
File opened for reading	/proc/filesystems	userdel
File opened for reading	/proc/1023	ls
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/1131	ls
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/1173	ls
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/1056	ls
File opened for reading	/proc/1149	ls
File opened for reading	/proc/1189	ls
File opened for reading	/proc/self/fd
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/1115	ls
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/1184	ls
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/12	ls
File opened for reading	/proc/filesystems	userdel
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/1168	ls
File opened for reading	/proc/10	ls
File opened for reading	/proc/filesystems	ls
File opened for reading	/proc/1114	ls

Writes file to tmp directory 1 IoCs
Malware often drops required files in the /tmp directory.

Processes:

pg.sh

description ioc process

File opened for modification /tmp/log_rot pg.sh

description	ioc	process
File opened for modification	/tmp/log_rot	pg.sh

/tmp/pg.sh
/tmp/pg.sh
1⤵
- Writes file to tmp directory
PID:1538

/bin/rm
rm -rf /var/log/syslog
2⤵
- Deletes system logs
PID:1539

/usr/bin/chattr
chattr -iua /tmp/
2⤵
- Attempts to change immutable files
PID:1540

/usr/bin/chattr
chattr -iua /var/tmp/
2⤵
- Attempts to change immutable files
PID:1541

/usr/bin/chattr
chattr -R -i /var/spool/cron
2⤵
- Attempts to change immutable files
PID:1542

/usr/bin/chattr
chattr -i /etc/crontab
2⤵
- Attempts to change immutable files
PID:1543

/usr/sbin/ufw
ufw disable
2⤵
- Flushes firewall rules
PID:1544

/sbin/iptables
/sbin/iptables -V
3⤵
PID:1548

/lib/ufw/ufw-init
/lib/ufw/ufw-init force-stop
3⤵
- Attempts to change immutable files
PID:1549

/sbin/ip6tables
ip6tables -L INPUT -n
4⤵
- Reads runtime system information
PID:1550

/sbin/modprobe
/sbin/modprobe ip6_tables
5⤵
- Loads a kernel module
- Enumerates kernel/hardware configuration
PID:1551

/sbin/iptables
iptables -F ufw-logging-deny
4⤵
PID:1555

/sbin/iptables
iptables -F ufw-logging-allow
4⤵
PID:1558

/sbin/iptables
iptables -F ufw-not-local
4⤵
PID:1559

/sbin/iptables
iptables -F ufw-user-logging-input
4⤵
- Attempts to change immutable files
PID:1560

/sbin/iptables
iptables -F ufw-user-limit-accept
4⤵
PID:1561

/sbin/iptables
iptables -F ufw-user-limit
4⤵
PID:1562

/sbin/iptables
iptables -F ufw-skip-to-policy-input
4⤵
- Attempts to change immutable files
PID:1563

/sbin/iptables
iptables -F ufw-reject-input
4⤵
- Attempts to change immutable files
PID:1564

/sbin/iptables
iptables -F ufw-after-logging-input
4⤵
- Attempts to change immutable files
PID:1565

/sbin/iptables
iptables -F ufw-after-input
4⤵
- Attempts to change immutable files
PID:1566

/sbin/iptables
iptables -F ufw-user-input
4⤵
- Attempts to change immutable files
PID:1567

/sbin/iptables
iptables -F ufw-before-input
4⤵
- Attempts to change immutable files
PID:1568

/sbin/iptables
iptables -F ufw-before-logging-input
4⤵
- Attempts to change immutable files
PID:1569

/sbin/iptables
iptables -F ufw-skip-to-policy-forward
4⤵
PID:1570

/sbin/iptables
iptables -F ufw-reject-forward
4⤵
PID:1571

/sbin/iptables
iptables -F ufw-after-logging-forward
4⤵
PID:1572

/sbin/iptables
iptables -F ufw-after-forward
4⤵
PID:1573

/sbin/iptables
iptables -F ufw-user-logging-forward
4⤵
PID:1574

/sbin/iptables
iptables -F ufw-user-forward
4⤵
PID:1575

/sbin/iptables
iptables -F ufw-before-forward
4⤵
PID:1576

/sbin/iptables
iptables -F ufw-before-logging-forward
4⤵
PID:1577

/sbin/iptables
iptables -F ufw-track-forward
4⤵
PID:1578

/sbin/iptables
iptables -F ufw-track-output
4⤵
PID:1579

/sbin/iptables
iptables -F ufw-track-input
4⤵
- Attempts to change immutable files
PID:1580

/sbin/iptables
iptables -F ufw-skip-to-policy-output
4⤵
PID:1581

/sbin/iptables
iptables -F ufw-reject-output
4⤵
PID:1582

/sbin/iptables
iptables -F ufw-after-logging-output
4⤵
PID:1583

/sbin/iptables
iptables -F ufw-after-output
4⤵
PID:1584

/sbin/iptables
iptables -F ufw-user-logging-output
4⤵
PID:1585

/sbin/iptables
iptables -F ufw-user-output
4⤵
PID:1586

/sbin/iptables
iptables -F ufw-before-output
4⤵
PID:1587

/sbin/iptables
iptables -F ufw-before-logging-output
4⤵
PID:1588

/sbin/iptables
iptables -Z ufw-logging-deny
4⤵
PID:1589

/sbin/iptables
iptables -Z ufw-logging-allow
4⤵
PID:1590

/sbin/iptables
iptables -Z ufw-not-local
4⤵
PID:1591

/sbin/iptables
iptables -Z ufw-user-logging-input
4⤵
- Attempts to change immutable files
PID:1592

/sbin/iptables
iptables -Z ufw-user-limit-accept
4⤵
PID:1593

/sbin/iptables
iptables -Z ufw-user-limit
4⤵
PID:1594

/sbin/iptables
iptables -Z ufw-skip-to-policy-input
4⤵
- Attempts to change immutable files
PID:1595

/sbin/iptables
iptables -Z ufw-reject-input
4⤵
- Attempts to change immutable files
PID:1596

/sbin/iptables
iptables -Z ufw-after-logging-input
4⤵
- Attempts to change immutable files
PID:1597

/sbin/iptables
iptables -Z ufw-after-input
4⤵
- Attempts to change immutable files
PID:1598

/sbin/iptables
iptables -Z ufw-user-input
4⤵
- Attempts to change immutable files
PID:1599

/sbin/iptables
iptables -Z ufw-before-input
4⤵
- Attempts to change immutable files
PID:1600

/sbin/iptables
iptables -Z ufw-before-logging-input
4⤵
- Attempts to change immutable files
PID:1601

/sbin/iptables
iptables -Z ufw-skip-to-policy-forward
4⤵
PID:1602

/sbin/iptables
iptables -Z ufw-reject-forward
4⤵
PID:1603

/sbin/iptables
iptables -Z ufw-after-logging-forward
4⤵
PID:1604

/sbin/iptables
iptables -Z ufw-after-forward
4⤵
PID:1605

/sbin/iptables
iptables -Z ufw-user-logging-forward
4⤵
PID:1606

/sbin/iptables
iptables -Z ufw-user-forward
4⤵
PID:1607

/sbin/iptables
iptables -Z ufw-before-forward
4⤵
PID:1608

/sbin/iptables
iptables -Z ufw-before-logging-forward
4⤵
PID:1609

/sbin/iptables
iptables -Z ufw-track-forward
4⤵
PID:1610

/sbin/iptables
iptables -Z ufw-track-output
4⤵
PID:1611

/sbin/iptables
iptables -Z ufw-track-input
4⤵
- Attempts to change immutable files
PID:1612

/sbin/iptables
iptables -Z ufw-skip-to-policy-output
4⤵
PID:1613

/sbin/iptables
iptables -Z ufw-reject-output
4⤵
PID:1614

/sbin/iptables
iptables -Z ufw-after-logging-output
4⤵
PID:1615

/sbin/iptables
iptables -Z ufw-after-output
4⤵
PID:1616

/sbin/iptables
iptables -Z ufw-user-logging-output
4⤵
PID:1617

/sbin/iptables
iptables -Z ufw-user-output
4⤵
PID:1618

/sbin/iptables
iptables -Z ufw-before-output
4⤵
PID:1619

/sbin/iptables
iptables -Z ufw-before-logging-output
4⤵
PID:1620

/sbin/iptables
iptables -X ufw-logging-deny
4⤵
PID:1621

/sbin/iptables
iptables -X ufw-logging-allow
4⤵
PID:1622

/sbin/iptables
iptables -X ufw-not-local
4⤵
PID:1623

/sbin/iptables
iptables -X ufw-user-logging-input
4⤵
- Attempts to change immutable files
PID:1624

/sbin/iptables
iptables -X ufw-user-logging-output
4⤵
PID:1625

/sbin/iptables
iptables -X ufw-user-logging-forward
4⤵
PID:1626

/sbin/iptables
iptables -X ufw-user-limit-accept
4⤵
PID:1627

/sbin/iptables
iptables -X ufw-user-limit
4⤵
PID:1628

/sbin/iptables
iptables -X ufw-user-input
4⤵
- Attempts to change immutable files
PID:1629

/sbin/iptables
iptables -X ufw-user-forward
4⤵
PID:1630

/sbin/iptables
iptables -X ufw-user-output
4⤵
PID:1631

/sbin/iptables
iptables -X ufw-skip-to-policy-input
4⤵
- Attempts to change immutable files
PID:1632

/sbin/iptables
iptables -X ufw-skip-to-policy-output
4⤵
PID:1633

/sbin/iptables
iptables -X ufw-skip-to-policy-forward
4⤵
PID:1634

/sbin/iptables
iptables -P INPUT ACCEPT
4⤵
PID:1635

/sbin/iptables
iptables -P OUTPUT ACCEPT
4⤵
PID:1636

/sbin/iptables
iptables -P FORWARD ACCEPT
4⤵
PID:1637

/sbin/ip6tables
ip6tables -F ufw6-logging-deny
4⤵
PID:1638

/sbin/ip6tables
ip6tables -F ufw6-logging-allow
4⤵
PID:1639

/sbin/ip6tables
ip6tables -F ufw6-not-local
4⤵
PID:1640

/sbin/ip6tables
ip6tables -F ufw6-user-logging-input
4⤵
- Attempts to change immutable files
PID:1641

/sbin/ip6tables
ip6tables -F ufw6-user-limit-accept
4⤵
PID:1642

/sbin/ip6tables
ip6tables -F ufw6-user-limit
4⤵
PID:1643

/sbin/ip6tables
ip6tables -F ufw6-skip-to-policy-input
4⤵
- Attempts to change immutable files
PID:1644

/sbin/ip6tables
ip6tables -F ufw6-reject-input
4⤵
- Attempts to change immutable files
PID:1645

/sbin/ip6tables
ip6tables -F ufw6-after-logging-input
4⤵
- Attempts to change immutable files
PID:1646

/sbin/ip6tables
ip6tables -F ufw6-after-input
4⤵
- Attempts to change immutable files
PID:1647

/sbin/ip6tables
ip6tables -F ufw6-user-input
4⤵
- Attempts to change immutable files
PID:1648

/sbin/ip6tables
ip6tables -F ufw6-before-input
4⤵
- Attempts to change immutable files
PID:1649

/sbin/ip6tables
ip6tables -F ufw6-before-logging-input
4⤵
- Attempts to change immutable files
PID:1650

/sbin/ip6tables
ip6tables -F ufw6-skip-to-policy-forward
4⤵
PID:1651

/sbin/ip6tables
ip6tables -F ufw6-reject-forward
4⤵
PID:1652

/sbin/ip6tables
ip6tables -F ufw6-after-logging-forward
4⤵
PID:1653

/sbin/ip6tables
ip6tables -F ufw6-after-forward
4⤵
PID:1654

/sbin/ip6tables
ip6tables -F ufw6-user-logging-forward
4⤵
PID:1655

/sbin/ip6tables
ip6tables -F ufw6-user-forward
4⤵
PID:1656

/sbin/ip6tables
ip6tables -F ufw6-before-forward
4⤵
PID:1657

/sbin/ip6tables
ip6tables -F ufw6-before-logging-forward
4⤵
PID:1658

/sbin/ip6tables
ip6tables -F ufw6-track-forward
4⤵
PID:1659

/sbin/ip6tables
ip6tables -F ufw6-track-output
4⤵
PID:1660

/sbin/ip6tables
ip6tables -F ufw6-track-input
4⤵
- Attempts to change immutable files
PID:1661

/sbin/ip6tables
ip6tables -F ufw6-skip-to-policy-output
4⤵
PID:1662

/sbin/ip6tables
ip6tables -F ufw6-reject-output
4⤵
PID:1663

/sbin/ip6tables
ip6tables -F ufw6-after-logging-output
4⤵
PID:1664

/sbin/ip6tables
ip6tables -F ufw6-after-output
4⤵
PID:1665

/sbin/ip6tables
ip6tables -F ufw6-user-logging-output
4⤵
PID:1666

/sbin/ip6tables
ip6tables -F ufw6-user-output
4⤵
PID:1667

/sbin/ip6tables
ip6tables -F ufw6-before-output
4⤵
PID:1668

/sbin/ip6tables
ip6tables -F ufw6-before-logging-output
4⤵
PID:1669

/sbin/ip6tables
ip6tables -Z ufw6-logging-deny
4⤵
PID:1670

/sbin/ip6tables
ip6tables -Z ufw6-logging-allow
4⤵
PID:1671

/sbin/ip6tables
ip6tables -Z ufw6-not-local
4⤵
PID:1672

/sbin/ip6tables
ip6tables -Z ufw6-user-logging-input
4⤵
- Attempts to change immutable files
PID:1673

/sbin/ip6tables
ip6tables -Z ufw6-user-limit-accept
4⤵
PID:1674

/sbin/ip6tables
ip6tables -Z ufw6-user-limit
4⤵
PID:1675

/sbin/ip6tables
ip6tables -Z ufw6-skip-to-policy-input
4⤵
- Attempts to change immutable files
PID:1676

/sbin/ip6tables
ip6tables -Z ufw6-reject-input
4⤵
- Attempts to change immutable files
PID:1677

/sbin/ip6tables
ip6tables -Z ufw6-after-logging-input
4⤵
- Attempts to change immutable files
PID:1678

/sbin/ip6tables
ip6tables -Z ufw6-after-input
4⤵
- Attempts to change immutable files
PID:1679

/sbin/ip6tables
ip6tables -Z ufw6-user-input
4⤵
- Attempts to change immutable files
PID:1680

/sbin/ip6tables
ip6tables -Z ufw6-before-input
4⤵
- Attempts to change immutable files
PID:1681

/sbin/ip6tables
ip6tables -Z ufw6-before-logging-input
4⤵
- Attempts to change immutable files
PID:1682

/sbin/ip6tables
ip6tables -Z ufw6-skip-to-policy-forward
4⤵
PID:1683

/sbin/ip6tables
ip6tables -Z ufw6-reject-forward
4⤵
PID:1684

/sbin/ip6tables
ip6tables -Z ufw6-after-logging-forward
4⤵
PID:1685

/sbin/ip6tables
ip6tables -Z ufw6-after-forward
4⤵
PID:1686

/sbin/ip6tables
ip6tables -Z ufw6-user-logging-forward
4⤵
PID:1687

/sbin/ip6tables
ip6tables -Z ufw6-user-forward
4⤵
PID:1688

/sbin/ip6tables
ip6tables -Z ufw6-before-forward
4⤵
PID:1689

/sbin/ip6tables
ip6tables -Z ufw6-before-logging-forward
4⤵
PID:1690

/sbin/ip6tables
ip6tables -Z ufw6-track-forward
4⤵
PID:1691

/sbin/ip6tables
ip6tables -Z ufw6-track-output
4⤵
PID:1692

/sbin/ip6tables
ip6tables -Z ufw6-track-input
4⤵
- Attempts to change immutable files
PID:1693

/sbin/ip6tables
ip6tables -Z ufw6-skip-to-policy-output
4⤵
PID:1694

/sbin/ip6tables
ip6tables -Z ufw6-reject-output
4⤵
PID:1695

/sbin/ip6tables
ip6tables -Z ufw6-after-logging-output
4⤵
PID:1696

/sbin/ip6tables
ip6tables -Z ufw6-after-output
4⤵
PID:1697

/sbin/ip6tables
ip6tables -Z ufw6-user-logging-output
4⤵
PID:1698

/sbin/ip6tables
ip6tables -Z ufw6-user-output
4⤵
PID:1699

/sbin/ip6tables
ip6tables -Z ufw6-before-output
4⤵
PID:1700

/sbin/ip6tables
ip6tables -Z ufw6-before-logging-output
4⤵
PID:1701

/sbin/ip6tables
ip6tables -X ufw6-logging-deny
4⤵
PID:1702

/sbin/ip6tables
ip6tables -X ufw6-logging-allow
4⤵
PID:1703

/sbin/ip6tables
ip6tables -X ufw6-not-local
4⤵
PID:1704

/sbin/ip6tables
ip6tables -X ufw6-user-logging-input
4⤵
- Attempts to change immutable files
PID:1705

/sbin/ip6tables
ip6tables -X ufw6-user-logging-output
4⤵
PID:1706

/sbin/ip6tables
ip6tables -X ufw6-user-logging-forward
4⤵
PID:1707

/sbin/ip6tables
ip6tables -X ufw6-user-limit-accept
4⤵
PID:1708

/sbin/ip6tables
ip6tables -X ufw6-user-limit
4⤵
PID:1709

/sbin/ip6tables
ip6tables -X ufw6-user-input
4⤵
- Attempts to change immutable files
PID:1710

/sbin/ip6tables
ip6tables -X ufw6-user-forward
4⤵
PID:1711

/sbin/ip6tables
ip6tables -X ufw6-user-output
4⤵
PID:1712

/sbin/ip6tables
ip6tables -X ufw6-skip-to-policy-input
4⤵
- Attempts to change immutable files
PID:1713

/sbin/ip6tables
ip6tables -X ufw6-skip-to-policy-output
4⤵
PID:1714

/sbin/ip6tables
ip6tables -X ufw6-skip-to-policy-forward
4⤵
PID:1715

/sbin/ip6tables
ip6tables -P INPUT ACCEPT
4⤵
PID:1716

/sbin/ip6tables
ip6tables -P OUTPUT ACCEPT
4⤵
PID:1717

/sbin/ip6tables
ip6tables -P FORWARD ACCEPT
4⤵
PID:1718

/sbin/iptables
iptables -F
2⤵
- Flushes firewall rules
PID:1719

/usr/bin/sudo
sudo sysctl "kernel.nmi_watchdog=0"
2⤵
- Reads runtime system information
PID:1720

/sbin/sysctl
sysctl "kernel.nmi_watchdog=0"
3⤵
PID:1721

/usr/sbin/userdel
userdel akay
2⤵
- Reads runtime system information
PID:1722

/usr/sbin/userdel
userdel vfinder
2⤵
- Reads runtime system information
PID:1723

/usr/bin/chattr
chattr -iae /root/.ssh/
2⤵
- Attempts to change immutable files
PID:1724

/usr/bin/chattr
chattr -iae /root/.ssh/authorized_keys
2⤵
- Attempts to change immutable files
PID:1725

/bin/rm
rm -rf "/tmp/addres*"
2⤵
PID:1726

/bin/rm
rm -rf "/tmp/walle*"
2⤵
PID:1727

/bin/rm
rm -rf /tmp/keys
2⤵
PID:1728

/bin/grep
grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
2⤵
PID:1733

/bin/grep
grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
2⤵
PID:1738

/bin/grep
grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
2⤵
PID:1743

/bin/grep
grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
2⤵
PID:1748

/bin/grep
grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
2⤵
PID:1753

/bin/grep
grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
2⤵
PID:1758

/bin/grep
grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
2⤵
PID:1763

/bin/grep
grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
2⤵
PID:1768

/bin/grep
grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
2⤵
PID:1773

/bin/grep
grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
2⤵
PID:1778

/bin/grep
grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
2⤵
PID:1783

/bin/grep
grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
2⤵
PID:1788

/bin/grep
grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
2⤵
PID:1793

/bin/grep
grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
2⤵
PID:1798

/bin/grep
grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
2⤵
PID:1803

/bin/grep
grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
2⤵
PID:1808

/bin/grep
grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
2⤵
PID:1813

/bin/grep
grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
2⤵
PID:1818

/bin/grep
grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
2⤵
PID:1823

/bin/grep
grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
2⤵
PID:1828

/bin/grep
grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
2⤵
PID:1833

/bin/grep
grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
2⤵
PID:1838

/bin/grep
grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
2⤵
PID:1843

/bin/grep
grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
2⤵
PID:1848

/bin/grep
grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
2⤵
PID:1853

/bin/grep
grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
2⤵
PID:1858

/bin/grep
grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
2⤵
PID:1863

/bin/grep
grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
2⤵
PID:1868

/bin/grep
grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
2⤵
PID:1873

/bin/grep
grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
2⤵
PID:1878

/bin/grep
grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
2⤵
PID:1883

/bin/grep
grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
2⤵
PID:1888

/bin/grep
grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
2⤵
PID:1893

/bin/grep
grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
2⤵
PID:1898

/bin/grep
grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
2⤵
PID:1903

/bin/grep
grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
2⤵
PID:1908

/bin/grep
grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
2⤵
PID:1913

/bin/grep
grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
2⤵
PID:1918

/bin/grep
grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
2⤵
PID:1923

/bin/grep
grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
2⤵
PID:1928

/bin/grep
grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
2⤵
PID:1933

/bin/grep
grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
2⤵
PID:1938

/bin/grep
grep -q "/var/lib/postgresql/data/pоstgres\\|atlas.x86\\|dotsh\\|/tmp/systemd-private-\\|bin/sysinit\\|.bin/xorg\\|nine.x86\\|data/pg_mem\\|/var/lib/postgresql/data/.*/memory\\|/var/tmp/.bin/systemd\\|balder\\|sys/systemd\\|rtw88_pcied\\|.bin/x\\|httpd_watchdog\\|/var/Sofia\\|3caec218-ce42-42da-8f58-970b22d131e9\\|/tmp/watchdog\\|cpu_hu\\|/tmp/Manager\\|/tmp/manh\\|/tmp/agettyd\\|/var/tmp/java\\|/var/lib/postgresql/data/pоstmaster\\|/memfd\\|/var/lib/postgresql/data/pgdata/pоstmaster\\|/tmp/.metabase/metabasew"
2⤵
PID:1944

/bin/ls
ls -latrh /proc/1
1⤵
PID:1730

/bin/grep
grep exe
1⤵
PID:1731

/bin/ls
ls -latrh /proc/10
1⤵
- Reads runtime system information
PID:1735

/bin/grep
grep exe
1⤵
PID:1736

/bin/ls
ls -latrh /proc/1018
1⤵
- Reads runtime system information
PID:1740

/bin/grep
grep exe
1⤵
PID:1741

/bin/ls
ls -latrh /proc/1023
1⤵
- Reads runtime system information
PID:1745

/bin/grep
grep exe
1⤵
PID:1746

/bin/ls
ls -latrh /proc/1037
1⤵
- Reads runtime system information
PID:1750

/bin/grep
grep exe
1⤵
PID:1751

/bin/ls
ls -latrh /proc/1043
1⤵
- Reads runtime system information
PID:1755

/bin/grep
grep exe
1⤵
PID:1756

/bin/ls
ls -latrh /proc/1056
1⤵
- Reads runtime system information
PID:1760

/bin/grep
grep exe
1⤵
PID:1761

/bin/ls
ls -latrh /proc/1059
1⤵
- Reads runtime system information
PID:1765

/bin/grep
grep exe
1⤵
PID:1766

/bin/ls
ls -latrh /proc/1067
1⤵
PID:1770

/bin/grep
grep exe
1⤵
PID:1771

/bin/ls
ls -latrh /proc/1069
1⤵
- Reads runtime system information
PID:1775

/bin/grep
grep exe
1⤵
PID:1776

/bin/ls
ls -latrh /proc/1072
1⤵
- Reads runtime system information
PID:1780

/bin/grep
grep exe
1⤵
PID:1781

/bin/ls
ls -latrh /proc/1081
1⤵
- Reads runtime system information
PID:1785

/bin/grep
grep exe
1⤵
PID:1786

/bin/ls
ls -latrh /proc/1086
1⤵
- Reads runtime system information
PID:1790

/bin/grep
grep exe
1⤵
PID:1791

/bin/grep
grep exe
1⤵
PID:1796

/bin/ls
ls -latrh /proc/1091
1⤵
- Reads runtime system information
PID:1795

/bin/ls
ls -latrh /proc/1099
1⤵
- Reads runtime system information
PID:1800

/bin/grep
grep exe
1⤵
PID:1801

/bin/ls
ls -latrh /proc/11
1⤵
- Reads runtime system information
PID:1805

/bin/grep
grep exe
1⤵
PID:1806

/bin/ls
ls -latrh /proc/1114
1⤵
- Reads runtime system information
PID:1810

/bin/grep
grep exe
1⤵
PID:1811

/bin/ls
ls -latrh /proc/1115
1⤵
- Reads runtime system information
PID:1815

/bin/grep
grep exe
1⤵
PID:1816

/bin/ls
ls -latrh /proc/1123
1⤵
- Reads runtime system information
PID:1820

/bin/grep
grep exe
1⤵
PID:1821

/bin/grep
grep exe
1⤵
PID:1826

/bin/ls
ls -latrh /proc/1127
1⤵
- Reads runtime system information
PID:1825

/bin/ls
ls -latrh /proc/1131
1⤵
- Reads runtime system information
PID:1830

/bin/grep
grep exe
1⤵
PID:1831

/bin/ls
ls -latrh /proc/1135
1⤵
- Reads runtime system information
PID:1835

/bin/grep
grep exe
1⤵
PID:1836

/bin/ls
ls -latrh /proc/1139
1⤵
PID:1840

/bin/grep
grep exe
1⤵
PID:1841

/bin/ls
ls -latrh /proc/1144
1⤵
- Reads runtime system information
PID:1845

/bin/grep
grep exe
1⤵
PID:1846

/bin/grep
grep exe
1⤵
PID:1851

/bin/ls
ls -latrh /proc/1148
1⤵
- Reads runtime system information
PID:1850

/bin/ls
ls -latrh /proc/1149
1⤵
- Reads runtime system information
PID:1855

/bin/grep
grep exe
1⤵
PID:1856

/bin/ls
ls -latrh /proc/115
1⤵
- Reads runtime system information
PID:1860

/bin/grep
grep exe
1⤵
PID:1861

/bin/ls
ls -latrh /proc/1152
1⤵
- Reads runtime system information
PID:1865

/bin/grep
grep exe
1⤵
PID:1866

/bin/ls
ls -latrh /proc/1154
1⤵
- Reads runtime system information
PID:1870

/bin/grep
grep exe
1⤵
PID:1871

/bin/ls
ls -latrh /proc/1156
1⤵
- Reads runtime system information
PID:1875

/bin/grep
grep exe
1⤵
PID:1876

/bin/ls
ls -latrh /proc/1162
1⤵
PID:1880

/bin/grep
grep exe
1⤵
PID:1881

/bin/grep
grep exe
1⤵
PID:1886

/bin/ls
ls -latrh /proc/1167
1⤵
- Reads runtime system information
PID:1885

/bin/ls
ls -latrh /proc/1168
1⤵
- Reads runtime system information
PID:1890

/bin/grep
grep exe
1⤵
PID:1891

/bin/ls
ls -latrh /proc/1169
1⤵
- Reads runtime system information
PID:1895

/bin/grep
grep exe
1⤵
PID:1896

/bin/ls
ls -latrh /proc/1173
1⤵
- Reads runtime system information
PID:1900

/bin/grep
grep exe
1⤵
PID:1901

/bin/grep
grep exe
1⤵
PID:1906

/bin/ls
ls -latrh /proc/1181
1⤵
- Reads runtime system information
PID:1905

/bin/ls
ls -latrh /proc/1184
1⤵
- Reads runtime system information
PID:1910

/bin/grep
grep exe
1⤵
PID:1911

/bin/ls
ls -latrh /proc/1186
1⤵
- Reads runtime system information
PID:1915

/bin/grep
grep exe
1⤵
PID:1916

/bin/ls
ls -latrh /proc/1187
1⤵
- Reads runtime system information
PID:1920

/bin/grep
grep exe
1⤵
PID:1921

/bin/ls
ls -latrh /proc/1188
1⤵
- Reads runtime system information
PID:1925

/bin/grep
grep exe
1⤵
PID:1926

/bin/ls
ls -latrh /proc/1189
1⤵
- Reads runtime system information
PID:1930

/bin/grep
grep exe
1⤵
PID:1931

/bin/grep
grep exe
1⤵
PID:1936

/bin/ls
ls -latrh /proc/1193
1⤵
- Reads runtime system information
PID:1935

/bin/ls
ls -latrh /proc/12
1⤵
- Reads runtime system information
PID:1940

/bin/grep
grep exe
1⤵
PID:1941

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

1

T1070

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

/tmp/log_rot
Filesize
5B

MD5
727479ef7cedf30c03459bec7d87b0f0

SHA1
2082e7f715f058acab2398d25d135cf5f4c0ce41

SHA256
29872037c9573567744ef10ed2de57864ded7554c9fa2ef03fc1244c65794ba6

SHA512
4cb59d37f8481f9bb2745f494baa0910a68aad40ac2903ef1513547e091e1e772a5f9436f789ab91fcafb75b8a28c2112ede89004be41f33c01d936b542ca6ba

Download Submit

Resubmissions

Analysis

Sharing