Linux Analysis Report
Aqua.i686.elf

Overview

General Information

Sample name: Aqua.i686.elf
Analysis ID: 1580696
MD5: d255631d3c4baf58c938eded123dc951
SHA1: a6db6a717726302e7b6f5f0ae1d9dbb2938e6d76
SHA256: 48b78ddbd3b8c071ec91c97dd91958dcc008cbc132b61ab2e04e719772cd5d24
Tags: elfuser-abuse_ch
Infos:

Detection

Score: 76
Range: 0 - 100
Whitelisted: false

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Machine Learning detection for sample
Reads system files that contain records of logged in users
Sample deletes itself
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to kill multiple processes (SIGKILL)
Creates hidden files and/or directories
Deletes log files
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Executes commands using a shell command-line interpreter
Executes the "grep" command used to find patterns in files or piped streams
Executes the "kill" or "pkill" command typically used to terminate processes
Found strings indicative of a multi-platform dropper
HTTP GET or POST without a user agent
Reads CPU information from /sys indicative of miner or evasive malware
Reads system information from the proc file system
Reads system version information
Reads the 'hosts' file potentially containing internal network hosts
Sample has stripped symbol table
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
Sample tries to set the executable flag
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: Aqua.i686.elf ReversingLabs: Detection: 36%
Source: Aqua.i686.elf Virustotal: Detection: 31% Perma Link
Machine Learning detection for sample
Source: Aqua.i686.elf Joe Sandbox ML: detected
Reads CPU information from /sys indicative of miner or evasive malware
Source: /usr/bin/pkill (PID: 6504) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 6678) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 6839) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 7001) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 7031) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 7181) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 7211) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 7362) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 7535) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 7634) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 7731) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 7910) Reads CPU info from /sys: /sys/devices/system/cpu/online
Found strings indicative of a multi-platform dropper
Source: Aqua.i686.elf String: EOF/proc//proc/%s/cmdlinerwgetcurlftpechokillbashrebootshutdownhaltpoweroff/fdsocket/proc/%s/stat/proc/proc/%d/exe/proc/%d/stat%d %s %c %d/proc/%d/maps/var/run/mnt/root/var/tmp/boot/bin/sbin/../(deleted)/homedbgmpslmipselmipsarmarm4arm5arm6arm7sh4m68kx86x586x86_64i586i686ppcspc[locker] killed process: %s ;; pid: %d
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.23:50012 -> 89.190.156.145:7733
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: POST /9aadafe2051348cd32033e1cad68f0a5fe46fba3240ac1e6e42158f31b8a1371790c09baf3996b4979fe8e533446c7dedf30f654c68b25357334c66911dc6a9e HTTP/1.1Host: daisy.ubuntu.comAccept: */*Content-Type: application/octet-streamX-Whoopsie-Version: 0.2.69ubuntu0.3Content-Length: 164887Expect: 100-continue
Reads the 'hosts' file potentially containing internal network hosts
Source: /usr/sbin/rsyslogd (PID: 6397) Reads hosts file: /etc/hosts Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6474) Reads hosts file: /etc/hosts Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6513) Reads hosts file: /etc/hosts Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6586) Reads hosts file: /etc/hosts Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6676) Reads hosts file: /etc/hosts Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6683) Reads hosts file: /etc/hosts Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6757) Reads hosts file: /etc/hosts Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6826) Reads hosts file: /etc/hosts Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6836) Reads hosts file: /etc/hosts Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6841) Reads hosts file: /etc/hosts Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6856) Reads hosts file: /etc/hosts Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6924) Reads hosts file: /etc/hosts Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6997) Reads hosts file: /etc/hosts Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 7004) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 7037) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 7104) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 7177) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 7184) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 7285) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 7360) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 7378) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 7447) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 7516) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 7537) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 7618) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 7632) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 7714) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 7729) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 7809) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 7905) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 7915) Reads hosts file: /etc/hosts
Sample listens on a socket
Source: /lib/systemd/systemd-journald (PID: 6581) Socket: unknown address family Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6647) Socket: unknown address family Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6762) Socket: unknown address family Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6862) Socket: unknown address family Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6926) Socket: unknown address family Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 7042) Socket: unknown address family
Source: /lib/systemd/systemd-journald (PID: 7106) Socket: unknown address family
Source: /lib/systemd/systemd-journald (PID: 7220) Socket: unknown address family
Source: /lib/systemd/systemd-journald (PID: 7286) Socket: unknown address family
Source: /lib/systemd/systemd-journald (PID: 7385) Socket: unknown address family
Source: /lib/systemd/systemd-journald (PID: 7451) Socket: unknown address family
Source: /lib/systemd/systemd-journald (PID: 7555) Socket: unknown address family
Source: /lib/systemd/systemd-journald (PID: 7651) Socket: unknown address family
Source: /lib/systemd/systemd-journald (PID: 7820) Socket: unknown address family
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.42
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: global traffic DNS traffic detected: DNS query: 45.148.10.84
Source: global traffic DNS traffic detected: DNS query: daisy.ubuntu.com
Source: unknown HTTP traffic detected: POST /9aadafe2051348cd32033e1cad68f0a5fe46fba3240ac1e6e42158f31b8a1371790c09baf3996b4979fe8e533446c7dedf30f654c68b25357334c66911dc6a9e HTTP/1.1Host: daisy.ubuntu.comAccept: */*Content-Type: application/octet-streamX-Whoopsie-Version: 0.2.69ubuntu0.3Content-Length: 164887Expect: 100-continue
Source: syslog.253.dr String found in binary or memory: https://www.rsyslog.com
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 37650
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 37650 -> 443

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: Aqua.i686.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_268aac0b Author: unknown
Source: Aqua.i686.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_0cb1699c Author: unknown
Source: Aqua.i686.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_70ef58f1 Author: unknown
Source: Aqua.i686.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_3a85a418 Author: unknown
Source: Aqua.i686.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_2e3f67a9 Author: unknown
Source: Aqua.i686.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: Aqua.i686.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Source: 6219.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_268aac0b Author: unknown
Source: 6219.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_0cb1699c Author: unknown
Source: 6219.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_70ef58f1 Author: unknown
Source: 6219.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_3a85a418 Author: unknown
Source: 6219.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_2e3f67a9 Author: unknown
Source: 6219.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_88de437f Author: unknown
Source: 6219.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_cc93863b Author: unknown
Sample tries to kill multiple processes (SIGKILL)
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 1638, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6222, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 658, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 720, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 721, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 772, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 774, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 777, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 785, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 793, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 936, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 1320, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 1344, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 1886, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 1983, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 2048, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6198, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6200, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6392, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6394, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6396, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6397, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 1335, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 1872, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6470, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6473, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6474, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6490, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 491, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 759, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 761, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 1334, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 1860, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6049, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6231, result: no such process Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6507, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6511, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6512, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6513, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6514, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6522, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6584, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6585, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6586, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6587, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6648, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6673, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6674, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6676, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6675, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6679, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6683, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6755, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6755, result: no such process Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6647, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6691, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6752, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6756, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6757, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6758, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6825, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6826, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6827, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6831, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6833, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6836, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6822, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6837, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6840, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6841, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6853, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6853, result: no such process Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6762, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6765, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6850, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6854, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6855, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6856, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6857, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6862, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6865, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6922, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6923, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6924, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6988, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6990, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6991, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6997, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6998, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7002, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6925, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7003, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7004, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7005, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6926, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6929, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7034, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7035, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7036, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7037, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7038, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7042, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7045, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7102, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7103, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7104, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7105, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7167, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7171, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7176, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7177, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7180, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7166, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7182, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7184, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7106, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7109, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7214, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7215, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7216, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7218, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7219, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7220, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7223, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7280, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7281, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7282, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7285, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7347, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7356, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7359, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7346, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7360, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7363, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7377, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7377, result: no such process Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7286, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7289, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7374, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7378, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7379, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7380, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7381, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7385, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7388, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7446, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7447, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7448, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7450, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7449, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7452, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7515, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7516, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7517, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7519, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7533, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7536, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7537, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7451, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7458, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7545, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7548, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7549, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7550, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7551, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7616, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7617, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7618, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7620, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7615, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7628, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7632, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7555, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7558, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7643, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7646, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7647, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7649, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7650, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7712, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7713, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7714, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7715, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7711, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7722, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7729, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7651, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7745, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7747, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7751, result: no such process Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7809, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7817, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7910, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7744, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7821, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7823, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7905, result: successful Jump to behavior
Sample has stripped symbol table
Source: ELF static info symbol of initial sample .symtab present: no
Sample tries to kill a process (SIGKILL)
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 1638, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6222, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 658, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 720, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 721, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 772, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 774, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 777, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 785, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 793, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 936, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 1320, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 1344, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 1886, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 1983, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 2048, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6198, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6200, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6392, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6394, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6396, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6397, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 1335, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 1872, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6470, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6473, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6474, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6490, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 491, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 759, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 761, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 1334, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 1860, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6049, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6231, result: no such process Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6507, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6511, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6512, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6513, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6514, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6522, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6584, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6585, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6586, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6587, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6648, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6673, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6674, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6676, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6675, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6679, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6683, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6755, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6755, result: no such process Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6647, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6691, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6752, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6756, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6757, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6758, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6825, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6826, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6827, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6831, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6833, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6836, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6822, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6837, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6840, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6841, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6853, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6853, result: no such process Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6762, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6765, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6850, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6854, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6855, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6856, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6857, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6862, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6865, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6922, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6923, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6924, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6988, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6990, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6991, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6997, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6998, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7002, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6925, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7003, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7004, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7005, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6926, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 6929, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7034, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7035, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7036, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7037, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7038, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7042, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7045, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7102, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7103, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7104, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7105, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7167, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7171, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7176, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7177, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7180, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7166, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7182, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7184, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7106, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7109, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7214, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7215, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7216, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7218, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7219, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7220, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7223, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7280, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7281, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7282, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7285, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7347, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7356, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7359, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7346, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7360, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7363, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7377, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7377, result: no such process Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7286, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7289, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7374, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7378, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7379, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7380, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7381, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7385, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7388, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7446, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7447, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7448, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7450, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7449, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7452, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7515, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7516, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7517, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7519, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7533, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7536, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7537, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7451, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7458, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7545, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7548, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7549, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7550, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7551, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7616, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7617, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7618, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7620, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7615, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7628, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7632, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7555, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7558, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7643, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7646, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7647, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7649, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7650, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7712, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7713, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7714, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7715, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7711, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7722, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7729, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7651, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7745, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7747, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7751, result: no such process Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7809, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7817, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7910, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7744, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7821, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7823, result: successful Jump to behavior
Source: /tmp/Aqua.i686.elf (PID: 6221) SIGKILL sent: pid: 7905, result: successful Jump to behavior
Yara signature match
Source: Aqua.i686.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_268aac0b reference_sample = 49c94d184d7e387c3efe34ae6f021e011c3046ae631c9733ab0a230d5fe28ead, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 9c581721bf82af7dc6482a2c41af5fb3404e01c82545c7b2b29230f707014781, id = 268aac0b-c5c7-4035-8381-4e182de91e32, last_modified = 2021-09-16
Source: Aqua.i686.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_0cb1699c reference_sample = fc8741f67f39e7409ab2c6c62d4f9acdd168d3e53cf6976dd87501833771cacb, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 6e44c68bba8c9fb53ac85080b9ad765579f027cabfea5055a0bb3a85b8671089, id = 0cb1699c-9a08-4885-aa7f-0f1ee2543cac, last_modified = 2021-09-16
Source: Aqua.i686.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_70ef58f1 reference_sample = fc8741f67f39e7409ab2c6c62d4f9acdd168d3e53cf6976dd87501833771cacb, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c46eac9185e5f396456004d1e0c42b54a9318e0450f797c55703122cfb8fea89, id = 70ef58f1-ac74-4e33-ae03-e68d1d5a4379, last_modified = 2021-09-16
Source: Aqua.i686.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_3a85a418 reference_sample = 86a43b39b157f47ab12e9dc1013b4eec0e1792092d4cef2772a21a9bf4fc518a, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 554aff5770bfe8fdeae94f5f5a0fd7f7786340a95633433d8e686af1c25b8cec, id = 3a85a418-2bd9-445a-86cb-657ca7edf566, last_modified = 2021-09-16
Source: Aqua.i686.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_2e3f67a9 reference_sample = fc8741f67f39e7409ab2c6c62d4f9acdd168d3e53cf6976dd87501833771cacb, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 6a06815f3d2e5f1a7a67f4264953dbb2e9d14e5f3486b178da845eab5b922d4f, id = 2e3f67a9-6fd5-4457-a626-3a9015bdb401, last_modified = 2021-09-16
Source: Aqua.i686.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: Aqua.i686.elf, type: SAMPLE Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: 6219.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_268aac0b reference_sample = 49c94d184d7e387c3efe34ae6f021e011c3046ae631c9733ab0a230d5fe28ead, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 9c581721bf82af7dc6482a2c41af5fb3404e01c82545c7b2b29230f707014781, id = 268aac0b-c5c7-4035-8381-4e182de91e32, last_modified = 2021-09-16
Source: 6219.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_0cb1699c reference_sample = fc8741f67f39e7409ab2c6c62d4f9acdd168d3e53cf6976dd87501833771cacb, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 6e44c68bba8c9fb53ac85080b9ad765579f027cabfea5055a0bb3a85b8671089, id = 0cb1699c-9a08-4885-aa7f-0f1ee2543cac, last_modified = 2021-09-16
Source: 6219.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_70ef58f1 reference_sample = fc8741f67f39e7409ab2c6c62d4f9acdd168d3e53cf6976dd87501833771cacb, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c46eac9185e5f396456004d1e0c42b54a9318e0450f797c55703122cfb8fea89, id = 70ef58f1-ac74-4e33-ae03-e68d1d5a4379, last_modified = 2021-09-16
Source: 6219.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_3a85a418 reference_sample = 86a43b39b157f47ab12e9dc1013b4eec0e1792092d4cef2772a21a9bf4fc518a, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 554aff5770bfe8fdeae94f5f5a0fd7f7786340a95633433d8e686af1c25b8cec, id = 3a85a418-2bd9-445a-86cb-657ca7edf566, last_modified = 2021-09-16
Source: 6219.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_2e3f67a9 reference_sample = fc8741f67f39e7409ab2c6c62d4f9acdd168d3e53cf6976dd87501833771cacb, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = 6a06815f3d2e5f1a7a67f4264953dbb2e9d14e5f3486b178da845eab5b922d4f, id = 2e3f67a9-6fd5-4457-a626-3a9015bdb401, last_modified = 2021-09-16
Source: 6219.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_88de437f reference_sample = 8dc745a6de6f319cd6021c3e147597315cc1be02099d78fc8aae94de0e1e4bc6, os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = c19eb595c2b444a809bef8500c20342c9f46694d3018e268833f9b884133a1ea, id = 88de437f-9c98-4e1d-96c0-7b433c99886a, last_modified = 2021-09-16
Source: 6219.1.0000000008048000.0000000008059000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Mirai_cc93863b reference_sample = 5217f2a46cb93946e04ab00e385ad0fe0a2844b6ea04ef75ee9187aac3f3d52f, os = linux, severity = x86, creation_date = 2022-01-05, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Mirai, fingerprint = f3ecd30f0b511a8e92cfa642409d559e7612c3f57a1659ca46c77aca809a00ac, id = cc93863b-1050-40ba-9d02-5ec9ce6a3a28, last_modified = 2022-01-26
Source: classification engine Classification label: mal76.spre.troj.evad.linELF@0/240@140/0

Persistence and Installation Behavior
barindex
Sample reads /proc/mounts (often used for finding a writable filesystem)
Source: /usr/bin/dbus-daemon (PID: 6396) File: /proc/6396/mounts Jump to behavior
Source: /bin/fusermount (PID: 6398) File: /proc/6398/mounts Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6473) File: /proc/6473/mounts Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6512) File: /proc/6512/mounts Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6585) File: /proc/6585/mounts Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6674) File: /proc/6674/mounts Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6679) File: /proc/6679/mounts Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6825) File: /proc/6825/mounts Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6833) File: /proc/6833/mounts Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6840) File: /proc/6840/mounts Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6855) File: /proc/6855/mounts Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6923) File: /proc/6923/mounts Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6990) File: /proc/6990/mounts Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 7002) File: /proc/7002/mounts Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 7005) File: /proc/7005/mounts
Source: /usr/bin/dbus-daemon (PID: 7038) File: /proc/7038/mounts
Source: /usr/bin/dbus-daemon (PID: 7105) File: /proc/7105/mounts
Source: /usr/bin/dbus-daemon (PID: 7176) File: /proc/7176/mounts
Source: /usr/bin/dbus-daemon (PID: 7182) File: /proc/7182/mounts
Source: /usr/bin/dbus-daemon (PID: 7281) File: /proc/7281/mounts
Source: /usr/bin/dbus-daemon (PID: 7356) File: /proc/7356/mounts
Source: /usr/bin/dbus-daemon (PID: 7363) File: /proc/7363/mounts
Source: /usr/bin/dbus-daemon (PID: 7379) File: /proc/7379/mounts
Source: /usr/bin/dbus-daemon (PID: 7446) File: /proc/7446/mounts
Source: /usr/bin/dbus-daemon (PID: 7448) File: /proc/7448/mounts
Source: /usr/bin/dbus-daemon (PID: 7517) File: /proc/7517/mounts
Source: /usr/bin/dbus-daemon (PID: 7536) File: /proc/7536/mounts
Source: /usr/bin/dbus-daemon (PID: 7550) File: /proc/7550/mounts
Source: /usr/bin/dbus-daemon (PID: 7617) File: /proc/7617/mounts
Source: /usr/bin/dbus-daemon (PID: 7628) File: /proc/7628/mounts
Source: /usr/bin/dbus-daemon (PID: 7712) File: /proc/7712/mounts
Source: /usr/bin/dbus-daemon (PID: 7722) File: /proc/7722/mounts
Source: /usr/bin/dbus-daemon (PID: 7747) File: /proc/7747/mounts
Source: /usr/bin/dbus-daemon (PID: 7823) File: /proc/7823/mounts
Source: /usr/bin/dbus-daemon (PID: 7914) File: /proc/7914/mounts
Creates hidden files and/or directories
Source: /usr/libexec/gsd-rfkill (PID: 6222) Directory: <invalid fd (9)>/.. Jump to behavior
Source: /usr/libexec/gsd-rfkill (PID: 6222) Directory: <invalid fd (8)>/.. Jump to behavior
Source: /lib/systemd/systemd-hostnamed (PID: 6229) Directory: <invalid fd (10)>/.. Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6412) Directory: <invalid fd (18)>/.. Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6412) Directory: <invalid fd (17)>/.. Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6412) File: /run/systemd/seats/.#seat0Legls4 Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6522) Directory: <invalid fd (18)>/.. Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6522) Directory: <invalid fd (17)>/.. Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6590) Directory: <invalid fd (18)>/.. Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6590) Directory: <invalid fd (17)>/.. Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6590) File: /run/systemd/seats/.#seat0Ws8sXv Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6647) File: /run/systemd/journal/streams/.#9:79836Ng7lzP Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6647) File: /run/systemd/journal/streams/.#9:79838glUXrP Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6647) File: /run/systemd/journal/streams/.#9:79839p39S5N Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6647) File: /run/systemd/journal/streams/.#9:79840yYBKrM Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6647) File: /run/systemd/journal/streams/.#9:79841flWJaQ Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6647) File: /run/systemd/journal/streams/.#9:798421GLBQQ Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6647) File: /run/systemd/journal/streams/.#9:79852fEGVyQ Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6647) File: /run/systemd/journal/streams/.#9:79853P1ckBO Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6647) File: /run/systemd/journal/streams/.#9:79854IVZeDM Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6647) File: /run/systemd/journal/streams/.#9:79855wUfqMO Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6647) File: /run/systemd/journal/streams/.#9:79861583RMO Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6647) File: /run/systemd/journal/streams/.#9:79870VXVgXN Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6647) File: /run/systemd/journal/streams/.#9:79878mKz10N Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6647) File: /run/systemd/journal/streams/.#9:80018vO8sKM Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6691) Directory: <invalid fd (18)>/.. Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6691) Directory: <invalid fd (17)>/.. Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6691) File: /run/systemd/seats/.#seat0SuqBZ8 Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6762) File: /run/systemd/journal/streams/.#9:80827HjFvWu Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6762) File: /run/systemd/journal/streams/.#9:808297TDUcu Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6762) File: /run/systemd/journal/streams/.#9:80830Vss6Pv Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6762) File: /run/systemd/journal/streams/.#9:80831Ow9Yox Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6762) File: /run/systemd/journal/streams/.#9:8083728i2Dw Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6762) File: /run/systemd/journal/streams/.#9:80839D57mFt Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6762) File: /run/systemd/journal/streams/.#9:80840qjLGJv Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6762) File: /run/systemd/journal/streams/.#9:80853AnvWmw Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6762) File: /run/systemd/journal/streams/.#9:80854sECr4v Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6762) File: /run/systemd/journal/streams/.#9:81489jC30xt Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6762) File: /run/systemd/journal/streams/.#9:81987ZY3Kxx Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6765) Directory: <invalid fd (18)>/.. Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6765) Directory: <invalid fd (17)>/.. Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6765) File: /run/systemd/seats/.#seat06XjQoK Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6865) Directory: <invalid fd (18)>/.. Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6865) Directory: <invalid fd (17)>/.. Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6926) File: /run/systemd/journal/streams/.#9:83677aNhvBV Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6926) File: /run/systemd/journal/streams/.#9:83678AOEopT Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6926) File: /run/systemd/journal/streams/.#9:83679gtwFIW Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6926) File: /run/systemd/journal/streams/.#9:83680nUm0DW Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6926) File: /run/systemd/journal/streams/.#9:836814nP32U Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6926) File: /run/systemd/journal/streams/.#9:83682j912wU Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6926) File: /run/systemd/journal/streams/.#9:83683mYYGbV Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6926) File: /run/systemd/journal/streams/.#9:83684CcJS7S Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6926) File: /run/systemd/journal/streams/.#9:83693eKN5gW Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6926) File: /run/systemd/journal/streams/.#9:83694yAAWGW Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6926) File: /run/systemd/journal/streams/.#9:83703UfvNIU Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6926) File: /run/systemd/journal/streams/.#9:83710JJYdaV Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6926) File: /run/systemd/journal/streams/.#9:837900xLhvT Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6926) File: /run/systemd/journal/streams/.#9:83803fEfkcT Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6926) File: /run/systemd/journal/streams/.#9:838934AipIU Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6929) Directory: <invalid fd (18)>/.. Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6929) Directory: <invalid fd (17)>/.. Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6929) File: /run/systemd/seats/.#seat0INlbm7 Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 7045) Directory: <invalid fd (18)>/..
Source: /lib/systemd/systemd-logind (PID: 7045) Directory: <invalid fd (17)>/..
Source: /lib/systemd/systemd-journald (PID: 7106) File: /run/systemd/journal/streams/.#9:84938zkSZHv
Source: /lib/systemd/systemd-journald (PID: 7106) File: /run/systemd/journal/streams/.#9:849405RXpQu
Source: /lib/systemd/systemd-journald (PID: 7106) File: /run/systemd/journal/streams/.#9:84941bR9MGx
Source: /lib/systemd/systemd-journald (PID: 7106) File: /run/systemd/journal/streams/.#9:84943xue2Vu
Source: /lib/systemd/systemd-journald (PID: 7106) File: /run/systemd/journal/streams/.#9:84944FAaIFv
Source: /lib/systemd/systemd-journald (PID: 7106) File: /run/systemd/journal/streams/.#9:84953jifoDy
Source: /lib/systemd/systemd-journald (PID: 7106) File: /run/systemd/journal/streams/.#9:849544BFsNv
Source: /lib/systemd/systemd-journald (PID: 7106) File: /run/systemd/journal/streams/.#9:84955M4fpex
Source: /lib/systemd/systemd-journald (PID: 7106) File: /run/systemd/journal/streams/.#9:84957TPlK9t
Source: /lib/systemd/systemd-journald (PID: 7106) File: /run/systemd/journal/streams/.#9:84964b132ly
Source: /lib/systemd/systemd-journald (PID: 7106) File: /run/systemd/journal/streams/.#9:84974HlFc4w
Source: /lib/systemd/systemd-journald (PID: 7106) File: /run/systemd/journal/streams/.#9:84987nN0Kiu
Source: /lib/systemd/systemd-journald (PID: 7106) File: /run/systemd/journal/streams/.#9:86105F5SCgx
Source: /lib/systemd/systemd-journald (PID: 7106) File: /run/systemd/journal/streams/.#9:86269pz63Hy
Source: /lib/systemd/systemd-logind (PID: 7109) Directory: <invalid fd (18)>/..
Source: /lib/systemd/systemd-logind (PID: 7109) Directory: <invalid fd (17)>/..
Source: /lib/systemd/systemd-logind (PID: 7109) File: /run/systemd/seats/.#seat0JxvEwM
Source: /lib/systemd/systemd-logind (PID: 7223) Directory: <invalid fd (18)>/..
Source: /lib/systemd/systemd-logind (PID: 7223) Directory: <invalid fd (17)>/..
Source: /lib/systemd/systemd-journald (PID: 7286) File: /run/systemd/journal/streams/.#9:86997vWw8v8
Source: /lib/systemd/systemd-journald (PID: 7286) File: /run/systemd/journal/streams/.#9:86998jyd329
Source: /lib/systemd/systemd-journald (PID: 7286) File: /run/systemd/journal/streams/.#9:86999aFUSqa
Source: /lib/systemd/systemd-journald (PID: 7286) File: /run/systemd/journal/streams/.#9:87000ezQSA8
Source: /lib/systemd/systemd-journald (PID: 7286) File: /run/systemd/journal/streams/.#9:87002INsnT6
Source: /lib/systemd/systemd-journald (PID: 7286) File: /run/systemd/journal/streams/.#9:87009GhG0k9
Source: /lib/systemd/systemd-journald (PID: 7286) File: /run/systemd/journal/streams/.#9:87010XfqHD6
Source: /lib/systemd/systemd-journald (PID: 7286) File: /run/systemd/journal/streams/.#9:87011VC0JO9
Source: /lib/systemd/systemd-journald (PID: 7286) File: /run/systemd/journal/streams/.#9:87017tjkut8
Source: /lib/systemd/systemd-journald (PID: 7286) File: /run/systemd/journal/streams/.#9:87018rOIZu8
Source: /lib/systemd/systemd-journald (PID: 7286) File: /run/systemd/journal/streams/.#9:87027CluG67
Source: /lib/systemd/systemd-journald (PID: 7286) File: /run/systemd/journal/streams/.#9:88180UWpQD8
Source: /lib/systemd/systemd-journald (PID: 7286) File: /run/systemd/journal/streams/.#9:88197XtNVoa
Source: /lib/systemd/systemd-logind (PID: 7289) Directory: <invalid fd (18)>/..
Source: /lib/systemd/systemd-logind (PID: 7289) Directory: <invalid fd (17)>/..
Source: /lib/systemd/systemd-logind (PID: 7289) File: /run/systemd/seats/.#seat0x1RM5k
Source: /lib/systemd/systemd-logind (PID: 7388) Directory: <invalid fd (18)>/..
Source: /lib/systemd/systemd-logind (PID: 7388) Directory: <invalid fd (17)>/..
Source: /lib/systemd/systemd-journald (PID: 7451) File: /run/systemd/journal/streams/.#9:89989GJW5NB
Source: /lib/systemd/systemd-journald (PID: 7451) File: /run/systemd/journal/streams/.#9:89990Tfov9A
Source: /lib/systemd/systemd-journald (PID: 7451) File: /run/systemd/journal/streams/.#9:89991NOFKyD
Source: /lib/systemd/systemd-journald (PID: 7451) File: /run/systemd/journal/streams/.#9:89992jN67TB
Source: /lib/systemd/systemd-journald (PID: 7451) File: /run/systemd/journal/streams/.#9:89993yTOMCz
Source: /lib/systemd/systemd-journald (PID: 7451) File: /run/systemd/journal/streams/.#9:899944ux0aE
Source: /lib/systemd/systemd-journald (PID: 7451) File: /run/systemd/journal/streams/.#9:89995uuazHD
Source: /lib/systemd/systemd-journald (PID: 7451) File: /run/systemd/journal/streams/.#9:89996xJ2qbD
Source: /lib/systemd/systemd-journald (PID: 7451) File: /run/systemd/journal/streams/.#9:90003bV85uA
Source: /lib/systemd/systemd-journald (PID: 7451) File: /run/systemd/journal/streams/.#9:900046wRnfC
Source: /lib/systemd/systemd-journald (PID: 7451) File: /run/systemd/journal/streams/.#9:9001789cifD
Source: /lib/systemd/systemd-journald (PID: 7451) File: /run/systemd/journal/streams/.#9:90018Ki2uHD
Source: /lib/systemd/systemd-journald (PID: 7451) File: /run/systemd/journal/streams/.#9:900988qADaA
Source: /lib/systemd/systemd-journald (PID: 7451) File: /run/systemd/journal/streams/.#9:901427KJmJA
Source: /lib/systemd/systemd-logind (PID: 7458) Directory: <invalid fd (18)>/..
Source: /lib/systemd/systemd-logind (PID: 7458) Directory: <invalid fd (17)>/..
Source: /lib/systemd/systemd-logind (PID: 7458) File: /run/systemd/seats/.#seat0BLM1v9
Source: /lib/systemd/systemd-journald (PID: 7555) File: /run/systemd/journal/streams/.#9:91773lopOFt
Source: /lib/systemd/systemd-journald (PID: 7555) File: /run/systemd/journal/streams/.#9:91774ns28Hu
Source: /lib/systemd/systemd-journald (PID: 7555) File: /run/systemd/journal/streams/.#9:91780j2LDAu
Source: /lib/systemd/systemd-journald (PID: 7555) File: /run/systemd/journal/streams/.#9:91781RK7Duu
Source: /lib/systemd/systemd-journald (PID: 7555) File: /run/systemd/journal/streams/.#9:91788Bln0hu
Source: /lib/systemd/systemd-journald (PID: 7555) File: /run/systemd/journal/streams/.#9:91794ZiGb8r
Source: /lib/systemd/systemd-journald (PID: 7555) File: /run/systemd/journal/streams/.#9:917950VEABt
Source: /lib/systemd/systemd-journald (PID: 7555) File: /run/systemd/journal/streams/.#9:91803HAZwzr
Source: /lib/systemd/systemd-journald (PID: 7555) File: /run/systemd/journal/streams/.#9:918769vb3es
Source: /lib/systemd/systemd-journald (PID: 7555) File: /run/systemd/journal/streams/.#9:92037Mv5hRr
Source: /lib/systemd/systemd-logind (PID: 7558) Directory: <invalid fd (18)>/..
Source: /lib/systemd/systemd-logind (PID: 7558) Directory: <invalid fd (17)>/..
Source: /lib/systemd/systemd-logind (PID: 7558) File: /run/systemd/seats/.#seat0ZNqVBI
Source: /lib/systemd/systemd-journald (PID: 7651) File: /run/systemd/journal/streams/.#9:93309L6v0cL
Source: /lib/systemd/systemd-journald (PID: 7651) File: /run/systemd/journal/streams/.#9:93313OMfgRH
Source: /lib/systemd/systemd-journald (PID: 7651) File: /run/systemd/journal/streams/.#9:93321fqnRBL
Source: /lib/systemd/systemd-journald (PID: 7651) File: /run/systemd/journal/streams/.#9:93322PwpwyI
Source: /lib/systemd/systemd-journald (PID: 7651) File: /run/systemd/journal/streams/.#9:93323Or8O1I
Source: /lib/systemd/systemd-journald (PID: 7651) File: /run/systemd/journal/streams/.#9:93336BHIGRH
Source: /lib/systemd/systemd-journald (PID: 7651) File: /run/systemd/journal/streams/.#9:93337eYaJJL
Source: /lib/systemd/systemd-journald (PID: 7651) File: /run/systemd/journal/streams/.#9:933454fAGwL
Source: /lib/systemd/systemd-journald (PID: 7651) File: /run/systemd/journal/streams/.#9:93411Z7sTtL
Source: /lib/systemd/systemd-journald (PID: 7651) File: /run/systemd/journal/streams/.#9:93426iLzxMI
Source: /lib/systemd/systemd-journald (PID: 7651) File: /run/systemd/journal/streams/.#9:93457XowRJH
Source: /lib/systemd/systemd-journald (PID: 7651) File: /run/systemd/journal/streams/.#9:94377zqVaxI
Source: /lib/systemd/systemd-journald (PID: 7651) File: /run/systemd/journal/streams/.#9:934926WDPtL
Source: /lib/systemd/systemd-journald (PID: 7651) File: /run/systemd/journal/streams/.#9:9349729hiZH
Source: /lib/systemd/systemd-logind (PID: 7654) Directory: <invalid fd (18)>/..
Source: /lib/systemd/systemd-logind (PID: 7654) Directory: <invalid fd (17)>/..
Source: /lib/systemd/systemd-logind (PID: 7654) File: /run/systemd/seats/.#seat0hqy0kZ
Source: /lib/systemd/systemd-logind (PID: 7751) Directory: <invalid fd (18)>/..
Source: /lib/systemd/systemd-logind (PID: 7751) Directory: <invalid fd (17)>/..
Source: /lib/systemd/systemd-logind (PID: 7751) File: /run/systemd/seats/.#seat0HNU5si
Source: /lib/systemd/systemd-journald (PID: 7820) File: /run/systemd/journal/streams/.#9:93684QrupXv
Source: /lib/systemd/systemd-journald (PID: 7820) File: /run/systemd/journal/streams/.#9:94626c1sHdw
Source: /lib/systemd/systemd-journald (PID: 7820) File: /run/systemd/journal/streams/.#9:94758TwZD2t
Source: /lib/systemd/systemd-journald (PID: 7820) File: /run/systemd/journal/streams/.#9:95031THWSev
Source: /lib/systemd/systemd-journald (PID: 7820) File: /run/systemd/journal/streams/.#9:95112cAbpuv
Source: /lib/systemd/systemd-journald (PID: 7820) File: /run/systemd/journal/streams/.#9:95196HV7HGv
Source: /lib/systemd/systemd-journald (PID: 7820) File: /run/systemd/journal/streams/.#9:95197CihVJt
Source: /lib/systemd/systemd-journald (PID: 7820) File: /run/systemd/journal/streams/.#9:95398YNXuQv
Source: /lib/systemd/systemd-journald (PID: 7820) File: /run/systemd/journal/streams/.#9:939275FxjGu
Source: /lib/systemd/systemd-journald (PID: 7820) File: /run/systemd/journal/streams/.#9:955784mgk5u
Source: /lib/systemd/systemd-journald (PID: 7820) File: /run/systemd/journal/streams/.#9:95660ZqdBGx
Source: /lib/systemd/systemd-logind (PID: 7827) Directory: <invalid fd (18)>/..
Source: /lib/systemd/systemd-logind (PID: 7827) Directory: <invalid fd (17)>/..
Source: /lib/systemd/systemd-logind (PID: 7827) File: /run/systemd/seats/.#seat09Mbyv4
Source: /lib/systemd/systemd-logind (PID: 7923) Directory: <invalid fd (18)>/..
Source: /lib/systemd/systemd-logind (PID: 7923) Directory: <invalid fd (17)>/..
Source: /lib/systemd/systemd-logind (PID: 7923) File: /run/systemd/seats/.#seat02Nsl0k
Source: /usr/lib/accountsservice/accounts-daemon (PID: 7989) Directory: /root/.cache
Enumerates processes within the "proc" file system
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/7286/cmdline
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/7286/status
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/7286/attr/current
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/7286/sessionid
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/7286/loginuid
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/7286/cgroup
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/7363/comm
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/7363/cmdline
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/7363/status
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/7363/attr/current
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/7363/sessionid
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/7363/loginuid
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/7363/cgroup
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/7363/comm
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/7363/cmdline
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/7363/status
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/7363/attr/current
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/7363/sessionid
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/7363/loginuid
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/7363/cgroup
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/7285/comm
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/7285/cmdline
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/7285/status
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/7285/attr/current
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/7285/sessionid
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/7285/loginuid
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/7285/cgroup
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/7364/comm
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/7364/cmdline
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/7364/status
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/7364/attr/current
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/7364/sessionid
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/7364/loginuid
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/7364/cgroup
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/7378/comm
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/7378/cmdline
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/7378/status
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/7378/attr/current
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/7378/sessionid
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/7378/loginuid
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/7378/cgroup
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/7223/comm
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/7223/cmdline
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/7223/status
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/7223/attr/current
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/7223/sessionid
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/7223/loginuid
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/7223/cgroup
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/7289/comm
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/7289/cmdline
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/7289/status
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/7289/attr/current
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/7289/sessionid
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/7289/loginuid
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/7289/cgroup
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/7282/comm
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/7282/cmdline
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/7282/status
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/7282/attr/current
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/7282/sessionid
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/7282/loginuid
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/7282/cgroup
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/7360/comm
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/7360/cmdline
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/7360/status
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/7360/attr/current
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/7360/sessionid
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/7360/loginuid
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/7360/cgroup
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/1/environ
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/1/sched
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/1/cgroup
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/1/status
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/1/comm
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/1/cmdline
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/1/attr/current
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/1/sessionid
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/1/loginuid
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/1/cgroup
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/1/comm
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/1/cmdline
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/1/status
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/1/attr/current
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/1/sessionid
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/1/loginuid
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/1/cgroup
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/1/comm
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/1/cmdline
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/1/status
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/1/attr/current
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/1/sessionid
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/1/loginuid
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/1/cgroup
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/658/comm
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/658/cmdline
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/658/status
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/658/attr/current
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/658/sessionid
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/658/loginuid
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/658/cgroup
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/658/status
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/658/comm
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/658/cmdline
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/658/attr/current
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/658/sessionid
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/658/loginuid
Source: /lib/systemd/systemd-journald (PID: 7286) File opened: /proc/658/cgroup
Executes commands using a shell command-line interpreter
Source: /usr/bin/gpu-manager (PID: 6477) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6482) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6486) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6488) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6492) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /etc/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6495) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /lib/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6498) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /etc/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6501) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /lib/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6650) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6655) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6657) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6659) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6662) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /etc/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6665) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /lib/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6669) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /etc/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6671) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /lib/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6832) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6992) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6994) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 7011) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7013) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7015) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7018) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7021) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7024) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7026) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7028) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7172) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7174) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7178) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7192) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7196) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7198) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7200) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7202) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7204) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7206) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7208) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7348) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7354) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7357) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7518) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7522) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7527) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7529) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7624) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7626) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7630) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7719) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7723) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7728) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7887) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7889) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7891) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7893) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7895) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7897) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7901) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7903) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/share/language-tools/language-options (PID: 7995) Shell command executed: sh -c "locale -a | grep -F .utf8 "
Executes the "grep" command used to find patterns in files or piped streams
Source: /bin/sh (PID: 6481) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf Jump to behavior
Source: /bin/sh (PID: 6483) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf Jump to behavior
Source: /bin/sh (PID: 6487) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf Jump to behavior
Source: /bin/sh (PID: 6489) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf Jump to behavior
Source: /bin/sh (PID: 6493) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf Jump to behavior
Source: /bin/sh (PID: 6496) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf Jump to behavior
Source: /bin/sh (PID: 6500) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf Jump to behavior
Source: /bin/sh (PID: 6502) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf Jump to behavior
Source: /bin/sh (PID: 6654) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf Jump to behavior
Source: /bin/sh (PID: 6656) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf Jump to behavior
Source: /bin/sh (PID: 6658) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf Jump to behavior
Source: /bin/sh (PID: 6661) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf Jump to behavior
Source: /bin/sh (PID: 6663) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf Jump to behavior
Source: /bin/sh (PID: 6666) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf Jump to behavior
Source: /bin/sh (PID: 6670) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf Jump to behavior
Source: /bin/sh (PID: 6672) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf Jump to behavior
Source: /bin/sh (PID: 6834) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf Jump to behavior
Source: /bin/sh (PID: 6993) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf Jump to behavior
Source: /bin/sh (PID: 6995) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf Jump to behavior
Source: /bin/sh (PID: 7012) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 7014) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 7016) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 7020) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 7023) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 7025) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 7027) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 7029) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 7173) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 7175) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 7194) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 7197) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 7199) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 7201) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 7203) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 7205) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 7207) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 7209) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 7353) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 7355) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 7358) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 7520) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 7525) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 7528) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 7530) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 7625) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 7627) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 7631) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 7721) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 7726) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 7888) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 7890) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 7892) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 7894) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 7896) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 7898) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 7902) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 7904) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 7997) Grep executable: /usr/bin/grep -> grep -F .utf8
Executes the "kill" or "pkill" command typically used to terminate processes
Source: /usr/share/gdm/generate-config (PID: 6504) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service Jump to behavior
Source: /usr/share/gdm/generate-config (PID: 6678) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service Jump to behavior
Source: /usr/share/gdm/generate-config (PID: 6839) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service Jump to behavior
Source: /usr/share/gdm/generate-config (PID: 7001) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service Jump to behavior
Source: /usr/share/gdm/generate-config (PID: 7031) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Source: /usr/share/gdm/generate-config (PID: 7181) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Source: /usr/share/gdm/generate-config (PID: 7211) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Source: /usr/share/gdm/generate-config (PID: 7362) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Source: /usr/share/gdm/generate-config (PID: 7535) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Source: /usr/share/gdm/generate-config (PID: 7634) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Source: /usr/share/gdm/generate-config (PID: 7731) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Source: /usr/share/gdm/generate-config (PID: 7910) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Reads system information from the proc file system
Source: /lib/systemd/systemd-journald (PID: 6581) Reads from proc file: /proc/meminfo Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6647) Reads from proc file: /proc/meminfo Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6762) Reads from proc file: /proc/meminfo Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6862) Reads from proc file: /proc/meminfo Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6926) Reads from proc file: /proc/meminfo Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 7042) Reads from proc file: /proc/meminfo
Source: /lib/systemd/systemd-journald (PID: 7106) Reads from proc file: /proc/meminfo
Source: /lib/systemd/systemd-journald (PID: 7220) Reads from proc file: /proc/meminfo
Source: /lib/systemd/systemd-journald (PID: 7286) Reads from proc file: /proc/meminfo
Source: /lib/systemd/systemd-journald (PID: 7385) Reads from proc file: /proc/meminfo
Source: /lib/systemd/systemd-journald (PID: 7451) Reads from proc file: /proc/meminfo
Source: /lib/systemd/systemd-journald (PID: 7555) Reads from proc file: /proc/meminfo
Source: /lib/systemd/systemd-journald (PID: 7651) Reads from proc file: /proc/meminfo
Source: /lib/systemd/systemd-journald (PID: 7820) Reads from proc file: /proc/meminfo
Reads system version information
Source: /sbin/agetty (PID: 6490) Reads version info: /etc/issue Jump to behavior
Source: /sbin/agetty (PID: 6675) Reads version info: /etc/issue Jump to behavior
Source: /sbin/agetty (PID: 6822) Reads version info: /etc/issue Jump to behavior
Source: /sbin/agetty (PID: 6925) Reads version info: /etc/issue Jump to behavior
Source: /sbin/agetty (PID: 7166) Reads version info: /etc/issue
Source: /sbin/agetty (PID: 7346) Reads version info: /etc/issue
Source: /sbin/agetty (PID: 7519) Reads version info: /etc/issue
Source: /sbin/agetty (PID: 7615) Reads version info: /etc/issue
Source: /sbin/agetty (PID: 7711) Reads version info: /etc/issue
Source: /sbin/agetty (PID: 7744) Reads version info: /etc/issue
Source: /sbin/agetty (PID: 7912) Reads version info: /etc/issue
Sample tries to set the executable flag
Source: /usr/sbin/gdm3 (PID: 7813) File: /var/run/gdm3 (bits: - usr: -x grp: x all: rwx)
Source: /usr/sbin/gdm3 (PID: 7813) File: /var/log/gdm3 (bits: - usr: -x grp: x all: rwx)
Source: /usr/sbin/gdm3 (PID: 7985) File: /var/run/gdm3 (bits: - usr: -x grp: x all: rwx)
Source: /usr/sbin/gdm3 (PID: 7985) File: /var/log/gdm3 (bits: - usr: -x grp: x all: rwx)
Source: /usr/lib/accountsservice/accounts-daemon (PID: 7989) File: /var/lib/AccountsService/icons (bits: - usr: rx grp: rwx all: rwx)
Source: /usr/lib/accountsservice/accounts-daemon (PID: 7989) File: /var/lib/AccountsService/users (bits: - usr: - grp: - all: rwx)
Source: /usr/sbin/rsyslogd (PID: 6397) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6474) Log file created: /var/log/auth.log
Source: /usr/sbin/rsyslogd (PID: 6474) Log file created: /var/log/kern.log
Source: /usr/bin/gpu-manager (PID: 6475) Log file created: /var/log/gpu-manager.log
Source: /usr/sbin/rsyslogd (PID: 6513) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6513) Log file created: /var/log/auth.log
Source: /usr/sbin/rsyslogd (PID: 6586) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6683) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6683) Log file created: /var/log/auth.log
Source: /usr/sbin/rsyslogd (PID: 6757) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6826) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6841) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6841) Log file created: /var/log/auth.log
Source: /usr/sbin/rsyslogd (PID: 6924) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 7004) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 7004) Log file created: /var/log/auth.log
Source: /usr/bin/gpu-manager (PID: 7010) Log file created: /var/log/gpu-manager.log
Source: /usr/sbin/rsyslogd (PID: 7104) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 7184) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 7184) Log file created: /var/log/auth.log
Source: /usr/bin/gpu-manager (PID: 7191) Log file created: /var/log/gpu-manager.log
Source: /usr/sbin/rsyslogd (PID: 7285) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 7360) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 7360) Log file created: /var/log/auth.log
Source: /usr/sbin/rsyslogd (PID: 7378) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 7447) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 7516) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 7537) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 7537) Log file created: /var/log/auth.log
Source: /usr/sbin/rsyslogd (PID: 7618) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 7632) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 7632) Log file created: /var/log/auth.log
Source: /usr/sbin/rsyslogd (PID: 7714) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 7729) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 7729) Log file created: /var/log/auth.log
Source: /usr/sbin/rsyslogd (PID: 7809) Log file created: /var/log/kern.log
Source: /usr/bin/gpu-manager (PID: 7886) Log file created: /var/log/gpu-manager.log Jump to dropped file
Source: /usr/sbin/rsyslogd (PID: 7905) Log file created: /var/log/auth.log
Source: /usr/sbin/rsyslogd (PID: 7905) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 7915) Log file created: /var/log/kern.log Jump to dropped file
Source: /usr/sbin/rsyslogd (PID: 7915) Log file created: /var/log/auth.log Jump to dropped file

Hooking and other Techniques for Hiding and Protection
barindex
Sample deletes itself
Source: /tmp/Aqua.i686.elf (PID: 6220) File: /tmp/Aqua.i686.elf Jump to behavior
Deletes log files
Source: /usr/bin/gpu-manager (PID: 6475) Truncated file: /var/log/gpu-manager.log Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6648) Truncated file: /var/log/gpu-manager.log Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6831) Truncated file: /var/log/gpu-manager.log Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6988) Truncated file: /var/log/gpu-manager.log Jump to behavior
Source: /usr/bin/gpu-manager (PID: 7010) Truncated file: /var/log/gpu-manager.log
Source: /usr/bin/gpu-manager (PID: 7167) Truncated file: /var/log/gpu-manager.log
Source: /usr/bin/gpu-manager (PID: 7191) Truncated file: /var/log/gpu-manager.log
Source: /usr/bin/gpu-manager (PID: 7347) Truncated file: /var/log/gpu-manager.log
Source: /usr/bin/gpu-manager (PID: 7515) Truncated file: /var/log/gpu-manager.log
Source: /usr/bin/gpu-manager (PID: 7620) Truncated file: /var/log/gpu-manager.log
Source: /usr/bin/gpu-manager (PID: 7715) Truncated file: /var/log/gpu-manager.log
Source: /usr/bin/gpu-manager (PID: 7886) Truncated file: /var/log/gpu-manager.log
Reads CPU information from /sys indicative of miner or evasive malware
Source: /usr/bin/pkill (PID: 6504) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 6678) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 6839) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 7001) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 7031) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 7181) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 7211) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 7362) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 7535) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 7634) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 7731) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 7910) Reads CPU info from /sys: /sys/devices/system/cpu/online
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /lib/systemd/systemd-hostnamed (PID: 6229) Queries kernel information via 'uname': Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6397) Queries kernel information via 'uname': Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6474) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6475) Queries kernel information via 'uname': Jump to behavior
Source: /sbin/agetty (PID: 6490) Queries kernel information via 'uname': Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6513) Queries kernel information via 'uname': Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6581) Queries kernel information via 'uname': Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6586) Queries kernel information via 'uname': Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6647) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6648) Queries kernel information via 'uname': Jump to behavior
Source: /sbin/agetty (PID: 6675) Queries kernel information via 'uname': Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6676) Queries kernel information via 'uname': Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6683) Queries kernel information via 'uname': Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6757) Queries kernel information via 'uname': Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6762) Queries kernel information via 'uname': Jump to behavior
Source: /sbin/agetty (PID: 6822) Queries kernel information via 'uname': Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6826) Queries kernel information via 'uname': Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6836) Queries kernel information via 'uname': Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6841) Queries kernel information via 'uname': Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6856) Queries kernel information via 'uname': Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6862) Queries kernel information via 'uname': Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6924) Queries kernel information via 'uname': Jump to behavior
Source: /sbin/agetty (PID: 6925) Queries kernel information via 'uname': Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6926) Queries kernel information via 'uname': Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6997) Queries kernel information via 'uname': Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 7004) Queries kernel information via 'uname':
Source: /usr/bin/gpu-manager (PID: 7010) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 7037) Queries kernel information via 'uname':
Source: /lib/systemd/systemd-journald (PID: 7042) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 7104) Queries kernel information via 'uname':
Source: /lib/systemd/systemd-journald (PID: 7106) Queries kernel information via 'uname':
Source: /sbin/agetty (PID: 7166) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 7177) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 7184) Queries kernel information via 'uname':
Source: /usr/bin/gpu-manager (PID: 7191) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 7219) Queries kernel information via 'uname':
Source: /lib/systemd/systemd-journald (PID: 7220) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 7285) Queries kernel information via 'uname':
Source: /lib/systemd/systemd-journald (PID: 7286) Queries kernel information via 'uname':
Source: /sbin/agetty (PID: 7346) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 7360) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 7378) Queries kernel information via 'uname':
Source: /lib/systemd/systemd-journald (PID: 7385) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 7447) Queries kernel information via 'uname':
Source: /lib/systemd/systemd-journald (PID: 7451) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 7516) Queries kernel information via 'uname':
Source: /sbin/agetty (PID: 7519) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 7537) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 7551) Queries kernel information via 'uname':
Source: /lib/systemd/systemd-journald (PID: 7555) Queries kernel information via 'uname':
Source: /sbin/agetty (PID: 7615) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 7618) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 7632) Queries kernel information via 'uname':
Source: /lib/systemd/systemd-journald (PID: 7651) Queries kernel information via 'uname':
Source: /sbin/agetty (PID: 7711) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 7714) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 7729) Queries kernel information via 'uname':
Source: /sbin/agetty (PID: 7744) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 7809) Queries kernel information via 'uname':
Source: /lib/systemd/systemd-journald (PID: 7820) Queries kernel information via 'uname':
Source: /usr/bin/gpu-manager (PID: 7886) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 7905) Queries kernel information via 'uname':
Source: /sbin/agetty (PID: 7912) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 7915) Queries kernel information via 'uname':
Source: syslog.32.dr Binary or memory string: Dec 25 10:36:10 galassia kernel: [ 411.556955] Modules linked in: monitor(OE) md4 cmac cifs libarc4 fscache libdes vmw_vsock_vmci_transport vsock binfmt_misc dm_multipath scsi_dh_rdac scsi_dh_emc scsi_dh_alua vmw_balloon joydev input_leds serio_raw vmw_vmci sch_fq_codel drm parport_pc ppdev lp parport ip_tables x_tables autofs4 btrfs zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel crypto_simd cryptd glue_helper psmouse ahci mptspi vmxnet3 scsi_transport_spi mptscsih libahci mptbase
Source: syslog.32.dr Binary or memory string: Dec 25 10:36:10 galassia kernel: [ 411.556992] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 12/12/2018

Language, Device and Operating System Detection
barindex
Reads system files that contain records of logged in users
Source: /usr/lib/accountsservice/accounts-daemon (PID: 7989) Logged in records file read: /var/log/wtmp

No Screenshots

  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
162.213.35.24
 unknown United States
41231 CANONICAL-ASGB false
89.190.156.145
 unknown United Kingdom
7489 HOSTUS-GLOBAL-ASHostUSHK false
109.202.202.202
 unknown Switzerland
13030 INIT7CH false
91.189.91.43
 unknown United Kingdom
41231 CANONICAL-ASGB false
91.189.91.42
 unknown United Kingdom
41231 CANONICAL-ASGB false

Contacted Domains

Name IP Active
daisy.ubuntu.com 162.213.35.25 true
45.148.10.84 unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://daisy.ubuntu.com/9aadafe2051348cd32033e1cad68f0a5fe46fba3240ac1e6e42158f31b8a1371790c09baf3996b4979fe8e533446c7dedf30f654c68b25357334c66911dc6a9e false
    		high