Linux Analysis Report
Aqua.sh4.elf

Overview

General Information

Sample name: Aqua.sh4.elf
Analysis ID: 1580701
MD5: b7f5a593f39fcdf0eeb54946581628cd
SHA1: 92a4b02dc9c5926e1461057ea8c91d661ae49610
SHA256: b82781506512cfca4fefddcfe9e05d9c3eca7fe8535ae1501c71ebc5ef9ff3c9
Tags: elfuser-abuse_ch
Infos:

Detection

Score: 68
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Sample deletes itself
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to kill multiple processes (SIGKILL)
Creates hidden files and/or directories
Deletes log files
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Executes commands using a shell command-line interpreter
Executes the "grep" command used to find patterns in files or piped streams
Executes the "kill" or "pkill" command typically used to terminate processes
Found strings indicative of a multi-platform dropper
Reads CPU information from /sys indicative of miner or evasive malware
Reads system information from the proc file system
Reads system version information
Reads the 'hosts' file potentially containing internal network hosts
Sample has stripped symbol table
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: Aqua.sh4.elf Avira: detected
Multi AV Scanner detection for submitted file
Source: Aqua.sh4.elf Virustotal: Detection: 39% Perma Link
Source: Aqua.sh4.elf ReversingLabs: Detection: 39%
Reads CPU information from /sys indicative of miner or evasive malware
Source: /usr/bin/pkill (PID: 5718) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5898) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5983) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 6084) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6168) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6269) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6350) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6451) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 6450) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6553) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 6554) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6658) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 6657) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6815) Reads CPU info from /sys: /sys/devices/system/cpu/online
Found strings indicative of a multi-platform dropper
Source: Aqua.sh4.elf String: lEOF/proc//proc/%s/cmdlinerwgetcurlftpechokillbashrebootshutdownhaltpoweroff[locker] killed process: %s ;; pid: %d
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.13:44728 -> 89.190.156.145:7733
Reads the 'hosts' file potentially containing internal network hosts
Source: /usr/sbin/rsyslogd (PID: 5614) Reads hosts file: /etc/hosts Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 5692) Reads hosts file: /etc/hosts Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 5744) Reads hosts file: /etc/hosts Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 5810) Reads hosts file: /etc/hosts Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 5896) Reads hosts file: /etc/hosts Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 5973) Reads hosts file: /etc/hosts Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 5981) Reads hosts file: /etc/hosts Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 5993) Reads hosts file: /etc/hosts Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6060) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 6089) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 6157) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 6166) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 6178) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 6246) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 6337) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 6348) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 6369) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 6436) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 6447) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 6471) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 6539) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 6548) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 6574) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 6642) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 6653) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 6676) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 6745) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 6813) Reads hosts file: /etc/hosts
Source: /usr/sbin/rsyslogd (PID: 6823) Reads hosts file: /etc/hosts
Sample listens on a socket
Source: /lib/systemd/systemd-journald (PID: 5750) Socket: unknown address family Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 5812) Socket: unknown address family Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 5911) Socket: unknown address family Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 5997) Socket: unknown address family Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6093) Socket: unknown address family
Source: /lib/systemd/systemd-journald (PID: 6182) Socket: unknown address family
Source: /lib/systemd/systemd-journald (PID: 6275) Socket: unknown address family
Source: /lib/systemd/systemd-journald (PID: 6374) Socket: unknown address family
Source: /lib/systemd/systemd-journald (PID: 6476) Socket: unknown address family
Source: /lib/systemd/systemd-journald (PID: 6580) Socket: unknown address family
Source: /lib/systemd/systemd-journald (PID: 6743) Socket: unknown address family
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Source: unknown DNS traffic detected: query: 45.148.10.84 replaycode: Name error (3)
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: global traffic DNS traffic detected: DNS query: 45.148.10.84
Source: syslog.139.dr String found in binary or memory: https://www.rsyslog.com

System Summary
barindex
Sample tries to kill multiple processes (SIGKILL)
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 1884, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5442, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 660, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 726, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 727, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 778, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 780, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 783, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 790, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 795, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 936, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 1400, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 1432, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 2970, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 3069, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 3132, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5418, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5419, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5604, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5613, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5614, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 1411, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 2936, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5689, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5692, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5709, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 490, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 765, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 767, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 1410, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 2935, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5275, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5629, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5719, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5744, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5745, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5750, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5753, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5810, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5811, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5813, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5873, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5895, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5896, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5812, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5816, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5904, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5907, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5908, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5972, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5973, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5977, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5971, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5979, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5981, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5911, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5914, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5989, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5992, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5993, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6058, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6057, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6060, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6061, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5997, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6000, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6087, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6088, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6089, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6156, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6157, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6158, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6155, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6164, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6166, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6093, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6098, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6174, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6177, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6178, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6243, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6242, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6245, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6246, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6182, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6185, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6270, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6273, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6274, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6336, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6337, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6343, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6335, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6346, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6348, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6358, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6359, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6275, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6278, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6354, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6363, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6367, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6368, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6369, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6372, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6435, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6436, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6437, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6438, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6434, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6444, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6447, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6450, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6467, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6374, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6377, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6464, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6470, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6471, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6472, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6539, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6540, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6541, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6545, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6538, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6548, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6549, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6554, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6570, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6476, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6481, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6567, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6573, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6574, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6575, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6576, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6641, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6642, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6643, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6647, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6640, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6650, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6653, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6657, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6674, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6580, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6669, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6675, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6676, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6680, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6684, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6681, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6745, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6808, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6744, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6813, result: successful Jump to behavior
Sample has stripped symbol table
Source: ELF static info symbol of initial sample .symtab present: no
Sample tries to kill a process (SIGKILL)
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 1884, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5442, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 660, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 726, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 727, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 778, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 780, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 783, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 790, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 795, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 936, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 1400, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 1432, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 2970, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 3069, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 3132, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5418, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5419, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5604, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5613, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5614, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 1411, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 2936, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5689, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5692, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5709, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 490, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 765, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 767, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 1410, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 2935, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5275, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5629, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5719, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5744, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5745, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5750, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5753, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5810, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5811, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5813, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5873, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5895, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5896, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5812, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5816, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5904, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5907, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5908, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5972, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5973, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5977, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5971, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5979, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5981, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5911, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5914, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5989, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5992, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5993, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6058, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6057, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6060, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6061, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 5997, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6000, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6087, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6088, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6089, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6156, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6157, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6158, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6155, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6164, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6166, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6093, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6098, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6174, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6177, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6178, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6243, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6242, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6245, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6246, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6182, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6185, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6270, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6273, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6274, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6336, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6337, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6343, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6335, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6346, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6348, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6358, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6359, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6275, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6278, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6354, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6363, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6367, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6368, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6369, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6372, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6435, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6436, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6437, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6438, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6434, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6444, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6447, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6450, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6467, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6374, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6377, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6464, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6470, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6471, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6472, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6539, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6540, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6541, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6545, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6538, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6548, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6549, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6554, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6570, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6476, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6481, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6567, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6573, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6574, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6575, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6576, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6641, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6642, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6643, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6647, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6640, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6650, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6653, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6657, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6674, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6580, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6669, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6675, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6676, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6680, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6684, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6681, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6745, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6808, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6744, result: successful Jump to behavior
Source: /tmp/Aqua.sh4.elf (PID: 5438) SIGKILL sent: pid: 6813, result: successful Jump to behavior
Source: classification engine Classification label: mal68.spre.troj.evad.linELF@0/219@120/0

Persistence and Installation Behavior
barindex
Sample reads /proc/mounts (often used for finding a writable filesystem)
Source: /usr/bin/dbus-daemon (PID: 5604) File: /proc/5604/mounts Jump to behavior
Source: /bin/fusermount (PID: 5618) File: /proc/5618/mounts Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 5689) File: /proc/5689/mounts Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 5813) File: /proc/5813/mounts Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 5972) File: /proc/5972/mounts Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 5979) File: /proc/5979/mounts Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6058) File: /proc/6058/mounts Jump to behavior
Source: /usr/bin/dbus-daemon (PID: 6061) File: /proc/6061/mounts
Source: /usr/bin/dbus-daemon (PID: 6156) File: /proc/6156/mounts
Source: /usr/bin/dbus-daemon (PID: 6164) File: /proc/6164/mounts
Source: /usr/bin/dbus-daemon (PID: 6243) File: /proc/6243/mounts
Source: /usr/bin/dbus-daemon (PID: 6245) File: /proc/6245/mounts
Source: /usr/bin/dbus-daemon (PID: 6336) File: /proc/6336/mounts
Source: /usr/bin/dbus-daemon (PID: 6346) File: /proc/6346/mounts
Source: /usr/bin/dbus-daemon (PID: 6358) File: /proc/6358/mounts
Source: /usr/bin/dbus-daemon (PID: 6368) File: /proc/6368/mounts
Source: /usr/bin/dbus-daemon (PID: 6435) File: /proc/6435/mounts
Source: /usr/bin/dbus-daemon (PID: 6444) File: /proc/6444/mounts
Source: /usr/bin/dbus-daemon (PID: 6467) File: /proc/6467/mounts
Source: /usr/bin/dbus-daemon (PID: 6540) File: /proc/6540/mounts
Source: /usr/bin/dbus-daemon (PID: 6549) File: /proc/6549/mounts
Source: /usr/bin/dbus-daemon (PID: 6570) File: /proc/6570/mounts
Source: /usr/bin/dbus-daemon (PID: 6575) File: /proc/6575/mounts
Source: /usr/bin/dbus-daemon (PID: 6641) File: /proc/6641/mounts
Source: /usr/bin/dbus-daemon (PID: 6650) File: /proc/6650/mounts
Source: /usr/bin/dbus-daemon (PID: 6674) File: /proc/6674/mounts
Source: /usr/bin/dbus-daemon (PID: 6681) File: /proc/6681/mounts
Creates hidden files and/or directories
Source: /usr/libexec/gsd-rfkill (PID: 5442) Directory: <invalid fd (9)>/.. Jump to behavior
Source: /usr/libexec/gsd-rfkill (PID: 5442) Directory: <invalid fd (8)>/.. Jump to behavior
Source: /lib/systemd/systemd-hostnamed (PID: 5447) Directory: <invalid fd (10)>/.. Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 5629) Directory: <invalid fd (18)>/.. Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 5629) Directory: <invalid fd (17)>/.. Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 5629) File: /run/systemd/seats/.#seat0o3uWrP Jump to behavior
Source: /usr/lib/policykit-1/polkitd (PID: 5688) Directory: /root/.cache Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 5812) File: /run/systemd/journal/streams/.#9:65914TTXyAE Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 5812) File: /run/systemd/journal/streams/.#9:659157obmvE Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 5812) File: /run/systemd/journal/streams/.#9:65917Cu0muF Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 5812) File: /run/systemd/journal/streams/.#9:65918qqZ6KH Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 5812) File: /run/systemd/journal/streams/.#9:65919vHY0oE Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 5812) File: /run/systemd/journal/streams/.#9:65935jSL05E Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 5812) File: /run/systemd/journal/streams/.#9:660119pfhpG Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 5812) File: /run/systemd/journal/streams/.#9:660259OqrVF Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 5816) Directory: <invalid fd (18)>/.. Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 5816) Directory: <invalid fd (17)>/.. Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 5816) File: /run/systemd/seats/.#seat0zKINDX Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 5911) File: /run/systemd/journal/streams/.#9:669734uWjxb Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 5911) File: /run/systemd/journal/streams/.#9:66974ygwM8a Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 5911) File: /run/systemd/journal/streams/.#9:66980nMaAL9 Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 5911) File: /run/systemd/journal/streams/.#9:66981ld2Hac Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 5911) File: /run/systemd/journal/streams/.#9:66993WWP4h9 Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 5911) File: /run/systemd/journal/streams/.#9:66994Em8dqb Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 5914) Directory: <invalid fd (18)>/.. Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 5914) Directory: <invalid fd (17)>/.. Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 5914) File: /run/systemd/seats/.#seat0d45tXm Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 5997) File: /run/systemd/journal/streams/.#9:68382uHCunD Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 5997) File: /run/systemd/journal/streams/.#9:68383yPFqeG Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 5997) File: /run/systemd/journal/streams/.#9:68384X6ENNE Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 5997) File: /run/systemd/journal/streams/.#9:68385WaqhgH Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 5997) File: /run/systemd/journal/streams/.#9:68401RIznFD Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 5997) File: /run/systemd/journal/streams/.#9:684849PktuE Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6000) Directory: <invalid fd (18)>/.. Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6000) Directory: <invalid fd (17)>/.. Jump to behavior
Source: /lib/systemd/systemd-logind (PID: 6000) File: /run/systemd/seats/.#seat0B0tH6Q Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6093) File: /run/systemd/journal/streams/.#9:698892VNYZV
Source: /lib/systemd/systemd-journald (PID: 6093) File: /run/systemd/journal/streams/.#9:69890gwU0FT
Source: /lib/systemd/systemd-journald (PID: 6093) File: /run/systemd/journal/streams/.#9:69896Ae1YaV
Source: /lib/systemd/systemd-journald (PID: 6093) File: /run/systemd/journal/streams/.#9:69897pL6iTT
Source: /lib/systemd/systemd-journald (PID: 6093) File: /run/systemd/journal/streams/.#9:69909yXvCuV
Source: /lib/systemd/systemd-journald (PID: 6093) File: /run/systemd/journal/streams/.#9:69910DgAaAX
Source: /lib/systemd/systemd-logind (PID: 6098) Directory: <invalid fd (18)>/..
Source: /lib/systemd/systemd-logind (PID: 6098) Directory: <invalid fd (17)>/..
Source: /lib/systemd/systemd-logind (PID: 6098) File: /run/systemd/seats/.#seat064jzWj
Source: /lib/systemd/systemd-journald (PID: 6182) File: /run/systemd/journal/streams/.#9:70518vZTGaG
Source: /lib/systemd/systemd-journald (PID: 6182) File: /run/systemd/journal/streams/.#9:70520gp1c9C
Source: /lib/systemd/systemd-journald (PID: 6182) File: /run/systemd/journal/streams/.#9:70521DAxd2E
Source: /lib/systemd/systemd-journald (PID: 6182) File: /run/systemd/journal/streams/.#9:70522vZcYRD
Source: /lib/systemd/systemd-journald (PID: 6182) File: /run/systemd/journal/streams/.#9:70537Tn4cBC
Source: /lib/systemd/systemd-journald (PID: 6182) File: /run/systemd/journal/streams/.#9:70621JcOwhG
Source: /lib/systemd/systemd-logind (PID: 6185) Directory: <invalid fd (18)>/..
Source: /lib/systemd/systemd-logind (PID: 6185) Directory: <invalid fd (17)>/..
Source: /lib/systemd/systemd-logind (PID: 6185) File: /run/systemd/seats/.#seat0Nv1SvT
Source: /lib/systemd/systemd-journald (PID: 6275) File: /run/systemd/journal/streams/.#9:721901xaE3G
Source: /lib/systemd/systemd-journald (PID: 6275) File: /run/systemd/journal/streams/.#9:72191Ih1msG
Source: /lib/systemd/systemd-journald (PID: 6275) File: /run/systemd/journal/streams/.#9:72197goldgI
Source: /lib/systemd/systemd-journald (PID: 6275) File: /run/systemd/journal/streams/.#9:721984HBnzI
Source: /lib/systemd/systemd-journald (PID: 6275) File: /run/systemd/journal/streams/.#9:72210OxpmgI
Source: /lib/systemd/systemd-journald (PID: 6275) File: /run/systemd/journal/streams/.#9:72212TEh2RH
Source: /lib/systemd/systemd-journald (PID: 6275) File: /run/systemd/journal/streams/.#9:722664Z6ynG
Source: /lib/systemd/systemd-journald (PID: 6275) File: /run/systemd/journal/streams/.#9:722739JatQE
Source: /lib/systemd/systemd-journald (PID: 6275) File: /run/systemd/journal/streams/.#9:72298ymueZE
Source: /lib/systemd/systemd-journald (PID: 6275) File: /run/systemd/journal/streams/.#9:72390y7C9HI
Source: /lib/systemd/systemd-journald (PID: 6275) File: /run/systemd/journal/streams/.#9:71534qzcjOH
Source: /lib/systemd/systemd-journald (PID: 6275) File: /run/systemd/journal/streams/.#9:7166918qIzH
Source: /lib/systemd/systemd-logind (PID: 6278) Directory: <invalid fd (18)>/..
Source: /lib/systemd/systemd-logind (PID: 6278) Directory: <invalid fd (17)>/..
Source: /lib/systemd/systemd-logind (PID: 6278) File: /run/systemd/seats/.#seat0OJzKjV
Source: /usr/lib/policykit-1/polkitd (PID: 6363) Directory: /root/.cache
Source: /lib/systemd/systemd-journald (PID: 6374) File: /run/systemd/journal/streams/.#9:73991y4J4lc
Source: /lib/systemd/systemd-journald (PID: 6374) File: /run/systemd/journal/streams/.#9:73996ISHHna
Source: /lib/systemd/systemd-journald (PID: 6374) File: /run/systemd/journal/streams/.#9:739983d15Xc
Source: /lib/systemd/systemd-journald (PID: 6374) File: /run/systemd/journal/streams/.#9:73999vlFhNc
Source: /lib/systemd/systemd-journald (PID: 6374) File: /run/systemd/journal/streams/.#9:74020gMoIab
Source: /lib/systemd/systemd-journald (PID: 6374) File: /run/systemd/journal/streams/.#9:740215Zg4Hb
Source: /lib/systemd/systemd-journald (PID: 6374) File: /run/systemd/journal/streams/.#9:74022xCMCUa
Source: /lib/systemd/systemd-journald (PID: 6374) File: /run/systemd/journal/streams/.#9:740234EIqH8
Source: /lib/systemd/systemd-journald (PID: 6374) File: /run/systemd/journal/streams/.#9:74025ERn45b
Source: /lib/systemd/systemd-journald (PID: 6374) File: /run/systemd/journal/streams/.#9:740269DEkbb
Source: /lib/systemd/systemd-journald (PID: 6374) File: /run/systemd/journal/streams/.#9:74085GzUCka
Source: /lib/systemd/systemd-journald (PID: 6374) File: /run/systemd/journal/streams/.#9:74186Pp3wn9
Source: /lib/systemd/systemd-logind (PID: 6377) Directory: <invalid fd (18)>/..
Source: /lib/systemd/systemd-logind (PID: 6377) Directory: <invalid fd (17)>/..
Source: /lib/systemd/systemd-logind (PID: 6377) File: /run/systemd/seats/.#seat0Ti0mIp
Source: /usr/lib/policykit-1/polkitd (PID: 6460) Directory: /root/.cache
Source: /lib/systemd/systemd-journald (PID: 6476) File: /run/systemd/journal/streams/.#9:75886MPjQ8R
Source: /lib/systemd/systemd-journald (PID: 6476) File: /run/systemd/journal/streams/.#9:75888ZS7MvS
Source: /lib/systemd/systemd-journald (PID: 6476) File: /run/systemd/journal/streams/.#9:75889wMJIBU
Source: /lib/systemd/systemd-journald (PID: 6476) File: /run/systemd/journal/streams/.#9:75890oaQwyT
Source: /lib/systemd/systemd-journald (PID: 6476) File: /run/systemd/journal/streams/.#9:75899KaXzIQ
Source: /lib/systemd/systemd-journald (PID: 6476) File: /run/systemd/journal/streams/.#9:75906dmNa1T
Source: /lib/systemd/systemd-journald (PID: 6476) File: /run/systemd/journal/streams/.#9:75912WrGbcU
Source: /lib/systemd/systemd-journald (PID: 6476) File: /run/systemd/journal/streams/.#9:75914Mr7PWR
Source: /lib/systemd/systemd-journald (PID: 6476) File: /run/systemd/journal/streams/.#9:75915eM15yU
Source: /lib/systemd/systemd-journald (PID: 6476) File: /run/systemd/journal/streams/.#9:75916fCWQrT
Source: /lib/systemd/systemd-journald (PID: 6476) File: /run/systemd/journal/streams/.#9:75945vekeyS
Source: /lib/systemd/systemd-journald (PID: 6476) File: /run/systemd/journal/streams/.#9:76050qabKoS
Source: /lib/systemd/systemd-journald (PID: 6476) File: /run/systemd/journal/streams/.#9:754974sge1T
Source: /lib/systemd/systemd-logind (PID: 6481) Directory: <invalid fd (18)>/..
Source: /lib/systemd/systemd-logind (PID: 6481) Directory: <invalid fd (17)>/..
Source: /lib/systemd/systemd-logind (PID: 6481) File: /run/systemd/seats/.#seat0lc6iEi
Source: /usr/lib/policykit-1/polkitd (PID: 6561) Directory: /root/.cache
Source: /lib/systemd/systemd-journald (PID: 6580) File: /run/systemd/journal/streams/.#9:77846NYWe4L
Source: /lib/systemd/systemd-journald (PID: 6580) File: /run/systemd/journal/streams/.#9:77849SjHh3L
Source: /lib/systemd/systemd-journald (PID: 6580) File: /run/systemd/journal/streams/.#9:77850BoO7MI
Source: /lib/systemd/systemd-journald (PID: 6580) File: /run/systemd/journal/streams/.#9:77851NN5zyI
Source: /lib/systemd/systemd-journald (PID: 6580) File: /run/systemd/journal/streams/.#9:77859CqVfdM
Source: /lib/systemd/systemd-journald (PID: 6580) File: /run/systemd/journal/streams/.#9:77866jWbyAI
Source: /lib/systemd/systemd-journald (PID: 6580) File: /run/systemd/journal/streams/.#9:77872wUptoK
Source: /lib/systemd/systemd-journald (PID: 6580) File: /run/systemd/journal/streams/.#9:77873O7dxjK
Source: /lib/systemd/systemd-journald (PID: 6580) File: /run/systemd/journal/streams/.#9:77874yNDgyJ
Source: /lib/systemd/systemd-journald (PID: 6580) File: /run/systemd/journal/streams/.#9:77875u2IIOJ
Source: /lib/systemd/systemd-journald (PID: 6580) File: /run/systemd/journal/streams/.#9:77924dm2UyJ
Source: /lib/systemd/systemd-journald (PID: 6580) File: /run/systemd/journal/streams/.#9:78055CH4exJ
Source: /lib/systemd/systemd-logind (PID: 6583) Directory: <invalid fd (18)>/..
Source: /lib/systemd/systemd-logind (PID: 6583) Directory: <invalid fd (17)>/..
Source: /lib/systemd/systemd-logind (PID: 6583) File: /run/systemd/seats/.#seat0A87sVW
Source: /usr/lib/policykit-1/polkitd (PID: 6665) Directory: /root/.cache
Source: /lib/systemd/systemd-logind (PID: 6684) Directory: <invalid fd (18)>/..
Source: /lib/systemd/systemd-logind (PID: 6684) Directory: <invalid fd (17)>/..
Source: /lib/systemd/systemd-logind (PID: 6684) File: /run/systemd/seats/.#seat0Dj4dSA
Source: /lib/systemd/systemd-journald (PID: 6743) File: /run/systemd/journal/streams/.#9:777718mGvV6
Source: /lib/systemd/systemd-journald (PID: 6743) File: /run/systemd/journal/streams/.#9:77773H6CmF4
Source: /lib/systemd/systemd-journald (PID: 6743) File: /run/systemd/journal/streams/.#9:77774wKhJM3
Source: /lib/systemd/systemd-journald (PID: 6743) File: /run/systemd/journal/streams/.#9:77776PgFhk4
Source: /lib/systemd/systemd-journald (PID: 6743) File: /run/systemd/journal/streams/.#9:77777IUjCo4
Source: /lib/systemd/systemd-journald (PID: 6743) File: /run/systemd/journal/streams/.#9:777842QZsW5
Source: /lib/systemd/systemd-journald (PID: 6743) File: /run/systemd/journal/streams/.#9:78979qj5t03
Source: /lib/systemd/systemd-logind (PID: 6748) Directory: <invalid fd (18)>/..
Source: /lib/systemd/systemd-logind (PID: 6748) Directory: <invalid fd (17)>/..
Source: /lib/systemd/systemd-logind (PID: 6748) File: /run/systemd/seats/.#seat04B3EDt
Enumerates processes within the "proc" file system
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/5382/status
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/5382/cmdline
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/6350/status
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/6350/cmdline
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/230/status
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/230/cmdline
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/110/status
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/110/cmdline
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/231/status
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/231/cmdline
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/111/status
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/111/cmdline
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/232/status
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/232/cmdline
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/112/status
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/112/cmdline
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/233/status
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/233/cmdline
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/113/status
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/113/cmdline
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/234/status
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/234/cmdline
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/114/status
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/114/cmdline
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/235/status
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/235/cmdline
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/115/status
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/115/cmdline
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/236/status
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/236/cmdline
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/116/status
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/116/cmdline
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/237/status
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/237/cmdline
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/117/status
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/117/cmdline
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/238/status
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/238/cmdline
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/118/status
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/118/cmdline
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/239/status
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/239/cmdline
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/6348/status
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/6348/cmdline
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/119/status
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/119/cmdline
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/6349/status
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/6349/cmdline
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/10/status
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/10/cmdline
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/11/status
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/11/cmdline
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/12/status
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/12/cmdline
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/13/status
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/13/cmdline
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/14/status
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/14/cmdline
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/15/status
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/15/cmdline
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/16/status
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/16/cmdline
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/17/status
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/17/cmdline
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/18/status
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/18/cmdline
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/19/status
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/19/cmdline
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/240/status
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/240/cmdline
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/3095/status
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/3095/cmdline
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/120/status
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/120/cmdline
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/241/status
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/241/cmdline
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/121/status
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/121/cmdline
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/242/status
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/242/cmdline
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/1/status
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/1/cmdline
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/122/status
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/122/cmdline
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/243/status
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/243/cmdline
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/2/status
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/2/cmdline
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/123/status
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/123/cmdline
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/244/status
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/244/cmdline
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/3/status
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/3/cmdline
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/124/status
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/124/cmdline
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/245/status
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/245/cmdline
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/125/status
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/125/cmdline
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/4/status
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/4/cmdline
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/246/status
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/246/cmdline
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/126/status
Source: /usr/bin/pkill (PID: 6350) File opened: /proc/126/cmdline
Executes commands using a shell command-line interpreter
Source: /usr/bin/gpu-manager (PID: 5694) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 5699) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 5703) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 5705) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 5707) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /etc/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 5711) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /lib/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 5713) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /etc/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 5715) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /lib/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 5877) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 5881) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 5883) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 5885) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 5887) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /etc/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 5889) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /lib/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 5891) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /etc/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 5893) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /lib/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 5978) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6062) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6066) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6071) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6073) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf" Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6075) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6077) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6079) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6081) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6162) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6165) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6247) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6249) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6254) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6258) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6260) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6262) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6264) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6266) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6344) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6347) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6442) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6445) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6448) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6546) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6550) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6648) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6651) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6809) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6811) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
Executes the "grep" command used to find patterns in files or piped streams
Source: /bin/sh (PID: 5695) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf Jump to behavior
Source: /bin/sh (PID: 5700) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf Jump to behavior
Source: /bin/sh (PID: 5704) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf Jump to behavior
Source: /bin/sh (PID: 5706) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf Jump to behavior
Source: /bin/sh (PID: 5708) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf Jump to behavior
Source: /bin/sh (PID: 5712) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf Jump to behavior
Source: /bin/sh (PID: 5714) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf Jump to behavior
Source: /bin/sh (PID: 5716) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf Jump to behavior
Source: /bin/sh (PID: 5878) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf Jump to behavior
Source: /bin/sh (PID: 5882) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf Jump to behavior
Source: /bin/sh (PID: 5884) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf Jump to behavior
Source: /bin/sh (PID: 5886) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf Jump to behavior
Source: /bin/sh (PID: 5888) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf Jump to behavior
Source: /bin/sh (PID: 5890) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf Jump to behavior
Source: /bin/sh (PID: 5892) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf Jump to behavior
Source: /bin/sh (PID: 5894) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf Jump to behavior
Source: /bin/sh (PID: 5980) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf Jump to behavior
Source: /bin/sh (PID: 6063) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf Jump to behavior
Source: /bin/sh (PID: 6070) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf Jump to behavior
Source: /bin/sh (PID: 6072) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf Jump to behavior
Source: /bin/sh (PID: 6074) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf Jump to behavior
Source: /bin/sh (PID: 6076) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 6078) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 6080) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 6082) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 6163) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 6248) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 6252) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 6255) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 6259) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 6261) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 6263) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 6265) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 6267) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 6345) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 6443) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 6446) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 6547) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 6551) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 6649) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 6652) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 6810) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 6812) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Executes the "kill" or "pkill" command typically used to terminate processes
Source: /usr/share/gdm/generate-config (PID: 5718) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service Jump to behavior
Source: /usr/share/gdm/generate-config (PID: 5898) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service Jump to behavior
Source: /usr/share/gdm/generate-config (PID: 5983) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service Jump to behavior
Source: /usr/share/gdm/generate-config (PID: 6084) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Source: /usr/share/gdm/generate-config (PID: 6168) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Source: /usr/share/gdm/generate-config (PID: 6269) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Source: /usr/share/gdm/generate-config (PID: 6350) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Source: /usr/share/gdm/generate-config (PID: 6451) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Source: /usr/share/gdm/generate-config (PID: 6553) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Source: /usr/share/gdm/generate-config (PID: 6658) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Source: /usr/share/gdm/generate-config (PID: 6815) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Reads system information from the proc file system
Source: /lib/systemd/systemd-journald (PID: 5750) Reads from proc file: /proc/meminfo Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 5812) Reads from proc file: /proc/meminfo Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 5911) Reads from proc file: /proc/meminfo Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 5997) Reads from proc file: /proc/meminfo Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 6093) Reads from proc file: /proc/meminfo
Source: /lib/systemd/systemd-journald (PID: 6182) Reads from proc file: /proc/meminfo
Source: /lib/systemd/systemd-journald (PID: 6275) Reads from proc file: /proc/meminfo
Source: /lib/systemd/systemd-journald (PID: 6374) Reads from proc file: /proc/meminfo
Source: /lib/systemd/systemd-journald (PID: 6476) Reads from proc file: /proc/meminfo
Source: /lib/systemd/systemd-journald (PID: 6580) Reads from proc file: /proc/meminfo
Source: /lib/systemd/systemd-journald (PID: 6743) Reads from proc file: /proc/meminfo
Reads system version information
Source: /sbin/agetty (PID: 5709) Reads version info: /etc/issue Jump to behavior
Source: /sbin/agetty (PID: 5895) Reads version info: /etc/issue Jump to behavior
Source: /sbin/agetty (PID: 5971) Reads version info: /etc/issue Jump to behavior
Source: /sbin/agetty (PID: 6057) Reads version info: /etc/issue Jump to behavior
Source: /sbin/agetty (PID: 6155) Reads version info: /etc/issue
Source: /sbin/agetty (PID: 6242) Reads version info: /etc/issue
Source: /sbin/agetty (PID: 6335) Reads version info: /etc/issue
Source: /sbin/agetty (PID: 6434) Reads version info: /etc/issue
Source: /sbin/agetty (PID: 6538) Reads version info: /etc/issue
Source: /sbin/agetty (PID: 6640) Reads version info: /etc/issue
Source: /sbin/agetty (PID: 6744) Reads version info: /etc/issue
Source: /sbin/agetty (PID: 6822) Reads version info: /etc/issue
Source: /usr/sbin/rsyslogd (PID: 5614) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 5614) Log file created: /var/log/auth.log
Source: /usr/sbin/rsyslogd (PID: 5692) Log file created: /var/log/auth.log
Source: /usr/sbin/rsyslogd (PID: 5692) Log file created: /var/log/kern.log
Source: /usr/bin/gpu-manager (PID: 5693) Log file created: /var/log/gpu-manager.log
Source: /usr/sbin/rsyslogd (PID: 5744) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 5810) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 5896) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 5896) Log file created: /var/log/auth.log
Source: /usr/sbin/rsyslogd (PID: 5973) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 5981) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 5981) Log file created: /var/log/auth.log
Source: /usr/sbin/rsyslogd (PID: 5993) Log file created: /var/log/kern.log
Source: /usr/bin/gpu-manager (PID: 6059) Log file created: /var/log/gpu-manager.log
Source: /usr/sbin/rsyslogd (PID: 6060) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6060) Log file created: /var/log/auth.log
Source: /usr/sbin/rsyslogd (PID: 6089) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6157) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6166) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6166) Log file created: /var/log/auth.log
Source: /usr/sbin/rsyslogd (PID: 6178) Log file created: /var/log/kern.log
Source: /usr/bin/gpu-manager (PID: 6244) Log file created: /var/log/gpu-manager.log Jump to dropped file
Source: /usr/sbin/rsyslogd (PID: 6246) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6246) Log file created: /var/log/auth.log
Source: /usr/sbin/rsyslogd (PID: 6337) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6348) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6348) Log file created: /var/log/auth.log
Source: /usr/sbin/rsyslogd (PID: 6436) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6447) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6447) Log file created: /var/log/auth.log
Source: /usr/sbin/rsyslogd (PID: 6471) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6539) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6548) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6548) Log file created: /var/log/auth.log
Source: /usr/sbin/rsyslogd (PID: 6574) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6642) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6653) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6653) Log file created: /var/log/auth.log
Source: /usr/sbin/rsyslogd (PID: 6676) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6745) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6813) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6813) Log file created: /var/log/auth.log Jump to dropped file
Source: /usr/sbin/rsyslogd (PID: 6823) Log file created: /var/log/kern.log Jump to dropped file

Hooking and other Techniques for Hiding and Protection
barindex
Sample deletes itself
Source: /tmp/Aqua.sh4.elf (PID: 5436) File: /tmp/Aqua.sh4.elf Jump to behavior
Deletes log files
Source: /usr/bin/gpu-manager (PID: 5693) Truncated file: /var/log/gpu-manager.log Jump to behavior
Source: /usr/bin/gpu-manager (PID: 5873) Truncated file: /var/log/gpu-manager.log Jump to behavior
Source: /usr/bin/gpu-manager (PID: 5977) Truncated file: /var/log/gpu-manager.log Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6059) Truncated file: /var/log/gpu-manager.log Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6158) Truncated file: /var/log/gpu-manager.log
Source: /usr/bin/gpu-manager (PID: 6244) Truncated file: /var/log/gpu-manager.log
Source: /usr/bin/gpu-manager (PID: 6343) Truncated file: /var/log/gpu-manager.log
Source: /usr/bin/gpu-manager (PID: 6438) Truncated file: /var/log/gpu-manager.log
Source: /usr/bin/gpu-manager (PID: 6545) Truncated file: /var/log/gpu-manager.log
Source: /usr/bin/gpu-manager (PID: 6647) Truncated file: /var/log/gpu-manager.log
Source: /usr/bin/gpu-manager (PID: 6808) Truncated file: /var/log/gpu-manager.log
Reads CPU information from /sys indicative of miner or evasive malware
Source: /usr/bin/pkill (PID: 5718) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5898) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 5983) Reads CPU info from /sys: /sys/devices/system/cpu/online Jump to behavior
Source: /usr/bin/pkill (PID: 6084) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6168) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6269) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6350) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6451) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 6450) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6553) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 6554) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6658) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 6657) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6815) Reads CPU info from /sys: /sys/devices/system/cpu/online
Uses the "uname" system call to query kernel version information (possible evasion)
Source: /tmp/Aqua.sh4.elf (PID: 5434) Queries kernel information via 'uname': Jump to behavior
Source: /lib/systemd/systemd-hostnamed (PID: 5447) Queries kernel information via 'uname': Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 5614) Queries kernel information via 'uname': Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 5692) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/gpu-manager (PID: 5693) Queries kernel information via 'uname': Jump to behavior
Source: /sbin/agetty (PID: 5709) Queries kernel information via 'uname': Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 5744) Queries kernel information via 'uname': Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 5750) Queries kernel information via 'uname': Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 5810) Queries kernel information via 'uname': Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 5812) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/gpu-manager (PID: 5873) Queries kernel information via 'uname': Jump to behavior
Source: /sbin/agetty (PID: 5895) Queries kernel information via 'uname': Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 5896) Queries kernel information via 'uname': Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 5908) Queries kernel information via 'uname': Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 5911) Queries kernel information via 'uname': Jump to behavior
Source: /sbin/agetty (PID: 5971) Queries kernel information via 'uname': Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 5973) Queries kernel information via 'uname': Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 5981) Queries kernel information via 'uname': Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 5993) Queries kernel information via 'uname': Jump to behavior
Source: /lib/systemd/systemd-journald (PID: 5997) Queries kernel information via 'uname': Jump to behavior
Source: /sbin/agetty (PID: 6057) Queries kernel information via 'uname': Jump to behavior
Source: /usr/bin/gpu-manager (PID: 6059) Queries kernel information via 'uname': Jump to behavior
Source: /usr/sbin/rsyslogd (PID: 6060) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6089) Queries kernel information via 'uname':
Source: /lib/systemd/systemd-journald (PID: 6093) Queries kernel information via 'uname':
Source: /sbin/agetty (PID: 6155) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6157) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6166) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6178) Queries kernel information via 'uname':
Source: /lib/systemd/systemd-journald (PID: 6182) Queries kernel information via 'uname':
Source: /sbin/agetty (PID: 6242) Queries kernel information via 'uname':
Source: /usr/bin/gpu-manager (PID: 6244) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6246) Queries kernel information via 'uname':
Source: /lib/systemd/systemd-journald (PID: 6275) Queries kernel information via 'uname':
Source: /sbin/agetty (PID: 6335) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6337) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6348) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6369) Queries kernel information via 'uname':
Source: /lib/systemd/systemd-journald (PID: 6374) Queries kernel information via 'uname':
Source: /sbin/agetty (PID: 6434) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6436) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6447) Queries kernel information via 'uname':
Source: /usr/bin/pulseaudio (PID: 6450) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6471) Queries kernel information via 'uname':
Source: /lib/systemd/systemd-journald (PID: 6476) Queries kernel information via 'uname':
Source: /sbin/agetty (PID: 6538) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6539) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6548) Queries kernel information via 'uname':
Source: /usr/bin/pulseaudio (PID: 6554) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6574) Queries kernel information via 'uname':
Source: /lib/systemd/systemd-journald (PID: 6580) Queries kernel information via 'uname':
Source: /sbin/agetty (PID: 6640) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6642) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6653) Queries kernel information via 'uname':
Source: /usr/bin/pulseaudio (PID: 6657) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6676) Queries kernel information via 'uname':
Source: /lib/systemd/systemd-journald (PID: 6743) Queries kernel information via 'uname':
Source: /sbin/agetty (PID: 6744) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6745) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6813) Queries kernel information via 'uname':
Source: /sbin/agetty (PID: 6822) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6823) Queries kernel information via 'uname':
Source: Aqua.sh4.elf, 5434.1.00007ffe6f5eb000.00007ffe6f60c000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-sh4/tmp/Aqua.sh4.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/Aqua.sh4.elf
Source: kern.log.43.dr Binary or memory string: Dec 25 10:40:06 galassia kernel: [ 106.595480] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020
Source: Aqua.sh4.elf, 5434.1.00007ffe6f5eb000.00007ffe6f60c000.rw-.sdmp Binary or memory string: /qemu-open.XXXXX
Source: Aqua.sh4.elf, 5434.1.00007ffe6f5eb000.00007ffe6f60c000.rw-.sdmp Binary or memory string: /usr/bin/qemu-sh4
Source: Aqua.sh4.elf, 5434.1.00007ffe6f5eb000.00007ffe6f60c000.rw-.sdmp Binary or memory string: /tmp/qemu-open.7xxBZ7
Source: Aqua.sh4.elf, 5434.1.00007ffe6f5eb000.00007ffe6f60c000.rw-.sdmp Binary or memory string: V/tmp/qemu-open.7xxBZ7\
Source: kern.log.43.dr Binary or memory string: Dec 25 10:40:06 galassia kernel: [ 106.595440] Modules linked in: monitor(OE) md4 cmac cifs libarc4 fscache libdes vmw_vsock_vmci_transport vsock binfmt_misc dm_multipath scsi_dh_rdac scsi_dh_emc scsi_dh_alua vmw_balloon joydev input_leds serio_raw vmw_vmci sch_fq_codel parport_pc ppdev lp drm parport ip_tables x_tables autofs4 btrfs zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel crypto_simd cryptd glue_helper psmouse mptspi scsi_transport_spi ahci mptscsih libahci mptbase vmxnet3
Source: Aqua.sh4.elf, 5434.1.0000561cf0698000.0000561cf06fb000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/sh4
Source: Aqua.sh4.elf, 5434.1.0000561cf0698000.0000561cf06fb000.rw-.sdmp Binary or memory string: V5!/etc/qemu-binfmt/sh4

No Screenshots

  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
89.190.156.145
 unknown United Kingdom
7489 HOSTUS-GLOBAL-ASHostUSHK false

Contacted Domains

Name IP Active
45.148.10.84 unknown unknown