Linux Analysis Report
Aqua.x86-20240507-1844.elf

Overview

General Information

Sample name: Aqua.x86-20240507-1844.elf
Analysis ID: 1437719
MD5: 7a5c8222fbb9db66a2022383049feb75
SHA1: 37bda45a0588e62524ff9ef5eff0ce7c40f48935
SHA256: d5735eeba77fd0cb5f71a458528b8b9e0ca6055b9bfc1c5ee457fc3a760320b0

Detection

Mirai
Score: 92
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Mirai
Machine Learning detection for sample
Queries the IP of a very long domain name
Sample deletes itself
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to kill multiple processes (SIGKILL)
Creates hidden files and/or directories
Creates hidden files without content (potentially used as a mutex)
Deletes log files
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Executes commands using a shell command-line interpreter
Executes the "grep" command used to find patterns in files or piped streams
Executes the "kill" or "pkill" command typically used to terminate processes
Found strings indicative of a multi-platform dropper
Reads CPU information from /sys indicative of miner or evasive malware
Reads system information from the proc file system
Reads system version information
Reads the 'hosts' file potentially containing internal network hosts
Sample has stripped symbol table
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

Name: Mirai
Description: Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

AV Detection

Source: Aqua.x86-20240507-1844.elf Avira: detected
Source: Aqua.x86-20240507-1844.elf ReversingLabs: Detection: 50%
Source: Aqua.x86-20240507-1844.elf Joe Sandbox ML: detected
Source: /usr/bin/pulseaudio (PID: 5607) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 5697) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5783) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 5956) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5986) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 5989) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6163) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6320) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6419) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6574) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6666) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6758) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 6770) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 6787) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 6931) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6936) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: Aqua.x86-20240507-1844.elf String: EOF/proc//proc/%s/cmdlinewgetcurlftpechokillbashrebootshutdownhaltpoweroff/fdsocket/proc/%s/stat/proc/proc/%d/exe/proc/%d/stat%d %s %c %d/proc/%d/maps/var/run/mnt/root/var/tmp/boot/bin/sbin/../(deleted)/homedbgmpslmipselmipsarmarm4arm5arm6arm7sh4m68kx86x586x86_64i586i686ppcspc[locker] killed process: %s ;; pid: %d

Networking

Source: unknown DNS traffic detected: query: net.kovey-net.lol.v:fJV66a/PV!E(kx 5|2Zv:fVNNPV!a
Source: unknown DNS traffic detected: query: net.kovey-net.lol.v:f66a/PV!E(e):H 5V2Zv:fNNPV!a
Source: unknown DNS traffic detected: query: net.kovey-net.lol.v:f 66a/PV!E(Nx 52Zv:fg NNPV!a
Source: unknown DNS traffic detected: query: net.kovey-net.lol.v:fI JJPV!a/E<O@@2 Y5; qv v:f0.66
Source: unknown DNS traffic detected: query: net.kovey-net.lol.v:fx66a/PV!E(":# 5w2Zv:fpxJJPV!a
Source: unknown DNS traffic detected: query: net.kovey-net.lol.w:f 66a/PV!E(@9Y 5'Pw:ft JJPV!a
Source: unknown DNS traffic detected: query: net.kovey-net.lol.w:fZ66a/PV!E(x 5_w:fNNPV!a
Source: unknown DNS traffic detected: query: net.kovey-net.lol.w:f* 66a/PV!E(@9Y 5K5Pqw:f1 JJPV!a
Source: unknown DNS traffic detected: query: net.kovey-net.lol.w:fX/66a/PV!E(7: 5"w:f/NNPV!a
Source: unknown DNS traffic detected: query: net.kovey-net.lol.w:fe66a/PV!E(@9Y 54CPw:f3lJJPV!a
Source: global traffic TCP traffic: 192.168.2.13:44728 -> 89.190.156.145:7733
Source: global traffic TCP traffic: 192.168.2.13:44594 -> 94.156.8.76:33966
Source: /usr/sbin/rsyslogd (PID: 5606) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 5691) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 5813) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 5891) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 5987) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 6071) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 6141) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 6157) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 6234) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 6301) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 6315) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 6332) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 6401) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 6415) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 6490) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 6559) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 6572) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 6586) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 6652) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 6663) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 6744) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 6756) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 6783) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 6861) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 6934) Reads hosts file: /etc/hosts
Source: /lib/systemd/systemd-journald (PID: 5886) Socket: <unknown socket type>:unknown
Source: /lib/systemd/systemd-journald (PID: 5965) Socket: <unknown socket type>:unknown
Source: /lib/systemd/systemd-journald (PID: 6080) Socket: <unknown socket type>:unknown
Source: /lib/systemd/systemd-journald (PID: 6240) Socket: <unknown socket type>:unknown
Source: /lib/systemd/systemd-journald (PID: 6338) Socket: <unknown socket type>:unknown
Source: /lib/systemd/systemd-journald (PID: 6497) Socket: <unknown socket type>:unknown
Source: /lib/systemd/systemd-journald (PID: 6590) Socket: <unknown socket type>:unknown
Source: /lib/systemd/systemd-journald (PID: 6682) Socket: <unknown socket type>:unknown
Source: /lib/systemd/systemd-journald (PID: 6859) Socket: <unknown socket type>:unknown
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: global traffic DNS traffic detected: DNS query: net.kovey-net.lol
Source: global traffic DNS traffic detected: DNS query: net.kovey-net.lol.v:fJV66a/PV!E(kx 5|2Zv:fVNNPV!a
Source: global traffic DNS traffic detected: DNS query: net.kovey-net.lol.v:f66a/PV!E(e):H 5V2Zv:fNNPV!a
Source: global traffic DNS traffic detected: DNS query: net.kovey-net.lol.v:f 66a/PV!E(Nx 52Zv:fg NNPV!a
Source: global traffic DNS traffic detected: DNS query: net.kovey-net.lol.v:fI JJPV!a/E<O@@2 Y5; qv v:f0.66
Source: global traffic DNS traffic detected: DNS query: net.kovey-net.lol.v:fx66a/PV!E(":# 5w2Zv:fpxJJPV!a
Source: global traffic DNS traffic detected: DNS query: net.kovey-net.lol.w:f 66a/PV!E(@9Y 5'Pw:ft JJPV!a
Source: global traffic DNS traffic detected: DNS query: net.kovey-net.lol.w:fZ66a/PV!E(x 5_w:fNNPV!a
Source: global traffic DNS traffic detected: DNS query: net.kovey-net.lol.w:f* 66a/PV!E(@9Y 5K5Pqw:f1 JJPV!a
Source: global traffic DNS traffic detected: DNS query: net.kovey-net.lol.w:fX/66a/PV!E(7: 5"w:f/NNPV!a
Source: global traffic DNS traffic detected: DNS query: net.kovey-net.lol.w:fe66a/PV!E(@9Y 54CPw:f3lJJPV!a
Source: syslog.411.dr String found in binary or memory: https://www.rsyslog.com

System Summary

Source: Aqua.x86-20240507-1844.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Aqua.x86-20240507-1844.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: Aqua.x86-20240507-1844.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: Aqua.x86-20240507-1844.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: Aqua.x86-20240507-1844.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: Aqua.x86-20240507-1844.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: Aqua.x86-20240507-1844.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: 5432.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: 5432.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: 5432.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_b14f4c5d Author: unknown
Source: 5432.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: 5432.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_389ee3e9 Author: unknown
Source: 5432.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: 5432.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_8aa7b5d3 Author: unknown
Source: Process Memory Space: Aqua.x86-20240507-1844.elf PID: 5432, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_28a2fe0c Author: unknown
Source: Process Memory Space: Aqua.x86-20240507-1844.elf PID: 5432, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_ea92cca8 Author: unknown
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 1884, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 5435, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 660, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 726, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 727, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 778, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 780, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 783, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 790, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 795, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 936, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 1400, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 1432, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 2970, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 3069, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 3132, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 5415, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 5416, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 5603, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 5606, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 5607, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 5688, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 1411, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 2936, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 5690, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 5691, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 5696, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 5697, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 5786, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 490, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 765, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 767, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 1410, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 2935, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 5275, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 5787, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 5792, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 5813, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 5816, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 5839, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 5877, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 5878, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 5881, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 5886, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 5891, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 5955, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 5956, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 5951, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 5987, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 5988, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 5989, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6067, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 5965, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 5996, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6061, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6070, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6071, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6072, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6078, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6141, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6142, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6146, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6140, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6157, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6158, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6080, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6169, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6228, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6233, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6234, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6235, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6301, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6302, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6306, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6300, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6315, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6316, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6240, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6243, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6325, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6331, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6332, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6333, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6401, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6402, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6406, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6400, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6415, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6416, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6338, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6425, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6482, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6489, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6490, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6558, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6559, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6563, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6557, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6572, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6497, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6500, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6578, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6585, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6586, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6651, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6652, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6656, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6650, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6663, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6590, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6593, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6672, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6677, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6678, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6743, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6744, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6748, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6742, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6753, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6756, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6769, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6770, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6682, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6764, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6780, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6783, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6792, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6787, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6788, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6857, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6861, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6921, result: successful
Source: ELF static info symbol of initial sample .symtab present: no
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 1884, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 5435, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 660, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 726, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 727, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 778, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 780, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 783, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 790, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 795, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 936, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 1400, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 1432, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 2970, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 3069, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 3132, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 5415, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 5416, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 5603, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 5606, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 5607, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 5688, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 1411, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 2936, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 5690, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 5691, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 5696, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 5697, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 5786, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 490, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 765, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 767, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 1410, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 2935, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 5275, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 5787, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 5792, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 5813, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 5816, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 5839, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 5877, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 5878, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 5881, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 5886, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 5891, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 5955, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 5956, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 5951, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 5987, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 5988, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 5989, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6067, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 5965, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 5996, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6061, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6070, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6071, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6072, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6078, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6141, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6142, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6146, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6140, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6157, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6158, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6080, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6169, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6228, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6233, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6234, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6235, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6301, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6302, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6306, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6300, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6315, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6316, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6240, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6243, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6325, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6331, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6332, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6333, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6401, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6402, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6406, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6400, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6415, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6416, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6338, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6425, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6482, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6489, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6490, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6558, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6559, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6563, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6557, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6572, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6497, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6500, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6578, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6585, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6586, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6651, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6652, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6656, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6650, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6663, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6590, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6593, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6672, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6677, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6678, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6743, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6744, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6748, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6742, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6753, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6756, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6769, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6770, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6682, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6764, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6780, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6783, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6792, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6787, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6788, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6857, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6861, result: successful
Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5434) SIGKILL sent: pid: 6921, result: successful
Source: Aqua.x86-20240507-1844.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Aqua.x86-20240507-1844.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: Aqua.x86-20240507-1844.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: Aqua.x86-20240507-1844.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: Aqua.x86-20240507-1844.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: Aqua.x86-20240507-1844.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: Aqua.x86-20240507-1844.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: 5432.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: 5432.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: 5432.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_b14f4c5d os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = a70d052918dd2fbc66db241da6438015130f0fb6929229bfe573546fe98da817, id = b14f4c5d-054f-46e6-9fa8-3588f1ef68b7, last_modified = 2021-09-16
Source: 5432.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: 5432.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_389ee3e9 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 59f2359dc1f41d385d639d157b4cd9fc73d76d8abb7cc09d47632bb4c9a39e6e, id = 389ee3e9-70c1-4c93-a999-292cf6ff1652, last_modified = 2022-01-26
Source: 5432.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: 5432.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_8aa7b5d3 reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 02a2c18c362df4b1fceb33f3b605586514ba9a00c7afedf71c04fa54d8146444, id = 8aa7b5d3-e1eb-4b55-b36a-0d3a242c06e9, last_modified = 2022-01-26
Source: Process Memory Space: Aqua.x86-20240507-1844.elf PID: 5432, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
Source: Process Memory Space: Aqua.x86-20240507-1844.elf PID: 5432, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
Source: classification engine Classification label: mal92.spre.troj.evad.linELF@0/215@11/0

Persistence and Installation Behavior

Source: /usr/bin/dbus-daemon (PID: 5603) File: /proc/5603/mounts
Source: /bin/fusermount (PID: 5680) File: /proc/5680/mounts
Source: /usr/bin/dbus-daemon (PID: 5690) File: /proc/5690/mounts
Source: /usr/bin/dbus-daemon (PID: 5786) File: /proc/5786/mounts
Source: /usr/bin/dbus-daemon (PID: 5792) File: /proc/5792/mounts
Source: /usr/bin/dbus-daemon (PID: 5955) File: /proc/5955/mounts
Source: /usr/bin/dbus-daemon (PID: 5988) File: /proc/5988/mounts
Source: /usr/bin/dbus-daemon (PID: 6067) File: /proc/6067/mounts
Source: /usr/bin/dbus-daemon (PID: 6072) File: /proc/6072/mounts
Source: /usr/bin/dbus-daemon (PID: 6142) File: /proc/6142/mounts
Source: /usr/bin/dbus-daemon (PID: 6158) File: /proc/6158/mounts
Source: /usr/bin/dbus-daemon (PID: 6235) File: /proc/6235/mounts
Source: /usr/bin/dbus-daemon (PID: 6302) File: /proc/6302/mounts
Source: /usr/bin/dbus-daemon (PID: 6316) File: /proc/6316/mounts
Source: /usr/bin/dbus-daemon (PID: 6333) File: /proc/6333/mounts
Source: /usr/bin/dbus-daemon (PID: 6402) File: /proc/6402/mounts
Source: /usr/bin/dbus-daemon (PID: 6416) File: /proc/6416/mounts
Source: /usr/bin/dbus-daemon (PID: 6558) File: /proc/6558/mounts
Source: /usr/bin/dbus-daemon (PID: 6651) File: /proc/6651/mounts
Source: /usr/bin/dbus-daemon (PID: 6743) File: /proc/6743/mounts
Source: /usr/bin/dbus-daemon (PID: 6753) File: /proc/6753/mounts
Source: /usr/bin/dbus-daemon (PID: 6769) File: /proc/6769/mounts
Source: /usr/bin/dbus-daemon (PID: 6788) File: /proc/6788/mounts
Source: /usr/bin/dbus-daemon (PID: 6857) File: /proc/6857/mounts
Source: /usr/bin/dbus-daemon (PID: 6937) File: /proc/6937/mounts
Source: /usr/bin/dbus-daemon (PID: 6954) File: /proc/6954/mounts
Source: /usr/libexec/gsd-rfkill (PID: 5435) Directory: <invalid fd (9)>/..
Source: /usr/libexec/gsd-rfkill (PID: 5435) Directory: <invalid fd (8)>/..
Source: /lib/systemd/systemd-hostnamed (PID: 5440) Directory: <invalid fd (10)>/..
Source: /lib/systemd/systemd-logind (PID: 5614) Directory: <invalid fd (18)>/..
Source: /lib/systemd/systemd-logind (PID: 5614) Directory: <invalid fd (17)>/..
Source: /lib/systemd/systemd-logind (PID: 5614) File: /run/systemd/seats/.#seat0XKE8UI
Source: /usr/lib/policykit-1/polkitd (PID: 5679) Directory: /root/.cache
Source: /lib/systemd/systemd-logind (PID: 5707) Directory: <invalid fd (18)>/..
Source: /lib/systemd/systemd-logind (PID: 5707) Directory: <invalid fd (17)>/..
Source: /lib/systemd/systemd-logind (PID: 5707) File: /run/systemd/seats/.#seat0VjHljK
Source: /usr/lib/policykit-1/polkitd (PID: 5770) Directory: /root/.cache
Source: /lib/systemd/systemd-logind (PID: 5816) Directory: <invalid fd (18)>/..
Source: /lib/systemd/systemd-logind (PID: 5816) Directory: <invalid fd (17)>/..
Source: /lib/systemd/systemd-logind (PID: 5816) File: /run/systemd/seats/.#seat0n2Ny4W
Source: /usr/lib/policykit-1/polkitd (PID: 5881) Directory: /root/.cache
Source: /lib/systemd/systemd-journald (PID: 5886) File: /run/systemd/journal/streams/.#9:66606U7U5uf
Source: /lib/systemd/systemd-journald (PID: 5886) File: /run/systemd/journal/streams/.#9:66607OD6MKg
Source: /lib/systemd/systemd-journald (PID: 5886) File: /run/systemd/journal/streams/.#9:66667llEJNg
Source: /lib/systemd/systemd-journald (PID: 5886) File: /run/systemd/journal/streams/.#9:66767B9Xurh
Source: /lib/systemd/systemd-journald (PID: 5886) File: /run/systemd/journal/streams/.#9:66865Fm5LMg
Source: /lib/systemd/systemd-logind (PID: 5894) Directory: <invalid fd (18)>/..
Source: /lib/systemd/systemd-logind (PID: 5894) Directory: <invalid fd (17)>/..
Source: /lib/systemd/systemd-logind (PID: 5894) File: /run/systemd/seats/.#seat055BR6T
Source: /lib/systemd/systemd-journald (PID: 5965) File: /run/systemd/journal/streams/.#9:68751ZUzcvg
Source: /lib/systemd/systemd-journald (PID: 5965) File: /run/systemd/journal/streams/.#9:68753Pi6kqf
Source: /lib/systemd/systemd-journald (PID: 5965) File: /run/systemd/journal/streams/.#9:687549ul4xd
Source: /lib/systemd/systemd-journald (PID: 5965) File: /run/systemd/journal/streams/.#9:68763WIhRaf
Source: /lib/systemd/systemd-journald (PID: 5965) File: /run/systemd/journal/streams/.#9:68764xOD24c
Source: /lib/systemd/systemd-journald (PID: 5965) File: /run/systemd/journal/streams/.#9:68765qY6e7g
Source: /lib/systemd/systemd-journald (PID: 5965) File: /run/systemd/journal/streams/.#9:68772C744We
Source: /lib/systemd/systemd-journald (PID: 5965) File: /run/systemd/journal/streams/.#9:68773wIpkEf
Source: /lib/systemd/systemd-journald (PID: 5965) File: /run/systemd/journal/streams/.#9:68774pnxXRd
Source: /lib/systemd/systemd-journald (PID: 5965) File: /run/systemd/journal/streams/.#9:68775fOMIwe
Source: /lib/systemd/systemd-journald (PID: 5965) File: /run/systemd/journal/streams/.#9:68783V3Kb9g
Source: /lib/systemd/systemd-journald (PID: 5965) File: /run/systemd/journal/streams/.#9:68785lxcL0c
Source: /lib/systemd/systemd-journald (PID: 5965) File: /run/systemd/journal/streams/.#9:68862ai8Lpd
Source: /lib/systemd/systemd-journald (PID: 5965) File: /run/systemd/journal/streams/.#9:67920G084xf
Source: /lib/systemd/systemd-journald (PID: 5965) File: /run/systemd/journal/streams/.#9:67943QknpZd
Source: /usr/lib/policykit-1/polkitd (PID: 5974) Directory: /root/.cache
Source: /lib/systemd/systemd-logind (PID: 5996) Directory: <invalid fd (18)>/..
Source: /lib/systemd/systemd-logind (PID: 5996) Directory: <invalid fd (17)>/..
Source: /lib/systemd/systemd-logind (PID: 5996) File: /run/systemd/seats/.#seat01jkZDB
Source: /usr/lib/policykit-1/polkitd (PID: 6055) Directory: /root/.cache
Source: /lib/systemd/systemd-journald (PID: 6080) File: /run/systemd/journal/streams/.#9:69686kF5PkY
Source: /lib/systemd/systemd-journald (PID: 6080) File: /run/systemd/journal/streams/.#9:69689RafazW
Source: /lib/systemd/systemd-journald (PID: 6080) File: /run/systemd/journal/streams/.#9:69690Log1wX
Source: /lib/systemd/systemd-journald (PID: 6080) File: /run/systemd/journal/streams/.#9:69696zMyZ3U
Source: /lib/systemd/systemd-journald (PID: 6080) File: /run/systemd/journal/streams/.#9:6970098zyRW
Source: /lib/systemd/systemd-journald (PID: 6080) File: /run/systemd/journal/streams/.#9:69724lXmVXV
Source: /lib/systemd/systemd-journald (PID: 6080) File: /run/systemd/journal/streams/.#9:698007oIGAX
Source: /lib/systemd/systemd-journald (PID: 6080) File: /run/systemd/journal/streams/.#9:69801M8EWfX
Source: /lib/systemd/systemd-journald (PID: 6080) File: /run/systemd/journal/streams/.#9:68498VAupeY
Source: /lib/systemd/systemd-journald (PID: 6080) File: /run/systemd/journal/streams/.#9:685723zYLRX
Source: /lib/systemd/systemd-logind (PID: 6083) Directory: <invalid fd (18)>/..
Source: /lib/systemd/systemd-logind (PID: 6083) Directory: <invalid fd (17)>/..
Source: /lib/systemd/systemd-logind (PID: 6083) File: /run/systemd/seats/.#seat0JUlak8
Source: /lib/systemd/systemd-logind (PID: 6169) Directory: <invalid fd (18)>/..
Source: /lib/systemd/systemd-logind (PID: 6169) Directory: <invalid fd (17)>/..
Source: /lib/systemd/systemd-logind (PID: 6169) File: /run/systemd/seats/.#seat0KZGDrH
Source: /lib/systemd/systemd-journald (PID: 6240) File: /run/systemd/journal/streams/.#9:70622qRCjT2
Source: /lib/systemd/systemd-journald (PID: 6240) File: /run/systemd/journal/streams/.#9:70623MVHYn1
Source: /lib/systemd/systemd-journald (PID: 6240) File: /run/systemd/journal/streams/.#9:70631dCaba3
Source: /lib/systemd/systemd-journald (PID: 6240) File: /run/systemd/journal/streams/.#9:70632mdnZW1
Source: /lib/systemd/systemd-journald (PID: 6240) File: /run/systemd/journal/streams/.#9:70642GUCiP3
Source: /lib/systemd/systemd-journald (PID: 6240) File: /run/systemd/journal/streams/.#9:71753Hkspr4
Source: /lib/systemd/systemd-journald (PID: 6240) File: /run/systemd/journal/streams/.#9:71755rMokr3
Source: /lib/systemd/systemd-journald (PID: 6240) File: /run/systemd/journal/streams/.#9:71095KAfSL0
Source: /lib/systemd/systemd-journald (PID: 6240) File: /run/systemd/journal/streams/.#9:711692mZxP4
Source: /lib/systemd/systemd-logind (PID: 6243) Directory: <invalid fd (18)>/..
Source: /lib/systemd/systemd-logind (PID: 6243) Directory: <invalid fd (17)>/..
Source: /lib/systemd/systemd-logind (PID: 6243) File: /run/systemd/seats/.#seat0za8Vdi
Source: /lib/systemd/systemd-journald (PID: 6338) File: /run/systemd/journal/streams/.#9:72713xtRCHp
Source: /lib/systemd/systemd-journald (PID: 6338) File: /run/systemd/journal/streams/.#9:727145rFduq
Source: /lib/systemd/systemd-journald (PID: 6338) File: /run/systemd/journal/streams/.#9:72715dm3ybu
Source: /lib/systemd/systemd-journald (PID: 6338) File: /run/systemd/journal/streams/.#9:72717VGPGOq
Source: /lib/systemd/systemd-journald (PID: 6338) File: /run/systemd/journal/streams/.#9:72718ZH0etr
Source: /lib/systemd/systemd-journald (PID: 6338) File: /run/systemd/journal/streams/.#9:727249tn82r
Source: /lib/systemd/systemd-journald (PID: 6338) File: /run/systemd/journal/streams/.#9:72736gcNz6t
Source: /lib/systemd/systemd-journald (PID: 6338) File: /run/systemd/journal/streams/.#9:72738igAyHt
Source: /lib/systemd/systemd-journald (PID: 6338) File: /run/systemd/journal/streams/.#9:73729jStt4q
Source: /lib/systemd/systemd-logind (PID: 6341) Directory: <invalid fd (18)>/..
Source: /lib/systemd/systemd-logind (PID: 6341) Directory: <invalid fd (17)>/..
Source: /lib/systemd/systemd-logind (PID: 6341) File: /run/systemd/seats/.#seat0WSWc4G
Source: /lib/systemd/systemd-logind (PID: 6425) Directory: <invalid fd (18)>/..
Source: /lib/systemd/systemd-logind (PID: 6425) Directory: <invalid fd (17)>/..
Source: /lib/systemd/systemd-logind (PID: 6425) File: /run/systemd/seats/.#seat0ajdTv2
Source: /lib/systemd/systemd-journald (PID: 6497) File: /run/systemd/journal/streams/.#9:73432cNoFTs
Source: /lib/systemd/systemd-journald (PID: 6497) File: /run/systemd/journal/streams/.#9:73433wvMIHu
Source: /lib/systemd/systemd-journald (PID: 6497) File: /run/systemd/journal/streams/.#9:73434JvT8Lu
Source: /lib/systemd/systemd-journald (PID: 6497) File: /run/systemd/journal/streams/.#9:73440ZqDrDu
Source: /lib/systemd/systemd-journald (PID: 6497) File: /run/systemd/journal/streams/.#9:73441aezA6q
Source: /lib/systemd/systemd-journald (PID: 6497) File: /run/systemd/journal/streams/.#9:73443SGlk0u
Source: /lib/systemd/systemd-journald (PID: 6497) File: /run/systemd/journal/streams/.#9:74234foXG7q
Source: /lib/systemd/systemd-logind (PID: 6500) Directory: <invalid fd (18)>/..
Source: /lib/systemd/systemd-logind (PID: 6500) Directory: <invalid fd (17)>/..
Source: /lib/systemd/systemd-logind (PID: 6500) File: /run/systemd/seats/.#seat02YgyaF
Source: /lib/systemd/systemd-journald (PID: 6590) File: /run/systemd/journal/streams/.#9:7523563H8ev
Source: /lib/systemd/systemd-journald (PID: 6590) File: /run/systemd/journal/streams/.#9:75236o04Gyw
Source: /lib/systemd/systemd-journald (PID: 6590) File: /run/systemd/journal/streams/.#9:75237CRzT9u
Source: /lib/systemd/systemd-journald (PID: 6590) File: /run/systemd/journal/streams/.#9:75243oVTjpw
Source: /lib/systemd/systemd-journald (PID: 6590) File: /run/systemd/journal/streams/.#9:75244Z3twmu
Source: /lib/systemd/systemd-journald (PID: 6590) File: /run/systemd/journal/streams/.#9:75245MwL8cu
Source: /lib/systemd/systemd-journald (PID: 6590) File: /run/systemd/journal/streams/.#9:7465123mePt
Source: /lib/systemd/systemd-logind (PID: 6593) Directory: <invalid fd (18)>/..
Source: /lib/systemd/systemd-logind (PID: 6593) Directory: <invalid fd (17)>/..
Source: /lib/systemd/systemd-logind (PID: 6593) File: /run/systemd/seats/.#seat0pHmEdI
Source: /lib/systemd/systemd-journald (PID: 6682) File: /run/systemd/journal/streams/.#9:76364op3iJu
Source: /lib/systemd/systemd-journald (PID: 6682) File: /run/systemd/journal/streams/.#9:76365rpukHu
Source: /lib/systemd/systemd-journald (PID: 6682) File: /run/systemd/journal/streams/.#9:76371MJTaJr
Source: /lib/systemd/systemd-journald (PID: 6682) File: /run/systemd/journal/streams/.#9:763722urB0r
Source: /lib/systemd/systemd-journald (PID: 6682) File: /run/systemd/journal/streams/.#9:76379GqF8xt
Source: /lib/systemd/systemd-journald (PID: 6682) File: /run/systemd/journal/streams/.#9:76386uiga3q
Source: /lib/systemd/systemd-journald (PID: 6682) File: /run/systemd/journal/streams/.#9:76387TMHdtr
Source: /lib/systemd/systemd-journald (PID: 6682) File: /run/systemd/journal/streams/.#9:76462XlHisr
Source: /lib/systemd/systemd-journald (PID: 6682) File: /run/systemd/journal/streams/.#9:769369fDF5t
Source: /lib/systemd/systemd-journald (PID: 6682) File: /run/systemd/journal/streams/.#9:76946ZXSvgt
Source: /lib/systemd/systemd-journald (PID: 6682) File: /run/systemd/journal/streams/.#9:77065ac00eu
Source: /lib/systemd/systemd-journald (PID: 6682) File: /run/systemd/journal/streams/.#9:771655OHjYq
Source: /lib/systemd/systemd-journald (PID: 6682) File: /run/systemd/journal/streams/.#9:77367BSD2Fr
Source: /lib/systemd/systemd-logind (PID: 6685) Directory: <invalid fd (18)>/..
Source: /lib/systemd/systemd-logind (PID: 6685) Directory: <invalid fd (17)>/..
Source: /lib/systemd/systemd-logind (PID: 6685) File: /run/systemd/seats/.#seat0tz7BvF
Source: /usr/lib/policykit-1/polkitd (PID: 6774) Directory: /root/.cache
Source: /lib/systemd/systemd-logind (PID: 6792) Directory: <invalid fd (18)>/..
Source: /lib/systemd/systemd-logind (PID: 6792) Directory: <invalid fd (17)>/..
Source: /lib/systemd/systemd-logind (PID: 6792) File: /run/systemd/seats/.#seat0QmCT7M
Source: /usr/lib/policykit-1/polkitd (PID: 6826) Directory: /root/.cache
Source: /lib/systemd/systemd-journald (PID: 6859) File: /run/systemd/journal/streams/.#9:784044ZqH0O
Source: /lib/systemd/systemd-journald (PID: 6859) File: /run/systemd/journal/streams/.#9:78406xko8FO
Source: /lib/systemd/systemd-journald (PID: 6859) File: /run/systemd/journal/streams/.#9:78407LVqA2P
Source: /lib/systemd/systemd-journald (PID: 6859) File: /run/systemd/journal/streams/.#9:784084bWJTR
Source: /lib/systemd/systemd-journald (PID: 6859) File: /run/systemd/journal/streams/.#9:784096ExfTP
Source: /lib/systemd/systemd-journald (PID: 6859) File: /run/systemd/journal/streams/.#9:78410jb8omR
Source: /lib/systemd/systemd-journald (PID: 6859) File: /run/systemd/journal/streams/.#9:78412NmFKTQ
Source: /lib/systemd/systemd-journald (PID: 6859) File: /run/systemd/journal/streams/.#9:784133x6HjO
Source: /lib/systemd/systemd-journald (PID: 6859) File: /run/systemd/journal/streams/.#9:78415yUNB5R
Source: /lib/systemd/systemd-journald (PID: 6859) File: /run/systemd/journal/streams/.#9:78419dg9qIQ
Source: /lib/systemd/systemd-journald (PID: 6859) File: /run/systemd/journal/streams/.#9:78420Dr08BQ
Source: /lib/systemd/systemd-journald (PID: 6859) File: /run/systemd/journal/streams/.#9:78427sGN9qO
Source: /lib/systemd/systemd-journald (PID: 6859) File: /run/systemd/journal/streams/.#9:78428q55meQ
Source: /lib/systemd/systemd-journald (PID: 6859) File: /run/systemd/journal/streams/.#9:78429FgDU1Q
Source: /lib/systemd/systemd-journald (PID: 6859) File: /run/systemd/journal/streams/.#9:784301NXa5O
Source: /lib/systemd/systemd-journald (PID: 6859) File: /run/systemd/journal/streams/.#9:78431itEBTQ
Source: /lib/systemd/systemd-logind (PID: 6864) Directory: <invalid fd (18)>/..
Source: /lib/systemd/systemd-logind (PID: 6864) Directory: <invalid fd (17)>/..
Source: /lib/systemd/systemd-logind (PID: 6864) File: /run/systemd/seats/.#seat0S3kLGd
Source: /usr/lib/policykit-1/polkitd (PID: 6944) Directory: /root/.cache
Source: /lib/systemd/systemd-journald (PID: 6682) Empty hidden file: /run/systemd/journal/streams/.#9:77367BSD2Fr
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/5380/status
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/5380/cmdline
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/230/status
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/230/cmdline
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/110/status
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/110/cmdline
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/231/status
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/231/cmdline
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/111/status
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/111/cmdline
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/232/status
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/232/cmdline
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/112/status
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/112/cmdline
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/233/status
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/233/cmdline
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/113/status
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/113/cmdline
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/234/status
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/234/cmdline
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/114/status
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/114/cmdline
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/235/status
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/235/cmdline
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/115/status
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/115/cmdline
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/236/status
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/236/cmdline
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/116/status
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/116/cmdline
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/237/status
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/237/cmdline
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/117/status
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/117/cmdline
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/238/status
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/238/cmdline
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/118/status
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/118/cmdline
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/239/status
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/239/cmdline
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/119/status
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/119/cmdline
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/10/status
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/10/cmdline
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/11/status
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/11/cmdline
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/12/status
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/12/cmdline
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/13/status
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/13/cmdline
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/14/status
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/14/cmdline
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/5275/status
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/5275/cmdline
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/15/status
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/15/cmdline
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/16/status
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/16/cmdline
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/17/status
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/17/cmdline
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/18/status
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/18/cmdline
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/19/status
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/19/cmdline
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/240/status
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/240/cmdline
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/120/status
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/120/cmdline
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/241/status
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/241/cmdline
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/121/status
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/121/cmdline
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/242/status
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/242/cmdline
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/1/status
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/1/cmdline
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/122/status
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/122/cmdline
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/243/status
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/243/cmdline
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/5707/status
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/5707/cmdline
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/2/status
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/2/cmdline
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/123/status
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/123/cmdline
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/244/status
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/244/cmdline
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/3/status
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/3/cmdline
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/124/status
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/124/cmdline
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/245/status
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/245/cmdline
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/125/status
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/125/cmdline
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/4/status
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/4/cmdline
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/246/status
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/246/cmdline
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/126/status
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/126/cmdline
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/5/status
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/5/cmdline
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/247/status
Source: /usr/bin/pkill (PID: 5783) File opened: /proc/247/cmdline
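Most of the evidence above is produced by the analysis VM rather than by the sample: the ".#"-prefixed entries under /run/systemd are systemd's write-to-temporary-file-then-rename names (which is why the hidden-file signatures fire on journald and logind), and the gpu-manager shell commands are Ubuntu's GPU driver probing for blacklisted nvidia/radeon/amdgpu/nouveau modules. Whether /usr/bin/pkill (PID 5783) and the /bin/sh grep children sit in the sample's process tree cannot be read from a flat evidence line, since it carries no parent PID. The following triage script is an added example by the editor, not part of the Joe Sandbox report: it parses evidence lines in the format shown on this page (the sample lines are copied from the page, plus one junk line), drops the "Jump to behavior" link text, tallies events by source image, lists which PIDs the pkill scan inspected through both /proc/<pid>/status and /proc/<pid>/cmdline, and isolates the systemd temporary files. The SANDBOX_DAEMONS set and the attribution rule are assumptions for illustration.

```python
"""Triage helper for Joe Sandbox-style Linux evidence lines (added example).

Not part of the sandbox output: the parser, the SANDBOX_DAEMONS set and the
attribution rule are the editor's assumptions. SAMPLE_LINES are copied from
the evidence list on this page, plus one junk line to exercise the parser.
"""
import re
from collections import Counter, defaultdict

# One evidence line: "Source: <image> (PID: <n>) <action>: <target>[ Jump to behavior]"
EVENT_RE = re.compile(
    r"^Source:\s+(?P<image>\S+)\s+\(PID:\s+(?P<pid>\d+)\)\s+"
    r"(?P<action>[^:]+):\s+(?P<target>.*?)(?:\s+Jump to behavior)?$"
)
# /proc/<pid>/status carries the process Name, /proc/<pid>/cmdline its argv;
# a scanner that opens both per PID is matching names and full command lines.
PROC_RE = re.compile(r"^/proc/(?P<pid>\d+)/(?P<file>status|cmdline)$")

# Assumption: these images belong to the analysis VM, not to the sample.
SANDBOX_DAEMONS = {
    "/lib/systemd/systemd-journald",
    "/lib/systemd/systemd-logind",
    "/usr/lib/policykit-1/polkitd",
    "/usr/bin/gpu-manager",
}

# Copied from this report's evidence list; the last entry is constructed junk.
SAMPLE_LINES = [
    "Source: /lib/systemd/systemd-journald (PID: 6338) File: /run/systemd/journal/streams/.#9:727145rFduq",
    "Source: /lib/systemd/systemd-logind (PID: 6341) Directory: <invalid fd (18)>/..",
    "Source: /lib/systemd/systemd-logind (PID: 6341) File: /run/systemd/seats/.#seat0WSWc4G",
    "Source: /usr/lib/policykit-1/polkitd (PID: 6774) Directory: /root/.cache",
    "Source: /usr/bin/pkill (PID: 5783) File opened: /proc/5380/status Jump to behavior",
    "Source: /usr/bin/pkill (PID: 5783) File opened: /proc/5380/cmdline Jump to behavior",
    "Source: /usr/bin/pkill (PID: 5783) File opened: /proc/1/status Jump to behavior",
    "Source: /usr/bin/pkill (PID: 5783) File opened: /proc/1/cmdline Jump to behavior",
    "Source: /usr/bin/pkill (PID: 5783) File opened: /proc/230/status Jump to behavior",
    'Source: /usr/bin/gpu-manager (PID: 5698) Shell command executed: sh -c "grep -G \\"^blacklist.*nvidia[[:space:]]*$\\" /etc/modprobe.d/*.conf" Jump to behavior',
    "Source: /bin/sh (PID: 5699) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/blacklist.conf",
    "not an evidence line",
]


def parse_event(line):
    """Return a dict with image/pid/action/target, or None for non-evidence text."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["pid"] = int(ev["pid"])
    return ev


def parse_events(lines):
    return [ev for ev in map(parse_event, lines) if ev is not None]


def attribute(ev):
    """'sandbox-daemon' for known VM daemons, else 'unattributed': a flat line
    has no parent PID, so sh/grep/pkill must be placed via the process tree."""
    return "sandbox-daemon" if ev["image"] in SANDBOX_DAEMONS else "unattributed"


def summarize(events):
    """Count events per (attribution, image, action)."""
    return dict(Counter((attribute(ev), ev["image"], ev["action"]) for ev in events))


def proc_scan_targets(events):
    """For each scanner (image, pid): PIDs whose status AND cmdline it opened."""
    seen = defaultdict(set)
    for ev in events:
        m = PROC_RE.match(ev["target"])
        if m and ev["action"] == "File opened":
            seen[(ev["image"], ev["pid"], int(m["pid"]))].add(m["file"])
    out = defaultdict(list)
    for (image, pid, target), files in seen.items():
        if files == {"status", "cmdline"}:
            out[(image, pid)].append(target)
    return {key: sorted(targets) for key, targets in out.items()}


def systemd_tempfiles(events):
    """'.#'-prefixed hidden files under /run/systemd are systemd's
    write-to-temp-then-rename names, not files the sample created."""
    return sorted({ev["target"] for ev in events
                   if ev["target"].startswith("/run/systemd/") and "/.#" in ev["target"]})


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LINES)
    for key, n in sorted(summarize(evs).items()):
        print(n, *key)
    print("proc scans:", proc_scan_targets(evs))
    print("systemd temp files:", systemd_tempfiles(evs))
```

Run against the full evidence list of a report, the summary separates VM daemon noise from the remaining entries in one pass; the remaining entries still need the report's process tree to decide whether pkill and the shell children descend from the sample.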
Source: /usr/bin/gpu-manager (PID: 5698) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5700) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5702) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5764) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5766) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5774) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5778) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5780) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5958) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5960) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5963) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5966) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5969) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5973) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5979) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5983) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6147) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6149) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6151) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6153) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6155) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6159) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6307) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6311) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6313) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6317) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6407) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6409) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6411) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6413) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6417) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6564) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6566) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6568) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6570) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6657) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6659) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6661) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6664) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6749) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6751) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6754) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6925) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6927) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6929) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /bin/sh (PID: 5699) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5701) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 5703) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5765) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 5769) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5777) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 5779) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5781) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 5959) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5962) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 5964) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5967) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 5970) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5975) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 5980) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5984) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 6148) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 6150) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 6152) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 6154) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 6156) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 6308) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 6312) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 6314) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 6318) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 6408) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 6410) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 6412) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 6414) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 6565) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 6567) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 6569) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 6571) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 6658) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 6660) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 6662) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 6750) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 6752) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 6755) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 6926) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 6928) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 6930) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /usr/share/gdm/generate-config (PID: 5783) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Source: /usr/share/gdm/generate-config (PID: 5986) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Source: /usr/share/gdm/generate-config (PID: 6163) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Source: /usr/share/gdm/generate-config (PID: 6320) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Source: /usr/share/gdm/generate-config (PID: 6419) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Source: /usr/share/gdm/generate-config (PID: 6574) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Source: /usr/share/gdm/generate-config (PID: 6666) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Source: /usr/share/gdm/generate-config (PID: 6758) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Source: /usr/share/gdm/generate-config (PID: 6936) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Source: /lib/systemd/systemd-journald (PID: 5886) Reads from proc file: /proc/meminfo
Source: /lib/systemd/systemd-journald (PID: 5965) Reads from proc file: /proc/meminfo
Source: /lib/systemd/systemd-journald (PID: 6080) Reads from proc file: /proc/meminfo
Source: /lib/systemd/systemd-journald (PID: 6240) Reads from proc file: /proc/meminfo
Source: /lib/systemd/systemd-journald (PID: 6338) Reads from proc file: /proc/meminfo
Source: /lib/systemd/systemd-journald (PID: 6497) Reads from proc file: /proc/meminfo
Source: /lib/systemd/systemd-journald (PID: 6590) Reads from proc file: /proc/meminfo
Source: /lib/systemd/systemd-journald (PID: 6682) Reads from proc file: /proc/meminfo
Source: /lib/systemd/systemd-journald (PID: 6859) Reads from proc file: /proc/meminfo
Source: /sbin/agetty (PID: 5688) Reads version info: /etc/issue
Source: /sbin/agetty (PID: 5696) Reads version info: /etc/issue
Source: /sbin/agetty (PID: 5951) Reads version info: /etc/issue
Source: /sbin/agetty (PID: 6140) Reads version info: /etc/issue
Source: /sbin/agetty (PID: 6300) Reads version info: /etc/issue
Source: /sbin/agetty (PID: 6400) Reads version info: /etc/issue
Source: /sbin/agetty (PID: 6557) Reads version info: /etc/issue
Source: /sbin/agetty (PID: 6650) Reads version info: /etc/issue
Source: /sbin/agetty (PID: 6742) Reads version info: /etc/issue
Source: /sbin/agetty (PID: 6860) Reads version info: /etc/issue
Source: /usr/sbin/rsyslogd (PID: 5606) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 5606) Log file created: /var/log/auth.log
Source: /usr/sbin/rsyslogd (PID: 5691) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 5691) Log file created: /var/log/auth.log
Source: /usr/bin/gpu-manager (PID: 5692) Log file created: /var/log/gpu-manager.log
Source: /usr/sbin/rsyslogd (PID: 5813) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 5813) Log file created: /var/log/auth.log
Source: /usr/sbin/rsyslogd (PID: 5891) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 5891) Log file created: /var/log/auth.log
Source: /usr/bin/gpu-manager (PID: 5957) Log file created: /var/log/gpu-manager.log
Source: /usr/sbin/rsyslogd (PID: 5987) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 5987) Log file created: /var/log/auth.log
Source: /usr/sbin/rsyslogd (PID: 6071) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6141) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6157) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6157) Log file created: /var/log/auth.log
Source: /usr/sbin/rsyslogd (PID: 6234) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6301) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6315) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6315) Log file created: /var/log/auth.log
Source: /usr/sbin/rsyslogd (PID: 6332) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6401) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6415) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6415) Log file created: /var/log/auth.log
Source: /usr/sbin/rsyslogd (PID: 6490) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6559) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6572) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6572) Log file created: /var/log/auth.log
Source: /usr/sbin/rsyslogd (PID: 6652) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6663) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6663) Log file created: /var/log/auth.log
Source: /usr/sbin/rsyslogd (PID: 6744) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6756) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6756) Log file created: /var/log/auth.log
Source: /usr/sbin/rsyslogd (PID: 6783) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6861) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6934) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6934) Log file created: /var/log/auth.log

Hooking and other Techniques for Hiding and Protection

Source: /tmp/Aqua.x86-20240507-1844.elf (PID: 5433) File: /tmp/Aqua.x86-20240507-1844.elf
Source: /usr/bin/gpu-manager (PID: 5692) Truncated file: /var/log/gpu-manager.log
Source: /usr/bin/gpu-manager (PID: 5957) Truncated file: /var/log/gpu-manager.log
Source: /usr/bin/gpu-manager (PID: 6146) Truncated file: /var/log/gpu-manager.log
Source: /usr/bin/gpu-manager (PID: 6306) Truncated file: /var/log/gpu-manager.log
Source: /usr/bin/gpu-manager (PID: 6406) Truncated file: /var/log/gpu-manager.log
Source: /usr/bin/gpu-manager (PID: 6563) Truncated file: /var/log/gpu-manager.log
Source: /usr/bin/gpu-manager (PID: 6656) Truncated file: /var/log/gpu-manager.log
Source: /usr/bin/gpu-manager (PID: 6748) Truncated file: /var/log/gpu-manager.log
Source: /usr/bin/gpu-manager (PID: 6921) Truncated file: /var/log/gpu-manager.log
Source: /usr/bin/pulseaudio (PID: 5607) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 5697) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5783) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 5956) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5986) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 5989) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6163) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6320) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6419) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6574) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6666) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6758) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 6770) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 6787) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 6931) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6936) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /lib/systemd/systemd-hostnamed (PID: 5440) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 5606) Queries kernel information via 'uname':
Source: /usr/bin/pulseaudio (PID: 5607) Queries kernel information via 'uname':
Source: /sbin/agetty (PID: 5688) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 5691) Queries kernel information via 'uname':
Source: /usr/bin/gpu-manager (PID: 5692) Queries kernel information via 'uname':
Source: /sbin/agetty (PID: 5696) Queries kernel information via 'uname':
Source: /usr/bin/pulseaudio (PID: 5697) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 5813) Queries kernel information via 'uname':
Source: /lib/systemd/systemd-journald (PID: 5886) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 5891) Queries kernel information via 'uname':
Source: /sbin/agetty (PID: 5951) Queries kernel information via 'uname':
Source: /usr/bin/pulseaudio (PID: 5956) Queries kernel information via 'uname':
Source: /usr/bin/gpu-manager (PID: 5957) Queries kernel information via 'uname':
Source: /lib/systemd/systemd-journald (PID: 5965) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 5987) Queries kernel information via 'uname':
Source: /usr/bin/pulseaudio (PID: 5989) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6071) Queries kernel information via 'uname':
Source: /lib/systemd/systemd-journald (PID: 6080) Queries kernel information via 'uname':
Source: /sbin/agetty (PID: 6140) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6141) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6157) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6234) Queries kernel information via 'uname':
Source: /lib/systemd/systemd-journald (PID: 6240) Queries kernel information via 'uname':
Source: /sbin/agetty (PID: 6300) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6301) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6315) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6332) Queries kernel information via 'uname':
Source: /lib/systemd/systemd-journald (PID: 6338) Queries kernel information via 'uname':
Source: /sbin/agetty (PID: 6400) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6401) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6415) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6490) Queries kernel information via 'uname':
Source: /lib/systemd/systemd-journald (PID: 6497) Queries kernel information via 'uname':
Source: /sbin/agetty (PID: 6557) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6559) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6572) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6586) Queries kernel information via 'uname':
Source: /lib/systemd/systemd-journald (PID: 6590) Queries kernel information via 'uname':
Source: /sbin/agetty (PID: 6650) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6652) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6663) Queries kernel information via 'uname':
Source: /lib/systemd/systemd-journald (PID: 6682) Queries kernel information via 'uname':
Source: /sbin/agetty (PID: 6742) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6744) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6756) Queries kernel information via 'uname':
Source: /usr/bin/pulseaudio (PID: 6770) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6783) Queries kernel information via 'uname':
Source: /usr/bin/pulseaudio (PID: 6787) Queries kernel information via 'uname':
Source: /lib/systemd/systemd-journald (PID: 6859) Queries kernel information via 'uname':
Source: /sbin/agetty (PID: 6860) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6861) Queries kernel information via 'uname':
Source: /usr/bin/pulseaudio (PID: 6931) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6934) Queries kernel information via 'uname':
Source: syslog.45.dr Binary or memory string: May 7 20:45:53 galassia kernel: [ 106.018898] Modules linked in: monitor(OE) md4 cmac cifs libarc4 fscache libdes vmw_vsock_vmci_transport vsock binfmt_misc dm_multipath scsi_dh_rdac scsi_dh_emc scsi_dh_alua vmw_balloon joydev input_leds serio_raw vmw_vmci sch_fq_codel parport_pc ppdev lp drm parport ip_tables x_tables autofs4 btrfs zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel crypto_simd cryptd glue_helper psmouse mptspi scsi_transport_spi ahci mptscsih libahci mptbase vmxnet3
Source: syslog.45.dr Binary or memory string: May 7 20:45:53 galassia kernel: [ 106.018921] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020

Stealing of Sensitive Information

Source: Yara match File source: Aqua.x86-20240507-1844.elf, type: SAMPLE
Source: Yara match File source: 5432.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Aqua.x86-20240507-1844.elf PID: 5432, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: Aqua.x86-20240507-1844.elf, type: SAMPLE
Source: Yara match File source: 5432.1.0000000008048000.000000000805a000.r-x.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Aqua.x86-20240507-1844.elf PID: 5432, type: MEMORYSTR