Linux Analysis Report
Aqua.arm4.elf

Overview

General Information

Sample name: Aqua.arm4.elf
Analysis ID: 1580703
MD5: 0ffcddb18c465c97e05d87ae18b616c3
SHA1: b5211064fc8e44bb5076c78932d9e77cbeaa4c42
SHA256: 7e8e119354526c4261df902d908ee1e2d2ebfba41086b5d13a1e182de5c3f912
Tags: elf, user-abuse_ch

Detection

Score: 72
Range: 0 - 100
Whitelisted: false

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Reads system files that contain records of logged in users
Sample deletes itself
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to kill multiple processes (SIGKILL)
Creates hidden files and/or directories
Deletes log files
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Executes commands using a shell command-line interpreter
Executes the "grep" command used to find patterns in files or piped streams
Executes the "kill" or "pkill" command typically used to terminate processes
Executes the "rm" command used to delete files or directories
Found strings indicative of a multi-platform dropper
Reads CPU information from /sys indicative of miner or evasive malware
Reads system information from the proc file system
Reads system version information
Reads the 'hosts' file potentially containing internal network hosts
Sample has stripped symbol table
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
Sample tries to set the executable flag
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses the "uname" system call to query kernel version information (possible evasion)

Classification

AV Detection

Source: Aqua.arm4.elf Avira: detected
Source: Aqua.arm4.elf ReversingLabs: Detection: 39%
Source: Aqua.arm4.elf Virustotal: Detection: 37%
Source: Aqua.arm4.elf String: EOF/proc//proc/%s/cmdlinerwgetcurlftpechokillbashrebootshutdownhaltpoweroff[locker] killed process: %s ;; pid: %d
Source: global traffic TCP traffic: 192.168.2.15:37424 -> 89.190.156.145:7733
Source: unknown DNS traffic detected: query: 45.148.10.84 reply code: Name error (3)
Source: unknown TCP traffic detected without corresponding DNS query: 89.190.156.145
Source: global traffic DNS traffic detected: DNS query: 45.148.10.84
Source: syslog.400.dr String found in binary or memory: https://www.rsyslog.com

System Summary

Source: ELF static info symbol of initial sample .symtab present: no
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6097, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6098, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6165, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6164, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6168, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6169, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6106, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6163, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6192, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6195, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6196, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6261, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6260, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6263, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6264, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6202, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6258, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6290, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6291, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6292, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6293, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6357, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6358, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6362, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6356, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6365, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6366, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6296, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6353, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6374, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6377, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6380, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6381, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6446, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6447, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6449, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6450, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6454, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6445, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6457, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6458, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6460, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6431, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6475, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6480, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6481, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6482, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6487, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6491, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6486, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6558, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6559, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6620, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6557, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6629, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6630, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6632, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6556, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6647, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6650, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6653, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6654, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6659, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6663, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6658, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6728, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6729, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6789, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6727, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6799, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6800, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6801, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6726, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6732, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6814, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6819, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6820, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6821, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6822, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6826, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6890, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6891, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6895, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6889, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6900, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6901, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6902, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6921, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6925, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6926, result: successful Jump to behavior
Source: /tmp/Aqua.arm4.elf (PID: 5519) SIGKILL sent: pid: 6927, result: successful Jump to behavior
Source: classification engine Classification label: mal72.spre.troj.evad.linELF@0/250@120/0

Persistence and Installation Behavior

Source: /lib/systemd/systemd-journald (PID: 6353) File opened: /proc/6296/comm
Source: /lib/systemd/systemd-journald (PID: 6353) File opened: /proc/6296/cmdline
Source: /lib/systemd/systemd-journald (PID: 6353) File opened: /proc/6296/status
Source: /lib/systemd/systemd-journald (PID: 6353) File opened: /proc/6296/attr/current
Source: /lib/systemd/systemd-journald (PID: 6353) File opened: /proc/6296/sessionid
Source: /lib/systemd/systemd-journald (PID: 6353) File opened: /proc/6296/loginuid
Source: /lib/systemd/systemd-journald (PID: 6353) File opened: /proc/6296/cgroup
Source: /lib/systemd/systemd-journald (PID: 6353) File opened: /proc/6353/cmdline
Source: /lib/systemd/systemd-journald (PID: 6353) File opened: /proc/6353/status
Source: /lib/systemd/systemd-journald (PID: 6353) File opened: /proc/6353/attr/current
Source: /lib/systemd/systemd-journald (PID: 6353) File opened: /proc/6353/sessionid
Source: /lib/systemd/systemd-journald (PID: 6353) File opened: /proc/6353/loginuid
Source: /lib/systemd/systemd-journald (PID: 6353) File opened: /proc/6353/cgroup
Source: /lib/systemd/systemd-journald (PID: 6353) File opened: /proc/6366/comm
Source: /lib/systemd/systemd-journald (PID: 6353) File opened: /proc/6366/cmdline
Source: /lib/systemd/systemd-journald (PID: 6353) File opened: /proc/6366/status
Source: /lib/systemd/systemd-journald (PID: 6353) File opened: /proc/6366/attr/current
Source: /lib/systemd/systemd-journald (PID: 6353) File opened: /proc/6366/sessionid
Source: /lib/systemd/systemd-journald (PID: 6353) File opened: /proc/6366/loginuid
Source: /lib/systemd/systemd-journald (PID: 6353) File opened: /proc/6366/cgroup
Source: /lib/systemd/systemd-journald (PID: 6353) File opened: /proc/6366/comm
Source: /lib/systemd/systemd-journald (PID: 6353) File opened: /proc/6366/cmdline
Source: /lib/systemd/systemd-journald (PID: 6353) File opened: /proc/6366/status
Source: /lib/systemd/systemd-journald (PID: 6353) File opened: /proc/6366/attr/current
Source: /lib/systemd/systemd-journald (PID: 6353) File opened: /proc/6366/sessionid
Source: /lib/systemd/systemd-journald (PID: 6353) File opened: /proc/6366/loginuid
Source: /lib/systemd/systemd-journald (PID: 6353) File opened: /proc/6366/cgroup
Source: /lib/systemd/systemd-journald (PID: 6353) File opened: /proc/6365/comm
Source: /lib/systemd/systemd-journald (PID: 6353) File opened: /proc/6365/cmdline
Source: /lib/systemd/systemd-journald (PID: 6353) File opened: /proc/6365/status
Source: /lib/systemd/systemd-journald (PID: 6353) File opened: /proc/6365/attr/current
Source: /lib/systemd/systemd-journald (PID: 6353) File opened: /proc/6365/sessionid
Source: /lib/systemd/systemd-journald (PID: 6353) File opened: /proc/6365/loginuid
Source: /lib/systemd/systemd-journald (PID: 6353) File opened: /proc/6365/cgroup
Source: /lib/systemd/systemd-journald (PID: 6353) File opened: /proc/6357/comm
Source: /lib/systemd/systemd-journald (PID: 6353) File opened: /proc/6357/cmdline
Source: /lib/systemd/systemd-journald (PID: 6353) File opened: /proc/6357/status
Source: /lib/systemd/systemd-journald (PID: 6353) File opened: /proc/6357/attr/current
Source: /lib/systemd/systemd-journald (PID: 6353) File opened: /proc/6357/sessionid
Source: /lib/systemd/systemd-journald (PID: 6353) File opened: /proc/6357/loginuid
Source: /lib/systemd/systemd-journald (PID: 6353) File opened: /proc/6357/cgroup
Source: /lib/systemd/systemd-journald (PID: 6353) File opened: /proc/1/environ
Source: /lib/systemd/systemd-journald (PID: 6353) File opened: /proc/1/sched
Source: /lib/systemd/systemd-journald (PID: 6353) File opened: /proc/1/cgroup
Source: /lib/systemd/systemd-journald (PID: 6353) File opened: /proc/1/status
Source: /lib/systemd/systemd-journald (PID: 6353) File opened: /proc/1/comm
Source: /lib/systemd/systemd-journald (PID: 6353) File opened: /proc/1/cmdline
Source: /lib/systemd/systemd-journald (PID: 6353) File opened: /proc/1/attr/current
Source: /lib/systemd/systemd-journald (PID: 6353) File opened: /proc/1/sessionid
Source: /lib/systemd/systemd-journald (PID: 6353) File opened: /proc/1/loginuid
Source: /lib/systemd/systemd-journald (PID: 6353) File opened: /proc/1/cgroup
Source: /lib/systemd/systemd-journald (PID: 6353) File opened: /proc/658/comm
Source: /lib/systemd/systemd-journald (PID: 6353) File opened: /proc/658/cmdline
Source: /lib/systemd/systemd-journald (PID: 6353) File opened: /proc/658/status
Source: /lib/systemd/systemd-journald (PID: 6353) File opened: /proc/658/attr/current
Source: /lib/systemd/systemd-journald (PID: 6353) File opened: /proc/658/sessionid
Source: /lib/systemd/systemd-journald (PID: 6353) File opened: /proc/658/loginuid
Source: /lib/systemd/systemd-journald (PID: 6353) File opened: /proc/658/cgroup
Source: /lib/systemd/systemd-journald (PID: 6431) File opened: /proc/6471/comm
Source: /lib/systemd/systemd-journald (PID: 6431) File opened: /proc/6471/cmdline
Source: /lib/systemd/systemd-journald (PID: 6431) File opened: /proc/6471/status
Source: /lib/systemd/systemd-journald (PID: 6431) File opened: /proc/6471/attr/current
Source: /lib/systemd/systemd-journald (PID: 6431) File opened: /proc/6471/sessionid
Source: /lib/systemd/systemd-journald (PID: 6431) File opened: /proc/6471/loginuid
Source: /lib/systemd/systemd-journald (PID: 6431) File opened: /proc/6471/cgroup
Source: /lib/systemd/systemd-journald (PID: 6431) File opened: /proc/6460/comm
Source: /lib/systemd/systemd-journald (PID: 6431) File opened: /proc/6460/cmdline
Source: /lib/systemd/systemd-journald (PID: 6431) File opened: /proc/6460/status
Source: /lib/systemd/systemd-journald (PID: 6431) File opened: /proc/6460/attr/current
Source: /lib/systemd/systemd-journald (PID: 6431) File opened: /proc/6460/sessionid
Source: /lib/systemd/systemd-journald (PID: 6431) File opened: /proc/6460/loginuid
Source: /lib/systemd/systemd-journald (PID: 6431) File opened: /proc/6460/cgroup
Source: /lib/systemd/systemd-journald (PID: 6431) File opened: /proc/6482/comm
Source: /lib/systemd/systemd-journald (PID: 6431) File opened: /proc/6482/cmdline
Source: /lib/systemd/systemd-journald (PID: 6431) File opened: /proc/6482/status
Source: /lib/systemd/systemd-journald (PID: 6431) File opened: /proc/6482/attr/current
Source: /lib/systemd/systemd-journald (PID: 6431) File opened: /proc/6482/sessionid
Source: /lib/systemd/systemd-journald (PID: 6431) File opened: /proc/6482/loginuid
Source: /lib/systemd/systemd-journald (PID: 6431) File opened: /proc/6482/cgroup
Source: /lib/systemd/systemd-journald (PID: 6431) File opened: /proc/6431/cmdline
Source: /lib/systemd/systemd-journald (PID: 6431) File opened: /proc/6431/status
Source: /lib/systemd/systemd-journald (PID: 6431) File opened: /proc/6431/attr/current
Source: /lib/systemd/systemd-journald (PID: 6431) File opened: /proc/6431/sessionid
Source: /lib/systemd/systemd-journald (PID: 6431) File opened: /proc/6431/loginuid
Source: /lib/systemd/systemd-journald (PID: 6431) File opened: /proc/6431/cgroup
Source: /usr/bin/gpu-manager (PID: 5787) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5789) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5791) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5795) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5797) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5800) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5802) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5804) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5887) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5889) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5891) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5893) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5895) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5899) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5901) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5903) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5986) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5989) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5991) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5996) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 5998) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6002) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6004) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6006) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6084) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6087) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6167) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6171) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6176) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6178) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6180) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6182) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6184) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6186) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6265) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6267) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6274) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6276) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6278) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6280) Shell command executed: sh -c "grep -G \"^blacklist.*amdgpu[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6282) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6284) Shell command executed: sh -c "grep -G \"^blacklist.*nouveau[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6363) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6367) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6455) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6459) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6624) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6626) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6628) Shell command executed: sh -c "grep -G \"^blacklist.*radeon[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6795) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6797) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6896) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /etc/modprobe.d/*.conf"
Source: /usr/bin/gpu-manager (PID: 6898) Shell command executed: sh -c "grep -G \"^blacklist.*nvidia[[:space:]]*$\" /lib/modprobe.d/*.conf"
Source: /usr/share/language-tools/language-options (PID: 7015) Shell command executed: sh -c "locale -a | grep -F .utf8 "
Source: /bin/sh (PID: 5788) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5790) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 5792) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5796) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 5799) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5801) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 5803) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5805) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 5888) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5890) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 5892) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5894) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 5896) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5900) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 5902) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5904) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 5987) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5990) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 5994) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 5997) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 6001) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 6003) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 6005) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 6007) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 6086) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 6170) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 6172) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 6177) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 6179) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 6181) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 6183) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 6185) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 6187) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 6266) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 6270) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 6275) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 6277) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 6279) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 6281) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*amdgpu[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 6283) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 6285) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nouveau[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 6364) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 6368) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 6456) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 6625) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 6627) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 6631) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*radeon[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 6796) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 6798) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 6897) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /etc/modprobe.d/alsa-base.conf /etc/modprobe.d/amd64-microcode-blacklist.conf /etc/modprobe.d/blacklist-ath_pci.conf /etc/modprobe.d/blacklist-firewire.conf /etc/modprobe.d/blacklist-framebuffer.conf /etc/modprobe.d/blacklist-modem.conf /etc/modprobe.d/blacklist-oss.conf /etc/modprobe.d/blacklist-rare-network.conf /etc/modprobe.d/blacklist.conf /etc/modprobe.d/intel-microcode-blacklist.conf /etc/modprobe.d/iwlwifi.conf /etc/modprobe.d/mdadm.conf
Source: /bin/sh (PID: 6899) Grep executable: /usr/bin/grep -> grep -G ^blacklist.*nvidia[[:space:]]*$ /lib/modprobe.d/aliases.conf /lib/modprobe.d/blacklist_linux_5.4.0-72-generic.conf /lib/modprobe.d/blacklist_linux_5.4.0-81-generic.conf /lib/modprobe.d/fbdev-blacklist.conf /lib/modprobe.d/systemd.conf
Source: /bin/sh (PID: 7017) Grep executable: /usr/bin/grep -> grep -F .utf8
Source: /usr/share/gdm/generate-config (PID: 5807) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Source: /usr/share/gdm/generate-config (PID: 5907) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Source: /usr/share/gdm/generate-config (PID: 6009) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Source: /usr/share/gdm/generate-config (PID: 6090) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Source: /usr/share/gdm/generate-config (PID: 6191) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Source: /usr/share/gdm/generate-config (PID: 6287) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Source: /usr/share/gdm/generate-config (PID: 6370) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Source: /usr/share/gdm/generate-config (PID: 6462) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Source: /usr/share/gdm/generate-config (PID: 6634) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Source: /usr/share/gdm/generate-config (PID: 6803) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Source: /usr/share/gdm/generate-config (PID: 6905) Pkill executable: /usr/bin/pkill -> pkill --signal HUP --uid gdm dconf-service
Source: /usr/bin/dash (PID: 5505) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.51vzsBljgg /tmp/tmp.n6NYFHzIqJ /tmp/tmp.Lgew8tGXVg
Source: /usr/bin/dash (PID: 5506) Rm executable: /usr/bin/rm -> rm -f /tmp/tmp.51vzsBljgg /tmp/tmp.n6NYFHzIqJ /tmp/tmp.Lgew8tGXVg
Source: /lib/systemd/systemd-journald (PID: 5819) Reads from proc file: /proc/meminfo
Source: /lib/systemd/systemd-journald (PID: 5882) Reads from proc file: /proc/meminfo
Source: /lib/systemd/systemd-journald (PID: 5977) Reads from proc file: /proc/meminfo
Source: /lib/systemd/systemd-journald (PID: 6074) Reads from proc file: /proc/meminfo
Source: /lib/systemd/systemd-journald (PID: 6163) Reads from proc file: /proc/meminfo
Source: /lib/systemd/systemd-journald (PID: 6258) Reads from proc file: /proc/meminfo
Source: /lib/systemd/systemd-journald (PID: 6353) Reads from proc file: /proc/meminfo
Source: /lib/systemd/systemd-journald (PID: 6431) Reads from proc file: /proc/meminfo
Source: /lib/systemd/systemd-journald (PID: 6556) Reads from proc file: /proc/meminfo
Source: /lib/systemd/systemd-journald (PID: 6726) Reads from proc file: /proc/meminfo
Source: /lib/systemd/systemd-journald (PID: 6829) Reads from proc file: /proc/meminfo
Source: /sbin/agetty (PID: 5798) Reads version info: /etc/issue
Source: /sbin/agetty (PID: 5879) Reads version info: /etc/issue
Source: /sbin/agetty (PID: 5978) Reads version info: /etc/issue
Source: /sbin/agetty (PID: 6075) Reads version info: /etc/issue
Source: /sbin/agetty (PID: 6164) Reads version info: /etc/issue
Source: /sbin/agetty (PID: 6260) Reads version info: /etc/issue
Source: /sbin/agetty (PID: 6356) Reads version info: /etc/issue
Source: /sbin/agetty (PID: 6445) Reads version info: /etc/issue
Source: /sbin/agetty (PID: 6557) Reads version info: /etc/issue
Source: /sbin/agetty (PID: 6727) Reads version info: /etc/issue
Source: /sbin/agetty (PID: 6889) Reads version info: /etc/issue
Source: /sbin/agetty (PID: 6924) Reads version info: /etc/issue
Source: /usr/sbin/gdm3 (PID: 7005) File: /var/run/gdm3 (bits: - usr: -x grp: x all: rwx)
Source: /usr/sbin/gdm3 (PID: 7005) File: /var/log/gdm3 (bits: - usr: -x grp: x all: rwx)
Source: /usr/lib/accountsservice/accounts-daemon (PID: 7009) File: /var/lib/AccountsService/icons (bits: - usr: rx grp: rwx all: rwx)
Source: /usr/lib/accountsservice/accounts-daemon (PID: 7009) File: /var/lib/AccountsService/users (bits: - usr: - grp: - all: rwx)
Source: /usr/sbin/rsyslogd (PID: 5703) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 5782) Log file created: /var/log/auth.log
Source: /usr/sbin/rsyslogd (PID: 5782) Log file created: /var/log/kern.log
Source: /usr/bin/gpu-manager (PID: 5783) Log file created: /var/log/gpu-manager.log
Source: /usr/sbin/rsyslogd (PID: 5812) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 5881) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 5906) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 5906) Log file created: /var/log/auth.log
Source: /usr/sbin/rsyslogd (PID: 5980) Log file created: /var/log/kern.log
Source: /usr/bin/gpu-manager (PID: 5985) Log file created: /var/log/gpu-manager.log
Source: /usr/sbin/rsyslogd (PID: 5988) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 5988) Log file created: /var/log/auth.log
Source: /usr/sbin/rsyslogd (PID: 6077) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6088) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6088) Log file created: /var/log/auth.log
Source: /usr/sbin/rsyslogd (PID: 6098) Log file created: /var/log/kern.log
Source: /usr/bin/gpu-manager (PID: 6166) Log file created: /var/log/gpu-manager.log
Source: /usr/sbin/rsyslogd (PID: 6169) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6169) Log file created: /var/log/auth.log
Source: /usr/sbin/rsyslogd (PID: 6196) Log file created: /var/log/kern.log
Source: /usr/bin/gpu-manager (PID: 6262) Log file created: /var/log/gpu-manager.log
Source: /usr/sbin/rsyslogd (PID: 6263) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6263) Log file created: /var/log/auth.log
Source: /usr/sbin/rsyslogd (PID: 6357) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6365) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6365) Log file created: /var/log/auth.log
Source: /usr/sbin/rsyslogd (PID: 6446) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6458) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6458) Log file created: /var/log/auth.log
Source: /usr/sbin/rsyslogd (PID: 6482) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6558) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6630) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6630) Log file created: /var/log/auth.log
Source: /usr/sbin/rsyslogd (PID: 6654) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6728) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6799) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6799) Log file created: /var/log/auth.log
Source: /usr/sbin/rsyslogd (PID: 6821) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6890) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6901) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6901) Log file created: /var/log/auth.log
Source: /usr/sbin/rsyslogd (PID: 6929) Log file created: /var/log/kern.log
Source: /usr/sbin/rsyslogd (PID: 6929) Log file created: /var/log/auth.log

Hooking and other Techniques for Hiding and Protection

Source: /tmp/Aqua.arm4.elf (PID: 5517) File: /tmp/Aqua.arm4.elf
Source: /usr/bin/gpu-manager (PID: 5783) Truncated file: /var/log/gpu-manager.log
Source: /usr/bin/gpu-manager (PID: 5883) Truncated file: /var/log/gpu-manager.log
Source: /usr/bin/gpu-manager (PID: 5985) Truncated file: /var/log/gpu-manager.log
Source: /usr/bin/gpu-manager (PID: 6083) Truncated file: /var/log/gpu-manager.log
Source: /usr/bin/gpu-manager (PID: 6166) Truncated file: /var/log/gpu-manager.log
Source: /usr/bin/gpu-manager (PID: 6262) Truncated file: /var/log/gpu-manager.log
Source: /usr/bin/gpu-manager (PID: 6362) Truncated file: /var/log/gpu-manager.log
Source: /usr/bin/gpu-manager (PID: 6454) Truncated file: /var/log/gpu-manager.log
Source: /usr/bin/gpu-manager (PID: 6620) Truncated file: /var/log/gpu-manager.log
Source: /usr/bin/gpu-manager (PID: 6789) Truncated file: /var/log/gpu-manager.log
Source: /usr/bin/gpu-manager (PID: 6895) Truncated file: /var/log/gpu-manager.log
Source: /usr/bin/pkill (PID: 5807) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 5907) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6009) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6090) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6191) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6287) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6370) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 6460) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6462) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 6486) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 6632) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6634) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 6658) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 6801) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6803) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 6902) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pkill (PID: 6905) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /usr/bin/pulseaudio (PID: 6933) Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: /tmp/Aqua.arm4.elf (PID: 5515) Queries kernel information via 'uname':
Source: /lib/systemd/systemd-hostnamed (PID: 5529) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 5703) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 5782) Queries kernel information via 'uname':
Source: /usr/bin/gpu-manager (PID: 5783) Queries kernel information via 'uname':
Source: /sbin/agetty (PID: 5798) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 5812) Queries kernel information via 'uname':
Source: /lib/systemd/systemd-journald (PID: 5819) Queries kernel information via 'uname':
Source: /sbin/agetty (PID: 5879) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 5881) Queries kernel information via 'uname':
Source: /lib/systemd/systemd-journald (PID: 5882) Queries kernel information via 'uname':
Source: /usr/bin/gpu-manager (PID: 5883) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 5906) Queries kernel information via 'uname':
Source: /lib/systemd/systemd-journald (PID: 5977) Queries kernel information via 'uname':
Source: /sbin/agetty (PID: 5978) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 5980) Queries kernel information via 'uname':
Source: /usr/bin/gpu-manager (PID: 5985) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 5988) Queries kernel information via 'uname':
Source: /lib/systemd/systemd-journald (PID: 6074) Queries kernel information via 'uname':
Source: /sbin/agetty (PID: 6075) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6077) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6088) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6098) Queries kernel information via 'uname':
Source: /lib/systemd/systemd-journald (PID: 6163) Queries kernel information via 'uname':
Source: /sbin/agetty (PID: 6164) Queries kernel information via 'uname':
Source: /usr/bin/gpu-manager (PID: 6166) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6169) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6196) Queries kernel information via 'uname':
Source: /lib/systemd/systemd-journald (PID: 6258) Queries kernel information via 'uname':
Source: /sbin/agetty (PID: 6260) Queries kernel information via 'uname':
Source: /usr/bin/gpu-manager (PID: 6262) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6263) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6292) Queries kernel information via 'uname':
Source: /lib/systemd/systemd-journald (PID: 6353) Queries kernel information via 'uname':
Source: /sbin/agetty (PID: 6356) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6357) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6365) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6380) Queries kernel information via 'uname':
Source: /lib/systemd/systemd-journald (PID: 6431) Queries kernel information via 'uname':
Source: /sbin/agetty (PID: 6445) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6446) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6458) Queries kernel information via 'uname':
Source: /usr/bin/pulseaudio (PID: 6460) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6482) Queries kernel information via 'uname':
Source: /usr/bin/pulseaudio (PID: 6486) Queries kernel information via 'uname':
Source: /lib/systemd/systemd-journald (PID: 6556) Queries kernel information via 'uname':
Source: /sbin/agetty (PID: 6557) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6558) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6630) Queries kernel information via 'uname':
Source: /usr/bin/pulseaudio (PID: 6632) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6654) Queries kernel information via 'uname':
Source: /usr/bin/pulseaudio (PID: 6658) Queries kernel information via 'uname':
Source: /lib/systemd/systemd-journald (PID: 6726) Queries kernel information via 'uname':
Source: /sbin/agetty (PID: 6727) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6728) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6799) Queries kernel information via 'uname':
Source: /usr/bin/pulseaudio (PID: 6801) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6821) Queries kernel information via 'uname':
Source: /lib/systemd/systemd-journald (PID: 6829) Queries kernel information via 'uname':
Source: /sbin/agetty (PID: 6889) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6890) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6901) Queries kernel information via 'uname':
Source: /usr/bin/pulseaudio (PID: 6902) Queries kernel information via 'uname':
Source: /sbin/agetty (PID: 6924) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6926) Queries kernel information via 'uname':
Source: /usr/sbin/rsyslogd (PID: 6929) Queries kernel information via 'uname':
Source: /usr/bin/pulseaudio (PID: 6933) Queries kernel information via 'uname':
Source: /usr/lib/gdm3/gdm-session-worker (PID: 7018) Queries kernel information via 'uname':
Source: Aqua.arm4.elf, 5515.1.00007ffe3d50f000.00007ffe3d530000.rw-.sdmp Binary or memory string: x86_64/usr/bin/qemu-arm/tmp/Aqua.arm4.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/Aqua.arm4.elf
Source: kern.log.47.dr Binary or memory string: Dec 25 10:41:19 galassia kernel: [ 160.321177] Modules linked in: monitor(OE) md4 cmac cifs libarc4 fscache libdes vmw_vsock_vmci_transport vsock binfmt_misc dm_multipath scsi_dh_rdac scsi_dh_emc scsi_dh_alua vmw_balloon joydev input_leds serio_raw vmw_vmci sch_fq_codel parport_pc ppdev lp parport drm ip_tables x_tables autofs4 btrfs zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel crypto_simd cryptd glue_helper mptspi scsi_transport_spi psmouse mptscsih mptbase ahci libahci vmxnet3
Source: Aqua.arm4.elf, 5515.1.000055796fb4f000.000055796fc7d000.rw-.sdmp Binary or memory string: /etc/qemu-binfmt/arm
Source: Aqua.arm4.elf, 5515.1.00007ffe3d50f000.00007ffe3d530000.rw-.sdmp Binary or memory string: @lyU/tmp/qemu-open.AaWiZe:
Source: Aqua.arm4.elf, 5515.1.00007ffe3d50f000.00007ffe3d530000.rw-.sdmp Binary or memory string: /usr/bin/qemu-arm
Source: Aqua.arm4.elf, 5515.1.00007ffe3d50f000.00007ffe3d530000.rw-.sdmp Binary or memory string: /tmp/qemu-open.AaWiZe
Source: kern.log.47.dr Binary or memory string: Dec 25 10:41:19 galassia kernel: [ 160.321228] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020
Source: Aqua.arm4.elf, 5515.1.000055796fb4f000.000055796fc7d000.rw-.sdmp Binary or memory string: oyU!/etc/qemu-binfmt/arm

Language, Device and Operating System Detection

Source: /usr/lib/accountsservice/accounts-daemon (PID: 7009) Logged in records file read: /var/log/wtmp