
Linux Analysis Report
hanoi.sh4.elf

Overview

General Information

Sample name: hanoi.sh4.elf
Analysis ID: 1649662
MD5: a6d7691e700f2907e5f2ec5df85404d9
SHA1: d0464b01799bb8b81912dfb6d02f31f9d69a1432
SHA256: 77901d6bd4cfa884b42ab837e3c2e60fb0a73a2f38de4dbc27a4534a196aabc1
Tags: elf, user-abuse_ch

Detection

Mirai, Okiru, Xmrig
Score: 100 (range 0 - 100)

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Mirai
Yara detected Okiru
Yara detected Xmrig cryptocurrency miner
Found strings related to Crypto-Mining
Reads system files that contain records of logged in users
Sample reads /proc/mounts (often used for finding a writable filesystem)
Sample tries to kill multiple processes (SIGKILL)
Creates hidden files and/or directories
Detected TCP or UDP traffic on non-standard ports
Enumerates processes within the "proc" file system
Executes commands using a shell command-line interpreter
Executes the "grep" command used to find patterns in files or piped streams
Executes the "rm" command used to delete files or directories
Found strings indicative of a multi-platform dropper
Reads CPU information from /sys indicative of miner or evasive malware
Sample contains strings indicative of BusyBox which embeds multiple Unix commands in a single executable
Sample has stripped symbol table
Sample listens on a socket
Sample tries to kill a process (SIGKILL)
Sample tries to set the executable flag
Uses the "uname" system call to query kernel version information (possible evasion)
Yara signature match

Classification

Classification chart (image not reproduced). Category labels: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner. Verdict scale: clean, suspicious, malicious.
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1649662
Start date and time: 2025-03-27 00:58:48 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 40s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultlinuxfilecookbook.jbs
Analysis system description: Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Analysis Mode: default
Sample name: hanoi.sh4.elf
Detection: MAL
Classification: mal100.spre.troj.mine.linELF@0/7@2/0
  • Report size exceeded maximum capacity and may have missing behavior information.
Command: /tmp/hanoi.sh4.elf
PID: 5595
Exit Code: 0
Exit Code Info:
Killed: False
Standard Output:
lzrd cock fest"/proc/"/exe
Standard Error:
  • system is lnxubuntu20
  • sh (PID: 5627, Parent: 1588, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-wacom
  • gsd-wacom (PID: 5627, Parent: 1588, MD5: 13778dd1a23a4e94ddc17ac9caa4fcc1) Arguments: /usr/libexec/gsd-wacom
  • sh (PID: 5630, Parent: 1588, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-color
  • gsd-color (PID: 5630, Parent: 1588, MD5: ac2861ad93ce047283e8e87cefef9a19) Arguments: /usr/libexec/gsd-color
  • sh (PID: 5631, Parent: 1588, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-keyboard
  • gsd-keyboard (PID: 5631, Parent: 1588, MD5: 8e288fd17c80bb0a1148b964b2ac2279) Arguments: /usr/libexec/gsd-keyboard
  • sh (PID: 5632, Parent: 1588, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-print-notifications
  • sh (PID: 5633, Parent: 1588, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-rfkill
  • gsd-rfkill (PID: 5633, Parent: 1588, MD5: 88a16a3c0aba1759358c06215ecfb5cc) Arguments: /usr/libexec/gsd-rfkill
  • sh (PID: 5634, Parent: 1588, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-smartcard
  • gsd-smartcard (PID: 5634, Parent: 1588, MD5: ea1fbd7f62e4cd0331eae2ef754ee605) Arguments: /usr/libexec/gsd-smartcard
  • sh (PID: 5635, Parent: 1588, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-datetime
  • gsd-datetime (PID: 5635, Parent: 1588, MD5: d80d39745740de37d6634d36e344d4bc) Arguments: /usr/libexec/gsd-datetime
  • sh (PID: 5636, Parent: 1588, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-media-keys
  • gsd-media-keys (PID: 5636, Parent: 1588, MD5: a425448c135afb4b8bfd79cc0b6b74da) Arguments: /usr/libexec/gsd-media-keys
  • sh (PID: 5637, Parent: 1588, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-screensaver-proxy
  • gsd-screensaver-proxy (PID: 5637, Parent: 1588, MD5: 77e309450c87dceee43f1a9e50cc0d02) Arguments: /usr/libexec/gsd-screensaver-proxy
  • sh (PID: 5640, Parent: 1588, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-sound
  • gsd-sound (PID: 5640, Parent: 1588, MD5: 4c7d3fb993463337b4a0eb5c80c760ee) Arguments: /usr/libexec/gsd-sound
  • sh (PID: 5641, Parent: 1588, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-a11y-settings
  • gsd-a11y-settings (PID: 5641, Parent: 1588, MD5: 18e243d2cf30ecee7ea89d1462725c5c) Arguments: /usr/libexec/gsd-a11y-settings
  • sh (PID: 5644, Parent: 1588, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping
  • gsd-housekeeping (PID: 5644, Parent: 1588, MD5: b55f3394a84976ddb92a2915e5d76914) Arguments: /usr/libexec/gsd-housekeeping
  • sh (PID: 5645, Parent: 1588, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-power
  • gsd-power (PID: 5645, Parent: 1588, MD5: 28b8e1b43c3e7f1db6741ea1ecd978b7) Arguments: /usr/libexec/gsd-power
  • fusermount (PID: 5648, Parent: 3122, MD5: 576a1b135c82bdcbc97a91acea900566) Arguments: fusermount -u -q -z -- /run/user/1000/gvfs
  • xfwm4 (PID: 5651, Parent: 2984, MD5: 59defa3c00cc30d85ed77b738d55e9da) Arguments: xfwm4 --display :1.0 --sm-client-id 27575c7dd-2dac-48f0-9f3a-eff67ec043e5
  • xfce4-panel (PID: 5675, Parent: 2984, MD5: a15b657c7d54ac1385f1f15004ea6784) Arguments: xfce4-panel --display :1.0 --sm-client-id 2d6b1caf2-8023-452b-bd0d-d23295482740
  • rm (PID: 5681, Parent: 2984, MD5: aa2b5496fdbfd88e38791ab81f90b95b) Arguments: rm -f /home/saturnino/.cache/sessions/Thunar-2ec7c2e14-9c4d-40f3-9704-8617ab831fb4
  • xfdesktop (PID: 5686, Parent: 2984, MD5: dfb13e1581f80065dcea16f2476f16f2) Arguments: xfdesktop --display :1.0 --sm-client-id 260d40b3c-9c6a-4cb1-bbe4-3557725aa528
  • systemd New Fork (PID: 5688, Parent: 1)
  • systemd-hostnamed (PID: 5688, Parent: 1, MD5: 2cc8a5576629a2d5bd98e49a4b8bef65) Arguments: /lib/systemd/systemd-hostnamed
  • xfwm4 (PID: 5841, Parent: 2984, MD5: 59defa3c00cc30d85ed77b738d55e9da) Arguments: xfwm4 --display :1.0 --sm-client-id 27575c7dd-2dac-48f0-9f3a-eff67ec043e5
  • xfconfd (PID: 5843, Parent: 5842, MD5: 4c7a0d6d258bb970905b19b84abcd8e9) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd
  • gdm3 New Fork (PID: 5844, Parent: 1400)
  • Default (PID: 5844, Parent: 1400, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default
  • xfce4-panel (PID: 5845, Parent: 2984, MD5: a15b657c7d54ac1385f1f15004ea6784) Arguments: xfce4-panel --display :1.0 --sm-client-id 2d6b1caf2-8023-452b-bd0d-d23295482740
    • wrapper-2.0 (PID: 5949, Parent: 5845, MD5: ac0b8a906f359a8ae102244738682e76) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libsystray.so 6 6291464 systray "Notification Area" "Area where notification icons appear"
    • wrapper-2.0 (PID: 5950, Parent: 5845, MD5: ac0b8a906f359a8ae102244738682e76) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libstatusnotifier.so 7 6291465 statusnotifier "Status Notifier Plugin" "Provides a panel area for status notifier items (application indicators)"
    • wrapper-2.0 (PID: 5967, Parent: 5845, MD5: ac0b8a906f359a8ae102244738682e76) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libpulseaudio-plugin.so 8 6291466 pulseaudio "PulseAudio Plugin" "Adjust the audio volume of the PulseAudio sound system"
    • wrapper-2.0 (PID: 5968, Parent: 5845, MD5: ac0b8a906f359a8ae102244738682e76) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libxfce4powermanager.so 9 6291467 power-manager-plugin "Power Manager Plugin" "Display the battery levels of your devices and control the brightness of your display"
    • wrapper-2.0 (PID: 5970, Parent: 5845, MD5: ac0b8a906f359a8ae102244738682e76) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libnotification-plugin.so 10 6291468 notification-plugin "Notification Plugin" "Notification plugin for the Xfce panel"
    • wrapper-2.0 (PID: 5998, Parent: 5845, MD5: ac0b8a906f359a8ae102244738682e76) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libactions.so 14 6291469 actions "Action Buttons" "Log out, lock or other system actions"
    • wrapper-2.0 (PID: 6047, Parent: 5845, MD5: ac0b8a906f359a8ae102244738682e76) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libsystray.so 6 6291464 systray "Notification Area" "Area where notification icons appear"
    • wrapper-2.0 (PID: 6049, Parent: 5845, MD5: ac0b8a906f359a8ae102244738682e76) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libstatusnotifier.so 7 6291465 statusnotifier "Status Notifier Plugin" "Provides a panel area for status notifier items (application indicators)"
    • wrapper-2.0 (PID: 6051, Parent: 5845, MD5: ac0b8a906f359a8ae102244738682e76) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libpulseaudio-plugin.so 8 6291466 pulseaudio "PulseAudio Plugin" "Adjust the audio volume of the PulseAudio sound system"
    • wrapper-2.0 (PID: 6052, Parent: 5845, MD5: ac0b8a906f359a8ae102244738682e76) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libxfce4powermanager.so 9 6291467 power-manager-plugin "Power Manager Plugin" "Display the battery levels of your devices and control the brightness of your display"
    • wrapper-2.0 (PID: 6053, Parent: 5845, MD5: ac0b8a906f359a8ae102244738682e76) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libnotification-plugin.so 10 6291468 notification-plugin "Notification Plugin" "Notification plugin for the Xfce panel"
    • wrapper-2.0 (PID: 6054, Parent: 5845, MD5: ac0b8a906f359a8ae102244738682e76) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libactions.so 14 6291469 actions "Action Buttons" "Log out, lock or other system actions"
  • gdm3 New Fork (PID: 5846, Parent: 1400)
  • Default (PID: 5846, Parent: 1400, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /etc/gdm3/PrimeOff/Default
  • xfdesktop (PID: 5847, Parent: 2984, MD5: dfb13e1581f80065dcea16f2476f16f2) Arguments: xfdesktop --display :1.0 --sm-client-id 260d40b3c-9c6a-4cb1-bbe4-3557725aa528
  • systemd New Fork (PID: 5851, Parent: 2935)
  • xfce4-notifyd (PID: 5851, Parent: 2935, MD5: eee956f1b227c1d5031f9c61223255d1) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/notifyd/xfce4-notifyd
  • systemd New Fork (PID: 5861, Parent: 2935)
  • gvfsd (PID: 5861, Parent: 2935, MD5: 1fa32dace8ba066189a8eadd21bb172a) Arguments: /usr/libexec/gvfsd
    • gvfsd New Fork (PID: 5868, Parent: 5861)
      • gvfsd New Fork (PID: 5869, Parent: 5868)
      • gvfsd-fuse (PID: 5869, Parent: 2935, MD5: d18fbf1cbf8eb57b17fac48b7b4be933) Arguments: /usr/libexec/gvfsd-fuse /run/user/1000/gvfs -f -o big_writes
        • fusermount (PID: 5870, Parent: 5869, MD5: 576a1b135c82bdcbc97a91acea900566) Arguments: fusermount -o rw,nosuid,nodev,subtype=gvfsd-fuse -- /run/user/1000/gvfs
    • gvfsd New Fork (PID: 6032, Parent: 5861)
    • gvfsd-trash (PID: 6032, Parent: 5861, MD5: 7bd262bd2ff379d0da45f8595163824d) Arguments: /usr/libexec/gvfsd-trash --spawner :1.64 /org/gtk/gvfs/exec_spaw/0
  • xfwm4 (PID: 5883, Parent: 2984, MD5: 59defa3c00cc30d85ed77b738d55e9da) Arguments: xfwm4 --display :1.0 --sm-client-id 27575c7dd-2dac-48f0-9f3a-eff67ec043e5
  • xfdesktop (PID: 5899, Parent: 2984, MD5: dfb13e1581f80065dcea16f2476f16f2) Arguments: xfdesktop --display :1.0 --sm-client-id 260d40b3c-9c6a-4cb1-bbe4-3557725aa528
  • xfconfd (PID: 5901, Parent: 5900, MD5: 4c7a0d6d258bb970905b19b84abcd8e9) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd
  • systemd New Fork (PID: 5906, Parent: 1)
  • systemd-user-runtime-dir (PID: 5906, Parent: 1, MD5: d55f4b0847f88131dbcfb07435178e54) Arguments: /lib/systemd/systemd-user-runtime-dir stop 127
  • xfwm4 (PID: 5922, Parent: 2984, MD5: 59defa3c00cc30d85ed77b738d55e9da) Arguments: xfwm4 --display :1.0 --sm-client-id 27575c7dd-2dac-48f0-9f3a-eff67ec043e5
  • tumblerd (PID: 5924, Parent: 5923, MD5: 2ef099898845e9c5ec6f1a6fd3ad61af) Arguments: /usr/lib/x86_64-linux-gnu/tumbler-1/tumblerd
  • systemd New Fork (PID: 5926, Parent: 2935)
  • Thunar (PID: 5926, Parent: 2935, MD5: ca35dca6175038f11f012b29178a4f46) Arguments: /usr/bin/Thunar --daemon
  • systemd New Fork (PID: 5927, Parent: 2935)
  • gvfs-udisks2-volume-monitor (PID: 5927, Parent: 2935, MD5: 4912ae23684d55062ac889dd671a8ab9) Arguments: /usr/libexec/gvfs-udisks2-volume-monitor
  • xfconfd (PID: 5936, Parent: 5935, MD5: 4c7a0d6d258bb970905b19b84abcd8e9) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd
  • xfwm4 (PID: 5966, Parent: 2984, MD5: 59defa3c00cc30d85ed77b738d55e9da) Arguments: xfwm4 --display :1.0 --sm-client-id 27575c7dd-2dac-48f0-9f3a-eff67ec043e5
  • systemd New Fork (PID: 5971, Parent: 2935)
  • gvfs-mtp-volume-monitor (PID: 5971, Parent: 2935, MD5: 4ef31436eba465a14362dfe7e1d42ec3) Arguments: /usr/libexec/gvfs-mtp-volume-monitor
  • systemd New Fork (PID: 5994, Parent: 2935)
  • gvfs-goa-volume-monitor (PID: 5994, Parent: 2935, MD5: 1c9b8b8b466cc3b27212ee9c1052a7b2) Arguments: /usr/libexec/gvfs-goa-volume-monitor
  • goa-daemon (PID: 6001, Parent: 6000, MD5: f442acdfc6465acfae3f9f0e05cf6fd3) Arguments: /usr/libexec/goa-daemon
  • goa-identity-service (PID: 6016, Parent: 6015, MD5: 4e1e45c260caf0e8460ff7494a0e8553) Arguments: /usr/libexec/goa-identity-service
  • systemd New Fork (PID: 6021, Parent: 2935)
  • gvfs-afc-volume-monitor (PID: 6021, Parent: 2935, MD5: 724607394f380f47f39e25dd9e1d4825) Arguments: /usr/libexec/gvfs-afc-volume-monitor
  • systemd New Fork (PID: 6028, Parent: 2935)
  • gvfs-gphoto2-volume-monitor (PID: 6028, Parent: 2935, MD5: 8773afb2a78946b2c81024ed4c928353) Arguments: /usr/libexec/gvfs-gphoto2-volume-monitor
  • systemd New Fork (PID: 6044, Parent: 2935)
  • gvfsd-metadata (PID: 6044, Parent: 2935, MD5: 25b3740bd427cf3225e35be4bb2205aa) Arguments: /usr/libexec/gvfsd-metadata
  • xfconfd (PID: 6060, Parent: 6059, MD5: 4c7a0d6d258bb970905b19b84abcd8e9) Arguments: /usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd
  • systemd New Fork (PID: 6066, Parent: 1)
  • accounts-daemon (PID: 6066, Parent: 1, MD5: 01a899e3fb5e7e434bea1290255a1f30) Arguments: /usr/lib/accountsservice/accounts-daemon
    • language-validate (PID: 6080, Parent: 6066, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: /usr/share/language-tools/language-validate en_US.UTF-8
      • language-options (PID: 6081, Parent: 6080, MD5: 16a21f464119ea7fad1d3660de963637) Arguments: /usr/share/language-tools/language-options
        • sh (PID: 6082, Parent: 6081, MD5: 1e6b1c887c59a315edb7eb9a315fc84c) Arguments: sh -c "locale -a | grep -F .utf8 "
          • sh New Fork (PID: 6083, Parent: 6082)
          • locale (PID: 6083, Parent: 6082, MD5: c72a78792469db86d91369c9057f20d2) Arguments: locale -a
          • sh New Fork (PID: 6084, Parent: 6082)
          • grep (PID: 6084, Parent: 6082, MD5: 1e6ebb9dd094f774478f72727bdba0f5) Arguments: grep -F .utf8
  • cleanup
Malware family references (Name, Description, Attribution, Blogpost URLs, Link):

Name: Mirai
Description: Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai

Name: XMRIG
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/elf.xmrig
Yara matches on the submitted file (Source, Rule, Description, Author, Strings):
hanoi.sh4.elf: JoeSecurity_Okiru (Yara detected Okiru), author: Joe Security
hanoi.sh4.elf: JoeSecurity_Xmrig (Yara detected Xmrig cryptocurrency miner), author: Joe Security
hanoi.sh4.elf: JoeSecurity_Mirai_8 (Yara detected Mirai), author: Joe Security
hanoi.sh4.elf: Linux_Trojan_Gafgyt_28a2fe0c (description: unknown), author: unknown; matched strings:
• 0x12eec: $a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x12f00: $a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x12f14: $a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x12f28: $a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x12f3c: $a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x12f50: $a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x12f64: $a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x12f78: $a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x12f8c: $a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x12fa0: $a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x12fb4: $a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x12fc8: $a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x12fdc: $a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x12ff0: $a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x13004: $a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x13018: $a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x1302c: $a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x13040: $a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x13054: $a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x13068: $a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x1307c: $a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
hanoi.sh4.elf: Linux_Trojan_Gafgyt_ea92cca8 (description: unknown), author: unknown; matched strings:
• 0x13444: $a: 53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64
Yara matches on the dumped memory region (Source, Rule, Description, Author, Strings):
5599.1.00007f5ec4400000.00007f5ec4415000.r-x.sdmp: JoeSecurity_Okiru (Yara detected Okiru), author: Joe Security
5599.1.00007f5ec4400000.00007f5ec4415000.r-x.sdmp: JoeSecurity_Xmrig (Yara detected Xmrig cryptocurrency miner), author: Joe Security
5599.1.00007f5ec4400000.00007f5ec4415000.r-x.sdmp: JoeSecurity_Mirai_8 (Yara detected Mirai), author: Joe Security
5599.1.00007f5ec4400000.00007f5ec4415000.r-x.sdmp: Linux_Trojan_Gafgyt_28a2fe0c (description: unknown), author: unknown; matched strings:
• 0x12eec: $a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x12f00: $a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x12f14: $a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x12f28: $a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x12f3c: $a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x12f50: $a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x12f64: $a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x12f78: $a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x12f8c: $a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x12fa0: $a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x12fb4: $a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x12fc8: $a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x12fdc: $a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x12ff0: $a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x13004: $a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x13018: $a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x1302c: $a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x13040: $a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x13054: $a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x13068: $a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
• 0x1307c: $a: 2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 2F 78 33 38 2F 78 46 4A 2F
5599.1.00007f5ec4400000.00007f5ec4415000.r-x.sdmp: Linux_Trojan_Gafgyt_ea92cca8 (description: unknown), author: unknown; matched strings:
• 0x13444: $a: 53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64
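The two Gafgyt rule hits are easier to judge once the hex is decoded. The Python below is an added illustration, not part of Joe Security's report or of the Yara rules it names. It turns both `$a` byte sequences back into ASCII and reproduces the 21 hits of Linux_Trojan_Gafgyt_28a2fe0c at a 20-byte stride: the rule's 29-byte string is itself one-and-a-half repetitions of a 20-byte token, so it matches once per repetition inside a run of that token. The run is constructed here as 22 copies of the token placed at the first reported offset 0x12eec; the real binary's surrounding bytes are not reproduced, and 22 is simply the smallest repeat count that yields exactly the reported offsets, not a value read from the file.

```python
"""Decode the Yara string hits for the two Linux_Trojan_Gafgyt rules and show
why the $a string of Linux_Trojan_Gafgyt_28a2fe0c fires 21 times at a 20-byte
stride.  Added example for this report; not Joe Security's code.  The byte
region below is constructed from the reported pattern only."""

# Hex byte sequences exactly as listed in the report's Yara match table.
GAFGYT_28A2FE0C_A = (
    "2F 78 33 38 2F 78 46 4A 2F 78 39 33 2F 78 49 44 2F 78 39 41 "
    "2F 78 33 38 2F 78 46 4A 2F"
)
GAFGYT_EA92CCA8_A = (
    "53 65 6C 66 20 52 65 70 20 46 75 63 6B 69 6E 67 20 4E 65 54 69 53 20 61 6E 64"
)

# First hit offset reported for the 28a2fe0c string.
FIRST_HIT = 0x12EEC


def hex_to_bytes(spaced_hex: str) -> bytes:
    """Turn the report's space-separated hex into raw bytes."""
    return bytes.fromhex(spaced_hex.replace(" ", ""))


def find_all(haystack: bytes, needle: bytes, base: int = 0) -> list[int]:
    """Every (possibly overlapping) offset of needle in haystack, as a Yara
    string match reports them, rebased so it can be compared with the
    report's file offsets."""
    hits, pos = [], haystack.find(needle)
    while pos != -1:
        hits.append(base + pos)
        pos = haystack.find(needle, pos + 1)
    return hits


def repeat_period(pattern: bytes) -> int:
    """Smallest p such that pattern[i] == pattern[i+p] for every valid i.
    For the 28a2fe0c string this is 20: the binary carries a run of the
    20-byte junk token '/x38/xFJ/x93/xID/x9A' and the 29-byte Yara string
    slides over it once per repetition."""
    for p in range(1, len(pattern) + 1):
        if all(pattern[i] == pattern[i + p] for i in range(len(pattern) - p)):
            return p
    return len(pattern)


def build_constructed_region(pattern: bytes, repeats: int) -> bytes:
    """Constructed stand-in for the bytes at FIRST_HIT: the repeating unit of
    `pattern` written out `repeats` times (assumption, not file contents)."""
    unit = pattern[: repeat_period(pattern)]
    return unit * repeats


def explain_hits(pattern: bytes, repeats: int = 22) -> dict:
    """Decode the pattern and summarise where it would match in the
    constructed region: hit count, first/last offset and the set of strides."""
    region = build_constructed_region(pattern, repeats)
    hits = find_all(region, pattern, base=FIRST_HIT)
    strides = {b - a for a, b in zip(hits, hits[1:])}
    return {
        "ascii": pattern.decode("ascii"),
        "period": repeat_period(pattern),
        "count": len(hits),
        "first": hits[0],
        "last": hits[-1],
        "strides": strides,
    }


if __name__ == "__main__":
    info = explain_hits(hex_to_bytes(GAFGYT_28A2FE0C_A))
    print(f"28a2fe0c $a = {info['ascii']!r}")
    print(f"  period {info['period']} bytes, {info['count']} hits, "
          f"0x{info['first']:x}..0x{info['last']:x}, strides {info['strides']}")
    print(f"ea92cca8 $a = {hex_to_bytes(GAFGYT_EA92CCA8_A).decode('ascii')!r}")
```

The 21 offsets in the table are therefore one string matched repeatedly across one repeated payload token, not 21 independent indicators; the hit count says nothing about how many distinct Gafgyt features the file contains. The ea92cca8 string decodes to a plain-text self-replication banner, which is a far more specific family marker than the flood-payload filler above it.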
No Suricata rule has matched



AV Detection

Source: hanoi.sh4.elf, Avira: detected
Source: hanoi.sh4.elf, Virustotal: Detection: 62%
Source: hanoi.sh4.elf, ReversingLabs: Detection: 65%

Bitcoin Miner

Source: Yara match, File source: hanoi.sh4.elf, type: SAMPLE
Source: Yara match, File source: 5599.1.00007f5ec4400000.00007f5ec4415000.r-x.sdmp, type: MEMORY
Source: Yara match, File source: 5595.1.00007f5ec4400000.00007f5ec4415000.r-x.sdmp, type: MEMORY
Source: Yara match, File source: 5597.1.00007f5ec4400000.00007f5ec4415000.r-x.sdmp, type: MEMORY
Source: Yara match, File source: 5601.1.00007f5ec4400000.00007f5ec4415000.r-x.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: hanoi.sh4.elf PID: 5595, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: hanoi.sh4.elf PID: 5597, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: hanoi.sh4.elf PID: 5599, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: hanoi.sh4.elf PID: 5601, type: MEMORYSTR
Source: hanoi.sh4.elf, 5595.1.00007f5ec4400000.00007f5ec4415000.r-x.sdmp, String found in binary or memory: cryptonight
Source: /usr/bin/xfwm4 (PID: 5841), Reads CPU info from /sys: /sys/devices/system/cpu/online
Source: hanoi.sh4.elf, String: systemddbuspolkitNetworkManagergettyavahidhclientwpa_supplicant/usr/lib/systemd//sbin/init/usr/sbin//usr/lib/hanoi/proc/%d/net/tcpr %*d: %*x:%x/proc//proc/%s/exe/proc/self/exe/proc/%s/cmdline/proc/proc/%d/exe/proc/%d/cmdlinenetstatwgettftpftpcurlbusybox/bin/busyboxhtopvar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdanko-app/ankosample _8182T_1104var/tmp/soniahicorestm_hi3511_dvr/usr/lib/systemd/systemd/usr/libexec/openssh/sftp-serverusr/shellmnt/sys/bin/boot/media/srv/var/run/sbin/lib/etc/dev/home/Davincitelnetsshwatchdog/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr/bashhttpdtelnetddropbearropbearencodersystem/root/dvr_gui//root/dvr_app//anko-app//opt/systemd-logindsystemd-journaldsystemd-udevddbus-daemonsystemd-resolvedsystemd-timesyncdlogincronrsyslogavahi-daemonsoraboatnetx86_64dbgmipsmpslbot/var/run/malware/var/tmp/./(deleted)mipselarm4arm5arm6arm7sh4m68kx586i586i686ppcspcmiraimuhstikgafgyttsunamikaitenqbotzollardbackdoorrootkitxmrigcryptonightminerdcpuminerbitminerwormpolkitdshcrondfirewalldkthreaddksoftirqd,
Source: global traffic, TCP traffic: 192.168.2.13:49638 -> 103.230.121.85:3778
Source: /usr/libexec/gvfsd-trash (PID: 6032), Socket: unknown address family
Source: unknown, TCP traffic detected without corresponding DNS query: 103.230.121.85 (8 occurrences)
Source: global traffic, DNS traffic detected: DNS query: daisy.ubuntu.com
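The "TCP traffic detected without corresponding DNS query" entries are a generic heuristic: the analysis host opened a TCP connection to 103.230.121.85:3778 while the only DNS query observed was for daisy.ubuntu.com, the Ubuntu error-reporting endpoint that the desktop contacts on its own. The Python below is an added example, not sandbox code, implementing that correlation over a constructed event list. The connect to 103.230.121.85:3778 and the query for daisy.ubuntu.com are taken from the report; the answer IP returned for daisy.ubuntu.com, the follow-up connect to it, the local connect to 192.168.2.1 and all timestamps are constructed placeholders.

```python
"""Flag TCP connections to public IPs that no preceding DNS answer on the same
host accounted for (the heuristic behind this report's network signature).
Added example for this report, not Joe Security tooling."""

from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Event:
    ts: float
    kind: str            # "dns" or "tcp"
    src: str             # host that sent the query / opened the connection
    dst: str             # queried name for dns, remote IP for tcp
    dport: int = 0       # remote port for tcp
    answers: tuple = ()  # IPs carried in the DNS answer (dns only)


def flag_undns_connections(events, ttl_s: float = 300.0):
    """Return TCP connects whose destination IP was not returned by any DNS
    answer seen by the same host within `ttl_s` seconds beforehand.
    Private, loopback and link-local destinations are ignored: a bot talking
    to a hard-coded public IP on a non-standard port is the interesting case,
    and local infrastructure would only add noise."""
    resolved = {}  # (src_host, ip) -> timestamp of last DNS answer carrying it
    suspicious = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "dns":
            for ip in ev.answers:
                resolved[(ev.src, ip)] = ev.ts
        elif ev.kind == "tcp":
            dst = ip_address(ev.dst)
            if dst.is_private or dst.is_loopback or dst.is_link_local:
                continue
            seen = resolved.get((ev.src, ev.dst))
            if seen is None or ev.ts - seen > ttl_s:
                suspicious.append(ev)
    return suspicious


# Constructed timeline (seconds, relative).  The analysis host is 192.168.2.13.
SAMPLE_EVENTS = [
    Event(1.0, "tcp", "192.168.2.13", "103.230.121.85", 3778),   # connect from the report
    Event(2.0, "dns", "192.168.2.13", "daisy.ubuntu.com",
          answers=("45.79.0.10",)),                               # constructed placeholder answer
    Event(2.5, "tcp", "192.168.2.13", "45.79.0.10", 443),         # constructed: resolved first, not flagged
    Event(3.0, "tcp", "192.168.2.13", "192.168.2.1", 53),         # constructed: private, ignored
    Event(9.0, "tcp", "192.168.2.13", "103.230.121.85", 3778),   # reconnect, still no DNS
]

if __name__ == "__main__":
    for ev in flag_undns_connections(SAMPLE_EVENTS):
        print(f"{ev.src} -> {ev.dst}:{ev.dport} at t={ev.ts}: no preceding DNS answer")
```

The same check is a cheap first pass over real proxy or flow logs; its main false positives are CDNs and services reached via IPs cached from before the capture started, which is what the `ttl_s` window is for.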

System Summary

Source: hanoi.sh4.elf, type: SAMPLE, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c, Author: unknown
Source: hanoi.sh4.elf, type: SAMPLE, Matched rule: Linux_Trojan_Gafgyt_ea92cca8, Author: unknown
Source: 5599.1.00007f5ec4400000.00007f5ec4415000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c, Author: unknown
Source: 5599.1.00007f5ec4400000.00007f5ec4415000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_ea92cca8, Author: unknown
Source: 5595.1.00007f5ec4400000.00007f5ec4415000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c, Author: unknown
Source: 5595.1.00007f5ec4400000.00007f5ec4415000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_ea92cca8, Author: unknown
Source: 5597.1.00007f5ec4400000.00007f5ec4415000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c, Author: unknown
Source: 5597.1.00007f5ec4400000.00007f5ec4415000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_ea92cca8, Author: unknown
Source: 5601.1.00007f5ec4400000.00007f5ec4415000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c, Author: unknown
Source: 5601.1.00007f5ec4400000.00007f5ec4415000.r-x.sdmp, type: MEMORY, Matched rule: Linux_Trojan_Gafgyt_ea92cca8, Author: unknown
Source: Process Memory Space: hanoi.sh4.elf PID: 5595, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c, Author: unknown
Source: Process Memory Space: hanoi.sh4.elf PID: 5595, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_ea92cca8, Author: unknown
Source: Process Memory Space: hanoi.sh4.elf PID: 5597, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c, Author: unknown
Source: Process Memory Space: hanoi.sh4.elf PID: 5597, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_ea92cca8, Author: unknown
Source: Process Memory Space: hanoi.sh4.elf PID: 5599, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c, Author: unknown
Source: Process Memory Space: hanoi.sh4.elf PID: 5599, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_ea92cca8, Author: unknown
Source: Process Memory Space: hanoi.sh4.elf PID: 5601, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_28a2fe0c, Author: unknown
Source: Process Memory Space: hanoi.sh4.elf PID: 5601, type: MEMORYSTR, Matched rule: Linux_Trojan_Gafgyt_ea92cca8, Author: unknown
Source: /tmp/hanoi.sh4.elf (PID: 5597), SIGKILL sent: pid: 726, result: successful
Source: /tmp/hanoi.sh4.elf (PID: 5597), SIGKILL sent: pid: 727, result: successful
Source: /tmp/hanoi.sh4.elf (PID: 5597), SIGKILL sent: pid: 792, result: successful
Source: /tmp/hanoi.sh4.elf (PID: 5597), SIGKILL sent: pid: 797, result: successful
Source: /tmp/hanoi.sh4.elf (PID: 5597), SIGKILL sent: pid: 884, result: successful
Source: /tmp/hanoi.sh4.elf (PID: 5597), SIGKILL sent: pid: 1444, result: successful
Source: /tmp/hanoi.sh4.elf (PID: 5597), SIGKILL sent: pid: 1588, result: successful
Source: /tmp/hanoi.sh4.elf (PID: 5597), SIGKILL sent: pid: 1604, result: successful
Source: /tmp/hanoi.sh4.elf (PID: 5597), SIGKILL sent: pid: 1745, result: successful
Source: /tmp/hanoi.sh4.elf (PID: 5597), SIGKILL sent: pid: 1748, result: successful
Source: /tmp/hanoi.sh4.elf (PID: 5597), SIGKILL sent: pid: 1751, result: successful
Source: /tmp/hanoi.sh4.elf (PID: 5597), SIGKILL sent: pid: 1755, result: successful
Source: /tmp/hanoi.sh4.elf (PID: 5597), SIGKILL sent: pid: 1765, result: successful
Source: /tmp/hanoi.sh4.elf (PID: 5597), SIGKILL sent: pid: 1805, result: successful
Source: /tmp/hanoi.sh4.elf (PID: 5597), SIGKILL sent: pid: 1847, result: successful
Source: /tmp/hanoi.sh4.elf (PID: 5597), SIGKILL sent: pid: 1872, result: successful
Source: /tmp/hanoi.sh4.elf (PID: 5597), SIGKILL sent: pid: 1875, result: successful
Source: /tmp/hanoi.sh4.elf (PID: 5597), SIGKILL sent: pid: 1879, result: successful
Source: /tmp/hanoi.sh4.elf (PID: 5597), SIGKILL sent: pid: 1881, result: successful
Source: /tmp/hanoi.sh4.elf (PID: 5597), SIGKILL sent: pid: 1884, result: successful
Source: /tmp/hanoi.sh4.elf (PID: 5597), SIGKILL sent: pid: 1891, result: successful
Source: /tmp/hanoi.sh4.elf (PID: 5597), SIGKILL sent: pid: 1906, result: successful
Source: /tmp/hanoi.sh4.elf (PID: 5597), SIGKILL sent: pid: 1921, result: successful
Source: /tmp/hanoi.sh4.elf (PID: 5597), SIGKILL sent: pid: 1922, result: successful
Source: /tmp/hanoi.sh4.elf (PID: 5597), SIGKILL sent: pid: 1925, result: successful
Source: /tmp/hanoi.sh4.elf (PID: 5597), SIGKILL sent: pid: 1930, result: successful
Source: /tmp/hanoi.sh4.elf (PID: 5597), SIGKILL sent: pid: 1940, result: successful
Source: /tmp/hanoi.sh4.elf (PID: 5597), SIGKILL sent: pid: 1944, result: successful
Source: /tmp/hanoi.sh4.elf (PID: 5597), SIGKILL sent: pid: 1946, result: successful
Source: /tmp/hanoi.sh4.elf (PID: 5597), SIGKILL sent: pid: 1969, result: successful
Source: /tmp/hanoi.sh4.elf (PID: 5597), SIGKILL sent: pid: 1982, result: successful
Source: /tmp/hanoi.sh4.elf (PID: 5597), SIGKILL sent: pid: 2961, result: successful
Source: /tmp/hanoi.sh4.elf (PID: 5597), SIGKILL sent: pid: 2964, result: successful
Source: /tmp/hanoi.sh4.elf (PID: 5597), SIGKILL sent: pid: 2984, result: successful
Source: /tmp/hanoi.sh4.elf (PID: 5597), SIGKILL sent: pid: 3095, result: successful
Source: /tmp/hanoi.sh4.elf (PID: 5597), SIGKILL sent: pid: 3114, result: successful
Source: /tmp/hanoi.sh4.elf (PID: 5597), SIGKILL sent: pid: 3117, result: successful
              Source: /tmp/hanoi.sh4.elf (PID: 5597)SIGKILL sent: pid: 3122, result: successfulJump to behavior
              Source: /tmp/hanoi.sh4.elf (PID: 5597)SIGKILL sent: pid: 3132, result: successfulJump to behavior
              Source: /tmp/hanoi.sh4.elf (PID: 5597)SIGKILL sent: pid: 3134, result: successfulJump to behavior
              Source: /tmp/hanoi.sh4.elf (PID: 5597)SIGKILL sent: pid: 3146, result: successfulJump to behavior
              Source: /tmp/hanoi.sh4.elf (PID: 5597)SIGKILL sent: pid: 3147, result: successfulJump to behavior
              Source: /tmp/hanoi.sh4.elf (PID: 5597)SIGKILL sent: pid: 3153, result: successfulJump to behavior
              Source: /tmp/hanoi.sh4.elf (PID: 5597)SIGKILL sent: pid: 3158, result: successfulJump to behavior
              Source: /tmp/hanoi.sh4.elf (PID: 5597)SIGKILL sent: pid: 3181, result: successfulJump to behavior
              Source: /tmp/hanoi.sh4.elf (PID: 5597)SIGKILL sent: pid: 3183, result: successfulJump to behavior
              Source: /tmp/hanoi.sh4.elf (PID: 5597)SIGKILL sent: pid: 3185, result: successfulJump to behavior
              Source: /tmp/hanoi.sh4.elf (PID: 5597)SIGKILL sent: pid: 3203, result: successfulJump to behavior
              Source: /tmp/hanoi.sh4.elf (PID: 5597)SIGKILL sent: pid: 3208, result: successfulJump to behavior
              Source: /tmp/hanoi.sh4.elf (PID: 5597)SIGKILL sent: pid: 3209, result: successfulJump to behavior
              Source: /tmp/hanoi.sh4.elf (PID: 5597)SIGKILL sent: pid: 3220, result: successfulJump to behavior
              Source: /tmp/hanoi.sh4.elf (PID: 5597)SIGKILL sent: pid: 3225, result: successfulJump to behavior
              Source: /tmp/hanoi.sh4.elf (PID: 5597)SIGKILL sent: pid: 3300, result: successfulJump to behavior
              Source: /tmp/hanoi.sh4.elf (PID: 5597)SIGKILL sent: pid: 3310, result: successfulJump to behavior
              Source: /tmp/hanoi.sh4.elf (PID: 5597)SIGKILL sent: pid: 3327, result: successfulJump to behavior
              Source: /tmp/hanoi.sh4.elf (PID: 5597)SIGKILL sent: pid: 3336, result: successfulJump to behavior
              Source: /tmp/hanoi.sh4.elf (PID: 5597)SIGKILL sent: pid: 3375, result: successfulJump to behavior
              Source: /tmp/hanoi.sh4.elf (PID: 5597)SIGKILL sent: pid: 3413, result: successfulJump to behavior
              Source: /tmp/hanoi.sh4.elf (PID: 5597)SIGKILL sent: pid: 3420, result: successfulJump to behavior
              Source: /tmp/hanoi.sh4.elf (PID: 5597)SIGKILL sent: pid: 3424, result: successfulJump to behavior
              Source: /tmp/hanoi.sh4.elf (PID: 5597)SIGKILL sent: pid: 3429, result: successfulJump to behavior
              Source: /tmp/hanoi.sh4.elf (PID: 5597)SIGKILL sent: pid: 3434, result: successfulJump to behavior
              Source: /tmp/hanoi.sh4.elf (PID: 5597)SIGKILL sent: pid: 3448, result: successfulJump to behavior
              Source: /tmp/hanoi.sh4.elf (PID: 5597)SIGKILL sent: pid: 3640, result: successfulJump to behavior
              Source: /tmp/hanoi.sh4.elf (PID: 5597)SIGKILL sent: pid: 5573, result: successfulJump to behavior
              Source: /tmp/hanoi.sh4.elf (PID: 5597)SIGKILL sent: pid: 5627, result: successfulJump to behavior
              Source: /tmp/hanoi.sh4.elf (PID: 5597)SIGKILL sent: pid: 5630, result: successfulJump to behavior
              Source: /tmp/hanoi.sh4.elf (PID: 5597)SIGKILL sent: pid: 5631, result: successfulJump to behavior
              Source: /tmp/hanoi.sh4.elf (PID: 5597)SIGKILL sent: pid: 5632, result: successfulJump to behavior
              Source: /tmp/hanoi.sh4.elf (PID: 5597)SIGKILL sent: pid: 5633, result: successfulJump to behavior
              Source: /tmp/hanoi.sh4.elf (PID: 5597)SIGKILL sent: pid: 5651, result: successfulJump to behavior
              Source: /tmp/hanoi.sh4.elf (PID: 5597)SIGKILL sent: pid: 5675, result: successfulJump to behavior
              Source: /tmp/hanoi.sh4.elf (PID: 5597)SIGKILL sent: pid: 5686, result: successfulJump to behavior
              Source: /tmp/hanoi.sh4.elf (PID: 5598)SIGKILL sent: pid: 3104, result: successfulJump to behavior
              Source: /tmp/hanoi.sh4.elf (PID: 5598)SIGKILL sent: pid: 3182, result: successfulJump to behavior
              Source: /tmp/hanoi.sh4.elf (PID: 5598)SIGKILL sent: pid: 3212, result: successfulJump to behavior
              Source: /tmp/hanoi.sh4.elf (PID: 5598)SIGKILL sent: pid: 5597, result: successfulJump to behavior
              Source: /tmp/hanoi.sh4.elf (PID: 5598)SIGKILL sent: pid: 5601, result: successfulJump to behavior
              Source: /tmp/hanoi.sh4.elf (PID: 5598)SIGKILL sent: pid: 5843, result: successfulJump to behavior
              Source: /tmp/hanoi.sh4.elf (PID: 5598)SIGKILL sent: pid: 5851, result: successfulJump to behavior
              Source: /tmp/hanoi.sh4.elf (PID: 5598)SIGKILL sent: pid: 5901, result: successfulJump to behavior
              Source: /tmp/hanoi.sh4.elf (PID: 5598)SIGKILL sent: pid: 5924, result: successfulJump to behavior
              Source: /tmp/hanoi.sh4.elf (PID: 5598)SIGKILL sent: pid: 5936, result: successfulJump to behavior
              Source: /tmp/hanoi.sh4.elf (PID: 5598)SIGKILL sent: pid: 5949, result: successfulJump to behavior
              Source: /tmp/hanoi.sh4.elf (PID: 5598)SIGKILL sent: pid: 5950, result: successfulJump to behavior
              Source: /tmp/hanoi.sh4.elf (PID: 5598)SIGKILL sent: pid: 5967, result: successfulJump to behavior
              Source: /tmp/hanoi.sh4.elf (PID: 5598)SIGKILL sent: pid: 5968, result: successfulJump to behavior
              Source: /tmp/hanoi.sh4.elf (PID: 5598)SIGKILL sent: pid: 5970, result: successfulJump to behavior
              Source: /tmp/hanoi.sh4.elf (PID: 5598)SIGKILL sent: pid: 5998, result: successfulJump to behavior
              Source: /tmp/hanoi.sh4.elf (PID: 5598)SIGKILL sent: pid: 6047, result: successfulJump to behavior
              Source: /tmp/hanoi.sh4.elf (PID: 5598)SIGKILL sent: pid: 6049, result: successfulJump to behavior
              Source: /tmp/hanoi.sh4.elf (PID: 5598)SIGKILL sent: pid: 6051, result: successfulJump to behavior
              Source: /tmp/hanoi.sh4.elf (PID: 5598)SIGKILL sent: pid: 6052, result: successfulJump to behavior
              Source: /tmp/hanoi.sh4.elf (PID: 5598)SIGKILL sent: pid: 6053, result: successfulJump to behavior
              Source: /tmp/hanoi.sh4.elf (PID: 5598)SIGKILL sent: pid: 6054, result: successfulJump to behavior
              Source: /tmp/hanoi.sh4.elf (PID: 5598)SIGKILL sent: pid: 6060, result: successfulJump to behavior
              Source: Initial sampleString containing 'busybox' found: busybox
              Source: Initial sampleString containing 'busybox' found: /bin/busybox
              Source: Initial sampleString containing 'busybox' found: systemddbuspolkitNetworkManagergettyavahidhclientwpa_supplicant/usr/lib/systemd//sbin/init/usr/sbin//usr/lib/hanoi/proc/%d/net/tcpr %*d: %*x:%x/proc//proc/%s/exe/proc/self/exe/proc/%s/cmdline/proc/proc/%d/exe/proc/%d/cmdlinenetstatwgettftpftpcurlbusybox/bin/busyboxhtopvar/Challengeapp/hi3511gmDVRiboxusr/dvr_main _8182T_1108mnt/mtd/app/guivar/Kylinl0 c/udevdanko-app/ankosample _8182T_1104var/tmp/soniahicorestm_hi3511_dvr/usr/lib/systemd/systemd/usr/libexec/openssh/sftp-serverusr/shellmnt/sys/bin/boot/media/srv/var/run/sbin/lib/etc/dev/home/Davincitelnetsshwatchdog/var/spool/var/Sofiasshd/usr/compress/bin//compress/bin/compress/usr/bashhttpdtelnetddropbearropbearencodersystem/root/dvr_gui//root/dvr_app//anko-app//opt/systemd-logindsystemd-journaldsystemd-udevddbus-daemonsystemd-resolvedsystemd-timesyncdlogincronrsyslogavahi-daemonsoraboatnetx86_64dbgmipsmpslbot/var/run/malware/var/tmp/./(deleted)mipselarm4arm5arm6arm7sh4m68kx586i586i686ppcspcmiraimuhstikgafgyttsunamikaitenqbotzollardbackdoorrootkitxmrigcryptoni
              Source: ELF static info symbol of initial sample.symtab present: no
              Source: hanoi.sh4.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
              Source: hanoi.sh4.elf, type: SAMPLE Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
              Source: 5599.1.00007f5ec4400000.00007f5ec4415000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
              Source: 5599.1.00007f5ec4400000.00007f5ec4415000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
              Source: 5595.1.00007f5ec4400000.00007f5ec4415000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
              Source: 5595.1.00007f5ec4400000.00007f5ec4415000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
              Source: 5597.1.00007f5ec4400000.00007f5ec4415000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
              Source: 5597.1.00007f5ec4400000.00007f5ec4415000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
              Source: 5601.1.00007f5ec4400000.00007f5ec4415000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
              Source: 5601.1.00007f5ec4400000.00007f5ec4415000.r-x.sdmp, type: MEMORY Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
              Source: Process Memory Space: hanoi.sh4.elf PID: 5595, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
              Source: Process Memory Space: hanoi.sh4.elf PID: 5595, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
              Source: Process Memory Space: hanoi.sh4.elf PID: 5597, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
              Source: Process Memory Space: hanoi.sh4.elf PID: 5597, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
              Source: Process Memory Space: hanoi.sh4.elf PID: 5599, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
              Source: Process Memory Space: hanoi.sh4.elf PID: 5599, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
              Source: Process Memory Space: hanoi.sh4.elf PID: 5601, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_28a2fe0c os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = a2c6beaec18ca876e8487c11bcc7a29279669588aacb7d3027d8d8df8f5bcead, id = 28a2fe0c-eed5-4c79-81e6-3b11b73a4ebd, last_modified = 2021-09-16
              Source: Process Memory Space: hanoi.sh4.elf PID: 5601, type: MEMORYSTR Matched rule: Linux_Trojan_Gafgyt_ea92cca8 os = linux, severity = x86, creation_date = 2021-01-12, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Gafgyt, fingerprint = aa4aee9f3d6bedd8234eaf8778895a0f5d71c42b21f2a428f01f121e85704e8e, id = ea92cca8-bba7-4a1c-9b88-a2d051ad0021, last_modified = 2021-09-16
              Source: classification engine Classification label: mal100.spre.troj.mine.linELF@0/7@2/0

              Persistence and Installation Behavior

              Source: /bin/fusermount (PID: 5648) File: /proc/5648/mounts
              Source: /bin/fusermount (PID: 5870) File: /proc/5870/mounts
              Source: /usr/libexec/gsd-wacom (PID: 5627) Directory: /var/lib/gdm3/.Xdefaults
              Source: /usr/libexec/gsd-wacom (PID: 5627) Directory: /var/lib/gdm3/.Xdefaults-galassia
              Source: /usr/libexec/gsd-color (PID: 5630) Directory: /var/lib/gdm3/.Xdefaults
              Source: /usr/libexec/gsd-color (PID: 5630) Directory: /var/lib/gdm3/.Xdefaults-galassia
              Source: /usr/libexec/gsd-keyboard (PID: 5631) Directory: /var/lib/gdm3/.Xdefaults
              Source: /usr/libexec/gsd-keyboard (PID: 5631) Directory: /var/lib/gdm3/.Xdefaults-galassia
              Source: /usr/libexec/gsd-rfkill (PID: 5633) Directory: <invalid fd (9)>/..
              Source: /usr/libexec/gsd-rfkill (PID: 5633) Directory: <invalid fd (8)>/..
              Source: /usr/libexec/gsd-media-keys (PID: 5636) Directory: /var/lib/gdm3/.Xdefaults
              Source: /usr/libexec/gsd-media-keys (PID: 5636) Directory: /var/lib/gdm3/.Xdefaults-galassia
              Source: /usr/libexec/gsd-power (PID: 5645) Directory: /var/lib/gdm3/.Xdefaults
              Source: /usr/libexec/gsd-power (PID: 5645) Directory: /var/lib/gdm3/.Xdefaults-galassia
              Source: /lib/systemd/systemd-hostnamed (PID: 5688) Directory: <invalid fd (10)>/..
              Source: /usr/bin/xfwm4 (PID: 5841) Directory: /home/saturnino/.Xdefaults-galassia
              Source: /usr/bin/xfwm4 (PID: 5841) Directory: /usr/share/fonts/.uuid
              Source: /usr/bin/xfwm4 (PID: 5841) Directory: /usr/local/share/fonts/.uuid
              Source: /usr/bin/xfwm4 (PID: 5841) Directory: /home/saturnino/.local/share/fonts/.uuid
              Source: /usr/bin/xfwm4 (PID: 5841) Directory: /home/saturnino/.fonts/.uuid
              Source: /usr/bin/xfwm4 (PID: 5841) Directory: /usr/share/fonts/X11/.uuid
              Source: /usr/bin/xfwm4 (PID: 5841) Directory: /usr/share/fonts/cMap/.uuid
              Source: /usr/bin/xfwm4 (PID: 5841) Directory: /usr/share/fonts/cmap/.uuid
              Source: /usr/bin/xfwm4 (PID: 5841) Directory: /usr/share/fonts/opentype/.uuid
              Source: /usr/bin/xfwm4 (PID: 5841) Directory: /usr/share/fonts/truetype/.uuid
              Source: /usr/bin/xfwm4 (PID: 5841) Directory: /usr/share/fonts/type1/.uuid
              Source: /usr/bin/xfwm4 (PID: 5841) Directory: /usr/share/fonts/X11/Type1/.uuid
              Source: /usr/bin/xfwm4 (PID: 5841) Directory: /usr/share/fonts/X11/encodings/.uuid
              Source: /usr/bin/xfwm4 (PID: 5841) Directory: /usr/share/fonts/X11/misc/.uuid
              Source: /usr/bin/xfwm4 (PID: 5841) Directory: /usr/share/fonts/X11/util/.uuid
              Source: /usr/bin/xfwm4 (PID: 5841) Directory: /usr/share/fonts/cmap/adobe-cns1/.uuid
              Source: /usr/bin/xfwm4 (PID: 5841) Directory: /usr/share/fonts/cmap/adobe-gb1/.uuid
              Source: /usr/bin/xfwm4 (PID: 5841) Directory: /usr/share/fonts/cmap/adobe-japan1/.uuid
              Source: /usr/bin/xfwm4 (PID: 5841) Directory: /usr/share/fonts/cmap/adobe-japan2/.uuid
              Source: /usr/bin/xfwm4 (PID: 5841) Directory: /usr/share/fonts/cmap/adobe-korea1/.uuid
              Source: /usr/bin/xfwm4 (PID: 5841) Directory: /usr/share/fonts/opentype/malayalam/.uuid
              Source: /usr/bin/xfwm4 (PID: 5841) Directory: /usr/share/fonts/opentype/mathjax/.uuid
              Source: /usr/bin/xfwm4 (PID: 5841) Directory: /usr/share/fonts/opentype/noto/.uuid
              Source: /usr/bin/xfwm4 (PID: 5841) Directory: /usr/share/fonts/opentype/urw-base35/.uuid
              Source: /usr/bin/xfwm4 (PID: 5841) Directory: /usr/share/fonts/truetype/Gargi/.uuid
              Source: /usr/bin/xfwm4 (PID: 5841) Directory: /usr/share/fonts/truetype/Gubbi/.uuid
              Source: /usr/bin/xfwm4 (PID: 5841) Directory: /usr/share/fonts/truetype/Nakula/.uuid
              Source: /usr/bin/xfwm4 (PID: 5841) Directory: /usr/share/fonts/truetype/Navilu/.uuid
              Source: /usr/bin/xfwm4 (PID: 5841) Directory: /usr/share/fonts/truetype/Sahadeva/.uuid
              Source: /usr/bin/xfwm4 (PID: 5841) Directory: /usr/share/fonts/truetype/Sarai/.uuid
              Source: /usr/bin/xfwm4 (PID: 5841) Directory: /usr/share/fonts/truetype/abyssinica/.uuid
              Source: /usr/bin/xfwm4 (PID: 5841) Directory: /usr/share/fonts/truetype/ancient-scripts/.uuid
              Source: /usr/bin/xfwm4 (PID: 5841) Directory: /usr/share/fonts/truetype/dejavu/.uuid
              Source: /usr/bin/xfwm4 (PID: 5841) Directory: /usr/share/fonts/truetype/droid/.uuid
              Source: /usr/bin/xfwm4 (PID: 5841) Directory: /usr/share/fonts/truetype/fonts-beng-extra/.uuid
              Source: /usr/bin/xfwm4 (PID: 5841) Directory: /usr/share/fonts/truetype/fonts-deva-extra/.uuid
              Source: /usr/bin/xfwm4 (PID: 5841)Directory: /usr/share/fonts/truetype/fonts-gujr-extra/.uuidJump to behavior
              Source: /usr/bin/xfwm4 (PID: 5841)Directory: /usr/share/fonts/truetype/fonts-guru-extra/.uuidJump to behavior
              Source: /usr/bin/xfwm4 (PID: 5841)Directory: /usr/share/fonts/truetype/fonts-kalapi/.uuidJump to behavior
              Source: /usr/bin/xfwm4 (PID: 5841)Directory: /usr/share/fonts/truetype/fonts-orya-extra/.uuidJump to behavior
              Source: /usr/bin/xfwm4 (PID: 5841)Directory: /usr/share/fonts/truetype/fonts-telu-extra/.uuidJump to behavior
              Source: /usr/bin/xfwm4 (PID: 5841)Directory: /usr/share/fonts/truetype/fonts-yrsa-rasa/.uuidJump to behavior
              Source: /usr/bin/xfwm4 (PID: 5841)Directory: /usr/share/fonts/truetype/freefont/.uuidJump to behavior
              Source: /usr/bin/xfwm4 (PID: 5841)Directory: /usr/share/fonts/truetype/kacst/.uuidJump to behavior
              Source: /usr/bin/xfwm4 (PID: 5841)Directory: /usr/share/fonts/truetype/kacst-one/.uuidJump to behavior
              Source: /usr/bin/xfwm4 (PID: 5841)Directory: /usr/share/fonts/truetype/lao/.uuidJump to behavior
              Source: /usr/bin/xfwm4 (PID: 5841)Directory: /usr/share/fonts/truetype/lato/.uuidJump to behavior
              Source: /usr/bin/xfwm4 (PID: 5841)Directory: /usr/share/fonts/truetype/liberation/.uuidJump to behavior
              Source: /usr/bin/xfwm4 (PID: 5841)Directory: /usr/share/fonts/truetype/liberation2/.uuidJump to behavior
              Source: /usr/bin/xfwm4 (PID: 5841)Directory: /usr/share/fonts/truetype/lohit-assamese/.uuidJump to behavior
              Source: /usr/bin/xfwm4 (PID: 5841)Directory: /usr/share/fonts/truetype/lohit-bengali/.uuidJump to behavior
              Source: /usr/bin/xfwm4 (PID: 5841)Directory: /usr/share/fonts/truetype/lohit-devanagari/.uuidJump to behavior
              Source: /usr/bin/xfwm4 (PID: 5841)Directory: /usr/share/fonts/truetype/lohit-gujarati/.uuidJump to behavior
              Source: /usr/bin/xfwm4 (PID: 5841)Directory: /usr/share/fonts/truetype/lohit-kannada/.uuidJump to behavior
              Source: /usr/bin/xfwm4 (PID: 5841)Directory: /usr/share/fonts/truetype/lohit-malayalam/.uuidJump to behavior
              Source: /usr/bin/xfwm4 (PID: 5841)Directory: /usr/share/fonts/truetype/lohit-oriya/.uuidJump to behavior
              Source: /usr/bin/xfwm4 (PID: 5841)Directory: /usr/share/fonts/truetype/lohit-punjabi/.uuidJump to behavior
              Source: /usr/bin/xfwm4 (PID: 5841)Directory: /usr/share/fonts/truetype/lohit-tamil/.uuidJump to behavior
              Source: /usr/bin/xfwm4 (PID: 5841)Directory: /usr/share/fonts/truetype/lohit-tamil-classical/.uuidJump to behavior
              Source: /usr/bin/xfwm4 (PID: 5841)Directory: /usr/share/fonts/truetype/lohit-telugu/.uuidJump to behavior
              Source: /usr/bin/xfwm4 (PID: 5841)Directory: /usr/share/fonts/truetype/malayalam/.uuidJump to behavior
              Source: /usr/bin/xfwm4 (PID: 5841)Directory: /usr/share/fonts/truetype/noto/.uuidJump to behavior
              Source: /usr/bin/xfwm4 (PID: 5841)Directory: /usr/share/fonts/truetype/openoffice/.uuidJump to behavior
              Source: /usr/bin/xfwm4 (PID: 5841)Directory: /usr/share/fonts/truetype/padauk/.uuidJump to behavior
              Source: /usr/bin/xfwm4 (PID: 5841)Directory: /usr/share/fonts/truetype/pagul/.uuidJump to behavior
              Source: /usr/bin/xfwm4 (PID: 5841)Directory: /usr/share/fonts/truetype/samyak/.uuidJump to behavior
              Source: /usr/bin/xfwm4 (PID: 5841)Directory: /usr/share/fonts/truetype/samyak-fonts/.uuidJump to behavior
              Source: /usr/bin/xfwm4 (PID: 5841)Directory: /usr/share/fonts/truetype/sinhala/.uuidJump to behavior
              Source: /usr/bin/xfwm4 (PID: 5841)Directory: /usr/share/fonts/truetype/tibetan-machine/.uuidJump to behavior
              Source: /usr/bin/xfwm4 (PID: 5841)Directory: /usr/share/fonts/truetype/tlwg/.uuidJump to behavior
              Source: /usr/bin/xfwm4 (PID: 5841)Directory: /usr/share/fonts/truetype/ttf-khmeros-core/.uuidJump to behavior
              Source: /usr/bin/xfwm4 (PID: 5841)Directory: /usr/share/fonts/truetype/ubuntu/.uuidJump to behavior
              Source: /usr/bin/xfwm4 (PID: 5841)Directory: /usr/share/fonts/type1/urw-base35/.uuidJump to behavior
              Source: /usr/bin/xfwm4 (PID: 5841)Directory: /usr/share/fonts/X11/encodings/large/.uuidJump to behavior
              Source: /usr/bin/xfwm4 (PID: 5841)Directory: /home/saturnino/.drircJump to behavior
              Source: /usr/bin/xfwm4 (PID: 5841)Directory: /home/saturnino/.cacheJump to behavior
              Source: /usr/bin/xfwm4 (PID: 5841)Directory: /home/saturnino/.localJump to behavior
              Source: /usr/bin/xfwm4 (PID: 5841)Directory: /home/saturnino/.configJump to behavior
              Source: /usr/bin/xfwm4 (PID: 5841)Directory: /home/saturnino/.cacheJump to behavior
              Source: /usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd (PID: 5843)Directory: /home/saturnino/.cacheJump to behavior
              Source: /usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd (PID: 5843)Directory: /home/saturnino/.localJump to behavior
              Source: /usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd (PID: 5843)Directory: /home/saturnino/.configJump to behavior
              Source: /usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd (PID: 5843)Directory: /home/saturnino/.configJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /home/saturnino/.Xdefaults-galassiaJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /usr/share/fonts/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /usr/local/share/fonts/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /home/saturnino/.local/share/fonts/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /home/saturnino/.fonts/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /usr/share/fonts/X11/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /usr/share/fonts/cMap/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /usr/share/fonts/cmap/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /usr/share/fonts/opentype/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /usr/share/fonts/truetype/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /usr/share/fonts/type1/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /usr/share/fonts/X11/Type1/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /usr/share/fonts/X11/encodings/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /usr/share/fonts/X11/misc/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /usr/share/fonts/X11/util/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /usr/share/fonts/cmap/adobe-cns1/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /usr/share/fonts/cmap/adobe-gb1/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /usr/share/fonts/cmap/adobe-japan1/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /usr/share/fonts/cmap/adobe-japan2/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /usr/share/fonts/cmap/adobe-korea1/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /usr/share/fonts/opentype/malayalam/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /usr/share/fonts/opentype/mathjax/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /usr/share/fonts/opentype/noto/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /usr/share/fonts/opentype/urw-base35/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /usr/share/fonts/truetype/Gargi/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /usr/share/fonts/truetype/Gubbi/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /usr/share/fonts/truetype/Nakula/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /usr/share/fonts/truetype/Navilu/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /usr/share/fonts/truetype/Sahadeva/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /usr/share/fonts/truetype/Sarai/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /usr/share/fonts/truetype/abyssinica/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /usr/share/fonts/truetype/ancient-scripts/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /usr/share/fonts/truetype/dejavu/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /usr/share/fonts/truetype/droid/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /usr/share/fonts/truetype/fonts-beng-extra/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /usr/share/fonts/truetype/fonts-deva-extra/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /usr/share/fonts/truetype/fonts-gujr-extra/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /usr/share/fonts/truetype/fonts-guru-extra/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /usr/share/fonts/truetype/fonts-kalapi/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /usr/share/fonts/truetype/fonts-orya-extra/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /usr/share/fonts/truetype/fonts-telu-extra/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /usr/share/fonts/truetype/fonts-yrsa-rasa/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /usr/share/fonts/truetype/freefont/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /usr/share/fonts/truetype/kacst/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /usr/share/fonts/truetype/kacst-one/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /usr/share/fonts/truetype/lao/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /usr/share/fonts/truetype/lato/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /usr/share/fonts/truetype/liberation/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /usr/share/fonts/truetype/liberation2/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /usr/share/fonts/truetype/lohit-assamese/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /usr/share/fonts/truetype/lohit-bengali/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /usr/share/fonts/truetype/lohit-devanagari/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /usr/share/fonts/truetype/lohit-gujarati/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /usr/share/fonts/truetype/lohit-kannada/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /usr/share/fonts/truetype/lohit-malayalam/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /usr/share/fonts/truetype/lohit-oriya/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /usr/share/fonts/truetype/lohit-punjabi/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /usr/share/fonts/truetype/lohit-tamil/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /usr/share/fonts/truetype/lohit-tamil-classical/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /usr/share/fonts/truetype/lohit-telugu/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /usr/share/fonts/truetype/malayalam/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /usr/share/fonts/truetype/noto/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /usr/share/fonts/truetype/openoffice/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /usr/share/fonts/truetype/padauk/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /usr/share/fonts/truetype/pagul/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /usr/share/fonts/truetype/samyak/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /usr/share/fonts/truetype/samyak-fonts/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /usr/share/fonts/truetype/sinhala/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /usr/share/fonts/truetype/tibetan-machine/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /usr/share/fonts/truetype/tlwg/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /usr/share/fonts/truetype/ttf-khmeros-core/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /usr/share/fonts/truetype/ubuntu/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /usr/share/fonts/type1/urw-base35/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /usr/share/fonts/X11/encodings/large/.uuidJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /home/saturnino/.cacheJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /home/saturnino/.localJump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Directory: /home/saturnino/.configJump to behavior
              Source: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 (PID: 5949)Directory: /home/saturnino/.Xdefaults-galassiaJump to behavior
              Source: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 (PID: 5950)Directory: /home/saturnino/.Xdefaults-galassiaJump to behavior
              Source: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 (PID: 5967)Directory: /home/saturnino/.Xdefaults-galassiaJump to behavior
              Source: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 (PID: 5968)Directory: /home/saturnino/.Xdefaults-galassiaJump to behavior
              Source: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 (PID: 5970)Directory: /home/saturnino/.Xdefaults-galassiaJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /home/saturnino/.Xdefaults-galassiaJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /home/saturnino/.hiddenJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /.hiddenJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /home/.hiddenJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /usr/share/fonts/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /usr/local/share/fonts/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /home/saturnino/.local/share/fonts/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /home/saturnino/.fonts/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /usr/share/fonts/X11/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /usr/share/fonts/cMap/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /usr/share/fonts/cmap/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /usr/share/fonts/opentype/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /usr/share/fonts/truetype/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /usr/share/fonts/type1/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /usr/share/fonts/X11/Type1/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /usr/share/fonts/X11/encodings/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /usr/share/fonts/X11/misc/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /usr/share/fonts/X11/util/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /usr/share/fonts/cmap/adobe-cns1/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /usr/share/fonts/cmap/adobe-gb1/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /usr/share/fonts/cmap/adobe-japan1/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /usr/share/fonts/cmap/adobe-japan2/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /usr/share/fonts/cmap/adobe-korea1/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /usr/share/fonts/opentype/malayalam/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /usr/share/fonts/opentype/mathjax/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /usr/share/fonts/opentype/noto/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /usr/share/fonts/opentype/urw-base35/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /usr/share/fonts/truetype/Gargi/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /usr/share/fonts/truetype/Gubbi/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /usr/share/fonts/truetype/Nakula/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /usr/share/fonts/truetype/Navilu/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /usr/share/fonts/truetype/Sahadeva/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /usr/share/fonts/truetype/Sarai/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /usr/share/fonts/truetype/abyssinica/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /usr/share/fonts/truetype/ancient-scripts/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /usr/share/fonts/truetype/dejavu/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /usr/share/fonts/truetype/droid/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /usr/share/fonts/truetype/fonts-beng-extra/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /usr/share/fonts/truetype/fonts-deva-extra/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /usr/share/fonts/truetype/fonts-gujr-extra/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /usr/share/fonts/truetype/fonts-guru-extra/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /usr/share/fonts/truetype/fonts-kalapi/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /usr/share/fonts/truetype/fonts-orya-extra/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /usr/share/fonts/truetype/fonts-telu-extra/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /usr/share/fonts/truetype/fonts-yrsa-rasa/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /usr/share/fonts/truetype/freefont/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /usr/share/fonts/truetype/kacst/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /usr/share/fonts/truetype/kacst-one/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /usr/share/fonts/truetype/lao/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /usr/share/fonts/truetype/lato/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /usr/share/fonts/truetype/liberation/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /usr/share/fonts/truetype/liberation2/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /usr/share/fonts/truetype/lohit-assamese/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /usr/share/fonts/truetype/lohit-bengali/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /usr/share/fonts/truetype/lohit-devanagari/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /usr/share/fonts/truetype/lohit-gujarati/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /usr/share/fonts/truetype/lohit-kannada/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /usr/share/fonts/truetype/lohit-malayalam/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /usr/share/fonts/truetype/lohit-oriya/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /usr/share/fonts/truetype/lohit-punjabi/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /usr/share/fonts/truetype/lohit-tamil/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /usr/share/fonts/truetype/lohit-tamil-classical/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /usr/share/fonts/truetype/lohit-telugu/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /usr/share/fonts/truetype/malayalam/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /usr/share/fonts/truetype/noto/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /usr/share/fonts/truetype/openoffice/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /usr/share/fonts/truetype/padauk/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /usr/share/fonts/truetype/pagul/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /usr/share/fonts/truetype/samyak/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /usr/share/fonts/truetype/samyak-fonts/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /usr/share/fonts/truetype/sinhala/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /usr/share/fonts/truetype/tibetan-machine/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /usr/share/fonts/truetype/tlwg/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /usr/share/fonts/truetype/ttf-khmeros-core/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /usr/share/fonts/truetype/ubuntu/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /usr/share/fonts/type1/urw-base35/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /usr/share/fonts/X11/encodings/large/.uuidJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /home/saturnino/.cacheJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /home/saturnino/.localJump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Directory: /home/saturnino/.configJump to behavior
              Source: /usr/lib/x86_64-linux-gnu/xfce4/notifyd/xfce4-notifyd (PID: 5851)Directory: /home/saturnino/.Xdefaults-galassiaJump to behavior
              Source: /usr/lib/x86_64-linux-gnu/xfce4/notifyd/xfce4-notifyd (PID: 5851)Directory: /home/saturnino/.cacheJump to behavior
              Source: /usr/lib/x86_64-linux-gnu/xfce4/notifyd/xfce4-notifyd (PID: 5851)Directory: /home/saturnino/.localJump to behavior
              Source: /usr/lib/x86_64-linux-gnu/xfce4/notifyd/xfce4-notifyd (PID: 5851)Directory: /home/saturnino/.configJump to behavior
              Source: /bin/fusermount (PID: 5870)Directory: /gvfs/.Jump to behavior
              Source: /usr/bin/xfwm4 (PID: 5883)Directory: /home/saturnino/.Xdefaults-galassiaJump to behavior
              Source: /usr/bin/xfwm4 (PID: 5883)Directory: /usr/share/fonts/.uuidJump to behavior
              Source: /usr/bin/xfwm4 (PID: 5883)Directory: /usr/local/share/fonts/.uuidJump to behavior
              Source: /usr/bin/xfwm4 (PID: 5883)Directory: /home/saturnino/.local/share/fonts/.uuidJump to behavior
              Source: /usr/bin/xfwm4 (PID: 5883)Directory: /home/saturnino/.fonts/.uuidJump to behavior
              Source: /usr/bin/xfwm4 (PID: 5883)Directory: /usr/share/fonts/X11/.uuidJump to behavior
              Source: /usr/bin/xfwm4 (PID: 5883)Directory: /usr/share/fonts/cMap/.uuidJump to behavior
              Source: /usr/bin/xfwm4 (PID: 5883)Directory: /usr/share/fonts/cmap/.uuidJump to behavior
              Source: /usr/bin/xfwm4 (PID: 5883)Directory: /usr/share/fonts/opentype/.uuidJump to behavior
              Source: /usr/bin/xfwm4 (PID: 5883)Directory: /usr/share/fonts/truetype/.uuidJump to behavior
              Source: /usr/bin/xfwm4 (PID: 5883)Directory: /usr/share/fonts/type1/.uuidJump to behavior
              Source: /usr/bin/xfwm4 (PID: 5883)Directory: /usr/share/fonts/X11/Type1/.uuidJump to behavior
              Source: /usr/bin/xfwm4 (PID: 5883)Directory: /usr/share/fonts/X11/encodings/.uuidJump to behavior
              Source: /usr/bin/xfwm4 (PID: 5883)Directory: /usr/share/fonts/X11/misc/.uuidJump to behavior
              Source: /usr/bin/xfwm4 (PID: 5883)Directory: /usr/share/fonts/X11/util/.uuidJump to behavior
              Source: /usr/bin/xfwm4 (PID: 5883)Directory: /usr/share/fonts/cmap/adobe-cns1/.uuidJump to behavior
              Source: /usr/bin/xfwm4 (PID: 5883)Directory: /usr/share/fonts/cmap/adobe-gb1/.uuidJump to behavior
              Source: /usr/bin/xfwm4 (PID: 5883)Directory: /usr/share/fonts/cmap/adobe-japan1/.uuidJump to behavior
              Source: /usr/bin/xfwm4 (PID: 5883)Directory: /usr/share/fonts/cmap/adobe-japan2/.uuidJump to behavior
              Source: /usr/bin/xfwm4 (PID: 5883)Directory: /usr/share/fonts/cmap/adobe-korea1/.uuidJump to behavior
              Source: /usr/bin/xfwm4 (PID: 5883)  Directory: /usr/share/fonts/opentype/malayalam/.uuid
              Source: /usr/bin/xfwm4 (PID: 5883)  Directory: /usr/share/fonts/opentype/mathjax/.uuid
              Source: /usr/bin/xfwm4 (PID: 5883)  Directory: /usr/share/fonts/opentype/noto/.uuid
              Source: /usr/bin/xfwm4 (PID: 5883)  Directory: /usr/share/fonts/opentype/urw-base35/.uuid
              Source: /usr/bin/xfwm4 (PID: 5883)  Directory: /usr/share/fonts/truetype/Gargi/.uuid
              Source: /usr/bin/xfwm4 (PID: 5883)  Directory: /usr/share/fonts/truetype/Gubbi/.uuid
              Source: /usr/bin/xfwm4 (PID: 5883)  Directory: /usr/share/fonts/truetype/Nakula/.uuid
              Source: /usr/bin/xfwm4 (PID: 5883)  Directory: /usr/share/fonts/truetype/Navilu/.uuid
              Source: /usr/bin/xfwm4 (PID: 5883)  Directory: /usr/share/fonts/truetype/Sahadeva/.uuid
              Source: /usr/bin/xfwm4 (PID: 5883)  Directory: /usr/share/fonts/truetype/Sarai/.uuid
              Source: /usr/bin/xfwm4 (PID: 5883)  Directory: /usr/share/fonts/truetype/abyssinica/.uuid
              Source: /usr/bin/xfwm4 (PID: 5883)  Directory: /usr/share/fonts/truetype/ancient-scripts/.uuid
              Source: /usr/bin/xfwm4 (PID: 5883)  Directory: /usr/share/fonts/truetype/dejavu/.uuid
              Source: /usr/bin/xfwm4 (PID: 5883)  Directory: /usr/share/fonts/truetype/droid/.uuid
              Source: /usr/bin/xfwm4 (PID: 5883)  Directory: /usr/share/fonts/truetype/fonts-beng-extra/.uuid
              Source: /usr/bin/xfwm4 (PID: 5883)  Directory: /usr/share/fonts/truetype/fonts-deva-extra/.uuid
              Source: /usr/bin/xfwm4 (PID: 5883)  Directory: /usr/share/fonts/truetype/fonts-gujr-extra/.uuid
              Source: /usr/bin/xfwm4 (PID: 5883)  Directory: /usr/share/fonts/truetype/fonts-guru-extra/.uuid
              Source: /usr/bin/xfwm4 (PID: 5883)  Directory: /usr/share/fonts/truetype/fonts-kalapi/.uuid
              Source: /usr/bin/xfwm4 (PID: 5883)  Directory: /usr/share/fonts/truetype/fonts-orya-extra/.uuid
              Source: /usr/bin/xfwm4 (PID: 5883)  Directory: /usr/share/fonts/truetype/fonts-telu-extra/.uuid
              Source: /usr/bin/xfwm4 (PID: 5883)  Directory: /usr/share/fonts/truetype/fonts-yrsa-rasa/.uuid
              Source: /usr/bin/xfwm4 (PID: 5883)  Directory: /usr/share/fonts/truetype/freefont/.uuid
              Source: /usr/bin/xfwm4 (PID: 5883)  Directory: /usr/share/fonts/truetype/kacst/.uuid
              Source: /usr/bin/xfwm4 (PID: 5883)  Directory: /usr/share/fonts/truetype/kacst-one/.uuid
              Source: /usr/bin/xfwm4 (PID: 5883)  Directory: /usr/share/fonts/truetype/lao/.uuid
              Source: /usr/bin/xfwm4 (PID: 5883)  Directory: /usr/share/fonts/truetype/lato/.uuid
              Source: /usr/bin/xfwm4 (PID: 5883)  Directory: /usr/share/fonts/truetype/liberation/.uuid
              Source: /usr/bin/xfwm4 (PID: 5883)  Directory: /usr/share/fonts/truetype/liberation2/.uuid
              Source: /usr/bin/xfwm4 (PID: 5883)  Directory: /usr/share/fonts/truetype/lohit-assamese/.uuid
              Source: /usr/bin/xfwm4 (PID: 5883)  Directory: /usr/share/fonts/truetype/lohit-bengali/.uuid
              Source: /usr/bin/xfwm4 (PID: 5883)  Directory: /usr/share/fonts/truetype/lohit-devanagari/.uuid
              Source: /usr/bin/xfwm4 (PID: 5883)  Directory: /usr/share/fonts/truetype/lohit-gujarati/.uuid
              Source: /usr/bin/xfwm4 (PID: 5883)  Directory: /usr/share/fonts/truetype/lohit-kannada/.uuid
              Source: /usr/bin/xfwm4 (PID: 5883)  Directory: /usr/share/fonts/truetype/lohit-malayalam/.uuid
              Source: /usr/bin/xfwm4 (PID: 5883)  Directory: /usr/share/fonts/truetype/lohit-oriya/.uuid
              Source: /usr/bin/xfwm4 (PID: 5883)  Directory: /usr/share/fonts/truetype/lohit-punjabi/.uuid
              Source: /usr/bin/xfwm4 (PID: 5883)  Directory: /usr/share/fonts/truetype/lohit-tamil/.uuid
              Source: /usr/bin/xfwm4 (PID: 5883)  Directory: /usr/share/fonts/truetype/lohit-tamil-classical/.uuid
              Source: /usr/bin/xfwm4 (PID: 5883)  Directory: /usr/share/fonts/truetype/lohit-telugu/.uuid
              Source: /usr/bin/xfwm4 (PID: 5883)  Directory: /usr/share/fonts/truetype/malayalam/.uuid
              Source: /usr/bin/xfwm4 (PID: 5883)  Directory: /usr/share/fonts/truetype/noto/.uuid
              Source: /usr/bin/xfwm4 (PID: 5883)  Directory: /usr/share/fonts/truetype/openoffice/.uuid
              Source: /usr/bin/xfwm4 (PID: 5883)  Directory: /usr/share/fonts/truetype/padauk/.uuid
              Source: /usr/bin/xfwm4 (PID: 5883)  Directory: /usr/share/fonts/truetype/pagul/.uuid
              Source: /usr/bin/xfwm4 (PID: 5883)  Directory: /usr/share/fonts/truetype/samyak/.uuid
              Source: /usr/bin/xfwm4 (PID: 5883)  Directory: /usr/share/fonts/truetype/samyak-fonts/.uuid
              Source: /usr/bin/xfwm4 (PID: 5883)  Directory: /usr/share/fonts/truetype/sinhala/.uuid
              Source: /usr/bin/xfwm4 (PID: 5883)  Directory: /usr/share/fonts/truetype/tibetan-machine/.uuid
              Source: /usr/bin/xfwm4 (PID: 5883)  Directory: /usr/share/fonts/truetype/tlwg/.uuid
              Source: /usr/bin/xfwm4 (PID: 5883)  Directory: /usr/share/fonts/truetype/ttf-khmeros-core/.uuid
              Source: /usr/bin/xfwm4 (PID: 5883)  Directory: /usr/share/fonts/truetype/ubuntu/.uuid
              Source: /usr/bin/xfwm4 (PID: 5883)  Directory: /usr/share/fonts/type1/urw-base35/.uuid
              Source: /usr/bin/xfwm4 (PID: 5883)  Directory: /usr/share/fonts/X11/encodings/large/.uuid
              Source: /usr/bin/xfwm4 (PID: 5883)  Directory: /home/saturnino/.cache
              Source: /usr/bin/xfwm4 (PID: 5883)  Directory: /home/saturnino/.local
              Source: /usr/bin/xfwm4 (PID: 5883)  Directory: /home/saturnino/.config
              Source: /usr/bin/xfdesktop (PID: 5899)  Directory: /home/saturnino/.Xdefaults-galassia
              Source: /usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd (PID: 5901)  Directory: /home/saturnino/.cache
              Source: /usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd (PID: 5901)  Directory: /home/saturnino/.local
              Source: /usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd (PID: 5901)  Directory: /home/saturnino/.config
              Source: /usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd (PID: 5901)  Directory: /home/saturnino/.config
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /home/saturnino/.Xdefaults-galassia
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /usr/share/fonts/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /usr/local/share/fonts/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /home/saturnino/.local/share/fonts/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /home/saturnino/.fonts/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /usr/share/fonts/X11/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /usr/share/fonts/cMap/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /usr/share/fonts/cmap/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /usr/share/fonts/opentype/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /usr/share/fonts/truetype/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /usr/share/fonts/type1/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /usr/share/fonts/X11/Type1/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /usr/share/fonts/X11/encodings/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /usr/share/fonts/X11/misc/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /usr/share/fonts/X11/util/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /usr/share/fonts/cmap/adobe-cns1/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /usr/share/fonts/cmap/adobe-gb1/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /usr/share/fonts/cmap/adobe-japan1/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /usr/share/fonts/cmap/adobe-japan2/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /usr/share/fonts/cmap/adobe-korea1/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /usr/share/fonts/opentype/malayalam/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /usr/share/fonts/opentype/mathjax/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /usr/share/fonts/opentype/noto/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /usr/share/fonts/opentype/urw-base35/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /usr/share/fonts/truetype/Gargi/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /usr/share/fonts/truetype/Gubbi/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /usr/share/fonts/truetype/Nakula/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /usr/share/fonts/truetype/Navilu/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /usr/share/fonts/truetype/Sahadeva/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /usr/share/fonts/truetype/Sarai/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /usr/share/fonts/truetype/abyssinica/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /usr/share/fonts/truetype/ancient-scripts/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /usr/share/fonts/truetype/dejavu/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /usr/share/fonts/truetype/droid/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /usr/share/fonts/truetype/fonts-beng-extra/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /usr/share/fonts/truetype/fonts-deva-extra/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /usr/share/fonts/truetype/fonts-gujr-extra/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /usr/share/fonts/truetype/fonts-guru-extra/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /usr/share/fonts/truetype/fonts-kalapi/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /usr/share/fonts/truetype/fonts-orya-extra/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /usr/share/fonts/truetype/fonts-telu-extra/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /usr/share/fonts/truetype/fonts-yrsa-rasa/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /usr/share/fonts/truetype/freefont/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /usr/share/fonts/truetype/kacst/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /usr/share/fonts/truetype/kacst-one/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /usr/share/fonts/truetype/lao/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /usr/share/fonts/truetype/lato/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /usr/share/fonts/truetype/liberation/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /usr/share/fonts/truetype/liberation2/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /usr/share/fonts/truetype/lohit-assamese/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /usr/share/fonts/truetype/lohit-bengali/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /usr/share/fonts/truetype/lohit-devanagari/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /usr/share/fonts/truetype/lohit-gujarati/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /usr/share/fonts/truetype/lohit-kannada/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /usr/share/fonts/truetype/lohit-malayalam/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /usr/share/fonts/truetype/lohit-oriya/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /usr/share/fonts/truetype/lohit-punjabi/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /usr/share/fonts/truetype/lohit-tamil/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /usr/share/fonts/truetype/lohit-tamil-classical/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /usr/share/fonts/truetype/lohit-telugu/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /usr/share/fonts/truetype/malayalam/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /usr/share/fonts/truetype/noto/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /usr/share/fonts/truetype/openoffice/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /usr/share/fonts/truetype/padauk/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /usr/share/fonts/truetype/pagul/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /usr/share/fonts/truetype/samyak/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /usr/share/fonts/truetype/samyak-fonts/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /usr/share/fonts/truetype/sinhala/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /usr/share/fonts/truetype/tibetan-machine/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /usr/share/fonts/truetype/tlwg/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /usr/share/fonts/truetype/ttf-khmeros-core/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /usr/share/fonts/truetype/ubuntu/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /usr/share/fonts/type1/urw-base35/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /usr/share/fonts/X11/encodings/large/.uuid
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /home/saturnino/.cache
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /home/saturnino/.local
              Source: /usr/bin/xfwm4 (PID: 5922)  Directory: /home/saturnino/.config
              Source: /usr/bin/Thunar (PID: 5926)  Directory: /home/saturnino/.Xdefaults-galassia
              Source: /usr/bin/Thunar (PID: 5926)  Directory: /home/saturnino/.cache
              Source: /usr/bin/Thunar (PID: 5926)  Directory: /home/saturnino/.local
              Source: /usr/bin/Thunar (PID: 5926)  Directory: /home/saturnino/.config
              Source: /usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd (PID: 5936)  Directory: /home/saturnino/.cache
              Source: /usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd (PID: 5936)  Directory: /home/saturnino/.local
              Source: /usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd (PID: 5936)  Directory: /home/saturnino/.config
              Source: /usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd (PID: 5936)  Directory: /home/saturnino/.config
              Source: /usr/bin/xfwm4 (PID: 5966)  Directory: /home/saturnino/.Xdefaults-galassia
              Source: /usr/bin/xfwm4 (PID: 5966)  Directory: /usr/share/fonts/.uuid
              Source: /usr/bin/xfwm4 (PID: 5966)  Directory: /usr/local/share/fonts/.uuid
              Source: /usr/bin/xfwm4 (PID: 5966)  Directory: /home/saturnino/.local/share/fonts/.uuid
              Source: /usr/bin/xfwm4 (PID: 5966)  Directory: /home/saturnino/.fonts/.uuid
              Source: /usr/bin/xfwm4 (PID: 5966)  Directory: /usr/share/fonts/X11/.uuid
              Source: /usr/bin/xfwm4 (PID: 5966)  Directory: /usr/share/fonts/cMap/.uuid
              Source: /usr/bin/xfwm4 (PID: 5966)  Directory: /usr/share/fonts/cmap/.uuid
              Source: /usr/bin/xfwm4 (PID: 5966)  Directory: /usr/share/fonts/opentype/.uuid
              Source: /usr/bin/xfwm4 (PID: 5966)  Directory: /usr/share/fonts/truetype/.uuid
              Source: /usr/bin/xfwm4 (PID: 5966)  Directory: /usr/share/fonts/type1/.uuid
              Source: /usr/bin/xfwm4 (PID: 5966)  Directory: /usr/share/fonts/X11/Type1/.uuid
              Source: /usr/bin/xfwm4 (PID: 5966)  Directory: /usr/share/fonts/X11/encodings/.uuid
              Source: /usr/bin/xfwm4 (PID: 5966)  Directory: /usr/share/fonts/X11/misc/.uuid
              Source: /usr/bin/xfwm4 (PID: 5966)  Directory: /usr/share/fonts/X11/util/.uuid
              Source: /usr/bin/xfwm4 (PID: 5966)  Directory: /usr/share/fonts/cmap/adobe-cns1/.uuid
              Source: /usr/bin/xfwm4 (PID: 5966)  Directory: /usr/share/fonts/cmap/adobe-gb1/.uuid
              Source: /usr/bin/xfwm4 (PID: 5966)  Directory: /usr/share/fonts/cmap/adobe-japan1/.uuid
              Source: /usr/bin/xfwm4 (PID: 5966)  Directory: /usr/share/fonts/cmap/adobe-japan2/.uuid
              Source: /usr/bin/xfwm4 (PID: 5966)  Directory: /usr/share/fonts/cmap/adobe-korea1/.uuid
              Source: /usr/bin/xfwm4 (PID: 5966)  Directory: /usr/share/fonts/opentype/malayalam/.uuid
              Source: /usr/bin/xfwm4 (PID: 5966)  Directory: /usr/share/fonts/opentype/mathjax/.uuid
              Source: /usr/bin/xfwm4 (PID: 5966)  Directory: /usr/share/fonts/opentype/noto/.uuid
              Source: /usr/bin/xfwm4 (PID: 5966)  Directory: /usr/share/fonts/opentype/urw-base35/.uuid
              Source: /usr/bin/xfwm4 (PID: 5966)  Directory: /usr/share/fonts/truetype/Gargi/.uuid
              Source: /usr/bin/xfwm4 (PID: 5966)  Directory: /usr/share/fonts/truetype/Gubbi/.uuid
              Source: /usr/bin/xfwm4 (PID: 5966)  Directory: /usr/share/fonts/truetype/Nakula/.uuid
              Source: /usr/bin/xfwm4 (PID: 5966)  Directory: /usr/share/fonts/truetype/Navilu/.uuid
              Source: /usr/bin/xfwm4 (PID: 5966)  Directory: /usr/share/fonts/truetype/Sahadeva/.uuid
              Source: /usr/bin/xfwm4 (PID: 5966)  Directory: /usr/share/fonts/truetype/Sarai/.uuid
              Source: /usr/bin/xfwm4 (PID: 5966)  Directory: /usr/share/fonts/truetype/abyssinica/.uuid
              Source: /usr/bin/xfwm4 (PID: 5966)  Directory: /usr/share/fonts/truetype/ancient-scripts/.uuid
              Source: /usr/bin/xfwm4 (PID: 5966)  Directory: /usr/share/fonts/truetype/dejavu/.uuid
              Source: /usr/bin/xfwm4 (PID: 5966)  Directory: /usr/share/fonts/truetype/droid/.uuid
              Source: /usr/bin/xfwm4 (PID: 5966)  Directory: /usr/share/fonts/truetype/fonts-beng-extra/.uuid
              Source: /usr/bin/xfwm4 (PID: 5966)  Directory: /usr/share/fonts/truetype/fonts-deva-extra/.uuid
              Source: /usr/bin/xfwm4 (PID: 5966)  Directory: /usr/share/fonts/truetype/fonts-gujr-extra/.uuid
              Source: /usr/bin/xfwm4 (PID: 5966)  Directory: /usr/share/fonts/truetype/fonts-guru-extra/.uuid
              Source: /usr/bin/xfwm4 (PID: 5966)  Directory: /usr/share/fonts/truetype/fonts-kalapi/.uuid
              Source: /usr/bin/xfwm4 (PID: 5966)  Directory: /usr/share/fonts/truetype/fonts-orya-extra/.uuid
              Source: /usr/bin/xfwm4 (PID: 5966)  Directory: /usr/share/fonts/truetype/fonts-telu-extra/.uuid
              Source: /usr/bin/xfwm4 (PID: 5966)  Directory: /usr/share/fonts/truetype/fonts-yrsa-rasa/.uuid
              Source: /usr/bin/xfwm4 (PID: 5966)  Directory: /usr/share/fonts/truetype/freefont/.uuid
              Source: /usr/bin/xfwm4 (PID: 5966)  Directory: /usr/share/fonts/truetype/kacst/.uuid
              Source: /usr/bin/xfwm4 (PID: 5966)  Directory: /usr/share/fonts/truetype/kacst-one/.uuid
              Source: /usr/bin/xfwm4 (PID: 5966)  Directory: /usr/share/fonts/truetype/lao/.uuid
              Source: /usr/bin/xfwm4 (PID: 5966)  Directory: /usr/share/fonts/truetype/lato/.uuid
              Source: /usr/bin/xfwm4 (PID: 5966)  Directory: /usr/share/fonts/truetype/liberation/.uuid
              Source: /usr/bin/xfwm4 (PID: 5966)  Directory: /usr/share/fonts/truetype/liberation2/.uuid
              Source: /usr/bin/xfwm4 (PID: 5966)  Directory: /usr/share/fonts/truetype/lohit-assamese/.uuid
              Source: /usr/bin/xfwm4 (PID: 5966)  Directory: /usr/share/fonts/truetype/lohit-bengali/.uuid
              Source: /usr/bin/xfwm4 (PID: 5966)  Directory: /usr/share/fonts/truetype/lohit-devanagari/.uuid
              Source: /usr/bin/xfwm4 (PID: 5966)  Directory: /usr/share/fonts/truetype/lohit-gujarati/.uuid
              Source: /usr/bin/xfwm4 (PID: 5966)  Directory: /usr/share/fonts/truetype/lohit-kannada/.uuid
              Source: /usr/bin/xfwm4 (PID: 5966)  Directory: /usr/share/fonts/truetype/lohit-malayalam/.uuid
              Source: /usr/bin/xfwm4 (PID: 5966)  Directory: /usr/share/fonts/truetype/lohit-oriya/.uuid
              Source: /usr/bin/xfwm4 (PID: 5966)  Directory: /usr/share/fonts/truetype/lohit-punjabi/.uuid
              Source: /usr/bin/xfwm4 (PID: 5966)  Directory: /usr/share/fonts/truetype/lohit-tamil/.uuid
              Source: /usr/bin/xfwm4 (PID: 5966)  Directory: /usr/share/fonts/truetype/lohit-tamil-classical/.uuid
              Source: /usr/bin/xfwm4 (PID: 5966)  Directory: /usr/share/fonts/truetype/lohit-telugu/.uuid
              Source: /usr/bin/xfwm4 (PID: 5966)  Directory: /usr/share/fonts/truetype/malayalam/.uuid
              Source: /usr/bin/xfwm4 (PID: 5966)  Directory: /usr/share/fonts/truetype/noto/.uuid
              Source: /usr/bin/xfwm4 (PID: 5966)  Directory: /usr/share/fonts/truetype/openoffice/.uuid
              Source: /usr/bin/xfwm4 (PID: 5966)  Directory: /usr/share/fonts/truetype/padauk/.uuid
              Source: /usr/bin/xfwm4 (PID: 5966)  Directory: /usr/share/fonts/truetype/pagul/.uuid
              Source: /usr/bin/xfwm4 (PID: 5966)  Directory: /usr/share/fonts/truetype/samyak/.uuid
              Source: /usr/bin/xfwm4 (PID: 5966)  Directory: /usr/share/fonts/truetype/samyak-fonts/.uuid
              Source: /usr/bin/xfwm4 (PID: 5966)  Directory: /usr/share/fonts/truetype/sinhala/.uuid
              Source: /usr/bin/xfwm4 (PID: 5966)  Directory: /usr/share/fonts/truetype/tibetan-machine/.uuid
              Source: /usr/bin/xfwm4 (PID: 5966)  Directory: /usr/share/fonts/truetype/tlwg/.uuid
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/3640/cmdline
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/3640/net/tcp
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/3122/cmdline
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/3122/net/tcp
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/3117/cmdline
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/3117/net/tcp
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/3114/cmdline
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/3114/net/tcp
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/914/cmdline
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/917/cmdline
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/5431/cmdline
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/5675/cmdline
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/5675/net/tcp
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/3134/cmdline
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/3134/net/tcp
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/3375/cmdline
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/3375/net/tcp
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/3132/cmdline
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/3132/net/tcp
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/3095/cmdline
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/3095/net/tcp
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/1866/cmdline
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/1745/cmdline
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/1745/net/tcp
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/1/cmdline
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/1588/cmdline
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/1588/net/tcp
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/884/cmdline
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/884/net/tcp
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/1982/cmdline
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/1982/net/tcp
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/765/cmdline
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/3246/cmdline
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/800/cmdline
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/767/cmdline
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/1906/cmdline
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/1906/net/tcp
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/802/cmdline
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/803/cmdline
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/1748/cmdline
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/1748/net/tcp
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/5686/cmdline
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/5686/net/tcp
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/3420/cmdline
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/3420/net/tcp
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/1482/cmdline
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/490/cmdline
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/1480/cmdline
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/1755/cmdline
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/1755/net/tcp
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/1875/cmdline
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/1875/net/tcp
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/2964/cmdline
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/2964/net/tcp
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/3413/cmdline
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/3413/net/tcp
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/1751/cmdline
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/1751/net/tcp
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/1872/cmdline
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/1872/net/tcp
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/2961/cmdline
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/2961/net/tcp
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/1475/cmdline
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/778/cmdline
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/936/cmdline
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/816/cmdline
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/1879/cmdline
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/1879/net/tcp
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/5572/cmdline
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/5573/cmdline
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/5573/net/tcp
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/1891/cmdline
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/1891/net/tcp
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/3310/cmdline
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/3310/net/tcp
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/3153/cmdline
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/3153/net/tcp
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/780/cmdline
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/660/cmdline
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/1921/cmdline
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/1921/net/tcp
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/5607/cmdline
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/5608/cmdline
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/783/cmdline
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/1765/cmdline
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/1765/net/tcp
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/5609/cmdline
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/2974/cmdline
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/1400/cmdline
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/1884/cmdline
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/1884/net/tcp
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/3424/cmdline
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/3424/net/tcp
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/2972/cmdline
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/3147/cmdline
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/3147/net/tcp
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/2970/cmdline
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/1881/cmdline
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/1881/net/tcp
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/3146/cmdline
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/3146/net/tcp
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/3300/cmdline
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/3300/net/tcp
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/5688/cmdline
              Source: /tmp/hanoi.sh4.elf (PID: 5597)  File opened: /proc/5601/cmdline
              Source: /usr/share/language-tools/language-options (PID: 6082)Shell command executed: sh -c "locale -a | grep -F .utf8 "
              Source: /bin/sh (PID: 6084)Grep executable: /usr/bin/grep -> grep -F .utf8
              Source: /usr/bin/xfce4-session (PID: 5681)Rm executable: /usr/bin/rm -> rm -f /home/saturnino/.cache/sessions/Thunar-2ec7c2e14-9c4d-40f3-9704-8617ab831fb4Jump to behavior
              Source: /usr/lib/accountsservice/accounts-daemon (PID: 6066)File: /var/lib/AccountsService/icons (bits: - usr: rx grp: rwx all: rwx)
              Source: /usr/lib/accountsservice/accounts-daemon (PID: 6066)File: /var/lib/AccountsService/users (bits: - usr: - grp: - all: rwx)
              Source: /usr/bin/xfwm4 (PID: 5841)Reads CPU info from /sys: /sys/devices/system/cpu/onlineJump to behavior
              Source: /tmp/hanoi.sh4.elf (PID: 5595)Queries kernel information via 'uname': Jump to behavior
              Source: /usr/libexec/gsd-wacom (PID: 5627)Queries kernel information via 'uname': Jump to behavior
              Source: /usr/libexec/gsd-color (PID: 5630)Queries kernel information via 'uname': Jump to behavior
              Source: /usr/libexec/gsd-keyboard (PID: 5631)Queries kernel information via 'uname': Jump to behavior
              Source: /usr/libexec/gsd-smartcard (PID: 5634)Queries kernel information via 'uname': Jump to behavior
              Source: /usr/libexec/gsd-media-keys (PID: 5636)Queries kernel information via 'uname': Jump to behavior
              Source: /usr/libexec/gsd-power (PID: 5645)Queries kernel information via 'uname': Jump to behavior
              Source: /usr/bin/xfwm4 (PID: 5651)Queries kernel information via 'uname': Jump to behavior
              Source: /lib/systemd/systemd-hostnamed (PID: 5688)Queries kernel information via 'uname': Jump to behavior
              Source: /usr/bin/xfwm4 (PID: 5841)Queries kernel information via 'uname': Jump to behavior
              Source: /usr/bin/xfce4-panel (PID: 5845)Queries kernel information via 'uname': Jump to behavior
              Source: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 (PID: 5949)Queries kernel information via 'uname': Jump to behavior
              Source: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 (PID: 5950)Queries kernel information via 'uname': Jump to behavior
              Source: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 (PID: 5967)Queries kernel information via 'uname': Jump to behavior
              Source: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 (PID: 5968)Queries kernel information via 'uname': Jump to behavior
              Source: /usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 (PID: 5970)Queries kernel information via 'uname': Jump to behavior
              Source: /usr/bin/xfdesktop (PID: 5847)Queries kernel information via 'uname': Jump to behavior
              Source: /usr/lib/x86_64-linux-gnu/xfce4/notifyd/xfce4-notifyd (PID: 5851)Queries kernel information via 'uname': Jump to behavior
              Source: /usr/bin/xfwm4 (PID: 5883)Queries kernel information via 'uname': Jump to behavior
              Source: /usr/bin/xfdesktop (PID: 5899)Queries kernel information via 'uname': Jump to behavior
              Source: /usr/bin/xfwm4 (PID: 5922)Queries kernel information via 'uname': Jump to behavior
              Source: /usr/bin/Thunar (PID: 5926)Queries kernel information via 'uname': Jump to behavior
              Source: /usr/bin/xfwm4 (PID: 5966)Queries kernel information via 'uname': Jump to behavior
              Source: hanoi.sh4.elf, 5595.1.00007ffe5b007000.00007ffe5b028000.rw-.sdmp, hanoi.sh4.elf, 5597.1.00007ffe5b007000.00007ffe5b028000.rw-.sdmp, hanoi.sh4.elf, 5599.1.00007ffe5b007000.00007ffe5b028000.rw-.sdmp, hanoi.sh4.elf, 5601.1.00007ffe5b007000.00007ffe5b028000.rw-.sdmpBinary or memory string: /usr/bin/qemu-sh4
              Source: hanoi.sh4.elf, 5595.1.00007ffe5b007000.00007ffe5b028000.rw-.sdmp, hanoi.sh4.elf, 5597.1.00007ffe5b007000.00007ffe5b028000.rw-.sdmp, hanoi.sh4.elf, 5599.1.00007ffe5b007000.00007ffe5b028000.rw-.sdmp, hanoi.sh4.elf, 5601.1.00007ffe5b007000.00007ffe5b028000.rw-.sdmpBinary or memory string: 8x86_64/usr/bin/qemu-sh4/tmp/hanoi.sh4.elfSUDO_USER=saturninoPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_UID=1000TERM=xterm-256colorCOLORTERM=truecolorLOGNAME=rootUSER=rootLANG=en_US.UTF-8SUDO_COMMAND=/bin/bashHOME=/rootMAIL=/var/mail/rootSUDO_GID=1000SHELL=/bin/bash/tmp/hanoi.sh4.elf
              Source: hanoi.sh4.elf, 5595.1.00005616561fd000.0000561656260000.rw-.sdmp, hanoi.sh4.elf, 5597.1.00005616561fd000.0000561656260000.rw-.sdmp, hanoi.sh4.elf, 5599.1.00005616561fd000.0000561656260000.rw-.sdmp, hanoi.sh4.elf, 5601.1.00005616561fd000.0000561656260000.rw-.sdmpBinary or memory string: /etc/qemu-binfmt/sh4
              Source: hanoi.sh4.elf, 5595.1.00005616561fd000.0000561656260000.rw-.sdmp, hanoi.sh4.elf, 5597.1.00005616561fd000.0000561656260000.rw-.sdmp, hanoi.sh4.elf, 5599.1.00005616561fd000.0000561656260000.rw-.sdmp, hanoi.sh4.elf, 5601.1.00005616561fd000.0000561656260000.rw-.sdmpBinary or memory string: V5!/etc/qemu-binfmt/sh4

              Language, Device and Operating System Detection

Source: /usr/lib/accountsservice/accounts-daemon (PID: 6066) | Logged in records file read: /var/log/wtmp

              Stealing of Sensitive Information

Source: Yara match | File source: hanoi.sh4.elf, type: SAMPLE
Source: Yara match | File source: 5599.1.00007f5ec4400000.00007f5ec4415000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 5595.1.00007f5ec4400000.00007f5ec4415000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 5597.1.00007f5ec4400000.00007f5ec4415000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 5601.1.00007f5ec4400000.00007f5ec4415000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: hanoi.sh4.elf PID: 5595, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: hanoi.sh4.elf PID: 5597, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: hanoi.sh4.elf PID: 5599, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: hanoi.sh4.elf PID: 5601, type: MEMORYSTR
Source: Yara match | File source: hanoi.sh4.elf, type: SAMPLE
Source: Yara match | File source: 5599.1.00007f5ec4400000.00007f5ec4415000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 5595.1.00007f5ec4400000.00007f5ec4415000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 5597.1.00007f5ec4400000.00007f5ec4415000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 5601.1.00007f5ec4400000.00007f5ec4415000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: hanoi.sh4.elf PID: 5595, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: hanoi.sh4.elf PID: 5597, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: hanoi.sh4.elf PID: 5599, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: hanoi.sh4.elf PID: 5601, type: MEMORYSTR

              Remote Access Functionality

Source: Yara match | File source: hanoi.sh4.elf, type: SAMPLE
Source: Yara match | File source: 5599.1.00007f5ec4400000.00007f5ec4415000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 5595.1.00007f5ec4400000.00007f5ec4415000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 5597.1.00007f5ec4400000.00007f5ec4415000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 5601.1.00007f5ec4400000.00007f5ec4415000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: hanoi.sh4.elf PID: 5595, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: hanoi.sh4.elf PID: 5597, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: hanoi.sh4.elf PID: 5599, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: hanoi.sh4.elf PID: 5601, type: MEMORYSTR
Source: Yara match | File source: hanoi.sh4.elf, type: SAMPLE
Source: Yara match | File source: 5599.1.00007f5ec4400000.00007f5ec4415000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 5595.1.00007f5ec4400000.00007f5ec4415000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 5597.1.00007f5ec4400000.00007f5ec4415000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: 5601.1.00007f5ec4400000.00007f5ec4415000.r-x.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: hanoi.sh4.elf PID: 5595, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: hanoi.sh4.elf PID: 5597, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: hanoi.sh4.elf PID: 5599, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: hanoi.sh4.elf PID: 5601, type: MEMORYSTR
MITRE ATT&CK Matrix (techniques listed per tactic; the number in parentheses is the count of matching signatures)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names
Resource Development: Scripting (2); Domains; DNS Server; Virtual Private Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron
Persistence: Scripting (2); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook
Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook
Defense Evasion: File and Directory Permissions Modification (1); Hidden Files and Directories (1); File Deletion (1); Binary Padding
Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS
Discovery: Security Software Discovery (11); System Owner/User Discovery (1); File and Directory Discovery (1); System Information Discovery (1)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
Command and Control: Non-Standard Port (1); Non-Application Layer Protocol (1); Application Layer Protocol (1); Protocol Impersonation
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication
Impact: Service Stop (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction
              No configs have been found

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Number of created Files
              • Is malicious
              • Internet
Behavior Graph (ID: 1649662; Sample: hanoi.sh4.elf; Start date: 27/03/2025; Architecture: LINUX; Score: 100)

Network contacts:
• 103.230.121.85, ports 3778, 49638 (VPSQUANUS, Hong Kong)
• daisy.ubuntu.com

Signatures on the sample node:
• Malicious sample detected (through community Yara rule)
• Antivirus / Scanner detection for submitted sample
• Multi AV Scanner detection for submitted file
• 3 other signatures

Process tree (signatures attached to a node in parentheses):
• hanoi.sh4.elf (Found strings related to Crypto-Mining)
  • hanoi.sh4.elf (Sample tries to kill multiple processes (SIGKILL))
  • hanoi.sh4.elf
  • 2 other processes
• gvfsd, started by systemd
  • gvfsd
    • gvfsd-fuse
      • fusermount (Sample reads /proc/mounts (often used for finding a writable filesystem))
  • gvfsd-trash
• xfce4-panel, started by xfce4-session
  • wrapper-2.0
  • 11 other processes
• 44 other processes (Sample reads /proc/mounts (often used for finding a writable filesystem); Reads system files that contain records of logged in users)
  • language-validate, started by accounts-daemon
    • language-options
      • sh
        • locale
        • grep
  • gsd-print-notifications
    • gsd-printer

Source | Detection | Scanner | Label
hanoi.sh4.elf | 62% | Virustotal |
hanoi.sh4.elf | 66% | ReversingLabs | Linux.Trojan.Mirai
hanoi.sh4.elf | 100% | Avira | EXP/ELF.Gafgyt.D
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches


Name | IP | Active | Malicious | Antivirus Detection | Reputation
daisy.ubuntu.com | 162.213.35.25 | true | false | | high
                • No. of IPs < 25%
                • 25% < No. of IPs < 50%
                • 50% < No. of IPs < 75%
                • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
103.230.121.85 | unknown | Hong Kong | 62468 | VPSQUANUS | false
Match | Associated Sample Name / URL | Detection | Threat Name | Context
103.230.121.85 | hanoi.m68k.elf | malicious | Mirai, Okiru, Xmrig |
103.230.121.85 | hanoi.x86_64.elf | malicious | Unknown |

Match | Associated Sample Name / URL | Detection | Threat Name | Context
daisy.ubuntu.com | resgod.arm5.elf | malicious | Mirai | 162.213.35.24
daisy.ubuntu.com | resgod.x86.elf | malicious | Mirai | 162.213.35.24
daisy.ubuntu.com | resgod.arm.elf | malicious | Mirai | 162.213.35.24
daisy.ubuntu.com | resgod.arm6.elf | malicious | Mirai | 162.213.35.24
daisy.ubuntu.com | sora.arm6.elf | malicious | Mirai | 162.213.35.25
daisy.ubuntu.com | sora.m68k.elf | malicious | Mirai | 162.213.35.25
daisy.ubuntu.com | sora.x86.elf | malicious | Mirai | 162.213.35.25
daisy.ubuntu.com | sora.sh4.elf | malicious | Mirai | 162.213.35.24
daisy.ubuntu.com | ub8ehJSePAfc9FYqZIT6.spc.elf | malicious | Mirai | 162.213.35.24
daisy.ubuntu.com | jfeeps.elf | malicious | Gafgyt, Mirai | 162.213.35.24

Match | Associated Sample Name / URL | Detection | Threat Name | Context
VPSQUANUS | hanoi.m68k.elf | malicious | Mirai, Okiru, Xmrig | 103.230.121.85
VPSQUANUS | hanoi.x86_64.elf | malicious | Unknown | 103.230.121.85
VPSQUANUS | nabppc.elf | malicious | Unknown | 23.251.46.113
VPSQUANUS | morte.x86.elf | malicious | Unknown | 103.239.72.22
VPSQUANUS | YrRZnrf2lC.exe | malicious | Unknown | 154.222.224.99
VPSQUANUS | YrRZnrf2lC.exe | malicious | Unknown | 154.222.224.99
VPSQUANUS | nklmips.elf | malicious | Unknown | 103.252.19.50
VPSQUANUS | http://midasbuypubg.myiphost.com/ | malicious | Unknown | 107.151.250.70
VPSQUANUS | mips.elf | malicious | Mirai, Moobot | 107.151.229.189
VPSQUANUS | O8QAjYEai7.exe | malicious | Unknown | 156.224.26.29
                    No context
                    No context
                    Process:/usr/libexec/goa-daemon
                    File Type:very short file (no magic)
                    Category:dropped
                    Size (bytes):1
                    Entropy (8bit):0.0
                    Encrypted:false
                    SSDEEP:3::
                    MD5:93B885ADFE0DA089CDF634904FD59F71
                    SHA1:5BA93C9DB0CFF93F52B521D7420E43F6EDA2784F
                    SHA-256:6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D
                    SHA-512:B8244D028981D693AF7B456AF8EFA4CAD63D282E19FF14942C246E50D9351D22704A802A71C3580B6370DE4CEB293C324A8423342557D4E5C38438F0E36910EE
                    Malicious:false
                    Reputation:high, very likely benign file
                    Preview:.
                    Process:/usr/libexec/gsd-housekeeping
                    File Type:very short file (no magic)
                    Category:dropped
                    Size (bytes):1
                    Entropy (8bit):0.0
                    Encrypted:false
                    SSDEEP:3::
                    MD5:93B885ADFE0DA089CDF634904FD59F71
                    SHA1:5BA93C9DB0CFF93F52B521D7420E43F6EDA2784F
                    SHA-256:6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D
                    SHA-512:B8244D028981D693AF7B456AF8EFA4CAD63D282E19FF14942C246E50D9351D22704A802A71C3580B6370DE4CEB293C324A8423342557D4E5C38438F0E36910EE
                    Malicious:false
                    Reputation:high, very likely benign file
                    Preview:.
                    File type:ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
                    Entropy (8bit):6.752500677742352
                    TrID:
                    • ELF Executable and Linkable format (generic) (4004/1) 100.00%
                    File name:hanoi.sh4.elf
                    File size:87'260 bytes
                    MD5:a6d7691e700f2907e5f2ec5df85404d9
                    SHA1:d0464b01799bb8b81912dfb6d02f31f9d69a1432
                    SHA256:77901d6bd4cfa884b42ab837e3c2e60fb0a73a2f38de4dbc27a4534a196aabc1
                    SHA512:70214eb466a7479b932f9a8233730bfff5c29992779af7caa578099208fcb19f76cae557ce531ca5cc4d09d61750d5e60c50b24a11e4307e3f464bdc85d33af9
                    SSDEEP:1536:fzm8jNG4ipRw3i9I1ZHZn+BrhVDiw7edr:fzm8jNG48RvSN4Ht7eh
                    TLSH:14839F36F0142CE1C46314B8F4BCCE780B12ACE452E52C726FDEC9A558E76AAB54DF58
                    File Content Preview:.ELF..............*.......@.4...LS......4. ...(...............@...@..N...N...............P...PB..PB.0...............Q.td..............................././"O.n......#.*@........#.*@.-..&O.n.l..................................././.../.a"O.!...n...a.b("...q.

                    ELF header

                    Class:ELF32
                    Data:2's complement, little endian
                    Version:1 (current)
                    Machine:<unknown>
                    Version Number:0x1
                    Type:EXEC (Executable file)
                    OS/ABI:UNIX - System V
                    ABI Version:0
                    Entry Point Address:0x4001a0
                    Flags:0xc
                    ELF Header Size:52
                    Program Header Offset:52
                    Program Header Size:32
                    Number of Program Headers:3
                    Section Header Offset:86860
                    Section Header Size:40
                    Number of Section Headers:10
                    Header String Table Index:9
Section headers

Name | Type | Address | Offset | Size | EntSize | Flags | Flags Description | Link | Info | Align
NULL | | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | | 0 | 0 | 0
.init | PROGBITS | 0x400094 | 0x94 | 0x2e | 0x0 | 0x6 | AX | 0 | 0 | 4
.text | PROGBITS | 0x4000e0 | 0xe0 | 0x12de0 | 0x0 | 0x6 | AX | 0 | 0 | 32
.fini | PROGBITS | 0x412ec0 | 0x12ec0 | 0x22 | 0x0 | 0x6 | AX | 0 | 0 | 4
.rodata | PROGBITS | 0x412ee4 | 0x12ee4 | 0x1ff0 | 0x0 | 0x2 | A | 0 | 0 | 4
.ctors | PROGBITS | 0x4250dc | 0x150dc | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
.dtors | PROGBITS | 0x4250e4 | 0x150e4 | 0x8 | 0x0 | 0x3 | WA | 0 | 0 | 4
.data | PROGBITS | 0x4250f0 | 0x150f0 | 0x21c | 0x0 | 0x3 | WA | 0 | 0 | 4
.bss | NOBITS | 0x42530c | 0x1530c | 0x770 | 0x0 | 0x3 | WA | 0 | 0 | 4
.shstrtab | STRTAB | 0x0 | 0x1530c | 0x3e | 0x0 | 0x0 | | 0 | 0 | 1

Program headers

Type | Offset | Virtual Address | Physical Address | File Size | Memory Size | Entropy | Flags | Flags Description | Align | Prog Interpreter | Section Mappings
LOAD | 0x0 | 0x400000 | 0x400000 | 0x14ed4 | 0x14ed4 | 6.7896 | 0x5 | R E | 0x10000 | | .init .text .fini .rodata
LOAD | 0x150dc | 0x4250dc | 0x4250dc | 0x230 | 0x9a0 | 4.1408 | 0x6 | RW | 0x10000 | | .ctors .dtors .data .bss
GNU_STACK | 0x0 | 0x0 | 0x0 | 0x0 | 0x0 | 0.0000 | 0x7 | RWE | 0x4 | |


                    • Total Packets: 15
                    • 3778 undefined
                    • 53 (DNS)
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 27, 2025 01:00:02.681849957 CET | 49638 | 3778 | 192.168.2.13 | 103.230.121.85
Mar 27, 2025 01:00:03.018085957 CET | 3778 | 49638 | 103.230.121.85 | 192.168.2.13
Mar 27, 2025 01:00:03.018203974 CET | 49638 | 3778 | 192.168.2.13 | 103.230.121.85
Mar 27, 2025 01:00:03.020402908 CET | 49638 | 3778 | 192.168.2.13 | 103.230.121.85
Mar 27, 2025 01:00:03.356034994 CET | 3778 | 49638 | 103.230.121.85 | 192.168.2.13
Mar 27, 2025 01:00:03.356108904 CET | 49638 | 3778 | 192.168.2.13 | 103.230.121.85
Mar 27, 2025 01:00:03.692363024 CET | 3778 | 49638 | 103.230.121.85 | 192.168.2.13
Mar 27, 2025 01:00:13.031886101 CET | 49638 | 3778 | 192.168.2.13 | 103.230.121.85
Mar 27, 2025 01:00:13.365628958 CET | 3778 | 49638 | 103.230.121.85 | 192.168.2.13
Mar 27, 2025 01:00:13.365660906 CET | 3778 | 49638 | 103.230.121.85 | 192.168.2.13
Mar 27, 2025 01:00:13.365894079 CET | 49638 | 3778 | 192.168.2.13 | 103.230.121.85
Mar 27, 2025 01:00:14.492965937 CET | 49638 | 3778 | 192.168.2.13 | 103.230.121.85
Mar 27, 2025 01:00:14.829246998 CET | 3778 | 49638 | 103.230.121.85 | 192.168.2.13
Mar 27, 2025 01:00:14.829368114 CET | 49638 | 3778 | 192.168.2.13 | 103.230.121.85
Mar 27, 2025 01:02:47.207587004 CET | 34822 | 53 | 192.168.2.13 | 8.8.8.8
Mar 27, 2025 01:02:47.290549994 CET | 53 | 34822 | 8.8.8.8 | 192.168.2.13
Mar 27, 2025 01:02:47.290618896 CET | 34822 | 53 | 192.168.2.13 | 8.8.8.8
Mar 27, 2025 01:02:47.290669918 CET | 34822 | 53 | 192.168.2.13 | 8.8.8.8
Mar 27, 2025 01:02:47.290669918 CET | 34822 | 53 | 192.168.2.13 | 8.8.8.8
Mar 27, 2025 01:02:47.374344110 CET | 53 | 34822 | 8.8.8.8 | 192.168.2.13
Mar 27, 2025 01:02:47.374373913 CET | 53 | 34822 | 8.8.8.8 | 192.168.2.13
Mar 27, 2025 01:02:47.374434948 CET | 53 | 34822 | 8.8.8.8 | 192.168.2.13
Mar 27, 2025 01:02:47.374453068 CET | 53 | 34822 | 8.8.8.8 | 192.168.2.13
Mar 27, 2025 01:02:47.374496937 CET | 34822 | 53 | 192.168.2.13 | 8.8.8.8
Mar 27, 2025 01:02:47.374497890 CET | 34822 | 53 | 192.168.2.13 | 8.8.8.8
Mar 27, 2025 01:02:49.375998974 CET | 53 | 34822 | 8.8.8.8 | 192.168.2.13
Mar 27, 2025 01:02:49.377887964 CET | 34822 | 53 | 192.168.2.13 | 8.8.8.8
Mar 27, 2025 01:02:49.460757971 CET | 53 | 34822 | 8.8.8.8 | 192.168.2.13

DNS queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 27, 2025 01:02:47.290669918 CET | 192.168.2.13 | 8.8.8.8 | 0xade3 | Standard query (0) | daisy.ubuntu.com | A (IP address) | IN (0x0001) | false
Mar 27, 2025 01:02:47.290669918 CET | 192.168.2.13 | 8.8.8.8 | 0x8746 | Standard query (0) | daisy.ubuntu.com | 28 | IN (0x0001) | false

DNS answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 27, 2025 01:02:47.374434948 CET | 8.8.8.8 | 192.168.2.13 | 0xade3 | No error (0) | daisy.ubuntu.com | | 162.213.35.25 | A (IP address) | IN (0x0001) | false
Mar 27, 2025 01:02:47.374434948 CET | 8.8.8.8 | 192.168.2.13 | 0xade3 | No error (0) | daisy.ubuntu.com | | 162.213.35.24 | A (IP address) | IN (0x0001) | false

                    System Behavior

                    Start time (UTC):00:00:01
                    Start date (UTC):27/03/2025
                    Path:/tmp/hanoi.sh4.elf
                    Arguments:/tmp/hanoi.sh4.elf
                    File size:4139976 bytes
                    MD5 hash:8943e5f8f8c280467b4472c15ae93ba9

                    Start time (UTC):00:00:01
                    Start date (UTC):27/03/2025
                    Path:/tmp/hanoi.sh4.elf
                    Arguments:-
                    File size:4139976 bytes
                    MD5 hash:8943e5f8f8c280467b4472c15ae93ba9

                    Start time (UTC):00:00:01
                    Start date (UTC):27/03/2025
                    Path:/tmp/hanoi.sh4.elf
                    Arguments:-
                    File size:4139976 bytes
                    MD5 hash:8943e5f8f8c280467b4472c15ae93ba9

                    Start time (UTC):00:00:01
                    Start date (UTC):27/03/2025
                    Path:/tmp/hanoi.sh4.elf
                    Arguments:-
                    File size:4139976 bytes
                    MD5 hash:8943e5f8f8c280467b4472c15ae93ba9

                    Start time (UTC):00:00:01
                    Start date (UTC):27/03/2025
                    Path:/tmp/hanoi.sh4.elf
                    Arguments:-
                    File size:4139976 bytes
                    MD5 hash:8943e5f8f8c280467b4472c15ae93ba9

                    Start time (UTC):00:00:01
                    Start date (UTC):27/03/2025
                    Path:/usr/libexec/gnome-session-binary
                    Arguments:-
                    File size:334664 bytes
                    MD5 hash:d9b90be4f7db60cb3c2d3da6a1d31bfb

                    Start time (UTC):00:00:01
                    Start date (UTC):27/03/2025
                    Path:/bin/sh
                    Arguments:/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-wacom
                    File size:129816 bytes
                    MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                    Start time (UTC):00:00:01
                    Start date (UTC):27/03/2025
                    Path:/usr/libexec/gsd-wacom
                    Arguments:/usr/libexec/gsd-wacom
                    File size:39520 bytes
                    MD5 hash:13778dd1a23a4e94ddc17ac9caa4fcc1

                    Start time (UTC):00:00:01
                    Start date (UTC):27/03/2025
                    Path:/usr/libexec/gnome-session-binary
                    Arguments:-
                    File size:334664 bytes
                    MD5 hash:d9b90be4f7db60cb3c2d3da6a1d31bfb

                    Start time (UTC):00:00:01
                    Start date (UTC):27/03/2025
                    Path:/bin/sh
                    Arguments:/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-color
                    File size:129816 bytes
                    MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                    Start time (UTC):00:00:02
                    Start date (UTC):27/03/2025
                    Path:/usr/libexec/gsd-color
                    Arguments:/usr/libexec/gsd-color
                    File size:92832 bytes
                    MD5 hash:ac2861ad93ce047283e8e87cefef9a19

                    Start time (UTC):00:00:01
                    Start date (UTC):27/03/2025
                    Path:/usr/libexec/gnome-session-binary
                    Arguments:-
                    File size:334664 bytes
                    MD5 hash:d9b90be4f7db60cb3c2d3da6a1d31bfb

                    Start time (UTC):00:00:01
                    Start date (UTC):27/03/2025
                    Path:/bin/sh
                    Arguments:/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-keyboard
                    File size:129816 bytes
                    MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                    Start time (UTC):00:00:02
                    Start date (UTC):27/03/2025
                    Path:/usr/libexec/gsd-keyboard
                    Arguments:/usr/libexec/gsd-keyboard
                    File size:39760 bytes
                    MD5 hash:8e288fd17c80bb0a1148b964b2ac2279

                    Start time (UTC):00:00:02
                    Start date (UTC):27/03/2025
                    Path:/usr/libexec/gnome-session-binary
                    Arguments:-
                    File size:334664 bytes
                    MD5 hash:d9b90be4f7db60cb3c2d3da6a1d31bfb

                    Start time (UTC):00:00:02
                    Start date (UTC):27/03/2025
                    Path:/bin/sh
                    Arguments:/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-print-notifications
                    File size:129816 bytes
                    MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                    Start time (UTC):00:00:02
                    Start date (UTC):27/03/2025
                    Path:/usr/libexec/gsd-print-notifications
                    Arguments:/usr/libexec/gsd-print-notifications
                    File size:51840 bytes
                    MD5 hash:71539698aa691718cee775d6b9450ae2

                    Start time (UTC):00:00:09
                    Start date (UTC):27/03/2025
                    Path:/usr/libexec/gsd-print-notifications
                    Arguments:-
                    File size:51840 bytes
                    MD5 hash:71539698aa691718cee775d6b9450ae2

                    Start time (UTC):00:00:09
                    Start date (UTC):27/03/2025
                    Path:/usr/libexec/gsd-print-notifications
                    Arguments:-
                    File size:51840 bytes
                    MD5 hash:71539698aa691718cee775d6b9450ae2

                    Start time (UTC):00:00:10
                    Start date (UTC):27/03/2025
                    Path:/usr/libexec/gsd-printer
                    Arguments:/usr/libexec/gsd-printer
                    File size:31120 bytes
                    MD5 hash:7995828cf98c315fd55f2ffb3b22384d

                    Start time (UTC):00:00:02
                    Start date (UTC):27/03/2025
                    Path:/usr/libexec/gnome-session-binary
                    Arguments:-
                    File size:334664 bytes
                    MD5 hash:d9b90be4f7db60cb3c2d3da6a1d31bfb

                    Start time (UTC):00:00:02
                    Start date (UTC):27/03/2025
                    Path:/bin/sh
                    Arguments:/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-rfkill
                    File size:129816 bytes
                    MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                    Start time (UTC):00:00:02
                    Start date (UTC):27/03/2025
                    Path:/usr/libexec/gsd-rfkill
                    Arguments:/usr/libexec/gsd-rfkill
                    File size:51808 bytes
                    MD5 hash:88a16a3c0aba1759358c06215ecfb5cc

                    Start time (UTC):00:00:02
                    Start date (UTC):27/03/2025
                    Path:/usr/libexec/gnome-session-binary
                    Arguments:-
                    File size:334664 bytes
                    MD5 hash:d9b90be4f7db60cb3c2d3da6a1d31bfb

                    Start time (UTC):00:00:02
                    Start date (UTC):27/03/2025
                    Path:/bin/sh
                    Arguments:/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-smartcard
                    File size:129816 bytes
                    MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                    Start time (UTC):00:00:02
                    Start date (UTC):27/03/2025
                    Path:/usr/libexec/gsd-smartcard
                    Arguments:/usr/libexec/gsd-smartcard
                    File size:109152 bytes
                    MD5 hash:ea1fbd7f62e4cd0331eae2ef754ee605

                    Start time (UTC):00:00:02
                    Start date (UTC):27/03/2025
                    Path:/usr/libexec/gnome-session-binary
                    Arguments:-
                    File size:334664 bytes
                    MD5 hash:d9b90be4f7db60cb3c2d3da6a1d31bfb

                    Start time (UTC):00:00:02
                    Start date (UTC):27/03/2025
                    Path:/bin/sh
                    Arguments:/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-datetime
                    File size:129816 bytes
                    MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                    Start time (UTC):00:00:02
                    Start date (UTC):27/03/2025
                    Path:/usr/libexec/gsd-datetime
                    Arguments:/usr/libexec/gsd-datetime
                    File size:76736 bytes
                    MD5 hash:d80d39745740de37d6634d36e344d4bc

                    Start time (UTC):00:00:02
                    Start date (UTC):27/03/2025
                    Path:/usr/libexec/gnome-session-binary
                    Arguments:-
                    File size:334664 bytes
                    MD5 hash:d9b90be4f7db60cb3c2d3da6a1d31bfb

                    Start time (UTC):00:00:02
                    Start date (UTC):27/03/2025
                    Path:/bin/sh
                    Arguments:/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-media-keys
                    File size:129816 bytes
                    MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                    Start time (UTC):00:00:02
                    Start date (UTC):27/03/2025
                    Path:/usr/libexec/gsd-media-keys
                    Arguments:/usr/libexec/gsd-media-keys
                    File size:232936 bytes
                    MD5 hash:a425448c135afb4b8bfd79cc0b6b74da

                    Start time (UTC):00:00:02
                    Start date (UTC):27/03/2025
                    Path:/usr/libexec/gnome-session-binary
                    Arguments:-
                    File size:334664 bytes
                    MD5 hash:d9b90be4f7db60cb3c2d3da6a1d31bfb

                    Start time (UTC):00:00:02
                    Start date (UTC):27/03/2025
                    Path:/bin/sh
                    Arguments:/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-screensaver-proxy
                    File size:129816 bytes
                    MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                    Start time (UTC):00:00:03
                    Start date (UTC):27/03/2025
                    Path:/usr/libexec/gsd-screensaver-proxy
                    Arguments:/usr/libexec/gsd-screensaver-proxy
                    File size:27232 bytes
                    MD5 hash:77e309450c87dceee43f1a9e50cc0d02

                    Start time (UTC):00:00:02
                    Start date (UTC):27/03/2025
                    Path:/usr/libexec/gnome-session-binary
                    Arguments:-
                    File size:334664 bytes
                    MD5 hash:d9b90be4f7db60cb3c2d3da6a1d31bfb

                    Start time (UTC):00:00:02
                    Start date (UTC):27/03/2025
                    Path:/bin/sh
                    Arguments:/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-sound
                    File size:129816 bytes
                    MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                    Start time (UTC):00:00:03
                    Start date (UTC):27/03/2025
                    Path:/usr/libexec/gsd-sound
                    Arguments:/usr/libexec/gsd-sound
                    File size:31248 bytes
                    MD5 hash:4c7d3fb993463337b4a0eb5c80c760ee

                    Start time (UTC):00:00:03
                    Start date (UTC):27/03/2025
                    Path:/usr/libexec/gnome-session-binary
                    Arguments:-
                    File size:334664 bytes
                    MD5 hash:d9b90be4f7db60cb3c2d3da6a1d31bfb

                    Start time (UTC):00:00:03
                    Start date (UTC):27/03/2025
                    Path:/bin/sh
                    Arguments:/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-a11y-settings
                    File size:129816 bytes
                    MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                    Start time (UTC):00:00:03
                    Start date (UTC):27/03/2025
                    Path:/usr/libexec/gsd-a11y-settings
                    Arguments:/usr/libexec/gsd-a11y-settings
                    File size:23056 bytes
                    MD5 hash:18e243d2cf30ecee7ea89d1462725c5c

                    Start time (UTC):00:00:03
                    Start date (UTC):27/03/2025
                    Path:/usr/libexec/gnome-session-binary
                    Arguments:-
                    File size:334664 bytes
                    MD5 hash:d9b90be4f7db60cb3c2d3da6a1d31bfb

                    Start time (UTC):00:00:03
                    Start date (UTC):27/03/2025
                    Path:/bin/sh
                    Arguments:/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-housekeeping
                    File size:129816 bytes
                    MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                    Start time (UTC):00:00:03
                    Start date (UTC):27/03/2025
                    Path:/usr/libexec/gsd-housekeeping
                    Arguments:/usr/libexec/gsd-housekeeping
                    File size:51840 bytes
                    MD5 hash:b55f3394a84976ddb92a2915e5d76914

                    Start time (UTC):00:00:03
                    Start date (UTC):27/03/2025
                    Path:/usr/libexec/gnome-session-binary
                    Arguments:-
                    File size:334664 bytes
                    MD5 hash:d9b90be4f7db60cb3c2d3da6a1d31bfb

                    Start time (UTC):00:00:03
                    Start date (UTC):27/03/2025
                    Path:/bin/sh
                    Arguments:/bin/sh -e -u -c "export GIO_LAUNCHED_DESKTOP_FILE_PID=$$; exec \"$@\"" sh /usr/libexec/gsd-power
                    File size:129816 bytes
                    MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                    Start time (UTC):00:00:04
                    Start date (UTC):27/03/2025
                    Path:/usr/libexec/gsd-power
                    Arguments:/usr/libexec/gsd-power
                    File size:88672 bytes
                    MD5 hash:28b8e1b43c3e7f1db6741ea1ecd978b7

                    Start time (UTC):00:00:04
                    Start date (UTC):27/03/2025
                    Path:/usr/libexec/gvfsd-fuse
                    Arguments:-
                    File size:47632 bytes
                    MD5 hash:d18fbf1cbf8eb57b17fac48b7b4be933

                    Start time (UTC):00:00:04
                    Start date (UTC):27/03/2025
                    Path:/bin/fusermount
                    Arguments:fusermount -u -q -z -- /run/user/1000/gvfs
                    File size:39144 bytes
                    MD5 hash:576a1b135c82bdcbc97a91acea900566

                    Start time (UTC):00:00:04
                    Start date (UTC):27/03/2025
                    Path:/usr/bin/xfce4-session
                    Arguments:-
                    File size:264752 bytes
                    MD5 hash:648919f03ad356720c8c27f5aaaf75d1

                    Start time (UTC):00:00:04
                    Start date (UTC):27/03/2025
                    Path:/usr/bin/xfwm4
                    Arguments:xfwm4 --display :1.0 --sm-client-id 27575c7dd-2dac-48f0-9f3a-eff67ec043e5
                    File size:420424 bytes
                    MD5 hash:59defa3c00cc30d85ed77b738d55e9da

                    Start time (UTC):00:00:04
                    Start date (UTC):27/03/2025
                    Path:/usr/bin/xfce4-session
                    Arguments:-
                    File size:264752 bytes
                    MD5 hash:648919f03ad356720c8c27f5aaaf75d1

                    Start time (UTC):00:00:06
                    Start date (UTC):27/03/2025
                    Path:/usr/bin/xfce4-panel
                    Arguments:xfce4-panel --display :1.0 --sm-client-id 2d6b1caf2-8023-452b-bd0d-d23295482740
                    File size:375768 bytes
                    MD5 hash:a15b657c7d54ac1385f1f15004ea6784

                    Start time (UTC):00:00:06
                    Start date (UTC):27/03/2025
                    Path:/usr/bin/xfce4-session
                    Arguments:-
                    File size:264752 bytes
                    MD5 hash:648919f03ad356720c8c27f5aaaf75d1

                    Start time (UTC):00:00:06
                    Start date (UTC):27/03/2025
                    Path:/usr/bin/rm
                    Arguments:rm -f /home/saturnino/.cache/sessions/Thunar-2ec7c2e14-9c4d-40f3-9704-8617ab831fb4
                    File size:72056 bytes
                    MD5 hash:aa2b5496fdbfd88e38791ab81f90b95b

                    Start time (UTC):00:00:06
                    Start date (UTC):27/03/2025
                    Path:/usr/bin/xfce4-session
                    Arguments:-
                    File size:264752 bytes
                    MD5 hash:648919f03ad356720c8c27f5aaaf75d1

                    Start time (UTC):00:00:08
                    Start date (UTC):27/03/2025
                    Path:/usr/bin/xfdesktop
                    Arguments:xfdesktop --display :1.0 --sm-client-id 260d40b3c-9c6a-4cb1-bbe4-3557725aa528
                    File size:473520 bytes
                    MD5 hash:dfb13e1581f80065dcea16f2476f16f2

                    Start time (UTC):00:00:07
                    Start date (UTC):27/03/2025
                    Path:/usr/lib/systemd/systemd
                    Arguments:-
                    File size:1620224 bytes
                    MD5 hash:9b2bec7092a40488108543f9334aab75

                    Start time (UTC):00:00:07
                    Start date (UTC):27/03/2025
                    Path:/lib/systemd/systemd-hostnamed
                    Arguments:/lib/systemd/systemd-hostnamed
                    File size:35040 bytes
                    MD5 hash:2cc8a5576629a2d5bd98e49a4b8bef65

                    Start time (UTC):00:00:12
                    Start date (UTC):27/03/2025
                    Path:/usr/bin/xfce4-session
                    Arguments:-
                    File size:264752 bytes
                    MD5 hash:648919f03ad356720c8c27f5aaaf75d1

                    Start time (UTC):00:00:13
                    Start date (UTC):27/03/2025
                    Path:/usr/bin/xfwm4
                    Arguments:xfwm4 --display :1.0 --sm-client-id 27575c7dd-2dac-48f0-9f3a-eff67ec043e5
                    File size:420424 bytes
                    MD5 hash:59defa3c00cc30d85ed77b738d55e9da

                    Start time (UTC):00:00:13
                    Start date (UTC):27/03/2025
                    Path:/usr/bin/dbus-daemon
                    Arguments:-
                    File size:249032 bytes
                    MD5 hash:3089d47e3f3ab84cd81c48fd406d7a8c

                    Start time (UTC):00:00:13
                    Start date (UTC):27/03/2025
                    Path:/usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd
                    Arguments:/usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd
                    File size:112880 bytes
                    MD5 hash:4c7a0d6d258bb970905b19b84abcd8e9

                    Start time (UTC):00:00:13
                    Start date (UTC):27/03/2025
                    Path:/usr/sbin/gdm3
                    Arguments:-
                    File size:453296 bytes
                    MD5 hash:2492e2d8d34f9377e3e530a61a15674f

                    Start time (UTC):00:00:13
                    Start date (UTC):27/03/2025
                    Path:/etc/gdm3/PrimeOff/Default
                    Arguments:/etc/gdm3/PrimeOff/Default
                    File size:129816 bytes
                    MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                    Start time (UTC):00:00:13
                    Start date (UTC):27/03/2025
                    Path:/usr/bin/xfce4-session
                    Arguments:-
                    File size:264752 bytes
                    MD5 hash:648919f03ad356720c8c27f5aaaf75d1

                    Start time (UTC):00:00:13
                    Start date (UTC):27/03/2025
                    Path:/usr/bin/xfce4-panel
                    Arguments:xfce4-panel --display :1.0 --sm-client-id 2d6b1caf2-8023-452b-bd0d-d23295482740
                    File size:375768 bytes
                    MD5 hash:a15b657c7d54ac1385f1f15004ea6784

                    Start time (UTC):00:00:35
                    Start date (UTC):27/03/2025
                    Path:/usr/bin/xfce4-panel
                    Arguments:-
                    File size:375768 bytes
                    MD5 hash:a15b657c7d54ac1385f1f15004ea6784

                    Start time (UTC):00:00:35
                    Start date (UTC):27/03/2025
                    Path:/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
                    Arguments:/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libsystray.so 6 6291464 systray "Notification Area" "Area where notification icons appear"
                    File size:35136 bytes
                    MD5 hash:ac0b8a906f359a8ae102244738682e76

                    Start time (UTC):00:00:35
                    Start date (UTC):27/03/2025
                    Path:/usr/bin/xfce4-panel
                    Arguments:-
                    File size:375768 bytes
                    MD5 hash:a15b657c7d54ac1385f1f15004ea6784

                    Start time (UTC):00:00:35
                    Start date (UTC):27/03/2025
                    Path:/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
                    Arguments:/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libstatusnotifier.so 7 6291465 statusnotifier "Status Notifier Plugin" "Provides a panel area for status notifier items (application indicators)"
                    File size:35136 bytes
                    MD5 hash:ac0b8a906f359a8ae102244738682e76

                    Start time (UTC):00:00:38
                    Start date (UTC):27/03/2025
                    Path:/usr/bin/xfce4-panel
                    Arguments:-
                    File size:375768 bytes
                    MD5 hash:a15b657c7d54ac1385f1f15004ea6784

                    Start time (UTC):00:00:38
                    Start date (UTC):27/03/2025
                    Path:/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
                    Arguments:/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libpulseaudio-plugin.so 8 6291466 pulseaudio "PulseAudio Plugin" "Adjust the audio volume of the PulseAudio sound system"
                    File size:35136 bytes
                    MD5 hash:ac0b8a906f359a8ae102244738682e76

                    Start time (UTC):00:00:38
                    Start date (UTC):27/03/2025
                    Path:/usr/bin/xfce4-panel
                    Arguments:-
                    File size:375768 bytes
                    MD5 hash:a15b657c7d54ac1385f1f15004ea6784

                    Start time (UTC):00:00:38
                    Start date (UTC):27/03/2025
                    Path:/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
                    Arguments:/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libxfce4powermanager.so 9 6291467 power-manager-plugin "Power Manager Plugin" "Display the battery levels of your devices and control the brightness of your display"
                    File size:35136 bytes
                    MD5 hash:ac0b8a906f359a8ae102244738682e76

                    Start time (UTC):00:00:39
                    Start date (UTC):27/03/2025
                    Path:/usr/bin/xfce4-panel
                    Arguments:-
                    File size:375768 bytes
                    MD5 hash:a15b657c7d54ac1385f1f15004ea6784

                    Start time (UTC):00:00:39
                    Start date (UTC):27/03/2025
                    Path:/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
                    Arguments:/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libnotification-plugin.so 10 6291468 notification-plugin "Notification Plugin" "Notification plugin for the Xfce panel"
                    File size:35136 bytes
                    MD5 hash:ac0b8a906f359a8ae102244738682e76

                    Start time (UTC):00:00:42
                    Start date (UTC):27/03/2025
                    Path:/usr/bin/xfce4-panel
                    Arguments:-
                    File size:375768 bytes
                    MD5 hash:a15b657c7d54ac1385f1f15004ea6784

                    Start time (UTC):00:00:42
                    Start date (UTC):27/03/2025
                    Path:/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
                    Arguments:/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libactions.so 14 6291469 actions "Action Buttons" "Log out, lock or other system actions"
                    File size:35136 bytes
                    MD5 hash:ac0b8a906f359a8ae102244738682e76

                    Start time (UTC):00:01:00
                    Start date (UTC):27/03/2025
                    Path:/usr/bin/xfce4-panel
                    Arguments:-
                    File size:375768 bytes
                    MD5 hash:a15b657c7d54ac1385f1f15004ea6784

                    Start time (UTC):00:01:00
                    Start date (UTC):27/03/2025
                    Path:/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
                    Arguments:/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libsystray.so 6 6291464 systray "Notification Area" "Area where notification icons appear"
                    File size:35136 bytes
                    MD5 hash:ac0b8a906f359a8ae102244738682e76

                    Start time (UTC):00:01:00
                    Start date (UTC):27/03/2025
                    Path:/usr/bin/xfce4-panel
                    Arguments:-
                    File size:375768 bytes
                    MD5 hash:a15b657c7d54ac1385f1f15004ea6784

                    Start time (UTC):00:01:00
                    Start date (UTC):27/03/2025
                    Path:/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
                    Arguments:/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libstatusnotifier.so 7 6291465 statusnotifier "Status Notifier Plugin" "Provides a panel area for status notifier items (application indicators)"
                    File size:35136 bytes
                    MD5 hash:ac0b8a906f359a8ae102244738682e76

                    Start time (UTC):00:01:00
                    Start date (UTC):27/03/2025
                    Path:/usr/bin/xfce4-panel
                    Arguments:-
                    File size:375768 bytes
                    MD5 hash:a15b657c7d54ac1385f1f15004ea6784

                    Start time (UTC):00:01:00
                    Start date (UTC):27/03/2025
                    Path:/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
                    Arguments:/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libpulseaudio-plugin.so 8 6291466 pulseaudio "PulseAudio Plugin" "Adjust the audio volume of the PulseAudio sound system"
                    File size:35136 bytes
                    MD5 hash:ac0b8a906f359a8ae102244738682e76

                    Start time (UTC):00:01:00
                    Start date (UTC):27/03/2025
                    Path:/usr/bin/xfce4-panel
                    Arguments:-
                    File size:375768 bytes
                    MD5 hash:a15b657c7d54ac1385f1f15004ea6784

                    Start time (UTC):00:01:01
                    Start date (UTC):27/03/2025
                    Path:/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
                    Arguments:/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libxfce4powermanager.so 9 6291467 power-manager-plugin "Power Manager Plugin" "Display the battery levels of your devices and control the brightness of your display"
                    File size:35136 bytes
                    MD5 hash:ac0b8a906f359a8ae102244738682e76

                    Start time (UTC):00:01:01
                    Start date (UTC):27/03/2025
                    Path:/usr/bin/xfce4-panel
                    Arguments:-
                    File size:375768 bytes
                    MD5 hash:a15b657c7d54ac1385f1f15004ea6784

                    Start time (UTC):00:01:01
                    Start date (UTC):27/03/2025
                    Path:/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
                    Arguments:/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libnotification-plugin.so 10 6291468 notification-plugin "Notification Plugin" "Notification plugin for the Xfce panel"
                    File size:35136 bytes
                    MD5 hash:ac0b8a906f359a8ae102244738682e76

                    Start time (UTC):00:01:01
                    Start date (UTC):27/03/2025
                    Path:/usr/bin/xfce4-panel
                    Arguments:-
                    File size:375768 bytes
                    MD5 hash:a15b657c7d54ac1385f1f15004ea6784

                    Start time (UTC):00:01:01
                    Start date (UTC):27/03/2025
                    Path:/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0
                    Arguments:/usr/lib/x86_64-linux-gnu/xfce4/panel/wrapper-2.0 /usr/lib/x86_64-linux-gnu/xfce4/panel/plugins/libactions.so 14 6291469 actions "Action Buttons" "Log out, lock or other system actions"
                    File size:35136 bytes
                    MD5 hash:ac0b8a906f359a8ae102244738682e76

                    Start time (UTC):00:00:13
                    Start date (UTC):27/03/2025
                    Path:/usr/sbin/gdm3
                    Arguments:-
                    File size:453296 bytes
                    MD5 hash:2492e2d8d34f9377e3e530a61a15674f

                    Start time (UTC):00:00:13
                    Start date (UTC):27/03/2025
                    Path:/etc/gdm3/PrimeOff/Default
                    Arguments:/etc/gdm3/PrimeOff/Default
                    File size:129816 bytes
                    MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                    Start time (UTC):00:00:13
                    Start date (UTC):27/03/2025
                    Path:/usr/bin/xfce4-session
                    Arguments:-
                    File size:264752 bytes
                    MD5 hash:648919f03ad356720c8c27f5aaaf75d1

                    Start time (UTC):00:00:13
                    Start date (UTC):27/03/2025
                    Path:/usr/bin/xfdesktop
                    Arguments:xfdesktop --display :1.0 --sm-client-id 260d40b3c-9c6a-4cb1-bbe4-3557725aa528
                    File size:473520 bytes
                    MD5 hash:dfb13e1581f80065dcea16f2476f16f2

                    Start time (UTC):00:00:13
                    Start date (UTC):27/03/2025
                    Path:/usr/lib/systemd/systemd
                    Arguments:-
                    File size:1620224 bytes
                    MD5 hash:9b2bec7092a40488108543f9334aab75

                    Start time (UTC):00:00:13
                    Start date (UTC):27/03/2025
                    Path:/usr/lib/x86_64-linux-gnu/xfce4/notifyd/xfce4-notifyd
                    Arguments:/usr/lib/x86_64-linux-gnu/xfce4/notifyd/xfce4-notifyd
                    File size:112872 bytes
                    MD5 hash:eee956f1b227c1d5031f9c61223255d1

                    Start time (UTC):00:00:17
                    Start date (UTC):27/03/2025
                    Path:/usr/lib/systemd/systemd
                    Arguments:-
                    File size:1620224 bytes
                    MD5 hash:9b2bec7092a40488108543f9334aab75

                    Start time (UTC):00:00:17
                    Start date (UTC):27/03/2025
                    Path:/usr/libexec/gvfsd
                    Arguments:/usr/libexec/gvfsd
                    File size:39224 bytes
                    MD5 hash:1fa32dace8ba066189a8eadd21bb172a

                    Start time (UTC):00:00:19
                    Start date (UTC):27/03/2025
                    Path:/usr/libexec/gvfsd
                    Arguments:-
                    File size:39224 bytes
                    MD5 hash:1fa32dace8ba066189a8eadd21bb172a

                    Start time (UTC):00:00:19
                    Start date (UTC):27/03/2025
                    Path:/usr/libexec/gvfsd
                    Arguments:-
                    File size:39224 bytes
                    MD5 hash:1fa32dace8ba066189a8eadd21bb172a

                    Start time (UTC):00:00:19
                    Start date (UTC):27/03/2025
                    Path:/usr/libexec/gvfsd-fuse
                    Arguments:/usr/libexec/gvfsd-fuse /run/user/1000/gvfs -f -o big_writes
                    File size:47632 bytes
                    MD5 hash:d18fbf1cbf8eb57b17fac48b7b4be933

                    Start time (UTC):00:00:19
                    Start date (UTC):27/03/2025
                    Path:/usr/libexec/gvfsd-fuse
                    Arguments:-
                    File size:47632 bytes
                    MD5 hash:d18fbf1cbf8eb57b17fac48b7b4be933

                    Start time (UTC):00:00:19
                    Start date (UTC):27/03/2025
                    Path:/bin/fusermount
                    Arguments:fusermount -o rw,nosuid,nodev,subtype=gvfsd-fuse -- /run/user/1000/gvfs
                    File size:39144 bytes
                    MD5 hash:576a1b135c82bdcbc97a91acea900566

                    Start time (UTC):00:00:56
                    Start date (UTC):27/03/2025
                    Path:/usr/libexec/gvfsd
                    Arguments:-
                    File size:39224 bytes
                    MD5 hash:1fa32dace8ba066189a8eadd21bb172a

                    Start time (UTC):00:00:56
                    Start date (UTC):27/03/2025
                    Path:/usr/libexec/gvfsd-trash
                    Arguments:/usr/libexec/gvfsd-trash --spawner :1.64 /org/gtk/gvfs/exec_spaw/0
                    File size:55608 bytes
                    MD5 hash:7bd262bd2ff379d0da45f8595163824d

                    Start time (UTC):00:00:21
                    Start date (UTC):27/03/2025
                    Path:/usr/bin/xfce4-session
                    Arguments:-
                    File size:264752 bytes
                    MD5 hash:648919f03ad356720c8c27f5aaaf75d1

                    Start time (UTC):00:00:21
                    Start date (UTC):27/03/2025
                    Path:/usr/bin/xfwm4
                    Arguments:xfwm4 --display :1.0 --sm-client-id 27575c7dd-2dac-48f0-9f3a-eff67ec043e5
                    File size:420424 bytes
                    MD5 hash:59defa3c00cc30d85ed77b738d55e9da

                    Start time (UTC):00:00:21
                    Start date (UTC):27/03/2025
                    Path:/usr/bin/xfce4-session
                    Arguments:-
                    File size:264752 bytes
                    MD5 hash:648919f03ad356720c8c27f5aaaf75d1

                    Start time (UTC):00:00:21
                    Start date (UTC):27/03/2025
                    Path:/usr/bin/xfdesktop
                    Arguments:xfdesktop --display :1.0 --sm-client-id 260d40b3c-9c6a-4cb1-bbe4-3557725aa528
                    File size:473520 bytes
                    MD5 hash:dfb13e1581f80065dcea16f2476f16f2

                    Start time (UTC):00:00:21
                    Start date (UTC):27/03/2025
                    Path:/usr/bin/dbus-daemon
                    Arguments:-
                    File size:249032 bytes
                    MD5 hash:3089d47e3f3ab84cd81c48fd406d7a8c

                    Start time (UTC):00:00:21
                    Start date (UTC):27/03/2025
                    Path:/usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd
                    Arguments:/usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd
                    File size:112880 bytes
                    MD5 hash:4c7a0d6d258bb970905b19b84abcd8e9

                    Start time (UTC):00:00:23
                    Start date (UTC):27/03/2025
                    Path:/usr/lib/systemd/systemd
                    Arguments:-
                    File size:1620224 bytes
                    MD5 hash:9b2bec7092a40488108543f9334aab75

                    Start time (UTC):00:00:23
                    Start date (UTC):27/03/2025
                    Path:/lib/systemd/systemd-user-runtime-dir
                    Arguments:/lib/systemd/systemd-user-runtime-dir stop 127
                    File size:22672 bytes
                    MD5 hash:d55f4b0847f88131dbcfb07435178e54

                    Start time (UTC):00:00:29
                    Start date (UTC):27/03/2025
                    Path:/usr/bin/xfce4-session
                    Arguments:-
                    File size:264752 bytes
                    MD5 hash:648919f03ad356720c8c27f5aaaf75d1

                    Start time (UTC):00:00:29
                    Start date (UTC):27/03/2025
                    Path:/usr/bin/xfwm4
                    Arguments:xfwm4 --display :1.0 --sm-client-id 27575c7dd-2dac-48f0-9f3a-eff67ec043e5
                    File size:420424 bytes
                    MD5 hash:59defa3c00cc30d85ed77b738d55e9da

                    Start time (UTC):00:00:29
                    Start date (UTC):27/03/2025
                    Path:/usr/bin/dbus-daemon
                    Arguments:-
                    File size:249032 bytes
                    MD5 hash:3089d47e3f3ab84cd81c48fd406d7a8c

                    Start time (UTC):00:00:29
                    Start date (UTC):27/03/2025
                    Path:/usr/lib/x86_64-linux-gnu/tumbler-1/tumblerd
                    Arguments:/usr/lib/x86_64-linux-gnu/tumbler-1/tumblerd
                    File size:149888 bytes
                    MD5 hash:2ef099898845e9c5ec6f1a6fd3ad61af

                    Start time (UTC):00:00:31
                    Start date (UTC):27/03/2025
                    Path:/usr/lib/systemd/systemd
                    Arguments:-
                    File size:1620224 bytes
                    MD5 hash:9b2bec7092a40488108543f9334aab75

                    Start time (UTC):00:00:31
                    Start date (UTC):27/03/2025
                    Path:/usr/bin/Thunar
                    Arguments:/usr/bin/Thunar --daemon
                    File size:901328 bytes
                    MD5 hash:ca35dca6175038f11f012b29178a4f46

                    Start time (UTC):00:00:32
                    Start date (UTC):27/03/2025
                    Path:/usr/lib/systemd/systemd
                    Arguments:-
                    File size:1620224 bytes
                    MD5 hash:9b2bec7092a40488108543f9334aab75

                    Start time (UTC):00:00:32
                    Start date (UTC):27/03/2025
                    Path:/usr/libexec/gvfs-udisks2-volume-monitor
                    Arguments:/usr/libexec/gvfs-udisks2-volume-monitor
                    File size:199648 bytes
                    MD5 hash:4912ae23684d55062ac889dd671a8ab9

                    Start time (UTC):00:00:33
                    Start date (UTC):27/03/2025
                    Path:/usr/bin/dbus-daemon
                    Arguments:-
                    File size:249032 bytes
                    MD5 hash:3089d47e3f3ab84cd81c48fd406d7a8c

                    Start time (UTC):00:00:33
                    Start date (UTC):27/03/2025
                    Path:/usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd
                    Arguments:/usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd
                    File size:112880 bytes
                    MD5 hash:4c7a0d6d258bb970905b19b84abcd8e9

                    Start time (UTC):00:00:37
                    Start date (UTC):27/03/2025
                    Path:/usr/bin/xfce4-session
                    Arguments:-
                    File size:264752 bytes
                    MD5 hash:648919f03ad356720c8c27f5aaaf75d1

                    Start time (UTC):00:00:37
                    Start date (UTC):27/03/2025
                    Path:/usr/bin/xfwm4
                    Arguments:xfwm4 --display :1.0 --sm-client-id 27575c7dd-2dac-48f0-9f3a-eff67ec043e5
                    File size:420424 bytes
                    MD5 hash:59defa3c00cc30d85ed77b738d55e9da

                    Start time (UTC):00:00:40
                    Start date (UTC):27/03/2025
                    Path:/usr/lib/systemd/systemd
                    Arguments:-
                    File size:1620224 bytes
                    MD5 hash:9b2bec7092a40488108543f9334aab75

                    Start time (UTC):00:00:40
                    Start date (UTC):27/03/2025
                    Path:/usr/libexec/gvfs-mtp-volume-monitor
                    Arguments:/usr/libexec/gvfs-mtp-volume-monitor
                    File size:113032 bytes
                    MD5 hash:4ef31436eba465a14362dfe7e1d42ec3

                    Start time (UTC):00:00:42
                    Start date (UTC):27/03/2025
                    Path:/usr/lib/systemd/systemd
                    Arguments:-
                    File size:1620224 bytes
                    MD5 hash:9b2bec7092a40488108543f9334aab75

                    Start time (UTC):00:00:42
                    Start date (UTC):27/03/2025
                    Path:/usr/libexec/gvfs-goa-volume-monitor
                    Arguments:/usr/libexec/gvfs-goa-volume-monitor
                    File size:117128 bytes
                    MD5 hash:1c9b8b8b466cc3b27212ee9c1052a7b2

                    Start time (UTC):00:00:43
                    Start date (UTC):27/03/2025
                    Path:/usr/bin/dbus-daemon
                    Arguments:-
                    File size:249032 bytes
                    MD5 hash:3089d47e3f3ab84cd81c48fd406d7a8c

                    Start time (UTC):00:00:43
                    Start date (UTC):27/03/2025
                    Path:/usr/libexec/goa-daemon
                    Arguments:/usr/libexec/goa-daemon
                    File size:55776 bytes
                    MD5 hash:f442acdfc6465acfae3f9f0e05cf6fd3

                    Start time (UTC):00:00:48
                    Start date (UTC):27/03/2025
                    Path:/usr/bin/dbus-daemon
                    Arguments:-
                    File size:249032 bytes
                    MD5 hash:3089d47e3f3ab84cd81c48fd406d7a8c

                    Start time (UTC):00:00:48
                    Start date (UTC):27/03/2025
                    Path:/usr/libexec/goa-identity-service
                    Arguments:/usr/libexec/goa-identity-service
                    File size:158096 bytes
                    MD5 hash:4e1e45c260caf0e8460ff7494a0e8553

                    Start time (UTC):00:00:51
                    Start date (UTC):27/03/2025
                    Path:/usr/lib/systemd/systemd
                    Arguments:-
                    File size:1620224 bytes
                    MD5 hash:9b2bec7092a40488108543f9334aab75

                    Start time (UTC):00:00:51
                    Start date (UTC):27/03/2025
                    Path:/usr/libexec/gvfs-afc-volume-monitor
                    Arguments:/usr/libexec/gvfs-afc-volume-monitor
                    File size:113032 bytes
                    MD5 hash:724607394f380f47f39e25dd9e1d4825

                    Start time (UTC):00:00:53
                    Start date (UTC):27/03/2025
                    Path:/usr/lib/systemd/systemd
                    Arguments:-
                    File size:1620224 bytes
                    MD5 hash:9b2bec7092a40488108543f9334aab75

                    Start time (UTC):00:00:53
                    Start date (UTC):27/03/2025
                    Path:/usr/libexec/gvfs-gphoto2-volume-monitor
                    Arguments:/usr/libexec/gvfs-gphoto2-volume-monitor
                    File size:117128 bytes
                    MD5 hash:8773afb2a78946b2c81024ed4c928353

                    Start time (UTC):00:00:59
                    Start date (UTC):27/03/2025
                    Path:/usr/lib/systemd/systemd
                    Arguments:-
                    File size:1620224 bytes
                    MD5 hash:9b2bec7092a40488108543f9334aab75

                    Start time (UTC):00:00:59
                    Start date (UTC):27/03/2025
                    Path:/usr/libexec/gvfsd-metadata
                    Arguments:/usr/libexec/gvfsd-metadata
                    File size:88456 bytes
                    MD5 hash:25b3740bd427cf3225e35be4bb2205aa

                    Start time (UTC):00:01:03
                    Start date (UTC):27/03/2025
                    Path:/usr/bin/dbus-daemon
                    Arguments:-
                    File size:249032 bytes
                    MD5 hash:3089d47e3f3ab84cd81c48fd406d7a8c

                    Start time (UTC):00:01:03
                    Start date (UTC):27/03/2025
                    Path:/usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd
                    Arguments:/usr/lib/x86_64-linux-gnu/xfce4/xfconf/xfconfd
                    File size:112880 bytes
                    MD5 hash:4c7a0d6d258bb970905b19b84abcd8e9

                    Start time (UTC):00:01:09
                    Start date (UTC):27/03/2025
                    Path:/usr/lib/systemd/systemd
                    Arguments:-
                    File size:1620224 bytes
                    MD5 hash:9b2bec7092a40488108543f9334aab75

                    Start time (UTC):00:01:09
                    Start date (UTC):27/03/2025
                    Path:/usr/lib/accountsservice/accounts-daemon
                    Arguments:/usr/lib/accountsservice/accounts-daemon
                    File size:203192 bytes
                    MD5 hash:01a899e3fb5e7e434bea1290255a1f30

                    Start time (UTC):00:01:11
                    Start date (UTC):27/03/2025
                    Path:/usr/lib/accountsservice/accounts-daemon
                    Arguments:-
                    File size:203192 bytes
                    MD5 hash:01a899e3fb5e7e434bea1290255a1f30

                    Start time (UTC):00:01:11
                    Start date (UTC):27/03/2025
                    Path:/usr/share/language-tools/language-validate
                    Arguments:/usr/share/language-tools/language-validate en_US.UTF-8
                    File size:129816 bytes
                    MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                    Start time (UTC):00:01:11
                    Start date (UTC):27/03/2025
                    Path:/usr/share/language-tools/language-validate
                    Arguments:-
                    File size:129816 bytes
                    MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                    Start time (UTC):00:01:11
                    Start date (UTC):27/03/2025
                    Path:/usr/share/language-tools/language-options
                    Arguments:/usr/share/language-tools/language-options
                    File size:3478464 bytes
                    MD5 hash:16a21f464119ea7fad1d3660de963637

                    Start time (UTC):00:01:11
                    Start date (UTC):27/03/2025
                    Path:/usr/share/language-tools/language-options
                    Arguments:-
                    File size:3478464 bytes
                    MD5 hash:16a21f464119ea7fad1d3660de963637

                    Start time (UTC):00:01:11
                    Start date (UTC):27/03/2025
                    Path:/bin/sh
                    Arguments:sh -c "locale -a | grep -F .utf8 "
                    File size:129816 bytes
                    MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                    Start time (UTC):00:01:11
                    Start date (UTC):27/03/2025
                    Path:/bin/sh
                    Arguments:-
                    File size:129816 bytes
                    MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                    Start time (UTC):00:01:11
                    Start date (UTC):27/03/2025
                    Path:/usr/bin/locale
                    Arguments:locale -a
                    File size:58944 bytes
                    MD5 hash:c72a78792469db86d91369c9057f20d2

                    Start time (UTC):00:01:11
                    Start date (UTC):27/03/2025
                    Path:/bin/sh
                    Arguments:-
                    File size:129816 bytes
                    MD5 hash:1e6b1c887c59a315edb7eb9a315fc84c

                    Start time (UTC):00:01:11
                    Start date (UTC):27/03/2025
                    Path:/usr/bin/grep
                    Arguments:grep -F .utf8
                    File size:199136 bytes
                    MD5 hash:1e6ebb9dd094f774478f72727bdba0f5