Linux Analysis Report
Aqua.m68k.elf

Overview

General Information

Sample name: Aqua.m68k.elf
Analysis ID: 1580700
MD5: 29c549bdc05e609a086a240482dd6ad7
SHA1: 724f873e7b7376fae6a91fd8faa897e5936d59ae
SHA256: f51035a8667082e733ca405911900e013cee9ba8533580fccd75e6fe4988c231
Tags: elfuser-abuse_ch
Infos:

Detection

Score: 64
Range: 0 - 100
Whitelisted: false

Signatures

Multi AV Scanner detection for submitted file
Sample deletes itself
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to kill multiple processes (SIGKILL)
Sends malformed DNS queries
Creates hidden files and/or directories
Deletes log files
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Executes commands using a shell command-line interpreter
Executes the "grep" command used to find patterns in files or piped streams
Executes the "kill" or "pkill" command typically used to terminate processes
Found strings indicative of a multi-platform dropper
HTTP GET or POST without a user agent
Reads CPU information from /sys indicative of miner or evasive malware
Reads system information from the proc file system
Reads the 'hosts' file potentially containing internal network hosts
Sample has stripped symbol table
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: Aqua.m68k.elf ReversingLabs: Detection: 31%
Reads CPU information from /sys indicative of miner or evasive malware
Source: /usr/bin/pkill (PID: 6546) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 6655) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 6806) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 6897) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6987) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 7081) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 7174) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 7185) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 7280) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 7285) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 7387) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 7386) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 7494) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 7497) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 7594) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 7600) Reads CPU info from /sys: /sys/devices/system/cpu/online
Found strings indicative of a multi-platform dropper
Source: Aqua.m68k.elf String: N^NuEOF/proc//proc/%s/cmdlinerwgetcurlftpechokillbashrebootshutdownhaltpoweroff[locker] killed process: %s ;; pid: %d

Networking
barindex
Sends malformed DNS queries
Source: global traffic DNS traffic detected: malformed DNS query: 45.148.10.84. [malformed]
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.23:50016 -> 89.190.156.145:7733
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: POST /9aadafe2051348cd32033e1cad68f0a5fe46fba3240ac1e6e42158f31b8a1371790c09baf3996b4979fe8e533446c7dedf30f654c68b25357334c66911dc6a9e HTTP/1.1Host: daisy.ubuntu.comAccept: */*Content-Type: application/octet-streamX-Whoopsie-Version: 0.2.69ubuntu0.3Content-Length: 164887Expect: 100-continue
Reads the 'hosts' file potentially containing internal network hosts
Source: /usr/sbin/rsyslogd (PID: 6430) Reads hosts file: /etc/hosts Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6517) Reads hosts file: /etc/hosts Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6552) Reads hosts file: /etc/hosts Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6623) Reads hosts file: /etc/hosts Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6654) Reads hosts file: /etc/hosts Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6728) Reads hosts file: /etc/hosts Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6794) Reads hosts file: /etc/hosts Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6804) Reads hosts file: /etc/hosts Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6883) Reads hosts file: /etc/hosts Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6895) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 6911) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 6981) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 6999) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 7065) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 7075) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 7093) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 7158) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 7169) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 7199) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 7268) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 7283) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 7307) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 7380) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 7409) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 7476) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 7490) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 7519) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 7584) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 7597) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 7622) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 7626) Reads hosts file: /etc/hosts
Sample listens on a socket
Source: /lib/systemd/systemd-journald (PID: 6559) Socket: unknown address family Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6624) Socket: unknown address family Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6730) Socket: unknown address family Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6821) Socket: unknown address family Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6917) Socket: unknown address family
Source: /lib/systemd/systemd-journald (PID: 7005) Socket: unknown address family
Source: /lib/systemd/systemd-journald (PID: 7098) Socket: unknown address family
Source: /lib/systemd/systemd-journald (PID: 7206) Socket: unknown address family
Source: /lib/systemd/systemd-journald (PID: 7313) Socket: unknown address family
Source: /lib/systemd/systemd-journald (PID: 7416) Socket: unknown address family
Source: /lib/systemd/systemd-journald (PID: 7523) Socket: unknown address family
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 91.189.91.43
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: global traffic DNS traffic detected: DNS query: 45.148.10.84
Source: global traffic DNS traffic detected: DNS query: 45.148.10.84. [malformed]
Source: global traffic DNS traffic detected: DNS query: daisy.ubuntu.com
Source: unknown HTTP traffic detected: POST /9aadafe2051348cd32033e1cad68f0a5fe46fba3240ac1e6e42158f31b8a1371790c09baf3996b4979fe8e533446c7dedf30f654c68b25357334c66911dc6a9e HTTP/1.1Host: daisy.ubuntu.comAccept: */*Content-Type: application/octet-streamX-Whoopsie-Version: 0.2.69ubuntu0.3Content-Length: 164887Expect: 100-continue
Source: syslog.225.dr, syslog.522.dr String found in binary or memory: https://www.rsyslog.com
Source: unknown Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 53122
Source: unknown Network traffic detected: HTTP traffic on port 53122 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary
barindex
Sample tries to kill multiple processes (SIGKILL)
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 1638, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6259, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 658, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 720, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 721, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 772, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 774, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 777, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 785, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 793, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 936, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 1320, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 1344, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 1886, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 1983, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 2048, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6236, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6237, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6417, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6428, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6429, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6430, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 1335, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 1872, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6512, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6517, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 491, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 759, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 761, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 1334, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 1860, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6084, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6266, result: no such process Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6449, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6547, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6551, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6552, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6554, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6559, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6621, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6622, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6623, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6625, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6651, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6652, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6654, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6624, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6663, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6723, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6726, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6727, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6728, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6792, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6793, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6794, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6795, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6799, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6803, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6804, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6730, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6733, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6815, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6818, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6819, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6820, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6881, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6882, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6883, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6884, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6892, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6895, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6821, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6824, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6907, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6910, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6911, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6977, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6978, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6980, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6981, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6984, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6985, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6917, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6920, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6996, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6999, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7000, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7004, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7065, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7066, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7067, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7071, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7075, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7076, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7005, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7008, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7090, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7093, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7094, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7095, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7158, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7159, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7160, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7165, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7168, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7169, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7182, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7185, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7098, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7101, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7186, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7198, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7199, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7204, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7205, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7266, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7267, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7268, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7269, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7278, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7280, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7283, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7206, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7209, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7299, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7304, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7305, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7306, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7307, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7373, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7374, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7375, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7376, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7380, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7381, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7386, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7313, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7316, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7403, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7406, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7409, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7410, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7411, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7412, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7476, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7477, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7478, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7481, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7485, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7490, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7491, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7494, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7416, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7419, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7513, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7516, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7519, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7520, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7521, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7522, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7583, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7584, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7585, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7589, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7593, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7594, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7597, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7599, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7621, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7622, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7623, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7624, result: successful Jump to behavior
Sample has stripped symbol table
Source: ELF static info symbol of initial sample .symtab present: no
Sample tries to kill a process (SIGKILL)
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 1638, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6259, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 658, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 720, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 721, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 772, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 774, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 777, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 785, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 793, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 936, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 1320, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 1344, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 1886, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 1983, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 2048, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6236, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6237, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6417, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6428, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6429, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6430, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 1335, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 1872, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6512, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6517, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 491, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 759, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 761, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 1334, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 1860, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6084, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6266, result: no such process Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6449, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6547, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6551, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6552, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6554, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6559, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6621, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6622, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6623, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6625, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6651, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6652, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6654, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6624, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6663, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6723, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6726, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6727, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6728, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6792, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6793, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6794, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6795, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6799, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6803, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6804, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6730, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6733, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6815, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6818, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6819, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6820, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6881, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6882, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6883, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6884, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6892, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6895, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6821, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6824, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6907, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6910, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6911, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6977, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6978, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6980, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6981, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6984, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6985, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6917, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6920, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6996, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 6999, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7000, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7004, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7065, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7066, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7067, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7071, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7075, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7076, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7005, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7008, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7090, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7093, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7094, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7095, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7158, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7159, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7160, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7165, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7168, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7169, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7182, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7185, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7098, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7101, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7186, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7198, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7199, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7204, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7205, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7266, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7267, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7268, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7269, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7278, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7280, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7283, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7206, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7209, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7299, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7304, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7305, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7306, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7307, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7373, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7374, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7375, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7376, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7380, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7381, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7386, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7313, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7316, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7403, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7406, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7409, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7410, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7411, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7412, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7476, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7477, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7478, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7481, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7485, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7490, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7491, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7494, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7416, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7419, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7513, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7516, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7519, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7520, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7521, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7522, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7583, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7584, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7585, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7589, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7593, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7594, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7597, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7599, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7621, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7622, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7623, result: successful Jump to behavior
Source: /tmp/Aqua.m68k.elf (PID: 6256) SIGKILL sent: pid: 7624, result: successful Jump to behavior
Source: classification engine Classification label: mal64.spre.troj.evad.linELF@0/220@131/0

Persistence and Installation Behavior
barindex
Sample reads /proc/mounts (often used for finding a writable filesystem)
Source: /usr/bin/dbus-daemon (PID: 6417) File: /proc/6417/mounts Jump to behavior
Source: /bin/fusermount (PID: 6435) File: /proc/6435/mounts Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6512) File: /proc/6512/mounts Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6554) File: /proc/6554/mounts Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6622) File: /proc/6622/mounts Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6652) File: /proc/6652/mounts Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6727) File: /proc/6727/mounts Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6793) File: /proc/6793/mounts Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6803) File: /proc/6803/mounts Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6819) File: /proc/6819/mounts Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6882) File: /proc/6882/mounts Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6892) File: /proc/6892/mounts
Source: /usr/bin/dbus-daemon (PID: 6978) File: /proc/6978/mounts
Source: /usr/bin/dbus-daemon (PID: 6985) File: /proc/6985/mounts
Source: /usr/bin/dbus-daemon (PID: 7004) File: /proc/7004/mounts
Source: /usr/bin/dbus-daemon (PID: 7066) File: /proc/7066/mounts
Source: /usr/bin/dbus-daemon (PID: 7076) File: /proc/7076/mounts
Source: /usr/bin/dbus-daemon (PID: 7094) File: /proc/7094/mounts
Source: /usr/bin/dbus-daemon (PID: 7159) File: /proc/7159/mounts
Source: /usr/bin/dbus-daemon (PID: 7168) File: /proc/7168/mounts
Source: /usr/bin/dbus-daemon (PID: 7182) File: /proc/7182/mounts
Source: /usr/bin/dbus-daemon (PID: 7267) File: /proc/7267/mounts
Source: /usr/bin/dbus-daemon (PID: 7278) File: /proc/7278/mounts
Source: /usr/bin/dbus-daemon (PID: 7304) File: /proc/7304/mounts
Source: /usr/bin/dbus-daemon (PID: 7373) File: /proc/7373/mounts
Source: /usr/bin/dbus-daemon (PID: 7381) File: /proc/7381/mounts
Source: /usr/bin/dbus-daemon (PID: 7406) File: /proc/7406/mounts
Source: /usr/bin/dbus-daemon (PID: 7410) File: /proc/7410/mounts
Source: /usr/bin/dbus-daemon (PID: 7477) File: /proc/7477/mounts
Source: /usr/bin/dbus-daemon (PID: 7491) File: /proc/7491/mounts
Source: /usr/bin/dbus-daemon (PID: 7516) File: /proc/7516/mounts
Source: /usr/bin/dbus-daemon (PID: 7520) File: /proc/7520/mounts
Source: /usr/bin/dbus-daemon (PID: 7583) File: /proc/7583/mounts
Source: /usr/bin/dbus-daemon (PID: 7593) File: /proc/7593/mounts
Source: /usr/bin/dbus-daemon (PID: 7621) File: /proc/7621/mounts
Source: /usr/bin/dbus-daemon (PID: 7625) File: /proc/7625/mounts
Creates hidden files and/or directories
Source: /usr/libexec/gsd-rfkill (PID: 6259) Directory: <invalid fd (9)>/.. Jump to behavior
Source: /usr/libexec/gsd-rfkill (PID: 6259) Directory: <invalid fd (8)>/.. Jump to behavior
Source: /lib/systemd/systemd-hostnamed (PID: 6264) Directory: <invalid fd (10)>/.. Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6449) Directory: <invalid fd (18)>/.. Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6449) Directory: <invalid fd (17)>/.. Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6449) File: /run/systemd/seats/.#seat0lLJZuP Jump to behavior
Source: /usr/lib/policykit-1/polkitd (PID: 6511) Directory: /root/.cache Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6564) Directory: <invalid fd (18)>/.. Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6564) Directory: <invalid fd (17)>/.. Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6564) File: /run/systemd/seats/.#seat0QNDBpy Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6624) File: /run/systemd/journal/streams/.#9:78652Upn4B2 Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6624) File: /run/systemd/journal/streams/.#9:78654igePz3 Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6624) File: /run/systemd/journal/streams/.#9:78655qrVYy3 Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6624) File: /run/systemd/journal/streams/.#9:78657iSP6J2 Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6624) File: /run/systemd/journal/streams/.#9:78658MA5nW4 Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6624) File: /run/systemd/journal/streams/.#9:78659JZpu04 Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6624) File: /run/systemd/journal/streams/.#9:78660vl4OS5 Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6624) File: /run/systemd/journal/streams/.#9:786802YmT62 Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6624) File: /run/systemd/journal/streams/.#9:78681N8p0i3 Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6624) File: /run/systemd/journal/streams/.#9:78738Yvf9y3 Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6624) File: /run/systemd/journal/streams/.#9:788157Bumw5 Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6663) Directory: <invalid fd (18)>/.. Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6663) Directory: <invalid fd (17)>/.. Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6663) File: /run/systemd/seats/.#seat0fYwEM0 Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6730) File: /run/systemd/journal/streams/.#9:8037288JbR4 Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6730) File: /run/systemd/journal/streams/.#9:80373X8M2A6 Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6730) File: /run/systemd/journal/streams/.#9:80379hByWg6 Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6730) File: /run/systemd/journal/streams/.#9:80380iyd1e7 Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6730) File: /run/systemd/journal/streams/.#9:80388J6x6g6 Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6730) File: /run/systemd/journal/streams/.#9:80396TO4TY7 Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6730) File: /run/systemd/journal/streams/.#9:80402xSGtN5 Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6730) File: /run/systemd/journal/streams/.#9:80430oRa6v4 Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6730) File: /run/systemd/journal/streams/.#9:80507B6uQF7 Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6733) Directory: <invalid fd (18)>/.. Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6733) Directory: <invalid fd (17)>/.. Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6733) File: /run/systemd/seats/.#seat068meVl Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6821) File: /run/systemd/journal/streams/.#9:812833SmyYX Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6821) File: /run/systemd/journal/streams/.#9:81284AiHMh0 Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6821) File: /run/systemd/journal/streams/.#9:812904gQg6X Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6821) File: /run/systemd/journal/streams/.#9:81291KbSPBX Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6821) File: /run/systemd/journal/streams/.#9:81297xpBCpW Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6821) File: /run/systemd/journal/streams/.#9:81304CkX2PY Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6821) File: /run/systemd/journal/streams/.#9:81305DPjKf0 Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6821) File: /run/systemd/journal/streams/.#9:81384ca8YRX Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6824) Directory: <invalid fd (18)>/.. Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6824) Directory: <invalid fd (17)>/.. Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6824) File: /run/systemd/seats/.#seat07ZVgWd Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6917) File: /run/systemd/journal/streams/.#9:828918ZFW6c
Source: /lib/systemd/systemd-journald (PID: 6917) File: /run/systemd/journal/streams/.#9:82892ydoVXf
Source: /lib/systemd/systemd-journald (PID: 6917) File: /run/systemd/journal/streams/.#9:82894EAckAf
Source: /lib/systemd/systemd-journald (PID: 6917) File: /run/systemd/journal/streams/.#9:82895uf8Iyg
Source: /lib/systemd/systemd-journald (PID: 6917) File: /run/systemd/journal/streams/.#9:82902JqqVAd
Source: /lib/systemd/systemd-journald (PID: 6917) File: /run/systemd/journal/streams/.#9:82910tMdqwf
Source: /lib/systemd/systemd-journald (PID: 6917) File: /run/systemd/journal/streams/.#9:82922jWrEld
Source: /lib/systemd/systemd-journald (PID: 6917) File: /run/systemd/journal/streams/.#9:81830E8wHGc
Source: /lib/systemd/systemd-journald (PID: 6917) File: /run/systemd/journal/streams/.#9:83045wOkuCf
Source: /lib/systemd/systemd-logind (PID: 6920) Directory: <invalid fd (18)>/..
Source: /lib/systemd/systemd-logind (PID: 6920) Directory: <invalid fd (17)>/..
Source: /lib/systemd/systemd-logind (PID: 6920) File: /run/systemd/seats/.#seat0FgvnRs
Source: /lib/systemd/systemd-journald (PID: 7005) File: /run/systemd/journal/streams/.#9:83592xuE9TQ
Source: /lib/systemd/systemd-journald (PID: 7005) File: /run/systemd/journal/streams/.#9:83593StFqiR
Source: /lib/systemd/systemd-journald (PID: 7005) File: /run/systemd/journal/streams/.#9:83599hiYqeR
Source: /lib/systemd/systemd-journald (PID: 7005) File: /run/systemd/journal/streams/.#9:83600mKZo7U
Source: /lib/systemd/systemd-journald (PID: 7005) File: /run/systemd/journal/streams/.#9:83613sHWX1Q
Source: /lib/systemd/systemd-journald (PID: 7005) File: /run/systemd/journal/streams/.#9:83614p2Ja2Q
Source: /lib/systemd/systemd-journald (PID: 7005) File: /run/systemd/journal/streams/.#9:83622Qe87GQ
Source: /lib/systemd/systemd-journald (PID: 7005) File: /run/systemd/journal/streams/.#9:84581xW0zdU
Source: /lib/systemd/systemd-logind (PID: 7008) Directory: <invalid fd (18)>/..
Source: /lib/systemd/systemd-logind (PID: 7008) Directory: <invalid fd (17)>/..
Source: /lib/systemd/systemd-logind (PID: 7008) File: /run/systemd/seats/.#seat06VgEI7
Source: /lib/systemd/systemd-journald (PID: 7098) File: /run/systemd/journal/streams/.#9:85466e3UB8S
Source: /lib/systemd/systemd-journald (PID: 7098) File: /run/systemd/journal/streams/.#9:85467IN4rcW
Source: /lib/systemd/systemd-journald (PID: 7098) File: /run/systemd/journal/streams/.#9:85469aS0PpT
Source: /lib/systemd/systemd-journald (PID: 7098) File: /run/systemd/journal/streams/.#9:85475N9X5MW
Source: /lib/systemd/systemd-journald (PID: 7098) File: /run/systemd/journal/streams/.#9:8548798dfGW
Source: /lib/systemd/systemd-journald (PID: 7098) File: /run/systemd/journal/streams/.#9:85489cCXzES
Source: /lib/systemd/systemd-journald (PID: 7098) File: /run/systemd/journal/streams/.#9:85497SjbNdT
Source: /lib/systemd/systemd-journald (PID: 7098) File: /run/systemd/journal/streams/.#9:85498fcaiVS
Source: /lib/systemd/systemd-journald (PID: 7098) File: /run/systemd/journal/streams/.#9:85500FQ1TwW
Source: /lib/systemd/systemd-journald (PID: 7098) File: /run/systemd/journal/streams/.#9:85501nBnM5U
Source: /lib/systemd/systemd-journald (PID: 7098) File: /run/systemd/journal/streams/.#9:85502QGJWRV
Source: /lib/systemd/systemd-journald (PID: 7098) File: /run/systemd/journal/streams/.#9:855604WsKeW
Source: /lib/systemd/systemd-logind (PID: 7101) Directory: <invalid fd (18)>/..
Source: /lib/systemd/systemd-logind (PID: 7101) Directory: <invalid fd (17)>/..
Source: /lib/systemd/systemd-logind (PID: 7101) File: /run/systemd/seats/.#seat0ONb6g8
Source: /usr/lib/policykit-1/polkitd (PID: 7190) Directory: /root/.cache
Source: /lib/systemd/systemd-journald (PID: 7206) File: /run/systemd/journal/streams/.#9:88392U9KFU4
Source: /lib/systemd/systemd-journald (PID: 7206) File: /run/systemd/journal/streams/.#9:88397ZmevP4
Source: /lib/systemd/systemd-journald (PID: 7206) File: /run/systemd/journal/streams/.#9:88398rQjpk4
Source: /lib/systemd/systemd-journald (PID: 7206) File: /run/systemd/journal/streams/.#9:88401Zk6SB3
Source: /lib/systemd/systemd-journald (PID: 7206) File: /run/systemd/journal/streams/.#9:88402rIvDl5
Source: /lib/systemd/systemd-journald (PID: 7206) File: /run/systemd/journal/streams/.#9:88406PnVHu7
Source: /lib/systemd/systemd-journald (PID: 7206) File: /run/systemd/journal/streams/.#9:884218CRj93
Source: /lib/systemd/systemd-journald (PID: 7206) File: /run/systemd/journal/streams/.#9:884343Vyxm3
Source: /lib/systemd/systemd-journald (PID: 7206) File: /run/systemd/journal/streams/.#9:884354wOtg5
Source: /lib/systemd/systemd-journald (PID: 7206) File: /run/systemd/journal/streams/.#9:88436cIr7r3
Source: /lib/systemd/systemd-journald (PID: 7206) File: /run/systemd/journal/streams/.#9:88437FX9dN6
Source: /lib/systemd/systemd-journald (PID: 7206) File: /run/systemd/journal/streams/.#9:88463NrAFw4
Source: /lib/systemd/systemd-journald (PID: 7206) File: /run/systemd/journal/streams/.#9:88547oNcy36
Source: /lib/systemd/systemd-journald (PID: 7206) File: /run/systemd/journal/streams/.#9:88551M46123
Source: /lib/systemd/systemd-logind (PID: 7209) Directory: <invalid fd (18)>/..
Source: /lib/systemd/systemd-logind (PID: 7209) Directory: <invalid fd (17)>/..
Source: /lib/systemd/systemd-logind (PID: 7209) File: /run/systemd/seats/.#seat0QJCVxh
Source: /usr/lib/policykit-1/polkitd (PID: 7295) Directory: /root/.cache
Source: /lib/systemd/systemd-journald (PID: 7313) File: /run/systemd/journal/streams/.#9:892640nQcKc
Source: /lib/systemd/systemd-journald (PID: 7313) File: /run/systemd/journal/streams/.#9:892663aBQ28
Source: /lib/systemd/systemd-journald (PID: 7313) File: /run/systemd/journal/streams/.#9:89268BRGG08
Source: /lib/systemd/systemd-journald (PID: 7313) File: /run/systemd/journal/streams/.#9:89269sTI1ja
Source: /lib/systemd/systemd-journald (PID: 7313) File: /run/systemd/journal/streams/.#9:89270gWJVh9
Source: /lib/systemd/systemd-journald (PID: 7313) File: /run/systemd/journal/streams/.#9:89278LQiFic
Source: /lib/systemd/systemd-journald (PID: 7313) File: /run/systemd/journal/streams/.#9:89284wato7c
Source: /lib/systemd/systemd-journald (PID: 7313) File: /run/systemd/journal/streams/.#9:89298VzW9ec
Source: /lib/systemd/systemd-journald (PID: 7313) File: /run/systemd/journal/streams/.#9:89299f6ZgK8
Source: /lib/systemd/systemd-journald (PID: 7313) File: /run/systemd/journal/streams/.#9:89306TyXD3c
Source: /lib/systemd/systemd-journald (PID: 7313) File: /run/systemd/journal/streams/.#9:89307HEZA5c
Source: /lib/systemd/systemd-journald (PID: 7313) File: /run/systemd/journal/streams/.#9:89337cwZHhd
Source: /lib/systemd/systemd-journald (PID: 7313) File: /run/systemd/journal/streams/.#9:89448CuPaVc
Source: /lib/systemd/systemd-journald (PID: 7313) File: /run/systemd/journal/streams/.#9:895324EOfta
Source: /lib/systemd/systemd-journald (PID: 7313) File: /run/systemd/journal/streams/.#9:89535TaRMUb
Source: /lib/systemd/systemd-logind (PID: 7316) Directory: <invalid fd (18)>/..
Source: /lib/systemd/systemd-logind (PID: 7316) Directory: <invalid fd (17)>/..
Source: /lib/systemd/systemd-logind (PID: 7316) File: /run/systemd/seats/.#seat0mQU4vo
Source: /usr/lib/policykit-1/polkitd (PID: 7399) Directory: /root/.cache
Source: /lib/systemd/systemd-journald (PID: 7416) File: /run/systemd/journal/streams/.#9:91170NFTfqW
Source: /lib/systemd/systemd-journald (PID: 7416) File: /run/systemd/journal/streams/.#9:91174HMLXrY
Source: /lib/systemd/systemd-journald (PID: 7416) File: /run/systemd/journal/streams/.#9:91175zMXHkY
Source: /lib/systemd/systemd-journald (PID: 7416) File: /run/systemd/journal/streams/.#9:91176yWueHX
Source: /lib/systemd/systemd-journald (PID: 7416) File: /run/systemd/journal/streams/.#9:91177UUKO8Z
Source: /lib/systemd/systemd-journald (PID: 7416) File: /run/systemd/journal/streams/.#9:91187fKuy5X
Source: /lib/systemd/systemd-journald (PID: 7416) File: /run/systemd/journal/streams/.#9:91188JWlmAV
Source: /lib/systemd/systemd-journald (PID: 7416) File: /run/systemd/journal/streams/.#9:91189hdo9wY
Source: /lib/systemd/systemd-journald (PID: 7416) File: /run/systemd/journal/streams/.#9:911976YjvgW
Source: /lib/systemd/systemd-journald (PID: 7416) File: /run/systemd/journal/streams/.#9:9121353Ge5X
Source: /lib/systemd/systemd-journald (PID: 7416) File: /run/systemd/journal/streams/.#9:91214V7sztX
Source: /lib/systemd/systemd-journald (PID: 7416) File: /run/systemd/journal/streams/.#9:91239RT0xYZ
Source: /lib/systemd/systemd-journald (PID: 7416) File: /run/systemd/journal/streams/.#9:91325ZAMBTZ
Source: /lib/systemd/systemd-journald (PID: 7416) File: /run/systemd/journal/streams/.#9:91328iR7ozX
Source: /lib/systemd/systemd-logind (PID: 7419) Directory: <invalid fd (18)>/..
Source: /lib/systemd/systemd-logind (PID: 7419) Directory: <invalid fd (17)>/..
Source: /lib/systemd/systemd-logind (PID: 7419) File: /run/systemd/seats/.#seat0h0IA49
Source: /usr/lib/policykit-1/polkitd (PID: 7507) Directory: /root/.cache
Source: /lib/systemd/systemd-journald (PID: 7523) File: /run/systemd/journal/streams/.#9:93288WuwBm1
Source: /lib/systemd/systemd-journald (PID: 7523) File: /run/systemd/journal/streams/.#9:93289t2s992
Source: /lib/systemd/systemd-journald (PID: 7523) File: /run/systemd/journal/streams/.#9:93290slSV43
Source: /lib/systemd/systemd-journald (PID: 7523) File: /run/systemd/journal/streams/.#9:932911Zpf01
Source: /lib/systemd/systemd-journald (PID: 7523) File: /run/systemd/journal/streams/.#9:93293dansd5
Source: /lib/systemd/systemd-journald (PID: 7523) File: /run/systemd/journal/streams/.#9:93370oEEZs2
Source: /lib/systemd/systemd-journald (PID: 7523) File: /run/systemd/journal/streams/.#9:93443yniej4
Source: /lib/systemd/systemd-journald (PID: 7523) File: /run/systemd/journal/streams/.#9:934465fb1X1
Source: /lib/systemd/systemd-journald (PID: 7523) File: /run/systemd/journal/streams/.#9:93457FnD9t4
Source: /lib/systemd/systemd-journald (PID: 7523) File: /run/systemd/journal/streams/.#9:93462ORnWY4
Source: /lib/systemd/systemd-journald (PID: 7523) File: /run/systemd/journal/streams/.#9:93534fRQro3
Source: /lib/systemd/systemd-journald (PID: 7523) File: /run/systemd/journal/streams/.#9:93537jZ4Tj4
Source: /lib/systemd/systemd-journald (PID: 7523) File: /run/systemd/journal/streams/.#9:93538PGLvZ3
Source: /lib/systemd/systemd-journald (PID: 7523) File: /run/systemd/journal/streams/.#9:93540M3ZQW3
Source: /lib/systemd/systemd-journald (PID: 7523) File: /run/systemd/journal/streams/.#9:93543gWCyv5
Source: /lib/systemd/systemd-journald (PID: 7523) File: /run/systemd/journal/streams/.#9:93618p9ac90
Source: /lib/systemd/systemd-journald (PID: 7523) File: /run/systemd/journal/streams/.#9:93624KBh0B1
Source: /lib/systemd/systemd-journald (PID: 7523) File: /run/systemd/journal/streams/.#9:93803rkMbp4
Source: /lib/systemd/systemd-journald (PID: 7523) File: /run/systemd/journal/streams/.#9:938862q02h1
Source: /lib/systemd/systemd-logind (PID: 7526) Directory: <invalid fd (18)>/..
Source: /lib/systemd/systemd-logind (PID: 7526) Directory: <invalid fd (17)>/..
Source: /lib/systemd/systemd-logind (PID: 7526) File: /run/systemd/seats/.#seat0WQu7ki
Source: /usr/lib/policykit-1/polkitd (PID: 7613) Directory: /root/.cache
Enumerates processes within the "proc" file system
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/3088/status
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/3088/cmdline
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/230/status
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/230/cmdline
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/110/status
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/110/cmdline
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/231/status
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/231/cmdline
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/111/status
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/111/cmdline
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/232/status
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/232/cmdline
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/112/status
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/112/cmdline
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/233/status
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/233/cmdline
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/113/status
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/113/cmdline
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/234/status
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/234/cmdline
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/1335/status
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/1335/cmdline
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/114/status
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/114/cmdline
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/235/status
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/235/cmdline
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/1334/status
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/1334/cmdline
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/115/status
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/115/cmdline
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/236/status
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/236/cmdline
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/116/status
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/116/cmdline
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/237/status
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/237/cmdline
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/117/status
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/117/cmdline
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/910/status
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/910/cmdline
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/118/status
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/118/cmdline
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/119/status
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/119/cmdline
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/10/status
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/10/cmdline
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/11/status
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/11/cmdline
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/12/status
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/12/cmdline
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/13/status
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/13/cmdline
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/14/status
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/14/cmdline
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/15/status
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/15/cmdline
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/16/status
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/16/cmdline
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/17/status
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/17/cmdline
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/18/status
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/18/cmdline
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/120/status
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/120/cmdline
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/121/status
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/121/cmdline
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/1/status
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/1/cmdline
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/122/status
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/122/cmdline
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/243/status
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/243/cmdline
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/123/status
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/123/cmdline
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/2/status
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/2/cmdline
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/124/status
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/124/cmdline
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/3/status
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/3/cmdline
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/125/status
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/125/cmdline
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/4/status
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/4/cmdline
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/126/status
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/126/cmdline
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/248/status
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/248/cmdline
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/6/status
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/6/cmdline
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/127/status
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/127/cmdline
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/128/status
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/128/cmdline
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/249/status
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/249/cmdline
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/7206/status
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/7206/cmdline
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/9/status
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/9/cmdline
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/7209/status
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/7209/cmdline
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/20/status
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/20/cmdline
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/21/status
Source: /usr/bin/pkill (PID: 7285) File opened: /proc/21/cmdline
Executes commands using a shell command-line interpreter
Source: /usr/bin/gpu-manager (PID: 6523) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6525) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6527) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6531) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6534) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /etc/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6536) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /lib/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6539) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /etc/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6541) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /lib/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6629) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6632) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6634) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6636) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6639) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /etc/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6642) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /lib/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6647) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /etc/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6649) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /lib/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6797) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6889) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6891) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6982) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7072) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7077) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7166) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7170) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7274) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7276) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7378) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7382) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7486) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7489) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7493) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7590) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 7592) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
Executes the "grep" command used to find patterns in files or piped streams
Source: /bin/sh (PID: 6524) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf Jump to behavior
Source: /bin/sh (PID: 6526) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf Jump to behavior
Source: /bin/sh (PID: 6530) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf Jump to behavior
Source: /bin/sh (PID: 6532) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf Jump to behavior
Source: /bin/sh (PID: 6535) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf Jump to behavior
Source: /bin/sh (PID: 6537) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf Jump to behavior
Source: /bin/sh (PID: 6540) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf Jump to behavior
Source: /bin/sh (PID: 6542) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf Jump to behavior
Source: /bin/sh (PID: 6630) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf Jump to behavior
Source: /bin/sh (PID: 6633) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf Jump to behavior
Source: /bin/sh (PID: 6635) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf Jump to behavior
Source: /bin/sh (PID: 6637) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf Jump to behavior
Source: /bin/sh (PID: 6640) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf Jump to behavior
Source: /bin/sh (PID: 6643) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf Jump to behavior
Source: /bin/sh (PID: 6648) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf Jump to behavior
Source: /bin/sh (PID: 6650) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf Jump to behavior
Source: /bin/sh (PID: 6798) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf Jump to behavior
Source: /bin/sh (PID: 6890) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 6894) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 6983) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 7073) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 7167) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 7171) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 7275) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 7277) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 7379) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 7383) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 7487) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 7492) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 7591) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 7595) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Executes the "kill" or "pkill" command typically used to terminate processes
Source: /usr/share/gdm/generate-config (PID: 6546) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service Jump to behavior
Source: /usr/share/gdm/generate-config (PID: 6655) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service Jump to behavior
Source: /usr/share/gdm/generate-config (PID: 6806) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service Jump to behavior
Source: /usr/share/gdm/generate-config (PID: 6897) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Source: /usr/share/gdm/generate-config (PID: 6987) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Source: /usr/share/gdm/generate-config (PID: 7081) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Source: /usr/share/gdm/generate-config (PID: 7174) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Source: /usr/share/gdm/generate-config (PID: 7285) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Source: /usr/share/gdm/generate-config (PID: 7387) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Source: /usr/share/gdm/generate-config (PID: 7497) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Source: /usr/share/gdm/generate-config (PID: 7600) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Reads system information from the proc file system
Source: /lib/systemd/systemd-journald (PID: 6559) Reads from proc file: /proc/meminfo Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6624) Reads from proc file: /proc/meminfo Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6730) Reads from proc file: /proc/meminfo Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6821) Reads from proc file: /proc/meminfo Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6917) Reads from proc file: /proc/meminfo
Source: /lib/systemd/systemd-journald (PID: 7005) Reads from proc file: /proc/meminfo
Source: /lib/systemd/systemd-journald (PID: 7098) Reads from proc file: /proc/meminfo
Source: /lib/systemd/systemd-journald (PID: 7206) Reads from proc file: /proc/meminfo
Source: /lib/systemd/systemd-journald (PID: 7313) Reads from proc file: /proc/meminfo
Source: /lib/systemd/systemd-journald (PID: 7416) Reads from proc file: /proc/meminfo
Source: /lib/systemd/systemd-journald (PID: 7523) Reads from proc file: /proc/meminfo
Source: /usr/sbin/rsyslogd (PID: 6430) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6430) Log file created: /var/log/auth.log
Source: /usr/sbin/rsyslogd (PID: 6517) Log file created: /var/log/auth.log
Source: /usr/sbin/rsyslogd (PID: 6517) Log file created: /var/log/kern.log
Source: /usr/bin/gpu-manager (PID: 6522) Log file created: /var/log/gpu-manager.log Jump to dropped file
Source: /usr/sbin/rsyslogd (PID: 6552) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6623) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6654) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6654) Log file created: /var/log/auth.log
Source: /usr/sbin/rsyslogd (PID: 6794) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6804) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6804) Log file created: /var/log/auth.log
Source: /usr/sbin/rsyslogd (PID: 6883) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6895) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6895) Log file created: /var/log/auth.log
Source: /usr/sbin/rsyslogd (PID: 6911) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6981) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6981) Log file created: /var/log/auth.log
Source: /usr/sbin/rsyslogd (PID: 6999) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 7065) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 7075) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 7075) Log file created: /var/log/auth.log
Source: /usr/sbin/rsyslogd (PID: 7158) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 7169) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 7169) Log file created: /var/log/auth.log
Source: /usr/sbin/rsyslogd (PID: 7199) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 7268) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 7283) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 7283) Log file created: /var/log/auth.log
Source: /usr/sbin/rsyslogd (PID: 7307) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 7380) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 7380) Log file created: /var/log/auth.log
Source: /usr/sbin/rsyslogd (PID: 7476) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 7490) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 7490) Log file created: /var/log/auth.log
Source: /usr/sbin/rsyslogd (PID: 7584) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 7597) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 7626) Log file created: /var/log/auth.log Jump to dropped file
Source: /usr/sbin/rsyslogd (PID: 7626) Log file created: /var/log/kern.log Jump to dropped file

Hooking and other Techniques for Hiding and Protection
barindex
Sample deletes itself
Source: /tmp/Aqua.m68k.elf (PID: 6254) File: /tmp/Aqua.m68k.elf Jump to behavior
Deletes log files
Source: /usr/bin/gpu-manager (PID: 6522) Truncated file: /var/log/gpu-manager.log Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6625) Truncated file: /var/log/gpu-manager.log Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6795) Truncated file: /var/log/gpu-manager.log Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6884) Truncated file: /var/log/gpu-manager.log Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6980) Truncated file: /var/log/gpu-manager.log
Source: /usr/bin/gpu-manager (PID: 7071) Truncated file: /var/log/gpu-manager.log
Source: /usr/bin/gpu-manager (PID: 7165) Truncated file: /var/log/gpu-manager.log
Source: /usr/bin/gpu-manager (PID: 7269) Truncated file: /var/log/gpu-manager.log
Source: /usr/bin/gpu-manager (PID: 7376) Truncated file: /var/log/gpu-manager.log
Source: /usr/bin/gpu-manager (PID: 7485) Truncated file: /var/log/gpu-manager.log
Source: /usr/bin/gpu-manager (PID: 7589) Truncated file: /var/log/gpu-manager.log
Reads CPU information from /sys indicative of miner or evasive malware
Source: /usr/bin/pkill (PID: 6546) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 6655) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 6806) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 6897) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6987) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 7081) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 7174) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 7185) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 7280) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 7285) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 7387) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 7386) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 7494) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 7497) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 7594) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 7600) Reads CPU info from /sys: /sys/devices/system/cpu/online
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/Aqua.m68k.elf (PID: 6251) Queries kernel information via 'uname': Jump to behavior
Source: /lib/systemd/systemd-hostnamed (PID: 6264) Queries kernel information via 'uname': Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6430) Queries kernel information via 'uname': Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6517) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6522) Queries kernel information via 'uname': Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6552) Queries kernel information via 'uname': Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6559) Queries kernel information via 'uname': Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6623) Queries kernel information via 'uname': Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6624) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6625) Queries kernel information via 'uname': Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6654) Queries kernel information via 'uname': Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6728) Queries kernel information via 'uname': Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6730) Queries kernel information via 'uname': Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6794) Queries kernel information via 'uname': Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6804) Queries kernel information via 'uname': Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6820) Queries kernel information via 'uname': Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6821) Queries kernel information via 'uname': Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6883) Queries kernel information via 'uname': Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6895) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6911) Queries kernel information via 'uname':
Source: /lib/systemd/systemd-journald (PID: 6917) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6981) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6999) Queries kernel information via 'uname':
Source: /lib/systemd/systemd-journald (PID: 7005) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 7065) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 7075) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 7093) Queries kernel information via 'uname':
Source: /lib/systemd/systemd-journald (PID: 7098) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 7158) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 7169) Queries kernel information via 'uname':
Source: /usr/bin/pulseaudio (PID: 7185) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 7199) Queries kernel information via 'uname':
Source: /lib/systemd/systemd-journald (PID: 7206) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 7268) Queries kernel information via 'uname':
Source: /usr/bin/pulseaudio (PID: 7280) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 7283) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 7307) Queries kernel information via 'uname':
Source: /lib/systemd/systemd-journald (PID: 7313) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 7380) Queries kernel information via 'uname':
Source: /usr/bin/pulseaudio (PID: 7386) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 7409) Queries kernel information via 'uname':
Source: /lib/systemd/systemd-journald (PID: 7416) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 7476) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 7490) Queries kernel information via 'uname':
Source: /usr/bin/pulseaudio (PID: 7494) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 7519) Queries kernel information via 'uname':
Source: /lib/systemd/systemd-journald (PID: 7523) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 7584) Queries kernel information via 'uname':
Source: /usr/bin/pulseaudio (PID: 7594) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 7597) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 7622) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 7626) Queries kernel information via 'uname':
Source: kern.log.31.dr Binary or memory string: Dec 25 10:39:43 galassia kernel: [ 431.172530] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 12/12/2018
Source: Aqua.m68k.elf, 6251.1.00007fffd0d26000.00007fffd0d47000.rw-.sdmp Binary or memory string: U/tmp/qemu-open.cSyUNQ\4w
Source: Aqua.m68k.elf, 6251.1.00007fffd0d26000.00007fffd0d47000.rw-.sdmp Binary or memory string: /qemu-open.XXXXX
Source: Aqua.m68k.elf, 6251.1.0000558788617000.000055878869c000.rw-.sdmp Binary or memory string: U!/etc/qemu-binfmt/m68k
Source: Aqua.m68k.elf, 6251.1.00007fffd0d26000.00007fffd0d47000.rw-.sdmp Binary or memory string: 9x86_64/usr/bin/qemu-m68k/tmp/Aqua.m68k.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/Aqua.m68k.elf
Source: Aqua.m68k.elf, 6251.1.00007fffd0d26000.00007fffd0d47000.rw-.sdmp Binary or memory string: /usr/bin/qemu-m68k
Source: kern.log.31.dr Binary or memory string: Dec 25 10:39:43 galassia kernel: [ 431.172506] Modules linked in: monitor(OE) md4 cmac cifs libarc4 fscache libdes vmw_vsock_vmci_transport vsock binfmt_misc dm_multipath scsi_dh_rdac scsi_dh_emc scsi_dh_alua vmw_balloon joydev input_leds serio_raw vmw_vmci sch_fq_codel drm parport_pc ppdev lp parport ip_tables x_tables autofs4 btrfs zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel crypto_simd cryptd glue_helper psmouse ahci mptspi vmxnet3 scsi_transport_spi mptscsih libahci mptbase
Source: Aqua.m68k.elf, 6251.1.00007fffd0d26000.00007fffd0d47000.rw-.sdmp Binary or memory string: /tmp/qemu-open.cSyUNQ
Source: Aqua.m68k.elf, 6251.1.0000558788617000.000055878869c000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/m68k

No Screenshots

  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
162.213.35.25
 unknown United States
41231 CANONICAL-ASGB false
89.190.156.145
 unknown United Kingdom
7489 HOSTUS-GLOBAL-ASHostUSHK false
109.202.202.202
 unknown Switzerland
13030 INIT7CH false
91.189.91.43
 unknown United Kingdom
41231 CANONICAL-ASGB false
91.189.91.42
 unknown United Kingdom
41231 CANONICAL-ASGB false

Contacted Domains

Name IP Active
daisy.ubuntu.com 162.213.35.24 true
45.148.10.84 unknown unknown
45.148.10.84. [malformed] unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://daisy.ubuntu.com/9aadafe2051348cd32033e1cad68f0a5fe46fba3240ac1e6e42158f31b8a1371790c09baf3996b4979fe8e533446c7dedf30f654c68b25357334c66911dc6a9e false
    		high